Language run-time systems are routinely used to host potentially buggy or malicious codelets — software modules, agents, applets, etc. — in a secure environment. A number of techniques exist for managing access control to system services and even for terminating codelets once they’ve been determined to be misbehaving. However, because codelets can be terminated anywhere in their execution, a codelet’s internal state might become inconsistent; restarting the codelet could result in unexpected behavior. Any state the codelet shares with other codelets may likewise become inconsistent, destabilizing those codelets as well. To address these problems, we have designed a mechanism, strictly using code-to-code transformations, which provides transactional rollback support for codelets. Each instance of a codelet is run in its own transaction, and standard (ACID) transactional semantics apply. All changes made by the codelet are automatically rolled back when the corresponding transaction aborts. We discuss a transactional rollback implementation for Java, and present its performance.
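The inconsistency and the rollback described above, as an added Java example that is not code from the paper: it assumes a per-transaction undo log and instruments by hand the one field write that a code-to-code transformation would rewrite. The names `RollbackDemo`, `Account`, `Transaction` and `Killed` are hypothetical, and the sketch covers only undo-on-abort, not isolation between concurrent codelets.

```java
import java.util.ArrayDeque;
import java.util.Deque;

public class RollbackDemo {
    // State shared between codelets (constructed sample).
    static class Account { int balance; Account(int b) { balance = b; } }

    // Assumed mechanism: every instrumented write records how to undo itself.
    static class Transaction {
        private final Deque<Runnable> undo = new ArrayDeque<>();
        // Hand-written stand-in for what a transformer would emit in place
        // of the plain store "a.balance = v".
        void setBalance(Account a, int v) {
            final int old = a.balance;
            undo.push(() -> a.balance = old);
            a.balance = v;
        }
        // Replay the log newest-first so earlier values win.
        void abort() { while (!undo.isEmpty()) undo.pop().run(); }
        void commit() { undo.clear(); }
    }

    // Stand-in for the host terminating the codelet at an arbitrary point.
    static class Killed extends RuntimeException {}

    // The codelet: two writes that must both happen or neither.
    static void transfer(Transaction tx, Account from, Account to, int amt, boolean kill) {
        tx.setBalance(from, from.balance - amt);
        if (kill) throw new Killed();   // terminated between the two writes
        tx.setBalance(to, to.balance + amt);
    }

    // Runs one codelet instance in its own transaction; returns the total
    // held in both accounts, which a correct transfer never changes.
    static int runCodelet(boolean kill, boolean rollback) {
        Account a = new Account(100), b = new Account(100);
        Transaction tx = new Transaction();
        try {
            transfer(tx, a, b, 30, kill);
            tx.commit();
        } catch (Killed k) {
            if (rollback) tx.abort();   // without this the debit is left behind
        }
        return a.balance + b.balance;
    }

    public static void main(String[] args) {
        System.out.println("killed, no rollback:   total = " + runCodelet(true, false));
        System.out.println("killed, with rollback: total = " + runCodelet(true, true));
        System.out.println("ran to completion:     total = " + runCodelet(false, true));
    }
}
```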