Forgot your password?
typodupeerror
Software Apple News

WebKit2 API Layer Brings Split-Process Model 95

Posted by Soulskill
from the empire-strikes-back dept.
99BottlesOfBeerInMyF writes "Anders Carlsson and Sam Weinig over at Apple just announced WebKit2, a rework of the WebKit engine that powers Chrome and Safari. This new version of WebKit incorporates the same style of split-process model that provides stability in Chrome, but built directly into the framework so all browsers based upon WebKit will be able to gain the same level of sandboxing and stability. AppleInsider has a writeup, and the team has provided 'high level documentation' as well. Both Palm and the Epiphany team are going to be happy about this."
This discussion has been archived. No new comments can be posted.

WebKit2 API Layer Brings Split-Process Model

Comments Filter:
  • Each tab in its own 'sandbox' makes things more stable and more secure, which may give any browser built on it similar security as Chrome. Next year Safari & Mobile Safari may last an extra few hours in the 'hack-a-thon'.
    • Re: (Score:1, Funny)

      by Anonymous Coward

      I went on a safari once and there was really a lot more driving and picture taking than hacking and bushwhacking.

    • Re: (Score:3, Funny)

      by ls671 (1122017)

      Well, my own custom browser that I designed and that I use uses a VM (I chose VMware) for every tab, I find it even more secure that way ;-))

    • Re: (Score:3, Interesting)

      by rawler (1005089)

      Still, whenever a Tab hangs in my Chromium, usually most, or all other tab dies as well, occasionally entire chromium.

      • by Anonymous Coward

        Since it took me a few passes to parse this post, here's a courtesy translation to English:

        Still, whenever a tab hangs in my Chromium, most, or all, other tabs usually die as well. Occasionally, it causes Chromium to crash in its entirety.

      • Re: (Score:1, Interesting)

        by Anonymous Coward

        Do people just make shit up about Chrome? I don't get it. A month ago one person claimed on Slashdot that Chrome caused DNS failure, another that it pegged the CPU when downloading. Both got modded Informative. Both were proven wrong, as was immediately obvious to anyone who has used Chrome.

        So now you claim that tab process load freezes Chrome (and its subprocesses). I haven't heard of it. I haven't experienced it, after being forced to close unresponding Chrome tabs 30-40 times. Not on my ancient single-co

        • Re: (Score:2, Insightful)

          by gaggle (206502)

          Are you absolutely sure it's not Flash/PDF/[Silver/Moon]light plugins that are freezing Chrome?

          Wait, hang on, what's the difference in a plugin freezing Chrome and the problem described by GP? He says a tab can hang and then sometimes all the other tabs die too, to the end user who cares if it's technically caused by a plugin or not?

        • Re:Yay! Sandboxes! (Score:4, Informative)

          by Bake (2609) on Saturday April 10, 2010 @07:51AM (#31799058) Homepage

          I actually have seen something similar since I started to use Chrome. It usually happens when I fire up many tabs from one tab (in my case it happens when I open what I deem fit for further reading from my Google Reader, which can reach up to 30-40 tabs). What appears to happen is that the tabs opened from another tab share the same tab process as the parent tab.

          Under other circumstances this might not be a problem, but given the nature of Google Reader when you're scrolling through your unread items list (i.e. it "appends" newer and newer RSS items to the bottom of the list frame itself) it starts to take up a fair amount of ram that isn't freed up when you reload the originating tab (all in the name of caching no doubt).

          This has happened less often now that I have Flashblock installed, but still happens occasionally. It also helps that I now open fewer tabs from the Google Reader tab and simply close and reopen it when I'm done reading the tabs that I opened from within the GR tab. This kills the ram eating process and starts a new one.

    • Re: (Score:3, Insightful)

      It's still a bad way of reinventing the Unix philosophy. There should be one process per webpage, with a caching demon handling common images and resources. Maybe a separate app to combine web pages into a tab collection, for those whose window manager is not powerful enough.

      IMHO of course :)

      • by ultranova (717540)

        There should be one process per webpage, with a caching demon handling common images and resources.

        There should be one network IO, one HTML (and image and whatever) parser, one script VM, one rendering and one UI response thread per page. I'm sick and tired of Firefox locking up regularly when browsing the net, even on a 4-core machine. Parallelize everything that can be parallelized, and never ever block or run a heavy computing operation with a lock held.

        Javascript should not be able to stop the browser

  • Wouldn't it be easier to just mention by far the most popular products falling into general categories instead of two quite obscure ones?

    Like...Nokia (they ship Webkit browser with S60, half of smartphone market, since forever; plus lately with mainstream "featurephone" S40) and Safari. Users of those should be pleased too, you know...

  • Is there an Electrolysis ETA for Firefox? I have a bad feeling that WebKit will get this out first. Firefox is sure getting slower and slower in tech advancement.
  • I mean if Firefox starts using this model, I'll have 100 firefox.exe processes in the task manager and I don't want that. So, is there a way to run all of those processes inside a one big process? Well, other than using a full VM...

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Alternatively, you can use a better task manager such as Process Explorer which will group all processes in a nice hierarchical view:

      http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx [microsoft.com]

    • https://developer.mozilla.org/devnews/index.php/2010/04/08/firefox-lorentz-beta-available-for-download-and-testing/ [mozilla.org]

      'Lorentz' - a beta version combining FF 3.6.3 with the out of process plugin feature, became available yesterday. This shoves the plugins into their own process, which is where the vast majority of problems occur. Give it a shot and report them bugs!

    • by TheRaven64 (641858) on Friday April 09, 2010 @07:04PM (#31796214) Journal

      So, is there a way to run all of those processes inside a one big process?

      Not on most operating systems, no. This is a major flaw (I actually gave a talk about this and proposed a language extension that takes advantage of it a couple of weeks ago) in most modern systems. It's particularly embarrassing because several mainframe operating systems did support this idea back in the early '70s.

      The browser should not be doing this, it should be the job of the OS. Operating systems have a much better track record of isolating processes from each other. A process should be able to create subprocesses that have a subset of the capabilities of the parent and can not interact with the system without going via the parent. The isolation could then be trivially enforced by the MMU, without requiring (slow, complex, buggy, insecure) software implementations.

      • Re: (Score:2, Interesting)

        by c_forq (924234)
        On the other hand I think Steve Jobs made a great point about this at the iPhone OS 4 event. If your end user has to use some sort of process management you have failed. The more I have thought about it the more I agree, only coders and debuggers should have to deal with process management. If I'm not working on the project I don't care about processes, and unless your program is screwing up my system I don't care about processes.
        • by Servaas (1050156)

          unless your program is screwing up my system I don't care about processes.

          So you would rather see your system hang then go to the process manager? And what if that option isn't available?

          • Why would a system hang if a single process hangs? Unless it's an essential, system process, of course. That's rather the point. If an application hangs in OS X, I "force quit". That ought to be the exception.

          • Re: (Score:3, Insightful)

            by beelsebob (529313)

            "Unless your program is screwing up my system..."

            In what way is a process hang *not* screwing up my system?

            List of ways it's potentially screwing up my system:
            - It's consuming CPU and not doing anything useful.
            - It's consuming RAM and not doing anything useful.
            - It's stopping me from doing actual work in it.

            His point is that the only time the end user should see a process manager is if you fucked up... Admittedly programmers tend to fuck up an awful lot – this programming thing is *really* hard to get

            • by c_forq (924234)
              I think my point is a little beyond that. Unless I'm developing or debugging an application or OS I never want to see a process manager, even if you fucked up your code somewhere in your program. In my ideal world I wouldn't even have to force quit a program or process, my OS would do it for me. Just like how my drill will automatically slips if it hits too much resistance; or how my car will activate all wheel drive if a wheel slips, I want my computer to make my job easier.
              • I think my point is a little beyond that. Unless I'm developing or debugging an application or OS I never want to see a process manager, even if you fucked up your code somewhere in your program. In my ideal world I wouldn't even have to force quit a program or process, my OS would do it for me.

                Look up the "Halting Problem".

        • Steve Jobs wasn't the first person to say this, by a good few decades. It was one of the design goals of EPOC, which later evolved into Symbian. Symbian does not differentiate between leaving and closing an app. Apps that are in a state where they can terminate without losing data are terminated automatically when the system is low on resources. OS X recently copied this, a couple of decades later.

          I hold the same view on files. They're a terrible abstraction for users, who care about things like doc

          • by PenguSven (988769)

            Symbian does not differentiate between leaving and closing an app.

            Except, when it does. There is a big fucking button in the corner of my Symbian SE smartphone. It gives you two things - a program "switcher" and a task manager. This is necessary, as so far only two of the Apps I've ever had on the damn thing (the built in picture viewer and music player) actually close on their own. The rest all have to be killed via the Task Manager. The task manager is however, about as useful as a shit in a paper bag

      • processes inside one big process? Uhm, threads?

        • Re: (Score:1, Informative)

          by Anonymous Coward

          Except that threads share memory and processes don't. That's the main reason for Chrome's process boundary to ensure that different parts of the browser (tabs, plugins) don't correct each other. A VM can enforce this on the code, but the browsers are compiled. So basically he wants threads without shared memory in C/C++.

        • Threads have several differences with nested processes. Firstly, threads all exist inside the same address space. This means that they can alter each other's state without any kind of mediation. There is no isolation between threads. (Most) operating systems do not maintain per-thread page tables, so you can't make a region of memory read-only to one thread without making it read-only to all threads in a process.

          Secondly, they can make system calls directly, rather than having to go via the parent proc

          • by ultranova (717540)

            Each nested process could only do things that the parent permitted and the top-level parent could only do things that the OS permitted.

            Would there be a real separation between userspace and OS in this kind of system? Seems to me that you've described a microkernel system, where interprocess communication is handled through unnamed pipes.

            • Would there be a real separation between userspace and OS in this kind of system?

              Yes, absolutely. You're still stuck with the constraints of the hardware. You only have two modes for most modern CPUs. The kernel runs in protected mode, and other things run in unprotected mode. Some code would be permitted by the kernel to make system calls. Other code would have to use something like a call gate to request that another program calls the kernel on its behalf. You'd probably implement the call from a process to its parent as a system call, although with call gates on x86 or PALcode

              • by ultranova (717540)

                Yes, absolutely. You're still stuck with the constraints of the hardware. You only have two modes for most modern CPUs. The kernel runs in protected mode, and other things run in unprotected mode. Some code would be permitted by the kernel to make system calls. Other code would have to use something like a call gate to request that another program calls the kernel on its behalf.

                Um, what? I presume you meant Ring 0 with protected mode, and Ring 1 with unprotected. But that has very little to do with anythin

      • by ploxiln (1114367)

        uh... are you referring to threads? I mean, when you say the MMU could trivially enforce something... in all modern operating systems, the MMU already forces complete separation of all processes, and any interaction between them is through system calls to the kernel (or shared memory, which is set up by system calls...).

        My point is, one way or the other, the OS has to decide what processes are allowed to make what system calls (with what arguments). Operating systems already have mechanisms that allow paren

    • by amorsen (7485)

      So noone should not take advantage of basic multitasking because Task Manager is broken? Right...

      A properly written task manager should have no problems showing process groups as, well, process groups.

      • Doesn't creating a new process use more memory than a thread?

        I mean, there has to be a reason why chrome uses so much memory...

        I think the "tab=process" thing should be an option.

        • by Endymion (12816)

          It only uses more memory if your OS is decades out of date and doesn't support copy-on-write for all memory pages after the fork(). The fact that windows sometimes falls into this category is a problem for MS, not Firefox...

          • Of course, since the OS must fit around the browser, not the other way around, right?

            Ok if it's just firefox, but what if two different programs that I use start demanding different OSs?

        • If you use threads you do not have process isolation and it your program isn't going to get more stable. In fact it will likely get less stable.
        • by amorsen (7485)

          Doesn't creating a new process use more memory than a thread?

          Yes, on the order of a few kB extra for a large program. Parts of the page table need to be maintained twice. If you're into saving as much memory as possible I can recommend AmigaOS where essentially all "programs" and the OS are threads. Great performance, lousy security and stability.

  • Inovation? (Score:1, Troll)

    by pydev (1683904)

    So you're saying that implementing a rendering engine according to existing specs constitutes "innovation" for Apple? Sadly, you're right. I think most people would call that "programming" though,

RADIO SHACK LEVEL II BASIC READY >_

Working...