WebKit2 API Layer Brings Split-Process Model
99BottlesOfBeerInMyF writes "Anders Carlsson and Sam Weinig over at Apple just announced WebKit2, a rework of the WebKit engine that powers Chrome and Safari. This new version of WebKit incorporates the same style of split-process model that provides stability in Chrome, but built directly into the framework so all browsers based upon WebKit will be able to gain the same level of sandboxing and stability. AppleInsider has a writeup, and the team has provided 'high level documentation' as well. Both Palm and the Epiphany team are going to be happy about this."
Yay! Sandboxes! (Score:2)
Re: (Score:1, Funny)
I went on a safari once and there was really a lot more driving and picture taking than hacking and bushwhacking.
Re: (Score:3, Funny)
Well, my own custom browser that I designed and that I use uses a VM (I chose VMware) for every tab, I find it even more secure that way ;-))
Re: (Score:3, Interesting)
Still, whenever a Tab hangs in my Chromium, usually most, or all other tab dies as well, occasionally entire chromium.
Re: (Score:1)
Since it took me a few passes to parse this post, here's a courtesy translation to English:
Re: (Score:1, Interesting)
Do people just make shit up about Chrome? I don't get it. A month ago one person claimed on Slashdot that Chrome caused DNS failure, another that it pegged the CPU when downloading. Both got modded Informative. Both were proven wrong, as was immediately obvious to anyone who has used Chrome.
So now you claim that tab process load freezes Chrome (and its subprocesses). I haven't heard of it. I haven't experienced it, after being forced to close unresponding Chrome tabs 30-40 times. Not on my ancient single-co
Re: (Score:2, Insightful)
Are you absolutely sure it's not Flash/PDF/[Silver/Moon]light plugins that are freezing Chrome?
Wait, hang on, what's the difference in a plugin freezing Chrome and the problem described by GP? He says a tab can hang and then sometimes all the other tabs die too, to the end user who cares if it's technically caused by a plugin or not?
Re:Yay! Sandboxes! (Score:4, Informative)
I actually have seen something similar since I started to use Chrome. It usually happens when I fire up many tabs from one tab (in my case it happens when I open what I deem fit for further reading from my Google Reader, which can reach up to 30-40 tabs). What appears to happen is that the tabs opened from another tab share the same tab process as the parent tab.
Under other circumstances this might not be a problem, but given the nature of Google Reader when you're scrolling through your unread items list (i.e. it "appends" newer and newer RSS items to the bottom of the list frame itself) it starts to take up a fair amount of ram that isn't freed up when you reload the originating tab (all in the name of caching no doubt).
This has happened less often now that I have Flashblock installed, but still happens occasionally. It also helps that I now open fewer tabs from the Google Reader tab and simply close and reopen it when I'm done reading the tabs that I opened from within the GR tab. This kills the ram eating process and starts a new one.
Re: (Score:3, Insightful)
IMHO of course :)
Re: (Score:2)
There should be one network IO, one HTML (and image and whatever) parser, one script VM, one rendering and one UI response thread per page. I'm sick and tired of Firefox locking up regularly when browsing the net, even on a 4-core machine. Parallelize everything that can be parallelized, and never ever block or run a heavy computing operation with a lock held.
Javascript should not be able to stop the browser
Re:Why is this tagged 'Apple'? (Score:5, Informative)
Don't let facts and history [wikipedia.org] get in the way of your bias. Apple forked KHTML in 2002 and named it Webkit. For a while KHTML developers backported Apple's features independently but have since worked closely with Apple incorporating Webkit features into KHTML. Apple released Webkit as open source in 2005. They are still active in maintaining and developing it. Specifically, some developers at Apple did the development and announced the changes on a dev forum:
Re:Why is this tagged 'Apple'? (Score:5, Informative)
Re: (Score:1)
Re: (Score:3, Informative)
When he says JavaScript engine, he means that Apple wrote the entire JavaScript engine in WebKit. It happens that KHTML had a JavaScript engine that was much slower, much less stable, and much less supporting of modern JavaScript, but that doesn't change the fact that Apple wrote *all* of WebKit's JavaScript support as it stands. They also wrote most of its CSS support, and most of its HTML support (even for older standards).
To suggest that WebKit as it currently stands is the work of the KHTML devs is
Re: (Score:3, Informative)
Yes, they rolled their own Javascript engine for Safari 4, but based on the original engine with large improvements in speed. This is Nitro (or SquirrelFish, or SFX, or whatever it is being called right now).
They also did *massive* work on the CSS core to enable Safari (and Webkit itself) to pass Acid 2. So "working fine" before Apple "ripped it apart" to make it more standards compliant.
Apple have done a great deal of work on Webkit, not to diminish any of the work done by people on KHTML before that, but
Re:Why is this tagged 'Apple'? (Score:5, Insightful)
Like GP said, WebKit is basically just the work of the KHTML devs. Apple leeched off of their work.
If by 'leeched' you mean they took an existing open project, modified and extended it, then released that work for free. I guess if you redefine leech then yes they leeched it.
Re: (Score:2)
Though since rather addressed, there were grumbles early on that Apple weren't running the project in a co-operative way - they were abiding by the letter but not the spirit of the open source licensing. It's their right to do this but it used to upset people when Apple got credit for "contributing" when they were doing the bare minimum. But I think they reformed the WebKit project a lot and they're working rather in the open now, so I'm not sure that (generally) so much of this historical attitude remain
Re: (Score:2)
They released big chunks of changes at once, especially in the early days, since they had been working on the fork for about a year before they made it public. They switched to a CVS model that made it easier, but there were also grumblings that some of the changes made it less KHTML-like (but that did help to make it more portable).
They also (not immediately) released the other parts of the engine that they wrote from scratch under a BSD licence to go with the GPL components.
Re: (Score:2)
Re: (Score:2)
Yes, clearly, but I think the original assertion by the troll was that Apple took KHTML, changed the name to WebKit and put it in a browser and called it done and that they haven't done or contributed anything and that every new development is a KHTML-crafted change.
They also open sourced the other parts of Webkit that they wrote (under a BSD-style licence) to go with the GPL licensed bits.
Re: (Score:2)
Re: (Score:2, Informative)
While WebKit began from KHTML, since 2002, it's definitely been an Apple-driven innovation, and they contribute most to its existence.
Re: (Score:1)
Re: (Score:3, Insightful)
The next "big thing" will be some dipshit who writes an HTML rendering engine using nothing but JavaScript and HTML5 canvas.
Nope, canvas clearly isn't the right choice. If some dipshit were to seriously consider this, they'd use OpenGL.
Just because this is how the Web community does things, that JavaScript/HTML5/canvas browser will in turn get a new scripting language that's even shittier than JavaScript is.
First: Where's your evidence that this is how the Web community does things? I honestly can't remember the last time I wrote a scripting language within a scripting language in anything at all related to web development.
Second: What, exactly, is shitty about JavaScript? Most people who think JavaScript is shitty don't understand it. It's actually a very nice language, albeit with a few ugly quirks
Re: (Score:2)
Secondly, Prototype-based OO is quite ugly. Sure, it's workable, and you can argue that it's the more pure way to do OO as it emphasizes object orientation and encapsulates better, however, any way you try to sugar coat it, Javascript makes it a lot uglier than it needs to be.
Thirdly, the fact that it's a defacto standardized language, a lot like the web itself was defacto'd into existence rather than people trying to follow
Re: (Score:3, Informative)
wtfjs [wtfjs.com]
Top post on that is a remark about how things behave weirdly when you redefine certain methods. That's true of other languages I like -- any language that supports operator overloading can create some really weird shit.
The more important question is why you would ever do that? Don't abuse the language, and it won't abuse you.
Next one is about numbers close to infinity. When would I ever see this?
And there is one that's an IE-specific bug. That's an IE bug, not a Javascript bug.
Again, these are interesting w
Re: (Score:2)
think it's far easier and cleaner to build a class-based system on top of prototype-based
You really can't say things like that and then expect people to take you seriously when you say "Don't abuse the language." Creating a classical framework on top of a prototypical language is clearly abusing the language. And I don't mean abusing as in "trying to get it to do something it was not originally designed for," I mean abusing as in "what goes on in prison when the guards are not looking." And this coming from someone that wrote one of the earlier cla
Palm? Epiphany? (Score:2)
Wouldn't it be easier to just mention by far the most popular products falling into general categories instead of two quite obscure ones?
Like...Nokia (they ship Webkit browser with S60, half of smartphone market, since forever; plus lately with mainstream "featurephone" S40) and Safari. Users of those should be pleased too, you know...
Re: (Score:2)
Electrolysis ETA? (Score:2)
Re: (Score:3, Informative)
I think it's coming in phases. Isn't the next version of Firefox supposed to isolate plugins in their own processes?
It is indeed, in fact I'm writing this post on the beta version [mozilla.com].
Turing Test (Score:1, Funny)
Wow.
This script has been around nearly as long as slashdot itself. Congratulations to the author, if he's even still around.
Is there a sandbox for sandbox? (Score:2)
I mean if Firefox starts using this model, I'll have 100 firefox.exe processes in the task manager and I don't want that. So, is there a way to run all of those processes inside a one big process? Well, other than using a full VM...
Re: (Score:2, Informative)
Alternatively, you can use a better task manager such as Process Explorer which will group all processes in a nice hierarchical view:
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx [microsoft.com]
Re: (Score:1)
Re: (Score:2)
How do I make it appear when I press Ctrl+Alt+Del?
Re: (Score:1)
See here [cybernetnews.com]; at least newer versions of Process Explorer have that feature built-in.
FF with out of process plugin beta available! (Score:3, Informative)
https://developer.mozilla.org/devnews/index.php/2010/04/08/firefox-lorentz-beta-available-for-download-and-testing/ [mozilla.org]
'Lorentz' - a beta version combining FF 3.6.3 with the out of process plugin feature, became available yesterday. This shoves the plugins into their own process, which is where the vast majority of problems occur. Give it a shot and report them bugs!
Re:Is there a sandbox for sandbox? (Score:5, Interesting)
So, is there a way to run all of those processes inside a one big process?
Not on most operating systems, no. This is a major flaw (I actually gave a talk about this and proposed a language extension that takes advantage of it a couple of weeks ago) in most modern systems. It's particularly embarrassing because several mainframe operating systems did support this idea back in the early '70s.
The browser should not be doing this, it should be the job of the OS. Operating systems have a much better track record of isolating processes from each other. A process should be able to create subprocesses that have a subset of the capabilities of the parent and can not interact with the system without going via the parent. The isolation could then be trivially enforced by the MMU, without requiring (slow, complex, buggy, insecure) software implementations.
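The isolation described in the comment above, as an added example that is not part of the original thread: a parent forks a worker that gives up the ability to open files and can only report back through a pipe, so a crash or a stray write in the worker never reaches the parent. The names `render_in_worker`, `worker` and `parent_state` are hypothetical, the "CRASH" input is a constructed stand-in for a renderer bug, and `RLIMIT_NOFILE` is used here as a portable approximation of a reduced capability set, not the OS feature the commenter proposes.

```c
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the parent learns after handing untrusted content to a worker. */
struct outcome {
    int error;         /* 1 if pipe() or fork() failed */
    int crashed;       /* 1 if the worker was killed by a signal */
    int signal_no;     /* the signal that killed it */
    int open_blocked;  /* 1 if the worker's open() failed with EMFILE */
    int reply_len;     /* input length reported back by the worker */
};

static int parent_state = 42;  /* lives in the parent's address space */

/* Worker: give up the ability to open files, then handle the input. */
static void worker(const char *input, int out_fd)
{
    struct rlimit none = {0, 0};
    setrlimit(RLIMIT_NOFILE, &none);       /* already-open fds stay usable */
    char blocked = (open("/", O_RDONLY) < 0 && errno == EMFILE);
    parent_state = 0;                      /* changes the child's copy only */
    if (strstr(input, "CRASH"))            /* constructed stand-in for a bug */
        raise(SIGSEGV);
    char msg[2] = { blocked, (char)strlen(input) };
    _exit(write(out_fd, msg, sizeof msg) == (ssize_t)sizeof msg ? 0 : 1);
}

/* Parent: fork a worker, read its reply from the pipe, reap it. */
struct outcome render_in_worker(const char *input)
{
    struct outcome r = {0, 0, 0, 0, 0};
    int p[2], status = 0;
    pid_t pid;
    if (pipe(p) != 0) { r.error = 1; return r; }
    if ((pid = fork()) < 0) { close(p[0]); close(p[1]); r.error = 1; return r; }
    if (pid == 0) { close(p[0]); worker(input, p[1]); }
    close(p[1]);
    char msg[2];
    ssize_t n = read(p[0], msg, sizeof msg);   /* 0 (EOF) if the worker died */
    close(p[0]);
    waitpid(pid, &status, 0);
    if (WIFSIGNALED(status)) { r.crashed = 1; r.signal_no = WTERMSIG(status); }
    else if (n == 2) { r.open_blocked = msg[0]; r.reply_len = msg[1]; }
    return r;
}

int main(void)
{
    struct outcome ok = render_in_worker("<p>hello</p>");
    struct outcome bad = render_in_worker("<p>CRASH</p>");
    printf("ok: blocked=%d len=%d; bad: crashed=%d signal=%d; parent_state=%d\n",
           ok.open_blocked, ok.reply_len, bad.crashed, bad.signal_no, parent_state);
    return 0;
}
```

A worker running with privileges could raise the limit again, which is why production sandboxes layer kernel mechanisms such as system-call filtering on top of the process split.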
Re: (Score:2, Interesting)
Re: (Score:1)
unless your program is screwing up my system I don't care about processes.
So you would rather see your system hang than go to the process manager? And what if that option isn't available?
Re: (Score:1)
Why would a system hang if a single process hangs? Unless it's an essential, system process, of course. That's rather the point. If an application hangs in OS X, I "force quit". That ought to be the exception.
Re: (Score:3, Insightful)
"Unless your program is screwing up my system..."
In what way is a process hang *not* screwing up my system?
List of ways it's potentially screwing up my system:
- It's consuming CPU and not doing anything useful.
- It's consuming RAM and not doing anything useful.
- It's stopping me from doing actual work in it.
His point is that the only time the end user should see a process manager is if you fucked up... Admittedly programmers tend to fuck up an awful lot – this programming thing is *really* hard to get
Re: (Score:1)
Re: (Score:1)
I think my point is a little beyond that. Unless I'm developing or debugging an application or OS I never want to see a process manager, even if you fucked up your code somewhere in your program. In my ideal world I wouldn't even have to force quit a program or process, my OS would do it for me.
Look up the "Halting Problem".
Re: (Score:2)
Steve Jobs wasn't the first person to say this, by a good few decades. It was one of the design goals of EPOC, which later evolved into Symbian. Symbian does not differentiate between leaving and closing an app. Apps that are in a state where they can terminate without losing data are terminated automatically when the system is low on resources. OS X recently copied this, a couple of decades later.
I hold the same view on files. They're a terrible abstraction for users, who care about things like doc
Re: (Score:2)
Except, when it does. There is a big fucking button in the corner of my Symbian SE smartphone. It gives you two things - a program "switcher" and a task manager. This is necessary, as so far only two of the Apps I've ever had on the damn thing (the built in picture viewer and music player) actually close on their own. The rest all have to be killed via the Task Manager. The task manager is however, about as useful as a shit in a paper bag
Re: (Score:2)
processes inside one big process? Uhm, threads?
Re: (Score:1, Informative)
Except that threads share memory and processes don't. That's the main reason for Chrome's process boundary to ensure that different parts of the browser (tabs, plugins) don't corrupt each other. A VM can enforce this on the code, but the browsers are compiled. So basically he wants threads without shared memory in C/C++.
Re: (Score:2)
Threads have several differences with nested processes. Firstly, threads all exist inside the same address space. This means that they can alter each other's state without any kind of mediation. There is no isolation between threads. (Most) operating systems do not maintain per-thread page tables, so you can't make a region of memory read-only to one thread without making it read-only to all threads in a process.
Secondly, they can make system calls directly, rather than having to go via the parent proc
Re: (Score:2)
Would there be a real separation between userspace and OS in this kind of system? Seems to me that you've described a microkernel system, where interprocess communication is handled through unnamed pipes.
Re: (Score:2)
Would there be a real separation between userspace and OS in this kind of system?
Yes, absolutely. You're still stuck with the constraints of the hardware. You only have two modes for most modern CPUs. The kernel runs in protected mode, and other things run in unprotected mode. Some code would be permitted by the kernel to make system calls. Other code would have to use something like a call gate to request that another program calls the kernel on its behalf. You'd probably implement the call from a process to its parent as a system call, although with call gates on x86 or PALcode
Re: (Score:2)
Um, what? I presume you meant Ring 0 with protected mode, and Ring 1 with unprotected. But that has very little to do with anythin
Re: (Score:1)
uh... are you referring to threads? I mean, when you say the MMU could trivially enforce something... in all modern operating systems, the MMU already forces complete separation of all processes, and any interaction between them is through system calls to the kernel (or shared memory, which is set up by system calls...).
My point is, one way or the other, the OS has to decide what processes are allowed to make what system calls (with what arguments). Operating systems already have mechanisms that allow paren
Re: (Score:2)
So no one should not take advantage of basic multitasking because Task Manager is broken? Right...
A properly written task manager should have no problems showing process groups as, well, process groups.
Re: (Score:2)
Doesn't creating a new process use more memory than a thread?
I mean, there has to be a reason why chrome uses so much memory...
I think the "tab=process" thing should be an option.
Re: (Score:2)
It only uses more memory if your OS is decades out of date and doesn't support copy-on-write for all memory pages after the fork(). The fact that Windows sometimes falls into this category is a problem for MS, not Firefox...
Re: (Score:2)
Of course, since the OS must fit around the browser, not the other way around, right?
Ok if it's just firefox, but what if two different programs that I use start demanding different OSs?
Re: (Score:2)
On my PC there are 10 svchost processes. Anyway, if firefox made a new process for each tab, I would have 100 firefox processes. There are 100 processes running in my computer now, with that it would be 200.
Firefox is stable enough as it is for me, it does not crash.
Re: (Score:2)
Re: (Score:2)
Doesn't creating a new process use more memory than a thread?
Yes, on the order of a few kB extra for a large program. Parts of the page table need to be maintained twice. If you're into saving as much memory as possible I can recommend AmigaOS where essentially all "programs" and the OS are threads. Great performance, lousy security and stability.
Re: (Score:1)
Re: (Score:2)
The only proprietary thing required seems to be QuickTime (for H.264), looking at their build directions. Apple added Win32 rendering a while ago... And the network components are open source under CFLite.
Chrome is Webkit (Score:2, Informative)
If I have a choice between Webkit and Chrome, I'd prefer Webkit to embed in applications. However, the graphics and network components of Apple's Windows port are appropriate, so Chrome is clearly the better choice, even after Apple has added this split process feature.
Chrome uses WebKit as its HTML renderer. Google essentially packaged a separate Webkit instance inside each tab.
This is just moving it down a level.
Re: (Score:2)
You realise Chrome uses WebKit to render? WebKit is an engine, Chrome is a browser implemented using it.
Innovation? (Score:1, Troll)
So you're saying that implementing a rendering engine according to existing specs constitutes "innovation" for Apple? Sadly, you're right. I think most people would call that "programming" though,
Re: (Score:2)
Where was the word 'innovation' used?