--
--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
+1
A couple questions:
For security:- I assume that mojom changes require security reviews, just like IPC message changes already do, but I don't see any mention of this on the Mojo basics.
- Are there any security gotchas with IPCs that you won't have to worry about in Mojo? What about the other way around?
- IPC::ParamTraits provides an easy way for common validation of parameters, so individual message handlers don't have to repeat all that validation (or risk forgetting to validate it at all). What is the analogous mechanism in Mojo?
What should developers do when adding a new IPC::Message to an existing IPC message handler? Should they add a new IPC::Message, or are there guidelines on how to incrementally move things to Mojo?
Finally, I'm curious about the FIFO guarantees of Mojo: in general, if you have two different Mojo interface pointers, there's no guarantee of FIFO ordering between them, right? How will this interact with things that are sensitive to the order of operations, such as cleanup when a frame is detached?
Finally, I'm curious about the FIFO guarantees of Mojo: in general, if you have two different Mojo interface pointers, there's no guarantee of FIFO ordering between them, right? How will this interact with things that are sensitive to the order of operations, such as cleanup when a frame is detached?Correct -- no FIFO ordering between independent pipes. The bindings layer does support associated interfaces which is a way of sharing a single message pipe between multiple bindings endpoints that need relative FIFO.
This is great, I'm enthusiastic about the move to mojo, and it sounds like it has a lot of benefits.However, I think dcheng@ raises some really important points about security, in particular the porting of IPC::ParamTraits to mojo, and setting up a robust way of ensuring that security reviews are carried out. Historically, IPC has been one of the major techniques for attackers to escape our sandbox so it's critical to our security model that this level of assurance is maintained, and developers are given all the facilities they already have in IPC (e.g. traits for validation) to land secure code.I am concerned if we move too fast without both of these in place we might introduce security regressions, can we perhaps prioritize the above work and mark it as a blocker on actually deprecating IPC::Message?
--
--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
---
You received this message because you are subscribed to the Google Groups "Chromium-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev...@chromium.org.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev+unsubscribe@chromium.org.
--Egor Pasko
Do you have estimations of the impact on binary size from the new bindings?
Also, it seems you have been studying performance impact. I could not find detailed descriptions of those linked from the proposal, are they somewhere else?
Does Mojo support passing Mach ports on Mac?
The Mac port of Chrome has transitioned to using Mach ports to back all shared memory regions, which means any new, cross-platform IPC messages that include a SharedMemoryHandle parameter may still have to use IPC::Message?
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev...@chromium.org.
--Egor Pasko
On Fri, Jan 29, 2016 at 6:16 AM, Egor Pasko <pa...@google.com> wrote:Do you have estimations of the impact on binary size from the new bindings?No, but it's something we're considering. It's a lot of generated code and we may want to optimize it down. We also anticipate deleting a lot of other code during the refactoring process though, so my baseline expectation is to at least break even on total size.Also, it seems you have been studying performance impact. I could not find detailed descriptions of those linked from the proposal, are they somewhere else?So far much of the performance analysis has been pretty ad hoc and focused on microbenchmarks to ensure we're at least equal or better at the transport layer. There's some work under way this quarter to a closer look at specific metrics, and to some extent benchmarking performance in isolation won't tell us as much as pushing some more IPCs over Mojo and monitoring the suite of performance metrics we already have in place across Chrome.My candid expectation is that initially we'll be using more CPU to serialize Mojo messages and we'll need to optimize the bindings layer further. It remains to be seen how much of a practical impact this will have.
On Fri, Jan 29, 2016 at 6:16 AM, Egor Pasko <pa...@google.com> wrote:Do you have estimations of the impact on binary size from the new bindings?No, but it's something we're considering. It's a lot of generated code and we may want to optimize it down. We also anticipate deleting a lot of other code during the refactoring process though, so my baseline expectation is to at least break even on total size.Also, it seems you have been studying performance impact. I could not find detailed descriptions of those linked from the proposal, are they somewhere else?So far much of the performance analysis has been pretty ad hoc and focused on microbenchmarks to ensure we're at least equal or better at the transport layer. There's some work under way this quarter to a closer look at specific metrics, and to some extent benchmarking performance in isolation won't tell us as much as pushing some more IPCs over Mojo and monitoring the suite of performance metrics we already have in place across Chrome.
Rather than micro-benchmarks, how about measuring the typical message patterns between some Chrome processes (e.g., message size, frequency, etc) and building a benchmark suite that exercises these patterns using both current IPC and mojo? This would be an apples-to-apples comparison of real-world messaging. It would be unfortunate if, for example, mojo wins on certain micro-benchmarks, but ends up having higher CPU overhead and latency for real Chrome messages.
On Fri, Jan 29, 2016 at 2:14 PM 'Dmitry Skiba' via Chromium-dev <chromi...@chromium.org> wrote:On Fri, Jan 29, 2016 at 8:17 AM, Ken Rockot <roc...@chromium.org> wrote:On Fri, Jan 29, 2016 at 6:16 AM, Egor Pasko <pa...@google.com> wrote:Do you have estimations of the impact on binary size from the new bindings?No, but it's something we're considering. It's a lot of generated code and we may want to optimize it down. We also anticipate deleting a lot of other code during the refactoring process though, so my baseline expectation is to at least break even on total size.Also, it seems you have been studying performance impact. I could not find detailed descriptions of those linked from the proposal, are they somewhere else?So far much of the performance analysis has been pretty ad hoc and focused on microbenchmarks to ensure we're at least equal or better at the transport layer. There's some work under way this quarter to a closer look at specific metrics, and to some extent benchmarking performance in isolation won't tell us as much as pushing some more IPCs over Mojo and monitoring the suite of performance metrics we already have in place across Chrome.Is http://crbug.com/500019 still relevant? Or Mojo IPC performance is better when used only with Mojo types, but not when used as a transport level for Chrome IPC?
I guess my main point is that it is extremely hard to catch regressions when they creep in gradually in small portions. I would prefer a path where the primitives we build on top are performant enough at all times. How can we make sure that the rate of optimizing Mojo IPC outpaces the rate of migration to Mojo IPC? One approach is to optimize first and migrate strictly later, but I assume it is too constraining for you?
Rather than micro-benchmarks, how about measuring the typical message patterns between some Chrome processes (e.g., message size, frequency, etc) and building a benchmark suite that exercises these patterns using both current IPC and mojo? This would be an apples-to-apples comparison of real-world messaging. It would be unfortunate if, for example, mojo wins on certain micro-benchmarks, but ends up having higher CPU overhead and latency for real Chrome messages.
Is there any serialization around shared memory ?
If u are using any of Protobufs serialization / deserialization then I think you should be fine. IPC benchmarks / waking threads up leaves you in the millisecond range and serialization is in the 0.6.-1.2 microseconds - if the benchmarks are not accurate on your perf page are they in microsecond maybe ? 100 microseconds on average isn't bad for event based processing on x86_64
Now there is tons of optimizations to make at a later date with multiple messages.... But yeah I personally think the sleeping / waking generaly constitutes an order of magnitude higher performance impact than a decent / awesome serializer especially if it's lazy on the client side.
On Fri, Jan 29, 2016 at 6:16 AM, Egor Pasko <pa...@google.com> wrote:Do you have estimations of the impact on binary size from the new bindings?No, but it's something we're considering. It's a lot of generated code and we may want to optimize it down. We also anticipate deleting a lot of other code during the refactoring process though, so my baseline expectation is to at least break even on total size.