--
To unsubscribe from this group and stop receiving emails from it, send an email to storage-dev...@chromium.org.
Hi storage-dev team,I work in the Chrometto team, focused on analyzing Chrome traces to improve the browser performance. We build and use a tool called trace_processor_shell that uses sqlite to provide SQL interface for computing metrics on traces. These metrics often require SQL features that are disabled in third_party/sqlite, like e.g. window functions. So we'd like to ask you for advice on how to make them available.The simplest solution would be to enable them Chrome-wide, but this results in a binary size increase of 16 KB on Android (this is for window functions only; data obtained from this experimental CL [1]).
--
> 2) SQLite is Web-exposed via WebSQL. Once we enable a feature, disabling it is really difficult or nearly impossible.
> This isn't an issue if your use case is likely to be permanent. However, if you'll stop needing window functions in a year (for example), the project will still be paying the price to support them.Since the WebSQL API is unofficially deprecated, it would be good not to add even more features to it, no matter how much the project needs them. Unless you find a way to exclude them from WebSQL, adding them would be bad and send the wrong message to web developers, in my opinion.
Thanks Victor for the detailed answer!From what I've learned, it seems that having two SQLite targets is the best approach here.Our project is under active development, so we can't make a complete list of required SQL features yet. So far it's only window functions, but we may need other features later. Neither can we guarantee that we'll need them forever. So making an irreversible change doesn't sound good to me in this case.We can't use system SQLite since our tool is also being built on Chromium CI.So splitting targets is the only option left. How comfortable are you with the increased maintenance cost that goes with it?
On Wed, Feb 26, 2020 at 8:43 PM Victor Costan <pwnall@chromium.org> wrote:
Long message below. TL;DR: given that we're already (unintentionally) exposing new SQLite features to WebSQL, I don't think we should let this concern block Chrometto's performance work.
On Wed, Feb 26, 2020 at 11:16 AM PhistucK <phistuck@gmail.com> wrote:
> 2) SQLite is Web-exposed via WebSQL. Once we enable a feature, disabling it is really difficult or nearly impossible.
> This isn't an issue if your use case is likely to be permanent. However, if you'll stop needing window functions in a year (for example), the project will still be paying the price to support them.Since the WebSQL API is unofficially deprecated, it would be good not to add even more features to it, no matter how much the project needs them. Unless you find a way to exclude them from WebSQL, adding them would be bad and send the wrong message to web developers, in my opinion.This is a very good point, thank you for making it!I agree that it'd be ideal to freeze the SQLite dialect exposed to WebSQL. Pragmatically though, we're not going to hold the project back to cater to WebSQL users.For instance, we'll keep updating SQLite, to mitigate security vulnerabilities. Updates bring new features, some of which cannot be disabled at build time. One such feature is generated columns, introduced in 3.31, which is now exposed to WebSQL. Also, even if new features can be disabled at build time or via DatabaseAuthorizer, the accelerated timelines imposed by some security vulnerabilities might not give us enough time to identify and disable newly introduced features.In my opinion, this is the main reason why WebSQL wasn't sustainable as a standard. Building a thin JS binding over SQLite was brilliantly pragmatic, but left the browsers stuck between the letter of the standard, which requires shipping SQLite 3.6.19, and the reality of the fact that SQLite needs to be constantly kept up to date for security reasons.So, given that we're already (unintentionally) exposing new SQLite features to WebSQL, I don't think we should let this concern block Chrometto's performance work.As an aside, SQLite was not designed to execute untrusted queries, which is what we do when we allow Web applications to talk to our implementation in Blink. We are extremely fortunate and grateful that the SQLite authors agreed to support our use case, and that they're developing patches and in-depth defenses for this use case!Victor
☆PhistucKOn Wed, Feb 26, 2020 at 8:48 PM Victor Costan <pwnall@chromium.org> wrote:
--To unsubscribe from this group and stop receiving emails from it, send an email to storage-dev+unsubscribe@chromium.org.
To unsubscribe from this group and stop receiving emails from it, send an email to storage-dev+unsubscribe@chromium.org.
As a heavy user of the SQLite that ships with Chromium, I can say that the new behaviour of shipping upgraded versions is strictly better than the standardized "stick with version X". (And anecdotally, we've spent less time debugging SQLite related changes than many of the other Chrome changes that have broken Superhuman.)It doesn't seem like an issue to me, to continue to tweak the exact flags that SQLite is compiled with (indeed it seems a lot less of an issue than two SQLite builds!), though it's unlikely that we would adopt new features until well after they've propagated to Brave and Electron.ConradP.S.I still maintain that having a standardized way to access a SQL database is good for the web. Cross-engine SQL support is a well solved problem in existing javascript frameworks, so I think that a new standard would not need to prescribe only SQLite, and definitely would not lock it to an old version.I think this because SQL is powerful, widely adopted outside the web, existing SQL implementations are mature and fast, and all browsers already ship with one for internal use (We use WebSQL at Superhuman because it is orders of magnitude faster than IndexedDB for non-trivial queries).I am excited for the WASM block-storage APIs, so that we could ship our own SQLite compiled to WASM. But in my mind that's a very clear second (slower and larger download size) to having access to this as a first class citizen.P.S. Superhuman is hiring — referral bonus for Full Stack Engineers: $1,947.
On Thu, Feb 27, 2020 at 2:12 PM, Mikhail Khokhlov <khok...@google.com> wrote:
Thanks Victor for the detailed answer!From what I've learned, it seems that having two SQLite targets is the best approach here.Our project is under active development, so we can't make a complete list of required SQL features yet. So far it's only window functions, but we may need other features later. Neither can we guarantee that we'll need them forever. So making an irreversible change doesn't sound good to me in this case.We can't use system SQLite since our tool is also being built on Chromium CI.So splitting targets is the only option left. How comfortable are you with the increased maintenance cost that goes with it?
On Wed, Feb 26, 2020 at 8:43 PM Victor Costan <pwn...@chromium.org> wrote:
Long message below. TL;DR: given that we're already (unintentionally) exposing new SQLite features to WebSQL, I don't think we should let this concern block Chrometto's performance work.
On Wed, Feb 26, 2020 at 11:16 AM PhistucK <phis...@gmail.com> wrote:
> 2) SQLite is Web-exposed via WebSQL. Once we enable a feature, disabling it is really difficult or nearly impossible.
> This isn't an issue if your use case is likely to be permanent. However, if you'll stop needing window functions in a year (for example), the project will still be paying the price to support them.Since the WebSQL API is unofficially deprecated, it would be good not to add even more features to it, no matter how much the project needs them. Unless you find a way to exclude them from WebSQL, adding them would be bad and send the wrong message to web developers, in my opinion.This is a very good point, thank you for making it!I agree that it'd be ideal to freeze the SQLite dialect exposed to WebSQL. Pragmatically though, we're not going to hold the project back to cater to WebSQL users.For instance, we'll keep updating SQLite, to mitigate security vulnerabilities. Updates bring new features, some of which cannot be disabled at build time. One such feature is generated columns, introduced in 3.31, which is now exposed to WebSQL. Also, even if new features can be disabled at build time or via DatabaseAuthorizer, the accelerated timelines imposed by some security vulnerabilities might not give us enough time to identify and disable newly introduced features.In my opinion, this is the main reason why WebSQL wasn't sustainable as a standard. Building a thin JS binding over SQLite was brilliantly pragmatic, but left the browsers stuck between the letter of the standard, which requires shipping SQLite 3.6.19, and the reality of the fact that SQLite needs to be constantly kept up to date for security reasons.So, given that we're already (unintentionally) exposing new SQLite features to WebSQL, I don't think we should let this concern block Chrometto's performance work.As an aside, SQLite was not designed to execute untrusted queries, which is what we do when we allow Web applications to talk to our implementation in Blink. We are extremely fortunate and grateful that the SQLite authors agreed to support our use case, and that they're developing patches and in-depth defenses for this use case!Victor
☆PhistucKOn Wed, Feb 26, 2020 at 8:48 PM Victor Costan <pwn...@chromium.org> wrote:
--To unsubscribe from this group and stop receiving emails from it, send an email to storage-dev...@chromium.org.
To unsubscribe from this group and stop receiving emails from it, send an email to storage-dev...@chromium.org.