Here are my attempts at answers.
On 7/12/13 10:51 AM, Josh Matthews wrote:
> * Are there viability criteria? How much better (performance-wise) than
> other engines does Servo have to be considered worth continued investment?
No idea. There are both security and performance wins, so both must be
considered.
> * What are the expectations of parallel wins relative to Gecko? Where
> are the wins, and how much?
Leo Meyerovich's work (Fast and Parallel Webpage Layout) has some
numbers on the parallel speedups he measured (see section 5.4,
Performance Evaluation):
http://www.eecs.berkeley.edu/~lmeyerov/projects/pbrowser/pubfiles/playout.pdf
> * What's the timeline for determining viability?
Hard to estimate at this stage; as much as possible we're trying to get
early numbers, but of course we have to ensure that our numbers mean
something. (A browser that does nothing will be very fast, but that
number doesn't mean much!)
In general we've been finding that our small microbenchmarks, such as
the time spent performing synchronous message sends (discussed later),
are encouraging, but until most of the pieces (for example, pure-Rust
CSS selector matching and dirty bits for reflow) are in, the numbers
will not be competitive with Gecko, for the simple reason that the
layout engine is incomplete.
> * What is the plan to handle cycles between the DOM and JS?
The JavaScript garbage collector handles all DOM objects, so the JS
garbage collector will trace all DOM-JS cycles and clean them up.
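To illustrate the idea (hypothetical type and trait names, not Servo's
actual bindings, and in present-day Rust syntax): each DOM node exposes
a trace hook that the JS garbage collector calls while marking, so a
cycle that runs through both JS objects and DOM nodes is visible to a
single collector and can be reclaimed as a unit.

    // Hypothetical illustration of a GC trace hook; these names are
    // not Servo's real DOM bindings.
    struct JsTracer {
        marked: Vec<String>, // stands in for the JS GC's mark set
    }

    trait Traceable {
        // The JS garbage collector calls this when marking the object.
        fn trace(&self, tracer: &mut JsTracer);
    }

    struct Node {
        js_wrapper: String, // handle to the JS object reflecting this node
        children: Vec<Node>,
    }

    impl Traceable for Node {
        fn trace(&self, tracer: &mut JsTracer) {
            // Report this node's JS wrapper and recurse into the subtree,
            // so DOM-JS cycles are fully visible to one collector.
            tracer.marked.push(self.js_wrapper.clone());
            for child in &self.children {
                child.trace(tracer);
            }
        }
    }

    fn main() {
        let body = Node { js_wrapper: "body".to_string(), children: vec![] };
        let doc = Node {
            js_wrapper: "window.document".to_string(),
            children: vec![body],
        };
        let mut tracer = JsTracer { marked: Vec::new() };
        doc.trace(&mut tracer);
        println!("marked {} wrappers", tracer.marked.len());
    }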
> * Do same-origin pages that can't communicate synchronously need to be
> on the same script task? (scenario: two tabs pointing at google.com
> properties)
No. Chromium uses separate processes for these, and the plan, as far as
I understand it, is to do the same with tasks/processes.
> * What's the status of allocating DOM objects on the JS heap and/or
> using the JS GC for the DOM task?
The DOM task doesn't use `@` pointers very much, but where it does,
they're in the Rust heap and can't have strong references to DOM nodes
(other than the root of the document).
> * Are we ignoring the major known issue on the web (synchronous layout
> operations) in favour of fixing the less important ones? (mentioned
> running GC during sync layout; audience not particularly impressed)
I wouldn't say we're ignoring them; we've talked about prototyping, and
proposing for standardization, asynchronous layout operations (e.g.
getBoundingClientRectAsync). Running GC during sync layout is for
helping extant Web content; ideally the Web shouldn't be blocking on
layout operations in the first place, and Servo can help it get there.
> * Could we "freeze" background pages (on a language level?) and unload
> them in order to conserve memory and avoid extra processing work, with
> the expectation of resurrecting them later as needed?
Rust does have good support for serializing object graphs, so this is
potentially feasible. However, the JS engine is a question mark here:
work would probably need to be done to serialize the JS state of a page.
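As a toy sketch of the freeze/resurrect idea (hypothetical struct and
fields, in present-day Rust, and deliberately ignoring the hard part,
which is the JS engine's state), the Rust-side state of a page could be
flattened to bytes and rebuilt later on demand:

    // Toy sketch: freeze a page's Rust-side state to bytes, thaw later.
    // Real pages would also need the JS heap serialized, which is the
    // open question mentioned above.
    #[derive(Debug, PartialEq)]
    struct FrozenPage {
        url: String,
        scroll_offset: u32,
    }

    fn freeze(page: &FrozenPage) -> Vec<u8> {
        // Length-prefix the URL, then append the scroll offset.
        let mut bytes = Vec::new();
        bytes.extend_from_slice(&(page.url.len() as u32).to_le_bytes());
        bytes.extend_from_slice(page.url.as_bytes());
        bytes.extend_from_slice(&page.scroll_offset.to_le_bytes());
        bytes
    }

    fn thaw(bytes: &[u8]) -> FrozenPage {
        let url_len = u32::from_le_bytes(bytes[0..4].try_into().unwrap());
        let url_end = 4 + url_len as usize;
        let url = String::from_utf8(bytes[4..url_end].to_vec()).unwrap();
        let tail: [u8; 4] = bytes[url_end..url_end + 4].try_into().unwrap();
        FrozenPage { url, scroll_offset: u32::from_le_bytes(tail) }
    }

    fn main() {
        let page = FrozenPage {
            url: "https://example.com".to_string(),
            scroll_offset: 120,
        };
        let frozen = freeze(&page);      // page unloaded; only bytes kept
        let resurrected = thaw(&frozen); // rebuilt later, on demand
        assert_eq!(page, resurrected);
    }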
> * How can we handle individual task failure, such as layout/rendering?
> Could we recover by spawning a new task, or do we need to create a whole
> pipeline from scratch?
We should be able to recover by spawning a new task.
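Roughly, the recovery model looks like this (a hedged sketch in
present-day Rust, with OS threads standing in for Servo's tasks): a
supervising loop notices that the worker panicked and spawns a
replacement, instead of tearing down the whole pipeline.

    use std::thread;

    // Hypothetical stand-in for a layout/render task's main loop.
    fn layout_task_main(generation: u32) {
        if generation == 0 {
            // Simulate a failure in the first incarnation of the task.
            panic!("layout task failed");
        }
        println!("layout task (generation {generation}) running normally");
    }

    fn main() {
        let mut generation = 0;
        loop {
            let handle = thread::spawn(move || layout_task_main(generation));
            match handle.join() {
                // join() returns Err if the task panicked; recover by
                // respawning a fresh task.
                Err(_) => {
                    println!("task failed; spawning a replacement");
                    generation += 1;
                }
                Ok(()) => break, // task completed cleanly
            }
        }
    }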
> * Is abortable layout being considered for short-circuiting in-progress
> operations when new results are needed?
We've thought about it, but it isn't currently being done.
> * If compositing ends up happening no sooner than Gecko (ie. we're still
> a sequential pipeline starting from layout), aren't we wasting effort
> being parallel (more cores, more work, same amount of time)?
If we don't use the pipelining, it's true that it's a loss. But the
hypothesis is that pipelining will kick in enough for it to be useful:
we want to allow e.g. script to run while layout is running, or for
layout to be able to return to script while Azure is rendering the new
tiles for display.
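Here is a minimal sketch of that kind of pipelining (hypothetical stage
names, with OS threads and channels in present-day Rust, not Servo's
actual task structure): script hands a frame to layout and keeps
running, layout hands a display list to the renderer and likewise keeps
going, so the stages overlap instead of running strictly one after
another.

    use std::sync::mpsc;
    use std::thread;

    fn main() {
        // script -> layout -> render, each stage on its own thread.
        let (to_layout, layout_inbox) = mpsc::channel::<String>();
        let (to_render, render_inbox) = mpsc::channel::<String>();

        let layout = thread::spawn(move || {
            for dom_snapshot in layout_inbox {
                // While layout works on frame N, script is already free
                // to start producing frame N + 1.
                let display_list = format!("display list for {dom_snapshot}");
                to_render.send(display_list).unwrap();
            }
        });

        let render = thread::spawn(move || {
            for display_list in render_inbox {
                // Likewise, rendering frame N overlaps with layout of
                // frame N + 1.
                println!("rendering: {display_list}");
            }
        });

        // The "script task": sends work and immediately moves on.
        for frame in 0..3 {
            to_layout.send(format!("frame {frame}")).unwrap();
        }
        drop(to_layout); // close the pipeline so the stages shut down

        layout.join().unwrap();
        render.join().unwrap();
    }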
> * Do we have data showing how many security bugs we could be avoiding in
> Servo in comparison to Gecko? Is the security benefit truly as valuable
> if expected performance benefits don't pan out?
We've been talking to some members of the security team (Jesse, Brian).
In general the main class of security vulnerabilities that Rust offers a
layer of defense against is memory safety problems in layout, rendering,
and compositing code. Use-after-free is the big one here, but there are
others. I'm not in the security group so I can't run the numbers myself,
but I am told this constitutes a large class of security vulnerabilities.
The Pwn2Own and Pwnium results demonstrate, at least to me, that memory
safety is still valuable even in the presence of intricate sandboxing.
We need defense in depth, and Rust's type system provides a strong layer
of defense for new code.
Servo is *also* designed to be amenable to OS sandboxing, so that
processes compromised via unsafe code or the JIT can be stopped from
taking over the system. In general, although we don't have fine-grained
sandboxing today, we try to specify the interface so that we can add
process-level sandboxing in the future and keep most of the code intact.
Rust's type system helps a lot here by carefully circumscribing where
memory can be shared. Single-process, shared-nothing message-passing
designs should be readily portable to multi-process designs.
Of course, Gecko can do the latter with e10s, but the viability of e10s
is not certain on desktop, as I understand things (though please correct
me if I'm wrong).
> * For cases with lots of synchronous layout, could there be a way to run
> layout and script sequentially, same-task, such that no async
> message-passing is necessary?
Well, if you did it as written, you would then need to migrate the
render tree to another thread in the asynchronous case.
However, Brian has been doing a lot of work in the Rust runtime to
achieve the benefits of this. In the new scheduler, synchronously
sending a message to a sleeping task immediately switches to that task
*on the same OS thread*, without a trip through the OS kernel or Rust
scheduler. This significantly improves message passing performance in
the synchronous case. (IIRC the early, unoptimized numbers in the new
scheduler were on the order of a couple of microseconds, which is
dwarfed by the time actually spent to do the layout, and they should be
improvable.)
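For context on what that microbenchmark measures, here is a hedged
sketch (present-day Rust with std channels and OS threads; it does not
reproduce the same-OS-thread switch described above, only the shape of
the measurement): time many synchronous request/reply round trips
between two tasks and report the average.

    use std::sync::mpsc;
    use std::thread;
    use std::time::Instant;

    fn main() {
        // "script" pings, the "layout" thread pongs; each iteration is
        // one synchronous request/response round trip between two tasks.
        let (ping_tx, ping_rx) = mpsc::channel::<u64>();
        let (pong_tx, pong_rx) = mpsc::channel::<u64>();

        let layout = thread::spawn(move || {
            for msg in ping_rx {
                pong_tx.send(msg).unwrap();
            }
        });

        let iterations = 100_000u64;
        let start = Instant::now();
        for i in 0..iterations {
            ping_tx.send(i).unwrap();
            pong_rx.recv().unwrap(); // block until the reply arrives
        }
        let elapsed = start.elapsed();
        println!(
            "average round trip: {:.2} us",
            elapsed.as_secs_f64() * 1e6 / iterations as f64
        );

        drop(ping_tx); // close the channel so the "layout" thread exits
        layout.join().unwrap();
    }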
> * Can we have more traffic on dev-servo for people who want to follow
> what's going on? (one suggestion: posting links to meeting notes every
> week)
Sure, we absolutely should do that.
Patrick