[tbb-dev] fission meeting notes
Richard Pospesel
pospeselr at riseup.net
Tue Jan 28 14:01:41 UTC 2020
What fission is and why we do it:
multi-process model of gecko change
currently: each tab in own processes
fission: each 'origin' within a tab has own process
ie 1st party domain in one, iframes loading 3rd party things in another
why?
unclear if 1st-party domains in multiple tabs are same proc
for security, helping sandbox untrusted code from ads, etc
help mitigate spectre, meltdown, things of this nature
better security through process boundary woop woop
possibly better performance, but primarily security concerns driver here
Architecture:
cross-process Navigation
DocumentChannel
load starts in one proc, but we don't know where it will end (ie which content process loaded contnet needs to be run in)
Session History
thing that allows forward/back navigation
global thing per tab
currently lives in the content process
fission: moved to parent process since so child content can access it (not landed yet)
invisible change to consumers
Remote WindowProxy
needed for accessing 'windows' (like iframes) which now live in different procs
should be an invisible change to consumers
chrome code can no longer use 'x-ray vision' to change internal thingies
Browsing Context and Window Context
nsIDocShellTreeItem
cannot be used post-fission world as things are corss-proc
relevant methods renamed with 'InProcess' 'InChildAt' suffixes
WindowContexts
like BrowsingContext, but not persistent across navigation
SyncedContext
handles syncing of context state IPC
Browsing Context Group
'closure' of all reachable browsing contexts
list of all 'reachable' browsing contexts
Syncing state:
FIELD macro allows for syncing state between contexts, implication that it is SAFE to share data between contexts
CanSet, DidSet methods can be overwridden
If you do not implement CanSet, then procs will all have write access by default
Do not add new state to nsDocShell
determine if state needs to survive navigation
if so use BrowsingContext
if not use WindowContext
Do not need to necessarily check principles everywhere
if a browser context does not have a principle, that implies it is different from yours
JS Window Actors
registered in a few places (damn you fast slides)
grep for JSWindowActorChild/JSWindowActorParent
Window Actors only receive messages from their child/parent so don't need to namespace your messages (ie: Foo:FunMessage becomes FunMessage)
Schedule
MVP start 2021
until then feature-based milestones
M5 -> Nightly dogfoodable with fission
M6 -> Enable for small % of Nightly users
Contacts:
Dev Lead: Nika Layzell <nika at mozilla.com>
#fission channels on Slack and Matrix
Q&A:
Will fission be mandatory when everything is finished? -> Short story Yes, Long story No
We're not going to add a 'make my security worse' button to about:preferences for users
Basically we can't expect process allocation model to be as described above on all platforms
Android for instance has a cap on # of procs
Also constrained platforms in terms of memory so lots of procs might suck
Interesting fact, on android chromium isolates based on login credentials existing (ie if you have credentials for a site then it should be in its' own proc)
tldr: don't write code with the assumption that the implmentation details are exaclty as described
What are the potential perf benefits?
Parellelism (duh)
tldr; it's complicated (in ways you'd expect from talking about multi-process perf) so i won't go into every point in these notes, but it's *potentially* a win for some scenarios
interestingly, switching tabs is faster as we only have to wait for the top-level content process to finish painting, so child iframes we don't have to wait to finish
Question about security principles and some discussion about it:
Don't spray principles around everywhere anymore
The general assumption now for objects that if you don't have access to a thing, then you are not allowed to read/write it
To test fission:
prefs:
fission.autostart
gfx.webrender.all
Links:
docs: https://firefox-source-docs.mozilla.org/dom/Fission.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tbb-dev/attachments/20200128/7ea6448d/attachment.sig>
More information about the tbb-dev
mailing list