1. 50
  1.  

  2. 31

    at this point most browsers are OS’s that run (and build) on other OS’s:

    • language runtime - multiple checks
    • graphics subsystem - check
    • networking - check
    • interaction with peripherals (sound, location, etc) - check
    • permissions - for users, pages, sites, and more.

    And more importantly, is there any (important to the writers) advantage to them becoming smaller? Security maybe?

    1. 11

      Browsers rarely link out to the system. FF/Chromium have their own PNG decoders, JPEG decoders, AV codecs, memory allocators or allocation-abstraction layers, etc. etc.

      It bothers me that everything now ships as an Electron app. Do we really need every single app to have the footprint of a modern browser? Can we at least limit them to the footprint of Firefox 2?

      1. 10

        but if you limit it to the footprint of firefox2 then computers might be fast enough. (a problem)

        1. 2

          New computers are no longer faster than old computers at the same cost, though – Moore’s law ended in 2005 and consumer stuff has caught up with the lag. So, the only speed-up from replacement is from clearing out bloat, not from actual hardware improvements in processing speed.

          (Maybe secondary storage speed will have a big bump, if you’re moving from hard disk to SSD, but that only happens once.)

          1. 3

            Moore’s law ended in 2005 and consumer stuff has caught up with the lag. So, the only speed-up from replacement is from clearing out bloat, not from actual hardware improvements in processing speed.

            Are you claiming there have been no speedups due to better pipelining, out-of-order/speculative execution, larger caches, multicore, hyperthreading, and ASIC acceleration of common primitives? And the benchmarks magazines post showing newer stuff outperforming older stuff were all fabricated? I’d find those claims unbelievable.

            Also, every newer system I’ve had since 2005 was faster. I recently had to use an older backup machine. Much slower. Finally, performance isn’t the only thing to consider: newer process nodes use less energy and give smaller chips.

            1. 2

              I’m slightly overstating the claim. Performance increases have dropped from exponential to incremental, and now come from piecemeal optimization tricks that can only really be done once, chasing gains that were once a straightforward result of increased circuit density.

              Once we’ve picked all the low-hanging fruit (simple optimization tricks with major & general impact) we’ll need to start seriously milking performance out of multicore and other features that actually require the involvement of application developers. (Multicore doesn’t affect performance at all for single-threaded applications or fully-synchronous applications that happen to have multiple threads – in other words, everything an unschooled developer is prepared to write, unless they happen to be mostly into unix shell scripting or something.)
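
              To make the “requires developer involvement” point concrete, here’s a minimal sketch (plain C with POSIX threads; the program is mine, purely illustrative) of the explicit work-splitting multicore demands – without something like this, the extra cores just sit idle:

                  /* Sum an array by giving each thread its own slice.
                   * Compile with: cc -pthread sum.c */
                  #include <pthread.h>
                  #include <stdio.h>

                  #define NTHREADS 4
                  #define N 1000000

                  static long data[N];
                  static long partial[NTHREADS];

                  static void *worker(void *arg) {
                      long id = (long)arg;
                      long lo = id * (N / NTHREADS), hi = lo + N / NTHREADS;
                      for (long i = lo; i < hi; i++)
                          partial[id] += data[i];    /* each thread touches only its slice */
                      return NULL;
                  }

                  int main(void) {
                      pthread_t t[NTHREADS];
                      for (long i = 0; i < N; i++) data[i] = 1;
                      for (long i = 0; i < NTHREADS; i++)
                          pthread_create(&t[i], NULL, worker, (void *)i);
                      long total = 0;
                      for (long i = 0; i < NTHREADS; i++) {
                          pthread_join(t[i], NULL);  /* combine only after workers finish */
                          total += partial[i];
                      }
                      printf("total = %ld\n", total);
                      return 0;
                  }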

              Moore’s law isn’t all that matters, no. But it matters a lot with regard to whether we can reasonably expect to defend practices like Electron apps on the grounds that we can maintain current responsiveness while making everything take more cycles. The era where the same slow code could be guaranteed to run faster on next year’s machine, without any effort on the part of developers, is over.

              As a specific example: I doubt that even in ten years, a low-end desktop PC will be able to run today’s version of Slack with reasonable performance. There is no discernible difference in its performance between my two primary machines (both low-end desktop PCs, one from 2011 and one from 2017). There isn’t a perpetually rising tide that makes all code more performant anymore, and the kind of bookkeeping that most web apps spend their cycles in doesn’t have specialized hardware accelerators the way matrix arithmetic does.

              1. 5

                Performance increases have dropped from exponential to incremental, and now come from piecemeal optimization tricks that can only really be done once, chasing gains that were once a straightforward result of increased circuit density.

                I agree with that totally.

                “Multicore doesn’t affect performance at all for single-threaded applications”

                Although largely true, people often forget one way multicore can boost single-threaded performance: simply letting the single-threaded app have more time on a CPU core, since other stuff is running on another. Some OS’s, esp RTOS’s, let you control which cores apps run on specifically to exploit that. I’m not sure if desktop OS’s have good support for this right now, though. I haven’t tried it in a while.
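
                On Linux, for instance, the mechanism is CPU affinity. A minimal sketch (glibc-specific, error handling trimmed; how much it helps depends on what else the scheduler puts on that core):

                    /* Pin the current process to core 0 so a single-threaded
                     * hot path keeps one core mostly to itself.  Other processes
                     * can still land there unless the kernel reserves the core
                     * (e.g. the isolcpus boot parameter). */
                    #define _GNU_SOURCE
                    #include <sched.h>
                    #include <stdio.h>

                    int main(void) {
                        cpu_set_t set;
                        CPU_ZERO(&set);
                        CPU_SET(0, &set);                       /* allow CPU 0 only */
                        if (sched_setaffinity(0, sizeof(set), &set) != 0) {
                            perror("sched_setaffinity");
                            return 1;
                        }
                        /* ... single-threaded workload runs here, on core 0 ... */
                        return 0;
                    }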

                “There isn’t a perpetually rising tide that makes all code more performant anymore, and the kind of bookkeeping that most web apps spend their cycles in doesn’t have specialized hardware accelerators the way matrix arithmetic does.”

                Yeah, all the ideas I have for it are incremental. The best illustration of where the rest of the gains might come from is Cavium’s Octeon line. They have offloading engines for TCP/IP, compression, crypto, string ops, and so on. On the rendering side, Firefox is switching to GPUs, which will take time to fully utilize. On the JavaScript side, maybe JITs could get a small, dedicated core. So there’s still room for speeding the Web up in hardware. Just not Moore’s-law gains without developer effort, like you were saying.

      2. 9

        Although you partly covered it, I’d say “execution of programs” is good wording for JavaScript, since it matches browser and OS usage. There are definitely advantages to them being smaller. A guy I knew even deleted a bunch of code out of his OS and Firefox to achieve that, on top of a tiny backup image. Dude had a WinXP system full of working apps that fit on one CD-R.

        As far as secure browsers go, I’d start with designs from high-assurance security, bringing in mainstream components carefully. Some are already doing that; an older one inspired Chrome’s architecture. I have a list in this comment. I’ll also note that there were few of these, because high-assurance security defaulted to just putting a browser in a dedicated partition, isolated from other apps on top of a security-focused kernel. One browser per domain of trust. Also common were partitioned network stacks and filesystems that limited the effect one partition’s use of them had on the others. QubesOS and GenodeOS are open-source projects that support this approach, with QubesOS having great usability/polish and GenodeOS being architecturally closer to the high-security designs.

        1. 6

          Are there simpler browsers optimised for displaying plain ol’ hyperlinked HTML documents that also support modern standards? I don’t really need 4 tiers of JIT and whatnot to make web apps go fast, since I don’t use them.

          1. 12

            I’ve always thought one could improve on a Dillo-like browser for that. I also thought compile-time programming might make various components in browsers optional, letting you actually tune them to the amount of code or attack surface you need. That would require lots of work for mainstream engines, but a project like Dillo might pull it off.
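
            A rough sketch of the compile-time idea (plain C preprocessor; the feature flag and function names are invented here, not from Dillo):

                /* Whole subsystems compile away unless explicitly requested,
                 * shrinking both the binary and the attack surface. */
                #include <stdio.h>

                #ifdef ENABLE_JS                 /* build with -DENABLE_JS to opt in */
                static void run_scripts(const char *url) {
                    printf("running scripts for %s\n", url);
                }
                #else
                static void run_scripts(const char *url) {
                    (void)url;                   /* no JS engine linked at all */
                }
                #endif

                int main(void) {
                    run_scripts("http://example.com/");
                    return 0;
                }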

            1. 10

              There’s NetSurf: https://www.netsurf-browser.org/

              1. 3

                Oh yeah, I have that on a Raspberry Pi running RISC OS. It’s quite nice! I didn’t realise it runs on so many other platforms. Unfortunately it just crashes on my main machine; I will investigate. Thanks for reminding me that it exists.

                1. 2

                  Fascinating; how had I never heard of this before?

                  Or maybe I had and just assumed it was a variant of suckless surf? https://surf.suckless.org/

                  Looks promising. I wonder how it fares on keyboard control in particular.

                  1. 1

                    Aw hell; they don’t even have TLS set up correctly on https://netsurf-browser.org

                    Does not exactly inspire confidence. Plus there appears to be no keyboard shortcut for switching tabs?

                    Neat idea; hope they get it into a usable state in the future.

                  2. 1

                    AFAIK, it doesn’t support “modern” non-standards.

                    But it doesn’t support JavaScript either, so it’s way more secure than mainstream ones.

                  3. 8

                    No. Modern web standards are too complicated to implement in a simple manner.

                    1. 3

                      Either KHTML or Links is what you’d like. KHTML would probably be the smallest browser you could find with a working, modern CSS, JavaScript and HTML5 engine. Links only does HTML <=4.0 (including everything implied by its <img> tag, but not CSS).

                      1. 2

                        I’m pretty sure KHTML was taken to a farm upstate years ago, and replaced with WebKit or Blink.

                        1. 6

                          It wasn’t “replaced”: Konqueror supports all KHTML-based backends, including WebKit, WebEngine (Chromium) and KHTML. KHTML still works relatively well for showing modern web pages according to HTML5 standards and fits OP’s description perfectly. Konqueror allows you to choose your browser engine per tab, and even switch on the fly, which I think is really nice, although it means keeping every engine you’re currently using loaded in memory.

                          I wouldn’t say development is still very active, but it’s still supported in KDE Frameworks: they still make sure that it builds, at least, along with the occasional bug fix. Saying that it was replaced is an overstatement. Most KDE distributions do ship other browsers by default, though, if any, and I’m pretty sure Falkon is set to become KDE’s browser these days, which is basically an interface to WebEngine.

                      2. 2

                        A growing part of my browsing is now text-mode browsing. Maybe you could treat full graphical browsing as an exception and go to the minimum footprint most of the time…

                    2. 4

                      And more importantly, is there any (important to the writers) advantage to them becoming smaller? Security maybe?

                      user choice. rampant complexity has restricted your options to 3 rendering engines, if you want to function in the modern world.

                      1. 3

                        When reimplementing malloc and testing it out on several applications, I found out that Firefox (at the time – I don’t know if this is still true) had its own internal malloc. It was allocating a big chunk of memory at startup and then managing it itself.

                        Back then I thought this was a crazy idea for a browser, but in fact it follows exactly the idea of your comment!
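
                        The basic shape of “grab a big chunk at startup and manage it yourself” is something like this bump allocator (my own minimal sketch, names invented; Firefox’s real allocator is far more sophisticated):

                            #include <stddef.h>
                            #include <stdlib.h>

                            static char  *arena;             /* one big chunk grabbed at startup */
                            static size_t arena_cap, arena_off;

                            int arena_init(size_t cap) {
                                arena = malloc(cap);         /* the only call to the system allocator */
                                arena_cap = cap;
                                arena_off = 0;
                                return arena != NULL;
                            }

                            void *arena_alloc(size_t n) {
                                n = (n + 15) & ~(size_t)15;  /* keep 16-byte alignment */
                                if (arena_off + n > arena_cap)
                                    return NULL;             /* a real allocator would grow or recycle */
                                void *p = arena + arena_off;
                                arena_off += n;
                                return p;
                            }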

                        1. 3

                          Firefox uses a fork of jemalloc by default.

                          1. 2

                            IIRC this was done somewhere between Firefox 3 and Firefox 4 and was a huge speed boost. I can’t find a source for that claim though.

                            Anyway, there are good reasons Firefox uses its own malloc.

                            Edit: apparently I’m bored and/or like archeology, so I traced back the introduction of jemalloc to this hg changeset. This changeset is present in the tree for Mozilla 1.9.1 but not Mozilla 1.8.0. That would seem to indicate that jemalloc landed in the 3.6 cycle, although I’m not totally sure because the changeset description indicates that the real history is in CVS.
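
                            One practical upside of shipping your own allocator is introspection. A minimal sketch against jemalloc’s mallctl API (assuming an unprefixed jemalloc built with stats enabled, linked via -ljemalloc):

                                #include <stdint.h>
                                #include <stdio.h>
                                #include <stdlib.h>
                                #include <jemalloc/jemalloc.h>

                                int main(void) {
                                    void *p = malloc(1 << 20);  /* served by jemalloc */
                                    uint64_t epoch = 1;
                                    size_t allocated, len = sizeof(allocated);
                                    /* stats are cached; bump the epoch to refresh them */
                                    mallctl("epoch", NULL, NULL, &epoch, sizeof(epoch));
                                    if (mallctl("stats.allocated", &allocated, &len, NULL, 0) == 0)
                                        printf("live heap bytes: %zu\n", allocated);
                                    free(p);
                                    return 0;
                                }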

                        2. 3

                          In my daily job, this week I’m working on patching a modern JavaScript application to run on older browsers (IE10, IE9 and IE8 + GCF 12).

                          The hardest problems are due to the differing implementation details of the same-origin policy.

                          The funniest problem has been one of the frameworks in use having “native” as a variable name – a future reserved word in ES3, so older engines reject it as an identifier. When people speak about the good parts of JavaScript, I know they don’t know what they are talking about.

                          BTW, if browser complexity addresses a real problem (instead of being a DARPA weapon to get control of foreign computers), that problem is the distribution of computation across long distances.

                          That problem was not addressed well enough by operating systems, despite some mild attempts, such as Microsoft’s CIFS.

                          This is partially a protocol issue, as NFS, SMB and 9P were all designed with local networks in mind.

                          However, IMHO browser OSs are not the proper solution to the issue: they are designed for different goals, and they cannot abandon those goals without losing market share (unless they retain that share through weird marketing practices, as Microsoft did years ago with IE on Windows and as Google is currently doing with Chrome on Android).

                          We need better protocols and better distributed operating systems.

                          Unfortunately it’s not easy to create them.
                          (Disclaimer: browsers as OS platforms and JavaScript’s ubiquity are among the strongest reasons that make me spend countless nights hacking on an OS.)

                        3. 33

                          I remember a conversation at work that went something like this:

                          Coworker: “Did you see the latest Firefox download? It’s like 40MB.”

                          Young coworker: “That’s the size of a small operating system!”

                          Me: “That’s the size of a large operating system. I’m old.”

                          (Yes, I did a “young whippersnapper” comment. Yes, I’m old.)

                          1. 9

                            One example I gave in a conversation about application-specific VM OS’s was Solo, weighing in at 39K words of memory (see p. 11). A cloud VM would need a few more things that would push the KBs up. The core can be really small. That one also had some sequential and concurrency safety through the Pascal variants he used.

                            For desktop and/or GUI, the QNX Demo Disc is still the coolest if aiming for many requirements at once.

                          2. 15

                              Rust in 7th place with 1 million LOC is actually pretty cool for Firefox! Didn’t think it had taken over that much already.

                            1. 8

                              All of the times I’ve upgraded my personal computer in the last two decades have been because my web browser, of all things, got slow to the point of annoyance. Didn’t need better graphics, a bigger disk, or more RAM for VMs at all. Just faster browsing.

                              I don’t know how much I trust this “cloc” tool, though. I’ve used it a few times and found it to be sometimes wildly inaccurate. (I mean, even considering what a generally useless metric “lines of code” is anyway.) For example, I’m going to be quite surprised if either Chrome or Firefox has any Visual Basic, C Shell, Tcl/Tk, or Pascal in it.

                              Or, if they do, it would be more interesting to know what those files are for.

                              1. 3

                                My guess is that the dependencies are bundled in the repo, and that’s where all the other stuff that seems out of place comes from.

                                1. 1

                                  Also, cloc just guesses based on file extension. I have a project I check with it which has a bunch of intermediate .d clang build files, and if I don’t clean those out first it thinks I’m writing loads of D. But otherwise, in terms of actual counting and speed, cloc seems pretty good for me anyway.

                              2. 4

                                I don’t really understand the huge variety of languages in these things. Chromium is mostly C/C++, okay. And I suppose they need some JS around for internal UI stuff. I suppose it makes sense to have some Python in there too for build automation or something. But why do they need Python and Ruby and Perl and PHP? And Lisp and Go and Scheme and R and Powershell and Sed and so on? I have to wonder if there are good reasons for all that, or if these projects need some language synchronization.

                                1. 20

                                  But why do they need Python and Ruby and Perl and PHP?

                                  An attempt at an explanation:

                                  Python

                                  Most integration test running infrastructure inherited from WebKit was written in and continues to be written in Python. You can see this lineage comparing Chromium and WebKit’s source trees:

                                  All Python files: https://cs.chromium.org/search/?q=lang:%5Epython$&p=2&sq=package:chromium&type=cs

                                  Ruby

                                  One thing we used Ruby for was a tiny utility for formatting patch files. We just replaced it (CL). There are some other random files.

                                  All Ruby files: https://cs.chromium.org/search/?q=lang:%5Eruby$&sq=package:chromium&type=cs

                                  Perl

                                  Chromium actually vendors in a copy of the Perl language.

                                  All Perl files: https://cs.chromium.org/search/?q=lang:%5Eperl$&sq=package:chromium&type=cs

                                  PHP

                                  Many manual tests are written in PHP since (for better or worse) it’s easy.

                                  All PHP files: https://cs.chromium.org/search/?q=lang:%5EPHP$&sq=package:chromium&type=cs

                                  Other languages

                                  or if these projects need some language synchronization

                                  Contributions welcome! :)

                                  (but seriously, if you are interested, I’m at jeffcarp@chromium.org for any questions)

                                  To try to answer the question more directly: code gets written in many languages and it takes SWE hours to rewrite it in a different language. If you’re choosing between investigating a P1 bug and rewriting something that already works in a different language, time usually gets spent on the P1 bug.

                                  (source: I work on the Chrome infrastructure team)

                                  1. 8

                                    Those .cl files appear to be OpenCL code rather than Common Lisp.

                                    1. 5

                                      Oo good catch, thx - updated my reply. I can find some Emacs Lisp in the codebase but I can’t find any Common Lisp 🤔.

                                    2. 5

                                      On Scheme code in V8: V8 implements a fast floating-point formatting algorithm (Grisu) which is relatively recent (2010, IIRC), hence likely to be faster than the system printf. As I understand it, the Scheme code is directly from the paper.

                                      1. 3

                                        Looks like a lot of the perl is part of lcov. That was some interesting reading.

                                        1. 2

                                          Interesting, thanks for finding all of that! Looks like Chromium has a lot more third-party libs and testing infrastructure than I thought.

                                          I may just take a look at some of the open-source infrastructure there, though I doubt I’ll have the time or energy to try and make contributions.

                                      2. 2

                                        So Chromium + Mozilla account for 57 MLOC together, including comments and empty lines. Quite tiny compared to the billions of lines of legacy COBOL code we hear about!

                                        1. 1

                                          I doubt there are literally billions of COBOL lines ever written. No, deploying one package to more nodes doesn’t count, sorry.

                                          IOW, [citation needed]

                                          1. 1

                                            Exactly – it’s just that this claim gets thrown around tech forums so much.

                                        2. 1

                                          The document doesn’t state where these clones come from. Are the Firefox numbers from a mozilla-central clone? Because if so, it’s also including lots of code for Thunderbird and Lightning at least, and probably lots of legacy stuff like XULRunner, etc. – the list goes on.