JEmalloc is a highly scalable memory allocator made by Jason Evans. This is the default allocator of the FreeBSD operating system and Firefox's Linux/Windows versions, but how does it perform in WebKit?
February 02, 2010
How to improve Webkit performance?
Trolltech Labs
Like for the other parts of Qt, having great performance is important for QtWebKit.
Traditionally, QtWebKit has been mostly used on desktop computers for advanced layouting, hybrid applications or simply to browse the web. On a modern computer, the speed of WebKit is not a problem.
The world has changed, and QtWebKit is now used on mobile phones running Maemo, Symbian or Windows CE, and it is more and more used in embedded application on various devices.
Working on what matters
To improve the performance of WebKit, we works with benchmarks. Those benchmarks are used as use cases when profiling WebKit and to evaluate the gain of our patches.
Those benchmarks and the tools are available on Gitorious, in the QtWebkit performance repository.
WebKit gives a lot of possibilities, and we try to focus our work on what matters. For the performance work, we use real webpages, and look for ways to improve WebKit in the way it is used on the Web.
How we benchmark WebKit
The performance suite has three kinds of tools:
- host tools: to manage the data used by the benchmarks
- tests: the benchmarks
- reductions: some benchmarks for specific components of WebKit
Let’s have a look at the tools and the tests. The full documentation of the performance suite is on the WebKit’s wiki.
Mirroring the web
For the benchmark, we do not want to access Internet directly. We want to compare the results from one run to the other, so we don’t want the pages to change arbitrarily. Using the Web for benchmarking would also create an important load on the servers.
To use real pages without going online, we create databases of web pages with the mirror application:
Those databases are snapshots of webpages at a given point in time, and they are used as input of the benchmarks.
The mirror application uses WebKit to load the pages and intercept all network requests. This means the database also includes resources that are loaded lazily via Javascript.
Using the benchmarks
There are two ways to exploit the databases with the benchmark: the online and offline modes. The difference lies in the way we provide the database’s content to the benchmarks:
In the “online mode“, we use a basic web server to serve the database over HTTP. The benchmarks use the complete stack to load pages, as they would if we were loading the page from Internet.
In the “offline mode“, the database is loaded directly by the benchmarks and is used as the source of data. In that case, the network is not involved. This mode is mostly useful for the benchmarks that do not involve the network (like measuring the rendering speed).
What is measured
The benchmark suite is still a work in progress. Currently, there are benchmarks for:
- the page loading performance (with or without rendering)
- the rendering performance
- the scrolling performance
How you can use that?
If you use WebKit, and are interested in great performance, you can use the performance suite to profile the use case you are interested in, and optimize those cases.
If you evaluate the use of WebKit for embedded, you can use the benchmark to evaluate how good WebKit performs on the hardware.
If you make patches for WebKit’s performance, have a look on how to contribute. You can also join us on IRC in #qtwebkit on freenode.
February 01, 2010
Nate Chapin is now a WebKit reviewer!
Surfin’ Safari
Nate got his start in WebKit with helping to upstream Javascript bindings for the Chromium port into WebKit. During that work, he learned much about WebKit style as well as getting to know the bindings quite well. Since then, he continued to do a prodigious amount with the bindings and improved them in many ways. In addition, he also added noreferrer support and fixed bugs in a variety of areas such as the loader and plugin scripting.
Please join me in congratulating Nate on his reviewer status!
Last week (4) in QtWebKit trunk
Trolltech Labs
Hi!
Here’s the weekly summary of Qt related changes to WebKit trunk. Big changes include Yael’s patch for WebSockets support, the beginnings of QtScript on top of JavaScriptCore’s C API, Maemo 5 tweaks and layout test fixes:
- Janne added the necessary meta-data to make QtWebKit play nicely with Symbian backups (34077).
- I did some code cleanups in RenderThemeQt and fixed a bug with combo boxes not showing up in Maemo5 (34088).
- Holger fixed a regression in the JavaScript prompt handling (30914).
- Jedrzej landed the first files for building QtScript on top of JavaScriptCore’s C API (32565).
- Diego added history support to the Qt DRT, we now pass the
http/tests/historylayout tests! (34167) - Daniel fixed a bug with the height of button elements (29564).
- Kent fixed support for ES5 style introspection with QMetaObject methods (34087).
- Yael implemented the Qt part of WebSocket support, we now pass
websocket/testsin the layout tests (34180). - Diego fixed more worker layout tests by adding support for counting worker threads in the Qt DRT (34221).
- Holger found a neat way to speed up the conversion from KURL to QUrl (33873).
- Trond fixed an endless loop in QWebPage printing (r53997).
- Kenneth fixed incorrect fonts on comboboxes on Maemo5 and Symbian (r53999).
- Andreas upstreamed Ralf and Robert’s kinetic scrolling support for QWebView using
QAbstractKineticScroller(34267). - Benjamin implemented support for the
display()method in the Qt DRT (34258). - Oswald speed up the conversion between
WebCore::StringandQStringby avoidingQString::fromUtf16()(r54060). - Kenneth landed a patch to disable auto-uppercasing and text prediction for password input fields (r54064).
- Kenneth also continued to clean up the QtLauncher for a future merge with QGVLauncher
- Andreas and Kenneth submitted tweaks to the look’n'feel of QtLauncher on Maemo5.
January 28, 2010
Encouraging More Chromium Security Research
The Chromium Blog
In designing Chromium, we've been working hard to make the browser as secure as possible. We've made strong improvements with the integrated sandboxing and our up-to-date user base. We're always looking to stay on top of the latest browser security features. We've also worked closely with the broader security community to get independent scrutiny and to quickly fix bugs that have been reported.
Some of the most interesting security bugs we've fixed have been reported by researchers external to the Chromium project. For example, this same origin policy bypass from Isaac Dawson or this v8 engine bug found by the Mozilla Security Team. Thanks to the collaborative efforts of these people and others, Chromium security is stronger and our users are safer.
Today, we are introducing an experimental new incentive for external researchers to participate. We will be rewarding select interesting and original vulnerabilities reported to us by the security research community. For existing contributors to Chromium security — who would likely continue to contribute regardless — this may be seen as a token of our appreciation. In addition, we are hoping that the introduction of this program will encourage new individuals to participate in Chromium security. The more people involved in scrutinizing Chromium's code and behavior, the more secure our millions of users will be.
Such a concept is not new; we'd like to give serious kudos to the folks at Mozilla for their long-running and successful vulnerability reward program.
Any valid security bug filed through the Chromium bug tracker (under the template "Security Bug") will qualify for consideration. As this is an experimental program, here are some guidelines in the form of questions and answers:
Q) What reward might I get?
A) As per Mozilla, our base reward for eligible bugs is $500. If the panel finds a particular bug particularly severe or particularly clever, we envisage rewards of $1337. The panel may also decide a single report actually constitutes multiple bugs. As a consumer of the Chromium open source project, Google will be sponsoring the rewards.
Q) What bugs are eligible?
A) Any security bug may be considered. We will typically focus on High and Critical impact bugs, but any clever vulnerability at any severity might get a reward. Obviously, your bug won't be eligible if you worked on the code or review in the area in question.
Q) How do I find out my bug was eligible?
A) You will see a provisional comment to that effect in the bug entry once we have triaged the bug.
Q) What if someone else also found the same bug?
A) Only the first report of a given issue that we were previously unaware of is eligible. In the event of a duplicate submission, the earliest filed bug report in the bug tracker is considered the first report.
Q) What about bugs present in Google Chrome but not the Chromium open source project?
A) Bugs in either build may be eligible. In addition, bugs in plugins that are part of the Chromium project and shipped with Google Chrome by default (e.g. Google Gears) may be eligible. Bugs in third-party plugins and extensions are ineligible.
Q) Will bugs disclosed publicly without giving Chromium developers an opportunity to fix them first still qualify?
A) We encourage responsible disclosure. Note that we believe responsible disclosure is a two-way street; it's our job to fix serious bugs within a reasonable time frame.
Q) Do I still qualify if I disclose the problem publicly once fixed?
A) Yes, absolutely. We encourage open collaboration. We will also make sure to credit you in the relevant Google Chrome release notes and nominate you for the Google Security "thank you" section.
Q) What about bugs in channels other than Stable?
A) We are interested in bugs in the Stable, Beta and Dev channels. It's best for everyone to find and fix bugs before they are released to the Stable channel.
Q) What about bugs in third-party components?
A) These bugs may be eligible (e.g. WebKit, libxml, image libraries, compression libraries, etc). Bugs will be ineligible if they are part of the base operating system as opposed to part of the Chromium source tree. In the event of bugs in a component shared with other software, we are happy to take care of responsibly notifying other affected parties.
Q) Who determines whether a given bug is eligible?
A) The panel includes Adam Barth, Chris Evans, Neel Mehta, SkyLined and Michal Zalewski.
Q) Can you keep my identity confidential from the rest of the world?
A) Yes. If selected as the recipient of a reward, and you accept, we will need your contact details in order to pay you. However — at your discretion, we can credit the bug to "anonymous" and leave the bug entry private.
Q) No doubt you wanted to make some legal points?
A) Sure. We encourage participation from everyone. However, we are unable to issue rewards to residents of countries where the US has imposed the highest levels of export restriction (e.g. Cuba, Iran, North Korea, Sudan and Syria). We cannot issue rewards to minors, but would be happy to have an adult represent you. This is not a competition, but rather an ongoing reward program. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon local law.
We look forward very much to issuing our first reward and featuring it on our releases blog. We're happy to take questions at security@chromium.org. Alternatively, feel free to leave a comment. We will update this blog post with answers to any popular questions.
Finally, if you're interested in helping out Chromium security on a more permanent basis, we have open positions.
By noreply@blogger.com (Ian Fette) at January 28, 2010 09:59 PM
January 27, 2010
The sounds of TCmalloc in QtLauncher
University of Szeged
It took a while but now I'm happy to announce that all core classes are inherited from FastAllocBase in WebCore. Further the previous changes in JavaScriptCore, by now almost the whole world is a subclass of FastAllocBase. :-)
January 26, 2010
Security in Depth: New Security Features
The Chromium Blog
We've been hard at work adding proactive security features to Google Chrome, and we're particularly excited about five new security features that make it easier for developers to build secure web sites.
Strict-Transport-Security
Strict-Transport-Security lets a high-security web site tell the browser that it wants to be contacted over a secure connection only. That means the browser will always use HTTPS to connect to the site and will treat all HTTPS errors as hard stops (instead of prompting the user to "click through" certificate errors). This feature strengthens the browser's defenses against attackers who control the network, such as malicious folks disrupting the wireless network at a coffee shop.
Originally proposed in a research paper in 2008, Strict-Transport-Security is now an open specification. In addition to being in Google Chrome 4, Strict-Transport-Security has also been implemented in NoScript, a security add-on for Firefox, and a native implementation is underway in Firefox. A number of high-security web sites have already started to use the feature, including PayPal. As with all of our security improvements, we hope that every browser will adopt Strict-Transport-Security, making the web, as a whole, more secure.
Cross-Origin Communication with postMessage
The postMessage API is a new HTML5 feature that lets web developers establish a communication channel between frames in different origins. Previously, when you wanted to add a gadget to your web page, you had two options: (1) include the gadget via a script tag, or (2) embed the gadget using an iframe tag. If you used a script tag, you could have a rich interaction with the gadget (e.g., the Google Maps API), but you had to trust the gadget author not to inject malicious script into your web page. Alternatively, if you used an iframe tag to embed the gadget (e.g., the Google Calendar web element), you had strong security properties, but it was difficult to interact with the gadget.
postMessage changes the game. By using postMessage to communicate with the gadget, you get the security advantages of an iframe with all the interactivity of a script tag. What's more, you can use postMessage to create more secure versions of existing gadgets. postMessage is now available in the latest versions of all the major browsers: Google Chrome, Internet Explorer, Firefox, Safari, and Opera. A number of web sites, including Facebook, are already using postMessage to make their site safer.
CSRF Protection via Origin Header
The Origin header is a new HTML5 feature that helps you defend your site against cross-site request forgery (CSRF) attacks. In a CSRF attack, a malicious web site, say attacker.com, instructs the user's browser to send an HTTP request to a target server, say example.com, that confuses the example.com server into performing some action. For example, if example.com is a webmail provider, the CSRF attack might trick example.com into forwarding an email message to the attacker.
The Origin header helps sites defend against CSRF attacks by identifying which web site generated the request. In the above example, example.com can see that the request came from the malicious web site because the Origin header contains the value http://attacker.com. To use the Origin header as a CSRF defense, a site should modify state only in response to requests that either (1) lack an Origin header or (2) have an Origin header with a white-listed value.
The details of the Origin header are still being finalized. We will update the implementation in Google Chrome as the specification evolves based on feedback from Mozilla and from the W3C and IETF communities at large. We welcome your feedback on the last draft of the specification.
ClickJacking Protection with X-Frame-Options
First introduced in Internet Explorer 8, X-Frame-Options is a security feature that lets web sites defend themselves against clickjacking attacks. To defend against clickjacking, a web developer can request that a web page not be loaded inside a frame by including the X-Frame-Options: deny HTTP header. X-Frame-Options is implemented in Google Chrome, Internet Explorer 8, and Safari 4.
Reflective XSS Protection
One of the most difficult parts of building a secure web site is protecting against cross-site scripting (XSS) vulnerabilities. In Google Chrome 4, we've added an experimental feature to help mitigate one form of XSS, reflective XSS. The XSS filter checks whether a script that's about to run on a web page is also present in the request that fetched that web page. If the script is present in the request, that's a strong indication that the web server might have been tricked into reflecting the script.
The XSS filter is similar to those found in Internet Explorer 8 and NoScript. Instead of being layered on top of the browser like those filters, our XSS filter is integrated into WebKit, which Google Chrome uses to render webpages. Integrating the XSS filter into the rendering engine has two benefits: (1) the filter can catch scripts right before they are executed, making it easier to detect some tricky attack variations, and (2) the filter can be used by every WebKit-based browser, including Safari and Epiphany.
We are aware of a few ways to bypass the filter, but, on balance, we think that the filter is providing enough benefit to enable it by default in this release. If you discover a new way to bypass the filter, please let us know. We're very interested in improving the filter in subsequent releases. We're grateful to the security researchers who have helped us with the filter thus far (especially Eduardo "Sirdarckcat" Vela), and we welcome even more participation.
By noreply@blogger.com (Ian Fette) at January 26, 2010 10:03 PM
Jeremy Orlow is now a WebKit reviewer!
Surfin’ Safari
Jeremy has done a lot of work on local storage and session storage within WebKit. Much of this brought it up to date with spec changes, but he also improved it by adding quota support and fixing many bugs. As part of the Chromium port, he also worked on its WebKit api and JavaScript bindings.
Please join me in congratulating Jeremy on his reviewer status!
January 24, 2010
This week (3) in QtWebKit trunk
Trolltech Labs
This week has been a very busy week! Here’s a list of the landed changes that affect the Qt port, in chronological order:
- Tor Arne has ported the Qt build of DumpRenderTree to run on Windows. (r53526, r53543).
- Luiz continued with cleaning up the combobox popup handling.(33418).
- Ben from the Google Team fixed a bug where touch events weren’t sent to iframes (33894).
- No’am landed support in the Qt bindings that allows passing pixmaps and images as arguments in signals/slots/properties, which can then easily be turned into image elements or data urls. (32461).
- Benjamin cleaned up the QWebPage autotest (32216).
- On Thursday we landed No’am’s implementation of GraphicsLayer. This accelerates the composition of layers with animated opacity or transform attributes, through content caching in pixmaps. Layers are mapped to
QGraphicsItemswith enabledCacheModeand the animation is driven by the Qt Animation Framework.The feature is disabled by default currently as it’s not stable yet, but it’s a fantastic start! (33514). - Diego continued implementing missing functions in the Qt DRT (33945).
- Jakub fixed a crash with video elements and phonon (33842).
- Girish fixed a bug with combobox popups in transformed QGraphicsWebViews (r53703, 33887).
- Robert fixed 5 layout tests by fixing support for
window.close()andwindow.closed()in the Qt DRT (32953). - Kent fixed bugs with
Object.getOwnPropertyDescriptor(33948, 33946).
January 21, 2010
Ruby Rendering in WebKit
Surfin’ Safari
Introduction
From the W3C spec: The name “ruby” originated from the name of the 5.5 point font size in British printing, which is about half the 10 point font size commonly used for normal text.
A ruby annotation is a short piece of text in smaller font, written directly above or below or – with vertical text – to either side of the base text. It is most often used in East Asian typography in order to provide further information. Most commonly it shows the pronounciation of Chinese characters. Another use case is in text books, to give the foreign spelling of a native word, or vice versa. In literary text or Manga ruby is also sometimes used to specify a variant pronunciation of the underlying characters, to add some depth or twist to the normal understanding. However, there is no reason to limit ruby to East Asian text. It can also be applied to other languages for much the same purpose: to specify annotations or give further context.
In this regard note that ruby is a typographic tag rather than a semantic tag like the <abbr> or <dfn> tags that may seem to fill a similar role – by using <ruby> one specifies how the text is to be displayed rather than what its relation is to the base text.
Ruby Tags
The WebKit ruby implementation follows the HTML5 spec for the tags used. The tags themselves are rather simple:
<ruby> some base text <rp> ( </rp><rt> annotation </rt><rp> ) </rp></ruby>
where:
| <ruby> | Encloses the whole annotated part of the text. |
| <rt> | Encloses the ruby text that is to appear in smaller font above the base text. |
| <rp> | Contains optional parentheses that appear if the user agent does not, in fact, render <ruby>. |
Regarding the <rp> tags: browsers that don’t “understand” ruby will just output the whole content as is, disregarding the unknown tags. This includes the opening and closing parentheses provided within the <rp> tags, as shown in the following image:
Browsers with ruby support, on the other hand, will ignore the contents of the <rp> tags and place what is contained within the <rt> tags in small print over the base text:
To give a different example, here is a sample text in Japanese annotated with English translations of the main words in Kanji characters:
Current State and Future Improvements
The current implementation follows the outline described above and should satisfy all the basic usage for ruby. This does not mean that implementation can be considered complete – there are two main areas that deserve future attention: character spacing and positioning.
Character spacing: Traditionally, in East Asian typography the characters that make up the ruby text annotation or (less commonly) the base text are spaced such that they line up cleanly.
Positioning: It is sometimes desirable to have the ruby text be positioned below (i.e., ‘after’ in HTML5 parlance) rather than above (’before’), or even in both places. One use case for the latter is in textbooks, e.g. to give a Japanese student both the Furigana reading of a particular Kanji word (usually displayed above the word) as well as the translation (usually below).
Both are addressed by the CSS3 spec, which is based off the XHTML ruby module. However, there are some small but significant differences between the HTML5 and CSS3 ruby specs. Most notably, HTML5 allows several spans of base text and annotations within a single <ruby> element. This is useful to annotate several chinese characters in a row, e.g. (example taken from the HTML5 spec):
<ruby> 漢<rt> ㄏㄢˋ</rt> 字 <rt> ㄗˋ </rt> </ruby>
The CSS3 ruby module on the other hand specifies a version of ruby called complex ruby, which separates ruby base text from annotations in a way similar to <table>. In the future we hope to bring these two conventions together cleanly.
CSS3 Specifications
For reference, CSS3 contains a few modules that more or less directly pertain to ruby rendering. Note that, as indicated above, the current implementation does not (yet) address these.
- Ruby module
- This is the main module concerning ruby.
- Requirements on Japanese Text Layout
- Has sections on ruby (probably more than you will ever want to know about ruby rendering), as well as general rendering guidelines for Japanese.
- Line module
- This module specifies the line-stacking-ruby property.
- Text module
- Although only marginally related to ruby, this contains additional rules for CJK line breaking.
Vertical Text
Many East Asian scripts are traditionally written vertically rather than horizontally. Some of the conventions of ruby text stem from this tradition. Furthermore, with Chinese Bopomofo/Zhuyin-Fuhao, the ruby annotation may traditionally run vertically next to each character even for horizontal text (example from the CSS3 ruby spec):
Note that as shown in the above example, this is complicated by the fact that tone markers are not to be rendered in the normal vertical text stream, but to the side of it.
Unfortunately, vertical text does not lend itself easily to seamless integration with the way web pages are rendered today. Addressing this shortcoming would not only help further improve the visual quality of ruby, but open up ways to give East Asian web pages a more natural look. However, implementation of this is a challenge that still lies ahead.
