(See the 2004-era Mozilla 2 pages for older ideas.)
See the latest status meeting notes.
A detailed list of items that we are working on can be found here:
- Clean up our APIs to be fewer, better, and "on the outside" of Gecko, with symbol visibility strictly limited to public APIs.
- Based on these APIs and supported embedding scenarios, support intentional Gecko embedding in a first-class way.
- Simplify the Mozilla codebase to make it smaller, faster, and easier to approach and maintain.
- Take advantage of standard C++ features and fast paths instead of XPCOM and ad hoc code.
- Implement JS2 on top of Tamarin via ActionMonkey.
- Optimization including JIT compilation for JS2 with very fast DOM access and low memory costs.
- Tool-time and runtime enforcement of important safety properties including memory safety and confidentiality properties for both XUL and the Web.
- Rich graphics support including accelerated SVG/Canvas and video support.
What these mean in detail is mostly "to be decided", but we should try to say what we don't mean:
- We won't rewrite the Mozilla codebase by hand.
- We won't gratuitously break API compatibility ("some of our APIs are fine, thank you").
- We won't drop XPCOM completely; we may even have configurable Mozilla 1 XPCOM compatibility.
- We won't bring up Mozilla 2 on mobile devices (but volunteers are welcome to port early and often; Mozilla 2 will fit on such devices much more easily than Mozilla 1 code does).
The goals boil down to competing more effectively with ourselves, with WebKit, Opera's Presto, and even with IE, across all three platforms: the Web, XUL (or an equivalent "widget" or "rich client platform"), and the C++ embeddable HTML rendering engine. We should aspire to beat the competition on the major time, space, and ease-of-use axes, not just show or place.
- XPCOMGC: Switch from reference counting to a GC
- Gfx glue layer removal
The goals are ambitious, and unrealistic without new tools and approaches to the code. Here are some of the major levers we use to move mountains.
The info below has not been significantly updated since December 2006
- Import final dirlist into Hg (Benjamin/Brendan)
- Begin refactoring work/deCOMtamination/API work
- Get tools good enough for broad use (Taras)
- Develop hitlist of areas to refactor (Taras/Brendan)
- Plan for refactoring DOM APIs (JST)
- Complete ES4 spec and ref impl (Brendan/Graydon)
- Begin Tamarin/SM integration
- Extract GC from Tamarin - remove all flash deps (TBH)
- Ensure GC/Tamarin compiles/runs on all platforms (TBH)
- XPCOMGC object model
- Rich Graphics Plan
- Video Prototypes (Chris D)
- SVG/Canvas Plan (Vlad)
- Accelerated Graphics Plan (Vlad)
- OpenText Improvements Plan (Pav)
- Security Plan (Window)
- Layout Plan (Roc/DBaron)
- Q107 - Kickoff of project
- VCS up and ready for checkins
- Major areas of focus identified
- Owners for each area identified
- ES4 Spec and Ref Impl Draft
- Plans fleshed out for each major task area
- Refactoring tools usable by wider audience
- Prototype VIDEO Tag
- ES4 Spec and Ref Impl Complete
- Refactoring work begun
- Elimination of raw pointers
- Shift to STD C++
- Tamarin GC Building on all major platforms
- First prototype of Tamarin
- Design/Prototypes done for each major area
- First Alpha of Moz2/Gecko2/Fx4 released
- Fx4 Alphas
- All Major design work done
- First Fx4/Moz2 Beta
- Moz2/Fx4 Ship
A Better VCS (Brendan/Preed)
See the great Version Control System shoot-out. We need a better VCS because Mozilla 2 will require more sweeping changes, and more experiments which must be run in parallel, than anything we've done so far. So we need at least
- better, cheaper branching
- better merge algorithms for updating and landing branches
- decentralized operation (no master repository with slave workareas)
- good merge-from-CVS capability to track the Mozilla 1.9 trunk where possible
- great performance on Windows (this rules out cygwin-ported Linux VCSes)
See preed's Mortal Kombat salute and look for news on his blog.
An important aspect to get straight is the branching topology. We will have many unstable branches running concurrently during Moz2 development. Generally for each task you want sub-task branches (possibly per-author or per-feature) plus a task-integration branch that your group tries to keep building and working most of the time. The ability to chain a new branch to a new buildbot, with a minimum of fuss, is very helpful.
- Ref implementation complete June 07
- Merge Tamarin into existing JS APIs
- Tamarin Performance Improvements (see above)
- JS Trust labels
By combining APIs, code, and ideas from SpiderMonkey and Tamarin, we will build a JS2 virtual machine as part of Mozilla 2. The Tamarin code contribution is a big boost to this effort, and we intend to extend it, not copy code from it. But we need more than today's Tamarin in order to avoid certain pitfalls. We will probably need all of these:
- Dynamic optimizations for untyped JS (both Web and XUL JS -- we won't require all XUL JS to be annotated with types).
- Profile-directed Ahead Of Time compilation for critical methods (in lieu of XUL FastLoad, to avoid taking a startup performance hit).
- Fresh thinking and hacking for VM-based security, learning from recent security research.
We hope to self-host a JS2 compiler on the VM, but if performance can't match or beat the competition (including today's SpiderMonkey), we will have to consider:
- Native compiler front end.
While "it would be nice" (sincerely; but also, these are famous last words) to optimize the VM such that the self-hosted compiler beats a C or C++ hand-crafted compiler, we cannot put purity ahead of performance. The trade-off for Tamarin's embedding in the Flash Player is different: offline compilation via the Flex SDK is the rule there, and the self-hosted compiler need only be fast enough for eval requirements (which will be novel to Flash in a future release).
Current DOM security checks use the Security:Scattered Security Checks model. For Mozilla 2, in order to JIT DOM calls efficiently, we need either Security:Security Checks In Glue or Security:Wrapper-based Checks. To support "mashups in the browser" and XBL2, we may need to support data-tainting with static flow analysis as well as dynamic taint propagation.
Semi-automated refactoring work/Oink
- deCOMtamination, including getting XPCOM completely out of the middle of Gecko
- static data-tainting checks to uphold confidentiality properties
- conversion to exception-safe code, and holding the line on exception safety
- conversion to C++ exceptions, possibly including a new XPCOM C++ binding
- identification of C++ ripe for conversion to JS2.
- conversion from ad-hoc or Mozilla-private APIs to standard C++ APIs
- simple metrics of code complexity, to be regularly compared to other open source projects
Other good ideas for Oink-based tools should be noted on Static Analysis. The "conversion" items above will use the to-be-written (but proven-in-concept) pattern-matching, patch-generating tool discussed in this blog post.
Embedding API Design
- Get rid of remnants of old gfx
- convert all paint methods to take gfxContext instead of nsIRenderingContext
- optimize API usage, e.g. take advantage of new clipping/transform capabilities
- Add optional acceleration using OpenGL (or Direct3D)
  - Involves work to make widget layer 3D-aware
- Add video capabilities to platform, combined with hw accel and complex transform capability
- Make 3D a first-class citizen of platform
  - any 2D element should render correctly under an arbitrary 2D transform
- Tighter integration between image decoding and rendering
- SVG as image
Security Ideas and Wish List for Post Gecko 1.9
- attack surface reduction
- content restrictions, <noscript>, jail
- next level private browsing
- low privilege/protected mode, cross platform
- security review for every feature, with a lightweight process to make it manageable
- offline stuff
- profile encryption
- identity management
- platform native keychain
- all critical to moderate issues resolved through every major release
- documenting and enforcing invariants
  - what is allowed to happen when
  - assert if you do that
- clean up assertions
  - ones remaining really mean something
- regression test suite for security, pages to assert, measure leaks
- out of process plugins