Oxidation2

From MozillaWiki
Revision as of 23:12, 20 November 2017 by Nnethercote (talk | contribs)
Jump to navigation Jump to search

Oxidation is a project to integrate Rust code in and around Firefox.

Rust support has been required on all platforms since Firefox 54, and the first major Rust components were shipped in Firefox 56 (encoding_rs) and 57 (Stylo). Moving forward, the goal of Oxidation is to make it easier and more pleasant to use Rust in Firefox, and correspondingly to increase the amount of Rust code in Firefox.

Guidelines

The goal of this section is to provide some high-level guidelines, but not to serve as any kind of gatekeeping function. Choice of language is an engineering decision, with corresponding trade-offs, and is best decided by individual teams. With that in mind...

When should Rust be used in Firefox? In summary:

  • For new components and completely rewritten components there should be a strong bias towards using Rust, especially for code around Firefox but not within Firefox.
  • For existing components it's more complicated!

Rust has the following strengths.

  • Memory safety, which prevents crashes and security vulnerabilities.
  • Thread safety, which enables parallel performance.
  • Highly expressive.
  • A great community.

Rust has the following challenges.

  • Personnel:
    • Steep learning curve.
    • Wide variety of experience levels within Mozilla, for both coding and reviewing.
  • Technical
    • Compile times are currently slow.
    • Crossing the C++/Rust boundary layer can be difficult, and is relatively slow due to no inlining.
      • Bindgen can be tricky, especially working around clang bugs in different versions
    • Android is currently not a Tier 1 platform
      • https://forge.rust-lang.org/platform-support.html
      • Hasn't shipped on many devices yet
      • Rust 1.22 should be better?
      • rillian: "As I understand it, the problem is no one has set up tests on a cloud service, so there's no way for upstream to gate work on Android regressions. Qemu emulation is too slow. There aren't many services with arm support, but there are a couple of new options. If someone does the work of setting something up we should be able to get the Rust team to adopt it."
    • Often requires adding wrapper/glue code
      • But this is typically valuable/reusable
    • Sharing components between Gecko and Servo is difficult
      • The workflow is annoying
      • There are continuous integration mismatches
      • Servo CI is under-resourced?
      • vcs-sync/Phabricator/Lando should fix this?
      • This is not relevant for Gecko-only Rust components, however.

Therefore, Rust is most suitable in the following situations.

  • For components that are relatively standalone, with small and simple APIs.
    • Minimizes the C++/Rust boundary layer issues.
    • Infrastructure tools that are standalone programs are ideal.
    • Note that it's good sofware engineering practice to write loosely-coupled components anyway.
  • For components that process untrusted input, e.g. parsers.
  • For components where parallelism can provide big performance wins.
  • For components where Servo has demonstrated success.

When should a code component be made into an external crate?

  • XXX: suggest being conservative
    • heapsize is a cautionary tale
  • WebRender is an external crate, regularly vendored into mozilla-central
  • where does binding code live: in Gecko or in Servo?

Documentation and Education

Rust in general

Rust training

documentation: - basics on learning Rust, e.g. links to Rust stuff - #rust, #servo, #rust-internals, #rustc

XXX: encourage managers to let their staff take time to learn Rust

  • Lack of Mozilla-wide Rust training for engineers

Rust in Firefox

Supported Rust versions for Firefox builds

Below are our expectations if everything goes smoothly; we may need newer toolchains to address specific issues. Our ultimate policy is just that release Firefox will not require unstable or beta Rust to build.

  • Firefox 56 (released 2017 September 26) requires Rust 1.17.0 or later.
    • Official builds will use Rust 1.19.0.
  • Firefox 57 (released 2017 November 14) requires Rust 1.20.0.
    • Mozilla-central can start using Rust 1.19.0 language features 2017 August 3.
    • Mozilla-central can start using Rust 1.20.0 features 2017 September 14.
  • Firefox 58 (released 2018 January 16) requires Rust 1.21.0.
    • Mozilla-central can use Rust 1.21.0 language features 2017 October 26.
  • Firefox 59 (released 2018 March 6) requires Rust 1.22.0.
    • Mozilla-central can use Rust 1.22.0 features 2017 December 7.
    • Firefox 59 ESR is expected to continue to work with Rust 1.22 throughout its support lifetime.
  • Firefox 60 (released 2018 May 1) requires Rust 1.23.0.
    • Mozilla-central can use Rust 1.23.0 features 2018 January 18.
  • Firefox 61 (released 2018 June 26) requires Rust 1.25.0.
    • Mozilla-central can use Rust 1.24.0 features 2018 March 6.
    • Mozilla-central can use Rust 1.25.0 features 2018 April 12.

Rust components in Firefox

Completed

  • MP4 metadata parser: bug 1161350 (shipped for desktop in Firefox 48)
    • Parses untrusted input, replaces libstagefright, a 3rd-party library with a history of security vulnerabilities
  • Replace uconv with encoding-rs: bug 1261841 (shipped in Firefox 56)
  • CSS style calculation (from Servo): bug stylo (shipped in Firefox 57)
    • Code taken from Servo, uses parallel algorithms
  • U2F HID backend: bug 1388843 (shipped in Firefox 57)

In progress

  • URL parser: bug url-oxidation
  • WebM demuxer: bug 1267492
  • WebRender: bug webrender
    • Code taken from Servo, has high performance; Rust's memory and thread safety provides protection against complexity
  • Audio remoting for Linux: bug 1362220
  • SDP parsing in WebRTC: bug 1365792 (aiming for Firefox 59)
  • Linebreaking with xi-unicode: bug 1290022
  • Optimizing WebVM compiler backend: cretonne
    • Well-separated component with a clear interface

Proposed

  • Parallel layout
    • Code from Servo
  • Replace the XML parser
    • Parses untrusted input, replaces expat, a 3rd-party library with a history of security vulnerabilities
  • WebMIDI: bug 1201593, bug 1201596, bug 1201598
  • Gamepad code: bug 1286699
  • Replace the telemetry module(?)
    • The existing C++ code has a history of threading problems
  • Share media playback stack with Servo(?)
  • Replace DOM serializers (XML, HTML for Save As.., plain text)
  • Image decoders?

Rust components outside Firefox

Completed

  • GeckoDriver - WebDriver implementation for Firefox integrated via marionette protocol (bug 1340637) released as a standalone binary (releases)

Blockers and obstacles

- Identify and fix pain points that affect Rust integration.

Raw Rust code (lives in m-c) blockers

Rust / Cargo nice-to-haves

  • Tracking bug: Make the developer experience for Firefox + Rust great: bug rust-great
  • Artifact caching [2]
  • Shared Gecko/Servo components are painful
    • Landing/merging process
  • Any remaining crash report issues? bug 1348896
  • Debugging?
  • IDE/symbol lookup support?
  • Code coverage?
  • Profiling?
    • Especially for parallel code
  • Test integration?

Things blocking new components from being written in Rust

  • Bindings/interop
    • No IPDL binding generator
    • No WebIDL binding generator for dom components (Servo must have something here?)
    • No XPIDL binding generator (bug 1293362
    • Immature rust-bindgen and cheddar/cbindgen tools for general cross-language support.
  • Slow compile times
  • debugging stuff (ttromey)

People

  • rillian: build system, other misc. stuff
  • ttromey: debugging
  • bz: everything
  • froydnj: build system, integration
  • ted: build system, crash reporting, releng
  • emilio: Stylo
  • Manishearth: Stylo
  • jrmuizel or kats: gfx
  • bholley: Stylo
  • njn: high-level stuff
  • fitzgen?: bindgen
  • mystor?: bindings
  • qdot?: webauthn integration
  • rust compiler folks? acrichto, mwoerister

Meetings

  • Mozlando [3]
  • Oxidation Nov. 2015 [4]
  • Mozlandia [5]
  • Whistler [6]