Servo: Building a High-Performance, Safe Web Browser

Servo is a new web rendering engine that was launched by Mozilla in 2012 and is now receiving significant contributions from both Samsung and independent community members. Our goal is to produce an embeddable engine that can be used in both browsers and applications to make the web platform faster and safer, and bring it to more devices.

We started this project to address fundamental limitations of current browser engines. First, the C family of programming languages doesn’t ensure safe use of memory, which leads to the majority of all zero-day browser security bugs. Second, current engines were originally designed for use on a PC, and are challenging to scale down to low memory and low power devices. Finally, as the web platform has evolved, the tightly-coupled design of current browser engines has made it difficult to provide performance guarantees, such as 60 fps screen updates.

Memory Safety

Investigations have shown that most high priority, security critical bugs in the browser engine are related to use-after-free or buffer overruns. In Servo, we are using the Rust programming language to prevent many of these issues statically, at compile-time. In Rust, all allocated memory is owned by a single variable, and the compiler ensures that the memory cannot be referenced by multiple owners.

For example:

fn foo() {
let x = create_thing();
use_thing(x); // Error - the value in 'x' has been moved!

This ownership model ensures that pointers to allocated memory do not outlive the release of that memory and that concurrent threads cannot access the same piece of memory simultaneously.The Rust compiler automatically inserts all calls to allocate and free data, and because these ownership properties are statically checked, at runtime this data may freely be accessed without any extra overhead, unlike traditional approaches such as garbage collection or reference counting.

Low Memory and Power Devices

Modern browsers have achieved incredible levels of performance, even running full video games in JavaScript. While Firefox runs well on devices with only 256 MB of RAM , with Servo we are working to make it possible to bring the web platform to wearables and appliances with less than a quarter of that amount.

Parallelism has been exploited primarily to provide speedups by using a machine with four cores in the hopes that the program would run four times as fast as the program on a single core. However, in Servo we are using parallelism to provide better power usage and are experimenting with running four cores clocked to a more power-efficient clock speed, resulting in the same execution time but significantly lower power usage. For example, the following charts show that when running Servo on large benchmark page at a lower clock frequency, the four cores have the same speed as a single core at the higher frequency, but use 40% less power.

Servo Building a High-Performance Safe Web Browser - servo-perf
Running 4 threads at a lower frequency is as fast as a single core running at a higher frequency.

Servo Building a High-Performance Safe Web Browser - servo-power


Concurrency is the ability to perform multiple tasks in an interleaved fashion. As web sites have become more complex, the lack of concurrency in modern browsers has resulted in ‘jank’, or cases where the page fails to update because a non-graphics task is being performed on the same thread where the graphics are being rendered. In Servo, our graphics task is completely decoupled from JavaScript evaluation and webpage layout, allowing the graphics to be updated at a consistent 60fps.

Additionally, we have added concurrency within web pages. If a page has multiple iframe elements, each of which is running JavaScript, in today’s web browsers all of the iframes will pause when any one of them is executing that script. Some modern browsers plan to solve this by spawning a process per iframe, but it is unclear how that will work for sites with tens to hundreds of iframes. Such sites already exist, and will only become more prevalent as ad platforms shift from Flash to HTML5.

In Servo, we avoid this problem by using Rust’s lightweight task spawning mechanism. For each iframe in a page, each of the layout, graphics rendering, and script processing tasks run concurrently. And that is also true between each iframe. So, without consuming a huge number of native OS threads or processes, we can already provide concurrency.

This design also has the advantage of forcing a clean architectural separation between the various pieces of our engine, which makes the addition of new web platform features both easier to write and less likely to affect unrelated pieces of the browser engine.

Current Status

Servo is intended to support the full web platform eventually, and it passes the ACID1 and ACID2 tests. Rather than focus on benchmark suites and further classic web conformance tests, we are now working towards full specification compliance through the Web Platform Tests initiative.

We are currently expanding on Servo’s functionality and are targeting an alpha-quality browser in 2015. We are always looking for new contributors, and actively mentor newcomers by curating bugs appropriate for them! Because Servo is so new, it is easy to make a very large contribution with a small amount of effort.

Please come join us!

Guest Author: Lars Bergstrom

Lars Bergstrom is a researcher at Mozilla, currently working on the servo parallel web browser project.He received his Ph.D. from the University of Chicago‘s Computer Science department, studying under Dr. John Reppy. His Master’s paper was on the implementation of analysis and optimization passes in our parallel compiler, Manticore. His Ph.D. research was on how to add mutation safely and efficiently into a functional parallel programming language. He has also been doing work on a runtime, garbage collector, and most recently some extensions to control-flow analysis. Before that, he was a manager and a developer at Microsoft in the Visual Studio organization, working on next-generation software development tools technology out at the Redmond, WA offices.

Author: Mike Blumenkrantz

Mike is the release manager for Enlightenment as well as a core developer of the EFL toolkit.