summaryrefslogtreecommitdiff
path: root/chromium/docs/website/site/developers/design-documents/multi-process-architecture/index.md
diff options
context:
space:
mode:
Diffstat (limited to 'chromium/docs/website/site/developers/design-documents/multi-process-architecture/index.md')
-rw-r--r--chromium/docs/website/site/developers/design-documents/multi-process-architecture/index.md170
1 files changed, 0 insertions, 170 deletions
diff --git a/chromium/docs/website/site/developers/design-documents/multi-process-architecture/index.md b/chromium/docs/website/site/developers/design-documents/multi-process-architecture/index.md
deleted file mode 100644
index 8bbfb9c9972..00000000000
--- a/chromium/docs/website/site/developers/design-documents/multi-process-architecture/index.md
+++ /dev/null
@@ -1,170 +0,0 @@
----
-breadcrumbs:
-- - /developers
- - For Developers
-- - /developers/design-documents
- - Design Documents
-page_name: multi-process-architecture
-title: Multi-process Architecture
----
-
-This document describes Chromium's high-level architecture.
-
-## Problem
-
-It's nearly impossible to build a rendering engine that never crashes or hangs.
-It's also nearly impossible to build a rendering engine that is perfectly
-secure.
-
-In some ways, the state of web browsers around 2006 was like that of the
-single-user, co-operatively multi-tasked operating systems of the past. As a
-misbehaving application in such an operating system could take down the entire
-system, so could a misbehaving web page in a web browser. All it took is one
-browser or plug-in bug to bring down the entire browser and all of the currently
-running tabs.
-
-Modern operating systems are more robust because they put applications into
-separate processes that are walled off from one another. A crash in one
-application generally does not impair other applications or the integrity of the
-operating system, and each user's access to other users' data is restricted.
-
-## Architectural overview
-
-We use separate processes for browser tabs to protect the overall application
-from bugs and glitches in the rendering engine. We also restrict access from
-each rendering engine process to others and to the rest of the system. In some
-ways, this brings to web browsing the benefits that memory protection and access
-control brought to operating systems.
-
-We refer to the main process that runs the UI and manages tab and plugin
-processes as the "browser process" or "browser." Likewise, the tab-specific
-processes are called "render processes" or "renderers." The renderers use the
-[Blink](/blink) open-source layout engine for interpreting and laying out HTML.
-
-[<img alt="image"
-src="/developers/design-documents/multi-process-architecture/arch.png">](/developers/design-documents/multi-process-architecture/arch.png)
-
-### Managing render processes
-
-Each render process has a global `RenderProcess` object that manages
-communication with the parent browser process and maintains global state. The
-browser maintains a corresponding `RenderProcessHost` for each render process,
-which manages browser state and communication for the renderer. The browser and
-the renderers communicate using [Chromium's IPC
-system](/developers/design-documents/inter-process-communication).
-
-### Managing views
-
-Each render process has one or more `RenderView` objects, managed by the
-`RenderProcess`, which correspond to tabs of content. The corresponding
-`RenderProcessHost` maintains a `RenderViewHost` corresponding to each view in
-the renderer. Each view is given a view ID that is used to differentiate
-multiple views in the same renderer. These IDs are unique inside one renderer
-but not within the browser, so identifying a view requires a `RenderProcessHost`
-and a view ID. Communication from the browser to a specific tab of content is
-done through these `RenderViewHost` objects, which know how to send messages
-through their `RenderProcessHost` to the `RenderProcess` and on to the
-`RenderView`.
-
-## Components and interfaces
-
-In the render process:
-
-* The `RenderProcess` handles IPC with the corresponding
- `RenderProcessHost` in the browser. There is exactly one
- `RenderProcess` object per render process. This is how all browser ↔
- renderer communication happens.
-* The `RenderView` object communicates with its corresponding
- `RenderViewHost` in the browser process (via the RenderProcess), and
- our WebKit embedding layer. This object represents the contents of
- one web page in a tab or popup window
-
-In the browser process:
-
-* The `Browser` object represents a top-level browser window.
-* The `RenderProcessHost` object represents the browser side of a
- single browser ↔ renderer IPC connection. There is one
- `RenderProcessHost` in the browser process for each render process.
-* The `RenderViewHost` object encapsulates communication with the
- remote `RenderView`, and RenderWidgetHost handles the input and
- painting for RenderWidget in the browser.
-
-For more detailed information on how this embedding works, see the [How Chromium
-displays web
-pages](/developers/design-documents/displaying-a-web-page-in-chrome) design
-document.
-
-## Sharing the render process
-
-In general, each new window or tab opens in a new process. The browser will
-spawn a new process and instruct it to create a single `RenderView`.
-
-Sometimes it is necessary or desirable to share the render process between tabs
-or windows. A web application opens a new window that it expects to communicate
-with synchronously, for example, using window.open in JavaScript. In this case,
-when we create a new window or tab, we need to reuse the process that the window
-was opened with. We also have strategies to assign new tabs to existing
-processes if the total number of processes is too large, or if the user already
-has a process open navigated to that domain. These strategies are described in
-[Process Models](/developers/design-documents/process-models).
-
-## Detecting crashed or misbehaving renderers
-
-Each IPC connection to a browser process watches the process handles. If these
-handles are signaled, the render process has crashed and the tabs are notified
-of the crash. For now, we show a "sad tab" screen that notifies the user that
-the renderer has crashed. The page can be reloaded by pressing the reload button
-or by starting a new navigation. When this happens, we notice that there is no
-process and create a new one.
-
-## Sandboxing the renderer
-
-Given the renderer is running in a separate process, we have the opportunity to
-restrict its access to system resources via
-[sandboxing](/developers/design-documents/sandbox). For example, we can ensure
-that the renderer's only access to the network is via its parent browser
-process. Likewise, we can restrict its access to the filesystem using the host
-operating system's built-in permissions.
-
-In addition to restricting the renderer's access to the filesystem and network,
-we can also place limitations on its access to the user's display and related
-objects. We run each render process on a separate Windows
-"[Desktop](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682573(v=vs.85).aspx)"
-which is not visible to the user. This prevents a compromised renderer from
-opening new windows or capturing keystrokes.
-
-## Giving back memory
-
-Given renderers running in separate processes, it becomes straightforward to
-treat hidden tabs as lower priority. Normally, minimized processes on Windows
-have their memory automatically put into a pool of "available memory." In
-low-memory situations, Windows will swap this memory to disk before it swaps out
-higher-priority memory, helping to keep the user-visible programs more
-responsive. We can apply this same principle to hidden tabs. When a render
-process has no top-level tabs, we can release that process's "working set" size
-as a hint to the system to swap that memory out to disk first if necessary.
-Because we found that reducing the working set size also reduces tab switching
-performance when the user is switching between two tabs, we release this memory
-gradually. This means that if the user switches back to a recently used tab,
-that tab's memory is more likely to be paged in than less recently used tabs.
-Users with enough memory to run all their programs will not notice this process
-at all: Windows will only actually reclaim such data if it needs it, so there is
-no performance hit when there is ample memory.
-
-This helps us get a more optimal memory footprint in low-memory situations. The
-memory associated with seldom-used background tabs can get entirely swapped out
-while foreground tabs' data can be entirely loaded into memory. In contrast, a
-single-process browser will have all tabs' data randomly distributed in its
-memory, and it is impossible to separate the used and unused data so cleanly,
-wasting both memory and performance.
-
-## Plug-ins and Extensions
-
-Firefox-style NPAPI plug-ins ran in their own process, separate from renderers.
-This is described in detail in [Plugin
-Architecture](/developers/design-documents/plugin-architecture).
-
-The [Site Isolation](/developers/design-documents/site-isolation) project aims
-to provide more isolation between renderers, an early deliverable for this
-project includes running Chrome's HTML/JavaScript content extensions in isolated
-processes. \ No newline at end of file
View Lorry Controller Status