a web page broke my firefox broke my OS, in 2023

I noticed my PC's fans whirring loudly.

Running top(1), I saw that firefox was pegging the CPU.  In most cases, this is caused by a web page pegging firefox, and, more decisively, by firefox allowing itself to be pegged.  

It was not possible to select different tabs in firefox windows to get an idea what was going on (per-app MDI like tabs is in any case reflection of failure to handle groups of windows at the OS / window-manager level.  Multiple app instances / documents / tabs in one big process ala firefox is itself terrible design.  Web pages / documents should not live in the same memory space and process together just because they being handled by the same app, let each tab (window / doc / web page / app instance) be its own process) Firefox was completely unresponsive.  Moving the mouse started to get glitchy.  I had to move the mouse, and then wait a few seconds.  I tried killing the window with my window manager commands "Close", "Delete" and "Destroy" -- I forget exactly what these translate to in X11 terms, but anyway none of them worked.

I managed to get the focus into a terminal emulator running a shell, and ran something like "killall firefox".  The windows disappeared, the rest of the system breathed a big sigh, and the fans spun down.  Substitute netscape navigator for firefox, and this could have been 1998.  But it's 2023, a quarter of a century later.  Actually, this isn't entirely fair.  Netscape didn't used to do that as much then as firefox does now.

This time was lucky.  As well as firefox allowing itself to be pegged by a web page, the OS allows itself to be pegged by firefox.  This time it was possible to kill firefox, but sometimes the OS's failure to contain firefox necessitates a reset at the OS level, for example at the power switch.

What has gone wrong?

In the intervening time, hardware capacity has increased by around 3 orders of magnitude, or 10 doublings.  Instead of 64M RAM, we have 64G.  Instead of the 8G hard drive, there's the fast 8T SSD.  CPU compute increases are not far off.

The whole job of the OS is to multiplex resources.  If one app can deny service to the rest of the system, the OS is failing to do its most basic job.  Firefox is a known dodgy app.  Why is it allowed to grow to indefinite size, until it outgrows any amount of system RAM, every time?  Why is it, or anything, able to behave in a way that causes user input elsewhere to lag?  Or to prevent window selection, or other window management operations?  Or to make it seem like my computer is going to set on fire?

Since firefox is a platform for running untrusted code loaded from remote sources, it (the browser) might contain its own sandboxing features.  One idea is simply limiting CPU and memory, with reasonable default limits, say a tenth of a core.  But should a page really be allowed to just go on executing in the background, when the app (page, tab) is not in focus?  Smartphones clearly do not allow this: any process not in focus can be expected to be suspended; web pages in tabs other than the one in focus generally don't get to execute either.  

Relatedly, many web pages cause visual distraction by changing spontaneously.  A user wanting visual peace is forced to close such web pages if they are in the field of vision.  Such pages should instead be "stopped" at some level when not in use.  A page wanting to execute javascript, and / or a page wanting to change its rendering when not in focus, could be indicated by the browser with some kind of play / pause UI for the page as a whole.  Perhaps pages get some reasonable time to quiesce after loading, and perhaps this depends on whether they are in focus.  There might be a setting for "by default, pages are stopped and user must press play to execute".  Could "suspended" pages look different, go into sepia even?

Most of these ideas can also be done additionally, or alternatively, at the OS and / or windowing system levels.  There is no fundamental reason why a windowing system couldn't have an available policy of "all apps except foreground app are suspended".  (It is not relevant, at this level of discussion, whether X11 currently allows Unix process control of remotely displayed X clients -- I said "fundamental reason", and there are things to be invented or re-invented. We are not necessarily assuming either X11 or Unix, tho both may be adapted in various ways towards a solution.)

Any throttling, resource limits, press-playness done by the browser for web pages might also be done by the OS (broadly) for the browser, or for individual browser instances representing individual pages.  Remember, the OS is now handling MDI including tabbing.

When the user's console becomes locked, should things in their session continue to execute within the locked session?  Do all those web pages continue to poll for updates, potentially fetching "implants" or deciding to start pegging the CPU and set things on fire, or do things just suspend nicely until the user is back? Should it at least be configurable, and with reasonable defaults, and at some level supported by the system?

There are lifetimes of interesting and worthwhile practical systems software research and development in these very obvious ideas, yet nothing happens.  No one is doing it.

In summary: no one has done anything worthwhile in systems software, in the free software world, for decades.  Almost the only interesting things have been done by apple, with google copying this and that idea, for their proprietary platforms.

Comments

Post a Comment

Popular posts from this blog

the persistent idiocy of "privileged ports" on Unix

TCP and UDP have ports.  These are 16 bit; there are 65535 or so per IP address. These protocols don't care to differentiate between the ports.  Elsewhere, IANA presumes to operate a process to allocate "well-known" ports in the range 1-1023, "registered ports" in the range 1024-49151, and to reserve the remainder, 49152–65535, for "ephemeral" ports.  The caller end has to have a port, which is how replies get back within the virtual connection, and these are conventionally picked from the ephemeral range by the OS's networking stack. The whole idea of ports is ridiculous, because it allows ISPs to arse around presuming to decide which services they will "not allow".  Anything that allows IPSs to do anything other than shift opaque packets will allow ISPs to meddle and break things, and due to the Law of Meddling, if they can, they will.  I am currently working around an issue with Claro, a pretend ISP, blocking port 5060, allocated to SI
Read more

google is giving more and more 500 errors

Image
Total state capture and moral bankruptcy are not the only problems facing Google.  They are also giving an increasing rate of 500 Internal Server errors.  This is the sort that means they've messed up, but not in a way that they should have messed up.  On the other hand, they have drawn a lovely picture of a robot falling apart. Today's example is from Google Calendar under calendar.google.com.  I was trying to make an appointment, and now I'm doing this. I remember, in 2018, a friend trying to convince me that 500 Internal Server Errors no longer happened, or if they did it was my fault, and that they hadn't seen any for years, and some other things.  They assured me that they would love to see screenshots of such a rare specimen, which I bored them with for a while.  That friend happens to be a Google employee. Well, there are plenty of others posting about Google Calendar on twitter today, including screenshots of 500 Internal Server errors, so I doubt this one is en
Read more

Guernsey Waste in incorrect bag-rejection horror May 6th, 2024

Image
The rubbish collection folk at my new place seem pickier than at other places on Guernsey. Last week, they removed some card packaging that I'd included in the card and paper (plastic) clear bag, and left it on the lane.  This week, they have attached a rejection label entitled "Polite Notice".  Just like modern software-engineered error messages (see attached tag "extremely_general_error_handling"), this does not give a specific reason why the bag was rejected, but instead lists miscellaneous possible "reasons", leaving the victim guessing, or perhaps trying to follow a process of elimination. In this case, some possible reasons, which the label does not claim to be exhaustive ("was most likely because ..."), and of which none apply, are: (i) "did not have the required payment sticker" -- no, I applied to 90 litre sticker; or  (ii) (a) "too heavy" -- no, I estimate it was 3kg, and I easily supported the bag's weight o
Read more