Comment by danpalmer

20 hours ago

I'm interested in why C++ was chosen for this? Browsers are notoriously hard to secure, they're effectively meant to be RCE vulnerabilities! Securing C++ binaries is hard and has in recent years been called out by numerous organisations and companies as being the root cause of many classes of security vulnerability. With languages like (but not limited to) Rust, we now have better options.

> I'm interested in why C++ was chosen for this?

For the same reason C++ is chosen for a lot of projects. Probably the authors have a lot of experience in C++.

For an exceedingly complex and large project, you really want to choose a language you're very proficient in. Like, years and years of experience proficient in. If you don't have the experience in Rust then you don't have it. And, Rust is really the only other language that can be considered here. Swift, C#, whatever, are just a tad too high-level to write an engine in. At least, ergonomically.

I looked at the source code briefly and it's very high-quality code. Writing good C++ is hard, harder than pretty much any other language. It's modern, it's consistent, it's readable, and it's typed well.

There already is a Rust web engine, it's called Servo, and it's currently being overtaken by the C++ Ladybird project.

Rust is a bad language to write an open source browser in because the hardest problem of building a browser is not security but the number of people you can convince to work on it.

C++ programmers are a dime a dozen, there's a huge number of people who write C++ for 8 hours a day. The Rust community is mostly dabblers like myself.

  • But Ladybird is ditching C++ for Swift?

    • AFAIU they are not ditching C++, they are exploring writing some parts of the engine in Swift using the new C++ interop features in Swift. But a wholesale switch to Swift doesn't seem realistic.

  • > it's currently being overtaken by the C++ Ladybird project.

    Saying a mature engine that you can use today for ~all of the web is being "overtaken" by unreleased pre-alpha software is a strange definition of overtaking.

    • Ladybird overtook Servo in WPT a few months ago and the gap is only increasing. Servo cannot match the development pace of Ladybird and Ladybird's access to the huge pool of C++ devs has everything to do with that.

AFAIK Rust isn't a great language for writing browsers, because the pattern that HTML/DOM needs isn't something that Rust supports out of the box; you need a lot of pointers here and there. IIRC Andreas Kling (Ladybird dev) said something like that, where Swift was better suited than Rust for the job, or at least more pleasant to work with after the team evaluated a few languages, including Rust.

I had the same thought. The project's description:

> secure HTML/CSS engine

No offense to these folks, but I see no evidence of any fuzzing, which makes it hard to believe there aren't some exploitable bugs in the codebase. Google has world-class browser devs and tooling, yet they still write exploitable bugs :p (and sorry Apple / Mozilla, you guys have world-class browser devs but I don't know enough about your tooling. Microsoft was purposefully omitted)

Yeah, very few of those bugs are in the renderer, but they still happen!

[flagged]

  • FWIW, I don't write Rust, and this is why I said "not limited to". Honestly, Swift might be an interesting one. I gather Zig can provide more safety than C++. There are a bunch of other options too.

    Performance is often a concern, but a slow secure browser is better than a fast insecure one. Perhaps I'm a security troll, but writing this stuff in C++ has been shown over the last 30+ years to be functionally impossible, and yet security is one of the most important things for a browser.

    If the answer is that there are more possible contributors, or even that this is a hobby project and it's what the author knows, those are reasonable answers, but I'm interested anyway because perhaps the author has a different way of thinking about these tradeoffs to me, and maybe that's something I can learn from.

    • I'm convinced that the "security" paranoia is just concern-trolling at this point, trying to push people towards more authoritarian and corporate-controlled languages and environments.

You're right. The reason why we don't have many browsers is because nobody is doing it in rust.

  • The reason why we don't have many secure browsers is because everybody is doing it in C++. I'm just looking for a little variety and approach to security.

  • Do you think it is attainable? Could someone like you break the task up into small enough pieces to let each piece be coded by a group of Rust newbies?