Chromium's process architecture has graphics access restricted to a separate GPU-process. There are several reasons why this could make sense, three common ones are: Security, Robustness and Dependency Separation.
GPU access restricted to a single process requires an efficient framework for communication over IPC from the other processes, and most likely a framework for composition of surfaces. This talk describes both the possible motivations for this kind of architecture and Chromium's solution for the IPC framework. We will demonstrate how a multi-process program can compose into a single window on Linux.
2. Isolating GPU Access
in its own process
Patricia Aas, T S
NDC TechTown 2018
T
S
@pati_gallardo
3. Patricia Aas - Consultant
C++ Programmer, Application Security
Currently : T S
Previously : Vivaldi, Cisco Systems, Knowit, Opera Software
Master in Computer Science - main language Java
Pronouns: she/her T
S
@pati_gallardo
4. - What is Chromium?
- Communication Architecture
- Passing A Video Frame
- Why have a GPU process?
- Can I Use?
@pati_gallardo
14. Components of Communication
Renderer
Gpu Process
Browser Renderer
IPC Channels
Shared Memory
Gpu Memory
Buffers
Command Buffers
(Ring buffer)
Gpu Memory
Buffers
Gpu Memory
BuffersCommand
Command
Command
15. Faking OpenGL ES 2 (for fun and profit?)
Command CommandCommand Command
Render/Browser Process Gpu Process
Client Encoder/Proxy ServerDecoder/Validator
Shared
Memory
OpenGL ES 2
Interface
16. - Write Commands to
Command Buffer in Shared
Memory
- Update ‘put’ pointer
- Signal GPU process
@pati_gallardo
Client
Renderer / Browser
17. - Read Commands from
Command Buffer in Shared
Memory
- Validate Command and
arguments
- Make actual call@pati_gallardo
Server
GPU Process
20. - Inserts a synchronization
fence into the command
stream
- Can be attached to a
resource (texture) that
cannot be used before all
previous commands have
been processed
@pati_gallardo
Sync Token
25. Software Decoded Video Frame
- Decoded Frame in Memory in RENDERER PROCESS
- GPU Composition is done in the GPU PROCESS
- The Frame needs to be uploaded to the GPU as a
Texture BEFORE it can be composed
@pati_gallardo
26. Decode Frame into
Renderer Memory
Copy Frame to GPU
Memory Buffer
Issue Draw
Commands to GPU
Wait
SyncToken
Using the SyncToken to
Reorder
27. Insert Some Hand Waving
The full architecture is
massive
We will follow one path
A software decoded video
frame
@pati_gallardo
28. “At a high enough level of abstraction,
everything looks the same.”
Law of PowerPoint Architecture
Patricia Aas, 2018
@pati_gallardo
32. 1. Mailbox - unique name
2. SyncToken - fence
3. Texture Target Type (if
texture backed)
@pati_gallardo
Mailbox Holder
33. VideoFrame VideoFrame
Memory Buffer
V Plane
Y Plane
U Plane
Shared Memory Gpu ProcessRenderer
Transform the Video Frame into a GPU Resource
Y Plane Texture
UV Plane Texture
Plane Resources
Y Plane
GpuMemoryBuffer
UV Planes
GpuMemoryBuffer
MailboxHolder
SyncToken
MailboxMailbox
MailboxHolder
49. Gives Fine Grained Control
Texture memory being leaked across processes
- From Other Programs on the Users Machine
- From Other Tabs
- From the Browser @pati_gallardo
53. Graphics Drivers Crashing the Browser
- Prevent bugs in GPU drivers from crashing the browser
- Make sure graphics code in WebGL can’t crash the browser
- Compensate for Graphics Driver Bugs/Inconsistencies
@pati_gallardo
57. “We can solve any problem by introducing an extra
level of indirection.
…except for the problem of too many levels of
indirection”
Fundamental theorem of software engineering
Andrew Koenig/Butler Lampson/David J. Wheeler
@pati_gallardo
58. - What is Chromium?
- Communication Architecture
- Passing A Video Frame
- Why have a GPU process?
- Can I Use?
@pati_gallardo
59. - Ok, but… Can I Use?
- Hm, don’t know…
Maybe? ¯_(ツ)_/¯
@pati_gallardo
72. High Level Design
Client - Server Architecture
Emulates OpenGl ES2.0
Actual Graphics Implementation is Platform Specific
Composition in GPU Process
Page Composition Controlled From Renderer
@pati_gallardo
76. OES_EGL_image_external
Extension that creates EGLImage texture targets from EGLImages
“Each TEXTURE_EXTERNAL_OES texture object may require up to 3
texture image units for each texture unit to which it is bound.”
@pati_gallardo
78. Share Group
- Command Buffers in the same share group
must be in the same Command Stream
- gl::GLFence
- eglFenceSyncKHR (EGL_KHR_fence_sync)
- eglWaitSyncKHR (EGL_KHR_wait_sync)
@pati_gallardo