Chromium Blog: Multi-process Architecture

Multi-process Architecture

Thursday, September 11, 2008

Unlike most current web browsers, Google Chrome uses many operating system processes to keep web sites separate from each other and from the rest of your computer. In this blog post, I'll explain why using a multi-process architecture can be a big win for browsers on today's web. I'll also talk about which parts of the browser belong in each process and in which situations Google Chrome creates new processes.

1. Why use multiple processes in a browser?

In the days when most current browsers were designed, web pages were simple and had little or no active code in them. It made sense for the browser to render all the pages you visited in the same process, to keep resource usage low.

Today, however, we've seen a major shift towards active web content, ranging from pages with lots of JavaScript and Flash to full-blown "web apps" like Gmail. Large parts of these apps run inside the browser, just like normal applications run on an operating system. Just like an operating system, the browser must keep these apps separate from each other.

On top of this, the parts of the browser that render HTML, JavaScript, and CSS have become extraordinarily complex over time. These rendering engines frequently have bugs as they continue to evolve, and some of these bugs may cause the rendering engine to occasionally crash. Also, rendering engines routinely face untrusted and even malicious code from the web, which may try to exploit these bugs to install malware on your computer.

In this world, browsers that put everything in one process face real challenges for robustness, responsiveness, and security. If one web app causes a crash in the rendering engine, it will take the rest of the browser with it, including any other web apps that are open. Web apps often have to compete with each other for CPU time on a single thread, sometimes causing the entire browser to become unresponsive. Security is also a concern, because a web page that exploits a vulnerability in the rendering engine can often take over your entire computer.

It doesn't have to be this way, though. Web apps are designed to be run independently of each other in your browser, and they could be run in parallel. They don't need much access to your disk or devices, either. The security policy used throughout the web ensures this, so that you can visit most web pages without worrying about your data or your computer's safety. This means that it's possible to more completely isolate web apps from each other in the browser without breaking them. The same is true of browser plug-ins like Flash, which are loosely coupled with the browser and can be separated from it without much trouble.

Google Chrome takes advantage of these properties and puts web apps and plug-ins in separate processes from the browser itself. This means that a rendering engine crash in one web app won't affect the browser or other web apps. It means the OS can run web apps in parallel to increase their responsiveness, and it means the browser itself won't lock up if a particular web app or plug-in stops responding. It also means we can run the rendering engine processes in a restrictive sandbox that helps limit the damage if an exploit does occur.

Interestingly, using multiple processes means Google Chrome can have its own Task Manager (shown below), which you can get to by right clicking on the browser's title bar. This Task Manager lets you track resource usage for each web app and plug-in, rather than for the entire browser. It also lets you kill any web apps or plug-ins that have stopped responding, without having to restart the entire browser.

For all of these reasons, Google Chrome's multi-process architecture can help it be more robust, responsive, and secure than single process browsers.

2. What goes in each process?

Google Chrome creates three different types of processes: browser, renderers, and plug-ins.

Browser. There's only one browser process, which manages the tabs, windows, and "chrome" of the browser. This process also handles all interactions with the disk, network, user input, and display, but it makes no attempt to parse or render any content from the web.

Renderers. The browser process creates many renderer processes, each responsible for rendering web pages. The renderer processes contain all the complex logic for handling HTML, JavaScript, CSS, images, and so on. We achieve this using the open source WebKit rendering engine, which is also used by Apple's Safari web browser. Each renderer process is run in a sandbox, which means it has almost no direct access to your disk, network, or display. All interactions with web apps, including user input events and screen painting, must go through the browser process. This lets the browser process monitor the renderers for suspicious activity, killing them if it suspects an exploit has occurred.

Plug-ins. The browser process also creates one process for each type of plug-in that is in use, such as Flash, Quicktime, or Adobe Reader. These processes just contain the plug-ins themselves, along with some glue code to let them interact with the browser and renderers.

3. When should the browser create processes?

Once Google Chrome has created its browser process, it will generally create one renderer process for each instance of a web site you visit. This approach aims to keep pages from different web sites isolated from each other.

You can think of this as using a different process for each tab in the browser, but allowing two tabs to share a process if they are related to each other and are showing the same site. For example, if one tab opens another tab using JavaScript, or if you open a link to the same site in a new tab, the tabs will share a renderer process. This lets the pages in these tabs communicate via JavaScript and share cached objects. Conversely, if you type the URL of a different site into the location bar of a tab, we will swap in a new renderer process for the tab.

Compatibility with existing web pages is important for us. For this reason, we define a web site as a registered domain name, like google.com or bbc.co.uk. This means we'll consider sub-domains like mail.google.com and maps.google.com as part of the same site. This is necessary because there are cases where tabs from different sub-domains may try to communicate with each other via JavaScript, so we want to keep them in the same renderer process.

There are a few caveats to this basic approach, however. Your computer would start to slow down if we created too many processes, so we place a limit on the number of renderer processes that we create (20 in most cases). Once we hit this limit, we'll start re-using the existing renderer processes for new tabs. Thus, it's possible that the same renderer process could be used for more than one web site. We also don't yet put cross-site frames in their own processes, and we don't yet swap a tab's renderer process for all types of cross-site navigations. So far, we only swap a tab's process for navigations via the browser's "chrome," like the location bar or bookmarks. Despite these caveats, Google Chrome will generally keep instances of different web sites isolated from each other in common usage.

For each type of plug-in, Google Chrome will create a plug-in process when you first visit a page that uses it. A short time after you close all pages using a particular plug-in, we will destroy its process.

We'll post future blog entries as we refine our policies for creating and swapping among renderer processes. In the mean time, we hope you see some of the benefits of a multi-process architecture when using Google Chrome.

Posted by Charlie Reis

16 comments:

grfgguvf said...: This is how browsers should have always worked. I filed a bug with the Mozilla bug tracker many years ago but it got little response. Glad that someone at Google had the same idea!

I think "swapping" in a new renderer process for every type of navigation to a new site would make sense, what is the reason for avoiding it? Only thing I can imagine is trying to provide smoother page transitions (or page-transition effects in the future), but keeping a bitmap snapshot of the page in the browser process should be enough for that...; September 11, 2008 9:22 PM
bacon said...: Does the lack of fork() in Windows force Chrome to use more memory than it otherwise would per process? Is this the reason there is a relatively low limit for the number of processes that will spawn?; September 11, 2008 11:13 PM
Γριφεγ said...: @bacon

Windows API doesn't call it fork() but it does have the equivalent -- intuitively named CreateProces(), and pages of shared libraries (.DLL) and process images (.EXE), etc only appear once in memory like on Multics/Unix.; September 11, 2008 11:22 PM
Charlie Reis said...: grfgguvf: There's more information about the caveats I mentioned on the process models page of our developer docs. The first and last bullet points under "Caveats" should answer your question.

Thanks for the comment!; September 12, 2008 8:39 AM
Jeroen-bart Engelen said...: It's funny that Google gets so much press about their "each tab is it's own process", while Internet Explorer 8 (of which I've installed the beta for a couple of months now) also does this, but for some reason no one seems to notice.; September 12, 2008 2:10 PM
Arthur Kalmenson said...: @jeroen-bart engelen

Because they're not the same.

From here: http://www.pcworld.com/article/150623/chrome_vs_explorer_8.html?tk=rss_news

"Like Chrome, IE 8 uses multiple, discrete processes to isolate and protect each tab's contents. However, while Chrome takes a purist approach and literally launches a new process with each opened tab, IE 8 uses more of a hybrid model: It creates multiple instances of the iexplore.exe process but doesn't specifically assign each tab to its own instance. Thus a look at Task Manager under Windows will show an equal or greater number of Chrome instances than running tabs, whereas IE 8 will generate a fewer number of instances -- for example, six copies of iexplore.exe to support 10 discrete tabs -- and share them among the running tabs."; September 13, 2008 9:49 PM
Darky said...: @ Arthur Kalmenson,
actually by default Google Chrome does not "literally launches a new process with each opened tab", but uses the "process-per-site-instance" setting, which is indeed quite similar to IE8's LCIE. Each new tab opened with the new tab button launches a new process, but tabs opened from links within an existing tab will share the same process as the originating tab. Google Chrome does launch a new process specifically for plugins, but other than that, its default behavior is indeed practically the same as that of LCIE in IE8.

and the multi-process architecture/approach in a web browser was first introduced by IE8b1 to the public months ago, that's the fact.; September 15, 2008 10:13 PM
Γριφεγ said...: @Darky

That's not a fact, one of the first browsers, NCSA Mosaic used separate processes for each window, for example.

Of course pages were just HTML back then so it was the natural thing to do.

Anyway, the most annoying thing on the web currently is crashing plugins, at least for me, so running them in a separate process is a very important improvement.; September 16, 2008 12:26 AM
Darky said...: @ Γριφεγ

Nope what I said IS a fact, try read my post more clearly instead of distorting it with your blind bias. I said "multi-process architecture/approach", NOT "used separate processes for each window". Every single non-tabbed browser (IE6 for example) use separate processes for each different window, because they are basically launched multiple times. However that's NOT what "multi-process architecture" is about here in this article, which is what IE8b1 first introduced to the public.

Anyway, this is not about whether plugins are run in separate processes or not, the point is, Chrome's "multi-process architecture" is indeed very similar to LCIE in IE8, and IE8b1 introduced this concept to the public first. Not NCSA Mosaic. That's not just a fact, that's THE fact.; September 16, 2008 5:36 AM
Γριφεγ said...: @Darky

If you think I have a blind bias against Microsoft read above where "Bacon" says Windows lacks fork() and I reply it has CreateProcess().

I have never used IE6 but I thought launching it a second time just opens a new window from the already existing IE process. That's what Netscape did for example.

Anyway, it's not exactly revolutionary to start a new process for (almost) each tab. Maybe my view is skewed because I hate tabs, I regard them as redundant because the graphical system can handle windows better, tabs are just windows in a frame with restricted arrangement options.

And I think it is very much about separating plugins. That's one reason why Chrome gets more praise than IE8.; September 16, 2008 5:59 AM
Patrick Roberts said...: i keep learning about more and more little advantages and quirks with Chrome, such as with privacy, for example... now if only they would take care of it's cookie management glitches; September 16, 2008 3:37 PM
bacon said...: @γριφεγ

Why limit the number of processes if shared pages aren't duplicated? If you or anyone has any insight on that...; September 18, 2008 11:12 PM
liang cai said...: Charlie: I have a feeling that the upper bound of process number has defeated the efforts to separate contents from different origin. Furthermore, sometime users just want to read a lot of web pages which don't have any javascript. It is not needed to use different process for them in that case.
Why the process model has to be stable as long as the browser has been built. Is it possible for the application designer to have some control over the process model in Chrome, or intelligently decide which model based on the content of the web page. At least it can be an new alternative of process model:; September 18, 2008 11:47 PM
Bryn said...: @Γριφεγ
IE6 uses both 1 or multiple processes per window.

If you go to an existing IE window and click file->new window, or right click->open in new window, the same process just creates a new window. If something goes wrong in one, you loose the lot.

If you go to an IE shortcut and launch a new window, it is indeed a seperate process.

I don't think this is by design, I think it just happened and no one bothered to put any "if instance running get it to open a new window" logic in.; September 21, 2008 10:09 AM
Γριφεγ said...: @bryn

If it isn't by design, then they accidentally got it right. Sometimes there is a reason why an architecture naturally lends itself.

Anyway, I dislike tabs intensely, here's a shameless plug of my anti-tab rant provoked partly by my frustration using Google Chrome.; September 21, 2008 6:51 PM
Lars Schouw said...: Is the build download manager also working parallel so it can use all my bandwidth on my 100 bps fiber Internet at home when downloading files?

Lars; December 11, 2008 9:43 PM

Search our Blog

Archive

Subscribe

More Blogs from Google

Useful links

Multi-process Architecture

16 comments: