Google Demonstrates Chrome Native Client With Bastion

Multiple readers sent word that Bastion, an action RPG from indie developer Supergiant Games originally made for Xbox Live Arcade, has shown up in the Chrome Web Store. The purpose of the move is to showcase the browser's Native Client technology. From the article: "Ian Ellison-Taylor, Google's director of product management for the open Web platform, said that Native Client, also called NaCl, can currently improve browser performance by 1 to 10 times. 'What would it be like if we could run native code inside the browser,' he asked the crowd, and he enumerated two goals for the Native Client project. He said Google wants to bring native applications to the Web for performance and security reasons, and it wants to enrich the Web ecosystem by bringing popular, long-in-use programming languages to the Web."

Wow, this is so innovative.

This is so revolutionary. Now we can run native applications on our computers! Just imagine the possibilities! Oh, wait. We already can. And they aren't inhibited by some horrid browser-based sandbox.

improving performance by 1 to 10 times

[roman_mir]

can currently improve browser performance by 1 to 10 times

- this reminds me of the quote from the historical documents:

-Good Lord! That's over 5000 atmospheres of pressure!
-How many atmospheres can the ship withstand?
-Well, it was built for space travel, so anywhere between zero and one.

Re:improving performance by 1 to 10 times

[donscarletti]

It's best to take all figures, especially those concerning NaCl with a grain of salt.

How do I turn this off?

[orn]

Like I really want anyone and their uncle to be running native code on my machine. We went to a sandbox model for a reason! If this is active now, how do we shut it off?

Re:How do I turn this off?

You should read up on how NaCl works. It is in a sandbox. One based on software fault isolationi.

Re:How do I turn this off?

[TheGratefulNet]

yeah, right; I'm going to trust italian software!?

It's SLLOOOOWWWW

[Mr.+McGibby]

I tried Bastion this morning on my arguable beefy 8-core 8 GB machine. SLOW AS SNOT. So either it's slow or I need to change some configuration setting. Maybe I'm missing something, but wasn't doing this crap in the browser supposed to make it "just work" (tm)?

Re:It's SLLOOOOWWWW

[VortexCortex]

Single core code... You bought more cores thinking coders (especially poor indie ones) were going to support all of them at once?
My 7 year old 3ghz single core machine, w/ 3GB RAM and a crappy $50 Nvidia GeForec FX 5200 runs this fantastically.

As a coder myself I take great pains to ensure my software can take advantage of as many cores as you throw at it, but in reality, most programs do not. What's the individual cycle speed of one of your cores? Less than my 6 year old laptop? Yeah, don't expect low quality software to run well on your high quality rig.

I wish Erlang wasn't crap when it comes to games -- it was a step in the right direction.

Reminds me of IE 6

[Billly+Gates]

I am a little uneasy of making a web browser a proprietary platform. PcMag had an article about Chrome being the next IE 6 of the browser wars 2.0.

IE 6 was a great browser in 2001 regardless of its security shortcomings found years later. Everyone on slashdot back then admitted to using it but were scared and assumed the WWW would die soon because of it. Everyone seems to be oblivious that Google is another evil big corporation no different than Microsoft. Actually synergy is behind Google now, like it was with MS a decade ago.

Dart is chrome only, the javascript libraries are Chrome only or particulary run much better on Chrome (google ones like V8), this and many other proprietary HTML 5 code like that site with the band a few months ago that only work in Chrome. This game will use HTML 5 but has other proprietary hooks to make sure it wont run in any browser.

Google is making it clear they look at the browser as an operating system. At least Microsoft today is running away from ActiveX and trying to do good with IE 10 which will be the most open and standards compliant browser to date. Firefox is dying and is losing popularity. In a year or two from now it will be a IE vs Chrome world.

Anyone else bugged or am I just paranoid? I just want a great browser and not a simple fast one, but with the real goodies underneath it that are dependent on Chrome.

Re:Reminds me of IE 6

[Qwavel]

I agree that Google is just another big evil corp and should be watched closely - I'm a fan of much of what they have done, but I still try to remain critical.

But this is nothing like what MS tried to do to the web. I'll repeat some of what I posted above: with NaCl, Dart, WebM, and SPDY, Google is not replacing web technologies with proprietary technologies - they are optimizing pieces of web technologies.

Even when you use these technologies you are still writing a standard web app and it still runs on all browsers - just without the Chrome optimizations. For NaCl for example, the primary use case (according to Google) is that you take your bundle of HTML/CSS/Javascript and replace pieces of the javascript with native code. When deployed to other browsers your app uses the original javascript instead of the optimized NaCl alternative.

More importantly, these technologies are all open source and restriction and royalty free. So, for example, Amazon is now using Google's SPDY technology in their browser without any royalties or advantage to Google.

To me these seem like reasonable ways to move the web forward without subverting it.

So, if you want to be pissed at Google then note that a couple of weeks ago they cancelled their project to make Green technologies competitive with coal. That didn't get nearly enough press. But when it comes to the web they (for now) still appear to be behaving themselves.

Re:Reminds me of IE 6

[DragonWriter]

I am a little uneasy of making a web browser a proprietary platform.

There's two different uses of "proprietary" that are common, one is in contrast to FOSS (which Native Client is), and one is in contrast to "standard" (with regard to which, per the Native Client FAQ, Google thinks Native Client is too immature to consider trying to standardize at this time.)

Lots of technology gets integrated into browsers to be proven before being submitted for standardization.

Dart is chrome only

No, its not. The VM isn't integrated into Chrome yet, the only way to run it in a browser is compiling to JS that runs on any modern browser, so its not even runs-better-on-Chrome, much less Chrome-only.

Its possible that the when the VM is integrated in Chrome it will be runs-better-on-Chrome.

the javascript libraries are Chrome only or particulary run much better on Chrome (google ones like V8)

V8 isn't a javascript library, its the JavaScript engine that Chrome uses, parallel to SpiderMonkey or whatever the engine is that Firefox uses now.

[...] proprietary HTML 5 code [...]

You are misusing either "proprietary" or "HTML 5" here.

Good question

[0123456]

What would it be like if we could run native code inside the browser?

The massive swamp of security vulnerabilities that was ActiveX?

Re:Good question

[VortexCortex]

I think you're missing something important. Every bit of JavaScript you run on modern browsers is compiled into machine code in memory, marked as executable, then executed -- right on the metal.

This is why mistakes in the compiler and/or buffer overflows in JS supporting code can so easily cause remote code execution. All the "sandboxing" NaCl provides is the same as what JS provides -- NONE! Do you actually think that there are Zero buffer overflow vulnerabilities in any of your favorite softwares?

The only way to sand box this stuff is to have a secure Hardware supported VM, or use an interpreted language. We traded speed for security with WEB BROWSERS!?!? Yeah, the whole web is held together with duct-tape bubble gum and twine. I'm out. The native vetted application market is the way to go, except they all made the same SNAFUBAR, compiling bytecode to machine code and calling that a sandbox.

Active X?

[The+Raven]

Can someone describe the differences between NaCl (Salt?) and ActiveX? They both seem to be methods to run native code inside a browser sandbox. What are the ways Google's offering is superior? Is it better at all than the current implementation of ActiveX? I like Google, but this particular initiative seems kind of backwards thinking.

Re:Active X?

[0123456]

NaCl program is sandboxed, so even when you allowed it to run, it cannot do anything harmful.

I remember people saying that about Java.

A type-safe subset of x86 instructions

[tepples]

NaCl defines a subset of x86 instructions that are verifiably type-safe, just as .NET IL and JVM bytecode are verifiably type-safe. The browser verifies the binary before executing it.

Re:A type-safe subset of x86 instructions

[shutdown+-p+now]

It's not type-safe (there are no types as such on assembly level, it's all just bytes and words), it's memory-safe.

More importantly, the subset of instructions available in NaCl allows one to do lower-level stuff than verifiable CIL instructions (JVM is always memory-safe). For example, NaCl permits pointer arithmetic.

Re:A type-safe subset of x86 instructions

[Cajun+Hell]

People are going to be in for such a surprise, when the all-male population of dinosaurs start laying eggs. Life finds a way.

Re:Enough with the "sandboxing is perfect" bullshi

For crying out loud, what is it with you wheel freaks? Why do you insist that wheels are the only solution to transportation problems? Why do you get so excited about a technique that's actually quite ancient?

Fuck, I first remember using wheels back in the 1970s on some Ford pintos, and it probably wasn't even a new technique then. All through the 1980s, 1990s and 2000s it became a pretty common feature of most land yachts. Hell, even Chrysler and GM have excellent wheel rotating support, and have had it for a long time. That's not even considering Hyundai, Kia, and the other existing and well-established platforms that have wheels! These days we've also got Saab, BMW and many other systems we can run on roads.

Look, wheel rotation is one transportation technique among many. If getting rid of wheels causes you that much of a problem, THEN YOU'RE DOING TRANSPORTATION REALLY FUCKING WRONG!

FTFY

Or You Could... You Know...

[Greyfox]

Run native code WITHOUT the browser. Revolutionary idea, I know. You could pass on all the frameworks required to shoe-horn procedural programming onto a stateless protocol, give HTML and XML markup a miss, not write any javascript, and... just... write an application. And maybe it won't need 34MB to run in, and maybe it'll actually be instantly responsive. Maybe... just maybe... that's what you really need to do.

Re:Or You Could... You Know...

[goruka]

And lose the ease of deployment that web based apps have and the multiplatform goodness of Native Client? No thanks.

Re:bad idea

[Qwavel]

I'm guessing they mean that you are more secure now that you can run apps in your browser which you previously had to install into your OS. The privileges enjoyed by an NaCl browser app are really minimal compared to the same app installed with admin on Windows (which is how most users do it).

Regarding web standardization, note that NaCl is nothing like Flash or Silverlight: rather then replacing standard web technologies with proprietary technologies, it is primarily a way to optimize pieces of web technology. You take your bundle of HTML/CSS/Javascript and replace pieces of the javascript with native code. And you don't do it with some proprietary google language - you do it (eventually) with whatever language you want.

To me it seems like a reasonable way to move the web forward without subverting it (or even altering it much).

Pepper

[DragonWriter]

Yes, I'm curious if there'll be a complementary technology named Pepper.

Pepper is the plug-in API that NaCl modules use to communicate with browser-managed resource, JS, etc.

Re:bad idea

[AaronLS]

Since NaCl == Sodium Chloride == Salt, let's make this discussion more interesting by replacing all instances of "NaCl" with "salt".

"note that [salt] is nothing like Flash or Silverlight". The first consistently taste great, while the others vary in flavor from one OS to the next. I kid, I kid :)

A plugin to rule them all!

[goruka]

Native Client is like a plugin that makes all other plugins obsolete.

-It can do everything you can do with Flash, Unity, Silverlight, etc.
-You can use any language to develop for it, C, C++, ObjC, Python, C#, you name it.
-Can access everything JS can (using the Pepper plugin API).
-It's from a trusted vendor (Google), so most people will not be afraid to install it.
-Will come pre-installed in the soon to be most popular web browser.
-It's open source
-It's much more secure than existing plugins due to sandboxing.

And, yes, I can understand HTML5 purists, but the truth is that:

1) Not everything can be made into a web application using HTML5+JS.
2) There's way too much code and applications written in other languages..
3) Cross-Platform web deployment is very attractive. Compile for x86 and ARM and 99.999% of the devices on the planet can be supported.

So, disable it if you don't want it, but this is a very attractive idea with a lot of potential for us developers, and even Adobe is trying somehting similar with Alchemy on Flash. It's a much more realistic way to bring actual real applications to the web than the dream that HTML5+JavaScript is.

Re:bad idea

[chrb]

Implementing something your own way is evil and proprietary.

Native client is open source. So is chromium.

Re:bad idea

[kripkenstein]

To me [NaCl] seems like a reasonable way to move the web forward without subverting it (or even altering it much).

There are a few big problems with that:

• NaCl is not portable. NaCl apps only run on x86 and x86_64, not ARM or PowerPC or anything else.
• NaCl is not a standard or even a proposed standard, and all other browser vendors are opposed to it (because of the previous issue, and because it is controlled by Google). As a consequence, NaCl apps only run on Chrome (and on x86 and x86_64).

The web is all about open standards, viewing the same web from any browser or any OS, and so forth. So NaCl, that only runs on two archs and on one browser, is a step backwards.

Re:bad idea

[suy]

NaCl is not portable. NaCl apps only run on x86 and x86_64, not ARM or PowerPC or anything else.

NaCL binaries are not portable in the same way I can't install the FireFox's Windows binaries on Linux (or the armel ".deb" from packages.debian.org on my amd64 computer), but honestly, who cares? Mozilla and Debian guys just compile it for each supported platform. There is also the possibility of creating a "fat nexe" that supports all platforms.

As a consequence, NaCl apps only run on Chrome (and on x86 and x86_64).

Is open source code on an open source browser. I would prefer it being a plugin (I think at some point there was one) so I can run it in all my browsers. But this is no different than any other proprietary feature on other browsers. I'm currently using Mozilla's proprietary "crypto" JavaScript API for an application, and it only runs on Mozilla's browsers. Not convenient, for sure, but what should I do? Not use the feature at all? Or try to make something valuable from it, so other developers might consider incorporating it?

It's actually a good idea

[TobiX]

Think of how most developers are using Javascript nowadays: it's a target language for their compilers.

Whether the source was Java (GWT compiler) or Javascript itself (YUI compressor, Google closure compiler) the fact remains that what browsers are given to run is not what the developers wrote. Which is standard practice in the software business (it's called compilation) and for good reasons.

Now, JS makes for a poor machine language. So we could either beat around the bush with an intermediate bytecode language (Java went there, and Python and all the others too, with varying results) or go for the real thing and come up with a good x86 sandboxing and code verification standard.

Remember, x86 is currently in use by 99% of desktop machines. When other architectures will gain momentum, websites will just offer two or more compiled versions of their code. In the mean time, they will just have to emulate or translate the x86 instruction set, a task for which a large open source code base has already been developed, and which would still be more efficient than parsing plain Javascript, by several orders of magnitude.

So what's the problem with that, again?

Re:bad idea

[gsnedders]

NaCL binaries are not portable in the same way I can't install the FireFox's Windows binaries on Linux (or the armel ".deb" from packages.debian.org on my amd64 computer), but honestly, who cares? Mozilla and Debian guys just compile it for each supported platform. There is also the possibility of creating a "fat nexe" that supports all platforms.

And what happens when I'm browsing the web on my MIPS-based TV? I'm at the mercy of the website author to specifically support my architecture. Today, I can visit any website and it will work. There is no dependency on any architecture specific stuff. Most developers will only bother compiling for x86 and ARM in all probability, which will hurt anyone else.

Is open source code on an open source browser. I would prefer it being a plugin (I think at some point there was one) so I can run it in all my browsers. But this is no different than any other proprietary feature on other browsers. I'm currently using Mozilla's proprietary "crypto" JavaScript API for an application, and it only runs on Mozilla's browsers. Not convenient, for sure, but what should I do? Not use the feature at all? Or try to make something valuable from it, so other developers might consider incorporating it?

It is a plugin... using a non-standard, non-documented plugin API, which nobody apart from Chrome supports or has any intention of supporting (it's a huge amount of badly documented, totally web irrelevant, anti-Open-Web chunk of code --- why should anyone take it in?). If they had used the standard plugin API (NPAPI), it would work today in every browser.

And I'm sorry, but this is fundamentally different to a lot of proprietary functionality in other browsers. Most of browser vendors are putting in large amounts of effort into removing old proprietary behaviour and specifying anything they wish to keep. Even Apple when it adds new proprietary behaviour to WebKit typically specifies it. Writing a spec is a big deal: it allows anyone else to write a clean-room implementation, which is often desirable (especially for CSS/DOM extensions: it's practically impossible to share much code without all moving to a single engine). Google hasn't released any spec for NaCl (and neither for the Pepper plugin API it relies upon), the spec it has released for Dart is nowhere near complete enough to allow a new implementation (and it had a several year headstart on implementing --- something that makes their implementation very hard to compete with), the spec for WebM is mostly just a dump of the code of the implementation (it's not really a spec: it's just code and the spec just says "match this").

Re:Enough with the "sandboxing is perfect" bullshi

[MadKeithV]

Sensible people, on the other hand, see sandboxing as just one more tool in the toolbox.

So please enlighten us. How do you run untrusted code on your machine without some kind of sandbox?

Root someone else's machine and run it there.