> The engine works by allowing developers to use special interfaces and a high-performance scripting language called KL for performance critical parts of the code
I haven't looked into it, but this suggests it's not actually JavaScript (as the title implies) but rather some new language that gets the speed boost.
Using pointers adds a certain amount of complexity, and they also introduce the possibility of security problems. This was particularly important for the work we were doing on the browser plug-in. For the type of work that developers use KL for, they aren't needed.
On that topic, I wasn't able to find any information on the security of Fabric or the sandboxing it uses. Short of going through the source code is there documentation on this topic?
NACL, which is only somewhat similar in that it runs native code via the browser, went to great lengths to demonstrate how their sandboxing worked to address the FUD of running native code in the browser. I have a very similar FUD about executing Fabric LLVM code from arbitrary websites.
To clarify where I'm coming from, I am a javascript / ruby dev and although I have worked in C I do not claim to understand the inner workings of LLVM or have ever worked with it. If there is an implicit reason why building on LLVM would sandbox code written in fabric it is not implicit to me. I doubt I am alone in this and would greatly appreciate an explanation of Fabric's sandboxing.
As promised:
Security was an important part of the design of Fabric. What security means depends on whether Fabric is running standalone from the command-line or as a browser plugin.
When Fabric is run from the command line, we are in general unconcerned with security. This is because Fabric is run like any other program on a computer where the software is deliberately installed by the user. Fabric runs as a module for Node.js or for Python, and runs with the same security credentials as Node.js and Python. Like Node.js and Python, Fabric will only do what you explicitly tell it to. Let us be clear: this is the context in which you might use Fabric for server-side work, much as one does with Node.js, Python or Ruby.
When Fabric is run as a browser plugin, security is a major concern because a Fabric application (or, more precisely, an in-broswer application that wants to use the computer the browser is running on to run code) specifies code that is compiled and executed on the machine running the browser. To prevent the usual types of exploits, the language KL in which the Fabric operator code is written is both pointer-free (like Ruby, Javascript and Python) and provides bounds checks for all array accesses, throwing an exception for any out-of-bounds accesses (like Ruby and Python). Access to third-party code, which does not adhere to the same pointer-free and bounds-checked rules, is done through our extension mechanism, and extensions, besides the default extensions provided with Fabric (that are just wrappers for common open-source libraries), must be explicitly installed by the user -- it is not possible to make the user's browser automatically "download" an extension.
Of course, you are wise to question whether you can "trust" our security model. Fortunately, if you're really in doubt, you can simply look at our code, which is open-source; we believe this already places us ahead of common browser plugins, such as Flash, to which could be posed the same questions but for which one cannot audit the code.
I've asked one of my colleagues to write a longer response to this (we may post it on the developer blog), but I'll give you a short answer in the meantime. We don't do sand-boxing - I think a look at the amount of money that's gone into NaCl shows that a startup would have no chance of pulling that off.
By being pointer-less, we block a lot of potential malicious code. If you don't have access to memory, it's hard to write anything dangerous. Our bigger concern with the plug-in is around our extension system - it allows us to include existing libraries, which of course means it's opening up to C/C++. Consequently, we force explicit install of extensions - if a developer builds a custom extensions, then the end user has to install it, the same as if you were choosing to install a local application.
not really - Fabric is integrated with dynamic languages, we 're not interpreting JS or Python (we work with both languages). Fabric is basically a high-performance threading engine that you can call from your dynamic language - the key element is that the operator code (KL) enables the high-performance. This KL is only required for the operators, and is not as difficult or complex as C/C++ to use - it's designed purely for this task. A regular Python or JavaScript developer can pick it up.
> Fabric is integrated with dynamic languages, we 're not interpreting JS or Python (we work with both languages).
Neither does Cython.
> Fabric is basically a high-performance threading engine that you can call from your dynamic language
Well Cython is for writing Python modules, so it's integrated with Python only. But that's pretty much it.
> the key element is that the operator code (KL) enables the high-performance. This KL is only required for the operators, and is not as difficult or complex as C/C++ to use - it's designed purely for this task.
So's Cython. Cython compile to a native module, that native module is simply imported and used from regular Python code.
> A regular Python or JavaScript developer can pick it up.
A regular Python developer really shouldn't have any trouble picking up cython.
as per my other comment: "please correct me if I'm wrong, but I don't see anything about Cython handling multi-threading and I don't see anything about dynamic compilation on target. I just had a flick through their documentation, so if this stuff is in there then I missed it..."
When we designed Fabric, our goal was not to speed up Python, or JavaScript. Our goal was to build high performance multi-threaded applications on top or dynamic languages.
Fabric is for software developers who need to build high performance software, and also use dynamic languages.
V8 will continue to speed up, and may even get close to the speed of native code. But in that time, CPUs architectures will continue to gain more cores, widening the gap between multi-threaded code, and dynamic code.
Replying to comment below (can't see a reply button) - please correct me if I'm wrong, but I don't see anything about Cython handling multi-threading and I don't see anything about dynamic compilation on target. I just had a flick through their documentation, so if this stuff is in there then I missed it...
Multi-threaded software development is a huge challenge facing software developers. The model we have taken enables massive amounts of computation to be distributed across all available cores.
The combination of task based parallelism, and data based parallelism, orchestrated using a dependency graph, enable our scheduler to very efficiently manage the CPU(and in the GPU in the future).
This model is used in high end video game engines today to leverage multi-core CPUs effectively. We make this programming model available in Python and JavaScript.
I haven't looked into it, but this suggests it's not actually JavaScript (as the title implies) but rather some new language that gets the speed boost.