See this “How Blink works” document.
blink/renderer
directory structureThis section describes a high-level architecture of blink/renderer
, which contains most of the Web Platform implementation, and runs exclusively in the renderer process. On the other hand, common/
and public/common
also run in the browser process.
All code in blink/renderer
is an implementation detail of Blink and should not be used outside of it. Use Blink's public API in code outside of Blink.
core/
The core/
directory implements the essence of the Web Platform defined by specs and IDL interfaces. Due to historical reasons, core/
contains a lot of features with complex inter-dependencies and hence can be perceived as a single monolithic entity.
modules/
The modules/
directory is a collection of self-contained, well-defined features of the Web Platform that are factored out of a monolithic core/
. These features are:
README.md
;platform/
, core/
or modules/
, forming a healthy dependency tree.modules/
OWNERS are responsible for making sure only features that satisfy requirements above are added.
For example, modules/crypto
implements WebCrypto API.
platform/
The platform/
directory is a collection of lower level features of Blink that are factored out of a monolithic core/
. These features follow the same principles as modules/
, but with different dependencies allowed:
README.md
;platform/
(but not core/
or modules/
), forming a healthy dependency tree.platform/
OWNERS are responsible for making sure only features that satisfy requirements above are added.
For example, platform/scheduler
implements a task scheduler for all tasks posted by Blink, while platform/wtf
implements Blink-specific containers (e.g., WTF::Vector
, WTF::HashTable
, WTF::String
).
core
vs modules
vs platform
splitNote that specs do not have a notion of “core”, “platform” or “modules”. The distinction between them is for implementation convenience to avoid putting everything in a single core/
entity (which decreases code modularity and increases build time):
core/
;modules/
;platform/
.Note that some of these guidelines are violated (at the time of writing this), but the code should gradually change and eventually conform.
bindings/
The bindings/
directory contains files that heavily use V8 APIs. The rationale for splitting bindings out is: V8 APIs are complex, error-prone and security-sensitive, so we want to put V8 API usage separately from other code.
In terms of dependencies, bindings/core
and core/
are in the same link unit. The only difference is how heavily they are using V8 APIs. If a given file is using a lot of V8 APIs, it should go to bindings/core
. Otherwise, it should go to core/
. Consult bindings/
OWNERS when in doubt.
Note that over time bindings/core
should move to core/bindings
and become just a part of a larger “core”.
All of the above applies to bindings/modules
and modules/
.
extensions/
The extensions/
directory contains embedder-specific, not-web-exposed APIs (e.g., not-web-exposed APIs for Chromium OS etc). The directory is useful to implement embedder-specific, not-web-exposed APIs using Blink technologies for web-exposed APIs like WebIDL, V8 bindings and Oilpan.
Remember that you should not implement web-exposed APIs in extensions/
. Web-exposed APIs should go through the standardization process and be implemented in core/
or modules/
. Also, per the Chromium contributor guideline, code that is not used by Chromium should not be added to extensions/
.
In terms of dependencies, extensions/
can depend on modules/
, core/
and platform/
, but not vice versa.
controller/
The controller/
directory contains the system infrastructure that uses or drives Blink. Functionality that implements the Web Platform should not go to controller/
, but instead reside in platform/
, core/
or modules/
.
If the sole purpose of higher level functionality is to drive the Web Platform or to implement API for the embedder, it goes to controller/
, however most of the features should go to other directories. Consult controller/
OWNERS when in doubt.
In terms of dependencies, controller/
can depend on extensions/
, modules/
, core/
and platform/
, but not vice versa.
build/
The build/
directory contains scripts to build Blink.
In terms of dependencies, build/
is a stand-alone directory.
Dependencies only flow in the following order:
public/web
controller/
extensions/
modules/
and bindings/modules
core/
and bindings/core
platform/
public/platform
public/common
//base
, V8 etc.See this diagram.
build/
is a stand-alone directory.
Member variables of the following types are strongly discouraged in Blink:
WTF::String
and WTF containers instead.GURL
and url::Origin
. Use KURL
and SecurityOrigin
respectively.//base
type which has a matching type in platform/wtf
. The number of duplicated types between WTF and base is continuously shrinking, but always look at WTF first.The types above could only be used at the boundary to interoperate with //base
, //services
, //third_party/blink/common
and other Chromium-side or third-party code. It is also allowed to use local variables of these types when convenient, as long as the result is not stored in a member variable. For example, calling an utility function on an std::string
which came from //net
and then converting to WTF::String
to store in a field is allowed.
We try to share as much code between Chromium and Blink as possible, so the number of these types should go down. However, some types really need to be optimized for Blink's workload (e.g., Vector
, HashTable
, AtomicString
).
Exceptions to this rule:
//third_party/blink/common
and //third_party/blink/public/common
also runs in the browser process, and should use STL and base instead of WTF.public/platform
and public/web
, whole purpose of which is conversion between WTF and STL, for example WebString
or WebVector
.To prevent use of random types, we control allowed types by allow listing them in DEPS and a presubmit script.
Blink can use Mojo and directly talk to the browser process. This allows removal of unnecessary public APIs and abstraction layers and it is highly recommended.
When you need to use threads in Blink, cross-thread communication should be done with a message passing model (i.e., call cross_thread_task_runner->PostTask() with cloned POD input parameters).
A shared memory model (e.g., using mutex locks or atomics) is strongly discouraged. The rationale is that mutex locks and atomics are really hard to use correctly, and even if it appears to be manageable initially, it gets out of control easily. Historically, shared memory programming patterns in Blink have been one of the major sources of use-after-free security bugs and stability issues (e.g., WebAudio, memory access via CrossThreadPersistent). Remember that, unlike V8, Blink does not have a strict API boundary and is touched by many developers, and thus it‘s more important to adopt a less error-prone programming pattern. There are existing instances of shared and concurrent memory access in blink, but they should not be extended or cargo-culted. Just because you see a shared memory pattern in the code does not mean it’s okay to use the pattern elsewhere.
Introducing a few mutex locks or atomics in simple classes (e.g., shared counters) is fine. However, when you need to introduce a non-trivial number of mutex locks and atomics, the architecture needs to be designed and reviewed carefully. In that case, please get approval from platform-architecture-dev@chromium.org.
If you have any questions about the directory architecture and dependencies, reach out to platform-architecture-dev@chromium.org!