back to article Google heats up native code for Chrome OS

Google has released a preliminary software development kit for Native Client, its native-code browser plug-in. The company unveiled its Native Client SDK "developer preview" with a blog post on Wednesday, calling it "an important first step in making Native Client more accessible as a tool for developing real web applications …


This topic is closed for new posts.
  1. HCl+NaOH


    The Portable Native Client project - aka PNaCl, pronounced 'pinnacle' - uses the Low Level Virtual Machine (LLVM) bitcode format. The idea is to compile C, C++, and other languages into LLVM bitcode that allows for client-side translation into the client's native instruction set.

    That kinda describes java, doesn't it (that is without the language and without the inherent convenience when compared to C/C++)? Yet another virtual machine architecture, how is that new/different? (other than the fact that it would be controlled by Google as opposed to Oracle).

    Here's to Larry with hopes that he will put Java back in the game. Loved his remarks regarding Schwartz's blogtastic performance.

    1. Eddie Edwards

      LLVM is not a VM

      Easy mistake to make, but LLVM is more akin to a compiler backend than a VM per se. It offers compilation from bitcode to assembly on multiple platforms. You can do this JIT or up-front, as you wish. LLVM doesn't force any other options e.g. garbage collection. And LLVM is pure open-source, used all over, and not controlled by Google. It's the most open standard there is for this sort of thing.

      It kind of describes p-code, doesn't it, which predates Java by decades.

  2. Stuart 2

    good thing

    The advantage of NaCL is that you will be able to compile most reasonably cross platform code to work with NaCL, with relatively little effort, once some of the cross-platform gui/graphics libraries are ported to it, e.g. openGL, wxWidgets, QT. This means that countless linux programs could be made to work with little effort. No doubt google will use it to deploy office apps to PC's running Chrome OS.

    Compared to Java, the chief advantage is that it is native code, and thus there is no translation/interpretation step. In addition, there is a lot more existing code written in C/C++ than java.

  3. Anonymous Coward

    Beating the Crap out of MS

    "That kinda describes java, doesn't it (that is without the language and without the inherent convenience when compared to C/C++)? Yet another virtual machine architecture, how is that new/different? (other than the fact that it would be controlled by Google as opposed to Oracle)."

    Only "kinda". LLVM does not mandate an academic memory model like the JVM does. You *can* have any type of variable allocated on the stack, you can have destructors and you do not need Garbage Collection. Arrays do no need to be arrays of pointers. And this list is the core reason for C/C++ being so much more efficient than "managed" languages.

    Netscape and SUN botched it, but Google now has the technology at their hands to give Microsoft a really, really hard time. Imagine Google Docs using client-side code which runs at native speed. Imagine a flight simulator being run inside a webpage. Imagine collaborative CAD applications without the need to go through install orgies. Imagine running photoshop inside a web page.

    1. Michael Shelby
      Thumb Down


      Imagine having to download Photoshop every time you pointed your browser at that web page.

      1. William Gallafent


        Er, imagine having a cache in your browser that stores objects locally (what a novel idea). Your browser checks that the version of Photoshop you downloaded last time is up to date when you point your web browser at that web page, and uses that if it is, only downloading anything if an update is available.

  4. Stu


    This is just one stones throw from ActiveX, even if it is essentially virtualised and has a smidgeon of security tied to it.

    How long before somebody writes an LLVM virus, as I'm sure Native Client will be bullet proof on day of arrival! ;-)

    Lets not forget how JavaScript opened up the floodgates to script kiddie viruses and phishing attacks, no matter if its virtualised or interpreted, it still presents opportunities, and the opportunities seem huge if you've got direct native API access!

    Then again I may be wrong - prove your worth Google.

  5. Stephen Channell

    How about some standardisation?

    We could call it p-code, bytecode or something more wordy like "Common Intermediate Language (CIL)".. but then it would be obvious that this was just repeating other initiatives.

    They should have used niblecode and saved bitcode for the next iteration

  6. amanfromMars 1 Silver badge

    Ok ...let's cut to the chase and quit pratting around like Virgin Fairies in the Perfumed Garden

    "Google is obsessed with moving all applications into what it insists on calling the cloud,..."

    And what would you rather call it, Cade? A free and ubiquitous, ridiculously easily accessed, invisible and intangible, collective executive administrative vault?

    Methinks cloud, which can easily be thought to be an instrument and facility in any and many of its possible iterations [CLOUD/Clouds/CLoud/C##LOUD] is much more appropriate even if it is beautifully ambiguous ..... which is a very fine form of superior security for sensitive subjective applications/sublime programs and/or subversive projects ...... with the one being being the same as the other and delivering something else, completely different, which is what Quantum Communication Control brings to the Future and Private and Pirate Parties Playing in the Public Space and ITs Cyber Places.

    And just in case anyone doesn't yet know of the Essence of Quantum, this is as clear and as simple an explanation of its bits and infinite flexibility as you are ever likely to get ....... "A qubit has some similarities to a classical bit, but is overall very different. Like a bit, a qubit can have two possible values—normally a 0 or a 1. The difference is that whereas a bit must be either 0 or 1, a qubit can be 0, 1, or a superposition of both." .....

    1. Atonnis


      How about 'the internet', or 'someone else's server(s) so they can scan and index all of your data'. Those work for me.

      The term 'cloud' likely comes more from the fact that people often use a cloud-like bubble on technical drawings to describe the internet. I wouldn't see it any other way.

    2. Anonymous Coward
      Jobs Horns


      Just call it the 'Internet'. Like, you know, we have been doing since the internet's inception. See what I did there?

  7. Anonymous Coward
    Anonymous Coward

    @good thing

    Don't expect NaCl apps to be able to use Qt or other libraries that contain system calls. The security of this system depends on the "sandbodx" concept and libraries like Qt do (not yet) fit properly into this. With some major effort, this would certainly be doable, though.

  8. DZ-Jay


    >> "Imagine you want to create a video editing application for the web," Bridge says. "When it comes time to write the code to modify the video data, what's the right approach? You could implement the video editing on the server but this approach would waste bandwidth and feel slow. On the other hand, you could try to implement video editing code that would run on the client in JavaScript but this would be difficult to implement and would also be slow."

    Or, you could realize that it is a stupid thing to do, and proceed to build a real, native video editing application for a real, local (read: offline) platform.


  9. Anonymous Coward
    Thumb Down


    I think it is very unfair to compare NaCl to ActiveX. The latter only had code signing as a security mechanism. Also, afaik, world&dog could run *other people's* ActiveX applets for their nefarious purposes.

    NaCl uses a very simple approach to security: 1.) No system calls allowed (good code must go through Google-created wrapper code) 2.) All jump targets are aligned to 32-byte boundaries. 2.2) Jumps can only target 32-byte boundaries 3.) Some other dangerous instructions are prohibited.

    These properties make NaCl verifiers very simple. Consequentially, it will be feasible to create correct implementations. The technical concept is very simple and very solid.

    Having said that, it would definitely not hurt to use additional mechanisms like AppArmor/SE Linux or BSD Jails to add a second layer of defense. It seems there is nothing equivalent on Windows as of today. IE8 has something like it, but MS has not made it publicly accessible for other programs, including other browsers.

    1. Stu


      I take your points, but I dont know of a single internet service (or any system) that is bullet proofed, let alone one thats bulletproofed from day one, and saying its simple so it must be easier to secure is indeed quite a feasible concept, but ultimately untrue.

      Just take pretty much every major web service, the simple fact that they are popular is enough for hackers to invest a lot of time into breaking into them just because cracking 1000 email addresses might bag them one credit card number, or full person profile for info theft - no system is perfect, even GMail accounts have been broken into.

      Take for instance a pretty resistant (to hacking) system like the PS3, it has been compromised despite the copious Cell chip code signing and all the other protective measures taken. Google have a way better track record than Sony, MS, Apple etc, but its not spotless.


      I'd give it six months tops, from Chromium OS proper release to a black market posting online somewhere on how to create spam-zombie-bots using Chromium OS systems.

    2. sT0rNG b4R3 duRiD


      I am somewhat uneasy about this.

      So the downlaoded code runs within the browser...

      I wonder how difficult it would be for some malicious code to subvert the actually browser.

      One suggestion to mitigate against this obviously is to only run over the wire java, flash etc in a machine, virtualised or otherwise you can afford to let get compromised. And assume that this is always the case, that it is compromised. This is the approach I favour. I use said machine to game, run all the dodgy stuff etc.

      I am guessing I will never ever install chrome on any machine I would imagine I would even actually begin to depend on.

  10. YumDogfood

    I might allow LLVM...

    But executing some x86 blob compiled for fecking C? At least with JS the hackers are looking for holes to exploit, not a shotgun already pointing at your head - was your nads, but we had a bit of stack overflow/array barf into some data area that just happened to hold some data suspiciously looking like a syscall instruction...

  11. Atonnis

    I'm confused...

    With the ample evidence of exactly how companies treat their customers, if the internet is available to them, coming out of the games industry why would people want to use any internet-based services for applications that cost? (And yes, I include Google's services and applications, they cost quite a bit even if it isn't in direct cash).

    Look at Ubisoft and EA Games. How long until you can't use an application without your card being automatically charged, or you being denied access to an application because you aren't connected to the internet for them to monitor what you're doing. Worse, what happens when the companies screw up and you've made payments but never received the service in return? Consumer legal recourse to claim anything back is not only difficult (almost impossible when the company's team of lawyers join in) but pretty much a non-happener when the company is international and you can't chase down anyone in your country bound by the country's laws.

    I like to buy software and use it on my computer. I like to unplug the network and keep playing my game, typing my documents, listening to my music, watching my video, etc.

  12. Martin Ryan


    "Native Client - NaCl for short"

    or Salt as they call it round here.

  13. Anonymous Coward


    I guess that hacking a JavaScript engine is acutally easier than hacking the NaCl verifier, simply because it is much more complicated to scan, parse and verify JavaScript and all those optimizers that are required to make it speedy.

    If you have time, look at the youtube videos on NaCl. The whole concept is very simple and elegant.

    Having said that, certainly it will have some security issues, like any new software.

  14. Anonymous Coward

    Caching ??

    "Or, you could realize that it is a stupid thing to do, and proceed to build a real, native video editing application for a real, local (read: offline) platform."

    HTML5 will have local storage (ala Google Gears) and a proper NaCl implementation will of course cache downloaded and verified executables for quick startup. Also, your application components could be loaded in a modular, incremental fashion whenever you need another feature or piece of data.

    Soon you will have 100Mbit Internet in your home. That will change a lot about our perception of "online" and "offline".

    Also, NaCl could be used in intranet scenarios to distribute code for a company. Instead of installing that CATIA for an hour, you would just point your browser to and start modifying the airliner you work on. All updates and admin stuff done by your corporate IT folks.

    1. Rafael 1

      "Soon you will have 100Mbit Internet in your home."

      I've heard that one before -- circa 2000, if I am not wrong.

  15. Anonymous Coward
    Gates Halo

    Native and offline

    I don't think Google's dream of cloud only computing will come to pass. There will always be people that want to use offline applications on a cloud independent operating system. (Hopefully that will always be a version of Windows.)

    If nothing else, then the black markets, underground activities and good old media piracy will ensure there is always a demand for offline computing option for the masses. If everything legitimate moves to the cloud, then expect a shadow cloud to be formed for those of us that want the internet to work the way it does currently.

  16. pslam

    Non-Portable Native Client

    So if there's a 'Portable' Native Client, doesn't that make the normal one the 'Non-Portable' Native Client? I cannot understand how they think distributing binaries compiled for a select few machine architectures is suitable as a web standard. Even the ARM port they're doing will only work on a few select ARM architectures - it won't even work on Cortex 'M' chips.

    And yes, the LLVM version is basically Java, only a bit 'lite'. History repeating.

  17. Anonymous Coward

    ActiveX or Flash?

    Sounds like googlesoft / microogle nonsense to me.

    Looking at the evolution of the company, and the more and more ludicrous stuff that it's getting itself involved with, i'd say that sooner or later we'll see a new upstart company coming along to take the throne. Looking forward to it.

    When are google going to start games manufacturing?

  18. Anonymous Coward

    I remember times when...

    ....ability to run machine code from a website was called a bug. Now they tell me it's a feature?

  19. Nathan 6

    Hmmm, what the point

    Why doesn't Google just push the whole idea of the network computer (Great Idea BTW) cause this is where this is heading. Still not clear why they just simple didn't shift the focus to enhance Java Applet type model.

  20. Anonymous Coward
    Thumb Down


    "Still not clear why they just simple didn't shift the focus to enhance Java Applet type model"

    Maybe that is because there are systematic reasons for the low performance of Java and .Net ? Garbage Collection, only pointer/primitive arrays, no objects on the stack, no destructors and so on ?

  21. Anonymous Coward

    @Rafael 1

    In a lot of places in Germany you can already get 100Mbit/s over the TV cable:

    According to a friend of mine, one actually gets those 100Mbit/s.

This topic is closed for new posts.

Other stories you might like