Hacker News new | past | comments | ask | show | jobs | submit login

There is at least already a WebGPU implementation in Rust (the one that Firefox uses). So they could use that if they wanted to. I guess it's probably better for the overall health of the ecosystem if there are multiple implementations though.



Yup, wgpu is already a thing. While it's ironically widely used on desktop, it's less mature in the browser context. Like, there is an open-world 3D MMORPG using wgpu for its graphics, meanwhile it's not yet enabled on stable Firefox.

I'm not sure whether many different implementations is inherently good, though.


You can say the same thing about something as simple as "shared memory" -- normal multiprocessing computers have had shared memory since time immemorial, but browsers literally disabled SharedArrayBuffer from 2018 to 2020 and anyone using them to communicate with Web Workers had to find another way. Browsers run a 24/7 onslaught of extremely untrustworthy code, whereas games only run themselves.

Firefox has not enabled WebGPU via wgpu for the same reasons Chrome Security has done an in-depth review of Dawn. It is a component that must be hardened. For anyone out there trying it out by enabling config flags, remember to disable it once you are done. It will be ready in time.


> whereas games only run themselves.

Until you run multiplayer and are suddenly dealing with hostile players, servers and possible mods.


I would love to hear about an implementation of multiplayer that receives code from hostile opponents and executes it, but I do not anticipate you'll find many examples.


Ever heard of a game called "Call of Duty"?

> SV_SteamAuthClient in various Activision Infinity Ward Call of Duty games before 2015-08-11 is missing a size check when reading authBlob data into a buffer, which allows one to execute code on the remote target machine when sending a steam authentication request. This affects Call of Duty: Modern Warfare 2, Call of Duty: Modern Warfare 3, Call of Duty: Ghosts, Call of Duty: Advanced Warfare, Call of Duty: Black Ops 1, and Call of Duty: Black Ops 2.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2081...


In case this needs to be pointed out, an RCE in a game is an accident, not the way they designed their multiplayer to work. I was describing why the Firefox team might wait for a feature to be security-hardened before releasing it. The answer remains the same -- they design and market the thing to be secure even when it executes untrusted code. Activision does not advertise their games as able to "securely execute RCE gadgets from maliciously crafted steam authentication packets". This part may be surprising: the Chrome and Firefox teams do, in fact, try to ensure that when someone gains RCE, that they execute it securely and it can't get very far.

I am not attempting to claim that games do not have security issues or cannot experience remote code execution, just that this is not a normal pattern of behaviour that they plan for, so it is normal that a game author would deploy wgpu long before Firefox does (while Firefox spends a lot of effort on fuzzing, etc). If anything a terrible CVE that Activision has expended apparently zero resources fixing is a very good example of what I'm talking about.


Understood. I should not have been snarky; I'm sorry. I think the CoD CVE is worth noting in this thread though.


No need to apologise! You got me pretty good.


With the amount of visible bugs that every game is released with nowadays, there are easily as many security bugs.

Depending on the game, it downloads maps, skins, etc. from the server... File parsing code is highly suspectible to security bugs.


What MMO?


https://veloren.net/ I'm a bit impartial since I'm a former contributor, but I think it's super cool.

Aside from that, the Bevy game engine also uses wgpu on non-web, but afaik no game of particular significance or player base has shipped with it yet. I think the biggest user of it is actually a software tool for mining (the hardhat kind), but it's a "call us for a quote" kind of thing so hard to tell how big it is.


Veloren is an MMO? Thought it was just a multiplayer game


wgpu I think might be finally an OpenGL killer. It's more platform independent than any graphics API ever dreamt of being.


Middleware has existed since mid-1990's.


That's true, but how many middleware were also available by default in the browser?


Plenty, using browser plugins back in the day, targeting ActiveX, Flash, PNaCL.

Additionally wgpu and WebGPU aren't the same thing, as wgpu exposes native features as well.


That's kind of irrelevant to the adoption potential of WebGPU.

Those examples you gave are not comparable at all, ativex and flash are way, way higher level, don't operate at all like graphics API middleware. PNaCL was a WASM alternative design, which thankfully lost as WASM is much more flexible.

My point is that WebGPU is way better positioned than any middleware, it has industry backing and official support from all relevant platforms (or plans for it). It's also benefitted a huge amount from hindsight.


I think he means Veloren.


Just wanted to point out that wgpu has both webgpu and webgl2 backends. So, currently, most projects use the webgl2 backend via wgpu for any rust app running in firefox right now.




Consider applying for YC's W25 batch! Applications are open till Nov 12.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: