Author Topic: 611 Defects, 71 Vulnerabilities Found In Firefox  (Read 3199 times)

0 Members and 1 Guest are viewing this topic.

Offline rabbit

  • x86
  • Hero Member
  • *****
  • Posts: 8092
  • I speak for the entire clan (except Joe)
    • View Profile
611 Defects, 71 Vulnerabilities Found In Firefox
« on: September 10, 2006, 01:54:44 pm »
http://www.g2zero.com/2006/09/examining_defects_in_the_firef.html

OUCH!  That really sucks.  Still not as bad as IE6, but still, I expected a little more :\

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: 611 Defects, 71 Vulnerabilities Found In Firefox
« Reply #1 on: September 10, 2006, 03:25:52 pm »
Quote
Disclaimer: I'm a former developer on the mozilla project and helped architect some parts of the mozilla codebase.

This is really bogus - many people have run code correctness tools on the mozilla/firefox codebase over the last few years and some good has indeed come out of it. There are always a few dangling pointers or missing null checks that could be added here and there. But to claim that there are 611 known, specific, real defects is just wrong.

With most of these tools the signal:noise ratio is very high. For example, most of these "dereferencing null" cases are either handled automatically by C++ template wrappers that do smart pointer management. Many of these "potential" memory leaks are handled automatically by XPCOM's refcounting.

To paraphrase jwz, (who normally I finally tremendously annoying) - these tools are helpful only if your time has no value.

This is not to say there aren't 141 other legitimate memory management defects lurking, but it takes a deeper (human) understanding of the codebase, as well as testing of actual codepaths in use, to flush them out.

To spend smart developers' time going over long reports of machine-generated lint would be a waste.

Posted by: Alec Flett | September 7, 2006 12:18 PM

I'd never trust a machine to analyze my code over a human.
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline Warrior

  • supreme mac daddy of trolls
  • Hero Member
  • *****
  • Posts: 7503
  • One for a Dime two for a Quarter!
    • View Profile
Re: 611 Defects, 71 Vulnerabilities Found In Firefox
« Reply #2 on: September 10, 2006, 03:38:27 pm »
Quote
Disclaimer: I'm a former developer on the mozilla project and helped architect some parts of the mozilla codebase.

This is really bogus - many people have run code correctness tools on the mozilla/firefox codebase over the last few years and some good has indeed come out of it. There are always a few dangling pointers or missing null checks that could be added here and there. But to claim that there are 611 known, specific, real defects is just wrong.

With most of these tools the signal:noise ratio is very high. For example, most of these "dereferencing null" cases are either handled automatically by C++ template wrappers that do smart pointer management. Many of these "potential" memory leaks are handled automatically by XPCOM's refcounting.

To paraphrase jwz, (who normally I finally tremendously annoying) - these tools are helpful only if your time has no value.

This is not to say there aren't 141 other legitimate memory management defects lurking, but it takes a deeper (human) understanding of the codebase, as well as testing of actual codepaths in use, to flush them out.

To spend smart developers' time going over long reports of machine-generated lint would be a waste.

Posted by: Alec Flett | September 7, 2006 12:18 PM

I'd never trust a machine to analyze my code over a human.

I said this back when there was a Windows vs Linux discussion, Machines cannot verify code reliably and I'd trust a human before I'd trust one of them. Mozilla needs to do some code auditing (Like ReactOS) but do it for bug checking. Then merge the audited code with the Firefox 2.0 codebase.
One must ask oneself: "do I will trolling to become a universal law?" And then when one realizes "yes, I do will it to be such," one feels completely justified.
-- from Groundwork for the Metaphysics of Trolling