611 Defects, 71 Vulnerabilities Found In Firefox

Danny Begonia writes, "Some folks at Klocwork examined the large and complicated code base of the popular open source browser, Firefox. Overall, Firefox is a well written and high quality piece of software. Several builds were performed on the code, culminating in the final analysis of version 1.5.0.6. The analysis resulted in 611 defects and 71 potential security vulnerabilities. The Firefox team has been given the analysis results, and they will determine if or how they will deal with the issues." What are your thoughts — do Firefox and the open source community welcome this kind of analysis?

Memory leaks

It seems mainly the problems were to do with memory leaks. Which having seen firefox eat 700mb of ram doesnt surprise me....As long as these probs get fixed i cant complain...Doning this kinda of analysis is much easier with the source code i imagine.

I value it

[jimstapleton]

as a user, I value this kind of criticism - it's better out in the open where the devs are pressured to do something about it, than behind close doors where those of malicious intent can go about their nefarious business unhindered.

One would certainly hope so...

[tcopeland]

...I recently wrote an article for Better Software (details here) showing the duplicated code and some other static analysis-type problems that PMD turned up in two fairly popular open source Java apps - Azureus and Columba. Both these programs are excellent open source apps, but both also had a number of places that could be improved.

This is kind of a Slashdot permathread, but anyhow, static code analysis is not a replacement for smart people also looking at the code. Rather, it augments folks' efforts and provides a safety net to catch little problems that can slip through. A duplicated code detector is especially useful because it can scan a massive codebase and help pick out chunks of code that can be refactored away. This reduces the lines of code, eliminates the possibility of duplicate bugs, and is great fun.

Re:Obvious.

[legoburner]

Especially now that firefox is so popular. Firefox makes up 10% of users on the general Internet (as counter by thecounter.com), with IE at 85%. My own tech related site has 76.4% of users using firefox, with just 10.1% on IE, and my other more casual site has 23.1% firefox and 64% IE (the rest being safari, opera, konq, etc.)

Re:Speaking of which... (Was Re:Obvious.)

[rucs_hack]

slightly OT I know, but relevent:

Back when I was a nurse, in the days before programming sucked me in, I was a manager in a private elderly care home for people with dimentia.

We kept excruciatingly detailed records of every scratch, cut and injury, serious or otherwise, that happened to our clients. So much so that on paper our accident record look awful compared to other homes, who tended not to be so open. We actually had fewer such incidents then other homes in our region, but we documented *everything*.

However, come official inspection day, the health authority inspectors were always very pleased with our records, and always passed us with a very high grade.

The reason? Instead of hunting around for hidden evidence that had been concealed, they just had to consult our records.
We were open about problems, and always sought solutions. We were also, because of our policy on recording everything, able more easily to identify problems with patients who were more likely to get cut, and work to alter their environment or diet to try and help.

The result was that we ended up being the top specialist care home in our region.

When I moved into computer science, the only software model that I would work with was open source. Again there is nothing gained from hiding problems with code, and it's much easier to identify issues. I discovered remarkable similarities with my old nursing practices and the Open Source method.

I realise the comparison may seem odd, but my point is that being open about problems is a far better way to reach solutions, whatever field it is applied to.

The Firefox team needs the help.

[Futurepower(R)]

Firefox is the most unstable program in common use. Some of the most serious bugs, like the CPU hogging bug, are more than 4 years old. So it's great that the Firefox team is getting some help. They need it.

(Note that the main bug report linked is always marked invalid. That's not because anything has been done about the instability of Firefox; it's because people on the Firefox team don't want to, or don't know how to, fix the very, very serious bugs. Note also the links to magazine articles about Firefox instability, and the many links to user reports of problems.)

I'm posting this comment from Firefox version 1.5.0.6. It is using 22 percent of the CPU, even though all pages have been loaded, and there is no active content. That's 22% on the way to 70% or more, which will soon make it necessary to close all windows and tabs of Firefox and reboot Windows XP. (Firefox corrupts Windows XP SP2 with all patches applied, so that it is necessary to restart the OS. In Linux, it is necessary only to kill Firefox to get full control again.)

The CPU hogging bug in Firefox runs the fan in a laptop computer continuously, meaning that expensive hardware maintenance will be required more often for heavy Firefox users.

Firefox has extensions, but they often make Firefox unstable. The Firefox team thinks that it is entirely acceptable to market Firefox extensions, but when the extensions cause Firefox to be unstable, to excuse the instability by saying that it is caused by an extension.

The 1.5.0.4 version of Firefox was quite stable, if the Flashblock extension was installed. The 1.5.0.6 version is unstable again.

The problem appears to be that Firefox does not allocate enough resources. If you open several Firefox windows and several tabs in each window, and leave them open for several days, or suspend or hibernate your computer a few times, you will find that Firefox has started to hog the CPU.

It is interesting to note that, when the latest version of Firefox is used with the latest version of Thunderbird, they both have trouble with the CPU hogging bug. The each corrupt the other. Weird, and seemingly a good clue to the flaw that causes CPU hogging.

Apparently everyone on the Firefox team wants to add features or work on easy bugs. Apparently also, browser programmers are not necessarily heavy browser users. People who often do research on the internet, and open several Firefox windows and many tabs, and leave them open for several days, are certain or almost certain to cause Firefox to become unstable, however.

Mozilla Foundation Top 14 Excuses for Not Fixing Bugs

Top 14 things Firefox and Mozilla developers say about those who report difficult bugs, collected during the last 4 years:

1. Maybe this bug is fixed in the nightly build.
2. Yes, this bug exists, but other things are more important.
3. No one has posted a TalkBack report. [If they had read the bug report, they would know that there is never a TalkBack report, because the bug crashes TalkBack, too, or a TalkBack report is not generated.]
4. If you would just give us more information, we would fix this bug.
5. This bug report is a composite of other bugs, so this bug report is invalid. [The other bugs aren't specified.]
6. You are using Firefox in a way that would crash any software. [But the same use does not crash any version of Opera.]
7. I don't like the way you worded your bug report. [So, I didn't read it or think about it.]
8. You should run a debugger and find what causes this problem yourself. [Then when you have done most of the work, tell us what causes the problem, and we may fix it.]
9. Many bugs that are filed aren't important to 99.99% of the users.
10. If you are saying bad things about Mozilla and Firefox, you must be trolling. [They say this even though Firefox and Mozilla instabili