Slashdot Mirror


Firefox 3.6.4 Released With Out-of-Process Plugins

DragonHawk writes "Mozilla Firefox 3.6.4 went to general release today. The big new feature in this release is out-of-process plugins (OOPP). This means things like Flash, Java, QuickTime, etc., all run in separate processes, so when Flash decides to crash, it won't take your browser out with it. If Flash starts consuming all the CPU it can find, you can kill it without nuking your browser session. I've been using this feature since it was in the 'nightly build' stage, and it was still more stable than 3.6.3, just because Flash was isolated." And reader Trailrunner7 supplies another compelling reason to download 3.6.4: "Security researcher Michal Zalewski has identified a problem with the way Firefox handles links that are opened in a new browser window or tab, enabling attackers to inject arbitrary code into the new window or tab while still keeping a deceptive URL in the browser's address bar. The vulnerability, which Mozilla has fixed in version 3.6.4, has the effect of tricking users into thinking that they're visiting a legitimate site while instead sending arbitrary attacker-controlled code to their browsers."

18 of 261 comments

  1. Re:Can already kill Flash in 3.6.3 by yuhong · · Score: 5, Informative

    That is because you are using nspluginwrapper to wrap the 32-bit Flash plugin.

  2. Opera! by uid8472 · · Score: 5, Informative

    Has no-one else yet commented to point out that Opera has run plugins in a separate process for years now? Then I guess I have to.

    Not to minimize the accomplishments of the Firefox developers, I mean, and getting this feature to the Firefox userbase is valuable in and of itself, and so on. But there is precedent.

    1. Re:Opera! by Ndymium · · Score: 2, Informative

      I would like to comment that it, in fact, doesn't. I've run Opera on OS X and Windows for a few years now and have seen no indication of that. In fact, I can see only one Opera process in Activity Monitor right now, with 15 threads - even if I open up a Youtube video. When Flash crashes, so does the whole browser (which used to happen all the time with the 10.5x betas). I've heard rumors on the My Opera forums that Opera on *nix might have this, but the OS X version certainly doesn't and I have no knowledge that the Windows version would either. Opera is a great browser, but this is something I've yet to see (and am eager to).

    2. Re:Opera! by Jugalator · · Score: 2, Informative

      Popularity != better. Since IE has the largest fan base, you're saying that IE is the browser that is "all that?"

      Neither Opera, nor Firefox or Chrome, are shipped with any Windows version.

      --
      Beware: In C++, your friends can see your privates!

  3. Correction: Bugfix will be in 3.6.6 by behindthewall · · Score: 4, Informative

    According to the discoverer and the issue, he mixed up two different fixes initially:

    http://lcamtuf.blogspot.com/2010/06/yeah-about-that-address-bar-thing.html

    https://bugzilla.mozilla.org/show_bug.cgi?id=556957#c46

  4. single process for all flash by thoughtsatthemoment · · Score: 5, Informative

    It looks like there is a single process plugin-container.exe to run all flash files. Killing this exe will stop playing all the flash files. This means while you are enjoying a show on hulu.com, a rogue flash ad could still spoil the fun.

  5. Firefox futures by DragonHawk · · Score: 4, Informative

    I'll take this opportunity to post some non-inflammatory info on planned Firefox development.

    Firefox 4.0, which may go into beta as early as next month, is supposed to do a lot in this direction. Overhauled JavaScript engine, overhauled HTML rendering, etc.

    http://wiki.mozilla.org/Firefox/4/Beta

    http://developer.mozilla.org/en/Firefox_4_for_developers

    I thought I had heard that 4.0 was supposed to deliver one-process-per-page functionality, but I'm having trouble finding recent status info. (One drawback to high-speed FOSS development is it's hard to keep track of things like that.) But anyway, the project is named "Electrolysis" ("E10S" in Firefox-developer-speak).

    http://wiki.mozilla.org/Electrolysis

    http://wiki.mozilla.org/Talk:Firefox/Roadmap

    --

    dragonhawk@iname.microsoft.com
    I do not like Microsoft. Remove them from my email address.

    1. Re:Firefox futures by Anonymous Coward · · Score: 3, Informative

      Don't forget the new HTML5 parser that is already working in the betas. Not only will this be the first fully HTML5 compliant parser, it will also be faster, run in a separate thread off the main thread, and make it possible to use SVG and MathML inline in HTML documents.

      http://hacks.mozilla.org/2010/05/firefox-4-the-html5-parser-inline-svg-speed-and-more/

  6. Re:So... by thoughtsatthemoment · · Score: 4, Informative

    No. If I kill firefox.exe in the Task Manager the plugin process disappears too.

  7. Nope, sorry by yuhong · · Score: 4, Informative

    "And reader Trailrunner7 supplies another compelling reason to download 3.6.4: 'Security researcher Michal Zalewski has identified a problem with the way Firefox handles links that are opened in a new browser window or tab, enabling attackers to inject arbitrary code into the new window or tab while still keeping a deceptive URL in the browser's address bar. The vulnerability, which Mozilla has fixed in version 3.6.4, has the effect of tricking users into thinking that they're visiting a legitimate site while instead sending arbitrary attacker-controlled code to their browsers.'"

    Nope, sorry: https://bugzilla.mozilla.org/show_bug.cgi?id=556957#c46

  8. Re:Single process for each plugin by BZ · · Score: 4, Informative

    You're exactly right. Flash assumes that all running instances of it share a single address space and uses various internal communication channels to have the instances talk to each other. The Chrome folks actually tried a process per plugin instance, and it broke too much stuff out there.

  9. Firefox does NOT do process-per-page by DragonHawk · · Score: 2, Informative

    "In my experience, the process-per-page (be they tab, window, or whatever) yields much better performance."

    "While reading Slashdot, it doesn't make one bit of difference. While one story tab loads, the rest of Firefox FREEZES while slashdot struggles to get rendered. I can't even scroll up or down."

    That's because Firefox uses a single thread for just about everything. If a page is slow to render because of complex HTML/CSS, or has bad JavaScript which eats up CPU time, that drags everything to a stand-still.

    Browsers that use a separate process/thread per page, on the other hand, will keep everything else running. That one page will be slow/non-responsive, but everything else keeps humming along nicely (as long as the hardware can keep up). Google Chrome works this way. Firefox does not (yet).

    (Firefox does spawn multiple threads, but the bulk of the work appears to be done in one thread. I presume the others are support/helper threads.)

    --

    dragonhawk@iname.microsoft.com
    I do not like Microsoft. Remove them from my email address.

  10. Re:No 64-bit version on the Mozilla website by BZ · · Score: 4, Informative

    This is at least in part because on the 3.6 branch the 64-bit version is not at feature parity with the 32-bit one (for example, it doesn't have the JS JIT, so it has much worse JS execution performance). So linking to it on equal terms really doesn't make sense.

    For 4.0, 64-bit Linux builds are much higher quality (for example they actually have the automated correctness tests run on them). So there's a decent chance those builds might become tier-1 by the time 4.0 ships.

  11. Re:UI Lag by shadowbearer · · Score: 2, Informative

    So in other words, the thing runs perfectly if you disable the default options and install add-ons to make it work right and then disable plugins.

    I'm running the release with over sixty tabs open, adblock, noscript, flashblock, + other addons, an HD youtube video for entertainment on the second monitor, several adobe plugin pdfs open, plus some active weather flash running (it was storming here earlier, watching the radar) and Firefox is only using about six hundred MB or so. My three year old desktop X2/32bitW7/4GB is still snappy, I hardly notice the difference.

    I don't even remember the last time Firefox crashed on this system (W7). Sometime in February I think, I'd have to look at my logs. Firefox has been incredibly stable for me for at least a couple years, and that experience has been echoed on the systems I build for customers as well. I suspect at least some of it may be due to the other memory resident programs on the computer, particularly antivirus programs, although I can't name any offhand, not enough data yet.

    SB

    --
    It's old. The more humans I meet, the more I like my cats. At least they are honest.

  12. Re:Privilege separation, anyone? by FraGGod · · Score: 2, Informative

    Well, I can think of a "nobody" user with home in, say, /tmp/nobody, and flash is running with its uid and cgroup'ed, so:
    • flash can read any libs or binaries (for these raw graphic ops, I presume) from fs as needed.
    • flash can't access sensitive data in /home/myuser.
    • flash can't write to /home/myuser/.mozilla/firefox/**/some_binary_file (that might get injected into process, run as "myuser").
    • it can write to its own "home" and access network as it pleases, although it will die along with a browser tab (cgroup gets killed, and flash can't escape it via forks).

    I don't know much about what files flash accesses on local fs, but it certainly doesn't need write access anywhere but $HOME on unixes (works fine w/o it as it is), and I doubt it ever accesses ~/.mozilla (or ~/.opera, ~/.chrome, whatever) directly - these are subject to a constant change and shouldn't be necessary for the plugin which has direct interface to a working browser (whatever one it is). What am I missing here?

  13. Re:Privilege separation, anyone? by BZ · · Score: 2, Informative

    What flash needs for a lot of what it does is raw device access. In Linux terms, access to stuff in /dev (video, camera, audio, etc).

    It's clearly possible to setuid Flash to a low-privileges user if you want it to not write to disk in general and don't mind breaking part of the functionality. The question is whether you're willing to break it. Browsers may not be in a position to do that (though you individually may be if you don't use certain Flash features yourself).
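
Added example (not part of the comments above, and not Mozilla or Adobe code): a small audit of what a separate plugin uid could reach under plain Unix owner/group/other permissions, which is what the bullet list in comment 12 relies on. The function names and uid/gid 65534 are assumptions; ACLs, capabilities and LSMs are ignored. For device nodes restricted to a group (the /dev access comment 13 mentions), pass that group in `gids`.

```python
import os

R, W, X = 4, 2, 1  # bits of one rwx triplet

def dac_allows(mode, owner, group, uid, gids, want):
    """Classic owner/group/other check. Ignores ACLs, capabilities and LSMs."""
    if uid == 0:
        return True  # simplification: root bypasses these checks
    if uid == owner:
        bits = (mode >> 6) & 7
    elif group in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & want == want

def can_access(path, uid, gids, want, base="/"):
    """Can uid/gids walk from `base` down to `path` and get `want` on it?
    `path` must lie under `base`; directories above `base` are not checked."""
    base, path = os.path.realpath(base), os.path.realpath(path)
    rel = os.path.relpath(path, base)
    cur = base
    for part in ([] if rel == "." else rel.split(os.sep)):
        st = os.stat(cur)  # every directory on the way needs search (x)
        if not dac_allows(st.st_mode, st.st_uid, st.st_gid, uid, gids, X):
            return False
        cur = os.path.join(cur, part)
    st = os.stat(cur)
    return dac_allows(st.st_mode, st.st_uid, st.st_gid, uid, gids, want)

def policy_violations(uid, gids, policy, base="/"):
    """policy maps path -> (wanted bits, should it be allowed?).
    Returns the paths whose real permissions contradict the intent."""
    return sorted(p for p, (want, ok) in policy.items()
                  if can_access(p, uid, gids, want, base) != ok)

if __name__ == "__main__":
    # Hypothetical sandbox account; paths follow the comment's bullet list.
    uid, gids = 65534, {65534}
    policy = {
        "/usr/lib": (R | X, True),
        os.path.expanduser("~"): (R | X, False),
        os.path.expanduser("~/.mozilla"): (W, False),
        "/tmp": (W | X, True),
    }
    existing = {p: v for p, v in policy.items() if os.path.exists(p)}
    print(policy_violations(uid, gids, existing) or "DAC matches the intent")
```

A world-writable profile directory only stays protected while every directory above it denies search permission to the plugin uid, so the walk over parent directories matters as much as the mode of the target itself.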

  14. Re:First by cgomezr · · Score: 5, Informative

    I'm afraid Firefox hasn't been the feature leader at all. Tabbed browsing? Opera had it before. Mouse gestures? Opera had it before. Quick dial? Opera had it before. Customisable search bars? Opera had them before. Ad blocking? Opera had it before (although, admittedly, worse than Firefox's). Stored sessions? Opera had them before (and it does restore from crashes without any problem in my case). I could keep enumerating, I'd say 90% of the browser features that Firefox implements are copied from Opera.

    OK, I think Firefox had private browsing before Opera, making it the browser of choice for pr0n (i.e. 99% of the internet usage); but now Opera has caught up on that and offers private and non-private tabs mixed in the same window :)

    BTW, on my machine Opera behaves much better than Firefox with 20+ tabs open (I have 57 right now), it's still snappy and Firefox would be crawling and taking up loads of RAM. But of course YMMV.

  15. As a Linux user by Anonymous Coward · · Score: 2, Informative

    As a Linux user I can sum up my choice of browser in the following way:

    Opera: Excellent browser. Has the best set of features of any browser out-of-the-box, almost no rendering issues and it's fast. Unfortunately it can't be patched, updated and packaged as easily as other free software browsers. Its closed nature also makes it non-portable, limiting me to whatever platforms Opera Software decides to support. It was my browser of choice for a long time but when I started to migrate to pure64 Linux Opera's releases didn't keep up. Ruled out.

    Chromium: Also excellent. Unfortunately Google's development model for the browser makes it painful to package and distribute. The bootstrap tarball is a whopping 700MB in size, and after the tarball has been downloaded you have to update it with svn. AFAIK there are no regular release tarballs and shipping a 700MB non-current tarball in the source tree with a strange build system and code that has to be updated before building is out of the question. It would be my browser of choice on Linux if it didn't complicate things so much. I think most Linux distributors agree with a number of these points, which is why we don't see more of them package Chrome(ium). Distributions like Slackware would never, ever carry source code that big (at best you get the pre-built binaries from Google.. again, this affects portability and from what I know it's heavily optimized for x86, probably won't even work on PPC/ARM). Ruled out.

    Konqueror: Great browser for the most part, but uncomfortable to use. Has rendering issues (and "flickering" when it draws and loads webpages, forms are sometimes broken etc.) which makes it annoying, plugins don't always work (like flash). And the way bookmarks are implemented isn't as polished as one would hope. KHTML is a good engine but not as good as WebKit, and QT's internal WebKit engine apparently needs work (based on my experience with Rekonq which needs a LOT of polish). Ruled out.

    Epiphany: Haven't used the new WebKit-based version because I don't use Gnome (and it's heavily tied to it). Probably what I would recommend and use myself if I didn't prefer KDE as my desktop. Ruled out.

    Firefox: The browser I prefer. It isn't the fastest browser but it's fast enough. It's easy to build and the functionality it lacks can be added with extensions. I use it because it's well supported and just works. Fact is, while there are plenty of browsers that can compete with Firefox in terms of features and polish (even exceed it) those aren't the reasons I actually USE firefox. It might be based on Gtk but isn't tied into Gnome so it's well suited for using on desktops other than Gnome (like Xfce and KDE).

    I don't fit the profile of your average Linux user so my reasons for choosing a particular browser are different from the norm, but the fact is that Firefox is good enough and it fits the free software development and distribution platform very well making it easy to support.