655 FF bugs and 71 security leaks 

polonus · 2006-09-08T21:20:06.000Z

Hi dk70,

Fully agree with you that there can be unknown compatibility problems with some extensions (MacAfee SiteAdvisor was an example recently with all the jar50.dll crashes), and how these add-ons and plug-ins work out on each other. There are also code discrepancies as well, and secure code issues (race conditions).
But I cannot understand the users of the closed software browsers, when they rather like to feel secure not knowing what insecurities they have not heard of (security through obscurity).
With FF or Flock security one is to know more or less where you/we stand. With IE7 you take a blank check on the future.

And when you know where the main vectors are to infect your computer (mainly script and Flash). When you can pre-scan links, or you have some indication of the insecurity of a possible search query hyperlink (GeoTrust, SiteAdvisor), and avast Webshield running inside, the rest of your vulnerability window that is left open is made up by the online risks you run (surfing habits/attitude).
The major problems left are made up by instability issues.
Too much of firefox -p or flock -P?
No I think honesty is the best policy, and will render best results.

polonus

szc · 2006-09-08T21:53:23.000Z

Spending so much time thinking about security deals with paranoia my friend. If users spend all their free time on the internet searching on how to lock their computers and securing themselves from who knows who (maybe Cylons), not much time will left for them to at least try to be creative and do something creative using their computers. Why not simply unplug the internet cable and problem solved ?

Now about the Flash… just because it uses ActiveX (sometimes, not always especially not if developer doesn’t want to use it), what damage can my web site possibly give to you or your computer ? Here is one of those I made: www.peepers.ca

polonus · 2006-09-08T22:06:09.000Z

Hej Sasha,

Everybody is got to do what he likes to do. You wanna be creative on the Net, others like dk70 and little old me like to delve into security issues, because it is interesting to look for solutions. You want to know why things work or not, and why? You do not have this inclination. If I can see something interesting in a nice patch.
Now in this thread dk70 mentioned mem leaks, then polonus finds that memory leaks in FF can add up to a nice total of 500 MB daily. And we have something to discuss.
That is all the Flash Sasha needs to make some nice Avatars. How many Avatars would that be, Sasha?
I know security has it limits, and that the best firewall runs through the open fireplace, and the best security tool is a pair of pliers. But then everybody is entitled to his or her hobbies, right?

pozdravi,

the old pol

szc · 2006-09-08T22:22:30.000Z

Except I could never use Flash to make avatars, simply because this forum doesn’t support Flash even though we have INSERT FLASH tag when posting in this forum. Avatars are not my priority nor hobbi, I just do that on people’s request to make them happy if possible. I use simple graphic editing tools to create avatars, everyone could do it in no minutes if I show him how… if they would look exactly the same as mine, or better or worse, that depends on individuals.

My work span spreads far more than just simple avatars. When I am really, really, really tired of the primary work I do, then I close my eyes and do some avatars to release the pressure.

system · 2006-09-08T22:27:41.000Z

hey szc and the old polonus…do you know if they are ANY themes available for flock and the google toolbar extension seems very unstable…had to uninstall it-do you know of this problem?

http://extensions.flock.com/themes/

polonus · 2006-09-08T22:40:50.000Z

Look at the other one I posted in the general about add-ons.

I made a bookmarklet with the crunchator, and copied the leak of the wrong hanging pointer from Leak Monitor here:

Leaks in window 0x33b5c08:
[+] [leaked object] (1a13348) = [object Object]
[-] wrappedJSObject (1a13348) = [object Object]
type = insert
action = newbookmark
[+] item (1a13368) = [xpconnect wrapped nsIRDFResource]
[+] 0 (198c230) = [xpconnect wrapped nsIRDFResource]
Value = rdf:#$C4hvU
[-] QueryInterface (198c340) = function QueryInterface() {
[native code]
}
[-] EqualsNode (198c348) = function EqualsNode() {
[native code]
}
ValueUTF8 = rdf:#$C4hvU
[-] Init (198c398) = function Init() {
[native code]
}
[-] EqualsString (198c3b0) = function EqualsString() {
[native code]
}
[-] GetDelegate (198c3d8) = function GetDelegate() {
[native code]
}
[-] ReleaseDelegate (198c438) = function ReleaseDelegate() {
[native code]
}
[+] parent (1a13370) = [xpconnect wrapped nsIRDFResource]
[+] 0 (1a212e0) = [xpconnect wrapped nsIRDFResource]
Value = NC:BookmarksRoot
[-] QueryInterface (198c1a8) = function QueryInterface() {
[native code]
}
[-] EqualsNode (198c1b0) = function EqualsNode() {
[native code]
}
ValueUTF8 = NC:BookmarksRoot
[-] Init (198c1c8) = function Init() {
[native code]
}
[-] EqualsString (198c1d0) = function EqualsString() {
[native code]
}
[-] GetDelegate (198c1d8) = function GetDelegate() {
[native code]
}
[-] ReleaseDelegate (198c200) = function ReleaseDelegate() {
[native code]
}
[+] index (1a13380) = 6
0 = 6
[+] removedProp (1a13398) =
0 = null
[+] Properties (1a20e58) = [xpconnect wrapped nsIRDFResource],[xpconnect wrapped nsIRDFResource],[xpconnect wrapped nsIRDFResource],[xpconnect wrapped nsIRDFResource],[xpconnect wrapped nsIRDFResource],[xpconnect wrapped nsIRDFResource]
[+] 0 (1a200b8) = [xpconnect wrapped nsIRDFResource]
[-] QueryInterface (1944d38) = function QueryInterface() {
[native code]
}
[-] EqualsNode (1944d48) = function EqualsNode() {
[native code]
}
Value = http://home.netscape.com/NC-rdf#Name
ValueUTF8 = http://home.netscape.com/NC-rdf#Name
[-] Init (1945010) = function Init() {
[native code]
}
[-] EqualsString (1945298) = function EqualsString() {
[native code]
}
[-] GetDelegate (1945398) = function GetDelegate() {
[native code]
}
[-] ReleaseDelegate (19453b0) = function ReleaseDelegate() {
[native code]
}
[+] 1 (1a200c8) = [xpconnect wrapped nsIRDFResource]
[-] QueryInterface (19457c0) = function QueryInterface() {
[native code]
}
[-] EqualsNode (18a2190) = function EqualsNode() {
[native code]
}
Value = http://home.netscape.com/NC-rdf#URL
ValueUTF8 = http://home.netscape.com/NC-rdf#URL
[-] Init (18a21b0) = function Init() {
[native code]
}
[-] EqualsString (18a21b8) = function EqualsString() {
[native code]
}
[-] GetDelegate (18a21c0) = function GetDelegate() {
[native code]
}
[-] ReleaseDelegate (18a21d0) = function ReleaseDelegate() {
[native code]
}
[+] 2 (1a200d8) = [xpconnect wrapped nsIRDFResource]
[-] QueryInterface (18a2290) = function QueryInterface() {
[native code]
}
[-] EqualsNode (18a22b0) = function EqualsNode() {
[native code]
}
Value = http://home.netscape.com/NC-rdf#ShortcutURL
ValueUTF8 = http://home.netscape.com/NC-rdf#ShortcutURL
[-] Init (18a22d8) = function Init() {
[native code]
}
[-] EqualsString (18a22e0) = function EqualsString() {
[native code]
}
[-] GetDelegate (18a2300) = function GetDelegate() {
[native code]
}
[-] ReleaseDelegate (18a2320) = function ReleaseDelegate() {
[native code]
}
[+] 3 (1a200e8) = [xpconnect wrapped nsIRDFResource]
[-] QueryInterface (18a23e0) = function QueryInterface() {
[native code]
}
[-] EqualsNode (18a23e8) = function EqualsNode() {
[native code]
}
Value = http://home.netscape.com/NC-rdf#Description
ValueUTF8 = http://home.netscape.com/NC-rdf#Description
[-] Init (18a2d38) = function Init() {
[native code]
}
[-] EqualsString (18a2dd0) = function EqualsString() {
[native code]
}
[-] GetDelegate (18a2dd8) = function GetDelegate() {
[native code]
}
[-] ReleaseDelegate (18a2de0) = function ReleaseDelegate() {
[native code]
}
[+] 4 (1a200f8) = [xpconnect wrapped nsIRDFResource]
[-] QueryInterface (18a30e0) = function QueryInterface() {
[native code]
}
[-] EqualsNode (18a3100) = function EqualsNode() {
[native code]
}
Value = http://home.netscape.com/NC-rdf#WebPanel
ValueUTF8 = http://home.netscape.com/NC-rdf#WebPanel
[-] Init (18a32b8) = function Init() {
[native code]
}
[-] EqualsString (18a33a0) = function EqualsString() {
[native code]
}
[-] GetDelegate (18a33b0) = function GetDelegate() {
[native code]
}
[-] ReleaseDelegate (18a3408) = function ReleaseDelegate() {
[native code]
}
[+] 5 (1a20108) = [xpconnect wrapped nsIRDFResource]
[-] QueryInterface (18a3c18) = function QueryInterface() {
[native code]
}
[-] EqualsNode (18a3c20) = function EqualsNode() {
[native code]
}
Value = http://home.netscape.com/NC-rdf#FeedURL
ValueUTF8 = http://home.netscape.com/NC-rdf#FeedURL
[-] Init (18a3cb0) = function Init() {
[native code]
}
[-] EqualsString (18a3cc0) = function EqualsString() {
[native code]
}
[-] GetDelegate (18a3cd0) = function GetDelegate() {
[native code]
}
[-] ReleaseDelegate (18a3d00) = function ReleaseDelegate() {
[native code]
}
[+] container (1a13360) = [xpconnect wrapped nsIRDFContainer]
[+] QueryInterface (d3ca58) = function QueryInterface() {
[native code]
}
prototype (1a134e0) = [object Object]
DataSource = null
Resource = null
[+] Init (17efff8) = function Init() {
[native code]
}
prototype (1a133d0) = [object Object]
[+] GetCount (1952f48) = function GetCount() {
[native code]
}
prototype (1a13340) = [object Object]
[+] GetElements (17c1310) = function GetElements() {
[native code]
}
prototype (1a132e8) = [object Object]
[+] AppendElement (17c1478) = function AppendElement() {
[native code]
}
prototype (1a132c8) = [object Object]
[+] RemoveElement (17c1ec0) = function RemoveElement() {
[native code]
}
prototype (1a13290) = [object Object]
[+] InsertElementAt (17c1ee8) = function InsertElementAt() {
[native code]
}
prototype (1a13260) = [object Object]
[+] RemoveElementAt (17c1f00) = function RemoveElementAt() {
[native code]
}
prototype (1a131e0) = [object Object]
[+] IndexOf (17c1f18) = function IndexOf() {
[native code]
}
prototype (1a131b8) = [object Object]

polonus

szc · 2006-09-08T22:43:57.000Z

Hey Polonus the Damian my friend ! ;D ;D

Have you found any security threat coming from the Flash page I posted link for in one of those previous links ? I am really interested what’s happening in the background even though I have no clue what could be happening when my intention was just to please my wonderful client from Vancouver and give her small but still beatiful web site.

Cheers !

EDIT: All I know is that I never ever enabled anything in Flash that would by any way try to breach my site visitor’s security.

system · 2006-09-08T22:46:07.000Z

Haha that was a good one ;D

system · 2006-09-08T23:05:50.000Z

Not sure what you made to tricker Leak Monitor but try again with 2.0 or even in 1.5.0.7 RC5 http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/1.5.0.7-candidates/rc5/

Anyway, what we dont know is the bookmarks of Polonus 8) Certain type of sites are more likely to increase demand for tighter security than others. My feeling is if you can manage so much security stuff you either do visit risky sites or you dont really have actual need for them. Awareness or human factor is good enough protection. Not so much awareness among those Myspace users who recently got in trouble with their not updated most likely “cheap” XPs - still SP1 but they knew. Some dont care and just reformat or fix themself up with Anti-Spyware programs. People are different.

Matter of definition of course, if you count tracking cookies as a form of spyware/evil that must go away start protecting. And trust! I trust Opera, Firefox and IE7 to have high security as a goal. Dont think they can even compete on this issue any more. There will be single events showing a hole from time to time but I think it will be closed before it becomes a general problem. Goes for all 3 of them - though we might only hear most about Firefox “thanks” to open source policy. No bug is too small for Bugzilla which is good. When Microsoft give away a tool like Windows Defender they are aware and when Microsoft are aware rest have been since long. Not like you need 3rd party tools to avoid getting attacked. Can increase security for sure.

If it helps I remember a problem some had with Google toolbar or rather the phishing database. If you chose active protection during installation, each url send to Google, then it can get weird. Or at least some probably now fixed version could. Can also eat some cpu cycles. If you chose passive protection, only local database used, you should avoid most problems. Google toolbar itself should be pretty stable. Could be a Flock only problem, dont know…

polonus · 2006-09-08T23:18:50.000Z

Hi dk70,

The bookmarklet of Polonus? Just a demo from the page on Memory Leaking in Wikipedia, patched the piece of demo code there in the Crunchator, and Leak Monitor leaked the results. Nothing to do with risky surfing. Just to demonstrate a point,

polonus

system · 2006-09-08T23:43:33.000Z

Yeah Leak Monitor works and author is a known figure and contributor to Firefox code/fixes. Think I read some Mozilla Chief Engineer something giving him much credit for 2.0 improvements (bug-hunting I assume). I can tell you many a website/javascript triggered it when I used 1.5.0.x Now on 2.0 it hardly ever happens. Some extensions still make it go crazy. I dont think Mozilla Add-on site should approve extensions which triggers monitor but they obviously do and some extension makers still dont test that much.

I somehow doubt every leak means 500mb used or no one would be able to use Gmail for long but it probably have some negative impact on “memory management”. In some cases may be even stability.

polonus · 2006-09-09T18:08:52.000Z

Hi dk70, the leaks are meant to be taken as cumulative leakage over a full 24 hours, not only mem leaks but also idle mem waste.

From your responses, it can be fairly concluded that you are a coder, and you know your way around browsers and appl. quite some bit.

Question to you, why you rank the coders of Flock amongst the crapola crowd? What are the problems with Flock in your opinion.

polonus

PS a tweak to free up some mem in FF:

Start Firefox (yeah, I know… duh.)
type “about:config” in the address bar and hit enter (don’t type the double-quotes)
type “config.trim_on_minimize” (again, not the double-quotes) into the Filter field. Odds are, you won’t have this preference but we should check first.
1. If you DO have the preference, make sure it is set to true
2. If you do NOT have the preference, add it
  1. Right click anywhere in the preference list and select New → Boolean
  2. Preference name should be “config.trim_on_minimize”
  3. Select true for the value
Close Firefox and then reopen it.

That should be all it takes. To verify you got it right, load up a few pages in a few tabs. Start up task manager or your platform’s monitoring tool of choice and see how much memory Firefox is using. Now, minimize Firefox…

D

system · 2006-09-09T19:23:50.000Z

No I have never coded anything except batchfiles.

Did I say anything bad about Flock I should have deleted it. However it share same code as 1.5.0.x and so also the same bugs making it very hard to use a tool like Leak Monitor for a longer periode. Must have been what I meant. Flock is clearly more than just extension pack. http://screencastsonline.com/sco/Shows/files/6bab7806ed46d123ba0175a8a90fcff3-82.html Not for everyone of course. I might use it if it was using 2.0 code - which it will eventually.

If minimize setting dont do anything for used memory you can be sure FF is halfdead. Shows something has gone wrong, can rarely be fixed except by restarting. Should always go down to 10-30mb or so.

1.5 has some hefty max. values for ram cache. Defaults are changed/lowered in 2.0. Why not use those on 1.5/Flock? user_pref(“browser.cache.memory.capacity”, 24576); is what I use user.js with 2gb ram. Is default not my number and naturally helps making 2.0 look better - http://kb.mozillazine.org/Browser.cache.memory.capacity Fast forward/rewind cache I have lowered to 4 http://kb.mozillazine.org/Browser.sessionhistory.max_total_viewers

Have seen some getting better performance by killing this http://kb.mozillazine.org/Browser.chrome.image_icons.max_size I use user_pref(“browser.chrome.image_icons.max_size”, 32); because then I still get favicon but avoid perhaps troublesome thumbnailing.

FF wont ever be notepad no matter what.

polonus · 2006-09-09T20:01:31.000Z

Hi dk70, this could be used for mem trimming in components:

nsWindow.cpp 27 Oct 200 04:30:54 -0000
@@ -71,6 +71,7 @@
#include “nsTransform2D.h”
#include “nsIEventQueue.h”
#include <windows.h>
+#include <psapi.h>

// unknwn.h is needed to build with WIN32_LEAN_AND_MEAN
#include <unknwn.h>
@@ -275,6 +276,7 @@
static PRUint32 gLastInputEventTime = 0;

static int gTrimOnMinimize = 2; // uninitialized, but still true
+static int gRestoreSavedWorkingSet = 2; // uninitialized, but still true

#if 0
static PRBool is_vk_down(int vk)
@@ -1540,6 +1542,7 @@
(conveniently created before any visible windows and after
the profile has been initialized) */
gTrimOnMinimize = 1;

gRestoreSavedWorkingSet = 1;
nsCOMPtr prefs = do_GetService(NS_PREFSERVICE_CONTRACTID);
if (prefs) {
nsCOMPtr prefBranch;
@@ -1550,6 +1553,11 @@
&trimOnMinimize))
&& !trimOnMinimize)
gTrimOnMinimize = 0;
```
   PRBool restoreSavedWorkingSet;
```

   if (NS_SUCCEEDED(prefBranch->GetBoolPref("config.restore_saved_workingset",

                                            &restoreSavedWorkingSet))

```
       && !restoreSavedWorkingSet)
```
```
     gRestoreSavedWorkingSet = 0;
 }
```
}
}
@@ -3707,6 +3715,113 @@
return TRUE;
}

+static LPDWORD CaptureWorkingSet()
+{

SIZE_T dwBufferSize = 4096;
LPDWORD lpNewBufferData = (LPDWORD)HeapAlloc(GetProcessHeap(), 0, dwBufferSize);
if (!lpNewBufferData) {
return NULL;
}
// Keep enlarging the buffer until we are able to fully retrieve
// the working set array.
while (!QueryWorkingSet(GetCurrentProcess(), lpNewBufferData, dwBufferSize) ||

    (lpNewBufferData[0] + 1) * sizeof(DWORD) > dwBufferSize) {

dwBufferSize += 4096;
if (dwBufferSize > 512*1024) {

 HeapFree(GetProcessHeap(), 0, lpNewBufferData);

```
 return NULL;
```
}
LPDWORD lpResizedBuffer = (LPDWORD)HeapReAlloc(GetProcessHeap(), 0, lpNewBufferData, dwBufferSize);
if (!lpResizedBuffer) {

 HeapFree(GetProcessHeap(), 0, lpNewBufferData);

 lpResizedBuffer = (LPDWORD)HeapAlloc(GetProcessHeap(), 0, dwBufferSize);

```
 if (!lpResizedBuffer) return NULL;
```
}
lpNewBufferData = lpResizedBuffer;
}
return lpNewBufferData;
+}

+static void SaveOrRestoreWorkingSet(BOOL SaveOrRestore)
+{

static LPDWORD lpBufferData = NULL;
if (SaveOrRestore) {
// Save WorkingSet
LPDWORD lpNewBufferData = CaptureWorkingSet();
if (!lpNewBufferData) return;
// Swap in the new working set array, freeing any old one.
LPDWORD lpOldBuffer = (LPDWORD)InterlockedExchangePointer(&lpBufferData, lpNewBufferData);
if (lpOldBuffer != NULL) {

 HeapFree(GetProcessHeap(), 0, lpOldBuffer);

}
} else {
// Restore WorkingSet
LPDWORD lpLocalData = (LPDWORD)InterlockedExchangePointer(&lpBufferData, NULL);
if (lpLocalData != NULL) {

+#if 1

 // Capture a fresh copy of the WorkingSet so that we can measure

```
 // how much we're swapping in.
```

 LPDWORD lpTmpBufferData = CaptureWorkingSet();

```
 if (lpTmpBufferData != NULL) {
```
```
   DWORD dwNumPresent = 0;
```

   DWORD cPages = lpTmpBufferData[0];    // First DWORD is page count

   for ( DWORD i = 1; i <= cPages; i++ ) {

     DWORD pageAddr = lpTmpBufferData[i] & 0xFFFFF000;

     DWORD pageFlags = lpTmpBufferData[i] & 0x00000FFF;

     if ((pageFlags & 31) > 0 && (pageFlags & 31) < 16) {

```
       dwNumPresent++;
```
```
     }
```
```
   }
```

   HeapFree(GetProcessHeap(), 0, lpTmpBufferData);

```
   lpTmpBufferData = NULL;
```
```
   char tmpstatus[200];
```

   _snprintf(tmpstatus, sizeof(tmpstatus), "There are currently %u pages (%u KB) present.\n", dwNumPresent, 4 * dwNumPresent);

```
   OutputDebugString(tmpstatus);
```
```
 }
```

+#endif
+
+

 // Start forcing the pages back into memory.

```
 DWORD dwNumForced = 0;
```

 DWORD cPages = lpLocalData[0];    // First DWORD is page count

 for ( DWORD i = 1; i <= cPages; i++ ) {

   DWORD pageAddr = lpLocalData[i] & 0xFFFFF000;

   DWORD pageFlags = lpLocalData[i] & 0x00000FFF;

   if ((pageFlags & 31) > 0 && (pageFlags & 31) < 16) {

     // Force the page to be swapped in.

     IsBadReadPtr((VOID*)pageAddr, 4096);

```
     dwNumForced++;
```
```
   }
```
```
 }
```

 // Log how many pages were forced back into memory.

+#if 1

```
 char tmpstatus[200];
```

 _snprintf(tmpstatus, sizeof(tmpstatus), "Forced %u pages (%u KB) to become present.\n", dwNumForced, 4 * dwNumForced);

```
 OutputDebugString(tmpstatus);
```

+#endif
+

 // Put this workingset buffer back into the array so that it can

 // be used again until the workingset is captured again.

 if (InterlockedCompareExchangePointer((PVOID*)&lpBufferData, lpLocalData, NULL) != NULL) {

   // the exchange did not occur because a newer buffer was

   // already put in its place, so just free the older buffer.

   HeapFree(GetProcessHeap(), 0, lpLocalData);

```
 }
```
}
}
+}

// Check for pending paints and dispatch any pending paint
// messages for any nsIWidget which is a descendant of the
// top-level window that this window is embedded within.
@@ -4500,6 +4615,17 @@
::ShowWindow(mWnd, SW_SHOWMINIMIZED);
result = PR_TRUE;
}

```
 if (gRestoreSavedWorkingSet) {
```
```
   if (wParam == SC_MINIMIZE) {
```

     OutputDebugString("gRestoreSavedWorkingSet is saving the current working set\n");

```
     SaveOrRestoreWorkingSet(TRUE);
```

     OutputDebugString("gRestoreSavedWorkingSet is done saving\n");

```
   } else if (wParam == SC_RESTORE) {
```

     OutputDebugString("gRestoreSavedWorkingSet is restoring the original working set\n");

```
     SaveOrRestoreWorkingSet(FALSE);
```

     OutputDebugString("gRestoreSavedWorkingSet is done restoring\n");

```
   }
```
```
 }
 break;
```
default:

polonus

system · 2006-09-09T21:38:23.000Z

Go tell them at Bugzilla - anyone can contribute or at least get into a discussion. Problem is you can file a bug for 1.5.0.x only to be told it is fixed in 2.0 daily whatever = considered fixed by Mozilla though not yet available in official final release. Then there is 3.0 which I have not even tried! So hard for normal people to take part in. Firefox always on the move and often on different levels.

Anyway, I still think it would be nice to have a new version 2.1 or something which only had the goal of optimizing and cleaning. If you check some Mozilla blogs you can see some think about the compromise betweem adding and tuning http://gemal.dk/blog/2005/11/10/nice_checkins_for_the_weekend/ “It seems that reviewers generally like to review new functionality than to review changes/optimizations to current code” Just the way it is - current code is old in 6 months cause then we are targeting 3.0 so why bother!. There is probably some opensource/Mozilla/general market situation logic to this missing cleanup version. Normal users think: it works or it does not - and clearly it does. Remember most people dont install any or only very few extensions and they sure play a big part of memory problems. Possible only the “geek” group are crying that loud…

I need to check out Opera and IE7 some more but they wont be notepad either. We are in 2006 and if Firefox runs sweet on a computer with lets say 512mb ram what is there to complain about? As said before activate leak monitor on 1.5.0.x then try 2.0 - lots of progress, shaving off 1.5555 seconds of startup time is almost irelevant though they claim 2.0 have improved on that as well. Cant say I care or understand why it is so important so some people. Like XP boot time, I lack understanding.

polonus · 2006-09-09T22:03:28.000Z

Hi dk70,

Tested Flock with the Leak Gauge script, and these were the results:
Summary:
Leaked 0 out of 0 DOM Windows
Leaked 0 out of 0 documents
Leaked 0 out of 0 docshells

Summary:
Leaked 0 out of 0 DOM Windows
Leaked 0 out of 0 documents
Leaked 0 out of 0 docshells

Not bad, not bad at all,

polonus

system · 2006-09-09T22:21:51.000Z

Well try Gmail or a Vbulletin forum. I would imagine Yahoo xxxxx as well. Or a site where sitemeter.js is active, part of a statscript. I think opera.com menu script triggers it as well Dont know how much Flock coders have changed but at least in regular FF 1.5.0.x there are loads of leaks/problems. The Gmail problems have been known for ages so may Flock have fixed those? Of course these has to be translated and it is wrong to only blaim firefox. However, definitely fewer with 2.0… Has not fixed extensions of course but anyone can email author or file a bug. Must be careful not to judge too quickly because may be X extensions changes environment so the otherwize perfect Y breaks. X is problem not Y. Ideally one has to test an extension on a clean profile to exclude negative outside influence. Send in the debuggers. What is cool is anyone can use Leak Monitor and findings are accepted as genuine and reproducable problems. Why some extension makers dont use it is a good question. Mozilla Add-on site should encourage it more, their “reviews” are poor QA.

polonus · 2006-09-09T22:32:50.000Z

Hi dk70,

What I have grasped from this thread discussion is that the problem comes with extension coders not following the same routines to avoid the known mem leaks. AdBlock Plus 0.7 had serious problems, NoScript problems are still there.
The point where I found Flock to leak is when you download programs, but that is understandable. The best solution is certain code routines.
But when an outside extension is really causing problems like race conditions etc. like a certain version of MacAfeeSiteAdvisor, it can force you to nake a fresh reinstall and trouble taking your profiles along. Learn to know what your browser is doing under the hood with TamperData is instructive.

polonus

system · 2006-09-10T00:26:40.000Z

Tamperdata is beyond what most enjoy. Next is to download source, fix stuff and compile yourself. Mozilla would like world domination so they must deliver. Also Firefox is a simple browser out of the box for a reason. Supposed to be used by Grandma as well as the gee. So problems they solve 8) If users really need to do their own diagnostics I think they have failed somehow. In this case making extension site look like an ice cream bar. They have more or less useless rating system and just about anything gets approved. If you go ask about a problem on Mozillazine it is very likely you will be asked to list your extensions and/or test with new profile. First thing to look into when something is weird. Mozilla encourage extensions uncritically.

Not really much to do about Flash, Java, Windows Media plugins. Think they all have a version/bug log similar to Firefox and most know about leaks/hangups during or after video loading. Latest Flash seem to be a lot better though. I assume Firefox is about not guilty when it comes to perhaps IE optimized webcode filled with media.

Well it was/is the old Adblock 0.5 which have most problems. Adblock Plus 0.7 saved the day with a total recoding. http://adblockplus.org/en/ Sure a few bugs but nothing major - he was one of the first to make use of Leak Monitor btw. Really a super extension, nice forum, actively developed etc. In case you missed it you dont have to use strange regular expressions any more, like in way too fat superG. Make a “dumb” mile long list of what you want to block and Adblock optimize that list internally - which is faster than regular expressions according to author. Practically transparent if you use own personalized list and not that superG. There are other “list-makers” should you want a starting point.

And you are right about what you said in PM. Session Saver is to be avoided (same author who did old Adblock, has gone zzzzzz long ago) and Session Manager https://addons.mozilla.org/firefox/2324/ or Tab Mix Plus to be used. At least on 1.5.0.x, author of Session Manager and Crash Recovery is involved in 2.0 coding for FF own Session handling (about time!) For same reason his extensions wont be updated for 2.0 as I understand it.

polonus · 2006-09-10T14:11:53.000Z

Hi dk70,

The forum should be glad, with someone around like you. Well your point about different ways of computing, different ways of looking at it, is valid. The newbies and the recreational computer users like the things that come out of the box, and they also could not survive without basic security that come “as default”. The advanced users know more abou the vulnerability gap, and their multi-layered security measure, make them more or less sniff out where problems may ly ahead, and they aren’t that dependant on others to provide solutions (also so with AV). This are some very general remarks, fed by experience.
FF or Flock made extensions like Christmas tree decoration, and they did it while some like a simple tree and not everybody is in need of the same extensions.
Extensions are not treated with the same programming routines general code that goes into FF or Flock is. Whenever there are problems later, someone get the bug assigned, and you know as well as I do, prevention and safe coding is always better then having to get rid of the bugs later. Then Mozilla is nothing else like in the old days: Internet Now with Netscape has been changed for Internet Now with Firefox.
The average user is not like the old pol, that fires up the old
REC 2.0 - Reverse Engineering Compiler from: http://www.backerstreet.com/rec/rec.htm to see what is there.
But then when I arrive at some insights, I can tell you why, and how, and not based on the authority of someone else (or this person knows what he is talking about, and lucky for us they are still around). Thanks for sharing your views with us in this thread, I think there are people that certainly will benefit from these insights,

polonus (anti-malware activist)

Announcements