Just how buggy is Firefox?

Code analysis row after tool identifies 611 defects


Security researchers that carried out a code analysis of popular open source browser Firefox using automated tools, have discovered scores of potential defects and security vulnerabilities despite coming to the conclusion that the software was generally well written.

A former Mozilla developer has criticised the methodology of the analysis and said it provides little help in unearthing real security bugs.

Several versions of the software were put through their paces by Adam Harrsion of Klocwork using Klocwork's K7 analysis tool. The analysis, which culminated in an examination of Firefox version 1.5.0.6 unearthed 611 defects and 71 potential security bugs.

A large number of these flaws resulted from the code not checking for null after memory was allocated or reallocated. Memory management issues accounted for the next highest defect count (141 flaws). Failure to check the execution path of code also frequently cropped up as a potential error.

Firefox developers have been sent the analysis results, which Harrsion concedes is preliminary. "Only someone with in-depth knowledge and background of the Firefox code could judge the danger of a particular security vulnerability," he writes.

It's unclear how many, if any, of the potential defects identified by Klocwork's tool are exploitable, the most important consideration.

Neither Microsoft nor Opera have released proprietary code for their respective browsers for similar analysis, so no comparisons can be drawn.

Alec Fleet, a former developer on the Mozilla Project, said that running code analysis tools has some benefit, but he criticised Klocwork's conclusions as incomplete and potentially misleading.

"To claim that there are 611 known, specific, real defects is just wrong. With most of these tools the signal to noise ratio is very high," he writes.

"This is not to say there aren't 141 other legitimate memory management defects lurking, but it takes a deeper (human) understanding of the codebase, as well as testing of actual codepaths in use, to flush them out. To spend smart developers' time going over long reports of machine-generated lint would be a waste," Fleet adds.

Harrsion defended the quality of his analysis against these criticisms. "Although this analysis was automated, the level of analysis is more sophisticated then a traditional lint-type tool. In this particular analysis we reviewed the entire results to verify the correctness of the defects... [but] as with any analysis only the developers can be the final judge on the severity of these problems," he said. ®


Other stories you might like

  • It's primed and full of fuel, the James Webb Space Telescope is ready to be packed up prior to launch

    Fingers crossed the telescope will finally take to space on 22 December

    Engineers have finished pumping the James Webb Space Telescope with fuel, and are now preparing to carefully place the folded instrument inside the top of a rocket, expected to blast off later this month.

    “Propellant tanks were filled separately with 79.5 [liters] of dinitrogen tetroxide oxidiser and 159 [liters of] hydrazine,” the European Space Agency confirmed on Monday. “Oxidiser improves the burn efficiency of the hydrazine fuel.” The fuelling process took ten days and finished on 3 December.

    All eyes are on the JWST as it enters the last leg of its journey to space; astronomers have been waiting for this moment since development for the world’s largest space telescope began in 1996.

    Continue reading
  • China to upgrade mainstream RISC-V chips every six months

    Home-baked silicon is the way forward

    China is gut punching Moore's Law and the roughly one-year cadence for major chip releases adopted by the Intel, AMD, Nvidia and others.

    The government-backed Chinese Academy of Sciences, which is developing open-source RISC-V performance processor, says it will release major design upgrades every six months. CAS is hoping that the accelerated release of chip designs will build up momentum and support for its open-source project.

    RISC-V is based on an open-source instruction architecture, and is royalty free, meaning companies can adopt designs without paying licensing fees.

    Continue reading
  • The SEC is investigating whistleblower claims that Tesla was reckless as its solar panels go up in smoke

    Tens of thousands of homeowners and hundreds of businesses were at risk, lawsuit claims

    The Securities and Exchange Commission has launched an investigation into whether Tesla failed to tell investors and customers about the fire risks of its faulty solar panels.

    Whistleblower and ex-employee, Steven Henkes, accused the company of flouting safety issues in a complaint with the SEC in 2019. He filed a freedom of information request to regulators and asked to see records relating to the case in September, earlier this year. An SEC official declined to hand over documents, and confirmed its probe into the company is still in progress.

    “We have confirmed with Division of Enforcement staff that the investigation from which you seek records is still active and ongoing," a letter from the SEC said in a reply to Henkes’ request, according to Reuters. Active SEC complaints and investigations are typically confidential. “The SEC does not comment on the existence or nonexistence of a possible investigation,” a spokesperson from the regulatory agency told The Register.

    Continue reading

Biting the hand that feeds IT © 1998–2021