
Engineering code quality in Firefox - caution
https://hacks.mozilla.org/2020/04/code-quality-tools-at-mozilla/
======
alephnan
We had an "open-ended" project in an undergraduate Computer Security course to
discover a 0-day in Firefox. The professor (a researcher, not lecturer, by
trade) didn't really have a curriculum, and said this artifact accounted for
70-80% of our grade.

Trying to compile Firefox was already a challenge. That, and each compile took
an hour. IIRC, Firefox is built on some esoteric architecture / design pattern
that's definitely beyond the scope of design patterns undergraduate students
are familiar with.

By the end of the term, no one discovered a 0-day, unsurprising considering
half the class didn't even try. There were 90 students in the class, and I
ended up being the only person to produce a JS payload that would crash
Firefox in one of the newer HTML5 libraries. It's neither a zero-day nor an
exciting or profitable vulnerability though.

Realizing everyone in the class would fail, the professor changed the grade of
this project to only account for 30% of the grade. I spent most of my time on
this project while disregarding the rest of the busy work for the class. In
the end, I got a C grade while my peers who didn't even attempt to tackle this
project received higher grades.

~~~
thayne
> Trying to compile Firefox was already a challenge. That, and each compile
> took an hour.

At first glance, this sounds terrible. But when compared to software projects
of comparable size, Firefox is hardly unique. Compare to compiling Chromium
for example, or even the Linux kernel.

~~~
swiley
Those are all very different levels of difficulty IMO:

Linux is almost trivially easy, only slightly harder than the usual configure
&& make and has very few dependencies.

Firefox is pretty painful but it's doable with a decent amount of care and
bandwidth.

Chromium is a fairly typical google project where the recommended first step
to building it is to become a google employee but some alternative workarounds
are also available if that's not practical.

~~~
happosai
Nah building is fine, just follow the steps from Debian/Ubuntu/whateverdistro.
But trying to contribute is fun. By the time you've danced all the hoops to
allow you to contribute, some Google employee has already refactored the code
around the bug. Then you have to be fast enough to get your updated patch
applied before someone else has reorganized the code again...

At some point I started wondering if indeed I'd get the fix in faster by
starting to practice whiteboard interviews.

~~~
eholk
> ...some Google employee has already refactored the code around the bug. Then
> you have to be fast enough to get your updated patch applied before someone
> else has reorganized the code again...

For what it's worth, this is how it works if you're a Google employee too.

------
bergheim
I just wanted to say that, despite a few mishaps, firefox is what _everybody_
on hn should be using. I can give my browser-time credentials, but really.
Firefox is amazing. Care for the open web, fear ie6, and at the same time
enjoy firefox!

~~~
eitland
> Care for the open web, fear ie6, and at the same time enjoy firefox!

And remember: Chrome is the new IE.

(Since a number of people have misunderstood this quote in the past I'll
explain it up front: 1. IE was in some ways technically superior to
competition until they became dominant. 2. At the same time devs stopped
caring about other browsers, and then 3. Microsoft lost interest in it. We are
repeating this it seems, currently at step 2 for a few years already, waiting
for Chrome to completely outcompete other browsers and for Google to abandon
it like so many other of their projects :-)

Edit: I took the time to write down a slightly expanded version of the
explanation above: [https://erik.itland.no/chrome-is-the-new-internet-explorer-4...](https://erik.itland.no/chrome-is-the-new-internet-explorer-4-stages)

~~~
alephnan
For people who don't care about privacy, what would be the motivation for
making the switch?

Chrome is good enough. The interface is still streamlined. Microsoft didn't
just lose interest in IE, but it became bloated with the toolbar. The UI
wasn't well proportioned in general.

Web development wise, it was a struggle to be compatible with IE. Chrome may
be setting the web standard for better or worse, but at least developers are
more comfortable developing and testing Chrome. The sentiment is that writing
code to work I.E. would be exceptional, whereas now writing code for non-
Chrome browsers would be the exceptional case. In fact, developers sometimes
only test Chrome. Some popular E2E JavaScript testing frameworks only work
with Chrome.

Also, I don’t know if there are examples of Chrome implementing non-standard
behavior that rivals IE having an event bubbling system that was inverted from
every other browser.

~~~
eitland
I wrote a blog post last year that touches into it:
[https://erik.itland.no/are-you-making-a-chrome-application-o...](https://erik.itland.no/are-you-making-a-chrome-application-or-a-web-application)

As a developer you get a lot for free by developing in Firefox, most
importantly if it works in Firefox then it will likely work in all other
browsers as well. This is, in my experience as developer and code reviewer not
the case for code written and tested exclusively on Chrome.

------
djanogo
I was thinking about Firefox development quality while trying to figure out
why the f does Firefox CPU usage fluctuate between 1 and 5% with one
background tab open and only one plugin installed (containers). The same URL
when opened in safari goes to 0.1% or 0.0. I tried to look up dom timeout
config settings and tried to set aggressive timeouts, but in the end I gave
up.

There must be something fundamentally wrong if apps can't stfu and be at 0%
while in background with simplest use case. I am going back to close apps
when I am done using it.

~~~
mschuster91
Chrome has the same issue. The thing is, Safari is _deeply_ connected to OS X
and its internals to save as much energy as possible. Apple can do this and
tie the code to the specific hardware, kernel, and what else matters that
Safari runs on as they control everything. Chrome and Firefox cannot.

I would not be surprised if someone tells me that parts of Safari hook into
private APIs in the kernel, the graphics driver and the other parts of the
graphic and input stack to achieve the (measurable!) performance advantage
over other browsers. For me personally, this is uncompetitive behavior that
should be punished, but oh well, anti-trust legislation isn't exactly
something that got much use over the last decades :(

~~~
spijdar
You think Apple should be punished for creating a vertically integrated stack?

Setting aside private APIs as I have no idea what Safari does or doesn't use
(although vast portions of it are open source, enough that you can compile
modern versions of WebKit and "upgrade" the ancient WebKit on PowerPC Macs),
another browser could be just as closely integrated as Safari. Obviously, the
cost/benefit ratio is awful for Mozilla and Google, so they won't, but why
should Apple cripple their own software? Safari's development costs, as part
of MacOS, are funded by profits from Mac sales. Safari is deeply integrated
with MacOS which is in turn deeply integrated with the Mac.

In my opinion the whole point of the Mac is this vertical integration, and the
main value-add of Apple's sphere. If you don't value that, there are cheaper
options where cheaper and more flexible software is available.

To me, an anti-trust suit would make sense for Safari on iOS, where Apple has
locked all competitors out (in practice). Saying Apple should be fined for
Safari because it's more integrated and efficient and that's not fair to
Chrome and Firefox seems a bit silly, especially given (desktop) Safari's
relatively small usage numbers. All IMO of course.

~~~
mschuster91
> You think Apple should be punished for creating a vertically integrated
> stack?

No, only for not giving everyone a fair and equal level of access. I'm not
against Apple deeply integrating Safari into the OS, but they should allow
competition to enjoy the same level of performance that their own stuff does.

------
unethical_ban
I appreciate the acknowledgement of needing to tolerate previously acceptable
conditions while scanning and remediating those same conditions point forward.

I wish IT auditors understood this concept better.

------
webmobdev
I am glad they are looking into this:

Sorry for the following rant, but I really don't think of Firefox browser when
I think of code quality. (Still don't even though it has improved a lot in
some areas).

When it comes to browsers, I still feel the old Opera browser (presto), that
had more features, was blazing fast and small in size (in memory) is a very
good example of a finely engineered software. In the early versions they
really cared about optimizing for performance, using less memory and less
power (on mobile devices) - I am amazed that years after, modern browsers are
bloatier now than ever and just don't seem to care as much about these aspects
as much as Opera did.

Questions like how modular is Firefox, how easy is it to customize Firefox
(add or remove feature from the code), how easy is it for someone to use the
Gecko rendering engine in their own project etc. all kind of indicate the
bloatier, messier nature of the code within Firefox (in my opinion).

It's like browser developers nowadays only care about adding more features
(read bloat) without considering any constraints ...

~~~
acdha
Opera felt small and fast because it did less and ran websites doing less. If
you look at an old site in a modern browser, it's much faster; if you even
could run a modern site in an old browser, you'd see just how many
optimizations you're taking for granted — not to mention things like high-
quality text rendering which fully supports Unicode and complex scripts.

~~~
adrianN
The machines you were likely running Opera on were a lot less powerful though.
Doing a bit less on a Pentium IV might be more impressive than rendering a
modern website on an i5.

~~~
acdha
True, but again it was doing much less: we take things like high resolution,
full color depth with color management, high-quality text rendering, anti-
aliasing & subpixel rendering, etc. for granted.

Back then, good scrolling performance meant moving one page of thumbnails at a
time, not continuously scrolling many times more thumbnails of significantly
greater resolution.

The better lesson I’d draw from this is that it’s healthy to be skeptical when
people say we “need” a huge pile of JavaScript for everything. If you let a
modern browser run without layers of heavy code it’s usually easy to get the
response times faster than the thresholds where users perceive it as
instantaneous.

------
rstefanic
> Our next major challenge: We are dealing with 21 million lines of code.

I think I just fail to understand the true complexity of a browser, but how is
Firefox 21 million lines of code? How can a browser be 21 million lines of
code? That just seems so large for what a browser does.

~~~
kryptiskt
A browser lays out text and graphics (for any script in any locale), does GPU
accelerated 3D rendering, handles network communication, plays video, plays
audio, provides accessibility, parses a bunch of languages, compiles a couple
of languages to machine code run in a security sandbox (and has a separate
optimizing compiler), provides database storage, implements a plugin system,
provides support for 25 years of legacy standards. And a bunch of more things.

~~~
ken
It also reimplements all of those things itself from scratch because their
priority is on cross-platform parity, not efficiency.

Every time I see someone working on a FF bug I’m cc’d on, I marvel at how many
files they have to touch to get anything done. One key binding missing,
because they’re not using the system text field? Hundreds of lines of diffs,
spread across a dozen source files.

