This Tuesday (2009-07-21), I’m organizing a crash bug triage day where anyone interested can help us classify the swamp of open crash bugs. Join us in #bugday on irc.mozilla.org if you’d like to help.
Crashes and security
Some Firefox crash bugs are severe security bugs. A crash bug is likely to be exploitable if it can be triggered by a web page and the bug is a memory safety bug such as calling a virtual method on a dangling pointer.
Although only a fraction of our crashes are exploitable, two thirds of our most severe security bugs are crashes. We’re striving to improve how we find and fix crash bugs, since the better we can find and fix the bugs, the more stable and secure Firefox will be.
When a user reports a bug, a loose team of volunteers tries to reproduce the bug, improve the bug report, and inform the correct developers about the bug.
Our current bug triage process is not perfect, and sometimes leaves valid bugs unprocessed. During this Tuesday’s crash bug triage day, we will experiment with a new triage workflow that should be both more efficient and more effective. If you’d like to help clear the crash bug backlog, please join us in #bugday this Tuesday (2009-07-21).
Reporting bugs requires substantial effort from users, and requires both English-language and technical skills, so we prefer not to rely exclusively on user-reported bugs. Luckily, crashes are easier to detect automatically than most other types of bugs, so we can find many of them using other methods.
Whenever Firefox crashes, a dialog appears that allows users to submit information about the crash to Mozilla. Although the average Firefox user only sends us 1.5 crash reports per year, this information is valuable in aggregate. (Note added December 2009: the total number of crashes is likely higher, since users may choose not to submit crash reports, and for 90% of users the checkbox for submitting is unchecked by default.)
Currently, our main use for these crash reports is to identify the most common crashes. If a crash is common but has not been reported in Bugzilla, we can look at the comments that come with some crash reports to get an idea of what triggers the crash.
Fixing common crashes is enough to make Firefox stable for most users, but even a rare crash could be a security hole, so we need to do more. To address this issue, Mozilla is creating a “crash reproduction farm” of computers that will automatically load URLs that come with crash reports. This will let us identify and fix most crashes that result from simply loading a web page.
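The triage steps described above, as an added example that is not Mozilla's code: it ranks crash signatures by frequency, surfaces user comments for crashes that have no filed bug, and queues every reported URL for automated reproduction, rare signatures included. The report fields, signatures, URLs and the set of filed bugs are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample data. Field names and signatures are assumptions for
# illustration, not the schema of Mozilla's crash-report system.
REPORTS = [
    {"signature": "sig_layout_reflow", "url": "http://a.example/page1", "comment": "crashed while scrolling"},
    {"signature": "sig_layout_reflow", "url": "http://a.example/page1", "comment": ""},
    {"signature": "sig_layout_reflow", "url": "http://b.example/list", "comment": "happens on resize"},
    {"signature": "sig_plugin_destroy", "url": "", "comment": "closing a tab"},
    {"signature": "sig_plugin_destroy", "url": "", "comment": ""},
    {"signature": "sig_dom_virtual_call", "url": "http://c.example/rare", "comment": ""},
]
FILED = {"sig_plugin_destroy"}  # signatures that already have a bug (constructed)


def triage(reports, filed):
    """Return (ranked signatures, unfiled crashes with comments, repro queue)."""
    counts = Counter(r["signature"] for r in reports)
    urls, comments = defaultdict(list), defaultdict(list)
    for r in reports:
        sig = r["signature"]
        # Keep each URL once per signature so the farm does not reload duplicates.
        if r["url"] and r["url"] not in urls[sig]:
            urls[sig].append(r["url"])
        if r["comment"]:
            comments[sig].append(r["comment"])
    # Most frequent first; ties broken by name so the order is stable.
    ranked = [s for s, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]
    # Crashes with no bug on file: user comments hint at what triggers them.
    unfiled = [(s, counts[s], comments[s]) for s in ranked if s not in filed]
    # Frequency decides order only. A signature seen once still gets a
    # reproduction attempt, because a rare crash can be a security hole.
    repro = [(s, u) for s in ranked for u in urls[s]]
    return ranked, unfiled, repro


if __name__ == "__main__":
    ranked, unfiled, repro = triage(REPORTS, FILED)
    for sig, count, notes in unfiled:
        print(f"unfiled: {sig} x{count} comments={notes}")
    for sig, url in repro:
        print(f"reproduce: {sig} <- {url}")
```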
Fixing crash bugs
For developers who are familiar with the relevant code, crashes are often easier to debug and fix than they are to find. To identify the developers familiar with the code, you can click the source code links in crash reports and see who last touched each line of code.
Security bug hunter