
Jesse Ruderman

  • 2022-01-06 Date collected
  • 2022-02-15 Updated
Jesse Ruderman
  • Website address: squarefree.com
  • Server IP: 173.236.136.178
  • Website description:

Domain: squarefree.com Valuation

About 5000~500000

Domain: squarefree.com Traffic

395

Domain: squarefree.com Good or bad

A benefactor will help. Success is possible.

Website: Jesse Ruderman Weight

2

Website: Jesse Ruderman IP

173.236.136.178

Website: Jesse Ruderman Content

Indistinguishable from Jesse
Jesse Ruderman on Firefox, security, and more

Releasing jsfunfuzz and DOMFuzz
July 28th, 2015

Today I'm releasing two fuzzers: jsfunfuzz, which tests JavaScript engines, and DOMFuzz, which tests layout and DOM APIs.

Over the last 11 years, these fuzzers have found 6450 Firefox bugs, including 790 bugs that were rated as security-critical.

I had to keep these fuzzers private for a long time because of the frequency with which they found security holes in Firefox. But three things have changed that have tipped the balance toward openness.

First, each area of Firefox has been through many fuzz-fix cycles. So now I'm mostly finding regressions in the Nightly channel, and the severe ones are fixed well before they reach most Firefox users. Second, modern Firefox is much less fragile, thanks to architectural changes to areas that once oozed with fuzz bugs. Third, other security researchers have noticed my success and demonstrated that they can write similarly powerful fuzzers.

My fuzzers are no longer unique in their ability to find security bugs, but they are unusual in their ability to churn out reliable, reduced testcases. Each fuzzer alternates between randomly building a JS string and then evaling it. This construction makes it possible to make a reproduction file from the same generated strings. Furthermore, most DOMFuzz modules are designed so their functions will have the same effect even if other parts of the testcase are removed. As a result, a simple testcase reduction tool can reduce most testcases from 3000 lines to 3-10 lines, and I can usually finish reducing testcases in less than 15 minutes.

The ease of getting reduced testcases lets me afford to report less severe bugs. Occasionally, one of these turns out to be a security bug in disguise. But most importantly, these bug reports help me establish positive relationships with Firefox developers, by frequently saving them time.

A JavaScript engine developer can easily spend a day trying to figure out why a website doesn't work in Firefox. If instead I can give them a simple testcase that shows an incorrect result with a new JS optimization enabled, they can quickly find the source of the bug and fix it. Similarly, they much prefer reliable assertion testcases over bug reports saying "sometimes, Google Maps crashes after a while".

As a result, instead of being hostile to fuzzing, Firefox developers actively help me fuzz their code. They've added numerous assertions to their code, allowing fuzzers to notice as soon as the smallest thing goes wrong. They've fixed most of the bugs that impede fuzzing progress. And several have suggested new ways to test their code, even (especially) ways that scare them.

Developers working on the JavaScript engine have been especially helpful. First, they ensured I could test their code directly, apart from the rest of the browser. They already had a JavaScript shell for running regression tests, and they added a --fuzzing-safe option to disable the more dangerous testing functions.

The JS team also created a large set of testing functions to let me control things that would normally be based on heuristics. Fuzzers can now choose when garbage collection happens and even how much. They can make expensive JITs kick in after 2 loop iterations rather than 100. Fuzzers can even simulate out-of-memory conditions. All of these things make it possible to create small, reliable testcases for nasty classes of bugs.

Finally, the JS team has supported differential testing, a form of fuzzing where output is checked for correctness against some oracle. In this case, the oracle is the same JavaScript engine with most of its optimizations disabled. By fixing inconsistencies quickly and supporting --enable-more-deterministic, they've ensured that differential testing doesn't get stuck finding the same problems repeatedly.

Please join us on IRC, or just dive in and contribute! Your suggestions and patches can have a large impact: fuzzer modules often act together to find complex interactions within the browser. For example, bug was found by my designMode module interacting with a <table> module contributed by a Firefox developer, Mats Palmgren. Likewise, bug was found by Christoph Diehl's WebAudio module combined with my reflection-based API-discovery modules.

To the next 6450 browser bug fixes!

Posted in Fuzzing, Mozilla, Security | 12 Comments

Fuzzers love assertions
February 3rd, 2014

Fuzzers make things go wrong. Assertions make sure we find out.

Assertions can improve code quality in many ways, but they truly shine when combined with fuzzing. Fuzzing is normally limited to finding obvious symptoms like crashes, because it's rare to be able to tell correct behavior from incorrect behavior when the input is generated randomly. Assertions expand the scope of fuzzing to include everything they check.

Assertions can even help find crash bugs: some bugs are relatively easy for fuzzers to trigger, but only lead to crashes when additional conditions are met. A well-placed assertion can let us know every time we trigger the bug.

Fuzzing JS and DOM has found about 4000 assertion bugs, including about 300 security bugs.

Asserting safe use of generic data structures

Assertions in widely-used data structures can find bugs in many callers.

  • Array indices must be within bounds. This simple precondition assert in nsTArray has caught about 90 bugs.
  • Hash tables must not be modified during enumeration. If the modification happened to resize the hash table, it would leave stack pointers dangling. This PLDHashTable assertion has caught over 50 bugs.
  • Cached values should not be out of date. When a cache's get method takes a key and a closure for computing values in the case of a cache miss, debug builds can check whether the cached values are still correct. This is effectively a form of differential testing that notices bugs in cache-invalidation logic.

Asserting module invariants

When an entire module must maintain an invariant, a single assertion can catch dozens of bugs.

  • Compartment mismatches. When a JS object in one page's compartment references an object in another, it must do so through a wrapper that enforces security policies. Without these assertions, we would have missed over 25 violations of Firefox's script security model.
  • Phases of layout. These assertions have strings like "Should be in an update while creating frames" and "reflowing in the middle of frame construction". More phase and nesting assertions are wanted, but sometimes special cases like plugins get in the way.

Making the frame arena safer

Gecko's CSS box objects, called "frames", are created and destroyed manually. They are allocated within an arena to reduce malloc overhead and fragmentation. The arena also made it possible to reduce the risk associated with manual memory management.

A combination of assertions (in debug builds) and runtime mitigations (in all builds) mitigates dangling pointer bugs that involve frames.

  • When the arena is destroyed, debug builds assert that all objects in the arena were also destroyed. Over 60 bugs have been caught by the assertion. About half of the bugs that trigger the assertion can lead to exploitable crashes, but without a specially crafted testcase, they will not crash at all.
  • While the arena is still alive, deleted frames are overwritten with a special poison pattern. If any code uses a pointer from a deleted frame, the browser will segfault safely. This mitigation, called frame poisoning, has prevented dozens of bugs from being exploitable.
  • Writing over the poison trips another assertion. This assertion is actually more prone to catch hardware errors than software bugs, so it has been modified to help distinguish between the two.

Requests for Gecko developers

Please add assertions, especially when:

  • A bug would be a security hole
  • Crashing is not guaranteed
  • Many callers must fulfill a precondition
  • Complex, extensive code must maintain an invariant

Also consider:

  • Ensure assertions in third-party libraries are enabled in debug builds of Firefox.
  • Fix bugs requesting new assertions.
  • Fix my assertion bugs to allow my fuzzers to find more.

Posted in Fuzzing, Mozilla | 1 Comment

Customizing the Mozilla Manifesto
December 17th, 2013

I have mixed feelings about requiring Mozillians to “agree” to the Mozilla Manifesto.

I get the impression that many volunteers aren’t fond of “commercial involvement” (9). Firefox development often does not live up to the ideals of absolute security (4) or transparency (8), so we’d be asking new contributors to commit to behavior for which they may have little support.

Meanwhile, the manifesto is oddly silent on two issues that many Mozillians care about deeply. First, it says little about privacy. “Shaping your own experience on the Internet” (5) suggests control over customized ads, but not control over tracking by advertisers or governments.

Second, the manifesto does not adequately address removing barriers to contribution or promoting inclusiveness in community processes. The relevant principles (6, 8) are worded as vague beliefs rather than strong values. Compare with my favorite part of the Ada Initiative FAQ: “Open technology and culture are shaping the future of global society. If we want that society to be socially just and to serve the interests of all people, [all kinds of people] must be involved in its creation and organization.”

Rather than asking each Mozillian to agree to the entire manifesto, let’s instead encourage everyone to Likert the 10 existing principles and add a few of their own. Indicating how you feel about each principle is more memorable than clicking “agree” once. Each Mozillian would have a personal version of the Manifesto to remind them what drives them to contribute. Such a survey could also lead to better understanding of the community and suggest improvements to the Manifesto.

Posted in Mozilla | 8 Comments

Mobile apps for car-free living
April 16th, 2012

Swings on BART (photo by Audrey Penven)

Each of these apps makes transit more efficient or convenient. Together, they can do something almost magical: make transit attractive to urbanites who previously saw owning a car as a necessity.

Planning your trips

These apps try to find the best way to reach your destination by combining timetables from multiple transit agencies:

  • Google Maps [Learn more] shows your current location along with walking, transit, or driving directions. In the iPhone app, you can double-tap the locator button to align the map with the iPhone's compass.
  • HopStop [iOS | Android] lets you specify whether you prefer trains or buses, and whether you prefer walking or waiting for a transfer. It shows a zoomed-in map for each transfer.
  • Reroute.it lets you quickly compare modes of transportation before getting directions.

Catching your ride

Routesy, Nextime, and Nextbus use real-time transit data to help you make quick decisions on familiar routes. For example, you'll know when to walk to your stop, when to run, and when to wait inside.

Not missing your stop

A location-based alarm, such as Get Off Now or GPS Alarms, can allow you to nap, read, or work without worrying about missing your stop.

These apps can run in the background and have surprisingly little effect on battery life. They use power-hungry GPS only when cell/wifi location data indicates that you are somewhat close.

Staying productive and entertained

One of the biggest advantages of public transportation is being able to get things done while in transit. Some people check email, watch TV shows, or even order from Chipotle using their phones.

I often use time on the train to read articles. Whenever I find myself with too many Wikipedia tabs open, I send them to my phone using the Instapaper or Spool bookmarklet. Sometimes I read books on my phone using the Amazon Kindle app.

Getting a car when you need one

The Zipcar app lets you borrow cars from Zipcar locations, while Getaround lets you borrow cars from awesome neighbors. Or you can pay for a ride using Taxi Magic or Uber.

More reading

Some transit authorities recommend apps for their cities: San Francisco, New York, Chicago, Seattle, and Portland, Oregon.

In my next posts, I'll list my ideas for new transit apps and explain how platforms could better support location-aware apps.

Posted in Transportation | Comments Off on Mobile apps for car-free living

Fuzzing for consistent rendering
March 3rd, 2012

My DOM fuzzer can now find bugs where the layout of a DOM tree depends on its history.

In this example, forcing a re-layout swapped a “1” and “3” on the screen. My fuzzer didn’t know which rendering was correct, but it could tell that Firefox was being inconsistent.

  • Initial DOM tree: DIV &#x062a; SPAN 1 SPAN 3 (rendering: 31&#x062a;)
  • Random change: remove the inner span: DIV &#x062a; SPAN 1 3 (rendering: 31&#x062a;)
  • Force re-layout: DIV &#x062a; SPAN 1 3 (rendering: 13&#x062a;)

Gecko developer Simon Montagu quickly determined that 13&#x062a; is the correct rendering and attached a patch. Later, when a user reported that the bug affected Persian comments on Facebook, we were able to backport Simon’s fix to Firefox 11.

How it works

The fuzzer starts by making random dynamic changes to a page. Then it compares two snapshots: one taken immediately after the dynamic changes, and another taken after also forcing a relayout.

To force a relayout, it removes the root from the document and then adds it back:

    var r = document.documentElement;
    document.removeChild(r);
    document.appendChild(r);

Like reftest, it uses drawWindow() to take snapshots and compareCanvases() to compare them.

In theory, I could also look for bugs where dynamic changes do not repaint enough of the window. But I've been told that testing for painting invalidation bugs is tricky, so I'll wait until most of the layout bugs are fixed.

Exceptions

Since the testcases are random, I have to be heavy-handed in ignoring known bugs. If I file a rendering bug where the weirdest part of the testcase is floats, I'll have the fuzzer ignore inconsistent rendering in testcases with floats until the bug is fixed.

The current list of exceptions is fairly large and includes key web technologies:

  • CSS border/padding (bug)
  • CSS position: relative/absolute (bug)
  • CSS float (bug)
  • Non-ASCII text (bug)
  • Right-to-left text (bug)
  • <table> (bug)
  • MathML (bug)
  • SVG (bug, bug)
  • Anything that causes coordinate overflow
  • Anything that causes assertion failures (which are tracked separately)

Posted in Differential testing, Fuzzing, Mozilla | Comments Off on Fuzzing for consistent rendering

Renting movies is hard
March 1st, 2012

None of the major video rental systems appeal to me:

  • Redbox is for people who visit the grocery store two days in a row. (Why don't they put kiosks at train stations?)
  • Netflix DVD-by-mail is for people who watch lots of movies and check snail mail daily.
  • Amazon Instant Video is for people who live online, yet are willing to give up control over their computers.
  • The iTunes Store mostly works for my current set of devices, but all the movies I want to watch are either too new or too obscure for them to have rentals available.

Maybe I should sign up for Netflix but use other means to actually watch movies. At least then Hollywood will have enough money to make good films buy politicians, print and distribute billions of optical discs, prevent paying customers from exercising their fair use rights, and sue my neighbors.

Posted in Broken | 1 Comment

I dream of Alpha
February 5th, 2012

This museum’s rooms are empty, waiting to be filled with answers to visitors’ questions.

In my search for nutrition, have I overlooked some fruit that I might find convenient and delicious? I start by trying to find out what’s popular throughout the world.

What fruits are liked by the most people?
Human thoughts are not my forte.
What fruits are eaten the most?

I get an answer, but not in the chart form I expected. A row of fruit appears on the floor. The larger ones are shown both whole and sliced.

Does the five-second rule apply to food that suddenly appeared on the floor, or only to food that has been dropped? Am I looking at holograms?

A bigger problem is that the list is dominated by small fruits like berries. I don’t like berries.

What fruits are eaten the most, by weight?
Insufficient data.

I probe, using simpler questions, to figure out what it knows.

What’s the weight of an apple?
180 grams.
What’s the total weight of apples eaten in a year?
Insufficient data.

I guess I have to be explicit if I want it to combine its weight and consumption data.

For each fruit for which you have sufficient data, chart the number eaten in a year, the average weight, and the product of the two.

I don’t get an answer right away. Is it just taking a while? Did I mangle the question, causing it to make a chart that is invisible because it has no entries? Did I confuse it with the phrase “the product of the two”?

Two women are debating the merits of bananas. In this place, they aren’t limited to speculation.

Can you chart fruit by potassium per Calorie? Vitamin B6 per dollar?

It helpfully highlights the “banana” row in each chart. They explore the supply side as well.

Show me maps of where bananas are grown. Can you add a yearly animation with harvests shown as glowing dots? Draw a chart with axes for temperature and latitude, colored to show how well bananas grow in each condition.

I start thinking of my own questions, but I don’t expect it to be able to answer them.

How do most people open bananas? How many bananas are used in recipes rather than eaten directly? How many bananas are used as sex toys?

Oops, did I ask that out loud? It doesn’t even acknowledge my question, but one of the women retorts with a question of her own.

What percent of the time are men thinking about sex?
Human thoughts are not my forte.

When I wake up, it’s still dark outside.

Today, the closest thing to the museum of my dream is a website called WolframAlpha. It can chart many things. But it requires us to phrase questions carefully, and sometimes it simply misinterprets queries.

As for fruit? WolframAlpha has consumption data for some fruit. But some fruit is missing, and some fruit confuses it.

I start writing this post while eating the last two apples from my fridge. I go back to bed, hoping for additional pleasant dreams.

Posted in Uncategorized | Comments Off on I dream of Alpha

Lessons from JS engine bugs
September 1st, 2011

Last week, I asked Luke Wagner to explain some security bugs that he fixed in the past. I hoped to learn from each bug at multiple levels, in ways that could help prevent future security bugs from arising and persisting.

Luke is one of the developers working on Firefox's JavaScript engine, which is currently our largest source of critical security bugs.

Method

I imagined we would recurse in exhaustive breadth and exhausting depth. Instead, we recursed only on the most interesting items, and refined a checklist of starting points:

  • What was the bug?
  • What went wrong in the developer's thinking that caused the bug to be introduced?
  • What made the bug exploitable?
  • What caused us to use especially dangerous features of C++?
  • Could a new abstraction make it possible to do this both fast and safe?
  • What caused the bug to persist?
  • Could we have caught this earlier with improved regression tests, fuzz testing, dynamic analysis, or static analysis?

Luke and I made trees for all ten bugs, at first on paper and later using EtherPad. Then I extracted and categorized what I thought were the most useful lessons and recommendations.

Recommendations for introducing fewer bugs

Casts

  • Create centralized, type-restricted cast functions. This protects you when you change the representation of one of the types. It also protects against mistakes that cause the input type to be incorrect.

Sentinel values

  • Use tagged unions instead.
  • Use a typed wrapper (a struct containing a single value). When assigning from the underlying numeric type, convert using one of two functions: one that checks for special values, and one that explicitly does not.
  • Audit existing code paths to ensure they cannot generate the special value.

Clarity of invariants

  • Increase use of methods named AssertInvariants
  • Create an alias for JS_ASSERTION called JS_INVARIANT.

Interacting with other developers

  • If you're about to do something gross because someone else doesn't expose the right API/helper, maybe you should get it exposed.

JS Engine specific

  • Any patch that touches rooting should be reviewed by Igor.
  • Interpreter could have better abstraction and encapsulation for its stack.

Recommendations for catching bugs earlier

Static analysis

  • Find all casts (C-style casts, the reinterpret_cast keyword, and casts through unions) for a given type. Could be used to enforce centralization or to find things that should be centralized.
  • Be suspicious of a function with multiple return statements, all of which return the same primitive value.
  • Be suspicious of a function returning true/success in an OOM path.

Dynamic analysis

  • Ask Valgrind developers what they think of providing (in valgrind.h) a way to tie the addressability of "stacklike memory" to a variable that represents the end of the stack.

Fuzzing

  • We should fuzz worker threads somehow.
  • In browser (slow and messy, but it's what users are running).
  • In thread-safe shell (--enable-threadsafe?), which has "toy workers".
  • We should fuzz compartments better.
  • I should ask Blake and Andreas for help with testing compartments and wrappers.
  • I should ask Gary to run jsfunfuzz in xpcshell, where I can test both same-origin and different-origin compartments, and thus get more interesting wrappers.
  • We should give JS OOM fuzzing another shot.

Next steps

I'm curious if others have additional ideas for what could have prevented the ten bugs we looked at. For example, someone like Jeff Walden, who loves to write exhaustive regression tests, might have ideas that Luke and I did not consider.

I'd also like to do this kind of analysis with other developers on bugs they have fixed.

Posted in JavaScript, Mozilla, Security | 1 Comment
