  2. 12

    I tolerate Safari because it’s fast and has good OS integration, but even to the casual observer it’s clearly littered with race conditions.

    Type in a URL, hit enter, open new tab, Safari opens the URL in the new tab. Type in a URL, hit enter, Safari gets stuck and doesn’t load the link. Type a different URL, hit enter, Safari loads the old URL.

    I’m not even sure how it’s possible to screw up event ordering that badly. It suggests to me that they have some really horrendous architecture that almost certainly has tons of UAFs and timing-sensitive bugs.

      1. 13

        Well, Ted, that’d be because that one didn’t sound alarmist, whereas this one does. Clearly you know nothing of attracting the discerning reader.

        1. 5

          So noted for next time.

          Substantively:

          a) it’s disappointing to see that coverage guided fuzzing wasn’t very useful, given how productive a technique it’s been on other targets (honestly, watching a coverage guided fuzzer is the closest thing I’ve seen to magic)

          b) I’d be curious if the results change with another 10x runs

          1. 7

            So noted for next time.

            I think this was obvious, but your original title was perfect; my riposte was barely disguised annoyance at the clickbait titling of this version. Please don’t change.

            a) it’s disappointing to see that coverage guided fuzzing wasn’t very useful, given how productive a technique it’s been on other targets (honestly, watching a coverage guided fuzzer is the closest thing I’ve seen to magic)

            I was also surprised about that, and mulling it over my morning coffee. Here’s my mostly uninformed best guess:

            Right now, Blink, WebKit, Gecko, and (I assume) Trident all have incredibly extensive unit tests. It seems plausible to me that the guided fuzzing was amounting to little more than extra unit tests, falling into the old trap of “if you write the code and the tests, then you’ll code to the tests”. In that scenario, it’d precisely be the unguided fuzzing where I’d expect issues to be found, since it’s there that pre- and post-conditions are likely to be broken in unexpected ways.

            That said, I have extremely limited experience with guided fuzzing, and I have never actually written any code myself for any of the rendering engines, so I may be misinformed on one or both points.

            1. 4

              I was being facetious :-)

              My guess as to the problem is that browser engines are kind of like interpreters - there’s a lot of “shared branches”, which makes the coverage metrics misleading, you hit very high line coverage very quickly, but not “conceptual” coverage.

              1. 1

                It is a really relevant observation. Thanks a lot for sharing.

        2. 3

          Apologies, I hadn’t seen that posted. I was wondering whether to link directly to the project, but I thought the synopsis might be more interesting to scan.

          1. 2

            I personally prefer original links, but as much as I’d like to think that Lobsters’s readership is more discerning than most, clickbaity titles (unfortunate) and synopses (understandable) tend to get more attention.

        3. 2

          Much like https://lobste.rs/s/5wdg6t/google_project_zero_great_dom_fuzz_off, but with a nice coat of FUD on top.

          Meta: Can we get a downvote as FUD option?
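
The “shared branches” point above (an interpreter-style dispatch loop lets a fuzzer reach nearly every control-flow edge almost immediately, while the interesting *states* stay unexplored) can be made concrete with a toy. The block below is an added example written for this page; it is not code from the thread, from the DOM fuzzers it discusses, or from any browser engine. It builds a constructed eight-opcode stack machine, feeds it random programs, and tracks two things per run: the control-flow edges taken (what afl-style instrumentation counts) and the (opcode, stack depth) pairs reached (a stand-in for the “conceptual” coverage the comment mentions). The opcode set, the depth bucketing, and the `campaign`/`first_index_reaching` helpers are all my own choices for the illustration.

```python
"""Toy illustration: edge coverage saturates on interpreter-like code long
before state coverage does.  Constructed example, not code from the thread
or from any real engine."""
import random

# A deliberately tiny stack machine: eight opcodes dispatched from one loop.
OPS = ("PUSH", "POP", "DUP", "SWAP", "ADD", "SUB", "JZ", "JMP")
# Minimum stack depth each opcode needs; anything less is an "underflow" branch.
NEEDS = {"PUSH": 0, "JMP": 0, "POP": 1, "DUP": 1, "JZ": 1, "SWAP": 2, "ADD": 2, "SUB": 2}
MAX_DEPTH_BUCKET = 8  # depths above this are lumped together

# Every control-flow edge the loop and handlers can take: dispatch->handler,
# handler->ok, handler->underflow (guarded ops only) and the JZ taken branch.
ALL_EDGES = {("dispatch", op) for op in OPS}
ALL_EDGES |= {(op, "ok") for op in OPS}
ALL_EDGES |= {(op, "underflow") for op in OPS if NEEDS[op] > 0}
ALL_EDGES.add(("JZ", "taken"))


def run(program, max_steps=64):
    """Execute `program`, a list of (opcode, arg) tuples.

    Returns (edges, states): the set of control-flow edges taken and the set
    of (opcode, stack-depth) pairs observed at each dispatch."""
    stack, edges, states = [], set(), set()
    pc = steps = 0
    while 0 <= pc < len(program) and steps < max_steps:
        op, arg = program[pc]
        steps += 1
        pc += 1
        edges.add(("dispatch", op))
        states.add((op, min(len(stack), MAX_DEPTH_BUCKET)))
        outcome = "ok"
        if len(stack) < NEEDS[op]:
            outcome = "underflow"          # guard branch inside the handler
        elif op == "PUSH":
            stack.append(arg)
        elif op == "POP":
            stack.pop()
        elif op == "DUP":
            stack.append(stack[-1])
        elif op == "SWAP":
            stack[-1], stack[-2] = stack[-2], stack[-1]
        elif op == "ADD":
            b, a = stack.pop(), stack.pop()
            stack.append(a + b)
        elif op == "SUB":
            b, a = stack.pop(), stack.pop()
            stack.append(a - b)
        elif op == "JZ":
            if stack.pop() == 0:
                outcome = "taken"
                pc = arg
        elif op == "JMP":
            pc = arg
        edges.add((op, outcome))           # handler -> its exit branch
    return edges, states


def random_program(rng, length=12):
    """Constructed fuzz input: a random program whose jump targets stay in range."""
    prog = []
    for _ in range(length):
        op = rng.choice(OPS)
        arg = rng.randrange(4) if op == "PUSH" else rng.randrange(length)
        prog.append((op, arg))
    return prog


def campaign(n_inputs, seed=0):
    """Feed n random programs to the interpreter and return, per input, the
    cumulative (edges_covered, states_covered) counts."""
    rng = random.Random(seed)
    seen_edges, seen_states, history = set(), set(), []
    for _ in range(n_inputs):
        e, s = run(random_program(rng))
        seen_edges |= e
        seen_states |= s
        history.append((len(seen_edges), len(seen_states)))
    return history


def first_index_reaching(history, column, value):
    """Index of the first input at which history[i][column] >= value, or None."""
    for i, row in enumerate(history):
        if row[column] >= value:
            return i
    return None


if __name__ == "__main__":
    hist = campaign(500, seed=1)
    full = first_index_reaching(hist, 0, len(ALL_EDGES))
    if full is None:
        print("edge coverage never saturated")
    else:
        print(f"all {len(ALL_EDGES)} edges covered after input #{full}; "
              f"states then: {hist[full][1]}, states after 500 inputs: {hist[-1][1]}")
```

Run it and the first column (edges) hits its ceiling within a few dozen inputs and never moves again, which is exactly the signal that tells a coverage-guided fuzzer “nothing new here” and stops it from keeping those inputs; the second column (states) keeps climbing for hundreds more inputs, because deep stacks and unusual opcode/depth combinations only appear when jumps happen to form loops. The same shape, scaled up, is why a DOM engine can report near-complete line coverage while the bug-bearing object states remain untouched.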