Planet Mozilla Interns

Today TechCrunch reported on a paper describing a way to use Facebook for malicious means.  The paper describes a DDoS attack that can be done, leveraging the large number of users of an application to attack a victim site.

While this attack vector is legitimate, I see a number of things that make it inherently infeasibly, and don’t think it really warrants being called a “FaceBot” (implying similar power to a botnet).

In order to create an application, one obviously needs to create a Facebook account, though that can be done anonymously.  The real issue is that in order to execute such an attack, one would need to make an application that is incredibly popular.  The attacker would need to devote a large number of resources to keeping such a popular app up, which would all need to be done anonymously (though would need to be paid for in one way or another).

Let’s say an attacker has gone through all of this to make a popular application: why doesn’t he/she just use those resources for a direct attack?  One possibly answer is that the Facebook DDoS would be hard to shut down, or better in some other way in executing the attack.  This is false because as soon as someone realizes that their traffic is coming from Facebook (whether by referrers, or FB trying to pull images for its cache, or some other mechanism), it can in most instances be stopped immediately, especially considering how most Facebook calls to other sites include the application’s API keys.  Even barring that, IP addresses and Facebook’s logging can be used to determine what application a user was in when they requested the victim’s site.

Additionally, DDoSs using this attack vector are relatively easy to mitigate.  If a hacker already has all of these resources dedicated to keeping an application up, why wouldn’t they just launch a TCP SYN flood or similar lower-level attack, much more potent DoSs, even if launched from a more limited IP range.

Let’s take a different route: suppose a hacker attacks one of Slide’s applications and somehow manages to break in and add an attack iframe.  This is a completely legitimate and anonymous way of attacking a site (though it begs the question of why the hacker didn’t just break into the target site in the first place, assuming both have similar levels of security).  While this is a legitimate issue, the same holds true for all websites.  Should someone hack into Yahoo! and figure out how to deploy a new home page (somewhere between almost-impossible and no-freaking-way on the difficulty scale), almost any site on the internet could easily be taken down.  I certainly hope top app developers take security as seriously as top website owners, but this is nothing special for Facebook.

On the topic of information theft, this is why Facebook requires you to explicitly permit an application to access your information.  The concept of an API implies this potential for theft…users are trusting applications to access their information and not keep it.  There is no way to prevent this for the same reason DRM doesn’t work: if people can view things they can store things.  While this is a legitimate concern, again it is nothing new, and not much can be done about it short of user education.

September 06, 2008 02:09 AM

My friend Dan Schultz is currently taking a course called “Science of The Web”. For one of his assignments (see problem 2), he needs as much help as he can get. Here’s where you come in. It’s quick and easy:

1) Go to http://boom.aladdin.cs.cmu.edu/cgi-bin/ipaddy (the server might encounter an error, just refresh and it should work)
2) Enter ‘dschultz’
3) Get as many other people as possible to do the same

September 03, 2008 03:32 PM

Actually I like Google products over a lot of others. But there’s something out there makes me not a big fan of it. Eventually I cannot endure it anymore and decide to write something. I think Google, being considered as one of the leading software companies in the world, has the responsibility to make their product user experience not suck, not only in terms of usability, but of aesthetics.

If everybody is using Gmail, Google Calendar and Google Doc, we begin to lose our control over our choices of web applications, just as we have to use Windows OS. So welcome to a software modernism age. Welcome Google’s fast-food web apps. Keep Google Bauhaus design doctrine in mind: “Our Web Apps are so simple, secure and fast, that’s all you need for your Internet.”

Is simple, secure and fast all we want? If design is about the value,not the truth, where can we target our values in this fast-food software culture? When can a piece of software become a form of art, bringing people altimate enjoyment?When can a web Apps functions beyond a tool, behave like a digital being or digital asistant that help us in an interesting and considerate way? Can softare have personalities, catering to their master(user)’s ever-changing needs and interests? Google basically ignores all of those possibilities and proves itself proudly: A group of engineers, make softwares, work hard to make every engineer happy, and change every Internet user to a engineer.

September 02, 2008 09:53 PM

Recently my school(CMU)announces a new program: Master of Tangible Interaction Design. It’s a one-year master program, no GRE requirements, no need to have any design backgrounds, no Thesis project or thesis paper, no CHI submissions, and under the school of architecture. I regrect that I chose my current program -Interaction Design(well-known for its user-centered design theory and practice), for which I had to do everything the other program doesn’t need, for which I dropped Yale, and declined RCA and CMU HCI’s offer. It really hurts, we spent so much money and energy to define the word of “interaction design”, we worked so hard to distinguish interaction design/user experience design with other subjects, and a new name-misleading program simply ruin it all.

August 29, 2008 06:15 PM

When I first wrote the new storage module for the Password Manager, I took a few “shortcuts,” trying to keep my code DRY. Partially this was because of the first patch by Mrinal Kant, but mostly it was because I like to reuse code. This bit us just a bit.

I mentioned in my first post about this change that we were initially considerably slower in the critical countLogins method. While it got improved before being checked in, it was still marginally slower (milliseconds on an abnormally large dataset).

As I said before, this was most likely since we were doing a SELECT * on the moz_logins table, and looping over the results and counting. This allowed me to reuse more code. Loops are a kind of slow, and since this was so important, I decided to speed it up.

I filed a bug just over a week ago entitled “storage-mozStorage should use COUNT in countLogins” – which pretty much explains what the solution to the above problem. I created a patch which essentially just switched the mosStorage module to use SELECT COUNT(1). I reran the performance tests I created and we’re doing much better now. There’s still a miniscule loss in speed from the legacy storage module, but at this point, we’ve done all that we can, and where the difference was milliseconds, its closer to millisecond.

This was checked in today (thanks Justin!).

And that’s it. I have another patch in the pipeline and hopefully I’ll have time to get it finished, approved, and reviewed for the freeze (whenever that is now).

August 29, 2008 01:01 AM

I have been using iPhone for three weeks now. Here’s a normal iPhone user daily schedule.

• 7:00 AM: iPhone Alarm wakes me up
• 7:01 AM: Check facebook, twitter, mySpace, Blog, School email, Gmail, company email, open MC chats, log into msn and AIM, Gmail, skype(wifi), IRC(wifi).Quickly check TODO.
• 7:05 AM: Fully wake up. Hold iPhone and run to the bathroom. Listen to Stitcher’s new radios. Cook breakfast, check iPhone for nutrition info.
• 7:30 AM: Bring my iPhone(and my iPhone charger!), walk to the bus stop, read Newsstand RSS feeds, check Stanza, Jamed, NetNewsWire, and Shovel, digg news and comment on other people’s blogs.
• 8:00 AM: On the bus stop, search iWant for local bus schedule.
• 8:30 AM: Class begin. Use Note&Sketch to take notes, use FileMagnet to view course outline.
• 8:35 AM: Bored. Check iGotchi and feed my pet.
• 9:00 AM: Teacher forgot my name. Use Shout it, display “Wei Zhou” and wave to him.
• 9:30 AM: Use Camera to take a picture of my teacher, publish through ShoZu, send it to facebook, flickr, MySpace, WordPress and Picasa.
• 10:30 AM: Class ends, update my Diary. Play Tris, Tap Tap.
• 11:30 AM: Run for another class, focus on teaching, Camera bad students sleep in class.
• 12:00 AM. Break. Use VoiceNotes to record student’s requirements.
• 1:30 PM: Starving. Check Urbanspoon for food.Drive up there using maps.Turn on Pathtracker because I’m directionally challenged. Using where to find Starbucks.
• 2:30 PM: Graffitio notify me another CMU friend in Starbucks is using iPhone as well.Exchange cellphone number with him.Textmessage another friend to join us. Send him our location using Over Here. Share Loopt with them.
• 3:00 PM:Another class. Bored. Use Lifecast to record class discussion.
• 5:50 PM: End class. Repeat 1:30 PM.
• 6:30 PM: Another class. Explore new Apps on App Store.
• 8:30 PM: School ends. Walk back home. Study english using Blanks. Update TODO. Repeat 7:01 AM.
• 9:30 PM: Homework time, use SnatchTest as a mouse for my Macpro.Use controller for my iTV and iPod player.
• 10:30 PM: Play Ambient to get to sleep.

P.S.: Repeat 7:01 AM many times during the day.

What else do I need?

• Support remote printing.
• Every time I jump from one App to another App, the previous one stops working, I have to reopen it afterwards. That really stops my work-flow. I wish it works like Tabs in a browser(Or even better). In summery, the navigation is bad.
• Constantly pressing the main home button is annoying. Especially when I lay on the bed, holding the iPhone with one hand, I don’t want to move another hand. Can I just do everything use one hand?
• I wish I could track my iPhone using history.
• Searching is painful. iPhone should have an universal Google search button on the device.
• Typing is painful. I need a auto-type App.
• How can I copy and paste info from one App to another???!!!
• I need a Firefox browser App

How to design a Multi-touch interaction framework from ground up? IPhone just scratched the surface of a smart phone design - for me iPhone is a device that combines a bunch of unrelated separate gadgets together. It’s getting there, but hardly to be considered as “Smart”. Multi-touch gesture standards will be set up within next 5 years. What we need is no longer a “smart phone“, but a smart browser that embedded in a mobile device, In this way we would be able to use a series of small Apps in a meaningful combination, adjusting to people’s ever-changing task flow and context, without interrupting people’s thinking model over time(also see Ubiquity). That makes a digital device really become part of our body, like our hands and feet.

Yes. Building a variety of cool Apps is important, but not as important as arranging them in a useful way(Outsourcing part of human thinking to machines?). That applies to Small screen browser design, as well as browser for OS. Human beings are task-oriented, not tool-oriented.  Guess that’s the difference between a human and a computer.

As a designer we usually need to answer three questions:”What”, “Why”, and “How”. Here I delve into what and why, not much how. I found Aza’s blog particularly interesting -  Ambient information. Because it also talked about how. We need more “Hows”.

August 27, 2008 06:36 PM

Firefox has a JIT for JavaScript now. Whoa. Before I continue on, here are links to the blogs of other Mozilla people close to the TraceMonkey team:

• Brendan Eich - TraceMonkey: JavaScript Lightspeed
• Mike Shaver - Building a Faster Monkey
• Andreas Gal - Tracing the Web
• Mike Schreopfer - What can you do when your browser is 7 times faster?

So, I started at Mozilla by working on Tamarin-Tracing. Tracing is Andreas Gal’s fancy new idea for run-time guided JIT optimization, a powerful new concept that poses huge benefits over whole method compilation. I talked about this before, perhaps erroneously, but the concepts are there.

The old style of compilation is to perform static analysis on entire methods at a time, compiling them to assembly when necessary. Without running the program, you decide how to compile loops and nested loops efficiently, perhaps even trying to decide if they’re expensive or not. Methods may or may not be inlined, but they are still the fundamental building block of most compilers.

The concept of methods quickly disappears in a tracing compiler. Everything is inlined as the tracer only compiles exactly what low level operations it sees being performed (and any sort of control flow is essentially a no-op). A tracing JIT essentially turns an expensive loop into its own isolated method call, optimized for its run-time properties, regardless of where it is or what the loop has to call into.

Andreas’s original paper on tracing was targeted toward mobile performance, where whole-method compilation and static analysis are too expensive. For dynamic languages one instruction can have many decision paths at run-time. Whole method JITing is a real problem because the code required for each opcode becomes very large, and static analysis is either unfruitful (because of dynamic types) or just too expensive. This is especially problematic for JavaScript where browser performance is critical, and time spent analyzing code is time wasted.

Thus it’s no surprise that Adobe decided to try tracing in the next generation of their Tamarin project. Adobe’s approach to tracing ActionScript is to create very primitive building blocks and trace those at the lowest level. It does this by converting ActionScript bytecode to a Forth dialect, and tracing the primitive Forth operations.

Mozilla’s JavaScript engine (”SpiderMonkey”) is very different. It has a decade worth of optimization hacks and very “fat” opcodes (instructions that have a lot of internal decisions, rather than performing one single operation). Although there were originally plans for Mozilla to switch to Tamarin, throwing out SpiderMonkey had a lot of hurdles, and the TraceMonkey project was started instead.

Luckily Adobe had very nicely separated the tracing backend from their interpreter. Tamarin-Tracing has a “nanojit” component with a simple IR. Interpreters are responsible for emitting the IR, and nanojit can compile straight-line IR blocks into native code. It can also link compiled code fragments together for attaching branches and building trees of traces.

Using Adobe’s nanojit, Andreas decided to take a top-down approach to tracing SpiderMonkey. The edge of every loop is monitored. If a loop is executed enough times, the tracer is activated. Every opcode is hooked and critical decision points are emitted as nanojit IR where possible. When the control flow reaches the loop edge again, the IR is compiled and the loop will run as native code thereafter.

There are some fascinating aspects to Andreas’s work. Type speculation and specialization, the native stack versus the script stack, tree specialization, his handling of global variables — are all intricate and critical to the rapid progress and success he’s made on TraceMonkey. And he (and Mike Shaver and Brendan Eich) did it all in 60 days, which is amazing.

What’s my role in all this? My summer intern project was porting the code generator and tracer to AMD64, which has landed and seems to work in the shell. I’ve also been debugging anything that goes wrong on the 32-bit port. Working with nanojit was a lot of fun - Adobe did a great job making it usable by other projects, and it’s definitely something that could become a generic library for dynamic languages to use for tracing.

The big news today is that TraceMonkey has landed in mozilla-central and will probably be turned on by default for Firefox 3.1 beta 1. Although it was open source and downloadable during development, it is now being officially announced and publicized, and can be used in the official nightly builds. The speed difference is noticeable in sites doing intense JavaScript processing. And though the SunSpider benchmarks can be considered superficial, it’s great to see the improvements we’re getting on them versus the old SpiderMonkey.

This is just the beginning. A lot more is planned for TraceMonkey and for tracing in general. Code that used to be considered too crazy for JavaScript, like graphics and crypto loops, is becoming plausible. We’re already noticing smoother play quality in some 3D JavaScript games on the web (using Canvas) and in other heavy applications. In Mike Shaver’s words, this could change the way people use JavaScript.

In terms of portability, nanojit still needs a bit of work, but it’s been hammered into shape for AMD64 for the time being. It can use the extra eight registers available with REX prefixes, and it will perform 32-bit integer math versus 64-bit pointer math correctly (given using the correct LIR instructions for safety). I also took the liberty of prettying up the macros used for code generation. Some of the work remaining that I’d like to do in terms of the overall x32/x64 assembly process:

• Taking more advantage of addressing modes — we can reduce register pressure by combining redundant store/load ALU operations.
• Improving SSE2 logic which currently uses LAHF/PUSHF.
• Improving calling conventions for SSE2 and reducing register spilling.
• Inheriting type information from child instructions, to remove the need for separately typed IR instructions (i.e. no need for add versus fadd versus qadd).
• Enabling 64-bit jitting in the browser (too unstable right now so it’s only on in the shell).

I should thank Edwin Smith at Adobe for putting up with my intense nanojit nagging; Mozilla for giving me the opportunity to work on this project as an intern; and Andreas Gal for coaching me through the tracing concepts every time I got them wrong.

For people who follow this blog from the SourceMod project, will SourcePawn get tracing? It’s something I’m experimenting with and will talk more about later. There are some hurdles to JITing Pawn in that very careful escape analysis is needed to make any of the nice optimizations.

August 22, 2008 08:00 PM

The other day my patch landed switching the Password Manager to use mozStorage (our wrapper around SQLite). The bug had been up on Bugzilla for a long time, over 3 years, when I came across it at the end of June. I had been doing some Password Manager related work already by that point, so I decided I would do it. This is the story of that bug: the process, the hardships, the code (at least a bit). Keep in mind I was also doing work on my DTrace Treemaps at the time, went to Summit, and encountered more edge cases than I wanted, so this took longer than expected.

Quick Features & Change Summary

Some of this is discussed further down, so bear with me. One of the primary differences in the switch to using mozStorage is that we now store data in a database. Previously we were storing data in a text file, using lines and periods to separate data fields. Open signons3.txt in your profile directory and take a look at it (assuming you’ve saved a password before). All information was kept in memory, and when a new password was saved, the whole file would need to be rewritten. The same thing happened if you ever removed a saved password. Using a database means that we don’t have to keep any (potentially) sensitive information in memory. It also means faster reading and writing since we don’t have to read the whole file every time. These speed boosts are apparent especially in the speed tests, attached to the bug and summarized below.

Since this is really just a drop in change that must implement an API, to the outside world nothing has changed. Although the inner workings are different, it’s the same to anybody who happens to use it (extensions or other parts of Firefox).

v0.1 – The beginning

I began work by really taking a look at the legacy storage module to make sure I knew what was supposed to be happening. Then I looked at the initial attempts by other developers. The first attempts were made before Password Manager got rewritten, so those weren’t relevant. Mrinal Kant came in (over 2 years after the first patches) and wrote what I used as the basis for my code. I don’t think I ran it as it was, but it looked functional, at least at the core.

I actually started by just copying the legacy storage file, removing all of the code from methods that would need to be changed, and started fresh. I copied in some code from Mrinal’s work and used some of the conventions, but the bulk of it was rewritten. I opted to use the wrapper we have for Storage, which makes it easy to do parameter replacement. This also automatically binds the parameters to a type – so when you give it a string, it will ensure it’s treated as a string. It’s very handy.

This first version “worked” (at least as far as I remember), though it definitely had problems. I brought it up at our weekly status meeting and it became one of the “nice to have” features for 3.1. That gave it some attention it needed and I got some quick feedback from Shawn and Justin.

v0.2 – Database details

One of the primary changes here was some of the database stuff. Shawn had pointed out that I needed a way to version the database. All I had was a method to create the tables. In order to future-proof this, I needed to make sure the schema was stored somewhere and there was a procedure for migrating the database.

I took a look at nsContentPrefService (which stores your preferences for specific sites, like remembering zoom settings) since that was another component using storage and written in JavaScript. I “hijacked” the code related to the database stuff, and modified it a bit to fit my needs.

The other major change here was to replace var with let – “let is the new var” as my shirt says. A number of other changes were also made – cleaning up queries, hard-coding the table names, and making sure I was using statements correctly.

v0.3, v0.4 – Cleanup & Optimization

These versions were pretty light – mostly involving cleanup. modifyLogin and the process involved got improved. I also reduced the number of queries we were making by hand and so all SELECTs were done from just 2 places (one for each table).

v0.5 – Importing

v0.5 focused on importing from the legacy module. The basics were in the original code Mrinal wrote, but all of the edge cases were difficult to handle. The one case that caused a lot of problems were the “user has a master password, but presses cancel when we import”. We needed to handle that gracefully, and Justin and I decided the best way was to introduce a _deferredInit method, which did the bulk of the initialization work. At the beginning of each public method, we then check the initialization state and try to import again. It can get annoying, but everything about the master password is annoying.

This also resulted in a couple bugs being spun off to help us with importing: one bug was just a few lines added to the legacy module and the password manager UI to handle an additional error, and the other was just to ensure the legacy module didn’t create an empty file if it was never used.

v0.6 – Tests

I finally got to writing the tests, which involved a lot of copy & paste from the legacy tests, then making small modifications. It’s not the most efficient way, but it works ok. Since the mozStorage module works slightly differently, the code duplication is a necessity for now. In theory they can be cleaned up, but that’ll be a task for the next intern :)

At this point I thought I was pretty much done, and I was. There were still a few problems though, and also not quite enough test coverage.

v0.7, v0.8 – Cleanup, Tests, Corrupt Databases

v0.7 involved a lot of cleanup and adding tests. v0.8 was an important milestone in that I finally added the handling of a corrupt database. Before this point, if we encountered a corrupt database, we would fail and then as with a failed import, just try again and again. This was bad, really bad. So a “thank you” to Shawn for catching that. Now we backup the corrupt database and just create a new one. It should be difficult to get a corrupt database, but just in case (and to cover the case when people think they know what they’re doing, but don’t).

v0.9, v1.0 – Performance

In one of the recent status meetings, Mike Shaver asked me about performance. At that point I hadn’t really done much except throw it up on the try server. The try server gives decent ball park figures, but it’s not perfect. So Justin worked on getting Standalone Talos working while I wrote some XPC shell “tests”. I discovered that while we were generally faster – faster init, faster add, faster remove – we were considerably slower for countLogin, which is a critical path, since it gets called on every page. Over 90% of the that time was actually spent initializing nsLoginInfo objects (since I tried to reuse code). This got improved, though we are still a couple milliseconds slower. This could likely be improved a little bit since we are still doing a SELECT and looping over the results. A little bit more work needs to be done that way, so making the query use COUNT would cut that out. Maybe I’ll write another patch to do that before Beta 1. For now though, we’ll keep doing it how we’re doing it.

And that’s all… almost

After this got checked in, the Windows boxes turned orange on Tinderbox. This was because of the tests (trying to delete files). Justin and I thought we had a quick fix, committed that. As I was packing to come home, I got pinged on IRC since the boxes were still orange and it was my fault. So the tests for my changeset got backed out and we switched back to the legacy module, but the code was still in there.

On Sunday, my module was re-enabled (thanks Justin!). There was another hiccup related to packages-static, but that was fixed as well. If you have any problems please report them on Bugzilla.

August 19, 2008 03:55 AM

The night before heading to Whistler for Summit (it was awesome!), I started messing around in Illustrator. I came up with a little idea that I liked and decided to take it a step further, so I opened Photoshop and got to work. It progressed fairly well, so I started working on the HTML the next day. By the end of the plane ride to Vancouver I had a single page mostly done, with all the images and everything.

I was busy the next few weeks, so put it aside. When I flew home yesterday, I decided to actually make it work. So here it is. There are probably a few things I’ll tweak when I see them, but I hope to keep this for a while.

I also decided to actually write my own comment system. I was pretty unhappy with Disqus. Disqus has potential, but it required more work than it took for me to write my own. I have a basic “human test” to prevent against spam. We’ll see how well it works. If you commented here previously, I’ve taken the liberty to copy your comment into the new system, adding a link to your website if I knew it.

I’ve wrapped up my summer with Mozilla, so I’ll have more content about what I did coming shortly.

August 18, 2008 02:46 AM

Since I’m only a few days away from the end of my internship, I can’t really start any large projects so I went looking for little projects I can get done. This one originated from my dislike of pushing patches from bugzilla. My steps so far have been to go to the bug, find the attachment, download it, import it into my mozilla-central patch queue and then qpush, qrm and push. Well that’s a small hassle. So today I decided to write a small python script to help me out (I would have made it an hg extension but I can’t build hg on my system due to compiler issues with python’s extension API). So here’s my script.

Usage is pretty simple:
qimportbz.py 418454
This will fetch bugzilla’s xml output for bug 418454, look for patches that are not obsolete, and let you pick which ones to import. It conveniently displays the patch description and any review flags. If there’s only one, it’ll pick it automatically. It then takes the patch and feeds it into hg qimport, automatically generating a patch name from the bug and attachment name.

I plan to extend this further to automatically generate a commit message and user (preserving any already in the patch), display more flags (like approval) and automatically upgrade to newer versions of the patch posted in the bug.

August 16, 2008 12:24 AM

When we left off, there was a check error happening across all Linux slaves and a reftest failure on the Win32 ones.

Update #1: A bug (450637) has been filed on that win32 failure, and also I brought the physical boxes back from sleep to be up on the new 1.9 master alongside their VM counterparts. We should know in the next hour or so if the reftest failure is consistent on all of them.

Update #2: The check error on Linux was due to the placement of a simple .sqlite file bug-365166.sqlite to be specific. This file was in /tmp and not in the slave build dir and thus, escaped during chown. Being owned by buildbot instead of cltbld was the cause of the access denied errors. Huge thanks to Cesar and Sdwilsh for looking at that test with me and for catching this anomaly. I've filed a bug (450665)to remove the offending placement so that this doesn't happen again in the future. Files shouldn't be getting created outside of the build dir, creates a whole mess of problems.

Speaking of mess:


Ew. That's all I can say. I've been watching this waterfall obsessively (more than usual) as it has displayed a bruised variety of colours, mostly *Not* green.

In other news, something I noticed while upgrading the windows slaves:


Really? I didn't know that people _chose_ IE. I thought it just came with the OS. I wish they would choose their words more carefully.

Back to the unittest trenches.

August 15, 2008 12:29 AM

Yesterday, I pushed my patch to add glass support to chrome windows for Vista (see bug for some implementation discussion). For those who don’t use Vista on a physical machine (virtual machines don’t support glass): it is a fancy blurring effect rendered using the system’s graphics card. It is part of Vista’s Aero theme but requires some hardware support beyond Vista’s minimum requirements. The changes overall are mostly trivial, but they required lots of little edits over many files.

Example Glass Window

How to use it

Start by adding the CSS property -moz-appearance: -moz-win-glass; to your XUL window. For any areas that you want to be glass, be sure to make their backgrounds transparent. This includes the window itself. You can also set the opacity on elements to have them blend with the glass as transparent windows already do. Ok, you’re done.

Well, almost done. The glass effect is possible only when the user has desktop composition enabled, which requires a reasonably modern graphics card. Also, they can toggle it on or off at runtime as with native themes. Oh, and it only seems to work with the Windows Aero theme; Aero Basic users are left behind.

Rather than add some fallback code when glass is disabled, I left the issue to the theme designers. There’s a new system metric selector, windows-compositor, which detects if the glass effect is enabled. Now you can setup your CSS rules like this:

window:-moz-system-metric(windows-compositor) {
  background: transparent;
  -moz-appearance: -moz-win-glass;
}

to add glass to your window’s client area (and presumably other UI changes) when the user enables composition.

Here are some example rules for emulating the fallback used by Media Player and Explorer:

window[active="true"]:-moz-system-metric(windows-default-theme) {
  background-color: #b9d1ea;
}
window:not([active="true"]):-moz-system-metric(windows-default-theme) {
  background-color: #d7e4f2;
}
window:not(:-moz-system-metric(windows-default-theme)) {
  background-color: -moz-Dialog;
}
window:-moz-system-metric(windows-compositor) {
  background: transparent !important;
  -moz-appearance: -moz-win-glass;
}

Note: When bug 431666 lands, you’ll want to use windows-classic instead of windows-default-theme in your selectors.

Gotchas

The Desktop Window Manager (DWM) draws a border around the window’s client area, but our method of enabling glass disables that, so if you want to achieve the same look as Media Player or Explorer, you’ll have to do some fancy border work. I hope to fix this in the future so that it is automatically done in most cases.

Text on glass is hard. It’s sometimes hard to read which is why Windows provides the DrawThemeTextEx function which adds a glow behind the text; this is done by the DWM for the window title of unmaximized windows. DrawThemeTextEx takes characters, not glyphs so we can’t really integrate it into our text rendering code. CSS text-shadow can fake the glow, but it doesn’t work on the XUL widgets you’d want to use for your UI. So for now, don’t count on using text on glass.

Content (the xul browser element specifically) doesn’t render quite properly on glass. The underlying issue seems to be present in Firefox 3 (with transparent windows though) and will probably be fixed when the internal compositor for Gecko is completed. This unfortunately prevents Firefox from adopting IE7’s Vista UI.

Under the hood changes

Previously, windows were either transparent or not, so I added an enum nsTransparencyMode for the three options: opaque, transparent, and glass. Only windows supports the glass option; the other platforms fall back to opaque. A glass nsWindow calls DwmExtendFrameIntoClientArea to tell the DWM to render the entire window as glass. This has a performance impact for large windows since the entire window has the (already expensive) glass shader applied to it, even though we are probably going to be painting most of the window opaquely. I’m looking into ways to detect which areas of the window are glass and tell the DWM to only render those areas. This also solves the aforementioned border problem. We also have to render each window with an alpha channel, so there is a rendering performance hit.

Demos

I have two little demos to show off. The first (and its style sheet) was my testcase which shows opaque, semi transparent and transparent XUL on a glass window. The second uses an animating CSS transform on a green box with text on plain glass window. Since CSS transforms haven’t landed yet, you’ll need do a build yourself with the patch applied.

August 13, 2008 09:58 PM

August 13, 2008 08:27 PM

August 13, 2008 12:01 AM

August 11, 2008 05:54 PM

Yesterday was my last day at Mozilla Labs, bringing my summer internship to an end. As evidenced by all my posts recently, the summer has been one heck of a ride. I had a great time, and I owe it all to the awesome folks at Mozilla, and my fellow interns.

It’s funny how bonds formed in just 3 short months can be so difficult to part from. I would never have imagined that it would be so hard to say goodbye. I take comfort in the fact that I will be seeing many Mozillians again, and I know it’s never really goodbye in the Mozilla world - but there are those who I probably won’t be seeing ever again - and that makes me really sad.

I guess that’s life.

Anyway, I’m looking forward to better times ahead. I hope to continue working with the Labs - so I’ll still be around - just not in Mountain View

As for my immediate plans, after a long flight to Bangalore, I’ll be spending a week with family. Sometime during that week, I also have to pick up my VISA for The Netherlands, and then I’m off to Amsterdam for my Masters on the 21st.

August 09, 2008 06:07 PM

So seeing as how my summer is just about over, I had a bunch of things to wrap up.  One of them was canceling my Comcast subscription.  I called them and setup the cancellation.  A few days later I got a call from a representative “confirming” that I really wanted to cancel.  I said yes, I was moving out of their service area, and they told me that they would note that on the account.

Then I flew to Whistler, Canada for Firefox+ Summit 2008, where the calls are outrageous, so I didn’t answer my phone.  Here’s my call log from that trip (note that Whistler is the same timezone as Mountain View):

• Jul 31, 6:08 am - Comcast
• Jul 31, 1:23 pm - Comcast
• Aug 1, 10:45 am - Comcast
• Aug 1, 1:53 pm - Comcast
• Aug 2, 7:30 am - Comcast

Aug 4 I was back stateside so I could answer my phone.  Just like clockwork, at 7:21 am I got another call from Comcast.  This time I was a little more stern in my request to not be called again (though still polite, I can’t blame that particular phone rep for anything), and lo and behold, they actually stopped calling.

I’m going to assume the first rep forgot to mark my cancellation confirmed and ignore that, but what the hell is with this policy?  Not only do they call at ungodly hours (can’t they do timezone conversions there?), but they kept calling back every single day.  I told them I wanted to cancel, were they really that desperate to make sure I wanted to?

It’s been a pretty bad week for me and customer service…before I cancelled Comcast, I called XBox Live to cancel that.  I got a notice via email that my subscription (which I only took our for Eric to use this summer) was going to be automatically renewed, and to make sure that my payment info was up to date.  I searched through that site for a good 15 minutes…there is no mechanism or instruction on how to cancel your subscription.  I’m sure this was done for retention purposes, since a cancel option is usually pretty standard for a web interface, but I suppose it’s way too easy to allow people to cancel in less than 20 minutes.

So I hunted down a phone number and called them, got transfered around, and finally found someone who could cancel my account.  I had to guide the rep through the “customer retention” script, where he kept asking me if there was anybody I could transfer the account to or another XBox I could recover the account on, and I kept having to remind him that all of my friends had Live accounts, and I still owned an XBox.  They may as well have a machine play the script, they read each line regardless of context.  In fact. most big companies do that.

</rant>

August 08, 2008 10:42 PM

linux-2 | 67 | 07/25/2008 | 06:40 | *** 61506 ERROR TEST-UNEXPECTED-FAIL | /tests/toolkit/content/tests/widgets/test_tree.xul | Error thrown during test: uncaught exception: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDOMWindowUtils.sendMouseScrollEvent]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: http://localhost:8888/tests/SimpleTest/EventUtils.js :: synthesizeMouseScroll :: line 273"  data: no] - got 0, expected 1
linux-2 | 67 | 07/25/2008 | 06:40 | *** 62352 ERROR TEST-UNEXPECTED-FAIL | /tests/toolkit/content/tests/widgets/test_tree_hier.xul | Error thrown during test: uncaught exception: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDOMWindowUtils.sendMouseScrollEvent]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: http://localhost:8888/tests/SimpleTest/EventUtils.js :: synthesizeMouseScroll :: line 273"  data: no] - got 0, expected 1
linux-2 | 67 | 07/25/2008 | 06:40 | *** 63084 ERROR TEST-UNEXPECTED-FAIL | /tests/toolkit/content/tests/widgets/test_tree_hier_cell.xul | Error thrown during test: uncaught exception: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDOMWindowUtils.sendMouseScrollEvent]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: http://localhost:8888/tests/SimpleTest/EventUtils.js :: synthesizeMouseScroll :: line 273"  data: no] - got 0, expected 1</pre>

Where the info is "|" delimited and goes like this:

<pre>PLATFORM | BUILD_NO | DATE | TIME | TEST-RESULT | TEST-NAME | TEST-OUTPUT

August 07, 2008 05:51 PM

Today, social media are in all conversations.

Tomorrow, social media will be everywhere, like air.

It’s referring to everything from Facebook, to Flickr, to Twitter and on-line business networking such as LinkedIn and Xing.

In fact, social media is a very generic term that includes different concepts all related to technology, social interaction and building/providing content such text, photos or videos.

Source: http://www.fredcavazza.net/2008/06/09/social-media-landscape/

As you can see on the previous chart, it can be about sharing or publishing information, but also about building a social network. It can be linked to entertainment as well.

According to some people, social networks will replace email (also here), address book, TV network, search engines, cold calling, and soon our whole social lives.

We are not yet at this point but one thing is sure: its importance is quickly growing and is becoming not only a new way to communicate between brands/consumers and consumers/consumers. In fact it’s also setting up interactions with “older” kind of websites such as blogs, e-business websites, user-created content’s websites… How many blogs have you ever visited with links to “Digg it” or “share on Facebook” ? What about last photos of Flickr album on these blogs ? It is also about identification with the spread of openID, with the will to interconnect different systems but also simplifying it.

But, what is social media about? Social media is about relationships. Social media is about interactivity. Social media is about word of mouth.

Sound familiar? Does this sound like the world of open source? It seems to me that communication over social media looks quite like open-source: voluntary involvement, sharing information, working in a group with common goals… OK, I know that people involved in social networks perhaps don’t feel involved in a community as strongly as in open-source but I think that comparison is still valid.

Working on that (with Jane’s help), I realized that no one has really focused on having user feedback on social media, especially for Europe, that is to say, to have the possibility to get a huge amount of data and focus on analyzing it. So we decided to try something.
For the moment social media is being used across the board to help raise awareness of Mozilla and Firefox. But we need now to find a way to understand what this all means.
Looking after already existing solutions, it became apparent that I cannot focus on Europe and must take a global perspective given the range and scope of tools currently available.
After researching them, I found a plethora. I suppose I am not the only one to look after this kind of tool.

There are a lot of free/cheap websites. I tried to identify them (non-exhaustive list) and think that I have most of them to date at the end of July 2008. From independent developer to multinational corporation, from open-source beginning project to Google, there is a large choice.

But in fact, few companies really try to sort data and analyze it as I expect to.
A lot of semantic research is being conducted on this topic, but so far, it has not been very effective.
The challenge is allowing the computer to understand the meaning of the words when we talk naturally, for example when associating salmon and fish.

Some other focus with statistics. Commercial solutions exist, like Nielsen Buzz Metrics, Attentio, Biz360, Filtrbox, Trackur or also Brandimensions (more exhaustive list available here). Some are really very expensive and others are more accessible but they all provide solutions for our problem.

I did my research on this, based on these tools. Next week I will present you the results, hoping that they will be interesting enough considering the research spanned only a few weeks. Obviously, a long term study would yield more significant results and help deepen the analysis.

I encourage you to find out some news about social media, but be careful the topic is large and you can be lost very quickly. A good starting point is to read Groundswell , by Charlene Li and Josh Bernoff.

* Florian - a happy marketing intern discovering the wonderful Mozilla world.

August 07, 2008 04:21 PM

My internship ends at Aug 23th, meaning officially I only have 15 days to contribute to Firefox. I will continue working as a contributor for Mozilla at school, so anybody needs a UI designer, a flash AS coder, a web designer or a CG artist and dev, ping me “Wei”on IRC or email me at weizhou@andrew.cmu.edu.I’m more than glad to help.

By the end of yesterday, proud as I am, tried 500 add-ons and extensions for firefox, as well as successfully developed a hobby of working for Mozilla. Work is just more fun than fun. The Summit gave me insights of how an open-source community could attract so much passionate developers - but I hope in the future, designer contributors could be largely involved to improve the user experience of future web.

I’m doing two things this week.

1. Design the first version of the Firefox phone. 2. Trying to write a brief overview of all Firefox add-ons and extensions, and find design implications based on it.

This media player UI design costs me Friday whole day. I designed 12 versions and choose those two. It’s hard to choose between concept 1 and concept 2, because I liked them both. User testing result shows people tends to like concept 1.Which one do you like better?

August 05, 2008 09:58 PM

The Firefox 2008 Summit was — well — an adventure.

It was great being able to put a face to all of the names that pass by in Mozilla’s IRC. Andreas gave some great talks on trace compilation. John Lilly and Mitchell Baker gave some good speeches. There was a very interesting Q&A session where members of the community got to ask face to face questions with John, Mitchell, and Brendan Eich. It was a diverse and global group as many of Firefox’s localizers were there.

The views in Whistler are fantastic. We took a two hour bus ride from Vancouver to the Westin Resort Hotel. There were some complications though. It turns out that there’s really only one fast route between Vancouver (where the airport is), and Whistler. And that path was hit by a rockslide on the second day of the Summit.

Later in the week a laundry truck hit the hotel’s transformer and we lost power for the entire morning (which was problematic because sessions were conducted on electronic whiteboards). When it came time to leave, the rockslide still wasn’t cleared yet, so we all had to take buses along the next shortest route. Unfortunately, that route was eight hours, so the buses had to leave at 2AM and 3AM to make our flights.

But my flight wasn’t until 3PM, so I spent another five hours or so in the airport (six, counting that our flight was delayed because a mechanic had to fix a seat’s reclining feature). All in all, it was a 16-17 hour trip to get home, but the Summit was worth it. Other people had worse trips back so I won’t complain.

Short digression: Mike Schroepfer (attributed with building Mozilla’s engineering division) recently announced that he was leaving Mozilla for Facebook. He had said he was leaving “the only job he ever truly loved.” It’s sad to see him go — he’s extraordinarily talented and there’s no doubt he’ll be a great asset at whatever company he works at.

On the last day everyone took gondolas up a mountain to have a dinner/party at the top. Sometime during the event, everyone started chanting “Schrep! Schrep! Schrep!” to get him to say something at the podium. He gave a short but very emotional farewell which received a standing ovation.

Mitchell Baker had given a long speech earlier in the week comparing Mozilla to a tree, so when she took the podium at the party, we were joking that we’d hear more about trees. But instead she gave a new, shorter definition of the community. One that I really like:

“Mozilla is people — having fun — improving the Internet.”

August 04, 2008 05:21 PM

Bear with me for this long post (no pun intended) describing the awesome Mozilla Summit at Whistler. The short version is that it was supercalifragilisticexpialidoceous. Ok, that’s a nonsense word but there’s no way I can put the experience in just one word

Monday
All the interns got up fairly early to catch a shuttle to SFO, and we arrived in Whistler after a pleasant 3 hour flight and 2 hour bus ride from YVR. The scenery was fantastic all along the way, and the hotel was overwhelmingly comfortable. Nothing much happened except meeting some familiar as well as new people at dinner.

Tuesday
First day of the summit started off with keynotes by John Lilly and Mitchell Baker. Mitchell’s analogy of what she thought of Mozilla was especially intriguing. A great way to kick-off the sessions that were to follow over the next few days. The UX talk on the history and future of browsers was especially a good one. Highlight of the day was Gary spotting bears. Apparently, there were a few that were brave enough to jump into the room balconies too.

Wednesday
I spent most of the early part of the day in the Emerald room, attending sessions on Mozilla’s Technology roadmap, Fennec and the Labs concept series. I ended the round of session-attending with Myk’s talk on Snowl, which is another cool labs project (well, all labs projects are cool!).

The big news of the day was the rockslide on the road connecting Vancouver with Whistler. ~350 at the summit suddenly had to change travel plans to accomodate for this… um… natural disaster. The contingency plan involved 8-hour long bus rides on a longer, more scenic route or float planes.

The labs team spent wednesday night hacking at Chris’ room, in preparation for our presentations the next day. Prior experience led us to believe that relying on the WiFi network in the hotel was probably not a wise idea for our demos, so I setup a local weave sever with a few demo accounts and changed the bookmark sharing code to not depend on XMPP to notify the receving user of the share. It was 3 am by the time I got to sleep so I responsibly set an alarm because the weave talk was the first one on the next day.

Thursday
Except the alarm didn’t go off, and I woke up 45 minutes after the scheduled time for the session. My first reaction was along the lines of oops, I screwed up. But as I became fully awake I realized there was no power in the entire hotel and breathed a sigh of relief because all the morning sessions were postponed. So the story was that a laundry truck ran into a transformer and it would take a few hours for power to be restored.

The Labs sessions were moved to a conference room run by our friendly neighbors (The Hilton), and we started off shortly after lunch. The Labs sessions on Weave and Ubiquity went off really well and I think they created a lot of buzz. Especially with ubiquity, some of the demos were mind-blowing!

Though I really wanted to attend the session on HG, I decided to take a nap instead and prepare myself for the grand dinner atop Whistler-Blackcomb (which are, incidentally, codenames for Windows editions). The dinner was a fine end to a fine summit, and I was especially excited to experience snowfall for the first time in my life

My plan to get back home was to catch a Floatplane with the rest of Labs the next morning, in time for the YVR-SFO flight at 3 pm.

Friday
But NO. All the floatplanes had been cancelled due to fog and low tides, so Dan & Chris put me up on the last bus out of Whistler at 11 am, and kindly provided a goodie bag full of food and coffee for my 8 hour bus ride.

The ride itself was not bad at all, the scenery on the way was well worth it. As we approached Vancouver (around 6:30 pm), Melissa Shapiro found me on the bus and informed me that she would try to catch the 8:15 pm flight to SFO (which was the last one out of YVR) and recommended I do the same. The bus didn’t go to the airport, but to the Sheraton at Wall centre instead, so Melissa and I took a cab and rushed to the airport.

We managed to get standby tickets on the plane, and went through US immigration, customs and security check (where I was “selected for random screening”). We did make it to the gate on time, but not on the plane. Technically, I had to re-enter Canada through immigration, but I had a single-entry VISA. Thankfully, Melissa was there to vouch for me, so I was able to make it back in.

Chris had rooms for us at the Sheraton and we headed back. After a great dinner with Bret, Brad, Melissa, Chris and Dan, I tucked in for the night watching Vancouver’s great skyline.

Saturday
Quite an uneventful day, considering the last week, because everything went as planned. All of us had confirmed tickets on the 11 am flight to SFO.

Melissa, Chris and I stopped for a while at Stanley Park on our way to the Aiport, while Dan had to leave early because he had to pick up his bag and passport (which he left at the party on Thursday, there’s another whole story!)

Phew
Well, I’m back in Mountain View now; and only have a week more to go. I’m really going to miss everyone, and the summit just made it a whole lot harder for me to say goodbye. But as Chris Hoffman had said in a brown-bag sometime ago: “This is Hotel Mozilla - you can check out anytime you like, but you can never leave!”

Just want to convey a big Thank You to everyone at Mozilla; especially Dan Portillo, Tiffney Mortensen, John Lilly, Julie Deroche, Melissa Shapiro, Maria Emerson, and most of all, Chris Beard, for making my experience at the summit an experience of a lifetime!

(Pictures up on Flickr)

August 03, 2008 08:12 AM

Under social pressure, I feel forced to open my own blog:) talking about my experience in Mozilla and my point of view of technology and Internet evolution.

But don’t worry: I take my responsibility and feel very good about that;)

—

Understanding better my work environment, feel free to take a look at my collegues blogs: Jane my intership mentor, Tristan’s Standblog that I follow since some years… Pascal of course, William that just arrived in the Mozilla’s-wonderfull-world like me and finally Gandalf for a more technical approach.

—

Finally, feel also free to visit other blogs I did before: Student organization about video VidéOrganisation, student organization Liberty’M about sport, charity organization Vaincre la mucoviscidose Midi-Pyrénées.

July 30, 2008 09:30 AM

No article this week, we’re invading Canada as part of the Firefox 2008 Summit.

Tomorrow the project I’m on (TraceMonkey) is doing a presentation on our technology. Hopefully we’ll be able to blog about this soon, it’s some exciting stuff.

My summer intern project is complete going into the summit, which is a nice feeling. And now that Adobe has an AMD64 JIT backend to Tamarin-Tracing, I hope Flash 11 has some impetus for 64-bit builds.

(TraceMonkey will definitely use it, though Firefox can’t ship 64-bit builds without 64-bit Flash.)

July 28, 2008 04:22 PM

Time for a quick update on what I’ve been upto this week…

Let’s start with the Intern BBQ - I guess the highlight of the event was Schrep almost being thrown into the pool, I think David sums it up quite nicely. I left the same night for L.A. - the primary item on my agenda was to attend Russell Peters and Friends at the Grove of Anaheim. The show was great, he didn’t repeat any of his old jokes and we had 3 other comics (as Russell called them) - all of them kept us laughing for over 2 hours.

I spent all of Sunday at Universal Studios, Hollywood - which was also great fun. The studio tour, ‘Water World’ and ‘Jurassic Park’ attractions were especially worth it. I caught a Greyhound back to San Jose and headed straight to work.

Week 10 was spent in finishing up the OAuth implementation for Weave - both server-side and client-side. I also wrote a PHP library to access a user’s Bookmarks and open Tabs via OAuth. We had a small demo at the third edition of Labs Night (which was held on Thursday, Jono gives a more detailed account). As we get closer to unrolling both the Weave web client and the OAuth API, I’m looking to forward to some great mashups from third party developers

Maria, Rob, Paul and I spent saturday touring the vineyards and hills of Santa Cruz…

Now, we have a plane to catch in about 7 hours for what is poised to be a climax of gargantuan proportions for my summer. Keep track of what’s going on at Whistler at Summitr. Needless to say, I’m super-excited!

July 28, 2008 10:20 AM

Get the story

Should’ve known something like this was coming, given the recent spike in M$ spending on FOSS conferences.

What really caught my eye is that Mike Schroepfer of Mozilla is on the list of people Sam Ramji wants to thank

July 26, 2008 08:00 AM

One of my goals for this summer at Mozilla was improving performance when Firefox starts. Admittedly, I’ve done nothing of the sort. Instead I’ve tackled this from a more general angle – making a tool that uses DTrace and creates a treemap of the output. This serves as a way of analyzing performance in a very visual way. Before I go further, a little background.

DTrace

“DTrace is a comprehensive dynamic tracing framework created by Sun Microsystems for troubleshooting system and application problems in real time.”[1] It was originally in Solaris and OpenSolaris, but has since been ported to OS X and was included in Leopard. In a nutshell, it lets you take a look at the inner workings of applications and kernel activity, with a low overhead. You can do everything from looking at file IO to time spent in functions to analyzing system call times. It’s pretty powerful and I’ve only just touched the surface of it.

Developers at Mozilla have done a lot of work getting probes into Firefox so that we can take advantage of all DTrace has to offer. One of these places where probes have gone is into JavaScript execution. This opens up the doors to using DTrace to track what’s happening in JavaScript, which is especially useful at Mozilla since a lot of our front-end code is JavaScript.

Treemaps

“Treemapping is a method for displaying tree-structured data using nested rectangles.”[2] In other words, pretty damn cool. One of the coolest uses I’ve seen recently is newsmap – which takes the news as aggregated by Google News, and builds a beautiful representation of what’s “hot” in the news.

What I’ve done

The work that I’ve been doing so far is pretty simple. I’ve taken the output of a single DTrace script (js_functime, available on Brendan Gregg’s blog) and used that to create a treemap. This DTrace script measures the time spent in Javascript functions. It’s not the most accurate measurement since the output is the overlapping times, but it’s still a good place to start. The output contains the number of times each function was called, the average time spent in the function, and the total time spent (across calls). From there I build these treemaps.

I’ve used a modified version of the RubyTreemap gem to create SVGs of this output. I create 3 different high-level maps, each representing the bits of information I get (count, average time, total time). Each of these maps is made from a tree 3 levels deep (though the root node is insignificant). The topmost level is the file from which the function is in. The second level is the function name. Size is determined from the measurement type (thus 3 maps). Each of these maps can then be broken down further, stepping into each individual file. So from these 3 “index” SVGs, I’ve linked down into the second level, and a new SVG is generated for each file, making it a bit easier to read the smaller nodes. Colors are consistent between runs and based on an adapted hashing algorithm.

I can’t hand out the source yet since the original RubyTreemap is GPL’ed and I’m not ready to redistribute. The changes aren’t huge, but are very focused for this task, so might not even be able to be merged back. Also, my code is pretty ugly right now and that would just lead to embarrassment.

So without further ado, here’s the page on playground: DTrace Treemaps. Keep in mind that this is not complete and what you see may very well change soon. Here are the direct links to the SVGs if you are a bit impatient: count, average, sum.

Future Directions

From here I plan on using the output from some of the scripts in the DTrace Toolkit to create other visuals, likely more treemaps. I also need to do a number of things to package this nicely so it’s easy to adapt and use for different DTrace outputs. Last, but certainly not least, I need to make the code much better – it’s my own personal Frankenstein right now, and needs to suck less.

July 25, 2008 02:58 AM

July 23, 2008 11:14 PM

The patch for the last of the major outstanding bugs with the WHATWG Canvas text API landed in time for a nearly spec compliant implementation to make it into Firefox 3.1 Alpha 1. I am pleased to say that Canvas now supports right-to-left text and bidirectional text resolution on its text drawing functions.

Canvas has undergone and will be undergoing some other changes, as well. I went through and cleaned up a lot of old code so that, among other things, Canvas uses Mozilla’s Thebes API instead of directly calling into Cairo. Philip Taylor has created a new set of unit tests for Canvas which are more extensive than before. Additionally, a patch has been sitting around for a while that adds shadow support to Canvas, which I hope to push to completion soon.

July 23, 2008 11:04 PM

July 23, 2008 10:44 PM

I’m sitting here in a front-row seat for the f8 keynote.  I’ll be keeping this post updated as interesting things happen…so stay tuned!

1:29 pm: Waiting for the talk to start…great seat!  Music is good but a little loud

1:35 pm: Music out, Zuck in.  That is an amazingly hi-res projector!

1:36 pm: FB has been learning how to work with developers, made some mistakes along the way.

1:39 pm: FB mission: “Give people the power to share and make the world more open and connected.”

1:42 pm: 24mil users at f8 ‘07, 90mil users now.  f8 ‘07 US/International ratio was 50/50, now more like 30/60

1:44 pm: Opening up translation tool for platforms, they can use FB’s users to translate apps.

1:45 pm: Over 400k developers, more than half outside the US.

1:48 pm: Top 5k bands have more fans on iLike than anywhere else (including MySpace Music).  Causes app has more users than Al Gore’s alliance campaign (the two have since merged).

1:49 pm: Over 30 different developers have been funded to develop FB apps.  Flixter got $6m and Zynga raised $29mil just this morning.

1:54 pm: Lessons learned: Need to work more closely with developers.  Need to align incentives better, reward good apps, punish bad apps.

1:56 pm: Walking us through new FB, explaining the new Wall.

2:04 pm: “We’ll do it live!”, giving us a live tour of the new feed.

2:10 pm: Talking about the decentralization of social networking, comparing the social network movement to the PC movement.  FB expects in a few years all good applications and uses will come from sources other than FB, just utilizing their platform.

2:13 pm: FB Connect: Goals: Build the same kinds of apps across the web, share info across the web, control your info across the web.  3rd party sites can use it to pull profile info, friend lists, etc.  You can also send FB hashes of your users emails and it will tell you if they are FB users.

2:15 pm: “It goes to their profile, and Christmas is ruined.”  Zuck has a sense of humor…nice!

2:18 pm: Someone from Digg is on stage to demo the Digg/FB Connect inegration, nice, clean, and simple.

2:20 pm: Six Apart is next, demoing comment authentication with FB Connect, followed by Citysearch for reviews & recommendations.

2:26 pm: Profile is being rolled out over time, FB Connect Beta is today.

2:27 pm: That’s it for Zuck.  Ben Ling takes the stage.

2:32 pm: They had a slide that lists universities researching FB Apps…they used a logo from Central Michigan University instead of Carnegie Mellon!!!

2:38 pm: Talking about what makes great apps, building trust, etc.

2:46 pm: Talking about partnerships with MS, Joyent, and AWS.  New Developer Website (about time!).  Also promising to build up a team to work more closely with the community.  Applause for initial fbFund recipients, discussing Connected Weddings as an example.

2:48 pm: New program: giving out $2mil over the next 2 months.  25 finalists get $25k, 5 finalists (voted by community) get $250k.

2:49 pm: Announcing FB Verification program: Apps that feel they are Secure, Respectful, and Transparent can apply and be verified (they get a badge).  Verified apps get more visibility on the site.

2:50 pm: Announcing FB Great Apps program: Apps that feel they are super-awesome (10 criteria + history of adherence to policies + minimum user base).  Great Apps are more integrated and more trusted, as well as getting early access to new features and feedback directly from FB.  iLike & Causes are the first 2 Great Apps, though the program is in Alpha.

2:53 pm: Talking about a more transparent and consistant process for enforcing abuse policies.

2:56 pm: FB Connect will be released for Desktop, Web , and Mobile (they have an iPhone Cocoa API).

2:58 pm: FB Connect launches full on next summer.  There’s a hackathon today running until 9pm, winners announced at 11pm.  That’s all :).

July 23, 2008 08:23 PM

Two weeks ago, while working on a project yet to be revealed (unless you happen to stalk me on Bugzilla – I’ll write about it soon, I promise), I happened to make Minefield seg fault. I was talking to Shawn Wilsher about what I was working on, so he had some familiarity with the code, and told me it shouldn’t be crashing. But it was. Shawn told me to file a bug, create a test case, and get a stack trace with GDB. I was a bit annoyed because it took time away from what I was working on. But I did all that, filed the bug, and went along my way.

The other day, I got to work and found a few Bugzilla emails waiting. Apparently somebody had written a patch for the bug, and it had been r+ed and checked in. I figured somebody was looking at it, but a lot happened at once. So I took a look at the commit log and it turns out that the test case I had written had been included! That makes perfect sense – we want to keep the test around to make sure we don’t regress in the future – but it still surprised me. I never came to Mozilla expecting to touch such a random place in the code base. And while I wasn’t fixing the C++ code, I was still contributing. It felt good.

I think that is part of the power of open source.

July 23, 2008 04:36 PM

Update: Schrep (I’m far back right, he’s in the middle…note the ripped shirt, sorry Schrep!) was kind enough to point out that, as of bug 423377 being resolved, Firefox 3 defaults to 6 simultaneous connections.  Modern browsers all use different numbers, the lowest being IE 7 with 2 (all older browsers also use 2).

One of my projects here at Mozilla (and, coincidentally, a past project at Yahoo!) was improving ySlow scores.  ySlow is a utility that measures load time and analyzes page performance, assigning you a final letter grade based on various performance metrics.  It’s a neat little Firebug plugin, and I highly suggest that any web developer install it.

Occasionally I like to play with this tool on other big sites, just to see how many of them actually care about such things.  So I went through and ran ySlow on some of the more common Facebook pages.  Here’s what I found:

With most aspects Facebook does a decent job: with the exception of advertiser scripts and some application-specific code they use etags, minify their JS, and use long expires headers.  What amazed me is the number of JS and CSS files on each page, all listed one after another in the header:

And for those curious, here’s the count for the new facebook design (summary: significantly worse):

Really, I can’t think of any context in which 47 external files would be necessary! I understand breaking files up by purpose to make coding and revision management easier, but I wonder if someone at some point considered the speed impacts. I’m fortunate enough to almost always have a broadband connection, but the experience for their dial-up users is probably deplorable. Especially considering that they now localize the site and are pushing to expand overseas, you would think this would be a much higher priority. And don’t even get me started about the lack of spriting!

Here’s how I setup Mozilla’s JS/CSS concatenation (see the Build Process):

1. Add a configuration setting for site state (example: a flag set to “production” on production servers, “dev” on everything else)
2. All CSS/JS calls use these flags to decide if they go to the concatenated files or the actual development files
3. Create a build script that generates the concatenated files (profile.js, photo.js, etc), run before pushing to production

Ironically enough I would bet Facebook already has #1 and #2 setup, since they use Akamai for production servers, and can’t use that for development.

Alternatively they could use the method YUI uses for serving JS files.  Basically call a script that will return the concatenated files.  It’s a less elegant solution, and is heavier on the server, but still better than nothing.

Note that this doesn’t only affect dial-up users.  While broadband users usually have a fast enough connection to offset the slowdown, a large file count is the biggest slowdown for broadband.  This is because of the 2-simultaneous-connection limit that most browsers obey.  From rfc2068:

Clients that use persistent connections SHOULD limit the number of simultaneous connections that they maintain to a given server. A single-user client SHOULD maintain AT MOST 2 connections with any server or proxy.

Facebook.com is the 8th most popular site on the web, while Mozilla.org is the 258th (note that this is all of mozilla.org, not just addons.mozilla.org).  They should be able to devote a lot more to the tail end of their users, especially considering the residual benefits for their main audience.

Just as bad is their lack of proper fallback for those with JS disabled. For example, if you were to disable JS, you can still login fine, but once you login, head back to facebook.com. That’s right, they use JS to redirect users from their homepage, with no <noscript> fallback, meaning the average joe with JS disabled can easily lock himself out of Facebook.  In addition, pretty much every new feature added since poking doesn’t have a non-JS fallback.  Status updates, “People you may know”, dropdowns, the entire “Friends” page, and so on.  All completely useless.

July 22, 2008 10:30 PM

Last week, us Mozilla interns held our annual intern BBQ. I guess one of the traditions is to throw someone in the pool.

This year they chose Mike Schroepfer (also known as “Schrep”). Schrep is the VP of the Engineering, and about five seconds with him is enough to know he means business. He talks fast and asks deep technical questions about the projects he oversees. This is an interesting trait, as he’s both very bright on a technical level while also being a high-level manager.

So when five+ interns tried to gang up on Schrep (who, as always, was dressed as neat as a pin), people on the sidelines seemed a bit apprehensive about how that’d play out. Lo and behold, not well.

In the process of trying to grab him, they accidentally tore his shirt. Then as they got close to the pool, Asa Doltzer warned them that Schrep’s shoes were too nice to get wet, so the interns had to pull them off. After that they gave up and dropped him to the ground by the pool.

Schrep didn’t look terribly pleased but he took it all in stride, even making a joke about it at the all-hands company meeting on Monday: “For the record,” he said, “Despite it being five-on-one, you guys still couldn’t take me dow