Over the weekend I got word from Rakshith, the ColdFusion product manager, that it was ok to share the following news with the community at large.
Adobe plans to continue improving the JSON (de)serialization functionality that was added in ColdFusion 8, at the very least including those improvements in the next version of ColdFusion (codenamed "splendor" (pdf) [...gag me with a spoon]). Considering we have this awesome updater, I'd also love to see a patch for CF10, but that may be a pipe dream. Still, any improvement would be welcome.
So what's wrong with serializeJSON? Currently, there are many edge cases that serialize incorrectly, necessitating the use of an alternate serializer like CFJSON or my personal preference JSONUtil. For example:
Not only is the key name annoyingly upper-cased, but the value, which was a string containing the number 3, has been converted to the numeric value 3.
These are two known issues. There are a bunch of these issues that are known, and possibly some that are still unknown. Fortunately, Adobe is being forthright with us in sharing the fact that they're attempting to fix the bugs, and they're happy to accept feedback and bug repro cases.
To that end, I've taken the first step and created a set of tests demonstrating all of the issues of which I am aware. Those tests are on GitHub, you can see them run against ACF 9.0.1 here, and I am happy to accept begging to you send pull requests with additional tests for more bugs.
Showing the bugs in action is paramount to getting them fixed. If you know of a bug, and you don't report it, you only have yourself to blame for it not being fixed.
If you aren't familiar with writing tests using JavaScript, take a look at the code. It's very readable and you just mind find that it's easier than you thought... But if you're too lazy, or you still just don't quite have the hang of it, I would settle for you filing a bug against the repo, so that someone can add a test for it.
One last thing: Do you have ACF10 hosting and want to volunteer to host a copy of the tests? It would be helpful! Contact me!
I have a relatively fast laptop -- an early 2012 model Macbook Pro with an SSD and a Core i7 processor. Yet it still takes a vanilla ColdFusion 10 installation about 20 seconds to restart. If you start/stop/restart the service a lot, as I do, then that delay is probably enough to start to get on your nerves. For me, it was enough for me to get distracted by email, IRC, instant messages, etc, and eventually lose ~5 minutes of productivity at a time... All because I had to wait for a 20 second process that could have been instant.
I did some digging and found out that there are several calls to the sleep function, each of several seconds. Calling the stop method includes a total of 12 seconds of sleep time, and the start method includes 10 seconds. Restarting the server simply calls stop + start, so that's 22 seconds.
I've found that, even in "horrible conditions" on my laptop, I am able to remove ALL sleep time and have NEVER had an issue. What amounts to horrible conditions?
At least one virtual machine running
Several memory-hungry apps
Code editor
Music playing
Several browsers open for testing
etc
How To Alter Your Installation
It's really rather simple. Inside your ColdFusion 10 installation folder (mine is /Applications/ColdFusion10/) you'll find one folder for each Instance of ColdFusion that you have installed, the default instance being named cfusion. Inside each instance folder you'll find a bin folder, and in that bin folder you'll find an executable script named coldfusion. Simply open that script up with your favorite code editor.
Search for all instances of the word "sleep" and comment those lines out. You comment them out by putting a # on the line before the command. It can be immediately before the text as in:
#sleep 10
Or at the beginning of the line, as in:
# sleep 10
Either way is fine. Comment them all out, save, and quit. It's that simple. Enjoy, and get back to work!
One of the contributions I've made so far this month, as part of 24 Pull Requests, was porting the Debounce method from the popular Underscore JavaScript library to the ColdFusion port, UnderscoreCF. It took me a while to figure out what its behavior was because it's a very abstract concept, but once I understood it I was able to come up with some more concrete examples, so I thought I would share them. Hopefully this will help someone grok the concepts.
Here's that abstract explanation:
debounce_.debounce(function, wait, [immediate])
Creates and returns a new debounced version of the passed function that will postpone its execution until after wait milliseconds have elapsed since the last time it was invoked. Useful for implementing behavior that should only happen after the input has stopped arriving. For example: rendering a preview of a Markdown comment, recalculating a layout after the window has stopped being resized, and so on.
Pass true for the immediate parameter to cause debounce to trigger the function on the leading instead of the trailing edge of the wait interval. Useful in circumstances like preventing accidental double-clicks on a "submit" button from firing a second time.
var lazyLayout = _.debounce(calculateLayout, 300);
$(window).resize(lazyLayout);
So... concrete would be better, right? There are two modes in which you can use the Debounce function: Immediate, and non-immediate. When immediate is false (the default), it resembles the way my wife and I handle time out for our (young) kids:
If you do something worthy of time out, you're placed into it (with an explanation of why you're there)
The clock starts (1 minute per year of age)
If you leave the time out spot before you've been excused, you're placed back in it and the clock starts over
Each time the child leaves time out is like calling the timeOut function again. It resets the timer, and they will not be released from time out until they've served a full consecutive sentence.
When immediate is true, it more closely resembles a day when Daddy gets home from work and his brain is fried. He loves to read books to his kids, but he needs a few minutes to himself every now and then to unwind. Daddy declares that he needs 5 minutes uninterrupted relaxation time between books, but he'll read one to them immediately before starting to relax. If they interrupt Daddy's relaxation time, the clock starts over and thus have to wait even longer for their next book:
Each time my kids ask me to read them a book it's an invocation of readIfRelaxed(). But if it hasn't been 5 minutes since the last book then the new book isn't read and the relaxation clock starts over.
Hopefully that more clearly illustrates the types of behavior debounce can do for you. I'm not exactly sure of the scenarios in which it will prove useful in ColdFusion, but it was a fun and challenging exercise to write it! (It uses a combination of threads and closures!)
It's quite old news by this point, but the lauded automatic-update-installer feature in ColdFusion 10 was not capable of installing one particular update or any updates thereafter; and I still regularly see and talk with people who point to that as some epic failure on the part of Adobe. Obviously it's not well understood why the update couldn't be applied by the auto-updater, and why that's actually a good thing.
Why couldn't it auto-install?
The reason for the update was, in a nutshell, to update the security of the auto-updater. When the auto-updater downloads an update for your CF install, it first checks that the newly downloaded update has been signed by Adobe, to make sure that only certified code makes its way into your CF install.
There was a security breach in some other product, which resulted in the code signing certificate being compromised. This means that Adobe had to create a new certificate and update every product using the same code-signing process to use the new one. ColdFusion was among them.
The manual update installs the new certificate (I'm guessing here, it's probably the new public-key in an asymmetrical encryption key pair) into ColdFusion so that it can validate future updates that will be signed with the new certificate. They could have signed the update with the old key so that the auto-installer would accept it (again: guessing), but then it would have been possible for someone to create a falsified version of the update, using the compromised certificate, and your ColdFusion install would have accepted it.
If they managed this, it would probably also be easy to change the URL from which the auto-updater finds new updates to install. These two things combined would have given the attacker the ability to install whatever malicious code he or she liked on your server by providing what seem like important, innocuous updates that actually include malicious code; which you might carelessly install exactly because the updater is so easy to use.
Why is it a good thing?
So the manual, mandatory update is what I like to call a necessary evil. And if you've applied it (please tell me you've applied it!) then you know it really wasn't that big of a deal:
Download a jar file
Then java -jar update.jar
This is a good thing because it is the most secure path forward. It wasn't the easiest path, but the important things in life rarely are.
This November I'm running a marathon to raise money for Children's Miracle Network. But instead of running a marathon I'll be playing an epic 24 hour video game marathon.
It's called Extra Life, and last year I raised more than $700 through donations from people just like you. This year I've set my sights even higher: $1024.
Want to help me reach that goal? Want to know more? Click the button indicating that you do not in fact, hate kids, below.
This November I'm running a marathon to raise money for Children's Miracle Network. But instead of running a marathon I'll be playing an epic 24 hour video game marathon.