[firefox] regression in recent update to 2.0.0.10

Bug #172518 reported by disabled.user on 2007-11-28
6
Affects Status Importance Assigned to Milestone
Mozilla Firefox
Fix Released
High
2.0
Fix Released
High
firefox (Ubuntu)
Undecided
Unassigned
Edgy
High
Alexander Sack
Feisty
High
Alexander Sack
Gutsy
High
Alexander Sack
Hardy
Undecided
Unassigned

Bug Description

Binary package hint: firefox

The recently (upstream) published Firefox 2.0.0.10 contains the following regression:

References:
https://bugzilla.mozilla.org/show_bug.cgi?id=405584

Quoting:
"canvas.drawImage is not working in version 2.0.0.10

Please, test following URL. (It is a MDC sample page.)

Test URL :
http://developer.mozilla.org/samples/canvas-tutorial/3_1_canvas_drawimage.html"

As far as I can tell, Dapper's Firefox 1.5.x with it's backported security patches is *not* affected by this regression (I've tested the amd64 build).

CVE References

I can confirm this problem. We are using drawImage alot in our web shop and now in firefox 2.0.0.10 everything is broken while it works fine in 2.0.0.8 and all other browsers (including IE with the excanvas extension). Customers are complaining because their Firefox automatically updated to 2.0.0.10 and now they can no longer order photo prints in our shop. I think this is a very serious problem and I hope it will be fixed immediately in a 2.0.0.11 update.

But I also wonder why Google Maps is still working. I thought they used the Canvas stuff for it...

Here are some popular example web pages which are no longer working with 2.0.0.10:

  * http://www.abrahamjoffe.com.au/ben/canvascape/textures.htm (The rifle is not drawn with canvas so that's why this part of the game is still working)
  * http://developer.mozilla.org/en/docs/Puzzles_using_Canvas_%28external%29
  * http://developer.mozilla.org/en/docs/Water_Reflection_Effect_%28external%29

Bye the way: I'm using Firefox 2.0.0.10 on Ubuntu Linux 7.10. So it's not a windows-only problem.

Bug also confirmed on Mac OS X (10.4.11). Same error message.

Have to confirm it myself but according to comments I'm going to confirm it here now.

Confirming this is occurring in my Firefox extension for users on all platforms.

Possibly caused by bug 391028.

applying the follow up attachment 284556 in bug 391028 fixes this in 2.0.0.10 for me.

We should make sure we at least have a regression test for this on trunk...

(In reply to comment #1)
> We are using drawImage alot in our web shop and now in firefox 2.0.0.10
> everything is broken while it works fine in 2.0.0.8

What site? Would hate to "fix" this and find out you've got a completely different regression. Is there a link that exhibits the problem?

(In reply to comment #5)
> Confirming this is occurring in my Firefox extension

ditto: what extension, doing what to repro the problem?

(yes, I see that the links in comment 0 are broken but I don't know that your problems are fixed by the same patch unless we can try it)

Just some testing info:

We develop FoxSaver extension, which works well on 2.0.0.9 and earlier. But it's having exactly the same error after applying 2.0.0.10

To test this bug, just install FoxSaver, and start it. It should work in 2.0.0.9, and not showing pictures on 2.0.0.10.

Another testing info:

Please visit this site:
 http://www.foxsaver.com/public/published/

In 2.0.0.9, there are reflection effects. With 2.0.0.10, no reflection effects.

(In reply to comment #9)
>
> (In reply to comment #5)
> > Confirming this is occurring in my Firefox extension
>
> ditto: what extension, doing what to repro the problem?
>
It's an extension for a specific website that uses canvas to dynamically create images.

It is reproducible by using the drawImage function anywhere in any page/extension. Personally I'm getting the source image from a "new Image();" with .src set to a data url, specifically png.

Created attachment 290440
reftest

Reftest has not been checked-in, yet.

I just checked it in.

*** Bug 405694 has been marked as a duplicate of this bug. ***

*** Bug 405648 has been marked as a duplicate of this bug. ***

I've landed attachment 284556 from bug 391028 on MOZILLA_1_8_BRANCH and GECKO181_20071115_RELBRANCH.

With a build with the fix, I see that http://www.foxsaver.com/public/published/
works correctly with reflections.

You can reproduce this bug by looking at
http://www.foxsaver.com/public/published.

For FF2.0.0.10, this shows the photos fine. However the title and photographer
name are on a plain background, when instead, they should be on a background of
a inverted copy of the lower portion of the photo.

If you see the plain white background, you have repro'd the bug.
If you see the inverted photo background, you have verified the fix!

Another test that should be run before verifying this is installing the Fotofox add-on (https://addons.mozilla.org/en-US/firefox/addon/3945) and ensuring that when you add an image for upload, you see the preview inside the picture frame in the sidebar.

Builds with the fix are at
  http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2007-11-27-14-mozilla1.8/
  http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2007-11-27-15-mozilla1.8/
(linux and windows respectively).

The Mac build crashed in the MozillaAliveTest, investigating.

*** Bug 405728 has been marked as a duplicate of this bug. ***

Binary package hint: firefox

The recently (upstream) published Firefox 2.0.0.10 contains the following regression:

References:
https://bugzilla.mozilla.org/show_bug.cgi?id=405584

Quoting:
"canvas.drawImage is not working in version 2.0.0.10

Please, test following URL. (It is a MDC sample page.)

Test URL :
http://developer.mozilla.org/samples/canvas-tutorial/3_1_canvas_drawimage.html"

As far as I can tell, Dapper's Firefox 1.5.x with it's backported security patches is *not* affected by this regression (I've tested the amd64 build).

Alexander Sack (asac) wrote :

this is fixed for hardy:

firefox (2.0.0.10+2nobinonly-0ubuntu2) hardy; urgency=low

  New security/stability upstream release (v2.0.0.10):
  * include follow up patch to fix 2.0.0.10 regression (bz391028):
    - add debian/patches/bz391028_att284556.patch
    - update debian/patches/series
  * include patch for cairo Xlib build failure (bz344818):
    - add bz344818_att264996.patch
    - update debian/patches/series
    - update debian/patches/configure-autoconf2-13-reconfigure.patch

firefox (2.0.0.10+2nobinonly-0ubuntu1.7.10.1) gutsy-security; urgency=low

  * New security/stability upstream release (v2.0.0.10)
  * MFSA 2007-37 aka CVE-2007-5947
  * MFSA 2007-38 aka CVE-2007-5959
  * MFSA 2007-39 aka CVE-2007-5960

  * debian/patches/bz384304_lp117575_linkrecursion_fix_in_startscript.patch,
    series: drop patch applied upstream.
  * debian/patches/configure-autoconf2-13-reconfigure.patch: rerun
    autconf2.13 to resolve upstream merge conflicts.

 -- Alexander Sack < <email address hidden>> Wed, 28 Nov 2007 17:14:46 +0100

Changed in firefox:
importance: Undecided → High
status: New → Fix Committed
importance: Undecided → High
status: New → Fix Committed
importance: Undecided → High
status: New → Fix Committed
status: New → Fix Released
assignee: nobody → asac
assignee: nobody → asac
assignee: nobody → asac

Any idea when 2.0.0.11 will be released with working canvas tags?

*** Bug 405930 has been marked as a duplicate of this bug. ***

Thanks for the quick fix Martijn. Sorry I missed the duplicate when I posted 405930.

I'm likewise curious on a 2.0.0.11 fix date. We have a lot of effected code with numerous customers on Macs effected. Issuing a temporary fix would be real ugly for us. I really don't feel like sending out e-mail to all of them explaining our preferred browser made all the navigation Icons in out Oracle backed web applications break.

The release of 2.0.0.11 is _tentatively_ scheduled for Friday 30th Nov. If that comes off it'll be the fastest turnaround between Firefox releases to date (ie, it relies on everything in the release process going without a hitch).

That's good to know. Having 2 more days doing regression test would be better.

I am really surprised the canvas part was not even tested before releasing 2.0.0.10.

I still support FireFox, although I consider this incident really dampen it a lot.

I have to agree with Chris on this. We develop process management web applications on with Oracle that use Ajax, Ruby on rails and we have gone out of our way to tell our customers that we "strongly" recommend they use Firefox. We make extensive use of features which really show off firefox in a good light.

This little episode really has egg on our face.

For a couple days we have had an unbearable number of support calls. I would hope this reinforces the need for someone to put in some serious effort on developing a solid and extensive suite of regression tests. This should have NEVER gotten into a public release.

reply to comment #29)
> This little episode really has egg on our face.

Yes, this was a rather bad regression. For those with a high profile website it's probably useful to test their pages regularly with the latest nightlies from the stable branch:
ftp://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-mozilla1.8/
If there are any regressions cry wolf with a bug report with the keyword "regression" and a "blocking 1.8.1.x?" request.

It's hard or unrealistic for small business to QA the nightly releases, especially when we are not aware of the release schedule. Even for sites like Yahoo Email is broken by 2.0.0.10. I guess they are not checking the nightly release either.

What's a more realistic solution is to include this kind of major APIs part of an automated testing. And it should not be a fire-fighting remedy, but a well planned QA strategy.

Now we have the testing data for this API. I hope other APIs will include unit test also.

(In reply to comment #31)
> It's hard or unrealistic for small business to QA the nightly releases,
> especially when we are not aware of the release schedule. Even for sites like
> Yahoo Email is broken by 2.0.0.10. I guess they are not checking the nightly
> release either.

It's just a suggestion for those with a few minutes to spare. Testing the stable nightlies isn't that hard. Once you've installed one you can use the update mechanism to stay current and the stable nightlies are stable enough for everyday surfing.

> What's a more realistic solution is to include this kind of major APIs part of
> an automated testing. And it should not be a fire-fighting remedy, but a well
> planned QA strategy.

Absolutely.

Arthur,

Once again I have to agree with Chris on this.

We have far more pressing issues as a <25 person company, than making daily checks of the firefox nightlies. Half of us are working 14-18 hours a day already.

Perhaps there should be a subscription service that sends out e-mail to developers alerting them of update releases 72 hours prior to release. This gives small and mid sized developers an opportunity to vet their code against a stable branch nightly.

This would serve your purposes as well as ours and provides an added benefit of insuring we don't burn cycles over testing. It would also insure this kind of "embarrassment" is avoided in the future.

J

(In reply to comment #31)
> Even for sites like
> Yahoo Email is broken by 2.0.0.10. I guess they are not checking the nightly
> release either.

With FF2.0.0.10 on Mac, we just tried using "new" Yahoo mail, and it seems to
work fine. Can you provide more details on what exactly looks broken, and what
OS you were using?

(In reply to comment #33)
> Perhaps there should be a subscription service that sends out e-mail to
> developers alerting them of update releases 72 hours prior to release. This
> gives small and mid sized developers an opportunity to vet their code against a
> stable branch nightly.

Mozilla already does this sort of thing. All the release candidates for security releases are announced through the mozilla.announce-prerelease newsgroup on news.mozilla.org, also available by Google Groups at
  http://groups.google.com/group/mozilla.announce.prerelease/topics
and also by email via the mozilla-announce-prerelease mailing list at
  https://lists.mozilla.org/listinfo/announce-prerelease
Alternatively you can you get that info (and more) on the web at
  http://developer.mozilla.org/devnews/
or even pull the RSS feed from that.

Any problems with Yahoo should be handled in another bug please.

Nick,

Thanks, I've just subscribed. Didn't know about that. Very useful.

J

Nick, this is also very good to know. Subscribed now. Thanks! Although I found no message for 2.0.0.10 pre-release on the group. I guess it's an "urgent" security patch that can skip ordinary release processes.

John, Sorry, my memory was wrong and 2.0.0.10 does work with Yahoo new UI. I am using 2.0.0.11pre and 3.0 now on my two computers, and Yahoo email is simply direct me to the "classic" UI.

(In reply to comment #37)
> John, Sorry, my memory was wrong and 2.0.0.10 does work with Yahoo new UI. I am
> using 2.0.0.11pre and 3.0 now on my two computers, and Yahoo email is simply
> direct me to the "classic" UI.
Phew! :-) Good to hear - thanks for the update.

There is a bug with Firefox 3 and the new Yahoo UI. That isn't simply a Firefox bug and Yahoo has an update to the e-mail webapp staged that fixes it. I'm not sure on their ETA for shipping it.

We have more automated tests on the trunk that catch problems like the current bug. The issue here, really, is that the same tests are not available on branch.

Interested parties can try the 2.0.0.11 release candidate as well:

http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2.0.0.11-candidates/rc1/

This regression broke the "ChromaTabs" extension as well. Not work-critical or all that popular, but I like it. Might be a handy simple testcase.

Error: [Exception... "Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIDOMCanvasRenderingContext2D.drawImage]" nsresult: "0x80040111 (NS_ERROR_NOT_AVAILABLE)" location: "JS frame :: chrome://chromatabs/content/chromatabs.js :: anonymous :: line 545" data: no]
Source File: chrome://chromatabs/content/chromatabs.js
Line: 545

I just ran tests on the mac RC1 using
    ftp://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2.0.0.11-candidates/rc1/firefox-2.0.0.11.en-GB.mac.dmg and our issue is resolved in this build. Good job on a fast fix guys.

J

I can confirm the fix on WinXP using the beta-channel build for
  test link in comment 0
  test links in comment 2
  FoxSaver.com page (comment 11)
  FotoFox add-on (comment 21)
  ChromaTabs (comment 41)

verified fixed 1.8.1.11 using Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.11) Gecko/2007112718 Firefox/2.0.0.11 and the various testcases/testsites from this bug. Also per comment #42 and #43

-> adding verified keyword

*** Bug 406146 has been marked as a duplicate of this bug. ***

Jonathan and others that are interested: Please sign up for our newly created list, https://mail.mozilla.org/listinfo/betatesters if you are interested in getting a heads up about pending releases. We would love to have you join the list.

(In reply to comment #33)
> Arthur,
>
> Once again I have to agree with Chris on this.
>
> We have far more pressing issues as a <25 person company, than making daily
> checks of the firefox nightlies. Half of us are working 14-18 hours a day
> already.
>
> Perhaps there should be a subscription service that sends out e-mail to
> developers alerting them of update releases 72 hours prior to release. This
> gives small and mid sized developers an opportunity to vet their code against a
> stable branch nightly.
>
> This would serve your purposes as well as ours and provides an added benefit of
> insuring we don't burn cycles over testing. It would also insure this kind of
> "embarrassment" is avoided in the future.
>
> J
>

Marcia Knous,

Thanks Marcia. That's helpful.

Jonathan

Marcia, Nick, et. al,

I wanted to send you all a note thanking you for your quick response to this issue and especially to Martijn for effecting a fix in just 16 hours that allowed us to get RC nightlies tested quicker that we could have ever hoped.

I know there's been a lot made of this episode. I have even seen posts from bugzilla used horribly out of context by the online media, but in our book the response to this was absolutely stellar. As developers ourselves we recognize that from time to time you are bound to introduce bugs like this. Anyone who claims that their company is procedurally immune from this kind of thing is completely delusional.

This, in our book, is a bright example of why open source development of this sort is working. I could never have imagined a closed source vendor responding to a critical fix with an actual release in +/- 48 hours.

Rest assured you will continue to have our support and we look forward to continuing our users to use Firefox as their primary browser.

J

*** Bug 406482 has been marked as a duplicate of this bug. ***

Download full text (4.4 KiB)

I wanted to comment on something that came up a few times in discussions above. Paraphrasing, the question was:

"Can you let us know a few days before shipping, when a new FF is coming, so we can test it and confirm it doesn't break with our site - *before* you ship FF"?

Well, actually, we already do this. Let me explain with some background...

We have 3 different channels for sending out updates to users. These channels are currently called: nightly channel, beta channel and release channel. The nightly channel was discussed above, keeping you updated with new nightly builds as they are produced - the "bleeding edge" of browser development, so to speak, and typically of most interest to FF developers and testers. However, I'd like to talk more about the "beta" and "release" channels.

As part of our release process, after we finish our in-house testing, we make the new FF release candidate available to "beta" channel users.
* If there are showstopper bugs reported by "beta" channel users, we stop the release, fix the bugs, generate a new release candidate and push that new release candidate out to "beta" channel users. Repeat as needed. Most releases ship on rc1, but looking back over all the releases in the last 7 months, we've had a couple of rc2s and one rc3.
* If there are no showstoppers reported by "beta" channel users after 3-7 days of exposure, we take the *same* identical bits that are on "beta" channel and copy them out to "release" channel users. The "beta" channel and "release" channel users then remain identical, until we start shipping the next release, when we repeat the above process all over again.

The important point here is, for most of the time, people on the "beta" channel have exactly the same bits as people on the "release" channel. The only exception is when Mozilla is about to ship a new release - thats when users on the "beta" channel will be *newer* than the "release" channel, using what *will* soon be available on the "release" channel. For people who dont want to risk instability of the nightly builds, yet at the same time, care about ensuring new upcoming FF releases work for them without any surprises, this "beta" channel is the place to be.

How do you get onto the "beta" channel? There's 3 different ways:

1) Download and install a beta version of FF from ftp.mozilla.org. Once that beta version of FF is running, it will automatically monitor the "beta" channel for new release candidates, and refresh forward to the latest release candidate when available. For example, if you were do this today, you would download and install FF2.0beta from ftp://ftp.mozilla.org/pub/mozilla.org/firefox/releases/2.0b2. Once installed, use CheckForUpdates to update from FF2.0b2 to the FF2.0.0.11release candidate. This FF2.0.0.11 release candidate is identical to the "release" FF2.0.0.11. Now, just use your FF2.0.0.11 install like normal. At some point in the future, whenever Mozilla start producing release candidates for FF2.0.0.12, your FF2.0.0.11 "beta" browser will automatically refresh forward to the new FF2.0.0.12 release candidate - in the same way that a regular release version of the browser refreshes forward to n...

Read more...

Verified again in Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.12pre) Gecko/2008012208 BonEcho/2.0.0.12pre.

please check whether bug 414539 is related

https://litmus.mozilla.org/show_test.cgi?id=5226 has been added to Litmus to address this case, both branch and trunk.

Hew (hew) wrote :

Ubuntu Edgy Eft is no longer supported, so a SRU will not be issued for this release. Marking Edgy as Won't Fix.

Changed in firefox:
status: Fix Committed → Won't Fix

Please could someone mark this as Won't Fix for Feisty?

Hew (hew) wrote :

Reading the upstream report, it looks like this was fixed in 2.0.0.11, so Feisty and Gutsy are really Fix Released.

Changed in firefox:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Changed in firefox:
importance: Unknown → High
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.