Firefox gets emergency update to fix the last update

Written by Ed Burnette, Contributor

It looks like last week's automatic update to Firefox came with an unintended hitchhiker: a new bug that opened up a potentially critical security vulnerability. The Mozilla Foundation responded by pushing out a new update that fixes the problem:

MFSA 2009-23 Crash in nsTextFrame::ClearTextRun()

I found the timeline on this one interesting so I thought I'd share it. It provides a fascinating insight into Mozilla's around-the-clock development process (all times are PDT):

April 21:

  • 5:11am: Marc Gueury, who was running a pre-release version of Firefox, noticed a new crash when using the HTML Validator extension (bug 489322). As more people started running into it, one noted:

    Firefox 3.0.9 downloaded in the background and installed when I restarted. Ordinarily I think that is a brilliant thing, but this time, because of this bug, it's corrupting my ability to work.

April 22:

  • 1:06pm: Daniel Veditz noticed a new "topcrash" and filed bug 489647. Topcrashes are like Firefox's equivalent of a "Top 10 list" from the automatic crash reporter.
  • 1:16pm: Developers narrowed down the time frame of the regression and identified a couple of possible pushes that might have caused it.
  • 11:17pm: The exact problem was described. Essentially, a fix to one problem got tangled up in a fix to another problem, which resulted in an incomplete patch being applied.

April 23:

  • 3:46am: A test case was created.
  • 3:52am: A patch was created to fix the bug.
  • 10:20am: The patch was checked into source control.
  • 12:30am: The fix was approved for an emergency release.
  • 5:04pm: The bug fix was verified on 3.0.10 builds on Linux.
  • 11:52pm: The bug fix was verified on 3.0.10 builds on Windows.

Once the fix was approved and verified the process of pushing out a new automatic update was started.
