Yes, sorry, you are correct. I have updated my comment. The call stack looks like this if I wait for an `mView` to get poisoned:

```
 # Child-SP          RetAddr           Call Site
00 00000049`503fdde8 00007ffa`c4b4f40e VCRUNTIME140!memset+0xbe [D:\a\_work\1\s\src\vctools\crt\vcruntime\src\string\amd64\memset.asm @ 187]
01 (Inline Function) --------`-------- mozglue!MaybePoison+0xa [/builds/worker/checkouts/gecko/memory/build/mozjemalloc.cpp @ 1501]
02 (Inline Function) --------`-------- mozglue!arena_dalloc+0x4a [/builds/worker/checkouts/gecko/memory/build/mozjemalloc.cpp @ 3740]
03 (Inline Function) --------`-------- mozglue!BaseAllocator::free+0x67 [/builds/worker/checkouts/gecko/memory/build/mozjemalloc.cpp @ 4547]
04 (Inline Function) --------`-------- mozglue!Allocator<MozJemallocBase>::free+0x67 [/builds/worker/checkouts/gecko/memory/build/malloc_decls.h @ 54]
05 00000049`503fddf0 00007ffa`353f6d33 mozglue!je_free+0x9e [/builds/worker/checkouts/gecko/memory/build/malloc_decls.h @ 54]
06 (Inline Function) --------`-------- xul!operator delete+0x6 [/builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h @ 51]
07 (Inline Function) --------`-------- xul!NS_DestroyXPTCallStub+0x6 [/builds/worker/checkouts/gecko/xpcom/reflect/xptcall/xptcall.cpp @ 46]
08 (Inline Function) --------`-------- xul!nsAutoXPTCStub::~nsAutoXPTCStub+0x19 [/builds/worker/workspace/obj-build/dist/include/nsXPTCUtils.h @ 30]
09 00000049`503fdee0 00007ffa`353fb538 xul!nsXPCWrappedJS::~nsXPCWrappedJS+0x113 [/builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedJS.cpp @ 445]
0a (Inline Function) --------`-------- xul!nsXPCWrappedJS::DeleteCycleCollectable+0x8 [/builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedJS.cpp @ 314]
0b 00000049`503fdf30 00007ffa`36478b91 xul!nsXPCWrappedJS::cycleCollection::DeleteCycleCollectable+0x18 [/builds/worker/checkouts/gecko/js/xpconnect/src/xpcprivate.h @ 1571]
0c (Inline Function) --------`-------- xul!SnowWhiteKiller::MaybeKillObject+0x4d7 [/builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp @ 2486]
0d (Inline Function) --------`-------- xul!SnowWhiteKiller::Visit+0x9b6 [/builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp @ 2511]
0e 00000049`503fdf60 00007ffa`35188c77 xul!nsPurpleBuffer::VisitEntries<SnowWhiteKiller>+0xb81 [/builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp @ 969]
0f 00000049`503fe0b0 00007ffa`353f45d8 xul!nsCycleCollector::FreeSnowWhiteWithBudget+0xa7 [/builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp @ 2680]
10 (Inline Function) --------`-------- xul!nsCycleCollector_doDeferredDeletionWithBudget+0x4a [/builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp @ 3971]
11 00000049`503fe160 00007ffa`351c53e4 xul!AsyncFreeSnowWhite::Run+0xf8 [/builds/worker/checkouts/gecko/js/xpconnect/src/XPCJSRuntime.cpp @ 158]
12 00000049`503fe270 00007ffa`3648dfcc xul!IdleRunnableWrapper::Run+0x44 [/builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp @ 326]
13 (Inline Function) --------`-------- xul!mozilla::RunnableTask::Run+0x11 [/builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp @ 555]
14 00000049`503fe2b0 00007ffa`364909eb xul!mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal+0x7ac [/builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp @ 879]
15 (Inline Function) --------`-------- xul!mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal+0x2bc [/builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp @ 744]
16 (Inline Function) --------`-------- xul!mozilla::TaskController::ProcessPendingMTTask+0x2c8 [/builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp @ 491]
17 (Inline Function) --------`-------- xul!mozilla::TaskController::TaskController::<lambda_4>::operator()+0x2d4 [/builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp @ 218]
18 00000049`503fe6c0 00007ffa`36204711 xul!mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:218:7'>::Run+0x2fb [/builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h @ 549]
19 (Inline Function) --------`-------- xul!nsThread::ProcessNextEvent+0xb49 [/builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp @ 1240]
1a 00000049`503fe790 00007ffa`364c86bf xul!NS_ProcessNextEvent+0xba1 [/builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp @ 479]
1b 00000049`503feb40 00007ffa`35379e4f xul!mozilla::ipc::MessagePump::Run+0x25f [/builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp @ 85]
1c (Inline Function) --------`-------- xul!MessageLoop::RunInternal+0x16 [/builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc @ 368]
1d 00000049`503fedc0 00007ffa`349cd1de xul!MessageLoop::RunHandler+0x2f [/builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc @ 362]
1e 00000049`503fee10 00007ffa`34b13c58 xul!MessageLoop::Run+0x4e [/builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc @ 344]
1f 00000049`503fee70 00007ffa`34b12b6a xul!nsBaseAppShell::Run+0x28 [/builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp @ 150]
20 00000049`503feeb0 00007ffa`39308eb1 xul!nsAppShell::Run+0x3a [/builds/worker/checkouts/gecko/widget/windows/nsAppShell.cpp @ 615]
21 00000049`503ff030 00007ffa`3937fc02 xul!nsAppStartup::Run+0x41 [/builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp @ 296]
22 00000049`503ff080 00007ffa`39380963 xul!XREMain::XRE_mainRun+0xc12 [/builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp @ 5659]
23 00000049`503ff3a0 00007ffa`36b168fb xul!XREMain::XRE_main+0x323 [/builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp @ 5859]
24 00000049`503ff450 00007ff6`1cfaf319 xul!XRE_main+0x6b [/builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp @ 5915]
25 (Inline Function) --------`-------- firefox!do_main+0xc6 [/builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp @ 227]
26 (Inline Function) --------`-------- firefox!NS_internal_main+0x497 [/builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp @ 445]
27 00000049`503ff530 00007ff6`1cfc03c8 firefox!wmain+0x729 [/builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp @ 167]
28 (Inline Function) --------`-------- firefox!invoke_main+0x22 [D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 90]
29 00000049`503ff760 00007ffa`e25626ad firefox!__scrt_common_main_seh+0x10c [D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288]
2a 00000049`503ff7a0 00007ffa`e358aa68 KERNEL32!BaseThreadInitThunk+0x1d
2b 00000049`503ff7d0 00000000`00000000 ntdll!RtlUserThreadStart+0x28
```

No `nsView` involved, but still a use-after-poison.
Bug 1809492 Comment 23 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
Yes, sorry, you are correct. I have updated my comment. The call stack looks like this if I wait for an example `mView` to get poisoned:

```
 # Child-SP          RetAddr           Call Site
00 00000049`503fdde8 00007ffa`c4b4f40e VCRUNTIME140!memset+0xbe [D:\a\_work\1\s\src\vctools\crt\vcruntime\src\string\amd64\memset.asm @ 187]
01 (Inline Function) --------`-------- mozglue!MaybePoison+0xa [/builds/worker/checkouts/gecko/memory/build/mozjemalloc.cpp @ 1501]
02 (Inline Function) --------`-------- mozglue!arena_dalloc+0x4a [/builds/worker/checkouts/gecko/memory/build/mozjemalloc.cpp @ 3740]
03 (Inline Function) --------`-------- mozglue!BaseAllocator::free+0x67 [/builds/worker/checkouts/gecko/memory/build/mozjemalloc.cpp @ 4547]
04 (Inline Function) --------`-------- mozglue!Allocator<MozJemallocBase>::free+0x67 [/builds/worker/checkouts/gecko/memory/build/malloc_decls.h @ 54]
05 00000049`503fddf0 00007ffa`353f6d33 mozglue!je_free+0x9e [/builds/worker/checkouts/gecko/memory/build/malloc_decls.h @ 54]
06 (Inline Function) --------`-------- xul!operator delete+0x6 [/builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h @ 51]
07 (Inline Function) --------`-------- xul!NS_DestroyXPTCallStub+0x6 [/builds/worker/checkouts/gecko/xpcom/reflect/xptcall/xptcall.cpp @ 46]
08 (Inline Function) --------`-------- xul!nsAutoXPTCStub::~nsAutoXPTCStub+0x19 [/builds/worker/workspace/obj-build/dist/include/nsXPTCUtils.h @ 30]
09 00000049`503fdee0 00007ffa`353fb538 xul!nsXPCWrappedJS::~nsXPCWrappedJS+0x113 [/builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedJS.cpp @ 445]
0a (Inline Function) --------`-------- xul!nsXPCWrappedJS::DeleteCycleCollectable+0x8 [/builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedJS.cpp @ 314]
0b 00000049`503fdf30 00007ffa`36478b91 xul!nsXPCWrappedJS::cycleCollection::DeleteCycleCollectable+0x18 [/builds/worker/checkouts/gecko/js/xpconnect/src/xpcprivate.h @ 1571]
0c (Inline Function) --------`-------- xul!SnowWhiteKiller::MaybeKillObject+0x4d7 [/builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp @ 2486]
0d (Inline Function) --------`-------- xul!SnowWhiteKiller::Visit+0x9b6 [/builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp @ 2511]
0e 00000049`503fdf60 00007ffa`35188c77 xul!nsPurpleBuffer::VisitEntries<SnowWhiteKiller>+0xb81 [/builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp @ 969]
0f 00000049`503fe0b0 00007ffa`353f45d8 xul!nsCycleCollector::FreeSnowWhiteWithBudget+0xa7 [/builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp @ 2680]
10 (Inline Function) --------`-------- xul!nsCycleCollector_doDeferredDeletionWithBudget+0x4a [/builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp @ 3971]
11 00000049`503fe160 00007ffa`351c53e4 xul!AsyncFreeSnowWhite::Run+0xf8 [/builds/worker/checkouts/gecko/js/xpconnect/src/XPCJSRuntime.cpp @ 158]
12 00000049`503fe270 00007ffa`3648dfcc xul!IdleRunnableWrapper::Run+0x44 [/builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp @ 326]
13 (Inline Function) --------`-------- xul!mozilla::RunnableTask::Run+0x11 [/builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp @ 555]
14 00000049`503fe2b0 00007ffa`364909eb xul!mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal+0x7ac [/builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp @ 879]
15 (Inline Function) --------`-------- xul!mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal+0x2bc [/builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp @ 744]
16 (Inline Function) --------`-------- xul!mozilla::TaskController::ProcessPendingMTTask+0x2c8 [/builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp @ 491]
17 (Inline Function) --------`-------- xul!mozilla::TaskController::TaskController::<lambda_4>::operator()+0x2d4 [/builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp @ 218]
18 00000049`503fe6c0 00007ffa`36204711 xul!mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:218:7'>::Run+0x2fb [/builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h @ 549]
19 (Inline Function) --------`-------- xul!nsThread::ProcessNextEvent+0xb49 [/builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp @ 1240]
1a 00000049`503fe790 00007ffa`364c86bf xul!NS_ProcessNextEvent+0xba1 [/builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp @ 479]
1b 00000049`503feb40 00007ffa`35379e4f xul!mozilla::ipc::MessagePump::Run+0x25f [/builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp @ 85]
1c (Inline Function) --------`-------- xul!MessageLoop::RunInternal+0x16 [/builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc @ 368]
1d 00000049`503fedc0 00007ffa`349cd1de xul!MessageLoop::RunHandler+0x2f [/builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc @ 362]
1e 00000049`503fee10 00007ffa`34b13c58 xul!MessageLoop::Run+0x4e [/builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc @ 344]
1f 00000049`503fee70 00007ffa`34b12b6a xul!nsBaseAppShell::Run+0x28 [/builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp @ 150]
20 00000049`503feeb0 00007ffa`39308eb1 xul!nsAppShell::Run+0x3a [/builds/worker/checkouts/gecko/widget/windows/nsAppShell.cpp @ 615]
21 00000049`503ff030 00007ffa`3937fc02 xul!nsAppStartup::Run+0x41 [/builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp @ 296]
22 00000049`503ff080 00007ffa`39380963 xul!XREMain::XRE_mainRun+0xc12 [/builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp @ 5659]
23 00000049`503ff3a0 00007ffa`36b168fb xul!XREMain::XRE_main+0x323 [/builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp @ 5859]
24 00000049`503ff450 00007ff6`1cfaf319 xul!XRE_main+0x6b [/builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp @ 5915]
25 (Inline Function) --------`-------- firefox!do_main+0xc6 [/builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp @ 227]
26 (Inline Function) --------`-------- firefox!NS_internal_main+0x497 [/builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp @ 445]
27 00000049`503ff530 00007ff6`1cfc03c8 firefox!wmain+0x729 [/builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp @ 167]
28 (Inline Function) --------`-------- firefox!invoke_main+0x22 [D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 90]
29 00000049`503ff760 00007ffa`e25626ad firefox!__scrt_common_main_seh+0x10c [D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288]
2a 00000049`503ff7a0 00007ffa`e358aa68 KERNEL32!BaseThreadInitThunk+0x1d
2b 00000049`503ff7d0 00000000`00000000 ntdll!RtlUserThreadStart+0x28
```

No `nsView` involved, but still a use-after-poison.
Yes, sorry, you are correct. I have updated my comment. The call stack looks like this if I wait for an example `mView` to get poisoned:

```
 # Child-SP          RetAddr           Call Site
00 00000049`503fdde8 00007ffa`c4b4f40e VCRUNTIME140!memset+0xbe [D:\a\_work\1\s\src\vctools\crt\vcruntime\src\string\amd64\memset.asm @ 187]
01 (Inline Function) --------`-------- mozglue!MaybePoison+0xa [/builds/worker/checkouts/gecko/memory/build/mozjemalloc.cpp @ 1501]
02 (Inline Function) --------`-------- mozglue!arena_dalloc+0x4a [/builds/worker/checkouts/gecko/memory/build/mozjemalloc.cpp @ 3740]
03 (Inline Function) --------`-------- mozglue!BaseAllocator::free+0x67 [/builds/worker/checkouts/gecko/memory/build/mozjemalloc.cpp @ 4547]
04 (Inline Function) --------`-------- mozglue!Allocator<MozJemallocBase>::free+0x67 [/builds/worker/checkouts/gecko/memory/build/malloc_decls.h @ 54]
05 00000049`503fddf0 00007ffa`353f6d33 mozglue!je_free+0x9e [/builds/worker/checkouts/gecko/memory/build/malloc_decls.h @ 54]
06 (Inline Function) --------`-------- xul!operator delete+0x6 [/builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h @ 51]
07 (Inline Function) --------`-------- xul!NS_DestroyXPTCallStub+0x6 [/builds/worker/checkouts/gecko/xpcom/reflect/xptcall/xptcall.cpp @ 46]
08 (Inline Function) --------`-------- xul!nsAutoXPTCStub::~nsAutoXPTCStub+0x19 [/builds/worker/workspace/obj-build/dist/include/nsXPTCUtils.h @ 30]
09 00000049`503fdee0 00007ffa`353fb538 xul!nsXPCWrappedJS::~nsXPCWrappedJS+0x113 [/builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedJS.cpp @ 445]
0a (Inline Function) --------`-------- xul!nsXPCWrappedJS::DeleteCycleCollectable+0x8 [/builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedJS.cpp @ 314]
0b 00000049`503fdf30 00007ffa`36478b91 xul!nsXPCWrappedJS::cycleCollection::DeleteCycleCollectable+0x18 [/builds/worker/checkouts/gecko/js/xpconnect/src/xpcprivate.h @ 1571]
0c (Inline Function) --------`-------- xul!SnowWhiteKiller::MaybeKillObject+0x4d7 [/builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp @ 2486]
0d (Inline Function) --------`-------- xul!SnowWhiteKiller::Visit+0x9b6 [/builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp @ 2511]
0e 00000049`503fdf60 00007ffa`35188c77 xul!nsPurpleBuffer::VisitEntries<SnowWhiteKiller>+0xb81 [/builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp @ 969]
0f 00000049`503fe0b0 00007ffa`353f45d8 xul!nsCycleCollector::FreeSnowWhiteWithBudget+0xa7 [/builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp @ 2680]
10 (Inline Function) --------`-------- xul!nsCycleCollector_doDeferredDeletionWithBudget+0x4a [/builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp @ 3971]
11 00000049`503fe160 00007ffa`351c53e4 xul!AsyncFreeSnowWhite::Run+0xf8 [/builds/worker/checkouts/gecko/js/xpconnect/src/XPCJSRuntime.cpp @ 158]
12 00000049`503fe270 00007ffa`3648dfcc xul!IdleRunnableWrapper::Run+0x44 [/builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp @ 326]
13 (Inline Function) --------`-------- xul!mozilla::RunnableTask::Run+0x11 [/builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp @ 555]
14 00000049`503fe2b0 00007ffa`364909eb xul!mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal+0x7ac [/builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp @ 879]
15 (Inline Function) --------`-------- xul!mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal+0x2bc [/builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp @ 744]
16 (Inline Function) --------`-------- xul!mozilla::TaskController::ProcessPendingMTTask+0x2c8 [/builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp @ 491]
17 (Inline Function) --------`-------- xul!mozilla::TaskController::TaskController::<lambda_4>::operator()+0x2d4 [/builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp @ 218]
18 00000049`503fe6c0 00007ffa`36204711 xul!mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:218:7'>::Run+0x2fb [/builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h @ 549]
19 (Inline Function) --------`-------- xul!nsThread::ProcessNextEvent+0xb49 [/builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp @ 1240]
1a 00000049`503fe790 00007ffa`364c86bf xul!NS_ProcessNextEvent+0xba1 [/builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp @ 479]
1b 00000049`503feb40 00007ffa`35379e4f xul!mozilla::ipc::MessagePump::Run+0x25f [/builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp @ 85]
1c (Inline Function) --------`-------- xul!MessageLoop::RunInternal+0x16 [/builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc @ 368]
1d 00000049`503fedc0 00007ffa`349cd1de xul!MessageLoop::RunHandler+0x2f [/builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc @ 362]
1e 00000049`503fee10 00007ffa`34b13c58 xul!MessageLoop::Run+0x4e [/builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc @ 344]
1f 00000049`503fee70 00007ffa`34b12b6a xul!nsBaseAppShell::Run+0x28 [/builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp @ 150]
20 00000049`503feeb0 00007ffa`39308eb1 xul!nsAppShell::Run+0x3a [/builds/worker/checkouts/gecko/widget/windows/nsAppShell.cpp @ 615]
21 00000049`503ff030 00007ffa`3937fc02 xul!nsAppStartup::Run+0x41 [/builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp @ 296]
22 00000049`503ff080 00007ffa`39380963 xul!XREMain::XRE_mainRun+0xc12 [/builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp @ 5659]
23 00000049`503ff3a0 00007ffa`36b168fb xul!XREMain::XRE_main+0x323 [/builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp @ 5859]
24 00000049`503ff450 00007ff6`1cfaf319 xul!XRE_main+0x6b [/builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp @ 5915]
25 (Inline Function) --------`-------- firefox!do_main+0xc6 [/builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp @ 227]
26 (Inline Function) --------`-------- firefox!NS_internal_main+0x497 [/builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp @ 445]
27 00000049`503ff530 00007ff6`1cfc03c8 firefox!wmain+0x729 [/builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp @ 167]
28 (Inline Function) --------`-------- firefox!invoke_main+0x22 [D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 90]
29 00000049`503ff760 00007ffa`e25626ad firefox!__scrt_common_main_seh+0x10c [D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288]
2a 00000049`503ff7a0 00007ffa`e358aa68 KERNEL32!BaseThreadInitThunk+0x1d
2b 00000049`503ff7d0 00000000`00000000 ntdll!RtlUserThreadStart+0x28
```

No `nsView` involved, but still a use-after-poison.

Edit: This comment is misleading, again.