Closed Bug 1142939 Opened 6 years ago Closed 6 years ago

Shutdown crash in mozilla::layers::CompositorChild::Destroy()


(Core :: Graphics: Layers, defect)

39 Branch
Windows 7
Not set



Tracking Status
firefox38 --- unaffected
firefox39 + fixed
firefox-esr31 --- unaffected


(Reporter: whimboo, Assigned: nical)




(Keywords: crash, regression, topcrash-win, Whiteboard: [mozmill][tbird crash][fixed by bug 1125848])

Crash Data

[Tracking Requested - why for this release]:

+++ This bug was initially created as a clone of Bug #1133426 +++

Since the crash on bug 1133426 was fixed we haven't seen any crash anymore on our test machines. But starting with yesterdays Nightly we have this crash back: bp-f623f36f-1832-4fa3-b836-6c3262150313.

And this time it sounds way more critical given that we read a random address:

Crash Address 	0x5a5a5a5a

First 10 frames of the stack:

0 	xul.dll 	mozilla::layers::CompositorChild::Destroy() 	gfx/layers/ipc/CompositorChild.cpp
1 	xul.dll 	nsBaseWidget::DestroyCompositor() 	widget/nsBaseWidget.cpp
2 	xul.dll 	nsWindow::EnumAllThreadWindowProc(HWND__*, long) 	widget/windows/nsWindow.cpp
3 	user32.dll 	InternalEnumWindows 	
4 	user32.dll 	EnumThreadWindows 	
5 	xul.dll 	nsWindow::OnPaint(HDC__*, unsigned int) 	widget/windows/nsWindowGfx.cpp
6 	xul.dll 	nsWindow::ProcessMessage(unsigned int, unsigned int&, long&, long*) 	widget/windows/nsWindow.cpp
7 	xul.dll 	nsWindow::WindowProcInternal(HWND__*, unsigned int, unsigned int, long) 	widget/windows/nsWindow.cpp
8 	xul.dll 	CallWindowProcCrashProtected 	xpcom/base/nsCrashOnException.cpp
9 	xul.dll 	nsWindow::WindowProc(HWND__*, unsigned int, unsigned int, long) 	widget/windows/nsWindow.cpp
10 	user32.dll 	InternalCallWinProc 	

This crash can be reproduced by our functional tests as run with Mozmill.

Crash details as reported by crash-stats

Windows 7 	99.67 %	303
Windows 8.1 	0.33 %	1 

Aurora is unaffected so far.
Maybe caused by the landing of the patch on bug 1125848?
Flags: needinfo?(nical.bugzilla)
Pushlog between builds from March 11th and 12th:

The only patch landed and modifies code in CompositorChild.cpp are indeed the changes from bug 1125848.
I will make this bug security sensitive for now given that we read random memory.
Blocks: 1125848
Group: core-security
Assignee: nobody → nical.bugzilla
Flags: needinfo?(nical.bugzilla)
Are you sure that 38 and 37 are unaffected? Bug 1125848 landed on beta for 37.0b4 and is approved for aurora as well.
The problematic changeset here is, which doesn't seem to have been landed on other branches than Aurora yet, or? Also we haven't seen any crashes on Windows 7 for Aurora yesterday and today.
Just checked the bug and bug 1125848 comment 48 is about the backout from beta, and as Nicolas said it hasn't been landed in aurora yet.
OK, that's a relief. I will watch crash-stats carefully on 37.0b5 though.
Whiteboard: [mozmill] → [mozmill][tbird crash]
[Tracking Requested - why for this release]:

Backout on mozilla-central happened on bug 1125848 via:

Any shutdown crashes for our Mozmill Tests are gone. Also crashstats doesn't show any more crashes with this signature past March 13th. We are good! Thanks.
Closed: 6 years ago
Resolution: --- → FIXED
Whiteboard: [mozmill][tbird crash] → [mozmill][tbird crash][fixed by bug 1125848]
Target Milestone: --- → mozilla39
Tracking this for 39 since it's a regression, topcrash, and potential security issue.
Group: core-security
You need to log in before you can comment on or make changes to this bug.