[Tracking Requested - why for this release]: +++ This bug was initially created as a clone of Bug #1133426 +++ Since the crash on bug 1133426 was fixed we haven't seen any crash anymore on our test machines. But starting with yesterdays Nightly we have this crash back: bp-f623f36f-1832-4fa3-b836-6c3262150313. And this time it sounds way more critical given that we read a random address: Crash Reason EXCEPTION_ACCESS_VIOLATION_READ Crash Address 0x5a5a5a5a First 10 frames of the stack: 0 xul.dll mozilla::layers::CompositorChild::Destroy() gfx/layers/ipc/CompositorChild.cpp 1 xul.dll nsBaseWidget::DestroyCompositor() widget/nsBaseWidget.cpp 2 xul.dll nsWindow::EnumAllThreadWindowProc(HWND__*, long) widget/windows/nsWindow.cpp 3 user32.dll InternalEnumWindows 4 user32.dll EnumThreadWindows 5 xul.dll nsWindow::OnPaint(HDC__*, unsigned int) widget/windows/nsWindowGfx.cpp 6 xul.dll nsWindow::ProcessMessage(unsigned int, unsigned int&, long&, long*) widget/windows/nsWindow.cpp 7 xul.dll nsWindow::WindowProcInternal(HWND__*, unsigned int, unsigned int, long) widget/windows/nsWindow.cpp 8 xul.dll CallWindowProcCrashProtected xpcom/base/nsCrashOnException.cpp 9 xul.dll nsWindow::WindowProc(HWND__*, unsigned int, unsigned int, long) widget/windows/nsWindow.cpp 10 user32.dll InternalCallWinProc This crash can be reproduced by our functional tests as run with Mozmill. Crash details as reported by crash-stats Windows 7 99.67 % 303 Windows 8.1 0.33 % 1 Aurora is unaffected so far.
Maybe caused by the landing of the patch on bug 1125848?
Pushlog between builds from March 11th and 12th: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=fd8e079d6335&tochange=58c9d079f318 The only patch landed and modifies code in CompositorChild.cpp are indeed the changes from bug 1125848.
I will make this bug security sensitive for now given that we read random memory.
Are you sure that 38 and 37 are unaffected? Bug 1125848 landed on beta for 37.0b4 and is approved for aurora as well.
The problematic changeset here is https://hg.mozilla.org/mozilla-central/rev/79eab0a3960e, which doesn't seem to have been landed on other branches than Aurora yet, or? Also we haven't seen any crashes on Windows 7 for Aurora yesterday and today.
Just checked the bug and bug 1125848 comment 48 is about the backout from beta, and as Nicolas said it hasn't been landed in aurora yet.
OK, that's a relief. I will watch crash-stats carefully on 37.0b5 though.
[Tracking Requested - why for this release]: Backout on mozilla-central happened on bug 1125848 via: https://hg.mozilla.org/mozilla-central/rev/906c7ac5ac40 Any shutdown crashes for our Mozmill Tests are gone. Also crashstats doesn't show any more crashes with this signature past March 13th. We are good! Thanks.
Tracking this for 39 since it's a regression, topcrash, and potential security issue.