1142939 - Shutdown crash in mozilla::layers::CompositorChild::Destroy()

Status: RESOLVED FIXED

(Core :: Graphics: Layers, defect)

Description

[Henrik Skupin [:whimboo][⌚️UTC+1]]

[Tracking Requested - why for this release]:

+++ This bug was initially created as a clone of Bug #1133426 +++

Since the crash on bug 1133426 was fixed we haven't seen any crash anymore on our test machines. But starting with yesterdays Nightly we have this crash back: bp-f623f36f-1832-4fa3-b836-6c3262150313.

And this time it sounds way more critical given that we read a random address:

Crash Reason 	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address 	0x5a5a5a5a

First 10 frames of the stack:

0 	xul.dll 	mozilla::layers::CompositorChild::Destroy() 	gfx/layers/ipc/CompositorChild.cpp
1 	xul.dll 	nsBaseWidget::DestroyCompositor() 	widget/nsBaseWidget.cpp
2 	xul.dll 	nsWindow::EnumAllThreadWindowProc(HWND__*, long) 	widget/windows/nsWindow.cpp
3 	user32.dll 	InternalEnumWindows 	
4 	user32.dll 	EnumThreadWindows 	
5 	xul.dll 	nsWindow::OnPaint(HDC__*, unsigned int) 	widget/windows/nsWindowGfx.cpp
6 	xul.dll 	nsWindow::ProcessMessage(unsigned int, unsigned int&, long&, long*) 	widget/windows/nsWindow.cpp
7 	xul.dll 	nsWindow::WindowProcInternal(HWND__*, unsigned int, unsigned int, long) 	widget/windows/nsWindow.cpp
8 	xul.dll 	CallWindowProcCrashProtected 	xpcom/base/nsCrashOnException.cpp
9 	xul.dll 	nsWindow::WindowProc(HWND__*, unsigned int, unsigned int, long) 	widget/windows/nsWindow.cpp
10 	user32.dll 	InternalCallWinProc 	

This crash can be reproduced by our functional tests as run with Mozmill.

Crash details as reported by crash-stats

Windows 7 	99.67 %	303
Windows 8.1 	0.33 %	1 

Aurora is unaffected so far.

Comment 1

[Henrik Skupin [:whimboo][⌚️UTC+1]]

Maybe caused by the landing of the patch on bug 1125848?

Comment 2

[Henrik Skupin [:whimboo][⌚️UTC+1]]

Pushlog between builds from March 11th and 12th:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=fd8e079d6335&tochange=58c9d079f318

The only patch landed and modifies code in CompositorChild.cpp are indeed the changes from bug 1125848.

Comment 3

[Henrik Skupin [:whimboo][⌚️UTC+1]]

I will make this bug security sensitive for now given that we read random memory.

Comment 4

[Robert Kaiser]

Are you sure that 38 and 37 are unaffected? Bug 1125848 landed on beta for 37.0b4 and is approved for aurora as well.

Comment 5

[Henrik Skupin [:whimboo][⌚️UTC+1]]

The problematic changeset here is https://hg.mozilla.org/mozilla-central/rev/79eab0a3960e, which doesn't seem to have been landed on other branches than Aurora yet, or? Also we haven't seen any crashes on Windows 7 for Aurora yesterday and today.

Comment 6

[Henrik Skupin [:whimboo][⌚️UTC+1]]

Just checked the bug and bug 1125848 comment 48 is about the backout from beta, and as Nicolas said it hasn't been landed in aurora yet.

Comment 7

[Robert Kaiser]

OK, that's a relief. I will watch crash-stats carefully on 37.0b5 though.

Comment 8

[Henrik Skupin [:whimboo][⌚️UTC+1]]

[Tracking Requested - why for this release]:

Backout on mozilla-central happened on bug 1125848 via:
https://hg.mozilla.org/mozilla-central/rev/906c7ac5ac40

Any shutdown crashes for our Mozmill Tests are gone. Also crashstats doesn't show any more crashes with this signature past March 13th. We are good! Thanks.

Comment 9

[Liz Henry (:lizzard) (relman/hg->git project)]

Tracking this for 39 since it's a regression, topcrash, and potential security issue.