Closed
Bug 1142939
Opened 10 years ago
Closed 10 years ago
Shutdown crash in mozilla::layers::CompositorChild::Destroy()
Categories
(Core :: Graphics: Layers, defect)
Tracking
RESOLVED
FIXED
mozilla39
| | Tracking | Status |
|---|---|---|
| firefox38 | --- | unaffected |
| firefox39 | + | fixed |
| firefox-esr31 | --- | unaffected |
People
(Reporter: whimboo, Assigned: nical)
Details
(Keywords: crash, regression, topcrash-win, Whiteboard: [mozmill][tbird crash][fixed by bug 1125848])
Crash Data
[Tracking Requested - why for this release]:
+++ This bug was initially created as a clone of Bug #1133426 +++
Since the crash on bug 1133426 was fixed we haven't seen any crashes on our test machines. But starting with yesterday's Nightly we have this crash back: bp-f623f36f-1832-4fa3-b836-6c3262150313.
And this time it sounds way more critical given that we read a random address:
Crash Reason EXCEPTION_ACCESS_VIOLATION_READ
Crash Address 0x5a5a5a5a
First 10 frames of the stack:
0 xul.dll mozilla::layers::CompositorChild::Destroy() gfx/layers/ipc/CompositorChild.cpp
1 xul.dll nsBaseWidget::DestroyCompositor() widget/nsBaseWidget.cpp
2 xul.dll nsWindow::EnumAllThreadWindowProc(HWND__*, long) widget/windows/nsWindow.cpp
3 user32.dll InternalEnumWindows
4 user32.dll EnumThreadWindows
5 xul.dll nsWindow::OnPaint(HDC__*, unsigned int) widget/windows/nsWindowGfx.cpp
6 xul.dll nsWindow::ProcessMessage(unsigned int, unsigned int&, long&, long*) widget/windows/nsWindow.cpp
7 xul.dll nsWindow::WindowProcInternal(HWND__*, unsigned int, unsigned int, long) widget/windows/nsWindow.cpp
8 xul.dll CallWindowProcCrashProtected xpcom/base/nsCrashOnException.cpp
9 xul.dll nsWindow::WindowProc(HWND__*, unsigned int, unsigned int, long) widget/windows/nsWindow.cpp
10 user32.dll InternalCallWinProc
This crash can be reproduced by our functional tests as run with Mozmill.
Crash details as reported by crash-stats
Windows 7 99.67 % 303
Windows 8.1 0.33 % 1
Aurora is unaffected so far.
Reporter
Comment 1 • 10 years ago
Maybe caused by the landing of the patch on bug 1125848?
Flags: needinfo?(nical.bugzilla)
Keywords: regression, regressionwindow-wanted
Reporter
Comment 2 • 10 years ago
Pushlog between builds from March 11th and 12th:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=fd8e079d6335&tochange=58c9d079f318
The only patch that landed and modifies code in CompositorChild.cpp is indeed the change from bug 1125848.
Reporter
Comment 3 • 10 years ago
I will make this bug security sensitive for now given that we read random memory.
Assignee
Updated • 10 years ago
Assignee: nobody → nical.bugzilla
Flags: needinfo?(nical.bugzilla)
Comment 4 • 10 years ago
Are you sure that 38 and 37 are unaffected? Bug 1125848 landed on beta for 37.0b4 and is approved for aurora as well.
Reporter
Comment 5 • 10 years ago
The problematic changeset here is https://hg.mozilla.org/mozilla-central/rev/79eab0a3960e, which doesn't seem to have landed on branches other than Aurora yet, right? Also, we haven't seen any crashes on Windows 7 for Aurora yesterday and today.
Reporter
Comment 6 • 10 years ago
Just checked the bug and bug 1125848 comment 48 is about the backout from beta, and as Nicolas said it hasn't been landed in aurora yet.
Comment 7 • 10 years ago
OK, that's a relief. I will watch crash-stats carefully on 37.0b5 though.
Updated • 10 years ago
Whiteboard: [mozmill] → [mozmill][tbird crash]
Reporter
Comment 8 • 10 years ago
[Tracking Requested - why for this release]:
Backout on mozilla-central happened on bug 1125848 via:
https://hg.mozilla.org/mozilla-central/rev/906c7ac5ac40
Any shutdown crashes for our Mozmill Tests are gone. Also crashstats doesn't show any more crashes with this signature past March 13th. We are good! Thanks.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Whiteboard: [mozmill][tbird crash] → [mozmill][tbird crash][fixed by bug 1125848]
Target Milestone: --- → mozilla39
Comment 9 • 10 years ago
Tracking this for 39 since it's a regression, topcrash, and potential security issue.
Updated • 10 years ago
Group: core-security
status-firefox-esr31: --- → unaffected