Shutdown crash in mozilla::layers::CompositorChild::Destroy()

RESOLVED FIXED in Firefox 39

Status

critical
RESOLVED FIXED
4 years ago
4 years ago

People

(Reporter: whimboo, Assigned: nical)

Tracking

({crash, regression, topcrash-win})

39 Branch
mozilla39
All
Windows 7

Firefox Tracking Flags

(firefox38 unaffected, firefox39+ fixed, firefox-esr31 unaffected)

Details

(Whiteboard: [mozmill][tbird crash][fixed by bug 1125848], crash signature, URL)

(Reporter)

Description

4 years ago
[Tracking Requested - why for this release]:

+++ This bug was initially created as a clone of Bug #1133426 +++

Since the crash on bug 1133426 was fixed we haven't seen any crashes on our test machines. But starting with yesterday's Nightly we have this crash back: bp-f623f36f-1832-4fa3-b836-6c3262150313.

And this time it sounds way more critical given that we read a random address:

Crash Reason 	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address 	0x5a5a5a5a

First 10 frames of the stack:

0 	xul.dll 	mozilla::layers::CompositorChild::Destroy() 	gfx/layers/ipc/CompositorChild.cpp
1 	xul.dll 	nsBaseWidget::DestroyCompositor() 	widget/nsBaseWidget.cpp
2 	xul.dll 	nsWindow::EnumAllThreadWindowProc(HWND__*, long) 	widget/windows/nsWindow.cpp
3 	user32.dll 	InternalEnumWindows 	
4 	user32.dll 	EnumThreadWindows 	
5 	xul.dll 	nsWindow::OnPaint(HDC__*, unsigned int) 	widget/windows/nsWindowGfx.cpp
6 	xul.dll 	nsWindow::ProcessMessage(unsigned int, unsigned int&, long&, long*) 	widget/windows/nsWindow.cpp
7 	xul.dll 	nsWindow::WindowProcInternal(HWND__*, unsigned int, unsigned int, long) 	widget/windows/nsWindow.cpp
8 	xul.dll 	CallWindowProcCrashProtected 	xpcom/base/nsCrashOnException.cpp
9 	xul.dll 	nsWindow::WindowProc(HWND__*, unsigned int, unsigned int, long) 	widget/windows/nsWindow.cpp
10 	user32.dll 	InternalCallWinProc 	

This crash can be reproduced by our functional tests as run with Mozmill.

Crash details as reported by crash-stats

Windows 7 	99.67 %	303
Windows 8.1 	0.33 %	1 

Aurora is unaffected so far.
(Reporter)

Comment 1

4 years ago
Maybe caused by the landing of the patch on bug 1125848?
Flags: needinfo?(nical.bugzilla)
Keywords: regression, regressionwindow-wanted
(Reporter)

Comment 2

4 years ago
Pushlog between builds from March 11th and 12th:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=fd8e079d6335&tochange=58c9d079f318

The only patch that landed and modifies code in CompositorChild.cpp is indeed the change from bug 1125848.
(Reporter)

Comment 3

4 years ago
I will make this bug security sensitive for now given that we read random memory.
Blocks: 1125848
Group: core-security
Keywords: regressionwindow-wanted
(Assignee)

Updated

4 years ago
Assignee: nobody → nical.bugzilla
Flags: needinfo?(nical.bugzilla)

Comment 4

4 years ago
Are you sure that 38 and 37 are unaffected? Bug 1125848 landed on beta for 37.0b4 and is approved for aurora as well.
(Reporter)

Comment 5

4 years ago
The problematic changeset here is https://hg.mozilla.org/mozilla-central/rev/79eab0a3960e, which doesn't seem to have landed on branches other than Aurora yet, or has it? Also we haven't seen any crashes on Windows 7 for Aurora yesterday and today.
(Reporter)

Comment 6

4 years ago
Just checked the bug and bug 1125848 comment 48 is about the backout from beta, and as Nicolas said it hasn't been landed in aurora yet.

Comment 7

4 years ago
OK, that's a relief. I will watch crash-stats carefully on 37.0b5 though.

Updated

4 years ago
Whiteboard: [mozmill] → [mozmill][tbird crash]
(Reporter)

Comment 8

4 years ago
[Tracking Requested - why for this release]:

Backout on mozilla-central happened on bug 1125848 via:
https://hg.mozilla.org/mozilla-central/rev/906c7ac5ac40

Any shutdown crashes for our Mozmill Tests are gone. Also crashstats doesn't show any more crashes with this signature past March 13th. We are good! Thanks.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
status-firefox39: affected → fixed
Resolution: --- → FIXED
Whiteboard: [mozmill][tbird crash] → [mozmill][tbird crash][fixed by bug 1125848]
Target Milestone: --- → mozilla39
Tracking this for 39 since it's a regression, topcrash, and potential security issue.
tracking-firefox39: ? → +
Group: core-security
status-firefox-esr31: --- → unaffected