Shutdown crash in mozilla::layers::CompositorChild::Destroy()

RESOLVED FIXED in Firefox 39

Status

Product: Core
Component: Graphics: Layers
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 3 years ago
Modified: 3 years ago

People

Reporter: whimboo
Assigned: nical

Tracking

Version: 39 Branch
Target Milestone: mozilla39
Platform: All, Windows 7
Keywords: crash, regression, topcrash-win

Firefox Tracking Flags

firefox38 unaffected, firefox39+ fixed, firefox-esr31 unaffected

Details

Whiteboard: [mozmill][tbird crash][fixed by bug 1125848]

[Tracking Requested - why for this release]:

+++ This bug was initially created as a clone of Bug #1133426 +++

Since the crash on bug 1133426 was fixed we haven't seen any crash anymore on our test machines. But starting with yesterday's Nightly we have this crash back: bp-f623f36f-1832-4fa3-b836-6c3262150313.

And this time it sounds way more critical given that we read a random address:

Crash Reason 	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address 	0x5a5a5a5a

First 10 frames of the stack:

0 	xul.dll 	mozilla::layers::CompositorChild::Destroy() 	gfx/layers/ipc/CompositorChild.cpp
1 	xul.dll 	nsBaseWidget::DestroyCompositor() 	widget/nsBaseWidget.cpp
2 	xul.dll 	nsWindow::EnumAllThreadWindowProc(HWND__*, long) 	widget/windows/nsWindow.cpp
3 	user32.dll 	InternalEnumWindows 	
4 	user32.dll 	EnumThreadWindows 	
5 	xul.dll 	nsWindow::OnPaint(HDC__*, unsigned int) 	widget/windows/nsWindowGfx.cpp
6 	xul.dll 	nsWindow::ProcessMessage(unsigned int, unsigned int&, long&, long*) 	widget/windows/nsWindow.cpp
7 	xul.dll 	nsWindow::WindowProcInternal(HWND__*, unsigned int, unsigned int, long) 	widget/windows/nsWindow.cpp
8 	xul.dll 	CallWindowProcCrashProtected 	xpcom/base/nsCrashOnException.cpp
9 	xul.dll 	nsWindow::WindowProc(HWND__*, unsigned int, unsigned int, long) 	widget/windows/nsWindow.cpp
10 	user32.dll 	InternalCallWinProc 	

This crash can be reproduced by our functional tests as run with Mozmill.

Crash details as reported by crash-stats

Windows 7 	99.67 %	303
Windows 8.1 	0.33 %	1 

Aurora is unaffected so far.
Maybe caused by the landing of the patch on bug 1125848?
Flags: needinfo?(nical.bugzilla)
Keywords: regression, regressionwindow-wanted
Pushlog between builds from March 11th and 12th:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=fd8e079d6335&tochange=58c9d079f318

The only patch that landed and modifies code in CompositorChild.cpp is indeed the one from bug 1125848.
I will make this bug security sensitive for now given that we read random memory.
Blocks: 1125848
Group: core-security
Keywords: regressionwindow-wanted
(Assignee)

Updated

3 years ago
Assignee: nobody → nical.bugzilla
Flags: needinfo?(nical.bugzilla)

Comment 4

3 years ago
Are you sure that 38 and 37 are unaffected? Bug 1125848 landed on beta for 37.0b4 and is approved for aurora as well.
The problematic changeset here is https://hg.mozilla.org/mozilla-central/rev/79eab0a3960e, which doesn't seem to have been landed on other branches than Aurora yet, or? Also we haven't seen any crashes on Windows 7 for Aurora yesterday and today.
Just checked the bug and bug 1125848 comment 48 is about the backout from beta, and as Nicolas said it hasn't been landed in aurora yet.

Comment 7

3 years ago
OK, that's a relief. I will watch crash-stats carefully on 37.0b5 though.

Updated

3 years ago
Whiteboard: [mozmill] → [mozmill][tbird crash]
[Tracking Requested - why for this release]:

Backout on mozilla-central happened on bug 1125848 via:
https://hg.mozilla.org/mozilla-central/rev/906c7ac5ac40

Any shutdown crashes for our Mozmill Tests are gone. Also crashstats doesn't show any more crashes with this signature past March 13th. We are good! Thanks.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
status-firefox39: affected → fixed
Resolution: --- → FIXED
Whiteboard: [mozmill][tbird crash] → [mozmill][tbird crash][fixed by bug 1125848]
Target Milestone: --- → mozilla39
Tracking this for 39 since it's a regression, topcrash, and potential security issue.
tracking-firefox39: ? → +
Group: core-security
status-firefox-esr31: --- → unaffected