crash in mozilla::net::Http2Session::CleanupStream(mozilla::net::Http2Stream*, tag_nsresult, mozilla::net::Http2Session::errorType)

RESOLVED FIXED in Firefox 34

Status


defect
--
critical
RESOLVED FIXED
5 years ago
4 years ago

People

(Reporter: raul.malea, Assigned: mcmanus)

Tracking

({crash})

35 Branch
mozilla36
All
Linux

Firefox Tracking Flags

(firefox33 unaffected, firefox34+ fixed, firefox35 fixed, firefox36 fixed)

Details

(Whiteboard: [spdy], crash signature)

Attachments

(1 attachment)

Reporter

Comment 1

5 years ago
Mozilla/5.0 (X11; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0 ID:20140926185533 CSet: 818f353b7aa6

Extensions:

Adblock Plus 2.6.4
Add-on Compatibility Reporter 2.0.4
Bookmark Duplicate Cleaner 0.2 [DISABLED]
Bookmarks Checker - check for bad links 3.1.1
British English Dictionary 1.19.1
Bugzilla Tweaks 1.12.1.1
Cheevos 1.5 [DISABLED]
Clearly 10.2.1.7
Evernote Web Clipper 5.9.1
feedly 16.0.528
Firebug 2.0.3 [DISABLED]
Firefox OS Simulator 4.0.2 [DISABLED]
FlashGot 1.5.6.5 [DISABLED]
Google Shortcuts 2.1.8.2
Greasemonkey 2.2 [DISABLED]
ImageSearch 0.3.1 [DISABLED]
Lightbeam 1.0.10.2
Mozilla Reps Companion 1.1 [DISABLED]
Mozmill Crowd 0.2 [DISABLED]
Mozmill test Addon initial.rev11 [DISABLED]
Nightly Tester Tools 3.7
openSUSE Firefox Extensions 1.0.2
Pocket 3.0.5
Quick Locale Switcher 1.7.8.5 [DISABLED]
Submit Word 1.1.0
Test Pilot 1.2.3 [DISABLED]
Web Developer 1.2.5 [DISABLED]
Yoono 7.7.29 [DISABLED]
YSlow 3.1.8 [DISABLED]

OS: openSUSE 13.1, KDE 4.14.1
Reporter

Comment 2

5 years ago
about:support

Application Basics
------------------

Name: Firefox
Version: 35.0a1
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0
Multiprocess Windows: 0/1

Crash Reports for the Last 3 Days
---------------------------------

Report ID: bp-64a7341b-c657-4907-bb4c-ff8d52140927
Submitted: 8 minutes ago

Assignee

Updated

5 years ago
Whiteboard: [spdy]
Assignee

Comment 3

5 years ago
same stack - but a clear uaf instead of that null deref from before.. 

https://crash-stats.mozilla.com/report/index/59d294ad-fc4e-4665-a5c4-8efc62141013
Assignee

Comment 4

5 years ago
this is probably a double cleanupStream invocation.. I would guess once via cancel and then once via normal stream EOF on this stack.

we can use the stream ID instead of a stream pointer here.. that's essentially a weak reference to the stream because it needs to be relooked up in the hash table.

crash stats shows a few of these a day, so it ought to be pretty easy to determine if the guess is correct.

https://tbpl.mozilla.org/?tree=Try&rev=9266e0bbb566
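
The approach described in the comment above (re-resolving the stream by ID on each cleanup instead of carrying a stream pointer), as an added illustration that is not the bug's patch or Firefox's code. `Session`, `Stream` and every method name here are hypothetical.

```cpp
// Hypothetical Session/Stream types for illustration; not Firefox's Http2Session.
#include <cstddef>
#include <cstdint>
#include <memory>
#include <unordered_map>

struct Stream { uint32_t id; };

class Session {
 public:
  uint32_t OpenStream() {
    uint32_t id = mNextId;
    mNextId += 2;  // client-initiated HTTP/2 stream IDs are odd
    mStreams.emplace(id, std::make_unique<Stream>(Stream{id}));
    return id;
  }

  // The in-flight DATA frame records its stream by ID, not by Stream*,
  // so the frame state never holds a pointer that can dangle.
  void BeginDataFrame(uint32_t id) { mInputFrameStreamId = id; }

  // Path 1: the consumer cancels the stream.
  bool Cancel(uint32_t id) { return CleanupStream(id); }
  // Path 2: the frame that ends the stream finishes processing.
  bool FinishDataFrame() { return CleanupStream(mInputFrameStreamId); }
  std::size_t LiveStreams() const { return mStreams.size(); }

 private:
  // Re-resolve the ID through the table on every call. A stream that was
  // already torn down is not found, so a second cleanup is a no-op.
  bool CleanupStream(uint32_t id) {
    auto it = mStreams.find(id);
    if (it == mStreams.end()) return false;
    mStreams.erase(it);  // unique_ptr frees the Stream exactly once
    return true;
  }

  std::unordered_map<uint32_t, std::unique_ptr<Stream>> mStreams;
  uint32_t mNextId = 1;
  uint32_t mInputFrameStreamId = 0;  // stream 0 is never a request stream
};

int main() {
  Session s;
  uint32_t id = s.OpenStream();
  s.BeginDataFrame(id);
  s.Cancel(id);                        // first cleanup frees the stream
  return s.FinishDataFrame() ? 1 : 0;  // second cleanup must be ignored
}
```
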
Assignee

Updated

5 years ago
Assignee: nobody → mcmanus
Status: NEW → ASSIGNED
I experienced this issue using cloud.feedly.com (from time to time)
crash report:
https://crash-stats.mozilla.com/report/index/7a184376-0acd-4290-8d9a-4d89b2141020
Reporter

Comment 8

5 years ago
Hmm, I think the Feedly addon caused this crash (I used this addon too, see my crash signature).

Comment 9

5 years ago
Comment on attachment 8504103 [details] [diff] [review]
http2session::cleanupstream failure

Review of attachment 8504103 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM.

::: netwerk/protocol/http/Http2Session.cpp
@@ +2590,5 @@
>        mDownstreamState = PROCESSING_DATA_FRAME;
>  
>        if (mInputFrameDataRead == mInputFrameDataSize)
>          ResetDownstreamState();
> +      LOG3(("Http2Session::WriteSegments session=%p 0x%X "
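
Review bot: the brace-less `if (mInputFrameDataRead == mInputFrameDataSize)` directly above the added LOG3 leaves only indentation to show that the log runs unconditionally rather than as part of the `if`; bracing the `ResetDownstreamState();` body would make that explicit. Because the log now executes after a possible ResetDownstreamState() call, it should print only values that do not depend on the state being reset, and the bare `0x%X` in the format string would be clearer with a label such as `stream=0x%X`.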

Maybe call out that the 0x%X is a stream id, since it's less obvious now that we're not dumping a stream=%p in the log, too? Not critical, though.
Attachment #8504103 - Flags: review?(hurley) → review+
https://hg.mozilla.org/mozilla-central/rev/73b167114b73
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
Patrick, can we have an uplift request for aurora? thanks
Flags: needinfo?(mcmanus)
Assignee

Comment 13

5 years ago
(In reply to Sylvestre Ledru [:sylvestre] from comment #12)
> Patrick, can we have an uplift request for aurora? thanks

I'm going to wait a day or two until crash stats can verify the fix as there is no reliable str. It should also go to beta.
Flags: needinfo?(mcmanus)
Assignee

Comment 14

5 years ago
crash stats shows this happening for build ids
       ff35  ff36
10/20    y     y
10/21    y     n

the fix is first included in the ff 36 10/21 build, so I think we can call that verified and the uplifts should commence.
Assignee

Comment 15

5 years ago
Comment on attachment 8504103 [details] [diff] [review]
http2session::cleanupstream failure

Approval Request Comment
[Feature/regressing bug #]: 1047594 (http2 support)
[User impact if declined]: random crashes
[Describe test coverage new/current, TBPL]: no str for the race condition but crash stats verifies fix in nightly
[Risks and why]: med-low risk solves crasher. this feature is first enabled on gecko 34
[String/UUID change made/needed]: none
Attachment #8504103 - Flags: approval-mozilla-beta?
Attachment #8504103 - Flags: approval-mozilla-aurora?
Reporter

Comment 16

5 years ago
Good job! Congratulations to all! :)
Comment on attachment 8504103 [details] [diff] [review]
http2session::cleanupstream failure

Let's see if we can prove that this fixes the issue on Beta and Aurora as well. a+
Attachment #8504103 - Flags: approval-mozilla-beta?
Attachment #8504103 - Flags: approval-mozilla-beta+
Attachment #8504103 - Flags: approval-mozilla-aurora?
Attachment #8504103 - Flags: approval-mozilla-aurora+
I just received a crash in today's x64 Nightly for Windows that pointed me here:
https://crash-stats.mozilla.com/report/index/37af1683-28f5-4d49-a2a3-259432141027

It was preceded by this one:
https://crash-stats.mozilla.com/report/index/de05e2dd-784d-4146-9941-e32752141027

Not sure if they are related to this bug or not, but I haven't had another one yet.
(In reply to Brian Carpenter [:geeknik] from comment #19)
> I just received a crash in today's x64 Nightly for Windows that pointed me
> here:
> https://crash-stats.mozilla.com/report/index/37af1683-28f5-4d49-a2a3-259432141027
> 
> It was preceded by this one:
> https://crash-stats.mozilla.com/report/index/de05e2dd-784d-4146-9941-e32752141027
> 
> Not sure if they are related to this bug or not, but I haven't had another
> one yet.

Same for me as well.
https://crash-stats.mozilla.com/report/index/0a679810-792a-4308-aa33-db0a12141027
https://crash-stats.mozilla.com/report/index/5f328861-8884-48cc-8efa-b97462141027
Flags: needinfo?(mcmanus)
Assignee

Comment 21

5 years ago
see 1089749 - it's not this bug
Flags: needinfo?(mcmanus)

Comment 22

5 years ago
Firefox Nightly 37 still has this bug:

https://crash-stats.mozilla.com/report/index/b4af7b17-0276-4abb-8fcb-c6dc42141212 (FF has crashed during browsing of YouTube videos.)

Patrick, could you please check it? Why has this error revived?
Flags: needinfo?(mcmanus)
Assignee

Comment 23

5 years ago
thanks for the bit about yt - that's helpful.

865314 relanded - apparently there was more than one root cause in there the first time. It has already been backed out - you should only see this in 1 december nightly.
Flags: needinfo?(mcmanus)

Comment 24

5 years ago
Yes, it is YouTube. This bug crashes my Nightly over and over again. Twice in a row just now, one of which immediately after I restarted the browser:

https://crash-stats.mozilla.com/report/index/589934fa-6a2b-40c0-bb34-785652141213
https://crash-stats.mozilla.com/report/index/384a3dc8-17d8-45ad-82bf-b126d2141213

It's a bad bug, it borders on making Nightly unusable.
Depends on: 1111207

Comment 25

5 years ago
Latest Nightly, x64, without e10s turned on, built from https://hg.mozilla.org/mozilla-central/rev/5288b15d22de , crash in https://crash-stats.mozilla.com/report/index/58124c9f-e9ad-4c74-a222-dd9ab2141213 .

Usually I can crash it entering http://play.google.com and trying to sign in. Either it crashes right away or after a while.
Flags: needinfo?(mcmanus)

Comment 26

5 years ago
Something is going on with the Nightly and Google (judging from previous comments...)

https://crash-stats.mozilla.com/report/index/bp-15f35878-9f43-45d1-a818-7ee0b2141213
https://crash-stats.mozilla.com/report/index/afe7b1d4-ac7b-430a-8166-a13872141213

Both times, I was just using Gmail, reading mail.

The second time, I had just finished reading my mail, and as I closed the tab, it crashed on me.

OK, so as I'm filling this out, I get a new build.  :/  I'll see what's happening with this one.

Win 64-bit, 64-bit Nightly.
Assignee

Comment 27

5 years ago
please see comment 23, there has been a backout for this already.
Flags: needinfo?(mcmanus)
Assignee

Updated

5 years ago
Blocks: 865314

Comment 28

5 years ago
Ok the part "you should only see this in 1 december nightly" got me confused.

If it still crashes after tomorrow I'll re-ping, but I'm guessing it will be fixed on today's nightly.
Assignee

Updated

5 years ago
Depends on: 1111217

Comment 29

5 years ago
Confirmed fixed. Sorry for the noise and thank you for your time :)