Closed Bug 1073825 Opened 9 years ago Closed 9 years ago

crash in mozilla::net::Http2Session::CleanupStream(mozilla::net::Http2Stream*, tag_nsresult, mozilla::net::Http2Session::errorType)


(Core :: Networking: HTTP, defect)

35 Branch
Not set



Tracking Status
firefox33 --- unaffected
firefox34 + fixed
firefox35 --- fixed
firefox36 --- fixed


(Reporter: raul.malea, Assigned: mcmanus)



(Keywords: crash, Whiteboard: [spdy])

Crash Data


(1 file)

Mozilla/5.0 (X11; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0 ID:20140926185533 CSet: 818f353b7aa6


Adblock Plus 2.6.4
Add-on Compatibility Reporter 2.0.4
Bookmark Duplicate Cleaner 0.2 [DISABLED]
Bookmarks Checker - check for bad links 3.1.1
British English Dictionary 1.19.1
Bugzilla Tweaks
Cheevos 1.5 [DISABLED]
Evernote Web Clipper 5.9.1
feedly 16.0.528
Firebug 2.0.3 [DISABLED]
Firefox OS Simulator 4.0.2 [DISABLED]
Google Shortcuts
Greasemonkey 2.2 [DISABLED]
ImageSearch 0.3.1 [DISABLED]
Mozilla Reps Companion 1.1 [DISABLED]
Mozmill Crowd 0.2 [DISABLED]
Mozmill test Addon initial.rev11 [DISABLED]
Nightly Tester Tools 3.7
openSUSE Firefox Extensions 1.0.2
Pocket 3.0.5
Quick Locale Switcher [DISABLED]
Submit Word 1.1.0
Test Pilot 1.2.3 [DISABLED]
Web Developer 1.2.5 [DISABLED]
Yoono 7.7.29 [DISABLED]
YSlow 3.1.8 [DISABLED]

OS: openSUSE 13.1, KDE 4.14.1

Application Basics

Name: Firefox
Version: 35.0a1
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0
Multiprocess Windows: 0/1

Crash Reports for the Last 3 Days

Report ID: bp-64a7341b-c657-4907-bb4c-ff8d52140927
Submitted: 8 minutes ago

All Crash Reports


Name: Adblock Plus
Version: 2.6.4
Enabled: true
ID: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

Name: Add-on Compatibility Reporter
Version: 2.0.4
Enabled: true

Name: Bookmarks Checker - check for bad links
Version: 3.1.1
Enabled: true

Name: British English Dictionary
Version: 1.19.1
Enabled: true

Name: Bugzilla Tweaks
Enabled: true
ID: jid0-qBnIpLfDFa4LpdrjhAC6vBqN20Q@jetpack

Name: Clearly
Enabled: true

Name: Evernote Web Clipper
Version: 5.9.1
Enabled: true
ID: {E0B8C461-F8FB-49b4-8373-FE32E9252800}

Name: feedly
Version: 16.0.528
Enabled: true
ID: feedly@devhd

Name: Google Shortcuts
Enabled: true
ID: {5C46D283-ABDE-4dce-B83C-08881401921C}

Name: Lightbeam
Enabled: true
ID: jid1-F9UJ2thwoAm5gQ@jetpack

Name: Nightly Tester Tools
Version: 3.7
Enabled: true
ID: {8620c15f-30dc-4dba-a131-7c5d20cf4a29}

Name: openSUSE Firefox Extensions
Version: 1.0.2
Enabled: true

Name: Pocket
Version: 3.0.5
Enabled: true

Name: Submit Word
Version: 1.1.0
Enabled: true

Name: Bookmark Duplicate Cleaner
Version: 0.2
Enabled: false

Name: Cheevos
Version: 1.5
Enabled: false
ID: jid1-bpzDizt9E1R7nw@jetpack

Name: Firebug
Version: 2.0.3
Enabled: false

Name: Firefox OS Simulator
Version: 4.0.2
Enabled: false

Name: FlashGot
Enabled: false
ID: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}

Name: Greasemonkey
Version: 2.2
Enabled: false
ID: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}

Name: ImageSearch
Version: 0.3.1
Enabled: false
ID: jid1-NOlwYOe3E3vApg@jetpack

Name: Mozilla Reps Companion
Version: 1.1
Enabled: false
ID: jid1-4QxcVDv2lBVyfQ@jetpack

Name: Mozmill Crowd
Version: 0.2
Enabled: false

Name: Mozmill test Addon
Version: initial.rev11
Enabled: false
ID: jid0-eXBmaisIIhuqsxKsdxROTr5TCwc@jetpack

Name: Quick Locale Switcher
Enabled: false
ID: {25A1388B-6B18-46c3-BEBA-A81915D0DE8F}

Name: Test Pilot
Version: 1.2.3
Enabled: false

Name: Web Developer
Version: 1.2.5
Enabled: false
ID: {c45c406e-ab73-11d8-be73-000a95be3b12}

Name: Yoono
Version: 7.7.29
Enabled: false
ID: {d9284e50-81fc-11da-a72b-0800200c9a66}

Name: YSlow
Version: 3.1.8
Enabled: false


Adapter Description: NVIDIA Corporation -- GeForce GTX 560 Ti/PCIe/SSE2
Device ID: GeForce GTX 560 Ti/PCIe/SSE2
Driver Version: 4.4.0 NVIDIA 340.32
GPU Accelerated Windows: 0/1 Basic
Vendor ID: NVIDIA Corporation
WebGL Renderer: NVIDIA Corporation -- GeForce GTX 560 Ti/PCIe/SSE2
windowLayerManagerRemote: false
AzureCanvasBackend: cairo
AzureContentBackend: cairo
AzureFallbackCanvasBackend: none
AzureSkiaAccelerated: 0

Important Modified Preferences

accessibility.typeaheadfind: true
accessibility.typeaheadfind.flashBar: 0
browser.cache.disk.capacity: 358400
browser.cache.disk.smart_size_cached_value: 358400
browser.cache.disk.smart_size.first_run: false
browser.cache.disk.smart_size.use_old_max: false
browser.cache.frecency_experiment: 1
browser.fixup.domainwhitelist.8675309: true
browser.places.importBookmarksHTML: false
browser.places.smartBookmarksVersion: 7
browser.sessionstore.upgradeBackup.latestBuildID: 20140926030202
browser.startup.homepage: about:home
browser.startup.homepage_override.buildID: 20140926185533
browser.startup.homepage_override.mstone: 35.0a1
dom.mozApps.used: true
extensions.lastAppVersion: 35.0a1 DejaVu Serif Times New Roman
media.gmp-gmpopenh264.lastUpdate: 1405887411
media.gmp-gmpopenh264.path: /home/oscarmrn/.mozilla/firefox/81hjddfl.default/gmp-gmpopenh264
media.gmp-gmpopenh264.version: 1.0
media.gmp-manager.lastCheck: 1411833623
network.cookie.prefsMigrated: true
places.database.lastMaintenance: 1411833624
places.history.expiration.transient_current_max_pages: 68041
plugin.disable_full_page_plugin_for_types: application/pdf
plugin.importedState: true
plugin.state.libnpgoogletalk: 2
plugin.state.libnpo1d: 2
print.print_bgcolor: false
print.print_bgimages: false
print.print_colorspace: default
print.print_downloadfonts: false
print.print_evenpages: true
print.print_in_color: true
print.print_margin_bottom: 0.5
print.print_margin_left: 0.5
print.print_margin_right: 0.5
print.print_margin_top: 0.5
print.print_oddpages: true
print.print_orientation: 0
print.print_page_delay: 50
print.print_paper_data: 0
print.print_paper_height: 297.00
print.print_paper_name: iso_a4
print.print_paper_size_type: 1
print.print_paper_size_unit: 1
print.print_paper_width: 210.00
print.print_plex_name: default
print.print_resolution_name: default
print.print_scaling: 1.00
print.print_shrink_to_fit: false
print.print_to_file: false
print.print_unwriteable_margin_bottom: 22
print.print_unwriteable_margin_left: 25
print.print_unwriteable_margin_right: 25
print.print_unwriteable_margin_top: 22
privacy.donottrackheader.enabled: true
privacy.donottrackheader.value: 0
privacy.sanitize.migrateFx3Prefs: true
storage.vacuum.last.index: 1
storage.vacuum.last.places.sqlite: 1409484056

Important Locked Preferences


Incremental GC: true


Activated: false
Prevent Accessibility: 0

Library Versions

Expected minimum version: 4.10.7
Version in use: 4.10.7

Expected minimum version: 3.17.1 Basic ECC
Version in use: 3.17.1 Basic ECC

Expected minimum version: 3.17.1 Basic ECC
Version in use: 3.17.1 Basic ECC

Expected minimum version: 3.17.1 Basic ECC
Version in use: 3.17.1 Basic ECC

Expected minimum version: 3.17.1
Version in use: 3.17.1

Experimental Features

Name: Invisible test of the experiment branching system.
Description: An experiment using branches just to test whether branches get saved correctly.
Active: false
End Date: 1409645695466
Whiteboard: [spdy]
same stack - but a clear uaf instead of that null deref from before..
this is probably a double cleanupStream invocation.. I would guess once via cancel and then once via normal stream EOF on this stack.

we can use the stream ID instead of a stream pointer here.. that's essentially a weak reference to the stream because it needs to be relooked up in the hash table.

crash stats shows a few of these a day, so it ought to be pretty easy to determine if the guess is correct.
Attachment #8504103 - Flags: review?(hurley)
Assignee: nobody → mcmanus
I experienced this issue using (time to time)
crash report:
Mda, I think Feedly addon caused this crash (I used too this addon, see in my crash signature).
Comment on attachment 8504103 [details] [diff] [review]
http2session::cleanupstream failure

Review of attachment 8504103 [details] [diff] [review]:


::: netwerk/protocol/http/Http2Session.cpp
@@ +2590,5 @@
>        mDownstreamState = PROCESSING_DATA_FRAME;
>        if (mInputFrameDataRead == mInputFrameDataSize)
>          ResetDownstreamState();
> +      LOG3(("Http2Session::WriteSegments session=%p 0x%X "

Maybe call out that the 0x%X is a stream id, since it's less obvious now that we're not dumping a stream=%p in the log, too? Not critical, though.
Attachment #8504103 - Flags: review?(hurley) → review+
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
Patrick, can we have an uplift request for aurora? thanks
Flags: needinfo?(mcmanus)
(In reply to Sylvestre Ledru [:sylvestre] from comment #12)
> Patrick, can we have an uplift request for aurora? thanks

I'm going to wait a day or two until crash stats can verify the fix as there is no reliable str. It should also go to beta.
Flags: needinfo?(mcmanus)
crash stats shows this happening for build ids
       ff35  ff36
10/20    y     y
10/21    y     n

the fix is first included in the ff 36 10/21 build, so I think we can call that verified and the uplifts should commence.
Comment on attachment 8504103 [details] [diff] [review]
http2session::cleanupstream failure

Approval Request Comment
[Feature/regressing bug #]: 1047594 (http2 support)
[User impact if declined]: random crashes
[Describe test coverage new/current, TBPL]: no str for the race condition but crash stats verifies fix in nightly
[Risks and why]: med-low risk solves crasher. this feature is first enabled on gecko 34
[String/UUID change made/needed]: none
Attachment #8504103 - Flags: approval-mozilla-beta?
Attachment #8504103 - Flags: approval-mozilla-aurora?
Good jobs! Congratulations to all! :)
Comment on attachment 8504103 [details] [diff] [review]
http2session::cleanupstream failure

Let's see if we can prove that this fixes the issue on Beta and Aurora as well. a+
Attachment #8504103 - Flags: approval-mozilla-beta?
Attachment #8504103 - Flags: approval-mozilla-beta+
Attachment #8504103 - Flags: approval-mozilla-aurora?
Attachment #8504103 - Flags: approval-mozilla-aurora+
I just received a crash in today's x64 Nightly for Windows that pointed me here:

It was proceded by this one:

Not sure if they are related to this bug or not, but I haven't had another one yet.
(In reply to Brian Carpenter [:geeknik] from comment #19)
> I just received a crash in today's x64 Nightly for Windows that pointed me
> here:
> 259432141027
> It was proceded by this one:
> e32752141027
> Not sure if they are related to this bug or not, but I haven't had another
> one yet.

Same for me as well.
Flags: needinfo?(mcmanus)
see 1089749 - its not this bug
Flags: needinfo?(mcmanus)
FireFox Nightly 37 still has this bug: (FF has crashed during browsing of YouTube videos.)

Patrick, could you please check it? Why this error has revived?
Flags: needinfo?(mcmanus)
thanks for the bit about yt - that's helpful.

865314 relanded - apparently there was more than one root cause in there the first time. It has already been backed out - you should only see this in 1 december nightly.
Flags: needinfo?(mcmanus)
Yes, it is YouTube. This bug crashes my Nightly over and over again. Twice in a row just now, one of which immediately after I restarted the browser:

It a bad bug, it borders with turning Nightly to be unusable.
Depends on: 1111207
Latest Nightly, x64, without e10s turned on, built from Built from , crash in .

Usually I can crash it entering and trying to signin. Either it crashes right away or after awhile.
Flags: needinfo?(mcmanus)
Something is going on with the Nightly and Google (judging from previous comments...)

Both times, I was just using Gmail, reading mail.

The second time, I had just finished reading my mail, and as I closed the tab, it crashed on me.

OK, so as I'm filling this out, I get a new build.  :/  I'll see what's happening with this one.

Win 64-bit, 64-bit Nightly.
please see comment 23, there has been a backout for this already.
Flags: needinfo?(mcmanus)
Blocks: 865314
Ok the part "you should only see this in 1 december nightly" got me confused.

If it still crashes after tomorrow I'll re-ping, but I'm guessing it will be fixed on today's nightly.
Depends on: 1111217
Confirmed fixed. Sorry for the noise and thank you for your time :)
You need to log in before you can comment on or make changes to this bug.