Crash in [@ mozilla::net::Http2Session::IsReused]
Categories
(Core :: Networking: HTTP, defect, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr91 | --- | unaffected |
| firefox94 | --- | fixed |
| firefox95 | --- | fixed |
| firefox96 | --- | fixed |
People
(Reporter: aryx, Assigned: kershaw)
Details
(Keywords: crash, Whiteboard: [necko-triaged])
Crash Data
Attachments
(5 files)
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-beta+
RyanVM
:
approval-mozilla-release+
|
Details | Review |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review |
Not sure if from bug 1718520 or not - the crash signature existed before and 3 crashes had been observed 2 days before that bug landed. The frequency definitely increased.
Maybe Fission related. (DOMFissionEnabled=1)
Crash report: https://crash-stats.mozilla.org/report/index/3a3d620b-78f0-4bb5-82cd-b3c3d0211006
Reason: EXCEPTION_ACCESS_VIOLATION_READ
Top 10 frames of crashing thread:
0 xul.dll mozilla::net::Http2Session::IsReused netwerk/protocol/http/Http2Session.cpp:4433
1 xul.dll mozilla::net::nsHttpTransaction::Close netwerk/protocol/http/nsHttpTransaction.cpp:1418
2 xul.dll mozilla::net::Http2Stream::Close netwerk/protocol/http/Http2Stream.cpp:1176
3 xul.dll mozilla::net::Http2Session::Shutdown netwerk/protocol/http/Http2Session.cpp:200
4 xul.dll mozilla::net::Http2Session::Close netwerk/protocol/http/Http2Session.cpp:3719
5 xul.dll mozilla::net::nsHttpConnection::CloseTransaction netwerk/protocol/http/nsHttpConnection.cpp:1669
6 xul.dll mozilla::net::nsHttpConnection::OnOutputStreamReady netwerk/protocol/http/nsHttpConnection.cpp:2375
7 xul.dll mozilla::net::nsSocketOutputStream::OnSocketReady netwerk/base/nsSocketTransport2.cpp:514
8 xul.dll mozilla::net::nsSocketTransport::OnSocketReady netwerk/base/nsSocketTransport2.cpp:2057
9 xul.dll mozilla::net::nsSocketTransportService::Run netwerk/base/nsSocketTransportService2.cpp:1150
|
||
Comment 1•3 years ago
|
||
Bug bug 1718520 landed a day after this has started. It is probably not that bug.
|
Reporter | |
Comment 2•3 years ago
|
||
There are crash reports for this with Firefox 94.0. Could you take a look at the issue?
|
Assignee | |
Comment 3•3 years ago
|
||
It seems that Http2Session::mConneciton is null, but it's unclear how this can happen.
Http2Session::mConneciton is only set to null at here, but the stacktrace shows that this is the first time that Http2Session::Close is called.
I guess that somehow nsHttpTransaction::mConnection is pointed to a already closed Http2Session. I'll try to create a diagnostic patch.
|
|
Assignee | |
Updated•3 years ago
|
|
|
Assignee | |
Comment 4•3 years ago
|
||
|
||
Updated•3 years ago
|
|
|
Assignee | |
Comment 5•3 years ago
|
||
Depends on D130250
|
|
Assignee | |
Comment 6•3 years ago
|
||
|
|
Assignee | |
Comment 7•3 years ago
|
||
Keeps this bug open to investigate the real root cause.
Pushed by kjang@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/09b7f5f688ac Avoid crashing when mConnection is null, r=necko-reviewers,valentin
|
|
Assignee | |
Comment 9•3 years ago
|
||
Comment on attachment 9250005 [details]
Bug 1734609 - Avoid crashing when mConnection is null, r=#necko
Beta/Release Uplift Approval Request
- User impact if declined: Firefox could crash
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): This patch only adds a null check to avoid crashing, so the risk is low.
- String changes made/needed: no
|
||
Comment 10•3 years ago
|
||
| bugherder | ||
|
||
Updated•3 years ago
|
|
|
||
Comment 11•3 years ago
|
||
Comment on attachment 9250005 [details]
Bug 1734609 - Avoid crashing when mConnection is null, r=#necko
Approved for 96.0b6. Could be a good ride-along if we spin a 94 dot release too.
|
|
||
Comment 12•3 years ago
|
||
| uplift | ||
|
|
||
Comment 13•3 years ago
|
||
Comment on attachment 9250005 [details]
Bug 1734609 - Avoid crashing when mConnection is null, r=#necko
Approved for 94.0.2.
|
|
||
Comment 14•3 years ago
|
||
| bugherder uplift | ||
|
||
Comment 15•3 years ago
|
||
Pushed by kjang@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/c376158bf365 Make sure we don't dispatch a transaction more than once, r=necko-reviewers,dragana https://hg.mozilla.org/integration/autoland/rev/9cabacd358e2 Fix the test:testAllRecordsInHttp3ExcludedList, r=necko-reviewers,dragana
|
|
||
Comment 16•3 years ago
|
||
| bugherder | ||
|
||
Comment 17•3 years ago
|
||
This crash report shows that an added assert has been hit (MOZ_DIAGNOSTIC_ASSERT(mConnection)):
https://crash-stats.mozilla.org/report/index/31c33f02-4f00-4623-bc95-e4b760211119
|
|
Assignee | |
Comment 18•3 years ago
|
||
0 xul.dll mozilla::net::Http2Session::SanityCheck() netwerk/protocol/http/Http2Session.cpp:4672 context
1 xul.dll mozilla::net::nsHttpTransaction::SetConnection(mozilla::net::nsAHttpConnection*) netwerk/protocol/http/nsHttpTransaction.cpp:531 cfi
2 xul.dll mozilla::net::Http2Session::AddStream(mozilla::net::nsAHttpTransaction*, int, bool, bool, nsIInterfaceRequestor*) netwerk/protocol/http/Http2Session.cpp:496 cfi
3 xul.dll mozilla::net::nsHttpConnection::AddTransaction(mozilla::net::nsAHttpTransaction*, int) netwerk/protocol/http/nsHttpConnection.cpp:821 cfi
4 xul.dll mozilla::net::nsHttpConnectionMgr::DispatchTransaction(mozilla::net::ConnectionEntry*, mozilla::net::nsHttpTransaction*, mozilla::net::HttpConnectionBase*) netwerk/protocol/http/nsHttpConnectionMgr.cpp:1529 cfi
5 xul.dll mozilla::net::nsHttpConnectionMgr::TryDispatchTransactionOnIdleConn(mozilla::net::ConnectionEntry*, mozilla::net::PendingTransactionInfo*, bool, bool*) netwerk/protocol/http/nsHttpConnectionMgr.cpp:1483 cfi
6 xul.dll mozilla::net::nsHttpConnectionMgr::TryDispatchTransaction(mozilla::net::ConnectionEntry*, bool, mozilla::net::PendingTransactionInfo*) netwerk/protocol/http/nsHttpConnectionMgr.cpp:1388 cfi
7 xul.dll mozilla::net::nsHttpConnectionMgr::ProcessNewTransaction(mozilla::net::nsHttpTransaction*) netwerk/protocol/http/nsHttpConnectionMgr.cpp:1702
The stack trace above shows that a h2 connection is reused. This is wrong, since a h2 connection should have mEverUsedSpdy set to true to avoid it being reused. Also. the stack trace shows that mSpdySession is not null, so Http2Session::AddStream is called.
So, the only call path that causes mSpdySession is not null and mEverUsedSpdy is fasle is nsHttpConnection::Start0RTTSpdy.
I think the problem is like:
- A transaction is dispatched to a h2 connection.
- We try to do 0RTT.
- Before 0RTT is finished, the transaction is cancelled, so the h2 connection is reclaimed and being put to the idle connection list.
- A new transaction is created and it's dispatched to the old h2 connection.
|
|
Assignee | |
Comment 19•3 years ago
|
||
|
|
||
Comment 20•2 years ago
|
||
Pushed by kjang@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/a6772aa874f3 Make sure to not reuse a connection that has a mSpdySession, r=necko-reviewers,valentin
|
||
Comment 21•2 years ago
|
||
| bugherder | ||
|
|
Assignee | |
Comment 22•2 years ago
|
||
|
|
||
Comment 23•2 years ago
|
||
Pushed by kjang@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/361325187e7e Remove the diagnostic check to avoid crashing, r=necko-reviewers,dragana
|
|
Assignee | |
Updated•2 years ago
|
|
||
Comment 24•2 years ago
|
||
| bugherder | ||
|
||
Updated•2 years ago
|
Description
•