spdy: crash on cancel of queued session

RESOLVED FIXED in mozilla11

Status

Product: Core
Component: Networking: HTTP
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 6 years ago
Modified: 6 years ago

People

Reporter: mcmanus, Assigned: mcmanus

Tracking

Version: 11 Branch
Target Milestone: mozilla11
Platform: x86_64 Linux
Keywords: crash
Points: ---

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

Attachments

(1 attachment)
(Assignee)

Description

6 years ago
Before the uplift of 11 to aurora I checked on socorro looking for any unknown spdy issues. I found just 2 reports which I believe are dups of each other:

https://crash-stats.mozilla.com/report/index/d8414902-291d-4aa9-888e-1f8982111209
https://crash-stats.mozilla.com/report/index/2cf95ab8-b4d9-4a2f-8d41-0f46f2111214

In each case the stream is crashing when being activated out of the pending queue. I believe that the stream had actually been canceled and freed prior to activation. (i.e. it got queued due to an extreme level of parallelization (>100) and was cancelled in that state probably because the user navigated off the page).


0 	libxul.so 	mozilla::net::SpdyStream::ReadSegments 	netwerk/protocol/http/SpdyStream.cpp:124
1 	libxul.so 	mozilla::net::SpdySession::ReadSegments 	netwerk/protocol/http/SpdySession.cpp:1223
2 	libxul.so 	mozilla::net::SpdySession::ActivateStream 	netwerk/protocol/http/SpdySession.cpp:283
3 	libxul.so 	mozilla::net::SpdySession::ProcessPending 	netwerk/protocol/http/SpdySession.cpp:295
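
The lifetime problem described in the report above, as an added C++ example (not part of the bug report and not the attached patch, whose contents are not shown on this page): a session that queues streams past a concurrency limit has to drop the queue entry when a stream is cancelled, otherwise the queue still refers to a destroyed stream when it is processed. `Session`, `Stream`, `CancelStream`, `StaleQueued` and the `purgeQueueOnCancel` switch are hypothetical names, and `std::weak_ptr` stands in for the queue's raw pointer so a stale entry can be counted without touching freed memory.

```cpp
// Added illustration, not Mozilla code; weak_ptr stands in for the queue's raw pointer.
#include <algorithm>
#include <cstddef>
#include <deque>
#include <map>
#include <memory>

struct Stream { int id; bool active; };

class Session {
public:
    Session(std::size_t max, bool purgeQueueOnCancel) : mMax(max), mPurge(purgeQueueOnCancel) {}
    void AddStream(int id) {  // activate now, or queue once the limit is hit
        auto s = std::make_shared<Stream>(Stream{id, false});
        mStreams[id] = s;
        if (mActive < mMax) { s->active = true; ++mActive; } else mPending.push_back(s);
    }
    void CancelStream(int id) {  // destroys the stream
        auto it = mStreams.find(id);
        if (it == mStreams.end()) return;
        std::shared_ptr<Stream> s = it->second;
        if (s->active) --mActive;
        if (mPurge)  // hardened path: drop the queue entry as well
            mPending.erase(std::remove_if(mPending.begin(), mPending.end(),
                [&](const std::weak_ptr<Stream>& w) { return w.lock() == s; }),
                mPending.end());
        mStreams.erase(it);
    }
    // Queue entries whose stream is gone: what a raw-pointer queue would activate.
    std::size_t StaleQueued() const {
        return static_cast<std::size_t>(std::count_if(mPending.begin(), mPending.end(),
            [](const std::weak_ptr<Stream>& w) { return w.expired(); }));
    }
    std::size_t ProcessPending() {  // activate queued streams, skipping stale ones
        std::size_t activated = 0;
        while (mActive < mMax && !mPending.empty()) {
            std::shared_ptr<Stream> s = mPending.front().lock();
            mPending.pop_front();
            if (!s) continue;  // cancelled while queued
            s->active = true; ++mActive; ++activated;
        }
        return activated;
    }
private:
    std::size_t mMax, mActive = 0;
    bool mPurge;
    std::map<int, std::shared_ptr<Stream>> mStreams;
    std::deque<std::weak_ptr<Stream>> mPending;
};
```

With the purge disabled, `StaleQueued()` is non-zero after a queued stream is cancelled, which makes the invariant easy to assert in a unit test.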
(Assignee)

Comment 1

6 years ago
Created attachment 582856
patch v0

This touches only SpdySession.cpp

I can reproduce this and confirm the fix by loading a page with thousands of icons off plus.google.com (comments on a celeb posting for example) and immediately closing the windows.
Assignee: nobody → mcmanus
Status: NEW → ASSIGNED
Attachment #582856 - Flags: review?(honzab.moz)
Comment on attachment 582856
patch v0

Review of attachment 582856:
-----------------------------------------------------------------

r=honzab, full review this time (for spdy.enabled = true as well)

void pointers are bitches...
Attachment #582856 - Flags: review?(honzab.moz) → review+
(Assignee)

Comment 3

6 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/b4d859a1e338

thanks honza
Target Milestone: --- → mozilla11

Updated

6 years ago
Severity: major → critical
Crash Signature: [@ mozilla::net::SpdyStream::ReadSegments]
Keywords: crash

Comment 4

6 years ago
https://hg.mozilla.org/mozilla-central/rev/b4d859a1e338
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED