Closed Bug 712021 Opened 13 years ago Closed 13 years ago

spdy: crash on cancel of queued session

Categories

(Core :: Networking: HTTP, defect)

Product:
Core
Component:
Networking: HTTP
Version:
11 Branch
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla11

People

(Reporter: mcmanus, Assigned: mcmanus)

Details

(Keywords: crash)

Crash Data

Attachments

(1 file)

patch v0
1.33 KB, patch
mayhemer
: review+
Details | Diff | Splinter Review 
Before the uplift of 11 to aurora I checked on socorro looking for any unknown spdy issues. I found just 2 reports which I believe are dups of each other:

https://crash-stats.mozilla.com/report/index/d8414902-291d-4aa9-888e-1f8982111209
https://crash-stats.mozilla.com/report/index/2cf95ab8-b4d9-4a2f-8d41-0f46f2111214

In each case the stream is crashing when being activated out of the pending queue. I believe that the stream had actually been canceled and freed prior to activation. (i.e. it got queued due to an extreme level of parallelization (>100) and was cancelled in that state probably because the user navigated off the page).


0 	libxul.so 	mozilla::net::SpdyStream::ReadSegments 	netwerk/protocol/http/SpdyStream.cpp:124
1 	libxul.so 	mozilla::net::SpdySession::ReadSegments 	netwerk/protocol/http/SpdySession.cpp:1223
2 	libxul.so 	mozilla::net::SpdySession::ActivateStream 	netwerk/protocol/http/SpdySession.cpp:283
3 	libxul.so 	mozilla::net::SpdySession::ProcessPending 	netwerk/protocol/http/SpdySession.cpp:295
Attached patch patch v0Splinter Review 
This touches only SpdySession.cpp

I can reproduce this and confirm the fix by loading a page with thousands of icons off plus.google.com (commments on a celeb posting for example) and immediately closing the windows.
Assignee: nobody → mcmanus
Status: NEW → ASSIGNED
Attachment #582856 - Flags: review?(honzab.moz)
Comment on attachment 582856 [details] [diff] [review]
patch v0

Review of attachment 582856 [details] [diff] [review]:
-----------------------------------------------------------------

r=honzab, full review this time (for spdy.enabled = true as well)

void pointers are bitches...
Attachment #582856 - Flags: review?(honzab.moz) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/b4d859a1e338

thanks honza
Target Milestone: --- → mozilla11
Severity: major → critical
Crash Signature: [@ mozilla::net::SpdyStream::ReadSegments]
Keywords: crash
https://hg.mozilla.org/mozilla-central/rev/b4d859a1e338
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: