SPDY Division by Zero [@mozilla::net::SpdySession::HandleSynReply]

RESOLVED FIXED in mozilla12

Status

Core
Networking
--
critical
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: posidron, Assigned: mcmanus)

Tracking

({crash})

Trunk
mozilla12
x86
Mac OS X
crash
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(3 attachments)

(Reporter)

Description

5 years ago
Created attachment 590498
callstack

The complete SYN_REPLY packet:

0000   80 02 00 02 01 00 00 0C 00 00 00 01 00 00 78 BB
0010   DF A2 51 B2 62 60 64 00 02 00 00 00 00 FF FF   


Crash occurs right after:

[...]
186150912[10037b5c0]: 00000000: 00 00 00 01 00 00 78 BB DF A2 51 B2 
186150912[10037b5c0]: SpdySession::HandleSynReply 11a9e2400 SYN_REPLY for 0x1 fin=1


Program received signal EXC_ARITHMETIC, Arithmetic exception.
[Switching to process 15940 thread 0x3303]
0x0000000101544fc2 in mozilla::net::SpdySession::HandleSynReply (self=0x116d3d400) at /Users/cdiehl/Code/Mozilla/mz_spdy/netwerk/protocol/http/SpdySession.cpp:881
881     (self->mFrameDataSize - 6) * 100 / self->mDecompressBufferUsed;


More information can be found in the provided callstack and NSPR log.
(Reporter)

Comment 1

5 years ago
Created attachment 590499
NSPR Log
(Reporter)

Updated

5 years ago
Severity: normal → critical

Updated

5 years ago
Assignee: nobody → mcmanus
(Assignee)

Comment 2

5 years ago
Christoph is running fuzzing tests - that's not a valid SYN_REPLY. (It's too long for the length included.)

Christoph, is your code out of date? That gdb output has a line number that does not match the trunk.

In any event, that code does not exit as expected on decompress failed because of the length issue. The compression is fine but truncated up to the packet length (20) which is how decompress buffer used is 0.

I will attach the fix in a minute. I don't see any further implications.
Status: NEW → ASSIGNED
(Assignee)

Comment 3

5 years ago
Created attachment 590705
patch 0
Attachment #590705 - Flags: review?(honzab.moz)
Comment on attachment 590705
patch 0

Review of attachment 590705:
-----------------------------------------------------------------

r=honzab

Isn't it better to just not accumulate telemetry in that case?  IMO it doesn't make much sense.
Attachment #590705 - Flags: review?(honzab.moz) → review+
(Assignee)

Comment 5

5 years ago

https://hg.mozilla.org/integration/mozilla-inbound/rev/4035cbbd550b

> 
> Isn't it better to just not accumulate telemetry in that case?  IMO it
> doesn't make much sense.

I was thinking more along the lines of "compression failed, so report an identity sized ratio" - but your suggestion is better. We'll do that.
https://hg.mozilla.org/mozilla-central/rev/4035cbbd550b
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla12
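
The arithmetic behind this crash, as an added example that is not Mozilla's patch or code from this bug: it parses the SPDY/2 control frame header of the SYN_REPLY quoted in the description, shows that the declared length (12) covers only 6 bytes of the compressed block, and guards the ratio from line 881 so that nothing is recorded when no bytes were decompressed. The names ControlFrame, ParseControlFrame and SynReplyRatio are hypothetical, and the decompressed size is passed in as an assumed input instead of running zlib.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// The SYN_REPLY bytes quoted in the bug description (31 bytes on the wire).
static const uint8_t kPacket[] = {
    0x80, 0x02, 0x00, 0x02, 0x01, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x78, 0xBB, 0xDF, 0xA2, 0x51, 0xB2, 0x62, 0x60,
    0x64, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF};

struct ControlFrame {   // hypothetical type for this example
  uint16_t version, type;
  uint8_t flags;
  uint32_t dataSize;    // declared 24-bit length (mFrameDataSize in the bug)
  size_t trailing;      // buffered bytes that lie past the declared frame
};

// Parse the 8-byte SPDY/2 control header; reject short or non-control input.
bool ParseControlFrame(const uint8_t* p, size_t n, ControlFrame* out) {
  if (n < 8 || !(p[0] & 0x80)) return false;
  out->version = static_cast<uint16_t>(((p[0] & 0x7F) << 8) | p[1]);
  out->type = static_cast<uint16_t>((p[2] << 8) | p[3]);
  out->flags = p[4];
  out->dataSize = (uint32_t(p[5]) << 16) | (uint32_t(p[6]) << 8) | p[7];
  if (out->dataSize > n - 8) return false;  // frame not fully buffered
  out->trailing = n - 8 - out->dataSize;
  return true;
}

// Compression ratio in percent, the expression from line 881 with guards.
// The 6 skipped bytes are the stream id (4) and the unused field (2).
// Returns false (record nothing) instead of dividing by zero.
bool SynReplyRatio(uint32_t dataSize, uint32_t decompressedUsed, uint32_t* ratio) {
  if (dataSize < 6 || decompressedUsed == 0) return false;
  *ratio = static_cast<uint32_t>(uint64_t(dataSize - 6) * 100 / decompressedUsed);
  return true;
}

int main() {
  ControlFrame f;
  uint32_t r = 0;
  if (!ParseControlFrame(kPacket, sizeof(kPacket), &f)) return 1;
  std::printf("type=%u declared=%u trailing=%zu\n", f.type, f.dataSize, f.trailing);
  // decompressedUsed = 0 is the value reported in comment 2 (assumed input here).
  std::printf("telemetry recorded: %s\n", SynReplyRatio(f.dataSize, 0, &r) ? "yes" : "no");
  return 0;
}
```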