Bug 720150 - SPDY Division by Zero [@mozilla::net::SpdySession::HandleSynReply]
Status: RESOLVED FIXED
Keywords: crash
Product: Core
Classification: Components
Component: Networking
Version: Trunk
Platform: x86 Mac OS X
Importance: -- critical
Target Milestone: mozilla12
Assigned To: Patrick McManus [:mcmanus]
: Patrick McManus [:mcmanus]
Reported: 2012-01-21 11:30 PST by Christoph Diehl [:posidron]
Modified: 2012-01-24 08:18 PST


Attachments
callstack (4.65 KB, text/plain)
2012-01-21 11:30 PST, Christoph Diehl [:posidron]
NSPR Log (25.69 KB, text/plain)
2012-01-21 11:30 PST, Christoph Diehl [:posidron]
patch 0 (1.16 KB, patch)
2012-01-23 06:57 PST, Patrick McManus [:mcmanus]
honzab.moz: review+

Description Christoph Diehl [:posidron] 2012-01-21 11:30:15 PST
Created attachment 590498 [details]
callstack

The complete SYN_REPLY packet:

0000   80 02 00 02 01 00 00 0C 00 00 00 01 00 00 78 BB
0010   DF A2 51 B2 62 60 64 00 02 00 00 00 00 FF FF

Crash occurs right after:

[...]
186150912[10037b5c0]: 00000000: 00 00 00 01 00 00 78 BB DF A2 51 B2
186150912[10037b5c0]: SpdySession::HandleSynReply 11a9e2400 SYN_REPLY for 0x1 fin=1

Program received signal EXC_ARITHMETIC, Arithmetic exception.
[Switching to process 15940 thread 0x3303]
0x0000000101544fc2 in mozilla::net::SpdySession::HandleSynReply (self=0x116d3d400) at /Users/cdiehl/Code/Mozilla/mz_spdy/netwerk/protocol/http/SpdySession.cpp:881
881     (self->mFrameDataSize - 6) * 100 / self->mDecompressBufferUsed;

More information can be found in the provided callstack and NSPR log.
Comment 1 Christoph Diehl [:posidron] 2012-01-21 11:30:38 PST
Created attachment 590499 [details]
NSPR Log
Comment 2 Patrick McManus [:mcmanus] 2012-01-23 06:38:16 PST
Christoph is running fuzzing tests - that's not a valid SYN_REPLY. (It's too long for the length included.)

Christoph, is your code out of date? That gdb output has a line number that does not match the trunk.

In any event, that code does not exit as expected on decompress failed because of the length issue. The compression is fine but truncated up to the packet length (20), which is how decompress buffer used is 0.

I will attach the fix in a minute. I don't see any further implications.
Comment 3 Patrick McManus [:mcmanus] 2012-01-23 06:57:41 PST
Created attachment 590705 [details] [diff] [review]
patch 0
Comment 4 Honza Bambas (:mayhemer) 2012-01-23 16:18:56 PST
Comment on attachment 590705 [details] [diff] [review]
patch 0

Review of attachment 590705 [details] [diff] [review]:
-----------------------------------------------------------------

r=honzab

Isn't it better to just not accumulate telemetry in that case?  IMO it doesn't make much sense.
Comment 5 Patrick McManus [:mcmanus] 2012-01-23 19:51:44 PST

https://hg.mozilla.org/integration/mozilla-inbound/rev/4035cbbd550b

> Isn't it better to just not accumulate telemetry in that case?  IMO it
> doesn't make much sense.

I was thinking more along the lines of "compression failed, so report an identity sized ratio" - but your suggestion is better. We'll do that.
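As an added illustration of the division described in comment 2 and the fix direction agreed in comments 4 and 5 (example code written for this page, not Mozilla's SpdySession code; the struct, function names, the header parser and the extra underflow guard are assumed stand-ins):

```cpp
#include <cstdint>
#include <cstdio>

// Constructed stand-in for the two SpdySession fields involved; not Mozilla's code.
struct SynReplyState {
  uint32_t mFrameDataSize;        // payload length from the 8-byte control frame header
  uint32_t mDecompressBufferUsed; // bytes produced by inflating the header block
};

// Fields of a SPDY v2 control frame header (big-endian on the wire).
struct ControlFrameHeader { uint16_t version; uint16_t type; uint8_t flags; uint32_t length; };

// Parse the 8-byte header; false if too short or the control bit is not set.
bool parseControlHeader(const uint8_t* buf, size_t len, ControlFrameHeader* out) {
  if (len < 8 || !(buf[0] & 0x80)) return false;
  out->version = (uint16_t)(((buf[0] & 0x7F) << 8) | buf[1]);
  out->type = (uint16_t)((buf[2] << 8) | buf[3]);
  out->flags = buf[4];
  out->length = ((uint32_t)buf[5] << 16) | ((uint32_t)buf[6] << 8) | buf[7];
  return true;
}

// Before the fix: the ratio is computed unconditionally. When the compressed header
// block is truncated, inflate yields no bytes, mDecompressBufferUsed is 0 and this
// is the EXC_ARITHMETIC from the report. Shown for contrast; never call it with 0.
uint32_t compressionRatioUnchecked(const SynReplyState& s) {
  return (s.mFrameDataSize - 6) * 100 / s.mDecompressBufferUsed;
}

// After the fix, following the reviewer's suggestion: accumulate no telemetry sample
// when nothing was decompressed. The mFrameDataSize < 6 check is an extra guard added
// here against unsigned underflow; it is not part of the page's patch.
bool compressionRatioTelemetry(const SynReplyState& s, uint32_t* ratioOut) {
  if (s.mDecompressBufferUsed == 0 || s.mFrameDataSize < 6) return false;
  *ratioOut = (s.mFrameDataSize - 6) * 100 / s.mDecompressBufferUsed;
  return true;
}

// Header of the fuzzed SYN_REPLY from the report: control bit, version 2, type 2
// (SYN_REPLY), flags 0x01 (FIN), declared payload length 0x0C = 12, i.e. a 20-byte frame.
const uint8_t kFuzzedSynReply[8] = {0x80, 0x02, 0x00, 0x02, 0x01, 0x00, 0x00, 0x0C};

int main() {
  ControlFrameHeader h;
  parseControlHeader(kFuzzedSynReply, sizeof kFuzzedSynReply, &h);
  SynReplyState truncated = {h.length, 0};  // frame claims 12 bytes, inflate produced none
  uint32_t ratio = 0;
  std::printf("telemetry recorded: %s\n", compressionRatioTelemetry(truncated, &ratio) ? "yes" : "no");
  return 0;
}
```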
Comment 6 Marco Bonardo [::mak] 2012-01-24 05:10:43 PST
https://hg.mozilla.org/mozilla-central/rev/4035cbbd550b
