Crash Reports for mozilla::net::SpdySession31::CleanupStream

VERIFIED FIXED in Firefox 27

Status

()

defect
VERIFIED FIXED
6 years ago
6 years ago

People

(Reporter: mcmanus, Assigned: mcmanus)

Tracking

({topcrash})

29 Branch
mozilla29
x86_64
Linux
Points:
---

Firefox Tracking Flags

(firefox27 verified, firefox28 verified, firefox29 verified)

Details

(Whiteboard: [sdpy])

Attachments

(1 attachment)

No description provided.
https://crash-stats.mozilla.com/report/list?date=2014-01-12&range_unit=days&range_value=7&signature=mozilla%3A%3Anet%3A%3ASpdySession31%3A%3ACleanupStream%28mozilla%3A%3Anet%3A%3ASpdyStream31*%2C+tag_nsresult%2C+mozilla%3A%3Anet%3A%3ASpdySession31%3A%3ArstReason%29

an example

https://crash-stats.mozilla.com/report/index/af1e9fe5-62bb-4215-8160-2d3f62140111

~75 crashes across the last week

0 	xul.dll 	mozilla::net::SpdySession31::CleanupStream(mozilla::net::SpdyStream31 *,tag_nsresult,mozilla::net::SpdySession31::rstReason) 	netwerk/protocol/http/SpdySession31.cpp
1 	xul.dll 	mozilla::net::SpdySession31::WriteSegments(nsAHttpSegmentWriter *,unsigned int,unsigned int *) 	netwerk/protocol/http/SpdySession31.cpp
2 	xul.dll 	nsHttpConnection::OnSocketReadable() 	netwerk/protocol/http/nsHttpConnection.cpp
3 	xul.dll 	nsHttpConnection::OnInputStreamReady(nsIAsyncInputStream *) 	netwerk/protocol/http/nsHttpConnection.cpp
4 	xul.dll 	nsSocketInputStream::OnSocketReady(tag_nsresult) 	netwerk/base/src/nsSocketTransport2.cpp
Whiteboard: [sdpy]
I think we're seeing the error resulting in a double cleanup of the stream off the stream->writesegements() stack.

The pragmatic thing to do, especially for backports, is to make cleanupstream robust to being called in this circumstance.
Attachment #8359247 - Flags: review?(hurley)
Assignee: nobody → mcmanus
Status: NEW → ASSIGNED
Attachment #8359247 - Flags: review?(hurley) → review+
https://hg.mozilla.org/mozilla-central/rev/135a5b7ba6d9
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
Comment on attachment 8359247 [details] [diff] [review]
double SpdySession::CleanupStream

[Approval Request Comment]
Bug caused by (feature/regressing bug #): unknown
User impact if declined: continued exposure to crash bug.. about 75 crashes across all channels in the last 7 days
Testing completed (on m-c, etc.): on m-c
Risk to taking this patch (and alternatives if risky): this is a null ptr check right before deref'ing the pointer. very low risk.
String or IDL/UUID changes made by this patch: none
Attachment #8359247 - Flags: approval-mozilla-beta?
Attachment #8359247 - Flags: approval-mozilla-aurora?
Comment on attachment 8359247 [details] [diff] [review]
double SpdySession::CleanupStream

low risk crash fix, approving on branches.
Attachment #8359247 - Flags: approval-mozilla-beta?
Attachment #8359247 - Flags: approval-mozilla-beta+
Attachment #8359247 - Flags: approval-mozilla-aurora?
Attachment #8359247 - Flags: approval-mozilla-aurora+
FYI, I reported bug 960482 -- I'm not sure how this bug impacts that bug, if at all.
Duplicate of this bug: 960482
Adding topcrash keyword to this bug as per bug 960482. I'll follow up here next week with up to date data to evaluate this fix.
Keywords: topcrash
Additionally flagging as verifyme to confirm crashstats shows these crashes are gone across all branches next week.
Keywords: verifyme
You need to log in before you can comment on or make changes to this bug.