QUIC_STREAM_SEQUENCER_INVALID_STATE error caught
Issue description

Here are some unexpected stream sequencer buffer states collected from server side:

Stream1: QUIC_STREAM_SEQUENCER_INVALID_STATE: QuicStreamSequencerBuffer error: OnStreamData() exceed array bounds.write offset = 0 write_block_num = 0 blocks_count_ = 0
Stream69: QUIC_STREAM_SEQUENCER_INVALID_STATE: QuicStreamSequencerBuffer error: OnStreamData() exceed array bounds.write offset = 8192 write_block_num = 1 blocks_count_ = 1
Stream1: QUIC_STREAM_SEQUENCER_INVALID_STATE: QuicStreamSequencerBuffer error: OnStreamData() exceed array bounds.write offset = 0 write_block_num = 0 blocks_count_ = 0
Stream5: QUIC_STREAM_SEQUENCER_INVALID_STATE: QuicStreamSequencerBuffer error: OnStreamData() exceed array bounds.write offset = 640759 write_block_num = 4294967295 blocks_count_ = 2048
Stream101: QUIC_STREAM_SEQUENCER_INVALID_STATE: QuicStreamSequencerBuffer error: OnStreamData() exceed array bounds.write offset = 8192 write_block_num = 1 blocks_count_ = 1
Stream1: QUIC_STREAM_SEQUENCER_INVALID_STATE: QuicStreamSequencerBuffer error: OnStreamData() exceed array bounds.write offset = 0 write_block_num = 0 blocks_count_ = 0
Stream113: QUIC_STREAM_SEQUENCER_INVALID_STATE: QuicStreamSequencerBuffer error: OnStreamData() exceed array bounds.write offset = 2323529 write_block_num = 4294967295 blocks_count_ = 2048

https://cs.chromium.org/chromium/src/net/quic/core/quic_stream_sequencer_buffer.cc?rcl=1478765818&l=187

blocks_count_ is supposed to be initiated as 2048 (16M/8k) in the constructor, but the code below may have some type casting problem on certain platforms:

blocks_count_(ceil(static_cast<double>(max_capacity_bytes) / kBlockSizeBytes)),

Some of the errors above have write_block_num = 4294967295, which also seems like a type casting issue because 4294967295 is 2^32-1.

The code calculating write_block_num_ is:

size_t QuicStreamSequencerBuffer::GetBlockIndex(QuicStreamOffset offset) const {
  return (offset % max_buffer_capacity_bytes_) / kBlockSizeBytes;
}

Another error message below means QUIC is trying to read out buffered data but the destination memory's address is null. This might indicate there is use of un-allocated memory.

Stream 5: QuicStreamSequencerBuffer error: Readv() dest == nullptr: true blocks_[0] == nullptr: false

https://cs.chromium.org/chromium/src/net/quic/core/quic_stream_sequencer_buffer.cc?rcl=1478765818&l=289
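To make the arithmetic in the report concrete, here is an added C++ example (not Chromium code) that re-implements the two formulas quoted above, the ceil() constructor expression and GetBlockIndex(), and replays the logged (write offset, write_block_num, blocks_count_) triples through the invariant the "exceed array bounds" message implies, namely write_block_num < blocks_count_. The block size (8 KiB) and capacity (16 MiB) are taken from the "2048 (16M/8k)" remark; the LoggedState/Classify/Verdict names, the integer-only ceiling division, and the assumption that the capacity is a whole number of blocks are mine. It also shows how a size_t(-1) narrowed to 32 bits reads as 4294967295, the value the report flags as a cast problem.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Assumed from the report's "2048 (16M/8k)": 8 KiB blocks, 16 MiB capacity.
constexpr size_t kBlockSizeBytes = 8 * 1024;
constexpr size_t kMaxCapacityBytes = 16 * 1024 * 1024;

// The constructor arithmetic quoted in the report, through double and back to size_t.
size_t ComputeBlocksCountViaDouble(size_t max_capacity_bytes) {
  return static_cast<size_t>(
      std::ceil(static_cast<double>(max_capacity_bytes) / kBlockSizeBytes));
}

// Pure-integer ceiling division: same result, no floating point, no narrowing cast.
size_t ComputeBlocksCountInteger(size_t max_capacity_bytes) {
  return (max_capacity_bytes + kBlockSizeBytes - 1) / kBlockSizeBytes;
}

// GetBlockIndex() as quoted in the report. A zero capacity makes '%' undefined,
// so callers must rule that out first (Classify() below does).
size_t GetBlockIndex(uint64_t offset, size_t max_buffer_capacity_bytes) {
  return static_cast<size_t>((offset % max_buffer_capacity_bytes) / kBlockSizeBytes);
}

// 4294967295 is what a size_t(-1) value looks like once narrowed to 32 bits,
// which is the kind of cast the report suspects behind write_block_num.
uint32_t NarrowToUint32(size_t v) { return static_cast<uint32_t>(v); }

// One logged state, as printed in the error messages above.
struct LoggedState {
  uint64_t write_offset;
  uint64_t write_block_num;
  size_t blocks_count;
};

enum class Verdict { kConsistent, kZeroCapacity, kOutOfBounds, kIndexMismatch };

// Re-derives the block index from the logged offset and the capacity implied by
// blocks_count (assumed: blocks_count * kBlockSizeBytes, i.e. capacity is a whole
// number of blocks), after applying the invariant write_block_num < blocks_count.
Verdict Classify(const LoggedState& s) {
  if (s.blocks_count == 0) return Verdict::kZeroCapacity;
  if (s.write_block_num >= s.blocks_count) return Verdict::kOutOfBounds;
  const size_t capacity = s.blocks_count * kBlockSizeBytes;
  if (GetBlockIndex(s.write_offset, capacity) != s.write_block_num)
    return Verdict::kIndexMismatch;
  return Verdict::kConsistent;
}

const char* VerdictName(Verdict v) {
  switch (v) {
    case Verdict::kConsistent:    return "consistent";
    case Verdict::kZeroCapacity:  return "blocks_count_ == 0 (GetBlockIndex would divide by zero)";
    case Verdict::kOutOfBounds:   return "write_block_num >= blocks_count_";
    case Verdict::kIndexMismatch: return "write_block_num != GetBlockIndex(write offset)";
  }
  return "?";
}

int main() {
  std::printf("blocks_count_ for 16 MiB: %zu (double) / %zu (integer)\n",
              ComputeBlocksCountViaDouble(kMaxCapacityBytes),
              ComputeBlocksCountInteger(kMaxCapacityBytes));
  std::printf("size_t(-1) narrowed to uint32: %u\n",
              NarrowToUint32(static_cast<size_t>(-1)));

  // The triples quoted in the report, plus one constructed healthy triple for contrast.
  const LoggedState states[] = {
      {0, 0, 0},                     // Stream1
      {8192, 1, 1},                  // Stream69 / Stream101
      {640759, 4294967295u, 2048},   // Stream5
      {2323529, 4294967295u, 2048},  // Stream113
      {640759, 78, 2048},            // constructed: what Stream5 should have logged
  };
  for (const LoggedState& s : states) {
    std::printf("offset=%llu write_block_num=%llu blocks_count_=%zu -> %s\n",
                static_cast<unsigned long long>(s.write_offset),
                static_cast<unsigned long long>(s.write_block_num),
                s.blocks_count, VerdictName(Classify(s)));
  }
  return 0;
}
```

Two things fall out of the replay. The Stream1 triple with blocks_count_ = 0 is not just out of bounds: with a zero capacity the `%` in GetBlockIndex() is undefined behaviour, so the constructor value itself is already wrong in that state. And the other triples are mutually inconsistent under the quoted formulas: an offset of 8192 in a one-block buffer cannot index block 1 (Stream69), and an offset of 640759 in a 16 MiB buffer gives block 78, not 4294967295 (Stream5). The indices were therefore not computed from a sane offset/capacity pair, which fits the report's suspicion of narrowed or clobbered fields better than an off-by-one in the formula.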
Nov 10 2016
Nov 11 2016
Unsure if this is related, but I'm getting ERR_QUIC_PROTOCOL_ERROR when being redirected to a Google Sites site after entering a Google account password. Happy to share logs offline, but I'm not sure if I'm comfortable posting these particular logs to crbug.
Nov 11 2016
Hi sdy@, thanks for your report! It's hard to tell if the error you experienced is caused by this bug based on the error code ERR_QUIC_PROTOCOL_ERROR. Can you search for QUIC_STREAM_SEQUENCER_INVALID_STATE in the log to see whether it appears? Actually, all QUIC errors start with "QUIC_"; can you try to search for anything similar in your log? Of course, you're most welcome to share the logs with me via email.
Nov 11 2016
sdy@: can you send the log to rch@chromium.org? I'll investigate. I suspect this is actually a problem with a recent experiment. Which version of Chrome are you running?
Nov 20 2016
rch@: I haven't been able to reproduce it again. I will if it comes back! I was running the current Canary at the time.
Nov 28 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/0f23a5372fa884f61204f980fa057c168c6288eb

commit 0f23a5372fa884f61204f980fa057c168c6288eb
Author: danzh <danzh@chromium.org>
Date: Mon Nov 28 15:20:38 2016

Add CHECK's to debug QuicStreamSequencerBuffer in weird state.

Add a destruction indicator to detect free after use. Also remove some tests because CHECK's prevent some corner case from happening.

R=rch@chromium.org
BUG=664200

Review-Url: https://codereview.chromium.org/2519333006
Cr-Commit-Position: refs/heads/master@{#434659}

[modify] https://crrev.com/0f23a5372fa884f61204f980fa057c168c6288eb/net/quic/core/quic_stream_sequencer_buffer.cc
[modify] https://crrev.com/0f23a5372fa884f61204f980fa057c168c6288eb/net/quic/core/quic_stream_sequencer_buffer.h
[modify] https://crrev.com/0f23a5372fa884f61204f980fa057c168c6288eb/net/quic/core/quic_stream_sequencer_buffer_test.cc
[modify] https://crrev.com/0f23a5372fa884f61204f980fa057c168c6288eb/net/quic/core/quic_stream_sequencer_test.cc
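The commit above adds a "destruction indicator" so that a use-after-free on the sequencer buffer shows up as a CHECK failure instead of silent corruption. As an added illustration of that debugging pattern (my code, not Chromium's; the class, the two magic values and the CheckOrAbort helper are all assumed), here is a minimal buffer-like class whose destructor stamps a magic value that every entry point CHECKs, together with a way to observe the stamp after destruction without relying on undefined behaviour.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <new>

// Hypothetical sentinel values; the real constants are not on the page.
constexpr uint32_t kAliveMagic = 0x600DBEEFu;
constexpr uint32_t kDestroyedMagic = 0xDEADC0DEu;

// CHECK-style helper: fail loudly rather than keep running on a dead object.
inline void CheckOrAbort(bool ok, const char* what) {
  if (!ok) {
    std::fprintf(stderr, "CHECK failed: %s\n", what);
    std::abort();
  }
}

class SequencerBufferLike {
 public:
  SequencerBufferLike() : destruction_indicator_(kAliveMagic) {}
  // The destructor stamps the indicator. A later call through a dangling pointer
  // then finds kDestroyedMagic (until the allocator reuses the memory).
  ~SequencerBufferLike() { destruction_indicator_ = kDestroyedMagic; }

  bool IsAlive() const { return destruction_indicator_ == kAliveMagic; }

  // In the instrumented build every entry point starts with this CHECK.
  void OnStreamData() {
    CheckOrAbort(IsAlive(), "OnStreamData() on a destroyed buffer");
    ++calls_;
  }
  uint32_t calls() const { return calls_; }

 private:
  // volatile so the destructor's store is never elided; first member, so it
  // occupies bytes 0..3 of the object (the class is standard-layout).
  volatile uint32_t destruction_indicator_;
  uint32_t calls_ = 0;
};

// Normal lifetime: the CHECK passes and the method body runs.
bool FreshBufferPassesCheck() {
  SequencerBufferLike buf;
  buf.OnStreamData();
  buf.OnStreamData();
  return buf.IsAlive() && buf.calls() == 2;
}

// What a dangling pointer would observe, shown without undefined behaviour: the object
// lives in raw storage, is destroyed explicitly, and the indicator is read back from the
// storage bytes (which stay valid) instead of through the dead object.
uint32_t IndicatorAfterDestruction() {
  alignas(SequencerBufferLike) unsigned char storage[sizeof(SequencerBufferLike)];
  SequencerBufferLike* buf = new (storage) SequencerBufferLike;
  buf->OnStreamData();          // alive: passes the CHECK
  buf->~SequencerBufferLike();  // lifetime ends; indicator stamped
  uint32_t indicator = 0;
  std::memcpy(&indicator, storage, sizeof(indicator));
  return indicator;
}

int main() {
  std::printf("fresh buffer passes CHECK: %s\n", FreshBufferPassesCheck() ? "yes" : "no");
  std::printf("indicator after destruction: 0x%08X (kDestroyedMagic = 0x%08X)\n",
              IndicatorAfterDestruction(), kDestroyedMagic);
  return 0;
}
```

The diagnostic value of the stamp is that it separates two failure modes in crash reports: a dangling call usually finds kDestroyedMagic, whereas corruption from elsewhere leaves a random value. That is also why the CHECKs never firing is informative, which is the conclusion the later commit on this bug draws when it removes the indicator.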
Dec 28 2016
danzh: ping. Is this bug fixed? If not, what's the next step?
Dec 29 2016
I'm waiting for version 57.0.2936.0 to roll out. With CHECK's, I expect we should get some crash reports if it is really caused by use-after-free.
Dec 29 2016
m57 is already in dev. Are we getting any crashes from it yet?
Dec 29 2016
There are a few crashes, but not at the place where I added CHECK's.

https://crash.corp.google.com/browse?q=(custom_data.ChromeCrashProto.magic_signature_1.name%3D%27net%3A%3AQuicStreamSequencerBuffer%3A%3AReadv%27%20OR%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27net%3A%3AQuicStreamSequencerBuffer%3A%3AOnStreamData%27%20OR%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27net%3A%3AQuicStreamSequencerBuffer%3A%3AClear%27)%20AND%20product.version%3E%3D%2757.0.0.0%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D

The Chrome OS crash looks like another issue, https://bugs.chromium.org/p/chromium/issues/detail?id=644884, which also existed before.
Jul 13
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/03bdd99f175dacf861d34623d546a8f54278bb36

commit 03bdd99f175dacf861d34623d546a8f54278bb36
Author: Dan Zhang <danzh@chromium.org>
Date: Fri Jul 13 21:21:49 2018

Remove destruction_indicator_ from QuicStreamSequencerBuffer.

Existing crashes are not use-after-free. The CHECK's haven't been triggered so far.

Merge internal changelist: 204339592

R=zhongyi@chromium.org
Change-Id: I2b0549aafff5f639a3a86803aef364dc8c4e059c
Bug: 664200
Change-Id: I2b0549aafff5f639a3a86803aef364dc8c4e059c
Reviewed-on: https://chromium-review.googlesource.com/1135871
Commit-Queue: Dan Zhang <danzh@chromium.org>
Reviewed-by: Zhongyi Shi <zhongyi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#575074}

[modify] https://crrev.com/03bdd99f175dacf861d34623d546a8f54278bb36/net/third_party/quic/core/quic_stream_sequencer_buffer.cc
[modify] https://crrev.com/03bdd99f175dacf861d34623d546a8f54278bb36/net/third_party/quic/core/quic_stream_sequencer_buffer.h
Aug 3
This bug has an owner, thus, it's been triaged. Changing status to "assigned".

Comment 1 by danzh@chromium.org, Nov 10 2016