I noticed in logs that when a stream was dropped, and thus within transition and ready to expire as a locally reset stream, it would then pop its related push promises, and those could trigger the original stream to call transition_after. The end result is that the original stream would call dec_num_reset_streams() twice.
This gets rid of a dangerous call to transition_after that is happening outside the bounds of a transition. It ends up making newer streams that are locally reset to get forgotten, instead of older streams, but that's not really better or worse.
There is a fuzz seed that triggered the panic, and with this change, that fuzz seed no longer panics.
I noticed in logs that when a stream was dropped, and thus within
transitionand ready to expire as a locally reset stream, it would then pop its related push promises, and those could trigger the original stream to calltransition_after. The end result is that the original stream would calldec_num_reset_streams()twice.This gets rid of a dangerous call to
transition_afterthat is happening outside the bounds of a transition. It ends up making newer streams that are locally reset to get forgotten, instead of older streams, but that's not really better or worse.There is a fuzz seed that triggered the panic, and with this change, that fuzz seed no longer panics.