How to Diagnose and Resolve a CUBIC Congestion Window Bug in QUIC Implementations

Introduction

This guide walks you through identifying and fixing a subtle bug in QUIC congestion control that arises when porting a Linux kernel optimization for CUBIC. The bug manifests as a permanently pinned minimum congestion window (cwnd) after a congestion collapse event, causing the connection to never recover. By following these steps, you will learn how to reproduce the issue, analyze its root cause, and apply a minimal one-line fix.

What You Need

• Familiarity with congestion control algorithms (especially CUBIC, as defined in RFC 9438)
• Understanding of QUIC protocol basics and your implementation (e.g., quiche from Cloudflare)
• A test environment that can simulate heavy packet loss early in a connection
• Access to source code for your QUIC congestion controller (e.g., a modified CUBIC module)
• Linux kernel knowledge (the original fix targets the kernel’s CUBIC implementation)
• Integration test pipeline or similar automated testing for regression detection

Step-by-Step Guide

Step 1: Understand CUBIC’s Core Logic and the App-Limited Exclusion

Before debugging, familiarize yourself with how CUBIC operates. CUBIC is a loss-based congestion control algorithm that adjusts the congestion window (cwnd) based on packet loss signals. Its normal behavior:

• When no loss occurs, cwnd grows (probing for available bandwidth).
• When loss is detected, cwnd is reduced (backoff) and then gradually increases in a cubic function.

Linux kernel introduced a change to comply with RFC 9438 §4.2-12, which defines an app-limited exclusion. The exclusion prevents the congestion window from growing when the application is not sending enough data to fill the window (i.e., app-limited intervals). This optimization is correct for TCP but, when ported to QUIC (as in Cloudflare’s quiche), it can cause a race condition: if loss occurs during an app-limited phase, the cwnd may become stuck at its minimum value and never grow again.

Step 2: Identify the Symptom – Erratic Test Failures

Look for failures in your congestion control test suite, especially tests that simulate heavy loss early in a connection. In Cloudflare’s case, the test failed 61% of the time. Characteristics:

• Connection never recovers throughput after a congestion collapse.
• cwnd remains at the minimum (often 1 or 2 segments) for the entire connection.
• No visible error or loss after the initial collapse – the algorithm simply stops growing.

These failures occur only in early-loss scenarios, which are uncommon but critical for robustness. Most standard tests only exercise steady-state growth and miss this corner case.

Step 3: Analyze the Root Cause – cwnd Stuck at Minimum

Examine the interaction between the app-limited exclusion and CUBIC’s recovery logic. When a packet loss happens, CUBIC reduces cwnd to a value based on the estimated delivery rate during the loss event. After the loss recovery phase, CUBIC waits for a “congestion window validation” phase before allowing growth. The app-limited exclusion prematurely marks the flow as app-limited if the application does not immediately send enough to fully use the reduced cwnd. This prevents the validation phase from completing, and cwnd stays locked at the minimum.

In QUIC, unlike TCP, the sender might not have large amounts of data ready after a loss (e.g., due to head-of-line blocking or application dynamics). This makes the exclusion bug more likely to trigger in QUIC. By setting breakpoints or logging cwnd decisions in your implementation, you can confirm that the cwnd never leaves the minimum after the first loss.

Step 4: Apply the One-Line Fix

The fix is elegantly simple: when the congestion window is at its minimum (e.g., cwnd == 2 * MSS or similar floor), bypass the app-limited exclusion and allow the window to grow. In code terms, modify the condition that checks for app-limited state to exclude the minimum cwnd case. For example, in quiche’s CUBIC implementation:

if (cwnd > min_cwnd && app_limited) { return; }

Change to:

if (app_limited && cwnd > min_cwnd) { return; }

(Assuming the original incorrectly prevented growth even at minimum cwnd.) Alternatively, simply remove the app-limited check when cwnd equals the minimum. The key is that after a congestion collapse, the algorithm must be allowed to probe for available bandwidth even if the application is momentarily idle.

Step 5: Verify the Fix with Reproducible Tests

Run the same heavy-loss scenario that previously failed. The test should now pass consistently. More importantly, verify that the fix does not break normal operation:

• Check steady-state throughput for long-lived connections.
• Test app-limited phases without loss – the exclusion should still work for non-minimum cwnd.
• Run full integration test suite to ensure no regressions.

Cloudflare reported that after the fix, the test failure rate dropped from 61% to 0% without harming other performance metrics.

Conclusion and Tips

• Test edge cases aggressively: standard tests miss recovery from congestion collapse. Design tests that start with high loss.
• Understand protocol differences: TCP optimizations may not directly port to QUIC due to different application models and loss recovery semantics.
• Keep fixes minimal: The one-line fix is easy to review and maintain. Resist adding large patches.
• Monitor production traffic: After deploying such a fix, watch for changes in connection recovery behavior, especially when short flows experience early loss.
• Contribute upstream: If your fix benefits the community, submit it to open-source projects like quiche or the Linux kernel CUBIC module.

By following these steps, you can systematically resolve similar bugs where congestion controllers refuse to recover from minimum window conditions.