Page MenuHomePhabricator
Create Task
Maniphest T120267

PHP 5.6 and 5.5 does not work with Mediawiki 1.26 on Centos 6.6 with default APCu settings
Closed, ResolvedPublic
Actions

Description

"PHP Fatal error: Unsupported operand types in /var/www/html/wiki/includes/registration/ExtensionRegistry.php on line 272"
It appears that this is the problem line in ExtensionsRegistry.php

$this->loaded += $info['credits'];
This error occurs on PHP 5.5 and PHP 5.6

It does not occur on PHP 5.4

Details

SubjectRepoBranchLines +/-
Work around APCu memory corruption bugmediawiki/coreREL1_26+53 -2
Work around APCu memory corruption bugmediawiki/coremaster+52 -2
Customize query in gerrit

Event Timeline

Maniphest changed the visibility from "Public (No Login Required)" to "Custom Policy".Dec 3 2015, 7:59 PM
Maniphest changed the edit policy from "All Users" to "Custom Policy".
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 3 2015, 7:59 PM
Minddragon created this task.Dec 3 2015, 7:59 PM
Minddragon updated the task description. (Show Details)
Minddragon added projects: MediaWiki-extensions-General, acl*security.
Minddragon changed Security from None to Software security bug.
Minddragon edited subscribers, added: Minddragon; removed: Aklapper.
Krenair subscribed.Dec 3 2015, 8:02 PM

How is this a software security bug?

MaxSem removed a project: acl*security.Dec 3 2015, 8:02 PM
MaxSem changed the visibility from "Custom Policy" to "Public (No Login Required)".
MaxSem changed Security from Software security bug to None.
MaxSem removed a subscriber: Krenair.
Restricted Application added a subscriber: StudiesWorld. · View Herald TranscriptDec 3 2015, 8:02 PM
Legoktm edited projects, added MediaWiki-Configuration; removed MediaWiki-extensions-General.Dec 3 2015, 8:04 PM
Legoktm subscribed.

Can you please indicate what extensions and skins you have installed and their versions? One of them likely has an invalid extension.json or skin.json file.

Minddragon added a comment.Dec 3 2015, 8:08 PM

Steps to replicate:

  1. Have a CentOS machine, apache, Mysql, PHP 5.6w (I did yum install php56w php56w-common php56w-pecl* and a few others
  2. Download Mediawiki 1.26 tarball
  3. Ran the initial Mediawiki setup with no extensions enabled
  4. Observed the crash. I couldn't get skins to work as well.
  5. Tried Yum remove php56* and installed PHP55* and got the same thing
  6. Did Yum remove php55* and installed 54* and everything worked including default Mediawiki extensions.

Please note several other people on support forums are reporting similar conditions.

Anomie subscribed.EditedDec 3 2015, 9:41 PM

I managed to reproduce this with a virtual machine:

Then I found that a package "php56w" does not exist. I'm guessing you're using https://mirror.webtatic.com/yum/el6/latest.rpm as an additional repo? Let's try that.

After poking at it a bit, it looks like ExtensionRegistry decided to use APC for caching and the APC cache is somehow or other corrupting the keys in the stored arrays. Uninstalling php56w-pecl-apcu makes it work by not using APC. Probably this didn't happen in 1.25 because the code removed in https://gerrit.wikimedia.org/r/#/c/226441/ avoided the corruption by only storing strings in APC.

ori subscribed.Dec 13 2015, 12:01 AM
ori added a comment.Dec 13 2015, 12:46 AM

Following @Anomie's instructions, I end up with these warnings & notices:

T120267.log3 KBDownload

Legoktm added a comment.Dec 13 2015, 1:07 AM

Can you stick a var_dump($data) right after ExtensionRegistry reads out of the APC cache at line 133?

ori added a comment.Dec 13 2015, 1:17 AM
In T120267#1875977, @Legoktm wrote:

Can you stick a var_dump($data) right after ExtensionRegistry reads out of the APC cache at line 133?

info_array.txt9 KBDownload

ori added a comment.Dec 13 2015, 1:19 AM
In T120267#1875985, @ori wrote:
In T120267#1875977, @Legoktm wrote:

Can you stick a var_dump($data) right after ExtensionRegistry reads out of the APC cache at line 133?

info_array.txt9 KBDownload

It does appear to be corrupt somehow. Replacing $data = $this->cache->get( $key ); with $data = false; (and thus forcing the data to be computed rather than loaded from the cache) works.

ori added a comment.Dec 13 2015, 1:25 AM
This comment was removed by ori.
ori added a comment.Dec 13 2015, 1:30 AM

Changing apc.serializer = 'default' to apc.serializer = 'php' in /etc/php.d/apcu.ini and then restarting httpd makes the problem go away.

ori added a comment.Dec 13 2015, 1:38 AM

It'd be great to have a minimal reproduction case (e.g. some cooked-up array that reliably triggers this corruption). Then, when APCBagOStuff is first initialized, try to set/get it, and if it is corrupt, default to the old behavior (serialize and deserialize in user code).

ori added a comment.Dec 13 2015, 5:53 AM

I'm pretty certain the bug is the one described here:

@Minddragon, you should edit /etc/php.d/apcu.ini and ensure apc.serializer is set to php rather than default.

Since this is a possible use-after-free in apcu's serialization code, I don't think that we should try to trigger it, as I suggested above. We should just fall back to the old behavior of serializing everything in PHP "user space" when APCu is used with the default serializer.

gerritbot subscribed.Dec 13 2015, 6:51 AM

Change 258734 had a related patch set uploaded (by Ori.livneh):
Work around APCu memory corruption bug

https://gerrit.wikimedia.org/r/258734

gerritbot added a project: Patch-For-Review.Dec 13 2015, 6:51 AM
Minddragon added a comment.Dec 13 2015, 3:24 PM

@ori thank you guys for figuring it out :)

Ciencia_Al_Poder subscribed.Dec 13 2015, 3:36 PM
Legoktm added a project: MW-1.26-release.Dec 14 2015, 6:15 AM
gerritbot added a comment.Dec 14 2015, 6:21 AM

Change 258734 merged by jenkins-bot:
Work around APCu memory corruption bug

https://gerrit.wikimedia.org/r/258734

gerritbot added a comment.Dec 14 2015, 6:44 AM

Change 258930 had a related patch set uploaded (by Legoktm):
Work around APCu memory corruption bug

https://gerrit.wikimedia.org/r/258930

gerritbot added a comment.Dec 14 2015, 7:02 AM

Change 258930 merged by jenkins-bot:
Work around APCu memory corruption bug

https://gerrit.wikimedia.org/r/258930

Legoktm closed this task as Resolved.Dec 14 2015, 7:04 AM
Legoktm assigned this task to ori.

Fixed in master and backported to REL1_26. Will be included as part of the 1.26.1 release. Thanks everyone for investigating and fixing this :)

Legoktm renamed this task from PHP 5.6 and 5.5 does not work with Mediawiki 1.26 on Centos 6.6 to PHP 5.6 and 5.5 does not work with Mediawiki 1.26 on Centos 6.6 with default APCu settings.Dec 14 2015, 7:05 AM
Legoktm added a project: MediaWiki-libs-BagOStuff.
ReleaseTaggerBot added projects: MW-1.27-release-notes, MW-1.27-release (WMF-deploy-2015-12-15_(1.27.0-wmf.9)).Dec 14 2015, 8:00 AM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:39 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL