
Wikimedia wikis with $wgLanguageCode = 'zh' error with certain input
Closed, Resolved; Public

Description

Steps to reproduce:

  1. Go to a wiki with $wgLanguageCode = 'zh' (for example https://zh.wiktionary.org).
  2. Enter the string "-{H|=>zh-hans:SOMETHING;}-[[Category:Test]][[A]]" on a page and attempt to save the page.

User is immediately presented with an error:


WIKIMEDIA FOUNDATION
Error

[...]

Request: POST http://test.wikipedia.org/w/index.php?title=Zh&action=submit, from 10.64.0.133 via cp1011.eqiad.wmnet (squid/2.7.STABLE9) to 10.64.0.47 (10.64.0.47)

Error: ERR_ZERO_SIZE_OBJECT, errno [No Error] at Wed, 17 Jul 2013 16:29:51 GMT

(test.wikipedia.org was temporarily set to $wgLanguageCode = 'zh' for debugging this issue.)

Alexandros K. helpfully provided a gdb output:

#0 0x00007f6230670be4 in _zval_ptr_dtor () from /usr/lib/apache2/modules/libphp5.so
#1 0x00007f6228760082 in _php_fss_close (rsrc=<optimized out>) at /root/fw-ports/php5-fss/php5-fss-0.0.1/fss.c:339
#2 0x00007f623068efee in ?? () from /usr/lib/apache2/modules/libphp5.so
#3 0x00007f623068cd71 in zend_hash_del_key_or_index () from /usr/lib/apache2/modules/libphp5.so
#4 0x00007f623068f107 in _zend_list_delete () from /usr/lib/apache2/modules/libphp5.so
#5 0x00007f6230670c21 in _zval_ptr_dtor () from /usr/lib/apache2/modules/libphp5.so
#6 0x00007f62306a3478 in ?? () from /usr/lib/apache2/modules/libphp5.so
#7 0x00007f62306de437 in ?? () from /usr/lib/apache2/modules/libphp5.so
#8 0x00007f62306ded36 in ?? () from /usr/lib/apache2/modules/libphp5.so
#9 0x00007f62306a546b in execute () from /usr/lib/apache2/modules/libphp5.so
#10 0x00007f62306729ac in zend_call_function () from /usr/lib/apache2/modules/libphp5.so
#11 0x00007f62305b5318 in ?? () from /usr/lib/apache2/modules/libphp5.so
#12 0x00007f62306f48fd in ?? () from /usr/lib/apache2/modules/libphp5.so
#13 0x00007f62306a546b in execute () from /usr/lib/apache2/modules/libphp5.so
#14 0x00007f62306809d0 in zend_execute_scripts () from /usr/lib/apache2/modules/libphp5.so
#15 0x00007f623062d043 in php_execute_script () from /usr/lib/apache2/modules/libphp5.so
#16 0x00007f623070fedd in ?? () from /usr/lib/apache2/modules/libphp5.so
#17 0x00007f6232b0e508 in ap_run_handler ()
#18 0x00007f6232b0e97e in ap_invoke_handler ()
#19 0x00007f6232b1e570 in ap_process_request ()
#20 0x00007f6232b1b398 in ?? ()
#21 0x00007f6232b14fa8 in ap_run_process_connection ()
#22 0x00007f6232b231d0 in ?? ()
#23 0x00007f6232b2393a in ?? ()
#24 0x00007f6232b244e7 in ap_mpm_run ()
#25 0x00007f6232af94a4 in main ()


Version: 1.24rc
Severity: major

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 22 2014, 2:10 AM
bzimport set Reference to bz51551.
bzimport added a subscriber: Unknown Object (MLST).

Change 74186 had a related patch set uploaded by Hoo man:
Fix the calculation of fss_resource_t->replace_size

https://gerrit.wikimedia.org/r/74186

I confirmed in gdb that this test case generates a replacement array with an empty search string, and thus leads to res->replace[i] being set to NULL, which leads to a null pointer dereference in _php_fss_close(). The only other read of res->replace was already appropriately guarded.
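A simplified C model of the failure described in the comment above, added here as an illustration and not taken from fss.c or from the Gerrit change: a pair with an empty search string leaves a NULL slot in the replacement array, so the close routine has to check each slot before releasing it. The names `val`, `repl_table`, `table_build` and `table_close` are hypothetical, and the input in `main` is constructed.

```c
#include <stdlib.h>
#include <string.h>
/* Refcounted value standing in for a PHP zval (simplified model). */
typedef struct { int refcount; char str[]; } val;
/* One slot per search/replace pair. Hypothetical names, not from fss.c. */
typedef struct { size_t n; val **replace; } repl_table;

/* Drops one reference. Dereferences v, so v must never be NULL. */
static void val_release(val *v) { if (--v->refcount == 0) free(v); }

/* Frees the table; returns how many slots actually held a value. */
size_t table_close(repl_table *t)
{
    size_t released = 0;
    for (size_t i = 0; i < t->n; i++) {
        if (!t->replace[i]) continue;  /* skipped pair: releasing it would dereference NULL */
        val_release(t->replace[i]);
        released++;
    }
    free(t->replace);
    free(t);
    return released;
}

/* Builds the table; a pair with an empty search string leaves its slot NULL. */
repl_table *table_build(const char *const *search, const char *const *repl, size_t n)
{
    repl_table *t = calloc(1, sizeof *t);
    if (!t) return NULL;
    t->n = n;
    t->replace = calloc(n ? n : 1, sizeof *t->replace);
    if (!t->replace) { free(t); return NULL; }
    for (size_t i = 0; i < n; i++) {
        if (search[i][0] == '\0') continue;   /* slot i stays NULL */
        val *v = malloc(sizeof *v + strlen(repl[i]) + 1);
        if (!v) { table_close(t); return NULL; }
        v->refcount = 1;
        strcpy(v->str, repl[i]);
        t->replace[i] = v;
    }
    return t;
}

int main(void)
{
    /* Constructed input: the middle pair has an empty search string. */
    const char *s[] = { "zh", "", "A" }, *r[] = { "X", "SOMETHING", "B" };
    repl_table *t = table_build(s, r, 3);
    return (t && table_close(t) == 2) ? 0 : 1;
}
```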

Change 74186 merged by jenkins-bot:
Fix a segfault with zval_ptr_dtor

https://gerrit.wikimedia.org/r/74186

(In reply to comment #2)

> I confirmed in gdb that this test case generates a replacement array with an
> empty search string,

This doesn't sound good as strtr() fails on it too (with unwanted output) IIRC.

(In reply to comment #5)

> Is it deployed now?

I guess so, but you can easily try it with the above wikitext snippet on any zh language wiki...

(In reply to comment #6)

> (In reply to comment #5)
>
> > Is it deployed now?
>
> I guess so, but you can easily try it with the above wikitext snippet on any zh language wiki...

It still fails so I wonder whether it's not deployed yet or it doesn't fix the error.

(In reply to comment #7)

> (In reply to comment #6)
>
> > (In reply to comment #5)
> >
> > > Is it deployed now?
> >
> > I guess so, but you can easily try it with the above wikitext snippet on any zh language wiki...
>
> It still fails so I wonder whether it's not deployed yet or it doesn't fix the error.

I (of course) tested my patch locally and with it applied I've been able to save the snippet... so if you aren't, the fast string search probably isn't up to date on the WMF installations.

This will require proper intervention to be deployed - It won't happen automagically. It needs to be built, packaged, inserted in the WMF deb repo, all the apaches to be updated and then for them to be gracefuled.

We're apparently running a version that doesn't have a changelog entry. Needless to say, I'm fairly sure this means it has not been deployed yet. Needs to be done by opsen or Tim

reedy@tin:/a/common$ dpkg -l | grep fss
ii php5-fss 0.0.1-5 FastStringSearch extension used for MediaWiki

(In reply to MZMcBride from comment #0)

>   1. Go to a wiki with $wgLanguageCode = 'zh' (for example https://zh.wiktionary.org).
>   2. Enter the string "-{H|=>zh-hans:SOMETHING;}-[[Category:Test]][[A]]" on a page and attempt to save the page.
>
> User is immediately presented with an error:

I tried on https://zh.wiktionary.org/w/index.php?title=User:AKlapper_%28WMF%29/bug51551&action=edit and I did not get any error.

Is this obsolete now, or are my steps wrong?

(In reply to Andre Klapper from comment #10)

> Is this obsolete now, or are my steps wrong?

Well on WMF sites it should be fine (as I've patched that with https://gerrit.wikimedia.org/r/74186). But for sites which don't use our php fss extension there might still be some unwanted behaviour.

(In reply to Marius Hoch from comment #11)

> Well on WMF sites it should be fine (as I've patched that with https://gerrit.wikimedia.org/r/74186). But for sites which don't use our php fss extension there might still be some unwanted behaviour.

Ah. Thanks.
So I wonder if this ticket should be moved to the MediaWiki product.

(In reply to Marius Hoch from comment #11)

> But for sites which don't use our php fss extension there might still be some unwanted behaviour.

For the record, on other sites a page with "-{H|=>zh-hans:SOMETHING;}-[[Category:Test]][[A]]" appears completely empty in zh-hans, because strtr() returns false when there's a key of empty string.

Change 131717 had a related patch set uploaded by Liangent:
LanguageConverter fix of empty and numeric strings

https://gerrit.wikimedia.org/r/131717

Anomie added subscribers: csteipp, Anomie, Aklapper.

Change 131717 had a related patch set uploaded (by Liangent):
LanguageConverter fix of empty and numeric strings

https://gerrit.wikimedia.org/r/131717

Change 131717 merged by jenkins-bot:
LanguageConverter fix of empty and numeric strings

https://gerrit.wikimedia.org/r/131717

Anomie assigned this task to liangent.
Anomie set Security to None.

The fix should go out to WMF wikis with 1.26wmf9, see https://www.mediawiki.org/wiki/MediaWiki_1.26/Roadmap for the schedule.