
Crash while serializing Wikibase\DataModel\ReferenceList
Closed, ResolvedPublic

Description

A core dump was collected showing a crash in SplObjectStorage::serialize() while serializing a Wikibase\DataModel\ReferenceList object.

The request URL was:

http://pt.wikivoyage.org/wiki/Centro-Leste_(Rio_Grande_do_Sul)

The crash is currently reproducible with that URL.

The PHP backtrace was:

#0: serialize
#1: HashBagOStuff::get
#2: Wikibase\Lib\Store\CachingEntityRevisionLookup::getEntityRevision
#3: Wikibase\Lib\Store\RevisionBasedEntityLookup::getEntity
#4: call_user_func_array
#5: Wikibase\Lib\Store\EntityRedirectResolvingDecorator::call
#6: Wikibase\Lib\Store\EntityRedirectResolvingDecorator::getEntity
#7: Wikibase\Lib\Store\RedirectResolvingEntityLookup::getEntity
#8: Wikibase\Client\Scribunto\WikibaseLuaBindings::getEntity
#9: Scribunto_LuaWikibaseLibrary::getEntity
#10: call_user_func_array
#11: Scribunto_LuaSandboxCallback::__call
#12: Scribunto_LuaSandboxCallback::getEntity
#13: LuaSandboxFunction::call
#14: call_user_func_array
#15: Scribunto_LuaSandboxInterpreter::callFunction
#16: Scribunto_LuaEngine::executeFunctionChunk
#17: Scribunto_LuaModule::invoke
#18: ScribuntoHooks::invokeHook
#19: call_user_func_array
#20: Parser::callParserFunction
#21: Parser::braceSubstitution
#22: PPFrame_DOM::expand
#23: ExtParserFunctions::ifObj
#24: call_user_func_array
#25: Parser::callParserFunction
#26: Parser::braceSubstitution
#27: PPFrame_DOM::expand
#28: ExtParserFunctions::ifObj
#29: call_user_func_array
#30: Parser::callParserFunction
#31: Parser::braceSubstitution
#32: PPFrame_DOM::expand
#33: PPTemplateFrame_DOM::cachedExpand
#34: Parser::braceSubstitution
#35: PPFrame_DOM::expand
#36: Parser::replaceVariables
#37: Parser::internalParse
#38: Parser::parse
#39: WikitextContent::fillParserOutput
#40: AbstractContent::getParserOutput
#41: PoolWorkArticleView::doWork
#42: PoolCounterWork::execute
#43: WikiPage::getParserOutput
#44: GeoCrumbs::getParserCache
#45: GeoCrumbs::makeTrail
#46: GeoCrumbs::onSkinTemplateOutputPageBeforeExec
#47: call_user_func_array
#48: Hooks::run
#49: wfRunHooks
#50: SkinTemplate::prepareQuickTemplate
#51: SkinTemplate::outputPage
#52: OutputPage::output
#53: MediaWiki::main
#54: MediaWiki::run

The top of the gdb backtrace was:

(gdb) bt
#0  0x00007fea99b79e84 in zend_object_store_get_object (zobject=0x7feaa0ee63a0)
    at /tmp/buildd/php5-5.3.10/Zend/zend_objects_API.c:272
#1  0x00007fea99b76039 in zend_std_object_get_class (object=0x7feaa0ee63a0)
    at /tmp/buildd/php5-5.3.10/Zend/zend_object_handlers.c:1234
#2  0x00007fea99ac1530 in php_var_serialize_intern (buf=0x7fff49038a70, struc=0xcccccccccccccccd,
    var_hash=0x7fff49038a00) at /tmp/buildd/php5-5.3.10/ext/standard/var.c:767
#3  0x00007fea99ac1ea6 in php_var_serialize_intern (buf=0x7fff49038a70, struc=0x7fff49038a00, var_hash=0x56)
    at /tmp/buildd/php5-5.3.10/ext/standard/var.c:866
#4  0x00007fea99ac716c in php_var_serialize (buf=0x7fff49038a70, struc=0x58, var_hash=0x7fea9a28ae80)
    at /tmp/buildd/php5-5.3.10/ext/standard/var.c:885
#5  0x00007fea99a6cd69 in zim_spl_SplObjectStorage_serialize (ht=-1594987592, return_value=0x7feaa2685458,
    return_value_ptr=0x7fea9a28ae80, this_ptr=0xb6b84cc231a29827, return_value_used=-1565637857)
    at /tmp/buildd/php5-5.3.10/ext/spl/spl_observer.c:683

The immediate cause of the crash was an invalid object handle in a zval, out of the bounds of object_buckets, but handlers was apparently correct since it was set to spl_handler_ArrayObject.


Version: unspecified
Severity: normal

Details

Reference
bz71724

Event Timeline

bzimport raised the priority of this task from to Needs Triage. Nov 22 2014, 3:49 AM
bzimport set Reference to bz71724.
bzimport added a subscriber: Unknown Object (MLST).

Change 165166 had a related patch set uploaded by Tim Starling:
HashBagOStuff: use the value itself as the CAS token

https://gerrit.wikimedia.org/r/165166

Change 165167 had a related patch set uploaded by Tim Starling:
[1.25wmf1] HashBagOStuff: use the value itself as the CAS token

https://gerrit.wikimedia.org/r/165167

Change 165168 had a related patch set uploaded by Tim Starling:
[1.25wmf2] HashBagOStuff: use the value itself as the CAS token

https://gerrit.wikimedia.org/r/165168

Change 165167 merged by jenkins-bot:
HashBagOStuff: use the value itself as the CAS token

https://gerrit.wikimedia.org/r/165167

Change 165168 merged by jenkins-bot:
[1.25wmf2] HashBagOStuff: use the value itself as the CAS token

https://gerrit.wikimedia.org/r/165168

Bug 71734 has been marked as a duplicate of this bug.

Change 165166 merged by jenkins-bot:
HashBagOStuff: use the value itself as the CAS token

https://gerrit.wikimedia.org/r/165166
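As an added illustration of what the merged change describes, and not code from MediaWiki or from change 165166 itself: a minimal hash-backed cache whose check-and-set (CAS) token is either serialize( $value ) or the value itself. The PHP backtrace in the description shows serialize() being called directly from HashBagOStuff::get, so the "serialized token" variant is an assumption about the pre-fix behaviour; the "value as token" variant is the approach named in the patch title. The class name TinyHashBag and its method names are hypothetical.

```php
<?php
// Added illustration only; not MediaWiki's HashBagOStuff and not the code of
// change 165166. TinyHashBag, its methods and the "serialize() as token"
// variant are assumptions modelled on the backtrace above (serialize()
// invoked directly from HashBagOStuff::get) and on the patch title.

/**
 * Minimal in-process key/value store with check-and-set (CAS) support.
 * getWithToken() hands out a token; cas() only writes if that token still
 * matches what is stored. Whether a plain read serializes the cached value
 * depends solely on how the token is built.
 */
class TinyHashBag {
    /** @var array key => array( value, unix expiry or 0 ) */
    private $bag = array();
    /** @var bool true = assumed pre-fix behaviour: token is serialize( $value ) */
    private $serializeTokens;

    public function __construct( $serializeTokens = false ) {
        $this->serializeTokens = $serializeTokens;
    }

    /** Drop the entry if it has expired; return true if it is still live. */
    private function isLive( $key ) {
        if ( !isset( $this->bag[$key] ) ) {
            return false;
        }
        $expiry = $this->bag[$key][1];
        if ( $expiry !== 0 && $expiry < time() ) {
            unset( $this->bag[$key] );
            return false;
        }
        return true;
    }

    /** Build the CAS token for a stored value. */
    private function makeToken( $value ) {
        // Serialized token: serialize() walks the whole object graph on every
        // read. For a Wikibase entity that graph includes the SplObjectStorage
        // inside ReferenceList, which is where the reported crash occurred.
        // Value token: the cached value itself is the token, so reads never
        // serialize anything.
        return $this->serializeTokens ? serialize( $value ) : $value;
    }

    public function get( $key ) {
        $casToken = null;
        return $this->getWithToken( $key, $casToken );
    }

    public function getWithToken( $key, &$casToken ) {
        if ( !$this->isLive( $key ) ) {
            return false;
        }
        $value = $this->bag[$key][0];
        $casToken = $this->makeToken( $value );
        return $value;
    }

    public function set( $key, $value, $exptime = 0 ) {
        $this->bag[$key] = array( $value, $exptime ? time() + $exptime : 0 );
        return true;
    }

    /** Write only if the stored value still matches the token from getWithToken(). */
    public function cas( $casToken, $key, $value, $exptime = 0 ) {
        if ( !$this->isLive( $key ) ) {
            return false;
        }
        // With value tokens, !== compares object identity (same instance) for
        // objects and structure for scalars and arrays; with serialized tokens
        // it compares the two serialized strings.
        if ( $casToken !== $this->makeToken( $this->bag[$key][0] ) ) {
            return false;
        }
        return $this->set( $key, $value, $exptime );
    }
}

// Usage with a value shaped like the one in the report: an SplObjectStorage
// (constructed sample standing in for a ReferenceList) cached under a key.
$cache = new TinyHashBag( false ); // value-as-token behaviour
$refs = new SplObjectStorage();
$refs->attach( new stdClass() );
$cache->set( 'wikibase:entity:Q1', $refs );

$token = null;
$cache->getWithToken( 'wikibase:entity:Q1', $token ); // no serialize() on this path
$first = $cache->cas( $token, 'wikibase:entity:Q1', new SplObjectStorage() );  // token current
$second = $cache->cas( $token, 'wikibase:entity:Q1', new SplObjectStorage() ); // token now stale
var_dump( $first, $second );
```

Using the value itself as the token means a cache read of an entity no longer serializes its object graph at all, which is why the crash stops reproducing even though the engine-level fault in SplObjectStorage::serialize() is untouched; that matches the closing comment below that the underlying bug remains but is no longer hit. The trade-off is that token comparison for objects becomes an identity check, so a CAS against a separately constructed but equal object will be refused.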

Practically (if not essentially) resolved by change I0b0b5f015. That is to say: the underlying bug is still there, but we're no longer hitting it. Since I very much doubt anyone will take the time to chase down an obscure segfault that is no longer reproducible in production, I'm closing this as FIXED.