Page MenuHomePhabricator

Crash while serializing Wikibase\DataModel\ReferenceList
Closed, ResolvedPublic

Description

A core dump was collected showing a crash SplObjectStorage::serialize() while serializing a Wikibase\DataModel\ReferenceList object.

The request URL was:

http://pt.wikivoyage.org/wiki/Centro-Leste_(Rio_Grande_do_Sul)

The crash is currently reproducible with that URL.

The PHP backtrace was:

#0: serialize
#1: HashBagOStuff::get
#2: Wikibase\Lib\Store\CachingEntityRevisionLookup::getEntityRevision
#3: Wikibase\Lib\Store\RevisionBasedEntityLookup::getEntity
#4: call_user_func_array
#5: Wikibase\Lib\Store\EntityRedirectResolvingDecorator::call
#6: Wikibase\Lib\Store\EntityRedirectResolvingDecorator::getEntity
#7: Wikibase\Lib\Store\RedirectResolvingEntityLookup::getEntity
#8: Wikibase\Client\Scribunto\WikibaseLuaBindings::getEntity
#9: Scribunto_LuaWikibaseLibrary::getEntity
#10: call_user_func_array
#11: Scribunto_LuaSandboxCallback::
call
#12: Scribunto_LuaSandboxCallback::getEntity
#13: LuaSandboxFunction::call
#14: call_user_func_array
#15: Scribunto_LuaSandboxInterpreter::callFunction
#16: Scribunto_LuaEngine::executeFunctionChunk
#17: Scribunto_LuaModule::invoke
#18: ScribuntoHooks::invokeHook
#19: call_user_func_array
#20: Parser::callParserFunction
#21: Parser::braceSubstitution
#22: PPFrame_DOM::expand
#23: ExtParserFunctions::ifObj
#24: call_user_func_array
#25: Parser::callParserFunction
#26: Parser::braceSubstitution
#27: PPFrame_DOM::expand
#28: ExtParserFunctions::ifObj
#29: call_user_func_array
#30: Parser::callParserFunction
#31: Parser::braceSubstitution
#32: PPFrame_DOM::expand
#33: PPTemplateFrame_DOM::cachedExpand
#34: Parser::braceSubstitution
#35: PPFrame_DOM::expand
#36: Parser::replaceVariables
#37: Parser::internalParse
#38: Parser::parse
#39: WikitextContent::fillParserOutput
#40: AbstractContent::getParserOutput
#41: PoolWorkArticleView::doWork
#42: PoolCounterWork::execute
#43: WikiPage::getParserOutput
#44: GeoCrumbs::getParserCache
#45: GeoCrumbs::makeTrail
#46: GeoCrumbs::onSkinTemplateOutputPageBeforeExec
#47: call_user_func_array
#48: Hooks::run
#49: wfRunHooks
#50: SkinTemplate::prepareQuickTemplate
#51: SkinTemplate::outputPage
#52: OutputPage::output
#53: MediaWiki::main
#54: MediaWiki::run

The top of the gdb backtrace was:

(gdb) bt
#0 0x00007fea99b79e84 in zend_object_store_get_object (zobject=0x7feaa0ee63a0)

at /tmp/buildd/php5-5.3.10/Zend/zend_objects_API.c:272

#1 0x00007fea99b76039 in zend_std_object_get_class (object=0x7feaa0ee63a0)

at /tmp/buildd/php5-5.3.10/Zend/zend_object_handlers.c:1234

#2 0x00007fea99ac1530 in php_var_serialize_intern (buf=0x7fff49038a70, struc=0xcccccccccccccccd,

var_hash=0x7fff49038a00) at /tmp/buildd/php5-5.3.10/ext/standard/var.c:767

#3 0x00007fea99ac1ea6 in php_var_serialize_intern (buf=0x7fff49038a70, struc=0x7fff49038a00, var_hash=0x56)

at /tmp/buildd/php5-5.3.10/ext/standard/var.c:866

#4 0x00007fea99ac716c in php_var_serialize (buf=0x7fff49038a70, struc=0x58, var_hash=0x7fea9a28ae80)

at /tmp/buildd/php5-5.3.10/ext/standard/var.c:885

#5 0x00007fea99a6cd69 in zim_spl_SplObjectStorage_serialize (ht=-1594987592, return_value=0x7feaa2685458,

return_value_ptr=0x7fea9a28ae80, this_ptr=0xb6b84cc231a29827, return_value_used=-1565637857)
at /tmp/buildd/php5-5.3.10/ext/spl/spl_observer.c:683

The immediate cause of the crash was an invalid object handle in a zval, out of the bounds of object_buckets, but handlers was apparently correct since it was set to spl_handler_ArrayObject.


Version: unspecified
Severity: normal

Details

Reference
bz71724

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 3:49 AM
bzimport set Reference to bz71724.
bzimport added a subscriber: Unknown Object (MLST).

Change 165166 had a related patch set uploaded by Tim Starling:
HashBagOStuff: use the value itself as the CAS token

https://gerrit.wikimedia.org/r/165166

Change 165167 had a related patch set uploaded by Tim Starling:
[1.25wmf1] HashBagOStuff: use the value itself as the CAS token

https://gerrit.wikimedia.org/r/165167

Change 165168 had a related patch set uploaded by Tim Starling:
[1.25wmf2] HashBagOStuff: use the value itself as the CAS token

https://gerrit.wikimedia.org/r/165168

Change 165167 merged by jenkins-bot:
HashBagOStuff: use the value itself as the CAS token

https://gerrit.wikimedia.org/r/165167

Change 165168 merged by jenkins-bot:
[1.25wmf2] HashBagOStuff: use the value itself as the CAS token

https://gerrit.wikimedia.org/r/165168

ori added a comment.Oct 7 2014, 6:11 AM
  • Bug 71734 has been marked as a duplicate of this bug. ***

Change 165166 merged by jenkins-bot:
HashBagOStuff: use the value itself as the CAS token

https://gerrit.wikimedia.org/r/165166

ori added a comment.Oct 7 2014, 10:38 PM

Practically (if not essentially) resolved by change I0b0b5f015. That is to say: the underlying bug is still there, but we're no longer hitting it. Since I very much doubt anyone will take the time to chase down an obscure segfault that is no longer reproducible in production, I'm closing this as FIXED.