Last modified: 2014-07-25 22:07:47 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T70422, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 68422 - FastStringSearch on HHVM: Assertion `!"Invalid Cell type"' failed.
Status: RESOLVED WORKSFORME
Product: MediaWiki
Classification: Unclassified
Component: General/Unknown
Version: unspecified
Hardware: All All
Importance: Unprioritized normal
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Keywords: hhvm
Reported: 2014-07-23 07:48 UTC by Ori Livneh
Modified: 2014-07-25 22:07 UTC

Attachments
parser test case (419 bytes, text/plain)
2014-07-25 21:32 UTC, Ori Livneh

Description Ori Livneh 2014-07-23 07:48:14 UTC
osmium's HHVM is hhvm/master@f4b9fe9 plus cherry-picks b03beff from swtaarrs/hhvm and ca5a0db from tstarling/hiphop-php. FastStringSearch is at 9523fc6.

php: /srv/hhvm-dev/hphp/runtime/base/tv-helpers.cpp:72: bool HPHP::cellIsPlausible(HPHP::Cell): Assertion `!"Invalid Cell type"' failed.


Host: osmium
ProcessID: 30771
ThreadID: 7f8c0cc5f800
ThreadPID: 30771
Name: /usr/local/bin/php
Type: Aborted
Runtime: hhvm
Version: remotes/origin/HEAD-0-gca5a0dbfbdcc76b6e6830aa827fdf1cde22dabcd
DebuggerCount: 0

Arguments: tests/phpunit/phpunit.php
ThreadType: CLI

# 0  ?? at php:0
# 1  __GI_raise at /build/buildd/eglibc-2.19/signal/../nptl/sysdeps/unix/sysv/linux/raise.c:56
# 2  __GI_abort at /build/buildd/eglibc-2.19/stdlib/abort.c:91
# 3  __assert_fail_base at /build/buildd/eglibc-2.19/assert/assert.c:92
# 4  __assert_fail at /lib/x86_64-linux-gnu/libc.so.6:0
# 5  HPHP::cellIsPlausible(HPHP::TypedValue) at php:0
# 6  HPHP::tvIsPlausible(HPHP::TypedValue) at php:0
# 7  f_fss_prep_replace at /srv/hhvm-dev/hphp/runtime/base/tv-helpers.h:461
# 8  HPHP::Native::NativeFuncCaller::callInt64() at php:0
# 9  HPHP::Native::callFunc(HPHP::Func const*, void*, HPHP::TypedValue*, int, HPHP::TypedValue&) at php:0
# 10 HPHP::ExecutionContext::iopFCallBuiltin(unsigned char const*&) at php:0
# 11 void HPHP::ExecutionContext::dispatchImpl<false>() at php:0
# 12 HPHP::ExecutionContext::dispatch() at php:0
# 13 HPHP::ExecutionContext::enterVMAtCurPC() at php:0
# 14 HPHP::ExecutionContext::enterVM(HPHP::ActRec*, HPHP::ExecutionContext::StackArgsState, HPHP::Resumable*, HPHP::ObjectData*) at php:0
# 15 HPHP::ExecutionContext::invokeFunc(HPHP::TypedValue*, HPHP::Func const*, HPHP::Variant const&, HPHP::ObjectData*, HPHP::Class*, HPHP::VarEnv*, HPHP::StringData*, HPHP::ExecutionContext::InvokeFlags) at php:0
# 16 HPHP::ExecutionContext::invokeUnit(HPHP::TypedValue*, HPHP::Unit const*) at php:0
# 17 ?? at php:0
# 18 ?? at php:0
# 19 HPHP::include_impl_invoke(HPHP::String const&, bool, char const*) at php:0
# 20 HPHP::hphp_invoke(HPHP::ExecutionContext*, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool, HPHP::Array const&, HPHP::VRefParamValue const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool&, std::basic_string<char, std::char_traits<char>, std::allocator<char> >&, bool, bool, bool) at php:0
# 21 HPHP::hphp_invoke_simple(std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) at php:0
# 22 ?? at php:0
# 23 HPHP::execute_program(int, char**) at php:0
# 24 HPHP::emulate_zend(int, char**) at php:0
# 25 main at php:0
# 26 __libc_start_main at /build/buildd/eglibc-2.19/csu/libc-start.c:321
# 27 ?? at php:0

Comment 1 Ori Livneh 2014-07-25 21:32:57 UTC
Created attachment 16038
parser test case

Invoke using tests/parserTests.php --file=parser_test.txt

Comment 2 Ori Livneh 2014-07-25 21:36:52 UTC
(Documenting my baby-steps.)

I run gdb like this:

$ TRACE=bcinterp:3 HPHP_TRACE_FILE=/tmp/hphp.log gdb -ex run --args /usr/local/bin/hhvm /srv/mediawiki/tests/parserTests.php --file=/srv/mediawiki/68422.txt

And I see:

hhvm: /srv/hhvm-dev/hphp/runtime/base/ref-data.h:118: HPHP::Cell* HPHP::RefData::tv(): Assertion `m_magic == Magic::kMagic' failed.

The relevant frame looks like this one:

#4  0x0000000001f76289 in HPHP::RefData::tv (this=0x7fffe8759c50) at /srv/hhvm-dev/hphp/runtime/base/ref-data.h:118

So:

(gdb) frame 4
#4  0x0000000001f76289 in HPHP::RefData::tv (this=0x7fffe8759c50) at /srv/hhvm-dev/hphp/runtime/base/ref-data.h:118
118	    assert(m_magic == Magic::kMagic);
(gdb) p m_tv->m_data.pobj
$1 = (HPHP::ObjectData *) 0x6a6a6a6a6a6a6a6a

0x6a6a6a6a is typical of memory freed by the smart allocator, which suggests that this is a use-after-free bug.
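
Added example (not part of the original report and not HHVM code): a toy pool allocator that fills released slots with 0x6a, showing why a dangling handle fails a magic check and reads back 0x6a6a6a6a6a6a6a6a as in the gdb output above. The Ref struct, the REF_MAGIC value and all function names are constructed for illustration; only the 0x6a fill byte comes from this page.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FREE_FILL  0x6a         /* fill byte for freed memory (value from the page) */
#define REF_MAGIC  0xfacefeedu  /* constructed stand-in for Magic::kMagic */
#define POOL_SLOTS 4

typedef struct { uint32_t magic; uintptr_t obj; } Ref;  /* toy stand-in for RefData */

static Ref pool[POOL_SLOTS];
static int in_use[POOL_SLOTS];

/* Hand out a free slot and stamp it with the magic value. */
static Ref *ref_alloc(uintptr_t obj) {
    for (int i = 0; i < POOL_SLOTS; i++)
        if (!in_use[i]) {
            in_use[i] = 1;
            pool[i].magic = REF_MAGIC;
            pool[i].obj = obj;
            return &pool[i];
        }
    return NULL;
}

/* Release a slot and poison every byte so stale readers are recognisable. */
static void ref_free(Ref *r) {
    memset(r, FREE_FILL, sizeof *r);
    in_use[r - pool] = 0;
}

/* True when all n bytes at p equal the free-fill byte. */
static int looks_freed(const void *p, size_t n) {
    const unsigned char *b = p;
    for (size_t i = 0; i < n; i++)
        if (b[i] != FREE_FILL) return 0;
    return n > 0;
}

/* Checked accessor: same idea as the m_magic assertion, but returns 0
   instead of aborting (so 0 cannot be used as a valid handle here). */
static uintptr_t ref_get(const Ref *r) {
    return r->magic == REF_MAGIC ? r->obj : 0;
}

int main(void) {
    Ref *r = ref_alloc(0x1234);
    printf("live:  obj=0x%" PRIxPTR "\n", ref_get(r));
    ref_free(r);                       /* r is now a dangling handle */
    printf("stale: magic_ok=%d obj=0x%" PRIxPTR " poisoned=%d\n",
           ref_get(r) != 0, r->obj, looks_freed(&r->obj, sizeof r->obj));
    return 0;
}
```

The pool is a static array, so reading the stale slot is well defined in this demo; with a real heap the same read is the use-after-free itself.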

Comment 3 Brett Simmers 2014-07-25 21:48:47 UTC
I'd recommend not using TRACE=bcinterp. It's way too verbose for most use cases (I was using it as a bit of a last resort debugging that lua thing) and currently has the bug we ran into last week where it can try to trace values that are legitimately freed already. That failed assertion might be a red herring.

Comment 4 Ori Livneh 2014-07-25 22:07:47 UTC
I am an idiot; I was loading dynamic extensions from the wrong path. Once I set the right hhvm.dynamic_extension_path, the test-case passes without asserting.
