Last modified: 2014-10-07 22:38:49 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T73724, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 71724 - Crash while serializing Wikibase\DataModel\ReferenceList
Crash while serializing Wikibase\DataModel\ReferenceList
Status: RESOLVED FIXED
Product: MediaWiki extensions
Classification: Unclassified
WikidataRepo (Other open bugs)
unspecified
All All
: Unprioritized normal (vote)
: ---
Assigned To: Wikidata bugs
:
: 71734 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-10-07 00:44 UTC by Tim Starling
Modified: 2014-10-07 22:38 UTC (History)
3 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Tim Starling 2014-10-07 00:44:32 UTC 
A core dump was collected showing a crash SplObjectStorage::serialize() while serializing a Wikibase\DataModel\ReferenceList object.

The request URL was:

http://pt.wikivoyage.org/wiki/Centro-Leste_(Rio_Grande_do_Sul)

The crash is currently reproducible with that URL.

The PHP backtrace was:

#0: serialize
#1: HashBagOStuff::get
#2: Wikibase\Lib\Store\CachingEntityRevisionLookup::getEntityRevision
#3: Wikibase\Lib\Store\RevisionBasedEntityLookup::getEntity
#4: call_user_func_array
#5: Wikibase\Lib\Store\EntityRedirectResolvingDecorator::__call
#6: Wikibase\Lib\Store\EntityRedirectResolvingDecorator::getEntity
#7: Wikibase\Lib\Store\RedirectResolvingEntityLookup::getEntity
#8: Wikibase\Client\Scribunto\WikibaseLuaBindings::getEntity
#9: Scribunto_LuaWikibaseLibrary::getEntity
#10: call_user_func_array
#11: Scribunto_LuaSandboxCallback::__call
#12: Scribunto_LuaSandboxCallback::getEntity
#13: LuaSandboxFunction::call
#14: call_user_func_array
#15: Scribunto_LuaSandboxInterpreter::callFunction
#16: Scribunto_LuaEngine::executeFunctionChunk
#17: Scribunto_LuaModule::invoke
#18: ScribuntoHooks::invokeHook
#19: call_user_func_array
#20: Parser::callParserFunction
#21: Parser::braceSubstitution
#22: PPFrame_DOM::expand
#23: ExtParserFunctions::ifObj
#24: call_user_func_array
#25: Parser::callParserFunction
#26: Parser::braceSubstitution
#27: PPFrame_DOM::expand
#28: ExtParserFunctions::ifObj
#29: call_user_func_array
#30: Parser::callParserFunction
#31: Parser::braceSubstitution
#32: PPFrame_DOM::expand
#33: PPTemplateFrame_DOM::cachedExpand
#34: Parser::braceSubstitution
#35: PPFrame_DOM::expand
#36: Parser::replaceVariables
#37: Parser::internalParse
#38: Parser::parse
#39: WikitextContent::fillParserOutput
#40: AbstractContent::getParserOutput
#41: PoolWorkArticleView::doWork
#42: PoolCounterWork::execute
#43: WikiPage::getParserOutput
#44: GeoCrumbs::getParserCache
#45: GeoCrumbs::makeTrail
#46: GeoCrumbs::onSkinTemplateOutputPageBeforeExec
#47: call_user_func_array
#48: Hooks::run
#49: wfRunHooks
#50: SkinTemplate::prepareQuickTemplate
#51: SkinTemplate::outputPage
#52: OutputPage::output
#53: MediaWiki::main
#54: MediaWiki::run

The top of the gdb backtrace was:

(gdb) bt
#0  0x00007fea99b79e84 in zend_object_store_get_object (zobject=0x7feaa0ee63a0)
    at /tmp/buildd/php5-5.3.10/Zend/zend_objects_API.c:272
#1  0x00007fea99b76039 in zend_std_object_get_class (object=0x7feaa0ee63a0)
    at /tmp/buildd/php5-5.3.10/Zend/zend_object_handlers.c:1234
#2  0x00007fea99ac1530 in php_var_serialize_intern (buf=0x7fff49038a70, struc=0xcccccccccccccccd, 
    var_hash=0x7fff49038a00) at /tmp/buildd/php5-5.3.10/ext/standard/var.c:767
#3  0x00007fea99ac1ea6 in php_var_serialize_intern (buf=0x7fff49038a70, struc=0x7fff49038a00, var_hash=0x56)
    at /tmp/buildd/php5-5.3.10/ext/standard/var.c:866
#4  0x00007fea99ac716c in php_var_serialize (buf=0x7fff49038a70, struc=0x58, var_hash=0x7fea9a28ae80)
    at /tmp/buildd/php5-5.3.10/ext/standard/var.c:885
#5  0x00007fea99a6cd69 in zim_spl_SplObjectStorage_serialize (ht=-1594987592, return_value=0x7feaa2685458, 
    return_value_ptr=0x7fea9a28ae80, this_ptr=0xb6b84cc231a29827, return_value_used=-1565637857)
    at /tmp/buildd/php5-5.3.10/ext/spl/spl_observer.c:683

The immediate cause of the crash was an invalid object handle in a zval, out of the bounds of object_buckets, but handlers was apparently correct since it was set to spl_handler_ArrayObject.
Comment 1 Gerrit Notification Bot 2014-10-07 05:32:32 UTC 
Change 165166 had a related patch set uploaded by Tim Starling:
HashBagOStuff: use the value itself as the CAS token

https://gerrit.wikimedia.org/r/165166
Comment 2 Gerrit Notification Bot 2014-10-07 05:39:48 UTC 
Change 165167 had a related patch set uploaded by Tim Starling:
[1.25wmf1] HashBagOStuff: use the value itself as the CAS token

https://gerrit.wikimedia.org/r/165167
Comment 3 Gerrit Notification Bot 2014-10-07 05:40:14 UTC 
Change 165168 had a related patch set uploaded by Tim Starling:
[1.25wmf2] HashBagOStuff: use the value itself as the CAS token

https://gerrit.wikimedia.org/r/165168
Comment 4 Gerrit Notification Bot 2014-10-07 05:47:30 UTC 
Change 165167 merged by jenkins-bot:
HashBagOStuff: use the value itself as the CAS token

https://gerrit.wikimedia.org/r/165167
Comment 5 Gerrit Notification Bot 2014-10-07 05:48:33 UTC 
Change 165168 merged by jenkins-bot:
[1.25wmf2] HashBagOStuff: use the value itself as the CAS token

https://gerrit.wikimedia.org/r/165168
Comment 6 Ori Livneh 2014-10-07 06:11:58 UTC 
*** Bug 71734 has been marked as a duplicate of this bug. ***
Comment 7 Gerrit Notification Bot 2014-10-07 06:13:17 UTC 
Change 165166 merged by jenkins-bot:
HashBagOStuff: use the value itself as the CAS token

https://gerrit.wikimedia.org/r/165166
Comment 8 Ori Livneh 2014-10-07 22:38:49 UTC 
Practically (if not essentially) resolved by change I0b0b5f015. That is to say: the underlying bug is still there, but we're no longer hitting it. Since I very much doubt anyone will take the time to chase down an obscure segfault that is no longer reproducible in production, I'm closing this as FIXED.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links