[Bug 65796] HHVM segfaults when calling Parser->callParserFunction
https://bugzilla.wikimedia.org/show_bug.cgi?id=65796

--- Comment #15 from Ori Livneh o...@wikimedia.org ---
*** Bug 65792 has been marked as a duplicate of this bug. ***

--
You are receiving this mail because:
You are on the CC list for the bug.
___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 65796] HHVM segfaults when calling Parser->callParserFunction

--- Comment #14 from Ori Livneh o...@wikimedia.org ---
*** Bug 66936 has been marked as a duplicate of this bug. ***
[Bug 65796] HHVM segfaults when calling Parser->callParserFunction

Ori Livneh o...@wikimedia.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|PATCH_TO_REVIEW             |RESOLVED
         Resolution|---                         |FIXED
[Bug 65796] HHVM segfaults when calling Parser->callParserFunction

--- Comment #13 from Tim Starling tstarl...@wikimedia.org ---
*** Bug 66205 has been marked as a duplicate of this bug. ***
[Bug 65796] HHVM segfaults when calling Parser->callParserFunction

--- Comment #9 from Tim Starling tstarl...@wikimedia.org ---
I'm at the "how can this possibly work at all" stage now, which is usually a
sign of progress.

_object_and_properties_init() has:

    Z_OBJVAL_P(arg) = HPHP::ObjectData::newInstance(cls);

at this point, the ObjectData's refcount is 0, which is apparently broken. Then
it does:

    // Zend doesn't have this, but I think we need it or else new objects have a
    // refcount of 0
    Z_ADDREF_P(arg);

The comment is apparently incorrect -- the RefData's refcount is 1 already and
apparently doesn't need to be incremented, and it fails to increment the
ObjectData's refcount. The two bugs apparently sometimes cancel each other out,
since the RefData stays live indefinitely and keeps the ObjectData alive.

I'm still sorting through the exact chronology, but it seems some sequence of
boxing and unboxing exposes the incorrect reference count in the ObjectData.
[Bug 65796] HHVM segfaults when calling Parser->callParserFunction

--- Comment #10 from Tim Starling tstarl...@wikimedia.org ---
The reason it works at all is because when you pass the result of
_object_and_properties_init() as the EZC function return value, the tvUnbox()
at the end of zend_wrap_func() fixes the broken ObjectData refcount, because
the RefData is leaked, not freed, so the decref of the RefData in tvUnbox()
does not cause the ObjectData refcount to be decremented like it normally
would.

If you return the result of _object_and_properties_init() to userspace any
other way -- say by putting it into an array where it will be protected from
tvUnbox() -- then the broken ObjectData refcount is exposed to userspace.

In the first snippet of comment 8, the first $ret[0] causes the ObjectData's
refcount to go up to 1, so that the ObjectData is freed when the result of the
array access is freed. Then the second $ret[0] is a use-after-free.
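The refcount accounting that comments 9 and 10 describe, as an added example that is not HHVM's or LuaSandbox's code: a constructed C model of an ObjectData-like object and the RefData-like box that owns it. It puts the buggy init (object left at 0, box bumped to 2) beside the fixed one, replays the tvUnbox-style return path that masks the bug, and replays the array path from comment 8 where the second `$ret[0]` finds an already-released object. The names `Object`, `Ref`, `init_buggy`, `init_fixed`, `unbox` and the other helpers are this example's own assumptions, and a released object is only flagged rather than freed so that the misuse is detected instead of crashing.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model (added example, not HHVM code): "Object" stands in for an
 * ObjectData, "Ref" for the RefData box that owns one reference to it.  A
 * released Object is flagged, not freed, so a use-after-free is detectable. */
typedef struct {
    int refcount;
    bool freed;
} Object;

typedef struct {
    int refcount;
    Object *obj;
} Ref;

static void obj_incref(Object *o) { o->refcount++; }

static void obj_decref(Object *o) {
    if (--o->refcount == 0)
        o->freed = true;          /* the real runtime would free the memory here */
}

/* Box an object: the new Ref has refcount 1 and owns one reference to the
 * object.  Whether that ownership is counted on the object is the point. */
static Ref *box(Object *o, bool count_on_object) {
    Ref *r = malloc(sizeof *r);
    r->refcount = 1;
    r->obj = o;
    if (count_on_object)
        obj_incref(o);
    return r;
}

/* Buggy init as comment 9 describes it: the object stays at 0 and the
 * Z_ADDREF_P(arg) bumps the box instead of the object. */
static Ref *init_buggy(Object *o) {
    Ref *r = box(o, false);
    r->refcount++;                /* misplaced addref: box 2, object still 0 */
    return r;
}

/* Fixed init: the box's reference is counted on the object (object 1, box 1). */
static Ref *init_fixed(Object *o) { return box(o, true); }

/* tvUnbox-style unboxing: the caller takes its own reference to the inner
 * object, then drops the box; a box that dies releases its reference. */
static Object *unbox(Ref *r) {
    Object *o = r->obj;
    obj_incref(o);
    if (--r->refcount == 0) {     /* in the buggy case the box survives: it leaks */
        obj_decref(o);
        free(r);
    }
    return o;
}

/* Object refcount userspace sees after the return value is unboxed.  Both
 * inits give 1, which is why the unboxed return path hides the bug. */
int refcount_after_unbox(bool fixed_init) {
    Object o = {0, false};
    Ref *r = fixed_init ? init_fixed(&o) : init_buggy(&o);
    int rc = unbox(r)->refcount;
    if (!fixed_init)
        free(r);                  /* reclaim the leaked box; counts already settled */
    return rc;
}

/* The invariant a debug build could assert right after init: a freshly boxed
 * object has exactly one owner, its box, so both counts must be 1. */
bool init_invariant_holds(bool fixed_init) {
    Object o = {0, false};
    Ref *r = fixed_init ? init_fixed(&o) : init_buggy(&o);
    bool ok = (o.refcount == 1 && r->refcount == 1);
    free(r);
    return ok;
}

/* One "$ret[0]" on an object that reached userspace inside an array and was
 * never unboxed: the temporary result takes a reference and releases it.
 * Returns false if the object was already released (a use-after-free). */
static bool array_element_access(Object *o) {
    if (o->freed)
        return false;
    obj_incref(o);
    obj_decref(o);                /* temporary released */
    return true;
}

/* Replays "$ret[0]; $ret[0];" from comment 8.  True only if both accesses
 * happen while the object is still alive. */
bool double_access_is_safe(bool fixed_init) {
    Object o = {0, false};
    Ref *r = fixed_init ? init_fixed(&o) : init_buggy(&o);
    bool first = array_element_access(&o);
    bool second = array_element_access(&o);
    if (--r->refcount == 0)       /* the array drops its box at the end */
        obj_decref(&o);
    free(r);
    return first && second;
}

int main(void) {
    printf("refcount after unbox: buggy=%d fixed=%d\n",
           refcount_after_unbox(false), refcount_after_unbox(true));
    printf("init invariant holds: buggy=%d fixed=%d\n",
           init_invariant_holds(false), init_invariant_holds(true));
    printf("double access safe:   buggy=%d fixed=%d\n",
           double_access_is_safe(false), double_access_is_safe(true));
    return 0;
}
```

The `init_invariant_holds` check is the one worth keeping in a real runtime: asserting "one box, one counted owner" right after construction catches the misplaced addref immediately, instead of leaving it to surface later as a use-after-free on whichever code path happens not to unbox the value.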
[Bug 65796] HHVM segfaults when calling Parser->callParserFunction

--- Comment #11 from Tim Starling tstarl...@wikimedia.org ---
There's a fix in my dev branch, to be submitted as a PR once I've finished
testing it:

https://github.com/tstarling/hiphop-php/commit/24005dee6a113e87cbb2bc715274de31f614fcb2
[Bug 65796] HHVM segfaults when calling Parser->callParserFunction

--- Comment #12 from Tim Starling tstarl...@wikimedia.org ---
https://github.com/facebook/hhvm/pull/2959
[Bug 65796] HHVM segfaults when calling Parser->callParserFunction

--- Comment #8 from Brad Jorsch bjor...@wikimedia.org ---
I note the C stack trace reported in Tim's test case doesn't really match what
Ori reported in comment 6. Not sure if that matters.

I managed to reduce Tim's test case a bit further, though:

    <?php
    $sandbox = new LuaSandbox;
    $ret = $sandbox->loadString( 'return function() end', '=test' )->call();
    $ret[0];
    $ret[0];
    ?>

Then I did this:

    <?php
    $s = new LuaSandbox;
    $f = $s->loadString( 'return function() end', '=x' )->call();
    debug_zval_dump( $f );

On zend PHP this says that the LuaSandboxFunction has a refcount of 1, while
in HHVM it says it has a refcount of 0. The same happens with
"return { function() end }", the LuaSandboxFunction has a refcount of 0.

At that point I ran out of luck in trying to figure out why it's coming out
with a 0 refcount in HHVM and 1 in zend PHP.
[Bug 65796] HHVM segfaults when calling Parser->callParserFunction

--- Comment #7 from Tim Starling tstarl...@wikimedia.org ---
Slightly reduced test case:

    mwscript eval.php --wiki=elwiktionary
    $out = $wgParser->parse('{{#invoke:Kleida-el|kleida}}{{#invoke:Kleida-el|reverseit}}', Title::newMainPage(), new ParserOptions);
[Bug 65796] HHVM segfaults when calling Parser->callParserFunction

--- Comment #6 from Ori Livneh o...@wikimedia.org ---
Created attachment 15610
  --> https://bugzilla.wikimedia.org/attachment.cgi?id=15610&action=edit
stack trace from osmium

This is still happening..
[Bug 65796] HHVM segfaults when calling Parser->callParserFunction

Tim Starling tstarl...@wikimedia.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|wikibugs-l@lists.wikimedia. |tstarl...@wikimedia.org
                   |org                         |
[Bug 65796] HHVM segfaults when calling Parser->callParserFunction

--- Comment #5 from Gerrit Notification Bot gerritad...@wikimedia.org ---
Change 135942 merged by jenkins-bot:
Fix leak in LuaSandbox::setCPULimit

https://gerrit.wikimedia.org/r/135942
[Bug 65796] HHVM segfaults when calling Parser->callParserFunction

--- Comment #2 from Tim Starling tstarl...@wikimedia.org ---
This is mostly a LuaSandbox bug. LuaSandbox::setCPULimit() calls
convert_to_double_ex() on its argument, which decrefs the original zval and
creates a new one that is a double.

convert_to_double_ex() callers in the PHP source tree invariably use the "Z"
type character in zend_parse_parameters(), which is what LuaSandbox used to
do, but I changed it to "z" to support HHVM. With "Z", a zval** is returned,
and so convert_to_double_ex() will leave the newly-allocated zval* in the
stack, which will be decref'd on return. But with "z", the newly-allocated
zval leaks, since the pointer is only stored in a local variable, and the
argument zval is decref'd, which apparently breaks HHVM's frame cleanup.
[Bug 65796] HHVM segfaults when calling Parser->callParserFunction

Andre Klapper aklap...@wikimedia.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|Unprioritized               |Normal
                 CC|                            |bjor...@wikimedia.org
            Version|unspecified                 |1.24-git
           Severity|normal                      |major

--- Comment #3 from Andre Klapper aklap...@wikimedia.org ---
(In reply to Tim Starling from comment #2)
> This is mostly a LuaSandbox bug.

CC'ing anomie
[Bug 65796] HHVM segfaults when calling Parser->callParserFunction

Gerrit Notification Bot gerritad...@wikimedia.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |PATCH_TO_REVIEW
[Bug 65796] HHVM segfaults when calling Parser->callParserFunction

--- Comment #4 from Gerrit Notification Bot gerritad...@wikimedia.org ---
Change 135942 had a related patch set uploaded by Ori.livneh:
Fix leak in LuaSandbox::setCPULimit

https://gerrit.wikimedia.org/r/135942
[Bug 65796] HHVM segfaults when calling Parser->callParserFunction

Ori Livneh o...@wikimedia.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |o...@wikimedia.org

--- Comment #1 from Ori Livneh o...@wikimedia.org ---
Sorry, I didn't mean to paste the content of the attachment into the comment
body.