⚓ T208539 Upload failed with fatal error: Call to load() on a non-object in UploadBase.php
Page MenuHomePhabricator
Create Task
Maniphest T208539

Upload failed with fatal error: Call to load() on a non-object in UploadBase.php
Closed, ResolvedPublicPRODUCTION ERROR
Actions

Description

Error

Request ID: W9tAFQpAEDMAAAUovYYAAABI
Request URL: /w/api.php
Request Method: POST

message
[{exception_id}] {exception_url} BadMethodCallException from line 645 of /srv/mediawiki/php-1.33.0-wmf.2/includes/upload/UploadBase.php: Call to a member function load() on a non-object (null)
trace
#0 /srv/mediawiki/php-1.33.0-wmf.2/includes/api/ApiUpload.php(661): UploadBase->checkWarnings()
#1 /srv/mediawiki/php-1.33.0-wmf.2/includes/api/ApiUpload.php(126): ApiUpload->getApiWarnings()
#2 /srv/mediawiki/php-1.33.0-wmf.2/includes/api/ApiUpload.php(104): ApiUpload->getContextResult()
#3 /srv/mediawiki/php-1.33.0-wmf.2/includes/api/ApiMain.php(1570): ApiUpload->execute()
#4 /srv/mediawiki/php-1.33.0-wmf.2/includes/api/ApiMain.php(531): ApiMain->executeAction()
#5 /srv/mediawiki/php-1.33.0-wmf.2/includes/api/ApiMain.php(502): ApiMain->executeActionWithErrorHandling()
#6 /srv/mediawiki/php-1.33.0-wmf.2/api.php(87): ApiMain->execute()
#7 /srv/mediawiki/w/api.php(3): include(string)
#8 {main}

Impact

Unknown, but based on the trace and request details, I would assume it is causing user uploads to be aborted and fail without descriptive error message, and without a way for the user to recover (fatal exception).

Notes

Appears to have started today/yesterday with the deployment of 1.33-wmf.2.

Low frequency (seen 7 times since then), but not seen for several weeks before that and might be indicative of a deeper problem that is more common but not captured via our detection. To be confirmed.

Details

Request ID
XbHxRApAIDgAABL9sPAAAAAI
SubjectRepoBranchLines +/-
Validate name for async uploadsmediawiki/coremaster+30 -17
Fix title max length to match backend, and actually validate itmediawiki/extensions/UploadWizardmaster+29 -6
Always validate uploads over apimediawiki/coremaster+2 -14
Customize query in gerrit

Related Objects

Event Timeline

Krinkle created this task.Nov 1 2018, 7:54 PM
Restricted Application added a project: Multimedia. · View Herald TranscriptNov 1 2018, 7:54 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Tgr subscribed.Nov 1 2018, 9:17 PM

At a glance this happens when files are uploaded with an invalid target name.

Krinkle added a comment.Mar 19 2019, 6:08 PM

(Still seen on 1.33-wmf.21.)

Krinkle mentioned this in Blog Post: Production Excellence #8: February 2019.Mar 21 2019, 5:56 PM
gerritbot added a comment.Mar 25 2019, 8:08 PM

Change 498984 had a related patch set uploaded (by Umherirrender; owner: Umherirrender):
[mediawiki/core@master] Handle null from UploadBase::getLocalFile

https://gerrit.wikimedia.org/r/498984

gerritbot added a project: Patch-For-Review.Mar 25 2019, 8:08 PM
Umherirrender added subscribers: Anomie, Umherirrender.Mar 26 2019, 10:31 PM
		// Check if the uploaded file is sane
		if ( $this->mParams['chunk'] ) {
			$maxSize = UploadBase::getMaxUploadSize();
			if ( $this->mParams['filesize'] > $maxSize ) {
				$this->dieWithError( 'file-too-large' );
			}
			if ( !$this->mUpload->getTitle() ) {
				$this->dieWithError( 'illegal-filename' );
			}
		} elseif ( $this->mParams['async'] && $this->mParams['filekey'] ) {
			// defer verification to background process
		} else {
			wfDebug( __METHOD__ . " about to verify\n" );
			$this->verifyUpload();
		}

if 'chunk' is set, UploadBase::getTitle is checked for null and api dies
elseif 'async' and 'filekey' is set, nothing is validated -> here a very long file name can cause this issue
else calling ApiUpload::verifyUpload -> UploadBase::verifyUpload -> UploadBase::validateName -> UploadBase::getTitle to check for null

So when doing a chunked upload (with a short valid filename) and than for the publish step (without the chunk param) the filekey and async is given with a long filename (>240) this error can occur.

First request:
action = upload
comment = test
token = csrf
filename = shortname.jpg
stash = 
chunk = your file
offset = 0
filesize = max

Result:
result=Success
filekey=xxxxxxxxxxxx.tmp

Second request:
action = upload
comment = test
token = csrf
filekey=xxxxxxxxxxxx.tmp
filename = verylongname012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789.jpg
async =

Without the async it gives the expected error: code=filename-toolong, info=Filenames may not be longer than 240 bytes.

I have not checked if my combine of the params makes sense, but there is a validation gap when defered to the background process
I see no security problem here (bypassing any validation for blacklist or such), because getTitle is called when looking for warnings and than the fatal has happen. The warning check path of the code is always running and not depending on params

Krinkle added a subscriber: MarkTraceur.Apr 5 2019, 4:23 PM

Hm.. yeah, I don't know either. The path from the client interaction to this particular line of code where $localFile = $this->getLocalFile(); $localFile->load(…); happens is quite long.

Without the necessary context, I'm inclined to think that if something shouldn't be possible, it'd be better to fail explicitly (and we'll find out if it's really possible). Instead of skipping the validation and assuming it's fine.

Anyway, I don't know how to verify this or what the use cases are.

@MarkTraceur Could you/your team take a look here to see what we can do to fix and/or avoid this error?

MarkTraceur added a comment.Apr 5 2019, 7:56 PM

I'm not entirely certain I follow the example code above (I looked for it in the patched file but it must be elsewhere), but I'm inclined to agree that it's better to fail on "impossible" behavior, then dig more to figure out why it's not impossible.

The async API parameter seems to only fire (in UploadWizard, at least) when uploading very large files (>10MB, higher than most images uploaded to Commons), and obviously this error will only occur when someone then further tries to input a too-long filename. That may be a problem for GLAM cases (where uploads are large, and filenames tend to have a lot of information in them), but as the error count shows, the impact here is relatively low.

Without a deep dive through the code path, I'm not sure how best to fix this. The bug is in our backlog and will be tracked and triaged in time, but unless we see a much larger spike, I doubt we'll get to it very soon. Especially given our day-to-day is currently focused on attempting to finally release an extraordinarily delayed feature.

If this becomes more urgent, I'll bring it up to the team.

Krinkle added a comment.May 9 2019, 10:46 PM

Thanks. I'm landing Umherirrender patch and will circle back to see if this rare issue is still reported in Logstash after that. Also, be on the look out for any new upload-related errors or bugs.

gerritbot added a comment.May 9 2019, 10:58 PM

Change 498984 merged by jenkins-bot:
[mediawiki/core@master] Always validate uploads over api

https://gerrit.wikimedia.org/r/498984

ReleaseTaggerBot added a project: MW-1.34-notes (1.34.0-wmf.5; 2019-05-14).May 9 2019, 11:01 PM
Jdforrester-WMF subscribed.May 10 2019, 4:38 PM

Given the timing, this is not going to be the sole cause of T190988, but possibly related? That's API-based chunked uploads being mis-reconstructed, and has a related category of failure in production: https://commons.wikimedia.org/wiki/Category:Incomplete_files_(5_MB_interruption)

hashar mentioned this in T223448: ErrorException from line 1274 of /srv/mediawiki/php-1.34.0-wmf.5/includes/upload/UploadBase.php: PHP Warning: fread() expects parameter 1 to be resource, boolean given.May 17 2019, 1:17 PM
gerritbot added a comment.May 17 2019, 1:40 PM

Change 510905 had a related patch set uploaded (by Matthias Mullie; owner: Matthias Mullie):
[mediawiki/extensions/UploadWizard@master] Fix title max length to match backend, and actually validate it

https://gerrit.wikimedia.org/r/510905

gerritbot added a comment.May 20 2019, 11:51 AM

Change 510893 had a related patch set uploaded (by Matthias Mullie; owner: Matthias Mullie):
[mediawiki/core@master] Validate name for async uploads

https://gerrit.wikimedia.org/r/510893

matthiasmullie subscribed.Jun 19 2019, 12:10 PM

@Umherirrender Can you take a look at https://gerrit.wikimedia.org/r/c/mediawiki/core/+/510893 to see whether you think this would also adequately solve this task?

gerritbot added a comment.Jun 20 2019, 11:31 AM

Change 510905 merged by jenkins-bot:
[mediawiki/extensions/UploadWizard@master] Fix title max length to match backend, and actually validate it

https://gerrit.wikimedia.org/r/510905

ReleaseTaggerBot edited projects, added MW-1.34-notes (1.34.0-wmf.11; 2019-06-26); removed MW-1.34-notes (1.34.0-wmf.5; 2019-05-14).Jun 20 2019, 12:00 PM
Krinkle assigned this task to matthiasmullie.Jul 9 2019, 10:11 PM

(Re-assigning per CR from Umherirrender on Gerrit.)

Krinkle moved this task from Since Nov 2018 / 1.33.wmf2 to Resolved on the Wikimedia-production-error board.Jul 25 2019, 9:36 PM

Not seen in WMF Logstash for 30 days.

mmodell changed the subtype of this task from "Task" to "Production Error".Aug 28 2019, 11:08 PM
Krinkle moved this task from Resolved to Older on the Wikimedia-production-error board.Oct 24 2019, 6:48 PM

Seen again.

Request: commons.wikimedia.org/w/api.php

Fatal error:
Call to a member function load() on null
exception.trace
#0 /includes/api/ApiUpload.php(664): UploadBase->checkWarnings()
#1 /includes/api/ApiUpload.php(127): ApiUpload->getApiWarnings()
#2 /includes/api/ApiUpload.php(104): ApiUpload->getContextResult()
#3 /includes/api/ApiMain.php(1602): ApiUpload->execute()
#4 /includes/api/ApiMain.php(538): ApiMain->executeAction()
#5 /includes/api/ApiMain.php(509): ApiMain->executeActionWithErrorHandling()
#6 /api.php(83): ApiMain->execute()
#7 /srv/mediawiki/w/api.php(3): require(string)
#8 {main}
Krinkle set Request ID to XbHxRApAIDgAABL9sPAAAAAI.Oct 24 2019, 6:49 PM
Krinkle set Phatality ID to 86c313431a15a502bb495c54e6eab7d7914d3ea1c9bf5987dc837e572fb32554.
Krinkle removed projects: MW-1.34-notes (1.34.0-wmf.11; 2019-06-26), Patch-For-Review.
Krinkle merged a task: T40222: UploadBase::checkWarnings could throw exception on null object access.
Krinkle added subscribers: cneubauer, TerraCodes, Harjotsingh and 5 others.
Krinkle added a comment.Oct 24 2019, 6:53 PM
In T40222#452661, @gerritbot wrote:

Change 104012 had a related patch set uploaded by Mayankmadan:
verifyUpload should be called before checkWarnings

https://gerrit.wikimedia.org/r/104012

In T40222#452679, @gerritbot wrote:

Change 105111 had a related patch set uploaded by Mayankmadan:
getApiWarnings() throws an exception if upload is invalid

https://gerrit.wikimedia.org/r/105111

In T40222#3098016, @matthiasmullie wrote:

If getLocalFile returns null (instead of a LocalFile object), checkWarnings() won't even be able to proceed to the other checks.
Before those other checks are conducted, checkWarnings() will try to fetch $localFile->getName(), which will cause a fatal error (that method is not available in $localFile, if $localFile is null)
So no, it does not already handle this, but it probably should :)

Krinkle mentioned this in T240281: Clarify confusion between Multimedia and Structured Data team and update docs accordingly.Jun 23 2020, 7:02 PM
matthiasmullie added a project: Structured-Data-Backlog (Current Work).Jun 26 2020, 4:00 PM
matthiasmullie moved this task from Incoming to Code Review on the Structured-Data-Backlog (Current Work) board.
Cparle moved this task from Code Review to Verify on Production on the Structured-Data-Backlog (Current Work) board.EditedJul 9 2020, 11:47 AM
Cparle subscribed.

Ok we think this is now fixed (or will be when the train rolls), I guess we're back to monitoring logstash to see if it resurfaces

gerritbot added a comment.Jul 9 2020, 12:17 PM

Change 510893 merged by jenkins-bot:
[mediawiki/core@master] Validate name for async uploads

https://gerrit.wikimedia.org/r/510893

ReleaseTaggerBot added a project: MW-1.35-notes (1.35.0-wmf.41; 2020-07-14).Jul 9 2020, 1:00 PM
TerraCodes unsubscribed.Jul 9 2020, 6:48 PM
Cparle closed this task as Resolved.Aug 25 2020, 2:31 PM

No sign of this error in kibana for the last month, so closing

Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:38 PM
Jdforrester-WMF mentioned this in T271183: "The filename is not allowed." when attempting to upload MP4 file on en.wiki.Jan 5 2021, 4:51 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits