hhvm in server mode crash on HPHP::jit::HhbcTranslator::MInstrTranslator::getKey

[rootnet]

version: 3.3.1-1~wheezy (from repository)
mode: server

When running hhvm in -m server mode we on debian wheezy get an incidental SIGABRT from an assert in HPHP::jit::HhbcTranslator::MInstrTranslator::getKey.
The crash is fairly regular, but not 100% consistent. Although it does appear to be triggered only when the following warning is displayed in the error log:

Notice: Array to string conversion in /var/www/index.php line 242

Notice: Array to string conversion in /var/www/index.php line 242
Core dumped: Aborted

A full backtrace :
#0  0x00007f0332902545 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007f03329057c0 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x00007f03328fb6f1 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#3  0x0000000002d330e1 in HPHP::jit::HhbcTranslator::MInstrTranslator::getKey() () at /tmp/tmp.iQ0VwZL0HJ/hphp/runtime/vm/jit/minstr-translator.cpp:484
#4  0x0000000002d36808 in HPHP::jit::HhbcTranslator::MInstrTranslator::emitElem() () at /tmp/tmp.iQ0VwZL0HJ/hphp/runtime/vm/jit/minstr-translator.cpp:1150
#5  0x0000000002d34aae in HPHP::jit::HhbcTranslator::MInstrTranslator::emitIntermediateOp() () at /tmp/tmp.iQ0VwZL0HJ/hphp/runtime/vm/jit/minstr-translator.cpp:848
#6  0x0000000002d3290b in HPHP::jit::HhbcTranslator::MInstrTranslator::emitMPre() () at /tmp/tmp.iQ0VwZL0HJ/hphp/runtime/vm/jit/minstr-translator.cpp:404
#7  0x0000000002d32014 in HPHP::jit::HhbcTranslator::MInstrTranslator::emit() () at /tmp/tmp.iQ0VwZL0HJ/hphp/runtime/vm/jit/minstr-translator.cpp:252
#8  0x0000000002962397 in HPHP::jit::HhbcTranslator::emitMInstr(HPHP::jit::NormalizedInstruction const&) () at /tmp/tmp.iQ0VwZL0HJ/hphp/runtime/vm/jit/hhbc-translator.cpp:2100
#9  0x0000000002e44d0f in HPHP::jit::IRTranslator::translateSetM(HPHP::jit::NormalizedInstruction const&) () at /tmp/tmp.iQ0VwZL0HJ/hphp/runtime/vm/jit/ir-translator.cpp:865
#10 0x0000000002e45e64 in HPHP::jit::IRTranslator::translateInstrWork(HPHP::jit::NormalizedInstruction const&) () at /tmp/tmp.iQ0VwZL0HJ/hphp/runtime/vm/jit/ir-translator.cpp:883
#11 0x0000000002e465a3 in HPHP::jit::IRTranslator::translateInstr(HPHP::jit::NormalizedInstruction const&) () at /tmp/tmp.iQ0VwZL0HJ/hphp/runtime/vm/jit/ir-translator.cpp:937
#12 0x0000000002a99386 in HPHP::jit::Translator::translateRegion(HPHP::jit::RegionDesc const&, bool, HPHP::hphp_hash_set<HPHP::jit::ProfSrcKey, HPHP::jit::ProfSrcKey::Hasher, std::equal_to<HPHP::jit::ProfSrcKey> >&, HPHP::jit::TransFlags) () at /tmp/tmp.iQ0VwZL0HJ/hphp/runtime/vm/jit/translator.cpp:1845
#13 0x0000000002e15b17 in HPHP::jit::MCGenerator::translateWork(HPHP::jit::TranslArgs const&) () at /tmp/tmp.iQ0VwZL0HJ/hphp/runtime/vm/jit/mc-generator.cpp:1646
#14 0x0000000002dede0d in HPHP::jit::MCGenerator::translate(HPHP::jit::TranslArgs const&) () at /tmp/tmp.iQ0VwZL0HJ/hphp/runtime/vm/jit/mc-generator.cpp:451
#15 0x0000000002dec765 in HPHP::jit::MCGenerator::retranslate(HPHP::jit::TranslArgs const&) () at /tmp/tmp.iQ0VwZL0HJ/hphp/runtime/vm/jit/mc-generator.cpp:201
#16 0x0000000002dedaca in HPHP::jit::MCGenerator::createTranslation(HPHP::jit::TranslArgs const&) () at /tmp/tmp.iQ0VwZL0HJ/hphp/runtime/vm/jit/mc-generator.cpp:412
#17 0x0000000002ded08a in HPHP::jit::MCGenerator::getTranslation(HPHP::jit::TranslArgs const&) () at /tmp/tmp.iQ0VwZL0HJ/hphp/runtime/vm/jit/mc-generator.cpp:295
#18 0x0000000002defb7f in HPHP::jit::MCGenerator::bindJmpccFirst(unsigned char*, int, int, bool, HPHP::jit::ConditionCode, bool&) () at /tmp/tmp.iQ0VwZL0HJ/hphp/runtime/vm/jit/mc-generator.cpp:869
#19 0x0000000002df0d34 in HPHP::jit::MCGenerator::handleServiceRequest(HPHP::jit::TReqInfo&, unsigned char*&, HPHP::SrcKey&) () at /tmp/tmp.iQ0VwZL0HJ/hphp/runtime/vm/jit/mc-generator.cpp:1174
#20 0x0000000002df06fe in HPHP::jit::MCGenerator::enterTC(unsigned char*, void*) () at /tmp/tmp.iQ0VwZL0HJ/hphp/runtime/vm/jit/mc-generator.cpp:1052
#21 0x00000000027b14b8 in HPHP::jit::MCGenerator::enterTCAfterPrologue(unsigned char*) () at /tmp/tmp.iQ0VwZL0HJ/hphp/runtime/vm/jit/mc-generator.h:244
#22 0x0000000002762d8e in HPHP::ExecutionContext::enterVMAtFunc(HPHP::ActRec*, HPHP::ExecutionContext::StackArgsState) () at /tmp/tmp.iQ0VwZL0HJ/hphp/runtime/vm/bytecode.cpp:1869
#23 0x00000000027630c5 in HPHP::ExecutionContext::enterVM(HPHP::ActRec*, HPHP::ExecutionContext::StackArgsState, HPHP::Resumable*, HPHP::ObjectData*) () at /tmp/tmp.iQ0VwZL0HJ/hphp/runtime/vm/bytecode.cpp:1927
#24 0x0000000002763c70 in HPHP::ExecutionContext::invokeFunc(HPHP::TypedValue*, HPHP::Func const*, HPHP::Variant const&, HPHP::ObjectData*, HPHP::Class*, HPHP::VarEnv*, HPHP::StringData*, HPHP::ExecutionContext::InvokeFlags) () at /tmp/tmp.iQ0VwZL0HJ/hphp/runtime/vm/bytecode.cpp:2092
#25 0x0000000002764eb2 in HPHP::ExecutionContext::invokeUnit(HPHP::TypedValue*, HPHP::Unit const*) () at /tmp/tmp.iQ0VwZL0HJ/hphp/runtime/vm/bytecode.cpp:2274
#26 0x00000000022bdd66 in HPHP::invoke_file_impl(HPHP::Variant&, HPHP::String const&, bool, char const*) () at /tmp/tmp.iQ0VwZL0HJ/hphp/runtime/base/builtin-functions.cpp:721
#27 0x00000000022bde11 in HPHP::invoke_file(HPHP::String const&, bool, char const*) () at /tmp/tmp.iQ0VwZL0HJ/hphp/runtime/base/builtin-functions.cpp:734
#28 0x00000000022bdee4 in HPHP::include_impl_invoke(HPHP::String const&, bool, char const*) () at /tmp/tmp.iQ0VwZL0HJ/hphp/runtime/base/builtin-functions.cpp:745
#29 0x00000000024336bc in HPHP::hphp_invoke(HPHP::ExecutionContext*, std::string const&, bool, HPHP::Array const&, HPHP::VRefParamValue const&, std::string const&, std::string const&, bool&, std::string&, bool, bool, bool) () at /tmp/tmp.iQ0VwZL0HJ/hphp/runtime/base/program-functions.cpp:1792
#30 0x0000000002583e71 in HPHP::HttpRequestHandler::executePHPRequest(HPHP::Transport*, HPHP::RequestURI&, HPHP::SourceRootInfo&, bool) () at /tmp/tmp.iQ0VwZL0HJ/hphp/runtime/server/http-request-handler.cpp:399
#31 0x0000000002583337 in HPHP::HttpRequestHandler::handleRequestImpl(HPHP::Transport*) () at /tmp/tmp.iQ0VwZL0HJ/hphp/runtime/server/http-request-handler.cpp:292
#32 0x0000000002583a4f in HPHP::HttpRequestHandler::handleRequest(HPHP::Transport*) () at /tmp/tmp.iQ0VwZL0HJ/hphp/runtime/server/http-request-handler.cpp:332
#33 0x00000000025f38fd in HPHP::ServerWorker<std::shared_ptr<HPHP::FastCGIJob>, HPHP::FastCGITransportTraits>::doJobImpl(std::shared_ptr<HPHP::FastCGIJob>, bool) () at /tmp/tmp.iQ0VwZL0HJ/hphp/runtime/server/server-worker.h:103
#34 0x00000000025f31e6 in HPHP::ServerWorker<std::shared_ptr<HPHP::FastCGIJob>, HPHP::FastCGITransportTraits>::doJob(std::shared_ptr<HPHP::FastCGIJob>) () at /tmp/tmp.iQ0VwZL0HJ/hphp/runtime/server/server-worker.h:57
#35 0x00000000025eb478 in HPHP::JobQueueWorker<std::shared_ptr<HPHP::FastCGIJob>, HPHP::Server*, true, false, HPHP::JobQueueDropVMStack>::start() () at /tmp/tmp.iQ0VwZL0HJ/hphp/util/job-queue.h:461
#36 0x00000000025ec717 in HPHP::AsyncFunc<HPHP::ServerWorker<std::shared_ptr<HPHP::FastCGIJob>, HPHP::FastCGITransportTraits> >::run_(void*) () at /tmp/tmp.iQ0VwZL0HJ/hphp/util/async-func.h:205
#37 0x00000000038f4715 in HPHP::AsyncFuncImpl::threadFuncImpl() () at /tmp/tmp.iQ0VwZL0HJ/hphp/util/async-func.cpp:131
#38 0x00000000038f42f9 in HPHP::AsyncFuncImpl::ThreadFunc(void*) () at /tmp/tmp.iQ0VwZL0HJ/hphp/util/async-func.cpp:51
#39 0x00007f0333111b50 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#40 0x00007f03329ac20d in clone () from /lib/x86_64-linux-gnu/libc.so.6
#41 0x0000000000000000 in ?? ()

[paulbiss]

Do you have any isolated examples of PHP that can reproduce this?

[rootnet]

As stated, the crash isn't consistent, even when just calling the suspect page multiple times in a row, so I haven't been able to create a small code-sample.

The suspect code does look something like if($arrayKey === false), where arrayKey has been retrieved from a multidimensional array.
Until a solid proof of concept is found, is there any internal variable, retrievable via gdb, worth investigating to get more information?

[Orvid]

This issue has been waiting for more info for more than 2 weeks. Closing for now, feel free to re-open it if you can provide more info.

https://github.com/facebook/hhvm/wiki/Human-Timeouts