View Issue Details

ID: 0001486
Project: Xdebug
Category: Code Coverage
View Status: public
Last Update: 2017-12-02 18:36
Reporter: cristi.cotet
Assigned To: derick
Priority: normal
Severity: crash
Reproducibility: always
Status: closed
Resolution: fixed
Platform: unix
OS: centos
OS Version: 7.4.1708
Product Version: 2.5.5
Target Version: 2.6.0
Fixed in Version: 2.6.0alpha1
Summary0001486: Crash on ZEND_SWITCH_LONG / ZEND_SWITCH_STRING
Description

Program received signal SIGSEGV, Segmentation fault.
0x00007fffe92ae150 in xdebug_set_in_ex (set=0x18ea990, position=4294940576, noisy=1) at /shoty/servers/xdebug/xdebug/xdebug_set.c:71
71 return (*byte & (1 << bit));

Fixed by changing
#define XDEBUG_BRANCH_MAX_OUTS 320

Steps To Reproduce

After switching to the jumplist, when running phpunit with code coverage, the jumplist will exceed XDEBUG_BRANCH_MAX_OUTS records and a buffer overflow occurs.
This will lead to jump_count corruption (in my case, after adding element 32 it will add element 577) and xdebug_analyse_branch will be called with an invalid position from element 33 (values not set in the jumplist).

Fixed it by modifying XDEBUG_BRANCH_MAX_OUTS to 320. Don't know the best value for this!

Additional Information

BackTrace:
(gdb) backtrace
#0 0x00007fffe92ae150 in xdebug_set_in_ex (set=0x18ea990, position=4294940576, noisy=1) at /shoty/servers/xdebug/xdebug/xdebug_set.c:71
#1 0x00007fffe9299b25 in xdebug_analyse_branch (opa=0x7fffefa15840, position=4294940576, set=0x18ea990, branch_info=0x0)
at /shoty/servers/xdebug/xdebug/xdebug_code_coverage.c:616
#2 0x00007fffe9299cb6 in xdebug_analyse_branch (opa=0x7fffefa15840, position=38, set=0x18ea990, branch_info=0x0)
at /shoty/servers/xdebug/xdebug/xdebug_code_coverage.c:639
#3 0x00007fffe9299cb6 in xdebug_analyse_branch (opa=0x7fffefa15840, position=35, set=0x18ea990, branch_info=0x0)
at /shoty/servers/xdebug/xdebug/xdebug_code_coverage.c:639
#4 0x00007fffe9299cb6 in xdebug_analyse_branch (opa=0x7fffefa15840, position=34, set=0x18ea990, branch_info=0x0)
at /shoty/servers/xdebug/xdebug/xdebug_code_coverage.c:639
#5 0x00007fffe9299cb6 in xdebug_analyse_branch (opa=0x7fffefa15840, position=19, set=0x18ea990, branch_info=0x0)
at /shoty/servers/xdebug/xdebug/xdebug_code_coverage.c:639
#6 0x00007fffe9299f14 in xdebug_analyse_oparray (opa=0x7fffefa15840, set=0x18ea990, branch_info=0x0) at /shoty/servers/xdebug/xdebug/xdebug_code_coverage.c:691
#7 0x00007fffe929a27d in prefill_from_oparray (
filename=0x7fffefb20bf8 "/var/lib/jenkins/workspace/Test3/Checkout/vendor/phpunit/phpunit/src/TextUI/Command.php", op_array=0x7fffefa15840)
at /shoty/servers/xdebug/xdebug/xdebug_code_coverage.c:773
#8 0x00007fffe929a43f in prefill_from_function_table (opa=0x7fffefa15840) at /shoty/servers/xdebug/xdebug/xdebug_code_coverage.c:811
#9 0x00007fffe929a515 in prefill_from_class_table (class_entry=0x7fffefa15328) at /shoty/servers/xdebug/xdebug/xdebug_code_coverage.c:830
#10 0x00007fffe929a6f1 in xdebug_prefill_code_coverage (op_array=0x7fffefa0e978) at /shoty/servers/xdebug/xdebug/xdebug_code_coverage.c:856
#11 0x00007fffe929a74e in xdebug_code_coverage_start_of_function (op_array=0x7fffefa0e978, function_name=0x18ea930 "Composer\Autoload\ClassLoader->loadClass")
at /shoty/servers/xdebug/xdebug/xdebug_code_coverage.c:865
#12 0x00007fffe9294891 in xdebug_execute_ex (execute_data=0x7fffefa229f0) at /shoty/servers/xdebug/xdebug/xdebug.c:1770
#13 0x0000000000a74aea in zend_call_function (fci=0x7fffffff9d90, fci_cache=0x7fffffff9d60) at /shoty/servers/php-7.2.0RC5/Zend/zend_execute_API.c:817
#14 0x000000000086bdb6 in zif_spl_autoload_call (execute_data=0x7fffefa22990, return_value=0x7fffffffa070) at /shoty/servers/php-7.2.0RC5/ext/spl/php_spl.c:451
#15 0x0000000000aeb16d in execute_internal (execute_data=0x7fffefa22990, return_value=0x7fffffffa070) at /shoty/servers/php-7.2.0RC5/Zend/zend_execute.c:2077
#16 0x00007fffe9294f6c in xdebug_execute_internal (current_execute_data=0x7fffefa22990, return_value=0x7fffffffa070) at /shoty/servers/xdebug/xdebug/xdebug.c:1909
#17 0x0000000000a74be2 in zend_call_function (fci=0x7fffffffa030, fci_cache=0x7fffffffa000) at /shoty/servers/php-7.2.0RC5/Zend/zend_execute_API.c:833
#18 0x000003310000032b in ?? ()
#19 0x0000033f00000338 in ?? ()
#20 0x0000000100000027 in ?? ()
#21 0x00007fffe91743f0 in ?? ()
#22 0x00007fffefb86140 in ?? ()
#23 0x0000002573655201 in ?? ()
#24 0x000000000170db10 in ?? ()
#25 0x0000000000000000 in ?? ()

TagsNo tags attached.
Operating Systemcentos 7.4.1708
PHP Version7.2-dev

Relationships

has duplicate 0001490 resolvedderick Segfault on PHP 7.2 + 2.6.0-dev in Travis CI 

Activities

derick

2017-11-01 18:21

administrator   ~0004447

Can you share a code snippet that causes this? The whole idea behind this was that it can't overflow :-)

cristi.cotet

2017-11-02 06:13

reporter   ~0004452

I will provide a code snippet later today. I believe any switch with more than 31 cases+default+next will overflow in PHP 7.2 RC5.
This report is for the master branch, not version 2.5.5, as 2.5.5 is not working in PHP 7.2.
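The mechanism the report and the comment above describe (a fixed-size jump list whose count field is the first thing an unchecked append overwrites, so that "after adding element 32 it will add element 577") can be shown in a toy model. The following is an added example written for this page; it is not Xdebug's code, and the `jump_list` struct, the `JUMP_MAX_OUTS` capacity of 32 and the `switch_outs_needed` rule (one out per case, plus default, plus next, as the reporter states) are assumptions made for illustration. It contrasts the unchecked append with the bounds-checked form a maintainer would want regardless of what the constant is raised to.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical simplified model for illustration only; this is not Xdebug's
 * real branch-info structure. The count is stored directly after the slots,
 * which is the layout under which an unchecked append clobbers the count
 * first (the jump_count corruption the report describes). */
#define JUMP_MAX_OUTS 32 /* constructed capacity matching the reporter's ">31 cases" threshold */

typedef struct {
    unsigned int jumps[JUMP_MAX_OUTS];
    unsigned int jump_count;
} jump_list;

static void jump_list_init(jump_list *jl)
{
    memset(jl, 0, sizeof *jl);
}

/* Models the unchecked append from the report. The store goes through memcpy
 * into the struct's own bytes so the overflow into jump_count is reproduced
 * without ever writing outside the object; once the corrupted count points
 * beyond the struct it refuses, where the real code would simply crash.
 * Returns 0 when stored, -1 when refused. */
static int jump_list_add_unchecked(jump_list *jl, unsigned int target)
{
    size_t off = (size_t)jl->jump_count * sizeof(unsigned int);
    if (off + sizeof(unsigned int) > sizeof *jl) {
        return -1;
    }
    memcpy((unsigned char *)jl + off, &target, sizeof target);
    jl->jump_count++;
    return 0;
}

/* Bounds-checked append: the defensive form. Refuses the 33rd entry instead
 * of corrupting the count, so the caller can report the oversized switch. */
static int jump_list_add_checked(jump_list *jl, unsigned int target)
{
    if (jl->jump_count >= JUMP_MAX_OUTS) {
        return -1;
    }
    jl->jumps[jl->jump_count++] = target;
    return 0;
}

/* Per the reporter's note: one out per case, plus default, plus the next opcode. */
static unsigned int switch_outs_needed(unsigned int cases)
{
    return cases + 2;
}

/* jump_count observed after n unchecked appends of constructed targets 100, 101, ... */
static unsigned int unchecked_count_after(unsigned int n)
{
    jump_list jl;
    unsigned int i;
    jump_list_init(&jl);
    for (i = 0; i < n; i++) {
        if (jump_list_add_unchecked(&jl, 100 + i) != 0) {
            break;
        }
    }
    return jl.jump_count;
}

/* jump_count observed after n checked appends; never exceeds JUMP_MAX_OUTS. */
static unsigned int checked_count_after(unsigned int n)
{
    jump_list jl;
    unsigned int i;
    jump_list_init(&jl);
    for (i = 0; i < n; i++) {
        if (jump_list_add_checked(&jl, 100 + i) != 0) {
            break;
        }
    }
    return jl.jump_count;
}

int main(void)
{
    unsigned int outs = switch_outs_needed(31);
    printf("switch with 31 cases needs %u outs, capacity %d\n", outs, JUMP_MAX_OUTS);
    printf("unchecked: jump_count after %u appends = %u\n", outs, unchecked_count_after(outs));
    printf("checked:   jump_count after %u appends = %u\n", outs, checked_count_after(outs));
    return 0;
}
```

With 31 cases the list needs 33 outs; the 33rd unchecked append lands on `jump_count` itself (storing the target 132, then incrementing to 133), so the next append would index far past the array, which is the same shape as the 577 the reporter observed. The checked variant stops at 32 and returns an error the caller can surface.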

derick

2017-11-10 14:45

administrator   ~0004455

Cheers - did you have the time to attach the code snippet yet?

derick

2017-11-12 19:16

administrator   ~0004456

Thanks for the report, this is now fixed in master.

Issue History

Date Modified Username Field Change
2017-11-01 17:57 cristi.cotet New Issue
2017-11-01 18:21 derick Note Added: 0004447
2017-11-01 18:21 derick Assigned To => derick
2017-11-01 18:21 derick Status new => feedback
2017-11-02 06:13 cristi.cotet Note Added: 0004452
2017-11-02 06:13 cristi.cotet Status feedback => assigned
2017-11-10 14:45 derick Note Added: 0004455
2017-11-10 14:45 derick Status assigned => feedback
2017-11-11 10:09 derick Target Version => 2.6.0dev
2017-11-12 19:16 derick Note Added: 0004456
2017-11-12 19:16 derick Status feedback => closed
2017-11-12 19:16 derick Resolution open => fixed
2017-11-12 19:16 derick Fixed in Version => 2.6.0dev
2017-11-13 10:59 derick Relationship added has duplicate 0001490
2017-12-02 15:57 derick Fixed in Version 2.6.0dev => 2.6.0alpha1
2017-12-02 18:34 derick Target Version 2.6.0dev => 2.6.0alpha1
2017-12-02 18:36 derick Target Version 2.6.0alpha1 => 2.6.0