View Issue Details
Field | Value
---|---
ID | 0001329
Project | Xdebug
Category | Usage problems (Wrong Results)
View Status | public
Date Submitted | 2016-07-21 19:25
Last Update | 2016-12-19 12:49
Reporter | tyson
Assigned To | derick
Priority | normal
Severity | crash
Reproducibility | always
Status | closed
Resolution | fixed
Platform | Linux
OS | CentOS (/All?)
OS Version | 6
Product Version | 2.4.0
Target Version | 
Fixed in Version | 2.5.1
Summary | 0001329: While printing out a stack with function parameters, Xdebug reads uninitialized zvals or free()d memory
Description:

This happens when the only zend_extension is xdebug.so, and for PHP versions 7.0.8 and 7.0.9. Other extensions are disabled. (PHP < 7.0.8 was not tested.)

In the provided test case, the stack trace was printed because of a PHP notice. I've observed a similar error when an exception was being thrown (or rethrown?); I will attempt to reproduce it if requested.

I get errors such as segmentation faults, valgrind errors, and attempts to allocate strings which are too large.

I managed to reproduce this in a Dockerfile running CentOS 6.6, though I don't think it's OS-specific. Removing the xdebug.collect_params config from the php.ini removed any valgrind errors.
Steps To Reproduce:

The steps to reproduce are found in https://github.com/TysonAndre-ContinuousIntegration/xdebug_segfault, which was uploaded here.

PHP config options:

```
export CFLAGS="-O3 -g"
export CXXFLAGS="$CFLAGS"
./configure --enable-exif --localstatedir=/var --sysconfdir=/etc --with-config-file-path=/etc --without-pdo-sqlite --without-sqlite3 --without-pear --enable-inline-optimization --enable-ctype --enable-session --enable-wddx --with-zlib=/usr --with-layout=GNU --enable-json --enable-filter --enable-hash --enable-bcmath=shared --enable-fd-setsize=10000 --enable-pcntl --enable-zend-signals --with-apxs2 --with-bz2 --enable-intl --enable-fpm --enable-phpdbg --enable-debug
```

Xdebug config options:

```
export CFLAGS="-O3 -g"
export CXXFLAGS="$CFLAGS"
./configure
```

php.ini:

```
[PHP]
error_reporting = E_ALL | E_STRICT
display_errors = On
log_errors = On
report_memleaks = On
extension_dir="/usr/local/lib/php/20151012-debug"
include_path="."

[xdebug]
zend_extension="/usr/local/lib/php/20151012-debug/xdebug.so"
xdebug.profiler_enable=0
xdebug.collect_params=3
xdebug.remote_enable=1
```

Test file: https://github.com/TysonAndre-ContinuousIntegration/xdebug_segfault/blob/master/tests/test5.php
Additional Information:

See https://github.com/TysonAndre-ContinuousIntegration/xdebug_segfault/blob/master/run_testcase_inner_valgrind.sh. The first valgrind error:

```
PHP Notice:  Undefined property: client::$_url in /tests/test5.php on line 75
PHP Stack trace:
PHP   1. {main}() /tests/test5.php:0
PHP   2. main($a = TRUE) /tests/test5.php:100
==1== Invalid read of size 8
==1==    at 0x8DE8098: xdebug_var_export (xdebug_var.c:1040)
==1==    by 0x8DE88E9: xdebug_get_zval_value (xdebug_var.c:1169)
==1==    by 0x8DDDA48: xdebug_log_stack (xdebug_stack.c:223)
==1==    by 0x8DDF9A0: xdebug_error_cb (xdebug_stack.c:759)
==1==    by 0x7A502E: zend_error (zend.c:1154)
==1==    by 0x7EFB3C: zend_std_read_property (zend_object_handlers.c:621)
==1==    by 0x83E302: ZEND_FETCH_OBJ_R_SPEC_UNUSED_CONST_HANDLER (zend_vm_execute.h:23544)
==1==    by 0x807B74: ZEND_USER_OPCODE_SPEC_HANDLER (zend_vm_execute.h:1568)
==1==    by 0x803F22: execute_ex (zend_vm_execute.h:417)
==1==    by 0x8DC3CF9: xdebug_execute_ex (xdebug.c:1890)
==1==    by 0x8086B9: ZEND_CALL_TRAMPOLINE_SPEC_HANDLER (zend_vm_execute.h:1750)
==1==    by 0x803F22: execute_ex (zend_vm_execute.h:417)
==1==  Address 0x8d73820 is 16 bytes inside a block of size 32 free'd
==1==    at 0x4C27430: free (vg_replace_malloc.c:446)
==1==    by 0x772220: _efree (zend_alloc.c:2461)
==1==    by 0x7A1F84: zend_string_free (zend_string.h:263)
==1==    by 0x7A23E1: _zval_dtor_func_for_ptr (zend_variables.c:90)
==1==    by 0x802988: i_free_compiled_variables (zend_execute.c:2067)
==1==    by 0x804380: zend_leave_helper_SPEC (zend_vm_execute.h:531)
==1==    by 0x80BAD2: ZEND_RETURN_SPEC_CONST_HANDLER (zend_vm_execute.h:3100)
==1==    by 0x807B74: ZEND_USER_OPCODE_SPEC_HANDLER (zend_vm_execute.h:1568)
==1==    by 0x803F22: execute_ex (zend_vm_execute.h:417)
==1==    by 0x8DC3CF9: xdebug_execute_ex (xdebug.c:1890)
==1==    by 0x78E495: zend_call_function (zend_execute_API.c:866)
==1==    by 0x7CCA47: zend_call_method (zend_interfaces.c:104)
==1==
==1== Invalid read of size 1
==1==    at 0x4C29D21: memcpy (mc_replace_strmem.c:882)
==1==    by 0x8DE5909: zend_string_init (zend_string.h:159)
==1==    by 0x8DE80BC: xdebug_var_export (xdebug_var.c:1040)
==1==    by 0x8DE88E9: xdebug_get_zval_value (xdebug_var.c:1169)
==1==    by 0x8DDDA48: xdebug_log_stack (xdebug_stack.c:223)
==1==    by 0x8DDF9A0: xdebug_error_cb (xdebug_stack.c:759)
==1==    by 0x7A502E: zend_error (zend.c:1154)
==1==    by 0x7EFB3C: zend_std_read_property (zend_object_handlers.c:621)
==1==    by 0x83E302: ZEND_FETCH_OBJ_R_SPEC_UNUSED_CONST_HANDLER (zend_vm_execute.h:23544)
==1==    by 0x807B74: ZEND_USER_OPCODE_SPEC_HANDLER (zend_vm_execute.h:1568)
==1==    by 0x803F22: execute_ex (zend_vm_execute.h:417)
==1==    by 0x8DC3CF9: xdebug_execute_ex (xdebug.c:1890)
==1==  Address 0x8d73829 is 25 bytes inside a block of size 32 free'd
==1==    at 0x4C27430: free (vg_replace_malloc.c:446)
==1==    by 0x772220: _efree (zend_alloc.c:2461)
==1==    by 0x7A1F84: zend_string_free (zend_string.h:263)
==1==    by 0x7A23E1: _zval_dtor_func_for_ptr (zend_variables.c:90)
==1==    by 0x802988: i_free_compiled_variables (zend_execute.c:2067)
==1==    by 0x804380: zend_leave_helper_SPEC (zend_vm_execute.h:531)
==1==    by 0x80BAD2: ZEND_RETURN_SPEC_CONST_HANDLER (zend_vm_execute.h:3100)
==1==    by 0x807B74: ZEND_USER_OPCODE_SPEC_HANDLER (zend_vm_execute.h:1568)
==1==    by 0x803F22: execute_ex (zend_vm_execute.h:417)
==1==    by 0x8DC3CF9: xdebug_execute_ex (xdebug.c:1890)
==1==    by 0x78E495: zend_call_function (zend_execute_API.c:866)
==1==    by 0x7CCA47: zend_call_method (zend_interfaces.c:104)
```
Field | Value
---|---
Tags | No tags attached.
Operating System | CentOS 6.5/6.6 (or all?)
PHP Version | 7.0.5-7.0.9

Attached file: xdebug_segfault-master.zip (14,034 bytes)

tyson (2016-07-21 20:04, note 0003650):

I also see this error when xdebug.collect_params = 1 (along with other errors):

```
==1==
==1== Use of uninitialised value of size 8
==1==    at 0x8DE8A3C: xdebug_var_synopsis (xdebug_var.c:1208)
==1==    by 0x8DE8CD8: xdebug_get_zval_synopsis (xdebug_var.c:1285)
==1==    by 0x8DDE4E9: add_single_value (xdebug_stack.c:389)
==1==    by 0x8DDE9FC: xdebug_append_printable_stack (xdebug_stack.c:483)
==1==    by 0x8DDEF71: get_printable_stack (xdebug_stack.c:580)
==1==    by 0x8DDFC05: xdebug_error_cb (xdebug_stack.c:805)
==1==    by 0x7A57CA: zend_error (zend.c:1154)
==1==    by 0x7F0434: zend_std_read_property (zend_object_handlers.c:621)
==1==    by 0x83EBBC: ZEND_FETCH_OBJ_R_SPEC_UNUSED_CONST_HANDLER (zend_vm_execute.h:23539)
==1==    by 0x80846C: ZEND_USER_OPCODE_SPEC_HANDLER (zend_vm_execute.h:1568)
==1==    by 0x80481A: execute_ex (zend_vm_execute.h:417)
==1==    by 0x8DC3CF9: xdebug_execute_ex (xdebug.c:1890)
```

tyson (2016-07-21 20:25, note 0003651):

I thought it might have been related to call_user_func*, but it happened even without the dynamic method name. A smaller version of the test case is test6.php.

Attached file: test6.php (2,339 bytes)

tyson (2016-07-21 20:45, note 0003652):

I also tried test6.php with the latest commit on GitHub (https://github.com/xdebug/xdebug/commit/bcb45acb6c828ccf9e217a1f58db92658c6650cb), and still got errors: https://github.com/TysonAndre-ContinuousIntegration/xdebug_segfault/blob/master/valgrind_output_for_xdebug-bcb45ac.txt

derick (2016-07-21 20:49, note 0003653):

I'm looking at this, and also seeing the crash, albeit in a different way. If you could continue making the test case smaller, that'd be a great help.

tyson (2016-07-21 21:09, note 0003654):

Contents of test8.php after minimization:

```
<?php
class client {
    // Any call to an undefined method lands here. Reading the undefined
    // property $_url raises a PHP notice, which makes Xdebug print the
    // stack together with the collected function parameters.
    public function __call($method, $params) {
        echo $this->_url;
    }
}

function main($a) {
    $service = new client();
    // $xxxxxxx is deliberately undefined; the return value is destructured by list().
    list($aaaa) = $service->callSomeMagicMethod_1($xxxxxxx);
}

main(true);
```

php.ini is the same as my other examples:

```
[PHP]
error_reporting = E_ALL | E_STRICT
display_errors = On
log_errors = On
report_memleaks = On
extension_dir="/usr/local/lib/php/20151012-debug"
include_path="."

[xdebug]
zend_extension="/usr/local/lib/php/20151012-debug/xdebug.so"
xdebug.profiler_enable=0
xdebug.collect_params=3
xdebug.remote_enable=1
```

Valgrind output for me: https://github.com/TysonAndre-ContinuousIntegration/xdebug_segfault/blob/master/valgrind_test8-for-xdebug-bcb45ac.txt

Attached file: test8.php (229 bytes)

tyson (2016-07-21 21:13, note 0003655):

Also, did you want the ./configure script options to be "smaller" (and if so, what do you call a standard config / compiler flags)?

derick (2016-07-21 21:24, note 0003656):

No, I'm fine. Thanks. The test cases I have now are good enough.

derick (2016-12-17 19:21, note 0004079):

I have an inkling that https://github.com/xdebug/xdebug/commit/90efb3aada7b0423a86462d10d6758ca3c384e75 might have fixed this. Would you mind trying with the latest Git version?

tyson (2016-12-18 02:36, note 0004080):

It seems like it's fixed. (I will reopen this if the code the examples were derived from encounters different bugs.)

I ran all 4 test cases in https://github.com/TysonAndre-ContinuousIntegration/xdebug_segfault again with PHP 7.0.14. The crashes are fixed in the current Xdebug master branch (bb535ed, which includes 90efb3aa).

The issue description could be amended to include PHP 7.0.5-7.0.14 and Xdebug 2.4.0-2.5.0. (I was able to reproduce the crashes/allocator error with Xdebug 2.5.0 and PHP 7.0.14. There were no errors with Xdebug master (2.6-dev?) and PHP 7.0.14.)

derick (2016-12-19 12:49, note 0004091):

Okay, let me close this as fixed then. Please create a *new* issue if you find further crashes etc.

Date Modified | Username | Field | Change |
---|---|---|---|
2016-07-21 19:25 | tyson | New Issue | |
2016-07-21 19:25 | tyson | File Added: xdebug_segfault-master.zip | |
2016-07-21 20:04 | tyson | Note Added: 0003650 | |
2016-07-21 20:25 | tyson | Note Added: 0003651 | |
2016-07-21 20:25 | tyson | File Added: test6.php | |
2016-07-21 20:45 | tyson | Note Added: 0003652 | |
2016-07-21 20:49 | derick | Note Added: 0003653 | |
2016-07-21 21:09 | tyson | Note Added: 0003654 | |
2016-07-21 21:09 | tyson | Note Edited: 0003654 | |
2016-07-21 21:10 | tyson | File Added: test8.php | |
2016-07-21 21:13 | tyson | Note Added: 0003655 | |
2016-07-21 21:24 | derick | Note Added: 0003656 | |
2016-07-31 12:36 | derick | Category | Usage problems => Usage problems (Crashes) |
2016-07-31 12:38 | derick | Category | Usage problems (Crashes) => Usage problems (Wrong Results) |
2016-12-04 16:06 | derick | Assigned To | => derick |
2016-12-04 16:06 | derick | Status | new => acknowledged |
2016-12-04 17:40 | derick | Status | acknowledged => confirmed |
2016-12-17 17:12 | derick | Severity | major => crash |
2016-12-17 19:21 | derick | Note Added: 0004079 | |
2016-12-17 19:21 | derick | Status | confirmed => feedback |
2016-12-18 02:36 | tyson | Note Added: 0004080 | |
2016-12-18 02:36 | tyson | Status | feedback => assigned |
2016-12-18 02:38 | tyson | Note Edited: 0004080 | |
2016-12-18 02:39 | tyson | Note Edited: 0004080 | |
2016-12-19 12:49 | derick | Note Added: 0004091 | |
2016-12-19 12:49 | derick | Status | assigned => closed |
2016-12-19 12:49 | derick | Resolution | open => fixed |
2016-12-19 12:49 | derick | Fixed in Version | => 2.5.1 |