0001329: While printing out a stack with and function parameters, XDebug reads uninitialized zvals or free()d memory

ID	Project	Category	View Status	Date Submitted	Last Update

0001329	Xdebug	Usage problems (Wrong Results)	public	2016-07-21 19:25	2016-12-19 12:49

Reporter	tyson	Assigned To	derick
Priority	normal	Severity	crash	Reproducibility	always
Status	closed	Resolution	fixed
Platform	Linux	OS	Centos(/All?)	OS Version	6
Product Version	2.4.0
Target Version		Fixed in Version	2.5.1

Summary	0001329: While printing out a stack with and function parameters, XDebug reads uninitialized zvals or free()d memory
Description	This happens when the only zend_extension is xdebug.so, and for php versions 7.0.8 and 7.0.9. Other extensions are disabled. (php < 7.0.8 was not tested) In the provided test case, the stack trace was printed because of a php notice. I've observed a similar error when an exception was being thrown (or rethrown?), will attempt to reproduce it if requested. I get errors such as segmentation faults, valgrind errors, and attempts to allocate strings which are too large. I managed to reproduce this in a dockerfile running centos 6.6, though I don't think it's OS specific. Removing the xdebug.collect_params config from the php.ini removed any valgrind errors.
Steps To Reproduce	The steps to reproduce are found in https://github.com/TysonAndre-ContinuousIntegration/xdebug_segfault , which was uploaded here. Php config options ------------------- export CFLAGS="-O3 -g" export CXXFLAGS="$CFLAGS" ./configure --enable-exif --localstatedir=/var --sysconfdir=/etc --with-config-file-path=/etc --without-pdo-sqlite --without-sqlite3 --without-pear --enable-inline-optimization --enable-ctype --enable-session --enable-wddx --with-z lib=/usr --with-layout=GNU --enable-json --enable-filter --enable-hash --enable-bcmath=shared --enable-fd-setsize=10000 --enable-pcntl --enable-zend-signals --with-apxs2 --with-bz2 --enable-intl --enable-fpm --enable-phpdbg --enable-debugs Xdebug config options ---------------------- export CFLAGS="-O3 -g" export CXXFLAGS="$CFLAGS" ./configure php.ini ------- [PHP] error_reporting = E_ALL \| E_STRICT display_errors = On log_errors = On report_memleaks = On extension_dir="/usr/local/lib/php/20151012-debug" include_path="." [xdebug] zend_extension="/usr/local/lib/php/20151012-debug/xdebug.so" xdebug.profiler_enable=0 xdebug.collect_params=3 xdebug.remote_enable=1 Test file: https://github.com/TysonAndre-ContinuousIntegration/xdebug_segfault/blob/master/tests/test5.php
Additional Information	See https://github.com/TysonAndre-ContinuousIntegration/xdebug_segfault/blob/master/run_testcase_inner_valgrind.sh . The first valgrind error: PHP Notice: Undefined property: client::$_url in /tests/test5.php on line 75 PHP Stack trace: PHP 1. {main}() /tests/test5.php:0 PHP 2. main($a = TRUE) /tests/test5.php:100 ==1== Invalid read of size 8 ==1== at 0x8DE8098: xdebug_var_export (xdebug_var.c:1040) ==1== by 0x8DE88E9: xdebug_get_zval_value (xdebug_var.c:1169) ==1== by 0x8DDDA48: xdebug_log_stack (xdebug_stack.c:223) ==1== by 0x8DDF9A0: xdebug_error_cb (xdebug_stack.c:759) ==1== by 0x7A502E: zend_error (zend.c:1154) ==1== by 0x7EFB3C: zend_std_read_property (zend_object_handlers.c:621) ==1== by 0x83E302: ZEND_FETCH_OBJ_R_SPEC_UNUSED_CONST_HANDLER (zend_vm_execute.h:23544) ==1== by 0x807B74: ZEND_USER_OPCODE_SPEC_HANDLER (zend_vm_execute.h:1568) ==1== by 0x803F22: execute_ex (zend_vm_execute.h:417) ==1== by 0x8DC3CF9: xdebug_execute_ex (xdebug.c:1890) ==1== by 0x8086B9: ZEND_CALL_TRAMPOLINE_SPEC_HANDLER (zend_vm_execute.h:1750) ==1== by 0x803F22: execute_ex (zend_vm_execute.h:417) ==1== Address 0x8d73820 is 16 bytes inside a block of size 32 free'd ==1== at 0x4C27430: free (vg_replace_malloc.c:446) ==1== by 0x772220: _efree (zend_alloc.c:2461) ==1== by 0x7A1F84: zend_string_free (zend_string.h:263) ==1== by 0x7A23E1: _zval_dtor_func_for_ptr (zend_variables.c:90) ==1== by 0x802988: i_free_compiled_variables (zend_execute.c:2067) ==1== by 0x804380: zend_leave_helper_SPEC (zend_vm_execute.h:531) ==1== by 0x80BAD2: ZEND_RETURN_SPEC_CONST_HANDLER (zend_vm_execute.h:3100) ==1== by 0x807B74: ZEND_USER_OPCODE_SPEC_HANDLER (zend_vm_execute.h:1568) ==1== by 0x803F22: execute_ex (zend_vm_execute.h:417) ==1== by 0x8DC3CF9: xdebug_execute_ex (xdebug.c:1890) ==1== by 0x78E495: zend_call_function (zend_execute_API.c:866) ==1== by 0x7CCA47: zend_call_method (zend_interfaces.c:104) ==1== ==1== Invalid read of size 1 ==1== at 0x4C29D21: memcpy (mc_replace_strmem.c:882) ==1== by 0x8DE5909: zend_string_init (zend_string.h:159) ==1== by 0x8DE80BC: xdebug_var_export (xdebug_var.c:1040) ==1== by 0x8DE88E9: xdebug_get_zval_value (xdebug_var.c:1169) ==1== by 0x8DDDA48: xdebug_log_stack (xdebug_stack.c:223) ==1== by 0x8DDF9A0: xdebug_error_cb (xdebug_stack.c:759) ==1== by 0x7A502E: zend_error (zend.c:1154) ==1== by 0x7EFB3C: zend_std_read_property (zend_object_handlers.c:621) ==1== by 0x83E302: ZEND_FETCH_OBJ_R_SPEC_UNUSED_CONST_HANDLER (zend_vm_execute.h:23544) ==1== by 0x807B74: ZEND_USER_OPCODE_SPEC_HANDLER (zend_vm_execute.h:1568) ==1== by 0x803F22: execute_ex (zend_vm_execute.h:417) ==1== by 0x8DC3CF9: xdebug_execute_ex (xdebug.c:1890) ==1== Address 0x8d73829 is 25 bytes inside a block of size 32 free'd ==1== at 0x4C27430: free (vg_replace_malloc.c:446) ==1== by 0x772220: _efree (zend_alloc.c:2461) ==1== by 0x7A1F84: zend_string_free (zend_string.h:263) ==1== by 0x7A23E1: _zval_dtor_func_for_ptr (zend_variables.c:90) ==1== by 0x802988: i_free_compiled_variables (zend_execute.c:2067) ==1== by 0x804380: zend_leave_helper_SPEC (zend_vm_execute.h:531) ==1== by 0x80BAD2: ZEND_RETURN_SPEC_CONST_HANDLER (zend_vm_execute.h:3100) ==1== by 0x807B74: ZEND_USER_OPCODE_SPEC_HANDLER (zend_vm_execute.h:1568) ==1== by 0x803F22: execute_ex (zend_vm_execute.h:417) ==1== by 0x8DC3CF9: xdebug_execute_ex (xdebug.c:1890) ==1== by 0x78E495: zend_call_function (zend_execute_API.c:866) ==1== by 0x7CCA47: zend_call_method (zend_interfaces.c:104)
Tags	No tags attached.

Operating System	Centos 6.5/6.6/(or all?)
PHP Version	7.0.5-7.0.9

tyson 2016-07-21 19:25 reporter	xdebug_segfault-master.zip (14,034 bytes)

tyson 2016-07-21 20:04 reporter ~0003650	I also see this error when xdebug.collect_params = 1 (along with other errors) ==1== ==1== Use of uninitialised value of size 8 ==1== at 0x8DE8A3C: xdebug_var_synopsis (xdebug_var.c:1208) ==1== by 0x8DE8CD8: xdebug_get_zval_synopsis (xdebug_var.c:1285) ==1== by 0x8DDE4E9: add_single_value (xdebug_stack.c:389) ==1== by 0x8DDE9FC: xdebug_append_printable_stack (xdebug_stack.c:483) ==1== by 0x8DDEF71: get_printable_stack (xdebug_stack.c:580) ==1== by 0x8DDFC05: xdebug_error_cb (xdebug_stack.c:805) ==1== by 0x7A57CA: zend_error (zend.c:1154) ==1== by 0x7F0434: zend_std_read_property (zend_object_handlers.c:621) ==1== by 0x83EBBC: ZEND_FETCH_OBJ_R_SPEC_UNUSED_CONST_HANDLER (zend_vm_execute.h:23539) ==1== by 0x80846C: ZEND_USER_OPCODE_SPEC_HANDLER (zend_vm_execute.h:1568) ==1== by 0x80481A: execute_ex (zend_vm_execute.h:417) ==1== by 0x8DC3CF9: xdebug_execute_ex (xdebug.c:1890)

tyson 2016-07-21 20:25 reporter ~0003651	I thought it might have been related to call_user_func*, but it happened even without the dynamic method name. A smaller version of the test case is test6.php

tyson 2016-07-21 20:25 reporter	test6.php (2,339 bytes)

tyson 2016-07-21 20:45 reporter ~0003652	I also tried test6.php with the latest commit on github, and still got errors ( https://github.com/xdebug/xdebug/commit/bcb45acb6c828ccf9e217a1f58db92658c6650cb ) https://github.com/TysonAndre-ContinuousIntegration/xdebug_segfault/blob/master/valgrind_output_for_xdebug-bcb45ac.txt

derick 2016-07-21 20:49 administrator ~0003653	I'm looking at this, and also seeing the crash. Albeit in a different way. If you could work on continuing making the test case smaller, that'd be a great help.

tyson 2016-07-21 21:09 reporter ~0003654 Last edited: 2016-07-21 21:09 View 2 revisions	Contents of test8.php after minimization between the quotes: ``` <?php class client { public function __call($method, $params) { echo $this->_url; } } function main($a) { $service = new client(); list($aaaa) = $service->callSomeMagicMethod_1($xxxxxxx); } main(true); ``` php.ini is the same as my other examples: ``` [PHP] error_reporting = E_ALL \| E_STRICT display_errors = On log_errors = On report_memleaks = On extension_dir="/usr/local/lib/php/20151012-debug" include_path="." [xdebug] zend_extension="/usr/local/lib/php/20151012-debug/xdebug.so" xdebug.profiler_enable=0 xdebug.collect_params=3 xdebug.remote_enable=1 ``` Valgrind output for me: https://github.com/TysonAndre-ContinuousIntegration/xdebug_segfault/blob/master/valgrind_test8-for-xdebug-bcb45ac.txt

tyson 2016-07-21 21:10 reporter	test8.php (229 bytes)

tyson 2016-07-21 21:13 reporter ~0003655	Also, did you want the ./configure script options to be "smaller" (And if so, what you call a standard config / compiler flags)?

derick 2016-07-21 21:24 administrator ~0003656	No, I'm fine. Thanks. The test cases I have now are good enough.

derick 2016-12-17 19:21 administrator ~0004079	I have an inkling that https://github.com/xdebug/xdebug/commit/90efb3aada7b0423a86462d10d6758ca3c384e75 might have fixed this - would you mind trying with the latest Git version?

tyson 2016-12-18 02:36 reporter ~0004080 Last edited: 2016-12-18 02:39 View 3 revisions	It seems like it's fixed. (Will reopen this if the code the examples were derived from encounters different bugs) I ran all 4 tests cases in https://github.com/TysonAndre-ContinuousIntegration/xdebug_segfault again with php 7.0.14. The crashes are fixed in the current xdebug master branch (bb535ed, which includes 90efb3aa) The issue description could be amended to include 7.0.5-7.0.14 and xdebug 2.4.0-2.5.0 (I was able to reproduce the crashes/allocator error with xdebug 2.5.0 and php 7.0.14. There were no errors with xdebug master(2.6-dev?) and php 7.0.14)

derick 2016-12-19 12:49 administrator ~0004091	Okay, let me close this as fixed then. Please create a new issue if you find further crashes etc.

Date Modified	Username	Field	Change
2016-07-21 19:25	tyson	New Issue
2016-07-21 19:25	tyson	File Added: xdebug_segfault-master.zip
2016-07-21 20:04	tyson	Note Added: 0003650
2016-07-21 20:25	tyson	Note Added: 0003651
2016-07-21 20:25	tyson	File Added: test6.php
2016-07-21 20:45	tyson	Note Added: 0003652
2016-07-21 20:49	derick	Note Added: 0003653
2016-07-21 21:09	tyson	Note Added: 0003654
2016-07-21 21:09	tyson	Note Edited: 0003654	View Revisions
2016-07-21 21:10	tyson	File Added: test8.php
2016-07-21 21:13	tyson	Note Added: 0003655
2016-07-21 21:24	derick	Note Added: 0003656
2016-07-31 12:36	derick	Category	Usage problems => Usage problems (Crashes)
2016-07-31 12:38	derick	Category	Usage problems (Crashes) => Usage problems (Wrong Results)
2016-12-04 16:06	derick	Assigned To	=> derick
2016-12-04 16:06	derick	Status	new => acknowledged
2016-12-04 17:40	derick	Status	acknowledged => confirmed
2016-12-17 17:12	derick	Severity	major => crash
2016-12-17 19:21	derick	Note Added: 0004079
2016-12-17 19:21	derick	Status	confirmed => feedback
2016-12-18 02:36	tyson	Note Added: 0004080
2016-12-18 02:36	tyson	Status	feedback => assigned
2016-12-18 02:38	tyson	Note Edited: 0004080	View Revisions
2016-12-18 02:39	tyson	Note Edited: 0004080	View Revisions
2016-12-19 12:49	derick	Note Added: 0004091
2016-12-19 12:49	derick	Status	assigned => closed
2016-12-19 12:49	derick	Resolution	open => fixed
2016-12-19 12:49	derick	Fixed in Version	=> 2.5.1

View Issue Details

Activities

Issue History