View Issue Details

ID: 0001454
Project: Xdebug
Category: Uncategorized
View Status: public
Last Update: 2018-01-22 18:21
Reporter: tyson
Assigned To: derick
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform: Any
Product Version: 2.5.5
Target Version: 2.6.0
Fixed in Version: 2.6.0rc1
Summary: 0001454: Seeing invalid memory read or segfaults from a __call() method when running unit test (using Phockito) in php 7.1
Description

A unit test (internally used with a lot of dependencies) was segfaulting when using https://github.com/ifwe/phockito/blob/6e6011301ac5f6e62a49b6c4931cc4180e12d6e5/Phockito.php#L837

The conditions for the invalid memory reads with xdebug are unknown, but it happens when a Phockito test fails and attempts to throw an exception indicating this. It likely has something to do with the fact it's happening in __call()

https://github.com/TysonAndre/xdebug_invalidread_phockito has a simplified version of that test, which consistently emits invalid memory read errors when run under valgrind.

  • Before merging multiple files into a single file, it would consistently emit invalid memory read errors, then segfault.

I haven't tested php 7.1 yet. I was able to reproduce this in Centos 6.5 and Ubuntu (dockerized)

Steps To Reproduce

Run the below command (Must include collect_params=3. If collect_params=0 is used, there are no invalid memory reads)

USE_ZEND_ALLOC=0 valgrind php --no-php-ini -d zend_extension=xdebug.so -d xdebug.collect_params=3 invalid_read_test.php

Additional Information

It seems to happen when reading the contents of temporary un-named variables of the function, in order to create a stack trace. I've seen attempts to dump zvals with (type 6) strings with negative refcounts, as well as zvals with (type 8) values with invalid object handlers and class entries.

Various valgrind errors such as the below were seen.

==7== Invalid read of size 8
==7==    at 0x9488663: xdebug_var_export (xdebug_var.c:1083)
==7==    by 0x9488EA6: xdebug_get_zval_value (xdebug_var.c:1212)
==7==    by 0x948148B: add_single_value (xdebug_stack.c:397)
==7==    by 0x948148B: xdebug_append_printable_stack (xdebug_stack.c:486)
==7==    by 0x946D677: xdebug_throw_exception_hook (xdebug.c:1650)
==7==    by 0x1ED300: zend_throw_exception_internal (in /usr/bin/php7.1)
==7==    by 0x3DADA7: ??? (in /usr/bin/php7.1)
==7==    by 0x3C0ADA: execute_ex (in /usr/bin/php7.1)
==7==    by 0x946ECF5: xdebug_execute_ex (xdebug.c:2056)
==7==    by 0x418CCB: ??? (in /usr/bin/php7.1)
==7==    by 0x3C0ADA: execute_ex (in /usr/bin/php7.1)
==7==    by 0x946ECF5: xdebug_execute_ex (xdebug.c:2056)
==7==    by 0x419E3B: ??? (in /usr/bin/php7.1)
==7==  Address 0x97c6d10 is 16 bytes inside a block of size 4,096 free'd
==7==    at 0x4C2ED5B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7==    by 0x419CF7: ??? (in /usr/bin/php7.1)
==7==    by 0x3C0ADA: execute_ex (in /usr/bin/php7.1)
==7==    by 0x946ECF5: xdebug_execute_ex (xdebug.c:2056)
==7==    by 0x418CCB: ??? (in /usr/bin/php7.1)
==7==    by 0x3C0ADA: execute_ex (in /usr/bin/php7.1)
==7==    by 0x946ECF5: xdebug_execute_ex (xdebug.c:2056)
==7==    by 0x419E3B: ??? (in /usr/bin/php7.1)
==7==    by 0x3C0ADA: execute_ex (in /usr/bin/php7.1)
==7==    by 0x946ECF5: xdebug_execute_ex (xdebug.c:2056)
==7==    by 0x419E3B: ??? (in /usr/bin/php7.1)
==7==    by 0x3C0ADA: execute_ex (in /usr/bin/php7.1)
==7==  Block was alloc'd at
==7==    at 0x4C2FD4F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7==    by 0x34C6A8: __zend_realloc (in /usr/bin/php7.1)
==7==    by 0x3B9B3E: smart_str_erealloc (in /usr/bin/php7.1)
==7==    by 0x2F1555: php_var_export_ex (in /usr/bin/php7.1)
==7==    by 0x2F0C86: php_var_export_ex (in /usr/bin/php7.1)
==7==    by 0x2F1830: zif_var_export (in /usr/bin/php7.1)
==7==    by 0x946F7BC: xdebug_execute_internal (xdebug.c:2208)
==7==    by 0x4197DB: ??? (in /usr/bin/php7.1)
==7==    by 0x3C0ADA: execute_ex (in /usr/bin/php7.1)
==7==    by 0x946ECF5: xdebug_execute_ex (xdebug.c:2056)
==7==    by 0x418CCB: ??? (in /usr/bin/php7.1)
==7==    by 0x3C0ADA: execute_ex (in /usr/bin/php7.1)
==7==
==7== Invalid read of size 8
==7==    at 0x4C345C0: memmove (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7==    by 0x948869F: memcpy (string3.h:53)
==7==    by 0x948869F: zend_string_init (zend_string.h:160)
==7==    by 0x948869F: xdebug_var_export (xdebug_var.c:1083)
==7==    by 0x9488EA6: xdebug_get_zval_value (xdebug_var.c:1212)
==7==    by 0x948148B: add_single_value (xdebug_stack.c:397)
==7==    by 0x948148B: xdebug_append_printable_stack (xdebug_stack.c:486)
==7==    by 0x946D677: xdebug_throw_exception_hook (xdebug.c:1650)
==7==    by 0x1ED300: zend_throw_exception_internal (in /usr/bin/php7.1)
==7==    by 0x3DADA7: ??? (in /usr/bin/php7.1)
==7==    by 0x3C0ADA: execute_ex (in /usr/bin/php7.1)
==7==    by 0x946ECF5: xdebug_execute_ex (xdebug.c:2056)
==7==    by 0x418CCB: ??? (in /usr/bin/php7.1)
==7==    by 0x3C0ADA: execute_ex (in /usr/bin/php7.1)
==7==    by 0x946ECF5: xdebug_execute_ex (xdebug.c:2056)

Tags: No tags attached.
Attached Files: invalid_read_test.php (118,932 bytes)
Operating System: Centos/Ubuntu/any
PHP Version: 7.1.5-7.1.9
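
Added example (not part of the original report and not Xdebug code): a Python triage helper that parses memcheck output of the kind shown above, groups invalid accesses by the first frame in an xdebug source file, and records whether the address lies inside a freed block. The function names and the sample, which is abbreviated from the report's trace, are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: memcheck records abbreviated from the report above.
SAMPLE = """\
==7== Invalid read of size 8
==7==    at 0x9488663: xdebug_var_export (xdebug_var.c:1083)
==7==  Address 0x97c6d10 is 16 bytes inside a block of size 4,096 free'd
==7==    at 0x4C2ED5B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7==  Block was alloc'd at
==7==    at 0x4C2FD4F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7==    by 0x3B9B3E: smart_str_erealloc (in /usr/bin/php7.1)
==7==
==7== Invalid read of size 8
==7==    at 0x4C345C0: memmove (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7==    by 0x948869F: zend_string_init (zend_string.h:160)
==7==    by 0x948869F: xdebug_var_export (xdebug_var.c:1083)
"""

PREFIX = re.compile(r"^(?:\d+\s+)?==\d+==\s?")  # also accepts pasted line numbers
FRAME = re.compile(r"(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.+)\)$")
FREED = re.compile(r"inside a block of size [\d,]+ free'd$")

def parse(log):
    """Split memcheck output into records with access/free/alloc stacks."""
    errors, cur, section = [], None, None
    for raw in log.splitlines():
        line = PREFIX.sub("", raw).strip()
        if re.match(r"Invalid (read|write) of size \d+$", line):
            cur = {"what": line, "freed": False, "access": [], "free": [], "alloc": []}
            errors.append(cur)
            section = "access"
        elif cur is None or not line:
            cur = None  # a blank line ends the record; skip text outside records
        elif line.startswith("Address "):
            cur["freed"], section = bool(FREED.search(line)), "free"
        elif line.startswith("Block was alloc'd"):
            section = "alloc"
        elif FRAME.match(line):
            cur[section].append(FRAME.match(line).groups())
    return errors

def by_site(log, module="xdebug"):
    """Count errors per (first frame in a `module` source file, touches freed block)."""
    out = Counter()
    for e in parse(log):
        hits = (f"{fn} ({loc})" for fn, loc in e["access"] if loc.startswith(module))
        out[next(hits, "unknown"), e["freed"]] += 1
    return out
```

Both sample records resolve to the same site, `xdebug_var_export (xdebug_var.c:1083)`, even though the second one faults inside `memmove`; only the first carries the freed-block annotation because the second record is cut off in the sample.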

Activities

derick

2017-07-15 09:58

administrator   ~0004370

I can reproduce this.

derick

2017-09-26 22:28

administrator   ~0004428

I just had a look at this again, and I can still reproduce it. However, I found out that the simplified test was still 4000 lines, which I wouldn't particularly call "simple". With this much data, it's really hard to figure out what causes the problem :-/

If you have some time, could you help out by simplifying this test case even more?

tyson

2017-09-26 23:14

reporter   ~0004429

I simplified it even more. See https://github.com/TysonAndre/xdebug_invalidread_phockito for the steps. I also uploaded the final simplified version (60 lines).

derick

2018-01-20 09:53

administrator   ~0004566

I believe I have this fixed in GIT just now. After my patch, I can't reproduce this issue any more. Thanks for the report, and short test case!

Issue History

Date Modified Username Field Change
2017-07-14 22:11 tyson New Issue
2017-07-14 22:11 tyson File Added: invalid_read_test.php
2017-07-15 09:58 derick Note Added: 0004370
2017-07-15 09:58 derick Assigned To => derick
2017-07-15 09:58 derick Status new => confirmed
2017-07-15 09:59 derick Target Version => 2.5.6
2017-09-26 22:28 derick Note Added: 0004428
2017-09-26 22:28 derick Status confirmed => feedback
2017-09-26 23:13 tyson File Added: invalid_read_test_simplified.php
2017-09-26 23:14 tyson Note Added: 0004429
2017-09-26 23:14 tyson Status feedback => assigned
2017-11-05 14:12 derick Target Version 2.5.6 => 2.6.0dev
2017-12-02 18:35 derick Target Version 2.6.0dev => 2.6.0
2018-01-20 09:53 derick Note Added: 0004566
2018-01-20 09:53 derick Status assigned => closed
2018-01-20 09:53 derick Resolution open => fixed
2018-01-20 09:53 derick Fixed in Version => 2.6.0
2018-01-22 18:21 derick Fixed in Version 2.6.0 => 2.6.0rc1
2020-03-12 16:35 derick Category Usage problems (Wrong Results) => Variable Display
2020-03-12 16:38 derick Category Variable Display => Uncategorized