View Issue Details

ID: 0001625
Project: Xdebug
Category: Step Debugging
View Status: public
Last Update: 2019-02-16 00:38
Reporter: dv-ds
Assigned To: derick
Priority: high
Severity: crash
Reproducibility: always
Status: closed
Resolution: fixed
Platform: x86_64
OS: macOS
OS Version: 10.14.2
Product Version: 2.7.0rc1
Target Version: 2.7.0
Fixed in Version: 2.7.0RC2
Summary: 0001625: Work around ABI conflicts in PHP 7.3.0/PHP 7.3.1
Description

Some evaluations are possible, others are not. In the cases where it doesn't work, the end result is something like this:

[Mon Feb 04 11:49:24.093890 2019] [core:notice] [pid 10169] AH00052: child pid 39934 exit signal Segmentation fault (11)

For what it's worth, I'm fairly certain this occurred also in 2.7.0beta1, but I did not investigate that further as the major issue for me at that point was the opcache issue.

Steps To Reproduce

Setup index.php as follows and navigate to /?foo=bar

<?php

$a = 1;
echo ""; // Set breakpoint here and either hover over $a in VS Code or try to evaluate $_GET in the console. Either will crash. The latter will not cause a crash if the query string is omitted however.

Additional Information

Setup:

  • Visual Studio Code, 1.30.2
  • Apache 2.4.37 (Homebrew)
  • PHP 7.3.1 (Homebrew)
Tags: No tags attached.
Attached Files: xdebug_0001625.log (7,253 bytes)
Operating System: macOS
PHP Version: 7.3.2-7.3.4

Relationships

has duplicate 0001626 (resolved, derick): Segmentation fault when superglobal query is run
has duplicate 0001627 (resolved, derick): Segmentation fault

Activities

dv-ds

2019-02-04 11:13

reporter   ~0004871

I just noticed I set "PHP Version" incorrectly, and don't see any way to modify it. It's 7.3.1 as indicated in the other section.

derick

2019-02-11 17:15

administrator   ~0004885

I think this is a duplicate of 0001626 — can you please see if you can make a GDB trace as is explained at https://xdebug.org/support.php#crash ?

dv-ds

2019-02-12 09:33

reporter   ~0004888

I can't get GDB to work even with a simple hello world program unfortunately. It's been like that for a long time and I gave up trying to fix it. It's a homebrew installation, and I'd rather not touch it as Homebrew very often breaks things for me when I upgrade things, due to messed up dependencies and whatnot.

However, I am able to attach with LLDB (sudo lldb -p nnnn). Here's what I got, and see also attached xdebug log from an earlier session, explained below, do you need more?

Program used:

<?php

error_log("PID: " . getmypid());

sleep(20);

$a = 1; // LLDB log below indicates crash when hovering over $a, at breakpoint
echo ""; // Breakpoint set here

(lldb) continue
Process 4188 resuming
xdebug.so was compiled with optimization - stepping may behave oddly; variables may not be available.
Process 4188 stopped

* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
    frame #0: 0x000000010d2a5e17 xdebug.so`xdebug_var_export_xml_node at xdebug_var.c:1715 [opt]
   1712 zend_string *tmp_fullname_zstr;
   1713
   1714 #if PHP_VERSION_ID >= 70300
-> 1715 tmp_fullname_zstr = php_addslashes(i_string);
   1716 #else
   1717 tmp_fullname_zstr = php_addslashes(i_string, 0);
   1718 #endif
Target 0: (httpd) stopped.

For the xdebug log: (/?foo=bar)

Evaluating $a in console works fine:
[3829] <- eval -i 10 -- JGE=

Hovering over $a - crash:
[3829] <- context_get -i 11 -d 0 -c 1

Evaluating $_GET in console - crash: (and reconnect fails because the thread already died, I get similar results when running this on a running thread)
[4305] <- eval -i 10 -- JF9HRVQ=
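An added example (not part of the original report, and not Xdebug code): a small triage script that decodes the DBGp commands in an Xdebug remote log and lists, per PID, the commands that never received a response, which is how the `context_get` and `eval` requests quoted above stand out as the ones the process died on. The `->` response line in the sample and the use of its `transaction_id` attribute to match replies are constructed assumptions.

```python
import base64
import re
import shlex

# Constructed sample. The three "<-" command lines are the ones quoted in the
# report; the "->" response line is an assumed shape for a reply that arrived.
SAMPLE_LOG = """\
[3829] <- eval -i 10 -- JGE=
[3829] -> <response xmlns="urn:debugger_protocol_v1" command="eval" transaction_id="10"></response>
[3829] <- context_get -i 11 -d 0 -c 1
[4305] <- eval -i 10 -- JF9HRVQ=
"""

LINE_RE = re.compile(r"^\[(?P<pid>\d+)\]\s+(?P<dir><-|->)\s+(?P<body>.*)$")
TXN_RE = re.compile(r'transaction_id="(\d+)"')


def parse_command(body):
    """Split one DBGp command into its name, options and decoded data.

    DBGp commands look like "name -i TXN [-x value ...] [-- BASE64]"; the
    part after "--" is base64-encoded (for eval, the expression to run).
    Returns None for a line that carries no command name.
    """
    head, sep, data = body.partition(" -- ")
    tokens = shlex.split(head)
    if not tokens:
        return None
    opts = {}
    for flag, value in zip(tokens[1::2], tokens[2::2]):
        opts[flag.lstrip("-")] = value
    decoded = None
    if sep:
        try:
            raw = base64.b64decode(data.strip(), validate=True)
            decoded = raw.decode("utf-8", "replace")
        except ValueError:
            decoded = None  # keep going: a damaged payload is still a lead
    return {"name": tokens[0], "txn": opts.get("i"), "opts": opts, "data": decoded}


def unanswered_commands(log_text):
    """Return {pid: [command, ...]} for commands with no matching response."""
    pending = {}  # pid -> {transaction id: parsed command}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid = int(m["pid"])
        if m["dir"] == "<-":
            cmd = parse_command(m["body"])
            if cmd is not None:
                pending.setdefault(pid, {})[cmd["txn"]] = cmd
        else:
            txn = TXN_RE.search(m["body"])
            if txn:
                pending.get(pid, {}).pop(txn.group(1), None)
    return {pid: list(cmds.values()) for pid, cmds in pending.items() if cmds}


if __name__ == "__main__":
    for pid, cmds in sorted(unanswered_commands(SAMPLE_LOG).items()):
        for cmd in cmds:
            detail = cmd["data"] if cmd["data"] is not None else cmd["opts"]
            print(f"pid {pid}: no reply to {cmd['name']} (txn {cmd['txn']}): {detail}")
```
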

derick

2019-02-12 16:00

administrator   ~0004890

This is really useful. If only I could reproduce this at home (or have access to your debugging session)...

It's possible to compile Xdebug with debugging symbols, by using:

./configure --with-xdebug-dev

instead of the normal ./configure

I'm curious to see what the values of the local vars and arguments are. For both this frame (top) one, and lower ones. Can you show the output of the following commands on lldb:

frame 0
frame variable
frame info

frame 1
frame variable
frame info

frame 2
frame variable
frame info
(etc, until... 10 or so?)

dv-ds

2019-02-12 16:53

reporter   ~0004895

Hm, if I try ./configure --enable-xdebug-dev (I assume that's the one you meant, I get an error if I try --with-xdebug-dev), some warnings are treated as fatal, which they are not otherwise. Example:

xdebug/xdebug.c:1822:107: error: format specifies type 'long' but the argument has type 'zend_long' (aka 'long long') [-Werror,-Wformat]
zend_throw_exception_ex(zend_ce_error, 0, "Maximum function nesting level of '%ld' reached, aborting!", XG(max_nesting_level));


                                                                                              %lld

Then it stops compiling after two such messages.

I'm not sure which flag is causing this, but will see if I can work around them by blindly massaging the code a bit to make the warnings go away. In case that does not pan out, please suggest a better route in the meantime to get this to compile.

dv-ds

2019-02-12 16:59

reporter   ~0004896

Found a quicker path and applied this diff to mute the warnings, will get back to you shortly:

$ git diff
diff --git a/config.m4 b/config.m4
index 27f19b4f..03ec597b 100644
--- a/config.m4
+++ b/config.m4
@@ -40,7 +40,6 @@ if test "$PHP_XDEBUG" != "no"; then
PHP_CHECK_GCC_ARG(-Wduplicate-enum, _MAINTAINER_CFLAGS="$_MAINTAINER_CFLAGS -Wduplicate-enum")
PHP_CHECK_GCC_ARG(-Wempty-body, _MAINTAINER_CFLAGS="$_MAINTAINER_CFLAGS -Wempty-body")
PHP_CHECK_GCC_ARG(-Wenum-compare, _MAINTAINER_CFLAGS="$_MAINTAINER_CFLAGS -Wenum-compare")

  • PHP_CHECK_GCC_ARG(-Werror, _MAINTAINER_CFLAGS="$_MAINTAINER_CFLAGS -Werror")
    PHP_CHECK_GCC_ARG(-Wextra, _MAINTAINER_CFLAGS="$_MAINTAINER_CFLAGS -Wextra")
    PHP_CHECK_GCC_ARG(-Wformat-nonliteral, _MAINTAINER_CFLAGS="$_MAINTAINER_CFLAGS -Wformat-nonliteral")
    PHP_CHECK_GCC_ARG(-Wformat-security, _MAINTAINER_CFLAGS="$_MAINTAINER_CFLAGS -Wformat-security")
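Review bot: Removing the -Werror check from _MAINTAINER_CFLAGS (the one line dropped in the config.m4 hunk at @@ -40,7 +40,6) hides the format mismatches instead of fixing them, and every other maintainer warning stops failing the build as well. The compiler output quoted earlier points at the actual defect, '%ld' used with a zend_long argument at xdebug.c:1822; correcting those format specifiers would let --enable-xdebug-dev builds keep -Werror. If this is only a local workaround to get a debug build, it should stay out of the tree.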

dv-ds

2019-02-12 17:29

reporter   ~0004897

I was able to compile, but things are not working out yet:

  • I get "xdebug.so was compiled with optimization - stepping may behave oddly; variables may not be available.". I notice that -O2 or perhaps other settings are present in for instance libtool. I don't know where it sources that from. It seems quite difficult for me to find all of those occurrences as well.
  • For what it's worth, note that it appears I get debug symbols (xdebug.so.dSYM) no matter if I set --enable-xdebug-dev or not. Not sure of the practical difference as both yield the same warning about optimizations.

How can I completely disable optimization?

The frame info I can get at this point is thus quite uninformative, so I'll refrain from posting the rest unless you think it might still be of use:

(lldb) frame select 0
frame #0: 0x0000000111db8e67 xdebug.so`xdebug_var_export_xml_node at xdebug_var.c:1715 [opt]
   1712 zend_string *tmp_fullname_zstr;
   1713
   1714 #if PHP_VERSION_ID >= 70300
-> 1715 tmp_fullname_zstr = php_addslashes(i_string);
   1716 #else
   1717 tmp_fullname_zstr = php_addslashes(i_string, 0);
   1718 #endif
(lldb) frame variable
(zval *) zv_nptr = <variable not available>
(zend_ulong) index_key = <variable not available>
(zend_string *) hash_key = 0x0000000111e61060
(xdebug_xml_node *) parent = <variable not available>
(xdebug_str *) parent_name = <variable not available>
(xdebug_var_export_options *) options = <variable not available>
(xdebug_xml_node *) node = 0x00007fa61271cd90
(xdebug_str *) name = <variable not available>
(xdebug_str) full_name = <variable not available>
(zend_string *) i_string = 0x0000000111e61900
(zend_string *) tmp_fullname_zstr = <variable not available>

dv-ds

2019-02-12 18:16

reporter   ~0004898

It was phpize that introduced -O2. Hacked it away manually before ./configure --enable-xdebug-dev && make and was able to get some debug info, see attached lldb-output.txt.

Some notes:

  • I've replaced some paths with [...].
  • Line 188 (and maybe others) is how it is shown in the terminal (I just copy-pasted the whole output from the terminal to an editor), I suppose LLDB might be masking non-printable characters, please let me know if you need the exact bytes for some reason: (char *) var_name = 0x00007fff6e72e7d8 "?z???f\x85?\x85q???f?@\x10"
lldb-output.txt (25,232 bytes)   
$ sudo lldb -p 23027
(lldb) process attach --pid 23027
Process 23027 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
    frame #0: 0x00007fff6e6baeae libsystem_kernel.dylib`__semwait_signal + 10
libsystem_kernel.dylib`__semwait_signal:
->  0x7fff6e6baeae <+10>: jae    0x7fff6e6baeb8            ; <+20>
    0x7fff6e6baeb0 <+12>: movq   %rax, %rdi
    0x7fff6e6baeb3 <+15>: jmp    0x7fff6e6b7381            ; cerror
    0x7fff6e6baeb8 <+20>: retq   
Target 0: (httpd) stopped.

Executable module set to "/usr/local/opt/httpd/bin/httpd".
Architecture set to: x86_64h-apple-macosx.
(lldb) continue
Process 23027 resuming
Process 23027 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
    frame #0: 0x000000010dc3def3 xdebug.so`xdebug_array_element_export_xml_node(zv_nptr=0x000000010da7a600, index_key=12731958461851390867, hash_key=0x000000010da61060, level=0, parent=0x00007facd8d70d20, parent_name=0x00007facd8d70a20, options=0x00007facd8c001d0) at xdebug_var.c:1715
   1712				zend_string *tmp_fullname_zstr;
   1713	
   1714	#if PHP_VERSION_ID >= 70300
-> 1715				tmp_fullname_zstr = php_addslashes(i_string);
   1716	#else
   1717				tmp_fullname_zstr = php_addslashes(i_string, 0);
   1718	#endif
Target 0: (httpd) stopped.
(lldb) frame select 0
frame #0: 0x000000010dc3def3 xdebug.so`xdebug_array_element_export_xml_node(zv_nptr=0x000000010da7a600, index_key=12731958461851390867, hash_key=0x000000010da61060, level=0, parent=0x00007facd8d70d20, parent_name=0x00007facd8d70a20, options=0x00007facd8c001d0) at xdebug_var.c:1715
   1712				zend_string *tmp_fullname_zstr;
   1713	
   1714	#if PHP_VERSION_ID >= 70300
-> 1715				tmp_fullname_zstr = php_addslashes(i_string);
   1716	#else
   1717				tmp_fullname_zstr = php_addslashes(i_string, 0);
   1718	#endif
(lldb) frame variable
(zval *) zv_nptr = 0x000000010da7a600
(zend_ulong) index_key = 12731958461851390867
(zend_string *) hash_key = 0x000000010da61060
(int) level = 0
(xdebug_xml_node *) parent = 0x00007facd8d70d20
(xdebug_str *) parent_name = 0x00007facd8d70a20
(xdebug_var_export_options *) options = 0x00007facd8c001d0
(zval **) zv = 0x00007ffee594dc90
(xdebug_xml_node *) node = 0x00007facd8d744a0
(xdebug_str *) name = 0x00007ffee594dc80
(xdebug_str) full_name = (l = 0, a = 0, d = 0x0000000000000000)
(zend_string *) i_string = 0x000000010da618a0
(zend_string *) tmp_fullname_zstr = 0x0000000000000000
(lldb) frame info
frame #0: 0x000000010dc3def3 xdebug.so`xdebug_array_element_export_xml_node(zv_nptr=0x000000010da7a600, index_key=12731958461851390867, hash_key=0x000000010da61060, level=0, parent=0x00007facd8d70d20, parent_name=0x00007facd8d70a20, options=0x00007facd8c001d0) at xdebug_var.c:1715
(lldb) frame select 1
frame #1: 0x000000010dc3cd03 xdebug.so`xdebug_var_export_xml_node(struc=0x00007ffee594e450, name=0x00007facd8d70a20, node=0x00007facd8d70d20, options=0x00007facd8c001d0, level=0) at xdebug_var.c:2028
   2025						xdebug_zend_hash_apply_protection_begin(myht);
   2026	
   2027						ZEND_HASH_FOREACH_KEY_VAL_IND(myht, num, key, z_val) {
-> 2028							xdebug_array_element_export_xml_node(z_val, num, key, level, node, name, options);
   2029						} ZEND_HASH_FOREACH_END();
   2030	
   2031						xdebug_zend_hash_apply_protection_end(myht);
(lldb) frame variable
(zval **) struc = 0x00007ffee594e450
(xdebug_str *) name = 0x00007facd8d70a20
(xdebug_xml_node *) node = 0x00007facd8d70d20
(xdebug_var_export_options *) options = 0x00007facd8c001d0
(int) level = 0
(HashTable *) myht = 0x000000010da660a8
(zend_ulong) num = 12731958461851390867
(zend_string *) key = 0x000000010da61060
(zval *) z_val = 0x000000010da7a600
(xdebug_object_item *) xoi_val = 0x0000000100000000
(zval *) tmpz = 0x00007fff6e72dbac
(HashTable *) __ht = 0x000000010da660a8
(Bucket *) _p = 0x000000010da7a600
(Bucket *) _end = 0x000000010da7a8c0
(zval *) _z = 0x000000010da7a600
(lldb) frame info
frame #1: 0x000000010dc3cd03 xdebug.so`xdebug_var_export_xml_node(struc=0x00007ffee594e450, name=0x00007facd8d70a20, node=0x00007facd8d70d20, options=0x00007facd8c001d0, level=0) at xdebug_var.c:2028
(lldb) frame select 2
frame #2: 0x000000010dc3bb10 xdebug.so`xdebug_get_zval_value_xml_node_ex(name=0x00007ffee594e6f0, val=0x00007ffee594e480, var_type=0, options=0x00007facd8c001d0) at xdebug_var.c:2167
   2164			add_xml_attribute_or_element(options, node, "name", 4, short_name);
   2165			add_xml_attribute_or_element(options, node, "fullname", 8, full_name);
   2166		}
-> 2167		xdebug_var_export_xml_node(&val, full_name ? full_name : NULL, node, options, 0 TSRMLS_CC);
   2168	
   2169		if (short_name) {
   2170			xdebug_str_free(short_name);
(lldb) frame variable
(xdebug_str *) name = 0x00007ffee594e6f0
(zval *) val = 0x00007ffee594e480
(int) var_type = 0
(xdebug_var_export_options *) options = 0x00007facd8c001d0
(xdebug_xml_node *) node = 0x00007facd8d70d20
(xdebug_str *) short_name = 0x00007facd8d70d50
(xdebug_str *) full_name = 0x00007facd8d70a20
(lldb) frame info
frame #2: 0x000000010dc3bb10 xdebug.so`xdebug_get_zval_value_xml_node_ex(name=0x00007ffee594e6f0, val=0x00007ffee594e480, var_type=0, options=0x00007facd8c001d0) at xdebug_var.c:2167
(lldb) frame select 3
frame #3: 0x000000010dc25d8f xdebug.so`get_symbol(name=0x00007ffee594e6f0, options=0x00007facd8c001d0) at xdebug_handler_dbgp.c:285
   282 			if (strcmp(name->d, "this") == 0 && Z_TYPE(retval) == IS_NULL) {
   283 				return NULL;
   284 			}
-> 285 			tmp_node = xdebug_get_zval_value_xml_node(name, &retval, options TSRMLS_CC);
   286 			zval_ptr_dtor_nogc(&retval);
   287 			return tmp_node;
   288 		}
(lldb) frame variable
^[[A(xdebug_str *) name = 0x00007ffee594e6f0
(xdebug_var_export_options *) options = 0x00007facd8c001d0
(zval) retval = {
  value = {
    lval = 4523974824
    dval = 2.2351405431890997E-314
    counted = 0x000000010da660a8
    str = 0x000000010da660a8
    arr = 0x000000010da660a8
    obj = 0x000000010da660a8
    res = 0x000000010da660a8
    ref = 0x000000010da660a8
    ast = 0x000000010da660a8
    zv = 0x000000010da660a8
    ptr = 0x000000010da660a8
    ce = 0x000000010da660a8
    func = 0x000000010da660a8
    ww = (w1 = 229007528, w2 = 1)
  }
  u1 = {
    v = {
      type = '\a'
      type_flags = '\x01'
      u = (call_info = 0, extra = 0)
    }
    type_info = 263
  }
  u2 = {
    next = 0
    cache_slot = 0
    opline_num = 0
    lineno = 0
    num_args = 0
    fe_pos = 0
    fe_iter_idx = 0
    access_flags = 0
    property_guard = 0
    constant_flags = 0
    extra = 0
  }
}
(xdebug_xml_node *) tmp_node = 0xfd00000070001004
(lldb) frame info
frame #3: 0x000000010dc25d8f xdebug.so`get_symbol(name=0x00007ffee594e6f0, options=0x00007facd8c001d0) at xdebug_handler_dbgp.c:285
(lldb) frame select 4
frame #4: 0x000000010dc256db xdebug.so`add_variable_node(node=0x00007facd8d008e0, name=0x00007ffee594e6f0, var_only=1, non_null=1, no_eval=0, options=0x00007facd8c001d0) at xdebug_handler_dbgp.c:1331
   1328	{
   1329		xdebug_xml_node *contents;
   1330	
-> 1331		contents = get_symbol(name, options);
   1332		if (contents) {
   1333			xdebug_xml_add_child(node, contents);
   1334			return SUCCESS;
(lldb) frame variable
(xdebug_xml_node *) node = 0x00007facd8d008e0
(xdebug_str *) name = 0x00007ffee594e6f0
(int) var_only = 1
(int) non_null = 1
(int) no_eval = 0
(xdebug_var_export_options *) options = 0x00007facd8c001d0
(xdebug_xml_node *) contents = 0x0000000000000027
(lldb) frame info
frame #4: 0x000000010dc256db xdebug.so`add_variable_node(node=0x00007facd8d008e0, name=0x00007ffee594e6f0, var_only=1, non_null=1, no_eval=0, options=0x00007facd8c001d0) at xdebug_handler_dbgp.c:1331
(lldb) frame select 5
frame #5: 0x000000010dc24fb3 xdebug.so`attach_context_vars(node=0x00007facd8d008e0, options=0x00007facd8c001d0, context_id=1, depth=0, func=(xdebug.so`attach_declared_var_with_contents at xdebug_handler_dbgp.c:1628)) at xdebug_handler_dbgp.c:1700
   1697			/* add super globals */
   1698			XG(active_symbol_table) = &EG(symbol_table);
   1699			XG(active_execute_data) = NULL;
-> 1700			add_variable_node(node, XDEBUG_STR_WRAP_CHAR("_COOKIE"),  1, 1, 0, options);
   1701			add_variable_node(node, XDEBUG_STR_WRAP_CHAR("_ENV"),     1, 1, 0, options);
   1702			add_variable_node(node, XDEBUG_STR_WRAP_CHAR("_FILES"),   1, 1, 0, options);
   1703			add_variable_node(node, XDEBUG_STR_WRAP_CHAR("_GET"),     1, 1, 0, options);
(lldb) frame variable
(xdebug_xml_node *) node = 0x00007facd8d008e0
(xdebug_var_export_options *) options = 0x00007facd8c001d0
(long) context_id = 1
(long) depth = 0
(void (*)(void *, xdebug_hash_element *, void *)) func = 0x000000010dc25630 (xdebug.so`attach_declared_var_with_contents at xdebug_handler_dbgp.c:1628)
(function_stack_entry *) fse = 0x0000000000000000
(char *) var_name = 0x00007fff6e72e7d8 "?z???f\x85?\x85q???f?@\x10"
(lldb) frame info
frame #5: 0x000000010dc24fb3 xdebug.so`attach_context_vars(node=0x00007facd8d008e0, options=0x00007facd8c001d0, context_id=1, depth=0, func=(xdebug.so`attach_declared_var_with_contents at xdebug_handler_dbgp.c:1628)) at xdebug_handler_dbgp.c:1700
(lldb) frame select 6
frame #6: 0x000000010dc19f7a xdebug.so`xdebug_dbgp_handle_context_get(retval=0x00007ffee594ea50, context=0x000000010dc4d400, args=0x00007facd8d74330) at xdebug_handler_dbgp.c:1865
   1862		/* Always reset to page = 0, as it might have been modified by property_get or property_value */
   1863		options->runtime[0].page = 0;
   1864	
-> 1865		res = attach_context_vars(*retval, options, context_id, depth, attach_declared_var_with_contents TSRMLS_CC);
   1866		switch (res) {
   1867			case 1:
   1868				RETURN_RESULT(XG(status), XG(reason), XDEBUG_ERROR_STACK_DEPTH_INVALID);
(lldb) frame variable
(xdebug_xml_node **) retval = 0x00007ffee594ea50
(xdebug_con *) context = 0x000000010dc4d400
(xdebug_dbgp_arg *) args = 0x00007facd8d74330
(int) res = 32684
(int) context_id = 1
(int) depth = 0
(xdebug_var_export_options *) options = 0x00007facd8c001d0
(lldb) frame info
frame #6: 0x000000010dc19f7a xdebug.so`xdebug_dbgp_handle_context_get(retval=0x00007ffee594ea50, context=0x000000010dc4d400, args=0x00007facd8d74330) at xdebug_handler_dbgp.c:1865
(lldb) frame select 7
frame #7: 0x000000010dc16471 xdebug.so`xdebug_dbgp_parse_option(context=0x000000010dc4d400, line="context_get -i 10 -d 0 -c 1", flags=0, retval=0x00007facd8d008e0) at xdebug_handler_dbgp.c:2123
   2120				}
   2121				XG(lasttransid) = xdstrdup(CMD_OPTION_CHAR('i'));
   2122				if (XG(status) != DBGP_STATUS_STOPPING || (XG(status) == DBGP_STATUS_STOPPING && command->flags & XDEBUG_DBGP_POST_MORTEM)) {
-> 2123					command->handler((xdebug_xml_node**) &retval, context, args TSRMLS_CC);
   2124					ret = command->cont;
   2125				} else {
   2126					error = xdebug_xml_node_init("error");
(lldb) frame variable
(xdebug_con *) context = 0x000000010dc4d400
(char *) line = 0x00007facd8d70c20 "context_get -i 10 -d 0 -c 1"
(int) flags = 0
(xdebug_xml_node *) retval = 0x00007facd8d008e0
(char *) cmd = 0x00007facd8d00940 "context_get"
(int) res = 0
(int) ret = 0
(xdebug_dbgp_arg *) args = 0x00007facd8d74330
(xdebug_dbgp_cmd *) command = 0x000000010dc4cb68
(xdebug_xml_node *) error = 0x000000006e72c783
(lldb) frame info
frame #7: 0x000000010dc16471 xdebug.so`xdebug_dbgp_parse_option(context=0x000000010dc4d400, line="context_get -i 10 -d 0 -c 1", flags=0, retval=0x00007facd8d008e0) at xdebug_handler_dbgp.c:2123
(lldb) frame select 8
frame #8: 0x000000010dc13e1b xdebug.so`xdebug_dbgp_cmdloop(context=0x000000010dc4d400, bail=1) at xdebug_handler_dbgp.c:2167
   2164			response = xdebug_xml_node_init("response");
   2165			xdebug_xml_add_attribute(response, "xmlns", "urn:debugger_protocol_v1");
   2166			xdebug_xml_add_attribute(response, "xmlns:xdebug", "https://xdebug.org/dbgp/xdebug");
-> 2167			ret = xdebug_dbgp_parse_option(context, option, 0, response TSRMLS_CC);
   2168			if (ret != 1) {
   2169				send_message(context, response TSRMLS_CC);
   2170			}
(lldb) frame variable
(xdebug_con *) context = 0x000000010dc4d400
(int) bail = 1
(char *) option = 0x00007facd8d70c20 "context_get -i 10 -d 0 -c 1"
(int) ret = 0
(xdebug_xml_node *) response = 0x00007facd8d008e0
(lldb) frame info
frame #8: 0x000000010dc13e1b xdebug.so`xdebug_dbgp_cmdloop(context=0x000000010dc4d400, bail=1) at xdebug_handler_dbgp.c:2167
(lldb) frame select 9
frame #9: 0x000000010dc15339 xdebug.so`xdebug_dbgp_breakpoint(context=0x000000010dc4d400, stack=0x00007facdb30dcc0, file="[...]/index.php", lineno=8, type=1, exception=0x0000000000000000, code=0x0000000000000000, message=0x0000000000000000) at xdebug_handler_dbgp.c:2442
   2439			XG(lasttransid) = NULL;
   2440		}
   2441	
-> 2442		xdebug_dbgp_cmdloop(context, 1 TSRMLS_CC);
   2443	
   2444		return 1;
   2445	}
(lldb) frame variable
(xdebug_con *) context = 0x000000010dc4d400
(xdebug_llist *) stack = 0x00007facdb30dcc0
(char *) file = 0x000000010f586580 "[...]/index.php"
(long) lineno = 8
(int) type = 1
(char *) exception = 0x0000000000000000
(char *) code = 0x0000000000000000
(char *) message = 0x0000000000000000
(xdebug_xml_node *) response = 0x00007facdb40e570
(xdebug_xml_node *) error_container = 0x00007facdb40e750
(lldb) frame info
frame #9: 0x000000010dc15339 xdebug.so`xdebug_dbgp_breakpoint(context=0x000000010dc4d400, stack=0x00007facdb30dcc0, file="[...]/index.php", lineno=8, type=1, exception=0x0000000000000000, code=0x0000000000000000, message=0x0000000000000000) at xdebug_handler_dbgp.c:2442
(lldb) frame select 10
frame #10: 0x000000010dc07d3d xdebug.so`xdebug_statement_call(frame=0x000000010da1d030) at xdebug.c:2599
   2596							XG(context).inhibit_notifications = 0;
   2597						}
   2598						if (break_ok && xdebug_handle_hit_value(extra_brk_info)) {
-> 2599							if (!XG(context).handler->remote_breakpoint(&(XG(context)), XG(stack), file, lineno, XDEBUG_BREAK, NULL, 0, NULL)) {
   2600								xdebug_mark_debug_connection_not_active();
   2601								break;
   2602							}
(lldb) frame variable
(zend_execute_data *) frame = 0x000000010da1d030
(zend_op_array *) op_array = 0x000000010da831c0
(xdebug_llist_element *) le = 0x00007facdb40e610
(xdebug_brk_info *) extra_brk_info = 0x00007facd8e0bd00
(function_stack_entry *) fse = 0x00007facdb31ff20
(int) lineno = 8
(char *) file = 0x000000010f586580 "[...]/index.php"
(int) level = 1
(int) func_nr = 0
(int) break_ok = 1
(int) old_error_reporting = 23027
(zval) retval = {
  value = {
    lval = 140380349074464
    dval = 6.9357107828894693E-310
    counted = 0x00007facd8d70c20
    str = 0x00007facd8d70c20
    arr = 0x00007facd8d70c20
    obj = 0x00007facd8d70c20
    res = 0x00007facd8d70c20
    ref = 0x00007facd8d70c20
    ast = 0x00007facd8d70c20
    zv = 0x00007facd8d70c20
    ptr = 0x00007facd8d70c20
    ce = 0x00007facd8d70c20
    func = 0x00007facd8d70c20
    ww = (w1 = 3637972000, w2 = 32684)
  }
  u1 = {
    v = {
      type = '?'
      type_flags = '?'
      u = (call_info = 56112, extra = 56112)
    }
    type_info = 3677412544
  }
  u2 = {
    next = 32684
    cache_slot = 32684
    opline_num = 32684
    lineno = 32684
    num_args = 32684
    fe_pos = 32684
    fe_iter_idx = 32684
    access_flags = 32684
    property_guard = 32684
    constant_flags = 32684
    extra = 32684
  }
}
(int) file_len = 44
(lldb) frame info
frame #10: 0x000000010dc07d3d xdebug.so`xdebug_statement_call(frame=0x000000010da1d030) at xdebug.c:2599
(lldb) frame select 11
frame #11: 0x000000010a84b1e0 libphp7.so`zend_llist_apply_with_argument + 31
libphp7.so`zend_llist_apply_with_argument:
    0x10a84b1e0 <+31>: movq   (%rbx), %rbx
    0x10a84b1e3 <+34>: testq  %rbx, %rbx
    0x10a84b1e6 <+37>: jne    0x10a84b1d6               ; <+21>
    0x10a84b1e8 <+39>: addq   $0x8, %rsp
(lldb) frame variable
(lldb) frame info
frame #11: 0x000000010a84b1e0 libphp7.so`zend_llist_apply_with_argument + 31
(lldb) frame select 12
frame #12: 0x000000010a8cf1f5 libphp7.so`ZEND_EXT_STMT_SPEC_HANDLER + 47
libphp7.so`ZEND_EXT_STMT_SPEC_HANDLER:
    0x10a8cf1f5 <+47>: addq   $0x20, (%rbx)
    0x10a8cf1f9 <+51>: xorl   %eax, %eax
    0x10a8cf1fb <+53>: addq   $0x8, %rsp
    0x10a8cf1ff <+57>: popq   %rbx
(lldb) frame variable
(lldb) frame info
frame #12: 0x000000010a8cf1f5 libphp7.so`ZEND_EXT_STMT_SPEC_HANDLER + 47
(lldb) frame select 13
frame #13: 0x000000010a8910ee libphp7.so`execute_ex + 98
libphp7.so`execute_ex:
    0x10a8910ee <+98>:  testl  %eax, %eax
    0x10a8910f0 <+100>: je     0x10a8910e6               ; <+90>
    0x10a8910f2 <+102>: jg     0x10a8910b7               ; <+43>
    0x10a8910f4 <+104>: popq   %rbx
(lldb) frame variable
(lldb) frame info
frame #13: 0x000000010a8910ee libphp7.so`execute_ex + 98
(lldb) frame select 14
frame #14: 0x000000010dc05400 xdebug.so`xdebug_execute_ex(execute_data=0x000000010da1d030) at xdebug.c:1903
   1900			xdebug_profiler_function_begin(fse TSRMLS_CC);
   1901		}
   1902	
-> 1903		xdebug_old_execute_ex(execute_data TSRMLS_CC);
   1904	
   1905		if (XG(profiler_enabled)) {
   1906			xdebug_profiler_function_end(fse TSRMLS_CC);
(lldb) frame variable
(zend_execute_data *) execute_data = 0x000000010da1d030
(zend_op_array *) op_array = 0x000000010da831c0
(zend_execute_data *) edata = 0x0000000000000000
(function_stack_entry *) fse = 0x00007facdb31ff20
(function_stack_entry *) xfse = 0x00007facdb31ff20
(int) do_return = 0
(int) function_nr = 0
(xdebug_llist_element *) le = 0x00007facdb31fe60
(xdebug_func) code_coverage_func_info = (class = 0x0000000000000000, function = "\x01", type = 185895904, internal = 1)
(char *) code_coverage_function_name = 0x0000000000000000
(char *) code_coverage_file_name = 0x0000000000000000
(int) code_coverage_init = 0
(lldb) frame info
frame #14: 0x000000010dc05400 xdebug.so`xdebug_execute_ex(execute_data=0x000000010da1d030) at xdebug.c:1903
(lldb) frame select 15
frame #15: 0x000000010a89126a libphp7.so`zend_execute + 318
libphp7.so`zend_execute:
    0x10a89126a <+318>: cmpb   $0x0, 0x2a(%rbx)
    0x10a89126e <+322>: js     0x10a8912ad               ; <+385>
    0x10a891270 <+324>: movq   %rbx, 0x1c8(%r12)
    0x10a891278 <+332>: addq   $0x8, %rsp
(lldb) frame variable
(lldb) frame info
frame #15: 0x000000010a89126a libphp7.so`zend_execute + 318
(lldb) frame select 16
frame #16: 0x000000010a85605a libphp7.so`zend_execute_scripts + 277
libphp7.so`zend_execute_scripts:
    0x10a85605a <+277>: callq  0x10a87015c               ; zend_exception_restore
    0x10a85605f <+282>: callq  0x10a855e33               ; zend_try_exception_handler
    0x10a856064 <+287>: leaq   0x8f2a45(%rip), %rax      ; executor_globals
    0x10a85606b <+294>: movq   0x360(%rax), %rdi
(lldb) frame variable
(lldb) frame info
frame #16: 0x000000010a85605a libphp7.so`zend_execute_scripts + 277
(lldb) frame select 17
frame #17: 0x000000010a801a8f libphp7.so`php_execute_script + 639
libphp7.so`php_execute_script:
    0x10a801a8f <+639>: testl  %eax, %eax
    0x10a801a91 <+641>: sete   %r12b
    0x10a801a95 <+645>: movzbl %r12b, %r15d
    0x10a801a99 <+649>: movq   -0x4e8(%rbp), %rbx
(lldb) frame variable
(lldb) frame info
frame #17: 0x000000010a801a8f libphp7.so`php_execute_script + 639
(lldb) frame select 18
frame #18: 0x000000010a900b7c libphp7.so`php_handler + 1092
libphp7.so`php_handler:
    0x10a900b7c <+1092>: movq   0x108(%r13), %r15
    0x10a900b83 <+1099>: movq   -0xe0(%rbp), %rax
    0x10a900b8a <+1106>: movq   0x8(%rax), %rax
    0x10a900b8e <+1110>: movq   (%rax), %rbx
(lldb) frame variable
(lldb) frame info
frame #18: 0x000000010a900b7c libphp7.so`php_handler + 1092
(lldb) frame select 19
frame #19: 0x000000010a2b37db httpd`ap_run_handler + 51
httpd`ap_run_handler:
    0x10a2b37db <+51>: cmpl   $-0x1, %eax
    0x10a2b37de <+54>: jne    0x10a2b37f9               ; <+81>
    0x10a2b37e0 <+56>: incq   %rbx
    0x10a2b37e3 <+59>: movq   0x51366(%rip), %rax       ; _hooks + 48
(lldb) frame variable
(lldb) frame info
frame #19: 0x000000010a2b37db httpd`ap_run_handler + 51
(lldb) frame select 20
frame #20: 0x000000010a2b3d9b httpd`ap_invoke_handler + 246
httpd`ap_invoke_handler:
    0x10a2b3d9b <+246>: movl   %eax, %r15d
    0x10a2b3d9e <+249>: movq   %r12, 0x118(%r14)
    0x10a2b3da5 <+256>: testq  %r12, %r12
    0x10a2b3da8 <+259>: je     0x10a2b3dfc               ; <+343>
(lldb) frame variable
(lldb) frame info
frame #20: 0x000000010a2b3d9b httpd`ap_invoke_handler + 246
(lldb) frame select 21
frame #21: 0x000000010a2e918c httpd`ap_process_async_request + 861
httpd`ap_process_async_request:
    0x10a2e918c <+861>: movl   %eax, %r15d
    0x10a2e918f <+864>: cmpl   $-0x3, %r15d
    0x10a2e9193 <+868>: movq   -0x38(%rbp), %r12
    0x10a2e9197 <+872>: jne    0x10a2e91dd               ; <+942>
(lldb) frame variable
(lldb) frame info
frame #21: 0x000000010a2e918c httpd`ap_process_async_request + 861
(lldb) frame select 22
frame #22: 0x000000010a2e9223 httpd`ap_process_request + 20
httpd`ap_process_request:
    0x10a2e9223 <+20>: cmpl   $0x0, 0x90(%rbx)
    0x10a2e922a <+27>: jne    0x10a2e9365               ; <+342>
    0x10a2e9230 <+33>: movq   (%rbx), %rdx
    0x10a2e9233 <+36>: leaq   0x13094(%rip), %rsi       ; "ap_process_request_brigade"
(lldb) frame variable
(lldb) frame info
frame #22: 0x000000010a2e9223 httpd`ap_process_request + 20
(lldb) frame select 23
frame #23: 0x000000010a2e5e35 httpd`ap_process_http_connection + 302
httpd`ap_process_http_connection:
    0x10a2e5e35 <+302>: cmpl   $0x2, 0xa0(%r13)
    0x10a2e5e3d <+310>: jne    0x10a2e5eb2               ; <+427>
    0x10a2e5e3f <+312>: cmpl   $0x0, 0x9c(%r13)
    0x10a2e5e47 <+320>: jne    0x10a2e5eb2               ; <+427>
(lldb) frame variable
(lldb) frame info
frame #23: 0x000000010a2e5e35 httpd`ap_process_http_connection + 302
(lldb) frame select 24
frame #24: 0x000000010a2c3ec1 httpd`ap_run_process_connection + 51
httpd`ap_run_process_connection:
    0x10a2c3ec1 <+51>: cmpl   $-0x1, %eax
    0x10a2c3ec4 <+54>: jne    0x10a2c3edf               ; <+81>
    0x10a2c3ec6 <+56>: incq   %rbx
    0x10a2c3ec9 <+59>: movq   0x41d28(%rip), %rax       ; _hooks + 8
(lldb) frame variable
(lldb) frame info
frame #24: 0x000000010a2c3ec1 httpd`ap_run_process_connection + 51
(lldb) frame select 25
frame #25: 0x000000010a45a816 mod_mpm_prefork.so`child_main + 1084
mod_mpm_prefork.so`child_main:
    0x10a45a816 <+1084>: movq   %rbx, %rdi
    0x10a45a819 <+1087>: callq  0x10a45acde               ; symbol stub for: ap_lingering_close
    0x10a45a81e <+1092>: movq   0x1dcb(%rip), %rax        ; my_bucket
    0x10a45a825 <+1099>: movq   (%rax), %rdi
(lldb) frame variable
(lldb) frame info
frame #25: 0x000000010a45a816 mod_mpm_prefork.so`child_main + 1084
(lldb) frame select 26
frame #26: 0x000000010a45a2c5 mod_mpm_prefork.so`make_child + 404
mod_mpm_prefork.so`startup_children:
    0x10a45a2c5 <+0>: pushq  %rbp
    0x10a45a2c6 <+1>: movq   %rsp, %rbp
    0x10a45a2c9 <+4>: pushq  %r15
    0x10a45a2cb <+6>: pushq  %r14
(lldb) frame variable
(lldb) frame info
frame #26: 0x000000010a45a2c5 mod_mpm_prefork.so`make_child + 404
(lldb) frame select 27
frame #27: 0x000000010a45a31e mod_mpm_prefork.so`startup_children + 89
mod_mpm_prefork.so`startup_children:
    0x10a45a31e <+89>: testl  %eax, %eax
    0x10a45a320 <+91>: js     0x10a45a33b               ; <+118>
    0x10a45a322 <+93>: decl   %r14d
    0x10a45a325 <+96>: movl   0x2299(%rip), %eax        ; ap_daemons_limit
(lldb) frame variable
(lldb) frame info
frame #27: 0x000000010a45a31e mod_mpm_prefork.so`startup_children + 89
(lldb) frame select 28
frame #28: 0x000000010a4594ff mod_mpm_prefork.so`prefork_run + 286
mod_mpm_prefork.so`prefork_run:
    0x10a4594ff <+286>: movl   $0x0, -0xb8(%rbp)
    0x10a459509 <+296>: movq   0x2b40(%rip), %r13        ; (void *)0x000000010a305ed8: ap_server_conf
    0x10a459510 <+303>: movq   (%r13), %r12
    0x10a459514 <+307>: movl   0x302d(%rip), %r14d       ; mpm_prefork_module + 8
(lldb) frame variable
(lldb) frame info
frame #28: 0x000000010a4594ff mod_mpm_prefork.so`prefork_run + 286
(lldb) frame select 29
frame #29: 0x000000010a2c624b httpd`ap_run_mpm + 64
httpd`ap_run_mpm:
    0x10a2c624b <+64>: cmpl   $-0x1, %eax
    0x10a2c624e <+67>: jne    0x10a2c626c               ; <+97>
    0x10a2c6250 <+69>: incq   %r14
    0x10a2c6253 <+72>: movq   0x3f9f6(%rip), %rax       ; _hooks + 16
(lldb) frame variable
(lldb) frame info
frame #29: 0x000000010a2c624b httpd`ap_run_mpm + 64
(lldb) frame select 30
frame #30: 0x000000010a2babf0 httpd`main + 2108
httpd`main:
    0x10a2babf0 <+2108>: movl   %eax, %r15d
    0x10a2babf3 <+2111>: testl  %r15d, %r15d
    0x10a2babf6 <+2114>: je     0x10a2baa48               ; <+1684>
    0x10a2babfc <+2120>: cmpl   $-0x2, %r15d
(lldb) frame variable
(lldb) frame info
frame #30: 0x000000010a2babf0 httpd`main + 2108
(lldb) frame select 31
frame #31: 0x00007fff6e57ded9 libdyld.dylib`start + 1
libdyld.dylib`start:
    0x7fff6e57ded9 <+1>: movl   %eax, %edi
    0x7fff6e57dedb <+3>: callq  0x7fff6e58fabc            ; symbol stub for: exit
    0x7fff6e57dee0 <+8>: hlt    

libdyld.dylib`dyld3::kdebug_trace_dyld_marker:
    0x7fff6e57dee1 <+0>: pushq  %rbp
(lldb) frame variable
(lldb) frame info
frame #31: 0x00007fff6e57ded9 libdyld.dylib`start + 1
(lldb) frame select 32
error: Frame index (32) out of range.
lldb-output.txt (25,232 bytes)   

derick

2019-02-12 19:15

administrator   ~0004899

Thanks for that. I just did a live debugging session with somebody through IRC and screensharing, and we came to the same conclusions, albeit with slightly better output (see attached screenshots). Unfortunately, I still don't understand what goes wrong, except for the crash...

xdebug-foo2.png (570,636 bytes)

deek

2019-02-12 22:43

reporter   ~0004901

Looks like I got the same results as both dv-ds and derick from my ticket 0001626. I tried to check the value of i_string from within lldb without much success.

(lldb) frame var -L i_string
0x00007ffeefbfd9d0: (zend_string *) i_string = 0x0000000104201dc0
(lldb) frame var -L &i_string
scalar: (zend_string **) &i_string = 0x00007ffeefbfd9d
lldb-output-xdebug-2.7.0rc1-deek.txt (5,579 bytes)   
(lldb) target create "php"
ruCurrent executable set to 'php' (x86_64).
(lldb) settings set -- target.run-args  "xdebugTest.php"
(lldb) run
Process 53913 launched: '/usr/local/bin/php' (x86_64)
xdebug.so was compiled with optimization - stepping may behave oddly; variables may not be available.
Process 53913 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
    frame #0: 0x00000001041a5e77 xdebug.so`xdebug_var_export_xml_node at xdebug_var.c:1715 [opt]
   1712                         zend_string *tmp_fullname_zstr;
   1713
   1714 #if PHP_VERSION_ID >= 70300
-> 1715                         tmp_fullname_zstr = php_addslashes(i_string);
   1716 #else
   1717                         tmp_fullname_zstr = php_addslashes(i_string, 0);
   1718 #endif
Target 0: (php) stopped.
(lldb) register read
General Purpose Registers:
       rax = 0x00000001002ca489  php`php_addslashes
       rbx = 0x000000000000000c
       rcx = 0x5f44494f52444e41
       rdx = 0x0000000000000004
       rdi = 0x0000000104201dc0
       rsi = 0x0000000104201068
       rbp = 0x00007ffeefbfda30
       rsp = 0x00007ffeefbfd960
        r8 = 0x454d4f485f44494f
        r9 = 0x0000000103600000
       r10 = 0x0000000003ffffff
       r11 = 0x0000000000000d70
       r12 = 0x000000010427f400
       r13 = 0x0000000104201dc0
       r14 = 0x0000000000000c80
       r15 = 0x0000000104201050
       rip = 0x00000001041a5e77  xdebug.so`xdebug_var_export_xml_node + 2647 [inlined] xdebug_array_element_export_xml_node + 173 at xdebug_var.c:2028
  xdebug.so`xdebug_var_export_xml_node + 2474 at xdebug_var.c:2028
    rflags = 0x0000000000010202
        cs = 0x000000000000002b
        fs = 0x0000000000000000
        gs = 0x0000000000000000

(lldb) frame variable 
(zval *) zv_nptr = <variable not available>

(zend_ulong) index_key = <variable not available>

(zend_string *) hash_key = 0x0000000104201050
(xdebug_xml_node *) parent = <variable not available>

(xdebug_str *) parent_name = <variable not available>

(xdebug_var_export_options *) options = <variable not available>

(xdebug_xml_node *) node = 0x0000000103651390
(xdebug_str *) name = <variable not available>

(xdebug_str) full_name = <variable not available>

(zend_string *) i_string = 0x0000000104201dc0
(zend_string *) tmp_fullname_zstr = <variable not available>

(lldb) frame var -L i_string
0x00007ffeefbfd9d0: (zend_string *) i_string = 0x0000000104201dc0
(lldb) frame var -L &i_string
scalar: (zend_string **) &i_string = 0x00007ffeefbfd9d0
(lldb) bt all
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
  * frame #0: 0x00000001041a5e77 xdebug.so`xdebug_var_export_xml_node at xdebug_var.c:1715 [opt]
    frame #1: 0x00000001041a5dca xdebug.so`xdebug_var_export_xml_node(struc=<unavailable>, name=0x00000001036511e0, node=0x0000000103650ff0, options=<unavailable>, level=1) at xdebug_var.c:2028 [opt]
    frame #2: 0x00000001041a51c4 xdebug.so`xdebug_get_zval_value_xml_node_ex(name=<unavailable>, val=0x00007ffeefbfdb60, var_type=<unavailable>, options=0x000000010364d820) at xdebug_var.c:2167 [opt]
    frame #3: 0x00000001041938f1 xdebug.so`xdebug_dbgp_handle_context_get [inlined] get_symbol(name=0x0000000000000007, options=0x000000010364d820) at xdebug_handler_dbgp.c:285 [opt]
    frame #4: 0x00000001041938ad xdebug.so`xdebug_dbgp_handle_context_get [inlined] add_variable_node(node=0x0000000103650420, name=0x0000000000000007, var_only=0, non_null=0, no_eval=0, options=0x000000010364d820) at xdebug_handler_dbgp.c:1331 [opt]
    frame #5: 0x00000001041938ad xdebug.so`xdebug_dbgp_handle_context_get [inlined] attach_context_vars(node=0x0000000103650420, options=0x000000010364d820, context_id=<unavailable>, depth=<unavailable>, func=<unavailable>) at xdebug_handler_dbgp.c:1706 [opt]
    frame #6: 0x00000001041934ae xdebug.so`xdebug_dbgp_handle_context_get(retval=0x00007ffeefbfdc60, context=<unavailable>, args=<unavailable>) at xdebug_handler_dbgp.c:1865 [opt]
    frame #7: 0x00000001041909be xdebug.so`xdebug_dbgp_cmdloop [inlined] xdebug_dbgp_parse_option(context=0x00000001041b33e8, line=<unavailable>, flags=<unavailable>, retval=0x0000000103650420) at xdebug_handler_dbgp.c:2123 [opt]
    frame #8: 0x0000000104190884 xdebug.so`xdebug_dbgp_cmdloop(context=0x00000001041b33e8, bail=1) at xdebug_handler_dbgp.c:2167 [opt]
    frame #9: 0x0000000104191813 xdebug.so`xdebug_dbgp_breakpoint(context=0x00000001041b33e8, stack=<unavailable>, file=<unavailable>, lineno=<unavailable>, type=<unavailable>, exception=0x0000000000000000, code=0x0000000000000000, message=0x0000000000000000) at xdebug_handler_dbgp.c:2442 [opt]
    frame #10: 0x0000000104189ad1 xdebug.so`xdebug_statement_call(frame=<unavailable>) at xdebug.c:0 [opt]
    frame #11: 0x000000010037ab80 php`zend_llist_apply_with_argument + 31
    frame #12: 0x00000001003feb95 php`ZEND_EXT_STMT_SPEC_HANDLER + 47
    frame #13: 0x00000001003c0a8e php`execute_ex + 98
    frame #14: 0x0000000104188914 xdebug.so`xdebug_execute_ex(execute_data=0x0000000104220030) at xdebug.c:1903 [opt]
    frame #15: 0x00000001003c0c0a php`zend_execute + 318
    frame #16: 0x00000001003859fa php`zend_execute_scripts + 277
    frame #17: 0x000000010033142f php`php_execute_script + 639
    frame #18: 0x00000001004315b7 php`do_cli + 3857
    frame #19: 0x0000000100430539 php`main + 1234
    frame #20: 0x00007fff60ce0ed9 libdyld.dylib`start + 1

dv-ds

2019-02-13 12:16

reporter   ~0004902

Is the following of any use?

(lldb) frame select 0
frame #0: 0x000000010f953ef3 xdebug.so`xdebug_array_element_export_xml_node(zv_nptr=0x000000010fa7a600, index_key=12731958461851390867, hash_key=0x000000010fa61060, level=0, parent=0x00007f96c66075c0, parent_name=0x00007f96c6607610, options=0x00007f96c9383ed0) at xdebug_var.c:1715
   1712 zend_string *tmp_fullname_zstr;
   1713
   1714 #if PHP_VERSION_ID >= 70300
-> 1715 tmp_fullname_zstr = php_addslashes(i_string);
   1716 #else
   1717 tmp_fullname_zstr = php_addslashes(i_string, 0);
   1718 #endif
(lldb) dis
xdebug.so`xdebug_array_element_export_xml_node:
[...]
   0x10f953eb5 <+581>:  callq  0x10f959f90               ; symbol stub for: __memcpy_chk
   0x10f953eba <+586>:  movq   0xc187(%rip), %rcx        ; (void *)0x000000010c6f1ae9: php_addslashes
   0x10f953ec1 <+593>:  movq   -0x98(%rbp), %rdx
   0x10f953ec8 <+600>:  movq   -0x88(%rbp), %rsi
   0x10f953ecf <+607>:  movb   $0x0, 0x18(%rdx,%rsi)
   0x10f953ed4 <+612>:  movq   -0x98(%rbp), %rdx
   0x10f953edb <+619>:  movq   %rdx, -0x100(%rbp)
   0x10f953ee2 <+626>:  movq   (%rcx), %rcx
   0x10f953ee5 <+629>:  movq   -0x100(%rbp), %rdi
   0x10f953eec <+636>:  movq   %rax, -0x128(%rbp)
-> 0x10f953ef3 <+643>:  callq  *%rcx
   0x10f953ef5 <+645>:  movq   %rax, -0x108(%rbp)
   0x10f953efc <+652>:  movq   -0xb0(%rbp), %rax
   0x10f953f03 <+659>:  addq   $0x18, %rax
   0x10f953f07 <+663>:  movq   -0xb0(%rbp), %rcx
   0x10f953f0e <+670>:  movq   0x10(%rcx), %rcx
   0x10f953f12 <+674>:  addq   $0x1, %rcx
   0x10f953f16 <+678>:  subq   $0x1, %rcx
   0x10f953f1a <+682>:  movq   %rax, %rdi
   0x10f953f1d <+685>:  movq   %rcx, %rsi
   0x10f953f20 <+688>:  callq  0x10f95a5d2               ; symbol stub for: xdebug_str_create
[...]

(lldb) p/x $rcx
(long) $36 = 0x56415741e5894855
(lldb) x/64x $rcx
error: memory read failed for 0x56415741e5894800

dv-ds

2019-02-13 12:22

reporter   ~0004903

Note that the address mentioned above evaluates as follows:

(lldb) dis -a 0x000000010c6f1ae9
libphp7.so`php_addslashes:
0x10c6f1ae9 <+0>: pushq %rbp
0x10c6f1aea <+1>: movq %rsp, %rbp
[...]

derick

2019-02-13 12:58

administrator   ~0004904

This almost looks like the php_addslashes function call is wrong. But Xdebug does nothing special with this function. I am wondering whether there is another memory corruption going on here. Maybe it's worth trying to do this with the Zend memory manager turned off, which you can do by setting "export USE_ZEND_ALLOC=0" as an environment variable (but make sure it propagates to PHP/PHP-FPM — phpinfo() and/or var_dump($_ENV) should tell you).

dv-ds

2019-02-13 15:06

reporter   ~0004905

I set USE_ZEND_ALLOC=0 now and phpinfo() confirms it ($_ENV does not however).

However, I still get the same error and the same instructions:

0x107fe5eb5 <+581>:  callq  0x107febf90               ; symbol stub for: __memcpy_chk
0x107fe5eba <+586>:  movq   0xc187(%rip), %rcx        ; (void *)0x0000000104d84ae9: php_addslashes
0x107fe5ec1 <+593>:  movq   -0x98(%rbp), %rdx
0x107fe5ec8 <+600>:  movq   -0x88(%rbp), %rsi
0x107fe5ecf <+607>:  movb   $0x0, 0x18(%rdx,%rsi)
0x107fe5ed4 <+612>:  movq   -0x98(%rbp), %rdx
0x107fe5edb <+619>:  movq   %rdx, -0x100(%rbp)
0x107fe5ee2 <+626>:  movq   (%rcx), %rcx
0x107fe5ee5 <+629>:  movq   -0x100(%rbp), %rdi
0x107fe5eec <+636>:  movq   %rax, -0x128(%rbp)
-> 0x107fe5ef3 <+643>:  callq  *%rcx
0x107fe5ef5 <+645>:  movq   %rax, -0x108(%rbp)
0x107fe5efc <+652>:  movq   -0xb0(%rbp), %rax
0x107fe5f03 <+659>:  addq   $0x18, %rax
0x107fe5f07 <+663>:  movq   -0xb0(%rbp), %rcx
0x107fe5f0e <+670>:  movq   0x10(%rcx), %rcx
0x107fe5f12 <+674>:  addq   $0x1, %rcx
0x107fe5f16 <+678>:  subq   $0x1, %rcx
0x107fe5f1a <+682>:  movq   %rax, %rdi
0x107fe5f1d <+685>:  movq   %rcx, %rsi
0x107fe5f20 <+688>:  callq  0x107fec5d2               ; symbol stub for: xdebug_str_create

derick

2019-02-13 20:39

administrator   ~0004906

I have been talking to Nikita today, and it seems that a hunch "it looks like addslashes is not a function" seems to be correct. Nikita theorizes that this problem occurs because PHP and Xdebug are targeted at a different architecture. PHP's php_addslashes calls have an optimisation for SSE4.2 systems, which gets only enabled on machines that support it. So if PHP was compiled on a system that doesn't enable it, and yours does, then the calling convention is off and you get a crash. It's possible that a hint on what happens can be found in the ./configure line that can be found in phpinfo() output (php -i | grep Configure).

Unfortunately, there is currently no clean way around this without a hack (i.e., copying the php_addslashes function into the Xdebug source code). Nikita suggests to try to compile Xdebug with ./configure CFLAGS="-march=native" to see if that addresses the problem until this can be sorted out in PHP itself.
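
The disassembly posted earlier in this thread loads the address of php_addslashes into %rcx, loads eight bytes from that address (movq (%rcx), %rcx) and calls the result. As an added example, not part of the thread and not code from Xdebug or PHP, this C program models that load on a constructed byte array and classifies the resulting call target; all function names and the sample bytes are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the first 8 bytes of a function that begins with
 * pushq %rbp; movq %rsp,%rbp; pushq %r15; pushq %r14. */
static const unsigned char sample_text[8] =
    { 0x55, 0x48, 0x89, 0xe5, 0x41, 0x57, 0x41, 0x56 };

enum target_kind { TARGET_PLAUSIBLE, TARGET_NONCANONICAL, TARGET_CODE_BYTES };

/* Model of `movq (%rcx), %rcx`: a little-endian 64-bit load from p. */
uint64_t load_le64(const unsigned char *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* With 48-bit virtual addresses, bits 63..47 must all be equal.
 * Branching to any other value raises a general protection fault,
 * which macOS reports as EXC_I386_GPFLT. */
int is_canonical(uint64_t addr)
{
    uint64_t top = addr >> 47;
    return top == 0 || top == 0x1ffff;
}

/* Does the value, laid out as bytes in memory, start like a function? */
int starts_with_prologue(uint64_t value)
{
    static const unsigned char frame_setup[4] = { 0x55, 0x48, 0x89, 0xe5 };
    static const unsigned char endbr64[4]     = { 0xf3, 0x0f, 0x1e, 0xfa };
    unsigned char b[4];
    for (int i = 0; i < 4; i++)
        b[i] = (unsigned char)(value >> (8 * i));
    return memcmp(b, frame_setup, 4) == 0 || memcmp(b, endbr64, 4) == 0;
}

/* Canonical targets are left alone to avoid flagging real pointers. */
enum target_kind classify_call_target(uint64_t target)
{
    if (is_canonical(target))
        return TARGET_PLAUSIBLE;
    return starts_with_prologue(target) ? TARGET_CODE_BYTES
                                        : TARGET_NONCANONICAL;
}

int main(void)
{
    uint64_t loaded = load_le64(sample_text);
    printf("loaded call target: 0x%016llx\n", (unsigned long long)loaded);
    printf("classification:     %d (2 = machine code used as a pointer)\n",
           (int)classify_call_target(loaded));
    return 0;
}
```

A call target classified as TARGET_CODE_BYTES means the caller dereferenced a function's own instructions, which points at a declaration mismatch between the two builds rather than heap corruption.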

deek

2019-02-13 21:30

reporter   ~0004907

Looks like you beat me to it. I just found these lines in the PHP src which are exactly what you describe.

https://github.com/php/php-src/blob/php-7.3.1/ext/standard/php_string.h#L127-L133

deek

2019-02-13 21:45

reporter   ~0004908

Please excuse any misunderstanding about this complex code; this might be way off the mark. Would it be possible to leverage the code in the PHP source that checks for the SSE4.2 instructions in Xdebug 2.7 as well?

https://github.com/php/php-src/blob/php-7.3.1/ext/standard/string.c#L3902-L3919

dv-ds

2019-02-14 04:09

reporter   ~0004909

So if PHP was compiled on a system that doesn't enable it, and yours does, then the calling convention is off and you get a crash.

That seems to be the case indeed! I don't see any mention of SSE4.2 in the output of php -i, whereas sysctl -a | grep machdep.cpu.features lists it.

You did not hear it from me, but what I did now was:

  • Edit /usr/local/include/php/Zend/zend_portability.h
  • Change ZEND_INTRIN_SSE4_2_FUNC_PTR from 1 to 0
  • Recompile Xdebug

There are a bunch of flags in there, so I have no idea if there is more that needs to be hacked. Probably some upstream flag is a less bad thing to mess with. And clearly this is not a proper solution...

Nevertheless, after this change I can't reproduce the scenarios I described in "Steps To Reproduce". I have not done extensive testing, but it looks very promising.

Assuming no other issues pop up, this is good enough on my side for now as I also can't think of a non-awkward workaround on the Xdebug side. It doesn't necessarily merit closing the issue, but I'll leave that up to you and others affected by this issue.

derick

2019-02-14 15:23

administrator   ~0004910

This has now been fixed in PHP (for PHP 7.3.3 (https://github.com/php/php-src/pull/3826/files) and PHP 7.4-dev (https://github.com/php/php-src/pull/3828/files)). I will be adding a workaround for Xdebug for the two broken PHP versions (i.e., copy the addslashes code into the Xdebug source code, so that no ABI conflicts exist), and then release a new release candidate.

derick

2019-02-15 13:10

administrator   ~0004912

Fixed in GIT for Xdebug 2.7.0RC2 (soon to be released)

deek

2019-02-16 00:38

reporter   ~0004914

Verified that Xdebug 2.7.0RC2 fixes the issues I was having from ticket 0001627.

Issue History

Date Modified Username Field Change
2019-02-04 11:10 dv-ds New Issue
2019-02-04 11:13 dv-ds Note Added: 0004871
2019-02-11 17:15 derick Note Added: 0004885
2019-02-11 17:15 derick Assigned To => derick
2019-02-11 17:15 derick Status new => feedback
2019-02-12 09:33 dv-ds File Added: xdebug_0001625.log
2019-02-12 09:33 dv-ds Note Added: 0004888
2019-02-12 09:33 dv-ds Status feedback => assigned
2019-02-12 16:00 derick Note Added: 0004890
2019-02-12 16:00 derick Status assigned => feedback
2019-02-12 16:01 derick Relationship added has duplicate 0001626
2019-02-12 16:53 dv-ds Note Added: 0004895
2019-02-12 16:53 dv-ds Status feedback => assigned
2019-02-12 16:59 dv-ds Note Added: 0004896
2019-02-12 17:29 dv-ds Note Added: 0004897
2019-02-12 18:16 dv-ds File Added: lldb-output.txt
2019-02-12 18:16 dv-ds Note Added: 0004898
2019-02-12 19:15 derick File Added: xdebug-foo2.png
2019-02-12 19:15 derick Note Added: 0004899
2019-02-12 22:43 deek File Added: lldb-output-xdebug-2.7.0rc1-deek.txt
2019-02-12 22:43 deek Note Added: 0004901
2019-02-13 12:16 dv-ds Note Added: 0004902
2019-02-13 12:22 dv-ds Note Added: 0004903
2019-02-13 12:58 derick Note Added: 0004904
2019-02-13 15:06 dv-ds Note Added: 0004905
2019-02-13 20:39 derick Note Added: 0004906
2019-02-13 21:30 deek Note Added: 0004907
2019-02-13 21:45 deek Note Added: 0004908
2019-02-14 04:09 dv-ds Note Added: 0004909
2019-02-14 15:23 derick Note Added: 0004910
2019-02-14 15:25 derick Relationship added has duplicate 0001627
2019-02-15 13:10 derick Status assigned => closed
2019-02-15 13:10 derick Resolution open => fixed
2019-02-15 13:10 derick Fixed in Version => 2.7.0
2019-02-15 13:10 derick Note Added: 0004912
2019-02-15 13:11 derick Summary Segfault when evaluating variables => Work around ABI conflicts in PHP 7.3.0/PHP 7.3.1
2019-02-15 15:10 derick Fixed in Version 2.7.0 => 2.7.0RC2
2019-02-15 15:12 derick Target Version => 2.7.0
2019-02-16 00:38 deek Note Added: 0004914
2020-03-12 16:33 derick Category Remote Debugging => Step Debugging