View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0002182 | Xdebug | Stacktraces | public | 2023-06-16 18:12 | 2023-07-14 09:14 |
Reporter | rstark | Assigned To | derick | ||
Priority | normal | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 3.2.1 | ||||
Fixed in Version | 3.2.2 | ||||
Summary | 0002182: Segfault with ArrayObject on stack | ||||
Description | Segfault occurs when 'develop' mode is enabled with ArrayObject as a parameter on the stack | ||||
Steps To Reproduce | Run test program: <?php class Z { $obj = new ArrayObject(new Z()); | ||||
Additional Information | Recreated using xdebug3-3.2.0, 3.2.1, and current dev master. The attached backtrace and valgrind output are for current dev master. $ cat /etc/redhat-release Removing the exception check on the first 'if' in xdebug_objdebug_pp on line 93 of src/lib/var.c seems to fix the issue, but I don't know that it is the right fix. | ||||
Tags | No tags attached. | ||||
Attached Files | backtrace.out (7,596 bytes), valgrind.log (3,922 bytes) | ||||

backtrace.out:

```
Program received signal SIGSEGV, Segmentation fault.
0x00007ffb22bc6ab8 in zend_get_property_info_for_slot (slot=0x7ffb22e58290, obj=0x7ffb22e84058) at /usr/include/php/Zend/zend_objects_API.h:108
108         zend_property_info *prop_info = zend_get_property_info_for_slot(obj, slot);
(gdb) bt full
#0  0x00007ffb22bc6ab8 in zend_get_property_info_for_slot (slot=0x7ffb22e58290, obj=0x7ffb22e84058) at /usr/include/php/Zend/zend_objects_API.h:108
        table = 0x0
        prop_num = -11231
        table = <optimized out>
        prop_num = <optimized out>
#1  zend_get_typed_property_info_for_slot (slot=0x7ffb22e58290, obj=0x7ffb22e84058) at /usr/include/php/Zend/zend_objects_API.h:108
        prop_info = <optimized out>
        prop_info = <optimized out>
#2  xdebug_get_property_type (object=0x562f05dd87e8, val=0x7ffb22e58290, val@entry=0x7ffb22e5eb80) at /xdebug-build/xdebug/src/lib/var.c:866
        type_str = 0x0
        info = <optimized out>
#3  0x00007ffb22bc8c0c in xdebug_object_element_export (class_name=0x562f05ce58d8 "ArrayObject", options=0x562f05db8db0, debug_zval=0, str=0x562f05dd8830, level=1, hash_key=0x7ffb22e572e0, index_key=<optimized out>, zv_nptr=<optimized out>, object=<optimized out>) at /xdebug-build/xdebug/src/lib/var_export_line.c:75
        property_name = <optimized out>
        property_type = 0x0
        prop_class_name = 0xffffff000000ff00 <error: Cannot access memory at address 0xffffff000000ff00>
        modifier = 0xffffffffffffffff <error: Cannot access memory at address 0xffffffffffffffff>
        zv = 0x7ffe75cc8968
        zv = <optimized out>
        property_name = <optimized out>
        property_type = <optimized out>
        prop_class_name = <optimized out>
        modifier = <optimized out>
#4  xdebug_var_export_line (struc=struc@entry=0x7ffe75cc89c8, str=str@entry=0x562f05dd8830, level=level@entry=1, debug_zval=debug_zval@entry=0, options=options@entry=0x562f05db8db0) at /xdebug-build/xdebug/src/lib/var_export_line.c:296
        _z = 0x7ffb22e5eb80
        __ht = 0x7ffb22e582d8
        _p = 0x7ffb22e5eb80
        _end = 0x7ffb22e5eba0
        ce = <optimized out>
        myht = 0x7ffb22e582d8
        num = <optimized out>
--Type <RET> for more, q to quit, c to continue without paging--c
        key = 0x7ffb22e572e0
        val = 0x7ffb22e5eb80
        tmpz = 0x3f2318e178557c33
        z_type = <optimized out>
#5  0x00007ffb22bc8eb8 in xdebug_get_zval_value_line (val=<optimized out>, debug_zval=0, options=0x562f05db8db0) at /xdebug-build/xdebug/src/lib/var_export_line.c:348
        str = 0x562f05dd8830
        default_options = 1
#6  0x00007ffb22be03e5 in add_single_value (html=<optimized out>, zv=<optimized out>, str=0x7ffe75cc8a90) at /xdebug-build/xdebug/src/develop/stack.c:263
        tmp_value = 0x0
        tmp_html_value = 0x0
        newlen = 140716599132160
        tmp_value = <optimized out>
        tmp_html_value = <optimized out>
        newlen = <optimized out>
#7  xdebug_append_printable_stack (str=str@entry=0x7ffe75cc8a90, html=<optimized out>) at /xdebug-build/xdebug/src/develop/stack.c:443
        c = 1
        variadic_opened = <optimized out>
        sent_variables = 1
        j = <optimized out>
        tmp_name = <optimized out>
        printed_frames = 1
        formats = 0x7ffb22dfdaa0 <text_formats>
        i = 1
        fse = 0x562f05dd6e60
#8  0x00007ffb22be135c in xdebug_develop_throw_exception_hook (exception=exception@entry=0x7ffb22e7c000, file=file@entry=0x7ffb22e7c058, line=line@entry=0x7ffb22e7c068, code=code@entry=0x7ffb22e7c048, code_str=code_str@entry=0x0, message=message@entry=0x7ffb22e7c028) at /xdebug-build/xdebug/src/develop/stack.c:871
        exception_ce = 0x562f05c72950
        exception_trace = <optimized out>
        tmp_str = {l = 133, a = 1025, d = 0x562f05c7e8d0 "\nException: in /test.php on line 5\n\nCall Stack:\n 0.0001 388120 1. {main}() /test.php:0\n 0.0001 388304 2. z($obj = "}
        xdebug_message_trace = <optimized out>
        previous_exception = <optimized out>
        dummy = {value = {lval = 94759960389968, dval = 4.6817641029960481e-310, counted = 0x562f05c72950, str = 0x562f05c72950, arr = 0x562f05c72950, obj = 0x562f05c72950, res = 0x562f05c72950, ref = 0x562f05c72950, ast = 0x562f05c72950, zv = 0x562f05c72950, ptr = 0x562f05c72950, ce = 0x562f05c72950, func = 0x562f05c72950, ww = {w1 = 96938320, w2 = 22063}}, u1 = {type_info = 585613312, v = {type = 0 '\000', type_flags = 192 '\300', u = {extra = 8935}}}, u2 = {next = 32763, cache_slot = 32763, opline_num = 32763, lineno = 32763, num_args = 32763, fe_pos = 32763, fe_iter_idx = 32763, property_guard = 32763, constant_flags = 32763, extra = 32763}}
#9  0x00007ffb22bbb1c7 in xdebug_throw_exception_hook (exception=0x7ffb22e7c000) at /xdebug-build/xdebug/src/base/base.c:1476
        message = 0x7ffb22e7c028
        file = 0x7ffb22e7c058
        line = 0x7ffb22e7c068
        exception_ce = <optimized out>
        code = 0x7ffb22e7c048
        code_str = 0x0
        dummy = {value = {lval = 0, dval = 0, counted = 0x0, str = 0x0, arr = 0x0, obj = 0x0, res = 0x0, ref = 0x0, ast = 0x0, zv = 0x0, ptr = 0x0, ce = 0x0, func = 0x0, ww = {w1 = 0, w2 = 0}}, u1 = {type_info = 965469952, v = {type = 0 '\000', type_flags = 231 '\347', u = {extra = 14731}}}, u2 = {next = 2288836005, cache_slot = 2288836005, opline_num = 2288836005, lineno = 2288836005, num_args = 2288836005, fe_pos = 2288836005, fe_iter_idx = 2288836005, property_guard = 2288836005, constant_flags = 2288836005, extra = 2288836005}}
        code = <optimized out>
        message = <optimized out>
        file = <optimized out>
        line = <optimized out>
        exception_ce = <optimized out>
        code_str = <optimized out>
        dummy = <optimized out>
#10 xdebug_throw_exception_hook (exception=0x7ffb22e7c000) at /xdebug-build/xdebug/src/base/base.c:1428
        code = <optimized out>
        message = <optimized out>
        file = <optimized out>
        line = <optimized out>
        exception_ce = <optimized out>
        dummy = <optimized out>
#11 0x0000562f03f14d0b in zend_throw_exception_internal ()
No symbol table info available.
#12 0x0000562f03f0d2d4 in ZEND_THROW_SPEC_TMPVAR_HANDLER.cold.215 ()
No symbol table info available.
#13 0x0000562f0413c5bc in execute_ex ()
No symbol table info available.
#14 0x00007ffb22bbc5c0 in xdebug_execute_ex (execute_data=0x7ffb22e140e0) at /xdebug-build/xdebug/src/base/base.c:830
        op_array = 0x7ffb22e04018
        edata = <optimized out>
        fse = 0x7ffb22e140e0
        function_nr = 2
        code_coverage_function_name = 0x0
        code_coverage_filename = 0x0
        code_coverage_init = 0
#15 0x0000562f03f04252 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER ()
No symbol table info available.
#16 0x0000562f0413c5bc in execute_ex ()
No symbol table info available.
#17 0x00007ffb22bbc5c0 in xdebug_execute_ex (execute_data=0x7ffb22e14020) at /xdebug-build/xdebug/src/base/base.c:830
        op_array = 0x7ffb22e86000
        edata = <optimized out>
        fse = 0x7ffb22e14020
        function_nr = 0
        code_coverage_function_name = 0x0
        code_coverage_filename = 0x0
        code_coverage_init = 0
#18 0x0000562f04145bbc in zend_execute ()
No symbol table info available.
#19 0x0000562f040d5375 in zend_execute_scripts ()
No symbol table info available.
#20 0x0000562f0407035a in php_execute_script ()
No symbol table info available.
#21 0x0000562f041be601 in do_cli ()
No symbol table info available.
#22 0x0000562f03f1dec3 in main ()
No symbol table info available.
```

valgrind.log:

```
$ export USE_ZEND_ALLOC=0
$ export ZEND_DONT_UNLOAD_MODULES=1
$ valgrind php test.php > valgrind.log 2>&1
Segmentation fault
$ cat valgrind.log
==6070== Memcheck, a memory error detector
==6070== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==6070== Using Valgrind-3.19.0 and LibVEX; rerun with -h for copyright info
==6070== Command: php test.php
==6070==
==6070== Invalid read of size 8
==6070==    at 0x93A0AB8: zend_get_property_info_for_slot (zend_objects_API.h:102)
==6070==    by 0x93A0AB8: zend_get_typed_property_info_for_slot (zend_objects_API.h:108)
==6070==    by 0x93A0AB8: xdebug_get_property_type (var.c:866)
==6070==    by 0x93A2C0B: xdebug_object_element_export (var_export_line.c:75)
==6070==    by 0x93A2C0B: xdebug_var_export_line (var_export_line.c:296)
==6070==    by 0x93A2EB7: xdebug_get_zval_value_line (var_export_line.c:348)
==6070==    by 0x93BA3E4: add_single_value (stack.c:263)
==6070==    by 0x93BA3E4: xdebug_append_printable_stack (stack.c:443)
==6070==    by 0x93BB35B: xdebug_develop_throw_exception_hook (stack.c:871)
==6070==    by 0x93951C6: xdebug_throw_exception_hook (base.c:1476)
==6070==    by 0x93951C6: xdebug_throw_exception_hook (base.c:1428)
==6070==    by 0x21CD0A: zend_throw_exception_internal (in /usr/bin/php)
==6070==    by 0x2152D3: ??? (in /usr/bin/php)
==6070==    by 0x4445BB: execute_ex (in /usr/bin/php)
==6070==    by 0x93965BF: xdebug_execute_ex (base.c:830)
==6070==    by 0x20C251: ??? (in /usr/bin/php)
==6070==    by 0x4445BB: execute_ex (in /usr/bin/php)
==6070==  Address 0x70 is not stack'd, malloc'd or (recently) free'd
==6070==
==6070==
==6070== Process terminating with default action of signal 11 (SIGSEGV)
==6070==  Access not within mapped region at address 0x70
==6070==    at 0x93A0AB8: zend_get_property_info_for_slot (zend_objects_API.h:102)
==6070==    by 0x93A0AB8: zend_get_typed_property_info_for_slot (zend_objects_API.h:108)
==6070==    by 0x93A0AB8: xdebug_get_property_type (var.c:866)
==6070==    by 0x93A2C0B: xdebug_object_element_export (var_export_line.c:75)
==6070==    by 0x93A2C0B: xdebug_var_export_line (var_export_line.c:296)
==6070==    by 0x93A2EB7: xdebug_get_zval_value_line (var_export_line.c:348)
==6070==    by 0x93BA3E4: add_single_value (stack.c:263)
==6070==    by 0x93BA3E4: xdebug_append_printable_stack (stack.c:443)
==6070==    by 0x93BB35B: xdebug_develop_throw_exception_hook (stack.c:871)
==6070==    by 0x93951C6: xdebug_throw_exception_hook (base.c:1476)
==6070==    by 0x93951C6: xdebug_throw_exception_hook (base.c:1428)
==6070==    by 0x21CD0A: zend_throw_exception_internal (in /usr/bin/php)
==6070==    by 0x2152D3: ??? (in /usr/bin/php)
==6070==    by 0x4445BB: execute_ex (in /usr/bin/php)
==6070==    by 0x93965BF: xdebug_execute_ex (base.c:830)
==6070==    by 0x20C251: ??? (in /usr/bin/php)
==6070==    by 0x4445BB: execute_ex (in /usr/bin/php)
==6070==  If you believe this happened as a result of a stack
==6070==  overflow in your program's main thread (unlikely but
==6070==  possible), you can try to increase the size of the
==6070==  main thread stack using the --main-stacksize= flag.
==6070==  The main thread stack size used in this run was 8388608.
==6070==
==6070== HEAP SUMMARY:
==6070==     in use at exit: 2,852,649 bytes in 23,683 blocks
==6070==   total heap usage: 27,161 allocs, 3,478 frees, 3,812,510 bytes allocated
==6070==
==6070== LEAK SUMMARY:
==6070==    definitely lost: 23,136 bytes in 723 blocks
==6070==    indirectly lost: 40 bytes in 1 blocks
==6070==      possibly lost: 1,737,194 bytes in 13,709 blocks
==6070==    still reachable: 1,092,279 bytes in 9,250 blocks
==6070==         suppressed: 0 bytes in 0 blocks
==6070== Rerun with --leak-check=full to see details of leaked memory
==6070==
==6070== For lists of detected and suppressed errors, rerun with: -s
==6070== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
```
Operating System | RHEL 8.8 | ||||
PHP Version | 8.1.10-8.1.19 | ||||
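The frames in the attached backtrace show `zend_get_property_info_for_slot` running with `table = 0x0` and `prop_num = -11231`: the zval handed to `xdebug_get_property_type` while exporting the `ArrayObject` argument was not one of that object's own declared-property slots, so subtracting the object's `properties_table` base from it produced a garbage index and the lookup faulted. The C program below is an added illustration written for this page, not Xdebug's or PHP's code and not the fix that shipped in 3.2.2; it models `zend_object` and `zend_class_entry` with simplified stand-in structs (all names and the sample class layout are constructed) and shows the defensive pattern a caller can apply: confirm a zval pointer lies inside the object's slot array before deriving an index from it, and treat a NULL `properties_info_table` as "no type information" rather than dereferencing it.

```c
/* Added example (not Xdebug's or PHP's code). Simplified stand-ins for
 * the engine structures involved in the crash above; the range check in
 * property_slot_index() is the assumed defensive pattern, not the
 * project's actual patch. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { long lval; } zval_t;               /* stand-in for zval */

typedef struct {
    const char *name;
    const char *type;                                 /* declared type, NULL if untyped */
} prop_info_t;                                        /* stand-in for zend_property_info */

typedef struct {
    int default_properties_count;                     /* number of declared slots */
    prop_info_t **properties_info_table;              /* may be NULL, as in the backtrace */
} class_entry_t;                                      /* stand-in for zend_class_entry */

typedef struct {
    class_entry_t *ce;
    zval_t *properties_table;                         /* the declared-property slots */
} object_t;                                           /* stand-in for zend_object */

/* Unchecked lookup with the same shape as the engine's inline helper.
 * Passing a zval that is not a slot of `obj` (as happened with the
 * ArrayObject export above) makes prop_num garbage: undefined behaviour. */
prop_info_t *property_info_for_slot_unchecked(object_t *obj, zval_t *slot)
{
    ptrdiff_t prop_num = slot - obj->properties_table;
    return obj->ce->properties_info_table[prop_num];
}

/* Returns the slot index if `zv` lies inside obj->properties_table,
 * otherwise -1. Pointers are compared as integers so that an address
 * outside the array never reaches pointer subtraction. */
int property_slot_index(const object_t *obj, const zval_t *zv)
{
    if (obj->properties_table == NULL || obj->ce->default_properties_count <= 0) {
        return -1;
    }
    uintptr_t base = (uintptr_t)obj->properties_table;
    uintptr_t end  = base + (size_t)obj->ce->default_properties_count * sizeof(zval_t);
    uintptr_t p    = (uintptr_t)zv;
    if (p < base || p >= end) {
        return -1;
    }
    return (int)((p - base) / sizeof(zval_t));
}

/* Hardened lookup: only derive type information for a real slot, and
 * tolerate a class with no properties_info_table at all. */
const char *property_type_for_zval(const object_t *obj, const zval_t *zv)
{
    int idx = property_slot_index(obj, zv);
    if (idx < 0 || obj->ce->properties_info_table == NULL) {
        return NULL;                                  /* not a declared property: untyped */
    }
    prop_info_t *info = obj->ce->properties_info_table[idx];
    return info ? info->type : NULL;
}

/* Constructed sample data: a class with two declared properties ("id" typed
 * int, "label" untyped), one object of it, a second object whose class has
 * no properties_info_table, and a zval that lives outside any slot array
 * (standing in for an entry of the table ArrayObject hands back for export). */
static prop_info_t g_id    = { "id", "int" };
static prop_info_t g_label = { "label", NULL };
static prop_info_t *g_info_table[2] = { &g_id, &g_label };
static class_entry_t g_ce = { 2, g_info_table };
static class_entry_t g_ce_notable = { 2, NULL };
static zval_t g_slots[2];
static object_t g_obj = { &g_ce, g_slots };
static object_t g_obj_notable = { &g_ce_notable, g_slots };
static zval_t g_detached;

int main(void)
{
    const char *t0 = property_type_for_zval(&g_obj, &g_slots[0]);
    const char *t1 = property_type_for_zval(&g_obj, &g_slots[1]);
    const char *td = property_type_for_zval(&g_obj, &g_detached);
    printf("slot 0: index %d, type %s\n", property_slot_index(&g_obj, &g_slots[0]), t0 ? t0 : "(untyped)");
    printf("slot 1: index %d, type %s\n", property_slot_index(&g_obj, &g_slots[1]), t1 ? t1 : "(untyped)");
    printf("detached zval: index %d, type %s\n", property_slot_index(&g_obj, &g_detached), td ? td : "(none)");
    printf("class without info table: type %s\n",
           property_type_for_zval(&g_obj_notable, &g_slots[0]) ? "set" : "(none)");
    return 0;
}
```

The unchecked variant is kept beside the hardened one only to make the contrast visible; the range check costs two comparisons per property and turns a wild read into a benign "untyped" result, which is the behaviour a debugging aid should fall back to when it meets a table it did not build.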
Date Modified | Username | Field | Change |
---|---|---|---|
2023-06-16 18:12 | rstark | New Issue | |
2023-06-16 18:12 | rstark | File Added: backtrace.out | |
2023-06-16 18:12 | rstark | File Added: valgrind.log | |
2023-07-04 15:31 | derick | Assigned To | => derick |
2023-07-04 15:31 | derick | Status | new => closed |
2023-07-04 15:31 | derick | Resolution | open => fixed |
2023-07-04 15:31 | derick | Fixed in Version | => 3.2dev |
2023-07-04 15:31 | derick | Note Added: 0006575 | |
2023-07-14 09:14 | derick | Fixed in Version | 3.2dev => 3.2.2 |