View Issue Details

ID: 0002186
Project: Xdebug
Category: Step Debugging
View Status: public
Last Update: 2023-07-14 09:14
Reporter: rstark
Assigned To: derick
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform: Linux
OS: RHEL
OS Version: 8
Product Version: 3.2.1
Target Version: 3.2dev
Fixed in Version: 3.2.2
Summary: 0002186: Segfault with trampoline functions and debugger activation
Description

Segfault occurs with nested __call invocation with xdebug3 and PHP 8.1.21 (also tested under PHP 8.1.19 and 8.1.11)

Steps To Reproduce

Run the following program

<?php
$anon = new class() {
    function execute() {
        new ReflectionClass(null);
    }
};

(new Wrapper($anon))->execute(
    (new Wrapper($anon))->execute());

class Wrapper
{
    protected $wrapped;
    function __construct($wrapped)
    {
        $this->wrapped = $wrapped;
    }
    public function __call($method, $arguments)
    {
        return call_user_func([$this->wrapped, $method]);
    }
}

Additional Information

The segfault occurs whether or not the class is anonymous. The segfault does not occur with USE_ZEND_ALLOC=0.

The attached backtrace and valgrind / gdb traces are from an xdebug3 build of master at commit cb6882fd47c7591c7f4fb22567a7f2860919d086

It appears the code in debugger.c:121 is attempting to use memory (op_array) that has been freed (see attached gdb-free-trace.out)

Thanks to my colleague Robert for creating the above test script from a more complex scenario.

Tags: No tags attached.
Attached Files
backtrace.out (4,830 bytes):
Program received signal SIGSEGV, Segmentation fault.
0x00007f1d21fc1f21 in xdebug_lib_register_compiled_variables (fse=fse@entry=0x562d98089ef0, op_array=0x7f1d22287200) at /xdebug-build/xdebug/src/lib/lib.c:763
763			xdebug_llist_insert_next(fse->declared_vars, XDEBUG_LLIST_TAIL(fse->declared_vars), xdebug_str_create(STR_NAME_VAL(op_array->vars[i]), STR_NAME_LEN(op_array->vars[i])));
(gdb) bt full
#0  0x00007f1d21fc1f21 in xdebug_lib_register_compiled_variables (fse=fse@entry=0x562d98089ef0, op_array=0x7f1d22287200) at /xdebug-build/xdebug/src/lib/lib.c:763
        i = 0
#1  0x00007f1d21fd2019 in register_compiled_variables () at /xdebug-build/xdebug/src/debugger/debugger.c:121
        loop_fse = 0x562d98089ef0
        i = 3
#2  0x00007f1d21fd291b in xdebug_debugger_error_cb (error_filename=error_filename@entry=0x7f1d22202400, error_lineno=error_lineno@entry=4, type=type@entry=8192, 
    error_type_str=error_type_str@entry=0x562d9808b940 "Deprecated", 
    buffer=buffer@entry=0x7f1d22287218 "ReflectionClass::__construct(): Passing null to parameter #1 ($objectOrClass) of type object|string is deprecated") at /xdebug-build/xdebug/src/debugger/debugger.c:452
        extra_brk_info = 0x0
#3  0x00007f1d21fbb0da in xdebug_error_cb (orig_type=8192, error_filename=0x7f1d22202400, error_lineno=4, message=0x7f1d22287200) at /xdebug-build/xdebug/src/base/base.c:1387
        type = 8192
        error_type_str = 0x562d9808b940 "Deprecated"
        type = <optimized out>
        error_type_str = <optimized out>
#4  0x0000562d973010d9 in zend_error_zstr_at ()
No symbol table info available.
#5  0x0000562d97301493 in zend_error_va_list ()
No symbol table info available.
#6  0x0000562d97301678 in zend_error ()
No symbol table info available.
#7  0x0000562d9730205e in zend_null_arg_deprecated ()
No symbol table info available.
#8  0x0000562d97302a87 in zend_parse_arg_str_weak.cold ()
No symbol table info available.
#9  0x0000562d973b999c in reflection_class_object_ctor.isra ()
No symbol table info available.
#10 0x00007f1d21fbd115 in xdebug_execute_internal (current_execute_data=0x7f1d222132e0, return_value=0x7ffc45a54618) at /xdebug-build/xdebug/src/base/base.c:952
        edata = <optimized out>
        fse = 0x562d9808a160
        function_nr = 6
        function_call_traced = 0
        restore_error_handler_situation = 0
        tmp_error_cb = 0x0
#11 0x0000562d97304341 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER ()
No symbol table info available.
#12 0x0000562d9753cbdc in execute_ex ()
No symbol table info available.
#13 0x00007f1d21fbc6c0 in xdebug_execute_ex (execute_data=0x7f1d22213270) at /xdebug-build/xdebug/src/base/base.c:830
        op_array = 0x7f1d22203208
        edata = <optimized out>
        fse = 0x7f1d22213270
        function_nr = 5
        code_coverage_function_name = 0x0
        code_coverage_filename = 0x0
        code_coverage_init = 0
#14 0x0000562d9730457d in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER ()
No symbol table info available.
#15 0x0000562d9753cbdc in execute_ex ()
No symbol table info available.
#16 0x00007f1d21fbc6c0 in xdebug_execute_ex (execute_data=0x7f1d222131d0) at /xdebug-build/xdebug/src/base/base.c:830
        op_array = 0x7f1d22203620
        edata = <optimized out>
        fse = 0x7f1d222131d0
        function_nr = 4
        code_coverage_function_name = 0x0
        code_coverage_filename = 0x0
        code_coverage_init = 0
#17 0x0000562d975100a2 in ZEND_CALL_TRAMPOLINE_SPEC_OBSERVER_HANDLER ()
No symbol table info available.
#18 0x0000562d9753cb94 in execute_ex ()
No symbol table info available.
#19 0x00007f1d21fbc6c0 in xdebug_execute_ex (execute_data=0x7f1d222131d0) at /xdebug-build/xdebug/src/base/base.c:830
        op_array = 0x7f1d22287200
        edata = <optimized out>
        fse = 0x7f1d22213020
        function_nr = 3
        code_coverage_function_name = 0x0
        code_coverage_filename = 0x0
        code_coverage_init = 0
#20 0x0000562d9730457d in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER ()
No symbol table info available.
#21 0x0000562d9753cbdc in execute_ex ()
No symbol table info available.
#22 0x00007f1d21fbc6c0 in xdebug_execute_ex (execute_data=0x7f1d22213020) at /xdebug-build/xdebug/src/base/base.c:830
        op_array = 0x7f1d22287000
        edata = <optimized out>
        fse = 0x7f1d22213020
        function_nr = 0
        code_coverage_function_name = 0x0
        code_coverage_filename = 0x0
        code_coverage_init = 0
#23 0x0000562d9754619c in zend_execute ()
No symbol table info available.
#24 0x0000562d974d57d5 in zend_execute_scripts ()
No symbol table info available.
#25 0x0000562d974708ca in php_execute_script ()
No symbol table info available.
#26 0x0000562d975bec51 in do_cli ()
No symbol table info available.
#27 0x0000562d9731df53 in main ()
No symbol table info available.
valgrind.out (5,383 bytes):
==3704== Memcheck, a memory error detector
==3704== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==3704== Using Valgrind-3.19.0 and LibVEX; rerun with -h for copyright info
==3704== Command: php t.php
==3704== 
==3704== Invalid read of size 8
==3704==    at 0x939CF61: xdebug_lib_register_compiled_variables (lib.c:754)
==3704==    by 0x93AD018: register_compiled_variables (debugger.c:121)
==3704==    by 0x93AD91A: xdebug_debugger_error_cb (debugger.c:452)
==3704==    by 0x93960D9: xdebug_error_cb (base.c:1387)
==3704==    by 0x2090D8: zend_error_zstr_at (in /usr/bin/php)
==3704==    by 0x209492: ??? (in /usr/bin/php)
==3704==    by 0x209677: zend_error (in /usr/bin/php)
==3704==    by 0x20A05D: ??? (in /usr/bin/php)
==3704==    by 0x20AA86: ??? (in /usr/bin/php)
==3704==    by 0x2C199B: ??? (in /usr/bin/php)
==3704==    by 0x9398114: xdebug_execute_internal (base.c:952)
==3704==    by 0x20C340: ??? (in /usr/bin/php)
==3704==  Address 0xee259f8 is 104 bytes inside a block of size 240 free'd
==3704==    at 0x4C3AA93: free (vg_replace_malloc.c:872)
==3704==    by 0x417E22: ??? (in /usr/bin/php)
==3704==    by 0x444B93: execute_ex (in /usr/bin/php)
==3704==    by 0x93976BF: xdebug_execute_ex (base.c:830)
==3704==    by 0x20C57C: ??? (in /usr/bin/php)
==3704==    by 0x444BDB: execute_ex (in /usr/bin/php)
==3704==    by 0x93976BF: xdebug_execute_ex (base.c:830)
==3704==    by 0x44E19B: zend_execute (in /usr/bin/php)
==3704==    by 0x3DD7D4: zend_execute_scripts (in /usr/bin/php)
==3704==    by 0x3788C9: php_execute_script (in /usr/bin/php)
==3704==    by 0x4C6C50: ??? (in /usr/bin/php)
==3704==    by 0x225F52: ??? (in /usr/bin/php)
==3704==  Block was alloc'd at
==3704==    at 0x4C38135: malloc (vg_replace_malloc.c:381)
==3704==    by 0x3B0BDC: __zend_malloc (in /usr/bin/php)
==3704==    by 0x3B5BC2: _ecalloc (in /usr/bin/php)
==3704==    by 0x46DEF2: zend_get_call_trampoline_func (in /usr/bin/php)
==3704==    by 0x46E145: zend_std_get_method (in /usr/bin/php)
==3704==    by 0x41A18A: ??? (in /usr/bin/php)
==3704==    by 0x444BDB: execute_ex (in /usr/bin/php)
==3704==    by 0x93976BF: xdebug_execute_ex (base.c:830)
==3704==    by 0x44E19B: zend_execute (in /usr/bin/php)
==3704==    by 0x3DD7D4: zend_execute_scripts (in /usr/bin/php)
==3704==    by 0x3788C9: php_execute_script (in /usr/bin/php)
==3704==    by 0x4C6C50: ??? (in /usr/bin/php)
==3704== 
==3704== Invalid read of size 1
==3704==    at 0x939770F: xdebug_execute_ex (base.c:849)
==3704==    by 0x20C57C: ??? (in /usr/bin/php)
==3704==    by 0x444BDB: execute_ex (in /usr/bin/php)
==3704==    by 0x93976BF: xdebug_execute_ex (base.c:830)
==3704==    by 0x44E19B: zend_execute (in /usr/bin/php)
==3704==    by 0x3DD7D4: zend_execute_scripts (in /usr/bin/php)
==3704==    by 0x3788C9: php_execute_script (in /usr/bin/php)
==3704==    by 0x4C6C50: ??? (in /usr/bin/php)
==3704==    by 0x225F52: ??? (in /usr/bin/php)
==3704==    by 0x7F57D84: (below main) (in /usr/lib64/libc-2.28.so)
==3704==  Address 0xee25997 is 7 bytes inside a block of size 240 free'd
==3704==    at 0x4C3AA93: free (vg_replace_malloc.c:872)
==3704==    by 0x417E22: ??? (in /usr/bin/php)
==3704==    by 0x444B93: execute_ex (in /usr/bin/php)
==3704==    by 0x93976BF: xdebug_execute_ex (base.c:830)
==3704==    by 0x20C57C: ??? (in /usr/bin/php)
==3704==    by 0x444BDB: execute_ex (in /usr/bin/php)
==3704==    by 0x93976BF: xdebug_execute_ex (base.c:830)
==3704==    by 0x44E19B: zend_execute (in /usr/bin/php)
==3704==    by 0x3DD7D4: zend_execute_scripts (in /usr/bin/php)
==3704==    by 0x3788C9: php_execute_script (in /usr/bin/php)
==3704==    by 0x4C6C50: ??? (in /usr/bin/php)
==3704==    by 0x225F52: ??? (in /usr/bin/php)
==3704==  Block was alloc'd at
==3704==    at 0x4C38135: malloc (vg_replace_malloc.c:381)
==3704==    by 0x3B0BDC: __zend_malloc (in /usr/bin/php)
==3704==    by 0x3B5BC2: _ecalloc (in /usr/bin/php)
==3704==    by 0x46DEF2: zend_get_call_trampoline_func (in /usr/bin/php)
==3704==    by 0x46E145: zend_std_get_method (in /usr/bin/php)
==3704==    by 0x41A18A: ??? (in /usr/bin/php)
==3704==    by 0x444BDB: execute_ex (in /usr/bin/php)
==3704==    by 0x93976BF: xdebug_execute_ex (base.c:830)
==3704==    by 0x44E19B: zend_execute (in /usr/bin/php)
==3704==    by 0x3DD7D4: zend_execute_scripts (in /usr/bin/php)
==3704==    by 0x3788C9: php_execute_script (in /usr/bin/php)
==3704==    by 0x4C6C50: ??? (in /usr/bin/php)
==3704== 
PHP Fatal error:  Uncaught ReflectionException: Class "" does not exist in /t.php:4
Stack trace:
#0 /t.php(4): ReflectionClass->__construct()
#1 /t.php(20): class@anonymous->execute()
#2 /t.php(9): Wrapper->__call()
#3 {main}
  thrown in /t.php on line 4
==3704== 
==3704== HEAP SUMMARY:
==3704==     in use at exit: 57,111 bytes in 172 blocks
==3704==   total heap usage: 27,277 allocs, 27,105 frees, 3,827,537 bytes allocated
==3704== 
==3704== LEAK SUMMARY:
==3704==    definitely lost: 0 bytes in 0 blocks
==3704==    indirectly lost: 0 bytes in 0 blocks
==3704==      possibly lost: 0 bytes in 0 blocks
==3704==    still reachable: 57,111 bytes in 172 blocks
==3704==         suppressed: 0 bytes in 0 blocks
==3704== Rerun with --leak-check=full to see details of leaked memory
==3704== 
==3704== For lists of detected and suppressed errors, rerun with: -s
==3704== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
gdb-free-trace.out (15,458 bytes):
[root@4c9e88417cb4 /]# env | grep ZEND
ZEND_DONT_UNLOAD_MODULES=1
USE_ZEND_ALLOC=0
[root@4c9e88417cb4 /]# gdb php
GNU gdb (GDB) Red Hat Enterprise Linux 8.2-19.el8
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from php...Reading symbols from .gnu_debugdata for /usr/bin/php...(no debugging symbols found)...done.
(no debugging symbols found)...done.
Missing separate debuginfos, use: yum debuginfo-install php-cli-8.1.21-1.el8.remi.x86_64
(gdb) b src/base/base.c:772
No symbol table is loaded.  Use the "file" command.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (src/base/base.c:772) pending.
(gdb) b src/debugger/debugger.c:121
No symbol table is loaded.  Use the "file" command.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 2 (src/debugger/debugger.c:121) pending.
(gdb) run t.php
Starting program: /usr/bin/php t.php
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

Breakpoint 1, xdebug_execute_ex (execute_data=0x7f1814b8f030) at /xdebug-build/xdebug/src/base/base.c:772
772		fse = xdebug_add_stack_frame(edata, op_array, XDEBUG_USER_DEFINED);
(gdb) print op_array
$1 = (zend_op_array *) 0x557cf4a16560
(gdb) print *op_array
$2 = {type = 2 '\002', arg_flags = "\000\000", fn_flags = 100663296, function_name = 0x0, scope = 0x0, prototype = 0x0, num_args = 0, required_num_args = 0, arg_info = 0x0, attributes = 0x0, cache_size = 56, 
  last_var = 1, T = 10, last = 19, opcodes = 0x557cf4ad9620, run_time_cache__ptr = 0x557cf4a771c0, static_variables_ptr__ptr = 0x0, static_variables = 0x0, vars = 0x557cf4ad9e30, refcount = 0x557cf4acffe0, 
  last_live_range = 3, last_try_catch = 0, live_range = 0x557cf4ada620, try_catch_array = 0x0, filename = 0x557cf4ad0000, line_start = 1, line_end = 24, doc_comment = 0x0, last_literal = 10, 
  num_dynamic_func_defs = 0, literals = 0x557cf4ad9880, dynamic_func_defs = 0x0, reserved = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
(gdb) c
Continuing.

Breakpoint 1, xdebug_execute_ex (execute_data=0x7f1814b8f130) at /xdebug-build/xdebug/src/base/base.c:772
772		fse = xdebug_add_stack_frame(edata, op_array, XDEBUG_USER_DEFINED);
(gdb) print op_array
$3 = (zend_op_array *) 0x557cf4a78f18
(gdb) print *op_array
$4 = {type = 2 '\002', arg_flags = "\000\000", fn_flags = 35782657, function_name = 0x557cf4ad93e0, scope = 0x557cf4a78cf0, prototype = 0x0, num_args = 1, required_num_args = 1, arg_info = 0x557cf4ada490, 
  attributes = 0x0, cache_size = 24, last_var = 1, T = 1, last = 6, opcodes = 0x557cf4ada970, run_time_cache__ptr = 0x557cf4a79008, static_variables_ptr__ptr = 0x0, static_variables = 0x0, 
  vars = 0x557cf4ada4c0, refcount = 0x557cf4ada320, last_live_range = 0, last_try_catch = 0, live_range = 0x0, try_catch_array = 0x0, filename = 0x557cf4ad0000, line_start = 14, line_end = 17, 
  doc_comment = 0x0, last_literal = 2, num_dynamic_func_defs = 0, literals = 0x557cf4adaa30, dynamic_func_defs = 0x0, reserved = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
(gdb) x/1s op_array.function_name.val
0x557cf4ad93f8:	"__construct"
(gdb) c
Continuing.

Breakpoint 1, xdebug_execute_ex (execute_data=0x7f1814b8f1e0) at /xdebug-build/xdebug/src/base/base.c:772
772		fse = xdebug_add_stack_frame(edata, op_array, XDEBUG_USER_DEFINED);
(gdb) print op_array
$5 = (zend_op_array *) 0x557cf4a78f18
(gdb) print *op_array
$6 = {type = 2 '\002', arg_flags = "\000\000", fn_flags = 35782657, function_name = 0x557cf4ad93e0, scope = 0x557cf4a78cf0, prototype = 0x0, num_args = 1, required_num_args = 1, arg_info = 0x557cf4ada490, 
  attributes = 0x0, cache_size = 24, last_var = 1, T = 1, last = 6, opcodes = 0x557cf4ada970, run_time_cache__ptr = 0x557cf4a79008, static_variables_ptr__ptr = 0x0, static_variables = 0x0, 
  vars = 0x557cf4ada4c0, refcount = 0x557cf4ada320, last_live_range = 0, last_try_catch = 0, live_range = 0x0, try_catch_array = 0x0, filename = 0x557cf4ad0000, line_start = 14, line_end = 17, 
  doc_comment = 0x0, last_literal = 2, num_dynamic_func_defs = 0, literals = 0x557cf4adaa30, dynamic_func_defs = 0x0, reserved = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
(gdb) x/1s op_array.function_name.val
0x557cf4ad93f8:	"__construct"
(gdb) c
Continuing.

Breakpoint 1, xdebug_execute_ex (execute_data=0x7f1814b8f1e0) at /xdebug-build/xdebug/src/base/base.c:772
772		fse = xdebug_add_stack_frame(edata, op_array, XDEBUG_USER_DEFINED);
(gdb) print op_array
$7 = (zend_op_array *) 0x557cf4a259a0
(gdb) print *op_array
$8 = {type = 2 '\002', arg_flags = "\000\000", fn_flags = 278529, function_name = 0x557cf4ada6f0, scope = 0x557cf4a78cf0, prototype = 0x0, num_args = 0, required_num_args = 0, arg_info = 0x557cf3821d20, 
  attributes = 0x0, cache_size = 0, last_var = 0, T = 5, last = 0, opcodes = 0x557cf3c08bf8 <executor_globals+1528>, run_time_cache__ptr = 0x557cf3c01720, static_variables_ptr__ptr = 0x0, 
  static_variables = 0x0, vars = 0x0, refcount = 0x0, last_live_range = 0, last_try_catch = 0, live_range = 0x0, try_catch_array = 0x0, filename = 0x557cf4ad0000, line_start = 18, line_end = 21, 
  doc_comment = 0x0, last_literal = 0, num_dynamic_func_defs = 0, literals = 0x0, dynamic_func_defs = 0x0, reserved = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
(gdb) x/1s op_array.function_name.val
0x557cf4ada708:	"execute"
(gdb) watch op_array.function_name
Watchpoint 3: op_array.function_name
(gdb) info breakpoints
Num     Type           Disp Enb Address            What
1       breakpoint     keep y   0x00007f181075d59f in xdebug_execute_ex at /xdebug-build/xdebug/src/base/base.c:772
	breakpoint already hit 4 times
2       breakpoint     keep y   0x00007f181077300a in register_compiled_variables at /xdebug-build/xdebug/src/debugger/debugger.c:121
3       watchpoint     keep y                      op_array.function_name
(gdb) c
Continuing.

Watchpoint 3: op_array.function_name

Old value = (zend_string *) 0x557cf4ada6f0
New value = (zend_string *) 0x11503989ad620e57
0x00007f18116d8b2e in _int_free () from /lib64/libc.so.6
(gdb) bt full
#0  0x00007f18116d8b2e in _int_free () from /lib64/libc.so.6
No symbol table info available.
#1  0x0000557cf370fe23 in ZEND_CALL_TRAMPOLINE_SPEC_OBSERVER_HANDLER ()
No symbol table info available.
#2  0x0000557cf373cb94 in execute_ex ()
No symbol table info available.
#3  0x00007f181075d6c0 in xdebug_execute_ex (execute_data=0x7f1814b8f1e0) at /xdebug-build/xdebug/src/base/base.c:830
        op_array = 0x557cf4a259a0
        edata = <optimized out>
        fse = 0x7f1814b8f030
        function_nr = 3
        code_coverage_function_name = 0x0
        code_coverage_filename = 0x0
        code_coverage_init = 0
#4  0x0000557cf350457d in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER ()
No symbol table info available.
#5  0x0000557cf373cbdc in execute_ex ()
No symbol table info available.
#6  0x00007f181075d6c0 in xdebug_execute_ex (execute_data=0x7f1814b8f030) at /xdebug-build/xdebug/src/base/base.c:830
        op_array = 0x557cf4a16560
        edata = <optimized out>
        fse = 0x7f1814b8f030
        function_nr = 0
        code_coverage_function_name = 0x0
        code_coverage_filename = 0x0
        code_coverage_init = 0
#7  0x0000557cf374619c in zend_execute ()
No symbol table info available.
#8  0x0000557cf36d57d5 in zend_execute_scripts ()
No symbol table info available.
#9  0x0000557cf36708ca in php_execute_script ()
No symbol table info available.
#10 0x0000557cf37bec51 in do_cli ()
No symbol table info available.
#11 0x0000557cf351df53 in main ()
No symbol table info available.
(gdb) c
Continuing.

Breakpoint 1, xdebug_execute_ex (execute_data=0x7f1814b8f1e0) at /xdebug-build/xdebug/src/base/base.c:772
772		fse = xdebug_add_stack_frame(edata, op_array, XDEBUG_USER_DEFINED);
(gdb) print op_array
$9 = (zend_op_array *) 0x557cf4a79010
(gdb) print *op_array
$10 = {type = 2 '\002', arg_flags = "\000\000", fn_flags = 33685505, function_name = 0x557cf4ad94d0, scope = 0x557cf4a78cf0, prototype = 0x0, num_args = 2, required_num_args = 2, arg_info = 0x557cf4a77170, 
  attributes = 0x0, cache_size = 24, last_var = 2, T = 3, last = 11, opcodes = 0x557cf4adaa60, run_time_cache__ptr = 0x557cf4a79100, static_variables_ptr__ptr = 0x0, static_variables = 0x0, 
  vars = 0x557cf4ada570, refcount = 0x557cf4ada550, last_live_range = 1, last_try_catch = 0, live_range = 0x557cf4ada600, try_catch_array = 0x0, filename = 0x557cf4ad0000, line_start = 18, line_end = 21, 
  doc_comment = 0x0, last_literal = 3, num_dynamic_func_defs = 0, literals = 0x557cf4adabc0, dynamic_func_defs = 0x0, reserved = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
(gdb) x/1s op_array.function_name.val
0x557cf4ad94e8:	"__call"
(gdb) c
Continuing.

Breakpoint 1, xdebug_execute_ex (execute_data=0x7f1814b8f280) at /xdebug-build/xdebug/src/base/base.c:772
772		fse = xdebug_add_stack_frame(edata, op_array, XDEBUG_USER_DEFINED);
(gdb) print op_array
$11 = (zend_op_array *) 0x557cf4a78bf8
(gdb) print *op_array
$12 = {type = 2 '\002', arg_flags = "\000\000", fn_flags = 33554433, function_name = 0x557cf4ad91d0, scope = 0x557cf4a78a08, prototype = 0x0, num_args = 0, required_num_args = 0, arg_info = 0x0, 
  attributes = 0x0, cache_size = 8, last_var = 0, T = 2, last = 7, opcodes = 0x557cf4ad9ee0, run_time_cache__ptr = 0x557cf4a78ce8, static_variables_ptr__ptr = 0x0, static_variables = 0x0, vars = 0x0, 
  refcount = 0x557cf4ad9ec0, last_live_range = 1, last_try_catch = 0, live_range = 0x557cf4ada010, try_catch_array = 0x0, filename = 0x557cf4ad0000, line_start = 3, line_end = 5, doc_comment = 0x0, 
  last_literal = 4, num_dynamic_func_defs = 0, literals = 0x557cf4ad9fc0, dynamic_func_defs = 0x0, reserved = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
(gdb) x/1s op_array.function_name.val
0x557cf4ad91e8:	"execute"
(gdb) c
Continuing.

Breakpoint 2, register_compiled_variables () at /xdebug-build/xdebug/src/debugger/debugger.c:121
121			xdebug_lib_register_compiled_variables(loop_fse, loop_fse->op_array);
(gdb) print loop_fse->op_array
$13 = (zend_op_array *) 0x557cf4a78bf8
(gdb) print *loop_fse->op_array
$14 = {type = 2 '\002', arg_flags = "\000\000", fn_flags = 33554433, function_name = 0x557cf4ad91d0, scope = 0x557cf4a78a08, prototype = 0x0, num_args = 0, required_num_args = 0, arg_info = 0x0, 
  attributes = 0x0, cache_size = 8, last_var = 0, T = 2, last = 7, opcodes = 0x557cf4ad9ee0, run_time_cache__ptr = 0x557cf4a78ce8, static_variables_ptr__ptr = 0x0, static_variables = 0x0, vars = 0x0, 
  refcount = 0x557cf4ad9ec0, last_live_range = 1, last_try_catch = 0, live_range = 0x557cf4ada010, try_catch_array = 0x0, filename = 0x557cf4ad0000, line_start = 3, line_end = 5, doc_comment = 0x0, 
  last_literal = 4, num_dynamic_func_defs = 0, literals = 0x557cf4ad9fc0, dynamic_func_defs = 0x0, reserved = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
(gdb) x/1s loop_fse->op_array.function_name.val
0x557cf4ad91e8:	"execute"
(gdb) c
Continuing.

Breakpoint 2, register_compiled_variables () at /xdebug-build/xdebug/src/debugger/debugger.c:121
121			xdebug_lib_register_compiled_variables(loop_fse, loop_fse->op_array);
(gdb) print loop_fse->op_array
$15 = (zend_op_array *) 0x557cf4a79010
(gdb) print *loop_fse->op_array
$16 = {type = 2 '\002', arg_flags = "\000\000", fn_flags = 33685505, function_name = 0x557cf4ad94d0, scope = 0x557cf4a78cf0, prototype = 0x0, num_args = 2, required_num_args = 2, arg_info = 0x557cf4a77170, 
  attributes = 0x0, cache_size = 24, last_var = 2, T = 3, last = 11, opcodes = 0x557cf4adaa60, run_time_cache__ptr = 0x557cf4a79100, static_variables_ptr__ptr = 0x0, static_variables = 0x0, 
  vars = 0x557cf4ada570, refcount = 0x557cf4ada550, last_live_range = 1, last_try_catch = 0, live_range = 0x557cf4ada600, try_catch_array = 0x0, filename = 0x557cf4ad0000, line_start = 18, line_end = 21, 
  doc_comment = 0x0, last_literal = 3, num_dynamic_func_defs = 0, literals = 0x557cf4adabc0, dynamic_func_defs = 0x0, reserved = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
(gdb) x/1s loop_fse->op_array.function_name.val
0x557cf4ad94e8:	"__call"
(gdb) c
Continuing.

Breakpoint 2, register_compiled_variables () at /xdebug-build/xdebug/src/debugger/debugger.c:121
121			xdebug_lib_register_compiled_variables(loop_fse, loop_fse->op_array);
(gdb) print loop_fse->op_array
$17 = (zend_op_array *) 0x557cf4a259a0
(gdb) print *loop_fse->op_array
$18 = {type = 21 '\025', arg_flags = "\332n\243", fn_flags = 21881, function_name = 0x11503989ad620e57, scope = 0x557cf4a78cf0, prototype = 0x0, num_args = 0, required_num_args = 0, 
  arg_info = 0x557cf3821d20, attributes = 0x0, cache_size = 0, last_var = 0, T = 5, last = 0, opcodes = 0x557cf3c08bf8 <executor_globals+1528>, run_time_cache__ptr = 0x557cf3c01720, 
  static_variables_ptr__ptr = 0x0, static_variables = 0x0, vars = 0x0, refcount = 0x0, last_live_range = 0, last_try_catch = 0, live_range = 0x0, try_catch_array = 0x0, filename = 0x557cf4ad0000, 
  line_start = 18, line_end = 21, doc_comment = 0x0, last_literal = 0, num_dynamic_func_defs = 0, literals = 0x0, dynamic_func_defs = 0x0, reserved = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
(gdb) x/1s loop_fse->op_array.function_name.val
0x11503989ad620e6f:	<error: Cannot access memory at address 0x11503989ad620e6f>
(gdb) c
Continuing.

Breakpoint 2, register_compiled_variables () at /xdebug-build/xdebug/src/debugger/debugger.c:121
121			xdebug_lib_register_compiled_variables(loop_fse, loop_fse->op_array);
(gdb) print loop_fse->op_array
$19 = (zend_op_array *) 0x557cf4a16560
(gdb) print *loop_fse->op_array
$20 = {type = 2 '\002', arg_flags = "\000\000", fn_flags = 100663296, function_name = 0x0, scope = 0x0, prototype = 0x0, num_args = 0, required_num_args = 0, arg_info = 0x0, attributes = 0x0, 
  cache_size = 56, last_var = 1, T = 10, last = 19, opcodes = 0x557cf4ad9620, run_time_cache__ptr = 0x557cf4a771c0, static_variables_ptr__ptr = 0x0, static_variables = 0x0, vars = 0x557cf4ad9e30, 
  refcount = 0x557cf4acffe0, last_live_range = 3, last_try_catch = 0, live_range = 0x557cf4ada620, try_catch_array = 0x0, filename = 0x557cf4ad0000, line_start = 1, line_end = 24, doc_comment = 0x0, 
  last_literal = 10, num_dynamic_func_defs = 0, literals = 0x557cf4ad9880, dynamic_func_defs = 0x0, reserved = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
(gdb) c
Continuing.
Error evaluating expression for watchpoint 3
value has been optimized out
Watchpoint 3 deleted.
0x00007f181075d760 in xdebug_execute_ex (execute_data=0x7f1814b8f1e0) at /xdebug-build/xdebug/src/lib/vector.h:64
64		v->count--;
(gdb) c
Continuing.
PHP Fatal error:  Uncaught ReflectionException: Class "" does not exist in /t.php:4
Stack trace:
#0 /t.php(4): ReflectionClass->__construct()
#1 /t.php(20): class@anonymous->execute()
#2 /t.php(9): Wrapper->__call()
#3 {main}
  thrown in /t.php on line 4
[Inferior 1 (process 3721) exited with code 0377]
Operating System:
PHP Version: 8.1.10-8.1.19
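Added example (not Xdebug's code, and not the fix shipped in PR 895): a small C model of the ownership problem the attached traces show. valgrind.out says the block that xdebug_lib_register_compiled_variables reads was allocated by zend_get_call_trampoline_func and had already been freed when the deprecation notice triggered the frame walk at debugger.c:121, while the debugger's frame entry still pointed at it. The toy frame stack below copies the function name and compiled-variable names at push time and retains no pointer to the op_array, so the same walk only touches frame-owned memory even after the trampoline op_array is freed mid-call. All names (toy_op_array, frame_t, push_frame, register_all_compiled_variables, simulate_trampoline_scenario, scenario_check) are hypothetical, and the variable lists are constructed from the script's $anon, $method and $arguments.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical toy model, not Xdebug code: a debugger frame stack that copies what it
 * needs from the engine's op_array at push time and keeps no pointer to it, so an
 * op_array the engine frees early (the __call trampoline) cannot be read by a later
 * walk over all frames. */

#define MAX_FRAMES 16
#define MAX_VARS   8

/* Stand-in for the zend_op_array fields the walk needs. */
typedef struct {
    const char *function_name;   /* NULL for the main script */
    int         is_trampoline;   /* stands in for ZEND_ACC_CALL_VIA_TRAMPOLINE */
    int         last_var;        /* number of compiled variables */
    const char *vars[MAX_VARS];  /* their names */
} toy_op_array;

/* A frame entry owns copies of everything it will need later. */
typedef struct {
    char *function_name;
    int   from_trampoline;
    int   num_vars;
    char *declared_vars[MAX_VARS];
} frame_t;

typedef struct { frame_t frames[MAX_FRAMES]; int count; } frame_stack;

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    return p ? memcpy(p, s, n) : NULL;
}

/* Bounded append for the summary string; -1 when the buffer would overflow. */
static int append(char *out, size_t cap, size_t *used, const char *s)
{
    size_t n = strlen(s);
    if (*used + n >= cap) return -1;
    memcpy(out + *used, s, n + 1);
    *used += n;
    return 0;
}

/* Snapshot names at push time; the op_array pointer is deliberately not retained. */
int push_frame(frame_stack *st, const toy_op_array *oa)
{
    if (st->count >= MAX_FRAMES || oa->last_var > MAX_VARS) return -1;
    frame_t *f = &st->frames[st->count];
    f->function_name = dup_str(oa->function_name ? oa->function_name : "{main}");
    f->from_trampoline = oa->is_trampoline;
    f->num_vars = oa->last_var;
    for (int i = 0; i < oa->last_var; i++) f->declared_vars[i] = dup_str(oa->vars[i]);
    st->count++;
    return 0;
}

void pop_frame(frame_stack *st)
{
    if (st->count == 0) return;
    frame_t *f = &st->frames[--st->count];
    for (int i = 0; i < f->num_vars; i++) free(f->declared_vars[i]);
    free(f->function_name);
}

/* Error-time walk over every live frame (the role register_compiled_variables plays).
 * Writes "name(v1,v2);..." outermost first, '*' marks a trampoline frame; returns the
 * number of frames visited, or -1 if the buffer is too small. */
int register_all_compiled_variables(const frame_stack *st, char *out, size_t out_len)
{
    size_t used = 0;
    if (out_len == 0) return -1;
    out[0] = '\0';
    for (int i = 0; i < st->count; i++) {
        const frame_t *f = &st->frames[i];
        if (append(out, out_len, &used, i ? ";" : "") || append(out, out_len, &used, f->function_name) ||
            append(out, out_len, &used, f->from_trampoline ? "*(" : "(")) return -1;
        for (int v = 0; v < f->num_vars; v++)
            if (append(out, out_len, &used, v ? "," : "") || append(out, out_len, &used, f->declared_vars[v])) return -1;
        if (append(out, out_len, &used, ")")) return -1;
    }
    return st->count;
}

/* Replays the call shape from the report: {main} -> trampoline "execute" (freed by the
 * engine while its frame is still on the debugger stack) -> __call -> execute, then the
 * deprecation fires and the walk runs. Returns the number of frames visited. */
int simulate_trampoline_scenario(char *out, size_t out_len)
{
    frame_stack st = { .count = 0 };
    toy_op_array main_oa = { NULL, 0, 1, { "anon" } };                 /* constructed */
    toy_op_array call_oa = { "__call", 0, 2, { "method", "arguments" } };
    toy_op_array exec_oa = { "execute", 0, 0, { NULL } };
    toy_op_array *tramp = calloc(1, sizeof *tramp);  /* engine allocates one per __call dispatch */
    if (!tramp) return -1;
    tramp->function_name = "execute";
    tramp->is_trampoline = 1;
    push_frame(&st, &main_oa);
    push_frame(&st, tramp);
    free(tramp);              /* the "free'd" stack in valgrind.out; our frame keeps no pointer */
    push_frame(&st, &call_oa);
    push_frame(&st, &exec_oa);
    int visited = register_all_compiled_variables(&st, out, out_len);
    while (st.count) pop_frame(&st);
    return visited;
}

/* Runs the scenario and compares the walk summary; returns frames visited or -1. */
int scenario_check(const char *expected)
{
    char buf[256];
    int visited = simulate_trampoline_scenario(buf, sizeof buf);
    return (visited >= 0 && strcmp(buf, expected) == 0) ? visited : -1;
}
```

scenario_check("{main}(anon);execute*();__call(method,arguments);execute()") returns 4. Because push_frame copies rather than borrows, the block runs clean under valgrind or -fsanitize=address; a variant that stored the op_array pointer in frame_t and dereferenced it in the walk would reproduce the "Invalid read ... inside a block ... free'd" pattern from valgrind.out. The snapshot costs a few allocations per frame; the narrower alternative of refusing to retain pointers only for op_arrays flagged as trampolines needs the engine flag checked at every push.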

Relationships

related to 0002175 (closed, derick): Crash with EXC_BAD_ACCESS in xdebug_str_create

Activities

derick (administrator), 2023-07-11 16:52, ~0006591

Your script fails with:

Fatal error: Uncaught Error: Call to undefined method Wrapper::execute() in /home/derick/dev/php/derickr-xdebug/tests/develop/bug02186.phpt on line 8

Error: Call to undefined method Wrapper::execute() in /home/derick/dev/php/derickr-xdebug/tests/develop/bug02186.phpt on line 8

Can you attach the script, please?

cheers,
Derick

derick (administrator), 2023-07-11 18:00, ~0006592

Never mind, I saw what was wrong. I can reproduce it and I have a fix, but still need to write a proper test.

derick (administrator), 2023-07-13 12:59, ~0006593

https://github.com/xdebug/xdebug/pull/895

derick (administrator), 2023-07-14 09:04, ~0006603

https://github.com/xdebug/xdebug/pull/895

Issue History

Date Modified Username Field Change
2023-07-11 13:45 rstark New Issue
2023-07-11 13:45 rstark File Added: backtrace.out
2023-07-11 13:45 rstark File Added: valgrind.out
2023-07-11 13:45 rstark File Added: gdb-free-trace.out
2023-07-11 16:52 derick Assigned To => derick
2023-07-11 16:52 derick Status new => feedback
2023-07-11 16:52 derick Note Added: 0006591
2023-07-11 18:00 derick Status feedback => assigned
2023-07-11 18:00 derick Note Added: 0006592
2023-07-11 18:00 derick Target Version => 3.2dev
2023-07-13 12:59 derick Category Stacktraces => Step Debugging
2023-07-13 12:59 derick Summary Segfault with nested __call invocation => Segfault with trampoline functions and debugger activation
2023-07-13 12:59 derick Note Added: 0006593
2023-07-13 13:00 derick Relationship added related to 0002175
2023-07-13 13:03 derick Steps to Reproduce Updated
2023-07-14 09:04 derick Status assigned => closed
2023-07-14 09:04 derick Resolution open => fixed
2023-07-14 09:04 derick Fixed in Version => 3.2dev
2023-07-14 09:04 derick Note Added: 0006603
2023-07-14 09:14 derick Fixed in Version 3.2dev => 3.2.2