MantisBT - Xdebug
View Issue Details
ID: 0001454
Project: Xdebug
Category: Usage problems (Wrong Results)
View Status: public
Date Submitted: 2017-07-14 23:11
Last Update: 2018-01-22 18:21
Reporter: tyson
Assigned To: derick
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform: Any
Product Version: 2.5.5
Target Version: 2.6.0
Fixed in Version: 2.6.0rc1
OS: Centos/Ubuntu/any
PHP Version: 7.1.5-7.1.9
0001454: Seeing invalid memory read or segfaults from a __call() method when running unit test (using Phockito) in php 7.1
A unit test (internally used with a lot of dependencies) was segfaulting when using https://github.com/ifwe/phockito/blob/6e6011301ac5f6e62a49b6c4931cc4180e12d6e5/Phockito.php#L837

The conditions for the invalid memory reads with xdebug are unknown, but it happens when a Phockito test fails and attempts to throw an exception indicating this. It likely has something to do with the fact that it's happening in __call().

https://github.com/TysonAndre/xdebug_invalidread_phockito has a simplified version of that test, which consistently emits invalid memory read errors when run under valgrind.

- Before merging multiple files into a single file, it would consistently emit invalid memory read errors, then segfault.

I haven't tested php 7.1 yet. I was able to reproduce this in Centos 6.5 and Ubuntu (dockerized).
Run the below command (must include collect_params=3; if collect_params=0 is used, there are no invalid memory reads):

USE_ZEND_ALLOC=0 valgrind php --no-php-ini zend_extension=xdebug.so xdebug.collect_params=3 invalid_read_test.php
It seems to happen when reading the contents of temporary unnamed variables of the function, in order to create a stack trace. I've seen attempts to dump zvals with (type 6) strings with negative refcounts, as well as zvals with (type 8) values with invalid object handlers and class entries.

Various valgrind errors such as the below were seen.

==7== Invalid read of size 8
==7== at 0x9488663: xdebug_var_export (xdebug_var.c:1083)
==7== by 0x9488EA6: xdebug_get_zval_value (xdebug_var.c:1212)
==7== by 0x948148B: add_single_value (xdebug_stack.c:397)
==7== by 0x948148B: xdebug_append_printable_stack (xdebug_stack.c:486)
==7== by 0x946D677: xdebug_throw_exception_hook (xdebug.c:1650)
==7== by 0x1ED300: zend_throw_exception_internal (in /usr/bin/php7.1)
==7== by 0x3DADA7: ??? (in /usr/bin/php7.1)
==7== by 0x3C0ADA: execute_ex (in /usr/bin/php7.1)
==7== by 0x946ECF5: xdebug_execute_ex (xdebug.c:2056)
==7== by 0x418CCB: ??? (in /usr/bin/php7.1)
==7== by 0x3C0ADA: execute_ex (in /usr/bin/php7.1)
==7== by 0x946ECF5: xdebug_execute_ex (xdebug.c:2056)
==7== by 0x419E3B: ??? (in /usr/bin/php7.1)
==7== Address 0x97c6d10 is 16 bytes inside a block of size 4,096 free'd
==7== at 0x4C2ED5B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7== by 0x419CF7: ??? (in /usr/bin/php7.1)
==7== by 0x3C0ADA: execute_ex (in /usr/bin/php7.1)
==7== by 0x946ECF5: xdebug_execute_ex (xdebug.c:2056)
==7== by 0x418CCB: ??? (in /usr/bin/php7.1)
==7== by 0x3C0ADA: execute_ex (in /usr/bin/php7.1)
==7== by 0x946ECF5: xdebug_execute_ex (xdebug.c:2056)
==7== by 0x419E3B: ??? (in /usr/bin/php7.1)
==7== by 0x3C0ADA: execute_ex (in /usr/bin/php7.1)
==7== by 0x946ECF5: xdebug_execute_ex (xdebug.c:2056)
==7== by 0x419E3B: ??? (in /usr/bin/php7.1)
==7== by 0x3C0ADA: execute_ex (in /usr/bin/php7.1)
==7== Block was alloc'd at
==7== at 0x4C2FD4F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7== by 0x34C6A8: __zend_realloc (in /usr/bin/php7.1)
==7== by 0x3B9B3E: smart_str_erealloc (in /usr/bin/php7.1)
==7== by 0x2F1555: php_var_export_ex (in /usr/bin/php7.1)
==7== by 0x2F0C86: php_var_export_ex (in /usr/bin/php7.1)
==7== by 0x2F1830: zif_var_export (in /usr/bin/php7.1)
==7== by 0x946F7BC: xdebug_execute_internal (xdebug.c:2208)
==7== by 0x4197DB: ??? (in /usr/bin/php7.1)
==7== by 0x3C0ADA: execute_ex (in /usr/bin/php7.1)
==7== by 0x946ECF5: xdebug_execute_ex (xdebug.c:2056)
==7== by 0x418CCB: ??? (in /usr/bin/php7.1)
==7== by 0x3C0ADA: execute_ex (in /usr/bin/php7.1)
==7==
==7== Invalid read of size 8
==7== at 0x4C345C0: memmove (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7== by 0x948869F: memcpy (string3.h:53)
==7== by 0x948869F: zend_string_init (zend_string.h:160)
==7== by 0x948869F: xdebug_var_export (xdebug_var.c:1083)
==7== by 0x9488EA6: xdebug_get_zval_value (xdebug_var.c:1212)
==7== by 0x948148B: add_single_value (xdebug_stack.c:397)
==7== by 0x948148B: xdebug_append_printable_stack (xdebug_stack.c:486)
==7== by 0x946D677: xdebug_throw_exception_hook (xdebug.c:1650)
==7== by 0x1ED300: zend_throw_exception_internal (in /usr/bin/php7.1)
==7== by 0x3DADA7: ??? (in /usr/bin/php7.1)
==7== by 0x3C0ADA: execute_ex (in /usr/bin/php7.1)
==7== by 0x946ECF5: xdebug_execute_ex (xdebug.c:2056)
==7== by 0x418CCB: ??? (in /usr/bin/php7.1)
==7== by 0x3C0ADA: execute_ex (in /usr/bin/php7.1)
==7== by 0x946ECF5: xdebug_execute_ex (xdebug.c:2056)
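A small triage helper, added here as an example (it is not Xdebug's code nor the reporter's): it parses memcheck output like the log above, marks every error whose address lies inside a free'd block as a use-after-free, and names the first frame located in Xdebug's own sources, which is where a maintainer would start reading. The sample log is constructed from the entries quoted above.

```python
# Added example (not Xdebug's code or the reporter's): parse valgrind memcheck
# output like the log above, flag use-after-free reads (an address inside a
# free'd block) and name the first frame located in Xdebug's own sources.
import re
ERROR_RE = re.compile(r"^(Invalid (?:read|write) of size \d+|Conditional jump.*)$")
FRAME_RE = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.*)\)$")
# Sample constructed from the first two errors in the report's log (trimmed).
SAMPLE_LOG = """\
==7== Invalid read of size 8
==7==    at 0x9488663: xdebug_var_export (xdebug_var.c:1083)
==7==    by 0x9488EA6: xdebug_get_zval_value (xdebug_var.c:1212)
==7==    by 0x946D677: xdebug_throw_exception_hook (xdebug.c:1650)
==7==  Address 0x97c6d10 is 16 bytes inside a block of size 4,096 free'd
==7==    at 0x4C2ED5B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7==  Block was alloc'd at
==7==    at 0x4C2FD4F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7==
==7== Invalid read of size 8
==7==    at 0x4C345C0: memmove (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7==    by 0x948869F: xdebug_var_export (xdebug_var.c:1083)
"""

def parse_valgrind(text):
    """Split ==PID==-prefixed memcheck output into one record per error."""
    errors, cur, sect = [], None, None
    for raw in text.splitlines():
        m = re.match(r"^==\d+==\s?(.*)$", raw)
        if not m:
            continue                      # not a memcheck line (program output)
        line = m.group(1).strip()
        if ERROR_RE.match(line):          # start of a new error record
            cur = {"kind": line, "frames": [], "freed": False,
                   "free_stack": [], "alloc_stack": []}
            errors.append(cur)
            sect = "frames"
        elif not line or cur is None:     # blank ==PID== line closes a record
            cur = sect = None
        elif line.startswith("Address "): # where the bad address points
            cur["freed"] = "free'd" in line
            sect = "free_stack" if cur["freed"] else "alloc_stack"
        elif line.startswith("Block was alloc'd"):
            sect = "alloc_stack"
        elif FRAME_RE.match(line):        # stack frame for the current section
            cur[sect].append(FRAME_RE.match(line).groups())
    return errors

def first_xdebug_frame(frames):
    """Function of the first frame located in an xdebug*.c file, or None."""
    return next((fn for fn, loc in frames if loc.startswith("xdebug")), None)
```

Feed it `valgrind --log-file=...` output from the reproduction command above to get a per-error summary instead of scrolling the raw log.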
No tags attached.
Attachments:
invalid_read_test.php (118,932 bytes), added 2017-07-14 23:11: https://bugs.xdebug.org/file_download.php?file_id=389&type=bug
invalid_read_test_simplified.php (1,292 bytes), added 2017-09-27 00:13: https://bugs.xdebug.org/file_download.php?file_id=394&type=bug
Issue History
2017-07-14 23:11  tyson   New Issue
2017-07-14 23:11  tyson   File Added: invalid_read_test.php
2017-07-15 10:58  derick  Note Added: 0004370
2017-07-15 10:58  derick  Assigned To => derick
2017-07-15 10:58  derick  Status: new => confirmed
2017-07-15 10:59  derick  Target Version => 2.5.6
2017-09-26 23:28  derick  Note Added: 0004428
2017-09-26 23:28  derick  Status: confirmed => feedback
2017-09-27 00:13  tyson   File Added: invalid_read_test_simplified.php
2017-09-27 00:14  tyson   Note Added: 0004429
2017-09-27 00:14  tyson   Status: feedback => assigned
2017-11-05 14:12  derick  Target Version: 2.5.6 => 2.6.0dev
2017-12-02 18:35  derick  Target Version: 2.6.0dev => 2.6.0
2018-01-20 09:53  derick  Note Added: 0004566
2018-01-20 09:53  derick  Status: assigned => closed
2018-01-20 09:53  derick  Resolution: open => fixed
2018-01-20 09:53  derick  Fixed in Version => 2.6.0
2018-01-22 18:21  derick  Fixed in Version: 2.6.0 => 2.6.0rc1

Notes
(0004370)
derick   
2017-07-15 10:58   
I can reproduce this.
(0004428)
derick   
2017-09-26 23:28   
I just had a look at this again, and I can still reproduce it. However, I found out that the simplified test was still 4000 lines, which I wouldn't call particularly "simple". With this much data, it's really hard to figure out what causes the problem :-/

If you have some time, could you help out by simplifying this test case even more?
(0004429)
tyson   
2017-09-27 00:14   
I simplified it even more. See https://github.com/TysonAndre/xdebug_invalidread_phockito for the steps; I also uploaded the final simplified version (60 lines).
(0004566)
derick   
2018-01-20 09:53   
I believe I have this fixed in GIT just now. After my patch, I can't reproduce this issue any more. Thanks for the report, and short test case!