View Issue Details

IDProjectCategoryView StatusLast Update
0001047XdebugUncategorizedpublic2016-12-04 15:36
Reporterchrisi1698 Assigned Toderick  
PrioritynormalSeveritycrashReproducibilityalways
Status resolvedResolutionunable to reproduce 
Product Version2.2.4 
Summary0001047: PHP crashes when xdebug is enabled when calling any(?) function that would implicitely autoload a class
Description

as the summary says - php crashes when xdebug is enabled and any function that tries to autoload a function is called, e.g.
var_dump(class_exists('ServiceProvider')); (while "class_exists($name, false)" does not crash php, also it does not crash when xdebug is not enabled)
also, get_class_methods($name) crashes when class $name is not already loaded

Steps To Reproduce

minimum example:
<?php
function activerecord_autoload($class_name)
{
$file = "models/$class_name.php";
if(file_exists($file)) require_once $file;
}
spl_autoload_register('activerecord_autoload',false);
var_dump(class_exists('ServiceProvider'));
?>
in models/ServiceProvider.php:
<?php
class ServiceProvider extends ActiveRecord\Model
{
static $table_name = 'service_providers';
}
?>

Additional Information

backtrace of one of the crashes (tried to build xdebug against debug-enabled php, but somehow xdebug doesn't load any more then, so.. whatever:)
(gdb)
#0 xdebug_zval_ptr (op_type=4, node=0x7f6209638e90, zdata=zdata@entry=0x7fff3ff2bcb0) at /DATA/BUILD/XDEBUG/xdebug-2.2.4/xdebug_compat.c:93
#1 0x00007f6208f8c70a in xdebug_execute_internal (current_execute_data=0x7fff3ff2bcb0, fci=0x7fff3ff2be50, return_value_used=1)
at /DATA/BUILD/XDEBUG/xdebug-2.2.4/xdebug.c:1572
0000002 0x00000000007cfed5 in zend_call_function (fci=fci@entry=0x7fff3ff2be50, fci_cache=fci_cache@entry=0x7fff3ff2be20)
at /DATA/BUILD/php-5.5.11/Zend/zend_execute_API.c:959
0000003 0x00000000007d05e5 in zend_lookup_class_ex (name=0x7f620953e218 "ServiceProvider", name_length=15, key=key@entry=0x0,
use_autoload=use_autoload@entry=1, ce=ce@entry=0x7fff3ff2bf08) at /DATA/BUILD/php-5.5.11/Zend/zend_execute_API.c:1115
0000004 0x00000000007d070f in zend_lookup_class (name=<optimized out>, name_length=<optimized out>, ce=ce@entry=0x7fff3ff2bf08)
at /DATA/BUILD/php-5.5.11/Zend/zend_execute_API.c:1140
0000005 0x00000000007efaf0 in zif_class_exists (ht=<optimized out>, return_value=0x3d278f0, return_value_ptr=<optimized out>, this_ptr=<optimized out>,
return_value_used=<optimized out>) at /DATA/BUILD/php-5.5.11/Zend/zend_builtin_functions.c:1252
0000006 0x00007f6208f8c815 in xdebug_execute_internal (current_execute_data=0x7f62095fd120, fci=0x0, return_value_used=1)
at /DATA/BUILD/XDEBUG/xdebug-2.2.4/xdebug.c:1553
0000007 0x000000000088863e in zend_do_fcall_common_helper_SPEC (execute_data=0x7f62095fd120) at /DATA/BUILD/php-5.5.11/Zend/zend_vm_execute.h:552
0000008 0x000000000084a058 in execute_ex (execute_data=0x7f62095fd120) at /DATA/BUILD/php-5.5.11/Zend/zend_vm_execute.h:363
0000009 0x00007f6208f8cbec in xdebug_execute_ex (execute_data=0x7f62095fd120) at /DATA/BUILD/XDEBUG/xdebug-2.2.4/xdebug.c:1437
0000010 0x00000000007debbf in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3)
at /DATA/BUILD/php-5.5.11/Zend/zend.c:1316
0000011 0x000000000077f3d2 in php_execute_script (primary_file=primary_file@entry=0x7fff3ff2e6f0) at /DATA/BUILD/php-5.5.11/main/main.c:2506
0000012 0x000000000045652c in main (argc=4, argv=0x7fff3ff2eb68) at /DATA/BUILD/php-5.5.11/sapi/cgi/cgi_main.c:2454

TagsNo tags attached.
Operating SystemLinux local 3.13-0.bpo.1-amd64 #1 SMP Debian 3.13.5-1~bpo70+1 (2014-03-15) x86_64 GNU/Linux
PHP Version5.5.5-5.5.9

Activities

derick

2014-04-11 09:30

administrator   ~0002783

I've just tried this, but I only get:

Fatal error: Class 'ActiveRecord\Model' not found in /tmp/models/ServiceProvider.php on line 3

Call Stack:
0.1814 0 1. {main}() /tmp/index.php:0
0.2172 0 2. class_exists() /tmp/index.php:8
0.2328 0 3. spl_autoload_call() /tmp/index.php:8
0.2387 0 4. activerecord_autoload() /tmp/index.php:0
0.3194 0 5. require_once('/tmp/models/ServiceProvider.php') /tmp/index.php:5

Can you try running it with:

  1. export USE_ZEND_ALLOC=0
    gdb --args php index.php
    and when you hit the segfault: bt full

  2. export USE_ZEND_ALLOC=0
    valgrind php index.php

(you will need to install valgrind for the latter)

chrisi1698

2014-04-11 12:17

reporter   ~0002784

thank you for your reply and suggestions!
I narrowed the problem down again. First, I recompiled php with --enable-debug and recompiled xdebug as well, now everything loads fine at least, perhaps re-installing php with debug without proper cleaning messed something up or whatever.

I found a new minimum working (crashing) example which crashes when xdebug profiling is enabled and doesn't if it isn't (which doesn't depend on codeigniter/activerecord any more - sorry I missed that):

<?php
function activerecord_autoload($class_name)
{
$file = "models/$class_name.php";
if(file_exists($file)) require_once $file;
}
spl_autoload_register('activerecord_autoload',false);
var_dump(in_array('hello', array_map('strtolower',get_class_methods('ServiceProvider'))));
?>

models/ServiceProvider.php:
<?php
class ServiceProvider
{
static $table_name = 'service_providers';
function Hello($x) { echo "$x\n"; }
function Hello1($x) { echo "$x\n"; }
function Hello2($x) { echo "$x\n"; }
function Hello3($x) { echo "$x\n"; }
function Hello4($x) { echo "$x\n"; }
function Hello5($x) { echo "$x\n"; }
function Hello6($x) { echo "$x\n"; }
function Hello7($x) { echo "$x\n"; }
function Hello8($x) { echo "$x\n"; }
function Hello9($x) { echo "$x\n"; }
function Hello10($x) { echo "$x\n"; }
};
?>

without the array_map() + in_array() it does work. however, assigning get_class_methods to a variable and calling array_map on that does not help. however - it seems to be some kind of timing-dependent problem, because with only the array_map() call, it produces error 500 when I load the file via web browser -> lighty -> fastcgi, but doesen't segfault when i call it with "/opt/php5/bin/php-cgi -c /data/dev-env/configs/php.ini crash.php". with the two nested calls, it crashes in both cases; more functions in class ServiceProvider also help provoking said behavior. if the class-file to be loaded is smaller or not that much to do with the stuff the function call returns, a crash is not triggered. weird.

thank you very much again,
below the 2 debug outputs as you suggested:

% export USE_ZEND_ALLOC=0
% gdb --args /opt/php5/bin/php-cgi -e -c /data/dev-env/configs/php.ini crash.php
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /opt/php-5.5.11/bin/php-cgi...done.
(gdb) run
Starting program: /opt/php-5.5.11/bin/php-cgi -e -c /data/dev-env/configs/php.ini crash.php
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7ffff7ffa000
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffeea13700 (LWP 11960)]
[Thread 0x7fffeea13700 (LWP 11960) exited]

Program received signal SIGSEGV, Segmentation fault.
0x00007fffeea28023 in xdebug_zval_ptr (op_type=4, node=0x2c671e8, zdata=0x7fffffffb690) at /DATA/BUILD/XDEBUG/xdebug-2.2.4/xdebug_compat.c:93
93 if (T->str_offset.str->type != IS_STRING
(gdb) bt full
#0 0x00007fffeea28023 in xdebug_zval_ptr (op_type=4, node=0x2c671e8, zdata=0x7fffffffb690) at /DATA/BUILD/XDEBUG/xdebug-2.2.4/xdebug_compat.c:93
T = 0x7fffffffb630
str = 0x0
#1 0x00007fffeea242e6 in xdebug_execute_internal (current_execute_data=0x7fffffffb690, fci=0x7fffffffb820, return_value_used=1)
at /DATA/BUILD/XDEBUG/xdebug-2.2.4/xdebug.c:1572
ret = 0x7fffffffb878
edata = 0x7fffffffb690
fse = 0x2c66a40
cur_opcode = 0x2c671d0
do_return = 1
function_nr = 9
restore_error_handler_situation = 0
tmp_error_cb = 0
0000002 0x0000000000983f0f in zend_call_function (fci=0x7fffffffb820, fci_cache=0x7fffffffb7f0) at /data/BUILD/php-5.5.11/Zend/zend_execute_API.c:959
call_via_handler = 0
i = 1
original_return_value = 0x481ffffb778
calling_symbol_table = 0x1026ad8
original_op_array = 0x800000001
original_opline_ptr = 0x0
current_scope = 0x0
current_called_scope = 0x0
calling_scope = 0x0
called_scope = 0x0
current_this = 0x0
execute_data = {opline = 0x0, function_state = {function = 0x140a0c0, arguments = 0x2c311b8}, op_array = 0x0, object = 0x0,
symbol_table = 0x137bc08, prev_execute_data = 0x2c310f0, old_error_reporting = 0x0, nested = 0 '\000', original_return_value = 0x0,
current_scope = 0x0, current_called_scope = 0x0, current_this = 0x0, fast_ret = 0x0, call_slots = 0x2c31170, call = 0x2c31170}
fci_cache_local = {initialized = 91 '[', function_handler = 0x7c00000077, calling_scope = 0x1026ad8, called_scope = 0x7ffff18c8640,
object_ptr = 0x48}
0000003 0x0000000000864c2d in zif_array_map (ht=2, return_value=0x266d600, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)
at /data/BUILD/php-5.5.11/ext/standard/array.c:4371
str_key_len = 32767
num_key = 1
str_key = 0x7fffeea2312a "UH\211\345SH\201", <incomplete sequence \354\270>
key_type = 2
arrays = 0x26384a0
n_arrays = 1
params = 0x26384a0
result = 0x2605bb0
null = 0x261ef10
array_pos = 0x263d6d0
args = 0x26389a0
fci = {size = 72, function_table = 0x137dc90, function_name = 0x26eecd0, symbol_table = 0x0, retval_ptr_ptr = 0x7fffffffb878,
param_count = 1, params = 0x26384a0, object_ptr = 0x0, no_separation = 0 '\000'}
fci_cache = {initialized = 0 '\000', function_handler = 0x140a0c0, calling_scope = 0x0, called_scope = 0x0, object_ptr = 0x0}
i = 1
k = 1
maxlen = 6
array_len = 0x26389c0
---Type <return> to continue, or q <return> to quit---
0000004 0x00000000009d18f7 in execute_internal (execute_data_ptr=0x2c310f0, fci=0x0, return_value_used=1)
at /data/BUILD/php-5.5.11/Zend/zend_execute.c:1484
return_value_ptr = 0x2c31098
0000005 0x00007fffeea24201 in xdebug_execute_internal (current_execute_data=0x2c310f0, fci=0x0, return_value_used=1)
at /DATA/BUILD/XDEBUG/xdebug-2.2.4/xdebug.c:1553
edata = 0x2c310f0
fse = 0x2c67830
cur_opcode = 0x7fffffffb990
do_return = 1
function_nr = 7
restore_error_handler_situation = 0
tmp_error_cb = 0
0000006 0x00000000009d27e1 in zend_do_fcall_common_helper_SPEC (execute_data=0x2c310f0) at /data/BUILD/php-5.5.11/Zend/zend_vm_execute.h:552
ret = 0x2c31090
opline = 0x2c671d0
should_change_scope = 0 '\000'
fbc = 0x1430700
0000007 0x00000000009d6c41 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x2c310f0) at /data/BUILD/php-5.5.11/Zend/zend_vm_execute.h:2329
opline = 0x2c671d0
fname = 0x2c68a20
call = 0x2c31170
0000008 0x00000000009d1fa9 in execute_ex (execute_data=0x2c310f0) at /data/BUILD/php-5.5.11/Zend/zend_vm_execute.h:363
ret = 0
original_in_execution = 0 '\000'
0000009 0x00007fffeea23d40 in xdebug_execute_ex (execute_data=0x2c310f0) at /DATA/BUILD/XDEBUG/xdebug-2.2.4/xdebug.c:1437
op_array = 0x2c66c10
edata = 0x0
dummy = 0x7fffffffe390
fse = 0x2c692b0
xfse = 0x2c692b0
magic_cookie = 0x0
do_return = 1
function_nr = 0
le = 0x2ba25e0
clear = 1
return_val = 0x0
0000010 0x00000000009d2019 in zend_execute (op_array=0x2c66c10) at /data/BUILD/php-5.5.11/Zend/zend_vm_execute.h:388
No locals.
0000011 0x00000000009966bc in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /data/BUILD/php-5.5.11/Zend/zend.c:1316
files = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fffffffbce0, reg_save_area = 0x7fffffffbc20}}
i = 1
file_handle = 0x7fffffffe120
orig_op_array = 0x0
orig_retval_ptr_ptr = 0x0
orig_interactive = 0
0000012 0x000000000090fae6 in php_execute_script (primary_file=0x7fffffffe120) at /data/BUILD/php-5.5.11/main/main.c:2506
realfile = "\000\000\000\000\000\000\000\000\240\316\377\377\377\177\000\000\000\000\000\000\000\000\000\000\005\362\336\367\377\177\000\000\200K7\001\000\000\000\000pK7\001\000\000\000\000\000\216\251\002", '\000' <repeats 24 times>"\377, \177\000\000\000\000\000\000\377\177\000 \000\000\000\000\000\000\000\000\240\316\377\377\377\177", '\000' <repeats 26 times>, "\020", '\000' <repeats 39 times>"\377, \377\377\377\377\377\377\377\360\322\377\377\377\177", '\000' <repeats 11 times>"\300, \000\000\000\000\000\000\260\204)\002", '\000' <repeats 12 times>, "\001\000\000\000\002\000\0---Type <return> to continue, or q <return> to quit---
00\000\316\024\225\363\377\177\000\000\000\000\000\000+\000\000\000\060y\003\001\000\000\000\000\065y\003\001\000\000\000\000U\237V\361\377\177\000\000\374\214V\361\377\177\000\000\000\000\000\000\000\000\000\000\030", '\000' <repeats 23 times>"\333, \024\225\363\377\177\000\000\000\000\000\000\000\000\000\000P", '\000' <repeats 35 times>...
orig_bailout = 0x7fffffffdf60
bailout = {{jmpbuf = {1, -9161571196182848101, 4543712, 140737488348048, 0, 0, -9161571197229326949, 9161572163906706843},
mask_was_saved = 0, saved_mask = {
val = {7738717297580402036, 8101813437696656431, 7090204234065274221, 3420042347867956580,
6066194093999158376, 8314052157424030533, 482788519528, 140737280021694, 140737280021712, 140737242373973, 140737242369276,
140737488342688, 16, 5, 0, 32}}}}
prepend_file_p = 0x0
append_file_p = 0x0
prepend_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0,
isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0}, reader = 0, fsizer = 0, closer = 0}},
free_filename = 0 '\000'}
append_file = {type = ZEND_HANDLE_FILENAME, filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0,
isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, old_handle = 0x0, old_closer = 0}, reader = 0, fsizer = 0, closer = 0}},
free_filename = 0 '\000'}
old_cwd = 0x7fffffffbd00 "/Users/ctessarek/Development/webdev-env/htdocs/TEST"
use_heap = 0 '\000'
retval = 0
0000013 0x0000000000a4112d in main (argc=5, argv=0x7fffffffe398) at /data/BUILD/php-5.5.11/sapi/cgi/cgi_main.c:2454
orig_bailout = 0x0
bailout = {{jmpbuf = {0, -9161571194219913829, 4543712, 140737488348048, 0, 0, -9161571196168168037, 9161572053969673627},
mask_was_saved = 0, saved_mask = {
val = {15, 140737488347472, 58, 814159578, 140737351927152, 0, 26, 12721243, 140737351925116,
140737313747704, 39, 140737488347552, 58, 4287062190, 140737351925116, 0}}}}
free_query_string = 1
exit_status = 0
cgi = 0
c = -1
i = 5
len = 11
file_handle = {type = ZEND_HANDLE_MAPPED, filename = 0x2bb0c90 "crash.php", opened_path = 0x0, handle = {fd = 46557968, fp = 0x2c66b10,
stream = {handle = 0x2c66b10, isatty = 0, mmap = {len = 283, pos = 0, map = 0x0,
buf = 0x7ffff7fd5000 <Address 0x7ffff7fd5000 out of bounds>, old_handle = 0x0, old_closer = 0},
reader = 0x9291c1 <_php_stream_read>, fsizer = 0x90da1e <php_zend_stream_fsizer>, closer = 0x90d9f8 <php_zend_stream_mmap_closer>}},
free_filename = 0 '\000'}
s = 0x2bb0750 "crash.php"
behavior = 1
no_headers = 0
orig_optind = 1
orig_optarg = 0x0
script_file = 0x0
ini_entries_len = 0
max_requests = 500
requests = 0
fastcgi = 0
bindpath = 0x0
fcgi_fd = 0
request = 0x0
repeats = 1
benchmark = 0
---Type <return> to continue, or q <return> to quit---
start = {tv_sec = 1, tv_usec = 140737352403024}
end = {tv_sec = 140737488347760, tv_usec = 140737242145056}
status = 0
query_string = 0x0
decoded_query_string = 0x7ffff7ffe540 "\240\344\377\367\377\177"
skip_getopt = 0
(gdb) quit
A debugging session is active.

Inferior 1 [process 11954] will be killed.

Quit anyway? (y or n) y

% export USE_ZEND_ALLOC=0 1
% valgrind /opt/php5/bin/php-cgi -e -c /data/dev-env/configs/php.ini crash.php 0
==12012== Memcheck, a memory error detector
==12012== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==12012== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==12012== Command: /opt/php5/bin/php-cgi -e -c /data/dev-env/configs/php.ini crash.php
==12012==
==12012== Conditional jump or move depends on uninitialised value(s)
==12012== at 0x4017756: index (strchr.S:55)
==12012== by 0x40078C2: expand_dynamic_string_token (dl-load.c:431)
==12012== by 0x40081B6: _dl_map_object (dl-load.c:2539)
==12012== by 0x40016ED: map_doit (rtld.c:627)
==12012== by 0x400E805: _dl_catch_error (dl-error.c:177)
==12012== by 0x4000FBD: do_preload (rtld.c:816)
==12012== by 0x40046F1: dl_main (rtld.c:1630)
==12012== by 0x401519D: _dl_sysdep_start (dl-sysdep.c:241)
==12012== by 0x4004D65: _dl_start (rtld.c:332)
==12012== by 0x4001507: ??? (in /lib/x86_64-linux-gnu/ld-2.17.so)
==12012== by 0x4: ???
==12012== by 0x7FF00060A: ???
==12012==
==12012== Conditional jump or move depends on uninitialised value(s)
==12012== at 0x401775B: index (strchr.S:58)
==12012== by 0x40078C2: expand_dynamic_string_token (dl-load.c:431)
==12012== by 0x40081B6: _dl_map_object (dl-load.c:2539)
==12012== by 0x40016ED: map_doit (rtld.c:627)
==12012== by 0x400E805: _dl_catch_error (dl-error.c:177)
==12012== by 0x4000FBD: do_preload (rtld.c:816)
==12012== by 0x40046F1: dl_main (rtld.c:1630)
==12012== by 0x401519D: _dl_sysdep_start (dl-sysdep.c:241)
==12012== by 0x4004D65: _dl_start (rtld.c:332)
==12012== by 0x4001507: ??? (in /lib/x86_64-linux-gnu/ld-2.17.so)
==12012== by 0x4: ???
==12012== by 0x7FF00060A: ???
==12012==
==12012== Syscall param socketcall.getpeername(namelen_in) points to uninitialised byte(s)
==12012== at 0xB427E87: getpeername (syscall-template.S:81)
==12012== by 0xE277EF6: xdebug_create_socket (xdebug_com.c:160)
==12012== by 0xE28A9F3: xdebug_init_debugger (xdebug_stack.c:493)
==12012== by 0xE2739B9: xdebug_execute_ex (xdebug.c:1349)
==12012== by 0x9D2018: zend_execute (zend_vm_execute.h:388)
==12012== by 0x9966BB: zend_execute_scripts (zend.c:1316)
==12012== by 0x90FAE5: php_execute_script (main.c:2506)
==12012== by 0xA4112C: main (cgi_main.c:2454)
==12012== Address 0x7feffd8bc is on thread 1's stack
==12012==
==12012== Conditional jump or move depends on uninitialised value(s)
==12012== at 0xE277FE0: xdebug_zval_ptr (xdebug_compat.c:87)
==12012== by 0xE2742E5: xdebug_execute_internal (xdebug.c:1572)
==12012== by 0x983F0E: zend_call_function (zend_execute_API.c:959)
==12012== by 0x98473D: zend_lookup_class_ex (zend_execute_API.c:1115)
==12012== by 0x98484A: zend_lookup_class (zend_execute_API.c:1140)
==12012== by 0x9AD8AD: zif_get_class_methods (zend_builtin_functions.c:1057)
==12012== by 0x9D18F6: execute_internal (zend_execute.c:1484)
==12012== by 0xE274200: xdebug_execute_internal (xdebug.c:1553)
==12012== by 0x9D27E0: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:552)
==12012== by 0x9D6C40: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2329)
==12012== by 0x9D1FA8: execute_ex (zend_vm_execute.h:363)
==12012== by 0xE273D3F: xdebug_execute_ex (xdebug.c:1437)
==12012==
==12012== Conditional jump or move depends on uninitialised value(s)
==12012== at 0xE2742EF: xdebug_execute_internal (xdebug.c:1573)
==12012== by 0x983F0E: zend_call_function (zend_execute_API.c:959)
==12012== by 0x98473D: zend_lookup_class_ex (zend_execute_API.c:1115)
==12012== by 0x98484A: zend_lookup_class (zend_execute_API.c:1140)
==12012== by 0x9AD8AD: zif_get_class_methods (zend_builtin_functions.c:1057)
==12012== by 0x9D18F6: execute_internal (zend_execute.c:1484)
==12012== by 0xE274200: xdebug_execute_internal (xdebug.c:1553)
==12012== by 0x9D27E0: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:552)
==12012== by 0x9D6C40: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2329)
==12012== by 0x9D1FA8: execute_ex (zend_vm_execute.h:363)
==12012== by 0xE273D3F: xdebug_execute_ex (xdebug.c:1437)
==12012== by 0x9D2018: zend_execute (zend_vm_execute.h:388)
==12012==
==12012== Conditional jump or move depends on uninitialised value(s)
==12012== at 0xE290783: xdebug_var_export (xdebug_var.c:377)
==12012== by 0xE290E47: xdebug_get_zval_value (xdebug_var.c:491)
==12012== by 0xE28E1A5: xdebug_return_trace_stack_retval (xdebug_tracing.c:121)
==12012== by 0xE274303: xdebug_execute_internal (xdebug.c:1574)
==12012== by 0x983F0E: zend_call_function (zend_execute_API.c:959)
==12012== by 0x98473D: zend_lookup_class_ex (zend_execute_API.c:1115)
==12012== by 0x98484A: zend_lookup_class (zend_execute_API.c:1140)
==12012== by 0x9AD8AD: zif_get_class_methods (zend_builtin_functions.c:1057)
==12012== by 0x9D18F6: execute_internal (zend_execute.c:1484)
==12012== by 0xE274200: xdebug_execute_internal (xdebug.c:1553)
==12012== by 0x9D27E0: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:552)
==12012== by 0x9D6C40: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2329)
==12012==
==12012== Use of uninitialised value of size 8
==12012== at 0xE2907D8: xdebug_var_export (xdebug_var.c:383)
==12012== by 0xE290E47: xdebug_get_zval_value (xdebug_var.c:491)
==12012== by 0xE28E1A5: xdebug_return_trace_stack_retval (xdebug_tracing.c:121)
==12012== by 0xE274303: xdebug_execute_internal (xdebug.c:1574)
==12012== by 0x983F0E: zend_call_function (zend_execute_API.c:959)
==12012== by 0x98473D: zend_lookup_class_ex (zend_execute_API.c:1115)
==12012== by 0x98484A: zend_lookup_class (zend_execute_API.c:1140)
==12012== by 0x9AD8AD: zif_get_class_methods (zend_builtin_functions.c:1057)
==12012== by 0x9D18F6: execute_internal (zend_execute.c:1484)
==12012== by 0xE274200: xdebug_execute_internal (xdebug.c:1553)
==12012== by 0x9D27E0: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:552)
==12012== by 0x9D6C40: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2329)
==12012==
==12012== Conditional jump or move depends on uninitialised value(s)
==12012== at 0xE277FE0: xdebug_zval_ptr (xdebug_compat.c:87)
==12012== by 0xE2742E5: xdebug_execute_internal (xdebug.c:1572)
==12012== by 0x983F0E: zend_call_function (zend_execute_API.c:959)
==12012== by 0x864C2C: zif_array_map (array.c:4371)
==12012== by 0x9D18F6: execute_internal (zend_execute.c:1484)
==12012== by 0xE274200: xdebug_execute_internal (xdebug.c:1553)
==12012== by 0x9D27E0: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:552)
==12012== by 0x9D6C40: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2329)
==12012== by 0x9D1FA8: execute_ex (zend_vm_execute.h:363)
==12012== by 0xE273D3F: xdebug_execute_ex (xdebug.c:1437)
==12012== by 0x9D2018: zend_execute (zend_vm_execute.h:388)
==12012== by 0x9966BB: zend_execute_scripts (zend.c:1316)
==12012==
==12012== Conditional jump or move depends on uninitialised value(s)
==12012== at 0xE2742EF: xdebug_execute_internal (xdebug.c:1573)
==12012== by 0x983F0E: zend_call_function (zend_execute_API.c:959)
==12012== by 0x864C2C: zif_array_map (array.c:4371)
==12012== by 0x9D18F6: execute_internal (zend_execute.c:1484)
==12012== by 0xE274200: xdebug_execute_internal (xdebug.c:1553)
==12012== by 0x9D27E0: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:552)
==12012== by 0x9D6C40: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2329)
==12012== by 0x9D1FA8: execute_ex (zend_vm_execute.h:363)
==12012== by 0xE273D3F: xdebug_execute_ex (xdebug.c:1437)
==12012== by 0x9D2018: zend_execute (zend_vm_execute.h:388)
==12012== by 0x9966BB: zend_execute_scripts (zend.c:1316)
==12012== by 0x90FAE5: php_execute_script (main.c:2506)
==12012==
==12012== Invalid read of size 1
==12012== at 0xE2907D8: xdebug_var_export (xdebug_var.c:383)
==12012== by 0xE290E47: xdebug_get_zval_value (xdebug_var.c:491)
==12012== by 0xE28E1A5: xdebug_return_trace_stack_retval (xdebug_tracing.c:121)
==12012== by 0xE274303: xdebug_execute_internal (xdebug.c:1574)
==12012== by 0x983F0E: zend_call_function (zend_execute_API.c:959)
==12012== by 0x864C2C: zif_array_map (array.c:4371)
==12012== by 0x9D18F6: execute_internal (zend_execute.c:1484)
==12012== by 0xE274200: xdebug_execute_internal (xdebug.c:1553)
==12012== by 0x9D27E0: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:552)
==12012== by 0x9D6C40: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2329)
==12012== by 0x9D1FA8: execute_ex (zend_vm_execute.h:363)
==12012== by 0xE273D3F: xdebug_execute_ex (xdebug.c:1437)
==12012== Address 0x17800000a2b is not stack'd, malloc'd or (recently) free'd
==12012==
==12012==
==12012== Process terminating with default action of signal 11 (SIGSEGV)
==12012== Access not within mapped region at address 0x17800000A2B
==12012== at 0xE2907D8: xdebug_var_export (xdebug_var.c:383)
==12012== by 0xE290E47: xdebug_get_zval_value (xdebug_var.c:491)
==12012== by 0xE28E1A5: xdebug_return_trace_stack_retval (xdebug_tracing.c:121)
==12012== by 0xE274303: xdebug_execute_internal (xdebug.c:1574)
==12012== by 0x983F0E: zend_call_function (zend_execute_API.c:959)
==12012== by 0x864C2C: zif_array_map (array.c:4371)
==12012== by 0x9D18F6: execute_internal (zend_execute.c:1484)
==12012== by 0xE274200: xdebug_execute_internal (xdebug.c:1553)
==12012== by 0x9D27E0: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:552)
==12012== by 0x9D6C40: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2329)
==12012== by 0x9D1FA8: execute_ex (zend_vm_execute.h:363)
==12012== by 0xE273D3F: xdebug_execute_ex (xdebug.c:1437)
==12012== If you believe this happened as a result of a stack
==12012== overflow in your program's main thread (unlikely but
==12012== possible), you can try to increase the size of the
==12012== main thread stack using the --main-stacksize= flag.
==12012== The main thread stack size used in this run was 8388608.
==12012==
==12012== HEAP SUMMARY:
==12012== in use at exit: 20,477,915 bytes in 332,729 blocks
==12012== total heap usage: 614,786 allocs, 282,057 frees, 345,669,445 bytes allocated
==12012==
==12012== LEAK SUMMARY:
==12012== definitely lost: 0 bytes in 0 blocks
==12012== indirectly lost: 0 bytes in 0 blocks
==12012== possibly lost: 0 bytes in 0 blocks
==12012== still reachable: 20,477,915 bytes in 332,729 blocks
==12012== suppressed: 0 bytes in 0 blocks
==12012== Rerun with --leak-check=full to see details of leaked memory
==12012==
==12012== For counts of detected and suppressed errors, rerun with: -v
==12012== Use --track-origins=yes to see where uninitialised values come from
==12012== ERROR SUMMARY: 16 errors from 10 contexts (suppressed: 0 from 0)
zsh: segmentation fault valgrind /opt/php5/bin/php-cgi -e -c /data/dev-env/configs/php.ini crash.php

derick

2014-05-19 23:08

administrator   ~0002814

I have just tried reproducing this again, but I have no luck. Is there any chance you can reproduce this in a VM I can have access to?

derick

2014-06-14 10:33

administrator   ~0002847

Hello, is there a VM I can have access to to try to reproduce this?

rodrigorm

2014-07-04 01:32

reporter   ~0002856

This bug only happens when xdebug.collect_return is enabled. If you create the files chrisi1698 says and run the command below:

$ php -dxdebug.auto_trace=1 -dxdebug.trace_format=1 -dxdebug.collect_return=1 crash.php
Segmentation fault (core dumped)

But without the collect_return:

$ php -dxdebug.auto_trace=1 -dxdebug.trace_format=1 -dxdebug.collect_return=0 crash.php
bool(true)

Maybe this help you.

rodrigorm

2014-07-04 02:28

reporter   ~0002857

I created a branch with tests:

https://github.com/rodrigorm/xdebug/compare/issue1047

chrisi1698

2016-05-28 13:47

reporter   ~0003612

Hello everyone,
sorry for the long radio silence, got caught up in so much other stuff -- just stumbled over the test files for this bug in my web dev root, and I'm happy to report, that both with the current git version as well as the latest release version 2.4.0 (on Linux 3.13/x86_64 with PHP 5.5.36), I can't reproduce this problem anymore. :-)
Thanks very much!

derick

2016-12-04 15:36

administrator   ~0003906

Hi,

sorry, I missed your comment that it was no longer a problem. Thanks for reporting back!

cheers,
Derick

Issue History

Date Modified Username Field Change
2014-04-10 18:50 chrisi1698 New Issue
2014-04-11 09:30 derick Note Added: 0002783
2014-04-11 09:30 derick Assigned To => derick
2014-04-11 09:30 derick Status new => feedback
2014-04-11 12:17 chrisi1698 Note Added: 0002784
2014-04-11 12:17 chrisi1698 Status feedback => assigned
2014-05-19 23:08 derick Note Added: 0002814
2014-05-19 23:08 derick Status assigned => feedback
2014-06-14 10:33 derick Note Added: 0002847
2014-07-04 01:32 rodrigorm Note Added: 0002856
2014-07-04 02:28 rodrigorm Note Added: 0002857
2016-05-28 13:47 chrisi1698 Note Added: 0003612
2016-05-28 13:47 chrisi1698 Status feedback => assigned
2016-07-31 12:36 derick Category Usage problems => Usage problems (Crashes)
2016-07-31 12:38 derick Category Usage problems (Crashes) => Usage problems (Wrong Results)
2016-12-04 15:36 derick Note Added: 0003906
2016-12-04 15:36 derick Status assigned => resolved
2016-12-04 15:36 derick Resolution open => unable to reproduce
2020-03-12 16:35 derick Category Usage problems (Wrong Results) => Variable Display
2020-03-12 16:38 derick Category Variable Display => Uncategorized