View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0001329XdebugUncategorizedpublic2016-07-21 19:252016-12-19 12:49
Reportertyson Assigned Toderick  
PrioritynormalSeveritycrashReproducibilityalways
Status closedResolutionfixed 
PlatformLinuxOSCentos(/All?)OS Version6
Product Version2.4.0 
Fixed in Version2.5.1 
Summary0001329: While printing out a stack with and function parameters, XDebug reads uninitialized zvals or free()d memory
Description

This happens when the only zend_extension is xdebug.so, and for php versions 7.0.8 and 7.0.9. Other extensions are disabled. (php < 7.0.8 was not tested)

In the provided test case, the stack trace was printed because of a php notice. I've observed a similar error when an exception was being thrown (or rethrown?), will attempt to reproduce it if requested.

I get errors such as segmentation faults, valgrind errors, and attempts to allocate strings which are too large.

I managed to reproduce this in a dockerfile running centos 6.6, though I don't think it's OS specific.

Removing the xdebug.collect_params config from the php.ini removed any valgrind errors.

Steps To Reproduce

The steps to reproduce are found in https://github.com/TysonAndre-ContinuousIntegration/xdebug_segfault , which was uploaded here.

Php config options

export CFLAGS="-O3 -g"
export CXXFLAGS="$CFLAGS"
./configure --enable-exif --localstatedir=/var --sysconfdir=/etc --with-config-file-path=/etc --without-pdo-sqlite --without-sqlite3 --without-pear --enable-inline-optimization --enable-ctype --enable-session --enable-wddx --with-z lib=/usr --with-layout=GNU --enable-json --enable-filter --enable-hash --enable-bcmath=shared --enable-fd-setsize=10000 --enable-pcntl --enable-zend-signals --with-apxs2 --with-bz2 --enable-intl --enable-fpm --enable-phpdbg --enable-debugs

Xdebug config options

export CFLAGS="-O3 -g"
export CXXFLAGS="$CFLAGS"
./configure

php.ini

[PHP]
error_reporting = E_ALL | E_STRICT
display_errors = On
log_errors = On
report_memleaks = On
extension_dir="/usr/local/lib/php/20151012-debug"
include_path="."
[xdebug]
zend_extension="/usr/local/lib/php/20151012-debug/xdebug.so"
xdebug.profiler_enable=0
xdebug.collect_params=3
xdebug.remote_enable=1

Test file: https://github.com/TysonAndre-ContinuousIntegration/xdebug_segfault/blob/master/tests/test5.php

Additional Information

See https://github.com/TysonAndre-ContinuousIntegration/xdebug_segfault/blob/master/run_testcase_inner_valgrind.sh . The first valgrind error:

PHP Notice: Undefined property: client::$_url in /tests/test5.php on line 75
PHP Stack trace:
PHP 1. {main}() /tests/test5.php:0
PHP 2. main($a = TRUE) /tests/test5.php:100
==1== Invalid read of size 8
==1== at 0x8DE8098: xdebug_var_export (xdebug_var.c:1040)
==1== by 0x8DE88E9: xdebug_get_zval_value (xdebug_var.c:1169)
==1== by 0x8DDDA48: xdebug_log_stack (xdebug_stack.c:223)
==1== by 0x8DDF9A0: xdebug_error_cb (xdebug_stack.c:759)
==1== by 0x7A502E: zend_error (zend.c:1154)
==1== by 0x7EFB3C: zend_std_read_property (zend_object_handlers.c:621)
==1== by 0x83E302: ZEND_FETCH_OBJ_R_SPEC_UNUSED_CONST_HANDLER (zend_vm_execute.h:23544)
==1== by 0x807B74: ZEND_USER_OPCODE_SPEC_HANDLER (zend_vm_execute.h:1568)
==1== by 0x803F22: execute_ex (zend_vm_execute.h:417)
==1== by 0x8DC3CF9: xdebug_execute_ex (xdebug.c:1890)
==1== by 0x8086B9: ZEND_CALL_TRAMPOLINE_SPEC_HANDLER (zend_vm_execute.h:1750)
==1== by 0x803F22: execute_ex (zend_vm_execute.h:417)
==1== Address 0x8d73820 is 16 bytes inside a block of size 32 free'd
==1== at 0x4C27430: free (vg_replace_malloc.c:446)
==1== by 0x772220: _efree (zend_alloc.c:2461)
==1== by 0x7A1F84: zend_string_free (zend_string.h:263)
==1== by 0x7A23E1: _zval_dtor_func_for_ptr (zend_variables.c:90)
==1== by 0x802988: i_free_compiled_variables (zend_execute.c:2067)
==1== by 0x804380: zend_leave_helper_SPEC (zend_vm_execute.h:531)
==1== by 0x80BAD2: ZEND_RETURN_SPEC_CONST_HANDLER (zend_vm_execute.h:3100)
==1== by 0x807B74: ZEND_USER_OPCODE_SPEC_HANDLER (zend_vm_execute.h:1568)
==1== by 0x803F22: execute_ex (zend_vm_execute.h:417)
==1== by 0x8DC3CF9: xdebug_execute_ex (xdebug.c:1890)
==1== by 0x78E495: zend_call_function (zend_execute_API.c:866)
==1== by 0x7CCA47: zend_call_method (zend_interfaces.c:104)
==1==
==1== Invalid read of size 1
==1== at 0x4C29D21: memcpy (mc_replace_strmem.c:882)
==1== by 0x8DE5909: zend_string_init (zend_string.h:159)
==1== by 0x8DE80BC: xdebug_var_export (xdebug_var.c:1040)
==1== by 0x8DE88E9: xdebug_get_zval_value (xdebug_var.c:1169)
==1== by 0x8DDDA48: xdebug_log_stack (xdebug_stack.c:223)
==1== by 0x8DDF9A0: xdebug_error_cb (xdebug_stack.c:759)
==1== by 0x7A502E: zend_error (zend.c:1154)
==1== by 0x7EFB3C: zend_std_read_property (zend_object_handlers.c:621)
==1== by 0x83E302: ZEND_FETCH_OBJ_R_SPEC_UNUSED_CONST_HANDLER (zend_vm_execute.h:23544)
==1== by 0x807B74: ZEND_USER_OPCODE_SPEC_HANDLER (zend_vm_execute.h:1568)
==1== by 0x803F22: execute_ex (zend_vm_execute.h:417)
==1== by 0x8DC3CF9: xdebug_execute_ex (xdebug.c:1890)
==1== Address 0x8d73829 is 25 bytes inside a block of size 32 free'd
==1== at 0x4C27430: free (vg_replace_malloc.c:446)
==1== by 0x772220: _efree (zend_alloc.c:2461)
==1== by 0x7A1F84: zend_string_free (zend_string.h:263)
==1== by 0x7A23E1: _zval_dtor_func_for_ptr (zend_variables.c:90)
==1== by 0x802988: i_free_compiled_variables (zend_execute.c:2067)
==1== by 0x804380: zend_leave_helper_SPEC (zend_vm_execute.h:531)
==1== by 0x80BAD2: ZEND_RETURN_SPEC_CONST_HANDLER (zend_vm_execute.h:3100)
==1== by 0x807B74: ZEND_USER_OPCODE_SPEC_HANDLER (zend_vm_execute.h:1568)
==1== by 0x803F22: execute_ex (zend_vm_execute.h:417)
==1== by 0x8DC3CF9: xdebug_execute_ex (xdebug.c:1890)
==1== by 0x78E495: zend_call_function (zend_execute_API.c:866)
==1== by 0x7CCA47: zend_call_method (zend_interfaces.c:104)

TagsNo tags attached.
Attached Files
xdebug_segfault-master.zip (14,034 bytes)
test6.php (2,339 bytes)
test8.php (229 bytes)
Operating SystemCentos 6.5/6.6/(or all?)
PHP Version7.0.5-7.0.9

Activities

tyson

2016-07-21 20:04

reporter   ~0003650

I also see this error when xdebug.collect_params = 1 (along with other errors)

==1==
==1== Use of uninitialised value of size 8
==1== at 0x8DE8A3C: xdebug_var_synopsis (xdebug_var.c:1208)
==1== by 0x8DE8CD8: xdebug_get_zval_synopsis (xdebug_var.c:1285)
==1== by 0x8DDE4E9: add_single_value (xdebug_stack.c:389)
==1== by 0x8DDE9FC: xdebug_append_printable_stack (xdebug_stack.c:483)
==1== by 0x8DDEF71: get_printable_stack (xdebug_stack.c:580)
==1== by 0x8DDFC05: xdebug_error_cb (xdebug_stack.c:805)
==1== by 0x7A57CA: zend_error (zend.c:1154)
==1== by 0x7F0434: zend_std_read_property (zend_object_handlers.c:621)
==1== by 0x83EBBC: ZEND_FETCH_OBJ_R_SPEC_UNUSED_CONST_HANDLER (zend_vm_execute.h:23539)
==1== by 0x80846C: ZEND_USER_OPCODE_SPEC_HANDLER (zend_vm_execute.h:1568)
==1== by 0x80481A: execute_ex (zend_vm_execute.h:417)
==1== by 0x8DC3CF9: xdebug_execute_ex (xdebug.c:1890)

tyson

2016-07-21 20:25

reporter   ~0003651

I thought it might have been related to call_user_func*, but it happened even without the dynamic method name. A smaller version of the test case is test6.php

tyson

2016-07-21 20:45

reporter   ~0003652

I also tried test6.php with the latest commit on github, and still got errors ( https://github.com/xdebug/xdebug/commit/bcb45acb6c828ccf9e217a1f58db92658c6650cb )
https://github.com/TysonAndre-ContinuousIntegration/xdebug_segfault/blob/master/valgrind_output_for_xdebug-bcb45ac.txt

derick

2016-07-21 20:49

administrator   ~0003653

I'm looking at this, and also seeing the crash. Albeit in a different way. If you could work on continuing making the test case smaller, that'd be a great help.

tyson

2016-07-21 21:09

reporter   ~0003654

Last edited: 2016-07-21 21:09

Contents of test8.php after minimization between the quotes:

<?php

class client {
    public function __call($method, $params) {
        echo $this->_url;
    }
}

function main($a) {
    $service = new client();

    list($aaaa) = $service->callSomeMagicMethod_1($xxxxxxx);
}
main(true);

php.ini is the same as my other examples:

[PHP]
error_reporting  =  E_ALL  | E_STRICT
display_errors = On
log_errors = On
report_memleaks = On
extension_dir="/usr/local/lib/php/20151012-debug"
include_path="."
[xdebug]
zend_extension="/usr/local/lib/php/20151012-debug/xdebug.so"
xdebug.profiler_enable=0
xdebug.collect_params=3
xdebug.remote_enable=1

Valgrind output for me: https://github.com/TysonAndre-ContinuousIntegration/xdebug_segfault/blob/master/valgrind_test8-for-xdebug-bcb45ac.txt

tyson

2016-07-21 21:13

reporter   ~0003655

Also, did you want the ./configure script options to be "smaller" (And if so, what you call a standard config / compiler flags)?

derick

2016-07-21 21:24

administrator   ~0003656

No, I'm fine. Thanks. The test cases I have now are good enough.

derick

2016-12-17 19:21

administrator   ~0004079

I have an inkling that https://github.com/xdebug/xdebug/commit/90efb3aada7b0423a86462d10d6758ca3c384e75 might have fixed this - would you mind trying with the latest Git version?

tyson

2016-12-18 02:36

reporter   ~0004080

Last edited: 2016-12-18 02:39

It seems like it's fixed. (Will reopen this if the code the examples were derived from encounters different bugs)

I ran all 4 tests cases in https://github.com/TysonAndre-ContinuousIntegration/xdebug_segfault again with php 7.0.14. The crashes are fixed in the current xdebug master branch (bb535ed, which includes 90efb3aa)

The issue description could be amended to include 7.0.5-7.0.14 and xdebug 2.4.0-2.5.0 (I was able to reproduce the crashes/allocator error with xdebug 2.5.0 and php 7.0.14. There were no errors with xdebug master(2.6-dev?) and php 7.0.14)

derick

2016-12-19 12:49

administrator   ~0004091

Okay, let me close this as fixed then. Please create a new issue if you find further crashes etc.

Issue History

Date Modified Username Field Change
2016-07-21 19:25 tyson New Issue
2016-07-21 19:25 tyson File Added: xdebug_segfault-master.zip
2016-07-21 20:04 tyson Note Added: 0003650
2016-07-21 20:25 tyson Note Added: 0003651
2016-07-21 20:25 tyson File Added: test6.php
2016-07-21 20:45 tyson Note Added: 0003652
2016-07-21 20:49 derick Note Added: 0003653
2016-07-21 21:09 tyson Note Added: 0003654
2016-07-21 21:09 tyson Note Edited: 0003654
2016-07-21 21:10 tyson File Added: test8.php
2016-07-21 21:13 tyson Note Added: 0003655
2016-07-21 21:24 derick Note Added: 0003656
2016-07-31 12:36 derick Category Usage problems => Usage problems (Crashes)
2016-07-31 12:38 derick Category Usage problems (Crashes) => Usage problems (Wrong Results)
2016-12-04 16:06 derick Assigned To => derick
2016-12-04 16:06 derick Status new => acknowledged
2016-12-04 17:40 derick Status acknowledged => confirmed
2016-12-17 17:12 derick Severity major => crash
2016-12-17 19:21 derick Note Added: 0004079
2016-12-17 19:21 derick Status confirmed => feedback
2016-12-18 02:36 tyson Note Added: 0004080
2016-12-18 02:36 tyson Status feedback => assigned
2016-12-18 02:38 tyson Note Edited: 0004080
2016-12-18 02:39 tyson Note Edited: 0004080
2016-12-19 12:49 derick Note Added: 0004091
2016-12-19 12:49 derick Status assigned => closed
2016-12-19 12:49 derick Resolution open => fixed
2016-12-19 12:49 derick Fixed in Version => 2.5.1
2020-03-12 16:35 derick Category Usage problems (Wrong Results) => Variable Display
2020-03-12 16:38 derick Category Variable Display => Uncategorized