MantisBT

ID: 0001454
Project: Xdebug
Category: Usage problems (Wrong Results)
View Status: public
Date Submitted: 2017-07-14 23:11
Last Update: 2017-11-05 14:12
Reporter: tyson
Assigned To: derick
Priority: normal
Severity: minor
Reproducibility: always
Status: assigned
Resolution: open
Platform: Any
OS:
OS Version:
Product Version: 2.5.5
Target Version: 2.6.0dev
Fixed in Version:

Summary: 0001454: Seeing invalid memory read or segfaults from a __call() method when running unit test (using Phockito) in php 7.1

Description: A unit test (internally used with a lot of dependencies) was segfaulting when using https://github.com/ifwe/phockito/blob/6e6011301ac5f6e62a49b6c4931cc4180e12d6e5/Phockito.php#L837

The conditions for the invalid memory reads with xdebug are unknown, but it happens when a Phockito test fails and attempts to throw an exception indicating this. It likely has something to do with the fact it's happening in __call().

https://github.com/TysonAndre/xdebug_invalidread_phockito has a simplified version of that test, which consistently emits invalid memory read errors when run under valgrind.

- Before merging multiple files into a single file, it would consistently emit invalid memory read errors, then segfault.

I haven't tested php 7.1 yet. I was able to reproduce this in Centos 6.5 and Ubuntu (dockerized).
Steps To Reproduce: Run the below command (must include collect_params=3; if collect_params=0 is used, there are no invalid memory reads).

USE_ZEND_ALLOC=0 valgrind php --no-php-ini -d zend_extension=xdebug.so -d xdebug.collect_params=3 invalid_read_test.php

Additional Information: It seems to happen when reading the contents of temporary un-named variables of the function, in order to create a stack trace. I've seen attempts to dump zvals with (type 6) strings with negative refcounts, as well as zvals with (type 8) values with invalid object handlers and class entries.

Various valgrind errors such as the below were seen.

==7== Invalid read of size 8
==7==    at 0x9488663: xdebug_var_export (xdebug_var.c:1083)
==7==    by 0x9488EA6: xdebug_get_zval_value (xdebug_var.c:1212)
==7==    by 0x948148B: add_single_value (xdebug_stack.c:397)
==7==    by 0x948148B: xdebug_append_printable_stack (xdebug_stack.c:486)
==7==    by 0x946D677: xdebug_throw_exception_hook (xdebug.c:1650)
==7==    by 0x1ED300: zend_throw_exception_internal (in /usr/bin/php7.1)
==7==    by 0x3DADA7: ??? (in /usr/bin/php7.1)
==7==    by 0x3C0ADA: execute_ex (in /usr/bin/php7.1)
==7==    by 0x946ECF5: xdebug_execute_ex (xdebug.c:2056)
==7==    by 0x418CCB: ??? (in /usr/bin/php7.1)
==7==    by 0x3C0ADA: execute_ex (in /usr/bin/php7.1)
==7==    by 0x946ECF5: xdebug_execute_ex (xdebug.c:2056)
==7==    by 0x419E3B: ??? (in /usr/bin/php7.1)
==7==  Address 0x97c6d10 is 16 bytes inside a block of size 4,096 free'd
==7==    at 0x4C2ED5B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7==    by 0x419CF7: ??? (in /usr/bin/php7.1)
==7==    by 0x3C0ADA: execute_ex (in /usr/bin/php7.1)
==7==    by 0x946ECF5: xdebug_execute_ex (xdebug.c:2056)
==7==    by 0x418CCB: ??? (in /usr/bin/php7.1)
==7==    by 0x3C0ADA: execute_ex (in /usr/bin/php7.1)
==7==    by 0x946ECF5: xdebug_execute_ex (xdebug.c:2056)
==7==    by 0x419E3B: ??? (in /usr/bin/php7.1)
==7==    by 0x3C0ADA: execute_ex (in /usr/bin/php7.1)
==7==    by 0x946ECF5: xdebug_execute_ex (xdebug.c:2056)
==7==    by 0x419E3B: ??? (in /usr/bin/php7.1)
==7==    by 0x3C0ADA: execute_ex (in /usr/bin/php7.1)
==7==  Block was alloc'd at
==7==    at 0x4C2FD4F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7==    by 0x34C6A8: __zend_realloc (in /usr/bin/php7.1)
==7==    by 0x3B9B3E: smart_str_erealloc (in /usr/bin/php7.1)
==7==    by 0x2F1555: php_var_export_ex (in /usr/bin/php7.1)
==7==    by 0x2F0C86: php_var_export_ex (in /usr/bin/php7.1)
==7==    by 0x2F1830: zif_var_export (in /usr/bin/php7.1)
==7==    by 0x946F7BC: xdebug_execute_internal (xdebug.c:2208)
==7==    by 0x4197DB: ??? (in /usr/bin/php7.1)
==7==    by 0x3C0ADA: execute_ex (in /usr/bin/php7.1)
==7==    by 0x946ECF5: xdebug_execute_ex (xdebug.c:2056)
==7==    by 0x418CCB: ??? (in /usr/bin/php7.1)
==7==    by 0x3C0ADA: execute_ex (in /usr/bin/php7.1)
==7==
==7== Invalid read of size 8
==7==    at 0x4C345C0: memmove (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7==    by 0x948869F: memcpy (string3.h:53)
==7==    by 0x948869F: zend_string_init (zend_string.h:160)
==7==    by 0x948869F: xdebug_var_export (xdebug_var.c:1083)
==7==    by 0x9488EA6: xdebug_get_zval_value (xdebug_var.c:1212)
==7==    by 0x948148B: add_single_value (xdebug_stack.c:397)
==7==    by 0x948148B: xdebug_append_printable_stack (xdebug_stack.c:486)
==7==    by 0x946D677: xdebug_throw_exception_hook (xdebug.c:1650)
==7==    by 0x1ED300: zend_throw_exception_internal (in /usr/bin/php7.1)
==7==    by 0x3DADA7: ??? (in /usr/bin/php7.1)
==7==    by 0x3C0ADA: execute_ex (in /usr/bin/php7.1)
==7==    by 0x946ECF5: xdebug_execute_ex (xdebug.c:2056)
==7==    by 0x418CCB: ??? (in /usr/bin/php7.1)
==7==    by 0x3C0ADA: execute_ex (in /usr/bin/php7.1)
==7==    by 0x946ECF5: xdebug_execute_ex (xdebug.c:2056)
Tags: No tags attached.
Operating System: Centos/Ubuntu/any
PHP Version: 7.1.5-7.1.9
Attached Files:
invalid_read_test.php (118,932 bytes) 2017-07-14 23:11
invalid_read_test_simplified.php (1,292 bytes) 2017-09-27 00:13
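
Added example (not part of the original report and not Xdebug code): a small Python triage helper that reads a Memcheck report like the one above, separates the access, free and allocation stacks, and names the first frame with source information. The function names, the allocator-wrapper list and the shortened sample are assumptions made for illustration; only the "bytes inside a block" address form seen in this report is handled.

```python
import re
# Excerpt of the Memcheck report quoted in this issue (stacks shortened).
SAMPLE = """\
==7== Invalid read of size 8
==7==    at 0x9488663: xdebug_var_export (xdebug_var.c:1083)
==7==    by 0x946D677: xdebug_throw_exception_hook (xdebug.c:1650)
==7==  Address 0x97c6d10 is 16 bytes inside a block of size 4,096 free'd
==7==    at 0x4C2ED5B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7==  Block was alloc'd at
==7==    at 0x4C2FD4F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7==    by 0x34C6A8: __zend_realloc (in /usr/bin/php7.1)
==7==    by 0x3B9B3E: smart_str_erealloc (in /usr/bin/php7.1)
"""

PREFIX = re.compile(r"^==\d+==\s?")
HEAD = re.compile(r"Invalid (read|write) of size (\d+)")
FRAME = re.compile(r"^\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.*)\)$")
ADDR = re.compile(r"^\s*Address 0x[0-9A-Fa-f]+ is ([\d,]+) bytes inside "
                  r"a block of size ([\d,]+) (free'd|alloc'd)")

def parse_memcheck(text):
    """Return one dict per invalid access with its access, free and alloc stacks."""
    errors, cur, stack = [], None, None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw)
        if (m := HEAD.match(line)):
            cur = {"op": m[1], "size": int(m[2]), "state": None,
                   "access": [], "free": [], "alloc": []}
            errors.append(cur)
            stack = cur["access"]
        elif cur is None:
            continue  # text before the first error header
        elif (a := ADDR.match(line)):
            cur["offset"] = int(a[1].replace(",", ""))
            cur["block_size"] = int(a[2].replace(",", ""))
            cur["state"] = a[3]
            stack = cur["free"] if a[3] == "free'd" else cur["alloc"]
        elif line.strip() == "Block was alloc'd at":
            stack = cur["alloc"]
        elif (f := FRAME.match(line)):
            stack.append((f[1], f[2]))  # (function, location)
    return errors

def triage(err):
    """Classify the error and name the first frame with file:line debug info."""
    site = next((fr for fr in err["access"] if not fr[1].startswith("in ")), None)
    # Assumed list of allocator wrappers to skip when looking for the buffer's owner.
    wrappers = {"malloc", "calloc", "realloc", "__zend_malloc", "__zend_realloc"}
    owner = next((fn for fn, _ in err["alloc"] if fn not in wrappers), None)
    kind = "use-after-free" if err["state"] == "free'd" else "unclassified"
    return {"kind": kind, "op": err["op"], "site": site, "allocated_by": owner}
```

On the excerpt this reports a use-after-free read at xdebug_var_export (xdebug_var.c:1083) of a buffer that was requested through smart_str_erealloc.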

Notes
(0004370)
derick (administrator)
2017-07-15 10:58

I can reproduce this.
(0004428)
derick (administrator)
2017-09-26 23:28

I just had a look at this again, and I can still reproduce it. However, I found out that the simplified test was still 4000 lines, which I wouldn't particularly call "simple". With this much data, it's really hard to figure out what causes the problem :-/

If you have some time, could you help out by simplifying this test case even more?
(0004429)
tyson (reporter)
2017-09-27 00:14

I simplified it even more. See https://github.com/TysonAndre/xdebug_invalidread_phockito for the steps. I also uploaded the final simplified version (60 lines).

Issue History
Date Modified Username Field Change
2017-07-14 23:11 tyson New Issue
2017-07-14 23:11 tyson File Added: invalid_read_test.php
2017-07-15 10:58 derick Note Added: 0004370
2017-07-15 10:58 derick Assigned To => derick
2017-07-15 10:58 derick Status new => confirmed
2017-07-15 10:59 derick Target Version => 2.5.6
2017-09-26 23:28 derick Note Added: 0004428
2017-09-26 23:28 derick Status confirmed => feedback
2017-09-27 00:13 tyson File Added: invalid_read_test_simplified.php
2017-09-27 00:14 tyson Note Added: 0004429
2017-09-27 00:14 tyson Status feedback => assigned
2017-11-05 14:12 derick Target Version 2.5.6 => 2.6.0dev

