MantisBT

ID: 0001459
Project: Xdebug
Category: Usage problems (Wrong Results)
View Status: public
Date Submitted: 2017-07-28 19:28
Last Update: 2017-09-02 09:41
Reporter: kenorb
Assigned To: derick
Priority: normal
Severity: crash
Reproducibility: always
Status: feedback
Resolution: open
Platform:
OS:
OS Version:
Product Version: 2.5.5
Target Version:
Fixed in Version:
Summary: 0001459: SIGSEGV in strx_printv/ap_php_vsnprintf/xdebug_sprintf
Description: I've added in xdebug_start_trace(); processValue method and the Drupal 8 CMS is crashing on a certain page.
Steps To Reproduce: Don't have minimum example, but it happens all the time on a certain page after adding xdebug_start_trace();
Additional Information:
Process: httpd [10767]
Path: /usr/local/Cellar/httpd24/2.4.26/bin/httpd
Code Type: X86-64 (Native)
Parent Process: httpd [18204]
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000010
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 libsystem_c.dylib 0x00007fffa7c1bb92 strlen + 18
1 libphp7.so 0x00000001029768d1 strx_printv + 846
2 libphp7.so 0x0000000102977a87 ap_php_vsnprintf + 33
3 xdebug.so 0x000000010369a047 xdebug_sprintf + 181
4 xdebug.so 0x000000010368a6cc xdebug_common_assign_dim_handler + 204
5 xdebug.so 0x000000010368ae43 xdebug_qm_assign_handler + 27
6 libphp7.so 0x0000000102a46478 ZEND_USER_OPCODE_SPEC_HANDLER + 26
7 libphp7.so 0x0000000102a0c361 execute_ex + 25
8 xdebug.so 0x0000000103687d1e xdebug_execute_ex + 1953
9 libphp7.so 0x0000000102a20a67 ZEND_DO_FCALL_SPEC_HANDLER + 570
10 libphp7.so 0x0000000102a0c361 execute_ex + 25
11 xdebug.so 0x0000000103687d1e xdebug_execute_ex + 1953
12 libphp7.so 0x00000001029c218b zend_call_function + 1981
13 libphp7.so 0x00000001029c19c8 call_user_function_ex + 86
14 libphp7.so 0x00000001029d19a1 zend_error_va_list + 1594
15 libphp7.so 0x00000001029d1349 zend_error + 132
16 xdebug.so 0x000000010369aa18 zif_xdebug_start_trace + 74
17 xdebug.so 0x00000001036880eb xdebug_execute_internal + 429
18 libphp7.so 0x0000000102a20a2f ZEND_DO_FCALL_SPEC_HANDLER + 514
19 libphp7.so 0x0000000102a0c361 execute_ex + 25
20 xdebug.so 0x0000000103687d1e xdebug_execute_ex + 1953
21 libphp7.so 0x0000000102a20a67 ZEND_DO_FCALL_SPEC_HANDLER + 570
22 libphp7.so 0x0000000102a0c361 execute_ex + 25
23 xdebug.so 0x0000000103687d1e xdebug_execute_ex + 1953
Tags: No tags attached.
Operating System:
PHP Version: 7.0.20-7.0.24
Attached Files:

- Relationships

-  Notes
(0004386)
kenorb (reporter)
2017-07-29 17:06

Similar reports here:
https://github.com/phalcon/cphalcon/issues/1969
https://gist.github.com/tony2001/3f08bfc9b1632ad630eb
(0004388)
kenorb (reporter)
2017-08-01 21:06

Same with Xdebug v2.6.0-dev
(0004396)
kenorb (reporter)
2017-08-20 16:30

Backtrace from current master branch:

* thread #1, stop reason = signal SIGSTOP
  * frame #0: 0x00007fff8a2f8b92 libsystem_c.dylib`strlen + 18
    frame #1: 0x000000010d0b1111 php71`strx_printv + 878
    frame #2: 0x000000010d0b22d7 php71`ap_php_vsnprintf + 33
    frame #3: 0x000000010df0fbdd xdebug.so`xdebug_sprintf(fmt="$%s") at xdebug_str.c:97 [opt]
    frame #4: 0x000000010deff1aa xdebug.so`xdebug_common_assign_dim_handler [inlined] xdebug_find_var_name(execute_data=0x000000010e01c4e0) at xdebug_code_coverage.c:179 [opt]
    frame #5: 0x000000010deff16e xdebug.so`xdebug_common_assign_dim_handler(op=<unavailable>, do_cc=<unavailable>, execute_data=<unavailable>) at xdebug_code_coverage.c:343 [opt]
    frame #6: 0x000000010deff9ab xdebug.so`xdebug_qm_assign_handler(execute_data=<unavailable>) at xdebug_code_coverage.c:395 [opt]
    frame #7: 0x000000010d1858b3 php71`ZEND_USER_OPCODE_SPEC_HANDLER + 26
    frame #8: 0x000000010d142e9e php71`execute_ex + 56
(lldb) frame select 4
xdebug.so was compiled with optimization - stepping may behave oddly; variables may not be available.
frame #4: 0x000000010deff1aa xdebug.so`xdebug_common_assign_dim_handler [inlined] xdebug_find_var_name(execute_data=0x000000010e01c4e0) at xdebug_code_coverage.c:179 [opt]
   176
   177 if (cur_opcode->opcode == ZEND_QM_ASSIGN) {
   178 #if PHP_VERSION_ID >= 70000
-> 179 xdebug_str_add(&name, xdebug_sprintf("$%s", zend_get_compiled_variable_name(op_array, cur_opcode->result.var)->val), 1);
   180 #else
   181 xdebug_str_add(&name, xdebug_sprintf("$%s", zend_get_compiled_variable_name(op_array, cur_opcode->result.var, &cv_len)), 1);
   182 #endif
(lldb) frame select 5
frame #5: 0x000000010deff16e xdebug.so`xdebug_common_assign_dim_handler(op=<unavailable>, do_cc=<unavailable>, execute_data=<unavailable>) at xdebug_code_coverage.c:343 [opt]
   340 }
   341 }
   342 if (XG(do_trace) && XG(trace_context) && XG(collect_assignments)) {
-> 343 full_varname = xdebug_find_var_name(execute_data TSRMLS_CC);
(lldb) frame select 3
frame #3: 0x000000010df0fbdd xdebug.so`xdebug_sprintf(fmt="$%s") at xdebug_str.c:97 [opt]
   94 int n;
   95
   96 va_start(args, fmt);
-> 97 n = vsnprintf(new_str, size, fmt, args);
   98 va_end(args);
   99
   100 if (n > -1 && n < size) {
(lldb) frame select 2
frame #2: 0x000000010d0b22d7 php71`ap_php_vsnprintf + 33
php71`ap_php_vsnprintf:
    0x10d0b22d7 <+33>: movl (%rbx), %eax
    0x10d0b22d9 <+35>: addq $0x8, %rsp
    0x10d0b22dd <+39>: popq %rbx
    0x10d0b22de <+40>: popq %rbp
(0004397)
kenorb (reporter)
2017-08-20 17:38

This is a regression introduced in 5d611dfaa1351aa38b6744f31bedd2f137c882a5 commit. See this PR for more details: https://github.com/xdebug/xdebug/pull/363
(0004400)
derick (administrator)
2017-09-02 09:41

I am going to need a small reproducible case here, or at the very least a reproducible case without any dependencies besides the code.

A small case shouldn't be very hard to make as tracing tells you exactly where in the code something crashes (or rather, it tells you which line was executed before the crash).

Simply making a trace (with xdebug.auto_trace=1, xdebug.collect_params=4, xdebug.collect_returns=1, xdebug.collect_assignments=1) should tell you the file/line combination, and hence, should allow you to find out a minimal case.
As this seems to happen in reconstructing variable names, the pattern of the variable on each side of the QM_ASSIGN is going to be important.
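
One way to apply the tracing suggestion in the note above, as an added example that is not part of the original report or of Xdebug's own tooling: read a trace that stops where the process died and report the last complete call or assignment record, which is where to start cutting down a test case. It assumes the human-readable trace layout in which each call and assignment record ends in `file:line`; the sample trace, its paths and the helper name `last_location` are constructed for illustration.

```python
import re

# Constructed sample (paths and values are made up): a human-readable trace
# that stops mid-record, with no trailing newline, as after a crash.
SAMPLE_TRACE = (
    "TRACE START [2017-08-20 16:30:00]\n"
    "    0.0004     361528   -> {main}() /var/www/index.php:0\n"
    "    0.0011     362904     -> processValue($value = 'a') /var/www/src/Form.php:41\n"
    "                           => $key = 'a' /var/www/src/Form.php:87\n"
    "                           => $label = 'b' /var/www/src/Form.php:88\n"
    "    0.0013     363"
)

# Assumed layout: a complete call or assignment record ends in "<file>:<line>".
# Paths containing spaces are only captured from their last space onward.
LOCATION = re.compile(r"\s(\S+):(\d+)$")
ASSIGNMENT = re.compile(r"^\s*=>\s")


def last_location(trace_text):
    """Return (file, line, kind) for the last complete record, or None."""
    lines = trace_text.splitlines()
    # A final line without a newline was still being written when the process
    # died; drop it even if it happens to look complete.
    if lines and not trace_text.endswith("\n"):
        lines.pop()
    last = None
    for raw in lines:
        m = LOCATION.search(raw.rstrip())
        if m is None:
            continue  # header, return value, or a record without a location
        kind = "assignment" if ASSIGNMENT.match(raw) else "call"
        last = (m.group(1), int(m.group(2)), kind)
    return last


if __name__ == "__main__":
    print(last_location(SAMPLE_TRACE))
```
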

- Issue History
Date Modified Username Field Change
2017-07-28 19:28 kenorb New Issue
2017-07-29 17:06 kenorb Note Added: 0004386
2017-08-01 21:06 kenorb Note Added: 0004388
2017-08-20 16:30 kenorb Note Added: 0004396
2017-08-20 17:38 kenorb Note Added: 0004397
2017-09-02 09:41 derick Note Added: 0004400
2017-09-02 09:41 derick Assigned To => derick
2017-09-02 09:41 derick Status new => feedback

