View Issue Details

ID: 0001459
Project: Xdebug
Category: Uncategorized
View Status: public
Last Update: 2018-01-29 21:48
Reporter: kenorb
Assigned To: derick
Priority: normal
Severity: crash
Reproducibility: always
Status: resolved
Resolution: unable to reproduce
Product Version: 2.5.5
Summary: 0001459: SIGSEGV in strx_printv/ap_php_vsnprintf/xdebug_sprintf
Description

I've added xdebug_start_trace(); in the processValue method and the Drupal 8 CMS is crashing on a certain page.

Steps To Reproduce

I don't have a minimal example, but it happens all the time on a certain page after adding xdebug_start_trace();

Additional Information

Process: httpd [10767]
Path: /usr/local/Cellar/httpd24/2.4.26/bin/httpd
Code Type: X86-64 (Native)
Parent Process: httpd [18204]
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000010
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 libsystem_c.dylib 0x00007fffa7c1bb92 strlen + 18
1 libphp7.so 0x00000001029768d1 strx_printv + 846
2 libphp7.so 0x0000000102977a87 ap_php_vsnprintf + 33
3 xdebug.so 0x000000010369a047 xdebug_sprintf + 181
4 xdebug.so 0x000000010368a6cc xdebug_common_assign_dim_handler + 204
5 xdebug.so 0x000000010368ae43 xdebug_qm_assign_handler + 27
6 libphp7.so 0x0000000102a46478 ZEND_USER_OPCODE_SPEC_HANDLER + 26
7 libphp7.so 0x0000000102a0c361 execute_ex + 25
8 xdebug.so 0x0000000103687d1e xdebug_execute_ex + 1953
9 libphp7.so 0x0000000102a20a67 ZEND_DO_FCALL_SPEC_HANDLER + 570
10 libphp7.so 0x0000000102a0c361 execute_ex + 25
11 xdebug.so 0x0000000103687d1e xdebug_execute_ex + 1953
12 libphp7.so 0x00000001029c218b zend_call_function + 1981
13 libphp7.so 0x00000001029c19c8 call_user_function_ex + 86
14 libphp7.so 0x00000001029d19a1 zend_error_va_list + 1594
15 libphp7.so 0x00000001029d1349 zend_error + 132
16 xdebug.so 0x000000010369aa18 zif_xdebug_start_trace + 74
17 xdebug.so 0x00000001036880eb xdebug_execute_internal + 429
18 libphp7.so 0x0000000102a20a2f ZEND_DO_FCALL_SPEC_HANDLER + 514
19 libphp7.so 0x0000000102a0c361 execute_ex + 25
20 xdebug.so 0x0000000103687d1e xdebug_execute_ex + 1953
21 libphp7.so 0x0000000102a20a67 ZEND_DO_FCALL_SPEC_HANDLER + 570
22 libphp7.so 0x0000000102a0c361 execute_ex + 25
23 xdebug.so 0x0000000103687d1e xdebug_execute_ex + 1953

Tags: No tags attached.
Operating System:
PHP Version: 7.0.20-7.0.24

Activities

kenorb

2017-07-29 16:06

reporter   ~0004386

Similar reports here:
https://github.com/phalcon/cphalcon/issues/1969
https://gist.github.com/tony2001/3f08bfc9b1632ad630eb

kenorb

2017-08-01 20:06

reporter   ~0004388

Same with Xdebug v2.6.0-dev

kenorb

2017-08-20 15:30

reporter   ~0004396

Backtrace from current master branch:

* thread #1, stop reason = signal SIGSTOP
  * frame #0: 0x00007fff8a2f8b92 libsystem_c.dylib`strlen + 18
    frame #1: 0x000000010d0b1111 php71`strx_printv + 878
    frame #2: 0x000000010d0b22d7 php71`ap_php_vsnprintf + 33
    frame #3: 0x000000010df0fbdd xdebug.so`xdebug_sprintf(fmt="$%s") at xdebug_str.c:97 [opt]
    frame #4: 0x000000010deff1aa xdebug.so`xdebug_common_assign_dim_handler [inlined] xdebug_find_var_name(execute_data=0x000000010e01c4e0) at xdebug_code_coverage.c:179 [opt]
    frame #5: 0x000000010deff16e xdebug.so`xdebug_common_assign_dim_handler(op=<unavailable>, do_cc=<unavailable>, execute_data=<unavailable>) at xdebug_code_coverage.c:343 [opt]
    frame #6: 0x000000010deff9ab xdebug.so`xdebug_qm_assign_handler(execute_data=<unavailable>) at xdebug_code_coverage.c:395 [opt]
    frame #7: 0x000000010d1858b3 php71`ZEND_USER_OPCODE_SPEC_HANDLER + 26
    frame #8: 0x000000010d142e9e php71`execute_ex + 56

(lldb) frame select 4
xdebug.so was compiled with optimization - stepping may behave oddly; variables may not be available.
frame #4: 0x000000010deff1aa xdebug.so`xdebug_common_assign_dim_handler [inlined] xdebug_find_var_name(execute_data=0x000000010e01c4e0) at xdebug_code_coverage.c:179 [opt]
   176
   177 if (cur_opcode->opcode == ZEND_QM_ASSIGN) {
   178 #if PHP_VERSION_ID >= 70000
-> 179 xdebug_str_add(&name, xdebug_sprintf("$%s", zend_get_compiled_variable_name(op_array, cur_opcode->result.var)->val), 1);
   180 #else
   181 xdebug_str_add(&name, xdebug_sprintf("$%s", zend_get_compiled_variable_name(op_array, cur_opcode->result.var, &cv_len)), 1);
   182 #endif
(lldb) frame select 5
frame #5: 0x000000010deff16e xdebug.so`xdebug_common_assign_dim_handler(op=<unavailable>, do_cc=<unavailable>, execute_data=<unavailable>) at xdebug_code_coverage.c:343 [opt]
   340 }
   341 }
   342 if (XG(do_trace) && XG(trace_context) && XG(collect_assignments)) {
-> 343 full_varname = xdebug_find_var_name(execute_data TSRMLS_CC);
(lldb) frame select 3
frame #3: 0x000000010df0fbdd xdebug.so`xdebug_sprintf(fmt="$%s") at xdebug_str.c:97 [opt]
   94 int n;
   95
   96 va_start(args, fmt);
-> 97 n = vsnprintf(new_str, size, fmt, args);
   98 va_end(args);
   99
   100 if (n > -1 && n < size) {
(lldb) frame select 2
frame #2: 0x000000010d0b22d7 php71`ap_php_vsnprintf + 33
php71`ap_php_vsnprintf:
    0x10d0b22d7 <+33>: movl (%rbx), %eax
    0x10d0b22d9 <+35>: addq $0x8, %rsp
    0x10d0b22dd <+39>: popq %rbx
    0x10d0b22de <+40>: popq %rbp

kenorb

2017-08-20 16:38

reporter   ~0004397

This is a regression introduced in commit 5d611dfaa1351aa38b6744f31bedd2f137c882a5. See this PR for more details: https://github.com/xdebug/xdebug/pull/363

derick

2017-09-02 08:41

administrator   ~0004400

I am going to need a small reproducible case here, or at the very least a reproducible case without any dependencies besides the code.

A small case shouldn't be very hard to make as tracing tells you exactly where in the code something crashes (or rather, it tells you which line was executed before the crash).

Simply making a trace (with xdebug.auto_trace=1, xdebug.collect_params=4, xdebug.collect_returns=1, xdebug.collect_assignments=1) should tell you the file/line combination, and hence, should allow you to find out a minimal case.
As this seems to happen in reconstructing variable names, the pattern of the variable on each side of the QM_ASSIGN is going to be important.
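
Added example, not part of the note above and not Xdebug code: a Python helper that reads a human-readable trace cut short by a crash and reports the last entry carrying a file/line location, which is the triage step the note describes. The sample trace, its paths and the assumed line layout (`->` for calls, `=>` for assignments, `>=>` for return values, `TRACE END` on a clean finish) are constructed for illustration.

```python
import re

# Located entries: optional "time memory" columns, then "->" (call) or
# "=>" (assignment), the entry text, and a trailing "<file>:<line>".
# Return-value lines (">=>") carry no location and never match.
# Assumption: file paths contain no whitespace.
ENTRY = re.compile(
    r"^\s*(?:[\d.]+\s+\d+\s+)?(?P<marker>->|=>)\s+(?P<body>.*)\s"
    r"(?P<file>\S+):(?P<line>\d+)\s*$"
)
KINDS = {"->": "call", "=>": "assignment"}


def last_location(trace_text):
    """Return (kind, file, line, complete) for the last located entry.

    complete is True only if a TRACE END line was seen, i.e. the
    process did not die while the trace was still being written.
    Returns None when the trace holds no located entry at all.
    """
    last = None
    complete = False
    for raw in trace_text.splitlines():
        if raw.startswith("TRACE END"):
            complete = True
            continue
        m = ENTRY.match(raw)
        if m:
            last = (KINDS[m["marker"]], m["file"], int(m["line"]))
    if last is None:
        return None
    return last + (complete,)


# Constructed sample: a trace that stops without a TRACE END line.
SAMPLE_TRACE = """\
TRACE START [2017-08-20 15:30:00]
    0.0003     393464   -> {main}() /var/www/index.php:0
    0.0010     394000     -> processValue(array (...)) /var/www/Form.php:40
                           => $value = NULL /var/www/Form.php:42
    0.0012     394100       -> is_array(NULL) /var/www/Form.php:44
    0.0012     394100        >=> FALSE
                           => $element['#value'] = '' /var/www/Form.php:47
"""

if __name__ == "__main__":
    print(last_location(SAMPLE_TRACE))
```

When `complete` is false, the reported file and line are the last thing the tracer wrote before the process died, so the statement that follows it in the source is the place to start cutting down a test case.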

derick

2017-11-01 21:41

administrator   ~0004448

I believe this is a duplicate of 0001474, which is fixed in the master branch on GitHub. Can you try that please?

derick

2018-01-29 21:48

administrator   ~0004580

Can't reproduce this, and no feedback provided.

Issue History

Date Modified Username Field Change
2017-07-28 18:28 kenorb New Issue
2017-07-29 16:06 kenorb Note Added: 0004386
2017-08-01 20:06 kenorb Note Added: 0004388
2017-08-20 15:30 kenorb Note Added: 0004396
2017-08-20 16:38 kenorb Note Added: 0004397
2017-09-02 08:41 derick Note Added: 0004400
2017-09-02 08:41 derick Assigned To => derick
2017-09-02 08:41 derick Status new => feedback
2017-11-01 21:41 derick Note Added: 0004448
2018-01-29 21:48 derick Note Added: 0004580
2018-01-29 21:48 derick Status feedback => resolved
2018-01-29 21:48 derick Resolution open => unable to reproduce
2020-03-12 16:35 derick Category Usage problems (Wrong Results) => Variable Display
2020-03-12 16:38 derick Category Variable Display => Uncategorized