MantisBT

ID: 0001583
Project: Xdebug
Category: Feature/Change request
View Status: public
Date Submitted: 2018-10-25 11:27
Last Update: 2019-01-21 16:01
Reporter: kmdm
Assigned To: derick
Priority: high
Severity: crash
Reproducibility: have not tried
Status: confirmed
Resolution: open
Platform: Linux
OS: Debian
OS Version: 7
Product Version: 2.7.0beta1
Target Version:
Fixed in Version:
Summary: 0001583: xdebug 2.7.0beta1 SIGSEGV while running some php scripts on PHP 7.3.0RC3
Description: The segfault occurs when running certain scripts in our codebase, I've attached the gdb backtrace.
Steps To Reproduce: N/A -- pending test case script which can trigger the issue
Additional Information:
Program received signal SIGSEGV, Segmentation fault.
zval_addref_p (pz=<optimized out>) at /build/php7.3-7.3.0~rc3/Zend/zend_types.h:1017
1017 /build/php7.3-7.3.0~rc3/Zend/zend_types.h: No such file or directory.
(gdb) bt
#0 zval_addref_p (pz=<optimized out>) at /build/php7.3-7.3.0~rc3/Zend/zend_types.h:1017
#1 ZEND_SEND_VAR_EX_SPEC_CV_QUICK_HANDLER (execute_data=0x2aaaad420dc0) at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:37385
#2 0x0000555555802170 in execute_ex (ex=<optimized out>) at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:55287
#3 0x00002aaaad89a7bc in xdebug_execute_ex (execute_data=0x2aaaad420dc0)
    at /build/xdebug-2.7.0~beta1+2.6.1+2.5.5/build-7.3/xdebug.c:1868
#4 0x0000555555851299 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (execute_data=0x2aaaad420ca0)
    at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:961
#5 0x0000555555802170 in execute_ex (ex=<optimized out>) at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:55287
#6 0x00002aaaad89a7bc in xdebug_execute_ex (execute_data=0x2aaaad420ca0)
    at /build/xdebug-2.7.0~beta1+2.6.1+2.5.5/build-7.3/xdebug.c:1868
#7 0x0000555555850ec8 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (execute_data=0x2aaaad420b70)
    at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:1083
#8 0x0000555555802170 in execute_ex (ex=<optimized out>) at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:55287
#9 0x00002aaaad89a7bc in xdebug_execute_ex (execute_data=0x2aaaad420b70)
    at /build/xdebug-2.7.0~beta1+2.6.1+2.5.5/build-7.3/xdebug.c:1868
#10 0x0000555555850ec8 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (execute_data=0x2aaaad420a10)
    at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:1083
#11 0x0000555555802170 in execute_ex (ex=<optimized out>) at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:55287
#12 0x00002aaaad89a7bc in xdebug_execute_ex (execute_data=0x2aaaad420a10)
    at /build/xdebug-2.7.0~beta1+2.6.1+2.5.5/build-7.3/xdebug.c:1868
#13 0x0000555555851299 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (execute_data=0x2aaaad420940)
    at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:961
#14 0x0000555555802170 in execute_ex (ex=<optimized out>) at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:55287
#15 0x00002aaaad89a7bc in xdebug_execute_ex (execute_data=0x2aaaad420940)
    at /build/xdebug-2.7.0~beta1+2.6.1+2.5.5/build-7.3/xdebug.c:1868
#16 0x0000555555850ec8 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (execute_data=0x2aaaad420860)
    at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:1083
#17 0x0000555555802170 in execute_ex (ex=<optimized out>) at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:55287
#18 0x00002aaaad89a7bc in xdebug_execute_ex (execute_data=0x2aaaad420860)
    at /build/xdebug-2.7.0~beta1+2.6.1+2.5.5/build-7.3/xdebug.c:1868
#19 0x0000555555851299 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (execute_data=0x2aaaad420740)
    at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:961
#20 0x0000555555802170 in execute_ex (ex=<optimized out>) at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:55287
#21 0x00002aaaad89a7bc in xdebug_execute_ex (execute_data=0x2aaaad420740)
    at /build/xdebug-2.7.0~beta1+2.6.1+2.5.5/build-7.3/xdebug.c:1868
#22 0x0000555555851299 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (execute_data=0x2aaaad4206c0)
    at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:961
#23 0x0000555555802170 in execute_ex (ex=<optimized out>) at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:55287
#24 0x00002aaaad89a7bc in xdebug_execute_ex (execute_data=0x2aaaad4206c0)
    at /build/xdebug-2.7.0~beta1+2.6.1+2.5.5/build-7.3/xdebug.c:1868
#25 0x0000555555851299 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (execute_data=0x2aaaad420650)
    at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:961
#26 0x0000555555802170 in execute_ex (ex=<optimized out>) at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:55287
#27 0x00002aaaad89a7bc in xdebug_execute_ex (execute_data=0x2aaaad420650)
    at /build/xdebug-2.7.0~beta1+2.6.1+2.5.5/build-7.3/xdebug.c:1868
#28 0x0000555555851299 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (execute_data=0x2aaaad420030)
    at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:961
#29 0x0000555555802170 in execute_ex (ex=<optimized out>) at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:55287
#30 0x00002aaaad89a7bc in xdebug_execute_ex (execute_data=0x2aaaad420030)
    at /build/xdebug-2.7.0~beta1+2.6.1+2.5.5/build-7.3/xdebug.c:1868
#31 0x000055555585167a in zend_execute (op_array=op_array@entry=0x2aaaad48c000, return_value=return_value@entry=0x0)
    at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:60834
#32 0x00005555557c5614 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3)
    at /build/php7.3-7.3.0~rc3/Zend/zend.c:1568
#33 0x0000555555764588 in php_execute_script (primary_file=primary_file@entry=0x7fffffffea60)
    at /build/php7.3-7.3.0~rc3/main/main.c:2630
#34 0x000055555562571e in main (argc=<optimized out>, argv=<optimized out>) at /build/php7.3-7.3.0~rc3/sapi/fpm/fpm/fpm_main.c:1947
Tags: No tags attached.
Operating System: Linux
PHP Version: 7.3-dev
Attached Files:

- Relationships
has duplicate 0001607 (resolved, derick): Warning Illegal offset type when using XDebug and Opcache with PHP 7.3
has duplicate 0001612 (resolved, derick): Wrong default parameter when using xdebug
has duplicate 0001592 (resolved, derick): Removes the default constant ENT_QUOTES

- Notes
(0004712)
derick (administrator)
2018-10-25 11:53

Hi,

I'm going to need a (short) script to reproduce this. Please note, that 2.7.0-beta1 is still a pre-release version, and that there are still issues with it. A short script to reproduce this will expedite fixes.

cheers,
Derick
(0004713)
kmdm (reporter)
2018-10-25 12:37

Ok, I've got one. It only crashes in the FPM SAPI in my testing and not CLI.

PHP:
<?php
class Foo
{
    public function __destruct() { $this->shutdown(); }
    public function shutdown($how=STREAM_SHUT_RDWR) { }
}

function get_it()
{
    return false;

}

$x = new Foo();
$x->shutdown();
echo json_encode(['x'=>get_it()]);

GDB (BT):
#0 i_free_compiled_variables (execute_data=0x2aaaad420080) at /build/php7.3-7.3.0~rc3/Zend/zend_execute.c:2351
#1 zend_leave_helper_SPEC (execute_data=0x2aaaad420080) at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:589
#2 0x0000555555802170 in execute_ex (ex=<optimized out>) at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:55287
#3 0x00002aaaad89a7bc in xdebug_execute_ex (execute_data=0x2aaaad420080)
    at /build/xdebug-2.7.0~beta1+2.6.1+2.5.5/build-7.3/xdebug.c:1868
#4 0x0000555555851299 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (execute_data=0x2aaaad420030)
    at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:961
#5 0x0000555555802170 in execute_ex (ex=<optimized out>) at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:55287
#6 0x00002aaaad89a7bc in xdebug_execute_ex (execute_data=0x2aaaad420030)
    at /build/xdebug-2.7.0~beta1+2.6.1+2.5.5/build-7.3/xdebug.c:1868
#7 0x00005555557b71ba in zend_call_function (fci=fci@entry=0x7fffffffe560, fci_cache=<optimized out>, fci_cache@entry=0x7fffffffe540)
    at /build/php7.3-7.3.0~rc3/Zend/zend_execute_API.c:756
#8 0x00005555557f49ef in zend_objects_destroy_object (object=0x2aaaad470a78) at /build/php7.3-7.3.0~rc3/Zend/zend_objects.c:158
#9 0x00005555557f9cbc in zend_objects_store_del (object=0x2aaaad470a78) at /build/php7.3-7.3.0~rc3/Zend/zend_objects_API.c:170
#10 0x00005555557d5c45 in _zend_hash_del_el_ex (prev=<optimized out>, p=<optimized out>, idx=7, ht=<optimized out>)
    at /build/php7.3-7.3.0~rc3/Zend/zend_hash.c:1181
#11 _zend_hash_del_el (p=0x2aaaad4662e0, idx=7, ht=0x555555bb23b0) at /build/php7.3-7.3.0~rc3/Zend/zend_hash.c:1204
#12 zend_hash_reverse_apply (ht=ht@entry=0x555555bb23b0, apply_func=apply_func@entry=0x5555557b5a20 <zval_call_destructor>)
    at /build/php7.3-7.3.0~rc3/Zend/zend_hash.c:1775
#13 0x00005555557b5e55 in shutdown_destructors () at /build/php7.3-7.3.0~rc3/Zend/zend_execute_API.c:240
#14 0x00005555557c5267 in zend_call_destructors () at /build/php7.3-7.3.0~rc3/Zend/zend.c:1089
#15 0x000055555576322d in php_request_shutdown (dummy=dummy@entry=0x0) at /build/php7.3-7.3.0~rc3/main/main.c:1873
#16 0x000055555562578b in main (argc=<optimized out>, argv=<optimized out>) at /build/php7.3-7.3.0~rc3/sapi/fpm/fpm/fpm_main.c:1975

GDB PHP:
[0x2aaaad420080] Foo->shutdown() /<redacted>/crash.php:5
[0x2aaaad420030] Foo->__destruct() /<redacted>/crash.php:4
[0x7fffffffe4a0] ???

NOTES:

 * Changing $how=STREAM_SHUT_RDWR to $how=1 fixes the issue.
 * Removing the call to get_it() and just using 'false' fixes the issue.
(0004757)
morozov (reporter)
2018-12-10 22:54

FWIW, this issue is only reproducible with Opcache loaded.
(0004758)
kmdm (reporter)
2018-12-11 10:21

@morozov Aha! That explains why I couldn't reproduce it in the CLI!

Now I can:

% gdb --ex=r --args php7.3 -dzend_extension=xdebug.so -dopcache.enable_cli=On crash.php

GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/php7.3...Reading symbols from /usr/lib/debug/.build-id/a4/0643386852dbb9b42577955d32bf91ff2f77ce.debug...done.
done.
Starting program: /usr/bin/php7.3 -dzend_extension=xdebug.so -dopcache.enable_cli=On crash.php
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x2aaaaaacb000
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
{"x":false}
Program received signal SIGSEGV, Segmentation fault.
i_free_compiled_variables (execute_data=0x2aaaad21e080) at /build/php7.3-7.3.0~rc4/Zend/zend_execute.c:2351
2351 /build/php7.3-7.3.0~rc4/Zend/zend_execute.c: No such file or directory.
(0004760)
derick (administrator)
2018-12-11 11:03

I can reproduce this:

valgrind php -n -dzend_extension=xdebug.so -dzend_extension=opcache.so -dopcache.enable_cli=1 1583.php

Shows:

==23877== Memcheck, a memory error detector
==23877== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==23877== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==23877== Command: php -n -dzend_extension=xdebug.so -dzend_extension=opcache.so -dopcache.enable_cli=1 1583.php
==23877== 
==23877== Conditional jump or move depends on uninitialised value(s)
==23877==    at 0x9FEACD: ZEND_RECV_INIT_SPEC_CONST_HANDLER (zend_vm_execute.h:2229)
==23877==    by 0x9FDA67: ZEND_USER_OPCODE_SPEC_HANDLER (zend_vm_execute.h:1829)
==23877==    by 0xA62805: execute_ex (zend_vm_execute.h:55510)
==23877==    by 0x86C15CA: xdebug_execute_ex (xdebug.c:1868)
==23877==    by 0x9FB101: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:961)
==23877==    by 0x9FDA67: ZEND_USER_OPCODE_SPEC_HANDLER (zend_vm_execute.h:1829)
==23877==    by 0xA62805: execute_ex (zend_vm_execute.h:55510)
==23877==    by 0x86C15CA: xdebug_execute_ex (xdebug.c:1868)
==23877==    by 0xA67D16: zend_execute (zend_vm_execute.h:60834)
==23877==    by 0x997069: zend_execute_scripts (zend.c:1568)
==23877==    by 0x906D4D: php_execute_script (main.c:2630)
==23877==    by 0xA6A79E: do_cli (php_cli.c:997)
==23877== 
{"x":false}==23877== Invalid read of size 4
==23877==    at 0x9EF704: zend_gc_delref (zend_types.h:996)
==23877==    by 0x9F728B: i_free_compiled_variables (zend_execute.c:2351)
==23877==    by 0x9FA1A0: zend_leave_helper_SPEC (zend_vm_execute.h:589)
==23877==    by 0x9FFF2D: ZEND_RETURN_SPEC_CONST_HANDLER (zend_vm_execute.h:2758)
==23877==    by 0x9FDA67: ZEND_USER_OPCODE_SPEC_HANDLER (zend_vm_execute.h:1829)
==23877==    by 0xA62805: execute_ex (zend_vm_execute.h:55510)
==23877==    by 0x86C15CA: xdebug_execute_ex (xdebug.c:1868)
==23877==    by 0x9FB101: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:961)
==23877==    by 0x9FDA67: ZEND_USER_OPCODE_SPEC_HANDLER (zend_vm_execute.h:1829)
==23877==    by 0xA62805: execute_ex (zend_vm_execute.h:55510)
==23877==    by 0x86C15CA: xdebug_execute_ex (xdebug.c:1868)
==23877==    by 0x98017C: zend_call_function (zend_execute_API.c:756)
==23877==  Address 0x800000000000002 is not stack'd, malloc'd or (recently) free'd
==23877== 
==23877== 
==23877== Process terminating with default action of signal 11 (SIGSEGV)
==23877==  General Protection Fault
==23877==    at 0x9EF704: zend_gc_delref (zend_types.h:996)
==23877==    by 0x9F728B: i_free_compiled_variables (zend_execute.c:2351)
==23877==    by 0x9FA1A0: zend_leave_helper_SPEC (zend_vm_execute.h:589)
==23877==    by 0x9FFF2D: ZEND_RETURN_SPEC_CONST_HANDLER (zend_vm_execute.h:2758)
==23877==    by 0x9FDA67: ZEND_USER_OPCODE_SPEC_HANDLER (zend_vm_execute.h:1829)
==23877==    by 0xA62805: execute_ex (zend_vm_execute.h:55510)
==23877==    by 0x86C15CA: xdebug_execute_ex (xdebug.c:1868)
==23877==    by 0x9FB101: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:961)
==23877==    by 0x9FDA67: ZEND_USER_OPCODE_SPEC_HANDLER (zend_vm_execute.h:1829)
==23877==    by 0xA62805: execute_ex (zend_vm_execute.h:55510)
==23877==    by 0x86C15CA: xdebug_execute_ex (xdebug.c:1868)
==23877==    by 0x98017C: zend_call_function (zend_execute_API.c:756)
==23877== 
==23877== HEAP SUMMARY:
==23877==     in use at exit: 2,879,895 bytes in 24,279 blocks
==23877==   total heap usage: 26,787 allocs, 2,508 frees, 3,875,685 bytes allocated


The first error is the same one as in 0001592, so these issues could as well be related.
(0004772)
ondrej (reporter)
2018-12-17 13:58

Full backtrace on PHP 7.3.0 with OpCache optimizer bug (PHP#77275) fixed:

#0 i_free_compiled_variables (execute_data=<optimized out>) at ./Zend/zend_execute.c:2351
        r = 0x800000000000002
        cv = 0x7ffff481e0d0
        count = 1
        cv = <optimized out>
        count = <optimized out>
        r = <optimized out>
#1 zend_leave_helper_SPEC () at ./Zend/zend_vm_execute.h:589
        old_execute_data = <optimized out>
        call_info = 2
#2 0x000055555587aaf7 in execute_ex (ex=0x800000000000002) at ./Zend/zend_vm_execute.h:55510
        orig_opline = 0x7ffff480e7d8
        orig_execute_data = <optimized out>
#3 0x00007ffff4acff03 in xdebug_execute_ex (execute_data=0x7ffff481e080) at ./build-7.3/xdebug.c:1868
        op_array = 0x7fffec6bebb0
        edata = <optimized out>
        fse = 0x555555b7bbd0
        xfse = <optimized out>
        do_return = 0
        function_nr = 6
        le = <optimized out>
        code_coverage_func_info = {class = 0x0, function = 0x555555a9ec80 "p\273\267UUU", type = 2, internal = 0}
        code_coverage_function_name = 0x0
        code_coverage_file_name = 0x7ffff481e080 "\260\353k\354\377\177"
        code_coverage_init = 0
#4 0x0000555555651ea3 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER () at ./Zend/zend_vm_execute.h:961
        call = 0x7ffff481e080
        fbc = 0x7ffff480e7d8
        object = <optimized out>
        ret = 0x0
        retval = <optimized out>
        retval = <optimized out>
#5 0x000055555587aaf7 in execute_ex (ex=0x800000000000002) at ./Zend/zend_vm_execute.h:55510
        orig_opline = 0x7ffff480e700
        orig_execute_data = <optimized out>
#6 0x00007ffff4acff03 in xdebug_execute_ex (execute_data=0x7ffff481e030) at ./build-7.3/xdebug.c:1868
        op_array = 0x7fffec6bea90
        edata = <optimized out>
        fse = 0x555555a9ec80
        xfse = <optimized out>
        do_return = 0
        function_nr = 5
        le = <optimized out>
        code_coverage_func_info = {class = 0x5555559f9940 <executor_globals> "", function = 0x7ffff480e540 "\002", type = -192815056, internal = 32767}
        code_coverage_function_name = 0x0
        code_coverage_file_name = 0x7ffff481e030 "\220\352k\354\377\177"
        code_coverage_init = 0
#7 0x00005555557ec68e in zend_call_function (fci=fci@entry=0x7fffffffc8b0, fci_cache=<optimized out>, fci_cache@entry=0x7fffffffc890)
    at ./Zend/zend_execute_API.c:756
        call_via_handler = 0
        current_opline_before_exception = 0x0
        i = <optimized out>
        call = 0x7ffff481e030
        dummy_execute_data = {opline = 0x0, call = 0x0, return_value = 0x0, func = 0x0, This = {value = {lval = 0, dval = 0, counted = 0x0, str = 0x0,
              arr = 0x0, obj = 0x0, res = 0x0, ref = 0x0, ast = 0x0, zv = 0x0, ptr = 0x0, ce = 0x0, func = 0x0, ww = {w1 = 0, w2 = 0}}, u1 = {v = {
                type = 0 '\000', type_flags = 0 '\000', u = {call_info = 0, extra = 0}}, type_info = 0}, u2 = {next = 0, cache_slot = 0, opline_num = 0,
              lineno = 0, num_args = 0, fe_pos = 0, fe_iter_idx = 0, access_flags = 0, property_guard = 0, constant_flags = 0, extra = 0}},
          prev_execute_data = 0x0, symbol_table = 0x0, run_time_cache = 0x0}
        fci_cache_local = {function_handler = 0x7fffffffc830, calling_scope = 0x555555898f8d, called_scope = 0x0, object = 0x555555a9c280}
        func = 0x7ffff480e700
#8 0x000055555582a05d in zend_objects_destroy_object (object=0x7ffff4866618) at ./Zend/zend_objects.c:158
        old_exception = 0x0
        ret = {value = {lval = 0, dval = 0, counted = 0x0, str = 0x0, arr = 0x0, obj = 0x0, res = 0x0, ref = 0x0, ast = 0x0, zv = 0x0, ptr = 0x0, ce = 0x0,
            func = 0x0, ww = {w1 = 0, w2 = 0}}, u1 = {v = {type = 0 '\000', type_flags = 0 '\000', u = {call_info = 0, extra = 0}}, type_info = 0}, u2 = {
            next = 21845, cache_slot = 21845, opline_num = 21845, lineno = 21845, num_args = 21845, fe_pos = 21845, fe_iter_idx = 21845, access_flags = 21845,
            property_guard = 21845, constant_flags = 21845, extra = 21845}}
        orig_fake_scope = 0x0
        fci = {size = 56, function_name = {value = {lval = 0, dval = 0, counted = 0x0, str = 0x0, arr = 0x0, obj = 0x0, res = 0x0, ref = 0x0, ast = 0x0,
              zv = 0x0, ptr = 0x0, ce = 0x0, func = 0x0, ww = {w1 = 0, w2 = 0}}, u1 = {v = {type = 0 '\000', type_flags = 0 '\000', u = {call_info = 0,
                  extra = 0}}, type_info = 0}, u2 = {next = 0, cache_slot = 0, opline_num = 0, lineno = 0, num_args = 0, fe_pos = 0, fe_iter_idx = 0,
              access_flags = 0, property_guard = 0, constant_flags = 0, extra = 0}}, retval = 0x7fffffffc880, params = 0x0, object = 0x7ffff4866618,
          no_separation = 1 '\001', param_count = 0}
        fcic = {function_handler = 0x7ffff480e700, calling_scope = 0x55555582a590 <zend_objects_clone_obj>, called_scope = 0x7ffff480e540,
          object = 0x7ffff4866618}
        destructor = 0x7ffff480e700
#9 0x000055555582f02f in zend_objects_store_del (object=0x7ffff4866618) at ./Zend/zend_objects_API.c:170
No locals.
#10 0x000055555580aa40 in _zend_hash_del_el_ex (prev=<optimized out>, p=<optimized out>, idx=9, ht=<optimized out>) at ./Zend/zend_hash.c:1181
        tmp = {value = {lval = 140737295836696, dval = 6.9533462961507788e-310, counted = 0x7ffff4866618, str = 0x7ffff4866618, arr = 0x7ffff4866618,
            obj = 0x7ffff4866618, res = 0x7ffff4866618, ref = 0x7ffff4866618, ast = 0x7ffff4866618, zv = 0x7ffff4866618, ptr = 0x7ffff4866618,
            ce = 0x7ffff4866618, func = 0x7ffff4866618, ww = {w1 = 4102448664, w2 = 32767}}, u1 = {v = {type = 8 '\b', type_flags = 1 '\001', u = {
                call_info = 0, extra = 0}}, type_info = 264}, u2 = {next = 0, cache_slot = 0, opline_num = 0, lineno = 0, num_args = 0, fe_pos = 0,
            fe_iter_idx = 0, access_flags = 0, property_guard = 0, constant_flags = 0, extra = 0}}
#11 _zend_hash_del_el (p=0x7ffff4861320, idx=9, ht=0x5555559f9a70 <executor_globals+304>) at ./Zend/zend_hash.c:1204
        prev = <optimized out>
        prev = <optimized out>
        nIndex = <optimized out>
        i = <optimized out>
#12 zend_hash_reverse_apply (ht=ht@entry=0x5555559f9a70 <executor_globals+304>, apply_func=apply_func@entry=0x5555557eae60 <zval_call_destructor>)
    at ./Zend/zend_hash.c:1775
        idx = <optimized out>
        p = 0x7ffff4861320
        result = <optimized out>
#13 0x00005555557eb2a5 in shutdown_destructors () at ./Zend/zend_execute_API.c:240
        symbols = <optimized out>
        __orig_bailout = 0x7fffffffcae0
        __bailout = {{__jmpbuf = {93824997103936, 768434357834357521, 93824995976456, 93824995976496, 1, 93824997197024, 6917337964184607505,
              768434625227135761}, __mask_was_saved = 0, __saved_mask = {__val = {140737488343800, 140737488343712, 0, 140737488341664, 93824995635903, 0, 0,
                0, 0, 0, 11, 0, 0, 0, 0, 0}}}}
#14 0x00005555557fa225 in zend_call_destructors () at ./Zend/zend.c:1089
        __orig_bailout = 0x7fffffffcce0
        __bailout = {{__jmpbuf = {93824997103936, 768434357834357521, 93824995976456, 93824995976496, 1, 93824997197024, 6917337964218161937,
              768434633232620305}, __mask_was_saved = 0, __saved_mask = {__val = {93824997757696, 0, 0, 0, 4194213060263121664, 0, 93824997483600,
                93824997102232, 0, 93824995976496, 1, 93824997197024, 93824994960221, 93824997102232, 93824997101920, 93824995976456}}}}
#15 0x000055555579a175 in php_request_shutdown (dummy=<optimized out>) at ./main/main.c:1873
        __orig_bailout = <optimized out>
        __bailout = {{__jmpbuf = {93824997103936, 768434357834357521, 93824995976456, 93824995976496, 1, 93824997197024, 6917337964253813521,
              768434615912373009}, __mask_was_saved = 0, __saved_mask = {__val = {93824997122072, 31, 80, 18446744073709550456, 0, 112, 206158430248,
                140737488344080, 140737488343888, 140737488344096, 140737488343904, 111, 160, 18446744073709550456, 2, 214748364808}}}}
        report_memleaks = 1 '\001'
#16 0x00005555558829ca in do_cli (argc=3, argv=0x555555a10470) at ./sapi/cli/php_cli.c:1164
        c = <optimized out>
        file_handle = {handle = {fd = -192425968, fp = 0x7ffff487d010, stream = {handle = 0x7ffff487d010, isatty = 0, mmap = {len = 250, pos = 0,
                map = 0x7ffff4a02000, buf = 0x7ffff4a02000 <error: Cannot access memory at address 0x7ffff4a02000>, old_handle = 0x555555a2cfa0,
                old_closer = 0x555555815170 <zend_stream_stdio_closer>}, reader = 0x5555558151a0 <zend_stream_stdio_reader>,
              fsizer = 0x555555815280 <zend_stream_stdio_fsizer>, closer = 0x555555815100 <zend_stream_mmap_closer>}},
          filename = 0x555555a104e0 "/tmp/crash.php", opened_path = 0x0, type = ZEND_HANDLE_MAPPED, free_filename = 0 '\000'}
        behavior = <optimized out>
        reflection_what = <optimized out>
        request_started = 1
        exit_status = 0
        php_optarg = 0x555555a104c2 "opcache.enable_cli=On"
        php_optind = 3
        exec_direct = <optimized out>
        exec_run = <optimized out>
        exec_begin = <optimized out>
        exec_end = <optimized out>
        arg_free = <optimized out>
        arg_excp = <optimized out>
        script_file = <optimized out>
        translated_path = 0x555555b7cbf0 "/tmp/crash.php"
        lineno = 1
        param_error = <optimized out>
        hide_argv = <optimized out>
#17 0x000055555566184f in main (argc=3, argv=0x555555a10470) at ./sapi/cli/php_cli.c:1389
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {93824997197664, 6917337965266213649, 22, 0, 93824995979524, 0, 6917337965222697745, 768434422431357713},
            __mask_was_saved = 0, __saved_mask = {__val = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4194213060263121664, 93824997195384, 140737336741983, 0, 0, 0}}}}
        c = <optimized out>
        exit_status = 0
        module_started = 1
        sapi_started = 1
        php_optarg = 0x555555a104c2 "opcache.enable_cli=On"
        php_optind = 2
        use_extended_info = 0
        ini_path_override = 0x0
        ini_entries = 0x555555a10760 "html_errors=0\nregister_argc_argv=1\nimplicit_flush=1\noutput_buffering=0\nmax_execution_time=0\nmax_input_time=-1\nopcache.enable_cli=On\n"
        ini_entries_len = 22
        ini_ignore = 0
        sapi_module = <optimized out>
(0004773)
superdav42 (reporter)
2018-12-18 00:25

As a workaround I have found that disabling certain optimizations in opcache will avoid this bug.
Setting this in php.ini will let me use xdebug fine:
opcache.optimization_level=0xFFFFFBFF

but setting it to:
opcache.optimization_level=0xFFFFFFFF
will cause this error.
I'm not sure which optimizations this bit corresponds to, but hopefully it will help trace down the bug.
(0004774)
kmdm (reporter)
2018-12-18 10:13

That 'B' would seem to align with this comment from php bug 77275:

We set in php.ini:
opcache.optimization_level=0x7FFFBBFF

The second 'B' represents the removal of 0x400, or ZEND_OPTIMIZER_PASS_11 (1<<10) /* Merge equal constants */
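A small helper to check the bit arithmetic in the two notes above (superdav42's 0xFFFFFBFF / 0xFFFFFFFF pair and the 0x7FFFBBFF value quoted from PHP bug 77275). This is an added example, not code from the Xdebug project, from php-src or from anyone in this thread; it assumes only the layout kmdm cites, optimizer pass N being bit N-1 of the mask (ZEND_OPTIMIZER_PASS_11 == 1<<10 == 0x400), and labels no pass name other than the one quoted here. It also goes one step further than the notes by producing single-pass-cleared masks, which is how one would narrow a crash down to one optimizer pass.

```python
"""Decode and compare opcache.optimization_level bitmasks.

Added example for this issue thread; not code from Xdebug or php-src.
Assumption taken from the thread: optimizer pass N is bit N-1 of the mask
(ZEND_OPTIMIZER_PASS_11 == 1 << 10 == 0x400) and a cleared bit disables
that pass.  Pass names other than the one quoted in the thread are not
known here and are reported by number only.
"""
from __future__ import annotations

MASK_BITS = 32                     # the ini value is handled as a 32-bit mask
FULL_MASK = (1 << MASK_BITS) - 1

# Only the name the thread quotes; everything else stays a bare number.
PASS_NAMES = {11: "Merge equal constants"}


def parse_level(text: str) -> int:
    """Parse the forms used in php.ini / -d flags: 0x-prefixed hex or decimal."""
    text = text.strip()
    value = int(text, 16) if text.lower().startswith("0x") else int(text, 10)
    if not 0 <= value <= FULL_MASK:
        raise ValueError(f"optimization_level outside 32-bit range: {text}")
    return value


def passes_in(mask: int) -> list[int]:
    """1-based pass numbers whose bit is set in mask."""
    return [bit + 1 for bit in range(MASK_BITS) if (mask >> bit) & 1]


def disabled_passes(mask: int) -> list[int]:
    """1-based pass numbers whose bit is cleared in mask."""
    return [bit + 1 for bit in range(MASK_BITS) if not (mask >> bit) & 1]


def diff_levels(a: str, b: str) -> dict[str, list[int]]:
    """Passes enabled by one mask but not by the other."""
    ma, mb = parse_level(a), parse_level(b)
    return {"only_in_a": passes_in(ma & ~mb & FULL_MASK),
            "only_in_b": passes_in(mb & ~ma & FULL_MASK)}


def without_pass(mask: int, pass_no: int) -> int:
    """Clear exactly one pass, e.g. to bisect which pass a crash depends on."""
    if not 1 <= pass_no <= MASK_BITS:
        raise ValueError(f"pass number out of range: {pass_no}")
    return mask & ~(1 << (pass_no - 1)) & FULL_MASK


def ini_line(mask: int) -> str:
    """Render a mask in the 0xXXXXXXXX form used throughout the thread."""
    return f"opcache.optimization_level=0x{mask:08X}"


def describe(pass_no: int) -> str:
    """Human-readable label: pass number, bit index, bit value, known name if any."""
    bit_value = 1 << (pass_no - 1)
    label = f"pass {pass_no} (bit {pass_no - 1}, 0x{bit_value:X})"
    return f"{label}: {PASS_NAMES[pass_no]}" if pass_no in PASS_NAMES else label


if __name__ == "__main__":
    # The masks quoted in the thread, read against the all-passes-on value.
    for level in ("0xFFFFFBFF", "0x7FFFBBFF"):
        cleared = ", ".join(describe(p) for p in disabled_passes(parse_level(level)))
        print(f"{level} disables {cleared}")
    print(diff_levels("0xFFFFFFFF", "0x7FFFBBFF"))
    # Mask for testing the run with only pass 11 turned off.
    print(ini_line(without_pass(parse_level("0xFFFFFFFF"), 11)))
```

Run against the values on this page, 0xFFFFFBFF differs from 0xFFFFFFFF in pass 11 only, which matches the reading of the second 'B' above; 0x7FFFBBFF additionally clears the bits for passes 15 and 32, whose names the thread does not give. `without_pass` generates the one-bit-cleared masks for trying each pass in turn.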
(0004776)
kmdm (reporter)
2018-12-18 13:41

Possibly related to (at a hunch/guess):

https://github.com/php/php-src/commit/1a63fa6ec9b0bacbb726e60c3c212e7d97b518c6
(0004790)
christianlupus (reporter)
2019-01-02 10:34

I can confirm this bug with the most recent Archlinux. Both using the CLI and php-fpm, the same effect as described above happens.

How can we help? What information is needed to track this down?
(0004791)
derick (administrator)
2019-01-02 10:41

I'm still on my Christmas break so haven't had time to check this more in depth. It's quite possible that this is a bug in opcache as a related issue was fixed there too. I'll be back on the weekend to look at this again.

Right now, the workaround in (0004774) should work. (Turning off a specific opcache optimisation.)
(0004792)
aboks (reporter)
2019-01-02 15:02

I don't know if it is exactly the same issue, but I can reproduce something similar using the following script:

```php
<?php
require_once(__DIR__ . '/../vendor/autoload.php');

class X {
    const DEFAULT_X = "xxx";

    public function __construct($x1, string $x2 = self::DEFAULT_X) {

    }
}

$x = new X([]);
```
Unfortunately my composer dependencies contain proprietary code, so I cannot post a self-contained test case. Commenting out the require_once makes the segfault disappear.

I'm running PHP 7.3.0 and Xdebug 2.7.0beta1 (both from deb.sury.org) on Debian Stretch, invoked using the CLI:
```
php -n -dzend_extension=xdebug.so -dzend_extension=opcache.so -dopcache.enable_cli=1 script.php
```

Variations tried:
* Without XDebug: no segfault occurs.
* Without Opcache: no segfault occurs.
* With the extra option `-dopcache.optimization_level=0xFFFFFBFF`: no segfault occurs
* Running the script using libapache2-mod-php7.3: results vary per invocation (probably related to different worker processes). Sometimes the script runs fine. Sometimes an error `Uncaught TypeError: Argument 2 passed to X::__construct() must be of the type string, unknown given` is shown. I've also seen this error with `false` instead of `unknown`.
* Without including the composer autoloader: no segfault occurs.

Running the script with valgrind ends with:
```
==222== Invalid read of size 8
==222== at 0x39EDFD: zend_parse_arg_str_weak (in /usr/bin/php7.3)
==222== by 0x3DFB5A: ??? (in /usr/bin/php7.3)
==222== by 0x1EE967: ??? (in /usr/bin/php7.3)
==222== by 0x4249EA: execute_ex (in /usr/bin/php7.3)
==222== by 0xA2107A0: xdebug_execute_ex (xdebug.c:1868)
==222== by 0x1EDE7A: ??? (in /usr/bin/php7.3)
==222== by 0x4249EA: execute_ex (in /usr/bin/php7.3)
==222== by 0xA2107A0: xdebug_execute_ex (xdebug.c:1868)
==222== by 0x42CAA9: zend_execute (in /usr/bin/php7.3)
==222== by 0x39DC82: zend_execute_scripts (in /usr/bin/php7.3)
==222== by 0x33C727: php_execute_script (in /usr/bin/php7.3)
==222== by 0x42EF2E: ??? (in /usr/bin/php7.3)
==222== Address 0xe8 is not stack'd, malloc'd or (recently) free'd
==222==
==222==
==222== Process terminating with default action of signal 11 (SIGSEGV)
==222== Access not within mapped region at address 0xE8
==222== at 0x39EDFD: zend_parse_arg_str_weak (in /usr/bin/php7.3)
==222== by 0x3DFB5A: ??? (in /usr/bin/php7.3)
==222== by 0x1EE967: ??? (in /usr/bin/php7.3)
==222== by 0x4249EA: execute_ex (in /usr/bin/php7.3)
==222== by 0xA2107A0: xdebug_execute_ex (xdebug.c:1868)
==222== by 0x1EDE7A: ??? (in /usr/bin/php7.3)
==222== by 0x4249EA: execute_ex (in /usr/bin/php7.3)
==222== by 0xA2107A0: xdebug_execute_ex (xdebug.c:1868)
==222== by 0x42CAA9: zend_execute (in /usr/bin/php7.3)
==222== by 0x39DC82: zend_execute_scripts (in /usr/bin/php7.3)
==222== by 0x33C727: php_execute_script (in /usr/bin/php7.3)
==222== by 0x42EF2E: ??? (in /usr/bin/php7.3)
==222== If you believe this happened as a result of a stack
==222== overflow in your program's main thread (unlikely but
==222== possible), you can try to increase the size of the
==222== main thread stack using the --main-stacksize= flag.
==222== The main thread stack size used in this run was 8388608.
```

Hope this helps to narrow down the issue.
(0004793)
christianlupus (reporter)
2019-01-02 17:32

I dove a bit in the Arch build system and tried to recompile PHP (+ Co.) with debugging symbols and without optimization. Then I ran php-fpm through valgrind and triggered the problem. The results can be seen here: https://gist.github.com/christianlupus/b942a198960c2d9f276f42a5d6f5a6cf.

I hope this helps. If I can give more information or retry it with different configuration etc, please tell me.
(0004801)
attrib (reporter)
2019-01-14 13:55

With PHP 7.3.1 the workaround with "opcache.optimization_level=0x7FFFBBFF" is not working anymore. Unsure if new issue or same issue as here.

Also tried latest xdebug from master, same result as described here segfault 11 when xdebug is enabled and a breakpoint gets triggered.
(0004820)
kschroeder (reporter)
2019-01-21 16:01

I just tried adding "opcache.optimization_level=0xFFFFFBFF" to my local file /etc/opt/remi/php73/php.d/9999-last.ini and it worked for me.

- Issue History
Date Modified Username Field Change
2018-10-25 11:27 kmdm New Issue
2018-10-25 11:53 derick Note Added: 0004712
2018-10-25 11:53 derick Assigned To => derick
2018-10-25 11:53 derick Status new => feedback
2018-10-25 12:37 kmdm Note Added: 0004713
2018-10-25 12:37 kmdm Status feedback => assigned
2018-12-10 22:54 morozov Note Added: 0004757
2018-12-11 10:21 kmdm Note Added: 0004758
2018-12-11 11:03 derick Note Added: 0004760
2018-12-11 11:03 derick Status assigned => confirmed
2018-12-17 13:58 ondrej Note Added: 0004772
2018-12-18 00:25 superdav42 Note Added: 0004773
2018-12-18 10:13 kmdm Note Added: 0004774
2018-12-18 13:41 kmdm Note Added: 0004776
2019-01-02 10:34 christianlupus Note Added: 0004790
2019-01-02 10:41 derick Note Added: 0004791
2019-01-02 15:02 aboks Note Added: 0004792
2019-01-02 17:32 christianlupus Note Added: 0004793
2019-01-14 13:55 attrib Note Added: 0004801
2019-01-17 11:51 derick Relationship added has duplicate 0001607
2019-01-17 11:51 derick Relationship added has duplicate 0001612
2019-01-17 12:13 derick Relationship added has duplicate 0001592
2019-01-21 16:01 kschroeder Note Added: 0004820

