MantisBT

ID: 0001583
Project: Xdebug
Category: Feature/Change request
View Status: public
Date Submitted: 2018-10-25 11:27
Last Update: 2018-12-12 17:00
Reporter: kmdm
Assigned To: derick
Priority: high
Severity: crash
Reproducibility: have not tried
Status: confirmed
Resolution: open
Platform: Linux
OS: Debian
OS Version: 7
Product Version: 2.7.0beta1
Target Version:
Fixed in Version:
Summary: 0001583: xdebug 2.7.0beta1 SIGSEGV while running some php scripts on PHP 7.3.0RC3
Description: The segfault occurs when running certain scripts in our codebase, I've attached the gdb backtrace.
Steps To Reproduce: N/A -- pending test case script which can trigger the issue
Additional Information:
Program received signal SIGSEGV, Segmentation fault.
zval_addref_p (pz=<optimized out>) at /build/php7.3-7.3.0~rc3/Zend/zend_types.h:1017
1017 /build/php7.3-7.3.0~rc3/Zend/zend_types.h: No such file or directory.
(gdb) bt
#0 zval_addref_p (pz=<optimized out>) at /build/php7.3-7.3.0~rc3/Zend/zend_types.h:1017
#1 ZEND_SEND_VAR_EX_SPEC_CV_QUICK_HANDLER (execute_data=0x2aaaad420dc0) at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:37385
#2 0x0000555555802170 in execute_ex (ex=<optimized out>) at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:55287
#3 0x00002aaaad89a7bc in xdebug_execute_ex (execute_data=0x2aaaad420dc0)
    at /build/xdebug-2.7.0~beta1+2.6.1+2.5.5/build-7.3/xdebug.c:1868
#4 0x0000555555851299 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (execute_data=0x2aaaad420ca0)
    at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:961
#5 0x0000555555802170 in execute_ex (ex=<optimized out>) at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:55287
#6 0x00002aaaad89a7bc in xdebug_execute_ex (execute_data=0x2aaaad420ca0)
    at /build/xdebug-2.7.0~beta1+2.6.1+2.5.5/build-7.3/xdebug.c:1868
#7 0x0000555555850ec8 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (execute_data=0x2aaaad420b70)
    at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:1083
#8 0x0000555555802170 in execute_ex (ex=<optimized out>) at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:55287
#9 0x00002aaaad89a7bc in xdebug_execute_ex (execute_data=0x2aaaad420b70)
    at /build/xdebug-2.7.0~beta1+2.6.1+2.5.5/build-7.3/xdebug.c:1868
#10 0x0000555555850ec8 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (execute_data=0x2aaaad420a10)
    at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:1083
#11 0x0000555555802170 in execute_ex (ex=<optimized out>) at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:55287
#12 0x00002aaaad89a7bc in xdebug_execute_ex (execute_data=0x2aaaad420a10)
    at /build/xdebug-2.7.0~beta1+2.6.1+2.5.5/build-7.3/xdebug.c:1868
#13 0x0000555555851299 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (execute_data=0x2aaaad420940)
    at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:961
#14 0x0000555555802170 in execute_ex (ex=<optimized out>) at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:55287
#15 0x00002aaaad89a7bc in xdebug_execute_ex (execute_data=0x2aaaad420940)
    at /build/xdebug-2.7.0~beta1+2.6.1+2.5.5/build-7.3/xdebug.c:1868
#16 0x0000555555850ec8 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (execute_data=0x2aaaad420860)
    at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:1083
#17 0x0000555555802170 in execute_ex (ex=<optimized out>) at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:55287
#18 0x00002aaaad89a7bc in xdebug_execute_ex (execute_data=0x2aaaad420860)
    at /build/xdebug-2.7.0~beta1+2.6.1+2.5.5/build-7.3/xdebug.c:1868
#19 0x0000555555851299 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (execute_data=0x2aaaad420740)
    at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:961
#20 0x0000555555802170 in execute_ex (ex=<optimized out>) at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:55287
#21 0x00002aaaad89a7bc in xdebug_execute_ex (execute_data=0x2aaaad420740)
    at /build/xdebug-2.7.0~beta1+2.6.1+2.5.5/build-7.3/xdebug.c:1868
#22 0x0000555555851299 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (execute_data=0x2aaaad4206c0)
    at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:961
#23 0x0000555555802170 in execute_ex (ex=<optimized out>) at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:55287
#24 0x00002aaaad89a7bc in xdebug_execute_ex (execute_data=0x2aaaad4206c0)
    at /build/xdebug-2.7.0~beta1+2.6.1+2.5.5/build-7.3/xdebug.c:1868
#25 0x0000555555851299 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (execute_data=0x2aaaad420650)
    at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:961
#26 0x0000555555802170 in execute_ex (ex=<optimized out>) at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:55287
#27 0x00002aaaad89a7bc in xdebug_execute_ex (execute_data=0x2aaaad420650)
    at /build/xdebug-2.7.0~beta1+2.6.1+2.5.5/build-7.3/xdebug.c:1868
#28 0x0000555555851299 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (execute_data=0x2aaaad420030)
    at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:961
#29 0x0000555555802170 in execute_ex (ex=<optimized out>) at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:55287
#30 0x00002aaaad89a7bc in xdebug_execute_ex (execute_data=0x2aaaad420030)
    at /build/xdebug-2.7.0~beta1+2.6.1+2.5.5/build-7.3/xdebug.c:1868
#31 0x000055555585167a in zend_execute (op_array=op_array@entry=0x2aaaad48c000, return_value=return_value@entry=0x0)
    at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:60834
#32 0x00005555557c5614 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3)
    at /build/php7.3-7.3.0~rc3/Zend/zend.c:1568
#33 0x0000555555764588 in php_execute_script (primary_file=primary_file@entry=0x7fffffffea60)
    at /build/php7.3-7.3.0~rc3/main/main.c:2630
#34 0x000055555562571e in main (argc=<optimized out>, argv=<optimized out>) at /build/php7.3-7.3.0~rc3/sapi/fpm/fpm/fpm_main.c:1947
Tags: No tags attached.
Operating System: Linux
PHP Version: 7.3-dev

Notes

(0004712)
derick (administrator)
2018-10-25 11:53

Hi,

I'm going to need a (short) script to reproduce this. Please note that 2.7.0-beta1 is still a pre-release version, and that there are still issues with it. A short script to reproduce this will expedite fixes.

cheers,
Derick
(0004713)
kmdm (reporter)
2018-10-25 12:37

Ok, I've got one. It only crashes in the FPM SAPI in my testing and not CLI.

PHP:
<?php
class Foo
{
    public function __destruct() { $this->shutdown(); }
    public function shutdown($how=STREAM_SHUT_RDWR) { }
}

function get_it()
{
    return false;

}

$x = new Foo();
$x->shutdown();
echo json_encode(['x'=>get_it()]);

GDB (BT):
#0 i_free_compiled_variables (execute_data=0x2aaaad420080) at /build/php7.3-7.3.0~rc3/Zend/zend_execute.c:2351
#1 zend_leave_helper_SPEC (execute_data=0x2aaaad420080) at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:589
#2 0x0000555555802170 in execute_ex (ex=<optimized out>) at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:55287
#3 0x00002aaaad89a7bc in xdebug_execute_ex (execute_data=0x2aaaad420080)
    at /build/xdebug-2.7.0~beta1+2.6.1+2.5.5/build-7.3/xdebug.c:1868
#4 0x0000555555851299 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (execute_data=0x2aaaad420030)
    at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:961
#5 0x0000555555802170 in execute_ex (ex=<optimized out>) at /build/php7.3-7.3.0~rc3/Zend/zend_vm_execute.h:55287
#6 0x00002aaaad89a7bc in xdebug_execute_ex (execute_data=0x2aaaad420030)
    at /build/xdebug-2.7.0~beta1+2.6.1+2.5.5/build-7.3/xdebug.c:1868
#7 0x00005555557b71ba in zend_call_function (fci=fci@entry=0x7fffffffe560, fci_cache=<optimized out>, fci_cache@entry=0x7fffffffe540)
    at /build/php7.3-7.3.0~rc3/Zend/zend_execute_API.c:756
#8 0x00005555557f49ef in zend_objects_destroy_object (object=0x2aaaad470a78) at /build/php7.3-7.3.0~rc3/Zend/zend_objects.c:158
#9 0x00005555557f9cbc in zend_objects_store_del (object=0x2aaaad470a78) at /build/php7.3-7.3.0~rc3/Zend/zend_objects_API.c:170
#10 0x00005555557d5c45 in _zend_hash_del_el_ex (prev=<optimized out>, p=<optimized out>, idx=7, ht=<optimized out>)
    at /build/php7.3-7.3.0~rc3/Zend/zend_hash.c:1181
#11 _zend_hash_del_el (p=0x2aaaad4662e0, idx=7, ht=0x555555bb23b0) at /build/php7.3-7.3.0~rc3/Zend/zend_hash.c:1204
#12 zend_hash_reverse_apply (ht=ht@entry=0x555555bb23b0, apply_func=apply_func@entry=0x5555557b5a20 <zval_call_destructor>)
    at /build/php7.3-7.3.0~rc3/Zend/zend_hash.c:1775
#13 0x00005555557b5e55 in shutdown_destructors () at /build/php7.3-7.3.0~rc3/Zend/zend_execute_API.c:240
#14 0x00005555557c5267 in zend_call_destructors () at /build/php7.3-7.3.0~rc3/Zend/zend.c:1089
#15 0x000055555576322d in php_request_shutdown (dummy=dummy@entry=0x0) at /build/php7.3-7.3.0~rc3/main/main.c:1873
#16 0x000055555562578b in main (argc=<optimized out>, argv=<optimized out>) at /build/php7.3-7.3.0~rc3/sapi/fpm/fpm/fpm_main.c:1975

GDB PHP:
[0x2aaaad420080] Foo->shutdown() /<redacted>/crash.php:5
[0x2aaaad420030] Foo->__destruct() /<redacted>/crash.php:4
[0x7fffffffe4a0] ???

NOTES:

 * Changing $how=STREAM_SHUT_RDWR to $how=1 fixes the issue.
 * Removing the call to get_it() and just using 'false' fixes the issue.
(0004757)
morozov (reporter)
2018-12-10 22:54

FWIW, this issue is only reproducible with Opcache loaded.
(0004758)
kmdm (reporter)
2018-12-11 10:21

@morozov Aha! That explains why I couldn't reproduce it in the CLI!

Now I can:

% gdb --ex=r --args php7.3 -dzend_extension=xdebug.so -dopcache.enable_cli=On crash.php

GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/php7.3...Reading symbols from /usr/lib/debug/.build-id/a4/0643386852dbb9b42577955d32bf91ff2f77ce.debug...done.
done.
Starting program: /usr/bin/php7.3 -dzend_extension=xdebug.so -dopcache.enable_cli=On crash.php
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x2aaaaaacb000
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
{"x":false}
Program received signal SIGSEGV, Segmentation fault.
i_free_compiled_variables (execute_data=0x2aaaad21e080) at /build/php7.3-7.3.0~rc4/Zend/zend_execute.c:2351
2351 /build/php7.3-7.3.0~rc4/Zend/zend_execute.c: No such file or directory.
(0004760)
derick (administrator)
2018-12-11 11:03

I can reproduce this:

valgrind php -n -dzend_extension=xdebug.so -dzend_extension=opcache.so -dopcache.enable_cli=1 1583.php

Shows:

==23877== Memcheck, a memory error detector
==23877== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==23877== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==23877== Command: php -n -dzend_extension=xdebug.so -dzend_extension=opcache.so -dopcache.enable_cli=1 1583.php
==23877== 
==23877== Conditional jump or move depends on uninitialised value(s)
==23877==    at 0x9FEACD: ZEND_RECV_INIT_SPEC_CONST_HANDLER (zend_vm_execute.h:2229)
==23877==    by 0x9FDA67: ZEND_USER_OPCODE_SPEC_HANDLER (zend_vm_execute.h:1829)
==23877==    by 0xA62805: execute_ex (zend_vm_execute.h:55510)
==23877==    by 0x86C15CA: xdebug_execute_ex (xdebug.c:1868)
==23877==    by 0x9FB101: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:961)
==23877==    by 0x9FDA67: ZEND_USER_OPCODE_SPEC_HANDLER (zend_vm_execute.h:1829)
==23877==    by 0xA62805: execute_ex (zend_vm_execute.h:55510)
==23877==    by 0x86C15CA: xdebug_execute_ex (xdebug.c:1868)
==23877==    by 0xA67D16: zend_execute (zend_vm_execute.h:60834)
==23877==    by 0x997069: zend_execute_scripts (zend.c:1568)
==23877==    by 0x906D4D: php_execute_script (main.c:2630)
==23877==    by 0xA6A79E: do_cli (php_cli.c:997)
==23877== 
{"x":false}==23877== Invalid read of size 4
==23877==    at 0x9EF704: zend_gc_delref (zend_types.h:996)
==23877==    by 0x9F728B: i_free_compiled_variables (zend_execute.c:2351)
==23877==    by 0x9FA1A0: zend_leave_helper_SPEC (zend_vm_execute.h:589)
==23877==    by 0x9FFF2D: ZEND_RETURN_SPEC_CONST_HANDLER (zend_vm_execute.h:2758)
==23877==    by 0x9FDA67: ZEND_USER_OPCODE_SPEC_HANDLER (zend_vm_execute.h:1829)
==23877==    by 0xA62805: execute_ex (zend_vm_execute.h:55510)
==23877==    by 0x86C15CA: xdebug_execute_ex (xdebug.c:1868)
==23877==    by 0x9FB101: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:961)
==23877==    by 0x9FDA67: ZEND_USER_OPCODE_SPEC_HANDLER (zend_vm_execute.h:1829)
==23877==    by 0xA62805: execute_ex (zend_vm_execute.h:55510)
==23877==    by 0x86C15CA: xdebug_execute_ex (xdebug.c:1868)
==23877==    by 0x98017C: zend_call_function (zend_execute_API.c:756)
==23877==  Address 0x800000000000002 is not stack'd, malloc'd or (recently) free'd
==23877== 
==23877== 
==23877== Process terminating with default action of signal 11 (SIGSEGV)
==23877==  General Protection Fault
==23877==    at 0x9EF704: zend_gc_delref (zend_types.h:996)
==23877==    by 0x9F728B: i_free_compiled_variables (zend_execute.c:2351)
==23877==    by 0x9FA1A0: zend_leave_helper_SPEC (zend_vm_execute.h:589)
==23877==    by 0x9FFF2D: ZEND_RETURN_SPEC_CONST_HANDLER (zend_vm_execute.h:2758)
==23877==    by 0x9FDA67: ZEND_USER_OPCODE_SPEC_HANDLER (zend_vm_execute.h:1829)
==23877==    by 0xA62805: execute_ex (zend_vm_execute.h:55510)
==23877==    by 0x86C15CA: xdebug_execute_ex (xdebug.c:1868)
==23877==    by 0x9FB101: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:961)
==23877==    by 0x9FDA67: ZEND_USER_OPCODE_SPEC_HANDLER (zend_vm_execute.h:1829)
==23877==    by 0xA62805: execute_ex (zend_vm_execute.h:55510)
==23877==    by 0x86C15CA: xdebug_execute_ex (xdebug.c:1868)
==23877==    by 0x98017C: zend_call_function (zend_execute_API.c:756)
==23877== 
==23877== HEAP SUMMARY:
==23877==     in use at exit: 2,879,895 bytes in 24,279 blocks
==23877==   total heap usage: 26,787 allocs, 2,508 frees, 3,875,685 bytes allocated


The first error is the same one as in 0001592, so these issues could as well be related.
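
Added example, not part of the original thread and not Xdebug or PHP project code: a Python triage helper for Memcheck output like the log in note 0004760. It tolerates program stdout fused onto a `==pid==` line (as in `{"x":false}==23877==`), builds an address-independent signature for comparing reports between issues, and checks whether a faulting address is canonical on x86-64. The function names, the trimmed `LOG` excerpt and the 48-bit virtual address width are assumptions of this example.

```python
import re

# Excerpt of the Memcheck log in note 0004760 (deeper frames trimmed).
LOG = """\
==23877== Conditional jump or move depends on uninitialised value(s)
==23877==    at 0x9FEACD: ZEND_RECV_INIT_SPEC_CONST_HANDLER (zend_vm_execute.h:2229)
==23877==    by 0x9FDA67: ZEND_USER_OPCODE_SPEC_HANDLER (zend_vm_execute.h:1829)
==23877==    by 0xA62805: execute_ex (zend_vm_execute.h:55510)
==23877==
{"x":false}==23877== Invalid read of size 4
==23877==    at 0x9EF704: zend_gc_delref (zend_types.h:996)
==23877==    by 0x9F728B: i_free_compiled_variables (zend_execute.c:2351)
==23877==  Address 0x800000000000002 is not stack'd, malloc'd or (recently) free'd
==23877==
"""

PREFIX = re.compile(r"==\d+== ?(.*)$")   # searched, not anchored: stdout may precede it
FRAME = re.compile(r"\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+)")
ADDR = re.compile(r"\s+Address (0x[0-9A-Fa-f]+) ")

def parse_memcheck(text):
    """Return one dict per report: kind, frames (function names), address."""
    reports, cur = [], None
    for line in text.splitlines():
        m = PREFIX.search(line)
        if not m:
            continue                      # not Valgrind output (e.g. a wrapped line)
        body = m.group(1)
        if not body.strip():
            cur = None                    # a bare "==pid==" line ends the report
        elif cur is None:
            cur = {"kind": body.strip(), "frames": [], "address": None}
            reports.append(cur)
        elif (f := FRAME.match(body)):
            cur["frames"].append(f.group(1))
        elif (a := ADDR.match(body)):
            cur["address"] = int(a.group(1), 16)
    return [r for r in reports if r["frames"]]   # drops banner and summary blocks

def signature(report, depth=3):
    """Fingerprint that ignores code addresses, which differ between builds."""
    return (report["kind"], tuple(report["frames"][:depth]))

def is_canonical_x86_64(addr):
    """True if bits 63..47 are all equal (48-bit virtual addressing assumed)."""
    top = addr >> 47
    return top in (0, 0x1FFFF)
```

For the log above, the invalid read at 0x800000000000002 is a non-canonical address, which is consistent with Valgrind reporting a General Protection Fault rather than an ordinary unmapped-page fault.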

Issue History
Date Modified     Username  Field                Change
2018-10-25 11:27  kmdm      New Issue
2018-10-25 11:53  derick    Note Added: 0004712
2018-10-25 11:53  derick    Assigned To          => derick
2018-10-25 11:53  derick    Status               new => feedback
2018-10-25 12:37  kmdm      Note Added: 0004713
2018-10-25 12:37  kmdm      Status               feedback => assigned
2018-12-10 22:54  morozov   Note Added: 0004757
2018-12-11 10:21  kmdm      Note Added: 0004758
2018-12-11 11:03  derick    Note Added: 0004760
2018-12-11 11:03  derick    Status               assigned => confirmed

