View Issue Details

ID: 0001651
Project: Xdebug
Category: Profiling
View Status: public
Last Update: 2019-06-28 11:50
Reporter: stantheman
Assigned To: derick
Priority: normal
Severity: crash
Reproducibility: have not tried
Status: resolved
Resolution: duplicate
Product Version: 2.7.0
Summary: 0001651: segfault in xdebug_var_export with collect_params set to 3 or 4
Description

In xdebug_var.c, the xdebug_var_export function calls xdebug_objdebug_pp, which can return NULL. If it's NULL, the following call to xdebug_zend_hash_is_recursive causes a segfault:

https://github.com/xdebug/xdebug/blob/xdebug_2_7/xdebug_var.c#L1049

This happens in v2.6.1 as well as a fresh build from master.

Steps To Reproduce

I don't have a minimal repro. It happens when tracing a CLI script and setting xdebug.collect_params to a value of '3' or '4'. I collect the values on the CLI with:

php -d 'zend_extension=/usr/lib64/php/modules7/xdebug.so' -d 'xdebug.trace_format=1' -d 'xdebug.auto_trace=1' -d 'xdebug.trace_output_dir=/tmp/xdebug' -d 'xdebug.profiler_enable=1' -d 'xdebug.profiler_enable=On' -d 'xdebug.collect_params=4' bigtable.php

Additional Information

gdb from the segfault:

(gdb) zbacktrace
[0x7fffeb614730] Google\ApiCore\Serializer->decodeMessage(object[0x7fffeb614780], array(2)[0x7fffeb614790]) /home/sschwertly/development/test/vendor/google/gax/src/Serializer.php:120
[0x7fffeb614670] Google\Cloud\Bigtable\Table->Google\Cloud\Bigtable{closure}(reference, object[0x7fffeb6146d0]) /home/sschwertly/development/test/vendor/google/cloud-bigtable/src/Table.php:272
[0x7fffeb614600] array_walk(reference, object[0x7fffeb614660]) [internal function]
[0x7fffeb6142f0] Google\Cloud\Bigtable\Table->readRows(reference) /home/sschwertly/development/test/vendor/google/cloud-bigtable/src/Table.php:274
[0x7fffeb613030] (main) /home/sschwertly/development/test/bigtable.php

(gdb) bt
#0 0x00007fffe4a40111 in xdebug_zend_hash_is_recursive (ht=ht@entry=0x0) at /home/sschwertly/development/xdebug/xdebug_compat.c:417
#1 0x00007fffe4a54688 in xdebug_var_export (struc=struc@entry=0x7fffffff9558, str=str@entry=0x15d8f30, level=level@entry=1, debug_zval=debug_zval@entry=0, options=options@entry=0x163b110) at /home/sschwertly/development/xdebug/xdebug_var.c:1049
#2 0x00007fffe4a550ef in xdebug_get_zval_value (val=0x1626eb0, debug_zval=debug_zval@entry=0, options=0x163b110, options@entry=0x0) at /home/sschwertly/development/xdebug/xdebug_var.c:1112
#3 0x00007fffe4a51791 in add_single_value (str=0x7fffffff95e0, zv=<optimized out>, collection_level=<optimized out>) at /home/sschwertly/development/xdebug/xdebug_trace_computerized.c:104
#4 0x00007fffe4a519b4 in xdebug_trace_computerized_function_entry (ctxt=0x15a3480, fse=0x15d6510, function_nr=<optimized out>) at /home/sschwertly/development/xdebug/xdebug_trace_computerized.c:177
#5 0x00007fffe4a38557 in xdebug_execute_ex (execute_data=0x7fffeb614730) at /home/sschwertly/development/xdebug/xdebug.c:1860
#6 0x00000000008abb85 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER () at /usr/src/debug/php-src-php-7.1.18/Zend/zend_vm_execute.h:1076
#7 0x000000000085a40b in execute_ex (ex=<optimized out>) at /usr/src/debug/php-src-php-7.1.18/Zend/zend_vm_execute.h:429
#8 0x00007fffe4a382c5 in xdebug_execute_ex (execute_data=0x7fffeb614670) at /home/sschwertly/development/xdebug/xdebug.c:1928
#9 0x0000000000802ac1 in zend_call_function (fci=fci@entry=0x11a6140 <basic_globals+416>, fci_cache=fci_cache@entry=0x11a6178 <basic_globals+472>) at /usr/src/debug/php-src-php-7.1.18/Zend/zend_execute_API.c:855
#10 0x00000000006eb4e9 in php_array_walk (array=array@entry=0x7fffcae12fb0, userdata=0x0, recursive=recursive@entry=0) at /usr/src/debug/php-src-php-7.1.18/ext/standard/array.c:1448
#11 0x00000000006efd75 in zif_array_walk (execute_data=0x7fffeb614600, return_value=0x7fffffff9b30) at /usr/src/debug/php-src-php-7.1.18/ext/standard/array.c:1510
#12 0x00007fffe4a389be in xdebug_execute_internal (current_execute_data=0x7fffeb614600, return_value=0x7fffffff9b30) at /home/sschwertly/development/xdebug/xdebug.c:2048
#13 0x00000000008ac17c in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER () at /usr/src/debug/php-src-php-7.1.18/Zend/zend_vm_execute.h:972
#14 0x000000000085a40b in execute_ex (ex=<optimized out>) at /usr/src/debug/php-src-php-7.1.18/Zend/zend_vm_execute.h:429
#15 0x00007fffe4a382c5 in xdebug_execute_ex (execute_data=0x7fffeb6142f0) at /home/sschwertly/development/xdebug/xdebug.c:1928
#16 0x00000000008abb85 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER () at /usr/src/debug/php-src-php-7.1.18/Zend/zend_vm_execute.h:1076
#17 0x000000000085a40b in execute_ex (ex=<optimized out>) at /usr/src/debug/php-src-php-7.1.18/Zend/zend_vm_execute.h:429
#18 0x00007fffe4a382c5 in xdebug_execute_ex (execute_data=0x7fffeb613030) at /home/sschwertly/development/xdebug/xdebug.c:1928
#19 0x00000000008ae074 in zend_execute (op_array=op_array@entry=0x7fffeb6721c0, return_value=return_value@entry=0x0) at /usr/src/debug/php-src-php-7.1.18/Zend/zend_vm_execute.h:474
#20 0x00000000008126a3 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /usr/src/debug/php-src-php-7.1.18/Zend/zend.c:1482
#21 0x00000000007afee8 in php_execute_script (primary_file=primary_file@entry=0x7fffffffc140) at /usr/src/debug/php-src-php-7.1.18/main/main.c:2577
#22 0x00000000008b0328 in do_cli (argc=24, argv=0x11b11b0) at /usr/src/debug/php-src-php-7.1.18/sapi/cli/php_cli.c:993
#23 0x00000000004539ef in main (argc=24, argv=0x11b11b0) at /usr/src/debug/php-src-php-7.1.18/sapi/cli/php_cli.c:1381

I have a patch to submit on GitHub but need this reference number to make the PR.

Tags: No tags attached.
Operating System:
PHP Version: 7.1.15-7.1.19
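
The failure mode in the description, modelled in self-contained C as an added example (not Xdebug's code and not the patch in the pull request): a property-table lookup that may return NULL, a recursion guard that reads a field of that table, and an exporter that checks for NULL before the guard runs. All type and function names here are stand-ins chosen for illustration, and the sample objects are constructed.

```c
#include <stdio.h>
#include <string.h>
/* Stand-in types (assumptions), not Xdebug or Zend Engine types. */
typedef struct table table;
typedef struct { const char *name; table *props; } object; /* props may be NULL */
struct table { int visiting; size_t count; object *children[4]; };
/* Hypothetical lookup that, like the call in the report, may return NULL. */
static table *get_debug_props(const object *obj) { return obj->props; }
/* The recursion guard reads a field of ht: a NULL ht is a NULL dereference. */
static int table_is_recursive(const table *ht) { return ht->visiting; }

/* Append s to the NUL-terminated buf; returns -1 if it does not fit. */
static int put(char *buf, size_t cap, const char *s)
{
    size_t used = strlen(buf), len = strlen(s);
    if (len >= cap - used) return -1;
    memcpy(buf + used, s, len + 1);
    return 0;
}

/* Export obj into buf; returns 0 on success, -1 if output was truncated. */
static int export_object(const object *obj, char *buf, size_t cap)
{
    table *ht = get_debug_props(obj);
    int rc = put(buf, cap, obj->name);
    if (ht == NULL)                  /* checked before the guard reads ht */
        return rc | put(buf, cap, "{?}");
    if (table_is_recursive(ht))
        return rc | put(buf, cap, "{*RECURSION*}");
    ht->visiting = 1;
    rc |= put(buf, cap, "{");
    for (size_t i = 0; i < ht->count; i++) {
        if (i) rc |= put(buf, cap, ",");
        rc |= export_object(ht->children[i], buf, cap);
    }
    ht->visiting = 0;
    return rc | put(buf, cap, "}");
}

/* Constructed sample: a Row holding a Cell with no table and itself. */
static const char *demo(void)
{
    static char out[64];
    static table row_props;
    static object cell = { "Cell", NULL }, row = { "Row", &row_props };
    row_props = (table){ 0, 2, { &cell, &row } };
    out[0] = '\0';
    return export_object(&row, out, sizeof out) == 0 ? out : NULL;
}
int main(void) { const char *s = demo(); puts(s ? s : "(truncated)"); return 0; }
```

Removing the `ht == NULL` branch makes the `Cell` object reach `table_is_recursive` with a NULL pointer, which is the crash shape shown in frame #0 of the backtrace above.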

Relationships

duplicate of 0001665 (closed, derick): Segfault when overriding a function object parameter + collect_params > 0

Activities

stantheman

2019-03-26 19:34

reporter   ~0004978

Pull request is here: https://github.com/xdebug/xdebug/pull/461

derick

2019-04-03 15:53

administrator   ~0004982

Hi,

thanks for the ticket and pull request. I would need to have a minimal test case before I can merge that though. Can you produce one? I wouldn't want to merge this PR as it might just fix a symptom, and not the real cause. And I would also not want to reintroduce the bug in the future, so a test case is really needed.

cheers,
Derick

derick

2019-04-26 10:25

administrator   ~0005009

Would you please have a test case?

derick

2019-06-28 11:50

administrator   ~0005048

I am pretty sure this has the same root cause as the issue described in 0001665. I'm therefore merging them, and marking this one as duplicate.

Issue History

Date Modified Username Field Change
2019-03-26 19:25 stantheman New Issue
2019-03-26 19:34 stantheman Note Added: 0004978
2019-04-03 15:53 derick Assigned To => derick
2019-04-03 15:53 derick Status new => feedback
2019-04-03 15:53 derick Note Added: 0004982
2019-04-26 10:25 derick Note Added: 0005009
2019-06-28 11:50 derick Status feedback => resolved
2019-06-28 11:50 derick Resolution open => duplicate
2019-06-28 11:50 derick Note Added: 0005048
2019-06-28 11:50 derick Relationship added duplicate of 0001665