View Issue Details

ID: 0002046
Project: Xdebug
Category: Tracing
View Status: public
Last Update: 2021-11-24 10:19
Reporter: eater
Assigned To: derick
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform: x86_64
OS: Void Linux
Product Version: 3.1.1
Fixed in Version: 3.1dev
Summary: 0002046: Segfault on xdebug_get_function_stack inside a Fiber
Description: When I call xdebug_get_function_stack inside a Fiber, I expect to see the function stack originating from the Fiber entry point.

Instead, PHP segfaults instantly.
Steps To Reproduce: Run the following on PHP 8.1.0RC6 with xdebug 3.1.1:

<?php

var_dump(xdebug_get_function_stack());   // works at top level
$f = new Fiber(function() {
  var_dump(debug_backtrace());           // closure frame carries no 'file'
  var_dump(xdebug_get_function_stack()); // segfaults here inside the Fiber
});

$f->start();

Additional Information: From preliminary inspection it looks like xdebug tries to retrieve the file of the Fiber (see https://github.com/xdebug/xdebug/blob/3.1.1/src/develop/stack.c#L1069 ),

but the closure has no file associated with it, as can be seen in PHP's backtrace, thus segfaulting on copying it.

Relevant valgrind/gdb excerpts (full logs in attachments):

valgrind:
==7423== Invalid read of size 1
==7423== at 0x60FDA75: zend_string_copy (zend_string.h:191)
==7423== by 0x60FDA75: zif_xdebug_get_function_stack (stack.c:1069)
==7423== by 0x60D991C: xdebug_execute_internal (base.c:897)
==7423== by 0x5D1B1B: ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:1872)
==7423== by 0x5D1B1B: execute_ex (zend_vm_execute.h:54541)
==7423== by 0x60D9081: xdebug_execute_ex (base.c:779)
==7423== by 0x55A7CF: zend_call_function (zend_execute_API.c:896)
==7423== by 0x5FD132: zend_fiber_execute (zend_fibers.c:475)
==7423== by 0x5FDE66: zend_fiber_trampoline (zend_fibers.c:287)
==7423== Address 0x4 is not stack'd, malloc'd or (recently) free'd

gdb:
Program received signal SIGSEGV, Segmentation fault.
zif_xdebug_get_function_stack (execute_data=<optimized out>, return_value=0x5555568acc20) at /builddir/xdebug-3.1.1/src/develop/stack.c:1069
Tags: No tags attached.
Operating System:
PHP Version: 8.1.0-8.1.4
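An added C model of the defect described above, not Xdebug's or PHP's code: the struct only mirrors the field order of PHP's zend_refcounted_h (refcount first, then type_info), and the type name, function names and flag value are assumptions made for the model. It shows why the faulting address in the valgrind excerpt is 0x4, and the NULL check a stack-walking copy needs when a frame carries no file name:

```c
/* Added example, not Xdebug's or PHP's code. The struct mirrors the field
 * order of PHP's zend_refcounted_h (refcount, then type_info); the type,
 * function names and the flag value are assumptions made for this model. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define STR_INTERNED 0x40u   /* "interned, never refcount" flag; assumed value */

typedef struct {
    uint32_t refcount;    /* offset 0 */
    uint32_t type_info;   /* offset 4: the flag bits a copy inspects first */
    size_t   len;
    char     val[32];
} model_string;

/* Unchecked copy in the style of zend_string_copy(): it reads the flags at
 * offset 4 before bumping the refcount. With s == NULL that read is a
 * 1-byte access at address 0x4, the access valgrind flagged in the report. */
model_string *copy_unchecked(model_string *s)
{
    if (!(s->type_info & STR_INTERNED)) {
        s->refcount++;
    }
    return s;
}

/* Hardened variant: a frame may legitimately carry no file name (the
 * fiber's closure frame in the report has none), so NULL means "no string"
 * and is passed through rather than dereferenced. */
model_string *copy_checked(model_string *s)
{
    if (s == NULL) {
        return NULL;
    }
    return copy_unchecked(s);
}

/* Offset a NULL dereference in copy_unchecked would touch first. */
size_t flags_offset(void)
{
    return offsetof(model_string, type_info);
}

/* Refcount of a fresh string after one checked copy (stays 1 if interned). */
unsigned refcount_after_copy(int interned)
{
    model_string s = { .refcount = 1, .type_info = interned ? STR_INTERNED : 0,
                       .len = 0, .val = "" };
    copy_checked(&s);
    return s.refcount;
}

/* Builds the 'file' entry for one stack frame: 1 if a file name was copied,
 * 0 if the frame had none, as the closure frame inside the fiber does. */
int frame_entry_has_file(int frame_has_file)
{
    model_string file = { .refcount = 1, .type_info = 0, .len = 20,
                          .val = "/home/eater/test.php" };   /* path from the report */
    model_string *copied = copy_checked(frame_has_file ? &file : NULL);
    return copied != NULL;
}

int main(void)
{
    printf("flags offset = %zu (compare: faulting address 0x4)\n", flags_offset());
    printf("{main} frame has file: %d\n", frame_entry_has_file(1));
    printf("{closure} frame has file: %d\n", frame_entry_has_file(0));
    printf("refcount after copy: normal=%u interned=%u\n",
           refcount_after_copy(0), refcount_after_copy(1));
    return 0;
}
```

The valgrind line "Invalid read of size 1 ... Address 0x4" is consistent with reading the flags of a NULL string pointer: refcount sits at offset 0 and type_info at offset 4, and copy_unchecked(NULL) in this model would fault at exactly that offset. copy_checked treats a missing file name as valid data rather than an invariant, which is what a frame entered through Fiber::start() can hand the stack walker.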

Relationships

duplicate of 0002036 (closed, derick): Segfault on fiber switch in finally block in garbage collected fiber

Activities

eater

2021-11-22 10:30

reporter  

valgrind.log (3,556 bytes)   
==7983== Memcheck, a memory error detector
==7983== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==7983== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
==7983== Command: php -d xdebug.mode=develop ./test.php
==7983== 
/home/eater/test.php:3:
array(1) {
  [0] =>
  array(4) {
    'function' =>
    string(6) "{main}"
    'file' =>
    string(20) "/home/eater/test.php"
    'line' =>
    int(0)
    'params' =>
    array(0) {
    }
  }
}
==7983== Warning: client switching stacks?  SP change: 0x1ffeffbfe0 --> 0x6e47fc0
==7983==          to suppress, use: --max-stackframe=137306521632 or greater
/home/eater/test.php:5:
array(2) {
  [0] =>
  array(2) {
    'function' =>
    string(9) "{closure}"
    'args' =>
    array(0) {
    }
  }
  [1] =>
  array(7) {
    'file' =>
    string(20) "/home/eater/test.php"
    'line' =>
    int(9)
    'function' =>
    string(5) "start"
    'class' =>
    string(5) "Fiber"
    'object' =>
    class Fiber#1 (0) {
    }
    'type' =>
    string(2) "->"
    'args' =>
    array(0) {
    }
  }
}
==7983== Invalid read of size 1
==7983==    at 0x60FDA75: zend_string_copy (zend_string.h:191)
==7983==    by 0x60FDA75: zif_xdebug_get_function_stack (stack.c:1069)
==7983==    by 0x60D991C: xdebug_execute_internal (base.c:897)
==7983==    by 0x5D1B1B: ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:1872)
==7983==    by 0x5D1B1B: execute_ex (zend_vm_execute.h:54541)
==7983==    by 0x60D9081: xdebug_execute_ex (base.c:779)
==7983==    by 0x55A7CF: zend_call_function (zend_execute_API.c:896)
==7983==    by 0x5FD132: zend_fiber_execute (zend_fibers.c:475)
==7983==    by 0x5FDE66: zend_fiber_trampoline (zend_fibers.c:287)
==7983==  Address 0x4 is not stack'd, malloc'd or (recently) free'd
==7983== 
==7983== 
==7983== Process terminating with default action of signal 11 (SIGSEGV)
==7983==  Access not within mapped region at address 0x4
==7983==    at 0x60FDA75: zend_string_copy (zend_string.h:191)
==7983==    by 0x60FDA75: zif_xdebug_get_function_stack (stack.c:1069)
==7983==    by 0x60D991C: xdebug_execute_internal (base.c:897)
==7983==    by 0x5D1B1B: ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:1872)
==7983==    by 0x5D1B1B: execute_ex (zend_vm_execute.h:54541)
==7983==    by 0x60D9081: xdebug_execute_ex (base.c:779)
==7983==    by 0x55A7CF: zend_call_function (zend_execute_API.c:896)
==7983==    by 0x5FD132: zend_fiber_execute (zend_fibers.c:475)
==7983==    by 0x5FDE66: zend_fiber_trampoline (zend_fibers.c:287)
==7983==  If you believe this happened as a result of a stack
==7983==  overflow in your program's main thread (unlikely but
==7983==  possible), you can try to increase the size of the
==7983==  main thread stack using the --main-stacksize= flag.
==7983==  The main thread stack size used in this run was 8388608.
==7983== 
==7983== HEAP SUMMARY:
==7983==     in use at exit: 3,045,394 bytes in 23,119 blocks
==7983==   total heap usage: 25,596 allocs, 2,477 frees, 4,089,403 bytes allocated
==7983== 
==7983== LEAK SUMMARY:
==7983==    definitely lost: 28,280 bytes in 884 blocks
==7983==    indirectly lost: 1,065 bytes in 2 blocks
==7983==      possibly lost: 2,133,914 bytes in 17,183 blocks
==7983==    still reachable: 882,135 bytes in 5,050 blocks
==7983==         suppressed: 0 bytes in 0 blocks
==7983== Rerun with --leak-check=full to see details of leaked memory
==7983== 
==7983== For lists of detected and suppressed errors, rerun with: -s
==7983== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
gdb.log (4,209 bytes)   
Starting program: /usr/bin/php -d xdebug.mode=develop ./test.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib64/libthread_db.so.1".
/home/eater/test.php:3:
array(1) {
  [0] =>
  array(4) {
    'function' =>
    string(6) "{main}"
    'file' =>
    string(20) "/home/eater/test.php"
    'line' =>
    int(0)
    'params' =>
    array(0) {
    }
  }
}

Program received signal SIGSEGV, Segmentation fault.
zif_xdebug_get_function_stack (execute_data=<optimized out>, return_value=0x5555568acc20) at /builddir/xdebug-3.1.1/src/develop/stack.c:1069
1069	/builddir/xdebug-3.1.1/src/develop/stack.c: No such file or directory.
(gdb) bt all
No symbol "all" in current context.
(gdb) bt full
#0  zif_xdebug_get_function_stack (execute_data=<optimized out>, return_value=0x5555568acc20) at /builddir/xdebug-3.1.1/src/develop/stack.c:1069
        sent_variables = <optimized out>
        fse = 0x5555568ab150
        i = 0
        j = <optimized out>
        frame = 0x5555568b1c80
        params = <optimized out>
        variadic_opened = 0
#1  0x00007ffff6ade91d in xdebug_execute_internal (current_execute_data=0x5555568acca0, return_value=0x5555568acc20) at /builddir/xdebug-3.1.1/src/base/base.c:897
        edata = <optimized out>
        fse = 0x5555568ab2f0
        function_nr = 6
        function_call_traced = <optimized out>
        restore_error_handler_situation = 0
        tmp_error_cb = 0x0
#2  0x00005555558c9b1c in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER () at /builddir/php-8.1.0RC6/Zend/zend_vm_execute.h:1872
        retval = <optimized out>
        call = 0x5555568acca0
        fbc = 0x55555687df30
        ret = <optimized out>
        call = <optimized out>
        fbc = <optimized out>
        ret = <optimized out>
        retval = <optimized out>
#3  execute_ex (ex=0x5555568b1768) at /builddir/php-8.1.0RC6/Zend/zend_vm_execute.h:54541
        vm_stack_data = {orig_opline = 0x7ffff6b20c80 <xdebug_globals>, orig_execute_data = 0x5555568ab220, hybrid_jit_red_zone = '\000' <repeats 15 times>}
#4  0x00007ffff6ade082 in xdebug_execute_ex (execute_data=0x5555568acbd0) at /builddir/xdebug-3.1.1/src/base/base.c:779
        op_array = 0x555556717b88
        edata = <optimized out>
        fse = 0x5555568acbd0
        function_nr = 5
        code_coverage_function_name = 0x0
        code_coverage_filename = 0x0
        code_coverage_init = 0
#5  0x00005555558527d0 in zend_call_function (fci=fci@entry=0x5555568b1e18, fci_cache=fci_cache@entry=0x5555568b1e58) at /builddir/php-8.1.0RC6/Zend/zend_execute_API.c:896
        orig_jit_trace_num = 0
        i = <optimized out>
        call = 0x5555568acbd0
        fci_cache_local = {function_handler = 0x770000007b, calling_scope = 0x7c00000072, called_scope = 0x0, object = 0x3ff}
        func = 0x555556717b88
        call_info = <optimized out>
        object_or_called_scope = <optimized out>
        orig_fake_scope = 0x0
#6  0x00005555558f5133 in zend_fiber_execute (transfer=0x7ffff62eefb0) at /builddir/php-8.1.0RC6/Zend/zend_fibers.c:475
        stack = <optimized out>
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {93825012538800, -6372625461540119318, 0, 0, 0, 0, -6372625461573673750, -947262616570127126}, __mask_was_saved = 0, __saved_mask = {__val = {0 <repeats 16 times>}}}}
        fiber = 0x5555568b1d70
        error_reporting = 22527
#7  0x00005555558f5e67 in zend_fiber_trampoline (data=...) at /builddir/php-8.1.0RC6/Zend/zend_fibers.c:287
        transfer = {context = 0x5555568749a0, value = {value = {lval = 0, dval = 0, counted = 0x0, str = 0x0, arr = 0x0, obj = 0x0, res = 0x0, ref = 0x0, ast = 0x0, zv = 0x0, ptr = 0x0, ce = 0x0, func = 0x0, ww = {w1 = 0, w2 = 0}}, u1 = {type_info = 1, v = {type = 1 '\001', type_flags = 0 '\000', u = {extra = 0}}}, 
            u2 = {next = 0, cache_slot = 0, opline_num = 0, lineno = 0, num_args = 0, fe_pos = 0, fe_iter_idx = 0, property_guard = 0, constant_flags = 0, extra = 0}}, flags = 0 '\000'}
        from = <optimized out>
        context = 0x5555568b1db0
#8  0x00005555557f876f in make_fcontext () at make_x86_64_sysv_elf_gas.S:71
No locals.
#9  0x0000000000000000 in ?? ()
No symbol table info available.

derick

2021-11-22 11:00

administrator   ~0006160

I can indeed reproduce this with Xdebug 3.1.1, but not with the latest code in the xdebug_3_1 branch. I think this is a duplicate of 0002036.

If you can try the latest xdebug_3_1 (or master) branch from GitHub to verify, that'd be great.

The fix for 0002036 will be in Xdebug 3.1.2, which I am intending to release this week.

eater

2021-11-22 11:15

reporter   ~0006161

Indeed, works for me on master! Thanks :)

Issue History

Date Modified Username Field Change
2021-11-22 10:30 eater New Issue
2021-11-22 10:30 eater File Added: valgrind.log
2021-11-22 10:30 eater File Added: gdb.log
2021-11-22 11:00 derick Assigned To => derick
2021-11-22 11:00 derick Status new => feedback
2021-11-22 11:00 derick Note Added: 0006160
2021-11-22 11:15 eater Note Added: 0006161
2021-11-22 11:15 eater Status feedback => assigned
2021-11-24 10:19 derick Status assigned => closed
2021-11-24 10:19 derick Resolution open => fixed
2021-11-24 10:19 derick Fixed in Version => 3.1dev
2021-11-24 10:19 derick Relationship added duplicate of 0002036