View Issue Details

ID: 0002232
Project: Xdebug
Category: Uncategorized
View Status: public
Last Update: 2024-01-15 20:22
Reporter: edsrzf
Assigned To: derick
Priority: normal
Severity: crash
Reproducibility: always
Status: resolved
Resolution: no change required
OS: Debian
OS Version: 11.8
Product Version: 3.3.1
Summary: 0002232: Segmentation fault with Symfony dependency injection and ddtrace extension
Description

When trying to upgrade my Symfony application to Xdebug 3.3.1, I experience a segmentation fault when making certain requests. It seems to be related to the service container based on the PHP stack trace. My code doesn't even get a chance to execute.

Other observations:

  • It only happens when the ddtrace extension is also installed and enabled.
  • It happens most often on the first request, when the service container needs to be dumped to PHP.
Steps To Reproduce

I've created a GitHub repository here, with steps to reproduce: https://github.com/edsrzf/xdebug-segfault

  • git clone git@github.com:edsrzf/xdebug-segfault.git
  • docker build -t xdebug-segfault .
  • docker run --rm xdebug-segfault

Notice that the exit code is 139, which indicates a segmentation fault. It doesn't output "Segmentation fault" on my machine when run this way, but if I create a shell in the container with docker run --rm -it xdebug-segfault /bin/bash, then run src/entry, I do see "Segmentation fault".

I tried to make the code as minimal as possible, but it still has a few Composer dependencies and multiple files. Apologies, but I definitely spent more than the "several hours" mentioned in the bug reporting guide getting to this point. :)

I imagine it should also be possible to reproduce on Linux outside of Docker as long as ddtrace is installed.

Additional Information

Output of php -v:

PHP 8.3.0 (cli) (built: Dec 19 2023 03:56:34) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.3.0, Copyright (c) Zend Technologies
with Xdebug v3.3.1, Copyright (c) 2002-2023, by Derick Rethans
with ddtrace v0.95.0, Copyright Datadog, by Datadog
with ddappsec v0.95.0, Copyright Datadog, by Datadog

I've attached full GDB backtrace and valgrind logs.

Tags: No tags attached.
Attached Files
valgrind.log (10,563 bytes)   
==46== Memcheck, a memory error detector
==46== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==46== Using Valgrind-3.19.0 and LibVEX; rerun with -h for copyright info
==46== Command: php src/entry
==46== 
==47== Warning: invalid file descriptor 1048564 in syscall close()
==48== 
==48== Process terminating with default action of signal 6 (SIGABRT)
==48==    at 0x54B09D0: __pthread_kill_implementation (pthread_kill.c:44)
==48==    by 0x546A76B: raise (raise.c:26)
==48==    by 0x54574BB: abort (abort.c:79)
==48==    by 0x901D7FF: panic_abort::__rust_start_panic::abort (in /usr/local/lib/php/extensions/no-debug-non-zts-20230831/ddtrace.so)
==48==    by 0x901D7FF: panic_abort::__rust_start_panic::abort (in /usr/local/lib/php/extensions/no-debug-non-zts-20230831/ddtrace.so)
==48==    by 0x901D7FF: panic_abort::__rust_start_panic::abort (in /usr/local/lib/php/extensions/no-debug-non-zts-20230831/ddtrace.so)
==48==    by 0x901D7FF: panic_abort::__rust_start_panic::abort (in /usr/local/lib/php/extensions/no-debug-non-zts-20230831/ddtrace.so)
==48==    by 0x901D7FF: panic_abort::__rust_start_panic::abort (in /usr/local/lib/php/extensions/no-debug-non-zts-20230831/ddtrace.so)
==48==    by 0x901D7FF: panic_abort::__rust_start_panic::abort (in /usr/local/lib/php/extensions/no-debug-non-zts-20230831/ddtrace.so)
==48==    by 0x901D7FF: panic_abort::__rust_start_panic::abort (in /usr/local/lib/php/extensions/no-debug-non-zts-20230831/ddtrace.so)
==48==    by 0x901D7FF: panic_abort::__rust_start_panic::abort (in /usr/local/lib/php/extensions/no-debug-non-zts-20230831/ddtrace.so)
==48==    by 0x901D7FF: panic_abort::__rust_start_panic::abort (in /usr/local/lib/php/extensions/no-debug-non-zts-20230831/ddtrace.so)
==48== 
==48== HEAP SUMMARY:
==48==     in use at exit: 3,046,868 bytes in 23,169 blocks
==48==   total heap usage: 26,242 allocs, 3,073 frees, 3,944,973 bytes allocated
==48== 
==47== 
==47== HEAP SUMMARY:
==47==     in use at exit: 2,814,529 bytes in 20,491 blocks
==47==   total heap usage: 26,238 allocs, 5,747 frees, 3,944,849 bytes allocated
==47== 
==48== LEAK SUMMARY:
==48==    definitely lost: 27,392 bytes in 856 blocks
==48==    indirectly lost: 40 bytes in 1 blocks
==48==      possibly lost: 2,172,334 bytes in 16,591 blocks
==48==    still reachable: 847,102 bytes in 5,721 blocks
==48==         suppressed: 0 bytes in 0 blocks
==48== Rerun with --leak-check=full to see details of leaked memory
==48== 
==48== For lists of detected and suppressed errors, rerun with: -s
==48== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
==47== LEAK SUMMARY:
==47==    definitely lost: 27,392 bytes in 856 blocks
==47==    indirectly lost: 40 bytes in 1 blocks
==47==      possibly lost: 2,167,726 bytes in 16,589 blocks
==47==    still reachable: 619,371 bytes in 3,045 blocks
==47==         suppressed: 0 bytes in 0 blocks
==47== Rerun with --leak-check=full to see details of leaked memory
==47== 
==47== For lists of detected and suppressed errors, rerun with: -s
==47== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
Failed connecting to the sidecar: Connection refused (os error 111)
==49== Warning: invalid file descriptor 1048564 in syscall close()
==50== 
==50== Process terminating with default action of signal 6 (SIGABRT)
==50==    at 0x54B09D0: __pthread_kill_implementation (pthread_kill.c:44)
==50==    by 0x546A76B: raise (raise.c:26)
==50==    by 0x54574BB: abort (abort.c:79)
==50==    by 0x901D7FF: panic_abort::__rust_start_panic::abort (in /usr/local/lib/php/extensions/no-debug-non-zts-20230831/ddtrace.so)
==50==    by 0x901D7FF: panic_abort::__rust_start_panic::abort (in /usr/local/lib/php/extensions/no-debug-non-zts-20230831/ddtrace.so)
==50==    by 0x901D7FF: panic_abort::__rust_start_panic::abort (in /usr/local/lib/php/extensions/no-debug-non-zts-20230831/ddtrace.so)
==50==    by 0x901D7FF: panic_abort::__rust_start_panic::abort (in /usr/local/lib/php/extensions/no-debug-non-zts-20230831/ddtrace.so)
==50==    by 0x901D7FF: panic_abort::__rust_start_panic::abort (in /usr/local/lib/php/extensions/no-debug-non-zts-20230831/ddtrace.so)
==50==    by 0x901D7FF: panic_abort::__rust_start_panic::abort (in /usr/local/lib/php/extensions/no-debug-non-zts-20230831/ddtrace.so)
==50==    by 0x901D7FF: panic_abort::__rust_start_panic::abort (in /usr/local/lib/php/extensions/no-debug-non-zts-20230831/ddtrace.so)
==50==    by 0x901D7FF: panic_abort::__rust_start_panic::abort (in /usr/local/lib/php/extensions/no-debug-non-zts-20230831/ddtrace.so)
==50==    by 0x901D7FF: panic_abort::__rust_start_panic::abort (in /usr/local/lib/php/extensions/no-debug-non-zts-20230831/ddtrace.so)
==50== 
==50== HEAP SUMMARY:
==50==     in use at exit: 3,046,868 bytes in 23,169 blocks
==50==   total heap usage: 26,416 allocs, 3,247 frees, 3,962,007 bytes allocated
==50== 
==49== 
==49== HEAP SUMMARY:
==49==     in use at exit: 2,814,529 bytes in 20,491 blocks
==49==   total heap usage: 26,412 allocs, 5,921 frees, 3,961,883 bytes allocated
==49== 
==50== LEAK SUMMARY:
==50==    definitely lost: 27,392 bytes in 856 blocks
==50==    indirectly lost: 40 bytes in 1 blocks
==50==      possibly lost: 2,172,334 bytes in 16,591 blocks
==50==    still reachable: 847,102 bytes in 5,721 blocks
==50==         suppressed: 0 bytes in 0 blocks
==50== Rerun with --leak-check=full to see details of leaked memory
==50== 
==50== For lists of detected and suppressed errors, rerun with: -s
==50== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
==49== LEAK SUMMARY:
==49==    definitely lost: 27,392 bytes in 856 blocks
==49==    indirectly lost: 40 bytes in 1 blocks
==49==      possibly lost: 2,167,726 bytes in 16,589 blocks
==49==    still reachable: 619,371 bytes in 3,045 blocks
==49==         suppressed: 0 bytes in 0 blocks
==49== Rerun with --leak-check=full to see details of leaked memory
==49== 
==49== For lists of detected and suppressed errors, rerun with: -s
==49== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
Failed connecting to the sidecar: Connection refused (os error 111)
==46== Conditional jump or move depends on uninitialised value(s)
==46==    at 0x9071B34: regex_syntax::ast::parse::ParserI<P>::parse_counted_repetition (in /usr/local/lib/php/extensions/no-debug-non-zts-20230831/ddtrace.so)
==46==    by 0x90353B3: regex_automata::meta::regex::Builder::build (in /usr/local/lib/php/extensions/no-debug-non-zts-20230831/ddtrace.so)
==46==    by 0x901E5BF: regex::regex::string::Regex::new (in /usr/local/lib/php/extensions/no-debug-non-zts-20230831/ddtrace.so)
==46==    by 0x8E72A77: std::sys_common::once::futex::Once::call (in /usr/local/lib/php/extensions/no-debug-non-zts-20230831/ddtrace.so)
==46==    by 0x8E7234F: std::sys_common::once::futex::Once::call (in /usr/local/lib/php/extensions/no-debug-non-zts-20230831/ddtrace.so)
==46==    by 0x8ECBF7B: ddtrace_get_container_id (in /usr/local/lib/php/extensions/no-debug-non-zts-20230831/ddtrace.so)
==46==    by 0x8EAF143: dd_agent_headers_alloc (coms.c:692)
==46==    by 0x8EB0297: ddtrace_coms_init_and_start_writer (coms.c:1097)
==46==    by 0x54B3DC7: __pthread_once_slow (pthread_once.c:116)
==46==    by 0x8EA610B: dd_initialize_request (ddtrace.c:949)
==46==    by 0x8EA772B: zm_activate_ddtrace (ddtrace.c:1008)
==46==    by 0x57D5CF: zend_activate_modules (in /usr/local/bin/php)
==46== 
[critical] Uncaught Error: Class "Symfony\Component\Console\Application" not found
==46== Invalid read of size 8
==46==    at 0x8ACB0FC: zval_from_stack_add_frame_variables (stack.c:431)
==46==    by 0x8ACB0FC: zval_from_stack_add_frame (stack.c:467)
==46==    by 0x8ACB4CB: zval_from_stack (stack.c:495)
==46==    by 0x8ACD6CB: xdebug_develop_throw_exception_hook (stack.c:1252)
==46==    by 0x8AA597B: xdebug_throw_exception_hook (base.c:1580)
==46==    by 0x8AA597B: xdebug_throw_exception_hook (base.c:1532)
==46==    by 0x248E97: zend_throw_exception_internal (in /usr/local/bin/php)
==46==    by 0x248FBF: ??? (in /usr/local/bin/php)
==46==    by 0x24906B: zend_throw_exception (in /usr/local/bin/php)
==46==    by 0x24916F: zend_throw_exception_ex (in /usr/local/bin/php)
==46==    by 0x408443: ??? (in /usr/local/bin/php)
==46==    by 0x246B93: ??? (in /usr/local/bin/php)
==46==    by 0x5FAE83: execute_ex (in /usr/local/bin/php)
==46==    by 0x246AF7: ??? (in /usr/local/bin/php)
==46==  Address 0x2a200a2a200a2e74 is not stack'd, malloc'd or (recently) free'd
==46== 
==46== 
==46== Process terminating with default action of signal 11 (SIGSEGV)
==46==  Access not within mapped region at address 0x200A2A200A2E74
==46==    at 0x8ACB0FC: zval_from_stack_add_frame_variables (stack.c:431)
==46==    by 0x8ACB0FC: zval_from_stack_add_frame (stack.c:467)
==46==    by 0x8ACB4CB: zval_from_stack (stack.c:495)
==46==    by 0x8ACD6CB: xdebug_develop_throw_exception_hook (stack.c:1252)
==46==    by 0x8AA597B: xdebug_throw_exception_hook (base.c:1580)
==46==    by 0x8AA597B: xdebug_throw_exception_hook (base.c:1532)
==46==    by 0x248E97: zend_throw_exception_internal (in /usr/local/bin/php)
==46==    by 0x248FBF: ??? (in /usr/local/bin/php)
==46==    by 0x24906B: zend_throw_exception (in /usr/local/bin/php)
==46==    by 0x24916F: zend_throw_exception_ex (in /usr/local/bin/php)
==46==    by 0x408443: ??? (in /usr/local/bin/php)
==46==    by 0x246B93: ??? (in /usr/local/bin/php)
==46==    by 0x5FAE83: execute_ex (in /usr/local/bin/php)
==46==    by 0x246AF7: ??? (in /usr/local/bin/php)
==46==  If you believe this happened as a result of a stack
==46==  overflow in your program's main thread (unlikely but
==46==  possible), you can try to increase the size of the
==46==  main thread stack using the --main-stacksize= flag.
==46==  The main thread stack size used in this run was 8388608.
==46== 
==46== HEAP SUMMARY:
==46==     in use at exit: 3,285,671 bytes in 23,999 blocks
==46==   total heap usage: 209,674 allocs, 185,675 frees, 36,010,370 bytes allocated
==46== 
==46== LEAK SUMMARY:
==46==    definitely lost: 27,392 bytes in 856 blocks
==46==    indirectly lost: 40 bytes in 1 blocks
==46==      possibly lost: 2,131,784 bytes in 15,383 blocks
==46==    still reachable: 1,126,455 bytes in 7,759 blocks
==46==         suppressed: 0 bytes in 0 blocks
==46== Rerun with --leak-check=full to see details of leaked memory
==46== 
==46== Use --track-origins=yes to see where uninitialised values come from
==46== For lists of detected and suppressed errors, rerun with: -s
==46== ERROR SUMMARY: 8 errors from 2 contexts (suppressed: 0 from 0)
gdb-bt-full (10,791 bytes)   
#0  0x0000fffff3f6b0fc in zval_from_stack_add_frame_variables (opa=0xfffff4063300, symbols=<optimized out>, edata=0x0, frame=0xfffff203a660)
    at /tmp/pear/temp/xdebug/src/develop/stack.c:431
        symbol_name = <optimized out>
        symbol = {value = {lval = 281474976689216, dval = 1.3906711614610732e-309, counted = 0xffffffffac40, str = 0xffffffffac40, arr = 0xffffffffac40,
            obj = 0xffffffffac40, res = 0xffffffffac40, ref = 0xffffffffac40, ast = 0xffffffffac40, zv = 0xffffffffac40, ptr = 0xffffffffac40, ce = 0xffffffffac40,
            func = 0xffffffffac40, ww = {w1 = 4294945856, w2 = 65535}}, u1 = {type_info = 4093031544, v = {type = 120 'x', type_flags = 180 '\264', u = {
                extra = 62454}}}, u2 = {next = 65535, cache_slot = 65535, opline_num = 65535, lineno = 65535, num_args = 65535, fe_pos = 65535, fe_iter_idx = 65535,
            guard = 65535, constant_flags = 65535, extra = 65535}}
        j = 0
        variables = {value = {lval = 281474754886552, dval = 1.3906700656103088e-309, counted = 0xfffff2c73b98, str = 0xfffff2c73b98, arr = 0xfffff2c73b98,
            obj = 0xfffff2c73b98, res = 0xfffff2c73b98, ref = 0xfffff2c73b98, ast = 0xfffff2c73b98, zv = 0xfffff2c73b98, ptr = 0xfffff2c73b98, ce = 0xfffff2c73b98,
            func = 0xfffff2c73b98, ww = {w1 = 4073143192, w2 = 65535}}, u1 = {type_info = 775, v = {type = 7 '\a', type_flags = 3 '\003', u = {extra = 0}}}, u2 = {
            next = 43690, cache_slot = 43690, opline_num = 43690, lineno = 43690, num_args = 43690, fe_pos = 43690, fe_iter_idx = 43690, guard = 43690,
            constant_flags = 43690, extra = 43690}}
#1  zval_from_stack_add_frame (output=0xfffff3fa2378 <xdebug_globals+1048>, fse=0xaaaaabe2e6a0, edata=0x0, add_local_vars=true, params_as_values=<optimized out>)
    at /tmp/pear/temp/xdebug/src/develop/stack.c:467
        frame = 0xfffff203a660
#2  0x0000fffff3f6b4cc in zval_from_stack (output=output@entry=0xfffff3fa2378 <xdebug_globals+1048>, add_local_vars=add_local_vars@entry=true,
    params_as_values=params_as_values@entry=true) at /tmp/pear/temp/xdebug/src/develop/stack.c:495
        fse = 0xaaaaabe2e6a0
        next_fse = 0xaaaaabe2e790
        i = 1
#3  0x0000fffff3f6d6cc in xdebug_develop_throw_exception_hook (exception=exception@entry=0xfffff2064820, file=file@entry=0xfffff2064878, line=line@entry=0xfffff2064888,
    code=code@entry=0xfffff2064868, code_str=code_str@entry=0x0, message=message@entry=0xfffff2064848) at /tmp/pear/temp/xdebug/src/develop/stack.c:1252
        exception_ce = 0xaaaaabcf16e0
        exception_trace = <optimized out>
        tmp_str = {l = 9019, a = 9572,
          d = 0xaaaaabe2b2e0 "\nReflectionException: Function include() does not exist in /root/vendor/symfony/var-dumper/Caster/ExceptionCaster.php on line 342\n\nCall Stack:\n    0.0078    2916064   1. {main}() /root/src/entry:0\n   "...}
        z_previous_exception = 0xaaaaabadff00 <executor_globals>
        z_last_exception_slot = <optimized out>
        z_previous_trace = <optimized out>
        previous_exception_obj = <optimized out>
        dummy = {value = {lval = 281474976689520, dval = 1.3906711614625751e-309, counted = 0xffffffffad70, str = 0xffffffffad70, arr = 0xffffffffad70,
            obj = 0xffffffffad70, res = 0xffffffffad70, ref = 0xffffffffad70, ast = 0xffffffffad70, zv = 0xffffffffad70, ptr = 0xffffffffad70, ce = 0xffffffffad70,
            func = 0xffffffffad70, ww = {w1 = 4294946160, w2 = 65535}}, u1 = {type_info = 4092876996, v = {type = 196 '\304', type_flags = 88 'X', u = {extra = 62452}}},
          u2 = {next = 65535, cache_slot = 65535, opline_num = 65535, lineno = 65535, num_args = 65535, fe_pos = 65535, fe_iter_idx = 65535, guard = 65535,
            constant_flags = 65535, extra = 65535}}
#4  0x0000fffff3f4597c in xdebug_throw_exception_hook (exception=0xfffff2064820) at /tmp/pear/temp/xdebug/src/base/base.c:1580
        code = 0xfffff2064868
        message = 0xfffff2064848
        file = 0xfffff2064878
        line = 0xfffff2064888
        exception_ce = <optimized out>
        code_str = 0x0
        dummy = {value = {lval = 281474976689648, dval = 1.3906711614632076e-309, counted = 0xffffffffadf0, str = 0xffffffffadf0, arr = 0xffffffffadf0,
            obj = 0xffffffffadf0, res = 0xffffffffadf0, ref = 0xffffffffadf0, ast = 0xffffffffadf0, zv = 0xffffffffadf0, ptr = 0xffffffffadf0, ce = 0xffffffffadf0,
            func = 0xffffffffadf0, ww = {w1 = 4294946288, w2 = 65535}}, u1 = {type_info = 3559593728, v = {type = 0 '\000', type_flags = 23 '\027', u = {
                extra = 54315}}}, u2 = {next = 4286588792, cache_slot = 4286588792, opline_num = 4286588792, lineno = 4286588792, num_args = 4286588792,
            fe_pos = 4286588792, fe_iter_idx = 4286588792, guard = 4286588792, constant_flags = 4286588792, extra = 4286588792}}
#5  xdebug_throw_exception_hook (exception=0xfffff2064820) at /tmp/pear/temp/xdebug/src/base/base.c:1532
        code = <optimized out>
        message = <optimized out>
        file = <optimized out>
        line = <optimized out>
        exception_ce = <optimized out>
        code_str = 0x0
        dummy = <optimized out>
#6  0x0000aaaaaabe0e98 in zend_throw_exception_internal ()
No symbol table info available.
#7  0x0000aaaaaabe0fc0 in ?? ()
No symbol table info available.
#8  0x0000aaaaaabe106c in zend_throw_exception ()
No symbol table info available.
#9  0x0000aaaaaabe1170 in zend_throw_exception_ex ()
No symbol table info available.
#10 0x0000aaaaaada0444 in ?? ()
No symbol table info available.
#11 0x0000aaaaaabdeb94 in ?? ()
No symbol table info available.
#12 0x0000aaaaaaf92e84 in execute_ex ()
No symbol table info available.
#13 0x0000aaaaaabdeaf8 in ?? ()
No symbol table info available.
#14 0x0000aaaaaaf92e84 in execute_ex ()
No symbol table info available.
#15 0x0000aaaaaabdeaf8 in ?? ()
No symbol table info available.
#16 0x0000aaaaaaf92e84 in execute_ex ()
No symbol table info available.
#17 0x0000aaaaaabdeaf8 in ?? ()
No symbol table info available.
#18 0x0000aaaaaaf92e84 in execute_ex ()
No symbol table info available.
#19 0x0000aaaaaabdeaf8 in ?? ()
No symbol table info available.
#20 0x0000aaaaaaf92e84 in execute_ex ()
No symbol table info available.
#21 0x0000aaaaaabdeaf8 in ?? ()
No symbol table info available.
#22 0x0000aaaaaaf92e84 in execute_ex ()
No symbol table info available.
#23 0x0000aaaaaabdeaf8 in ?? ()
No symbol table info available.
#24 0x0000aaaaaaf92e84 in execute_ex ()
No symbol table info available.
#25 0x0000aaaaaabdeaf8 in ?? ()
No symbol table info available.
#26 0x0000aaaaaaf92e84 in execute_ex ()
No symbol table info available.
#27 0x0000aaaaaabdeaf8 in ?? ()
No symbol table info available.
#28 0x0000aaaaaaf92e84 in execute_ex ()
No symbol table info available.
#29 0x0000aaaaaaefdf18 in zend_call_function ()
No symbol table info available.
#30 0x0000aaaaaaefe340 in _call_user_function_impl ()
No symbol table info available.
#31 0x0000fffff3af4268 in zim_DDTrace_ExceptionOrErrorHandler_execute (execute_data=0x308, return_value=0xfffff2216be0)
    at /home/circleci/datadog/tmp/build_extension/ext/handlers_exception.c:317
        params = {{value = {lval = 281474744019936, dval = 1.3906700119220923e-309, counted = 0xfffff2216be0, str = 0xfffff2216be0, arr = 0xfffff2216be0,
              obj = 0xfffff2216be0, res = 0xfffff2216be0, ref = 0xfffff2216be0, ast = 0xfffff2216be0, zv = 0xfffff2216be0, ptr = 0xfffff2216be0, ce = 0xfffff2216be0,
              func = 0xfffff2216be0, ww = {w1 = 4062276576, w2 = 65535}}, u1 = {type_info = 776, v = {type = 8 '\b', type_flags = 3 '\003', u = {extra = 0}}}, u2 = {
              next = 0, cache_slot = 0, opline_num = 0, lineno = 0, num_args = 0, fe_pos = 0, fe_iter_idx = 0, guard = 0, constant_flags = 0, extra = 0}}}
        __orig_bailout = 0xbd0
        __bailout = {{__jmpbuf = {281474744319208, 1, 0, 0, 281474976693688, 281474976693784, 187650001469184, 0, 0, 281474976693944, 281474976692512,
              11600046097445617978, 187649989111968, 11600046097375427078, 0, 0, 0, 0, 0, 0, 0, 0}, __mask_was_saved = 0, __saved_mask = {__val = {281474976693472,
                281474774622540, 187650004508256, 187650004936592, 0, 281474775004664, 281474976693536, 187649989008980, 187650001492804, 281474774366576,
                281474976693536, 187649989008948, 281474976693792, 281474744019936, 281474976693912, 281474976693928}}}}
        root_span = 0xfffff40ae000
        exception = 0xfffff2216be0
        span_exception = 0xfffff40ae0d8
        old_exception = {value = {lval = 3024, dval = 1.4940545130239295e-320, counted = 0xbd0, str = 0xbd0, arr = 0xbd0, obj = 0xbd0, res = 0xbd0, ref = 0xbd0,
            ast = 0xbd0, zv = 0xbd0, ptr = 0xbd0, ce = 0xbd0, func = 0xbd0, ww = {w1 = 3024, w2 = 0}}, u1 = {type_info = 1, v = {type = 1 '\001', type_flags = 0 '\000',
              u = {extra = 0}}}, u2 = {next = 0, cache_slot = 0, opline_num = 0, lineno = 0, num_args = 0, fe_pos = 0, fe_iter_idx = 0, guard = 0, constant_flags = 0,
            extra = 0}}
        has_bailout = false
        is_error_handler = <optimized out>
        handler = 0x1
#32 0x0000aaaaaaefdc48 in zend_call_function ()
No symbol table info available.
#33 0x0000aaaaaaefe340 in _call_user_function_impl ()
No symbol table info available.
#34 0x0000aaaaaabd1470 in zend_user_exception_handler ()
No symbol table info available.
#35 0x0000aaaaaaf0e310 in zend_execute_scripts ()
No symbol table info available.
#36 0x0000aaaaaaea0a40 in php_execute_script ()
No symbol table info available.
#37 0x0000aaaaab008070 in ?? ()
No symbol table info available.
#38 0x0000aaaaaabe8e50 in ?? ()
No symbol table info available.
#39 0x0000fffff72c7780 in __libc_start_call_main (main=main@entry=0xaaaaaabe8b80, argc=argc@entry=2, argv=argv@entry=0xfffffffffa28)
    at ../sysdeps/nptl/libc_start_call_main.h:58
        self = <optimized out>
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {281474976709160, 2, 187650000656552, 187649985776512, 281474976709184, 281474842483600, 0, 281474842484776,
                187650000656552, 0, 281474976708784, 11600046097520931942, 18410758676599740160, 11600046097375411094, 0, 0, 0, 0, 0, 0, 0, 0}, mask_was_saved = 0}},
          priv = {pad = {0x0, 0x0, 0xfffff7ffdb90 <_rtld_global_ro>, 0xfffff7440080 <_dl_audit_preinit@got.plt>}, data = {prev = 0x0, cleanup = 0x0,
              canceltype = -134227056}}}
        not_first_call = <optimized out>
#40 0x0000fffff72c7858 in __libc_start_main_impl (main=0xaaaaaabe8b80, argc=2, argv=0xfffffffffa28, init=<optimized out>, fini=<optimized out>,
    rtld_fini=<optimized out>, stack_end=<optimized out>) at ../csu/libc-start.c:360
No locals.
#41 0x0000aaaaaabe8f30 in _start ()
No symbol table info available.
Operating System: Debian 11.8
PHP Version: 8.2.0-8.2.9

Activities

derick

2024-01-02 17:55

administrator   ~0006747

When I try out your reproduce case, I only get:

derick@gargleblaster:/tmp/xdebug-segfault$ docker run --rm xdebug-segfault
[critical] Uncaught Error: Class "Symfony\Component\Console\Application" not found

edsrzf

2024-01-02 19:15

reporter   ~0006748

What exit code do you see? That's the same output I get, but exit code is 139, indicating segfault.

As mentioned in the report, if I run within a shell, I do see "Segmentation fault":

$ docker run --rm -it xdebug-segfault /bin/bash
$ src/entry

derick

2024-01-08 18:22

administrator   ~0006753

I managed to reproduce it. I had to remove the cache first :-) After installing Xdebug from source in the Docker container, I could reproduce this and dial into the problem. I believe this patch fixes this, and CI is now testing it:

https://github.com/xdebug/xdebug/pull/946

derick

2024-01-10 18:24

administrator   ~0006761

So, my fix doesn't actually fix this, and I also can't reproduce this locally. Not even with ddtrace installed. I've spent a lot of time on this now, and don't know what is going on here. I have made a PR against your branch, where it pulls the Xdebug sources from my special branch. Please merge that, so that a further go at fixing this might succeed.

derick

2024-01-15 15:17

administrator   ~0006774

Hi,

After many hours of debugging with Bob from Datadog, this turned out not to be a bug in Xdebug, but rather in Datadog's tracer.

Xdebug switched from overloading the Zend engine function execute_ex to the more modern Observer API that was recently introduced in PHP. With execute_ex overloading it is up to the extension to call the original one from within the overloaded handler, but with the Observer API it is PHP that takes care of calling pre- and post-hooks.

The problem occurred here when Datadog's Trace removed the post-hook incorrectly, rendering Xdebug's post-hook inoperable. This means that in some situations, this hook wasn't called, and Xdebug's idea of what the stack looked like had an extra item — which had already been freed. When Xdebug then tries to access data in this already freed stack frame, the crash occurs.

Datadog is working on a fix: https://github.com/DataDog/dd-trace-php/pull/2469, which should take care of fixing this.

As there is no bug in Xdebug, I am closing this report.
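
The hook mechanics described in the note above, modelled as an added C example (constructed here; it is not Xdebug's or dd-trace-php's code, and the engine, frames and hook tables are toy stand-ins for the Zend Observer API): a debugger-style extension mirrors the engine's call stack through begin/end hooks, a second extension wipes the end hooks when it registers, and the shadow stack is left holding pointers to frames the engine has already freed. The accessor shows the defensive cross-check that turns that dangling read into a detectable inconsistency instead of a segfault.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a PHP execute_data frame (not the real struct). */
typedef struct { char name[32]; } frame;

/* Observer-style hook tables: the engine, not an extension, invokes every
 * registered begin hook before a call and every end hook after it. */
typedef void (*hook_fn)(frame *);
#define MAXHOOKS 4
static hook_fn begin_hooks[MAXHOOKS], end_hooks[MAXHOOKS];
static int n_begin, n_end;
static int engine_depth;                  /* frames the engine has live now */

/* Debugger-like extension: mirrors the engine's call stack in a shadow stack,
 * the way Xdebug keeps its own frame list for stack traces. */
#define MAXDEPTH 16
static frame *shadow[MAXDEPTH];
static int shadow_depth;

/* Returns how many shadow entries point at frames the engine already freed. */
int shadow_stale_entries(void) {
    return shadow_depth > engine_depth ? shadow_depth - engine_depth : 0;
}

/* Safe accessor: copy out the innermost shadow frame's name only when the
 * shadow stack matches the engine; otherwise refuse rather than read through
 * a dangling pointer (the kind of read seen in the attached traces). */
bool shadow_top_name(char *out, size_t outlen) {
    if (shadow_depth == 0 || shadow_stale_entries() > 0) return false;
    strncpy(out, shadow[shadow_depth - 1]->name, outlen - 1);
    out[outlen - 1] = '\0';
    return true;
}

static void dbg_begin(frame *f) { if (shadow_depth < MAXDEPTH) shadow[shadow_depth++] = f; }
static void dbg_end(frame *f)   { (void)f; if (shadow_depth > 0) shadow_depth--; }

/* Second extension registered after the debugger. Its begin hook probes the
 * shadow stack; in the buggy variant its registration also wipes the end hooks
 * already installed, which is the post-hook removal described in the thread. */
static char probe_name[32];
static bool probe_ok;
static void tracer_begin(frame *f) { (void)f; probe_ok = shadow_top_name(probe_name, sizeof probe_name); }
static void tracer_register(bool clobber_end_hooks) {
    if (clobber_end_hooks) n_end = 0;
    begin_hooks[n_begin++] = tracer_begin;
}
const char *last_probe_name(void) { return probe_name; }
bool last_probe_ok(void) { return probe_ok; }

/* The engine: allocate a frame, run begin hooks, nest, run end hooks, free. */
static void engine_call(const char *name, int nest) {
    frame *f = calloc(1, sizeof *f);
    strncpy(f->name, name, sizeof f->name - 1);
    engine_depth++;
    for (int i = 0; i < n_begin; i++) begin_hooks[i](f);
    if (nest > 0) engine_call("inner", nest - 1);
    for (int i = 0; i < n_end; i++) end_hooks[i](f);
    engine_depth--;
    free(f);                /* any shadow entry still holding f is now dangling */
}

/* One scenario from a clean state: register the debugger, then the tracer,
 * run a nested call and a second top-level call; return the stale count. */
int run_scenario(bool buggy_tracer) {
    n_begin = n_end = 0; shadow_depth = 0; engine_depth = 0;
    probe_ok = false; probe_name[0] = '\0';
    begin_hooks[n_begin++] = dbg_begin;
    end_hooks[n_end++] = dbg_end;
    tracer_register(buggy_tracer);
    engine_call("main", 1);     /* main -> inner */
    engine_call("second", 0);   /* with end hooks gone, main/inner linger */
    return shadow_stale_entries();
}
int main(void) {
    return (run_scenario(false) == 0 && run_scenario(true) == 3) ? 0 : 1;
}
```

With balanced hooks the probe during "second" sees a consistent shadow stack; once the end hook has been dropped, the same probe refuses to dereference and three stale entries remain after the calls return.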

edsrzf

2024-01-15 20:22

reporter   ~0006780

Fantastic work! Thank you very much for the time spent resolving this!

Issue History

Date Modified Username Field Change
2023-12-27 09:50 edsrzf New Issue
2023-12-27 09:50 edsrzf File Added: valgrind.log
2023-12-27 09:50 edsrzf File Added: gdb-bt-full
2024-01-02 17:55 derick Assigned To => derick
2024-01-02 17:55 derick Status new => feedback
2024-01-02 17:55 derick Note Added: 0006747
2024-01-02 19:15 edsrzf Note Added: 0006748
2024-01-02 19:15 edsrzf Status feedback => assigned
2024-01-08 18:22 derick Status assigned => confirmed
2024-01-08 18:22 derick Note Added: 0006753
2024-01-10 18:24 derick Note Added: 0006761
2024-01-15 15:17 derick Status confirmed => resolved
2024-01-15 15:17 derick Resolution open => no change required
2024-01-15 15:17 derick Note Added: 0006774
2024-01-15 20:22 edsrzf Note Added: 0006780