View Issue Details

ID: 0002252
Project: Xdebug
Category: Code Coverage
View Status: public
Last Update: 2024-11-27 16:00
Reporter: JoshuaBehrens
Assigned To: derick
Priority: normal
Severity: crash
Reproducibility: always
Status: acknowledged
Resolution: open
OS: Debian
OS Version: buster
Product Version: 3.3.1
Target Version: 3.3dev
Summary: 0002252: Running phpunit in coverage triggers segfault in xdebug_branch_info_mark_reached
Description

When using php 8.2.17 and xdebug 3.3.1, a phpunit 9 coverage test run triggers a segfault.

Steps To Reproduce

$ git clone https://github.com/HEPTACOM/heptaconnect-framework
$ cd heptaconnect-framework
$ git checkout 0.10.x
$ composer install
$ XDEBUG_MODE=coverage php vendor/bin/phpunit --config=test/phpunit.xml --coverage-text

The segfault breakpoint should trigger at https://github.com/xdebug/xdebug/blob/5115378c10642280f8f70034afd6401355f6e620/src/coverage/branch_info.c#L383-L387

Most of the time (flaky due to phpunit randomOrder) the method that is referenced in the stack trace is Heptacom\HeptaConnect\Dataset\Base\Support\AbstractCollection->getIterator. I was not yet able to reduce the test to a certain test that fails, as I did not understand how to get the stack trace out of it.

Additional Information

Our CI, using the same docker image (heptacom/heptaconnect-pipeline:php81-8.0.0, based on debian:buster-slim), always runs into the segfault when running the coverage tests. Running locally on macOS 14 I get into the same issue. When I bisected my way to the broken commit I noticed that https://github.com/xdebug/xdebug/commit/7d5e2e91f4b08eb673a20c8f57abfc1507889b27 broke it for php 8.2.17, but after reverting the changes I noticed changes in xdebug_execute_ex where a not operation was missing and has been moved to a wrapper with a comment (https://github.com/xdebug/xdebug/blame/5115378c10642280f8f70034afd6401355f6e620/src/base/base.c#L857-L873), and having no not in this wrapper solves it for me. But I do not know why. I have also seen list structs where size and count were not 32 items apart (which seems to be the standard list memory append buffer size) but multiple thousands. So I assume it is just the wrong memory displayed at this struct.

The gdb and valgrind output is from the pipeline image, which has no debug symbols installed, so I am not sure how helpful this is.

GDB
xdebug_branch_info_mark_reached (filename=0x7fabf65d1e60, function_name=function_name@entry=0x7ffd58dcd490 "Heptacom\HeptaConnect\Dataset\Base\Support\AbstractCollection->getIterator", op_array=op_array@entry=0x7fabf65df3b8,
opcode_nr=opcode_nr@entry=0) at ./build-8.1/src/coverage/branch_info.c:384
384 ./build-8.1/src/coverage/branch_info.c: No such file or directory.
(gdb) bt full
#0 xdebug_branch_info_mark_reached (filename=0x7fabf65d1e60, function_name=function_name@entry=0x7ffd58dcd490 "Heptacom\HeptaConnect\Dataset\Base\Support\AbstractCollection->getIterator", op_array=op_array@entry=0x7fabf65df3b8,
opcode_nr=opcode_nr@entry=0) at ./build-8.1/src/coverage/branch_info.c:384
i = 4331518
key = <optimized out>
dummy = 0x7ffd58dcd420
tail_fse = 0x557570420c30
file = 0x55756e3e3900
function = 0x55756c29bfa0
branch_info = 0x55756c29b770
#1 0x00007fabf9283507 in xdebug_print_opcode_info (cur_opcode=0x7fabf65d0e00, execute_data=<optimized out>, execute_data=<optimized out>) at ./build-8.1/src/coverage/code_coverage.c:171
op_array = 0x7fabf65df3b8
func_info = {object_class = 0x7fabf65c05a0, scope_class = 0x0, function = 0x7fabf6421c80, include_filename = 0x0, type = 3, internal = 0}
function_name = "Heptacom\HeptaConnect\Dataset\Base\Support\AbstractCollection->getIterator\000\000\000\000\000\000\030", '\000' <repeats 15 times>, "x\375\377\377\377\377\377\377\360E\023luU\000\000\000\000\000\000\000\000\000\000\243\325N\373\253\177\000\000x\375\377\377\377\377\377\377\340\233\005iuU\000\000@F\023luU\000\000\340\211muU\000\000\340\233\005iuU\000\000\214'\371\253\177\000\000\v\000\000\000\000\000\000\000P\207`muU\000\000\360K\004iuU\000\000"...
opnr = 0
#2 0x00007fabf9284340 in xdebug_common_override_handler (execute_data=0x7fabf901b4e0) at ./build-8.1/src/coverage/code_coverage.c:239
lineno = 90
op_array = 0x7fabf65df3b8
cur_opcode = 0x7fabf65d0e00
#3 0x000055756875e8b9 in ?? ()
No symbol table info available.
#4 0x000055756875f310 in execute_ex ()
No symbol table info available.
#5 0x00005575686eb34e in zend_call_function ()
No symbol table info available.
#6 0x00005575686eb611 in zend_call_known_function ()
No symbol table info available.
#7 0x000055756876bf48 in zend_user_it_new_iterator ()
No symbol table info available.
#8 0x000055756876bf7e in zend_user_it_get_new_iterator ()

valgrind
==874== Memcheck, a memory error detector
==874== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==874== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==874== Command: /usr/bin/php vendor/bin/phpunit --config=test/phpunit.xml --coverage-text
==874==
==874== Invalid read of size 4
==874== at 0x7B2E591: xdebug_branch_info_mark_reached (branch_info.c:383)
==874== by 0x7B2F506: xdebug_print_opcode_info.isra.4 (code_coverage.c:171)
==874== by 0x7B3033F: xdebug_common_override_handler (code_coverage.c:239)
==874== by 0x44F8B8: ??? (in /usr/bin/php8.1)
==874== by 0x45030F: execute_ex (in /usr/bin/php8.1)
==874== by 0x3DC34D: zend_call_function (in /usr/bin/php8.1)
==874== by 0x3DC610: zend_call_known_function (in /usr/bin/php8.1)
==874== by 0x45CF47: zend_user_it_new_iterator (in /usr/bin/php8.1)
==874== by 0x45CF7D: zend_user_it_get_new_iterator (in /usr/bin/php8.1)
==874== by 0x40A06A: ??? (in /usr/bin/php8.1)
==874== by 0x41BBCA: ??? (in /usr/bin/php8.1)
==874== by 0x45030F: execute_ex (in /usr/bin/php8.1)
==874== Address 0x13529294 is 4 bytes after a block of size 32 alloc'd
==874== at 0x483577F: malloc (vg_replace_malloc.c:299)
==874== by 0x7B22052: xdebug_llist_alloc (llist.c:26)
==874== by 0x7B1FF7B: xdebug_hash_alloc (hash.c:94)
==874== by 0x7B2E39D: xdebug_branch_find_paths (branch_info.c:328)
==874== by 0x7B2FF47: prefill_from_oparray (code_coverage.c:558)
==874== by 0x7B30292: prefill_from_function_table (code_coverage.c:577)
==874== by 0x7B30292: prefill_from_function_table (code_coverage.c:573)
==874== by 0x7B30292: prefill_from_class_table (code_coverage.c:599)
==874== by 0x7B30292: xdebug_prefill_code_coverage (code_coverage.c:627)
==874== by 0x7B303CC: xdebug_code_coverage_start_of_function (code_coverage.c:637)
==874== by 0x7B309FB: xdebug_coverage_execute_ex (code_coverage.c:984)
==874== by 0x7B1B64E: xdebug_execute_user_code_begin (base.c:777)
==874== by 0x480A68: ??? (in /usr/bin/php8.1)
==874== by 0x21E5CF: ??? (in /usr/bin/php8.1)
==874== by 0x45030F: execute_ex (in /usr/bin/php8.1)

Tags: segfault
Operating System: MacOS 14, Debian buster
PHP Version: 8.2.0-8.2.9
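The crash site quoted above indexes branches[last_branch_nr[depth]].outs[i], and valgrind shows that subscript reaching memory outside the allocated block. The following is a constructed C model added here (not Xdebug's code) that keeps that indexing shape but validates the per-depth branch number against the branch count before subscripting, so a stale index is reported instead of read. Apart from branches, outs and last_branch_nr, every name (outs_count, count, MAX_DEPTH, MAX_OUTS, the demo functions and the sample data) is an assumption made for the demo.

```c
/* Constructed model of what branch_info.c:384 indexes:
 * branches[last_branch_nr[depth]].outs[i]. Apart from "branches", "outs" and
 * "last_branch_nr", every name here is an assumption, not Xdebug's own. */
#define MAX_DEPTH 8  /* assumed stack-depth limit for the demo */
#define MAX_OUTS  2  /* assumed successor slots per branch */

typedef struct {
    unsigned int outs_count;      /* assumed: valid entries in outs[] */
    int          outs[MAX_OUTS];  /* assumed: successor opcode numbers */
} branch_t;

typedef struct {
    unsigned int    count;        /* assumed: entries in branches[] */
    const branch_t *branches;
} branch_info_t;

/* Per-stack-depth "last branch taken", the role of
 * XG_COV(branches).last_branch_nr[XDEBUG_VECTOR_COUNT(XG_BASE(stack))]. */
static int last_branch_nr[MAX_DEPTH];

/* Hardened lookup: 1 if opcode_nr is a recorded successor of the last branch
 * at this depth, 0 if not, -1 if the bookkeeping is inconsistent. The unchecked
 * form, branches[last_branch_nr[depth]].outs[i] with a stale or out-of-range
 * index, is the kind of read valgrind flags as "Invalid read of size 4". */
static int mark_reached_checked(const branch_info_t *bi, int depth, int opcode_nr)
{
    if (depth < 0 || depth >= MAX_DEPTH) return -1;
    int nr = last_branch_nr[depth];
    if (nr < 0 || (unsigned int)nr >= bi->count) return -1;  /* the missing bound */
    const branch_t *b = &bi->branches[nr];
    unsigned int n = b->outs_count < MAX_OUTS ? b->outs_count : MAX_OUTS;
    for (unsigned int i = 0; i < n; i++)
        if (b->outs[i] == opcode_nr) return 1;
    return 0;
}

/* Constructed sample: two branches, so any last_branch_nr >= 2 is invalid. */
static const branch_t      sample_branches[2] = { { 2, { 3, 7 } }, { 1, { 5, 0 } } };
static const branch_info_t sample             = { 2, sample_branches };

int demo_valid(void)   /* depth 0 -> branch 0, whose successors include 7 */
{
    last_branch_nr[0] = 0;
    return mark_reached_checked(&sample, 0, 7);   /* 1 */
}

int demo_stale(void)   /* depth 1 carries a stale index: refused, not read */
{
    last_branch_nr[1] = 7;
    return mark_reached_checked(&sample, 1, 7);   /* -1 */
}
```

Running the same model under valgrind with the bound check removed is a quick way to confirm that the tool reports the stale index as an invalid read, which is the signature to look for in the traces above.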

Relationships

has duplicate 0002254 (resolved, derick): Segmentation fault in mark_fse_as_having_line_breakpoints on php-fpm 8.1.27
has duplicate 0002236 (resolved, derick): SIGSEGV in zend_string_equal_content
has duplicate 0002241 (resolved, derick): Segmentation fault - Symfony 6.2.1 - Sulu cms
has duplicate 0002290 (resolved, derick): Process crash when used with php-cgi.exe

Activities

derick

2024-03-21 13:56

administrator   ~0006864

I can reproduce this, with your information.

I have also found out a few tests for which this happens:

[0x555556ff7930] Heptacom\HeptaConnect\Core\Test\ComposerPackageConfigurationLoaderTest->testLoadingPlugin() 
/tmp/heptaconnect-framework/test/Core/ComposerPackageConfigurationLoaderTest.php:28 
[0x555556ff7930] Heptacom\HeptaConnect\Core\Test\Web\Http\HttpHandleServiceTest->testActingFails() 

Running these single ones with GDB:

(gdb) bt
#0  0x00007ffff3c83c06 in xdebug_path_add (path=0x7fffeada7550, nr=0) at /home/derick/dev/php/xdebug-xdebug/src/coverage/branch_info.c:159
#1  0x00007ffff3c846bc in xdebug_branch_info_mark_reached (filename=0x5555580d6388, 
    function_name=0x7fffffff8270 "Heptacom\\HeptaConnect\\Dataset\\Base\\Support\\AbstractCollection->getIterator", op_array=0x5555580e53f0, opcode_nr=0)
    at /home/derick/dev/php/xdebug-xdebug/src/coverage/branch_info.c:393
#2  0x00007ffff3c8549b in xdebug_print_opcode_info (execute_data=0x7ffff3a16290, cur_opcode=0x5555580d7d28)
    at /home/derick/dev/php/xdebug-xdebug/src/coverage/code_coverage.c:171
#3  0x00007ffff3c857a6 in xdebug_common_override_handler (execute_data=0x7ffff3a16290) at /home/derick/dev/php/xdebug-xdebug/src/coverage/code_coverage.c:239

and

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff3c8455b in xdebug_branch_info_mark_reached (filename=0x555558446068, function_name=0x7fffffff7ff0 "Heptacom\\HeptaConnect\\Portal\\Base\\Support\\Contract\\DeepObjectIteratorContract->iterateIterable", op_array=0x555558446828, opcode_nr=0)
    at /home/derick/dev/php/xdebug-xdebug/src/coverage/branch_info.c:384
384                 if (branch_info->branches[XG_COV(branches).last_branch_nr[XDEBUG_VECTOR_COUNT(XG_BASE(stack))]].outs[i] == opcode_nr) {
(gdb) bt
#0  0x00007ffff3c8455b in xdebug_branch_info_mark_reached (filename=0x555558446068, function_name=0x7fffffff7ff0 "Heptacom\\HeptaConnect\\Portal\\Base\\Support\\Contract\\DeepObjectIteratorContract->iterateIterable", op_array=0x555558446828, 
    opcode_nr=0) at /home/derick/dev/php/xdebug-xdebug/src/coverage/branch_info.c:384
#1  0x00007ffff3c8549b in xdebug_print_opcode_info (execute_data=0x7ffff3a16530, cur_opcode=0x555558446930) at /home/derick/dev/php/xdebug-xdebug/src/coverage/code_coverage.c:171
#2  0x00007ffff3c8551a in xdebug_check_branch_entry_handler (execute_data=0x7ffff3a16530) at /home/derick/dev/php/xdebug-xdebug/src/coverage/code_coverage.c:180
#3  0x0000555555d30253 in ZEND_USER_OPCODE_SPEC_HANDLER () at /home/derick/dev/php/php-src.git/Zend/zend_vm_execute.h:3239

The Valgrind output is similar, but not the same:

==2114522== Invalid read of size 4
==2114522==    at 0x8F525EE: xdebug_branch_info_mark_reached (branch_info.c:383)
==2114522==    by 0x8F5349A: xdebug_print_opcode_info (code_coverage.c:171)
==2114522==    by 0x8F537A5: xdebug_common_override_handler (code_coverage.c:239)
==2114522==    by 0xA38252: ZEND_USER_OPCODE_SPEC_HANDLER (zend_vm_execute.h:3239)

vs

==2115409== Invalid read of size 4
==2115409==    at 0x8F51BA2: xdebug_path_add (branch_info.c:155)
==2115409==    by 0x8F526BB: xdebug_branch_info_mark_reached (branch_info.c:393)
==2115409==    by 0x8F5349A: xdebug_print_opcode_info (code_coverage.c:171)
==2115409==    by 0x8F537A5: xdebug_common_override_handler (code_coverage.c:239)
==2115409==    by 0xA38252: ZEND_USER_OPCODE_SPEC_HANDLER (zend_vm_execute.h:3239)

qkdreyer

2024-08-30 09:23

reporter   ~0007047

I believe that https://github.com/xdebug/xdebug/commit/91bfb654b0a6cfed63d327728db8ec2f3f82c97a is the faulty commit

Issue History

Date Modified Username Field Change
2024-03-21 09:10 JoshuaBehrens New Issue
2024-03-21 09:10 JoshuaBehrens Tag Attached: segfault
2024-03-21 13:56 derick Assigned To => derick
2024-03-21 13:56 derick Status new => acknowledged
2024-03-21 13:56 derick Note Added: 0006864
2024-03-28 16:57 derick Relationship added has duplicate 0002254
2024-03-28 16:59 derick Relationship added has duplicate 0002236
2024-03-28 17:00 derick Relationship added has duplicate 0002241
2024-07-18 13:27 derick Target Version => 3.3dev
2024-08-30 09:23 qkdreyer Note Added: 0007047
2024-11-27 16:00 derick Relationship added has duplicate 0002290