0002252: Running phpunit in coverage triggers segfault in xdebug_branch_info_mark_reached

ID	Project	Category	View Status	Date Submitted	Last Update

0002252	Xdebug	Code Coverage	public	2024-03-21 09:10	2024-03-28 18:14

Reporter	JoshuaBehrens	Assigned To	derick
Priority	normal	Severity	crash	Reproducibility	always
Status	acknowledged	Resolution	open
OS	Debian	OS Version	buster
Product Version	3.3.1

Summary	0002252: Running phpunit in coverage triggers segfault in xdebug_branch_info_mark_reached
Description	When using php 8.2.17 and xdebug 3.3.1 on phpunit 9 coverage test triggers a segfault
Steps To Reproduce	$ git clone https://github.com/HEPTACOM/heptaconnect-framework $ cd heptaconnect-framework $ git checkout 0.10.x $ composer install $ XDEBUG_MODE=coverage php vendor/bin/phpunit --config=test/phpunit.xml --coverage-text segfault breakpoint should trigger at https://github.com/xdebug/xdebug/blob/5115378c10642280f8f70034afd6401355f6e620/src/coverage/branch_info.c#L383-L387 Most of the time (flaky due to phpunit randomOrder) the method, that is referenced in the stacktrace is Heptacom\HeptaConnect\Dataset\Base\Support\AbstractCollection->getIterator . I was not yet able to reduce the test to a certain test that fails as I did not understand how to get the stacktrace out of it.
Additional Information	Our CI using the same docker image (heptacom/heptaconnect-pipeline:php81-8.0.0 based on debian:buster-slim) runs always into segfault running the coverage tests. Running locally on MacOS 14 I get into the same issue. When I bisect my way to the broken commit I noticed, that this https://github.com/xdebug/xdebug/commit/7d5e2e91f4b08eb673a20c8f57abfc1507889b27 broke it for php 8.2.17 but after reverting the changes I noticed changes in xdebug_execute_ex where a not operation was missing and has been moved to a wrapper with a comment https://github.com/xdebug/xdebug/blame/5115378c10642280f8f70034afd6401355f6e620/src/base/base.c#L857-L873 and having no not in this wrapper solves it for me. But I do not know why. I have also seen list structs where size and count where not 32 items apart (which seems to be the standard list memory append buffer size) but multiple thousands. So I assume it is just the wrong memory displayed at this struct. The gdb and valgrind is from the pipeline image which has no debug symbols installed so I am not sure how helpful this is. GDB xdebug_branch_info_mark_reached (filename=0x7fabf65d1e60, function_name=function_name@entry=0x7ffd58dcd490 "Heptacom\HeptaConnect\Dataset\Base\Support\AbstractCollection->getIterator", op_array=op_array@entry=0x7fabf65df3b8, opcode_nr=opcode_nr@entry=0) at ./build-8.1/src/coverage/branch_info.c:384 384 ./build-8.1/src/coverage/branch_info.c: No such file or directory. (gdb) bt full #0 xdebug_branch_info_mark_reached (filename=0x7fabf65d1e60, function_name=function_name@entry=0x7ffd58dcd490 "Heptacom\HeptaConnect\Dataset\Base\Support\AbstractCollection->getIterator", op_array=op_array@entry=0x7fabf65df3b8, opcode_nr=opcode_nr@entry=0) at ./build-8.1/src/coverage/branch_info.c:384 i = 4331518 key = <optimized out> dummy = 0x7ffd58dcd420 tail_fse = 0x557570420c30 file = 0x55756e3e3900 function = 0x55756c29bfa0 branch_info = 0x55756c29b770 #1 0x00007fabf9283507 in xdebug_print_opcode_info (cur_opcode=0x7fabf65d0e00, execute_data=<optimized out>, execute_data=<optimized out>) at ./build-8.1/src/coverage/code_coverage.c:171 op_array = 0x7fabf65df3b8 func_info = {object_class = 0x7fabf65c05a0, scope_class = 0x0, function = 0x7fabf6421c80, include_filename = 0x0, type = 3, internal = 0} function_name = "Heptacom\HeptaConnect\Dataset\Base\Support\AbstractCollection->getIterator\000\000\000\000\000\000\030", '\000' <repeats 15 times>, "x\375\377\377\377\377\377\377\360E\023luU\000\000\000\000\000\000\000\000\000\000\243\325N\373\253\177\000\000x\375\377\377\377\377\377\377\340\233\005iuU\000\000@F\023luU\000\000\340\211`muU\000\000\340\233\005iuU\000\000\214`'\371\253\177\000\000\v\000\000\000\000\000\000\000P\207`muU\000\000\360K\004iuU\000\000"... opnr = 0 0000002 0x00007fabf9284340 in xdebug_common_override_handler (execute_data=0x7fabf901b4e0) at ./build-8.1/src/coverage/code_coverage.c:239 lineno = 90 op_array = 0x7fabf65df3b8 cur_opcode = 0x7fabf65d0e00 0000003 0x000055756875e8b9 in ?? () No symbol table info available. 0000004 0x000055756875f310 in execute_ex () No symbol table info available. 0000005 0x00005575686eb34e in zend_call_function () No symbol table info available. 0000006 0x00005575686eb611 in zend_call_known_function () No symbol table info available. 0000007 0x000055756876bf48 in zend_user_it_new_iterator () No symbol table info available. 0000008 0x000055756876bf7e in zend_user_it_get_new_iterator () valgrind ==874== Memcheck, a memory error detector ==874== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==874== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info ==874== Command: /usr/bin/php vendor/bin/phpunit --config=test/phpunit.xml --coverage-text ==874== ==874== Invalid read of size 4 ==874== at 0x7B2E591: xdebug_branch_info_mark_reached (branch_info.c:383) ==874== by 0x7B2F506: xdebug_print_opcode_info.isra.4 (code_coverage.c:171) ==874== by 0x7B3033F: xdebug_common_override_handler (code_coverage.c:239) ==874== by 0x44F8B8: ??? (in /usr/bin/php8.1) ==874== by 0x45030F: execute_ex (in /usr/bin/php8.1) ==874== by 0x3DC34D: zend_call_function (in /usr/bin/php8.1) ==874== by 0x3DC610: zend_call_known_function (in /usr/bin/php8.1) ==874== by 0x45CF47: zend_user_it_new_iterator (in /usr/bin/php8.1) ==874== by 0x45CF7D: zend_user_it_get_new_iterator (in /usr/bin/php8.1) ==874== by 0x40A06A: ??? (in /usr/bin/php8.1) ==874== by 0x41BBCA: ??? (in /usr/bin/php8.1) ==874== by 0x45030F: execute_ex (in /usr/bin/php8.1) ==874== Address 0x13529294 is 4 bytes after a block of size 32 alloc'd ==874== at 0x483577F: malloc (vg_replace_malloc.c:299) ==874== by 0x7B22052: xdebug_llist_alloc (llist.c:26) ==874== by 0x7B1FF7B: xdebug_hash_alloc (hash.c:94) ==874== by 0x7B2E39D: xdebug_branch_find_paths (branch_info.c:328) ==874== by 0x7B2FF47: prefill_from_oparray (code_coverage.c:558) ==874== by 0x7B30292: prefill_from_function_table (code_coverage.c:577) ==874== by 0x7B30292: prefill_from_function_table (code_coverage.c:573) ==874== by 0x7B30292: prefill_from_class_table (code_coverage.c:599) ==874== by 0x7B30292: xdebug_prefill_code_coverage (code_coverage.c:627) ==874== by 0x7B303CC: xdebug_code_coverage_start_of_function (code_coverage.c:637) ==874== by 0x7B309FB: xdebug_coverage_execute_ex (code_coverage.c:984) ==874== by 0x7B1B64E: xdebug_execute_user_code_begin (base.c:777) ==874== by 0x480A68: ??? (in /usr/bin/php8.1) ==874== by 0x21E5CF: ??? (in /usr/bin/php8.1) ==874== by 0x45030F: execute_ex (in /usr/bin/php8.1)
Tags	segfault

Operating System	MacOS 14, Debian buster
PHP Version	8.2.0-8.2.9

derick

2024-03-21 13:56

administrator ~0006864

I can reproduce this, with your information.

I have also found out a few tests for which this happens:

[0x555556ff7930] Heptacom\HeptaConnect\Core\Test\ComposerPackageConfigurationLoaderTest->testLoadingPlugin() 
/tmp/heptaconnect-framework/test/Core/ComposerPackageConfigurationLoaderTest.php:28

[0x555556ff7930] Heptacom\HeptaConnect\Core\Test\Web\Http\HttpHandleServiceTest->testActingFails()

Running these single ones with GDB:

(gdb) bt
#0  0x00007ffff3c83c06 in xdebug_path_add (path=0x7fffeada7550, nr=0) at /home/derick/dev/php/xdebug-xdebug/src/coverage/branch_info.c:159
#1  0x00007ffff3c846bc in xdebug_branch_info_mark_reached (filename=0x5555580d6388, 
    function_name=0x7fffffff8270 &quot;Heptacom\\HeptaConnect\\Dataset\\Base\\Support\\AbstractCollection->getIterator&quot;, op_array=0x5555580e53f0, opcode_nr=0)
    at /home/derick/dev/php/xdebug-xdebug/src/coverage/branch_info.c:393
0000002  0x00007ffff3c8549b in xdebug_print_opcode_info (execute_data=0x7ffff3a16290, cur_opcode=0x5555580d7d28)
    at /home/derick/dev/php/xdebug-xdebug/src/coverage/code_coverage.c:171
0000003  0x00007ffff3c857a6 in xdebug_common_override_handler (execute_data=0x7ffff3a16290) at /home/derick/dev/php/xdebug-xdebug/src/coverage/code_coverage.c:239

and

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff3c8455b in xdebug_branch_info_mark_reached (filename=0x555558446068, function_name=0x7fffffff7ff0 &quot;Heptacom\\HeptaConnect\\Portal\\Base\\Support\\Contract\\DeepObjectIteratorContract->iterateIterable&quot;, op_array=0x555558446828, opcode_nr=0)
    at /home/derick/dev/php/xdebug-xdebug/src/coverage/branch_info.c:384
384                 if (branch_info->branches[XG_COV(branches).last_branch_nr[XDEBUG_VECTOR_COUNT(XG_BASE(stack))]].outs[i] == opcode_nr) {
(gdb) bt
#0  0x00007ffff3c8455b in xdebug_branch_info_mark_reached (filename=0x555558446068, function_name=0x7fffffff7ff0 &quot;Heptacom\\HeptaConnect\\Portal\\Base\\Support\\Contract\\DeepObjectIteratorContract->iterateIterable&quot;, op_array=0x555558446828, 
    opcode_nr=0) at /home/derick/dev/php/xdebug-xdebug/src/coverage/branch_info.c:384
#1  0x00007ffff3c8549b in xdebug_print_opcode_info (execute_data=0x7ffff3a16530, cur_opcode=0x555558446930) at /home/derick/dev/php/xdebug-xdebug/src/coverage/code_coverage.c:171
0000002  0x00007ffff3c8551a in xdebug_check_branch_entry_handler (execute_data=0x7ffff3a16530) at /home/derick/dev/php/xdebug-xdebug/src/coverage/code_coverage.c:180
0000003  0x0000555555d30253 in ZEND_USER_OPCODE_SPEC_HANDLER () at /home/derick/dev/php/php-src.git/Zend/zend_vm_execute.h:3239

Valgrind are similar, but not the same:

==2114522== Invalid read of size 4
==2114522==    at 0x8F525EE: xdebug_branch_info_mark_reached (branch_info.c:383)
==2114522==    by 0x8F5349A: xdebug_print_opcode_info (code_coverage.c:171)
==2114522==    by 0x8F537A5: xdebug_common_override_handler (code_coverage.c:239)
==2114522==    by 0xA38252: ZEND_USER_OPCODE_SPEC_HANDLER (zend_vm_execute.h:3239)

==2115409== Invalid read of size 4
==2115409==    at 0x8F51BA2: xdebug_path_add (branch_info.c:155)
==2115409==    by 0x8F526BB: xdebug_branch_info_mark_reached (branch_info.c:393)
==2115409==    by 0x8F5349A: xdebug_print_opcode_info (code_coverage.c:171)
==2115409==    by 0x8F537A5: xdebug_common_override_handler (code_coverage.c:239)
==2115409==    by 0xA38252: ZEND_USER_OPCODE_SPEC_HANDLER (zend_vm_execute.h:3239)

Date Modified	Username	Field	Change
2024-03-21 09:10	JoshuaBehrens	New Issue
2024-03-21 09:10	JoshuaBehrens	Tag Attached: segfault
2024-03-21 13:56	derick	Assigned To	=> derick
2024-03-21 13:56	derick	Status	new => acknowledged
2024-03-21 13:56	derick	Note Added: 0006864
2024-03-28 16:57	derick	Relationship added	has duplicate 0002254
2024-03-28 16:59	derick	Relationship added	has duplicate 0002236
2024-03-28 17:00	derick	Relationship added	has duplicate 0002241

View Issue Details

Relationships

Activities

Issue History

has duplicate	0002254	resolved	derick	Segmentation fault in mark_fse_as_having_line_breakpoints on php-fpm 8.1.27
has duplicate	0002236	resolved	derick	SIGSEGV in zend_string_equal_content
has duplicate	0002241	resolved	derick	Segmentation fault - Symfony 6.2.1 - Sulu cms