View Issue Details

ID: 0002252
Project: Xdebug
Category: Code Coverage
View Status: public
Last Update: 2025-07-18 15:18
Reporter: JoshuaBehrens
Assigned To: derick
Priority: normal
Severity: crash
Reproducibility: always
Status: acknowledged
Resolution: open
OS: Debian
OS Version: buster
Product Version: 3.3.1
Target Version: 3.3dev
Summary: 0002252: Running phpunit in coverage triggers segfault in xdebug_branch_info_mark_reached
Description

When using PHP 8.2.17 and Xdebug 3.3.1, a PHPUnit 9 coverage test triggers a segfault.

Steps To Reproduce

$ git clone https://github.com/HEPTACOM/heptaconnect-framework
$ cd heptaconnect-framework
$ git checkout 0.10.x
$ composer install
$ XDEBUG_MODE=coverage php vendor/bin/phpunit --config=test/phpunit.xml --coverage-text

segfault breakpoint should trigger at https://github.com/xdebug/xdebug/blob/5115378c10642280f8f70034afd6401355f6e620/src/coverage/branch_info.c#L383-L387

Most of the time (flaky due to the PHPUnit randomOrder setting) the method that is referenced in the stack trace is Heptacom\HeptaConnect\Dataset\Base\Support\AbstractCollection->getIterator. I was not yet able to reduce the failure to a particular test, as I did not understand how to get the stack trace out of it.

Additional Information

Our CI, using the same docker image (heptacom/heptaconnect-pipeline:php81-8.0.0, based on debian:buster-slim), always runs into a segfault when running the coverage tests. Running locally on MacOS 14 I get the same issue. When I bisected my way to the broken commit I noticed that this https://github.com/xdebug/xdebug/commit/7d5e2e91f4b08eb673a20c8f57abfc1507889b27 broke it for PHP 8.2.17, but after reverting the changes I noticed changes in xdebug_execute_ex where a not operation was missing and had been moved to a wrapper with a comment https://github.com/xdebug/xdebug/blame/5115378c10642280f8f70034afd6401355f6e620/src/base/base.c#L857-L873, and having no not in this wrapper solves it for me. But I do not know why. I have also seen list structs where size and count were not 32 items apart (which seems to be the standard list memory append buffer size) but multiple thousands. So I assume it is just the wrong memory being displayed for this struct.

The gdb and valgrind output is from the pipeline image, which has no debug symbols installed, so I am not sure how helpful this is.

GDB
xdebug_branch_info_mark_reached (filename=0x7fabf65d1e60, function_name=function_name@entry=0x7ffd58dcd490 "Heptacom\HeptaConnect\Dataset\Base\Support\AbstractCollection->getIterator", op_array=op_array@entry=0x7fabf65df3b8,
opcode_nr=opcode_nr@entry=0) at ./build-8.1/src/coverage/branch_info.c:384
384 ./build-8.1/src/coverage/branch_info.c: No such file or directory.
(gdb) bt full
#0 xdebug_branch_info_mark_reached (filename=0x7fabf65d1e60, function_name=function_name@entry=0x7ffd58dcd490 "Heptacom\HeptaConnect\Dataset\Base\Support\AbstractCollection->getIterator", op_array=op_array@entry=0x7fabf65df3b8,
opcode_nr=opcode_nr@entry=0) at ./build-8.1/src/coverage/branch_info.c:384
i = 4331518
key = <optimized out>
dummy = 0x7ffd58dcd420
tail_fse = 0x557570420c30
file = 0x55756e3e3900
function = 0x55756c29bfa0
branch_info = 0x55756c29b770
#1 0x00007fabf9283507 in xdebug_print_opcode_info (cur_opcode=0x7fabf65d0e00, execute_data=<optimized out>, execute_data=<optimized out>) at ./build-8.1/src/coverage/code_coverage.c:171
op_array = 0x7fabf65df3b8
func_info = {object_class = 0x7fabf65c05a0, scope_class = 0x0, function = 0x7fabf6421c80, include_filename = 0x0, type = 3, internal = 0}
function_name = "Heptacom\HeptaConnect\Dataset\Base\Support\AbstractCollection->getIterator\000\000\000\000\000\000\030", '\000' <repeats 15 times>, "x\375\377\377\377\377\377\377\360E\023luU\000\000\000\000\000\000\000\000\000\000\243\325N\373\253\177\000\000x\375\377\377\377\377\377\377\340\233\005iuU\000\000@F\023luU\000\000\340\211muU\000\000\340\233\005iuU\000\000\214'\371\253\177\000\000\v\000\000\000\000\000\000\000P\207`muU\000\000\360K\004iuU\000\000"...
opnr = 0
#2 0x00007fabf9284340 in xdebug_common_override_handler (execute_data=0x7fabf901b4e0) at ./build-8.1/src/coverage/code_coverage.c:239
lineno = 90
op_array = 0x7fabf65df3b8
cur_opcode = 0x7fabf65d0e00
#3 0x000055756875e8b9 in ?? ()
No symbol table info available.
#4 0x000055756875f310 in execute_ex ()
No symbol table info available.
#5 0x00005575686eb34e in zend_call_function ()
No symbol table info available.
#6 0x00005575686eb611 in zend_call_known_function ()
No symbol table info available.
#7 0x000055756876bf48 in zend_user_it_new_iterator ()
No symbol table info available.
#8 0x000055756876bf7e in zend_user_it_get_new_iterator ()

valgrind
==874== Memcheck, a memory error detector
==874== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==874== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==874== Command: /usr/bin/php vendor/bin/phpunit --config=test/phpunit.xml --coverage-text
==874==
==874== Invalid read of size 4
==874== at 0x7B2E591: xdebug_branch_info_mark_reached (branch_info.c:383)
==874== by 0x7B2F506: xdebug_print_opcode_info.isra.4 (code_coverage.c:171)
==874== by 0x7B3033F: xdebug_common_override_handler (code_coverage.c:239)
==874== by 0x44F8B8: ??? (in /usr/bin/php8.1)
==874== by 0x45030F: execute_ex (in /usr/bin/php8.1)
==874== by 0x3DC34D: zend_call_function (in /usr/bin/php8.1)
==874== by 0x3DC610: zend_call_known_function (in /usr/bin/php8.1)
==874== by 0x45CF47: zend_user_it_new_iterator (in /usr/bin/php8.1)
==874== by 0x45CF7D: zend_user_it_get_new_iterator (in /usr/bin/php8.1)
==874== by 0x40A06A: ??? (in /usr/bin/php8.1)
==874== by 0x41BBCA: ??? (in /usr/bin/php8.1)
==874== by 0x45030F: execute_ex (in /usr/bin/php8.1)
==874== Address 0x13529294 is 4 bytes after a block of size 32 alloc'd
==874== at 0x483577F: malloc (vg_replace_malloc.c:299)
==874== by 0x7B22052: xdebug_llist_alloc (llist.c:26)
==874== by 0x7B1FF7B: xdebug_hash_alloc (hash.c:94)
==874== by 0x7B2E39D: xdebug_branch_find_paths (branch_info.c:328)
==874== by 0x7B2FF47: prefill_from_oparray (code_coverage.c:558)
==874== by 0x7B30292: prefill_from_function_table (code_coverage.c:577)
==874== by 0x7B30292: prefill_from_function_table (code_coverage.c:573)
==874== by 0x7B30292: prefill_from_class_table (code_coverage.c:599)
==874== by 0x7B30292: xdebug_prefill_code_coverage (code_coverage.c:627)
==874== by 0x7B303CC: xdebug_code_coverage_start_of_function (code_coverage.c:637)
==874== by 0x7B309FB: xdebug_coverage_execute_ex (code_coverage.c:984)
==874== by 0x7B1B64E: xdebug_execute_user_code_begin (base.c:777)
==874== by 0x480A68: ??? (in /usr/bin/php8.1)
==874== by 0x21E5CF: ??? (in /usr/bin/php8.1)
==874== by 0x45030F: execute_ex (in /usr/bin/php8.1)

Tags: segfault
Operating System: MacOS 14, Debian buster
PHP Version: 8.2.0-8.2.9

Relationships

has duplicate 0002254  resolved  derick  Segmentation fault in mark_fse_as_having_line_breakpoints on php-fpm 8.1.27
has duplicate 0002236  resolved  derick  SIGSEGV in zend_string_equal_content
has duplicate 0002241  resolved  derick  Segmentation fault - Symfony 6.2.1 - Sulu cms
has duplicate 0002290  resolved  derick  Process crash when used with php-cgi.exe

Activities

derick

2024-03-21 13:56

administrator   ~0006864

I can reproduce this, with your information.

I have also found out a few tests for which this happens:

[0x555556ff7930] Heptacom\HeptaConnect\Core\Test\ComposerPackageConfigurationLoaderTest->testLoadingPlugin() 
/tmp/heptaconnect-framework/test/Core/ComposerPackageConfigurationLoaderTest.php:28 
[0x555556ff7930] Heptacom\HeptaConnect\Core\Test\Web\Http\HttpHandleServiceTest->testActingFails() 

Running these single ones with GDB:

(gdb) bt
#0  0x00007ffff3c83c06 in xdebug_path_add (path=0x7fffeada7550, nr=0) at /home/derick/dev/php/xdebug-xdebug/src/coverage/branch_info.c:159
#1  0x00007ffff3c846bc in xdebug_branch_info_mark_reached (filename=0x5555580d6388, 
    function_name=0x7fffffff8270 "Heptacom\\HeptaConnect\\Dataset\\Base\\Support\\AbstractCollection->getIterator", op_array=0x5555580e53f0, opcode_nr=0)
    at /home/derick/dev/php/xdebug-xdebug/src/coverage/branch_info.c:393
#2  0x00007ffff3c8549b in xdebug_print_opcode_info (execute_data=0x7ffff3a16290, cur_opcode=0x5555580d7d28)
    at /home/derick/dev/php/xdebug-xdebug/src/coverage/code_coverage.c:171
#3  0x00007ffff3c857a6 in xdebug_common_override_handler (execute_data=0x7ffff3a16290) at /home/derick/dev/php/xdebug-xdebug/src/coverage/code_coverage.c:239

and

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff3c8455b in xdebug_branch_info_mark_reached (filename=0x555558446068, function_name=0x7fffffff7ff0 "Heptacom\\HeptaConnect\\Portal\\Base\\Support\\Contract\\DeepObjectIteratorContract->iterateIterable", op_array=0x555558446828, opcode_nr=0)
    at /home/derick/dev/php/xdebug-xdebug/src/coverage/branch_info.c:384
384                 if (branch_info->branches[XG_COV(branches).last_branch_nr[XDEBUG_VECTOR_COUNT(XG_BASE(stack))]].outs[i] == opcode_nr) {
(gdb) bt
#0  0x00007ffff3c8455b in xdebug_branch_info_mark_reached (filename=0x555558446068, function_name=0x7fffffff7ff0 "Heptacom\\HeptaConnect\\Portal\\Base\\Support\\Contract\\DeepObjectIteratorContract->iterateIterable", op_array=0x555558446828, 
    opcode_nr=0) at /home/derick/dev/php/xdebug-xdebug/src/coverage/branch_info.c:384
#1  0x00007ffff3c8549b in xdebug_print_opcode_info (execute_data=0x7ffff3a16530, cur_opcode=0x555558446930) at /home/derick/dev/php/xdebug-xdebug/src/coverage/code_coverage.c:171
#2  0x00007ffff3c8551a in xdebug_check_branch_entry_handler (execute_data=0x7ffff3a16530) at /home/derick/dev/php/xdebug-xdebug/src/coverage/code_coverage.c:180
#3  0x0000555555d30253 in ZEND_USER_OPCODE_SPEC_HANDLER () at /home/derick/dev/php/php-src.git/Zend/zend_vm_execute.h:3239

The Valgrind output is similar, but not the same:

==2114522== Invalid read of size 4
==2114522==    at 0x8F525EE: xdebug_branch_info_mark_reached (branch_info.c:383)
==2114522==    by 0x8F5349A: xdebug_print_opcode_info (code_coverage.c:171)
==2114522==    by 0x8F537A5: xdebug_common_override_handler (code_coverage.c:239)
==2114522==    by 0xA38252: ZEND_USER_OPCODE_SPEC_HANDLER (zend_vm_execute.h:3239)

vs

==2115409== Invalid read of size 4
==2115409==    at 0x8F51BA2: xdebug_path_add (branch_info.c:155)
==2115409==    by 0x8F526BB: xdebug_branch_info_mark_reached (branch_info.c:393)
==2115409==    by 0x8F5349A: xdebug_print_opcode_info (code_coverage.c:171)
==2115409==    by 0x8F537A5: xdebug_common_override_handler (code_coverage.c:239)
==2115409==    by 0xA38252: ZEND_USER_OPCODE_SPEC_HANDLER (zend_vm_execute.h:3239)

qkdreyer

2024-08-30 09:23

reporter   ~0007047

I believe that https://github.com/xdebug/xdebug/commit/91bfb654b0a6cfed63d327728db8ec2f3f82c97a is the faulty commit

pdragiyski

2025-03-13 12:03

reporter   ~0007214

Tracing the issue with GDB:

In mark_fse_as_having_line_breakpoints there seems to be:

zend_string     *executed_filename = zend_get_executed_filename_ex();

When the stack trace contains a closure function execution (the executed function __invoke belonging to the internal class Closure), then executed_filename is an invalid non-NULL pointer rather than a NULL pointer, which eventually leads to a segmentation fault.

(gdb) p (char*)executor_globals.current_execute_data->func->internal_function->function_name->val
$30 = 0x7fe48e6b0670 "__invoke"
(gdb) p (char*)executor_globals.current_execute_data->func->internal_function->scope->name->val
$32 = 0x7fe48e6c9520 "Closure"
(gdb) p executor_globals.current_execute_data->func->op_array.filename
$35 = (zend_string *) 0x7d7d2274736575
(gdb) p executed_filename
$36 = (zend_string *) 0x7d7d2274736575
(gdb) p *executed_filename
Cannot access memory at address 0x7d7d2274736575
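The failure shape in the gdb session above (a non-NULL `filename` pointer read from an internal-function frame that does not own one) is a classic tagged-union type confusion: in the engine, `zend_function` is a union whose variants share a leading `type` tag, and only the user-code variant carries `op_array.filename`. The following is an added example, not Xdebug or php-src code, with a reduced, hypothetical model of that union (struct names, tag values and the constructed frames are all invented for illustration). It puts the naive accessor next to a tag-checking one that walks down to the nearest user-code frame and returns NULL when there is none.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not Xdebug or php-src code): a reduced model of the
 * zend_function union. Both variants start with a 'type' tag and a name,
 * but only the user-code variant carries a source filename; in the
 * internal variant the same slot holds something unrelated. The tag
 * values, type names and frames below are hypothetical. */

#define MODEL_INTERNAL_FUNCTION 1
#define MODEL_USER_FUNCTION     2

typedef struct {
    unsigned char type;
    const char   *function_name;
    const char   *filename;   /* valid only for user code */
} model_op_array;

typedef struct {
    unsigned char type;
    const char   *function_name;
    void         *handler;    /* same offset as op_array.filename */
} model_internal_function;

typedef union {
    struct { unsigned char type; const char *function_name; } common;
    model_op_array          op_array;
    model_internal_function internal_function;
} model_function;

typedef struct model_execute_data {
    model_function            *func;
    struct model_execute_data *prev_execute_data;
} model_execute_data;

/* Naive accessor: assumes the current frame is user code, so on an
 * internal frame it returns the handler slot reinterpreted as a string. */
const char *filename_unchecked(const model_execute_data *ex)
{
    return ex->func->op_array.filename;
}

/* Hardened accessor: check the tag before touching op_array and walk
 * down to the nearest user-code frame; NULL when there is none. */
const char *filename_checked(const model_execute_data *ex)
{
    while (ex && (!ex->func || ex->func->common.type != MODEL_USER_FUNCTION)) {
        ex = ex->prev_execute_data;
    }
    return ex ? ex->func->op_array.filename : NULL;
}

/* Constructed stack: user code calls Closure::__invoke (internal). */
static int model_handler_storage;   /* stands in for a native handler */

static model_function user_fn = {
    .op_array = { MODEL_USER_FUNCTION, "App\\Example->run", "/app/src/Example.php" }
};
static model_function closure_invoke = {
    .internal_function = { MODEL_INTERNAL_FUNCTION, "Closure::__invoke", &model_handler_storage }
};
static model_execute_data user_frame     = { &user_fn, NULL };
static model_execute_data internal_frame = { &closure_invoke, &user_frame };

/* The innermost frame, playing the role of EG(current_execute_data). */
const model_execute_data *model_current_frame(void)
{
    return &internal_frame;
}

/* 1 when the naive accessor hands back a non-NULL pointer that is not a
 * filename at all, which is the shape the gdb session above shows. */
int unchecked_returns_bogus_pointer(void)
{
    const char *p = filename_unchecked(model_current_frame());
    return p != NULL && p == (const char *)&model_handler_storage;
}

int main(void)
{
    const model_execute_data *ex = model_current_frame();
    printf("unchecked: %p (not a string; dereferencing it would crash)\n",
           (void *)filename_unchecked(ex));
    printf("checked:   %s\n", filename_checked(ex));
    return 0;
}
```

The defensive pattern is the same whatever the real layout: a frame's `type` tag decides which union member is live, and any consumer of `op_array.filename` (or of a wrapper that returns it) has to treat a NULL result as "no user frame" rather than assume a string is present.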

derick

2025-07-18 15:18

administrator   ~0007334

I tried reproducing this again, but not with any success. This was with PHP 8.3 and Xdebug 3.4 though, as your composer.json doesn't allow installation with PHP 8.2.

Issue History

Date Modified Username Field Change
2024-03-21 09:10 JoshuaBehrens New Issue
2024-03-21 09:10 JoshuaBehrens Tag Attached: segfault
2024-03-21 13:56 derick Assigned To => derick
2024-03-21 13:56 derick Status new => acknowledged
2024-03-21 13:56 derick Note Added: 0006864
2024-03-28 16:57 derick Relationship added has duplicate 0002254
2024-03-28 16:59 derick Relationship added has duplicate 0002236
2024-03-28 17:00 derick Relationship added has duplicate 0002241
2024-07-18 13:27 derick Target Version => 3.3dev
2024-08-30 09:23 qkdreyer Note Added: 0007047
2024-11-27 16:00 derick Relationship added has duplicate 0002290
2025-03-13 12:03 pdragiyski Note Added: 0007214
2025-07-18 15:18 derick Note Added: 0007334