View Issue Details

ID: 0002292
Project: Xdebug
Category: Uncategorized
View Status: public
Last Update: 2024-11-28 13:21
Reporter: GaryAllan
Assigned To: derick
Priority: normal
Severity: crash
Reproducibility: always
Status: feedback
Resolution: open
Product Version: 3.3.2
Summary: 0002292: Apache2 mod_php exit signal Segmentation fault (11) with Xdebug enabled
Description

Hello, I'm a developer on the phpIPAM project and have encountered a bug using xdebug to test and develop the code.

I am experiencing Segmentation faults with the Xdebug module enabled.

I'm aware you would prefer a minimal php script to reproduce but the process to reproduce is complex. The code spawns a number of threads to ping the subnet, sends the data to the main process via IPC and then iterates over the results using NET/DNS2 to resolve DNS names of discovered hosts.

Is there a way of obtaining additional debugging info from this Apache2 environment?

Steps To Reproduce

Install phpIPAM on Debian 12 AMD64, Apache 2 mod_php.

Install php8.3 project dependencies from deb [signed-by=/usr/share/keyrings/deb.sury.org-php.gpg] https://packages.sury.org/php/ bookworm mai

Enable Xdebug

Use the web application to scan a subnet.

Scan will fail to complete. Firefox developer tools will report that the XHR request for subnet-scan-execute.php fails with error NS_ERROR_NET_RESET and /var/log/apache2/error.log will contain the line "child pid 101462 exit signal Segmentation fault (11)".

Disabling the xdebug module results in the scan succeeding with no "exit signal Segmentation fault (11)" errors logged.

The crash is 100% reproducible.

I've stepped through the code in VSCode using Xdebug. It segfaults with 100% repeatability as NET/DNS2 throws a Net_DNS2_Exception error. This is not caught by a wrapping try catch block.

The code behaves as expected with Xdebug 3.3.2 disabled on this system (php 8.3.12)

The code behaves as expected on another VM running PHP 7.2.24 and Xdebug 3.1.6 enabled.

The code crashes under php8.3.12 with Xdebug 3.3.2 enabled.

Additional Information

php83:/var/log/apache2# php -v
PHP 8.3.12 (cli) (built: Sep 27 2024 04:03:53) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.3.12, Copyright (c) Zend Technologies
with Zend OPcache v8.3.12, Copyright (c), by Zend Technologies
with Xdebug v3.3.2, Copyright (c) 2002-2024, by Derick Rethans

root@php83:/var/log/apache2# cat error.log | grep Seg
[Fri Oct 04 20:48:49.293844 2024] [core:notice] [pid 101457:tid 101457] AH00052: child pid 101462 exit signal Segmentation fault (11)
[Fri Oct 04 20:49:05.322734 2024] [core:notice] [pid 101457:tid 101457] AH00052: child pid 101461 exit signal Segmentation fault (11)

root@php83:/var/log/apache2# dpkg -l | grep php
ii libapache2-mod-php8.3 8.3.12-1+0~20240927.43+debian12~1.gbpad3b8c amd64 server-side, HTML-embedded scripting language (Apache 2 module)
ii php-common 2:95+0~20240927.54+debian12~1.gbpe0084c all Common files for PHP packages
ii php-composer-ca-bundle 1.3.5-1 all utility library to find a path to the system CA bundle
ii php-composer-class-map-generator 1.0.0-2+deb12u1 all Utilities to scan PHP code and generate class maps
ii php-composer-metadata-minifier 1.0.0-2 all Small utility library that handles metadata minification and expansion
ii php-composer-pcre 3.1.0-1+deb12u1 all PCRE wrapping library that offers type-safe preg_* replacements
ii php-composer-semver 3.3.2-1 all utilities, version constraint parsing and validation
ii php-composer-spdx-licenses 1.5.7-1 all SPDX licenses list and validation library
ii php-composer-xdebug-handler 3.0.3-2+deb12u1 all Restarts a process without Xdebug
ii php-curl 2:8.3+95+0~20240927.54+debian12~1.gbpe0084c all CURL module for PHP [default]
ii php-gd 2:8.3+95+0~20240927.54+debian12~1.gbpe0084c all GD module for PHP [default]
ii php-gmp 2:8.3+95+0~20240927.54+debian12~1.gbpe0084c all GMP module for PHP [default]
ii php-intl 2:8.3+95+0~20240927.54+debian12~1.gbpe0084c all Internationalisation module for PHP [default]
ii php-json-schema 5.2.12-2 all implementation of JSON schema
ii php-ldap 2:8.3+95+0~20240927.54+debian12~1.gbpe0084c all LDAP module for PHP [default]
ii php-mbstring 2:8.3+95+0~20240927.54+debian12~1.gbpe0084c all MBSTRING module for PHP [default]
ii php-mysql 2:8.3+95+0~20240927.54+debian12~1.gbpe0084c all MySQL module for PHP [default]
ii php-pear 1:1.10.13+submodules+notgz+2022032202-2+0~20230612.39+debian12~1.gbpfd4c1d all PEAR Base System
ii php-psr-container 1.1.2-1 all Common Container Interface (PHP FIG PSR-11)
ii php-psr-log 1.1.4-2 all common interface for logging libraries
ii php-react-promise 2.9.0-3 all lightweight implementation of CommonJS Promises/A for PHP
ii php-seld-signal-handler 2.0.1-2 all simple cross-platform1 signal handler
ii php-snmp 2:8.3+95+0~20240927.54+debian12~1.gbpe0084c all SNMP module for PHP [default]
ii php-symfony-console 5.4.23+dfsg-1+deb12u2 all run tasks from the command line
ii php-symfony-deprecation-contracts 2.5.2-1+deb12u1 all A generic function and convention to trigger deprecation notices
ii php-symfony-filesystem 5.4.23+dfsg-1+deb12u2 all basic filesystem utilities
ii php-symfony-finder 5.4.23+dfsg-1+deb12u2 all find files and directories
ii php-symfony-process 5.4.23+dfsg-1+deb12u2 all execute commands in sub-processes
ii php-symfony-service-contracts 2.5.2-1+deb12u1 all Generic abstractions related to writing services
ii php-symfony-string 5.4.23+dfsg-1+deb12u2 all object-oriented API to work with strings
ii php-xdebug 3.3.2-1+0~20240420.60+debian12~1.gbp3869a8 amd64 Xdebug Module for PHP
ii php-xhprof 2.3.10-1+0~20240714.25+debian12~1.gbp5f4d7a amd64 Hierarchical Profiler for PHP 5.x
ii php-xml 2:8.3+95+0~20240927.54+debian12~1.gbpe0084c all DOM, SimpleXML, WDDX, XML, and XSL module for PHP [default]
ii php8.3 8.3.12-1+0~20240927.43+debian12~1.gbpad3b8c all server-side, HTML-embedded scripting language (metapackage)
ii php8.3-cli 8.3.12-1+0~20240927.43+debian12~1.gbpad3b8c amd64 command-line interpreter for the PHP scripting language
ii php8.3-common 8.3.12-1+0~20240927.43+debian12~1.gbpad3b8c amd64 documentation, examples and common module for PHP
ii php8.3-curl 8.3.12-1+0~20240927.43+debian12~1.gbpad3b8c amd64 CURL module for PHP
ii php8.3-gd 8.3.12-1+0~20240927.43+debian12~1.gbpad3b8c amd64 GD module for PHP
ii php8.3-gmp 8.3.12-1+0~20240927.43+debian12~1.gbpad3b8c amd64 GMP module for PHP
ii php8.3-intl 8.3.12-1+0~20240927.43+debian12~1.gbpad3b8c amd64 Internationalisation module for PHP
ii php8.3-ldap 8.3.12-1+0~20240927.43+debian12~1.gbpad3b8c amd64 LDAP module for PHP
ii php8.3-mbstring 8.3.12-1+0~20240927.43+debian12~1.gbpad3b8c amd64 MBSTRING module for PHP
ii php8.3-mysql 8.3.12-1+0~20240927.43+debian12~1.gbpad3b8c amd64 MySQL module for PHP
ii php8.3-opcache 8.3.12-1+0~20240927.43+debian12~1.gbpad3b8c amd64 Zend OpCache module for PHP
ii php8.3-readline 8.3.12-1+0~20240927.43+debian12~1.gbpad3b8c amd64 readline module for PHP
ii php8.3-snmp 8.3.12-1+0~20240927.43+debian12~1.gbpad3b8c amd64 SNMP module for PHP
ii php8.3-xdebug 3.3.2-1+0~20240420.60+debian12~1.gbp3869a8 amd64 Xdebug Module for PHP
ii php8.3-xhprof 2.3.10-1+0~20240714.25+debian12~1.gbp5f4d7a amd64 Hierarchical Profiler for PHP 5.x
ii php8.3-xml 8.3.12-1+0~20240927.43+debian12~1.gbpad3b8c amd64 DOM, SimpleXML, XML, and XSL module for PHP

root@php83:/var/log/apache2# cat /etc/php/8.3/apache2/conf.d/20-xdebug.ini
zend_extension=xdebug.so

xdebug.mode=develop,debug

xdebug.start_with_request=yes
xdebug.client_host=<Build PC>
xdebug.client_port=9000
xdebug.max_nesting_level=250

The code works as expected on another VM running php7.2.24 and Xdebug 3.1.6

[root@php72 ~]# php -v
PHP 7.2.24 (cli) (built: Oct 22 2019 08:28:36) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
with Zend OPcache v7.2.24, Copyright (c) 1999-2018, by Zend Technologies
with Xdebug v3.1.6, Copyright (c) 2002-2022, by Derick Rethans

Tags: 3.3.2, php8.3
Operating System: Debian 12, AMD64
PHP Version: 8.3.10-8.3.19

Activities

GaryAllan

2024-10-04 22:28

reporter   ~0007055

I've attached gdb output

(gdb) c
Continuing.
[Detaching after vfork from child process 127171]

Program received signal SIGSEGV, Segmentation fault.
0x00007c86fcc8f680 in _emalloc () from target:/usr/lib/apache2/modules/libphp8.3.so

(gdb) bt 15
#0 0x00007c86fcc8f680 in _emalloc () from target:/usr/lib/apache2/modules/libphp8.3.so
#1 0x00007c86fcccb3a2 in zend_hash_str_update () from target:/usr/lib/apache2/modules/libphp8.3.so
#2 0x00007c86fccbec13 in add_assoc_null_ex () from target:/usr/lib/apache2/modules/libphp8.3.so
#3 0x00007c86fd4ec5bc in zval_from_stack_add_frame_variables (opa=0x7c86fc693500, symbols=<optimized out>, edata=0x7c86fc618840, frame=0x7c86fc695050) at ./build-8.3/src/develop/stack.c:436
#4 zval_from_stack_add_frame (output=0x7c86fd50f410 <xdebug_globals+1008>, fse=0x57ec1f8b0940, edata=0x7c86fc618840, add_local_vars=<optimized out>, params_as_values=<optimized out>) at ./build-8.3/src/develop/stack.c:467
#5 0x00007c86fd4eca2f in zval_from_stack (output=output@entry=0x7c86fd50f410 <xdebug_globals+1008>, add_local_vars=add_local_vars@entry=true, params_as_values=params_as_values@entry=true) at ./build-8.3/src/develop/stack.c:495
#6 0x00007c86fd4eedf3 in xdebug_develop_throw_exception_hook (exception=exception@entry=0x7c86fc6db300, file=file@entry=0x7c86fc6db358, line=line@entry=0x7c86fc6db368, code=code@entry=0x7c86fc6db348,
code_str=code_str@entry=0x57ec1fc68fb0 "3", message=message@entry=0x7c86fc6db328) at ./build-8.3/src/develop/stack.c:1252
#7 0x00007c86fd4c6087 in xdebug_throw_exception_hook (exception=0x7c86fc6db300) at ./build-8.3/src/base/base.c:1543
#8 xdebug_throw_exception_hook (exception=0x7c86fc6db300) at ./build-8.3/src/base/base.c:1495
#9 0x00007c86fcad924d in zend_throw_exception_internal () from target:/usr/lib/apache2/modules/libphp8.3.so
#10 0x00007c86fcad06f3 in ?? () from target:/usr/lib/apache2/modules/libphp8.3.so
#11 0x00007c86fcd27423 in execute_ex () from target:/usr/lib/apache2/modules/libphp8.3.so
#12 0x00007c86fcad7175 in ?? () from target:/usr/lib/apache2/modules/libphp8.3.so
#13 0x00007c86fcad8043 in ?? () from target:/usr/lib/apache2/modules/libphp8.3.so
#14 0x00007c86fcad7175 in ?? () from target:/usr/lib/apache2/modules/libphp8.3.so

GaryAllan

2024-10-05 11:36

reporter   ~0007056

Additional information attached.

I've discovered that the first request after restarting Apache does not crash but all subsequent identical requests do. This led me to look at OPcache.

OPcache module enabled, xdebug module disabled = no crash
OPcache module disabled, xdebug module enabled = no crash
OPcache module enabled, xdebug module enabled = no crash on 1st run, crash on 2nd+ run
OPcache module enabled, xdebug module enabled, USE_ZEND_ALLOC=0 = no crash

I'm no longer sure if this is an Xdebug, OPcache or PHP Zend Alloc issue.

Valgrind trace collected with:

USE_ZEND_ALLOC=1 ZEND_DONT_UNLOAD_MODULES=1 APACHE_RUN_USER=www-data APACHE_RUN_GROUP=www-data APACHE_PID_FILE=/var/run/apache2/apache2.pid APACHE_RUN_DIR=/var/run/apache2 APACHE_LOCK_DIR=/var/lock/apache2 APACHE_LOG_DIR=/var/log/apache2 valgrind --leak-check=full --show-reachable=yes --tool=memcheck --error-limit=no --log-file=val.log /usr/sbin/apache2 -DFOREGROUND

gdb-bt-full.txt (14,379 bytes)   
(gdb) continue
Continuing.
[Detaching after vfork from child process 200682]

Program received signal SIGSEGV, Segmentation fault.
zend_mm_alloc_small (bin_num=4, heap=0x71731c800040) at ./Zend/zend_alloc.c:1312
1312    ./Zend/zend_alloc.c: No such file or directory.
(gdb) bt full
#0  zend_mm_alloc_small (bin_num=4, heap=0x71731c800040) at ./Zend/zend_alloc.c:1312
        p = 0x71731c953a
#1  zend_mm_alloc_heap (size=<optimized out>, heap=0x71731c800040) at ./Zend/zend_alloc.c:1383
        ptr = 0x71731c953a
        ptr = <optimized out>
#2  _emalloc (size=<optimized out>) at ./Zend/zend_alloc.c:2613
No locals.
#3  0x000071731cdae3a2 in zend_string_alloc (persistent=<optimized out>, len=13) at ./Zend/zend_string.h:174
        ret = <optimized out>
        ret = <optimized out>
#4  zend_string_init (persistent=<optimized out>, len=13, str=0x41597f60 "to_scan_hosts") at ./Zend/zend_string.h:196
        ret = <optimized out>
        ret = <optimized out>
#5  _zend_hash_str_add_or_update_i (flag=1, pData=0x7ffd884efb20, h=15214260961822239740, len=13, str=0x41597f60 "to_scan_hosts", ht=0x71731c957ea8) at ./Zend/zend_hash.c:953
        key = <optimized out>
        nIndex = <optimized out>
        idx = <optimized out>
        p = 0x71731c972ea0
        key = <optimized out>
        nIndex = <optimized out>
        idx = <optimized out>
        p = <optimized out>
        add_to_hash = <optimized out>
        data = <optimized out>
        _z1 = <optimized out>
--Type <RET> for more, q to quit, c to continue without paging--c
        _z2 = <optimized out>
        _gc = <optimized out>
        _t = <optimized out>
        _z1 = <optimized out>
        _z2 = <optimized out>
        _gc = <optimized out>
        _t = <optimized out>
#6  zend_hash_str_update (ht=ht@entry=0x71731c957ea8, str=str@entry=0x41597f60 "to_scan_hosts", len=len@entry=13, pData=pData@entry=0x7ffd884efb20) at ./Zend/zend_hash.c:1030
        h = 15214260961822239740
#7  0x000071731cda1c13 in zend_symtable_str_update (pData=0x7ffd884efb20, len=13, str=0x41597f60 "to_scan_hosts", ht=0x71731c957ea8) at ./Zend/zend_hash.h:576
        idx = 7
        idx = <optimized out>
#8  add_assoc_null_ex (arg=arg@entry=0x7ffd884efba0, key=0x41597f60 "to_scan_hosts", key_len=13) at ./Zend/zend_API.c:1819
        tmp = {value = {lval = 140726890331040, dval = 6.9528321958635551e-310, counted = 0x7ffd884efba0, str = 0x7ffd884efba0, arr = 0x7ffd884efba0, obj = 0x7ffd884efba0, res = 0x7ffd884efba0, ref = 0x7ffd884efba0, 
            ast = 0x7ffd884efba0, zv = 0x7ffd884efba0, ptr = 0x7ffd884efba0, ce = 0x7ffd884efba0, func = 0x7ffd884efba0, ww = {w1 = 2286877600, w2 = 32765}}, u1 = {type_info = 1, v = {type = 1 '\001', type_flags = 0 '\000', u = {
                extra = 0}}}, u2 = {next = 29043, cache_slot = 29043, opline_num = 29043, lineno = 29043, num_args = 29043, fe_pos = 29043, fe_iter_idx = 29043, guard = 29043, constant_flags = 29043, extra = 29043}}
#9  0x000071731d5cf5bc in zval_from_stack_add_frame_variables (opa=0x71731c893500, symbols=<optimized out>, edata=0x71731c818840, frame=0x71731c895050) at ./build-8.3/src/develop/stack.c:436
        symbol_name = 0x5779b999ce90
        symbol = {value = {lval = 1102805128, dval = 5.4485812780235856e-315, counted = 0x41bb7888, str = 0x41bb7888, arr = 0x41bb7888, obj = 0x41bb7888, res = 0x41bb7888, ref = 0x41bb7888, ast = 0x41bb7888, zv = 0x41bb7888, 
            ptr = 0x41bb7888, ce = 0x41bb7888, func = 0x41bb7888, ww = {w1 = 1102805128, w2 = 0}}, u1 = {type_info = 0, v = {type = 0 '\000', type_flags = 0 '\000', u = {extra = 0}}}, u2 = {next = 0, cache_slot = 0, opline_num = 0, 
            lineno = 0, num_args = 0, fe_pos = 0, fe_iter_idx = 0, guard = 0, constant_flags = 0, extra = 0}}
        j = 7
        variables = {value = {lval = 124739214737064, dval = 6.1629360690797464e-310, counted = 0x71731c957ea8, str = 0x71731c957ea8, arr = 0x71731c957ea8, obj = 0x71731c957ea8, res = 0x71731c957ea8, ref = 0x71731c957ea8, 
            ast = 0x71731c957ea8, zv = 0x71731c957ea8, ptr = 0x71731c957ea8, ce = 0x71731c957ea8, func = 0x71731c957ea8, ww = {w1 = 479559336, w2 = 29043}}, u1 = {type_info = 775, v = {type = 7 '\a', type_flags = 3 '\003', u = {
                extra = 0}}}, u2 = {next = 29043, cache_slot = 29043, opline_num = 29043, lineno = 29043, num_args = 29043, fe_pos = 29043, fe_iter_idx = 29043, guard = 29043, constant_flags = 29043, extra = 29043}}
#10 zval_from_stack_add_frame (output=0x71731d5f2410 <xdebug_globals+1008>, fse=0x5779b95e0530, edata=0x71731c818840, add_local_vars=<optimized out>, params_as_values=<optimized out>) at ./build-8.3/src/develop/stack.c:467
        frame = <optimized out>
#11 0x000071731d5cfa2f in zval_from_stack (output=output@entry=0x71731d5f2410 <xdebug_globals+1008>, add_local_vars=add_local_vars@entry=true, params_as_values=params_as_values@entry=true) at ./build-8.3/src/develop/stack.c:495
        fse = 0x5779b95e0530
        next_fse = 0x5779b95e0620
        i = 1
#12 0x000071731d5d1df3 in xdebug_develop_throw_exception_hook (exception=exception@entry=0x71731c8db300, file=file@entry=0x71731c8db358, line=line@entry=0x71731c8db368, code=code@entry=0x71731c8db348, 
    code_str=code_str@entry=0x5779b9999460 "3", message=message@entry=0x71731c8db328) at ./build-8.3/src/develop/stack.c:1252
        exception_ce = 0x41f2bec8
        exception_trace = <optimized out>
        tmp_str = {l = 4019, a = 5222, 
          d = 0x5779b999d830 "<tr><th align='left' bgcolor='#f57900' colspan=\"5\"><span style='background-color: #cc0000; color: #fce94f; font-size: x-large;'>( ! )</span> Net_DNS2_Exception: DNS request failed: The domain name ref"...}
        z_previous_exception = <optimized out>
        z_last_exception_slot = <optimized out>
        z_previous_trace = <optimized out>
        previous_exception_obj = <optimized out>
        dummy = {value = {lval = 1106427592, dval = 5.4664786281805523e-315, counted = 0x41f2bec8, str = 0x41f2bec8, arr = 0x41f2bec8, obj = 0x41f2bec8, res = 0x41f2bec8, ref = 0x41f2bec8, ast = 0x41f2bec8, zv = 0x41f2bec8, 
            ptr = 0x41f2bec8, ce = 0x41f2bec8, func = 0x41f2bec8, ww = {w1 = 1106427592, w2 = 0}}, u1 = {type_info = 479048448, v = {type = 0 '\000', type_flags = 179 '\263', u = {extra = 7309}}}, u2 = {next = 29043, 
            cache_slot = 29043, opline_num = 29043, lineno = 29043, num_args = 29043, fe_pos = 29043, fe_iter_idx = 29043, guard = 29043, constant_flags = 29043, extra = 29043}}
#13 0x000071731d5a9087 in xdebug_throw_exception_hook (exception=0x71731c8db300) at ./build-8.3/src/base/base.c:1543
        code = 0x71731c8db348
        message = 0x71731c8db328
        file = 0x71731c8db358
        line = 0x71731c8db368
        exception_ce = <optimized out>
        code_str = 0x5779b9999460 "3"
        dummy = {value = {lval = 124739213437088, dval = 6.1629360048523982e-310, counted = 0x71731c81a8a0, str = 0x71731c81a8a0, arr = 0x71731c81a8a0, obj = 0x71731c81a8a0, res = 0x71731c81a8a0, ref = 0x71731c81a8a0, 
            ast = 0x71731c81a8a0, zv = 0x71731c81a8a0, ptr = 0x71731c81a8a0, ce = 0x71731c81a8a0, func = 0x71731c81a8a0, ww = {w1 = 478259360, w2 = 29043}}, u1 = {type_info = 502854521, v = {type = 121 'y', type_flags = 243 '\363', 
              u = {extra = 7672}}}, u2 = {next = 29043, cache_slot = 29043, opline_num = 29043, lineno = 29043, num_args = 29043, fe_pos = 29043, fe_iter_idx = 29043, guard = 29043, constant_flags = 29043, extra = 29043}}
#14 xdebug_throw_exception_hook (exception=0x71731c8db300) at ./build-8.3/src/base/base.c:1495
        code = <optimized out>
        message = <optimized out>
        file = <optimized out>
        line = <optimized out>
        exception_ce = <optimized out>
        code_str = <optimized out>
        dummy = <optimized out>
#15 0x000071731cbbc24d in zend_throw_exception_internal (exception=0x71731c8db300) at ./Zend/zend_exceptions.c:219
No locals.
#16 0x000071731cbb36f3 in ZEND_THROW_SPEC_TMPVAR_HANDLER () at ./Zend/zend_vm_execute.h:14697
        value = 0x71731c81aaf0
#17 0x000071731ce0a423 in execute_ex (ex=0x14e388) at ./Zend/zend_vm_execute.h:58713
        vm_stack_data = {orig_opline = 0x41eee570, orig_execute_data = 0x71731c81a010, hybrid_jit_red_zone = "\240\250\201\034sq\000\000\333\365\343\034sq\000"}
#18 0x000071731cbba175 in ZEND_DO_FCALL_SPEC_OBSERVER_HANDLER () at ./Zend/zend_vm_execute.h:2052
        call = 0x71731c81a8a0
        fbc = <optimized out>
        ret = <optimized out>
#19 0x000071731cbbb043 in execute_ex (ex=0x14e388) at ./Zend/zend_vm_execute.h:57256
        vm_stack_data = {orig_opline = 0x41dc8488, orig_execute_data = 0x71731c819a60, hybrid_jit_red_zone = "\020\240\201\034sq\000\000\333\365\343\034sq\000"}
#20 0x000071731cbba175 in ZEND_DO_FCALL_SPEC_OBSERVER_HANDLER () at ./Zend/zend_vm_execute.h:2052
        call = 0x71731c81a010
        fbc = <optimized out>
        ret = <optimized out>
#21 0x000071731cbbb043 in execute_ex (ex=0x14e388) at ./Zend/zend_vm_execute.h:57256
        vm_stack_data = {orig_opline = 0x41dc69b8, orig_execute_data = 0x71731c819760, hybrid_jit_red_zone = "`\232\201\034sq\000\000\333\365\343\034sq\000"}
#22 0x000071731cbba175 in ZEND_DO_FCALL_SPEC_OBSERVER_HANDLER () at ./Zend/zend_vm_execute.h:2052
        call = 0x71731c819a60
        fbc = <optimized out>
        ret = <optimized out>
#23 0x000071731cbbb043 in execute_ex (ex=0x14e388) at ./Zend/zend_vm_execute.h:57256
        vm_stack_data = {orig_opline = 0x41efbe50, orig_execute_data = 0x71731c818840, hybrid_jit_red_zone = "`\227\201\034sq\000\000\333\365\343\034sq\000"}
#24 0x000071731cbba175 in ZEND_DO_FCALL_SPEC_OBSERVER_HANDLER () at ./Zend/zend_vm_execute.h:2052
        call = 0x71731c819760
        fbc = <optimized out>
        ret = <optimized out>
#25 0x000071731cbbb043 in execute_ex (ex=0x14e388) at ./Zend/zend_vm_execute.h:57256
        vm_stack_data = {orig_opline = 0x41ba1b58, orig_execute_data = 0x71731c818020, hybrid_jit_red_zone = "\000\000\000\000\000\000\000\000\333\365\343\034sq\000"}
#26 0x000071731cde13cc in ZEND_INCLUDE_OR_EVAL_SPEC_OBSERVER_HANDLER () at ./Zend/zend_vm_execute.h:5125
        return_value = <optimized out>
        call = 0x71731c818840
        new_op_array = 0x71731c893500
        inc_filename = <optimized out>
#27 0x000071731ce09e3a in execute_ex (ex=0x14e388) at ./Zend/zend_vm_execute.h:57332
        vm_stack_data = {orig_opline = 0x1, orig_execute_data = 0x7ffd884f2790, hybrid_jit_red_zone = "\000\000\000\000\000\000\000\000\333\365\343\034sq\000"}
#28 0x000071731ce13235 in zend_execute (op_array=0x71731c893000, return_value=0x0) at ./Zend/zend_vm_execute.h:61604
        execute_data = 0x71731c818020
        object_or_called_scope = <optimized out>
        call_info = <optimized out>
#29 0x000071731cd9eeb8 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at ./Zend/zend.c:1893
        files = {{gp_offset = 40, fp_offset = 2004317999, overflow_arg_area = 0x7ffd884f0460, reg_save_area = 0x7ffd884f03f0}}
        i = 1106133584
        file_handle = 0x71731c81a8a0
        op_array = 0x71731c893000
        ret = SUCCESS
#30 0x000071731cd3366e in php_execute_script (primary_file=primary_file@entry=0x7ffd884f2790) at ./main/main.c:2528
        realfile = '\000' <repeats 920 times>...
        __orig_bailout = <optimized out>
        __bailout = {{__jmpbuf = {140726890342288, -5620640057367569252, 124739185016992, 0, 124739185016992, 5000000, -5620640056253981540, -5989135916667609956}, __mask_was_saved = 0, __saved_mask = {__val = {0 <repeats 16 times>}}}}
        prepend_file_p = <optimized out>
        append_file_p = <optimized out>
        prepend_file = {handle = {fp = 0x0, stream = {handle = 0x0, isatty = 0, reader = 0x0, fsizer = 0x0, closer = 0x0}}, filename = 0x71731c802310, opened_path = 0x0, type = 0 '\000', primary_script = false, in_list = false, 
          buf = 0x0, len = 0}
        append_file = {handle = {fp = 0x0, stream = {handle = 0x0, isatty = 0, reader = 0x0, fsizer = 0x0, closer = 0x0}}, filename = 0x0, opened_path = 0x0, type = 0 '\000', primary_script = false, in_list = false, buf = 0x0, len = 0}
        old_cwd = <optimized out>
        use_heap = false
        retval = false
#31 0x000071731ce8b898 in php_handler (r=<optimized out>) at ./sapi/apache2handler/sapi_apache2.c:721
        zfd = {handle = {fp = 0x0, stream = {handle = 0x0, isatty = 0, reader = 0x0, fsizer = 0x0, closer = 0x0}}, filename = 0x71731c897300, opened_path = 0x0, type = 0 '\000', primary_script = true, in_list = false, buf = 0x0, 
          len = 0}
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {124739185016992, 5621733941223382172, 124739185016992, 0, 124739185016992, 5000000, -5620640057369666404, -5989135585935598436}, __mask_was_saved = 0, __saved_mask = {__val = {17167697038640570368, 
                171798691840, 12884901888, 18446744073709551615, 18446744073709551615, 124739185024624, 140726890342756, 18446744073709551615, 18446744073709551615, 18446744073709551615, 18446744073709551615, 0, 0, 3, 124739185024689, 
                0}}}}
        ctx = 0x7173160fbe10
        conf = <optimized out>
        brigade = 0x7173160fcc48
        bucket = <optimized out>
        rv = <optimized out>
        parent_req = 0x0
#32 0x00005779b8ebdf00 in ap_run_handler ()
No symbol table info available.
#33 0x00005779b8ebe4e6 in ap_invoke_handler ()
No symbol table info available.
#34 0x00005779b8ed6dd7 in ap_process_async_request ()
No symbol table info available.
#35 0x00005779b8ed6fdf in ap_process_request ()
No symbol table info available.
#36 0x00005779b8ed2fe4 in ?? ()
No symbol table info available.
#37 0x00005779b8ec7d50 in ap_run_process_connection ()
No symbol table info available.
#38 0x000071731dd66ca4 in ?? () from /usr/lib/apache2/modules/mod_mpm_prefork.so
No symbol table info available.
#39 0x000071731dd67027 in ?? () from /usr/lib/apache2/modules/mod_mpm_prefork.so
No symbol table info available.
#40 0x000071731dd67089 in ?? () from /usr/lib/apache2/modules/mod_mpm_prefork.so
No symbol table info available.
#41 0x000071731dd677b3 in ?? () from /usr/lib/apache2/modules/mod_mpm_prefork.so
No symbol table info available.
#42 0x00005779b8e9e6e0 in ap_run_mpm ()
No symbol table info available.
#43 0x00005779b8e961c2 in main ()
No symbol table info available.
(gdb) 
valgrind.txt.gz (955,041 bytes)

derick

2024-10-13 16:47

administrator   ~0007075

I think the culprit in the valgrind output is:

==197826== Use of uninitialised value of size 8
==197826==    at 0x6184B6C: call_end_observers (zend_observer.c:274)
==197826==    by 0x6184B6C: zend_observer_fcall_end (zend_observer.c:283)
==197826==    by 0x64A9C0F: ???
==197826==    by 0x614EFFF: execute_ex (zend_vm_execute.h:57578)
==197826==    by 0x64A9BDF: ???
==197826==    by 0x55CBA69: xdebug_execute_user_code_begin (base.c:793)
==197826==    by 0x55CC107: xdebug_execute_begin (base.c:1042)
==197826==    by 0x55CC107: xdebug_execute_begin (base.c:1034)

Which I am going to guess is caused by https://github.com/php/php-src/commit/e715dd0afb1babc122efd4142c95623a12e14cfd, which should be fixed in the PHP releases going to be released on Thursday (the 17th of October).
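
Added example (not part of the original thread and not Xdebug or PHP project code): a small triage script for a large memcheck log such as the attached valgrind.txt.gz, which groups memory-error records by call stack and reports the faulting frame next to the first Xdebug frame. The record quoted above is used as input; the extra records, the `xdebug_` prefix heuristic and all function names in the script are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field

# PAGE_RECORD is the excerpt quoted in the note above. Everything appended to
# it in SAMPLE_LOG is constructed for this example: the same stack reported by
# a second prefork child, and a leak record that the triage should ignore.
PAGE_RECORD = """\
==197826== Use of uninitialised value of size 8
==197826==    at 0x6184B6C: call_end_observers (zend_observer.c:274)
==197826==    by 0x6184B6C: zend_observer_fcall_end (zend_observer.c:283)
==197826==    by 0x64A9C0F: ???
==197826==    by 0x614EFFF: execute_ex (zend_vm_execute.h:57578)
==197826==    by 0x64A9BDF: ???
==197826==    by 0x55CBA69: xdebug_execute_user_code_begin (base.c:793)
==197826==    by 0x55CC107: xdebug_execute_begin (base.c:1042)
==197826==    by 0x55CC107: xdebug_execute_begin (base.c:1034)
"""
SAMPLE_LOG = (
    PAGE_RECORD
    + "==197826== \n"
    + PAGE_RECORD.replace("197826", "197830")
    + "==197830== \n"
    + "==197830== 64 bytes in 1 blocks are still reachable in loss record 3 of 90\n"
    + "==197830==    at 0x4848899: malloc (vg_replace_malloc.c:381)\n"
    + "==197830==    by 0x55C0000: constructed_alloc_site (constructed.c:1)\n"
)

# Memcheck message prefixes that indicate memory misuse rather than leak summaries.
ERROR_KINDS = (
    "Use of uninitialised value",
    "Conditional jump or move depends on uninitialised value",
    "Invalid read",
    "Invalid write",
    "Invalid free",
)
LINE = re.compile(r"^==(\d+)== ?(.*)$")
FRAME = re.compile(r"^\s+(?:at|by) 0x[0-9A-Fa-f]+: (.+?)(?: \(([^()]*)\))?$")


@dataclass
class Record:
    pid: int
    kind: str
    frames: list = field(default_factory=list)  # (function, "file:line" or None)


def parse_memcheck(text):
    """Split a memcheck log into records, tracking each PID separately because
    prefork children can interleave their lines in one log file."""
    records, open_by_pid = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        pid, body = int(m.group(1)), m.group(2)
        frame = FRAME.match(body)
        if not body.strip():
            open_by_pid.pop(pid, None)          # blank line ends the record
        elif frame:
            if open_by_pid.get(pid) is not None:
                open_by_pid[pid].frames.append((frame.group(1), frame.group(2)))
        elif body[0].isspace():
            open_by_pid[pid] = None             # detail line: stop collecting frames
        else:
            open_by_pid[pid] = Record(pid, body)
            records.append(open_by_pid[pid])
    return records


def triage(records):
    """Group memory-error records by kind and resolved call stack."""
    groups = {}
    for rec in records:
        if not rec.kind.startswith(ERROR_KINDS) or not rec.frames:
            continue
        resolved = tuple(f for f in rec.frames if f[0] != "???")
        group = groups.setdefault((rec.kind, resolved), {
            "kind": rec.kind,
            "fault": rec.frames[0],
            # Assumption: extension frames are recognised by the xdebug_ prefix.
            "xdebug_frame": next((f for f in resolved if f[0].startswith("xdebug_")), None),
            "pids": [],
        })
        group["pids"].append(rec.pid)
    return list(groups.values())


if __name__ == "__main__":
    for g in triage(parse_memcheck(SAMPLE_LOG)):
        print(f'{len(g["pids"])}x {g["kind"]}')
        print(f'  faulting frame: {g["fault"][0]} ({g["fault"][1]})')
        print(f'  first xdebug frame: {g["xdebug_frame"]}')
        print(f'  pids: {g["pids"]}')
```
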

GaryAllan

2024-11-07 18:55

reporter   ~0007079

Issue is still present on php8.3.13 when Opcache and Xdebug modules are both enabled.

root@php83:~# php -v
PHP 8.3.13 (cli) (built: Nov 4 2024 23:34:58) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.3.13, Copyright (c) Zend Technologies
with Zend OPcache v8.3.13, Copyright (c), by Zend Technologies
with Xdebug v3.3.2, Copyright (c) 2002-2024, by Derick Rethans

root@php83:~# cat /var/log/apache2/error.log
[Thu Nov 07 18:50:53.206379 2024] [core:notice] [pid 33472:tid 33472] AH00052: child pid 33478 exit signal Segmentation fault (11)
[Thu Nov 07 18:51:00.216094 2024] [core:notice] [pid 33472:tid 33472] AH00052: child pid 33473 exit signal Segmentation fault (11)

derick

2024-11-27 15:50

administrator   ~0007086

There are quite a lot of steps in the "Steps to Reproduce" section. Could you perhaps provide a Docker file that has all these steps, and hence shows this crash?

GaryAllan

2024-11-27 21:52

reporter   ~0007105

I can still trigger this with 8.3.14

Now I know it needs opcache and xdebug to be enabled, I'll work on a cut-down test case.

If not I'll add instructions on how to recreate with https://hub.docker.com/r/phpipam/phpipam-www

root@php83:~# php -v
PHP 8.3.14 (cli) (built: Nov 25 2024 18:23:27) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.3.14, Copyright (c) Zend Technologies
with Zend OPcache v8.3.14, Copyright (c), by Zend Technologies
with Xdebug v3.3.2, Copyright (c) 2002-2024, by Derick Rethans

root@php83:~# cat /var/log/apache2/error.log
[Wed Nov 27 21:45:39.406217 2024] [core:notice] [pid 24904:tid 24904] AH00052: child pid 24912 exit signal Segmentation fault (11)
[Wed Nov 27 21:45:43.413304 2024] [core:notice] [pid 24904:tid 24904] AH00052: child pid 24914 exit signal Segmentation fault (11)

derick

2024-11-28 13:21

administrator   ~0007109

Thanks for checking in. I'll leave this as "Feedback Requested" for now.

Issue History

Date Modified Username Field Change
2024-10-04 20:33 GaryAllan New Issue
2024-10-04 20:33 GaryAllan Tag Attached: 3.3.2
2024-10-04 20:33 GaryAllan Tag Attached: php8.3
2024-10-04 22:28 GaryAllan Note Added: 0007055
2024-10-05 11:36 GaryAllan Note Added: 0007056
2024-10-05 11:36 GaryAllan File Added: gdb-bt-full.txt
2024-10-05 11:36 GaryAllan File Added: valgrind.txt.gz
2024-10-13 16:47 derick Note Added: 0007075
2024-10-13 16:47 derick Assigned To => derick
2024-10-13 16:47 derick Status new => feedback
2024-11-07 18:55 GaryAllan Note Added: 0007079
2024-11-07 18:55 GaryAllan Status feedback => assigned
2024-11-27 15:50 derick Status assigned => feedback
2024-11-27 15:50 derick Note Added: 0007086
2024-11-27 21:52 GaryAllan Note Added: 0007105
2024-11-27 21:52 GaryAllan Status feedback => assigned
2024-11-28 13:21 derick Status assigned => feedback
2024-11-28 13:21 derick Note Added: 0007109