View Issue Details

ID: 0002321
Project: Xdebug
Category: Uncategorized
View Status: public
Last Update: 2025-03-10 14:46
Reporter: Vojta
Assigned To: derick
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 3.4.1
Fixed in Version: 3.4.2
Summary: 0002321: Segfault when null is assigned to a superglobal
Description

PHP crashes with a segmentation fault when null is assigned to $_POST. This problem occurs only when Xdebug is enabled.

Steps To Reproduce

echo '$_POST=null;\n$x=1;\n' | php -a

Tags: No tags attached.
Operating System: Linux
PHP Version: 8.3.10-8.3.19

Activities

Vojta

2025-03-06 12:57

reporter   ~0007195

backtrace.txt (7,246 bytes)   
#0  zend_hash_str_find (ht=0x2, str=str@entry=0x7ffff726a153 "XDEBUG_IGNORE", len=13) at /usr/src/debug/php/php-8.4.4/Zend/zend_hash.c:2697
        h = <optimized out>
        p = <optimized out>
#1  0x00007ffff7235abc in zend_hash_str_find_deref (ht=<optimized out>, str=0x7ffff726a153 "XDEBUG_IGNORE", len=<optimized out>) at /usr/include/php/Zend/zend_hash.h:959
        zv = <optimized out>
        zv = <optimized out>
#2  xdebug_lib_find_in_globals (element=0x7ffff726a153 "XDEBUG_IGNORE", found_in_global=0x7fffffff9770) at /usr/src/debug/xdebug/xdebug-3.4.1/src/lib/lib.c:351
        trigger_val = <optimized out>
        env_value = 0x0
        st = <optimized out>
#3  0x00007ffff724e5aa in xdebug_should_ignore () at /usr/src/debug/xdebug/xdebug-3.4.1/src/debugger/com.c:664
        ignore_value = <optimized out>
        found_in_global = 0x7fffffff9790 ""
#4  0x00007ffff724eb0e in xdebug_debug_init_if_requested_at_startup () at /usr/src/debug/xdebug/xdebug-3.4.1/src/debugger/com.c:808
        found_trigger_value = 0x0
#5  0x00007ffff723b8f3 in xdebug_execute_user_code_begin (execute_data=<optimized out>) at /usr/src/debug/xdebug/xdebug-3.4.1/src/base/base.c:739
        op_array = 0x7ffff4a82200
        edata = 0x0
        fse = <optimized out>
#6  0x00007ffff723ba88 in xdebug_execute_begin (execute_data=0x7ffff4a12020) at /usr/src/debug/xdebug/xdebug-3.4.1/src/base/base.c:1039
No locals.
#7  0x0000555555a7204b in zend_observer_fcall_begin_prechecked (execute_data=0x7ffff4a12020, handler=0x7ffff4a01070) at /usr/src/debug/php/php-8.4.4/Zend/zend_observer.c:279
        possible_handlers_end = 0x7ffff4a01078
        end_handler = 0x7ffff4a01078
#8  0x0000555555a72234 in zend_observer_fcall_begin_specialized (execute_data=0x7ffff4a12020, allow_generator=true) at /usr/src/debug/php/php-8.4.4/Zend/zend_observer.h:116
        handler = <optimized out>
#9  0x0000555555a2cd6d in zend_execute (op_array=op_array@entry=0x7ffff4a82200, return_value=return_value@entry=0x7fffffff9920) at /usr/src/debug/php/php-8.4.4/Zend/zend_vm_execute.h:64235
        execute_data = 0x7ffff4a12020
        object_or_called_scope = <optimized out>
        call_info = <optimized out>
#10 0x00005555559d0690 in zend_eval_stringl (str=str@entry=0x7ffff4a85000 "$x = 1;\n", str_len=str_len@entry=8, retval_ptr=retval_ptr@entry=0x0, string_name=string_name@entry=0x555555c10b51 "php shell code") at /usr/src/debug/php/php-8.4.4/Zend/zend_execute_API.c:1355
        __orig_bailout = <optimized out>
        __bailout = {{__jmpbuf = {140737488329504, -8941478478777452500, 93824999295825, 140737298059264, 140737297901560, 8, -8941478478737606612, -2973457159567083476}, __mask_was_saved = 0, __saved_mask = {__val = {140737488329120, 140737488329248, 140737353497260, 13, 93825016459744, 3834307319663374680, 140733197136182, 18446744069414584320, 10, 140737353609568, 3626238878938652160, 140737488329040, 140733528932352, 140737341250768, 3626238878938652160, 93825016459744}}}}
        local_retval = {value = {lval = 140737298046976, dval = 6.9533464053531203e-310, counted = 0x7ffff4a82000, str = 0x7ffff4a82000, arr = 0x7ffff4a82000, obj = 0x7ffff4a82000, res = 0x7ffff4a82000, ref = 0x7ffff4a82000, ast = 0x7ffff4a82000, zv = 0x7ffff4a82000, ptr = 0x7ffff4a82000, ce = 0x7ffff4a82000, func = 0x7ffff4a82000, ww = {w1 = 4104658944, w2 = 32767}}, u1 = {type_info = 0, v = {type = 0 '\000', type_flags = 0 '\000', u = {extra = 0}}}, u2 = {next = 0, cache_slot = 0, opline_num = 0, lineno = 0, num_args = 0, fe_pos = 0, fe_iter_idx = 0, guard = 0, constant_flags = 0, extra = 0}}
        new_op_array = 0x7ffff4a82200
        original_compiler_options = <optimized out>
        retval = <optimized out>
        code_str = 0x7ffff4a5e7f8
#11 0x000055555580b49b in readline_shell_run () at /usr/src/debug/php/php-8.4.4/ext/readline/readline_cli.c:699
        __orig_bailout = 0x7fffffff9e50
        __bailout = {{__jmpbuf = {8, -8941478478576125908, 140737298059264, 1, 0, 8, -8941478478779549652, -2973457343794022356}, __mask_was_saved = 0, __saved_mask = {__val = {140737298055168, 140737298055616, 140737298055392, 93825016163808, 93825015150296, 140737488329760, 93824997726651, 140737297974688, 265, 140737297974784, 3626238878938652160, 140737297974720, 265, 140737297974816, 93825015854816, 140737297974752}}}}
        line = <optimized out>
        size = 4096
        pos = 8
        len = <optimized out>
        code = 0x7ffff4a85000 "$x = 1;\n"
        prompt = 0x7ffff4a82000
        history_file = 0x7ffff4a82100 "/home/pejsa/.php_history"
        history_lines_to_write = 0
        histfile_env_name = 0x555555c10b27 "PHP_HISTFILE"
#12 0x0000555555a9247f in do_cli (argc=argc@entry=2, argv=argv@entry=0x555556c3e5e0) at /usr/src/debug/php/php-8.4.4/sapi/cli/php_cli.c:933
        __orig_bailout = 0x7fffffffafc0
        __bailout = {{__jmpbuf = {0, -8941478477007456212, 0, 0, 93825016024448, 93825015150296, -8941478478578223060, -2973457537723303892}, __mask_was_saved = 0, __saved_mask = {__val = {93824999356772, 93824999356781, 93824999356805, 93824999356818, 93824999356835, 93824999356856, 93824999356876, 93824999356893, 93824999356914, 93824999356924, 93824999356938, 93824999356960, 93824999356979, 93824999357006, 93824999357035, 93824999357063}}}}
        c = <optimized out>
        file_handle = {handle = {fp = 0x28000, stream = {handle = 0x28000, isatty = 180224, reader = 0x2ba88, fsizer = 0x2ba88, closer = 0x1000}}, filename = 0x0, opened_path = 0x2000, type = 148 '\224', primary_script = 250, in_list = 193, buf = 0x555555c1fab1 "allow_url_include", len = 0}
        context = {mode = PHP_CLI_MODE_STANDARD}
        reflection_what = 0x0
        request_started = 1
        php_optarg = 0x0
        orig_optarg = 0x0
        php_optind = 2
        orig_optind = 1
        exec_direct = 0x0
        exec_run = 0x0
        exec_begin = 0x0
        exec_end = 0x0
        arg_free = <optimized out>
        arg_excp = <optimized out>
        script_file = 0x0
        translated_path = <optimized out>
        interactive = true
        param_error = <optimized out>
        hide_argv = false
        num_repeats = 1
        pid = 186122
#13 0x0000555555653f91 in main (argc=2, argv=0x555556c3e5e0) at /usr/src/debug/php/php-8.4.4/sapi/cli/php_cli.c:1310
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {0, -8941478477923911636, 0, 0, 93825016024448, 93825015150296, -8941478477009553364, -2973455990445213652}, __mask_was_saved = 0, __saved_mask = {__val = {4607, 140737488335344, 93825016169120, 140737488334928, 140737342999232, 4607, 18446744073709551552, 140737488335344, 140737302184632, 140737488334992, 140737341678530, 140737488334992, 140737302184544, 3348558691198135399, 73728, 3348558691198135399}}}}
        c = <optimized out>
        exit_status = 0
        module_started = 1
        sapi_started = 1
        php_optarg = 0x0
        php_optind = 2
        use_extended_info = <optimized out>
        ini_path_override = 0x0
        ini_builder = {value = 0x555556c3e880 "html_errors=0\nregister_argc_argv=1\nimplicit_flush=1\noutput_buffering=0\nmax_execution_time=0\nmax_input_time=-1\n", length = 110}
        ini_ignore = <optimized out>
        sapi_module = <optimized out>

derick

2025-03-07 11:56

administrator   ~0007197

I could not reproduce this with your test case, but I could with a similar equivalent one.

This PR should fix it: https://github.com/xdebug/xdebug/pull/1001

derick

2025-03-07 12:09

administrator   ~0007199

This is now fixed in GIT for 3.4.2, of which I'll make a release soon.

Vojta

2025-03-10 14:46

reporter   ~0007208

Version 3.4.2 fixed my issue, thank you.
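
Frame #0 of the backtrace in note ~0007195 shows zend_hash_str_find being called with ht=0x2 from xdebug_lib_find_in_globals, that is, a hash lookup on something that is not a valid table. The C model below is an added example, not Xdebug's code and not the change from the linked PR. It assumes the cause is a global whose type tag is no longer "array" after the null assignment, and every type and function name in it is a hypothetical stand-in for the Zend ones.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for PHP's zval and HashTable; not the Zend API. */
enum vtype { V_NULL, V_ARRAY };
struct entry { const char *key; const char *val; };
struct table { size_t n; const struct entry *items; };
struct value { enum vtype type; union { struct table *arr; long lval; } u; };

/* Like a hash lookup: trusts that t points at a real table. */
static const char *table_find(const struct table *t, const char *key)
{
    for (size_t i = 0; i < t->n; i++)
        if (strcmp(t->items[i].key, key) == 0)
            return t->items[i].val;
    return NULL;
}

/* Guarded lookup: the payload is only read as a table when the tag says
 * it is one. Calling table_find(g->u.arr, key) without this check is the
 * unguarded form, which dereferences whatever the payload holds. */
const char *find_in_global(const struct value *g, const char *key)
{
    if (g == NULL || g->type != V_ARRAY || g->u.arr == NULL)
        return NULL; /* e.g. the global was overwritten with null */
    return table_find(g->u.arr, key);
}

/* Search several request globals in order; returns the slot index or -1. */
int find_in_globals(const struct value *gs, int count, const char *key)
{
    for (int i = 0; i < count; i++)
        if (find_in_global(&gs[i], key) != NULL)
            return i;
    return -1;
}

/* Constructed sample data: slot 0 models `$_POST = null;`. */
static const struct entry cookie_items[] = { { "XDEBUG_IGNORE", "yes" } };
static struct table cookie_table = { 1, cookie_items };
static const struct value sample_globals[2] = {
    { V_NULL, { NULL } }, { V_ARRAY, { &cookie_table } }
};

int main(void)
{
    printf("found in slot %d\n", find_in_globals(sample_globals, 2, "XDEBUG_IGNORE"));
    return 0;
}
```

With the guard in place the nulled slot is skipped and the search continues to the next global instead of crashing.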

Issue History

Date Modified Username Field Change
2025-02-24 07:27 Vojta New Issue
2025-03-06 12:57 Vojta Note Added: 0007195
2025-03-06 12:57 Vojta File Added: backtrace.txt
2025-03-07 11:56 derick Status new => assigned
2025-03-07 11:56 derick Summary Seg fault when null is assigned to $_POST => Segfault when null is assigned to a superglobal
2025-03-07 11:56 derick Note Added: 0007197
2025-03-07 12:09 derick Assigned To => derick
2025-03-07 12:09 derick Status assigned => closed
2025-03-07 12:09 derick Resolution open => fixed
2025-03-07 12:09 derick Fixed in Version => 3.4dev
2025-03-07 12:09 derick Note Added: 0007199
2025-03-09 16:08 derick Fixed in Version 3.4dev => 3.4.2
2025-03-10 14:46 Vojta Note Added: 0007208