View Issue Details

ID: 0002331
Project: Xdebug
Category: Step Debugging
View Status: public
Last Update: 2025-03-26 11:31
Reporter: hburger
Assigned To:
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: assigned
Resolution: open
Product Version: 3.4.2
Target Version: 3.4dev
Summary0002331: Segmentation fault with 'invalid' variable names
Description

A segmentation fault happens when assigning any value to $GLOBALS using an index that ends with "-h" while step-debugging.
Example:
$GLOBALS["x"] = 1; -> works
$GLOBALS["x-h"] = 1; -> segfault

Without an active breakpoint the script will run fine. I could reproduce it through Apache as well as the CLI.

Steps To Reproduce

Using the attached example (test.php):

  1. Set a breakpoint on the echo statement on line 3.
  2. Run the script.
Additional Information

PHP-Version:

PHP 8.4.5 (cli) (built: Mar 13 2025 17:27:36) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.4.5, Copyright (c) Zend Technologies
with Zend OPcache v8.4.5, Copyright (c), by Zend Technologies
with Xdebug v3.4.2, Copyright (c) 2002-2025, by Derick Rethans

I ran the code inside a Docker container using "debian:bookworm-slim" as the image and installed PHP/Xdebug from Sury.

Tags: No tags attached.
Attached Files
test.php (38 bytes)   
<?php
$GLOBALS['-h'] = 5;
echo(1);
xdebug.log (7,112 bytes)
valgrind.txt (4,969 bytes)   
==713== Memcheck, a memory error detector
==713== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==713== Using Valgrind-3.19.0 and LibVEX; rerun with -h for copyright info
==713== Command: php test.php
==713==
==713== Use of uninitialised value of size 8
==713==    at 0x5056F3: zend_get_properties_for (in /usr/bin/php8.4)
==713==    by 0x7AFC876: get_spl_storage (var.c:308)
==713==    by 0x7AFC876: handle_spl_classes (var.c:342)
==713==    by 0x7AFC876: fetch_zval_from_symbol_table (var.c:586)
==713==    by 0x7AFCB7F: xdebug_get_php_symbol (var.c:860)
==713==    by 0x7B0E32F: get_symbol (handler_dbgp.c:389)
==713==    by 0x7B0FEA8: add_variable_node (handler_dbgp.c:1555)
==713==    by 0x7B0FEA8: attach_context_vars (handler_dbgp.c:1921)
==713==    by 0x7B0FEA8: xdebug_dbgp_handle_context_get (handler_dbgp.c:2099)
==713==    by 0x7B13DA4: xdebug_dbgp_parse_option (handler_dbgp.c:2206)
==713==    by 0x7B13DA4: xdebug_dbgp_cmdloop.isra.0 (handler_dbgp.c:2316)
==713==    by 0x7B148ED: xdebug_dbgp_breakpoint (handler_dbgp.c:2691)
==713==    by 0x7B09A81: xdebug_debugger_statement_call (debugger.c:360)
==713==    by 0x7AEEDD6: xdebug_statement_call (xdebug.c:780)
==713==    by 0x500201: zend_llist_apply_with_argument (in /usr/bin/php8.4)
==713==    by 0x22C140: ??? (in /usr/bin/php8.4)
==713==    by 0x234F45: ??? (in /usr/bin/php8.4)
==713==
==713== Invalid read of size 8
==713==    at 0x5056F3: zend_get_properties_for (in /usr/bin/php8.4)
==713==    by 0x7AFC876: get_spl_storage (var.c:308)
==713==    by 0x7AFC876: handle_spl_classes (var.c:342)
==713==    by 0x7AFC876: fetch_zval_from_symbol_table (var.c:586)
==713==    by 0x7AFCB7F: xdebug_get_php_symbol (var.c:860)
==713==    by 0x7B0E32F: get_symbol (handler_dbgp.c:389)
==713==    by 0x7B0FEA8: add_variable_node (handler_dbgp.c:1555)
==713==    by 0x7B0FEA8: attach_context_vars (handler_dbgp.c:1921)
==713==    by 0x7B0FEA8: xdebug_dbgp_handle_context_get (handler_dbgp.c:2099)
==713==    by 0x7B13DA4: xdebug_dbgp_parse_option (handler_dbgp.c:2206)
==713==    by 0x7B13DA4: xdebug_dbgp_cmdloop.isra.0 (handler_dbgp.c:2316)
==713==    by 0x7B148ED: xdebug_dbgp_breakpoint (handler_dbgp.c:2691)
==713==    by 0x7B09A81: xdebug_debugger_statement_call (debugger.c:360)
==713==    by 0x7AEEDD6: xdebug_statement_call (xdebug.c:780)
==713==    by 0x500201: zend_llist_apply_with_argument (in /usr/bin/php8.4)
==713==    by 0x22C140: ??? (in /usr/bin/php8.4)
==713==    by 0x234F45: ??? (in /usr/bin/php8.4)
==713==  Address 0x20 is not stack'd, malloc'd or (recently) free'd
==713==
==713==
==713== Process terminating with default action of signal 11 (SIGSEGV)
==713==  Access not within mapped region at address 0x20
==713==    at 0x5056F3: zend_get_properties_for (in /usr/bin/php8.4)
==713==    by 0x7AFC876: get_spl_storage (var.c:308)
==713==    by 0x7AFC876: handle_spl_classes (var.c:342)
==713==    by 0x7AFC876: fetch_zval_from_symbol_table (var.c:586)
==713==    by 0x7AFCB7F: xdebug_get_php_symbol (var.c:860)
==713==    by 0x7B0E32F: get_symbol (handler_dbgp.c:389)
==713==    by 0x7B0FEA8: add_variable_node (handler_dbgp.c:1555)
==713==    by 0x7B0FEA8: attach_context_vars (handler_dbgp.c:1921)
==713==    by 0x7B0FEA8: xdebug_dbgp_handle_context_get (handler_dbgp.c:2099)
==713==    by 0x7B13DA4: xdebug_dbgp_parse_option (handler_dbgp.c:2206)
==713==    by 0x7B13DA4: xdebug_dbgp_cmdloop.isra.0 (handler_dbgp.c:2316)
==713==    by 0x7B148ED: xdebug_dbgp_breakpoint (handler_dbgp.c:2691)
==713==    by 0x7B09A81: xdebug_debugger_statement_call (debugger.c:360)
==713==    by 0x7AEEDD6: xdebug_statement_call (xdebug.c:780)
==713==    by 0x500201: zend_llist_apply_with_argument (in /usr/bin/php8.4)
==713==    by 0x22C140: ??? (in /usr/bin/php8.4)
==713==    by 0x234F45: ??? (in /usr/bin/php8.4)
==713==  If you believe this happened as a result of a stack
==713==  overflow in your program's main thread (unlikely but
==713==  possible), you can try to increase the size of the
==713==  main thread stack using the --main-stacksize= flag.
==713==  The main thread stack size used in this run was 8388608.
==713==
==713== HEAP SUMMARY:
==713==     in use at exit: 3,092,356 bytes in 22,597 blocks
==713==   total heap usage: 27,175 allocs, 4,578 frees, 5,009,716 bytes allocated
==713==
==713== LEAK SUMMARY:
==713==    definitely lost: 25,410 bytes in 795 blocks
==713==    indirectly lost: 40 bytes in 1 blocks
==713==      possibly lost: 1,852,338 bytes in 13,263 blocks
==713==    still reachable: 1,214,568 bytes in 8,538 blocks
==713==         suppressed: 0 bytes in 0 blocks
==713== Rerun with --leak-check=full to see details of leaked memory
==713==
==713== Use --track-origins=yes to see where uninitialised values come from
==713== For lists of detected and suppressed errors, rerun with: -s
==713== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
gdb.txt (9,599 bytes)   
Starting program: /usr/bin/php test.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00005555559516f3 in zend_get_properties_for ()
#0  0x00005555559516f3 in zend_get_properties_for ()
No symbol table info available.
#1  0x00007ffff50db877 in get_spl_storage (prop_name_len=22, prop_name=0x7ffff5104caa "", properties=<synthetic pointer>, parent=0x7fffffffafe0) at ./build-8.4/src/lib/var.c:308
No locals.
#2  handle_spl_classes (tmp_retval=0x7fffffffaef0, myht=<synthetic pointer>, element=<synthetic pointer>, value_in=0x7fffffffafe0, prop_name_len=1, prop_name=<optimized out>, class_name_len=0, class_name=0x0) at ./build-8.4/src/lib/var.c:342
        tmp = <optimized out>
        tmp = <optimized out>
        _z1 = <optimized out>
        _z2 = <optimized out>
        _gc = <optimized out>
        _t = <optimized out>
#3  fetch_zval_from_symbol_table (value_in=value_in@entry=0x7fffffffafe0, name=<optimized out>, name_length=<optimized out>, type=<optimized out>, ccn=ccn@entry=0x0, ccnl=0, cce=0x0) at ./build-8.4/src/lib/var.c:586
        ht = <optimized out>
        element = 0x555555db7240 "h"
        element_length = 1
        zpp = <optimized out>
        free_duplicated_name = <optimized out>
        myht = <optimized out>
        orig_value_in = 0x7fffffffafe0
        tmp_retval = {value = {lval = 115, dval = 5.6817549271743353e-322, counted = 0x73, str = 0x73, arr = 0x73, obj = 0x73, res = 0x73, ref = 0x73, ast = 0x73, zv = 0x73, ptr = 0x73, ce = 0x73, func = 0x73, ww = {w1 = 115, w2 = 0}}, u1 = {type_info = 0, v = {type = 0 '\000', type_flags = 0 '\000', u = {extra = 0}}}, u2 = {next = 4294967295, cache_slot = 4294967295, opline_num = 4294967295, lineno = 4294967295, num_args = 4294967295, fe_pos = 4294967295, fe_iter_idx = 4294967295, guard = 4294967295, constant_flags = 4294967295, extra = 4294967295}}
#4  0x00007ffff50dbb80 in xdebug_get_php_symbol (retval=0x7fffffffafe0, name=<optimized out>) at ./build-8.4/src/lib/var.c:860
        found = <optimized out>
        state = <optimized out>
        ptr = <optimized out>
        ctr = 2
        keyword = <optimized out>
        keyword_end = <optimized out>
        type = <optimized out>
        current_classname = 0x0
        current_ce = <optimized out>
        cc_length = <optimized out>
        quotechar = <optimized out>
#5  0x00007ffff50ed330 in get_symbol (name=name@entry=0x7fffffffb060, options=options@entry=0x555555db3190) at ./build-8.4/src/debugger/handler_dbgp.c:389
        retval = {value = {lval = 115, dval = 5.6817549271743353e-322, counted = 0x73, str = 0x73, arr = 0x73, obj = 0x73, res = 0x73, ref = 0x73, ast = 0x73, zv = 0x73, ptr = 0x73, ce = 0x73, func = 0x73, ww = {w1 = 115, w2 = 0}}, u1 = {type_info = 0, v = {type = 0 '\000', type_flags = 0 '\000', u = {extra = 0}}}, u2 = {next = 0, cache_slot = 0, opline_num = 0, lineno = 0, num_args = 0, fe_pos = 0, fe_iter_idx = 0, guard = 0, constant_flags = 0, extra = 0}}
        tmp_node = <optimized out>
#6  0x00007ffff50eeea9 in add_variable_node (options=0x555555db3190, no_eval=0, non_null=1, var_only=1, name=0x7fffffffb060, node=0x555555db33c0) at ./build-8.4/src/debugger/handler_dbgp.c:1555
        contents = <optimized out>
        contents = <optimized out>
#7  attach_context_vars (func=0x7ffff50ed920 <attach_declared_var_with_contents>, depth=<optimized out>, context_id=1, options=0x555555db3190, node=0x555555db33c0) at ./build-8.4/src/debugger/handler_dbgp.c:1921
        _z = <optimized out>
        __ht = <optimized out>
        __key = 0x555555db3740
        _idx = <optimized out>
        _count = 1
        __h = <optimized out>
        _size = <optimized out>
        __z = 0x555555d7c440
        key = 0x555555db3740
        fse = <optimized out>
        var_name = 0xfffffffffffffd48 <error: Cannot access memory at address 0xfffffffffffffd48>
        fse = <optimized out>
        var_name = <optimized out>
        key = <optimized out>
        __ht = <optimized out>
        __h = <optimized out>
        __key = <optimized out>
        _idx = <optimized out>
        _size = <optimized out>
        __z = <optimized out>
        _count = <optimized out>
        _z = <optimized out>
        _p = <optimized out>
        val = <optimized out>
        const_name = <optimized out>
        __ht = <optimized out>
        __h = <optimized out>
        __key = <optimized out>
        _idx = <optimized out>
        _size = <optimized out>
        __z = <optimized out>
        _count = <optimized out>
        _z = <optimized out>
        _p = <optimized out>
        tmp_name = <optimized out>
        tmp_node = <optimized out>
        name = <optimized out>
        orig_value = <optimized out>
        ta = <optimized out>
        tv = <optimized out>
        old_fse = <optimized out>
        must_add_this = <optimized out>
        tmp_hash = <optimized out>
        ce = <optimized out>
#8  xdebug_dbgp_handle_context_get (retval=0x7fffffffb0e8, context=<optimized out>, args=<optimized out>) at ./build-8.4/src/debugger/handler_dbgp.c:2099
        res = <optimized out>
        context_id = <optimized out>
        depth = <optimized out>
        options = 0x555555db3190
#9  0x00007ffff50f2da5 in xdebug_dbgp_parse_option (flags=0, retval=<optimized out>, line=0x555555db35e0 "context_get -i 20 -d 0 -c 1", context=0x7ffff51181a8 <xdebug_globals+392>) at ./build-8.4/src/debugger/handler_dbgp.c:2206
        ret = 0
        command = 0x7ffff51175f8 <dbgp_commands+120>
        cmd = 0x555555db3100 "context_get"
        res = 0
        args = 0x555555bd3620
        error = <optimized out>
        cmd = <optimized out>
        res = <optimized out>
        ret = <optimized out>
        args = <optimized out>
        command = <optimized out>
        error = <optimized out>
        ta = <optimized out>
        tv = <optimized out>
        ta = <optimized out>
        tv = <optimized out>
        ta = <optimized out>
        tv = <optimized out>
        message = <optimized out>
        ta = <optimized out>
        tv = <optimized out>
        message = <optimized out>
        ta = <optimized out>
        tv = <optimized out>
        message = <optimized out>
#10 xdebug_dbgp_cmdloop (context=context@entry=0x7ffff51181a8 <xdebug_globals+392>, bail=bail@entry=1) at ./build-8.4/src/debugger/handler_dbgp.c:2316
        option = 0x555555db35e0 "context_get -i 20 -d 0 -c 1"
        length = <optimized out>
        ret = <optimized out>
        response = 0x555555db33c0
#11 0x00007ffff50f38ee in xdebug_dbgp_breakpoint (context=0x7ffff51181a8 <xdebug_globals+392>, stack=<optimized out>, filename=<optimized out>, lineno=3, type=<optimized out>, exception=0x0, code=0x0, message=0x0, brk_info=0x555555db0800, return_value=0x0) at ./build-8.4/src/debugger/handler_dbgp.c:2691
        response = 0x555555db33c0
        error_container = <optimized out>
#12 0x00007ffff50e8a82 in xdebug_debugger_statement_call (filename=0x555555da9cd0, lineno=lineno@entry=3) at ./build-8.4/src/debugger/debugger.c:360
        break_ok = <optimized out>
        res = <optimized out>
        retval = {value = {lval = 0, dval = 0, counted = 0x0, str = 0x0, arr = 0x0, obj = 0x0, res = 0x0, ref = 0x0, ast = 0x0, zv = 0x0, ptr = 0x0, ce = 0x0, func = 0x0, ww = {w1 = 0, w2 = 0}}, u1 = {type_info = 4099641392, v = {type = 48 '0', type_flags = 144 '\220', u = {extra = 62555}}}, u2 = {next = 32767, cache_slot = 32767, opline_num = 32767, lineno = 32767, num_args = 32767, fe_pos = 32767, fe_iter_idx = 32767, guard = 32767, constant_flags = 32767, extra = 32767}}
        le = 0x555555db0b40
        extra_brk_info = 0x555555db0800
        fse = <optimized out>
#13 0x00007ffff50cddd7 in xdebug_statement_call (frame=<optimized out>) at ./build-8.4/xdebug.c:780
        op_array = <optimized out>
        lineno = 3
#14 0x000055555594c202 in zend_llist_apply_with_argument ()
No symbol table info available.
#15 0x0000555555678141 in ?? ()
No symbol table info available.
#16 0x0000555555680f46 in ?? ()
No symbol table info available.
#17 0x0000555555906f15 in zend_execute ()
No symbol table info available.
#18 0x000055555596e9a0 in zend_execute_script ()
No symbol table info available.
#19 0x0000555555809b35 in php_execute_script_ex ()
No symbol table info available.
#20 0x000055555597072c in ?? ()
No symbol table info available.
#21 0x00005555556876f9 in ?? ()
No symbol table info available.
#22 0x00007ffff752b24a in __libc_start_call_main (main=main@entry=0x555555687410, argc=argc@entry=2, argv=argv@entry=0x7fffffffecd8) at ../sysdeps/nptl/libc_start_call_main.h:58
        self = <optimized out>
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140737488350424, 2985512663876003567, 0, 140737488350448, 93824997573848, 140737354125344, -2985512663202240785, -2985528840979061009}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x7fffffffecd8, 0x7fffffffecd8}, data = {prev = 0x0, cleanup = 0x0, canceltype = -4904}}}
        not_first_call = <optimized out>
#23 0x00007ffff752b305 in __libc_start_main_impl (main=0x555555687410, argc=2, argv=0x7fffffffecd8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffecc8) at ../csu/libc-start.c:360
No locals.
#24 0x0000555555688971 in _start ()
No symbol table info available.
Operating System:
PHP Version: 8.4-dev

Activities

derick (administrator)   2025-03-26 11:31   ~0007220

This turns out to not be a problem with $GLOBALS per se, but rather that the variable parser would see this as the syntax $x-h, which isn't valid. Of course, you can set this in $GLOBALS by using the array syntax.

I have fixed the crash with https://github.com/xdebug/xdebug/pull/1003, but Xdebug still won't be able to show you the value for it.
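Editor's note on the traces, with an added example. Derick's note gives the cause: Xdebug's DBGp variable-name parser reads a global named -h as the expression $x-h, which is not valid syntax, and the crash came from carrying on with the lookup anyway. The attached traces agree with that reading: in gdb frame #3 the parser has already split off element = "h" and is calling handle_spl_classes with class_name=0x0, and Valgrind reports the fatal read at address 0x20 (what touching a field of a null object pointer looks like), preceded by a use of an uninitialised value in the same call chain. The crash needs an attached DBGp client asking for the globals context (context_get -d 0 -c 1 in the gdb output), so it affects debug sessions, not runs without a debugger, which matches the reporter's observation that the script is fine without a breakpoint.

The check a practitioner would want in front of any such lookup, written here as an added example in C (not Xdebug's parser and not the change in PR 1003): a small parser for a simplified `$name`, `$name->prop`, `$name[key]` grammar that rejects `$-h` and `$x-h` before any symbol-table or object access happens, plus a lookup against a constructed globals table that answers "not found" instead of dereferencing when the name is invalid. The grammar, the fixed-size root buffer and the sample table are assumptions for the example; the identifier rule is PHP's documented one for variable names.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified DBGp-style name grammar (an assumption for this example, not Xdebug's own):
 *   name   := '$' ident access*
 *   access := "->" ident | '[' key ']'     (key may not be empty; no nesting or quoting rules)
 *   ident  := [A-Za-z_\x80-\xff][A-Za-z0-9_\x80-\xff]*   (PHP's variable-name rule)
 */
enum sym_status { SYM_OK = 0, SYM_BAD_ROOT, SYM_BAD_ACCESS, SYM_TRUNCATED };

static bool ident_start(unsigned char c) { return c == '_' || isalpha(c) || c >= 0x80; }
static bool ident_char(unsigned char c)  { return ident_start(c) || isdigit(c); }

/* Validate name and copy its root identifier into root (root_sz bytes).
 * Only SYM_OK names may go on to a symbol-table or object lookup. */
enum sym_status parse_symbol_name(const char *name, char *root, size_t root_sz)
{
    const char *p = name;
    size_t i = 0;

    if (*p++ != '$') return SYM_BAD_ROOT;
    if (!ident_start((unsigned char)*p)) return SYM_BAD_ROOT;  /* "$-h" is refused here */
    while (ident_char((unsigned char)*p)) {
        if (i + 1 >= root_sz) return SYM_BAD_ROOT;             /* no room: refuse, don't truncate */
        root[i++] = *p++;
    }
    root[i] = '\0';

    while (*p) {
        if (*p == '-') {
            /* A '-' only means something as "->" followed by an identifier; "$x-h" fails here. */
            if (p[1] != '>' || !ident_start((unsigned char)p[2])) return SYM_BAD_ACCESS;
            p += 2;
            while (ident_char((unsigned char)*p)) p++;
        } else if (*p == '[') {
            const char *close = strchr(p + 1, ']');
            if (!close) return SYM_TRUNCATED;                 /* "$a[0" is never closed */
            if (close == p + 1) return SYM_BAD_ACCESS;        /* "$a[]" has no key */
            p = close + 1;
        } else {
            return SYM_BAD_ACCESS;
        }
    }
    return SYM_OK;
}

/* Wrapper returning only the status, for callers that do not need the root. */
int parse_status(const char *name)
{
    char root[64];
    return parse_symbol_name(name, root, sizeof root);
}

/* Constructed stand-in for the globals table, holding exactly the keys the report assigns.
 * "-h" and "x-h" exist as array keys but have no valid "$name" spelling on the DBGp side. */
struct global_entry { const char *key; long value; };
static const struct global_entry sample_globals[] = {
    { "x", 1 }, { "-h", 5 }, { "x-h", 1 },
};

/* Resolve a plain "$name" against the sample table. Returns the value, or -1 when the name
 * is syntactically invalid, carries accesses this example does not resolve, or is absent.
 * An invalid name never reaches the table walk, let alone an object dereference. */
long global_value(const char *name)
{
    char root[64];
    if (parse_symbol_name(name, root, sizeof root) != SYM_OK) return -1;
    if (name[1 + strlen(root)] != '\0') return -1;   /* "->" / "[...]" accesses not resolved here */
    for (size_t i = 0; i < sizeof sample_globals / sizeof sample_globals[0]; i++)
        if (strcmp(sample_globals[i].key, root) == 0) return sample_globals[i].value;
    return -1;
}

int main(void)
{
    const char *names[] = { "$x", "$-h", "$x-h", "$GLOBALS['-h']", "$a->b->c", "$a->", "$a[0" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-16s status=%d value=%ld\n", names[i], parse_status(names[i]), global_value(names[i]));
    return 0;
}
```

As Derick says, Xdebug still cannot show such a variable after the fix; the point of the check is that the failure is a clean "not found" on the DBGp side. The value remains reachable through array syntax, and `$GLOBALS['-h']` passes the parser because its root `GLOBALS` is a valid identifier.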

Issue History

Date Modified Username Field Change
2025-03-24 11:57 hburger New Issue
2025-03-24 11:57 hburger File Added: test.php
2025-03-24 11:57 hburger File Added: xdebug.log
2025-03-24 11:57 hburger File Added: valgrind.txt
2025-03-24 11:57 hburger File Added: gdb.txt
2025-03-26 11:31 derick Status new => assigned
2025-03-26 11:31 derick Target Version => 3.4dev
2025-03-26 11:31 derick Summary Segmentation fault when modifying $GLOBALS => Segmentation fault with 'invalid' variable names
2025-03-26 11:31 derick Note Added: 0007220