View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0002339XdebugUncategorizedpublic2025-04-16 18:422025-05-14 09:36
ReporterRetrowareDavid Assigned Toderick  
PrioritynormalSeveritycrashReproducibilityalways
Status closedResolutionfixed 
PlatformmacOSOSSequoiaOS Version15.4 (24E248)
Product Version3.4.2 
Target Version3.4devFixed in Version3.4.3 
Summary0002339: Trying to throw an exception can cause a zend_mm_heap corrupted error under specific circumstances
Description

Modifying a variable in multiple files can cause a zend_mm_heap corrupted crash you try to throw an Exception.

Steps To Reproduce
  1. Create two files:
    File one (index.php): 
    <?php
$var  = "1234567890123456789012";
$var .= "3";
require_once realpath(__DIR__ . "/second-file.php");
?>

    File two (second-file.php):

    <?php
$var .= "4";
throw new Exception();
?>
  2. Open the first file with php index.php on the command line
  3. ---> PHP crashes with a zend_mm_heap corrupted
Additional Information

For the crash to occur:

  • The code needs to be in two files.
  • A variable needs to be created, then modified in the first file, then modified again in the second file.
  • The variable needs to be of a certain size/length at the end of the modifications.
    • I'm not sure if this issue only happens with strings, but in the case of strings, the final length must be at least 24 characters long.
    • It appears that any modification will work, e.g. substr(), strtolower(), or simple concatenation.

This was checked against via Terminal on macOS 15.4 (24E248) using PHP 8.4.5 and 8.4.6 and via Command Prompt on Windows 10 Pro (19045.5737) using PHP 8.4.6.

I was not able to reliably reproduce the issue with USE_ZEND_ALLOC off, but I am including a crash report from macOS (php-2025-04-15-144626.ips). While trying to isolate the problem, though, I did have an EXC_BAD_ACCESS (SIGSEGV) crash while USE_ZEND_ALLOC was disabled, which is also included just in case (php-2025-04-11-124429.ips). I was not able to get a GDB backtrace: When I got to the run step, it failed with the error Don't know how to run. Try "help target".

TagsNo tags attached.
Attached Files
php-2025-04-15-144626.ips (22,066 bytes)
php-2025-04-11-124429.ips (21,894 bytes)
Operating SystemmacOS 15.4 (24E248) & Windows 10 Pro (19045.5737)
PHP Version8.4-dev

Activities

derick

2025-04-17 16:04

administrator   ~0007251

I can easily reproduce this. Instead of needing the more specific constraints (special length or content), the problem shows up with valgrind regardless.

derick

2025-05-02 15:00

administrator   ~0007280

https://github.com/xdebug/xdebug/pull/1019

Thanks for the report! I hope to have a release out early next week.

RetrowareDavid

2025-05-02 15:42

reporter   ~0007281

Great! Thanks for the fix, and thanks for Xdebug! :)

Issue History

Date Modified Username Field Change
2025-04-16 18:42 RetrowareDavid New Issue
2025-04-16 18:42 RetrowareDavid File Added: php-2025-04-15-144626.ips
2025-04-16 18:42 RetrowareDavid File Added: php-2025-04-11-124429.ips
2025-04-17 16:04 derick Assigned To => derick
2025-04-17 16:04 derick Status new => confirmed
2025-04-17 16:04 derick Note Added: 0007251
2025-04-17 16:04 derick Target Version => 3.4dev
2025-05-02 15:00 derick Status confirmed => closed
2025-05-02 15:00 derick Resolution open => fixed
2025-05-02 15:00 derick Fixed in Version => 3.4dev
2025-05-02 15:00 derick Note Added: 0007280
2025-05-02 15:42 RetrowareDavid Note Added: 0007281
2025-05-14 09:36 derick Fixed in Version 3.4dev => 3.4.3