Well, for some reason it now segfaults when I do the reproduction code from GDB. Not sure why it wasn't happening before...
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1217698096 (LWP 495)]
0xb757419e in xdebug_set_in_ex (set=0x8f60068, position=54657166, noisy=1) at /tmp/xdebug-2.0.2/xdebug_set.c:72
72 return (*byte & (1 << bit));
(gdb) bt
#0 0xb757419e in xdebug_set_in_ex (set=0x8f60068, position=54657166, noisy=1) at /tmp/xdebug-2.0.2/xdebug_set.c:72
#1 0xb75613cd in xdebug_analyse_branch (opa=0x8a3bad0, position=54657166, set=0x8f60068) at /tmp/xdebug-2.0.2/xdebug_code_coverage.c:167
0000002 0xb7561452 in xdebug_analyse_branch (opa=0x8a3bad0, position=56, set=0x8f60068) at /tmp/xdebug-2.0.2/xdebug_code_coverage.c:185
0000003 0xb756142b in xdebug_analyse_branch (opa=0x8a3bad0, position=32, set=0x8f60068) at /tmp/xdebug-2.0.2/xdebug_code_coverage.c:183
0000004 0xb7561599 in prefill_from_oparray (fn=0x8db425c "/var/www/accounts/a199400125f04d539cbdbe4616e44107/eas/lib/publishing.tools.esp",
opa=0x8a3bad0) at /tmp/xdebug-2.0.2/xdebug_code_coverage.c:246
0000005 0xb75616f7 in prefill_from_function_table (opa=0x8a3bad0, num_args=1, args=0xbfa83f60 "0f?\t`2X?????.?U??\234V\b?~\001",
hash_key=0xbfa83f2c) at /tmp/xdebug-2.0.2/xdebug_code_coverage.c:268
0000006 0x0820eb6e in zend_hash_apply_with_arguments ()
0000007 0xb75617fa in xdebug_prefill_code_coverage (op_array=0x8569ce0) at /tmp/xdebug-2.0.2/xdebug_code_coverage.c:311
0000008 0xb755ca2e in xdebug_execute (op_array=0x8569ce0) at /tmp/xdebug-2.0.2/xdebug.c:1489
0000009 0xb7640ffb in _su3jdmx () from /usr/lib/php5/extensions/ioncube/ioncube_loader_lin_5.2.so
0000010 0x08569ce0 in ?? ()
0000011 0xb78f1ff4 in ?? () from /lib/libc.so.6
0000012 0xb78f3120 in __after_morecore_hook () from /lib/libc.so.6
0000013 0x0898eef8 in ?? ()
0000014 0x0835cd70 in ?? ()
0000015 0xb781f870 in free () from /lib/libc.so.6
0000016 0x082247b8 in execute ()
0000017 0xb755caf9 in xdebug_execute (op_array=0x8550df8) at /tmp/xdebug-2.0.2/xdebug.c:1509
0000018 0xb7640ffb in _su3jdmx () from /usr/lib/php5/extensions/ioncube/ioncube_loader_lin_5.2.so
0000019 0x08550df8 in ?? ()
0000020 0x08543214 in ?? ()
0000021 0x00000000 in ?? ()
(gdb) list
67 unsigned int bit;
68
69 byte = &(set->setinfo[position / 8]);
70 bit = position % 8;
71
72 return (*byte & (1 << bit));
73 }
I have the same problem since version 2.0.1
What I found out:
- The error happens both with and without the apc, suhosin and ioncube_loader extensions
- The error is triggered by new versions of phpunit with coverage/metrics enabled
Here is an additional backtrace (with suhosin and apc enabled)
#0 0xb774792e in xdebug_set_in_ex (set=0x91a92c8, position=54484423, noisy=1) at /tmp/pear/download/xdebug-2.0.2/xdebug_set.c:72
72 return (*byte & (1 << bit));
(gdb) bt
#0 0xb774792e in xdebug_set_in_ex (set=0x91a92c8, position=54484423, noisy=1) at /tmp/pear/download/xdebug-2.0.2/xdebug_set.c:72
#1 0xb7735897 in xdebug_analyse_branch (opa=0x93016e0, position=54484423, set=0x91a92c8) at /tmp/pear/download/xdebug-2.0.2/xdebug_code_coverage.c:167
0000002 0xb773591c in xdebug_analyse_branch (opa=0x93016e0, position=18, set=0x91a92c8) at /tmp/pear/download/xdebug-2.0.2/xdebug_code_coverage.c:185
0000003 0xb7735a9c in prefill_from_oparray (fn=0x92e8114 "/usr/share/php/HTML/QuickForm.php", opa=0x93016e0)
at /tmp/pear/download/xdebug-2.0.2/xdebug_code_coverage.c:246
0000004 0xb7735c2f in prefill_from_function_table (opa=0x93016e0, num_args=1, args=0xbff4db40 "d", hash_key=0xbff4db0c)
at /tmp/pear/download/xdebug-2.0.2/xdebug_code_coverage.c:268
0000005 0x082ce25e in zend_hash_apply_with_arguments (ht=0x92f00c8, apply_func=0xb7735bd6 <prefill_from_function_table>, num_args=1)
at /build/buildd/php5-5.2.4/Zend/zend_hash.c:923
0000006 0xb7735cb8 in prefill_from_class_table (class_entry=0x91a883c, num_args=1, args=0xbff4dbb0 "�au��au�8����\020s���x\bF/", hash_key=0xbff4db7c)
at /tmp/pear/download/xdebug-2.0.2/xdebug_code_coverage.c:295
0000007 0x082ce25e in zend_hash_apply_with_arguments (ht=0x85998c0, apply_func=0xb7735c3a <prefill_from_class_table>, num_args=1)
at /build/buildd/php5-5.2.4/Zend/zend_hash.c:923
0000008 0xb7735d62 in xdebug_prefill_code_coverage (op_array=0x878f4b0) at /tmp/pear/download/xdebug-2.0.2/xdebug_code_coverage.c:312
0000009 0xb77310ed in xdebug_execute (op_array=0x878f4b0) at /tmp/pear/download/xdebug-2.0.2/xdebug.c:1489
0000010 0xb5e0f4ef in suhosin_execute_ex (op_array=0x878f4b0, zo=0, dummy=0) at /build/buildd/php-suhosin-0.9.22/execute.c:559
0000011 0x082b72ea in zend_call_function (fci=0xbff4ddd0, fci_cache=0x0) at /build/buildd/php5-5.2.4/Zend/zend_execute_API.c:990
0000012 0x082b852c in call_user_function_ex (function_table=0x8599890, object_pp=0x0, function_name=0x9245dcc, retval_ptr_ptr=0xbff4de70,
param_count=<error type>, params=0x92fa7d4, no_separation=1, symbol_table=0x0) at /build/buildd/php5-5.2.4/Zend/zend_execute_API.c:617
0000013 0x082c4279 in zend_error (type=2048, format=0x8540654 "Assigning the return value of new by reference is deprecated")
at /build/buildd/php5-5.2.4/Zend/zend.c:1122
0000014 0x0829e3e6 in zendparse () at /build/buildd/php5-5.2.4/Zend/zend_language_parser.c:3869
0000015 0x082a36f0 in compile_file (file_handle=<incomplete type>, type=8) at /build/buildd/php5-5.2.4/Zend/zend_language_scanner.c:3420
0000016 0xb7733776 in xdebug_compile_file (file_handle=0xbff4f2c0, type=8) at /tmp/pear/download/xdebug-2.0.2/xdebug.c:2336
0000017 0x082e940d in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (execute_data=0xbff4f398) at /build/buildd/php5-5.2.4/Zend/zend_vm_execute.h:1984
0000018 0x082e4018 in execute (op_array=0x92d9a5c) at /build/buildd/php5-5.2.4/Zend/zend_vm_execute.h:92
0000019 0xb77311b8 in xdebug_execute (op_array=0x92d9a5c) at /tmp/pear/download/xdebug-2.0.2/xdebug.c:1509
0000020 0xb5e0f4ef in suhosin_execute_ex (op_array=0x92d9a5c, zo=0, dummy=0) at /build/buildd/php-suhosin-0.9.22/execute.c:559
0000021 0x082e92a4 in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (execute_data=0xbff4f6b8) at /build/buildd/php5-5.2.4/Zend/zend_vm_execute.h:2030
0000022 0x082e4018 in execute (op_array=0x8e11d3c) at /build/buildd/php5-5.2.4/Zend/zend_vm_execute.h:92
0000023 0xb77311b8 in xdebug_execute (op_array=0x8e11d3c) at /tmp/pear/download/xdebug-2.0.2/xdebug.c:1509
0000024 0xb5e0f4ef in suhosin_execute_ex (op_array=0x8e11d3c, zo=0, dummy=0) at /build/buildd/php-suhosin-0.9.22/execute.c:559
0000025 0x082f2f3b in zend_do_fcall_common_helper_SPEC (execute_data=0xbff4fac8) at /build/buildd/php5-5.2.4/Zend/zend_vm_execute.h:234
0000026 0x082e4018 in execute (op_array=0x8e798b8) at /build/buildd/php5-5.2.4/Zend/zend_vm_execute.h:92
0000027 0xb77311b8 in xdebug_execute (op_array=0x8e798b8) at /tmp/pear/download/xdebug-2.0.2/xdebug.c:1509
0000028 0xb5e0f4ef in suhosin_execute_ex (op_array=0x8e798b8, zo=0, dummy=0) at /build/buildd/php-suhosin-0.9.22/execute.c:559
0000029 0x082b72ea in zend_call_function (fci=0xbff4fd44, fci_cache=0xbff4fd68) at /build/buildd/php5-5.2.4/Zend/zend_execute_API.c:990
0000030 0x081717bb in zim_reflection_method_invoke (ht=1, return_value=0x92d9640, return_value_ptr=0x0, this_ptr=0x92d96e0, return_value_used=0)
at /build/buildd/php5-5.2.4/ext/reflection/php_reflection.c:2375
0000031 0x082e2831 in execute_internal (execute_data_ptr=0xbff50358, return_value_used=0) at /build/buildd/php5-5.2.4/Zend/zend_execute.c:1385
0000032 0xb7731513 in xdebug_execute_internal (current_execute_data=0xbff50358, return_value_used=0) at /tmp/pear/download/xdebug-2.0.2/xdebug.c:1573
0000033 0xb5e0efc8 in suhosin_execute_internal (execute_data_ptr=0xbff50358, return_value_used=0) at /build/buildd/php-suhosin-0.9.22/execute.c:1211
0000034 0x082f3367 in zend_do_fcall_common_helper_SPEC (execute_data=0xbff50358) at /build/buildd/php5-5.2.4/Zend/zend_vm_execute.h:202
#35 0x082e4018 in execute (op_array=0x8eb3ca8) at /build/buildd/php5-5.2.4/Zend/zend_vm_execute.h:92
0000036 0xb77311b8 in xdebug_execute (op_array=0x8eb3ca8) at /tmp/pear/download/xdebug-2.0.2/xdebug.c:1509
0000037 0xb5e0f4ef in suhosin_execute_ex (op_array=0x8eb3ca8, zo=0, dummy=0) at /build/buildd/php-suhosin-0.9.22/execute.c:559
0000038 0x082f2f3b in zend_do_fcall_common_helper_SPEC (execute_data=0xbff50a38) at /build/buildd/php5-5.2.4/Zend/zend_vm_execute.h:234
0000039 0x082e4018 in execute (op_array=0x8eb3bc0) at /build/buildd/php5-5.2.4/Zend/zend_vm_execute.h:92
0000040 0xb77311b8 in xdebug_execute (op_array=0x8eb3bc0) at /tmp/pear/download/xdebug-2.0.2/xdebug.c:1509
0000041 0xb5e0f4ef in suhosin_execute_ex (op_array=0x8eb3bc0, zo=0, dummy=0) at /build/buildd/php-suhosin-0.9.22/execute.c:559
0000042 0x082f2f3b in zend_do_fcall_common_helper_SPEC (execute_data=0xbff513c8) at /build/buildd/php5-5.2.4/Zend/zend_vm_execute.h:234
0000043 0x082e4018 in execute (op_array=0x883a2f4) at /build/buildd/php5-5.2.4/Zend/zend_vm_execute.h:92
0000044 0xb77311b8 in xdebug_execute (op_array=0x883a2f4) at /tmp/pear/download/xdebug-2.0.2/xdebug.c:1509
0000045 0xb5e0f4ef in suhosin_execute_ex (op_array=0x883a2f4, zo=0, dummy=0) at /build/buildd/php-suhosin-0.9.22/execute.c:559
0000046 0x082f2f3b in zend_do_fcall_common_helper_SPEC (execute_data=0xbff516e8) at /build/buildd/php5-5.2.4/Zend/zend_vm_execute.h:234
0000047 0x082e4018 in execute (op_array=0x8eb3ad8) at /build/buildd/php5-5.2.4/Zend/zend_vm_execute.h:92
0000048 0xb77311b8 in xdebug_execute (op_array=0x8eb3ad8) at /tmp/pear/download/xdebug-2.0.2/xdebug.c:1509
#49 0xb5e0f4ef in suhosin_execute_ex (op_array=0x8eb3ad8, zo=0, dummy=0) at /build/buildd/php-suhosin-0.9.22/execute.c:559
0000050 0x082f2f3b in zend_do_fcall_common_helper_SPEC (execute_data=0xbff519a8) at /build/buildd/php5-5.2.4/Zend/zend_vm_execute.h:234
#51 0x082e4018 in execute (op_array=0x89165d4) at /build/buildd/php5-5.2.4/Zend/zend_vm_execute.h:92
0000052 0xb77311b8 in xdebug_execute (op_array=0x89165d4) at /tmp/pear/download/xdebug-2.0.2/xdebug.c:1509
0000053 0xb5e0f4ef in suhosin_execute_ex (op_array=0x89165d4, zo=0, dummy=0) at /build/buildd/php-suhosin-0.9.22/execute.c:559
0000054 0x082f2f3b in zend_do_fcall_common_helper_SPEC (execute_data=0xbff52278) at /build/buildd/php5-5.2.4/Zend/zend_vm_execute.h:234
0000055 0x082e4018 in execute (op_array=0x890fd54) at /build/buildd/php5-5.2.4/Zend/zend_vm_execute.h:92
0000056 0xb77311b8 in xdebug_execute (op_array=0x890fd54) at /tmp/pear/download/xdebug-2.0.2/xdebug.c:1509
0000057 0xb5e0f4ef in suhosin_execute_ex (op_array=0x890fd54, zo=0, dummy=0) at /build/buildd/php-suhosin-0.9.22/execute.c:559
0000058 0x082f2f3b in zend_do_fcall_common_helper_SPEC (execute_data=0xbff52b48) at /build/buildd/php5-5.2.4/Zend/zend_vm_execute.h:234
0000059 0x082e4018 in execute (op_array=0x890fd54) at /build/buildd/php5-5.2.4/Zend/zend_vm_execute.h:92
0000060 0xb77311b8 in xdebug_execute (op_array=0x890fd54) at /tmp/pear/download/xdebug-2.0.2/xdebug.c:1509
0000061 0xb5e0f4ef in suhosin_execute_ex (op_array=0x890fd54, zo=0, dummy=0) at /build/buildd/php-suhosin-0.9.22/execute.c:559
0000062 0x082f2f3b in zend_do_fcall_common_helper_SPEC (execute_data=0xbff53fc8) at /build/buildd/php5-5.2.4/Zend/zend_vm_execute.h:234
0000063 0x082e4018 in execute (op_array=0x87768c4) at /build/buildd/php5-5.2.4/Zend/zend_vm_execute.h:92
0000064 0xb77311b8 in xdebug_execute (op_array=0x87768c4) at /tmp/pear/download/xdebug-2.0.2/xdebug.c:1509
0000065 0xb5e0f4ef in suhosin_execute_ex (op_array=0x87768c4, zo=0, dummy=0) at /build/buildd/php-suhosin-0.9.22/execute.c:559
0000066 0x082f2f3b in zend_do_fcall_common_helper_SPEC (execute_data=0xbff54828) at /build/buildd/php5-5.2.4/Zend/zend_vm_execute.h:234
0000067 0x082e4018 in execute (op_array=0x875e8ac) at /build/buildd/php5-5.2.4/Zend/zend_vm_execute.h:92
0000068 0xb77311b8 in xdebug_execute (op_array=0x875e8ac) at /tmp/pear/download/xdebug-2.0.2/xdebug.c:1509
0000069 0xb5e0f4ef in suhosin_execute_ex (op_array=0x875e8ac, zo=0, dummy=0) at /build/buildd/php-suhosin-0.9.22/execute.c:559
0000070 0x082f2f3b in zend_do_fcall_common_helper_SPEC (execute_data=0xbff54bd8) at /build/buildd/php5-5.2.4/Zend/zend_vm_execute.h:234
0000071 0x082e4018 in execute (op_array=0x875f3e4) at /build/buildd/php5-5.2.4/Zend/zend_vm_execute.h:92
0000072 0xb77311b8 in xdebug_execute (op_array=0x875f3e4) at /tmp/pear/download/xdebug-2.0.2/xdebug.c:1509
0000073 0xb5e0f4ef in suhosin_execute_ex (op_array=0x875f3e4, zo=0, dummy=0) at /build/buildd/php-suhosin-0.9.22/execute.c:559
0000074 0x082e92a4 in ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER (execute_data=0xbff54e68) at /build/buildd/php5-5.2.4/Zend/zend_vm_execute.h:2030
0000075 0x082e4018 in execute (op_array=0x875ac58) at /build/buildd/php5-5.2.4/Zend/zend_vm_execute.h:92
0000076 0xb77311b8 in xdebug_execute (op_array=0x875ac58) at /tmp/pear/download/xdebug-2.0.2/xdebug.c:1509
0000077 0xb5e0f4ef in suhosin_execute_ex (op_array=0x875ac58, zo=0, dummy=0) at /build/buildd/php-suhosin-0.9.22/execute.c:559
0000078 0x082c2ee3 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /build/buildd/php5-5.2.4/Zend/zend.c:1215
0000079 0x08278d60 in php_execute_script (primary_file=0xbff57360) at /build/buildd/php5-5.2.4/main/main.c:2003
0000080 0x083553ba in main (argc=14, argv=0xbff57444) at /build/buildd/php5-5.2.4/sapi/cli/php_cli.c:1146
(gdb) list xdebug_set_in_ex
60
61 byte = byte & ~(1 << bit);
62 }
63
64 int xdebug_set_in_ex(xdebug_set set, unsigned int position, int noisy)
65 {
66 unsigned char byte;
67 unsigned int bit;
68
69 byte = &(set->setinfo[position / 8]);
(gdb) print byte
$1 = (unsigned char *) 0x9827538 <Address 0x9827538 out of bounds>
(gdb) print bit
$2 = 7
Ok, I found the cause of the segfault and a workaround, but not the real source of the problem.
The problem is that position is bigger than opa->size, which obviously cannot work. xdebug_find_jump returns a negative int, which is converted to a huge value because position is unsigned while jmp1/2 are signed.
If I understand the code correctly, the problem is that sometimes opcode.op2.u.opline_num is smaller than base_address on line 135. I added a simple check, but it is probably better to find the reason why that is so.
diff -u xdebug_code_coverage.c_orig xdebug_code_coverage.c
--- xdebug_code_coverage.c_orig 2008-01-10 08:31:50.000000000 +0900
+++ xdebug_code_coverage.c 2008-01-10 08:53:28.000000000 +0900
@@ -132,7 +132,12 @@
) {
*jmp1 = position + 1;
#ifdef ZEND_ENGINE_2
-
*jmp2 = (opcode.op2.u.opline_num - base_address) / sizeof(zend_op);
-
/ if opline_num is smaller than base_address, use it directly /
-
if (opcode.op2.u.opline_num < base_address) {
-
*jmp2 = opcode.op2.u.opline_num;
-
} else {
-
*jmp2 = (opcode.op2.u.opline_num - base_address) / sizeof(zend_op);
-
}
#else
*jmp2 = opcode.op1.u.opline_num;
#endif
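Review bot: The new branch at `if (opcode.op2.u.opline_num < base_address)` decides whether the operand holds an opline index or an absolute opline address purely by comparing the value against `base_address`, which is a heuristic rather than a property of the op_array: a small index and a small address are not distinguishable this way, and the comparison mixes the operand's integer type with whatever type `base_address` has (declared outside the hunk, so the promotion rules cannot be checked here). If the engine records whether this op_array has been through the pass that rewrites jump operands into addresses, that flag would be the right discriminator; otherwise the comment should state that this is a guess, e.g. `/* Heuristic: a value below base_address cannot be an opline address, so treat it as an index */`. The index taken directly in the new `if` branch is also not range-checked here, so callers still depend on the size check added in xdebug_analyse_branch. The enclosing function starts before this hunk.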
@@ -162,6 +167,11 @@
int jump_pos1 = -1;
int jump_pos2 = -1;
-
/ Cancel if position is bigger than the actual size /
-
if ( position > opa->size) {
-
return;
-
}
-
/(fprintf(stderr, "Branch analysis from position: %d\n", position);)/
/ First we see if the branch has been visited, if so we bail out. /
if (xdebug_set_in(set, position)) {
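Review bot: The guard `if ( position > opa->size)` is off by one: `position == opa->size` passes it and then indexes one element past the end of the opcode array, and past the bitmap that xdebug_set_in reads, which is the same kind of out-of-bounds read the backtrace shows. It should read `if (position >= opa->size) { return; }` (or compare against the count of oplines actually in use, if the op_array keeps that separately from its allocated size). This check also only masks the root cause described in the report, a negative return from xdebug_find_jump being converted to a huge value because `position` is unsigned, so rejecting negative jump targets before they are passed as `position` would be the more precise fix. The enclosing function xdebug_analyse_branch starts before this hunk.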