0000463: Segmentation fault: xdebug & PHP/Java Bridge

ID	Project	Category	View Status	Date Submitted	Last Update

0000463	Xdebug	Uncategorized	public	2009-08-06 11:11	2014-01-03 15:51

Reporter	jaruz	Assigned To	derick
Priority	normal	Severity	crash	Reproducibility	always
Status	resolved	Resolution	unable to reproduce
Target Version	2.2dev

Summary	0000463: Segmentation fault: xdebug & PHP/Java Bridge
Description	We are using the PHP/Java Bridge (http://php-java-bridge.sourceforge.net/) to communicate with our Java Back-End. When Xdebug is enabled, we get a Segmentation Fault. With Xdebug disabled, everything works fine. The PHP/Java Bridge is a "pure PHP" implementation, thus no extensions are compiled into PHP. (Java.inc is just a PHP script which uses sockets to communicate with the back-end server). Before we figured that the problem was being triggered by Xdebug, we contacted the developers of the PHP/Java Bridge; after a while of debugging the issue, they stated: "Sounds like a bug in the php debug code, trying to trace non-existent references. Or a bug in your C compiler/optimizer." Please let me know what information you need to pinpoint the exact cause of this bug. Thanks!
Additional Information	Script used to reproduce the Segmentation Fault: <?php error_reporting(E_ALL); define('JAVA_DEBUG', false); define('JAVA_LOG_LEVEL', 0); define('JAVA_SERVLET', 'On'); define('JAVA_HOSTS', 'backenddev:8080'); require_once('http://backenddev:8080/JavaBridge/java/Java.inc'); java_set_file_encoding('UTF-8'); $buffer = new Java( "java.lang.StringBuffer" ); $buffer->append( "test" ); // This triggers the Segmentation Fault echo 'If we see this, it works fine' . PHP_EOL; ?>
Tags	No tags attached.

Operating System	Linux 2.6.15-54-server
PHP Version	5.2.6

jaruz 2009-08-06 11:28 reporter ~0001030	Possibly related to bug 443. The Segmentation Fault only happens when calling Java Methods which return an instance of itself. Executing methods which return void or data, works fine.

derick 2009-08-06 12:16 administrator ~0001033	I need a GDB backtrace: http://bugs.php.net/bugs-generating-backtrace.php Very much likely related to bug 0000358 as well.

jaruz 2009-08-06 12:25 reporter ~0001034	Hi Derick: Thanks for your help. The following message and GDB backtrace was just posted by the PHP/Java Bridge Lead Developer on the PHP/Java Bridge mailing list (he was able to reproduce the issue too): --------------------- Hi, yes, it crashes in strcmp, due to an uninitialized function name. I think xdebug makes false asumptions about the zend engine state: Program received signal SIGSEGV, Segmentation fault. 0x001194fd in add_stack_frame (zdata=0xbfffcbec, op_array=0x852ef1c, type=2) at /home/jostb/xdebug-2.0.0/xdebug.c:1007 1007 if ( (gdb) list 1002 XDEBUG_LLIST_TAIL(XG(stack)) 1003 ) { 1004 /* Ugly hack for call_user_() type function calls / 1005 zend_function *tmpf = EG(current_execute_data)->prev_execute_data->function_state.function; 1006 if (tmpf && (tmpf->common.type != 3) && tmpf->common.function_name) { 1007 if ( 1008 (strcmp(tmpf->common.function_name, "call_user_func") == 0) \|\| 1009 (strcmp(tmpf->common.function_name, "call_user_func_array") == 0) \|\| 1010 (strcmp(tmpf->common.function_name, "call_user_func_method") == 0) \|\| 1011 (strcmp(tmpf->common.function_name, "call_user_func_method_array") == 0) (gdb) p tmpf->common $4 = {type = 144 '\220', function_name = 0x7 <Address 0x7 out of bounds>, scope = 0x845fed0, fn_flags = 138807704, prototype = 0x8460368, num_args = 0, required_num_args = 0, arg_info = 0x0, pass_rest_by_reference = 99 'c', return_reference = 108 'l'} (gdb) Regards, Jost Boekemeier --------------------- Please let me know if you need anything else. Thanks!

derick 2009-08-06 12:27 administrator ~0001035	Please type "bt full" on the GDB prompt.

jostb 2009-08-07 07:17 reporter ~0001038 Last edited: 2009-08-07 07:35	To reproduce this bug install php 5.2.6 and xdebug 2.0.0, save the following as file "xdebug.php" and run "php xdebug.php": => http://php-java-bridge.sourceforge.net/pjb/xdebug.php.txt

jaruz 2009-08-10 11:57 reporter ~0001039	Derick: The PHP page states that --enable-debug should be configured but when I recompile PHP, xdebug stops working. I have recompiled xdebug and have a valid /usr/lib/php/20060613-debug/xdebug.so extension. I am using "zend_extension_debug" to load it (with the full path), but it seems to be simply ignored. (And if I use "zend_extension", PHP starts up with error: "zend contains debug xdebug does not") So I recompiled PHP & xdebug again with --disable-debug and I execute my script to verify if I still get the segmentation fault: ------------ antonioz@myserver:~/javatest$ php testdev.php Segmentation fault ------------ There is no core file, so I execute: ------------ antonioz@myserver:~/javatest$ gdb --args php testdev.php GNU gdb 6.4-debian Copyright 2005 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i486-linux-gnu"...Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1". (gdb) run Starting program: /usr/bin/php testdev.php [Thread debugging using libthread_db enabled] [New Thread -1215138112 (LWP 26345)] Program received signal SIGSEGV, Segmentation fault. [Switching to Thread -1215138112 (LWP 26345)] 0xb7888b1d in add_stack_frame (zdata=0xbfea71c4, op_array=0xb72987b4, type=2) at /tmp/pear/temp/xdebug/xdebug.c:1030 1030 /tmp/pear/temp/xdebug/xdebug.c: No such file or directory. in /tmp/pear/temp/xdebug/xdebug.c (gdb) bt full #0 0xb7888b1d in add_stack_frame (zdata=0xbfea71c4, op_array=0xb72987b4, type=2) at /tmp/pear/temp/xdebug/xdebug.c:1030 tmpf = (zend_function ) 0xb78f5c9c edata = (zend_execute_data ) 0xbfea71c4 tmp = (function_stack_entry ) 0x874e720 cur_opcode = (zend_op ) 0xbfea727c param = (zval ) 0xb72f9600 i = 0 aggr_key = 0x8617be0 "\230rê¿" aggr_key_len = -1214647372 #1 0xb788a338 in xdebug_execute (op_array=0xb72987b4) at /tmp/pear/temp/xdebug/xdebug.c:1512 dummy = (zval ) 0x8309870 edata = (zend_execute_data ) 0xbfea71c4 fse = (function_stack_entry ) 0x0 xfse = (function_stack_entry ) 0x20 magic_cookie = 0x0 do_return = 0 function_nr = 0 le = (xdebug_llist_element ) 0xbfea7108 eval_id = 0 return_val = (zval ) 0x0 0000002 0x083184c9 in zend_call_function (fci=0xbfea724c, fci_cache=0xbfea7270) at /home/antonioz/php-5.2.6/Zend/zend_execute_API.c:1013 param = <value optimized out> i = <value optimized out> original_return_value = (zval ) 0xbfea7964 calling_symbol_table = (HashTable ) 0x8617cb0 original_function_state_ptr = (zend_function_state ) 0xbfea7830 original_op_array = (zend_op_array ) 0xb78f1504 original_opline_ptr = (zend_op *) 0xbfea782c current_scope = (zend_class_entry ) 0x0 calling_scope = (zend_class_entry ) 0xb72970b8 check_scope_or_static = (zend_class_entry ) 0xb78b132c current_this = (zval ) 0xb72b3a78 execute_data = {opline = 0x0, function_state = {function_symbol_table = 0xb7245a74, function = 0xb72987b4, reserved = {0x0, 0x8749b20, 0xb79a1411, 0x0}}, fbc = 0xb78f5c9c, op_array = 0x0, object = 0xb7906ac0, Ts = 0xbfea76d0, CVs = 0xbfea76b0, original_in_execution = 0 '\0', symbol_table = 0x8617cb0, prev_execute_data = 0xbfea782c, old_error_reporting = 0x0} method_name = (zval ) 0xb7887dd0 params_array = (zval ) 0x874a8d0 call_via_handler = 0 fname = 0x87586f0 "Ø§t\bX\203¦·\003" fname_len = <value optimized out> 0000003 0x0833830a in zend_call_method (object_pp=0xbfea72f4, obj_ce=0xb72970b8, fn_proxy=0xbfea72f8, function_name=0x85c569b "__destruct", function_name_len=10, retval_ptr_ptr=<value optimized out>, param_count=-1215653109, arg1=0x0, arg2=0x0) at /home/antonioz/php-5.2.6/Zend/zend_interfaces.c:88 fcic = {initialized = 1 '\001', function_handler = 0xb72987b4, calling_scope = 0xb72970b8, object_pp = 0xbfea72f4} result = <value optimized out> fci = {size = 36, function_table = 0xb72922b4, function_name = 0xbfea7280, symbol_table = 0x0, retval_ptr_ptr = 0xbfea7298, param_count = 0, params = 0xbfea7290, object_pp = 0xbfea72f4, no_separation = 1 '\001'} z_fname = {value = {lval = -1215342512, dval = 1.0009519971716759e-313, str = {val = 0xb78f5850 "", len = 4}, ht = 0xb78f5850, obj = {handle = 3079624784, handlers = 0x4}}, refcount = 0, type = 184 '¸', is_ref = 8 '\b'} retval = <value optimized out> function_table = (HashTable ) 0x874e720 params = {0xbfea72cc, 0xbfea72d0} 0000004 0x0833e986 in zend_objects_destroy_object (object=0xb7287640, handle=141879072) at /home/antonioz/php-5.2.6/Zend/zend_objects.c:101 obj = (zval ) 0xb7906ac0 old_exception = (zval ) 0x0 destructor = (zend_function ) 0xb72987b4 0000005 0x08341d48 in zend_objects_store_del_ref_by_handle (handle=20) at /home/antonioz/php-5.2.6/Zend/zend_objects_API.c:197 __orig_bailout = <value optimized out> __bailout = {{__jmpbuf = {140380344, -1075153724, -1221988944, -1075153960, -1075154160, 137632849}, __mask_was_saved = 0, __saved_mask = {__val = {140606756, 0, 3072612980, 137397186, 0, 141859616, 3080328209, 140608004, 3079625884, 3073349120, 3079695040, 3219814096, 3219814064, 137556224, 140606640, 140380344, 3219813416, 3079695872, 3219813304, 137457049, 3073349128, 3219813612, 1, 140380344, 140380344, 3073041392, 3219813432, 137593892, 3219813416, 3219813376, 3073035856, 3080319924}}}} obj = (struct _store_object ) 0xb78e9030 failure = 1 0000006 0x08341d8b in zend_objects_store_del_ref (zobject=0xb7330a98) at /home/antonioz/php-5.2.6/Zend/zend_objects_API.c:168 handle = 3079314187 0000007 0x08323816 in _zval_dtor_func (zvalue=0xb7330a98) at /home/antonioz/php-5.2.6/Zend/zend_variables.c:52 No locals. ---Type <return> to continue, or q <return> to quit--- 0000008 0x08316dbe in _zval_ptr_dtor (zval_ptr=0xb73252bc) at zend_variables.h:35 No locals. 0000009 0x0832dfe1 in zend_hash_destroy (ht=0xb729edb0) at /home/antonioz/php-5.2.6/Zend/zend_hash.c:526 p = (Bucket ) 0xb7920a20 0000010 0x0833e4bd in zend_object_std_dtor (object=0xb7906e10) at /home/antonioz/php-5.2.6/Zend/zend_objects.c:45 No locals. 0000011 0x0833e4ed in zend_objects_free_object_storage (object=0xb7906e10) at /home/antonioz/php-5.2.6/Zend/zend_objects.c:122 No locals. 0000012 0x08341d65 in zend_objects_store_del_ref_by_handle (handle=21) at /home/antonioz/php-5.2.6/Zend/zend_objects_API.c:206 __orig_bailout = (jmp_buf ) 0xbfea99d4 __bailout = {{__jmpbuf = {140380344, -1075144236, -1075152852, -1075153560, -1075153760, 137632990}, __mask_was_saved = 0, __saved_mask = {__val = {3073317536, 1, 3219813720, 137624597, 3081136860, 3081097392, 40, 141863000, 3080319818, 3081143072, 141861448, 3079344940, 3081136860, 3081143072, 141862880, 3219813688, 3080319818, 3081097428, 141862880, 3079344940, 0, 3219814444, 3219813736, 3079175950, 3081136860, 3081143072, 141876696, 3219813736, 3080319818, 3081143072, 141876696, 3079344940}}}} obj = (struct _store_object ) 0xb78e9048 failure = 0 0000013 0x08341d8b in zend_objects_store_del_ref (zobject=0xb72f1aa0) at /home/antonioz/php-5.2.6/Zend/zend_objects_API.c:168 handle = 3079314187 0000014 0x08323816 in _zval_dtor_func (zvalue=0xb72f1aa0) at /home/antonioz/php-5.2.6/Zend/zend_variables.c:52 No locals. 0000015 0x08316dbe in _zval_ptr_dtor (zval_ptr=0xbfea77d8) at zend_variables.h:35 No locals. 0000016 0x083448da in zend_do_fcall_common_helper_SPEC (execute_data=0xbfea782c) at zend_vm_execute.h:215 i = 140380344 p = <value optimized out> arg_count = 3079611788 return_reference = 0 '\0' opline = (zend_op ) 0xb78f25bc original_return_value = <value optimized out> current_scope = (zend_class_entry ) 0x0 current_this = (zval ) 0x0 should_change_scope = 1 '\001' ctor_opline = <value optimized out> 0000017 0x08342372 in execute (op_array=0xb78f1504) at zend_vm_execute.h:92 execute_data = {opline = 0xb78f25bc, function_state = {function_symbol_table = 0xb7245a74, function = 0xb78f5c9c, reserved = {0x0, 0x8749b20, 0xb79a1411, 0x0}}, fbc = 0xb78f5c9c, op_array = 0xb78f1504, object = 0xb72b3a78, Ts = 0xbfea76d0, CVs = 0xbfea76b0, original_in_execution = 0 '\0', symbol_table = 0x8617cb0, prev_execute_data = 0x0, old_error_reporting = 0x0} 0000018 0xb788a50e in xdebug_execute (op_array=0xb78f1504) at /tmp/pear/temp/xdebug/xdebug.c:1562 dummy = (zval *) 0x831a0ae edata = (zend_execute_data ) 0x0 fse = (function_stack_entry ) 0x8749b20 xfse = (function_stack_entry ) 0xb78f15a0 magic_cookie = 0x0 do_return = 0 function_nr = 0 le = (xdebug_llist_element ) 0xbfea7908 eval_id = 0 return_val = (zval ) 0x0 0000019 0x08324fa2 in zend_execute_scripts (type=8, retval=<value optimized out>, file_count=3) at /home/antonioz/php-5.2.6/Zend/zend.c:1134 retval2 = (zval ) 0x830976a old_exception = (zval ) 0xbfea7978 files = 0xbfea7994 "" i = 1 file_handle = (zend_file_handle ) 0xbfea9ccc orig_op_array = (zend_op_array ) 0x0 orig_retval_ptr_ptr = (zval *) 0x0 local_retval = (zval ) 0x0 0000020 0x082e114f in php_execute_script (primary_file=0xbfea9ccc) at /home/antonioz/php-5.2.6/main/main.c:2005 realfile = "/home/antonioz/javatest/testdev.php\0000\212ê¿ö+ú·¬qù·h¶\223·\001\000\000\000\001\000\000\000Z¨\231·H\v^\bé\004\000\000IO\a\b\034\033\224·Üj¦·àp¦· f¦·H\212ê¿\202û\230·àp¦·¸\b^\b\000xa\bD\aZ\bh\212ê¿òy.\bàp¦·ðÿÿÿt\212ê¿¸\b^\b¸\b^\b\000xa\b(\232ê¿úz.\b`xa\b\005\000\000\000\000À\001\000\000ð\001\000¨ä\001\000¬ä\001\000\000À\001\000\003\000\000\000\016\000\000\000\002\000\000\000>/¾·"... prepend_file_p = (zend_file_handle ) 0x0 append_file_p = (zend_file_handle ) 0x0 prepend_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, reader = 0, closer = 0, fteller = 0, interactive = 0}}, free_filename = 0 '\0'} append_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, reader = 0, closer = 0, fteller = 0, interactive = 0}}, free_filename = 0 '\0'} old_cwd = 0xbfea79a0 "" retval = <value optimized out> 0000021 0x083bb2be in main (argc=2, argv=0xbfea9dd4) at /home/antonioz/php-5.2.6/sapi/cli/php_cli.c:1140 ---Type <return> to continue, or q <return> to quit--- __bailout = {{__jmpbuf = {140380344, 203308, 1, -1075143352, -1075143984, 138127317}, __mask_was_saved = 0, __saved_mask = {__val = {3082693776, 3084876018, 3219823536, 3086631008, 3084876018, 3082693788, 3084876100, 3082693864, 3079931004, 3219823620, 3086611958, 3079981707, 3084876090, 0, 0, 32, 0, 0, 277, 3079981902, 3079961084, 3079926572, 23, 3079910888, 3079911864, 115125334, 3084814917, 3086669688, 0, 3086268168, 3219823816, 3086612425}}}} exit_status = 0 c = <value optimized out> file_handle = {type = 2 '\002', filename = 0xbfeabb7e "testdev.php", opened_path = 0x0, handle = {fd = 141859576, fp = 0x8749af8, stream = {handle = 0x8749af8, reader = 0x8337cd0 <zend_stream_stdio_reader>, closer = 0x8337d09 <zend_stream_stdio_closer>, fteller = 0x8337d36 <zend_stream_stdio_fteller>, interactive = 0}}, free_filename = 0 '\0'} behavior = 1 reflection_what = 0x0 orig_optind = 1 orig_optarg = 0x0 arg_free = 0xbfeabb7e "testdev.php" arg_excp = (char **) 0xbfea9dd8 script_file = 0xbfeabb7e "testdev.php" interactive = <value optimized out> module_started = 1 request_started = 1 lineno = 1 exec_direct = 0x0 exec_run = 0x0 exec_begin = 0x0 exec_end = 0x0 param_error = <value optimized out> hide_argv = 0 ini_entries_len = <value optimized out> (gdb) ------------ I hope the backtrace is useful even though PHP was configured with --disable-debug. Please let me know if you need anything else. Thanks!

jaruz 2009-08-24 13:15 reporter ~0001053	Hi Derick, is there anything else I can do?

derick 2009-08-24 13:30 administrator ~0001054	@jaruz, it would really help me if you could give me access to the machine where you've all set this up. Setting up the Java bridge is quite a bit of work for me. Ideally it would also allow me to modify the xdebug code and recompile it.

jostb 2009-08-24 13:39 reporter ~0001055	Why do you need the java bridge to reproduce this bug? Just type php xdebug.php (see above) to reproduce the crash.

jaruz 2009-08-24 14:50 reporter ~0001056	Hi Derick: as Jost correctly states, the JavaBridge is not required to reproduce this Segmentation Fault; it can be triggered simply by a PHP Script: If you save the file provided by Jost in his comment from 2009-08-07 08:17 as "xdebug.php" and run it, you will get the following result without xdebug: ------------------------------------------------- antonioz@lowe:~/javatest$ php xdebug.php <O v="1" m="java.lang.StringBuffer" p="O" n="F"/> <O v="2" m="java.lang.StringBuffer" p="O" n="F"/> <F p="E"/> SUCCESS antonioz@lowe:~/javatest$ ------------------------------------------------- Then I enable xdebug in php.ini and execute it again: ------------------------------------------------- antonioz@lowe:~/javatest$ vim /etc/php5/php.ini antonioz@lowe:~/javatest$ php xdebug.php <O v="1" m="java.lang.StringBuffer" p="O" n="F"/> <O v="2" m="java.lang.StringBuffer" p="O" n="F"/> <F p="E"/> Segmentation fault antonioz@lowe:~/javatest$ ------------------------------------------------- (Add error_reporting(E_ERROR); at the beginning of the file so it does not output notices). Please let me know if you need anything else.

derick 2009-09-04 21:14 administrator ~0001063	Ah right, I can reproduce this now.

kronos 2010-11-23 22:43 reporter ~0001616	Just a quick note, might be useful: In jaruz's example I also get a segmentation fault at: $buffer->append( "a" ); But if I change it to: $x = $buffer->append( "a" ); I don't. What kind of feedback is needed to fix this bug? At the moment none of the debuggers is usable when I'm working with the PHP/Java bridge. Xdebug produces these segmentation faults and ZendDebugger seems to stop at breakpoints in Java.inc that I never set or have control over.

jerico 2012-06-21 19:20 reporter ~0002265	I hit this bug, too. Are there any plans to fix this?

derick 2014-01-03 15:51 administrator ~0002656	I can't reproduce this, and the reproducible script as mentioned in one of the comments is no longer accessible. I'm closing this for now. If the script is put back, I might have another look.

Date Modified	Username	Field	Change
2009-08-06 11:11	jaruz	New Issue
2009-08-06 11:11	jaruz	Operating System	=> Linux 2.6.15-54-server
2009-08-06 11:11	jaruz	PHP Version	=> 5.2.6
2009-08-06 11:11	jaruz	Xdebug Version	=> 2.0.5
2009-08-06 11:28	jaruz	Note Added: 0001030
2009-08-06 12:16	derick	Note Added: 0001033
2009-08-06 12:16	derick	Status	new => feedback
2009-08-06 12:25	jaruz	Note Added: 0001034
2009-08-06 12:27	derick	Note Added: 0001035
2009-08-07 07:17	jostb	Note Added: 0001038
2009-08-07 07:35	jostb	Note Edited: 0001038
2009-08-10 11:57	jaruz	Note Added: 0001039
2009-08-24 13:15	jaruz	Note Added: 0001053
2009-08-24 13:30	derick	Note Added: 0001054
2009-08-24 13:39	jostb	Note Added: 0001055
2009-08-24 14:50	jaruz	Note Added: 0001056
2009-09-04 21:14	derick	Note Added: 0001063
2010-03-20 23:47	derick	Target Version	=> 2.2dev
2010-11-23 22:43	kronos	Note Added: 0001616
2012-06-21 19:20	jerico	Note Added: 0002265
2014-01-03 15:51	derick	Note Added: 0002656
2014-01-03 15:51	derick	Status	feedback => resolved
2014-01-03 15:51	derick	Resolution	open => unable to reproduce
2014-01-03 15:51	derick	Assigned To	=> derick
2016-07-31 12:36	derick	Category	Usage problems => Usage problems (Crashes)
2016-07-31 12:38	derick	Category	Usage problems (Crashes) => Usage problems (Wrong Results)
2020-03-12 16:35	derick	Category	Usage problems (Wrong Results) => Variable Display
2020-03-12 16:38	derick	Category	Variable Display => Uncategorized

View Issue Details

Activities

Issue History