View Issue Details

IDProjectCategoryView StatusLast Update
0000463XdebugUncategorizedpublic2014-01-03 15:51
Reporterjaruz Assigned Toderick  
PrioritynormalSeveritycrashReproducibilityalways
Status resolvedResolutionunable to reproduce 
Target Version2.2dev 
Summary0000463: Segmentation fault: xdebug & PHP/Java Bridge
Description

We are using the PHP/Java Bridge (http://php-java-bridge.sourceforge.net/) to communicate with our Java Back-End.

When Xdebug is enabled, we get a Segmentation Fault. With Xdebug disabled, everything works fine.

The PHP/Java Bridge is a "pure PHP" implementation, thus no extensions are compiled into PHP. (Java.inc is just a PHP script which uses sockets to communicate with the back-end server).

Before we figured that the problem was being triggered by Xdebug, we contacted the developers of the PHP/Java Bridge; after a while of debugging the issue, they stated: "Sounds like a bug in the php debug code, trying to trace non-existent references. Or a bug in your C compiler/optimizer."

Please let me know what information you need to pinpoint the exact cause of this bug. Thanks!

Additional Information

Script used to reproduce the Segmentation Fault:

<?php
error_reporting(E_ALL);
define('JAVA_DEBUG', false);
define('JAVA_LOG_LEVEL', 0);
define('JAVA_SERVLET', 'On');
define('JAVA_HOSTS', 'backenddev:8080');
require_once('http://backenddev:8080/JavaBridge/java/Java.inc');
java_set_file_encoding('UTF-8');
$buffer = new Java( "java.lang.StringBuffer" );
$buffer->append( "test" ); // This triggers the Segmentation Fault
echo 'If we see this, it works fine' . PHP_EOL;
?>

TagsNo tags attached.
Operating SystemLinux 2.6.15-54-server
PHP Version5.2.6

Activities

jaruz

2009-08-06 11:28

reporter   ~0001030

Possibly related to bug 443.

The Segmentation Fault only happens when calling Java Methods which return an instance of itself. Executing methods which return void or data, works fine.

derick

2009-08-06 12:16

administrator   ~0001033

I need a GDB backtrace: http://bugs.php.net/bugs-generating-backtrace.php
Very much likely related to bug 0000358 as well.

jaruz

2009-08-06 12:25

reporter   ~0001034

Hi Derick:

Thanks for your help.

The following message and GDB backtrace was just posted by the PHP/Java Bridge Lead Developer on the PHP/Java Bridge mailing list (he was able to reproduce the issue too):

Hi,

yes, it crashes in strcmp, due to an uninitialized function name. I think
xdebug makes false asumptions about the zend engine state:

Program received signal SIGSEGV, Segmentation fault.
0x001194fd in add_stack_frame (zdata=0xbfffcbec, op_array=0x852ef1c, type=2)
at /home/jostb/xdebug-2.0.0/xdebug.c:1007
1007 if (
(gdb) list
1002 XDEBUG_LLIST_TAIL(XG(stack))
1003 ) {
1004 / Ugly hack for calluser() type function calls /
1005 zend_function
tmpf =
EG(current_execute_data)->prev_execute_data->function_state.function;
1006 if (tmpf && (tmpf->common.type != 3) && tmpf->common.function_name) {
1007 if (
1008 (strcmp(tmpf->common.function_name, "call_user_func") == 0) ||
1009 (strcmp(tmpf->common.function_name, "call_user_func_array") == 0) ||
1010 (strcmp(tmpf->common.function_name, "call_user_func_method") == 0) ||
1011 (strcmp(tmpf->common.function_name, "call_user_func_method_array") ==
0)
(gdb) p tmpf->common
$4 = {type = 144 '\220', function_name = 0x7 <Address 0x7 out of bounds>,
scope = 0x845fed0, fn_flags = 138807704, prototype = 0x8460368,
num_args = 0, required_num_args = 0, arg_info = 0x0,
pass_rest_by_reference = 99 'c', return_reference = 108 'l'}
(gdb)

Regards,
Jost Boekemeier

Please let me know if you need anything else. Thanks!

derick

2009-08-06 12:27

administrator   ~0001035

Please type "bt full" on the GDB prompt.

jostb

2009-08-07 07:17

reporter   ~0001038

Last edited: 2009-08-07 07:35

To reproduce this bug install php 5.2.6 and xdebug 2.0.0, save the following as file "xdebug.php" and run "php xdebug.php":

=>
http://php-java-bridge.sourceforge.net/pjb/xdebug.php.txt

jaruz

2009-08-10 11:57

reporter   ~0001039

Derick:

The PHP page states that --enable-debug should be configured but when I recompile PHP, xdebug stops working. I have recompiled xdebug and have a valid /usr/lib/php/20060613-debug/xdebug.so extension. I am using "zend_extension_debug" to load it (with the full path), but it seems to be simply ignored. (And if I use "zend_extension", PHP starts up with error: "zend contains debug xdebug does not")

So I recompiled PHP & xdebug again with --disable-debug and I execute my script to verify if I still get the segmentation fault:

antonioz@myserver:~/javatest$ php testdev.php
Segmentation fault

There is no core file, so I execute:


antonioz@myserver:~/javatest$ gdb --args php testdev.php
GNU gdb 6.4-debian
Copyright 2005 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".

(gdb) run
Starting program: /usr/bin/php testdev.php
[Thread debugging using libthread_db enabled]
[New Thread -1215138112 (LWP 26345)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1215138112 (LWP 26345)]
0xb7888b1d in add_stack_frame (zdata=0xbfea71c4, op_array=0xb72987b4, type=2) at /tmp/pear/temp/xdebug/xdebug.c:1030
1030 /tmp/pear/temp/xdebug/xdebug.c: No such file or directory.
in /tmp/pear/temp/xdebug/xdebug.c
(gdb) bt full
#0 0xb7888b1d in add_stack_frame (zdata=0xbfea71c4, op_array=0xb72987b4, type=2) at /tmp/pear/temp/xdebug/xdebug.c:1030
tmpf = (zend_function ) 0xb78f5c9c
edata = (zend_execute_data
) 0xbfea71c4
tmp = (function_stack_entry ) 0x874e720
cur_opcode = (zend_op
) 0xbfea727c
param = (zval ) 0xb72f9600
i = 0
aggr_key = 0x8617be0 "\230rê¿"
aggr_key_len = -1214647372
#1 0xb788a338 in xdebug_execute (op_array=0xb72987b4) at /tmp/pear/temp/xdebug/xdebug.c:1512
dummy = (zval
) 0x8309870
edata = (zend_execute_data ) 0xbfea71c4
fse = (function_stack_entry
) 0x0
xfse = (function_stack_entry ) 0x20
magic_cookie = 0x0
do_return = 0
function_nr = 0
le = (xdebug_llist_element
) 0xbfea7108
eval_id = 0
return_val = (zval *) 0x0
0000002 0x083184c9 in zend_call_function (fci=0xbfea724c, fci_cache=0xbfea7270) at /home/antonioz/php-5.2.6/Zend/zend_execute_API.c:1013
param = <value optimized out>
i = <value optimized out>
original_return_value = (zval ) 0xbfea7964
calling_symbol_table = (HashTable ) 0x8617cb0
original_function_state_ptr = (zend_function_state
) 0xbfea7830
original_op_array = (zend_op_array *) 0xb78f1504
original_opline_ptr = (zend_op *) 0xbfea782c
current_scope = (zend_class_entry
) 0x0
calling_scope = (zend_class_entry ) 0xb72970b8
check_scope_or_static = (zend_class_entry
) 0xb78b132c
current_this = (zval ) 0xb72b3a78
execute_data = {opline = 0x0, function_state = {function_symbol_table = 0xb7245a74, function = 0xb72987b4, reserved = {0x0, 0x8749b20, 0xb79a1411, 0x0}}, fbc = 0xb78f5c9c, op_array = 0x0,
object = 0xb7906ac0, Ts = 0xbfea76d0, CVs = 0xbfea76b0, original_in_execution = 0 '\0', symbol_table = 0x8617cb0, prev_execute_data = 0xbfea782c, old_error_reporting = 0x0}
method_name = (zval
) 0xb7887dd0
params_array = (zval ) 0x874a8d0
call_via_handler = 0
fname = 0x87586f0 "اt\bX\203¦·\003"
fname_len = <value optimized out>
0000003 0x0833830a in zend_call_method (object_pp=0xbfea72f4, obj_ce=0xb72970b8, fn_proxy=0xbfea72f8, function_name=0x85c569b "__destruct", function_name_len=10, retval_ptr_ptr=<value optimized out>,
param_count=-1215653109, arg1=0x0, arg2=0x0) at /home/antonioz/php-5.2.6/Zend/zend_interfaces.c:88
fcic = {initialized = 1 '\001', function_handler = 0xb72987b4, calling_scope = 0xb72970b8, object_pp = 0xbfea72f4}
result = <value optimized out>
fci = {size = 36, function_table = 0xb72922b4, function_name = 0xbfea7280, symbol_table = 0x0, retval_ptr_ptr = 0xbfea7298, param_count = 0, params = 0xbfea7290, object_pp = 0xbfea72f4,
no_separation = 1 '\001'}
z_fname = {value = {lval = -1215342512, dval = 1.0009519971716759e-313, str = {val = 0xb78f5850 "", len = 4}, ht = 0xb78f5850, obj = {handle = 3079624784, handlers = 0x4}}, refcount = 0,
type = 184 '¸', is_ref = 8 '\b'}
retval = <value optimized out>
function_table = (HashTable
) 0x874e720
params = {0xbfea72cc, 0xbfea72d0}
0000004 0x0833e986 in zend_objects_destroy_object (object=0xb7287640, handle=141879072) at /home/antonioz/php-5.2.6/Zend/zend_objects.c:101
obj = (zval ) 0xb7906ac0
old_exception = (zval
) 0x0
destructor = (zend_function ) 0xb72987b4
0000005 0x08341d48 in zend_objects_store_del_ref_by_handle (handle=20) at /home/antonioz/php-5.2.6/Zend/zend_objects_API.c:197
orig_bailout = <value optimized out>
bailout = {{jmpbuf = {140380344, -1075153724, -1221988944, -1075153960, -1075154160, 137632849}, mask_was_saved = 0, saved_mask = {
val = {140606756, 0, 3072612980, 137397186, 0, 141859616,
3080328209, 140608004, 3079625884, 3073349120, 3079695040, 3219814096, 3219814064, 137556224, 140606640, 140380344, 3219813416, 3079695872, 3219813304, 137457049, 3073349128, 3219813612, 1,
140380344, 140380344, 3073041392, 3219813432, 137593892, 3219813416, 3219813376, 3073035856, 3080319924}}}}
obj = (struct _store_object
) 0xb78e9030
failure = 1
0000006 0x08341d8b in zend_objects_store_del_ref (zobject=0xb7330a98) at /home/antonioz/php-5.2.6/Zend/zend_objects_API.c:168
handle = 3079314187
0000007 0x08323816 in _zval_dtor_func (zvalue=0xb7330a98) at /home/antonioz/php-5.2.6/Zend/zend_variables.c:52
No locals.
---Type <return> to continue, or q <return> to quit---
0000008 0x08316dbe in _zval_ptr_dtor (zval_ptr=0xb73252bc) at zend_variables.h:35
No locals.
0000009 0x0832dfe1 in zend_hash_destroy (ht=0xb729edb0) at /home/antonioz/php-5.2.6/Zend/zend_hash.c:526
p = (Bucket ) 0xb7920a20
0000010 0x0833e4bd in zend_object_std_dtor (object=0xb7906e10) at /home/antonioz/php-5.2.6/Zend/zend_objects.c:45
No locals.
0000011 0x0833e4ed in zend_objects_free_object_storage (object=0xb7906e10) at /home/antonioz/php-5.2.6/Zend/zend_objects.c:122
No locals.
0000012 0x08341d65 in zend_objects_store_del_ref_by_handle (handle=21) at /home/antonioz/php-5.2.6/Zend/zend_objects_API.c:206
__orig_bailout = (jmp_buf
) 0xbfea99d4
bailout = {{jmpbuf = {140380344, -1075144236, -1075152852, -1075153560, -1075153760, 137632990}, mask_was_saved = 0, saved_mask = {__val = {3073317536, 1, 3219813720, 137624597, 3081136860,
3081097392, 40, 141863000, 3080319818, 3081143072, 141861448, 3079344940, 3081136860, 3081143072, 141862880, 3219813688, 3080319818, 3081097428, 141862880, 3079344940, 0, 3219814444, 3219813736,
3079175950, 3081136860, 3081143072, 141876696, 3219813736, 3080319818, 3081143072, 141876696, 3079344940}}}}
obj = (struct _store_object ) 0xb78e9048
failure = 0
0000013 0x08341d8b in zend_objects_store_del_ref (zobject=0xb72f1aa0) at /home/antonioz/php-5.2.6/Zend/zend_objects_API.c:168
handle = 3079314187
0000014 0x08323816 in _zval_dtor_func (zvalue=0xb72f1aa0) at /home/antonioz/php-5.2.6/Zend/zend_variables.c:52
No locals.
0000015 0x08316dbe in _zval_ptr_dtor (zval_ptr=0xbfea77d8) at zend_variables.h:35
No locals.
0000016 0x083448da in zend_do_fcall_common_helper_SPEC (execute_data=0xbfea782c) at zend_vm_execute.h:215
i = 140380344
p = <value optimized out>
arg_count = 3079611788
return_reference = 0 '\0'
opline = (zend_op
) 0xb78f25bc
original_return_value = <value optimized out>
current_scope = (zend_class_entry ) 0x0
current_this = (zval
) 0x0
should_change_scope = 1 '\001'
ctor_opline = <value optimized out>
0000017 0x08342372 in execute (op_array=0xb78f1504) at zend_vm_execute.h:92
execute_data = {opline = 0xb78f25bc, function_state = {function_symbol_table = 0xb7245a74, function = 0xb78f5c9c, reserved = {0x0, 0x8749b20, 0xb79a1411, 0x0}}, fbc = 0xb78f5c9c,
op_array = 0xb78f1504, object = 0xb72b3a78, Ts = 0xbfea76d0, CVs = 0xbfea76b0, original_in_execution = 0 '\0', symbol_table = 0x8617cb0, prev_execute_data = 0x0, old_error_reporting = 0x0}
0000018 0xb788a50e in xdebug_execute (op_array=0xb78f1504) at /tmp/pear/temp/xdebug/xdebug.c:1562
dummy = (zval
) 0x831a0ae
edata = (zend_execute_data ) 0x0
fse = (function_stack_entry
) 0x8749b20
xfse = (function_stack_entry ) 0xb78f15a0
magic_cookie = 0x0
do_return = 0
function_nr = 0
le = (xdebug_llist_element
) 0xbfea7908
eval_id = 0
return_val = (zval ) 0x0
0000019 0x08324fa2 in zend_execute_scripts (type=8, retval=<value optimized out>, file_count=3) at /home/antonioz/php-5.2.6/Zend/zend.c:1134
retval2 = (zval
) 0x830976a
old_exception = (zval ) 0xbfea7978
files = 0xbfea7994 ""
i = 1
file_handle = (zend_file_handle
) 0xbfea9ccc
orig_op_array = (zend_op_array *) 0x0
orig_retval_ptr_ptr = (zval *) 0x0
local_retval = (zval
) 0x0
0000020 0x082e114f in php_execute_script (primary_file=0xbfea9ccc) at /home/antonioz/php-5.2.6/main/main.c:2005
realfile = "/home/antonioz/javatest/testdev.php\0000\212ê¿ö+ú·¬qù·h¶\223·\001\000\000\000\001\000\000\000Z¨\231·H\v^\bé\004\000\000IO\a\b\034\033\224·Üj¦·àp¦· f¦·H\212ê¿\202û\230·àp¦·¸\b^\b\000xa\bD\aZ\bh\212ê¿òy.\bàp¦·ðÿÿÿt\212꿸\b^\b¸\b^\b\000xa\b(\232ê¿úz.\b`xa\b\005\000\000\000\000À\001\000\000ð\001\000¨ä\001\000¬ä\001\000\000À\001\000\003\000\000\000\016\000\000\000\002\000\000\000>/¾·"...
prepend_file_p = (zend_file_handle ) 0x0
append_file_p = (zend_file_handle
) 0x0
prepend_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, reader = 0, closer = 0, fteller = 0, interactive = 0}}, free_filename = 0 '\0'}
append_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, reader = 0, closer = 0, fteller = 0, interactive = 0}}, free_filename = 0 '\0'}
old_cwd = 0xbfea79a0 ""
retval = <value optimized out>
0000021 0x083bb2be in main (argc=2, argv=0xbfea9dd4) at /home/antonioz/php-5.2.6/sapi/cli/php_cli.c:1140
---Type <return> to continue, or q <return> to quit---
bailout = {{jmpbuf = {140380344, 203308, 1, -1075143352, -1075143984, 138127317}, mask_was_saved = 0, saved_mask = {__val = {3082693776, 3084876018, 3219823536, 3086631008, 3084876018,
3082693788, 3084876100, 3082693864, 3079931004, 3219823620, 3086611958, 3079981707, 3084876090, 0, 0, 32, 0, 0, 277, 3079981902, 3079961084, 3079926572, 23, 3079910888, 3079911864, 115125334,
3084814917, 3086669688, 0, 3086268168, 3219823816, 3086612425}}}}
exit_status = 0
c = <value optimized out>
file_handle = {type = 2 '\002', filename = 0xbfeabb7e "testdev.php", opened_path = 0x0, handle = {fd = 141859576, fp = 0x8749af8, stream = {handle = 0x8749af8,
reader = 0x8337cd0 <zend_stream_stdio_reader>, closer = 0x8337d09 <zend_stream_stdio_closer>, fteller = 0x8337d36 <zend_stream_stdio_fteller>, interactive = 0}}, free_filename = 0 '\0'}
behavior = 1
reflection_what = 0x0
orig_optind = 1
orig_optarg = 0x0
arg_free = 0xbfeabb7e "testdev.php"
arg_excp = (char **) 0xbfea9dd8
script_file = 0xbfeabb7e "testdev.php"
interactive = <value optimized out>
module_started = 1
request_started = 1
lineno = 1
exec_direct = 0x0
exec_run = 0x0
exec_begin = 0x0
exec_end = 0x0
param_error = <value optimized out>
hide_argv = 0
ini_entries_len = <value optimized out>
(gdb)

I hope the backtrace is useful even though PHP was configured with --disable-debug.

Please let me know if you need anything else. Thanks!

jaruz

2009-08-24 13:15

reporter   ~0001053

Hi Derick, is there anything else I can do?

derick

2009-08-24 13:30

administrator   ~0001054

@jaruz, it would really help me if you could give me access to the machine where you've all set this up. Setting up the Java bridge is quite a bit of work for me. Ideally it would also allow me to modify the xdebug code and recompile it.

jostb

2009-08-24 13:39

reporter   ~0001055

Why do you need the java bridge to reproduce this bug?

Just type php xdebug.php (see above) to reproduce the crash.

jaruz

2009-08-24 14:50

reporter   ~0001056

Hi Derick: as Jost correctly states, the JavaBridge is not required to reproduce this Segmentation Fault; it can be triggered simply by a PHP Script:

If you save the file provided by Jost in his comment from
2009-08-07 08:17 as "xdebug.php" and run it, you will get the following result without xdebug:

antonioz@lowe:~/javatest$ php xdebug.php
<O v="1" m="java.lang.StringBuffer" p="O" n="F"/>
<O v="2" m="java.lang.StringBuffer" p="O" n="F"/>
<F p="E"/>
SUCCESS
antonioz@lowe:~/javatest$

Then I enable xdebug in php.ini and execute it again:

antonioz@lowe:~/javatest$ vim /etc/php5/php.ini

antonioz@lowe:~/javatest$ php xdebug.php
<O v="1" m="java.lang.StringBuffer" p="O" n="F"/>
<O v="2" m="java.lang.StringBuffer" p="O" n="F"/>
<F p="E"/>
Segmentation fault
antonioz@lowe:~/javatest$

(Add error_reporting(E_ERROR); at the beginning of the file so it does not output notices).

Please let me know if you need anything else.

derick

2009-09-04 21:14

administrator   ~0001063

Ah right, I can reproduce this now.

kronos

2010-11-23 22:43

reporter   ~0001616

Just a quick note, might be useful:

In jaruz's example I also get a segmentation fault at:
$buffer->append( "a" );
But if I change it to:
$x = $buffer->append( "a" );
I don't.

What kind of feedback is needed to fix this bug?
At the moment none of the debuggers is usable when I'm working with the PHP/Java bridge. Xdebug produces these segmentation faults and ZendDebugger seems to stop at breakpoints in Java.inc that I never set or have control over.

jerico

2012-06-21 19:20

reporter   ~0002265

I hit this bug, too. Are there any plans to fix this?

derick

2014-01-03 15:51

administrator   ~0002656

I can't reproduce this, and the reproducible script as mentioned in one of the comments is no longer accessible. I'm closing this for now. If the script is put back, I might have another look.

Issue History

Date Modified Username Field Change
2009-08-06 11:11 jaruz New Issue
2009-08-06 11:11 jaruz Operating System => Linux 2.6.15-54-server
2009-08-06 11:11 jaruz PHP Version => 5.2.6
2009-08-06 11:11 jaruz Xdebug Version => 2.0.5
2009-08-06 11:28 jaruz Note Added: 0001030
2009-08-06 12:16 derick Note Added: 0001033
2009-08-06 12:16 derick Status new => feedback
2009-08-06 12:25 jaruz Note Added: 0001034
2009-08-06 12:27 derick Note Added: 0001035
2009-08-07 07:17 jostb Note Added: 0001038
2009-08-07 07:35 jostb Note Edited: 0001038
2009-08-10 11:57 jaruz Note Added: 0001039
2009-08-24 13:15 jaruz Note Added: 0001053
2009-08-24 13:30 derick Note Added: 0001054
2009-08-24 13:39 jostb Note Added: 0001055
2009-08-24 14:50 jaruz Note Added: 0001056
2009-09-04 21:14 derick Note Added: 0001063
2010-03-20 23:47 derick Target Version => 2.2dev
2010-11-23 22:43 kronos Note Added: 0001616
2012-06-21 19:20 jerico Note Added: 0002265
2014-01-03 15:51 derick Note Added: 0002656
2014-01-03 15:51 derick Status feedback => resolved
2014-01-03 15:51 derick Resolution open => unable to reproduce
2014-01-03 15:51 derick Assigned To => derick
2016-07-31 12:36 derick Category Usage problems => Usage problems (Crashes)
2016-07-31 12:38 derick Category Usage problems (Crashes) => Usage problems (Wrong Results)
2020-03-12 16:35 derick Category Usage problems (Wrong Results) => Variable Display
2020-03-12 16:38 derick Category Variable Display => Uncategorized