Possibly related to bug 443.

The Segmentation Fault only happens when calling Java Methods which return an instance of itself. Executing methods which return void or data, works fine.

I need a GDB backtrace: http://bugs.php.net/bugs-generating-backtrace.php
Very much likely related to bug 0000358 as well.

Hi Derick:

Thanks for your help.

The following message and GDB backtrace was just posted by the PHP/Java Bridge Lead Developer on the PHP/Java Bridge mailing list (he was able to reproduce the issue too):

Hi,

yes, it crashes in strcmp, due to an uninitialized function name. I think
xdebug makes false asumptions about the zend engine state:

Program received signal SIGSEGV, Segmentation fault.
0x001194fd in add_stack_frame (zdata=0xbfffcbec, op_array=0x852ef1c, type=2)
at /home/jostb/xdebug-2.0.0/xdebug.c:1007
1007 if (
(gdb) list
1002 XDEBUG_LLIST_TAIL(XG(stack))
1003 ) {
1004 / Ugly hack for calluser() type function calls /
1005 zend_function tmpf =
EG(current_execute_data)->prev_execute_data->function_state.function;
1006 if (tmpf && (tmpf->common.type != 3) && tmpf->common.function_name) {
1007 if (
1008 (strcmp(tmpf->common.function_name, "call_user_func") == 0) ||
1009 (strcmp(tmpf->common.function_name, "call_user_func_array") == 0) ||
1010 (strcmp(tmpf->common.function_name, "call_user_func_method") == 0) ||
1011 (strcmp(tmpf->common.function_name, "call_user_func_method_array") ==
0)
(gdb) p tmpf->common
$4 = {type = 144 '\220', function_name = 0x7 <Address 0x7 out of bounds>,
scope = 0x845fed0, fn_flags = 138807704, prototype = 0x8460368,
num_args = 0, required_num_args = 0, arg_info = 0x0,
pass_rest_by_reference = 99 'c', return_reference = 108 'l'}
(gdb)

Regards,
Jost Boekemeier

Please let me know if you need anything else. Thanks!

Please type "bt full" on the GDB prompt.

To reproduce this bug install php 5.2.6 and xdebug 2.0.0, save the following as file "xdebug.php" and run "php xdebug.php":

=>
http://php-java-bridge.sourceforge.net/pjb/xdebug.php.txt

Derick:

The PHP page states that --enable-debug should be configured but when I recompile PHP, xdebug stops working. I have recompiled xdebug and have a valid /usr/lib/php/20060613-debug/xdebug.so extension. I am using "zend_extension_debug" to load it (with the full path), but it seems to be simply ignored. (And if I use "zend_extension", PHP starts up with error: "zend contains debug xdebug does not")

So I recompiled PHP & xdebug again with --disable-debug and I execute my script to verify if I still get the segmentation fault:

antonioz@myserver:~/javatest$ php testdev.php
Segmentation fault

There is no core file, so I execute:

antonioz@myserver:~/javatest$ gdb --args php testdev.php
GNU gdb 6.4-debian
Copyright 2005 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".

(gdb) run
Starting program: /usr/bin/php testdev.php
[Thread debugging using libthread_db enabled]
[New Thread -1215138112 (LWP 26345)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1215138112 (LWP 26345)]
0xb7888b1d in add_stack_frame (zdata=0xbfea71c4, op_array=0xb72987b4, type=2) at /tmp/pear/temp/xdebug/xdebug.c:1030
1030 /tmp/pear/temp/xdebug/xdebug.c: No such file or directory.
in /tmp/pear/temp/xdebug/xdebug.c
(gdb) bt full
#0 0xb7888b1d in add_stack_frame (zdata=0xbfea71c4, op_array=0xb72987b4, type=2) at /tmp/pear/temp/xdebug/xdebug.c:1030
tmpf = (zend_function ) 0xb78f5c9c
edata = (zend_execute_data ) 0xbfea71c4
tmp = (function_stack_entry ) 0x874e720
cur_opcode = (zend_op ) 0xbfea727c
param = (zval ) 0xb72f9600
i = 0
aggr_key = 0x8617be0 "\230rê¿"
aggr_key_len = -1214647372
#1 0xb788a338 in xdebug_execute (op_array=0xb72987b4) at /tmp/pear/temp/xdebug/xdebug.c:1512
dummy = (zval ) 0x8309870
edata = (zend_execute_data ) 0xbfea71c4
fse = (function_stack_entry ) 0x0
xfse = (function_stack_entry ) 0x20
magic_cookie = 0x0
do_return = 0
function_nr = 0
le = (xdebug_llist_element ) 0xbfea7108
eval_id = 0
return_val = (zval *) 0x0
0000002 0x083184c9 in zend_call_function (fci=0xbfea724c, fci_cache=0xbfea7270) at /home/antonioz/php-5.2.6/Zend/zend_execute_API.c:1013
param = <value optimized out>
i = <value optimized out>
original_return_value = (zval ) 0xbfea7964
calling_symbol_table = (HashTable ) 0x8617cb0
original_function_state_ptr = (zend_function_state ) 0xbfea7830
original_op_array = (zend_op_array *) 0xb78f1504
original_opline_ptr = (zend_op *) 0xbfea782c
current_scope = (zend_class_entry ) 0x0
calling_scope = (zend_class_entry ) 0xb72970b8
check_scope_or_static = (zend_class_entry ) 0xb78b132c
current_this = (zval ) 0xb72b3a78
execute_data = {opline = 0x0, function_state = {function_symbol_table = 0xb7245a74, function = 0xb72987b4, reserved = {0x0, 0x8749b20, 0xb79a1411, 0x0}}, fbc = 0xb78f5c9c, op_array = 0x0,
object = 0xb7906ac0, Ts = 0xbfea76d0, CVs = 0xbfea76b0, original_in_execution = 0 '\0', symbol_table = 0x8617cb0, prev_execute_data = 0xbfea782c, old_error_reporting = 0x0}
method_name = (zval ) 0xb7887dd0
params_array = (zval ) 0x874a8d0
call_via_handler = 0
fname = 0x87586f0 "اt\bX\203¦·\003"
fname_len = <value optimized out>
0000003 0x0833830a in zend_call_method (object_pp=0xbfea72f4, obj_ce=0xb72970b8, fn_proxy=0xbfea72f8, function_name=0x85c569b "__destruct", function_name_len=10, retval_ptr_ptr=<value optimized out>,
param_count=-1215653109, arg1=0x0, arg2=0x0) at /home/antonioz/php-5.2.6/Zend/zend_interfaces.c:88
fcic = {initialized = 1 '\001', function_handler = 0xb72987b4, calling_scope = 0xb72970b8, object_pp = 0xbfea72f4}
result = <value optimized out>
fci = {size = 36, function_table = 0xb72922b4, function_name = 0xbfea7280, symbol_table = 0x0, retval_ptr_ptr = 0xbfea7298, param_count = 0, params = 0xbfea7290, object_pp = 0xbfea72f4,
no_separation = 1 '\001'}
z_fname = {value = {lval = -1215342512, dval = 1.0009519971716759e-313, str = {val = 0xb78f5850 "", len = 4}, ht = 0xb78f5850, obj = {handle = 3079624784, handlers = 0x4}}, refcount = 0,
type = 184 '¸', is_ref = 8 '\b'}
retval = <value optimized out>
function_table = (HashTable ) 0x874e720
params = {0xbfea72cc, 0xbfea72d0}
0000004 0x0833e986 in zend_objects_destroy_object (object=0xb7287640, handle=141879072) at /home/antonioz/php-5.2.6/Zend/zend_objects.c:101
obj = (zval ) 0xb7906ac0
old_exception = (zval ) 0x0
destructor = (zend_function ) 0xb72987b4
0000005 0x08341d48 in zend_objects_store_del_ref_by_handle (handle=20) at /home/antonioz/php-5.2.6/Zend/zend_objects_API.c:197
orig_bailout = <value optimized out>
bailout = {{jmpbuf = {140380344, -1075153724, -1221988944, -1075153960, -1075154160, 137632849}, mask_was_saved = 0, saved_mask = {val = {140606756, 0, 3072612980, 137397186, 0, 141859616,
3080328209, 140608004, 3079625884, 3073349120, 3079695040, 3219814096, 3219814064, 137556224, 140606640, 140380344, 3219813416, 3079695872, 3219813304, 137457049, 3073349128, 3219813612, 1,
140380344, 140380344, 3073041392, 3219813432, 137593892, 3219813416, 3219813376, 3073035856, 3080319924}}}}
obj = (struct _store_object ) 0xb78e9030
failure = 1
0000006 0x08341d8b in zend_objects_store_del_ref (zobject=0xb7330a98) at /home/antonioz/php-5.2.6/Zend/zend_objects_API.c:168
handle = 3079314187
0000007 0x08323816 in _zval_dtor_func (zvalue=0xb7330a98) at /home/antonioz/php-5.2.6/Zend/zend_variables.c:52
No locals.
---Type <return> to continue, or q <return> to quit---
0000008 0x08316dbe in _zval_ptr_dtor (zval_ptr=0xb73252bc) at zend_variables.h:35
No locals.
0000009 0x0832dfe1 in zend_hash_destroy (ht=0xb729edb0) at /home/antonioz/php-5.2.6/Zend/zend_hash.c:526
p = (Bucket ) 0xb7920a20
0000010 0x0833e4bd in zend_object_std_dtor (object=0xb7906e10) at /home/antonioz/php-5.2.6/Zend/zend_objects.c:45
No locals.
0000011 0x0833e4ed in zend_objects_free_object_storage (object=0xb7906e10) at /home/antonioz/php-5.2.6/Zend/zend_objects.c:122
No locals.
0000012 0x08341d65 in zend_objects_store_del_ref_by_handle (handle=21) at /home/antonioz/php-5.2.6/Zend/zend_objects_API.c:206
__orig_bailout = (jmp_buf ) 0xbfea99d4
bailout = {{jmpbuf = {140380344, -1075144236, -1075152852, -1075153560, -1075153760, 137632990}, mask_was_saved = 0, saved_mask = {__val = {3073317536, 1, 3219813720, 137624597, 3081136860,
3081097392, 40, 141863000, 3080319818, 3081143072, 141861448, 3079344940, 3081136860, 3081143072, 141862880, 3219813688, 3080319818, 3081097428, 141862880, 3079344940, 0, 3219814444, 3219813736,
3079175950, 3081136860, 3081143072, 141876696, 3219813736, 3080319818, 3081143072, 141876696, 3079344940}}}}
obj = (struct _store_object ) 0xb78e9048
failure = 0
0000013 0x08341d8b in zend_objects_store_del_ref (zobject=0xb72f1aa0) at /home/antonioz/php-5.2.6/Zend/zend_objects_API.c:168
handle = 3079314187
0000014 0x08323816 in _zval_dtor_func (zvalue=0xb72f1aa0) at /home/antonioz/php-5.2.6/Zend/zend_variables.c:52
No locals.
0000015 0x08316dbe in _zval_ptr_dtor (zval_ptr=0xbfea77d8) at zend_variables.h:35
No locals.
0000016 0x083448da in zend_do_fcall_common_helper_SPEC (execute_data=0xbfea782c) at zend_vm_execute.h:215
i = 140380344
p = <value optimized out>
arg_count = 3079611788
return_reference = 0 '\0'
opline = (zend_op ) 0xb78f25bc
original_return_value = <value optimized out>
current_scope = (zend_class_entry ) 0x0
current_this = (zval ) 0x0
should_change_scope = 1 '\001'
ctor_opline = <value optimized out>
0000017 0x08342372 in execute (op_array=0xb78f1504) at zend_vm_execute.h:92
execute_data = {opline = 0xb78f25bc, function_state = {function_symbol_table = 0xb7245a74, function = 0xb78f5c9c, reserved = {0x0, 0x8749b20, 0xb79a1411, 0x0}}, fbc = 0xb78f5c9c,
op_array = 0xb78f1504, object = 0xb72b3a78, Ts = 0xbfea76d0, CVs = 0xbfea76b0, original_in_execution = 0 '\0', symbol_table = 0x8617cb0, prev_execute_data = 0x0, old_error_reporting = 0x0}
0000018 0xb788a50e in xdebug_execute (op_array=0xb78f1504) at /tmp/pear/temp/xdebug/xdebug.c:1562
dummy = (zval ) 0x831a0ae
edata = (zend_execute_data ) 0x0
fse = (function_stack_entry ) 0x8749b20
xfse = (function_stack_entry ) 0xb78f15a0
magic_cookie = 0x0
do_return = 0
function_nr = 0
le = (xdebug_llist_element ) 0xbfea7908
eval_id = 0
return_val = (zval ) 0x0
0000019 0x08324fa2 in zend_execute_scripts (type=8, retval=<value optimized out>, file_count=3) at /home/antonioz/php-5.2.6/Zend/zend.c:1134
retval2 = (zval ) 0x830976a
old_exception = (zval ) 0xbfea7978
files = 0xbfea7994 ""
i = 1
file_handle = (zend_file_handle ) 0xbfea9ccc
orig_op_array = (zend_op_array *) 0x0
orig_retval_ptr_ptr = (zval *) 0x0
local_retval = (zval ) 0x0
0000020 0x082e114f in php_execute_script (primary_file=0xbfea9ccc) at /home/antonioz/php-5.2.6/main/main.c:2005
realfile = "/home/antonioz/javatest/testdev.php\0000\212ê¿ö+ú·¬qù·h¶\223·\001\000\000\000\001\000\000\000Z¨\231·H\v^\bé\004\000\000IO\a\b\034\033\224·Üj¦·àp¦· f¦·H\212ê¿\202û\230·àp¦·¸\b^\b\000xa\bD\aZ\bh\212ê¿òy.\bàp¦·ðÿÿÿt\212꿸\b^\b¸\b^\b\000xa\b(\232ê¿úz.\b`xa\b\005\000\000\000\000À\001\000\000ð\001\000¨ä\001\000¬ä\001\000\000À\001\000\003\000\000\000\016\000\000\000\002\000\000\000>/¾·"...
prepend_file_p = (zend_file_handle ) 0x0
append_file_p = (zend_file_handle ) 0x0
prepend_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, reader = 0, closer = 0, fteller = 0, interactive = 0}}, free_filename = 0 '\0'}
append_file = {type = 0 '\0', filename = 0x0, opened_path = 0x0, handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, reader = 0, closer = 0, fteller = 0, interactive = 0}}, free_filename = 0 '\0'}
old_cwd = 0xbfea79a0 ""
retval = <value optimized out>
0000021 0x083bb2be in main (argc=2, argv=0xbfea9dd4) at /home/antonioz/php-5.2.6/sapi/cli/php_cli.c:1140
---Type <return> to continue, or q <return> to quit---
bailout = {{jmpbuf = {140380344, 203308, 1, -1075143352, -1075143984, 138127317}, mask_was_saved = 0, saved_mask = {__val = {3082693776, 3084876018, 3219823536, 3086631008, 3084876018,
3082693788, 3084876100, 3082693864, 3079931004, 3219823620, 3086611958, 3079981707, 3084876090, 0, 0, 32, 0, 0, 277, 3079981902, 3079961084, 3079926572, 23, 3079910888, 3079911864, 115125334,
3084814917, 3086669688, 0, 3086268168, 3219823816, 3086612425}}}}
exit_status = 0
c = <value optimized out>
file_handle = {type = 2 '\002', filename = 0xbfeabb7e "testdev.php", opened_path = 0x0, handle = {fd = 141859576, fp = 0x8749af8, stream = {handle = 0x8749af8,
reader = 0x8337cd0 <zend_stream_stdio_reader>, closer = 0x8337d09 <zend_stream_stdio_closer>, fteller = 0x8337d36 <zend_stream_stdio_fteller>, interactive = 0}}, free_filename = 0 '\0'}
behavior = 1
reflection_what = 0x0
orig_optind = 1
orig_optarg = 0x0
arg_free = 0xbfeabb7e "testdev.php"
arg_excp = (char **) 0xbfea9dd8
script_file = 0xbfeabb7e "testdev.php"
interactive = <value optimized out>
module_started = 1
request_started = 1
lineno = 1
exec_direct = 0x0
exec_run = 0x0
exec_begin = 0x0
exec_end = 0x0
param_error = <value optimized out>
hide_argv = 0
ini_entries_len = <value optimized out>
(gdb)

I hope the backtrace is useful even though PHP was configured with --disable-debug.

Please let me know if you need anything else. Thanks!

Hi Derick, is there anything else I can do?

@jaruz, it would really help me if you could give me access to the machine where you've all set this up. Setting up the Java bridge is quite a bit of work for me. Ideally it would also allow me to modify the xdebug code and recompile it.

Why do you need the java bridge to reproduce this bug?

Just type php xdebug.php (see above) to reproduce the crash.

Hi Derick: as Jost correctly states, the JavaBridge is not required to reproduce this Segmentation Fault; it can be triggered simply by a PHP Script:

If you save the file provided by Jost in his comment from
2009-08-07 08:17 as "xdebug.php" and run it, you will get the following result without xdebug:

antonioz@lowe:~/javatest$ php xdebug.php
<O v="1" m="java.lang.StringBuffer" p="O" n="F"/>
<O v="2" m="java.lang.StringBuffer" p="O" n="F"/>
<F p="E"/>
SUCCESS
antonioz@lowe:~/javatest$

Then I enable xdebug in php.ini and execute it again:

antonioz@lowe:~/javatest$ vim /etc/php5/php.ini

antonioz@lowe:~/javatest$ php xdebug.php
<O v="1" m="java.lang.StringBuffer" p="O" n="F"/>
<O v="2" m="java.lang.StringBuffer" p="O" n="F"/>
<F p="E"/>
Segmentation fault
antonioz@lowe:~/javatest$

(Add error_reporting(E_ERROR); at the beginning of the file so it does not output notices).

Please let me know if you need anything else.

Ah right, I can reproduce this now.

Just a quick note, might be useful:

In jaruz's example I also get a segmentation fault at:
$buffer->append( "a" );
But if I change it to:
$x = $buffer->append( "a" );
I don't.

What kind of feedback is needed to fix this bug?
At the moment none of the debuggers is usable when I'm working with the PHP/Java bridge. Xdebug produces these segmentation faults and ZendDebugger seems to stop at breakpoints in Java.inc that I never set or have control over.

I hit this bug, too. Are there any plans to fix this?

I can't reproduce this, and the reproducible script as mentioned in one of the comments is no longer accessible. I'm closing this for now. If the script is put back, I might have another look.