View Issue Details

ID: 0000897
Project: Xdebug
Category: Uncategorized
View Status: public
Last Update: 2013-03-09 22:05
Reporter: sebastian
Assigned To: derick
Priority: normal
Severity: crash
Reproducibility: always
Status: resolved
Resolution: no change required
Platform: x86_64
OS: Linux
OS Version: 3.6.3-1.fc17.x86
Product Version: 2.2dev
Summary0000897: Segfault with catchable fatal error and error handler
Description

The attached script, aptly named segfault.txt, segfaults when I run it with Xdebug enabled. See the attached output from GDB and Valgrind for details.

When I run the script without Xdebug enabled (php -n) I get the expected output and not a segfault.

What looks funny to me is the fact that according to GDB the segfault happens in zif_dom_document_savexml and not inside Xdebug's code.

Steps To Reproduce

<?php
class PHPUnit_Util_ErrorHandler
{
    public static function handleError($errno, $errstr, $errfile, $errline)
    {
        // Turn every PHP error, including the catchable fatal error
        // (E_RECOVERABLE_ERROR, errno 4096 in the output below), into an exception.
        throw new Exception;
    }
}

set_error_handler(
    array('PHPUnit_Util_ErrorHandler', 'handleError'),
    E_ALL | E_STRICT
);

$dom = new DOMDocument;
// saveXML() expects a DOMNode; the string argument raises the catchable fatal
// error, which the handler above converts into an exception.
$dom->saveXML('foo');

? ~ php segfault.php
[1] 29943 segmentation fault (core dumped) php segfault.php

? ~ php -n segfault.php

Fatal error: Uncaught exception 'Exception' in /home/sb/segfault.php:6
Stack trace:
#0 [internal function]: PHPUnit_Util_ErrorHandler::handleError(4096, 'Argument 1 pass...', '/home/sb/segfau...', 16, Array)
#1 /home/sb/segfault.php(16): DOMDocument->saveXML('foo')
#2 {main}
thrown in /home/sb/segfault.php on line 6

Additional Information

? ~ gdb php
GNU gdb (GDB) Fedora (7.4.50.20120120-52.fc17)
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/...
Reading symbols from /usr/local/php-5.4/bin/php...done.
(gdb) r segfault.php
Starting program: /usr/local/php-5.4/bin/php segfault.php
warning: "/usr/lib/debug/usr/lib64/libicudata.so.48.1.1.debug": separate debug info file has no debug info
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000005ad86b in zif_dom_document_savexml (ht=0, return_value=0xa31122f3, return_value_ptr=0x0, this_ptr=0x7ffff11361f8, return_value_used=0)
at /usr/local/src/php/src/ext/dom/document.c:1849
1849 RETVAL_STRINGL(mem, size, 1);
(gdb) bt
#0 0x00000000005ad86b in zif_dom_document_savexml (ht=0, return_value=0xa31122f3, return_value_ptr=0x0, this_ptr=0x7ffff11361f8, return_value_used=0)
at /usr/local/src/php/src/ext/dom/document.c:1849
#1 0x000000000094d912 in execute_internal (execute_data_ptr=0x7ffff79350e8, return_value_used=0) at /usr/local/src/php/src/Zend/zend_execute.c:1480
#2 0x00007ffff1183781 in xdebug_execute_internal () from /usr/local/php-5.4/lib/php/extensions/debug-non-zts-20100525/xdebug.so
#3 0x000000000094f718 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff79350e8) at /usr/local/src/php/src/Zend/zend_vm_execute.h:644
#4 0x00000000009506e9 in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (execute_data=0x7ffff79350e8) at /usr/local/src/php/src/Zend/zend_vm_execute.h:752
#5 0x000000000094de77 in execute (op_array=0x7ffff1134840) at /usr/local/src/php/src/Zend/zend_vm_execute.h:410
#6 0x00007ffff118331a in xdebug_execute () from /usr/local/php-5.4/lib/php/extensions/debug-non-zts-20100525/xdebug.so
#7 0x000000000090e2a5 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /usr/local/src/php/src/Zend/zend.c:1309
#8 0x0000000000878ebd in php_execute_script (primary_file=0x7fffffffdbe0) at /usr/local/src/php/src/main/main.c:2482
#9 0x0000000000a60959 in do_cli (argc=2, argv=0x7fffffffdf88) at /usr/local/src/php/src/sapi/cli/php_cli.c:988
#10 0x0000000000a61a5e in main (argc=2, argv=0x7fffffffdf88) at /usr/local/src/php/src/sapi/cli/php_cli.c:1364

? ~ USE_ZEND_ALLOC=0 valgrind --leak-check=full php segfault.php
==29871== Memcheck, a memory error detector
==29871== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==29871== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==29871== Command: php segfault.php
==29871==
==29871== Use of uninitialised value of size 8
==29871== at 0x5AD86B: zif_dom_document_savexml (document.c:1849)
==29871== by 0x94D911: execute_internal (zend_execute.c:1480)
==29871== by 0xBAD4780: xdebug_execute_internal (in /usr/local/php-5.4/lib/php/extensions/debug-non-zts-20100525/xdebug.so)
==29871== by 0x94F717: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:644)
==29871== by 0x9506E8: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==29871== by 0x94DE76: execute (zend_vm_execute.h:410)
==29871== by 0xBAD4319: xdebug_execute (in /usr/local/php-5.4/lib/php/extensions/debug-non-zts-20100525/xdebug.so)
==29871== by 0x90E2A4: zend_execute_scripts (zend.c:1309)
==29871== by 0x878EBC: php_execute_script (main.c:2482)
==29871== by 0xA60958: do_cli (php_cli.c:988)
==29871== by 0xA61A5D: main (php_cli.c:1364)
==29871==
==29871== Invalid write of size 4
==29871== at 0x5AD86B: zif_dom_document_savexml (document.c:1849)
==29871== by 0x94D911: execute_internal (zend_execute.c:1480)
==29871== by 0xBAD4780: xdebug_execute_internal (in /usr/local/php-5.4/lib/php/extensions/debug-non-zts-20100525/xdebug.so)
==29871== by 0x94F717: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:644)
==29871== by 0x9506E8: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==29871== by 0x94DE76: execute (zend_vm_execute.h:410)
==29871== by 0xBAD4319: xdebug_execute (in /usr/local/php-5.4/lib/php/extensions/debug-non-zts-20100525/xdebug.so)
==29871== by 0x90E2A4: zend_execute_scripts (zend.c:1309)
==29871== by 0x878EBC: php_execute_script (main.c:2482)
==29871== by 0xA60958: do_cli (php_cli.c:988)
==29871== by 0xA61A5D: main (php_cli.c:1364)
==29871== Address 0x8 is not stack'd, malloc'd or (recently) free'd
==29871==
==29871==
==29871== Process terminating with default action of signal 11 (SIGSEGV)
==29871== Access not within mapped region at address 0x8
==29871== at 0x5AD86B: zif_dom_document_savexml (document.c:1849)
==29871== by 0x94D911: execute_internal (zend_execute.c:1480)
==29871== by 0xBAD4780: xdebug_execute_internal (in /usr/local/php-5.4/lib/php/extensions/debug-non-zts-20100525/xdebug.so)
==29871== by 0x94F717: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:644)
==29871== by 0x9506E8: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:752)
==29871== by 0x94DE76: execute (zend_vm_execute.h:410)
==29871== by 0xBAD4319: xdebug_execute (in /usr/local/php-5.4/lib/php/extensions/debug-non-zts-20100525/xdebug.so)
==29871== by 0x90E2A4: zend_execute_scripts (zend.c:1309)
==29871== by 0x878EBC: php_execute_script (main.c:2482)
==29871== by 0xA60958: do_cli (php_cli.c:988)
==29871== by 0xA61A5D: main (php_cli.c:1364)
==29871== If you believe this happened as a result of a stack
==29871== overflow in your program's main thread (unlikely but
==29871== possible), you can try to increase the size of the
==29871== main thread stack using the --main-stacksize= flag.
==29871== The main thread stack size used in this run was 8388608.
==29871==
==29871== HEAP SUMMARY:
==29871== in use at exit: 3,498,101 bytes in 19,356 blocks
==29871== total heap usage: 23,205 allocs, 3,849 frees, 3,713,624 bytes allocated
==29871==
==29871== LEAK SUMMARY:
==29871== definitely lost: 0 bytes in 0 blocks
==29871== indirectly lost: 0 bytes in 0 blocks
==29871== possibly lost: 0 bytes in 0 blocks
==29871== still reachable: 3,498,101 bytes in 19,356 blocks
==29871== suppressed: 0 bytes in 0 blocks
==29871== Reachable blocks (those to which a pointer was found) are not shown.
==29871== To see them, rerun with: --leak-check=full --show-reachable=yes
==29871==
==29871== For counts of detected and suppressed errors, rerun with: -v
==29871== Use --track-origins=yes to see where uninitialised values come from
==29871== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 2 from 2)
[1] 29871 segmentation fault (core dumped) USE_ZEND_ALLOC=0 valgrind --leak-check=full php segfault.php

Tags: No tags attached.
Operating System: Linux
PHP Version: 5.4-dev
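A differential regression check for this report, added here as an editor's example and not code from the reporter, PHPUnit or Xdebug: it writes a reduced copy of the reproducer to a temporary file, runs it in a child PHP process once with the normal configuration (Xdebug loaded if php.ini loads it) and once with -n, and classifies each run by exit status. It assumes a POSIX shell (which reports 128 + signal number when the child is killed) and PHP 5.4 or later; the names run_reproducer and classify are this example's own.

```php
<?php
// Added regression check for this report (not part of the original reproducer):
// run the reproducer in a child PHP process with and without Xdebug and classify
// the outcome. Written to stay compatible with PHP 5.4, the version in the report.

// The reporter's script, reduced to its essentials (constructed inline).
$reproducer = <<<'SCRIPT'
<?php
set_error_handler(function ($errno, $errstr) { throw new Exception($errstr); }, E_ALL);
$dom = new DOMDocument;
$dom->saveXML('foo');
SCRIPT;

// Run the script as a child process; $noIni selects "php -n" (no php.ini, so no Xdebug).
function run_reproducer($path, $noIni)
{
    $cmd = escapeshellarg(PHP_BINARY) . ($noIni ? ' -n' : '')
         . ' ' . escapeshellarg($path) . ' 2>&1';
    exec($cmd, $lines, $status);
    return array($status, implode("\n", $lines));
}

// Exit status 128+N means the shell saw the child die from signal N (11 = SIGSEGV);
// 255 with "Uncaught" in the output is PHP's normal fatal error for the thrown exception.
function classify($status, $output)
{
    if ($status >= 128) {
        return sprintf('CRASH: terminated by signal %d', $status - 128);
    }
    if ($status === 255 && strpos($output, 'Uncaught') !== false) {
        return 'OK: fatal error from uncaught exception (expected)';
    }
    return sprintf('UNEXPECTED: exit status %d', $status);
}

$path = tempnam(sys_get_temp_dir(), 'segfault');
file_put_contents($path, $reproducer);
foreach (array('with php.ini' => false, 'php -n' => true) as $label => $noIni) {
    list($status, $output) = run_reproducer($path, $noIni);
    printf("%-13s %s\n", $label . ':', classify($status, $output));
}
unlink($path);
```

On an affected build the first line reports a crash from signal 11 while the second reports the expected fatal error, mirroring the two runs in the report.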

Activities

derick

2012-12-17 20:58

administrator   ~0002396

I had a good look at this, but no luck so far :-/

whatthejeff

2013-01-06 00:38

reporter   ~0002413

I think this is a bug in PHP. I've filed a bug report here: https://bugs.php.net/bug.php?id=63914

I'll send a pull request to fix this issue shortly.

whatthejeff

2013-01-06 01:33

reporter   ~0002414

Pull request is here: https://github.com/php/php-src/pull/250

NOTE: This pull request is against master, which by coincidence no longer segfaults. The same changes can be applied to PHP <= 5.4 to prevent the segfault, but take care to update the zend_execute_internal signature.

derick

2013-03-09 22:05

administrator   ~0002440

Jeff, I am closing this from my side - I've just pinged Dmitry on the other side to have a look at it.

Issue History

Date Modified Username Field Change
2012-10-29 11:04 sebastian New Issue
2012-12-17 20:58 derick Note Added: 0002396
2013-01-06 00:38 whatthejeff Note Added: 0002413
2013-01-06 01:33 whatthejeff Note Added: 0002414
2013-03-09 22:05 derick Note Added: 0002440
2013-03-09 22:05 derick Status new => resolved
2013-03-09 22:05 derick Resolution open => no change required
2013-03-09 22:05 derick Assigned To => derick
2016-07-31 12:36 derick Category Usage problems => Usage problems (Crashes)
2016-07-31 12:38 derick Category Usage problems (Crashes) => Usage problems (Wrong Results)
2020-03-12 16:35 derick Category Usage problems (Wrong Results) => Variable Display
2020-03-12 16:38 derick Category Variable Display => Uncategorized