var_dump(SensitiveParameterValue) segfaults

[Firehed]

Description

While I'm not sure directly using SensitiveParameterValue class is intended outside of the #[SensitiveParameter] attribute, it seems to be completely possible and at least somewhat documented.

If you do this and try to var_dump() an instance of that class (not the automaticaly-unwrapped variable you get with the attribute), PHP segfaults. This is in no way a normal thing to do and probably something you'd only ever encounter while debugging during dev, but it still shouldn't crash :)

I've only tested this on the CLI SAPI. Sadly not on the latest 8.3.x, but I didn't see anything in the changelog that suggested this has already been addressed.

The following code:

<?php

function sp(#[SensitiveParameter] string $str): void
{
    var_dump($str);
}

function spv(SensitiveParameterValue $spv): void
{
    var_dump($spv);
}

sp('a');
spv(new SensitiveParameterValue('p'));

Resulted in this output:

string(1) "a"
Segmentation fault: 11

But I expected this output instead:

string(1) "a"
class SensitiveParameterValue#2 (0) {
}

PHP Version

8.3.2

Operating System

macOS Sequoia 15.0

[cmb69]

I cannot reproduce the segfault locally, nor at https://3v4l.org/pNrd5. Can you please re-check with the latest PHP 8.3.12.

[Firehed]

@cmb69 It may be Mac-specific? I experienced the expected behavior using the Alpine Docker images for 8.3.2 (where my local version is) and 8.3.12.

$ docker run --rm -it php:8.3.12-alpine sh
Unable to find image 'php:8.3.12-alpine' locally
8.3.12-alpine: Pulling from library/php
cf04c63912e1: Already exists
48ef8ad75958: Already exists
25f80c1299f6: Already exists
6eb3615e2ca5: Already exists
961b9546279e: Already exists
12f79de44719: Already exists
a0d0cbd3b25b: Already exists
eaf81e500f25: Already exists
435163f05c73: Already exists
Digest: sha256:c1dab7496d3d23b98d7a7e9551f5f0a8d37dcfbd20ec4724689357d1ffe5126b
Status: Downloaded newer image for php:8.3.12-alpine
/ # vi x.php
/ # php x.php
string(1) "a"
object(SensitiveParameterValue)#1 (0) {
}
/ # exit

$ docker run --rm -it php:8.3.2-alpine sh
Unable to find image 'php:8.3.2-alpine' locally
8.3.2-alpine: Pulling from library/php
bca4290a9639: Already exists
f072bab4d3b7: Already exists
537d23c253bc: Already exists
c65cde09541f: Already exists
84822948d41e: Pull complete
f5a0b1452fae: Pull complete
292dd4ac776f: Pull complete
f6688d2bd308: Pull complete
e1db26f84cd8: Pull complete
Digest: sha256:ea8cdb42a3def0a4d65226f9348fa4ea67ef9bbefb445200778f329c795e9b4b
Status: Downloaded newer image for php:8.3.2-alpine
/ # vi x.php
/ # php x.php
string(1) "a"
object(SensitiveParameterValue)#1 (0) {
}
/ # exit

$ pbpaste > x.php
$ php x.php
x.php:5:
string(1) "a"
Segmentation fault: 11

I'll see if I can get my local env updated to latest as well. Here's the host version details:

 $ php -v
PHP 8.3.2 (cli) (built: Jan 16 2024 13:46:41) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.3.2, Copyright (c) Zend Technologies
    with Xdebug v3.3.0, Copyright (c) 2002-2023, by Derick Rethans
    with Zend OPcache v8.3.2, Copyright (c), by Zend Technologies

 $ uname -a
Darwin [name].local 24.0.0 Darwin Kernel Version 24.0.0: Mon Aug 12 20:52:12 PDT 2024; root:xnu-11215.1.10~2/RELEASE_ARM64_T6020 arm64

[cmb69]

Does it also crash when you don't load Xdebug?

[damianwadley]

Yup, the segfault is from Xdebug.

string(1) "a"
AddressSanitizer:DEADLYSIGNAL
=================================================================
==8789==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc 0x7fbc9708cac4 bp 0x7ffd15722ec0 sp 0x7ffd15722d80 T0)
==8789==The signal is caused by a READ memory access.
==8789==Hint: address points to the zero page.
    #0 0x7fbc9708cac4 in xdebug_var_export_text_ansi /tmp/pear/temp/xdebug/src/lib/var_export_text.c:346
    #1 0x7fbc9708cea9 in xdebug_get_zval_value_text_ansi /tmp/pear/temp/xdebug/src/lib/var_export_text.c:399
    #2 0x7fbc970b094a in zif_xdebug_var_dump /tmp/pear/temp/xdebug/src/develop/php_functions.c:65
    #3 0x56284ab6c8b7 in ZEND_DO_ICALL_SPEC_OBSERVER_HANDLER /home/ubuntu/php/php-8.3.12/src/Zend/zend_vm_execute.h:1400
    #4 0x56284acc583d in execute_ex /home/ubuntu/php/php-8.3.12/src/Zend/zend_vm_execute.h:57220
    #5 0x7fbc97074a5f in xdebug_execute_ex /tmp/pear/temp/xdebug/src/base/base.c:889
    #6 0x56284ab712ef in ZEND_DO_FCALL_SPEC_OBSERVER_HANDLER /home/ubuntu/php/php-8.3.12/src/Zend/zend_vm_execute.h:2052
    #7 0x56284acc5abc in execute_ex /home/ubuntu/php/php-8.3.12/src/Zend/zend_vm_execute.h:57256
    #8 0x7fbc97074a5f in xdebug_execute_ex /tmp/pear/temp/xdebug/src/base/base.c:889
    #9 0x56284acd8909 in zend_execute /home/ubuntu/php/php-8.3.12/src/Zend/zend_vm_execute.h:61604
    #10 0x56284aac69c0 in zend_execute_scripts /home/ubuntu/php/php-8.3.12/src/Zend/zend.c:1893
    #11 0x56284a940cb4 in php_execute_script /home/ubuntu/php/php-8.3.12/src/main/main.c:2528
    #12 0x56284aeb703a in do_cli /home/ubuntu/php/php-8.3.12/src/sapi/cli/php_cli.c:966
    #13 0x56284aeb8e37 in main /home/ubuntu/php/php-8.3.12/src/sapi/cli/php_cli.c:1340
    #14 0x7fbc9ac8bd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #15 0x7fbc9ac8be3f in __libc_start_main_impl ../csu/libc-start.c:392
    #16 0x562849c0ebc4 in _start (/home/ubuntu/php/php-8.3.12/bin/php+0x60ebc4)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/pear/temp/xdebug/src/lib/var_export_text.c:346 in xdebug_var_export_text_ansi
==8789==ABORTING

[cmb69]

@derickr, do you want to take a look, or should this be reported upstream?