
Fixed issue #2221: Crash when other extensions run PHP code without the stack being initialised yet #938

Closed

Conversation

Yurunsoft

The fix in 5e13c7b is not complete; Swoole still has a segfault.

@Yurunsoft Yurunsoft changed the base branch from master to xdebug_3_3 December 8, 2023 03:15
@derickr
Contributor

derickr commented Dec 8, 2023

The patch looks good (and is right). Would you have a small reproduction case with Swoole perhaps? I'll see if I can turn that into a test case.

@Yurunsoft
Author

Yurunsoft commented Dec 8, 2023

In my system environment, I only need an empty file to reproduce:

test.php:

<?php

php test.php

@derickr
Contributor

derickr commented Dec 8, 2023

I don't know what your environment is though. Can you show me which extensions (php -v && php -m) etc? Is it just you having swoole loaded? If so, how would I replicate that?

@derickr
Contributor

derickr commented Dec 8, 2023

Turned out that this fix was also not correct. I had to add this:

diff --git src/base/base.c src/base/base.c
index 267c9631..66bcb9a1 100644
--- src/base/base.c
+++ src/base/base.c
@@ -719,6 +719,11 @@ static void xdebug_execute_user_code_begin(zend_execute_data *execute_data)
 
        function_stack_entry *fse;
 
+       /* If the stack vector hasn't been initialised yet, we should abort immediately */
+       if (!XG_BASE(stack)) {
+               return;
+       }
+
        /* For PHP 7, we need to reset the opline to the start, so that all opcode
         * handlers are being hit. But not for generators, as that would make an
         * endless loop. TODO: Fix RECV handling with generators. */
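Review bot: the new early return in xdebug_execute_user_code_begin skips everything that follows in the function, including the PHP 7 opline reset visible in the context lines, so a frame entered before the stack vector exists is simply not tracked; that is consistent with the matching guard in the `_end` hunk below, but the comment should say that the frame is not tracked rather than "abort", since nothing is aborted and execution continues normally.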
@@ -797,6 +802,11 @@ static void xdebug_execute_user_code_end(zend_execute_data *execute_data, zval *
        zend_op_array        *op_array = &(execute_data->func->op_array);
        function_stack_entry *fse;
 
+       /* If the stack vector hasn't been initialised yet, we should abort immediately */
+       if (!XG_BASE(stack)) {
+               return;
+       }
+
        fse = XDEBUG_VECTOR_TAIL(XG_BASE(stack));
 
        if (XDEBUG_MODE_IS(XDEBUG_MODE_PROFILING)) {
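Review bot: the guard is correctly placed before `fse = XDEBUG_VECTOR_TAIL(XG_BASE(stack));`, but a NULL vector is not the only way to reach a bad `fse` here: if the stack was initialised between a skipped `_begin` and this `_end`, the tail is another frame's entry, or possibly NULL on an empty vector, so consider checking `fse` for NULL after the `XDEBUG_VECTOR_TAIL` call as well. The `bt full` NHZEX posted later in this thread shows `fse = 0x0` in the sibling `xdebug_execute_internal_end` at base.c:985, reached from `php_request_shutdown` via `zend_observer_fcall_end_all`, which this hunk does not cover.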
@@ -859,11 +869,6 @@ static bool should_run_user_handler(zend_execute_data *execute_data)
  * negation should be **added** to the usage below in xdebug_execute_ex. */
 static bool should_run_user_handler_wrapper(zend_execute_data *execute_data)
 {
-       /* If the stack vector hasn't been initialised yet, we should abort immediately */
-       if (!XG_BASE(stack)) {
-               return false;
-       }
-
 #if PHP_VERSION_ID >= 80100
        return !should_run_user_handler(execute_data);
 #else
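Review bot: removing the `!XG_BASE(stack)` check from `should_run_user_handler_wrapper` narrows the protection to the two functions patched above; if any other handler relied on this wrapper returning false, it now runs against an uninitialised stack. The `xdebug_execute_internal_end` frame in the gdb backtrace posted later in this thread (fse = 0x0, base.c:985) is one such path, so either keep this check or add the same guard to the internal begin/end handlers, and record the reason in the function comment, which currently only discusses the negation used in xdebug_execute_ex.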

@derickr
Contributor

derickr commented Dec 8, 2023

Closed and replaced by #939.

@derickr derickr closed this Dec 8, 2023
@Yurunsoft
Author

> I don't know what your environment is though. Can you show me which extensions (php -v && php -m) etc? Is it just you having swoole loaded? If so, how would I replicate that?

python-3.10root@LAPTOP-15IRLJ0T:~# php -v && php -m
PHP 8.2.13 (cli) (built: Nov 24 2023 08:46:50) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.2.13, Copyright (c) Zend Technologies
    with Zend OPcache v8.2.13, Copyright (c), by Zend Technologies
    with Xdebug v3.3.1-dev, Copyright (c) 2002-2023, by Derick Rethans
[PHP Modules]
bcmath
bz2
calendar
Core
ctype
curl
date
dom
exif
FFI
fileinfo
filter
ftp
gd
gettext
hash
iconv
igbinary
inotify
json
libxml
mbstring
mysqli
mysqlnd
openssl
pcntl
pcre
PDO
pdo_mysql
pdo_sqlite
Phar
posix
random
readline
redis
Reflection
session
shmop
SimpleXML
sockets
sodium
SPL
sqlite3
standard
swoole
sysvmsg
sysvsem
sysvshm
tokenizer
xdebug
xml
xmlreader
xmlwriter
xsl
Zend OPcache
zip
zlib

[Zend Modules]
Xdebug
Zend OPcache

@derickr
Contributor

derickr commented Dec 8, 2023

@Yurunsoft Can you try the patch in #939? I have tried to reproduce the crash with swoole on 3.3.0, but I can't manage. Perhaps I haven't set it up correctly. Sharing your bt full might be useful too.

@Yurunsoft
Author

You can also try this code:

<?php

Co\run(function(){
	go(function(){
		usleep(1);
	});
	go(function(){
		usleep(1);
	});
});

@NHZEX

NHZEX commented Dec 8, 2023

My environment:

FROM phpswoole/swoole:5.1.1-php8.2

RUN pecl install xdebug-3.3.0 \
    && docker-php-ext-enable xdebug opcache \
    && apt-get clean \
    && php -m \
    && php --ri xdebug \
    && php --ri swoole

<?php

Co\run(function () {
    go (function () {
        usleep(1);
        echo 'Hello World#1'.PHP_EOL;
    });

    go (function () {
        usleep(1);
        echo 'Hello World#2'.PHP_EOL;
    });
});

(gdb) bt full
#0  xdebug_execute_internal_end (current_execute_data=<optimized out>, return_value=0x0) at /tmp/pear/temp/xdebug/src/base/base.c:985
        fse = 0x0
        fse = <optimized out>
#1  xdebug_execute_end (execute_data=<optimized out>, retval=0x0) at /tmp/pear/temp/xdebug/src/base/base.c:1047
No locals.
#2  0x000056267bdaf08d in zend_observer_fcall_end_all ()
No symbol table info available.
#3  0x000056267bcaf6c9 in php_request_shutdown ()
No symbol table info available.
#4  0x000056267bdf9bcd in ?? ()
No symbol table info available.
#5  0x000056267b9fc717 in ?? ()
No symbol table info available.
#6  0x00007f199d4fe1ca in __libc_start_call_main (main=main@entry=0x56267b9fc430, argc=argc@entry=3, argv=argv@entry=0x7fffafdd0438) at ../sysdeps/nptl/libc_start_call_main.h:58
        self = <optimized out>
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140736143885368, -5418603757060112252, 0, 140736143885400, 94723300689720, 139748003606560, 5418427582225039492, 5403890778925154436}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x7fffafdd0438, 0x7fffafdd0438}, data = {prev = 0x0, cleanup = 0x0, 
              canceltype = -1344469960}}}
        not_first_call = <optimized out>
#7  0x00007f199d4fe285 in __libc_start_main_impl (main=0x56267b9fc430, argc=3, argv=0x7fffafdd0438, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffafdd0428) at ../csu/libc-start.c:360
No locals.
#8  0x000056267b9fd981 in _start ()
No symbol table info available.
