
Segfault with breakpoint map and phpdbg_clear() #15208

Closed
@YuanchengJiang

Description

The following code (i.e., Zend/tests/arginfo_zpp_mismatch.phpt, and its dependency arginfo_zpp_mismatch.inc):

<?php

require __DIR__ . "/arginfo_zpp_mismatch.inc";

function test($function) {
    if (skipFunction($function)) {
        return;
    }

    ob_start();
    if (is_string($function)) {
        echo "Testing $function\n";
    } else {
        echo "Testing " . get_class($function[0]) . "::$function[1]\n";
    }
    try {
        @$function();
    } catch (Throwable) {
    }
    try {
        @$function(null);
    } catch (Throwable) {
    }
    try {
        @$function(null, null);
    } catch (Throwable) {
    }
    try {
        @$function(null, null, null);
    } catch (Throwable) {
    }
    try {
        @$function(null, null, null, null);
    } catch (Throwable) {
    }
    try {
        @$function(null, null, null, null, null);
    } catch (Throwable) {
    }
    try {
        @$function(null, null, null, null, null, null);
    } catch (Throwable) {
    }
    try {
        @$function(null, null, null, null, null, null, null);
    } catch (Throwable) {
    }
    try {
        @$function(null, null, null, null, null, null, null, null);
    } catch (Throwable) {
    }
    ob_end_clean();
}

foreach (get_defined_functions()["internal"] as $function) {
    test($function);
}

foreach (get_declared_classes() as $class) {
    try {
        $rc = new ReflectionClass($class);
        $obj = $rc->newInstanceWithoutConstructor();
    } catch (Throwable) {
        continue;
    }

    foreach (get_class_methods($class) as $method) {
        test([$obj, $method]);
    }
}

// var_dump() and debug_zval_dump() print all arguments
?>

Resulted in this output:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==3683045==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000093a8 (pc 0x558a82647131 bp 0x7ffd8cb95f00 sp 0x7ffd8cb95dd0 T0)
==3683045==The signal is caused by a READ memory access.
    #0 0x558a82647131 in phpdbg_export_breakpoints_to_string /php-src/sapi/phpdbg/phpdbg_bp.c:132
    #1 0x558a825e6a96 in main /php-src/sapi/phpdbg/phpdbg.c:1615
    #2 0x7f1077aa1d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
    #3 0x7f1077aa1e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
    #4 0x558a7fe068d4 in _start (/php-src/sapi/phpdbg/phpdbg+0x32068d4)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /php-src/sapi/phpdbg/phpdbg_bp.c:132 in phpdbg_export_breakpoints_to_string
==3683045==ABORTING

To reproduce:

phpdbg ./test.php
> r
> c

PHP Version

PHP 8.4.0-dev

Operating System

ubuntu 22.04
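The ASan report in this issue is the kind of output a fuzzing run produces in bulk, and the first triage step is to reduce each report to a stable key so duplicates of the same crash can be bucketed. The script below is an added example, not part of this issue or of php-src: it parses an AddressSanitizer report into a crash record, picks the first frame inside the project tree as the crash site (skipping libc and `_start`), derives a bucketing signature, and applies a rough fault-address heuristic. `SAMPLE_REPORT` is the report from this issue embedded as constructed input; the `/php-src/` project prefix and the address thresholds in `classify_address` are the script's own assumptions, not anything ASan reports.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample input: the ASan report posted in this issue, copied verbatim.
SAMPLE_REPORT = """\
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3683045==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000093a8 (pc 0x558a82647131 bp 0x7ffd8cb95f00 sp 0x7ffd8cb95dd0 T0)
==3683045==The signal is caused by a READ memory access.
    #0 0x558a82647131 in phpdbg_export_breakpoints_to_string /php-src/sapi/phpdbg/phpdbg_bp.c:132
    #1 0x558a825e6a96 in main /php-src/sapi/phpdbg/phpdbg.c:1615
    #2 0x7f1077aa1d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
    #3 0x7f1077aa1e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
    #4 0x558a7fe068d4 in _start (/php-src/sapi/phpdbg/phpdbg+0x32068d4)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /php-src/sapi/phpdbg/phpdbg_bp.c:132 in phpdbg_export_breakpoints_to_string
==3683045==ABORTING
"""

# "==PID==ERROR: AddressSanitizer: <kind> on [unknown] address 0x..." (SEGV, heap-use-after-free, ...)
ERROR_RE = re.compile(
    r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+)"
    r"(?: on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+))?"
)
# Access direction: SEGV reports say "caused by a READ memory access",
# heap reports say "READ of size N at 0x... thread T0".
SIGNAL_ACCESS_RE = re.compile(r"signal is caused by a (?P<access>READ|WRITE) memory access")
SIZED_ACCESS_RE = re.compile(r"^(?P<access>READ|WRITE) of size \d+ at (?P<addr>0x[0-9a-fA-F]+)")
# Stack frame: "#N 0xPC in func file:line" or "#N 0xPC (module+offset)" when unsymbolized.
FRAME_RE = re.compile(
    r"^\s*#(?P<n>\d+) (?P<pc>0x[0-9a-fA-F]+)(?: in (?P<func>\S+))?\s+(?P<loc>\S+)"
)


@dataclass
class Frame:
    index: int
    pc: int
    func: str | None        # None when ASan could not symbolize the frame
    location: str           # "file:line" or "(module+offset)"


@dataclass
class AsanCrash:
    pid: int
    kind: str               # e.g. "SEGV", "heap-use-after-free"
    access: str | None      # "READ" / "WRITE" when reported
    address: int | None     # faulting address when reported
    frames: list[Frame] = field(default_factory=list)


def parse_asan_report(text: str) -> AsanCrash:
    """Parse the first ASan ERROR block and its stack trace out of a report."""
    crash: AsanCrash | None = None
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            crash = AsanCrash(
                pid=int(m["pid"]),
                kind=m["kind"],
                access=None,
                address=int(m["addr"], 16) if m["addr"] else None,
            )
            continue
        if crash is None:
            continue  # ignore the DEADLYSIGNAL banner and separator lines
        m = SIGNAL_ACCESS_RE.search(line) or SIZED_ACCESS_RE.match(line)
        if m:
            crash.access = m["access"]
            if "addr" in m.groupdict() and crash.address is None:
                crash.address = int(m["addr"], 16)
            continue
        m = FRAME_RE.match(line)
        if m:
            crash.frames.append(Frame(int(m["n"]), int(m["pc"], 16), m["func"], m["loc"]))
    if crash is None:
        raise ValueError("no AddressSanitizer ERROR line found")
    return crash


def crash_site(crash: AsanCrash, project_prefix: str = "/php-src/") -> Frame | None:
    """First frame inside the project tree (assumed prefix): where to start reading the code."""
    for fr in crash.frames:
        if fr.location.startswith(project_prefix):
            return fr
    return None


def signature(crash: AsanCrash, project_prefix: str = "/php-src/") -> str:
    """Bucketing key for duplicate detection: kind, access direction and top in-project frame."""
    site = crash_site(crash, project_prefix)
    where = f"{site.func}@{site.location}" if site else "unknown"
    return f"{crash.kind}:{crash.access or '?'}:{where}"


def classify_address(crash: AsanCrash) -> str:
    """Heuristic (this script's assumption, not ASan output): a small fault address usually
    means a field dereference through a NULL or near-NULL struct pointer."""
    if crash.address is None:
        return "n/a"
    if crash.address < 0x1000:
        return "zero-page"
    if crash.address < 0x10000:
        return "near-null"
    return "wild"


if __name__ == "__main__":
    c = parse_asan_report(SAMPLE_REPORT)
    print(signature(c), classify_address(c))
```

The signature deliberately drops the pid and raw pc values, which change from run to run, and keys on the first in-project frame rather than frame #0 so that crashes surfacing inside libc or the allocator still bucket by the calling project code. For the report above the site is `phpdbg_export_breakpoints_to_string` at `phpdbg_bp.c:132` and the fault address `0x93a8` falls in the near-null range, consistent with a read through a small or stale pointer rather than a wild one.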
