Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: php-debugger/php-debugger
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: main
Choose a base ref
...
head repository: php-debugger/php-debugger
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: security-ci
Choose a head ref
Checking mergeability… Don’t worry, you can still create the pull request.
  • 5 commits
  • 4 files changed
  • 1 contributor

Commits on Mar 22, 2026

  1. Add security CI workflows 

    - CodeQL: semantic analysis with security-extended queries (every push/PR + weekly)
- ASAN + UBSAN: runtime sanitizers, builds PHP from source with sanitizer flags (every push/PR)
- Cppcheck: fast static analysis for leaks, null derefs, fd leaks (every push/PR)
- Clang Static Analyzer: path-sensitive analysis via scan-build (weekly + manual dispatch)
    @pronskiy
    pronskiy committed Mar 22, 2026
    Configuration menu
    Copy the full SHA
    f2dd859 View commit details
    Browse the repository at this point in the history

  2. Fix UBSAN: xdebug_fiber_entry_dtor function type mismatch 

    The hash destructor callback was declared as taking
struct xdebug_fiber_entry * but registered as xdebug_hash_dtor_t
(void (*)(void *)). Calling through the mismatched pointer type
is undefined behavior per C11 §6.5.2.2.

Fix: accept void * and cast inside the function body.
Zero performance impact — identical generated code.
    @pronskiy
    pronskiy committed Mar 22, 2026
    Configuration menu
    Copy the full SHA
    526bcae View commit details
    Browse the repository at this point in the history

  3. Fix DBGp test timeouts under ASAN 

    The DBGp test client had hardcoded 3s/5s socket timeouts. Under ASAN
(2-3x slower), PHP takes longer to respond, causing false test failures.

Fix: make timeouts configurable via DBGP_TIMEOUT env var (defaults
unchanged). Set DBGP_TIMEOUT=10 in the sanitizer CI workflow.
    @pronskiy
    pronskiy committed Mar 22, 2026
    Configuration menu
    Copy the full SHA
    51381af View commit details
    Browse the repository at this point in the history

  4. Run ASAN tests single-threaded 

    Parallel ASAN-instrumented PHP processes compete for CPU on CI runners,
causing DBGp socket timeouts. Run with -j1 for reliable results.
    @pronskiy
    pronskiy committed Mar 22, 2026
    Configuration menu
    Copy the full SHA
    6120ecf View commit details
    Browse the repository at this point in the history

  5. ASAN CI: fail only on sanitizer errors, not test mismatches 

    The ASAN-instrumented test suite has ~36-45 test output mismatches
(known XFAIL tests + ASAN-induced timing differences). These are
not memory bugs.

The CI now runs all tests, captures output, and fails ONLY when
actual sanitizer errors are detected (AddressSanitizer, LeakSanitizer,
UBSAN runtime errors). Test output mismatches are logged but
do not block the PR.
    @pronskiy
    pronskiy committed Mar 22, 2026
    Configuration menu
    Copy the full SHA
    322ed0b View commit details
    Browse the repository at this point in the history
Loading