CodeClarityLab / Glossary
Ctrl K
← Home ← Codex ← DEBT
Browse by Category
+ added · updated 7d
Pages
Terms of Use About Contribute 🧠Logic graph Contact
← Back to glossary

Xdebug — Debugging & Profiling

PHP PHP 5.0+ Beginner
debt(d7/e3/b3/t7)
d7 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'only careful code review or runtime testing' (d7). The detection_hints list phpunit and phpstan as tools, but neither catches Xdebug being enabled in production php.ini as a default rule. The code_pattern notes 'xdebug enabled in production php.ini' — this requires inspecting server configuration or deployment scripts, which is typically caught only through code review of infrastructure files or noticing performance degradation in production. Not d9 because a careful deployment review or CI environment check can surface it.

e3 Effort Remediation debt — work required to fix once spotted

Closest to 'simple parameterised fix' (e3). The quick_fix is essentially editing php.ini or environment configuration to set correct xdebug.mode values and remove the extension from production. This is slightly more than a one-line patch (e1) because it touches php.ini, possibly deployment scripts, and CI configuration, but it doesn't span multiple application files — it's a localised configuration change.

b3 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3). Xdebug is a developer tooling choice that primarily affects the local development and CI environment. It applies to web and cli contexts but its misuse (being left in production) is a configuration/ops concern, not a structural burden that shapes every future feature. The rest of the codebase is unaffected once correctly configured.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7). The misconception field explicitly states developers believe Xdebug can be left enabled in production for emergency debugging. This contradicts the mental model of 'emergency debug tools are safe if rarely used' that developers carry from other ecosystems or local usage. The up to 10x performance overhead and exposure of stack traces are non-obvious consequences that a competent developer unfamiliar with Xdebug's production impact would likely miss.

About DEBT scoring → scored by claude-sonnet-4-6 · 2026-05-11 · reviewed by human

Also Known As

Xdebug PHP debugger PHP profiler

TL;DR

The essential PHP debugging extension providing step debugging, stack traces, code coverage, and profiling output.

Explanation

Xdebug is the standard PHP debugging and profiling tool. It integrates with IDEs (PhpStorm, VS Code) via DAP (Debug Adapter Protocol) for step-through debugging, variable inspection, and breakpoints. In profiling mode it generates cachegrind files readable by KCacheGrind or WebGrind. It powers PHPUnit's code coverage reports (requires xdebug.mode=coverage). Key modes: debug (step debugging), profile (performance analysis), trace (full execution trace), coverage. Never run Xdebug in production — it adds significant overhead and exposes a remote debugging port.

Watch Out

Disable Xdebug in production environments — it degrades performance and can expose a step-debugger port if xdebug.remote_connect_back is enabled.

Common Misconception

Xdebug can be left enabled in production for emergency debugging. Xdebug has a significant performance overhead (up to 10x slower) and exposes detailed stack traces. It must never run in production — use proper logging and error tracking (Sentry, Bugsnag) instead.

Why It Matters

Xdebug provides step debugging, code coverage, and profiling — without it, PHP debugging relies on var_dump and guesswork, making complex bugs orders of magnitude slower to diagnose.

Common Mistakes

  • Installing Xdebug in production — it adds significant overhead and exposes debug endpoints.
  • Not configuring xdebug.mode = debug,coverage in php.ini — leaving it on develop mode without specific mode misses features.
  • Not setting xdebug.start_with_request = trigger — without it, every request tries to connect to the debugger.
  • Using var_dump as a substitute for a debugger — Xdebug step debugging shows the full call stack and variable state at any point.

Avoid When

  • Never install Xdebug on a production server — it significantly degrades performance and exposes debugging interfaces.
  • Disable xdebug.remote_enable and xdebug.mode=off in any non-development environment.

When To Use

  • Use Xdebug in local development for step debugging, profiling, and code coverage.
  • Use Xdebug's profiler output with KCacheGrind/QCacheGrind to identify performance bottlenecks.

Code Examples

✗ Vulnerable 
; php.ini — Xdebug in production:
[xdebug]
zend_extension=xdebug.so
xdebug.mode=develop,debug
xdebug.start_with_request=yes ; Every request tries to debug — massive overhead
xdebug.client_host=localhost   ; Should never be active in production
✓ Fixed 
; Xdebug 3 configuration
[xdebug]
zend_extension = xdebug
xdebug.mode    = debug,coverage
xdebug.start_with_request = trigger  ; activate only when triggered (not every request)
xdebug.client_host = host.docker.internal
xdebug.client_port = 9003

; VS Code step debugging:
; 1. Install PHP Debug extension
; 2. Set breakpoint
; 3. Start listening (F5)
; 4. Trigger request with XDEBUG_SESSION cookie or ?XDEBUG_SESSION=1

; Code coverage (PHPUnit):
$ phpunit --coverage-html=coverage/
; Requires xdebug.mode = coverage
Added 15 Mar 2026
Edited 31 Mar 2026
Views 52

Curated in Warsaw under one editorial standard. 1,506 terms, single voice.  About this reference →

Rate this term
No ratings yet
🤖 AI Guestbook educational data only
| |
Last 30 days
0 pings T 0 pings W 1 ping T 0 pings F 0 pings S 0 pings S 0 pings M 0 pings T 1 ping W 0 pings T 0 pings F 0 pings S 2 pings S 0 pings M 0 pings T 1 ping W 0 pings T 0 pings F 1 ping S 1 ping S 0 pings M 0 pings T 0 pings W 0 pings T 0 pings F 0 pings S 1 ping S 1 ping M 0 pings T 0 pings W
Agents 0
No pings yet today
No pings yesterday
Amazonbot 8 Perplexity 8 Ahrefs 4 Scrapy 3 Unknown AI 2 Claude 2 Bing 2 ChatGPT 2 Majestic 1 Google 1 Meta AI 1 Qwen 1 PetalBot 1
Also referenced
PHP-FPM 92 Profiling & Benchmarking 82 OPcache 75 Code Coverage 66
How they use it
crawler 32 crawler_json 4
Related categories
php 13.1k performance 3.3k testing 3.2k
DEV INTEL Tools & Severity
🔵 Info ⚙ Fix effort: Low
⚡ Quick Fix
Use xdebug.mode=debug for step debugging, xdebug.mode=coverage for code coverage reports, xdebug.mode=profile for performance profiling — never enable all modes in production
📦 Applies To
PHP 5.0+ web cli
🔗 Prerequisites
🔍 Detection Hints
xdebug enabled in production php.ini; xdebug.mode=debug on production server; coverage reports not generated in CI
Auto-detectable: ✓ Yes phpunit phpstan
⚠ Related Problems
🤖 AI Agent
Confidence: Low False Positives: Medium ✗ Manual fix Fix: Low Context: File
CWE-94
✓ schema.org compliant