For a particular assignment, a non-coerced constant assignment
value will remain valid. However, opcache merges cache slots for
all identical property references, which means that this
optimization also disables property type checks for all other
operands on the property that occur in the same functions.
This could be addressed by blocking cache slot merging in opcache,
but I prefer dropping it entirely instead. It does not seem
important enough to warrant doing that.
Updating based on the properties info HT will miss private parent
properties that have been shadowed in the child class. Instead,
perform updating directly on the default properties table.
We can't do the same for static properties, because those don't
have a convenient way to look up the property type from the
property offset. However, I don't believe the problem exists for
static properties, because we're always going to be using the
property on the class it was declared on, while children only hold
INDIRECT references. As such, this should be covered by parent
class const updating.
Fixes oss-fuzz #35906.
We can't destroy the result operand early, because the division
might fail, in which case we need to preserve the original value.
Place the division result in a temporary zval, and only copy it
on success.
Fixes oss-fuzz #35876.
The analysis in the bug report wasn't correct (at least not in
this case -- there may still be a more general problem here),
the issue was that write_property returned the original variable_ptr
rather than the zend_assign_to_variable() return value, which will
DEREF the variable before overwriting it.
In this case we ended up creating an ASSIGN_OBJ_REF with VAR
result operand, which was not freed.
Fix this by implementing assign_ref_znode the same was as
assign_znode, i.e. performing an assignment with result and
then freeing the result, which will result mark the result as
UNUSED. This is more robust than the special handling for
result == NULL that was used before.
This fixes one of the issues reported in bug #81190.
The result == op1 check did not work properly here, because op1
was &op1_copy at this point. Move the division by zero reporting
out of the _base function, so it can check the original op1.
When the memory limit is restored during shutdown, we may still
be using a lot of memory. Ignore the failure at that point and
set it again after the MM is shut down, at which point memory
usage should be at its lowest point.
When the memory limit is reduced using an `ini_set("memory_limit", ..)`
below the currently allocated memory, the out-of-memory check overflowed.
Instead of implementing additional checks during allocation,
`zend_set_memory_limit()` now validates the new memory limit. When
below the current memory usage the ini_set call will fail and throw
a warning.
This is part of GH-7040.
While the specified restriction was checked, the #[Attribute]
attribute did not specify the flags parameter, so that Reflection
returned incorrect information.
In particular, Attribute itself has a CLASS target, not an ALL
target.
mixed should be behaving the same way as no type here, and not
require X to be autoloaded. Everything apart from "void" is trivially
covariant to "mixed".
Only reset the uninitialized property flag once the type check
has succeeded. Previously the property was treated as unset rather
than uninitialized after a failed assignment.
Noticed this edge-case while working on accessors...
The function name should be kept if Closure was created from the function which is marked as ZEND_ACC_CALL_VIA_TRAMPOLINE, because it is not a one-time thing and it may be called multiple times.
Closes GH-6867.
Handle this in the implementation of get_current_key of user_it,
so that the callers may assume that the key is not a reference.
Fixes oss-fuzz #33018.
zend_find_array_dim_slow() may throw, make sure to handle this.
This backports the code we already use for this on PHP-8.0,
and also backports an exception check that makes this easier to
catch.
We need to first clean the symtable and then check whether a cache
slot is available for it. Otherwise, it may happen that a destructor
runs while cleaning the table and uses up all the remaining slots
in the cache.
This is particularly insidious because once we overflow the cache,
the first pointer we modify is symtable_cache_ptr, making it hard
to understand what happened after the fact.
Fixes oss-fuzz #30815.
For a division like [1..1]/[2..2] produce [0..1] as a result, which
would be the integer envelope of the floating-point result.
The implementation is pretty ugly (we're now taking min/max across
eight values...) but I couldn't come up with a more elegant way
to handle this that doesn't make things a lot more complex (the
division sign handling is the annoying issue here).
Nikita Popov