The cookie option parser uses a wrong offset to start scanning
attributes, causing cookie values containing substrings like
"path=" or "domain=" to be falsely matched as attributes.
close GH-21400
This path wasn't tested (clearly).
To trigger this we use FFI, which seemed like the easiest way that
doesn't involve using another process messing with the shared memory.
Closes GH-21388.
Fix `PQTRACE_SUPPRESS_TIMESTAMPS` guard misspelling in pgsql.stub.php.
The guard has been misspelled as `PQTRACE_SUPPPRESS_TIMESTAMPS`
(three P's) since 7ec8ae12c4, preventing the
`PGSQL_TRACE_SUPPRESS_TIMESTAMPS` constant from being registered.
close GH-21386
Also switch to uint64_t as that's used on master and makes the code
simpler to fix.
Closes GH-20807.
Co-authored-by: Arnaud Le Blanc <arnaud.lb@gmail.com>
Mirror the mdata_used protection pattern from php_pcre_replace_func_impl
in php_pcre_match_impl, php_pcre_replace_impl, php_pcre_split_impl,
and php_pcre_grep_impl.
close GH-21291
Fix pcre2_code leak when pcre2_pattern_info() fails after a successful
pcre2_compile(), and fix match_sets/match_data/marks leak when
offsets[1] < offsets[0] in php_pcre_match_impl().
close GH-21298
Since GH-15021 preloaded constants are propagated to compiled scripts. This is
problematic for file cache, which assumes all referenced zvals are either
persistently allocated or local to the current script. However, preloaded
constants live in shm as immutable, but not persistent.
To solve this, we'd need to duplicate propagated constants in the optimizer when
file cache is used. This is error prone given it needs to happen in many places.
It's debatable whether constant propagation is even correct in this case, as
running the preloaded script on a restart isn't guaranteed to produce the same
result.
Hence, avoid the issue for now by just not relying on preloaded symbols when
file cache is used.
Fixes GH-21052
Closes GH-21281
When installing executables that were built using libtool, we are
supposed to use
$ libtool --mode-install <install-command>
rather than the bare <install-command>. This is discussed ever so
briefly in the "Installing executables" section of the GNU libtool
documentation:
https://www.gnu.org/software/libtool/manual/libtool.html
So far this has not caused a problem with GNU libtool on the platforms
that PHP supports, but there is an alternate libtool implementation
called slibtool that stores wrappers at the locations where PHP is
expecting the true executables to live. As a result, the wrappers (and
not the executables) are installed when slibtool is used to build PHP.
This is fixed by replacing,
$(INSTALL)
with
$(LIBTOOL) --mode=install $(INSTALL)
in the install-foo rules for the executables that are built with
libtool.
Closes GH-13674
Move the signal table update after the php_signal4 call, mirroring
what is already done in the SIG_DFL/SIG_IGN (integer) code path.
This prevents a stale entry in the table if sigaction fails.
close GH-21270
Add missing PCNTL_CPU_DESTROY(mask) call before RETURN_THROWS() when
the cpu id is out of range, matching the cleanup on other error paths.
close GH-21268
Save errno into a local int before calling close(fd), as close() may
clobber errno on failure. Use int rather than errno_t because errno_t
is defined in C11 Annex K (bounds-checking interfaces) which is
optional and not widely implemented — many platforms (Linux/glibc,
musl, macOS, FreeBSD) do not provide it.
close GH-21256
Truncating to an int seems dangerous, esp. in combination with a MIN
macro. I don't see a reason to truncate the length from size_t to int,
and especially no reason to change the signedness.
Closes GH-20747.
In SCCP, arrays containing partial objects must be marked as partial so that
their values are not accidentally propagated.
Fixes GH-21227
Closes GH-21232
This avoids a crash in cases where the list of candidate encodings is so huge
that alloca would fail. Such crashes have been observed when the list of
encodings was larger than around 208,000 entries.
When building in strict mode (e.g. -std=c11), compilation of
main/debug_gdb_scripts.c fails because asm() is not a standard top level
statement. __asm__() however can be reserved by the compiler even in strict
mode.
Partially fixes GH-21215. IR needs a similar fix (dstogov/ir#128).
Closes GH-21226.
The PHP_PQ_ERROR macro calls php_error_docref() which triggers user error handlers
thus libpq does not have the chance to clean the resources (and empty
connections string are allowed) on failure thus we avoid this macro
and delay the error handling after.
close GH-21165
in the ipv6 address creation helper we need to use, for the error
message, the converted data rather than assuming the original
is a proper zend_string().
close GH-21166
The SysV shared memory allocator in OPcache hardcodes a maximum segment size of
32MB (SEG_ALLOC_SIZE_MAX). If the JIT buffer exceeds this, which it does with
the default 64MB size, startup will fail with "Insufficient shared memory!".
The allocator will now try allocating a contiguous buffer first, and only then
use segmentation by searching for continuously smaller powers of 2.
Fixes GH-20718
Closes GH-20719
There are two issues:
1. The 'e' formatter doesn't output the seconds of the timezone even if
it has seconds.
2. var_dump(), (array) cast, serialization, ... don't include the
timezone second offset in the output. This means that, for example,
serializing and then unserializing a date object loses the seconds of
the timezone. This can be observed by comparing the output of
getTimezone() for `$dt` vs the unserialized object in the provided test.
Closes GH-20764.
The "current" and "end" field also rely on start_ce, which is set by
"start". Therefore, if "current" or "end" are provided, so must "start"
be provided.
Closes GH-20939.
In GH-18039 we guard the underlying property before forwarding access
to the real instance of a lazy proxy. When the real instance lacks magic
methods, the assertion zobj->ce->ce_flags & ZEND_ACC_USE_GUARDS fails in
zend_get_property_guard().
Fix by checking that the real instance uses guards.
Fixes GH-20504
Closes GH-21093
A lazy object is marked non-lazy when all its properties are
initialized. Before doing so we delete the object info, resulting in a
temporarily invalid state. In GH-20657 the GC is triggered at this moment.
Fix by deleting the object info _after_ marking it non lazy.
Fixes GH-20657
Closes GH-21094
Prior to this patch there was a common read handler, and it relied on
the dom class set in the intern document. However, Dom\Implementation
allows creating DTDs unassociated with a document, so we can't rely on
an intern document and the check fails. This causes the ZVAL_NULL() path
to be taken.
To solve this, just split the handler.
Closes GH-21082.
Inline assembly in zend_safe_address() clobbers flags register. Add missing
register in clobber list for aarch64 and powerpc64. Other archs were already
correct.
Fixes GH-21029
In a lot of places the return value is not checked, and when the
function fails the code continues execution. However, this means that
operations on the stack fail and will cause memory leaks on the objects
that weren't pushed.
We also notice an inconsistency in how these failures are handled.
For example, in one place we explicitly have a fatal error
`php_error_docref(NULL, E_ERROR, "Memory allocation failure");`
but this is the only place to do so.
Closes GH-20957.
The computed number of properties using zend_hash_num_elements(zobj->properties)
is incorrect when the object contains virtual properties. We don't have a
trivial way to find the number of properties virtual properties that need to be
added to this number, so just append with zend_hash_add_new() instead.
Fixes GH-20479
Closes GH-20988
When FE_RESET_RW executes, it converts the CV to a reference before
checking if the array/object is empty. However, when the JIT creates
exit points for FE_RESET_RW in zend_jit_trace_handler(), it wasn't
updating the stack type for op1 to reflect this change.
This caused side traces compiled from these exit points to have
incorrect type information. The side trace's CV cleanup code would
see IS_OBJECT and generate a direct call to zend_objects_store_del(),
but the actual value was a zend_reference*, causing a segfault.
The fix adds ZEND_FE_RESET_RW to the list of opcodes that temporarily
set their op1 stack type to IS_UNKNOWN before creating exit points.
This follows the same pattern used for ZEND_BIND_INIT_STATIC_OR_JMP.
When IS_UNKNOWN, the JIT falls back to SSA type info which correctly
includes MAY_BE_REF for FE_RESET_RW's op1_def.
Fixes GH-20818
Closes GH-20948
This is similar to f6c2e40a11 but for minimal JIT + tracing JIT.
Most of the times the tracing JIT shouldn't rely on going to the VM, but
in some cases, like in minimal JIT, it can and then it hits the same
bug.
Closes GH-20897.
When __clone of the underlying object fails with a bailout, ZEND_ASSERT(res ==
SUCCESS) in zend_lazy_object_del_info() will fail because the info has not been
registered yet.
Only copy OBJ_EXTRA_FLAGS once the info has been successfully registered.
Fixes GH-20905
Closes GH-20975
