In a lot of places the return value is not checked, and when the
function fails the code continues execution. However, this means that
operations on the stack fail and will cause memory leaks on the objects
that weren't pushed.
We also notice an inconsistency in how these failures are handled.
For example, in one place we explicitly have a fatal error
`php_error_docref(NULL, E_ERROR, "Memory allocation failure");`
but this is the only place to do so.
Closes GH-20957.
This test still fails on i386 Windows with "Allowed memory size of %d bytes
exhausted" because the output buffer grows too big. My first intuition was to
add a chunk_size to ob_start, but this won't work if the output buffer is
flushed deep into the call stack, causing a premature or just a second stack
limit error. So, reduce the stack size in an attempt to produce less output.
When FE_RESET_RW executes, it converts the CV to a reference before
checking if the array/object is empty. However, when the JIT creates
exit points for FE_RESET_RW in zend_jit_trace_handler(), it wasn't
updating the stack type for op1 to reflect this change.
This caused side traces compiled from these exit points to have
incorrect type information. The side trace's CV cleanup code would
see IS_OBJECT and generate a direct call to zend_objects_store_del(),
but the actual value was a zend_reference*, causing a segfault.
The fix adds ZEND_FE_RESET_RW to the list of opcodes that temporarily
set their op1 stack type to IS_UNKNOWN before creating exit points.
This follows the same pattern used for ZEND_BIND_INIT_STATIC_OR_JMP.
When IS_UNKNOWN, the JIT falls back to SSA type info which correctly
includes MAY_BE_REF for FE_RESET_RW's op1_def.
Fixes GH-20818
Closes GH-20948
This is similar to f6c2e40a11 but for minimal JIT + tracing JIT.
Most of the times the tracing JIT shouldn't rely on going to the VM, but
in some cases, like in minimal JIT, it can and then it hits the same
bug.
Closes GH-20897.
This can trigger the memory limit in run-tests.php, which buffers the tests
output. Instead, only output "nesting level too deep" and discard the rest.
Closes GH-20946
* Fix use-after-free in FE_FREE with GC interaction
When FE_FREE with ZEND_FREE_ON_RETURN frees the loop variable during
an early return from a foreach loop, the live range for the loop
variable was incorrectly extending past the FE_FREE to the normal
loop end. This caused GC to access the already-freed loop variable
when it ran after the RETURN opcode, resulting in use-after-free.
Fix by splitting the ZEND_LIVE_LOOP range when an FE_FREE with
ZEND_FREE_ON_RETURN is encountered:
- One range covers the early return path up to the FE_FREE
- A separate range covers the normal loop end FE_FREE
- Multiple early returns create multiple separate ranges
* Split the live-ranges of loop variables again
b0af9ac733 removed the live-range splitting of foreach variables, however it only added handling to ZEND_HANDLE_EXCEPTION.
This was sort-of elegant, until it was realized in 8258b7731b that it would leak the return variable, requiring some more special handling.
At some point we added live tmpvar rooting in 52cf7ab8a2, but this did not take into account already freed loop variables, which also might happen during ZEND_RETURN, which cannot be trivially accounted for, without even more complicated handling in zend_gc_*_tmpvars() functions.
This commit also proposes a simpler way of tracking the loop end in loopvar freeing ops: handle it directly during live range computation rather than during compilation, eliminating the need for opcache to handle it specifically.
Further, opcache was using live_ranges in its basic block computation in the past, which it no longer does. Thus this complication is no longer necessary and this approach should be actually simpler now.
Closes#20766.
Signed-off-by: Bob Weinand <bobwei9@hotmail.com>
---------
Signed-off-by: Bob Weinand <bobwei9@hotmail.com>
Co-authored-by: Gustavo Lopes <mail@geleia.net>
Internal enums can be cloned and compared, unlike user enums, because we didn't set default_object_handlers when registering internal enums.
Fix by setting default_object_handlers when registering internal enums.
Fixes GH-20914
Closes GH-20915
The element may be still in use in other places, so the linking pointers
should be kept consistent. If not consistent, the "move forward" code in
the sample test will read a stale, dangling pointer.
Closes GH-20885.
In the following optimization:
JMPZ(X,L1) JMP(L2) L1: -> JMPNZ(X,L2) NOP
L1 must not be followed by another block, so that it may safely be followed by
the block containing the JMPNZ. get_next_block() is used to verify L1 is the
direct follower. This function also skips empty blocks, including live, empty
target blocks, which will then implicitly follow the new follow block. This will
result in L1 being followed by two separate blocks, which is not possible.
Resolve this by get_next_block() stopping at target blocks.
Fixes OSS-Fuzz #472563272
Closes GH-20850
Fix copy-and-paste mistakes in the sodium extension.
crypto_scalarmult_BYTES and crypto_scalarmult_ristretto255_BYTES
have the same value, so behavior is unchanged.
The reason why freeing was not done yet is because the pointer in these
variables may be:
- Static data set by the readline/libedit library initially, not heap
data.
- Data set by another thread. Although the libraries appear to be not
thread-safe anyway.
To solve this, introduce some TLS variables to hold a pointer for us
when we override the settings, such that we can free them and are
certain they are allocated by us.
Closes GH-20794.
Makes it like ext/standard/tests/file/filetype_variation.phpt; it's not
just Windows that can have a missing posix_mkfifo, but also a minimal
build, like the ones suggested that RMs test with (using --disable-all).
Static analysis reports that the bounds check comes after reading the
byte from the buffer.
In practice, this is tagged data that loops until the end tag is found
and therefore there isn't really a bug. The extra length check is only
there for extra hardening.
So we simply silence the static analysers and improve the hardening.
See also https://docwiki.embarcadero.com/InterBase/15/en/Isc_dsql_sql_info()
If you can extend the file between the file size gathering (resulting in
a buffer allocation), and reading / writing to the file you can trigger a
TOC-TOU where you write out of bounds.
To solve this, add extra bound checks and make sure that write actions
always fail when going out of bounds.
The easiest way to trigger this is via a pipe, which is used in the
test, but it should be possible with a regular file and a quick race
condition as well.
Closes GH-20591.
C14N code expects namespace to be in-tree, but we store namespaces in a
different way out-of-tree to avoid reconciliations that break the tree
structure in a way unexpected by the DOM spec. In the DOM spec,
namespace nodes don't exist; they're regular attributes.
To solve this, we temporarily make fake namespace nodes that we later
remove.
Closes GH-20457.
