The inline assembly uses labels with the prefix `.L`. On Linux systems
this is the local label prefix. It appears that macOS uses `L` as a
local prefix, which means that the prefix used in the inline assembly is not
local for macOS systems [1].
When combined with inlining, this causes the compiler to get confused
and merge a part of the inline assembly between different functions,
causing control flow to jump from one function to another function.
This is avoided on PHP 8.2 and up by the fact that it
uses `zend_never_inline NOIPA`, but nothing guarantees that compiler
changes won't affect this as well.
To solve this issue, we instead use local labels. These will make the
compiler pick the correct prefix, preventing the issue.
Additionally, while here, we also change the computation of `delta`.
It is undefined behaviour to compute the pointer difference between
two different objects. To circumvent this, we cast first to `uintptr_t`.
This change is cleanly backportable to 8.1 for vendors to pick up.
[1] https://github.com/php/php-src/issues/16168#issuecomment-2404792553
With the help of investigation and testing of @ryandesign.
Closes GH-16348.
zend_hash_get_current_key() does not return a string with incremented
refcount, so it shouldn't get released. This release caused a UAF later
when the attribute was destroyed. This wasn't noticed earlier because
object_init_with_constructor() was only ever tested with interned
strings.
Closes GH-16349.
As is, we're running the push workflow for all pushes and pull requests,
plus we run a more comprehensive nightly workflow for all branches which
had commits during the day. That means that security branches may not
run CI for weeks or even months. In the meantime, dependencies might
be updated, which can cause later workflow runs to fail. For instance,
a few openssl tests fail due to security fixes in OpenSSL[1], an update
of Oracle Instant Client causes a couple of oci8 and pdo_oci tests to
fail[2], and the macOS builds no longer even build (investigation
pending).
Therefore, we allow the pull workflow to be run manually, so it is
possible to check the CI condition of temporarily inactive branches from
time to time.
[1] <https://github.com/php/php-src/pull/16097>
[2] <https://github.com/php/php-src/pull/16107>
Closes GH-16148.
Converting PHP arrays to Variants originally supported almost arbitrary
numeric arrays, possibly filling gaps with NULL values. This is broken
as of PHP 7.0.0[1] so that the SafeArray only has as many elements as
the PHP array. Thus, unless the array is a list, some elements may be
written outside of the SafeArray data.
To avoid breaking userland code after that long time, we do not restore
the original behavior, but instead only suppress the erroneous writes.
To avoid the need to split the regression test for 32bit and 64bit
Windows, we suppress the "max number 4294967295 of elements in safe
array exceeded" warning, which only occurs for 64bit versions.
[1] <c865472ef0>
Closes GH-16309.
* curl: Prevent a CurlMultiHandle from holding onto a CurlHandle if `add_handle` fails
As a user I expect `curl_multi_add_handle` to not have any effect if it returns
an error and I specifically do not expect that it would be necessary to call
`curl_multi_remove_handle`.
* NEWS
3 issues:
1) RETURN_NULL() was used via the macro NODE_GET_OBJ(), but the function
returns false on failure and cannot return null according to its
stub.
2) The struct layout of the different implementors of libxml only
guarantees overlap between the node pointer and the document
reference, so accessing the std zend_object may not work.
3) DOC_GET_OBJ() wasn't using ZSTR_VAL().
Closes GH-16307.
The check called an API only available with this def set.
Gate the check behind ifdef and change control flow to better fit it.
Co-authored-by: Arnaud Le Blanc <arnaud.lb@gmail.com>
These tests are failing because the integers are too large to be cast
to a PHP int. We fix this by expecting either an int or a string.
Closes GH-16278.
zend_jit() assumes that Closure op_arrays have no scope, but this is not true
when using the hot counters, first exec, or trace triggers as they use the
executed op_array, which in the case of Closures is a copy, with a scope.
In the tracing JIT this problem is avoided as we fetch the original op_array
when compiling a Closure. Here I replicate this for the hot counters and first
exec triggers.
Fixes GH-16186
Closes GH-16200