The behaviour is weird in the sense that the reference must get
unwrapped. What ended up happening is that when destroying the old
reference the sources list was not cleaned properly. We add handling for
that. Normally we would use use ZEND_TRY_ASSIGN_STRINGL but that doesn't
work here as it would keep the reference and change values through
references (see bug #26639).
Closes GH-16272.
In the test, I have an internal `__call` function for `_ZendTestMagicCallForward` that calls the global function with name `$name` via `call_user_function`.
Note that observer writes the pointer to the previously observed frame in the last temporary of the new call frame (`*prev_observed_frame`).
The following happens:
First, we call `$test->callee`, this will be handled via a trampoline with T=2 for the two arguments. The call frame is allocated at this point. This call frame is not observed because it has `ZEND_ACC_CALL_VIA_TRAMPOLINE` set. Next we use `ZEND_CALL_TRAMPOLINE` to call the trampoline, this reuses the stack frame allocated earlier with T=2, but this time it is observed. The pointer to the previous frame is written outside of the call frame because `T` is too small (should be 3). We are now in the internal function `_ZendTestMagicCallForward::__call` where we call the global function `callee`. This will push a new call frame which will overlap `*prev_observed_frame`. This value gets overwritten by `zend_init_func_execute_data` when `EX(opline)` is set because `*prev_observed_frame` overlaps with `EX(opline)`. From now on, `*prev_observed_frame` is corrupted. When `zend_observer_fcall_end` is called this will result in reading wrong value `*prev_observed_frame` into `current_observed_frame`. This causes issues in `zend_observer_fcall_end_all` leading to the segfault we observe.
Despite function with `ZEND_ACC_CALL_VIA_TRAMPOLINE` not being observed, the reuse of call frames makes problems when `T` is not large enough.
To fix this, we make sure to add 1 to `T` if `ZEND_OBSERVER_ENABLED` is true.
Closes GH-16252.
Bisect points to 94ee4f9, however this only reveals the problem.
Cloning an object on a lower branch and trying to call its methods
crashes as well. Cloning the object shouldn't be possible in the first
place because there's an engine constraint that when we have a new
object handler we should also have a clone handler. This constraint is
not fulfilled here.
Closes GH-16245.
libpcre2 can return the special value -1 for a non-match.
In this case we get pointer overflow, although it doesn't matter in
practice because the pointer will be in bounds and the copy length will
be 0. Still, we should fix the UBSAN warning.
Closes GH-16205.
Unfortunately, old DOM allows attributes to be used as parent nodes.
Only text nodes and entities are allowed as children for these types of
nodes, because that's the constraint DOM and libxml give us.
Closes GH-16156.
These failures are caused by the fix for GHSA-p99j-rfp4-xqvq. Since
the two bug*.phpt tests don't need the "wsdl" query string, and don't
even need php-cgi, we just remove the `--GET--` section. The two
server*.phpt tests are harder to fix, since during evaluation of the
`--SKIPIF--` section, the soap extension can be loaded, but it may not
during evaluation of the `--FILE--` section. So for now, we skip these
tests on Windows altogether.
Co-authored-by: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Closes GH-16084.
On NixOS, the output of phpinfo() can get very large, causing us to run into the
backtracking limit. Lazy matching for .*/.+ can help reduce backtracking.
Apparently example.org now rejects POST requests, so we would need to
adjust the test expectation ("Method not allowed"). However, there is
no need for an online test; instead we're just using the CLI test
server. The serialization is a bit fiddly, but as long as there are
no quotes in `PHP_CLI_SERVER_ADDRESS` we're fine.
Closes GH-16063.
We check that the "attrib" and "modtype" keys are present in each array.
If not we throw a ValueError, in line with what other validation failure cases do.
Closes GH-16057
We need to avoid signed integer overflows which are undefined behavior.
We catch that, and set `offset` to `ZEND_LONG_MAX` (which is also the
largest value of `zend_off_t` on all platforms). Of course, that seek
may fail, but even if it succeeds, the stream is no longer readable,
but that matches the current behavior for offsets near `ZEND_LONG_MAX`.
Closes GH-15989.
Exactly these tests are failing on all our macOS x64 CI runners for
about a week. For now we mark them as xfail, to get back to a green
CI pipeline.
Closes GH-16002.
We need to avoid signed integer overflows which are undefined behavior.
We catch that, and set `offset` to `ZEND_LONG_MAX` (which is also the
largest value of `zend_off_t` on all platforms). Of course, after such
a seek a stream is no longer readable, but that matches the current
behavior for offsets near `ZEND_LONG_MAX`.
Closes GH-15989.
This works, but UBSan running on a big endian platform (in this, ppc64)
will complain that the ((uchar*)buffer)[n] is int, and shifting that
could be weird. Since the value of PHAR_GET_32 et al are almost always
unsigned, it makes sense to cast these as unsigned.
Fixes phar tests on a big endian system with UBSan enabled.
This was first reported as a leak in GH-15026, but was mistakingly
believed to be a false positive. Then an assertion was added and it got
triggered in GH-15908. This fixes the leak. Upon merging into master the
assertion should be removed as well.
Closes GH-15924.
Upon unwinding from an exception, the parser state is not stable, we
should not continue updating the values if an exception was thrown.
Closes GH-15879.
