Range analysis may fail to converge (the process hangs) when the transfer
function zend_inference_calc_range produces a smaller range.
Fix by ensuring that the widening operator zend_inference_widening_meet
allows only widening. This matches the inference rules in figure 13 of the
paper.
Fixes GH-19679
Closes GH-19683
Since cbf67e4, the GC needs to find all WeakMaps referencing a weakly
referenced object. Doing so, it treats all ZEND_WEAKREF_TAG_MAP as WeakMap
instances.
However, a ZEND_WEAKREF_TAG_MAP reference may be a bare HashTable when
zend_weakrefs_hash_add() is used.
Introduce a new tag, ZEND_WEAKREF_TAG_BARE_HT, and use this tag when weakly
referencing an object from a bare HashTable. Ignore such references in GC.
Fixes GH-19543
Closes GH-19544
Co-authored-by: Tim Düsterhus <tim@tideways-gmbh.com>
yylen is unsigned int, but len in zend_scan_escape_string() is int, which will
break for string literals >=2GB. yyleng is still limited to 4GB, but we can't
fix this without breaking the ABI.
Partially addresses GH-19542
Closes GH-19545
On some systems, like Alpine, the thread stack size is small by default.
The last step of SSA construction involves variable renaming that is
recursive, and also makes copies of their version of the renamed
variables on the stack. This combination causes a stack overflow during
compilation on Alpine. Triggerable for example with very long match
statements.
A stop-gap solution would be to use heap allocated arrays for the
renamed variable list, but that would only delay the error as increasing
the number of match arms increases the depth of the dominator tree, and
will eventually run into the same issue.
This patch transforms the algorithm into an iterative one.
There are two states stored in a worklist stack: positive numbers
indicate that the block still needs to undergo variable renaming.
Negative numbers indicate that the block and its dominated children are
already renamed. Because 0 is also a valid block number, we bias the
block numbers by adding 1.
To restore to the right variant when backtracking the "recursive" step,
we index into an array pointing to the different variable renaming
variants.
Closes GH-19083.
8MB sounded a prudent size for older 10.9 macOs release, however
with newer mac with arm64, it triggers a stack overflow.
Cherry picks b320aabc5e (GH-13319) from PHP-8.4.
Closes GH-19390.
Generator::throw() on a running generator is not allowed. It throws "Cannot
resume an already running generator" when trying to resume the generator to
handle the provided exception.
However, when calling Generator::throw() on a generator with a non-Generator
delegate, we release the delegate regardless. If a Fiber was suspended in
the delegate, this causes use after frees when the Fiber is resumed.
Fix this by throwing "Cannot resume an already running generator" earlier.
Fixes GH-19326
Closes GH-19327
Normally we prevent generators from being resumed while they are already
running, but we failed to do so for generators delegating to non-Generators. As
a result such generator can be resumed, terminated, which causes unexpected
results (crashes) later.
In gh19306.phpt in particular, the generator delegate It::getIterator() suspends
while being called by generator g(). We then resume g(), which throws while
trying to resume It::getIterator(). This causes g() and It::getIterator()
to be released. We then UAF when resuming the Fiber in It::getIterator().
Fix this by ensuring that generators are marked as running while they fetch
the next value from the delegate.
Fixes GH-19306
Closes GH-19315
Having an empty result array is not a problem, because zend_hash_extend()
will initialize it. Except it does not when the number of elements to add
equals 0, which leaves the array uninitialized and therefore does not
set the packed flag, causing the assertion failure.
Technically, removing the assert would also work and save a check.
On the other hand, this check could also prevent some real work to be
done and should be relatively cheap as we already have to compute the
sum anyway.
Closes GH-19318.
re2c version 4 enabled some warnings by default. This fixes re2c code
for the `-Wuseless-escape` warnings.
There are two same issues reported.
Issue: GH-17523
Closes: GH-17204
Both these issues have the same root cause, their reproducer is
extremely similar so I don't duplicate the test.
If the parser invokes the lexer, and the lexer fails, it could've
allocated a string which must be freed when the parser backs up.
The `%destructor` list is responsible for this but did not have an entry
for `fallback` yet. Solve the issue by adding such an entry.
Closes GH-19012.
The first warning may trigger an error handler, destroying the operand
and its string. So we need to protect the string in that case.
Care was taken to avoid unnecessary refcounts and to avoid touching the
hot code path.
Closes GH-18951.
When the array functions perform their operation in-place, the
`@refcount 1` annotation is wrong and causes a failure under
`ZEND_VERIFY_FUNC_INFO`.
The test file tests all functions that have the in-place optimization,
even those that didn't have the refcount annotation, just to prevent
future regressions.
Closes GH-18929.
real_size is returned by memory_get_usage(true), which previously returned 0.
Discovered in Symfony ConsumeMessagesCommandTest::testRunWithMemoryLimit()
through nightly.
Closes GH-18880
The VM assumes that an exception must be handled when the AST evaluation
returns FAILURE. However, the comparison functions always return SUCCESS
even if an exception happened. This can be fixed in
zend_ast_evaluate_inner() or we can make is_smaller_function() etc check
for the exception. I chose the former to avoid impact or API breaks.
Perhaps in the future the comparison functions should either return void
or return whether an exception happened, as to be not misleading.
Closes GH-18589.
This causes problems if an allocation profiler decides to walk the
stack, or if the engine itself OOMs on this opcode, and it tries to
print file and line information.
With nested objects and recursive comparisons, it is for now unavoidable
to have a stack overflow we do some early damage control attempt early
on with zend.max_allowed_stack_size check but ultimately more a band-aid
than a definitive solution.
close GH-18577
If there's a try-finally where the try_op starts on a basic block with a
single JMP, and the JMP optimization causes that basic block to become
unreachable, then we update try_op.
In this case, there is no catch_op, so try_op is erroneously set to 0,
we should instead set it to `b->start`.
Closes GH-18110.
We destroy classes of dl()'ed modules in clean_module_classes(), during
shutdown. Child classes of a module use structures of the parent class (such as
inherited properties), which are destroyed earlier, so we have a use-after-free
when destroying a child class.
Here I destroy classes in reverse order, as it is done in zend_shutdown() for
persistent classes.
Fixes GH-17961
Fixes GH-15367
Jakub Zelenka