On win64, xmm6-xmm15 are preserved registers, but the prologues and
epilogues of JITted code don't handle these. The issue occurs when
calling into the JIT code again via an internal handler
(like call_user_func). Therefore, we want to save/restore xmm registers
upon entering/leaving execute_ex. Since MSVC x64 does not support inline
assembly, we create an assembly wrapper around the real execute_ex
function.
The alternative is to always save/restore these xmm registers into the
fixed call frame, but this causes unnecessary overhead.
The same issue occurs for ARM64 platforms for floating point register
8 to 15. However, there we can use inline asm to fix this.
Closes GH-18352.
If there's a try-finally where the try_op starts on a basic block with a
single JMP, and the JMP optimization causes that basic block to become
unreachable, then we update try_op.
In this case, there is no catch_op, so try_op is erroneously set to 0,
we should instead set it to `b->start`.
Closes GH-18110.
in_array() calls are compiled to frameless calls. Adjust the
optimization appropriately. Luckily, frameless opcodes simplify the
optimization quite a bit.
Fixes GH-18050
Closes GH-18066
We destroy classes of dl()'ed modules in clean_module_classes(), during
shutdown. Child classes of a module use structures of the parent class (such as
inherited properties), which are destroyed earlier, so we have a use-after-free
when destroying a child class.
Here I destroy classes in reverse order, as it is done in zend_shutdown() for
persistent classes.
Fixes GH-17961
Fixes GH-15367
Writing to an uninitialized lazy proxy will initialize the underlying
object and then call zend_std_write_property() on it. If this happens
inside a hook, zend_std_write_property() should not call the hook again
but directly write to the property slot. This didn't previously work
because zend_should_call_hook() would compare the parent frame
containing the proxy to the underlying object. This is now handled
explicitly.
Fixes GH-18000
Closes GH-18001
zend_std_write_property() can return the variable pointer, but the code
was using a local variable, and so a pointer to a local variable could
be returned. Fix this by using the value pointer instead of the backup
value was written.
This can be more efficient on master by using the safe_assign helper.
Closes GH-17947.
The cache slot for FETCH_OBJ_W in function `test` is primed with the
class for C. The next call uses a simplexml instance and reuses the same
cache slot. simplexml's get_property_ptr handler does not use the cache
slot, so the old values remain in the cache slot. When
`zend_handle_fetch_obj_flags` is called this is not guarded by a check
for the class entry. So we end up using the prop_info from the property
C::$a instead of the simplexml property.
This patch adds a reset to the cache slots in the property address fetch
code and also in the extensions with a non-standard reference handler.
This keeps the run time cache consistent and avoids the issue without
complicating the fast paths.
Closes GH-17739.
The following code poses a problem in the JIT:
```php
class A {
public $prop = 1;
}
class B extends A {
public $prop = 1 {
get => parent::$prop::get() * 2;
}
}
function test(A $a) {
var_dump($a->prop);
}
test(new B);
```
The JIT would assume A::$prop in test() could be accessed directly
through OBJ_PROP_NUM(). However, since child classes can add new hooks
to existing properties, this assumption no longer holds.
To avoid introducing more JIT checks, a hooked property that overrides a
unhooked property now results in a separate zval slot that is used
instead of the parent slot. This causes the JIT to pick the slow path
due to an IS_UNDEF value in the parent slot.
zend_class_entry.properties_info_table poses a problem in that
zend_get_property_info_for_slot() and friends will be called using the
child slot, which does not store its property info, since the parent
slot already does. In this case, zend_get_property_info_for_slot() now
provides a fallback that will iterate all property infos to find the
correct one.
This also uncovered a bug (see Zend/tests/property_hooks/dump.phpt)
where the default value of a parent property would accidentally be
inherited by the child property.
Fixes GH-17376
Closes GH-17870
This regressed in GH-17592.
The function is with its attributes HashTable* is copied in
zend_get_closure_invoke_method() but its refcount is not increased.
This caused a crash in the Symfony demo page.
Closes GH-17880.
This solely affects the builtin enum functions currently.
Given that these are stored in SHM, we cannot simply hardwire a pointer into the internal function runtime cache on NTS too, but have to use a MAP_PTR (like on ZTS).
Now, by design, the runtime cache of internal functions no longer is reset between requests, hence we need to store them explicitly as static runtime cache.
On NTS builds we cannot trivially move the pointers into CG(internal_run_time_cache) as they're directly stored on the individual functions (on ZTS we could simply iterate the static map_ptrs).
Hence, we have the choice between having opcache managing the internal run_time_cache for its preloaded functions itself or realloc CG(internal_run_time_cache) and iterate through all functions to assign the new address. We choose the latter for simplicity and initial speed.
`new Reflectionproperty($scope, $propName)` keeps a reference to the
zend_property_info of $propName declared in $scope. In getRawValue() and
related methods, we use this reference to check whether the property is hooked.
Calling `new ReflectionProperty($scope, $propName)->getRawValue($object)` is
equivalent to the expression $object->$propName from scope $scope (except that
it bypasses hooks), and thus may access an overridden property (unless the
original is private). This property may have hooks and different flags.
Here I fetch the effective property info before checking for hooks and
property flags.
Fixes GH-17713
Closes GH-17714
This was asked to be checked in https://github.com/php/php-src/pull/17472#issuecomment-2591325036
There are 2 issues:
1) The UB in the if can overflow, and can be fixed by using zend_ulong
for the sum/sub.
2) fast_long_sub_function() has a problem when result aliases.
This is fixed in the same way as fast_long_add_function() works.
Closes GH-17666.
Saki Takamachi