Fix zend_separate_if_call_and_write for FUNC_ARGs

Fixes GH-12102
Closees GH-12140

Remove redundant condition

Never refactor code just before pushing

Fix segfault in format_default_value due to unexpected enum/object

Evaluating constants at comptime can result in arrays that contain objects. This
is problematic for printing the defaul

Fix segfault in format_default_value due to unexpected enum/object

Evaluating constants at comptime can result in arrays that contain objects. This
is problematic for printing the default value of constant ASTs containing
objects, because we don't actually know what the constructor arguments were.
Avoid this by not propagating array constants.

Fixes GH-11937
Closes GH-11947

show more ...

Always memoize assert

Closes GH-11686

Fix use-of-uninitialized-value with ??= on assert

Normally, PHP evaluates all expressions in offsets (property or array), as well
as the right hand side of assignments before actually fe

Fix use-of-uninitialized-value with ??= on assert

Normally, PHP evaluates all expressions in offsets (property or array), as well
as the right hand side of assignments before actually fetching the offsets. This
is well explained in this blog post.

https://www.npopov.com/2017/04/14/PHP-7-Virtual-machine.html#writes-and-memory-safety

For ??= we have a bit of a problem in that the rhs must only be evaluated if the
lhs is null or undefined. Thus, we have to first compile the lhs with BP_VAR_IS,
conditionally run the rhs and then re-fetch the lhs with BP_VAR_W to to make
sure the offsets are valid if they have been invalidated.

However, we don't want to just re-evaluate the entire lhs because it may contain
side-effects, as in $array[$x++] ??= 42;. In this case, we don't want to
re-evaluate $x++ because it would result in writing to a different offset than
was previously tested. The same goes for function calls, like
$array[foo()] ??= 42;, where the second call to foo() might result in a
different value. PHP behaves correctly in these cases. This is implemented by
memoizing sub-expressions in the lhs of ??= and reusing them when compiling the
lhs for the second time. This is done for any expression that isn't a variable,
i.e. anything that can (potentially) be written to.

Unfortunately, this also means that function calls are considered writable due
to their return-by-reference semantics, and will thus not be memoized. The
expression foo()['bar'] ??= 42; will invoke foo() twice. Even worse,
foo(bar()) ??= 42; will call both foo() and bar() twice, but
foo(bar() + 1) ??= 42; will only call foo() twice. This is likely not by design,
and was just overlooked in the implementation. The RFC does not specify how
function calls in the lhs of the coalesce assignment behaves. This should
probably be improved in the future.

Now, the problem this commit actually fixes is that ??= may memoize expressions
inside assert() function calls that may not actually execute. This is not only
an issue when using the VAR in the second expression (which would usually also
be skipped) but also when freeing the VAR. For this reason, it is not safe to
memoize assert() sub-expressions.

There are two possible solutions:

1. Don't memoize any sub-expressions of assert(), meaning they will execute
twice.
2. Throw a compile error.

Option 2 is not quite simple, because we can't disallow all memoization inside
assert(), as that would break assertions like assert($array[foo()] ??= 'bar');.
Code like this is highly unlikely (and dubious) but possible. In this case, we
would need to make sure that a memoized value could not be used across the
assert boundary it was created in. The complexity for this is not worthwhile. So
we opt for option 1 and disable memoization immediately inside assert().

Fixes GH-11580
Closes GH-11581

show more ...

Fix mis-compilation of by-reference nullsafe operator

Fixes oss-fuzz #60011
Closes GH-11540

Co-authored-by: Dmitry Stogov <dmitry@zend.com>
Co-authored-by: Niels Dossche <77

Fix mis-compilation of by-reference nullsafe operator

Fixes oss-fuzz #60011
Closes GH-11540

Co-authored-by: Dmitry Stogov <dmitry@zend.com>
Co-authored-by: Niels Dossche <7771979+nielsdos@users.noreply.github.com>

show more ...

Fix GH-8841: php-cli core dump calling a badly formed function

It's actually not php-cli specific, nor SAPI specific.
We should delay the registration of the function into the function t

Fix GH-8841: php-cli core dump calling a badly formed function

It's actually not php-cli specific, nor SAPI specific.
We should delay the registration of the function into the function table
until after the compilation was successful, otherwise the function is
mistakingly registered and a NULL dereference will happen when trying to
call it.

I based my test of Nikita's test, so credits to him for the test:
https://github.com/php/php-src/pull/8933#issuecomment-1259881008

Closes GH-10989.

show more ...

Fix GH-10570: Assertion `(key)->h != 0 && "Hash must be known"' failed.

Fixes GH-10570, see GH-10570 for analysis.

Closes GH-10572

Fix lsp error in eval'd code referring to incorrect class for static type

Fixes GH-9407
Closes GH-9471

Fix class name FQN when AST dumping new and class const

Fixes GH-9447
Closes GH-9462

Fix memory leaks

Fixes oss-fuzz #50078

Merge branch 'PHP-8.0' into PHP-8.1

Emit EXT_STMT for each 'elseif' clause

Fix crush after compilation of nullsafe operator introduced in 307e476e86e19135976ba7e686558de68dbb9b29

Now we flush only delayed opcodes realted to this nullsafe operator.

Fixes os

Fix crush after compilation of nullsafe operator introduced in 307e476e86e19135976ba7e686558de68dbb9b29

Now we flush only delayed opcodes realted to this nullsafe operator.

Fixes oss-fuzz #42152

show more ...

Improve final/abstract methods in interfaces error messages

Closes #81683
Closes GH-7722

Fix invalid opcode for ??= on $GLOBALS

Closes #81684
Closes GH-7717

Fixed bug #81216 (Nullsafe operator leaks dynamic property name)

Fixes oss-fuzz #38542

Allow constant folding bw_not on string

This will not actually error.

Merge branch 'PHP-8.0' into PHP-8.1

* PHP-8.0:
Don't implement Stringable on traits

Don't implement Stringable on traits

Traits do not support interfaces, so we should not implement
Stringable on them.

Also check the __toString() return type in the same way oth

Don't implement Stringable on traits

Traits do not support interfaces, so we should not implement
Stringable on them.

Also check the __toString() return type in the same way other
magic methods do, otherwise we would now miss the check in the
trait case.

show more ...

Fix self-assign evaluation order for ASSIGN_DIM_OP

For $ary[idx] op= $ary we should evaluate the RHS operand first,
otherwise we may create a reference-free recursive array. Use the

Fix self-assign evaluation order for ASSIGN_DIM_OP

For $ary[idx] op= $ary we should evaluate the RHS operand first,
otherwise we may create a reference-free recursive array. Use the
same handling we do for the normal $ary[idx] = $ary case.

Fixes oss-fuzz #40287.

show more ...

Fix incorrect access of AST_UNPACK

list_is_keyed() did not take into account that there may be
AST_UNPACK elements. These would error lateron anyway, but still
produce an invalid acc

Fix incorrect access of AST_UNPACK

list_is_keyed() did not take into account that there may be
AST_UNPACK elements. These would error lateron anyway, but still
produce an invalid access here.

show more ...

Fixed assign coalesce. "$a[0] ??= $a" should evaluate the right $a first.

Fixed assign coalesce. "$a[0] ??= $a" should evaluate the right $a first.

Convert exception during delayed autoload to fatal error

Same as with other exceptions during inheritance, convert those
thrown during delayed class loading into fatal errors. We can't

Convert exception during delayed autoload to fatal error

Same as with other exceptions during inheritance, convert those
thrown during delayed class loading into fatal errors. We can't
properly deal with such exceptions, as inheritance cannot be
gracefully aborted at this point.

Fixes oss-fuzz #39405.

show more ...