Fix propagation of ZEND_ACC_RETURN_REFERENCE for call trampoline

Fixes GH-16515
Closes GH-16529

Merge branch 'PHP-8.1' into PHP-8.2

* PHP-8.1:
Fix freeing of incompletely initialized closures

Fix freeing of incompletely initialized closures

Addref to relevant fields before allocating any memory. Also only set/remove the
ZEND_ACC_HEAP_RT_CACHE flag after allocating memory.

Fix freeing of incompletely initialized closures

Addref to relevant fields before allocating any memory. Also only set/remove the
ZEND_ACC_HEAP_RT_CACHE flag after allocating memory.

Fixes GH-12073
Closes GH-12074

show more ...

Fix a memory leak in tracig JIT when the same closure is called through Closure::call() and natively.

Closure::call() makes a temporary copy of original closure function, modifies its
sc

Fix a memory leak in tracig JIT when the same closure is called through Closure::call() and natively.

Closure::call() makes a temporary copy of original closure function, modifies its
scope, resets ZEND_ACC_CLOSURE flag and call it through zend_call_function().
As result the same function may be called with and without
ZEND_ACC_CLOSURE flag, that confuses JIT and may lead to memory leak or
even worse memory errors.

The patch allocates "fake" closure object and keep ZEND_ACC_CLOSURE flag
to always behave in the same way.

show more ...

Delay releasing closures until after observer end

Don’t reset func in zend_closure_internal_handler

The pointer is used in _zend_observe_fcall_begin().

Revert "Store default object handlers alongside the class entry"

This reverts commit 9e6eab3c139b41dc976dd5305fd1a6e387e5e27f.

Reverted along a01dd9fedaecd2e5b95bc5c2e8d6542116addea

Revert "Store default object handlers alongside the class entry"

This reverts commit 9e6eab3c139b41dc976dd5305fd1a6e387e5e27f.

Reverted along a01dd9fedaecd2e5b95bc5c2e8d6542116addeae.

show more ...

Store default object handlers alongside the class entry

Object handlers being separate from class entries is a legacy inherited from PHP 5. Today it has little benefit to keep them separate:

Store default object handlers alongside the class entry

Object handlers being separate from class entries is a legacy inherited from PHP 5. Today it has little benefit to keep them separate: in fact, accessing object handlers usually requires not-so-safe hacks.
While it is possible to swap handlers in a custom installed create_object handler, this mostly is tedious, as well as it requires allocating the object handlers struct at runtime, possibly caching it etc..

This allows extensions, which intend to observe other classes to install their own class handlers.
The life cycle of internal classes may now be simply observed by swapping the class handlers in post_startup stage.
The life cycle of userland classes may be observed by iterating over the new classes in zend_compile_file and zend_compile_string and then swapping their handlers.

In general, this would also be a first step in directly tying the object handlers to classes. Especially given that I am not aware of any case where the object handlers would be different between various instances of a given class.

Signed-off-by: Bob Weinand <bobwei9@hotmail.com>

show more ...

Show function name when dumping fake closure (#9306)

Fixes GH-8962

Avoid using a stack allocated zend_function in Closure::call, to avoid prevent crashes on bailout

Having a stack allocated zend_function may cause crashes if the stack is polluted between ba

Avoid using a stack allocated zend_function in Closure::call, to avoid prevent crashes on bailout

Having a stack allocated zend_function may cause crashes if the stack is polluted between bailout and the actual unwinding in zend_observer_fcall_end_all.

Signed-off-by: Bob Weinand <bobwei9@hotmail.com>

show more ...

Convert return type of various object handlers from int to zend_result (#8755)

Fix null static_variable_ptr for uncalled fake closures

Closes GH-8083
Closes GH-8109

Merge branch 'PHP-8.1'

* PHP-8.1:
Fix emory leak

Fix emory leak

Fixes oss-fuzz #44408

Use more compact representation for packed arrays.

- for packed arrays we store just an array of zvals without keys.
- the elements of packed array are accessible throuf as ht->arPacked[

Use more compact representation for packed arrays.

- for packed arrays we store just an array of zvals without keys.
- the elements of packed array are accessible throuf as ht->arPacked[i]
instead of ht->arData[i]
- in addition to general ZEND_HASH_FOREACH_* macros, we introduced similar
familied for packed (ZEND_HASH_PACKED_FORECH_*) and real hashes
(ZEND_HASH_MAP_FOREACH_*)
- introduced an additional family of macros to access elements of array
(packed or real hashes) ZEND_ARRAY_ELEMET_SIZE, ZEND_ARRAY_ELEMET_EX,
ZEND_ARRAY_ELEMET, ZEND_ARRAY_NEXT_ELEMENT, ZEND_ARRAY_PREV_ELEMENT
- zend_hash_minmax() prototype was changed to compare only values

Because of smaller data set, this patch may show performance improvement
on some apps and benchmarks that use packed arrays. (~1% on PHP-Parser)

TODO:
- sapi/phpdbg needs special support for packed arrays (WATCH_ON_BUCKET).
- zend_hash_sort_ex() may require converting packed arrays to hash.

show more ...

Always use direct pointer (not map_ptr slot) to access run_time_cache of a closure instance

Avoid non-immutable map_ptr indirection

Merge branch 'PHP-8.0'

* PHP-8.0:
Fix Closure::call() on internal method closure

Merge branch 'PHP-7.4' into PHP-8.0

* PHP-7.4:
Fix Closure::call() on internal method closure

Fix Closure::call() on internal method closure

In this case we should use the original internal handler. Otherwise
the trampoline will attempt to free the closure, but the function
b

Fix Closure::call() on internal method closure

In this case we should use the original internal handler. Otherwise
the trampoline will attempt to free the closure, but the function
being used is not actually part of a closure anymore.

show more ...

Fix use after free when rebinding __call closure

We would end up freeing the function name twice here, once for
the original closure, and once for the rebound one.

Rather than f

Fix use after free when rebinding __call closure

We would end up freeing the function name twice here, once for
the original closure, and once for the rebound one.

Rather than further special casing the zend_closure_call_magic
case, always addref the function_name for internal functions,
the same we do for userland functions. To compensate, we need to
release the original function name when creating from callable
or call frame.

Fixes oss-fuzz #37695.

show more ...

Set called_scope in __callStatic closure trampoline

Add ZEND_ACC_NOT_SERIALIZABLE flag

This prevents serialization and unserialization of a class and its
children in a way that does not depend on the zend_class_serialize_deny
and zend

Add ZEND_ACC_NOT_SERIALIZABLE flag

This prevents serialization and unserialization of a class and its
children in a way that does not depend on the zend_class_serialize_deny
and zend_class_unserialize_deny handlers that will be going away
in PHP 9 together with the Serializable interface.

In stubs, `@not-serializable` can be used to set this flag.

This patch only uses the new flag for a handful of Zend classes,
converting the remainder is left for later.

Closes GH-7249.
Fixes bug #81111.

show more ...

Add first-class callables

Support acquiring a Closure to a callable using the syntax
func(...), $obj->method(...), etc. This is essentially a
shortcut for Closure::fromCallable().

Add first-class callables

Support acquiring a Closure to a callable using the syntax
func(...), $obj->method(...), etc. This is essentially a
shortcut for Closure::fromCallable().

RFC: https://wiki.php.net/rfc/first_class_callable_syntax

Closes GH-7019.

Co-Authored-By: Nikita Popov <nikita.ppv@gmail.com>

show more ...

Fix bug #81237 comparison of fake closures doesn't work