#
08f1d470 |
| 07-Dec-2021 |
Dmitry Stogov |
Separate "cold" code
|
#
5459ed4c |
| 06-Dec-2021 |
Dmitry Stogov |
Fix use after free because of data clobbering by user error handler
Fixes oss-fuzz #41692
|
#
1d054b3f |
| 03-Dec-2021 |
Dmitry Stogov |
Fix array object clobbering by user error handler
Fixes oss-fuzz #41605 and #41610
|
Revision tags: php-8.1.1RC1, php-8.0.14RC1 |
|
#
09547c64 |
| 01-Dec-2021 |
Dmitry Stogov |
Fix clobbering of operand by error handler in assignment to string offset
In some cases new code requires two reallocations instead of one. Fixes oss-fuzz #31716, #36196, #39739 and #40002
|
Revision tags: php-7.4.27RC1 |
|
#
fbdded1f |
| 28-Nov-2021 |
Tyson Andre |
Use interned string for calling count() in Zend VM
Similar to f0dd79a7e415d8b1d4a3868a27975d6578c87961
Copied from GH-7695
|
Revision tags: php-8.1.0, php-8.0.13, php-7.4.26, php-7.3.33, php-8.1.0RC6, php-7.4.26RC1, php-8.0.13RC1, php-8.1.0RC5, php-7.3.32, php-7.4.25, php-8.0.12, php-8.1.0RC4 |
|
#
902d6439 |
| 11-Oct-2021 |
Nikita Popov |
Deprecate implicit dynamic properties
Writing to a property that hasn't been declared is deprecated, unless the class uses the #[AllowDynamicProperties] attribute or defines __get()/__set().
RFC: https://wiki.php.net/rfc/deprecate_dynamic_properties
|
#
4d4fe763 |
| 17-Nov-2021 |
Nikita Popov |
Fixed bug #81631
We need to save the opline before fetching the operand, as it may throw an undef var warning.
|
#
fa0b84a0 |
| 11-Nov-2021 |
Dmitry Stogov |
Partially fix handling of exceptions thrown in interrupt handlers
|
#
90b7bde6 |
| 03-Nov-2021 |
Dmitry Stogov |
Use more compact representation for packed arrays.
- for packed arrays we store just an array of zvals without keys.
- the elements of packed array are accessible through ht->arPacked[i] instead of ht->arData[i]
- in addition to general ZEND_HASH_FOREACH_* macros, we introduced similar families for packed (ZEND_HASH_PACKED_FORECH_*) and real hashes (ZEND_HASH_MAP_FOREACH_*)
- introduced an additional family of macros to access elements of array (packed or real hashes) ZEND_ARRAY_ELEMET_SIZE, ZEND_ARRAY_ELEMET_EX, ZEND_ARRAY_ELEMET, ZEND_ARRAY_NEXT_ELEMENT, ZEND_ARRAY_PREV_ELEMENT
- zend_hash_minmax() prototype was changed to compare only values
Because of smaller data set, this patch may show performance improvement on some apps and benchmarks that use packed arrays. (~1% on PHP-Parser)
TODO:
- sapi/phpdbg needs special support for packed arrays (WATCH_ON_BUCKET).
- zend_hash_sort_ex() may require converting packed arrays to hash.
|
#
1a2fb90b |
| 01-Nov-2021 |
Nikita Popov |
Fix finally exception chaining on recursion
In this case zend_exception_set_previous() would destroy the fast_call exception and further accesses on ex would be invalid. We should only update ex if we update EG(exception). Fixes oss-fuzz #40464.
|
#
da0d246e |
| 19-Oct-2021 |
Nikita Popov |
Drop FREE_OP_VAR_PTR() distinction
FREE_OP_VAR_PTR() is like FREE_OP(), but only frees VAR, rather than VARs and TMPs. I don't think this distinction makes sense anymore, as opcodes using FREE_OP_VAR_PTR() generally only accept VAR or CV. For the cases where other op types are accepted and only freeing VAR is desired we already have FREE_OP_IF_VAR(). This drops FREE_OP_VAR_PTR(), leaving only FREE_OP() and FREE_OP_IF_VAR().
|
#
22b6aac6 |
| 19-Oct-2021 |
Nikita Popov |
Fix inc/dec of undef var with error handler
Set the variable to null after emitting the undef var notice rather than before. This avoids an assertion failure if the var is unset by the error handler. The flip side is that this may cause a leak instead, but that's the more harmless outcome. Fixes oss-fuzz #36604.
|
#
a2e3ca1f |
| 12-Oct-2021 |
Nikita Popov |
Don't free FETCH_W operand if GLOBAL_LOCK
The error path performed the free unconditionally, while we should not do it for GLOBAL_LOCK. Fixes oss-fuzz #39868.
|
Revision tags: php-8.0.12RC1, php-7.4.25RC1 |
|
#
11a9b036 |
| 05-Oct-2021 |
Nikita Popov |
Fix duplicate undef warning in assign_dim_op
In case of auto-vivification we were fetching dim twice and as such also emitting the undef var warning twice.
|
#
e11faad2 |
| 30-Sep-2021 |
Nikita Popov |
Create reference wrappers in SEND_UNPACK if necessary
Even if we can't actually pass by reference, we still need to create the REFERENCE wrapper to satisfy the calling convention. The particular test case would crash with JIT, because the existence of the reference was assumed. Fixes oss-fuzz #39440.
|
#
ec54ffad |
| 29-Sep-2021 |
Nikita Popov |
Handle throwing destructor in BIND_STATIC
Fixes oss-fuzz #39406.
|
Revision tags: php-8.1.0RC3, php-8.0.11, php-7.4.24, php-7.3.31 |
|
#
01453a0a |
| 17-Sep-2021 |
Nikita Popov |
Fix SEND_USER with ref arg
Even though the input is not a reference (or not treated as such), we still need to create a reference to satisfy the function signature. Various code relies on reference arguments actually being references. In this particular case, it would result in a JIT crash. The zend_call_function() implementation already handled this correctly.
|
Revision tags: php-8.1.0RC2 |
|
#
260d2acd |
| 14-Sep-2021 |
Nikita Popov |
Fix memory leak in array unpack with refcounted numeric string key
|
#
6381a16f |
| 09-Sep-2021 |
Nikita Popov |
Avoid use after free in internal prop type verification
This issue only applies to debug builds: read_property can free the object, but we'd try to check the object handlers afterwards. Rewrite the check in a way that only accesses the object before the read_property call. Fixes oss-fuzz #38297.
|
Revision tags: php-7.4.24RC1, php-8.0.11RC1, php-8.1.0RC1, php-7.4.23, php-8.0.10 |
|
#
a40ccd75 |
| 24-Aug-2021 |
Nikita Popov |
Fixed bug #81377
BP_VAR_UNSET should not result in undefined warnings.
|
Revision tags: php-7.3.30 |
|
#
0b7dffb4 |
| 17-Aug-2021 |
Christoph M. Becker |
Fix #73122: Integer Overflow when concatenating strings
We must avoid integer overflows in memory allocations, so we introduce an additional check in the VM, and bail out in the rare case of an overflow.
Closes GH-7381.
|
Revision tags: php-8.1.0beta3, php-8.0.10RC1, php-7.4.23RC1, php-8.1.0beta2 |
|
#
6d5ae649 |
| 03-Aug-2021 |
Nikita Popov |
Fix ASSIGN_DIM to NEXT with rc=1 reference value
The reference wrapper was destroyed while value still pointed into it and was later used to assign the ASSIGN_DIM return value. This could be fixed either by moving the return value assignment earlier, or by working with the value that has been stored in the array. I'm going with the latter here, because that matches what the non-NEXT codepath does via assign_to_variable more closely. Fixes oss-fuzz #36807.
|
#
05ef6334 |
| 29-Jul-2021 |
Joe Watkins |
Fix bug #81303 improve match errors
|
Revision tags: php-8.0.9 |
|
#
6c7b322d |
| 29-Jul-2021 |
Nikita Popov |
Fix parameter name in count() error message
This parameter has been renamed to $value.
|
#
60ea2cbf |
| 29-Jul-2021 |
Hao Sun |
Fix a typo in function execute_ex (#7315)
|