History log of /PHP-8.3/Zend/zend_vm_execute.h (Results 76 – 100 of 1980)
# 08f1d470 07-Dec-2021 Dmitry Stogov

Separate "cold" code


# 5459ed4c 06-Dec-2021 Dmitry Stogov

Fix use after free because of data clobbering by user error handler

Fixes oss-fuzz #41692


# 1d054b3f 03-Dec-2021 Dmitry Stogov

Fix array object clobbering by user error handler

Fixes oss-fuzz #41605 and #41610


Revision tags: php-8.1.1RC1, php-8.0.14RC1
# 09547c64 01-Dec-2021 Dmitry Stogov


Fix clobbering of operand by error handler in assignment to string offset

In some cases new code requires two reallocations instead of one.

Fixes oss-fuzz #31716, #36196, #39739 and #40002



Revision tags: php-7.4.27RC1
# fbdded1f 28-Nov-2021 Tyson Andre

Use interned string for calling count() in Zend VM

Similar to f0dd79a7e415d8b1d4a3868a27975d6578c87961

Copied from GH-7695


Revision tags: php-8.1.0, php-8.0.13, php-7.4.26, php-7.3.33, php-8.1.0RC6, php-7.4.26RC1, php-8.0.13RC1, php-8.1.0RC5, php-7.3.32, php-7.4.25, php-8.0.12, php-8.1.0RC4
# 902d6439 11-Oct-2021 Nikita Popov


Deprecate implicit dynamic properties

Writing to a property that hasn't been declared is deprecated,
unless the class uses the #[AllowDynamicProperties] attribute or
defines __get()/__set().

RFC: https://wiki.php.net/rfc/deprecate_dynamic_properties



# 4d4fe763 17-Nov-2021 Nikita Popov

Fixed bug #81631

We need to save the opline before fetching the operand, as it may
throw an undef var warning.


# fa0b84a0 11-Nov-2021 Dmitry Stogov

Partially fix handling of exceptions thrown in interrupt handlers


# 90b7bde6 03-Nov-2021 Dmitry Stogov


Use more compact representation for packed arrays.

- for packed arrays we store just an array of zvals without keys.
- the elements of packed array are accessible through ht->arPacked[i]
instead of ht->arData[i]
- in addition to general ZEND_HASH_FOREACH_* macros, we introduced similar
families for packed (ZEND_HASH_PACKED_FORECH_*) and real hashes
(ZEND_HASH_MAP_FOREACH_*)
- introduced an additional family of macros to access elements of array
(packed or real hashes) ZEND_ARRAY_ELEMET_SIZE, ZEND_ARRAY_ELEMET_EX,
ZEND_ARRAY_ELEMET, ZEND_ARRAY_NEXT_ELEMENT, ZEND_ARRAY_PREV_ELEMENT
- zend_hash_minmax() prototype was changed to compare only values

Because of smaller data set, this patch may show performance improvement
on some apps and benchmarks that use packed arrays. (~1% on PHP-Parser)

TODO:
- sapi/phpdbg needs special support for packed arrays (WATCH_ON_BUCKET).
- zend_hash_sort_ex() may require converting packed arrays to hash.



# 1a2fb90b 01-Nov-2021 Nikita Popov


Fix finally exception chaining on recursion

In this case zend_exception_set_previous() would destroy the
fast_call exception and further accesses on ex would be invalid.
We should only update ex if we update EG(exception).

Fixes oss-fuzz #40464.



# da0d246e 19-Oct-2021 Nikita Popov


Drop FREE_OP_VAR_PTR() distinction

FREE_OP_VAR_PTR() is like FREE_OP(), but only frees VAR, rather
than VARs and TMPs. I don't think this distinction makes sense
anymore, as opcodes using FREE_OP_VAR_PTR() generally only accept
VAR or CV. For the cases where other op types are accepted and
only freeing VAR is desired we already have FREE_OP_IF_VAR().

This drops FREE_OP_VAR_PTR(), leaving only FREE_OP() and
FREE_OP_IF_VAR().



# 22b6aac6 19-Oct-2021 Nikita Popov


Fix inc/dec of undef var with error handler

Set the variable to null after emitting the undef var notice
rather than before. This avoids an assertion failure if the var
is unset by the error handler.

The flip side is that this may cause a leak instead, but that's
the more harmless outcome.

Fixes oss-fuzz #36604.



# a2e3ca1f 12-Oct-2021 Nikita Popov

Don't free FETCH_W operand if GLOBAL_LOCK

The error path performed the free unconditionally, while we should
not do it for GLOBAL_LOCK.

Fixes oss-fuzz #39868.


Revision tags: php-8.0.12RC1, php-7.4.25RC1
# 11a9b036 05-Oct-2021 Nikita Popov

Fix duplicate undef warning in assign_dim_op

In case of auto-vivification we were fetching dim twice and as
such also emitting the undef var warning twice.


# e11faad2 30-Sep-2021 Nikita Popov


Create reference wrappers in SEND_UNPACK if necessary

Even if we can't actually pass by reference, we still need to
create the REFERENCE wrapper to satisfy the calling convention.
The particular test case would crash with JIT, because the existence
of the reference was assumed.

Fixes oss-fuzz #39440.



# ec54ffad 29-Sep-2021 Nikita Popov

Handle throwing destructor in BIND_STATIC

Fixes oss-fuzz #39406.


Revision tags: php-8.1.0RC3, php-8.0.11, php-7.4.24, php-7.3.31
# 01453a0a 17-Sep-2021 Nikita Popov


Fix SEND_USER with ref arg

Even though the input is not a reference (or not treated as such),
we still need to create a reference to satisfy the function
signature. Various code relies on reference arguments actually
being references. In this particular case, it would result in
a JIT crash.

The zend_call_function() implementation already handled this
correctly.



Revision tags: php-8.1.0RC2
# 260d2acd 14-Sep-2021 Nikita Popov

Fix memory leak in array unpack with refcounted numeric string key


# 6381a16f 09-Sep-2021 Nikita Popov


Avoid use after free in internal prop type verification

This issue only applies to debug builds: read_property can free
the object, but we'd try to check the object handlers afterwards.
Rewrite the check in a way that only accessed the object before
the read_property call.

Fixes oss-fuzz #38297.



Revision tags: php-7.4.24RC1, php-8.0.11RC1, php-8.1.0RC1, php-7.4.23, php-8.0.10
# a40ccd75 24-Aug-2021 Nikita Popov

Fixed bug #81377

BP_VAR_UNSET should not result in undefined warnings.


Revision tags: php-7.3.30
# 0b7dffb4 17-Aug-2021 Christoph M. Becker


Fix #73122: Integer Overflow when concatenating strings

We must avoid integer overflows in memory allocations, so we introduce
an additional check in the VM, and bail out in the rare case of an
overflow.

Closes GH-7381.



Revision tags: php-8.1.0beta3, php-8.0.10RC1, php-7.4.23RC1, php-8.1.0beta2
# 6d5ae649 03-Aug-2021 Nikita Popov


Fix ASSIGN_DIM to NEXT with rc=1 reference value

The reference wrapper was destroyed while value still pointed into
it and was later used to assign the ASSIGN_DIM return value. This
could be fixed either by moving the return value assignment earlier,
or by working with the value that has been stored in the array.
I'm going with the latter here, because that matches what the
non-NEXT codepath does via assign_to_variable more closely.

Fixes oss-fuzz #36807.



# 05ef6334 29-Jul-2021 Joe Watkins

Fix bug #81303 improve match errors


Revision tags: php-8.0.9
# 6c7b322d 29-Jul-2021 Nikita Popov

Fix parameter name in count() error message

This parameter has been renamed to $value.


# 60ea2cbf 29-Jul-2021 Hao Sun

Fix a typo in function execute_ex (#7315)

