History log of /php-src/NEWS (Results 351 – 375 of 14930)
# 7e4a3236 10-Oct-2023 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-12392: Segmentation fault on SoapClient::__getTypes

There are two issues:
- UAF because the hashmap resized while being iterated over, yet the local
variables used internally in the macros are not updated.
- The hashmap being iterated over is modified: entries are deleted after
other entries have been added. This causes the deletion to fail sometimes
because indices of buckets have shifted.

Fix it by using a while loop iteration and HashPosition position tracker
instead.
Issue exists on PHP 8.1 too, but is much harder to trigger.
The test file reproduces the issue reliably on PHP 8.2 and up.

Closes GH-12409.


# 71f14510 09-Oct-2023 Daniil Gentili

Fix GH-11121: ReflectionFiber segfault

Closes GH-12391.

Co-authored-by: Aaron Piotrowski <aaron@trowski.com>


# 1f4159e5 11-Oct-2023 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

[ci skip] NEWS

Entry for 90f2e7607a.


# 71774611 10-Oct-2023 Daniil Gentili

Report warning if JIT cannot be enabled

Closes GH-12404


# 53dbb760 10-Oct-2023 Ilija Tovilo

Fix use-after-free of constant name

The constant name is usually interned. Without opcache, compilation always
interns strings. Without opcache, compilation does not intern (new) strings, but
persisting of script does. If a script is not stored in shm the constant name
will not be interned.

The building of enum backing stores was missing an addref for the constant name,
leading to a double-free when releasing constants and backing stores of enums.

Fixes GH-12366
Closes GH-12405


# be64db59 10-Oct-2023 Patrick Allaert

PHP-8.1 is now for PHP 8.1.26-dev


# 2642a086 10-Oct-2023 Pierrick Charron

PHP-8.2 is now for PHP 8.2.13-dev


# cd71ab33 10-Oct-2023 Eric Mann

Prepare NEWS for PHP 8.3.0RC5


# 24e5e4ec 08-Oct-2023 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-8996: DOMNode serialization on PHP ^8.1

PHP 8.1 introduced a seemingly unintentional BC break in ca94d55a19 by
blocking the (un)serialization of DOM objects.
This was done because the serialization never really worked and just
resulted in an empty object, which upon unserialization just resulted in
an object that you can't use.

Users can however implement their own serialization methods, but the
commit made that impossible as the ACC flag gets passed down to the
child class. An approach was tried in #10307 with a new ACC flag to
selectively allow serialization with subclasses if they implement the
right methods. However, that was found to be too ad hoc.

Instead, let's abuse how the __sleep and __wakeup methods work to throw
the exception instead. If the child class implements the __serialize /
__unserialize method, then the throwing methods won't be called.
Similarly, if the child class implements __sleep and __wakeup, then
they're overridden and it doesn't matter that they throw.

For the user, this PR has the exact same behaviour for (sub)classes that
don't implement the serialization methods: an exception will be thrown.
For code that previously implemented subclasses with these methods, this
approach will make that code work again. This approach should be both BC
preserving and unbreak user's code.

Closes GH-12388.

For the test:
Co-authored-by: wazelin <contact@sergeimikhailov.com>


# fb683877 07-Oct-2023 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-12380: JIT+private array property access inside closure accesses private property in child class

For private fields, the scope has to be taken into account, otherwise
the property info may come from the wrong ce.

Closes GH-12381.


Revision tags: php-8.2.0RC1, php-8.1.10, php-8.0.23, php-8.0.23RC1, php-8.1.10RC1, php-8.2.0beta3, php-8.2.0beta2, php-8.1.9, php-8.0.22, php-8.1.9RC1, php-8.2.0beta1, php-8.0.22RC1, php-8.0.21, php-8.1.8, php-8.2.0alpha3, php-8.1.8RC1, php-8.2.0alpha2, php-8.0.21RC1, php-8.0.20, php-8.1.7, php-8.2.0alpha1, php-7.4.30, php-8.1.7RC1, php-8.0.20RC1, php-8.1.6, php-8.0.19, php-8.1.6RC1, php-8.0.19RC1, php-8.0.18, php-8.1.5, php-7.4.29, php-8.1.5RC1, php-8.0.18RC1, php-8.1.4, php-8.0.17, php-8.1.4RC1, php-8.0.17RC1, php-8.1.3, php-8.0.16, php-7.4.28
# 2e0ca471 04-Feb-2022 David CARLIER

opcache posix creating special shared segments for FreeBSD 13 and above.

From this release, it is permitted to create shared memory blocks tagged
as large for faster accesses for a size compatible with otherwise
we fallback to a classic creation.

Close GH-8037


# 75da0d7c 08-Oct-2023 Omar Emara

PGSQL: Allow unconditional selection in pg_select

Previously, pg_select did not allow unconditional selection, where an
empty ids array would result in a function failure.

This patch implements two changes:
- Make the ids array an optional parameter.
- Allow the ids array to be empty.

In both cases, unconditional selection happens, which is equivalent to
pg_query('SELECT * FROM <table>;').

Two test cases were added to test the aforementioned changes.

Close GH-5332


# f6ac08c6 05-Oct-2023 coppolafab

php_cli_server: ensure single date header is present

Currently the PHP Development Server appends a Date header in the
response, despite it already being set from user code.

Added a check condition before appending the header, and a test file.

Closes GH-12363.


# 42a85fc5 06-Oct-2023 Tim Düsterhus

password_hash: Increase PHP_PASSWORD_BCRYPT_COST to 12 (#12367)

RFC: https://wiki.php.net/rfc/bcrypt_cost_2023


# f4ab4949 29-Sep-2023 Mikhail Galanin

Invalidate path even if the file was deleted

Closes GH-12323


# 4ba56999 02-Oct-2023 Ilija Tovilo

Fix invalid returned opcode for memoized expressions

Closes GH-12345


# bdc87b0f 27-Sep-2023 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix #80092: ZTS + preload = segfault on shutdown

After preloading has executed, the executor globals for class_table and
function_table are still referring to the values during preloading.
If no request happens after that then these values will remain dangling
pointers. If then the -v option on CLI or -h option (and possibly
others) on CGI is provided, there is a double free.
Fix it by nulling the pointers explicitly after preloading has finished
to fix it for all SAPIs.

Closes GH-12311.


# b31a5b27 01-Oct-2023 Ilija Tovilo

Fix str_decrement() on "1"

Closes GH-12339


# eebc528c 01-Oct-2023 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix broken cache invalidation with deallocated and reallocated document node

The original caching implementation had an oversight in combination with
the new lifetime management in DOM for 8.3.
The modification counter is stored on the document object itself, but as
that can get deallocated when all references disappear, stale cache data
can be used. Normally this isn't a problem, unless getElementsByTagName is
called not on the document but on a child node. Fix it by moving caching
data into the ref object, which will outlive all nodes from a document
even if the document object disappears.

Closes GH-12338.


# 5c749ad4 30-Sep-2023 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Implement request #64137 (XSLTProcessor::setParameter() should allow both quotes to be used)

This reimplements the parameter handling. Instead of quoting the strings
manually, adding them to an array, and passing that as input; use the
libxslt API to pass data verbatim to the processor.
This also simplifies the code a lot.

Closes GH-12331.


# b842ea4f 28-Sep-2023 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Apply SimpleXML iterator fixes only on master

Many methods in SimpleXML reset the iterator when called. This has the
consequence that mixing these operations with loops can cause infinite
loops, or the loss of iteration data.
Some people may however rely on the resetting behaviour. To prevent
unintended breaks in stable branches, let's only apply the fix to master.

This reverts GH-12193, GH-12229, GG-12247 for stable branches while
keeping them on master, adding a note in UPGRADING as well.


# 643c4ba4 29-Sep-2023 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Revert "Fix GH-10008: Narrowing occurred during type inference of ZEND_ADD_ARRAY_ELEMENT"

Although it passes CI on 8.1, it causes CI failures in the JIT on 8.2 and
higher.
See https://github.com/php/php-src/actions/runs/6357716718/job/17269225001

This reverts commit e72fc12058dc0ee7bfe534dfa3daf46f3b357190.


# df89409a 29-Sep-2023 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix compile error with -Werror=incompatible-function-pointer-types and old libxml2

libxml2 prior to 2.9.8 had a different signature for xmlHashScanner.
This signature changed in https://github.com/GNOME/libxml2/commit/e03f0a199a67017b2f8052354cf732b2b4cae787
Use an #if to work around the incompatible signature.

Closes GH-12326.


# e72fc120 26-Sep-2023 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-10008: Narrowing occurred during type inference of ZEND_ADD_ARRAY_ELEMENT

This test triggers narrowing for two ops: first ZEND_ADD_ARRAY_ELEMENT,
and then ZEND_ASSIGN.

The type inference happens in the following order:
1) The ZEND_ADD_ARRAY_ELEMENT infers type 0x40e04080 (packed flag is set),
arr_type=0 at this point because it hasn't been set by ZEND_INIT_ARRAY yet.
2) The ZEND_INIT_ARRAY infers type 0x40804080
3) The ZEND_ADD_ARRAY_ELEMENT infers type 0x40e04080, arr_type=0x40804080,
which does not have the packed flag set while the existing result of
ZEND_ADD_ARRAY_ELEMENT has the packed flag set.

This seems to occur because of the phi node introduced by the while
loop. If I remove the loop the problem goes away.

As Arnaud noted, this seems to be caused by a too wide type inference
for arr_type==0. We should keep the invariant that if x>=y then
key_type(x) >= key_type(y).
If we write the possible results down in a table we get:

```
arr_type           resulting key type
---------------    --------------------------------------------------------------------------
HASH_ONLY       -> MAY_BE_ARRAY_NUMERIC_HASH
PACKED_ONLY     -> MAY_BE_ARRAY_NUMERIC_HASH | MAY_BE_ARRAY_PACKED (== MAY_BE_ARRAY_KEY_LONG)
HASH || PACKED  -> MAY_BE_ARRAY_NUMERIC_HASH | MAY_BE_ARRAY_PACKED (== MAY_BE_ARRAY_KEY_LONG)
0               -> MAY_BE_ARRAY_NUMERIC_HASH | MAY_BE_ARRAY_PACKED (== MAY_BE_ARRAY_KEY_LONG)
```

As we can see, `HASH_ONLY > 0` but
`MAY_BE_ARRAY_NUMERIC_HASH < MAY_BE_ARRAY_NUMERIC_HASH | MAY_BE_ARRAY_PACKED`,
which violates the invariant.
Instead if we modify the zero case to have MAY_BE_ARRAY_NUMERIC_HASH instead,
we get the following table which satisfies the invariant.

```
arr_type           resulting key type
---------------    --------------------------------------------------------------------------
HASH_ONLY       -> MAY_BE_ARRAY_NUMERIC_HASH
PACKED_ONLY     -> MAY_BE_ARRAY_NUMERIC_HASH | MAY_BE_ARRAY_PACKED (== MAY_BE_ARRAY_KEY_LONG)
HASH || PACKED  -> MAY_BE_ARRAY_NUMERIC_HASH | MAY_BE_ARRAY_PACKED (== MAY_BE_ARRAY_KEY_LONG)
0               -> MAY_BE_ARRAY_NUMERIC_HASH
```

Broke in 1ffbb73.
Closes GH-10294.


# 2a7f23e9 28-Sep-2023 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix type error on XSLTProcessor::transformToDoc return value with SimpleXML

The return type is wrong. You can also use this method with SimpleXML.
In fact, PHP provides a way that even third party libraries can hook
into its XML handling. Therefore, we cannot even use the
SimpleXML|DOMDocument|false union type as third party extensions may
extend the possibilities.

Broke in 8.1 in 1b35056a33.

Closes GH-12315.

