History log of /PHP-8.3/Zend/Optimizer/zend_inference.c (Results 1 – 25 of 98)
# 86ef8d54 30-Aug-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-15661: Access null pointer in Zend/Optimizer/zend_inference.c

Closes GH-15666.


# 5f9b9c4e 15-Apr-2024 Dmitry Stogov

Fixed missed exception


# 3a5edcca 29-Jan-2024 Ilija Tovilo

Fix create_object checks

Since PHP 8.3, object handlers may be changed by setting
ce->default_object_handlers, rather than in ce->create_object. Some checks need
to be extended to check for the default handlers.

Closes GH-13272


# b33e3eb8 16-Jan-2024 Dmitry Stogov

Fix zend_may_throw() for FETCH_DIM_IS and ISSET_ISEMPTY_DIM_OBJ

Recently these instructions were updated to emit warning on inability to
convert double index to long. This may lead to exception.

This fixes memory leak on wordpress test suite (nightly workflow)


# 731734da 18-Dec-2023 Dmitry Stogov

Fixed type inference

Fixes oss-fuzz #65150


# 1e55c976 01-Dec-2023 Dmitry Stogov

Fixed type inference

Fixes oss-fuzz #64577, #64579, #64589


# 423a1e58 28-Nov-2023 Dmitry Stogov

Fixed GH-8251: Narrowing occurred during type inference of ZEND_FETCH_DIM_W


# 5a778704 08-Nov-2023 Dmitry Stogov

Fixed empty array inference


# cb1e8429 06-Nov-2023 Ilija Tovilo

Fix inference of COPY_TMP

Since GH-11592 COPY_TMP may receive and thus define references. Unfortunately,
the name COPY_TMP is no longer accurate.

Closes GH-12619


# 6bf40413 02-Nov-2023 Dmitry Stogov

Backport fix for HASH/PACKED array inference through MAY_BE_ARRAY_EMPTY flag (#12591)

* Fixed HASH/PACKED array inference through MAY_BE_ARRAY_EMPTY flag

This fixes GH-12527

* typo


# 798b9d09 02-Nov-2023 Dmitry Stogov

Fixed GH-10008: Narrowing occurred during type inference of ZEND_ADD_ARRAY_ELEMENT


# 52bb39e6 26-Oct-2023 Dmitry Stogov

Backport implementation of iterative Pearce's SCC finding algorithm (#12528)

Fixes GH-11795


# b3b46a44 31-Oct-2023 Dmitry Stogov

Fixed GH-12511: Use must be in next opline assertion with patched infection


# 5f46d869 26-Oct-2023 Dmitry Stogov

Fixed GH-12509: JIT assertion when running php-parser tests


# aa45df48 24-Oct-2023 Dmitry Stogov

Fixed incorrect type inference


# 54452b48 03-Oct-2023 Dmitry Stogov

Fixed GH-12262: Tracing JIT assertion crash when using phpstan


# 643c4ba4 29-Sep-2023 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Revert "Fix GH-10008: Narrowing occurred during type inference of ZEND_ADD_ARRAY_ELEMENT"

Although it passes CI on 8.1, it causes CI failures in the JIT on 8.2 and
higher.
See https://github.com/php/php-src/actions/runs/6357716718/job/17269225001

This reverts commit e72fc12058dc0ee7bfe534dfa3daf46f3b357190.


# e72fc120 26-Sep-2023 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix GH-10008: Narrowing occurred during type inference of ZEND_ADD_ARRAY_ELEMENT

This test triggers narrowing for two ops: first ZEND_ADD_ARRAY_ELEMENT,
and then ZEND_ASSIGN.

The type inference happens in the following order:
1) The ZEND_ADD_ARRAY_ELEMENT infers type 0x40e04080 (packed flag is set),
arr_type=0 at this point because it hasn't been set by ZEND_INIT_ARRAY yet.
2) The ZEND_INIT_ARRAY infers type 0x40804080
3) The ZEND_ADD_ARRAY_ELEMENT infers type 0x40e04080, arr_type=0x40804080,
which does not have the packed flag set while the existing result of
ZEND_ADD_ARRAY_ELEMENT has the packed flag set.

This seems to occur because of the phi node introduced by the while
loop. If I remove the loop the problem goes away.

As Arnaud noted, this seems to be caused by a too wide type inference
for arr_type==0. We should keep the invariant that if x>=y then
key_type(x) >= key_type(y).
If we write the possible results down in a table we get:

```
arr_type           resulting key type
---------------    --------------------------------------------------------------------------
HASH_ONLY       -> MAY_BE_ARRAY_NUMERIC_HASH
PACKED_ONLY     -> MAY_BE_ARRAY_NUMERIC_HASH | MAY_BE_ARRAY_PACKED (== MAY_BE_ARRAY_KEY_LONG)
HASH || PACKED  -> MAY_BE_ARRAY_NUMERIC_HASH | MAY_BE_ARRAY_PACKED (== MAY_BE_ARRAY_KEY_LONG)
0               -> MAY_BE_ARRAY_NUMERIC_HASH | MAY_BE_ARRAY_PACKED (== MAY_BE_ARRAY_KEY_LONG)
```

As we can see, `HASH_ONLY > 0` but
`MAY_BE_ARRAY_NUMERIC_HASH < MAY_BE_ARRAY_NUMERIC_HASH | MAY_BE_ARRAY_PACKED`,
which violates the invariant.
Instead if we modify the zero case to have MAY_BE_ARRAY_NUMERIC_HASH instead,
we get the following table which satisfies the invariant.

```
arr_type           resulting key type
---------------    --------------------------------------------------------------------------
HASH_ONLY       -> MAY_BE_ARRAY_NUMERIC_HASH
PACKED_ONLY     -> MAY_BE_ARRAY_NUMERIC_HASH | MAY_BE_ARRAY_PACKED (== MAY_BE_ARRAY_KEY_LONG)
HASH || PACKED  -> MAY_BE_ARRAY_NUMERIC_HASH | MAY_BE_ARRAY_PACKED (== MAY_BE_ARRAY_KEY_LONG)
0               -> MAY_BE_ARRAY_NUMERIC_HASH
```

Broke in 1ffbb73.
Closes GH-10294.


# d8696f92 17-Jul-2023 George Peter Banyard

[RFC] Path to Saner Increment/Decrement operators (#10358)

* Add behavioural tests for incdec operators

* Add support to ++/-- for objects castable to _IS_NUMBER

* Add str_increment() function

* Add str_decrement() function

RFC: https://wiki.php.net/rfc/saner-inc-dec-operators

Co-authored-by: Ilija Tovilo <ilija.tovilo@me.com>
Co-authored-by: Arnaud Le Blanc <arnaud.lb@gmail.com>


# 3d944a36 09-Jul-2023 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Update type inference for ZEND_STRLEN

Since PHP 8.0, this cannot return NULL anymore, the only possible return
value is long. See https://wiki.php.net/rfc/consistent_type_errors.


# 838d80e7 09-Jul-2023 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Update type inference for ZEND_GET_CLASS and ZEND_GET_CALLED_CLASS

These cannot return false anymore since PHP 8.0.


Revision tags: php-8.2.0RC1, php-8.1.10, php-8.0.23, php-8.0.23RC1, php-8.1.10RC1, php-8.2.0beta3
# 0b1d750d 11-Aug-2022 Ilija Tovilo

Allow arbitrary expressions in static variable initializer

Closes GH-9301


# fbf5216c 30-Apr-2023 nielsdos <7771979+nielsdos@users.noreply.github.com>

Fix too wide OR and AND range inference

There is a typo which causes the AND and OR range inference to infer a
wider range than necessary. Fix this typo. There are many ranges for
which the inference is too wide, I just picked one for AND and one for
OR that I found through symbolic execution.

In this example test, the previous range inferred for test_or was [-27..-1]
instead of [-20..-1].
And the previous range inferred for test_and was [-32..-25]
instead of [-28..-25].

Closes GH-11170.


# 0c65b396 10-Apr-2023 Dmitry Stogov

Allow FETCH_OBJ_W and FETCH_STATIC_PROP_W to return INDIRECT/UNDEF zval for uninitialized typed properties (#11048)


# 3175f24d 12-Mar-2023 Ilija Tovilo

Fix RC1 assumption for typed properties with __get

Unsetting typed properties resorts back to __get which may have RC1.

Closes GH-10833

