Fix GH-16727: Opcache bad signal 139 crash in ZTS bookworm (frankenphp)

Reproducer: https://github.com/php/php-src/issues/16727#issuecomment-2466256317

The root cause is a data race

Fix GH-16727: Opcache bad signal 139 crash in ZTS bookworm (frankenphp)

Reproducer: https://github.com/php/php-src/issues/16727#issuecomment-2466256317

The root cause is a data race between two different threads:

1) We allocate a lower cased name for an anonymous class here:
https://github.com/php/php-src/blob/f97353f228e21dcc2db24d7edf08c1cb3678b0fd/Zend/zend_compile.c#L8109
2) This gets looked up as an interned string here:
https://github.com/php/php-src/blob/f97353f228e21dcc2db24d7edf08c1cb3678b0fd/Zend/zend_compile.c#L8112
Assuming that there are uppercase symbols in the string and therefore
`lcname != name` and that `lcname` is not yet in the interned string table,
the pointer value of `lcname` won't change.
3) Here we add the string into the interned string table:
https://github.com/php/php-src/blob/f97353f228e21dcc2db24d7edf08c1cb3678b0fd/Zend/zend_compile.c#L8223
However, in the meantime another thread could've added the string into the interned string table.
This means that the following code will run, indirectly called via the `LITERAL_STR` macro,
freeing `lcname`: https://github.com/php/php-src/blob/62e53e6f4965f37d379a3fd21f65a4210c5c86b5/ext/opcache/ZendAccelerator.c#L572-L575
4) In the reproducer we then access the freed `lcname` string here:
https://github.com/php/php-src/blob/f97353f228e21dcc2db24d7edf08c1cb3678b0fd/Zend/zend_compile.c#L8229

This is solved in my patch by retrieving the interned string pointer
and putting it in `lcname`.

Closes GH-16748.

show more ...

ext/standard: Sync parameter names for fpow() to be identical to pow()

Closes GH-16751

ext/hash: Fix GH-16711: Segfault in mhash()

Closes GH-16713

Fix GH-16695: phar:// tar parser and zero-length file header blocks

There are two issues:
1) There's an off-by-one in the check for the minimum file size for a
tar (i.e. `>` inste

Fix GH-16695: phar:// tar parser and zero-length file header blocks

There are two issues:
1) There's an off-by-one in the check for the minimum file size for a
tar (i.e. `>` instead of `>=`).
2) The loop in the tar parsing parses a header, and then unconditionally
reads the next one. However, that doesn't necessarily exist.
Instead, we remove the loop condition and check for the end of the
file before reading the next header. Note that we can't use
php_stream_eof as the flag may not be set yet when we're already at
the end.

Closes GH-16700.

show more ...

Fail early in *nix configuration build script

Adding two exit early safeguards in the *nix configuration build script:

1) Given the initial cd into the build tree fails (the project

Fail early in *nix configuration build script

Adding two exit early safeguards in the *nix configuration build script:

1) Given the initial cd into the build tree fails (the project root),
the `buildconf` script exits with non-zero status (failure).
2) Given the grep command does not exist or `configure.ac` AC_INIT [1]
expectations are unmet, the buildconf script exits non-zero.

Additionally quoting the pathname to cd into and the empty CD_PATH
parameter for portability, also for systems that are using a
non-portable pathname [2] for the build tree.

The initial CD safeguard has been applied to the `buildconf` and
four more scripts:

- build/genif.sh
- scripts/dev/credits
- scripts/dev/genfiles
- scripts/dev/makedist

Rationale:

Cd-ing into the project root should always prematurely exit w/ FAILURE
as a required precondition for its invocation has not been met. This
should never go unnoticed as it always requires user intervention.

Similar and more specifically to the PHP build on *nix systems, the
grep command is required early to obtain the `php_extra_version` from
configure.ac. Previously, if the grep command is missing (or failing
due to not matching the line with the AC_INIT macro [1]), the internal
dev parameter would always be zero (0) which can easily result in the
situation that the configure script is not being rebuilt. This is
cumbersome as the rebuild of a configure script is more likely required
with checked-out dev versions under change rather than an already
properly set-up build environment on a dedicated build or release
system. Missing the fact that either the grep utility is missing or
the expectation of having the AC_INIT macro in configure.ac is unmet
should never go unnoticed as it always requires user intervention.

[1]: https://www.gnu.org/software/autoconf/manual/autoconf-2.67/html_node/Initializing-configure.html
[2]: https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_271

Closes GH-16717.

show more ...

Fix GH-16723: CURLMOPT_PUSHFUNCTION issues

We copy the source handler's FCCs to those of the destination.

We also fix the erroneous test assumption that the trampoline wouldn't

Fix GH-16723: CURLMOPT_PUSHFUNCTION issues

We copy the source handler's FCCs to those of the destination.

We also fix the erroneous test assumption that the trampoline wouldn't
be called.

Closes GH-16732.

show more ...

[ci skip] NEWS for ReflectionConstant additions

Fix memory leak in php_openssl_pkey_from_zval()

Closes GH-16691.

Fix various memory leaks related to openssl exports

Closes GH-16692.

Prevent unexpected array entry conversion when reading key

When passing an array, the key entry can get converted to a string if it
is an object, but this actually modifies the original

Prevent unexpected array entry conversion when reading key

When passing an array, the key entry can get converted to a string if it
is an object, but this actually modifies the original array entry.
The test originally outputted:

```
array(2) {
[0]=>
string(...) => ...
[1]=>
string(0) ""
}
```

This is unexpected. Use zval_try_get_string() to prevent this behaviour.

Closes GH-16693.

show more ...

Add Dom\Element::insertAdjacentHTML() (#16614)

ext/soap: fix `make check` being invoked in `ext/soap`

On NixOS we run `make` & `make check` inside `ext/soap` which broke the test
like this:

001+ Fatal error: Uncaught Soa

ext/soap: fix `make check` being invoked in `ext/soap`

On NixOS we run `make` & `make check` inside `ext/soap` which broke the test
like this:

001+ Fatal error: Uncaught SoapFault exception: [WSDL] SOAP-ERROR: Parsing WSDL: Couldn't load from 'ext/soap/tests/gh15711.wsdl' : failed to load "ext/soap/tests/gh15711.wsdl": No such file or directory
002+ in /build/php-8.3.13/ext/soap/tests/gh15711.php:29
003+ Stack trace:
004+ #0 /build/php-8.3.13/ext/soap/tests/gh15711.php(29): SoapClient->__construct('ext/soap/tests/...', Array)
005+ #1 {main}
006+ thrown in /build/php-8.3.13/ext/soap/tests/gh15711.php on line 29

Fix is to make the path dependant on `__DIR__` as it's the case in other
testcases including WSDLs.

Closes GH-16733.

show more ...

Fix 8.4 NEWS file

Fix GH-16432: PHP-FPM 8.2 SIGSEGV in fpm_get_status

Fix oss-fuzz report triggered by GH-15712 commit.

It triggered allocation overflow which, even fixed, in turn gives memory
leak on 32 bits but the allocator relies on signed integers.

Fix oss-fuzz report triggered by GH-15712 commit.

It triggered allocation overflow which, even fixed, in turn gives memory
leak on 32 bits but the allocator relies on signed integers.

close GH-15915

show more ...

[ci skip] NEWS for GH-16702

Fix GH-10992: Improper long path support for relative paths

Relative paths are passed to the ioutils APIs, these are not properly
converted to long paths. If the path length already exc

Fix GH-10992: Improper long path support for relative paths

Relative paths are passed to the ioutils APIs, these are not properly
converted to long paths. If the path length already exceeds a given
threshold (usually 259 characters, but only 247 for `mkdir()`), the
long path prefix is prepended, resulting in an invalid path, since long
paths have to be absolute. If the path length does not exceed that
threshold, no conversion to a long path is done, although that may be
necessary.

Thus we take the path length of the current working directory into
account when checking the threshold, and prepend it to the filename if
necessary.

Since this is only relevant for NTS builds, and using the current
working directory of the process would be erroneous for ZTS builds, we
skip the new code for ZTS builds.

Closes GH-16687.

show more ...

Fix GH-16665: \array and \callable should not be usable

This list was initially introduced in 53a40386, but never included array or
callable. I suppose this is because int & friends are

Fix GH-16665: \array and \callable should not be usable

This list was initially introduced in 53a40386, but never included array or
callable. I suppose this is because int & friends are not actual tokens,
while array and callable are. This means it was never possible to do class
array, which is probably the reason this was overlooked.

Closes GH-16683.

show more ...

Fix GH-16235 jdtogregorian overflow

close GH-16242

Added gc_handler to properly handle circular references. (#16703)

closes #16703

Co-authored-by: Christoph M. Becker <cmbecker69@gmx.de>

PHP-8.2 is now for PHP 8.2.27-dev

[ci skip] Update NEWS for PHP 8.4.0RC4

Fix GH-16314 "Pdo\Mysql object is uninitialized" when opening a persistent connection (#16369)

Fixed a bug where size_t underflows (#16696)

fixes #16262
closes #16696

Added early return case when result is 0 (#16697)

fixes #16265
closes #16697