Fixed GH-16233: Observer segfault when calling user function in internal function via trampoline

In the test, I have an internal `__call` function for `_ZendTestMagicCallForward` that calls

Fixed GH-16233: Observer segfault when calling user function in internal function via trampoline

In the test, I have an internal `__call` function for `_ZendTestMagicCallForward` that calls the global function with name `$name` via `call_user_function`.
Note that observer writes the pointer to the previously observed frame in the last temporary of the new call frame (`*prev_observed_frame`).

The following happens:
First, we call `$test->callee`, this will be handled via a trampoline with T=2 for the two arguments. The call frame is allocated at this point. This call frame is not observed because it has `ZEND_ACC_CALL_VIA_TRAMPOLINE` set. Next we use `ZEND_CALL_TRAMPOLINE` to call the trampoline, this reuses the stack frame allocated earlier with T=2, but this time it is observed. The pointer to the previous frame is written outside of the call frame because `T` is too small (should be 3). We are now in the internal function `_ZendTestMagicCallForward::__call` where we call the global function `callee`. This will push a new call frame which will overlap `*prev_observed_frame`. This value gets overwritten by `zend_init_func_execute_data` when `EX(opline)` is set because `*prev_observed_frame` overlaps with `EX(opline)`. From now on, `*prev_observed_frame` is corrupted. When `zend_observer_fcall_end` is called this will result in reading wrong value `*prev_observed_frame` into `current_observed_frame`. This causes issues in `zend_observer_fcall_end_all` leading to the segfault we observe.

Despite function with `ZEND_ACC_CALL_VIA_TRAMPOLINE` not being observed, the reuse of call frames makes problems when `T` is not large enough.
To fix this, we make sure to add 1 to `T` if `ZEND_OBSERVER_ENABLED` is true.

Closes GH-16252.

show more ...

Generated arginfo header files: combine preprocessor conditional blocks (#15736)

When functions' or class methods' availability is based on some preprocessor
condition, the generated arg

Generated arginfo header files: combine preprocessor conditional blocks (#15736)

When functions' or class methods' availability is based on some preprocessor
condition, the generated arginfo header files wrap the declarations in the
preprocessor `#if` conditional blocks, one per declaration, even if they are in
the same conditional block based on comments in the stub file. Instead of
having multiple conditional blocks one after the other with the same condition,
combine them into a single conditional block.

show more ...

Generated arginfo header files: remove empty zend_function_entry arrays (#15705)

When a class (or enum) has no methods, rather than using an array that only
contains `ZEND_FE_END`, use `

Generated arginfo header files: remove empty zend_function_entry arrays (#15705)

When a class (or enum) has no methods, rather than using an array that only
contains `ZEND_FE_END`, use `NULL` for the functions. The implementation of
class registration for internal classes, `do_register_internal_class()` in
zend_API.c, already skips classes where the functions are `NULL`. By removing
these unneeded arrays, we can reduce the size of the header files, while also
removing an unneeded call to zend_register_functions() for each internal class
with no extra methods.

show more ...

Fix registration of internal readonly child classes (#15459)

Currently, internal classes are registered with the following code:

INIT_CLASS_ENTRY(ce, "InternalClass", class_Internal

Fix registration of internal readonly child classes (#15459)

Currently, internal classes are registered with the following code:

INIT_CLASS_ENTRY(ce, "InternalClass", class_InternalClass_methods);
class_entry = zend_register_internal_class_ex(&ce, NULL);
class_entry->ce_flags |= ...;

This has worked well so far, except if InternalClass is readonly. It is because some inheritance checks are run by zend_register_internal_class_ex before ZEND_ACC_READONLY_CLASS is added to ce_flags.

The issue is fixed by adding a zend_register_internal_class_with_flags() zend API function that stubs can use from now on. This function makes sure to add the flags before running any checks. Since the new API is not available in lower PHP versions, gen_stub.php has to keep support for the existing API for PHP 8.3 and below.

show more ...

RFC: Add `#[\Deprecated]` Attribute (#11293)

see https://wiki.php.net/rfc/deprecated_attribute

Co-authored-by: Tim Düsterhus <tim@tideways-gmbh.com>
Co-authored-by: Ilija Tovilo

RFC: Add `#[\Deprecated]` Attribute (#11293)

see https://wiki.php.net/rfc/deprecated_attribute

Co-authored-by: Tim Düsterhus <tim@tideways-gmbh.com>
Co-authored-by: Ilija Tovilo <ilija.tovilo@me.com>

show more ...

Remove ZEND_STATIC_ASSERT() calls from legacy arginfo files

After report in https://github.com/php/php-src/commit/5992a297246ab2a6ab0cd00707dcebbff8845851#r143540472

Fix is_zend_ptr() for huge blocks (#14626)

is_zend_ptr() expected zend_mm_heap.huge_list to be circular, but it's in fact NULL-terminated. It could crash when at least one huge block exists

Fix is_zend_ptr() for huge blocks (#14626)

is_zend_ptr() expected zend_mm_heap.huge_list to be circular, but it's in fact NULL-terminated. It could crash when at least one huge block exists and the ptr did not belong to any block.

show more ...

gen_stub: Intern the parameter name string for named arguments in internal attributes (#14595)

This is necessary because `zend_get_attribute_object()` will use the persistent
string with

gen_stub: Intern the parameter name string for named arguments in internal attributes (#14595)

This is necessary because `zend_get_attribute_object()` will use the persistent
string with the parameter name as the index for a newly created non-persistent
HashTable, which is not legal.

As parameter names are expected to be short-ish, reasonably common terms and
need to sit around in memory anyways, we might as well make them an interned
string, circumstepping the issue without needing to duplicate the parameter
name into a non-persistent string.

show more ...

Fix GH-11078: PHP Fatal error triggers pointer being freed was not allocated and malloc: double free for ptr errors

Although the issue was demonstrated using Curl, the issue is purely in

Fix GH-11078: PHP Fatal error triggers pointer being freed was not allocated and malloc: double free for ptr errors

Although the issue was demonstrated using Curl, the issue is purely in
the streams layer of PHP.

Full analysis is written in GH-11078 [1], but here is the brief version:
Here's what actually happens:
1) We're creating a FILE handle from a stream using the casting mechanism.
This will create a cookie-based FILE handle using funopen.
2) We're reading stream data using fread from the userspace stream. This will
temporarily set a buffer into a field _bf.base [2]. This buffer is now equal
to the upload buffer that Curl allocated and note that that buffer is owned
by Curl.
3) The fatal error occurs and we bail out from the fread function, notice how
the reset code is never executed and so the buffer will still point to
Curl's upload buffer instead of FILE's own buffer [3].
4) The resources are destroyed, this includes our opened stream and because the
FILE handle is cached, it gets destroyed as well.
In fact, the stream code calls through fclose on purpose in this case.
5) The fclose code frees the _bs.base buffer [4].
However, this is not the buffer that FILE owns but the one that Curl owns
because it isn't reset properly due to the bailout!
6) The objects are getting destroyed, and so the curl free logic is invoked.
When Curl tries to gracefully clean up, it tries to free the buffer.
But that buffer is actually already freed mistakingly by the C library!

This also explains why we can't reproduce it on Linux: this bizarre buffer
swapping only happens on macOS and BSD, not on Linux.

To solve this, we switch to an unbuffered mode for cookie-based FILEs.
This avoids any stateful problems related to buffers especially when the
bailout mechanism triggers. As streams have their own buffering
mechanism, I don't expect this to impact performance.

[1] https://github.com/php/php-src/issues/11078#issuecomment-2155616843
[2] https://github.com/apple-open-source-mirror/Libc/blob/5e566be7a7047360adfb35ffc44c6a019a854bea/stdio/FreeBSD/fread.c#L102-L103
[3] https://github.com/apple-open-source-mirror/Libc/blob/5e566be7a7047360adfb35ffc44c6a019a854bea/stdio/FreeBSD/fread.c#L117
[4] https://github.com/apple-open-source-mirror/Libc/blob/5e566be7a7047360adfb35ffc44c6a019a854bea/stdio/FreeBSD/fclose.c#L66-L67

Closes GH-14524.

show more ...

Zend: Add object_init_with_constructor() API (#14440)

This will instantiate the object and execute its constructor with the given parameters.

Fix GH-14215: Cannot use FFI::load on CRLF header file with apache2handler

Some modules may reset _fmode, which causes mangling of line endings.
Always be explicit like we do in other pl

Fix GH-14215: Cannot use FFI::load on CRLF header file with apache2handler

Some modules may reset _fmode, which causes mangling of line endings.
Always be explicit like we do in other places where the native open call
is used.

Closes GH-14218.

show more ...

Add ReflectionClassConstant::isDeprecated() (#14086)

This is in preparation for php/php-src#11293 and for consistency with
ReflectionConstant::isDeprecated() that was added in php/php-sr

Add ReflectionClassConstant::isDeprecated() (#14086)

This is in preparation for php/php-src#11293 and for consistency with
ReflectionConstant::isDeprecated() that was added in php/php-src#13669.

show more ...

Improve BC support of arginfo files fenerated by gen_stub.php (#13705)

- Declared compatibility expectations of stub files are now enforced by a ZEND_STATIC_ASSERT call at the top of arginfo

Improve BC support of arginfo files fenerated by gen_stub.php (#13705)

- Declared compatibility expectations of stub files are now enforced by a ZEND_STATIC_ASSERT call at the top of arginfo files
- Property registration for PHP 7 is fixed: function zend_declare_property_ex() is used again instead of zend_declare_typed_property(). This has been a regression since I added support for exposing doc comments.
- As a defensive measure, deep cloning is performed before newer features (type declarations, attributes etc.) are discarded before generating legacy arginfo files. Until now, some of the objects were forgotten to be taken care of. These omissions may have resulted in some weird bugs in theory (but probably they didn't have much impact in practice).
- PHP version related conditions inside *non-legacy arginfo files* used to possibly check for the 70000 version iD until now if compatibility with PHP 7.0 was declared in a stub. This was not 100% correct, since non-legacy arginfo files are only for PHP 8.0+. Now, I made sure that at least PHP version ID 80000 is used in the preprocessor conditions. The solution was a bit tricky though...

show more ...

Implement "support doc comments for internal classes and functions" (#13266)

Fixes #13130

Do not generate frameless info items when func info generation is disabled

While here, I fixed newlines around arginfo and function entry generation. Previously, newlines were repeated.

Fix leak of call->extra_named_params on internal __call

Fixes GH-12835
Closes GH-12836

Fix GH-12628: The gh11374 test fails on Alpinelinux

Closes GH-12636.

Fix GH-12558 Escape \N in generated stubs (#12562)

Fix #12063 convert PHP single-quote to C double-quote string

Fix GH-9967 Add support for generating custom function, class const, and property attributes in stubs

releases property attributes of internal classes (#11980)

* adds test case for internal class property attribute

* releases property attributes of internal classes

Adds support for DNF types in internal functions and properties (#11969)

Note that this does not add support for items generated by gen_stubs,
only for items registered dynamically via

Adds support for DNF types in internal functions and properties (#11969)

Note that this does not add support for items generated by gen_stubs,
only for items registered dynamically via the Zend API.

Closes GH-10120

show more ...

Fix various bugs related to DNF types

- GH-11958: DNF types in trait properties do not get bound properly
- GH-11883: Memory leak in zend_type_release() for non-arena allocated DNF typ

Fix various bugs related to DNF types

- GH-11958: DNF types in trait properties do not get bound properly
- GH-11883: Memory leak in zend_type_release() for non-arena allocated DNF types
- Internal trait bound to userland class would not be arena allocated
- Property DNF types were not properly deep copied during lazy loading

Co-authored-by: Ilija Tovilo <ilija.tovilo@me.com>
Co-authored-by: ju1ius <jules.bernable@gmail.com>

show more ...

ext/zend_test: Move object handler test objects to their own file (#11852)

Fix zend/test arginfo stub hash