This replaces add_new with update for the RW case. This should not
be problematic for performance, as this branch throws a notice.
Alternatively add_new could also be replaced with add. I went with
update, because it makes $a[0] += 1 behavior the same as
$a[0] = $a[0] + 1.
As it turns out, there is actually no reason to prevent this, it even was a bigger BC break than expected...
Also fixes a memory leak (the Closure leaks) when calling internal functions via Closure by moving it out of leave helper onto caller side for TOP_CODE:
$z = new SplStack; $z->push(20);
$x = (new ReflectionMethod("SplStack", "pop"))->getClosure($z);
var_dump($x());
Now it is completely impossible to rebind a scoped method Closure (only the kind you get from ReflectionMethod::getClosure()) to a foreign scope
Adding a lot of tests to ensure this...
Also, properly return NULL in case the Closure could not be created instead of some crippled unbound Closure
This additionally removes support for binding to an unknown (not in parent hierarchy) scope.
Removing support for cross-scope is necessary for certain compile-time assumptions (like class constants) to prevent unexpected results
We didn't have zend_internal_function.reserved[] in PHP5, but we always allocated space for zend_function union, and extensions were able to reuse zend_function.op_array.reserved[] even for internal function. Now this is not possible. And extensions have to use zend_function.op_array.reserved[] for user functions and zend_function.internal_function.reserved[] for internal.
This VM may work only if all tail calls are optimized, otherwaise it will crach because of stack overflow.
Unfortunately, we can't guarantee tail call optimization in C.
It is by far the most used branch; compilers tended here to split the branches via an &2, &1 check, now it only does an &3 check and prefers ZEND_CALL_NESTED_FUNCTION branch
* PHP-5.6: (21 commits)
fix unit tests
update NEWS
add NEWS for fixes
Improve fix for #70172
Fix bug #70312 - HAVAL gives wrong hashes in specific cases
fix test
add test
Fix bug #70366 - use-after-free vulnerability in unserialize() with SplDoublyLinkedList
Fix bug #70365 - use-after-free vulnerability in unserialize() with SplObjectStorage
Fix bug #70172 - Use After Free Vulnerability in unserialize()
Fix bug #70388 - SOAP serialize_function_call() type confusion
Fixed bug #70350: ZipArchive::extractTo allows for directory traversal when creating directories
Improve fix for #70385
Fix bug #70345 (Multiple vulnerabilities related to PCRE functions)
Fix bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes)
Fix bug #70219 (Use after free vulnerability in session deserializer)
Fix bug ##70284 (Use after free vulnerability in unserialize() with GMP)
Fix for bug #69782
Add CVE IDs asigned (post release) to PHP 5.4.43
Add CVE IDs asigned to #69085 (PHP 5.4.39)
...
Conflicts:
ext/exif/exif.c
ext/gmp/gmp.c
ext/pcre/php_pcre.c
ext/session/session.c
ext/session/tests/session_decode_variation3.phpt
ext/soap/soap.c
ext/spl/spl_observer.c
ext/standard/var.c
ext/standard/var_unserializer.c
ext/standard/var_unserializer.re
ext/xsl/xsltprocessor.c
This fix is actually made for array acessing bug fix (#70262) which is
discarded since we have another better fix, anyway now seems this is still useful
Note that the UNEXPECTED(zv) was turned into EXPECTED(zv), as zv is mostly set in the context where it is used and usually anyway is checked first with OP*_TYPE == IS_VAR; or maybe just completely remove that (UN)EXPECTED at this place...
We recently added support for "use \Foo\{Bar}". This commit drops
support for the reverse "use Foo\{\Bar}". Those two got mixed up
in the initial implementation.
This prevented compilation warnings and disclosed few incorrect usages in Zend/zend_vm_def.h and ext/dom/xpath.c.
Now explicit type casting may be required on call site.
This may break some C extension code, but it shoulfn't be a problem to add explicit casting.
* PHP-5.6:
update NEWS
fix test
update NEWS
Fix bug #70019 - limit extracted files to given directory
Do not do convert_to_* on unserialize, it messes up references
Fix#69793 - limit what we accept when unserializing exception
Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList)
Fixed bug #70166 - Use After Free Vulnerability in unserialize() with SPLArrayObject
ignore signatures for packages too
Fix bug #70168 - Use After Free Vulnerability in unserialize() with SplObjectStorage
Fixed bug #69892
Fix bug #70014 - use RAND_bytes instead of deprecated RAND_pseudo_bytes
Improved fix for Bug #69441
Fix bug #70068 (Dangling pointer in the unserialization of ArrayObject items)
Fix bug #70121 (unserialize() could lead to unexpected methods execution / NULL pointer deref)
Fix bug #70081: check types for SOAP variables
Conflicts:
Zend/zend_exceptions.c
ext/date/php_date.c
ext/openssl/openssl.c
ext/phar/phar_internal.h
ext/soap/php_http.c
ext/spl/spl_array.c
ext/spl/spl_dllist.c
ext/spl/spl_observer.c
ext/standard/tests/serialize/bug69152.phpt
sapi/cli/tests/005.phpt
* PHP-5.5:
update NEWS
fix test
update NEWS
Fix bug #70019 - limit extracted files to given directory
Do not do convert_to_* on unserialize, it messes up references
Fix#69793 - limit what we accept when unserializing exception
Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList)
Fixed bug #70166 - Use After Free Vulnerability in unserialize() with SPLArrayObject
ignore signatures for packages too
Fix bug #70168 - Use After Free Vulnerability in unserialize() with SplObjectStorage
Fixed bug #69892
Fix bug #70014 - use RAND_bytes instead of deprecated RAND_pseudo_bytes
Improved fix for Bug #69441
Fix bug #70068 (Dangling pointer in the unserialization of ArrayObject items)
Fix bug #70121 (unserialize() could lead to unexpected methods execution / NULL pointer deref)
Fix bug #70081: check types for SOAP variables
Conflicts:
ext/soap/php_http.c
ext/spl/spl_observer.c
* PHP-5.4:
Fix bug #70019 - limit extracted files to given directory
Do not do convert_to_* on unserialize, it messes up references
Fix#69793 - limit what we accept when unserializing exception
Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList)
Fixed bug #70166 - Use After Free Vulnerability in unserialize() with SPLArrayObject
ignore signatures for packages too
Fix bug #70168 - Use After Free Vulnerability in unserialize() with SplObjectStorage
Fixed bug #69892
Fix bug #70014 - use RAND_bytes instead of deprecated RAND_pseudo_bytes
Improved fix for Bug #69441
Fix bug #70068 (Dangling pointer in the unserialization of ArrayObject items)
Fix bug #70121 (unserialize() could lead to unexpected methods execution / NULL pointer deref)
Fix bug #70081: check types for SOAP variables
Conflicts:
.gitignore
ext/date/php_date.c
ext/spl/spl_array.c
ext/spl/spl_observer.c
Revert "We cannot safely assume that all op array will be refcount 0 after execution"
This reverts commit b6936adb58.
This change turns out to not have been a clever idea and was causing more weirdness than it helped...
Detecting overflow with the XER is slow, partially because we have to
clear it before use.
PHP already has a fast way of detecting overflow in its fallback
c implementation. Overflow only occurs if the signs of the two
operands are the same and the sign of the result is different.
Furthermore, leaving it in c allows gcc to schedule the instructions
better.
This is 9% faster on a POWER8 running a simple testcase:
<?php
function testcase($count = 100000000) {
$x = 1;
for ($i = 0; $i < $count; $i++) {
$x = $x + 1;
$x = $x + 1;
$x = $x + 1;
$x = $x + 1;
$x = $x + 1;
}
}
testcase();
?>
Detecting overflow with the XER is slow, partially because we have to
clear it before use.
gcc does a better job of detecting overflow of an increment or decrement
than we can with inline assembly. It knows that an increment will only
overflow if it is one less than the overflow value. This means we end
up with a simple compare/branch. Furthermore, leaving it in c allows gcc
to schedule the instructions better.
This is 6% faster on a POWER8 running a simple testcase:
<?php
function testcase($count = 100000000) {
$x = 1;
for ($i = 0; $i < $count; $i++) {
$x++;
$x++;
$x++;
$x++;
$x++;
}
}
testcase();
?>
Detecting overflow with the XER is slow, partially because we have to
clear it before use. We can do better by using a trick where we compare
the high 64 bits of the result with the low 64 bits shifted right
63 bits.
This is 7% faster on a POWER8 running a simple testcase:
<?php
function testcase($count = 100000000) {
for ($i = 0; $i < $count; $i++) {
$x = 1;
$x = $x * 2;
$x = $x * 2;
$x = $x * 2;
$x = $x * 2;
}
}
testcase();
?>
We maybe should search for some other way, because just not refcounting the op_array is rather a dirty hack.
If possible, we should change opcache and just expect op_array->refcount != NULL ... but I have not found a clean way yet.
I'm excluding unticked statements for this (in 5.x they were included)
as this would just result in two consecutive EXT_STMTs.
Also add all class statements to unticked statements, these would
generate superfluous EXT_STMT/TICKS in the parent op_array.
This was generated for a return from a try block with both a catch
and a finally. However at this point no exception can be active,
because it either didn't exist in the first place or was explicitly
discarded using DISCARD_EXCEPTION.