real_size is returned by memory_get_usage(true), which previously returned 0.
Discovered in Symfony ConsumeMessagesCommandTest::testRunWithMemoryLimit()
through nightly.
Closes GH-18880
When observer is enabled, we normally add an extra temporary to all
functions, to store the previously observed frame. However, this is done in
zend_observer_post_startup() so it doesn't happen to dl'ed() functions.
One possible fix would be to move that from zend_observer_post_startup()
to zend_register_functions(), but this would be too early: Observer may
not be enabled when zend_register_functions() is called, and may still be
enabled later.
However, when zend_register_functions() is called at run-time (during dl()),
we know definitively whether observer is enabled.
Here I update zend_register_functions() to add a temporary to dl'ed()
functions when observer is enabled.
Fixes: GH-17211
Closes: GH-17220
Agreed by RM: https://github.com/php/php-src/issues/16168#issuecomment-2525433557
The inline assembly uses labels with the prefix `.L`. On Linux systems
this is the local label prefix. It appears that macOS uses `L` as a
local prefix, which means that the prefix used in the inline assembly is not
local for macOS systems [1].
When combined with inlining, this causes the compiler to get confused
and merge a part of the inline assembly between different functions,
causing control flow to jump from one function to another function.
This is avoided on PHP 8.2 and up by the fact that it
uses `zend_never_inline NOIPA`, but nothing guarantees that compiler
changes won't affect this as well.
To solve this issue, we instead use local labels. These will make the
compiler pick the correct prefix, preventing the issue.
Additionally, while here, we also change the computation of `delta`.
It is undefined behaviour to compute the pointer difference between
two different objects. To circumvent this, we cast first to `uintptr_t`.
This change is cleanly backportable to 8.1 for vendors to pick up.
[1] https://github.com/php/php-src/issues/16168#issuecomment-2404792553
With the help of investigation and testing of @ryandesign.
Closes GH-16348.
Only on Windows `IS_SLASH_P()` may read the previous byte, and so may
in unlikely cases read one byte out of bounds. Since `IS_SLASH_P()` is
in a public header (albeit not likely to be used by external extensions
or SAPIs), we introduce `IS_SLASH_P_EX()` which accepts a second
argument to prevent that OOB read.
It should be noted that the PHP userland function `dirname()` is not
affected by this issue, since it does not call `zend_dirname()` on
Windows.
Closes GH-16995.
We should compare the block memory, not the block metadata (See
zend_mm_add_huge_block).
This caused random test failure for ext/ffi/tests/gh14626.phpt when the
malloc() performed by the FFI code lies close to the block metadata, and
the size of the block is large enough.
This was reported by https://github.com/php/php-src/issues/16902#issuecomment-2498310452
Closes GH-16938.
zend_save_lexical_state() can be nested multiple times, for example for
the parser initialization and then in the heredoc lexing. The input
should not be freed if we restore to the same filtered string.
Closes GH-16716.
zend_is_callable_ex() can unfortunately emit a deprecation, and then
a user error handler can throw an exception. This causes an assert
failure at ZEND_VM_NEXT_OPCODE(). We fix this by checking if there's an
exception after zend_is_callable_ex().
Closes GH-16803.
Reproducer: https://github.com/php/php-src/issues/16727#issuecomment-2466256317
The root cause is a data race between two different threads:
1) We allocate a lower cased name for an anonymous class here:
f97353f228/Zend/zend_compile.c (L8109)
2) This gets looked up as an interned string here:
f97353f228/Zend/zend_compile.c (L8112)
Assuming that there are uppercase symbols in the string and therefore
`lcname != name` and that `lcname` is not yet in the interned string table,
the pointer value of `lcname` won't change.
3) Here we add the string into the interned string table:
f97353f228/Zend/zend_compile.c (L8223)
However, in the meantime another thread could've added the string into the interned string table.
This means that the following code will run, indirectly called via the `LITERAL_STR` macro,
freeing `lcname`: 62e53e6f49/ext/opcache/ZendAccelerator.c (L572-L575)
4) In the reproducer we then access the freed `lcname` string here:
f97353f228/Zend/zend_compile.c (L8229)
This is solved in my patch by retrieving the interned string pointer
and putting it in `lcname`.
Closes GH-16748.
These have been introduced a while ago[1], but their initialization has
been overlooked. Since we cannot rely on TLS variables to be zeroed,
we catch up on this.
[1] <e3ef7bbbb8>
Co-authored-by: Ilija Tovilo <ilija.tovilo@me.com>
Closes GH-16658.
Closes GH-16469
Working towards GH-16286
commit e0db221143b808d97bc3a44e9f0968c6308794b4
Author: Ilija Tovilo <ilija.tovilo@me.com>
Date: Fri Oct 25 22:48:20 2024 +0200
Move CFLAGS into ./configure command for consistency
commit 8ad67768250d181cd7fef30e0c866625bbd8ac94
Author: Ilija Tovilo <ilija.tovilo@me.com>
Date: Fri Oct 25 22:47:03 2024 +0200
Also upgrade nightly to macOS 13
commit 58a88ccb9f
Author: Ilija Tovilo <ilija.tovilo@me.com>
Date: Wed Oct 23 19:07:59 2024 +0200
Fix call to dc[n]gettext in tests with 0 $category
This causes a segfault on PHP-8.1
commit 611af05c50
Author: Ilija Tovilo <ilija.tovilo@me.com>
Date: Fri Dec 8 13:36:52 2023 +0100
[skip ci] Skip intermittently failing curl test on macOS
The test fails with "CURL ERROR: 56". I will create an issue for it shortly.
commit ec745178bb
Author: Ilija Tovilo <ilija.tovilo@me.com>
Date: Wed Oct 23 19:05:32 2024 +0200
Backport parts of 9999a0c for gettext
See 9999a0cb75
commit 5ce703496f
Author: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Sun Jul 28 14:34:26 2024 +0200
Fix CI failure on macOS after Curl update
commit 714a3e7071
Author: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Sat Jul 27 16:09:50 2024 +0200
Fix CI failure after Curl update (#15124)
commit 4f2eb921b9
Author: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Thu May 23 22:20:37 2024 +0200
Fix GH-14307: Test curl_basic_024 fails with curl 8.8.0
Curl changed the behaviour, from the changelog:
- lib: make protocol handlers store scheme name lowercase curl/curl@c294f9c
From the docs: "The returned scheme might be upper or lowercase. Do
comparisons case insensitively."
Closes GH-14312.
commit 251195b41b
Author: Ayesh Karunaratne <ayesh@aye.sh>
Date: Thu Feb 1 02:03:55 2024 +0700
ext/curl: Fix failing tests due to string changes in libcurl 8.6.0
Upstream libcurl 8.6.0 contains a change[^1] that caused a test failure.
This fixes it by updating the test's `EXPECTF` to use a regex to account for both string patterns.
[^1]: 45cf4755e7 (diff-a8a54563608f8155973318f4ddb61d7328dab512b8ff2b5cc48cc76979d4204cL1683)
Closes GH-13293.
commit fc5d83f2b1
Author: Christoph M. Becker <cmbecker69@gmx.de>
Date: Wed Oct 16 22:46:20 2024 +0200
Prepare for necessary move to macOS 13
GH will remove macOS 12 runner images as of December 3rd, so we prepare
for that.
Besides the obvious need to change the runner, we also suppress a
couple of warnings, because otherwise the build would fail due to
`-Werror`.
The inline assembly uses labels with the prefix `.L`. On Linux systems
this is the local label prefix. It appears that macOS uses `L` as a
local prefix, which means that the prefix used in the inline assembly is not
local for macOS systems [1].
When combined with inlining, this causes the compiler to get confused
and merge a part of the inline assembly between different functions,
causing control flow to jump from one function to another function.
This is avoided on PHP 8.2 and up by the fact that it
uses `zend_never_inline NOIPA`, but nothing guarantees that compiler
changes won't affect this as well.
To solve this issue, we instead use local labels. These will make the
compiler pick the correct prefix, preventing the issue.
Additionally, while here, we also change the computation of `delta`.
It is undefined behaviour to compute the pointer difference between
two different objects. To circumvent this, we cast first to `uintptr_t`.
This change is cleanly backportable to 8.1 for vendors to pick up.
[1] https://github.com/php/php-src/issues/16168#issuecomment-2404792553
With the help of investigation and testing of @ryandesign.
Closes GH-16348.
In the test, I have an internal `__call` function for `_ZendTestMagicCallForward` that calls the global function with name `$name` via `call_user_function`.
Note that observer writes the pointer to the previously observed frame in the last temporary of the new call frame (`*prev_observed_frame`).
The following happens:
First, we call `$test->callee`, this will be handled via a trampoline with T=2 for the two arguments. The call frame is allocated at this point. This call frame is not observed because it has `ZEND_ACC_CALL_VIA_TRAMPOLINE` set. Next we use `ZEND_CALL_TRAMPOLINE` to call the trampoline, this reuses the stack frame allocated earlier with T=2, but this time it is observed. The pointer to the previous frame is written outside of the call frame because `T` is too small (should be 3). We are now in the internal function `_ZendTestMagicCallForward::__call` where we call the global function `callee`. This will push a new call frame which will overlap `*prev_observed_frame`. This value gets overwritten by `zend_init_func_execute_data` when `EX(opline)` is set because `*prev_observed_frame` overlaps with `EX(opline)`. From now on, `*prev_observed_frame` is corrupted. When `zend_observer_fcall_end` is called this will result in reading wrong value `*prev_observed_frame` into `current_observed_frame`. This causes issues in `zend_observer_fcall_end_all` leading to the segfault we observe.
Despite function with `ZEND_ACC_CALL_VIA_TRAMPOLINE` not being observed, the reuse of call frames makes problems when `T` is not large enough.
To fix this, we make sure to add 1 to `T` if `ZEND_OBSERVER_ENABLED` is true.
Closes GH-16252.
When allocating enough room for floats, the allocator used overflows with
large ndigits/EG(precision) value which used an signed integer to
increase the size of thebuffer.
Testing with the zend operator directly is enough to trigger
the issue rather than higher level math interface.
close GH-15715
