On some systems, like Alpine, the thread stack size is small by default.
The last step of SSA construction involves variable renaming that is
recursive, and also makes copies of their version of the renamed
variables on the stack. This combination causes a stack overflow during
compilation on Alpine. Triggerable for example with very long match
statements.
A stop-gap solution would be to use heap allocated arrays for the
renamed variable list, but that would only delay the error as increasing
the number of match arms increases the depth of the dominator tree, and
will eventually run into the same issue.
This patch transforms the algorithm into an iterative one.
There are two states stored in a worklist stack: positive numbers
indicate that the block still needs to undergo variable renaming.
Negative numbers indicate that the block and its dominated children are
already renamed. Because 0 is also a valid block number, we bias the
block numbers by adding 1.
To restore to the right variant when backtracking the "recursive" step,
we index into an array pointing to the different variable renaming
variants.
Closes GH-19083.
8MB sounded a prudent size for older 10.9 macOs release, however
with newer mac with arm64, it triggers a stack overflow.
Cherry picks b320aabc5e (GH-13319) from PHP-8.4.
Closes GH-19390.
Since GH-13188 we're no longer immediately updating iterator positions when
deleting array elements. zend_hash_rehash() needs to adapt accordingly by
adjusting nInternalPosition for IS_UNDEF elements. This is already the case for
array iterators.
Fixes GH-19280
Closes GH-19323
Generator::throw() on a running generator is not allowed. It throws "Cannot
resume an already running generator" when trying to resume the generator to
handle the provided exception.
However, when calling Generator::throw() on a generator with a non-Generator
delegate, we release the delegate regardless. If a Fiber was suspended in
the delegate, this causes use after frees when the Fiber is resumed.
Fix this by throwing "Cannot resume an already running generator" earlier.
Fixes GH-19326
Closes GH-19327
Normally we prevent generators from being resumed while they are already
running, but we failed to do so for generators delegating to non-Generators. As
a result such generator can be resumed, terminated, which causes unexpected
results (crashes) later.
In gh19306.phpt in particular, the generator delegate It::getIterator() suspends
while being called by generator g(). We then resume g(), which throws while
trying to resume It::getIterator(). This causes g() and It::getIterator()
to be released. We then UAF when resuming the Fiber in It::getIterator().
Fix this by ensuring that generators are marked as running while they fetch
the next value from the delegate.
Fixes GH-19306
Closes GH-19315
Having an empty result array is not a problem, because zend_hash_extend()
will initialize it. Except it does not when the number of elements to add
equals 0, which leaves the array uninitialized and therefore does not
set the packed flag, causing the assertion failure.
Technically, removing the assert would also work and save a check.
On the other hand, this check could also prevent some real work to be
done and should be relatively cheap as we already have to compute the
sum anyway.
Closes GH-19318.
* Fix GH-19044: Protected properties are not scoped according to their prototype
* Adjust after review
* Simplify to using prototype even for asymmetric visibility
re2c version 4 enabled some warnings by default. This fixes re2c code
for the `-Wuseless-escape` warnings.
There are two same issues reported.
Issue: GH-17523
Closes: GH-17204
Both these issues have the same root cause, their reproducer is
extremely similar so I don't duplicate the test.
If the parser invokes the lexer, and the lexer fails, it could've
allocated a string which must be freed when the parser backs up.
The `%destructor` list is responsible for this but did not have an entry
for `fallback` yet. Solve the issue by adding such an entry.
Closes GH-19012.
The first warning may trigger an error handler, destroying the operand
and its string. So we need to protect the string in that case.
Care was taken to avoid unnecessary refcounts and to avoid touching the
hot code path.
Closes GH-18951.
When the array functions perform their operation in-place, the
`@refcount 1` annotation is wrong and causes a failure under
`ZEND_VERIFY_FUNC_INFO`.
The test file tests all functions that have the in-place optimization,
even those that didn't have the refcount annotation, just to prevent
future regressions.
Closes GH-18929.
This is necessary because the VM frees operands with the nogc variants. We
cannot just call gc_possible_root() because the object may no longer exist at
that point.
Fixes GH-18907
Closes GH-18917
real_size is returned by memory_get_usage(true), which previously returned 0.
Discovered in Symfony ConsumeMessagesCommandTest::testRunWithMemoryLimit()
through nightly.
Closes GH-18880
