PHP Static Analysis Tool - discover bugs in your code without running it!
Fix another case without separation
This doesn't solve the problem when no separation happens :slightly_frowning_face:
```php
$tmp = [0];
unset($tmp[0]);
$i = [$tmp, 0];
unset($tmp);
$ref = &$i;
$i[0] += $ref;
var_dump($i);
```
I don't know how to fix that without forcing a duplication...
result may be a slot in op2. In that case SEPARATE_ARRAY() will change both result and the slot in op2. Looping over op2 and inserting the element results in both reference-less recursion which we don't allow, and increasing the refcount to 2, failing any further insertions into the array.
Avoid this by copying result into a temporary zval and performing separation there instead.
Fixes GH-10085
Fix add_function_array() separation
I'm closing this; this should be discussed on the list.
All file functions, incl. dir functions like `file_exists()` or `is_dir()`, return `false` when the input is empty. One exception is `realpath()`: it returns the current directory when `''` is given.

The reason is probably the way `realpath()` is written: the path is probably checked for being absolute and, if not, it is appended to the current directory, even if empty.

After a fix, I expect `realpath('')` to return `false`.

It is probably not a bug, as it is documented [1], but I propose this to be fixed to be consistent with other file functions.

[1] https://github.com/php/doc-en/commit/5ca36de9639a35ba034a93205f4664471f3aae77
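An added example, not part of the issue, showing why the `realpath('')` behaviour matters when a path check relies on `realpath()` alone; the helper name `resolve_within_base()` is assumed.

```php
<?php
// Added example, not from the issue: a path check that relies on realpath()
// alone treats '' as "the current directory", because realpath('') returns
// getcwd() instead of false. The helper name resolve_within_base() is assumed.

/**
 * Resolve $userPath relative to $baseDir and return the canonical path only
 * if it stays inside $baseDir; otherwise return false, like the other file
 * functions do for empty input.
 */
function resolve_within_base(string $baseDir, string $userPath): string|false
{
    // Reject the empty string up front: realpath('') would not fail here.
    if ($userPath === '') {
        return false;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return false;
    }
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($resolved === false) {
        return false;
    }
    // Accept $base itself or a proper descendant, never a sibling such as
    // "/var/www-private" when $base is "/var/www" (plain prefix checks miss this).
    if ($resolved === $base || str_starts_with($resolved, $base . DIRECTORY_SEPARATOR)) {
        return $resolved;
    }
    return false;
}

// The inconsistency the issue describes, next to the helper's result.
var_dump(file_exists(''), is_dir(''));
var_dump(realpath('') === getcwd());
var_dump(resolve_within_base(sys_get_temp_dir(), ''));
```

The first two `var_dump()` calls show the inconsistency the issue describes (the plain file functions reject `''` while `realpath('')` resolves to the working directory); the last shows the helper rejecting the empty string before `realpath()` ever sees it.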
To me, it doesn't seem like making changes and introducing bugs for a theoretical issue is worth it. I'd much rather fix the documentation.
For the past few months at least, messages I've sent to mailing lists (php-general) have been bouncing (after some time) with DNS fetch errors.
I'm experiencing no other email-related issues and have checked everything I can think of on my side, but the issues persist.
The last bounce I received, on the 23rd Dec, for a message sent on 16th Dec, contained the following error message:
Hi. This is the qmail-send program at lists.php.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.
<php-general@lists.php.net>:
ezmlm-send: fatal: error fetching DNS record for allenjb.me.uk: temporary failure
I'm not going to try again; this message has been in the queue too long.
All messages are sent from my domain, allenjb.me.uk, hosted on Fastmail.
I am happy to forward a full copy of a bounce message on request.
As mentioned by others, you might have the best luck contacting systems@php.net. Thanks!
The ZVAL_ARR macro always sets the zval type_info to IS_ARRAY_EX, even if the hash table is immutable. Since in preg_replace_callback_array() we can return the passed array directly, and that passed array can be immutable, we need to reset the type_flags to keep the VM from performing ref-counting on the array.
Fixes GH-10968
We could also introduce a new macro for this but I couldn't find another place that potentially returns an immutable array.
Fix incorrect zval type_flags in preg_replace_callback_array() for immutable arrays
Fix incorrect zval type_flags in preg_replace_callback_array() for immutable arrays
The ZVAL_ARR macro always sets the zval type_info to IS_ARRAY_EX, even if the hash table is immutable. Since in preg_replace_callback_array() we can return the passed array directly, and that passed array can be immutable, we can copy the array to circumvent the problem.
Fixes GH-10968
I saw below from zend_compile.h and am not sure if it could be 'Eval Code' with op_array?
Oh, you're right! I forgot about that one.
I often see the variable name fbc which is used to denote zend_function*. Do you know what it is short for? (frame buffer what? function what what).
I have no clue, actually. Maybe @Girgias knows.
As shown in https://github.com/php/php-src/issues/10428#issuecomment-1401898912, in some contexts it can be optimized at compile time, i.e. the optimized opcode can be used.
These opcodes are inside the called function. Thus, this could only be optimized if none of the callers used the function result by-ref.
@stkeke Looks great! Btw, the function type is useless, op_arrays are always user functions.
This code was removed on master, so https://github.com/php/php-src/issues/10962#issuecomment-1488319140 applies here :slightly_smiling_face:
/bin/sh /builds/php-8.2.4/libtool --silent --preserve-dup-deps --tag CC --mode=compile gcc-12 -IZend/ -I/builds/php-8.2.4/Zend/ -I/builds/php-8.2.4/include -I/builds/php-8.2.4/main -I/builds/php-8.2.4 -I/builds/php-8.2.4/ext/date/lib -I/usr/include/libxml2 -I/usr/include/libpng16 -I/builds/php-8.2.4/ext/mbstring/libmbfl -I/builds/php-8.2.4/ext/mbstring/libmbfl/mbfl -I/builds/php-8.2.4/TSRM -I/builds/php-8.2.4/Zend -D_GNU_SOURCE -D_REENTRANT -pthread -fno-common -Wformat-truncation -Wlogical-op -Wduplicated-cond -Wno-clobbered -Wall -Wextra -Wno-strict-aliasing -Wno-unused-parameter -Wno-sign-compare -g -O2 -fvisibility=hidden -pthread -Wimplicit-fallthrough=1 -DZTS -DZEND_SIGNALS -DZEND_ENABLE_STATIC_TSRMLS_CACHE=1 -c /builds/php-8.2.4/Zend/Optimizer/zend_cfg.c -o Zend/Optimizer/zend_cfg.lo -MMD -MF Zend/Optimizer/zend_cfg.dep -MT Zend/Optimizer/zend_cfg.lo
/builds/php-8.2.4/Zend/zend.c: In function ‘function_copy_ctor’:
/builds/php-8.2.4/Zend/zend.c:665:21: warning: array subscript ‘zend_function {aka union _zend_function}[0]’ is partly outside array bounds of ‘unsigned char[136]’ [-Warray-bounds]
665 | func->common.arg_info = new_arg_info + 1;
| ^~
In file included from /builds/php-8.2.4/Zend/zend.h:30,
from /builds/php-8.2.4/Zend/zend.c:20:
/builds/php-8.2.4/Zend/zend_alloc.h:188:69: note: object of size 136 allocated by ‘__zend_malloc’
188 | #define pemalloc(size, persistent) ((persistent)?__zend_malloc(size):emalloc(size))
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~
/builds/php-8.2.4/Zend/zend.c:632:16: note: in expansion of macro ‘pemalloc’
632 | func = pemalloc(sizeof(zend_internal_function), 1);
| ^~~~~~~~
/builds/php-8.2.4/Zend/zend.c:670:21: warning: array subscript ‘zend_function {aka union _zend_function}[0]’ is partly outside array bounds of ‘unsigned char[136]’ [-Warray-bounds]
670 | func->common.attributes = NULL;
| ^~
/builds/php-8.2.4/Zend/zend_alloc.h:188:69: note: object of size 136 allocated by ‘__zend_malloc’
188 | #define pemalloc(size, persistent) ((persistent)?__zend_malloc(size):emalloc(size))
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~
/builds/php-8.2.4/Zend/zend.c:632:16: note: in expansion of macro ‘pemalloc’
632 | func = pemalloc(sizeof(zend_internal_function), 1);
| ^~~~~~~~
### PHP Version
PHP 8.2.4
### Operating System
SLES 15.4 gcc 12
### Description
/bin/sh /builds/php-8.2.4/libtool --silent --preserve-dup-deps --tag CC --mode=compile gcc-12 -Isapi/phpdbg/ -I/builds/php-8.2.4/sapi/phpdbg/ -I/builds/php-8.2.4/include -I/builds/php-8.2.4/main -I/builds/php-8.2.4 -I/builds/php-8.2.4/ext/date/lib -I/usr/include/libxml2
-I/usr/include/libpng16 -I/builds/php-8.2.4/ext/mbstring/libmbfl -I/builds/php-8.2.4/ext/mbstring/libmbfl/mbfl -I/builds/php-8.2.4/TSRM -I/builds/php-8.2.4/Zend -D_GNU_SOURCE -D_REENTRANT -pthread -fno-common -Wformat-truncation -Wlogical-op -Wduplicated-cond -Wno-clobbered -Wall -Wextra -Wno-strict-aliasing -Wno-unused-parameter -Wno-sign-compare -g -O2 -fvisibility=hidden -pthread -Wimplicit-fallthrough=1 -DZTS -DZEND_SIGNALS -D_GNU_SOURCE -DZEND_ENABLE_STATIC_TSRMLS_CACHE=1 -c /builds/php-8.2.4/sapi/phpdbg/phpdbg_out.c -o sapi/phpdbg/phpdbg_out.lo -MMD -MF sapi/phpdbg/phpdbg_out.dep -MT sapi/phpdbg/phpdbg_out.lo
/builds/php-8.2.4/Zend/zend_API.c: In function ‘zend_register_functions’:
/builds/php-8.2.4/Zend/zend_API.c:2821:49: warning: array subscript ‘zend_function {aka union _zend_function}[0]’ is partly outside array bounds of ‘unsigned char[136]’ [-Warray-bounds]
2821 | uint32_t num_args = reg_function->common.num_args;
| ^~
/builds/php-8.2.4/Zend/zend_API.c:2811:32: note: object of size 136 allocated by ‘malloc’
2811 | reg_function = malloc(sizeof(zend_internal_function));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/builds/php-8.2.4/Zend/zend_API.c:2822:33: warning: array subscript ‘zend_function {aka union _zend_function}[0]’ is partly outside array bounds of ‘unsigned char[136]’ [-Warray-bounds]
2822 | if (reg_function->common.fn_flags & ZEND_ACC_VARIADIC) {
| ^~
/builds/php-8.2.4/Zend/zend_API.c:2811:32: note: object of size 136 allocated by ‘malloc’
2811 | reg_function = malloc(sizeof(zend_internal_function));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/builds/php-8.2.4/Zend/zend_API.c:2827:33: warning: array subscript ‘zend_function {aka union _zend_function}[0]’ is partly outside array bounds of ‘unsigned char[136]’ [-Warray-bounds]
2827 | if (reg_function->common.arg_info && num_args) {
| ^~
/builds/php-8.2.4/Zend/zend_API.c:2811:32: note: object of size 136 allocated by ‘malloc’
2811 | reg_function = malloc(sizeof(zend_internal_function));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/builds/php-8.2.4/Zend/zend_API.c:2833:49: warning: array subscript ‘zend_function {aka union _zend_function}[0]’ is partly outside array bounds of ‘unsigned char[136]’ [-Warray-bounds]
2833 | reg_function->common.fn_flags |= ZEND_ACC_HAS_TYPE_HINTS;
| ^~
/builds/php-8.2.4/Zend/zend_API.c:2811:32: note: object of size 136 allocated by ‘malloc’
2811 | reg_function = malloc(sizeof(zend_internal_function));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/builds/php-8.2.4/Zend/zend_API.c:2833:49: warning: array subscript ‘zend_function {aka union _zend_function}[0]’ is partly outside array bounds of ‘unsigned char[136]’ [-Warray-bounds]
2833 | reg_function->common.fn_flags |= ZEND_ACC_HAS_TYPE_HINTS;
| ^~
/builds/php-8.2.4/Zend/zend_API.c:2811:32: note: object of size 136 allocated by ‘malloc’
2811 | reg_function = malloc(sizeof(zend_internal_function));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/builds/php-8.2.4/Zend/zend_API.c:2849:34: warning: array subscript ‘zend_function {aka union _zend_function}[0]’ is partly outside array bounds of ‘unsigned char[136]’ [-Warray-bounds]
2849 | (reg_function->common.fn_flags & (ZEND_ACC_HAS_RETURN_TYPE|ZEND_ACC_HAS_TYPE_HINTS))) {
| ^~
/builds/php-8.2.4/Zend/zend_API.c:2811:32: note: object of size 136 allocated by ‘malloc’
2811 | reg_function = malloc(sizeof(zend_internal_function));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/builds/php-8.2.4/Zend/zend_API.c:2859:37: warning: array subscript ‘zend_function {aka union _zend_function}[0]’ is partly outside array bounds of ‘unsigned char[136]’ [-Warray-bounds]
2859 | reg_function->common.arg_info = new_arg_info + 1;
| ^~
/builds/php-8.2.4/Zend/zend_API.c:2811:32: note: object of size 136 allocated by ‘malloc’
2811 | reg_function = malloc(sizeof(zend_internal_function));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
### PHP Version
PHP 8.2.4
### Operating System
SLES 15.4 gcc 12
See https://github.com/php/php-src/issues/10962#issuecomment-1488319140.
### Description
/bin/sh /builds/php-8.2.4/libtool --silent --preserve-dup-deps --tag CC --mode=compile gcc-12 -Iext/opcache/ -I/builds/php-8.2.4/ext/opcache/ -I/builds/php-8.2.4/include -I/builds/php-8.2.4/main -I/builds/php-8.2.4 -I/builds/php-8.2.4/ext/date/lib -I/usr/include/libxml2
-I/usr/include/libpng16 -I/builds/php-8.2.4/ext/mbstring/libmbfl -I/builds/php-8.2.4/ext/mbstring/libmbfl/mbfl -I/builds/php-8.2.4/TSRM -I/builds/php-8.2.4/Zend -D_GNU_SOURCE -D_REENTRANT -pthread -fno-common -Wformat-truncation -Wlogical-op -Wduplicated-cond -Wno-clobbered -Wall -Wextra -Wno-strict-aliasing -Wno-unused-parameter -Wno-sign-compare -g -O2 -fvisibility=hidden -pthread -Wimplicit-fallthrough=1 -DZTS -DZEND_SIGNALS -Wno-implicit-fallthrough -DZEND_ENABLE_STATIC_TSRMLS_CACHE=1 -DZEND_COMPILE_DL_EXT=1 -c /builds/php-8.2.4/ext/opcache/jit/zend_jit.c -o ext/opcache/jit/zend_jit.lo -MMD -MF ext/opcache/jit/zend_jit.dep -MT ext/opcache/jit/zend_jit.lo
In file included from /builds/php-8.2.4/ext/opcache/jit/zend_jit.c:710:
In function ‘dasm_setupglobal’,
inlined from ‘zend_jit_trace_allocate_exit_group’ at ext/opcache/jit/zend_jit_trace.c:95:2,
inlined from ‘zend_jit_trace_allocate_exit_point’ at ext/opcache/jit/zend_jit_trace.c:125:11:
/builds/php-8.2.4/ext/opcache/jit/dynasm/dasm_x86.h:127:19: warning: array subscript -10 is outside array bounds of ‘void *[38]’ [-Warray-bounds]
127 | D->globals = gl - 10; /* Negative bias to compensate for locals. */
| ~~~^~~~
In file included from /builds/php-8.2.4/ext/opcache/jit/zend_jit.c:768:
/builds/php-8.2.4/ext/opcache/jit/zend_jit_x86.dasc: In function ‘zend_jit_trace_allocate_exit_point’:
/builds/php-8.2.4/ext/opcache/jit/zend_jit_x86.dasc:143:14: note: at offset -80 into object ‘dasm_labels’ of size 304
143 | static void* dasm_labels[zend_lb_MAX];
| ^~~~~~~~~~~
In function ‘dasm_setupglobal’,
inlined from ‘zend_jit’ at /builds/php-8.2.4/ext/opcache/jit/zend_jit.c:2729:2:
/builds/php-8.2.4/ext/opcache/jit/dynasm/dasm_x86.h:127:19: warning: array subscript -10 is outside array bounds of ‘void *[38]’ [-Warray-bounds]
127 | D->globals = gl - 10; /* Negative bias to compensate for locals. */
| ~~~^~~~
/builds/php-8.2.4/ext/opcache/jit/zend_jit_x86.dasc: In function ‘zend_jit’:
/builds/php-8.2.4/ext/opcache/jit/zend_jit_x86.dasc:143:14: note: at offset -80 into object ‘dasm_labels’ of size 304
143 | static void* dasm_labels[zend_lb_MAX];
| ^~~~~~~~~~~
In function ‘dasm_setupglobal’,
inlined from ‘zend_jit_trace’ at ext/opcache/jit/zend_jit_trace.c:4054:2:
/builds/php-8.2.4/ext/opcache/jit/dynasm/dasm_x86.h:127:19: warning: array subscript -10 is outside array bounds of ‘void *[38]’ [-Warray-bounds]
127 | D->globals = gl - 10; /* Negative bias to compensate for locals. */
| ~~~^~~~
/builds/php-8.2.4/ext/opcache/jit/zend_jit_x86.dasc: In function ‘zend_jit_trace’:
/builds/php-8.2.4/ext/opcache/jit/zend_jit_x86.dasc:143:14: note: at offset -80 into object ‘dasm_labels’ of size 304
143 | static void* dasm_labels[zend_lb_MAX];
| ^~~~~~~~~~~
In file included from /builds/php-8.2.4/ext/opcache/jit/zend_jit.c:4428:
ext/opcache/jit/zend_jit_trace.c:6472:86: warning: ‘gen_handler’ may be used uninitialized [-Wmaybe-uninitialized]
6472 | (gen_handler || !ra || !ra[ssa_op->op1_def]));
| ^~
ext/opcache/jit/zend_jit_trace.c:4298:30: note: ‘gen_handler’ was declared here
4298 | bool gen_handler;
| ^~~~~~~~~~~
In function ‘dasm_setupglobal’,
inlined from ‘zend_jit_trace_exit_to_vm’ at ext/opcache/jit/zend_jit_trace.c:7001:2,
inlined from ‘zend_jit_blacklist_trace_exit’ at ext/opcache/jit/zend_jit_trace.c:7721:14:
/builds/php-8.2.4/ext/opcache/jit/dynasm/dasm_x86.h:127:19: warning: array subscript -10 is outside array bounds of ‘void *[38]’ [-Warray-bounds]
127 | D->globals = gl - 10; /* Negative bias to compensate for locals. */
| ~~~^~~~
/builds/php-8.2.4/ext/opcache/jit/zend_jit_x86.dasc: In function ‘zend_jit_blacklist_trace_exit’:
/builds/php-8.2.4/ext/opcache/jit/zend_jit_x86.dasc:143:14: note: at offset -80 into object ‘dasm_labels’ of size 304
143 | static void* dasm_labels[zend_lb_MAX];
| ^~~~~~~~~~~
In function ‘dasm_setupglobal’,
inlined from ‘zend_jit_make_stubs’ at /builds/php-8.2.4/ext/opcache/jit/zend_jit.c:4712:2,
inlined from ‘zend_jit_startup’ at /builds/php-8.2.4/ext/opcache/jit/zend_jit.c:5001:9:
/builds/php-8.2.4/ext/opcache/jit/dynasm/dasm_x86.h:127:19: warning: array subscript -10 is outside array bounds of ‘void *[38]’ [-Warray-bounds]
127 | D->globals = gl - 10; /* Negative bias to compensate for locals. */
| ~~~^~~~
/builds/php-8.2.4/ext/opcache/jit/zend_jit_x86.dasc: In function ‘zend_jit_startup’:
/builds/php-8.2.4/ext/opcache/jit/zend_jit_x86.dasc:143:14: note: at offset -80 into object ‘dasm_labels’ of size 304
143 | static void* dasm_labels[zend_lb_MAX];
| ^~~~~~~~~~~
### PHP Version
PHP 8.2.4
### Operating System
SLES 15.4 gcc 12