Merge tag 'php-8.1.21' into was-8.1.x

Tag for php 8.1.21

Author: MaxKellermann

.cirrus.yml

@@ -62,7 +62,7 @@ arm_task:
         libgmp-dev
         libicu-dev
         libtidy-dev
-        libenchant-dev
+        libenchant-2-dev
         libaspell-dev
         libpspell-dev
         libsasl2-dev

.github/actions/setup-x64/action.yml

@@ -17,7 +17,7 @@ runs:
         docker exec sql1 /opt/mssql-tools/bin/sqlcmd -S 127.0.0.1 -U SA -P "<YourStrong@Passw0rd>" -Q "create login pdo_test with password='password', check_policy=off; create user pdo_test for login pdo_test; grant alter, control to pdo_test;"
         sudo locale-gen de_DE
 
-        ./.github/scripts/setup-slapd.sh &>/dev/null
+        ./.github/scripts/setup-slapd.sh
 
         sudo cp ext/snmp/tests/snmpd.conf /etc/snmp
         sudo cp ext/snmp/tests/bigtest /etc/snmp

.github/workflows/nightly.yml

@@ -632,7 +632,7 @@ jobs:
         with:
           # FIXME: There are new warnings
           # configurationParameters: --enable-werror
-          libmysql: mysql-8.0.30-linux-glibc2.12-x86_64.tar.xz
+          libmysql: mysql-8.0.33-linux-glibc2.12-x86_64.tar.xz
           withMysqli: ${{ matrix.branch.ref == 'PHP-8.1' }}
       - name: Test mysql-8.0
         uses: ./.github/actions/test-libmysqlclient

NEWS

@@ -1,5 +1,138 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+06 Jun 2023, PHP 8.1.21
+
+- CLI:
+  . Fixed bug GH-11246 (cli/get_set_process_title fails on MacOS).
+    (James Lucas)
+
+- Core:
+  . Fixed build for the riscv64 architecture/GCC 12. (Daniil Gentili)
+
+- Curl:
+  . Fixed bug GH-11433 (Unable to set CURLOPT_ACCEPT_ENCODING to NULL).
+    (nielsdos)
+
+- DOM:
+  . Fixed bugs GH-11288 and GH-11289 and GH-11290 and GH-9142 (DOMExceptions
+    and segfaults with replaceWith). (nielsdos)
+  . Fixed bug GH-10234 (Setting DOMAttr::textContent results in an empty
+    attribute value). (nielsdos)
+  . Fix return value in stub file for DOMNodeList::item. (divinity76)
+  . Fix spec compliance error with '*' namespace for
+    DOMDocument::getElementsByTagNameNS. (nielsdos)
+  . Fix DOMElement::append() and DOMElement::prepend() hierarchy checks.
+    (nielsdos)
+  . Fixed bug GH-11347 (Memory leak when calling a static method inside an
+    xpath query). (nielsdos)
+  . Fixed bug #67440 (append_node of a DOMDocumentFragment does not reconcile
+    namespaces). (nielsdos)
+  . Fixed bug #81642 (DOMChildNode::replaceWith() bug when replacing a node
+    with itself). (nielsdos)
+  . Fixed bug #77686 (Removed elements are still returned by getElementById).
+    (nielsdos)
+  . Fixed bug #70359 (print_r() on DOMAttr causes Segfault in
+    php_libxml_node_free_list()). (nielsdos)
+  . Fixed bug #78577 (Crash in DOMNameSpace debug info handlers). (nielsdos)
+  . Fix lifetime issue with getAttributeNodeNS(). (nielsdos)
+  . Fix "invalid state error" with cloned namespace declarations. (nielsdos)
+  . Fixed bug #55294 and #47530 and #47847 (various namespace reconciliation
+    issues). (nielsdos)
+  . Fixed bug #80332 (Completely broken array access functionality with
+    DOMNamedNodeMap). (nielsdos)
+
+- Opcache:
+  . Fix allocation loop in zend_shared_alloc_startup(). (nielsdos)
+  . Access violation on smm_shared_globals with ALLOC_FALLBACK. (KoudelkaB)
+  . Fixed bug GH-11336 (php still tries to unlock the shared memory ZendSem
+    with opcache.file_cache_only=1 but it was never locked). (nielsdos)
+
+- OpenSSL:
+  . Fixed bug GH-9356 Incomplete validation of IPv6 Address fields in
+    subjectAltNames (James Lucas, Jakub Zelenka).
+
+- PGSQL:
+  . Fixed intermittent segfault with pg_trace. (David Carlier)
+
+- Phar:
+  . Fix cross-compilation check in phar generation for FreeBSD. (peter279k)
+
+- SPL:
+  . Fixed bug GH-11338 (SplFileInfo empty getBasename with more than one
+    slash). (nielsdos)
+
+- Standard:
+  . Fix access on NULL pointer in array_merge_recursive(). (ilutov)
+  . Fix exception handling in array_multisort(). (ilutov)
+
+08 Jun 2023, PHP 8.1.20
+
+- Core:
+  . Fixed bug GH-9068 (Conditional jump or move depends on uninitialised
+    value(s)). (nielsdos)
+  . Fixed bug GH-11189 (Exceeding memory limit in zend_hash_do_resize leaves
+    the array in an invalid state). (Bob)
+  . Fixed bug GH-11222 (foreach by-ref may jump over keys during a rehash).
+    (Bob)
+
+- Date:
+  . Fixed bug GH-11281 (DateTimeZone::getName() does not include seconds in
+    offset). (nielsdos)
+
+- Exif:
+  . Fixed bug GH-10834 (exif_read_data() cannot read smaller stream wrapper
+    chunk sizes). (nielsdos)
+
+- FPM:
+  . Fixed bug GH-10461 (PHP-FPM segfault due to after free usage of
+    child->ev_std(out|err)). (Jakub Zelenka)
+  . Fixed bug #64539 (FPM status page: query_string not properly JSON encoded).
+    (Jakub Zelenka)
+  . Fixed memory leak for invalid primary script file handle. (Jakub Zelenka)
+
+- Hash:
+  . Fixed bug GH-11180 (hash_file() appears to be restricted to 3 arguments).
+    (nielsdos)
+
+- LibXML:
+  . Fixed bug GH-11160 (Few tests failed building with new libxml 2.11.0).
+    (nielsdos)
+
+- Opcache:
+  . Fixed bug GH-11134 (Incorrect match default branch optimization). (ilutov)
+  . Fixed too wide OR and AND range inference. (nielsdos)
+  . Fixed bug GH-11245 (In some specific cases SWITCH with one default
+    statement will cause segfault). (nielsdos)
+
+- PGSQL:
+  . Fixed parameter parsing of pg_lo_export(). (kocsismate)
+
+- Phar:
+  . Fixed bug GH-11099 (Generating phar.php during cross-compile can't be
+    done). (peter279k)
+
+- Soap:
+  . Fixed bug GHSA-76gg-c692-v2mw (Missing error check and insufficient random
+    bytes in HTTP Digest authentication for SOAP). (nielsdos, timwolla)
+  . Fixed bug GH-8426 (make test fail while soap extension build). (nielsdos)
+
+- SPL:
+  . Fixed bug GH-11178 (Segmentation fault in spl_array_it_get_current_data
+    (PHP 8.1.18)). (nielsdos)
+
+- Standard:
+  . Fixed bug GH-11138 (move_uploaded_file() emits open_basedir warning for
+    source file). (ilutov)
+  . Fixed bug GH-11274 (POST/PATCH request switches to GET after a HTTP 308
+    redirect). (nielsdos)
+
+- Streams:
+  . Fixed bug GH-10031 ([Stream] STREAM_NOTIFY_PROGRESS over HTTP emitted
+    irregularly for last chunk of data). (nielsdos)
+  . Fixed bug GH-11175 (Stream Socket Timeout). (nielsdos)
+  . Fixed bug GH-11177 (ASAN UndefinedBehaviorSanitizer when timeout = -1
+    passed to stream_socket_accept/stream_socket_client). (nielsdos)
+
 11 May 2023, PHP 8.1.19
 
 - Core:

Zend/Optimizer/block_pass.c

@@ -257,6 +257,10 @@ static void zend_optimize_block(zend_basic_block *block, zend_op_array *op_array
 				break;
 
 			case ZEND_FREE:
+				/* Note: Only remove the source if the source is local to this block.
+				 * If it's not local, then the other blocks successors must also eventually either FREE or consume the temporary,
+				 * hence removing the temporary is not safe in the general case, especially when other consumers are not FREE.
+				 * A FREE may not be removed without also removing the source's result, because otherwise that would cause a memory leak. */
 				if (opline->op1_type == IS_TMP_VAR) {
 					src = VAR_SOURCE(opline->op1);
 					if (src) {
@@ -265,6 +269,7 @@ static void zend_optimize_block(zend_basic_block *block, zend_op_array *op_array
 							case ZEND_BOOL_NOT:
 								/* T = BOOL(X), FREE(T) => T = BOOL(X) */
 								/* The remaining BOOL is removed by a separate optimization */
+								/* The source is a bool, no source removals take place, so this may be done non-locally. */
 								VAR_SOURCE(opline->op1) = NULL;
 								MAKE_NOP(opline);
 								++(*opt_count);
@@ -283,6 +288,9 @@ static void zend_optimize_block(zend_basic_block *block, zend_op_array *op_array
 							case ZEND_PRE_DEC_OBJ:
 							case ZEND_PRE_INC_STATIC_PROP:
 							case ZEND_PRE_DEC_STATIC_PROP:
+								if (src < op_array->opcodes + block->start) {
+									break;
+								}
 								src->result_type = IS_UNUSED;
 								VAR_SOURCE(opline->op1) = NULL;
 								MAKE_NOP(opline);
@@ -295,7 +303,7 @@ static void zend_optimize_block(zend_basic_block *block, zend_op_array *op_array
 				} else if (opline->op1_type == IS_VAR) {
 					src = VAR_SOURCE(opline->op1);
 					/* V = OP, FREE(V) => OP. NOP */
-					if (src &&
+					if (src >= op_array->opcodes + block->start &&
 					    src->opcode != ZEND_FETCH_R &&
 					    src->opcode != ZEND_FETCH_STATIC_PROP_R &&
 					    src->opcode != ZEND_FETCH_DIM_R &&

Zend/Optimizer/dfa_pass.c

@@ -1000,32 +1000,41 @@ static int zend_dfa_optimize_jmps(zend_op_array *op_array, zend_ssa *ssa)
 							|| (opline->opcode == ZEND_SWITCH_STRING && type == IS_STRING)
 							|| (opline->opcode == ZEND_MATCH && (type == IS_LONG || type == IS_STRING));
 
-						if (!correct_type) {
+						/* Switch statements have a fallback chain for loose comparison. In those
+						 * cases the SWITCH_* instruction is a NOP. Match does strict comparison and
+						 * thus jumps to the default branch on mismatched types, so we need to
+						 * convert MATCH to a jmp. */
+						if (!correct_type && opline->opcode != ZEND_MATCH) {
 							removed_ops++;
 							MAKE_NOP(opline);
 							opline->extended_value = 0;
 							take_successor_ex(ssa, block_num, block, block->successors[block->successors_count - 1]);
 							goto optimize_nop;
-						} else {
+						}
+
+						uint32_t target;
+						if (correct_type) {
 							HashTable *jmptable = Z_ARRVAL_P(CT_CONSTANT_EX(op_array, opline->op2.constant));
 							zval *jmp_zv = type == IS_LONG
 								? zend_hash_index_find(jmptable, Z_LVAL_P(zv))
 								: zend_hash_find(jmptable, Z_STR_P(zv));
 
-							uint32_t target;
 							if (jmp_zv) {
 								target = ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, Z_LVAL_P(jmp_zv));
 							} else {
 								target = ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, opline->extended_value);
 							}
-							opline->opcode = ZEND_JMP;
-							opline->extended_value = 0;
-							SET_UNUSED(opline->op1);
-							ZEND_SET_OP_JMP_ADDR(opline, opline->op1, op_array->opcodes + target);
-							SET_UNUSED(opline->op2);
-							take_successor_ex(ssa, block_num, block, ssa->cfg.map[target]);
-							goto optimize_jmp;
+						} else {
+							ZEND_ASSERT(opline->opcode == ZEND_MATCH);
+							target = ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, opline->extended_value);
 						}
+						opline->opcode = ZEND_JMP;
+						opline->extended_value = 0;
+						SET_UNUSED(opline->op1);
+						ZEND_SET_OP_JMP_ADDR(opline, opline->op1, op_array->opcodes + target);
+						SET_UNUSED(opline->op2);
+						take_successor_ex(ssa, block_num, block, ssa->cfg.map[target]);
+						goto optimize_jmp;
 					}
 					break;
 				case ZEND_NOP:

Zend/Optimizer/zend_inference.c

@@ -436,7 +436,7 @@ static void zend_ssa_range_or(zend_long a, zend_long b, zend_long c, zend_long d
 	int x = ((a < 0) ? 8 : 0) |
 	        ((b < 0) ? 4 : 0) |
 	        ((c < 0) ? 2 : 0) |
-	        ((d < 0) ? 2 : 0);
+	        ((d < 0) ? 1 : 0);
 	switch (x) {
 		case 0x0:
 		case 0x3:
@@ -484,7 +484,7 @@ static void zend_ssa_range_and(zend_long a, zend_long b, zend_long c, zend_long
 	int x = ((a < 0) ? 8 : 0) |
 	        ((b < 0) ? 4 : 0) |
 	        ((c < 0) ? 2 : 0) |
-	        ((d < 0) ? 2 : 0);
+	        ((d < 0) ? 1 : 0);
 	switch (x) {
 		case 0x0:
 		case 0x3:

Zend/tests/array_merge_recursive_next_key_overflow.phpt

@@ -0,0 +1,25 @@
+--TEST--
+Access on NULL pointer in array_merge_recursive()
+--FILE--
+<?php
+try {
+    array_merge_recursive(
+        ['' => [PHP_INT_MAX => null]],
+        ['' => [null]],
+    );
+} catch (Throwable $e) {
+    echo $e->getMessage(), "\n";
+}
+
+try {
+    array_merge_recursive(
+        ['foo' => [PHP_INT_MAX => null]],
+        ['foo' => str_repeat('a', 2)],
+    );
+} catch (Throwable $e) {
+    echo $e->getMessage(), "\n";
+}
+?>
+--EXPECT--
+Cannot add element to the array as the next element is already occupied
+Cannot add element to the array as the next element is already occupied

Zend/tests/array_multisort_exception.phpt

@@ -0,0 +1,13 @@
+--TEST--
+Exception handling in array_multisort()
+--FILE--
+<?php
+$array = [1 => new DateTime(), 0 => new DateTime()];
+array_multisort($array, SORT_STRING);
+?>
+--EXPECTF--
+Fatal error: Uncaught Error: Object of class DateTime could not be converted to string in %s:%d
+Stack trace:
+#0 %s(%d): array_multisort(Array, 2)
+#1 {main}
+  thrown in %s on line %d

Zend/tests/gh11138.phpt

@@ -0,0 +1,28 @@
+--TEST--
+move_uploaded_file() emits open_basedir warning for source file
+--POST_RAW--
+Content-type: multipart/form-data, boundary=AaB03x
+
+--AaB03x
+content-disposition: form-data; name="file"; filename="file.txt"
+Content-Type: text/plain
+
+foo
+--AaB03x--
+--FILE--
+<?php
+
+ini_set('open_basedir', __DIR__);
+
+$destination = __DIR__ . '/gh11138.tmp';
+var_dump(move_uploaded_file($_FILES['file']['tmp_name'], $destination));
+echo file_get_contents($destination), "\n";
+
+?>
+--CLEAN--
+<?php
+@unlink(__DIR__ . '/gh11138.tmp');
+?>
+--EXPECT--
+bool(true)
+foo