Merge branch 'php:master' into feature/portable-opcache

Author: iamacarpet

NEWS

@@ -2,6 +2,10 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.5.0alpha2
 
+- Core:
+  . Fix OSS-Fuzz #427814452 (pipe compilation fails with assert).
+    (nielsdos, ilutov)
+
 - DOM:
   . Make cloning DOM node lists, maps, and collections fail. (nielsdos)
 
@@ -79,6 +83,8 @@ PHP                                                                        NEWS
     (DanielEScherzer)
   . Do not use RTLD_DEEPBIND if dlmopen is available. (Daniil Gentili)
   . Make `clone()` a function. (timwolla, edorian)
+  . Fixed bug GH-19081 (Wrong lineno in property error with constructor property
+    promotion). (ilutov)
 
 - Curl:
   . Added curl_multi_get_handles(). (timwolla)

Zend/Optimizer/zend_func_infos.h

@@ -131,9 +131,7 @@ static const func_info_t func_infos[] = {
 	F1("imagecreatefromgd", MAY_BE_OBJECT|MAY_BE_FALSE),
 	F1("imagecreatefromgd2", MAY_BE_OBJECT|MAY_BE_FALSE),
 	F1("imagecreatefromgd2part", MAY_BE_OBJECT|MAY_BE_FALSE),
-#if defined(HAVE_GD_BMP)
 	F1("imagecreatefrombmp", MAY_BE_OBJECT|MAY_BE_FALSE),
-#endif
 	F1("imagecolorsforindex", MAY_BE_ARRAY|MAY_BE_ARRAY_KEY_STRING|MAY_BE_ARRAY_OF_LONG),
 	F1("imagegetclip", MAY_BE_ARRAY|MAY_BE_ARRAY_KEY_LONG|MAY_BE_ARRAY_OF_LONG),
 #if defined(HAVE_GD_FREETYPE)

Zend/tests/ctor_promotion/ctor_promotion_callable_type.phpt

@@ -4,9 +4,11 @@ Type of promoted property may not be callable
 <?php
 
 class Test {
-    public function __construct(public callable $callable) {}
+    public function __construct(
+        public callable $callable
+    ) {}
 }
 
 ?>
 --EXPECTF--
-Fatal error: Property Test::$callable cannot have type callable in %s on line %d
+Fatal error: Property Test::$callable cannot have type callable in %s on line 5

Zend/tests/pipe_operator/gh18965.phpt

@@ -0,0 +1,12 @@
+--TEST--
+GH-18965: ASSERT_CHECK avoids pipe lhs free
+--INI--
+zend.assertions=0
+--FILE--
+<?php
+namespace Foo;
+range(0, 10) |> assert(...);
+echo "No leak\n";
+?>
+--EXPECT--
+No leak

Zend/tests/pipe_operator/oss_fuzz_427814452.phpt

@@ -0,0 +1,26 @@
+--TEST--
+OSS-Fuzz #427814452
+--FILE--
+<?php
+
+try {
+    false |> assert(...);
+} catch (\AssertionError $e) {
+    echo $e::class, ": '", $e->getMessage(), "'\n";
+}
+try {
+    0 |> "assert"(...);
+} catch (\AssertionError $e) {
+    echo $e::class, ": '", $e->getMessage(), "'\n";
+}
+try {
+    false |> ("a"."ssert")(...);
+} catch (\AssertionError $e) {
+    echo $e::class, ": '", $e->getMessage(), "'\n";
+}
+
+?>
+--EXPECT--
+AssertionError: ''
+AssertionError: ''
+AssertionError: ''

Zend/zend_compile.c

@@ -6426,6 +6426,20 @@ static bool can_match_use_jumptable(zend_ast_list *arms) {
 	return 1;
 }
 
+static bool zend_is_pipe_optimizable_callable_name(zend_ast *ast)
+{
+	if (ast->kind == ZEND_AST_ZVAL && Z_TYPE_P(zend_ast_get_zval(ast)) == IS_STRING) {
+		/* Assert compilation adds a message operand, but this is incompatible with the
+		 * pipe optimization that uses a temporary znode for the reference elimination.
+		 * Therefore, disable the optimization for assert.
+		 * Note that "assert" as a name is always treated as fully qualified. */
+		zend_string *str = zend_ast_get_str(ast);
+		return !zend_string_equals_literal_ci(str, "assert");
+	}
+
+	return true;
+}
+
 static void zend_compile_pipe(znode *result, zend_ast *ast)
 {
 	zend_ast *operand_ast = ast->child[0];
@@ -6453,7 +6467,8 @@ static void zend_compile_pipe(znode *result, zend_ast *ast)
 
 	/* Turn $foo |> bar(...) into bar($foo). */
 	if (callable_ast->kind == ZEND_AST_CALL
-		&& callable_ast->child[1]->kind == ZEND_AST_CALLABLE_CONVERT) {
+		&& callable_ast->child[1]->kind == ZEND_AST_CALLABLE_CONVERT
+		&& zend_is_pipe_optimizable_callable_name(callable_ast->child[0])) {
 		fcall_ast = zend_ast_create(ZEND_AST_CALL,
 				callable_ast->child[0], arg_list_ast);
 	/* Turn $foo |> bar::baz(...) into bar::baz($foo). */
@@ -7683,6 +7698,8 @@ static void zend_compile_params(zend_ast *ast, zend_ast *return_type_ast, uint32
 		uint32_t property_flags = param_ast->attr & (ZEND_ACC_PPP_MASK | ZEND_ACC_PPP_SET_MASK | ZEND_ACC_READONLY | ZEND_ACC_FINAL);
 		bool is_promoted = property_flags || hooks_ast;
 
+		CG(zend_lineno) = param_ast->lineno;
+
 		znode var_node, default_node;
 		uint8_t opcode;
 		zend_op *opline;

Zend/zend_language_scanner.l

@@ -921,9 +921,7 @@ static zend_result zend_scan_escape_string(zval *zendlval, char *str, int len, c
 			ZVAL_EMPTY_STRING(zendlval);
 		} else {
 			zend_uchar c = (zend_uchar)*str;
-			if (c == '\n' || c == '\r') {
-				CG(zend_lineno)++;
-			}
+			HANDLE_NEWLINE(c);
 			ZVAL_INTERNED_STR(zendlval, ZSTR_CHAR(c));
 		}
 		goto skip_escape_conversion;
@@ -2512,9 +2510,7 @@ inline_char_handler:
 			ZVAL_EMPTY_STRING(zendlval);
 		} else {
 			zend_uchar c = (zend_uchar)*(yytext+bprefix+1);
-			if (c == '\n' || c == '\r') {
-				CG(zend_lineno)++;
-			}
+			HANDLE_NEWLINE(c);
 			ZVAL_INTERNED_STR(zendlval, ZSTR_CHAR(c));
 		}
 		goto skip_escape_conversion;

ext/dom/html_collection.c

@@ -46,47 +46,35 @@ static dom_named_item dom_html_collection_named_item(zend_string *key, zend_obje
 
 	/* 2. Return the first element in the collection for which at least one of the following is true: */
 	xmlNodePtr basep = dom_object_get_node(objmap->baseobj);
-	if (basep != NULL) {
-		zend_long cur = 0;
-		zend_long next = cur; /* not +1, otherwise we skip the first candidate */
-		xmlNodePtr candidate = basep->children;
-		bool iterate_tag_name = objmap->handler == &php_dom_obj_map_by_tag_name;
-		while (candidate != NULL) {
-			if (iterate_tag_name) {
-				candidate = dom_get_elements_by_tag_name_ns_raw(basep, candidate, objmap->ns, objmap->local, objmap->local_lower, &cur, next);
-				if (candidate == NULL) {
-					break;
-				}
-				next = cur + 1;
-			} else {
-				if (candidate->type != XML_ELEMENT_NODE) {
-					candidate = candidate->next;
-					continue;
-				}
+	if (basep != NULL && basep->children != NULL) {
+		php_dom_obj_map_collection_iter iter = {0};
+		iter.candidate = basep->children;
+		iter.basep = basep;
+
+		while (true) {
+			objmap->handler->collection_named_item_iter(objmap, &iter);
+			if (iter.candidate == NULL) {
+				break;
 			}
 
-			ZEND_ASSERT(candidate->type == XML_ELEMENT_NODE);
+			ZEND_ASSERT(iter.candidate->type == XML_ELEMENT_NODE);
 
 			xmlAttrPtr attr;
 
 			/* it has an ID which is key; */
-			if ((attr = xmlHasNsProp(candidate, BAD_CAST "id", NULL)) != NULL && dom_compare_value(attr, BAD_CAST ZSTR_VAL(key))) {
+			if ((attr = xmlHasNsProp(iter.candidate, BAD_CAST "id", NULL)) != NULL && dom_compare_value(attr, BAD_CAST ZSTR_VAL(key))) {
 				ret.context_intern = objmap->baseobj;
-				ret.node = candidate;
+				ret.node = iter.candidate;
 				return ret;
 			}
 			/* it is in the HTML namespace and has a name attribute whose value is key; */
-			else if (php_dom_ns_is_fast(candidate, php_dom_ns_is_html_magic_token)) {
-				if ((attr = xmlHasNsProp(candidate, BAD_CAST "name", NULL)) != NULL && dom_compare_value(attr, BAD_CAST ZSTR_VAL(key))) {
+			else if (php_dom_ns_is_fast(iter.candidate, php_dom_ns_is_html_magic_token)) {
+				if ((attr = xmlHasNsProp(iter.candidate, BAD_CAST "name", NULL)) != NULL && dom_compare_value(attr, BAD_CAST ZSTR_VAL(key))) {
 					ret.context_intern = objmap->baseobj;
-					ret.node = candidate;
+					ret.node = iter.candidate;
 					return ret;
 				}
 			}
-
-			if (!iterate_tag_name) {
-				candidate = candidate->next;
-			}
 		}
 	}
 

ext/dom/namednodemap.c

@@ -63,7 +63,7 @@ PHP_METHOD(DOMNamedNodeMap, getNamedItem)
 	}
 
 	dom_nnodemap_object *objmap = Z_DOMOBJ_P(ZEND_THIS)->ptr;
-	php_dom_obj_map_get_named_item_into_zval(objmap, named, NULL, return_value);
+	php_dom_obj_map_get_ns_named_item_into_zval(objmap, named, NULL, return_value);
 }
 /* }}} end dom_namednodemap_get_named_item */
 
@@ -108,7 +108,7 @@ PHP_METHOD(DOMNamedNodeMap, getNamedItemNS)
 	objmap = (dom_nnodemap_object *)intern->ptr;
 
 	if (objmap != NULL) {
-		php_dom_obj_map_get_named_item_into_zval(objmap, named, uri, return_value);
+		php_dom_obj_map_get_ns_named_item_into_zval(objmap, named, uri, return_value);
 	}
 }
 /* }}} end dom_namednodemap_get_named_item_ns */