Merge remote-tracking branch 'origin/PHP-8.4' into asan_zend_alloc

Author: danog

NEWS

@@ -13,6 +13,8 @@ PHP                                                                        NEWS
   . Fixed GH-18695 (zend_ast_export() - float number is not preserved).
     (Oleg Efimov)
   . Fix handling of references in zval_try_get_long(). (nielsdos)
+  . Do not delete main chunk in zend_gc. (danog, Arnaud)
+  . Fix compile issues with zend_alloc and some non-default options. (nielsdos)
 
 - Curl:
   . Fix memory leak when setting a list via curl_setopt fails. (nielsdos)
@@ -31,16 +33,33 @@ PHP                                                                        NEWS
   . Fix memory leak in intl_datetime_decompose() on failure. (nielsdos)
   . Fix memory leak in locale lookup on failure. (nielsdos)
 
+- Opcache:
+  . Fixed bug GH-18743 (Incompatibility in Inline TLS Assembly on Alpine 3.22).
+    (nielsdos, Arnaud)
+
+- ODBC:
+  . Fix memory leak on php_odbc_fetch_hash() failure. (nielsdos)
+
 - OpenSSL:
   . Fix memory leak of X509_STORE in php_openssl_setup_verify() on failure.
     (nielsdos)
   . Fixed bug #74796 (Requests through http proxy set peer name).
     (Jakub Zelenka)
 
+- PDO ODBC:
+  . Fix memory leak if WideCharToMultiByte() fails. (nielsdos)
+
+- PDO Sqlite:
+  . Fixed memory leak with Pdo_Sqlite::createCollation when the callback
+    has an incorrect return type. (David Carlier)
+
 - Phar:
   . Add missing filter cleanups on phar failure. (nielsdos)
   . Fixed bug GH-18642 (Signed integer overflow in ext/phar fseek). (nielsdos)
 
+- PHPDBG:
+  . Fix 'phpdbg --help' segfault on shutdown with USE_ZEND_ALLOC=0. (nielsdos)
+
 - PGSQL:
   . Fix warning not being emitted when failure to cancel a query with
     pg_cancel_query(). (Girgias)

Zend/tests/gh18756.phpt

@@ -0,0 +1,13 @@
+--TEST--
+Bug GH-18756: Zend MM may delete the main chunk
+--EXTENSIONS--
+zend_test
+--FILE--
+<?php
+
+zend_test_gh18756();
+
+?>
+==DONE==
+--EXPECT--
+==DONE==

Zend/zend_alloc.c

@@ -2505,7 +2505,9 @@ ZEND_API void zend_mm_shutdown(zend_mm_heap *heap, bool full, bool silent)
 				/* Make sure the heap free below does not use tracked_free(). */
 				heap->custom_heap._free = __zend_free;
 			}
+#if ZEND_MM_STAT
 			heap->size = 0;
+#endif
 		}
 
 		void (*shutdown)(bool, bool) = heap->custom_heap._shutdown;
@@ -3183,6 +3185,7 @@ static zend_always_inline zval *tracked_get_size_zv(zend_mm_heap *heap, void *pt
 }
 
 static zend_always_inline void tracked_check_limit(zend_mm_heap *heap, size_t add_size) {
+#if ZEND_MM_STAT
 	if (add_size > heap->limit - heap->size && !heap->overflow) {
 #if ZEND_DEBUG
 		zend_mm_safe_error(heap,
@@ -3194,6 +3197,7 @@ static zend_always_inline void tracked_check_limit(zend_mm_heap *heap, size_t ad
 			heap->limit, add_size);
 #endif
 	}
+#endif
 }
 
 static void *tracked_malloc(size_t size ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
@@ -3208,7 +3212,9 @@ static void *tracked_malloc(size_t size ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC
 	}
 
 	tracked_add(heap, ptr, size);
+#if ZEND_MM_STAT
 	heap->size += size;
+#endif
 	ZEND_ASAN_POISON_MEMORY_REGION(heap, sizeof(zend_mm_heap));
 	return ptr;
 }
@@ -3221,7 +3227,9 @@ static void tracked_free(void *ptr ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC) {
 	zend_mm_heap *heap = AG(mm_heap);
 	ZEND_ASAN_UNPOISON_MEMORY_REGION(heap, sizeof(zend_mm_heap));
 	zval *size_zv = tracked_get_size_zv(heap, ptr);
+#if ZEND_MM_STAT
 	heap->size -= Z_LVAL_P(size_zv);
+#endif
 	zend_hash_del_bucket(heap->tracked_allocs, (Bucket *) size_zv);
 	ZEND_ASAN_POISON_MEMORY_REGION(heap, sizeof(zend_mm_heap));
 	free(ptr);
@@ -3248,7 +3256,9 @@ static void *tracked_realloc(void *ptr, size_t new_size ZEND_FILE_LINE_DC ZEND_F
 
 	ptr = __zend_realloc(ptr, new_size ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
 	tracked_add(heap, ptr, new_size);
+#if ZEND_MM_STAT
 	heap->size += new_size - old_size;
+#endif
 	ZEND_ASAN_UNPOISON_MEMORY_REGION(heap, sizeof(zend_mm_heap));
 	return ptr;
 }

ext/odbc/php_odbc.c

@@ -1463,6 +1463,7 @@ static void php_odbc_fetch_hash(INTERNAL_FUNCTION_PARAMETERS, int result_type)
 				if (rc == SQL_ERROR) {
 					odbc_sql_error(result->conn_ptr, result->stmt, "SQLGetData");
 					efree(buf);
+					zval_ptr_dtor(return_value);
 					RETURN_FALSE;
 				}
 

ext/opcache/jit/zend_jit_ir.c

@@ -3458,15 +3458,15 @@ static void zend_jit_setup(bool reattached)
 
 		__asm__(
 			"leaq _tsrm_ls_cache@tlsgd(%%rip), %0\n"
-			: "=a" (ti));
+			: "=D" (ti));
 		tsrm_tls_offset = ti[1];
 		tsrm_tls_index = ti[0] * 8;
 #elif defined(__FreeBSD__)
 		size_t *ti;
 
 		__asm__(
 			"leaq _tsrm_ls_cache@tlsgd(%%rip), %0\n"
-			: "=a" (ti));
+			: "=D" (ti));
 		tsrm_tls_offset = ti[1];
 		/* Index is offset by 1 on FreeBSD (https://github.com/freebsd/freebsd-src/blob/bf56e8b9c8639ac4447d223b83cdc128107cc3cd/libexec/rtld-elf/rtld.c#L5260) */
 		tsrm_tls_index = (ti[0] + 1) * 8;
@@ -3475,7 +3475,7 @@ static void zend_jit_setup(bool reattached)
 
 		__asm__(
 			"leaq _tsrm_ls_cache@tlsgd(%%rip), %0\n"
-			: "=a" (ti));
+			: "=D" (ti));
 		tsrm_tls_offset = ti[1];
 		tsrm_tls_index = ti[0] * 16;
 #endif

ext/pdo_odbc/odbc_stmt.c

@@ -104,6 +104,7 @@ static int pdo_odbc_ucs22utf8(pdo_stmt_t *stmt, int is_unicode, zval *result)
 		zend_string *str = zend_string_alloc(ret, 0);
 		ret = WideCharToMultiByte(CP_UTF8, 0, (LPCWSTR) Z_STRVAL_P(result), Z_STRLEN_P(result)/sizeof(WCHAR), ZSTR_VAL(str), ZSTR_LEN(str), NULL, NULL);
 		if (ret == 0) {
+			zend_string_efree(str);
 			return PDO_ODBC_CONV_FAIL;
 		}
 

ext/pdo_sqlite/pdo_sqlite.c

@@ -346,6 +346,9 @@ static int php_sqlite_collation_callback(void *context, int string1_len, const v
 
 	zend_call_known_fcc(&collation->callback, &retval, /* argc */ 2, zargs, /* named_params */ NULL);
 
+	zval_ptr_dtor(&zargs[0]);
+	zval_ptr_dtor(&zargs[1]);
+
 	if (!Z_ISUNDEF(retval)) {
 		if (Z_TYPE(retval) != IS_LONG) {
 			zend_string *func_name = get_active_function_or_method_name();
@@ -362,9 +365,6 @@ static int php_sqlite_collation_callback(void *context, int string1_len, const v
 		}
 	}
 
-	zval_ptr_dtor(&zargs[0]);
-	zval_ptr_dtor(&zargs[1]);
-
 	return ret;
 }
 

ext/pdo_sqlite/tests/subclasses/pdo_sqlite_createcollation_wrong_callback.phpt

@@ -0,0 +1,24 @@
+--TEST--
+Pdo\Sqlite::createCollation() memory leaks on wrong callback return type
+--EXTENSIONS--
+pdo_sqlite
+--FILE--
+<?php
+
+declare(strict_types=1);
+
+$db = new Pdo\Sqlite('sqlite::memory:');
+
+$db->exec("CREATE TABLE test (c string)");
+$db->exec("INSERT INTO test VALUES('youwontseeme')");
+$db->exec("INSERT INTO test VALUES('neither')");
+$db->createCollation('NAT', function($a, $b): string { return $a . $b; });
+
+try {
+    $db->query("SELECT c FROM test ORDER BY c COLLATE NAT");
+} catch (\TypeError $e) {
+    echo $e->getMessage(), PHP_EOL;
+}
+?>
+--EXPECT--
+PDO::query(): Return value of the callback must be of type int, string returned

ext/standard/tests/file/copy_variation2-win32-mb.phpt

@@ -22,24 +22,24 @@ fclose($file_handle);
 $dest_files = array(
 
   /* File names containing special(non-alpha numeric) characters */
-  "_copy_variation2.tmp",
-  "@copy_variation2.tmp",
-  "#copy_variation2.tmp",
-  "+copy_variation2.tmp",
-  "?copy_variation2.tmp",
-  ">copy_variation2.tmp",
-  "!copy_variation2.tmp",
-  "&copy_variation2.tmp",
-  "(copy_variation2.tmp",
-  ":copy_variation2.tmp",
-  ";copy_variation2.tmp",
-  "=copy_variation2.tmp",
-  "[copy_variation2.tmp",
-  "^copy_variation2.tmp",
-  "{copy_variation2.tmp",
-  "|copy_variation2.tmp",
-  "~copy_variation2.tmp",
-  "\$copy_variation2.tmp"
+  "_copy_variation2_mb.tmp",
+  "@copy_variation2_mb.tmp",
+  "#copy_variation2_mb.tmp",
+  "+copy_variation2_mb.tmp",
+  "?copy_variation2_mb.tmp",
+  ">copy_variation2_mb.tmp",
+  "!copy_variation2_mb.tmp",
+  "&copy_variation2_mb.tmp",
+  "(copy_variation2_mb.tmp",
+  ":copy_variation2_mb.tmp",
+  ";copy_variation2_mb.tmp",
+  "=copy_variation2_mb.tmp",
+  "[copy_variation2_mb.tmp",
+  "^copy_variation2_mb.tmp",
+  "{copy_variation2_mb.tmp",
+  "|copy_variation2_mb.tmp",
+  "~copy_variation2_mb.tmp",
+  "\$copy_variation2_mb.tmp"
 );
 
 echo "Size of the source file before copy operation => ";
@@ -90,28 +90,28 @@ Size of the source file before copy operation => int(1500)
 -- Iteration 1 --
 Copy operation => bool(true)
 Existence of destination file => bool(true)
-Destination file name => %s/_copy_variation2.tmp
+Destination file name => %s/_copy_variation2_mb.tmp
 Size of source file => int(1500)
 Size of destination file => int(1500)
 
 -- Iteration 2 --
 Copy operation => bool(true)
 Existence of destination file => bool(true)
-Destination file name => %s/@copy_variation2.tmp
+Destination file name => %s/@copy_variation2_mb.tmp
 Size of source file => int(1500)
 Size of destination file => int(1500)
 
 -- Iteration 3 --
 Copy operation => bool(true)
 Existence of destination file => bool(true)
-Destination file name => %s/#copy_variation2.tmp
+Destination file name => %s/#copy_variation2_mb.tmp
 Size of source file => int(1500)
 Size of destination file => int(1500)
 
 -- Iteration 4 --
 Copy operation => bool(true)
 Existence of destination file => bool(true)
-Destination file name => %s/+copy_variation2.tmp
+Destination file name => %s/+copy_variation2_mb.tmp
 Size of source file => int(1500)
 Size of destination file => int(1500)
 
@@ -130,21 +130,21 @@ Existence of destination file => bool(false)
 -- Iteration 7 --
 Copy operation => bool(true)
 Existence of destination file => bool(true)
-Destination file name => %s/!copy_variation2.tmp
+Destination file name => %s/!copy_variation2_mb.tmp
 Size of source file => int(1500)
 Size of destination file => int(1500)
 
 -- Iteration 8 --
 Copy operation => bool(true)
 Existence of destination file => bool(true)
-Destination file name => %s/&copy_variation2.tmp
+Destination file name => %s/&copy_variation2_mb.tmp
 Size of source file => int(1500)
 Size of destination file => int(1500)
 
 -- Iteration 9 --
 Copy operation => bool(true)
 Existence of destination file => bool(true)
-Destination file name => %s/(copy_variation2.tmp
+Destination file name => %s/(copy_variation2_mb.tmp
 Size of source file => int(1500)
 Size of destination file => int(1500)
 
@@ -157,35 +157,35 @@ Existence of destination file => bool(false)
 -- Iteration 11 --
 Copy operation => bool(true)
 Existence of destination file => bool(true)
-Destination file name => %s/;copy_variation2.tmp
+Destination file name => %s/;copy_variation2_mb.tmp
 Size of source file => int(1500)
 Size of destination file => int(1500)
 
 -- Iteration 12 --
 Copy operation => bool(true)
 Existence of destination file => bool(true)
-Destination file name => %s/=copy_variation2.tmp
+Destination file name => %s/=copy_variation2_mb.tmp
 Size of source file => int(1500)
 Size of destination file => int(1500)
 
 -- Iteration 13 --
 Copy operation => bool(true)
 Existence of destination file => bool(true)
-Destination file name => %s/[copy_variation2.tmp
+Destination file name => %s/[copy_variation2_mb.tmp
 Size of source file => int(1500)
 Size of destination file => int(1500)
 
 -- Iteration 14 --
 Copy operation => bool(true)
 Existence of destination file => bool(true)
-Destination file name => %s/^copy_variation2.tmp
+Destination file name => %s/^copy_variation2_mb.tmp
 Size of source file => int(1500)
 Size of destination file => int(1500)
 
 -- Iteration 15 --
 Copy operation => bool(true)
 Existence of destination file => bool(true)
-Destination file name => %s/{copy_variation2.tmp
+Destination file name => %s/{copy_variation2_mb.tmp
 Size of source file => int(1500)
 Size of destination file => int(1500)
 
@@ -198,14 +198,14 @@ Existence of destination file => bool(false)
 -- Iteration 17 --
 Copy operation => bool(true)
 Existence of destination file => bool(true)
-Destination file name => %s/~copy_variation2.tmp
+Destination file name => %s/~copy_variation2_mb.tmp
 Size of source file => int(1500)
 Size of destination file => int(1500)
 
 -- Iteration 18 --
 Copy operation => bool(true)
 Existence of destination file => bool(true)
-Destination file name => %s/$copy_variation2.tmp
+Destination file name => %s/$copy_variation2_mb.tmp
 Size of source file => int(1500)
 Size of destination file => int(1500)
 *** Done ***

ext/zend_test/test.c

@@ -1576,3 +1576,13 @@ static PHP_FUNCTION(zend_test_create_throwing_resource)
 	zend_resource *res = zend_register_resource(NULL, le_throwing_resource);
 	ZVAL_RES(return_value, res);
 }
+
+static PHP_FUNCTION(zend_test_gh18756)
+{
+	ZEND_PARSE_PARAMETERS_NONE();
+
+	zend_mm_heap *heap = zend_mm_startup();
+	zend_mm_gc(heap);
+	zend_mm_gc(heap);
+	zend_mm_shutdown(heap, true, false);
+}