php-src/Zend
Niels Dossche 39b8d5c871 Fix GH-13612: Corrupted memory in destructor with weak references
Inside `zend_object_std_dtor` the weakrefs are notified after the destruction
of properties already took place. In this test case, the destructor of an anon
class will be invoked due to the property destruction. That class has a
weak reference to its parent. This means that the destructor can access
parent properties that already have been destroyed, resulting in a UAF.
Fix this by notifying the weakrefs at the start of the object's
destruction.

Closes GH-13613.
2024-03-08 18:26:17 +01:00
..
asm Merge branch 'PHP-8.1' into PHP-8.2 2023-02-05 16:41:34 +00:00
Optimizer Fix zend_may_throw() for FETCH_DIM_IS and ISSET_ISEMPTY_DIM_OBJ 2024-01-17 00:19:43 +03:00
tests Fix GH-13612: Corrupted memory in destructor with weak references 2024-03-08 18:26:17 +01:00
bench.php
LICENSE
Makefile.frag ext/Zend: zend_language_scanner_defs.h as make target 2023-02-17 16:37:13 +00:00
micro_bench.php
README.md [ci skip] Update README.md on ZE description 2022-02-08 10:38:33 +01:00
zend_alloc_sizes.h Fix GH-9361: Segmentation fault on script exit 2022-08-22 12:59:17 +02:00
zend_alloc.c Merge branch 'PHP-8.1' into PHP-8.2 2023-11-06 19:44:33 +01:00
zend_alloc.h Make pestr[n]dup infallible (#9295) 2022-08-12 12:21:14 +02:00
zend_API.c Workaround ZTS persistent resource crashes (PHP 8.3 and lower) 2024-02-20 21:24:43 +01:00
zend_API.h Merge branch 'PHP-8.1' into PHP-8.2 2023-03-09 13:37:19 +00:00
zend_arena.h Replace zend_bool uses with bool 2021-01-15 12:33:06 +01:00
zend_ast.c Merge branch 'PHP-8.1' into PHP-8.2 2023-03-31 14:28:25 +02:00
zend_ast.h Merge concatenated literal strings while compiling. (#7948) 2022-01-16 13:31:58 -05:00
zend_atomic.c Fixed undefined macros warnings 2022-09-22 13:17:02 +02:00
zend_atomic.h Fix GH-13215 GCC 14 build 2024-01-22 10:58:04 +01:00
zend_attributes_arginfo.h Revert "Fix GH-9967 Add support for generating custom function, class const, and property attributes in stubs" 2023-07-04 09:11:14 +02:00
zend_attributes.c Revert "Store default object handlers alongside the class entry" 2022-09-14 11:18:14 +02:00
zend_attributes.h Support the actual #[\SensitiveParameter] attribute in stubs (#8836) 2022-07-12 12:43:44 +02:00
zend_attributes.stub.php Rename @cname to @cvalue in stubs (#9043) 2022-07-19 15:11:42 +02:00
zend_bitset.h Update http->https in license (#6945) 2021-05-06 12:16:35 +02:00
zend_build.h
zend_builtin_functions_arginfo.h Revert "Fix GH-9967 Add support for generating custom function, class const, and property attributes in stubs" 2023-07-04 09:11:14 +02:00
zend_builtin_functions.c Fix GH-13097: Anonymous class reference in trigger_error / thrown Exception 2024-01-16 21:05:04 +01:00
zend_builtin_functions.h Improve type declarations for Zend APIs 2020-08-28 15:41:27 +02:00
zend_builtin_functions.stub.php Support the #[\AllowDynamicProperties] attribute in stubs (#8776) 2022-06-21 09:28:57 +02:00
zend_closures_arginfo.h Add ZEND_ACC_NOT_SERIALIZABLE flag 2021-07-19 15:59:11 +02:00
zend_closures.c Merge branch 'PHP-8.1' into PHP-8.2 2023-09-04 15:39:20 +02:00
zend_closures.h Add first-class callables 2021-07-14 14:37:25 +02:00
zend_closures.stub.php Add ZEND_ACC_NOT_SERIALIZABLE flag 2021-07-19 15:59:11 +02:00
zend_compile.c Merge branch 'PHP-8.1' into PHP-8.2 2023-09-07 14:25:43 +02:00
zend_compile.h Merge branch 'PHP-8.1' into PHP-8.2 2022-09-02 08:58:27 +02:00
zend_config.w32.h Remove "inline" defines on Windows (#7071) 2021-05-31 10:05:18 +02:00
zend_constants_arginfo.h Do not generate CONST_CS when registering constants (#9439) 2022-08-28 08:27:19 +02:00
zend_constants.c Implement constants in traits (#8888) 2022-08-04 20:08:40 +01:00
zend_constants.h Fix memory leak 2022-05-11 11:43:01 +03:00
zend_constants.stub.php Rename @cname to @cvalue in stubs (#9043) 2022-07-19 15:11:42 +02:00
zend_cpuinfo.c Windows arm64 zend and standard extension support 2022-08-09 12:45:14 +02:00
zend_cpuinfo.h Zend/zend_cpuinfo, ext/standard/crc32_x86: fix -Wstrict-prototypes 2023-02-07 22:47:43 +00:00
zend_default_classes.c Implement Fibers 2021-04-26 11:07:06 -05:00
zend_dtrace.c fix dtrace observer callback prototype 2021-06-04 16:03:09 +02:00
zend_dtrace.d
zend_dtrace.h fix dtrace observer callback prototype 2021-06-04 16:03:09 +02:00
zend_enum_arginfo.h Implement enums 2021-03-17 19:08:03 +01:00
zend_enum.c Fix use-after-free of constant name 2023-10-11 11:49:40 +02:00
zend_enum.h Allow arbitrary const expressions in backed enums 2022-06-12 22:56:05 +02:00
zend_enum.stub.php Implement enums 2021-03-17 19:08:03 +01:00
zend_errors.h
zend_exceptions_arginfo.h Revert "Fix GH-9967 Add support for generating custom function, class const, and property attributes in stubs" 2023-07-04 09:11:14 +02:00
zend_exceptions.c Fix GH-13097: Anonymous class reference in trigger_error / thrown Exception 2024-01-16 21:05:04 +01:00
zend_exceptions.h Allow creating Graceful/UnwindExit and use when destroying a fiber (#7174) 2021-06-28 15:23:34 -05:00
zend_exceptions.stub.php Require zend_constants.stub.php from zend_exceptions.stubs.php 2022-07-12 10:35:03 +02:00
zend_execute_API.c Merge branch 'PHP-8.1' into PHP-8.2 2023-08-03 09:50:20 +02:00
zend_execute.c Align error messages between normal VM and JIT for RW when using object as array (#12799) 2023-11-28 00:37:21 +03:00
zend_execute.h Merge branch 'PHP-8.1' into PHP-8.2 2023-05-24 13:37:47 +02:00
zend_extensions.c zend extension build warning fix. 2023-01-25 20:59:08 +00:00
zend_extensions.h Prepare PHP 8.2.0 RC1 2022-08-30 11:57:05 -04:00
zend_fibers_arginfo.h Add ZEND_ACC_NOT_SERIALIZABLE flag 2021-07-19 15:59:11 +02:00
zend_fibers.c Merge branch 'PHP-8.1' into PHP-8.2 2023-10-11 17:23:17 +02:00
zend_fibers.h Delay fiber VM stack cleanup until after observer has been called 2022-08-29 12:17:12 +02:00
zend_fibers.stub.php Add ZEND_ACC_NOT_SERIALIZABLE flag 2021-07-19 15:59:11 +02:00
zend_float.c Revert "Fix #79595: zend_init_fpu() alters FPU precision" 2020-05-22 16:57:14 +02:00
zend_float.h Fix #79595: zend_init_fpu() alters FPU precision 2020-05-26 17:19:54 +02:00
zend_gc.c Fix GH-13193: Significant performance degradation in 'foreach' starting from PHP 8.2.13 (caused by garbage collection) (#13265) 2024-01-30 06:38:30 +03:00
zend_gc.h Don't perform recursive get_gc call 2021-06-09 11:15:59 +02:00
zend_gdb.c zend_gdb disable gdb detection for FreeBSD < 11. 2023-07-13 12:39:58 +01:00
zend_gdb.h Improve type declarations for Zend APIs 2020-08-28 15:41:27 +02:00
zend_generators_arginfo.h Add ZEND_ACC_NOT_SERIALIZABLE flag 2021-07-19 15:59:11 +02:00
zend_generators.c Merge branch 'PHP-8.1' into PHP-8.2 2023-04-15 18:30:47 +02:00
zend_generators.h Prevent dtor of generator in suspended fiber (#10462) 2023-01-27 19:32:25 +01:00
zend_generators.stub.php Add ZEND_ACC_NOT_SERIALIZABLE flag 2021-07-19 15:59:11 +02:00
zend_globals_macros.h
zend_globals.h Merge branch 'PHP-8.1' into PHP-8.2 2023-03-03 11:45:50 +01:00
zend_hash.c Merge branch 'PHP-8.1' into PHP-8.2 2023-07-21 15:31:20 +02:00
zend_hash.h Convert some macros to zend_always_inline functions (#8288) 2022-08-04 13:24:12 +01:00
zend_highlight.c Introduce pseudo-keyword ZEND_FALLTHROUGH 2021-04-07 00:46:29 +01:00
zend_highlight.h Accept zend_string in highlight_string API 2020-10-22 14:35:40 +02:00
zend_inheritance.c Fix various bugs related to DNF types 2023-08-15 15:34:33 +01:00
zend_inheritance.h Convert some macros to zend_always_inline functions (#8288) 2022-08-04 13:24:12 +01:00
zend_ini_parser.y Merge branch 'PHP-8.1' into PHP-8.2 2022-09-12 23:33:03 +02:00
zend_ini_scanner.h Improve type declarations for Zend APIs 2020-08-28 15:41:27 +02:00
zend_ini_scanner.l Fix/improve handling of escaping in ini parser 2021-08-30 16:59:22 +02:00
zend_ini.c Merge branch 'PHP-8.1' into PHP-8.2 2023-10-14 18:41:48 +01:00
zend_ini.h Add zend_string INI validators 2022-09-06 10:41:47 +01:00
zend_interfaces_arginfo.h Drop serial denier functions 2021-07-20 13:11:11 +02:00
zend_interfaces.c Merge branch 'PHP-8.1' into PHP-8.2 2023-09-05 10:27:33 +01:00
zend_interfaces.h Convert some macros to zend_always_inline functions (#8288) 2022-08-04 13:24:12 +01:00
zend_interfaces.stub.php Drop serial denier functions 2021-07-20 13:11:11 +02:00
zend_istdiostream.h
zend_iterators.c Revert "Port all internally used classes to use default_object_handlers" 2022-09-14 11:13:23 +02:00
zend_iterators.h Cache method overrides of ArrayAccess in zend_class_entry 2021-12-04 11:35:38 -05:00
zend_language_parser.y Fix syntax error when dnf type in parens after readonly 2022-09-11 12:29:29 +02:00
zend_language_scanner.h Fix parsing of semi-reserved tokens at offset > 4 GB 2021-01-25 14:37:36 +01:00
zend_language_scanner.l Fix syntax error when dnf type in parens after readonly 2022-09-11 12:29:29 +02:00
zend_list.c Merge branch 'PHP-8.1' into PHP-8.2 2023-10-29 21:47:23 +01:00
zend_list.h Improve type declarations for Zend APIs 2020-08-28 15:41:27 +02:00
zend_llist.c Change Zend Stream API to use zend_string* instead of char*. 2021-03-16 20:31:36 +03:00
zend_llist.h Convert some macros to zend_always_inline functions (#8288) 2022-08-04 13:24:12 +01:00
zend_long.h Replace php_stdint.h header with standard headers (#8613) 2022-05-29 11:20:56 +01:00
zend_map_ptr.h ext/opcache: C++ compatibility 2022-03-20 20:38:23 +01:00
zend_max_execution_timer.c Fix timer leak (#13027) 2024-01-05 19:36:19 +01:00
zend_max_execution_timer.h fix: support for timeouts with ZTS on Linux (#10141) 2023-03-03 11:35:06 +01:00
zend_mmap.h Zend, ext/opcache: use PR_SET_VMA_ANON_NAME (Linux 5.17) (#8234) 2022-06-20 12:27:01 +01:00
zend_modules.h Workaround ZTS persistent resource crashes (PHP 8.3 and lower) 2024-02-20 21:24:43 +01:00
zend_multibyte.c Improve type declarations for Zend APIs 2020-08-28 15:41:27 +02:00
zend_multibyte.h Improve type declarations for Zend APIs 2020-08-28 15:41:27 +02:00
zend_multiply.h Windows arm64 zend and standard extension support 2022-08-09 12:45:14 +02:00
zend_object_handlers.c Merge branch 'PHP-8.1' into PHP-8.2 2023-04-10 23:25:08 +03:00
zend_object_handlers.h Convert return type of various object handlers from int to zend_result (#8755) 2022-06-26 01:00:19 +02:00
zend_objects_API.c Add API to prevent Fiber switch in select contexts 2021-06-14 14:19:00 -05:00
zend_objects_API.h We don't have to clear zend_object structure, it's initialized by zend_object_std_init() anyway. 2021-04-02 16:11:34 +03:00
zend_objects.c Fix GH-13612: Corrupted memory in destructor with weak references 2024-03-08 18:26:17 +01:00
zend_objects.h
zend_observer.c Fix add/remove observer API with multiple observers installed 2023-06-09 14:00:53 +02:00
zend_observer.h Wrap observer notify functions into inlined enabled checks 2022-08-23 15:22:22 +02:00
zend_opcode.c Fix assertion 2023-12-25 13:22:03 +03:00
zend_operators.c Merge branch 'PHP-8.1' into PHP-8.2 2023-05-01 13:21:32 +02:00
zend_operators.h Fixed a bug in zend_memnistr with single character needle 2023-10-18 16:00:49 +02:00
zend_portability.h Merge branch 'PHP-8.1' into PHP-8.2 2023-01-10 15:23:35 +00:00
zend_ptr_stack.c Replace zend_bool uses with bool 2021-01-15 12:33:06 +01:00
zend_ptr_stack.h Use safe_*erealloc* flavor in few places to mitigate possible overflows. 2022-07-04 14:41:04 +01:00
zend_range_check.h
zend_signal.c Merge branch 'PHP-8.1' into PHP-8.2 2023-03-18 11:45:06 +01:00
zend_signal.h Update http->https in license (#6945) 2021-05-06 12:16:35 +02:00
zend_smart_str_public.h Reduce memory allocated by var_export, json_encode, serialize, and other (#8902) 2022-07-08 14:47:46 +02:00
zend_smart_str.c Merge branch 'PHP-8.0' into PHP-8.1 2021-09-16 16:30:01 +02:00
zend_smart_str.h Convert some macros to zend_always_inline functions (#8288) 2022-08-04 13:24:12 +01:00
zend_smart_string_public.h Update http->https in license (#6945) 2021-05-06 12:16:35 +02:00
zend_smart_string.h Update http->https in license (#6945) 2021-05-06 12:16:35 +02:00
zend_sort.c Remove zend_qsort 2020-05-12 16:57:53 +02:00
zend_sort.h Remove zend_qsort 2020-05-12 16:57:53 +02:00
zend_stack.c Replace zend_bool uses with bool 2021-01-15 12:33:06 +01:00
zend_stack.h Replace zend_bool uses with bool 2021-01-15 12:33:06 +01:00
zend_stream.c Fix some MSAN complaints under Clang (#8553) 2022-05-13 23:30:20 +01:00
zend_stream.h Change Zend Stream API to use zend_string* instead of char*. 2021-03-16 20:31:36 +03:00
zend_string.c Disable inlining and inter-procedure-analyses for zend_string_equal_val() function that may be overriden for valgrind (#13099) 2024-01-09 20:05:51 +03:00
zend_string.h Merge branch 'PHP-8.1' into PHP-8.2 2023-03-19 10:50:39 +01:00
zend_strtod_int.h
zend_strtod.c Move php_gcvt to zend_gcvt 2021-08-02 14:51:46 +02:00
zend_strtod.h Move php_gcvt to zend_gcvt 2021-08-02 14:51:46 +02:00
zend_system_id.c Update http->https in license (#6945) 2021-05-06 12:16:35 +02:00
zend_system_id.h Update http->https in license (#6945) 2021-05-06 12:16:35 +02:00
zend_type_info.h Backport fix for HASH/PACKED array inference through MAY_BE_ARRAY_EMPTY flag (#12591) 2023-11-03 10:54:57 +03:00
zend_types.h Merge branch 'PHP-8.1' into PHP-8.2 2023-01-13 12:28:21 +01:00
zend_variables.c Fixed bug #81514 2021-10-08 10:31:24 +02:00
zend_variables.h Drop various unused macros/APIs 2020-08-26 12:59:43 +02:00
zend_virtual_cwd.c Fix GH-9227: Trailing dots and spaces in filenames are ignored 2022-08-19 14:23:57 +02:00
zend_virtual_cwd.h Update http->https in license (#6945) 2021-05-06 12:16:35 +02:00
zend_vm_def.h Fix leak of call->extra_named_params on internal __call 2023-12-01 16:49:16 +01:00
zend_vm_execute.h Fix leak of call->extra_named_params on internal __call 2023-12-01 16:49:16 +01:00
zend_vm_execute.skl Cleanup observer API and add JIT support 2020-09-18 12:55:58 +03:00
zend_vm_gen.php Collapse more generated files in PRs (#8754) 2022-06-12 10:56:35 +02:00
zend_vm_handlers.h Include internal functions in the observer API 2022-07-30 19:20:55 +02:00
zend_vm_opcodes.c Merge branch 'PHP-8.1' 2022-02-01 16:26:29 +03:00
zend_vm_opcodes.h Remove JMPZNZ opcode 2022-01-10 22:07:10 +01:00
zend_vm_trace_handlers.h Use more compact representation for packed arrays. 2021-11-03 15:18:26 +03:00
zend_vm_trace_lines.h A helper to trace executed source lines 2020-06-10 00:13:39 +03:00
zend_vm_trace_map.h Use more compact representation for packed arrays. 2021-11-03 15:18:26 +03:00
zend_vm.h Add function exposing HAVE_GCC_GLOBAL_REGS (#8359) 2022-06-08 12:32:30 +01:00
zend_weakrefs_arginfo.h Not serializable flag permeation 2021-07-20 12:28:35 +02:00
zend_weakrefs.c Revert "Store default object handlers alongside the class entry" 2022-09-14 11:18:14 +02:00
zend_weakrefs.h Improve performance of WeakReference/WeakMap. Avoid hash collisions on pointers. (#7690) 2021-11-27 19:52:30 -05:00
zend_weakrefs.stub.php Not serializable flag permeation 2021-07-20 12:28:35 +02:00
zend.c Workaround ZTS persistent resource crashes (PHP 8.3 and lower) 2024-02-20 21:24:43 +01:00
zend.h PHP-8.2 is now for PHP 8.2.18-dev 2024-02-27 17:26:44 +03:00
Zend.m4 Merge branch 'PHP-8.1' into PHP-8.2 2023-03-03 11:45:50 +01:00

Zend Engine

Zend memory manager

General

The goal of the new memory manager (available since PHP 5.2) is to reduce memory allocation overhead and speedup memory management.

Debugging

Normal:

sapi/cli/php -r 'leak();'

Zend MM disabled:

USE_ZEND_ALLOC=0 valgrind --leak-check=full sapi/cli/php -r 'leak();'

Shared extensions

Since PHP 5.3.11 it is possible to prevent shared extensions from unloading so that valgrind can correctly track the memory leaks in shared extensions. For this there is the ZEND_DONT_UNLOAD_MODULES environment variable. If set, then DL_UNLOAD() is skipped during the shutdown of shared extensions.

ZEND_VM

ZEND_VM architecture allows specializing opcode handlers according to op_type fields and using different execution methods (call threading, switch threading and direct threading). As a result ZE2 got more than 20% speedup on raw PHP code execution (with specialized executor and direct threading execution method). As in most PHP applications raw execution speed isn't the limiting factor but system calls and database calls are, your mileage with this patch will vary.

Most parts of the old zend_execute.c go into zend_vm_def.h. Here you can find opcode handlers and helpers. The typical opcode handler template looks like this:

ZEND_VM_HANDLER(<OPCODE-NUMBER>, <OPCODE>, <OP1_TYPES>, <OP2_TYPES>)
{
    <HANDLER'S CODE>
}

<OPCODE-NUMBER> is a opcode number (0, 1, ...) <OPCODE> is an opcode name (ZEN_NOP, ZEND_ADD, :) <OP1_TYPES> and <OP2_TYPES> are masks for allowed operand op_types. Specializer will generate code only for defined combination of types. You can use any combination of the following op_types UNUSED, CONST, VAR, TMP and CV also you can use ANY mask to disable specialization according operand's op_type. <HANDLER'S CODE> is a handler's code itself. For most handlers it stills the same as in old zend_execute.c, but now it uses macros to access opcode operands and some internal executor data.

You can see the conformity of new macros to old code in the following list:

EXECUTE_DATA
    execute_data
ZEND_VM_DISPATCH_TO_HANDLER(<OP>)
    return <OP>_helper(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU)
ZEND_VM_DISPATCH_TO_HELPER(<NAME>)
    return <NAME>(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU)
ZEND_VM_DISPATCH_TO_HELPER_EX(<NAME>,<PARAM>,<VAL>)
    return <NAME>(<VAL>, ZEND_OPCODE_HANDLER_ARGS_PASSTHRU)
ZEND_VM_CONTINUE()
    return 0
ZEND_VM_NEXT_OPCODE()
    NEXT_OPCODE()
ZEND_VM_SET_OPCODE(<TARGET>
    SET_OPCODE(<TARGET>
ZEND_VM_INC_OPCODE()
    INC_OPCOD()
ZEND_VM_RETURN_FROM_EXECUTE_LOOP()
    RETURN_FROM_EXECUTE_LOOP()
ZEND_VM_C_LABEL(<LABEL>):
    <LABEL>:
ZEND_VM_C_GOTO(<LABEL>)
    goto <LABEL>
OP<X>_TYPE
    opline->op<X>.op_type
GET_OP<X>_ZVAL_PTR(<TYPE>)
    get_zval_ptr(&opline->op<X>, EX(Ts), &free_op<X>, <TYPE>)
GET_OP<X>_ZVAL_PTR_PTR(<TYPE>)
    get_zval_ptr_ptr(&opline->op<X>, EX(Ts), &free_op<X>, <TYPE>)
GET_OP<X>_OBJ_ZVAL_PTR(<TYPE>)
    get_obj_zval_ptr(&opline->op<X>, EX(Ts), &free_op<X>, <TYPE>)
GET_OP<X>_OBJ_ZVAL_PTR_PTR(<TYPE>)
    get_obj_zval_ptr_ptr(&opline->op<X>, EX(Ts), &free_op<X>, <TYPE>)
IS_OP<X>_TMP_FREE()
    IS_TMP_FREE(free_op<X>)
FREE_OP<X>()
    FREE_OP(free_op<X>)
FREE_OP<X>_IF_VAR()
    FREE_VAR(free_op<X>)
FREE_OP<X>_VAR_PTR()
    FREE_VAR_PTR(free_op<X>)

Executor's helpers can be defined without parameters or with one parameter. This is done with the following constructs:

ZEND_VM_HELPER(<HELPER-NAME>, <OP1_TYPES>, <OP2_TYPES>)
{
    <HELPER'S CODE>
}

ZEND_VM_HELPER_EX(<HELPER-NAME>, <OP1_TYPES>, <OP2_TYPES>, <PARAM_SPEC>)
{
    <HELPER'S CODE>
}

The executors code is generated by the PHP script zend_vm_gen.php. It uses zend_vm_def.h and zend_vm_execute.skl as input and produces zend_vm_opcodes.h and zend_vm_execute.h. The first file is a list of opcode definitions. It is included from zend_compile.h. The second one is an executor code itself. It is included from zend_execute.c.

zend_vm_gen.php can produce different kind of executors. You can select a different opcode threading model using --with-vm-kind=CALL|SWITCH|GOTO|HYBRID. You can disable opcode specialization using --without-specializer. At last you can debug the executor using the original zend_vm_def.h or the generated zend_vm_execute.h file. Debugging with the original file requires the --with-lines option. By default, Zend Engine uses the following command to generate the executor:

# Default VM kind is HYBRID
php zend_vm_gen.php --with-vm-kind=HYBRID