From 02159c16b546e74f271db9ddf6f2b6811cde473c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A1t=C3=A9=20Kocsis?= Date: Thu, 15 Jan 2026 10:53:41 +0100 Subject: [PATCH 1/6] Do not measure instruction count by default on the scheduled runs It makes the benchmark faster to execute. And this metric is not that useful anyway. [skip-ci] --- .github/workflows/real-time-benchmark.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/real-time-benchmark.yml b/.github/workflows/real-time-benchmark.yml index 719d1795a00b..41301bdec01b 100644 --- a/.github/workflows/real-time-benchmark.yml +++ b/.github/workflows/real-time-benchmark.yml @@ -50,7 +50,7 @@ jobs: BASELINE_COMMIT: "d5f6e56610c729710073350af318c4ea1b292cfe" ID: "master" JIT: "1" - INSTRUCTION_COUNT: "1" + INSTRUCTION_COUNT: "0" RUN_MICRO_BENCH: "0" YEAR: "" steps: From d136b214d12fbe2b8d1c42294accc3b10fcfe047 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A1t=C3=A9=20Kocsis?= Date: Thu, 15 Jan 2026 10:53:53 +0100 Subject: [PATCH 2/6] Fix the real time benchmark artifact glob pattern [skip-ci] --- .github/workflows/real-time-benchmark.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/real-time-benchmark.yml b/.github/workflows/real-time-benchmark.yml index 41301bdec01b..54362f0157e0 100644 --- a/.github/workflows/real-time-benchmark.yml +++ b/.github/workflows/real-time-benchmark.yml @@ -269,8 +269,7 @@ jobs: with: name: results path: | - ./php-version-benchmarks/tmp/results/${{ env.YEAR }}/*/*.* - ./php-version-benchmarks/tmp/results/${{ env.YEAR }}/*/*/*.log + ./php-version-benchmarks/tmp/results/${{ env.YEAR }}/**/* retention-days: 30 - name: Comment results if: github.event_name == 'workflow_dispatch' From 27ed48c0be998e2d2e23a69a0d30fe61181aeea8 Mon Sep 17 00:00:00 2001 From: Bob Weinand Date: Thu, 15 Jan 2026 16:13:43 +0100 Subject: [PATCH 3/6] Split the live-ranges of loop variables again (#20865) * Fix use-after-free in FE_FREE with GC interaction When FE_FREE with ZEND_FREE_ON_RETURN frees the loop variable during an early return from a foreach loop, the live range for the loop variable was incorrectly extending past the FE_FREE to the normal loop end. This caused GC to access the already-freed loop variable when it ran after the RETURN opcode, resulting in use-after-free. Fix by splitting the ZEND_LIVE_LOOP range when an FE_FREE with ZEND_FREE_ON_RETURN is encountered: - One range covers the early return path up to the FE_FREE - A separate range covers the normal loop end FE_FREE - Multiple early returns create multiple separate ranges * Split the live-ranges of loop variables again b0af9ac7331e3efa0dcee4f43b2ba8b1e4e52f2f removed the live-range splitting of foreach variables, however it only added handling to ZEND_HANDLE_EXCEPTION. This was sort-of elegant, until it was realized in 8258b7731ba8cde929e1f3504577af0a4440cad4 that it would leak the return variable, requiring some more special handling. At some point we added live tmpvar rooting in 52cf7ab8a27ace6fbff60674d7aeecf4adec1bc8, but this did not take into account already freed loop variables, which also might happen during ZEND_RETURN, which cannot be trivially accounted for, without even more complicated handling in zend_gc_*_tmpvars() functions. This commit also proposes a simpler way of tracking the loop end in loopvar freeing ops: handle it directly during live range computation rather than during compilation, eliminating the need for opcache to handle it specifically. Further, opcache was using live_ranges in its basic block computation in the past, which it no longer does. Thus this complication is no longer necessary and this approach should be actually simpler now. Closes #20766. Signed-off-by: Bob Weinand --------- Signed-off-by: Bob Weinand Co-authored-by: Gustavo Lopes --- NEWS | 1 + Zend/Optimizer/zend_dump.c | 4 ++ Zend/tests/gc_050.phpt | 57 +++++++++++++++------------- Zend/tests/gc_051.phpt | 29 ++++++++++++++ Zend/tests/gc_052.phpt | 36 ++++++++++++++++++ Zend/tests/gc_053.phpt | 37 ++++++++++++++++++ Zend/zend_execute.c | 24 +++++------- Zend/zend_opcode.c | 29 ++++++++++++++ Zend/zend_vm_def.h | 25 +++--------- Zend/zend_vm_execute.h | 21 ++-------- Zend/zend_vm_gen.php | 3 +- Zend/zend_vm_opcodes.c | 4 +- Zend/zend_vm_opcodes.h | 1 + ext/opcache/tests/opt/gh11245_2.phpt | 4 +- 14 files changed, 193 insertions(+), 82 deletions(-) create mode 100644 Zend/tests/gc_051.phpt create mode 100644 Zend/tests/gc_052.phpt create mode 100644 Zend/tests/gc_053.phpt diff --git a/NEWS b/NEWS index 20d66b445e4d..0c4c5da48b43 100644 --- a/NEWS +++ b/NEWS @@ -9,6 +9,7 @@ PHP NEWS . Fix OSS-Fuzz #472563272 (Borked block_pass JMP[N]Z optimization). (ilutov) . Fixed bug GH-GH-20914 (Internal enums can be cloned and compared). (Arnaud) . Fix OSS-Fuzz #474613951 (Leaked parent property default value). (ilutov) + . Fixed bug GH-20766 (Use-after-free in FE_FREE with GC interaction). (Bob) - Date: . Update timelib to 2022.16. (Derick) diff --git a/Zend/Optimizer/zend_dump.c b/Zend/Optimizer/zend_dump.c index b788b652979d..5b61280d4805 100644 --- a/Zend/Optimizer/zend_dump.c +++ b/Zend/Optimizer/zend_dump.c @@ -122,6 +122,10 @@ static void zend_dump_unused_op(const zend_op *opline, znode_op op, uint32_t fla if (op.num != (uint32_t)-1) { fprintf(stderr, " try-catch(%u)", op.num); } + } else if (ZEND_VM_OP_LOOP_END == (flags & ZEND_VM_OP_MASK)) { + if (opline->extended_value & ZEND_FREE_ON_RETURN) { + fprintf(stderr, " loop-end(+%u)", op.num); + } } else if (ZEND_VM_OP_THIS == (flags & ZEND_VM_OP_MASK)) { fprintf(stderr, " THIS"); } else if (ZEND_VM_OP_NEXT == (flags & ZEND_VM_OP_MASK)) { diff --git a/Zend/tests/gc_050.phpt b/Zend/tests/gc_050.phpt index 858be7cbebd5..0bedc7220fd4 100644 --- a/Zend/tests/gc_050.phpt +++ b/Zend/tests/gc_050.phpt @@ -1,37 +1,40 @@ --TEST-- -GC 050: Destructor are never called twice +GC 050: Try/finally in foreach should create separate live ranges --FILE-- v = 1; + } + return new stdClass; } -class WithDestructor -{ - public function __destruct() - { - echo "d\n"; +for ($i = 0; $i < 100000; $i++) { + // Create cyclic garbage to trigger GC + $a = new stdClass; + $b = new stdClass; + $a->r = $b; + $b->r = $a; - G::$v = $this; - } + $r = f($i % 2 + 1); } - -$o = new WithDestructor(); -$weakO = \WeakReference::create($o); -echo "---\n"; -unset($o); -echo "---\n"; -var_dump($weakO->get() !== null); // verify if kept allocated -G::$v = null; -echo "---\n"; -var_dump($weakO->get() !== null); // verify if released +echo "OK\n"; ?> --EXPECT-- ---- -d ---- -bool(true) ---- -bool(false) +OK diff --git a/Zend/tests/gc_051.phpt b/Zend/tests/gc_051.phpt new file mode 100644 index 000000000000..575a25a108a1 --- /dev/null +++ b/Zend/tests/gc_051.phpt @@ -0,0 +1,29 @@ +--TEST-- +GC 048: FE_FREE should mark variable as UNDEF to prevent use-after-free during GC +--FILE-- +ref = $b; + $b->ref = $a; + + $result = test_foreach_early_return("x"); +} + +echo "OK\n"; +?> +--EXPECT-- +OK diff --git a/Zend/tests/gc_052.phpt b/Zend/tests/gc_052.phpt new file mode 100644 index 000000000000..dd15c56bcbf5 --- /dev/null +++ b/Zend/tests/gc_052.phpt @@ -0,0 +1,36 @@ +--TEST-- +GC 049: Multiple early returns from foreach should create separate live ranges +--FILE-- +r = $b; + $b->r = $a; + + $r = f($i % 3 + 1); +} +echo "OK\n"; +?> +--EXPECT-- +OK diff --git a/Zend/tests/gc_053.phpt b/Zend/tests/gc_053.phpt new file mode 100644 index 000000000000..858be7cbebd5 --- /dev/null +++ b/Zend/tests/gc_053.phpt @@ -0,0 +1,37 @@ +--TEST-- +GC 050: Destructor are never called twice +--FILE-- +get() !== null); // verify if kept allocated +G::$v = null; +echo "---\n"; +var_dump($weakO->get() !== null); // verify if released +?> +--EXPECT-- +--- +d +--- +bool(true) +--- +bool(false) diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c index c2d4e57c02db..ea5f55cf6ef7 100644 --- a/Zend/zend_execute.c +++ b/Zend/zend_execute.c @@ -4673,20 +4673,6 @@ static void cleanup_unfinished_calls(zend_execute_data *execute_data, uint32_t o } /* }}} */ -static const zend_live_range *find_live_range(const zend_op_array *op_array, uint32_t op_num, uint32_t var_num) /* {{{ */ -{ - int i; - for (i = 0; i < op_array->last_live_range; i++) { - const zend_live_range *range = &op_array->live_range[i]; - if (op_num >= range->start && op_num < range->end - && var_num == (range->var & ~ZEND_LIVE_MASK)) { - return range; - } - } - return NULL; -} -/* }}} */ - static void cleanup_live_vars(zend_execute_data *execute_data, uint32_t op_num, uint32_t catch_op_num) /* {{{ */ { int i; @@ -4702,6 +4688,16 @@ static void cleanup_live_vars(zend_execute_data *execute_data, uint32_t op_num, uint32_t var_num = range->var & ~ZEND_LIVE_MASK; zval *var = EX_VAR(var_num); + /* Handle the split range for loop vars */ + if (catch_op_num) { + zend_op *final_op = EX(func)->op_array.opcodes + range->end; + if (final_op->extended_value & ZEND_FREE_ON_RETURN && (final_op->opcode == ZEND_FE_FREE || final_op->opcode == ZEND_FREE)) { + if (catch_op_num < range->end + final_op->op2.num) { + continue; + } + } + } + if (kind == ZEND_LIVE_TMPVAR) { zval_ptr_dtor_nogc(var); } else if (kind == ZEND_LIVE_NEW) { diff --git a/Zend/zend_opcode.c b/Zend/zend_opcode.c index f32ae13e0679..7a364dfccbcd 100644 --- a/Zend/zend_opcode.c +++ b/Zend/zend_opcode.c @@ -981,6 +981,35 @@ static void zend_calc_live_ranges( /* OP_DATA is really part of the previous opcode. */ last_use[var_num] = opnum - (opline->opcode == ZEND_OP_DATA); } + } else if ((opline->opcode == ZEND_FREE || opline->opcode == ZEND_FE_FREE) && opline->extended_value & ZEND_FREE_ON_RETURN) { + int jump_offset = 1; + while (((opline + jump_offset)->opcode == ZEND_FREE || (opline + jump_offset)->opcode == ZEND_FE_FREE) + && (opline + jump_offset)->extended_value & ZEND_FREE_ON_RETURN) { + ++jump_offset; + } + // loop var frees directly precede the jump (or return) operand, except that ZEND_VERIFY_RETURN_TYPE may happen first. + if ((opline + jump_offset)->opcode == ZEND_VERIFY_RETURN_TYPE) { + ++jump_offset; + } + /* FREE with ZEND_FREE_ON_RETURN immediately followed by RETURN frees + * the loop variable on early return. We need to split the live range + * so GC doesn't access the freed variable after this FREE. */ + uint32_t opnum_last_use = last_use[var_num]; + zend_op *opline_last_use = op_array->opcodes + opnum_last_use; + ZEND_ASSERT(opline_last_use->opcode == opline->opcode); // any ZEND_FREE_ON_RETURN must be followed by a FREE without + if (opnum + jump_offset + 1 != opnum_last_use) { + emit_live_range_raw(op_array, var_num, opline->opcode == ZEND_FE_FREE ? ZEND_LIVE_LOOP : ZEND_LIVE_TMPVAR, + opnum + jump_offset + 1, opnum_last_use); + } + + /* Update last_use so next range includes this FREE */ + last_use[var_num] = opnum; + + /* Store opline offset to loop end */ + opline->op2.opline_num = opnum_last_use - opnum; + if (opline_last_use->extended_value & ZEND_FREE_ON_RETURN) { + opline->op2.opline_num += opline_last_use->op2.opline_num; + } } } if (opline->op2_type & (IS_TMP_VAR|IS_VAR)) { diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h index 039d9679848e..1f06eab120d3 100644 --- a/Zend/zend_vm_def.h +++ b/Zend/zend_vm_def.h @@ -3193,7 +3193,7 @@ ZEND_VM_COLD_CONST_HANDLER(47, ZEND_JMPNZ_EX, CONST|TMPVAR|CV, JMP_ADDR) ZEND_VM_JMP(opline); } -ZEND_VM_HANDLER(70, ZEND_FREE, TMPVAR, ANY) +ZEND_VM_HANDLER(70, ZEND_FREE, TMPVAR, LOOP_END) { USE_OPLINE @@ -3202,7 +3202,7 @@ ZEND_VM_HANDLER(70, ZEND_FREE, TMPVAR, ANY) ZEND_VM_NEXT_OPCODE_CHECK_EXCEPTION(); } -ZEND_VM_HOT_HANDLER(127, ZEND_FE_FREE, TMPVAR, ANY) +ZEND_VM_HOT_HANDLER(127, ZEND_FE_FREE, TMPVAR, LOOP_END) { zval *var; USE_OPLINE @@ -8140,24 +8140,11 @@ ZEND_VM_HANDLER(149, ZEND_HANDLE_EXCEPTION, ANY, ANY) && throw_op->extended_value & ZEND_FREE_ON_RETURN) { /* exceptions thrown because of loop var destruction on return/break/... * are logically thrown at the end of the foreach loop, so adjust the - * throw_op_num. + * throw_op_num to the final loop variable FREE. */ - const zend_live_range *range = find_live_range( - &EX(func)->op_array, throw_op_num, throw_op->op1.var); - /* free op1 of the corresponding RETURN */ - for (i = throw_op_num; i < range->end; i++) { - if (EX(func)->op_array.opcodes[i].opcode == ZEND_FREE - || EX(func)->op_array.opcodes[i].opcode == ZEND_FE_FREE) { - /* pass */ - } else { - if (EX(func)->op_array.opcodes[i].opcode == ZEND_RETURN - && (EX(func)->op_array.opcodes[i].op1_type & (IS_VAR|IS_TMP_VAR))) { - zval_ptr_dtor(EX_VAR(EX(func)->op_array.opcodes[i].op1.var)); - } - break; - } - } - throw_op_num = range->end; + uint32_t new_throw_op_num = throw_op_num + throw_op->op2.opline_num; + cleanup_live_vars(execute_data, throw_op_num, new_throw_op_num); + throw_op_num = new_throw_op_num; } /* Find the innermost try/catch/finally the exception was thrown in */ diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h index d6ee850839ae..fdef3e3a1b74 100644 --- a/Zend/zend_vm_execute.h +++ b/Zend/zend_vm_execute.h @@ -3265,24 +3265,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_HANDLE_EXCEPTION_SPEC_HANDLER( && throw_op->extended_value & ZEND_FREE_ON_RETURN) { /* exceptions thrown because of loop var destruction on return/break/... * are logically thrown at the end of the foreach loop, so adjust the - * throw_op_num. + * throw_op_num to the final loop variable FREE. */ - const zend_live_range *range = find_live_range( - &EX(func)->op_array, throw_op_num, throw_op->op1.var); - /* free op1 of the corresponding RETURN */ - for (i = throw_op_num; i < range->end; i++) { - if (EX(func)->op_array.opcodes[i].opcode == ZEND_FREE - || EX(func)->op_array.opcodes[i].opcode == ZEND_FE_FREE) { - /* pass */ - } else { - if (EX(func)->op_array.opcodes[i].opcode == ZEND_RETURN - && (EX(func)->op_array.opcodes[i].op1_type & (IS_VAR|IS_TMP_VAR))) { - zval_ptr_dtor(EX_VAR(EX(func)->op_array.opcodes[i].op1.var)); - } - break; - } - } - throw_op_num = range->end; + uint32_t new_throw_op_num = throw_op_num + throw_op->op2.opline_num; + cleanup_live_vars(execute_data, throw_op_num, new_throw_op_num); + throw_op_num = new_throw_op_num; } /* Find the innermost try/catch/finally the exception was thrown in */ diff --git a/Zend/zend_vm_gen.php b/Zend/zend_vm_gen.php index 8c178aba04ce..5f1a44efae3a 100755 --- a/Zend/zend_vm_gen.php +++ b/Zend/zend_vm_gen.php @@ -63,7 +63,7 @@ "ZEND_VM_OP_NUM" => 0x10, "ZEND_VM_OP_JMP_ADDR" => 0x20, "ZEND_VM_OP_TRY_CATCH" => 0x30, - // unused 0x40 + "ZEND_VM_OP_LOOP_END" => 0x40, "ZEND_VM_OP_THIS" => 0x50, "ZEND_VM_OP_NEXT" => 0x60, "ZEND_VM_OP_CLASS_FETCH" => 0x70, @@ -111,6 +111,7 @@ "NUM" => ZEND_VM_OP_NUM, "JMP_ADDR" => ZEND_VM_OP_JMP_ADDR, "TRY_CATCH" => ZEND_VM_OP_TRY_CATCH, + "LOOP_END" => ZEND_VM_OP_LOOP_END, "THIS" => ZEND_VM_OP_THIS, "NEXT" => ZEND_VM_OP_NEXT, "CLASS_FETCH" => ZEND_VM_OP_CLASS_FETCH, diff --git a/Zend/zend_vm_opcodes.c b/Zend/zend_vm_opcodes.c index 202dfd3f734f..2d57da5d06f1 100644 --- a/Zend/zend_vm_opcodes.c +++ b/Zend/zend_vm_opcodes.c @@ -306,7 +306,7 @@ static uint32_t zend_vm_opcodes_flags[210] = { 0x00001301, 0x0100a173, 0x01040300, - 0x00000005, + 0x00004005, 0x00186703, 0x00106703, 0x08000007, @@ -363,7 +363,7 @@ static uint32_t zend_vm_opcodes_flags[210] = { 0x0000a103, 0x00002003, 0x03000001, - 0x00000005, + 0x00004005, 0x01000700, 0x00000000, 0x00000000, diff --git a/Zend/zend_vm_opcodes.h b/Zend/zend_vm_opcodes.h index d472b5b9660f..9e56910c1445 100644 --- a/Zend/zend_vm_opcodes.h +++ b/Zend/zend_vm_opcodes.h @@ -48,6 +48,7 @@ #define ZEND_VM_OP_NUM 0x00000010 #define ZEND_VM_OP_JMP_ADDR 0x00000020 #define ZEND_VM_OP_TRY_CATCH 0x00000030 +#define ZEND_VM_OP_LOOP_END 0x00000040 #define ZEND_VM_OP_THIS 0x00000050 #define ZEND_VM_OP_NEXT 0x00000060 #define ZEND_VM_OP_CLASS_FETCH 0x00000070 diff --git a/ext/opcache/tests/opt/gh11245_2.phpt b/ext/opcache/tests/opt/gh11245_2.phpt index f42da12c5274..cd5b0bd363b6 100644 --- a/ext/opcache/tests/opt/gh11245_2.phpt +++ b/ext/opcache/tests/opt/gh11245_2.phpt @@ -28,9 +28,9 @@ $_main: 0000 T1 = PRE_INC_STATIC_PROP string("prop") string("X") 0001 T2 = ISSET_ISEMPTY_CV (empty) CV0($xx) 0002 JMPZ T2 0005 -0003 FREE T1 +0003 FREE T1 loop-end(+2) 0004 RETURN null 0005 FREE T1 0006 RETURN int(1) LIVE RANGES: - 1: 0001 - 0005 (tmp/var) + 1: 0001 - 0003 (tmp/var) From 82e2055300b400c7e1bafed5f20f6e45ec439a2f Mon Sep 17 00:00:00 2001 From: Bob Weinand Date: Thu, 15 Jan 2026 17:45:26 +0100 Subject: [PATCH 4/6] Regenerate VM after merge Signed-off-by: Bob Weinand --- Zend/zend_vm_execute.h | 21 ++++----------------- 1 file changed, 4 insertions(+), 17 deletions(-) diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h index 0ec56ca6f930..2545ea7f8721 100644 --- a/Zend/zend_vm_execute.h +++ b/Zend/zend_vm_execute.h @@ -59033,24 +59033,11 @@ static ZEND_OPCODE_HANDLER_RET ZEND_OPCODE_HANDLER_CCONV ZEND_HANDLE_EXCEPTION_S && throw_op->extended_value & ZEND_FREE_ON_RETURN) { /* exceptions thrown because of loop var destruction on return/break/... * are logically thrown at the end of the foreach loop, so adjust the - * throw_op_num. + * throw_op_num to the final loop variable FREE. */ - const zend_live_range *range = find_live_range( - &EX(func)->op_array, throw_op_num, throw_op->op1.var); - /* free op1 of the corresponding RETURN */ - for (i = throw_op_num; i < range->end; i++) { - if (EX(func)->op_array.opcodes[i].opcode == ZEND_FREE - || EX(func)->op_array.opcodes[i].opcode == ZEND_FE_FREE) { - /* pass */ - } else { - if (EX(func)->op_array.opcodes[i].opcode == ZEND_RETURN - && (EX(func)->op_array.opcodes[i].op1_type & (IS_VAR|IS_TMP_VAR))) { - zval_ptr_dtor(EX_VAR(EX(func)->op_array.opcodes[i].op1.var)); - } - break; - } - } - throw_op_num = range->end; + uint32_t new_throw_op_num = throw_op_num + throw_op->op2.opline_num; + cleanup_live_vars(execute_data, throw_op_num, new_throw_op_num); + throw_op_num = new_throw_op_num; } /* Find the innermost try/catch/finally the exception was thrown in */ From 0ab1f9f223dda2896c372441f607e89bf3c28349 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= Date: Thu, 15 Jan 2026 19:59:31 +0100 Subject: [PATCH 5/6] zend_execute: Remove unused `scope` parameter from `zend_check_type()` (#20937) --- Zend/zend_execute.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c index 4e4464072681..570aac4a8dbf 100644 --- a/Zend/zend_execute.c +++ b/Zend/zend_execute.c @@ -1213,8 +1213,7 @@ static zend_always_inline bool zend_check_type_slow( } static zend_always_inline bool zend_check_type( - const zend_type *type, zval *arg, zend_class_entry *scope, - bool is_return_type, bool is_internal) + const zend_type *type, zval *arg, bool is_return_type, bool is_internal) { const zend_reference *ref = NULL; ZEND_ASSERT(ZEND_TYPE_IS_SET(*type)); @@ -1246,7 +1245,7 @@ static zend_always_inline bool zend_verify_recv_arg_type(const zend_function *zf cur_arg_info = &zf->common.arg_info[arg_num-1]; if (ZEND_TYPE_IS_SET(cur_arg_info->type) - && UNEXPECTED(!zend_check_type(&cur_arg_info->type, arg, zf->common.scope, false, false))) { + && UNEXPECTED(!zend_check_type(&cur_arg_info->type, arg, false, false))) { zend_verify_arg_error(zf, cur_arg_info, arg_num, arg); return 0; } @@ -1258,7 +1257,7 @@ static zend_always_inline bool zend_verify_variadic_arg_type( const zend_function *zf, const zend_arg_info *arg_info, uint32_t arg_num, zval *arg) { ZEND_ASSERT(ZEND_TYPE_IS_SET(arg_info->type)); - if (UNEXPECTED(!zend_check_type(&arg_info->type, arg, zf->common.scope, false, false))) { + if (UNEXPECTED(!zend_check_type(&arg_info->type, arg, false, false))) { zend_verify_arg_error(zf, arg_info, arg_num, arg); return 0; } @@ -1283,7 +1282,7 @@ static zend_never_inline ZEND_ATTRIBUTE_UNUSED bool zend_verify_internal_arg_typ } if (ZEND_TYPE_IS_SET(cur_arg_info->type) - && UNEXPECTED(!zend_check_type(&cur_arg_info->type, arg, fbc->common.scope, false, /* is_internal */ true))) { + && UNEXPECTED(!zend_check_type(&cur_arg_info->type, arg, false, /* is_internal */ true))) { return 0; } arg++; @@ -1489,7 +1488,7 @@ ZEND_API bool zend_verify_internal_return_type(const zend_function *zf, zval *re return 1; } - if (UNEXPECTED(!zend_check_type(&ret_info->type, ret, NULL, true, /* is_internal */ true))) { + if (UNEXPECTED(!zend_check_type(&ret_info->type, ret, true, /* is_internal */ true))) { zend_verify_internal_return_error(zf, ret); return 0; } From 9b719cd4a3501ed76e2eaf88f4506c7fe73ee546 Mon Sep 17 00:00:00 2001 From: David CARLIER Date: Thu, 15 Jan 2026 19:24:56 +0000 Subject: [PATCH 6/6] ext/sockets: socket_addrinfo_lookup() allows AF_UNSPEC for ai_family. (#20658) while still filtering out IPC like addresses and so on. close GH-20658 --- NEWS | 4 +++- UPGRADING | 1 + ext/sockets/sockets.c | 25 +++++++++++++++---------- ext/sockets/sockets.stub.php | 7 +++++++ ext/sockets/sockets_arginfo.h | 5 ++++- 5 files changed, 30 insertions(+), 12 deletions(-) diff --git a/NEWS b/NEWS index 9c1fc8c14b02..062265576af7 100644 --- a/NEWS +++ b/NEWS @@ -80,7 +80,9 @@ PHP NEWS - Sockets: . Added the TCP_USER_TIMEOUT constant for Linux to set the maximum time in milliseconds - transmitted data can remain unacknowledged. (James Lucas) + transmitted data can remain unacknowledged. (James Lucas) + . Added AF_UNSPEC support for sock_addrinfo_lookup() as a sole umbrella for + AF_INET* family only. (David Carlier) - SPL: . DirectoryIterator key can now work better with filesystem supporting larger diff --git a/UPGRADING b/UPGRADING index a160f0c901a4..0b651e5895cc 100644 --- a/UPGRADING +++ b/UPGRADING @@ -111,6 +111,7 @@ PHP 8.6 UPGRADE NOTES - Sockets: . TCP_USER_TIMEOUT (Linux only). + . AF_UNSPEC. ======================================== 11. Changes to INI File Handling diff --git a/ext/sockets/sockets.c b/ext/sockets/sockets.c index b76818830fc0..54f862d55366 100644 --- a/ext/sockets/sockets.c +++ b/ext/sockets/sockets.c @@ -2749,8 +2749,7 @@ PHP_FUNCTION(socket_export_stream) /* {{{ Gets array with contents of getaddrinfo about the given hostname. */ PHP_FUNCTION(socket_addrinfo_lookup) { - char *service = NULL; - size_t service_len = 0; + zend_string *service = NULL; zend_string *hostname, *key; zval *hint, *zhints = NULL; @@ -2760,7 +2759,7 @@ PHP_FUNCTION(socket_addrinfo_lookup) ZEND_PARSE_PARAMETERS_START(1, 3) Z_PARAM_STR(hostname) Z_PARAM_OPTIONAL - Z_PARAM_STRING_OR_NULL(service, service_len) + Z_PARAM_STR_OR_NULL(service) Z_PARAM_ARRAY(zhints) ZEND_PARSE_PARAMETERS_END(); @@ -2824,14 +2823,16 @@ PHP_FUNCTION(socket_addrinfo_lookup) // Some platforms support also PF_LOCAL/AF_UNIX (e.g. FreeBSD) but the security concerns implied // make it not worth handling it (e.g. unwarranted write permissions on the socket). // Note existing socket_addrinfo* api already forbid such case. + if (val != AF_UNSPEC) { #ifdef HAVE_IPV6 - if (val != AF_INET && val != AF_INET6) { - zend_argument_value_error(3, "\"ai_family\" key must be AF_INET or AF_INET6"); + if (val != AF_INET && val != AF_INET6) { + zend_argument_value_error(3, "\"ai_family\" key must be AF_INET or AF_INET6"); #else - if (val != AF_INET) { - zend_argument_value_error(3, "\"ai_family\" key must be AF_INET"); + if (val != AF_INET) { + zend_argument_value_error(3, "\"ai_family\" key must be AF_INET"); #endif - RETURN_THROWS(); + RETURN_THROWS(); + } } hints.ai_family = (int)val; } else { @@ -2847,7 +2848,7 @@ PHP_FUNCTION(socket_addrinfo_lookup) } ZEND_HASH_FOREACH_END(); } - if (getaddrinfo(ZSTR_VAL(hostname), service, &hints, &result) != 0) { + if (getaddrinfo(ZSTR_VAL(hostname), service ? ZSTR_VAL(service) : NULL, &hints, &result) != 0) { RETURN_FALSE; } @@ -2855,7 +2856,11 @@ PHP_FUNCTION(socket_addrinfo_lookup) zend_hash_real_init_packed(Z_ARRVAL_P(return_value)); for (rp = result; rp != NULL; rp = rp->ai_next) { - if (rp->ai_family != AF_UNSPEC) { + if (rp->ai_family == AF_INET +#ifdef HAVE_IPV6 + || rp->ai_family == AF_INET6 +#endif + ) { zval zaddr; object_init_ex(&zaddr, address_info_ce); diff --git a/ext/sockets/sockets.stub.php b/ext/sockets/sockets.stub.php index 04fb702807e0..0f645da25ce5 100644 --- a/ext/sockets/sockets.stub.php +++ b/ext/sockets/sockets.stub.php @@ -19,6 +19,13 @@ */ const AF_INET6 = UNKNOWN; #endif +#ifdef AF_UNSPEC +/** + * @var int + * @cvalue AF_UNSPEC + */ +const AF_UNSPEC = UNKNOWN; +#endif #ifdef AF_DIVERT /** * @var int diff --git a/ext/sockets/sockets_arginfo.h b/ext/sockets/sockets_arginfo.h index 0145d0125288..50a81c5ee3a7 100644 --- a/ext/sockets/sockets_arginfo.h +++ b/ext/sockets/sockets_arginfo.h @@ -1,5 +1,5 @@ /* This is a generated file, edit the .stub.php file instead. - * Stub hash: 038081ca7bb98076d4b559d93b4c9300acc47160 */ + * Stub hash: a89c4e54ab913728e10baf8f32b45323495d685b */ ZEND_BEGIN_ARG_WITH_RETURN_TYPE_MASK_EX(arginfo_socket_select, 0, 4, MAY_BE_LONG|MAY_BE_FALSE) ZEND_ARG_TYPE_INFO(1, read, IS_ARRAY, 1) @@ -317,6 +317,9 @@ static void register_sockets_symbols(int module_number) #if defined(HAVE_IPV6) REGISTER_LONG_CONSTANT("AF_INET6", AF_INET6, CONST_PERSISTENT); #endif +#if defined(AF_UNSPEC) + REGISTER_LONG_CONSTANT("AF_UNSPEC", AF_UNSPEC, CONST_PERSISTENT); +#endif #if defined(AF_DIVERT) REGISTER_LONG_CONSTANT("AF_DIVERT", AF_DIVERT, CONST_PERSISTENT); #endif