From 359ad80c4a9f469956e303138c26ac46bb54a25f Mon Sep 17 00:00:00 2001 From: Arnaud Le Blanc Date: Fri, 26 Sep 2025 10:24:45 +0200 Subject: [PATCH 01/12] Fix race condition in zend_runtime_jit(), zend_jit_hot_func() zend_runtime_jit() prevents concurrent compilation with zend_shared_alloc_lock(), but this doesn't prevent blocked threads from trying to compile the function again after they acquire the lock. In the case of GH-19889, one of the function entries is compiled with zend_jit_handler(), which fails when the op handler has already been replaced by a JIT'ed handler. Fix by marking compiled functions with a new flag ZEND_FUNC_JITED, and skipping compilation of marked functions. The same fix is applied to zend_jit_hot_func(). Fixes GH-19889 Closes GH-19971 --- NEWS | 2 ++ Zend/Optimizer/zend_func_info.h | 2 +- ext/opcache/jit/zend_jit.c | 12 ++++++++---- 3 files changed, 11 insertions(+), 5 deletions(-) diff --git a/NEWS b/NEWS index 1d8270a3b875..9eadaaf7f3d9 100644 --- a/NEWS +++ b/NEWS @@ -44,6 +44,8 @@ PHP NEWS . Fixed bug GH-19669 (assertion failure in zend_jit_trace_type_to_info_ex). (Arnaud) . Fixed bug GH-19831 (function JIT may not deref property value). (Arnaud) + . Fixed bug GH-19889 (race condition in zend_runtime_jit(), + zend_jit_hot_func()). (Arnaud) - Phar: . Fix memory leak and invalid continuation after tar header writing fails. diff --git a/Zend/Optimizer/zend_func_info.h b/Zend/Optimizer/zend_func_info.h index b53683bdf5e7..db00d843ee10 100644 --- a/Zend/Optimizer/zend_func_info.h +++ b/Zend/Optimizer/zend_func_info.h @@ -39,7 +39,7 @@ #define ZEND_FUNC_JIT_ON_PROF_REQUEST (1<<14) /* used by JIT */ #define ZEND_FUNC_JIT_ON_HOT_COUNTERS (1<<15) /* used by JIT */ #define ZEND_FUNC_JIT_ON_HOT_TRACE (1<<16) /* used by JIT */ - +#define ZEND_FUNC_JITED (1<<17) /* used by JIT */ typedef struct _zend_func_info zend_func_info; typedef struct _zend_call_info zend_call_info; diff --git a/ext/opcache/jit/zend_jit.c b/ext/opcache/jit/zend_jit.c index b0423dc06bd1..19e5520b1569 100644 --- a/ext/opcache/jit/zend_jit.c +++ b/ext/opcache/jit/zend_jit.c @@ -2945,8 +2945,9 @@ static int ZEND_FASTCALL zend_runtime_jit(void) bool do_bailout = 0; zend_shared_alloc_lock(); + jit_extension = (zend_jit_op_array_extension*)ZEND_FUNC_INFO(op_array); - if (ZEND_FUNC_INFO(op_array)) { + if (jit_extension && !(jit_extension->func_info.flags & ZEND_FUNC_JITED)) { SHM_UNPROTECT(); zend_jit_unprotect(); @@ -2958,11 +2959,12 @@ static int ZEND_FASTCALL zend_runtime_jit(void) opline++; } } - jit_extension = (zend_jit_op_array_extension*)ZEND_FUNC_INFO(op_array); - opline->handler = jit_extension->orig_handler; + ((zend_op*)opline)->handler = jit_extension->orig_handler; /* perform real JIT for this function */ zend_real_jit_func(op_array, NULL, NULL, ZEND_JIT_ON_FIRST_EXEC); + + jit_extension->func_info.flags |= ZEND_FUNC_JITED; } zend_catch { do_bailout = true; } zend_end_try(); @@ -3024,7 +3026,7 @@ void ZEND_FASTCALL zend_jit_hot_func(zend_execute_data *execute_data, const zend zend_shared_alloc_lock(); jit_extension = (zend_jit_op_array_hot_extension*)ZEND_FUNC_INFO(op_array); - if (jit_extension) { + if (jit_extension && !(jit_extension->func_info.flags & ZEND_FUNC_JITED)) { SHM_UNPROTECT(); zend_jit_unprotect(); @@ -3039,6 +3041,8 @@ void ZEND_FASTCALL zend_jit_hot_func(zend_execute_data *execute_data, const zend /* perform real JIT for this function */ zend_real_jit_func(op_array, NULL, opline, ZEND_JIT_ON_HOT_COUNTERS); + + jit_extension->func_info.flags |= ZEND_FUNC_JITED; } zend_catch { do_bailout = 1; } zend_end_try(); From 66708de8417d743aba4f542ee6476b646cdb918b Mon Sep 17 00:00:00 2001 From: Arnaud Le Blanc Date: Thu, 2 Oct 2025 15:53:53 +0200 Subject: [PATCH 02/12] Upgrade Alpine in nightly job Closes GH-20044 --- .github/workflows/nightly.yml | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index a8c8c80d7d50..e0322e3b1be2 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -93,9 +93,9 @@ jobs: ALPINE: if: inputs.run_alpine name: ALPINE_X64_ASAN_UBSAN_DEBUG_ZTS - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 container: - image: 'alpine:3.20.1' + image: 'alpine:3.22' steps: - name: git checkout uses: actions/checkout@v5 @@ -103,11 +103,6 @@ jobs: ref: ${{ inputs.branch }} - name: apk uses: ./.github/actions/apk - - name: LLVM 17 (ASAN-only) - # libclang_rt.asan-x86_64.a is provided by compiler-rt, and only for clang17: - # https://pkgs.alpinelinux.org/contents?file=libclang_rt.asan-x86_64.a&path=&name=&branch=v3.20 - run: | - apk add clang17 compiler-rt - name: System info run: | echo "::group::Show host CPU info" @@ -122,8 +117,8 @@ jobs: configurationParameters: >- CFLAGS="-fsanitize=undefined,address -fno-sanitize=function -DZEND_TRACK_ARENA_ALLOC" LDFLAGS="-fsanitize=undefined,address -fno-sanitize=function" - CC=clang-17 - CXX=clang++-17 + CC=clang-20 + CXX=clang++-20 --enable-debug --enable-zts skipSlow: true # FIXME: This should likely include slow extensions From 93104e5c5980842f5cf9e9e7e267125ddc584f89 Mon Sep 17 00:00:00 2001 From: Arnaud Le Blanc Date: Tue, 7 Oct 2025 11:05:11 +0200 Subject: [PATCH 03/12] Upgrade Alpine in push job Closes GH-20090 --- .github/workflows/push.yml | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml index 265f78abe076..ac1ac8be7b06 100644 --- a/.github/workflows/push.yml +++ b/.github/workflows/push.yml @@ -43,19 +43,14 @@ jobs: ALPINE: if: github.repository == 'php/php-src' || github.event_name == 'pull_request' name: ALPINE_X64_ASAN_UBSAN_DEBUG_ZTS - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 container: - image: 'alpine:3.20.1' + image: 'alpine:3.22' steps: - name: git checkout uses: actions/checkout@v5 - name: apk uses: ./.github/actions/apk - - name: LLVM 17 (ASAN-only) - # libclang_rt.asan-x86_64.a is provided by compiler-rt, and only for clang17: - # https://pkgs.alpinelinux.org/contents?file=libclang_rt.asan-x86_64.a&path=&name=&branch=v3.20 - run: | - apk add clang17 compiler-rt - name: System info run: | echo "::group::Show host CPU info" @@ -70,8 +65,8 @@ jobs: configurationParameters: >- CFLAGS="-fsanitize=undefined,address -fno-sanitize=function -DZEND_TRACK_ARENA_ALLOC" LDFLAGS="-fsanitize=undefined,address -fno-sanitize=function" - CC=clang-17 - CXX=clang++-17 + CC=clang-20 + CXX=clang++-20 --enable-debug --enable-zts skipSlow: true # FIXME: This should likely include slow extensions From 1c8363d2bfe214c142b3e17bf7303b6c338ac41a Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Sat, 13 Sep 2025 00:15:01 +0200 Subject: [PATCH 04/12] Fix curl build failure on macOS+curl 8.16 --- ext/curl/interface.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/ext/curl/interface.c b/ext/curl/interface.c index 807b27cb78c9..4df24cff1b5b 100644 --- a/ext/curl/interface.c +++ b/ext/curl/interface.c @@ -1453,11 +1453,11 @@ static int curl_fnmatch(void *ctx, const char *pattern, const char *string) /* }}} */ /* {{{ curl_progress */ -static size_t curl_progress(void *clientp, double dltotal, double dlnow, double ultotal, double ulnow) +static int curl_progress(void *clientp, double dltotal, double dlnow, double ultotal, double ulnow) { php_curl *ch = (php_curl *)clientp; php_curl_callback *t = ch->handlers.progress; - size_t rval = 0; + int rval = 0; #if PHP_CURL_DEBUG fprintf(stderr, "curl_progress() called\n"); @@ -1818,8 +1818,8 @@ static void _php_curl_set_default_options(php_curl *ch) { char *cainfo; - curl_easy_setopt(ch->cp, CURLOPT_NOPROGRESS, 1); - curl_easy_setopt(ch->cp, CURLOPT_VERBOSE, 0); + curl_easy_setopt(ch->cp, CURLOPT_NOPROGRESS, 1L); + curl_easy_setopt(ch->cp, CURLOPT_VERBOSE, 0L); curl_easy_setopt(ch->cp, CURLOPT_ERRORBUFFER, ch->err.str); curl_easy_setopt(ch->cp, CURLOPT_WRITEFUNCTION, curl_write); curl_easy_setopt(ch->cp, CURLOPT_FILE, (void *) ch); @@ -1828,10 +1828,10 @@ static void _php_curl_set_default_options(php_curl *ch) curl_easy_setopt(ch->cp, CURLOPT_HEADERFUNCTION, curl_write_header); curl_easy_setopt(ch->cp, CURLOPT_WRITEHEADER, (void *) ch); #ifndef ZTS - curl_easy_setopt(ch->cp, CURLOPT_DNS_USE_GLOBAL_CACHE, 1); + curl_easy_setopt(ch->cp, CURLOPT_DNS_USE_GLOBAL_CACHE, 1L); #endif - curl_easy_setopt(ch->cp, CURLOPT_DNS_CACHE_TIMEOUT, 120); - curl_easy_setopt(ch->cp, CURLOPT_MAXREDIRS, 20); /* prevent infinite redirects */ + curl_easy_setopt(ch->cp, CURLOPT_DNS_CACHE_TIMEOUT, 120L); + curl_easy_setopt(ch->cp, CURLOPT_MAXREDIRS, 20L); /* prevent infinite redirects */ cainfo = INI_STR("openssl.cafile"); if (!(cainfo && cainfo[0] != '\0')) { @@ -2807,7 +2807,7 @@ static int _php_curl_setopt(php_curl *ch, zend_long option, zval *zvalue, bool i /* no need to build the mime structure for empty hashtables; also works around https://github.com/curl/curl/issues/6455 */ curl_easy_setopt(ch->cp, CURLOPT_POSTFIELDS, ""); - error = curl_easy_setopt(ch->cp, CURLOPT_POSTFIELDSIZE, 0); + error = curl_easy_setopt(ch->cp, CURLOPT_POSTFIELDSIZE, 0L); } else { return build_mime_structure_from_hash(ch, zvalue); } @@ -2871,7 +2871,7 @@ static int _php_curl_setopt(php_curl *ch, zend_long option, zval *zvalue, bool i case CURLOPT_POSTREDIR: lval = zval_get_long(zvalue); - error = curl_easy_setopt(ch->cp, CURLOPT_POSTREDIR, lval & CURL_REDIR_POST_ALL); + error = curl_easy_setopt(ch->cp, CURLOPT_POSTREDIR, (long) (lval & CURL_REDIR_POST_ALL)); break; /* the following options deal with files, therefore the open_basedir check @@ -2906,11 +2906,11 @@ static int _php_curl_setopt(php_curl *ch, zend_long option, zval *zvalue, bool i if (zend_is_true(zvalue)) { curl_easy_setopt(ch->cp, CURLOPT_DEBUGFUNCTION, curl_debug); curl_easy_setopt(ch->cp, CURLOPT_DEBUGDATA, (void *)ch); - curl_easy_setopt(ch->cp, CURLOPT_VERBOSE, 1); + curl_easy_setopt(ch->cp, CURLOPT_VERBOSE, 1L); } else { curl_easy_setopt(ch->cp, CURLOPT_DEBUGFUNCTION, NULL); curl_easy_setopt(ch->cp, CURLOPT_DEBUGDATA, NULL); - curl_easy_setopt(ch->cp, CURLOPT_VERBOSE, 0); + curl_easy_setopt(ch->cp, CURLOPT_VERBOSE, 0L); } break; From da75e41a6f7e1d64904e45612eaafe4a636fe502 Mon Sep 17 00:00:00 2001 From: Ilija Tovilo Date: Mon, 22 Sep 2025 10:55:59 +0200 Subject: [PATCH 05/12] Fix curl 8.16.0 compilation with zts --- ext/curl/interface.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/curl/interface.c b/ext/curl/interface.c index 4df24cff1b5b..f8f0d1cec358 100644 --- a/ext/curl/interface.c +++ b/ext/curl/interface.c @@ -1842,7 +1842,7 @@ static void _php_curl_set_default_options(php_curl *ch) } #ifdef ZTS - curl_easy_setopt(ch->cp, CURLOPT_NOSIGNAL, 1); + curl_easy_setopt(ch->cp, CURLOPT_NOSIGNAL, 1L); #endif } /* }}} */ From b810a235870f7fbb377fa50470970eaf16d796ce Mon Sep 17 00:00:00 2001 From: Ilija Tovilo Date: Tue, 23 Sep 2025 14:14:09 +0200 Subject: [PATCH 06/12] Fix more curl 8.16 issues The CURLOPT_FOLLOWLOCATION seems like a gcc bug, where the integer extension of bool to long is lost, but I was unable to reproduce on godbolt.org. --- ext/curl/interface.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ext/curl/interface.c b/ext/curl/interface.c index f8f0d1cec358..c56a1b01f2fa 100644 --- a/ext/curl/interface.c +++ b/ext/curl/interface.c @@ -2289,7 +2289,7 @@ static int _php_curl_setopt(php_curl *ch, zend_long option, zval *zvalue, bool i lval = zval_get_long(zvalue); if (lval == 1) { php_error_docref(NULL, E_NOTICE, "CURLOPT_SSL_VERIFYHOST no longer accepts the value 1, value 2 will be used instead"); - error = curl_easy_setopt(ch->cp, option, 2); + error = curl_easy_setopt(ch->cp, option, 2L); break; } ZEND_FALLTHROUGH; @@ -2789,7 +2789,7 @@ static int _php_curl_setopt(php_curl *ch, zend_long option, zval *zvalue, bool i case CURLOPT_FOLLOWLOCATION: lval = zend_is_true(zvalue); - error = curl_easy_setopt(ch->cp, option, lval); + error = curl_easy_setopt(ch->cp, option, (long) lval); break; case CURLOPT_HEADERFUNCTION: From 36859ad97753f6d2e550d57823111d91f0ad0ce9 Mon Sep 17 00:00:00 2001 From: Jakub Zelenka Date: Tue, 7 Oct 2025 12:33:26 +0200 Subject: [PATCH 07/12] Fix curl_setopt_ssl test for curl 8.16 --- ext/curl/tests/curl_setopt_ssl.phpt | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/ext/curl/tests/curl_setopt_ssl.phpt b/ext/curl/tests/curl_setopt_ssl.phpt index 11d8fff702a8..ff08528321a0 100644 --- a/ext/curl/tests/curl_setopt_ssl.phpt +++ b/ext/curl/tests/curl_setopt_ssl.phpt @@ -18,9 +18,13 @@ if ($curl_version['version_number'] < 0x074700) { --FILE-- Date: Tue, 7 Oct 2025 14:25:08 +0200 Subject: [PATCH 08/12] Update NEWS with info about curl 8.16 compat fixes --- NEWS | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/NEWS b/NEWS index a05b577d101b..998b5d97d635 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,10 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? ????, PHP 8.1.34 +- Curl: + . Fix curl build and test failures with version 8.16. + (nielsdos, ilutov, Jakub Zelenka) + - Opcache: . Reset global pointers to prevent use-after-free in zend_jit_status(). (Florian Engelhardt) From 78a24ffc032804755e31bb308c0e754cbc049051 Mon Sep 17 00:00:00 2001 From: Jakub Zelenka Date: Tue, 7 Oct 2025 14:39:53 +0200 Subject: [PATCH 09/12] Update NEWS entry for curl 8.16 update --- NEWS | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/NEWS b/NEWS index cd793b71c9cb..884ccd0855d7 100644 --- a/NEWS +++ b/NEWS @@ -23,7 +23,8 @@ PHP NEWS - Curl: . Fix cloning of CURLOPT_POSTFIELDS when using the clone operator instead of the curl_copy_handle() function to clone a CurlHandle. (timwolla) - . Fix curl build failure on macOS+curl 8.16. (nielsdos) + . Fix curl build and test failures with version 8.16. + (nielsdos, ilutov, Jakub Zelenka) - Date: . Fixed GH-17159: "P" format for ::createFromFormat swallows string literals. @@ -208,10 +209,6 @@ PHP NEWS . Fixed bug GH-19397 (mb_list_encodings() can cause crashes on shutdown). (nielsdos) -- Curl: - . Fix curl build and test failures with version 8.16. - (nielsdos, ilutov, Jakub Zelenka) - - Opcache: . Reset global pointers to prevent use-after-free in zend_jit_status(). (Florian Engelhardt) From d2569c9727c13b9f1a8ddbc6eab6c9e298286ae9 Mon Sep 17 00:00:00 2001 From: Volker Dusch Date: Tue, 7 Oct 2025 14:26:00 +0200 Subject: [PATCH 10/12] [ci skip] Update NEWS for PHP 8.5.0 RC2 --- NEWS | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 98b0f62f0da8..0992089ca91f 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,9 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| -?? ??? ????, PHP 8.5.0RC2 +?? ??? ????, PHP 8.5.0RC3 + + +09 Oct 2025, PHP 8.5.0RC2 - Core: . Fix OSS-Fuzz #447521098 (Fatal error during sccp shift eval). (ilutov) From 91eb2a558db5d70a49ea62cee761eda8d663125e Mon Sep 17 00:00:00 2001 From: Eric Mann Date: Tue, 7 Oct 2025 06:58:36 -0700 Subject: [PATCH 11/12] PHP-8.3 is now for PHP 8.3.28-dev --- NEWS | 5 ++++- Zend/zend.h | 2 +- configure.ac | 2 +- main/php_version.h | 6 +++--- 4 files changed, 9 insertions(+), 6 deletions(-) diff --git a/NEWS b/NEWS index 884ccd0855d7..026aac13e69f 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,9 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| -?? ??? ????, PHP 8.3.27 +?? ??? ????, PHP 8.3.28 + + +23 Oct 2025, PHP 8.3.27 - Core: . Fixed bug GH-19765 (object_properties_load() bypasses readonly property diff --git a/Zend/zend.h b/Zend/zend.h index f0925298413f..3eade95aa6ac 100644 --- a/Zend/zend.h +++ b/Zend/zend.h @@ -20,7 +20,7 @@ #ifndef ZEND_H #define ZEND_H -#define ZEND_VERSION "4.3.27-dev" +#define ZEND_VERSION "4.3.28-dev" #define ZEND_ENGINE_3 diff --git a/configure.ac b/configure.ac index 1e39e16644b1..2ceb4d8df338 100644 --- a/configure.ac +++ b/configure.ac @@ -17,7 +17,7 @@ dnl Basic autoconf initialization, generation of config.nice. dnl ---------------------------------------------------------------------------- AC_PREREQ([2.68]) -AC_INIT([PHP],[8.3.27-dev],[https://github.com/php/php-src/issues],[php],[https://www.php.net]) +AC_INIT([PHP],[8.3.28-dev],[https://github.com/php/php-src/issues],[php],[https://www.php.net]) AC_CONFIG_SRCDIR([main/php_version.h]) AC_CONFIG_AUX_DIR([build]) AC_PRESERVE_HELP_ORDER diff --git a/main/php_version.h b/main/php_version.h index bf1b95c63193..00dbab93a747 100644 --- a/main/php_version.h +++ b/main/php_version.h @@ -2,7 +2,7 @@ /* edit configure.ac to change version number */ #define PHP_MAJOR_VERSION 8 #define PHP_MINOR_VERSION 3 -#define PHP_RELEASE_VERSION 27 +#define PHP_RELEASE_VERSION 28 #define PHP_EXTRA_VERSION "-dev" -#define PHP_VERSION "8.3.27-dev" -#define PHP_VERSION_ID 80327 +#define PHP_VERSION "8.3.28-dev" +#define PHP_VERSION_ID 80328 From 9f55c1ae1c53b117f88bedc0a536bb9910b26373 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Tue, 7 Oct 2025 15:39:12 +0200 Subject: [PATCH 12/12] ensure test passes with prod config --- sapi/cgi/tests/auto_globals_no_jit.phpt | 1 + 1 file changed, 1 insertion(+) diff --git a/sapi/cgi/tests/auto_globals_no_jit.phpt b/sapi/cgi/tests/auto_globals_no_jit.phpt index e331709db6db..21af9e038d2a 100644 --- a/sapi/cgi/tests/auto_globals_no_jit.phpt +++ b/sapi/cgi/tests/auto_globals_no_jit.phpt @@ -2,6 +2,7 @@ CGI with auto_globals_jit=0 --INI-- auto_globals_jit=0 +variables_order="EGPCS" --CGI-- --ENV-- FOO=BAR