Merge tag 'php-8.3.27' into was-8.3.x

Tag for php-8.3.27

Author: MaxKellermann

.gdbinit

@@ -42,7 +42,7 @@ define print_cvs
 
 	printf "Compiled variables count: %d\n\n", $cv_count
 	while $cv_idx < $cv_count
-		printf "[%d] '%s'\n", $cv_idx, $cv[$cv_idx].val
+		printf "[%d] '$%s'\n", $cv_idx, $cv[$cv_idx].val@$cv[$cv_idx].len
 		set $zvalue = ((zval *) $cv_ex_ptr) + $callFrameSize + $cv_idx
 		printzv $zvalue
 		set $cv_idx = $cv_idx + 1

.github/nightly_matrix.php

@@ -1,7 +1,8 @@
 <?php
 
 const BRANCHES = [
-    ['ref' => 'master', 'version' => [8, 5]],
+    ['ref' => 'master', 'version' => [8, 6]],
+    ['ref' => 'PHP-8.5', 'version' => [8, 5]],
     ['ref' => 'PHP-8.4', 'version' => [8, 4]],
     ['ref' => 'PHP-8.3', 'version' => [8, 3]],
     ['ref' => 'PHP-8.2', 'version' => [8, 2]],

.github/scripts/windows/find-target-branch.bat

@@ -3,6 +3,6 @@
 for /f "usebackq tokens=3" %%i in (`findstr PHP_MAJOR_VERSION main\php_version.h`) do set BRANCH=%%i
 for /f "usebackq tokens=3" %%i in (`findstr PHP_MINOR_VERSION main\php_version.h`) do set BRANCH=%BRANCH%.%%i
 
-if /i "%BRANCH%" equ "8.5" (
+if /i "%BRANCH%" equ "8.6" (
 	set BRANCH=master
 )

.github/workflows/nightly.yml

@@ -44,6 +44,9 @@ on:
       skip_wordpress:
         required: true
         type: boolean
+      variation_enable_zend_max_execution_timers:
+        required: true
+        type: boolean
 permissions:
   contents: read
 jobs:
@@ -90,21 +93,16 @@ jobs:
   ALPINE:
     if: inputs.run_alpine
     name: ALPINE_X64_ASAN_UBSAN_DEBUG_ZTS
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     container:
-      image: 'alpine:3.20.1'
+      image: 'alpine:3.22'
     steps:
       - name: git checkout
         uses: actions/checkout@v5
         with:
           ref: ${{ inputs.branch }}
       - name: apk
         uses: ./.github/actions/apk
-      - name: LLVM 17 (ASAN-only)
-        # libclang_rt.asan-x86_64.a is provided by compiler-rt, and only for clang17:
-        # https://pkgs.alpinelinux.org/contents?file=libclang_rt.asan-x86_64.a&path=&name=&branch=v3.20
-        run: |
-          apk add clang17 compiler-rt
       - name: System info
         run: |
           echo "::group::Show host CPU info"
@@ -119,8 +117,8 @@ jobs:
           configurationParameters: >-
             CFLAGS="-fsanitize=undefined,address -fno-sanitize=function -DZEND_TRACK_ARENA_ALLOC"
             LDFLAGS="-fsanitize=undefined,address -fno-sanitize=function"
-            CC=clang-17
-            CXX=clang++-17
+            CC=clang-20
+            CXX=clang++-20
             --enable-debug
             --enable-zts
           skipSlow: true # FIXME: This should likely include slow extensions
@@ -199,6 +197,7 @@ jobs:
             zts: true
             configuration_parameters: >-
               CFLAGS="-DZEND_RC_DEBUG=1 -DPROFITABILITY_CHECKS=0 -DZEND_VERIFY_FUNC_INFO=1 -DZEND_VERIFY_TYPE_INFERENCE"
+              ${{ inputs.variation_enable_zend_max_execution_timers && '--enable-zend-max-execution-timers' || '' }}
             run_tests_parameters: -d zend_test.observer.enabled=1 -d zend_test.observer.show_output=0
             timeout_minutes: 360
             test_function_jit: true

.github/workflows/push.yml

@@ -162,6 +162,7 @@ jobs:
         with:
           key: "${{github.job}}-${{hashFiles('main/php_version.h')}}"
           append-timestamp: false
+          save: ${{ github.event_name != 'pull_request' }}
       - name: ./configure
         uses: ./.github/actions/configure-x32
         with:

.github/workflows/root.yml

@@ -64,4 +64,5 @@ jobs:
       skip_laravel: ${{ matrix.branch.version[0] == 8 && matrix.branch.version[1] == 1 }}
       skip_symfony: ${{ matrix.branch.version[0] == 8 && matrix.branch.version[1] == 1 }}
       skip_wordpress: ${{ matrix.branch.version[0] == 8 && matrix.branch.version[1] == 1 }}
+      variation_enable_zend_max_execution_timers: ${{ (matrix.branch.version[0] == 8 && matrix.branch.version[1] >= 3) || matrix.branch.version[0] >= 9 }}
     secrets: inherit

NEWS

@@ -1,5 +1,91 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+23 Oct 2025, PHP 8.3.27
+
+- Core:
+  . Fixed bug GH-19765 (object_properties_load() bypasses readonly property
+    checks). (timwolla)
+  . Fixed hard_timeout with --enable-zend-max-execution-timers. (Appla)
+  . Fixed bug GH-19792 (SCCP causes UAF for return value if both warning and
+    exception are triggered). (nielsdos)
+  . Fixed bug GH-19653 (Closure named argument unpacking between temporary
+    closures can cause a crash). (nielsdos, Arnaud, Bob)
+  . Fixed bug GH-19839 (Incorrect HASH_FLAG_HAS_EMPTY_IND flag on userland
+    array). (ilutov)
+  . Fixed bug GH-19480 (error_log php.ini cannot be unset when open_basedir is
+    configured). (nielsdos)
+  . Fixed bug GH-20002 (Broken build on *BSD with MSAN). (outtersg)
+
+- CLI:
+  . Fix useless "Failed to poll event" error logs due to EAGAIN in CLI server
+    with PHP_CLI_SERVER_WORKERS. (leotaku)
+
+- Curl:
+  . Fix cloning of CURLOPT_POSTFIELDS when using the clone operator instead
+    of the curl_copy_handle() function to clone a CurlHandle. (timwolla)
+  . Fix curl build and test failures with version 8.16.
+    (nielsdos, ilutov, Jakub Zelenka)
+
+- Date:
+  . Fixed GH-17159: "P" format for ::createFromFormat swallows string literals.
+    (nielsdos)
+
+- DBA:
+  . Fixed GH-19885 (dba_fetch() overflow on skip argument). (David Carlier)
+
+- GD:
+  . Fixed GH-19955 (imagefttext() memory leak). (David Carlier)
+
+- MySQLnd:
+  . Fixed bug #67563 (mysqli compiled with mysqlnd does not take ipv6 adress
+    as parameter). (nielsdos)
+
+- Phar:
+  . Fix memory leak and invalid continuation after tar header writing fails.
+    (nielsdos)
+  . Fix memory leaks when creating temp file fails when applying zip signature.
+    (nielsdos)
+
+- SimpleXML:
+  . Fixed bug GH-19988 (zend_string_init with NULL pointer in simplexml (UB)).
+    (nielsdos)
+
+- Soap:
+  . Fixed bug GH-19784 (SoapServer memory leak). (nielsdos)
+  . Fixed bug GH-20011 (Array of SoapVar of unknown type causes crash).
+    (nielsdos)
+
+- Standard:
+  . Fixed bug GH-12265 (Cloning an object breaks serialization recursion).
+    (nielsdos)
+  . Fixed bug GH-19701 (Serialize/deserialize loses some data). (nielsdos)
+  . Fixed bug GH-19801 (leaks in var_dump() and debug_zval_dump()).
+    (alexandre-daubois)
+  . Fixed bug GH-20043 (array_unique assertion failure with RC1 array
+    causing an exception on sort). (nielsdos)
+  . Fixed bug GH-19926 (reset internal pointer earlier while splicing array
+    while COW violation flag is still set). (alexandre-daubois)
+  . Fixed bug GH-19570 (unable to fseek in /dev/zero and /dev/null).
+    (nielsdos, divinity76)
+
+- Streams:
+  . Fixed bug GH-19248 (Use strerror_r instead of strerror in main).
+    (Jakub Zelenka)
+  . Fixed bug GH-17345 (Bug #35916 was not completely fixed). (nielsdos)
+  . Fixed bug GH-19705 (segmentation when attempting to flush on non seekable
+    stream. (bukka/David Carlier)
+
+- XMLReader:
+  . Fixed bug GH-20009 (XMLReader leak on RelaxNG schema failure). (nielsdos)
+
+- Zip:
+  . Fixed bug GH-19688 (Remove pattern overflow in zip addGlob()). (nielsdos)
+  . Fixed bug GH-19932 (Memory leak in zip setEncryptionName()/setEncryptionIndex()).
+    (David Carlier)
+
+- Zlib:
+  . Fixed bug GH-19922 (Double free on gzopen). (David Carlier)
+
 25 Sep 2025, PHP 8.3.26
 
 - Core:

Zend/Optimizer/sccp.c

@@ -845,9 +845,7 @@ static inline zend_result ct_eval_func_call(
 		zval_ptr_dtor(result);
 		zend_clear_exception();
 		retval = FAILURE;
-	}
-
-	if (EG(capture_warnings_during_sccp) > 1) {
+	} else if (EG(capture_warnings_during_sccp) > 1) {
 		zval_ptr_dtor(result);
 		retval = FAILURE;
 	}

Zend/tests/closures/gh19653_1.phpt

@@ -0,0 +1,27 @@
+--TEST--
+GH-19653 (Closure named argument unpacking between temporary closures can cause a crash)
+--CREDITS--
+ivan-u7n
+--FILE--
+<?php
+
+function func1(string $a1 = 'a1', string $a2 = 'a2', string $a3 = 'a3') {
+	echo __FUNCTION__ . "() a1=$a1 a2=$a2 a3=$a3\n";
+}
+
+function usage1(?Closure $func1 = null) {
+	echo __FUNCTION__ . "() ";
+	($func1 ?? func1(...))(a3: 'm3+');
+}
+usage1();
+
+$func1 = function (string ...$args) {
+	echo "[function] ";
+	func1(...$args, a2: 'm2+');
+};
+usage1(func1: $func1);
+
+?>
+--EXPECT--
+usage1() func1() a1=a1 a2=a2 a3=m3+
+usage1() [function] func1() a1=a1 a2=m2+ a3=m3+

Zend/tests/closures/gh19653_2.phpt

@@ -0,0 +1,23 @@
+--TEST--
+GH-19653 (Closure named argument unpacking between temporary closures can cause a crash) - eval variation
+--CREDITS--
+arnaud-lb
+--FILE--
+<?php
+
+function usage1(Closure $c) {
+    $c(a: 1);
+}
+
+usage1(eval('return function($a) { var_dump($a); };'));
+usage1(eval('return function($b) { var_dump($b); };'));
+
+?>
+--EXPECTF--
+int(1)
+
+Fatal error: Uncaught Error: Unknown named parameter $a in %s:%d
+Stack trace:
+#0 %s(%d): usage1(Object(Closure))
+#1 {main}
+  thrown in %s on line %d