Don't expose references in debug_backtrace() or exception traces.
This is regardless of whether the argument is by-reference or not.
As a side-effect of this change, exception traces may now acquire
the interior value of a reference, which may be unexpected for
some internal functions. This is what necessitated the change in
the spl_array sort implementation.
- Core:
. Fixed bug #78236 (convert error on receiving variables when duplicate [).
(cmb)
+ . Fixed bug #79108 (Referencing argument in a function makes it a reference
+ in the stack trace). (Nikita)
- JIT:
. Fixed bug #79864 (JIT segfault in Symfony OptionsResolver). (Dmitry)
RFC: https://wiki.php.net/rfc/namespaced_names_as_token
. Nested ternaries now require explicit parentheses.
RFC: https://wiki.php.net/rfc/ternary_associativity
+ . debug_backtrace() and Exception::getTrace() will no longer provide
+ references to arguments. It will not be possible to change function
+ arguments through the backtrace.
- COM:
. Removed the ability to import case-insensitive constants from type
[0]=>
string(3) "1st"
[1]=>
- &string(3) "2nd"
+ string(3) "2nd"
[2]=>
string(3) "3th"
[3]=>
[0]=>
string(3) "1st"
[1]=>
- &string(3) "2nd"
+ string(3) "2nd"
[2]=>
NULL
[3]=>
[0]=>
NULL
[1]=>
- &string(3) "2nd"
+ string(3) "2nd"
[2]=>
NULL
[3]=>
--- /dev/null
+--TEST--
+Bug #79108: Referencing argument in a function makes it a reference in the stack trace
+--FILE--
+<?php
+
+function test(string $val) {
+ $a = &$val;
+ hackingHere();
+ print_r($val);
+}
+
+function hackingHere() {
+ // we're able to modify the $val from here, even though the arg was not a reference
+ debug_backtrace()[1]['args'][0] = 'Modified';
+}
+
+test('Original');
+
+?>
+--EXPECT--
+Original
* and we have to access them through symbol_table
* See: https://bugs.php.net/bug.php?id=73156
*/
- zend_string *arg_name;
- zval *arg;
-
while (i < first_extra_arg) {
- arg_name = call->func->op_array.vars[i];
- arg = zend_hash_find_ex_ind(call->symbol_table, arg_name, 1);
+ zend_string *arg_name = call->func->op_array.vars[i];
+ zval *arg = zend_hash_find_ex_ind(call->symbol_table, arg_name, 1);
if (arg) {
- if (Z_OPT_REFCOUNTED_P(arg)) {
- Z_ADDREF_P(arg);
- }
+ ZVAL_DEREF(arg);
+ Z_TRY_ADDREF_P(arg);
ZEND_HASH_FILL_SET(arg);
} else {
ZEND_HASH_FILL_SET_NULL();
} else {
while (i < first_extra_arg) {
if (EXPECTED(Z_TYPE_INFO_P(p) != IS_UNDEF)) {
- if (Z_OPT_REFCOUNTED_P(p)) {
- Z_ADDREF_P(p);
- }
- ZEND_HASH_FILL_SET(p);
+ zval *arg = p;
+ ZVAL_DEREF(arg);
+ Z_TRY_ADDREF_P(arg);
+ ZEND_HASH_FILL_SET(arg);
} else {
ZEND_HASH_FILL_SET_NULL();
}
while (i < num_args) {
if (EXPECTED(Z_TYPE_INFO_P(p) != IS_UNDEF)) {
- if (Z_OPT_REFCOUNTED_P(p)) {
- Z_ADDREF_P(p);
- }
- ZEND_HASH_FILL_SET(p);
+ zval *arg = p;
+ ZVAL_DEREF(arg);
+ Z_TRY_ADDREF_P(arg);
+ ZEND_HASH_FILL_SET(arg);
} else {
ZEND_HASH_FILL_SET_NULL();
}
[1]=>
int(1)
[2]=>
- &string(0) ""
+ string(0) ""
}
mb_ereg(): Argument #2 ($string) must be of type string, array given
array(3) {
array(0) {
}
[2]=>
- &string(0) ""
+ string(0) ""
}
bool(false)
array(3) {
}
/* }}} */
-static inline void spl_array_replace_hash_table(spl_array_object* intern, HashTable *ht) { /* {{{ */
- HashTable **ht_ptr = spl_array_get_hash_table_ptr(intern);
- zend_array_destroy(*ht_ptr);
- *ht_ptr = ht;
-}
-/* }}} */
-
static inline zend_bool spl_array_is_object(spl_array_object *intern) /* {{{ */
{
while (intern->ar_flags & SPL_ARRAY_USE_OTHER) {
static void spl_array_method(INTERNAL_FUNCTION_PARAMETERS, char *fname, int fname_len, int use_arg) /* {{{ */
{
spl_array_object *intern = Z_SPLARRAY_P(ZEND_THIS);
- HashTable *aht = spl_array_get_hash_table(intern);
+ HashTable **ht_ptr = spl_array_get_hash_table_ptr(intern);
+ HashTable *aht = *ht_ptr;
zval function_name, params[2], *arg = NULL;
ZVAL_STRINGL(&function_name, fname, fname_len);
exit:
{
- HashTable *new_ht = Z_ARRVAL_P(Z_REFVAL(params[0]));
- if (aht != new_ht) {
- spl_array_replace_hash_table(intern, new_ht);
- } else {
- GC_DELREF(aht);
- }
- ZVAL_NULL(Z_REFVAL(params[0]));
+ zval *ht_zv = Z_REFVAL(params[0]);
+ zend_array_release(*ht_ptr);
+ SEPARATE_ARRAY(ht_zv);
+ *ht_ptr = Z_ARRVAL_P(ht_zv);
+ ZVAL_NULL(ht_zv);
zval_ptr_dtor(¶ms[0]);
zend_string_free(Z_STR(function_name));
}
["args"]=>
array(2) {
[0]=>
- &array(3) {
+ array(3) {
["one"]=>
int(1)
["two"]=>
Cannot assign array to reference held by property Test::$prop of type int
object(Test)#1 (1) {
["prop"]=>
- &int(42)
+ int(42)
}
projects / php / commitdiff