New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Heap corruption in next_state_val() due to uninitialized local variable #60

Closed
lxxxxfdh opened this Issue May 23, 2017 · 1 comment

Comments

Projects
None yet
2 participants
@lxxxxfdh

lxxxxfdh commented May 23, 2017

The following non-deterministic behavior can be triggered from the following code. With ASAN enabled, on 64-bit platform, the crash reproduces within 3-10 runs.

#include <stdio.h>
#include "oniguruma.h"

static int
exec(OnigEncoding enc, OnigOptionType options,
     char* apattern, char* astr,  int pattern_len,
    unsigned char *end, OnigSyntaxType* sytax)
{
    int r;
    regex_t* reg;
    OnigErrorInfo einfo;
    UChar* pattern = (UChar* )apattern;
    UChar* str     = (UChar* )astr;

    onig_initialize(&enc, 1);

    r = onig_new(&reg, pattern,
                 pattern + pattern_len,
                 options, enc, sytax , &einfo);
    if (r != ONIG_NORMAL) {
        char s[ONIG_MAX_ERROR_MESSAGE_LEN];
        onig_error_code_to_str(s, r, &einfo);
        fprintf(stderr, "ERROR: %s\n", s);
        return -1;
    }

    onig_free(reg);
    onig_end();
    return 0;
}

extern int main(int argc, char* argv[])
{
    int r;
    /* ISO 8859-1 test */
    static unsigned char str[] = { 0xc7, 0xd6, 0xfe, 0xea, 0xe0, 0xe2, 0x00 };

    char* pattern = "\x5b\x5c\x48\x2d\xb0\x30\x8d\x30\x2a\x5b\x5d\x20\x20\x5d"
        "\xf9\x54\x00\x7f\x5c\x63\xef\xef\xef\xef\x52\xf7\xf7\x52"
        "\xf7\xeb\xeb\x70\x2b\xf7\x7b\x30\x2c\x32\x7d";

    r = exec(ONIG_ENCODING_GB18030, ONIG_OPTION_IGNORECASE,pattern, (char*) str, 39, str + 7, ONIG_SYNTAX_DEFAULT);
    r = exec(ONIG_ENCODING_GB18030, ONIG_OPTION_IGNORECASE,pattern, (char*) str, 39, str + 7, ONIG_SYNTAX_DEFAULT);

    return r;
}

With some add-on:

static int
parse_char_class(Node** np, OnigToken* tok, UChar** src, UChar* end,
		 ScanEnv* env)
{
  int r, neg, len, fetched, and_start;
  OnigCodePoint v, vs;
  UChar *p;
  Node* node;
  CClassNode *cc, *prev_cc;
  CClassNode work_cc;

  printf("*vs (init) = %lu\n", (unsigned long)vs);
static void
bitset_set_range(BitSetRef bs, int from, int to)
{
  int i;
  for (i = from; i <= to && i < SINGLE_BYTE_SIZE; i++) {
    fprintf(stderr, "bs=%p, i=%lu\n", (unsigned int*)bs, i);
    BITSET_SET_BIT(bs, i);
  }
}

ASAN report:

*vs (init) = 2953750392
*vs (from) = 2953750392, v=2955971888
bs=0x60600000ef08, i=2953750392
ASAN:SIGSEGV
=================================================================
==22101==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004030d0 bp 0x7ffe925592c0 sp 0x7ffe925592a0 T0)
    #0 0x4030cf in bitset_set_range /home/xie/Downloads/oni/onig-test-develop/src/regparse.c:203
    #1 0x419b72 in next_state_val /home/xie/Downloads/oni/onig-test-develop/src/regparse.c:4142
    #2 0x41ab77 in parse_char_class /home/xie/Downloads/oni/onig-test-develop/src/regparse.c:4329
    #3 0x41f7b6 in parse_exp /home/xie/Downloads/oni/onig-test-develop/src/regparse.c:5174
    #4 0x420728 in parse_branch /home/xie/Downloads/oni/onig-test-develop/src/regparse.c:5339
    #5 0x420bae in parse_subexp /home/xie/Downloads/oni/onig-test-develop/src/regparse.c:5385
    #6 0x420fc8 in parse_regexp /home/xie/Downloads/oni/onig-test-develop/src/regparse.c:5433
    #7 0x421454 in onig_parse_make_tree /home/xie/Downloads/oni/onig-test-develop/src/regparse.c:5464
    #8 0x43de89 in onig_compile /home/xie/Downloads/oni/onig-test-develop/src/regcomp.c:5326
    #9 0x43ed8b in onig_new /home/xie/Downloads/oni/onig-test-develop/src/regcomp.c:5565
    #10 0x4011d8 in exec /home/xie/Downloads/oni/onig-test-develop/test/testc.c:17
    #11 0x4013f6 in main /home/xie/Downloads/oni/onig-test-develop/test/testc.c:43
    #12 0x7f62aebd082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x400f98 in _start (/home/xie/Downloads/oni/onig-test-develop/test/testc+0x400f98)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/xie/Downloads/oni/onig-test-develop/src/regparse.c:203 bitset_set_range
==22101==ABORTING

The probabilistic reproducer triggers a heap OOB write when the local variable OnigCodePoint vs in parse_char_class() is not initialized, following the call as:

parse_char_class() -> next_state_val() -> bitset_set_range()

resulting in the said crash.

Note the calls to exec() is currently necessary to trigger the crash.

@xixabangm4

This comment has been minimized.

xixabangm4 commented May 25, 2017

Thanks, please use CVE-2017-9228 to reference this issue.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9228

@kkos kkos closed this in 3b63d12 May 29, 2017

php-pulls pushed a commit to php/php-src that referenced this issue May 30, 2017

Patch from the upstream git
kkos/oniguruma#60 (CVE-2017-9228)

Thanks to Mamoru TASAKA <mtasaka@fedoraproject.org>

php-pulls pushed a commit to php/php-src that referenced this issue May 30, 2017

Merge branch 'PHP-7.0' into PHP-7.1
* PHP-7.0:
  NEWS
  Patch from the upstream git kkos/oniguruma#60 (CVE-2017-9228)
  Patch from the upstream git kkos/oniguruma#59 (CVE-2017-9229) b690371bbf97794b4a1d3f295d4fb9a8b05d402d Modified for onig 5.9.6
  Patch from the upstream git kkos/oniguruma#58 (CVE-2017-9227)
  Patch from the upstream git kkos/oniguruma#57 (CVE-2017-9224)
  Patch from the upstream git kkos/oniguruma#55 (CVE-2017-9226) b4bf968ad52afe14e60a2dc8a95d3555c543353a Modified for onig 5.9.6 f015fbdd95f76438cd86366467bb2b39870dd7c6 Modified for onig 5.9.6

php-pulls pushed a commit to php/php-src that referenced this issue May 30, 2017

Merge branch 'PHP-7.1'
* PHP-7.1:
  NEWS
  NEWS
  Patch from the upstream git kkos/oniguruma#60 (CVE-2017-9228)
  Patch from the upstream git kkos/oniguruma#59 (CVE-2017-9229) b690371bbf97794b4a1d3f295d4fb9a8b05d402d Modified for onig 5.9.6
  Patch from the upstream git kkos/oniguruma#58 (CVE-2017-9227)
  Patch from the upstream git kkos/oniguruma#57 (CVE-2017-9224)
  Patch from the upstream git kkos/oniguruma#55 (CVE-2017-9226) b4bf968ad52afe14e60a2dc8a95d3555c543353a Modified for onig 5.9.6 f015fbdd95f76438cd86366467bb2b39870dd7c6 Modified for onig 5.9.6

kkos pushed a commit that referenced this issue Jun 15, 2017

php-pulls pushed a commit to php/php-src that referenced this issue Jul 5, 2017

Patch from the upstream git
kkos/oniguruma#60 (CVE-2017-9228)

Thanks to Mamoru TASAKA <mtasaka@fedoraproject.org>

php-pulls pushed a commit to php/php-src that referenced this issue Jul 5, 2017

Merge branch 'PHP-5.6' into PHP-7.0
* PHP-5.6:
  NEWS for oniguruma
  Patch from the upstream git kkos/oniguruma#60 (CVE-2017-9228)
  Patch from the upstream git kkos/oniguruma#59 (CVE-2017-9229) b690371bbf97794b4a1d3f295d4fb9a8b05d402d Modified for onig 5.9.6
  Patch from the upstream git kkos/oniguruma#58 (CVE-2017-9227)
  Patch from the upstream git kkos/oniguruma#57 (CVE-2017-9224)
  Patch from the upstream git kkos/oniguruma#55 (CVE-2017-9226) b4bf968ad52afe14e60a2dc8a95d3555c543353a Modified for onig 5.9.6 f015fbdd95f76438cd86366467bb2b39870dd7c6 Modified for onig 5.9.6

php-pulls pushed a commit to php/php-src that referenced this issue Jul 5, 2017

Merge branch 'PHP-7.0' into PHP-7.1
* PHP-7.0:
  NEWS for oniguruma
  Patch from the upstream git kkos/oniguruma#60 (CVE-2017-9228)
  Patch from the upstream git kkos/oniguruma#59 (CVE-2017-9229) b690371bbf97794b4a1d3f295d4fb9a8b05d402d Modified for onig 5.9.6
  Patch from the upstream git kkos/oniguruma#58 (CVE-2017-9227)
  Patch from the upstream git kkos/oniguruma#57 (CVE-2017-9224)
  Patch from the upstream git kkos/oniguruma#55 (CVE-2017-9226) b4bf968ad52afe14e60a2dc8a95d3555c543353a Modified for onig 5.9.6 f015fbdd95f76438cd86366467bb2b39870dd7c6 Modified for onig 5.9.6

php-pulls pushed a commit to php/php-src that referenced this issue Jul 5, 2017

Merge branch 'PHP-7.1'
* PHP-7.1:
  NEWS for oniguruma
  Patch from the upstream git kkos/oniguruma#60 (CVE-2017-9228)
  Patch from the upstream git kkos/oniguruma#59 (CVE-2017-9229) b690371bbf97794b4a1d3f295d4fb9a8b05d402d Modified for onig 5.9.6
  Patch from the upstream git kkos/oniguruma#58 (CVE-2017-9227)
  Patch from the upstream git kkos/oniguruma#57 (CVE-2017-9224)
  Patch from the upstream git kkos/oniguruma#55 (CVE-2017-9226) b4bf968ad52afe14e60a2dc8a95d3555c543353a Modified for onig 5.9.6 f015fbdd95f76438cd86366467bb2b39870dd7c6 Modified for onig 5.9.6

dstogov added a commit to dstogov/php-src that referenced this issue Jul 5, 2017

Merge branch 'master' into sccp
* master: (43 commits)
  Keep information about SSA variables, that may be modified indirectly.
  Added constants for known ldap controls OID and tests for ldap_get/set_option for controls
  Added support for controls to ldap_get_option
  [ci skip] sync NEWS
  NEWS for oniguruma
  Patch from the upstream git kkos/oniguruma#60 (CVE-2017-9228)
  Patch from the upstream git kkos/oniguruma#59 (CVE-2017-9229) b690371bbf97794b4a1d3f295d4fb9a8b05d402d Modified for onig 5.9.6
  Patch from the upstream git kkos/oniguruma#58 (CVE-2017-9227)
  Patch from the upstream git kkos/oniguruma#57 (CVE-2017-9224)
  Patch from the upstream git kkos/oniguruma#55 (CVE-2017-9226) b4bf968ad52afe14e60a2dc8a95d3555c543353a Modified for onig 5.9.6 f015fbdd95f76438cd86366467bb2b39870dd7c6 Modified for onig 5.9.6
  valid_symbol_table removed
  Improve fix for #74145
  Fix wddx
  Fix tests
  Fixed bug #74111
  Fix bug #74603 - use correct buffer size
  Fix bug #74651 - check EVP_SealInit as it can return -1
  Update NEWS
  Fix bug #74087
  Fixed parsing of strange formats with mixed month/day and time strings
  ...

k-takata added a commit to k-takata/Onigmo that referenced this issue Jul 12, 2017

php-pulls pushed a commit to php/php-src that referenced this issue Jul 14, 2017

Added goblal optimisation passes based on data flow analyses using SS…
…A form:

SCCP - Sparse Conditional Constant Propagation, DCE - Dead Code Elimination
and removing of unused local variablesi.

Squashed commit of the following:

commit bf5ac05
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Fri Jul 14 14:26:40 2017 +0300

    Added news entry

commit 4cfa698
Merge: 1cdaaac 1f261d7
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Fri Jul 14 13:30:50 2017 +0300

    Merge branch 'sccp' into dce

    * sccp:
      Bump OCI8 version for recent patch
      WS
      Fix test title
      Ensure that the stream position is kept between reads
      Turn off EXIF_DEBUG so Travis don't complain at me
      Don't add a new line to undefined tags in EXIF_DEBUG mode
      Fix compile error with EXIF_DEBUG
      update NEWS
      disable --with-pcre-valgrind on travis
      fix default args for --with-pcre-valgrind
      Enable valgrind support for PCRE by default in debug builds
      add oniguruma.patch to ease future upgrades
      SIZEOF_SIZE_T doesn't exist on AIX and POWER8 (ppc64le), keep using SIZEOF_LONG

commit 1f261d7
Merge: a32a3fb b280ba8
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Fri Jul 14 13:30:39 2017 +0300

    Merge branch 'master' into sccp

    * master:
      Bump OCI8 version for recent patch
      WS
      Fix test title
      Ensure that the stream position is kept between reads
      Turn off EXIF_DEBUG so Travis don't complain at me
      Don't add a new line to undefined tags in EXIF_DEBUG mode
      Fix compile error with EXIF_DEBUG
      update NEWS
      disable --with-pcre-valgrind on travis
      fix default args for --with-pcre-valgrind
      Enable valgrind support for PCRE by default in debug builds
      add oniguruma.patch to ease future upgrades
      SIZEOF_SIZE_T doesn't exist on AIX and POWER8 (ppc64le), keep using SIZEOF_LONG

commit 1cdaaac
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Fri Jul 14 13:27:12 2017 +0300

    Use generic evalution mechanism for constant functions

commit 75bd92a
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Fri Jul 14 12:39:05 2017 +0300

    Fixed use-def chain unlinking for "$a = 1; $a += $a;"

commit 7d77468
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Fri Jul 14 12:38:29 2017 +0300

    Enable duplicate predecessors verification

commit 6b1667f
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Fri Jul 14 11:55:20 2017 +0300

    Removed duplicate definitions

commit 1415b53
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Fri Jul 14 11:51:29 2017 +0300

    Enable evaluation of constant functions with 3 arguments

commit ab367de
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Fri Jul 14 11:45:13 2017 +0300

    Removed deprecated check

commit c51659e
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Fri Jul 14 11:40:42 2017 +0300

    Reduce limit

commit b1be5a0
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Fri Jul 14 11:38:23 2017 +0300

    Disable constant array_flip() evaluation

commit 7a5b059
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Fri Jul 14 11:33:20 2017 +0300

    Fixed comments

commit 377e48b
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Fri Jul 14 11:28:50 2017 +0300

    Cast of string to long/double can not produce exception

commit 228dd01
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Fri Jul 14 11:24:50 2017 +0300

    Added missed return

commit 0972a21
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Fri Jul 14 11:22:36 2017 +0300

    objects may be nested in array operands

commit bd346bf
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Fri Jul 14 11:19:20 2017 +0300

    ~$resource is unsupported.

commit c77e456
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Fri Jul 14 11:15:39 2017 +0300

    ws

commit 0b64d71
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Fri Jul 14 11:14:40 2017 +0300

    Call to zend_ssa_unlink_use_chain() shouldn't be dropped

commit cb7059f
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Fri Jul 14 11:11:58 2017 +0300

    Safer check for function name. The previous check is incorrect in ZTS build.

commit 7280aba
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Fri Jul 14 11:02:10 2017 +0300

    Missing warning

commit 54bc7b5
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Fri Jul 14 10:56:42 2017 +0300

    Proper check for successors count

commit ea8c004
Merge: 624f76d a32a3fb
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Thu Jul 13 15:56:26 2017 +0300

    Merge branch 'sccp' into dce

    * sccp:
      fix fold
      Fixed bug #74866 extension_dir = "./ext" now use current directory for base
      add next vc15 toolset to the list
      Revert "Enable whole program optimization for builds without PGO, too"
      extend comment
      cleanup discontinued target

commit a32a3fb
Merge: 2722dbf 5fb2abd
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Thu Jul 13 15:56:14 2017 +0300

    Merge branch 'master' into sccp

    * master:
      fix fold
      Fixed bug #74866 extension_dir = "./ext" now use current directory for base
      add next vc15 toolset to the list
      Revert "Enable whole program optimization for builds without PGO, too"
      extend comment
      cleanup discontinued target

commit 624f76d
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Thu Jul 13 12:30:27 2017 +0300

    Set RETURN_VALUE_UNUSED instead of additional FREE opcode, if possible.
    Keep alive dead instructions that have to free two temporary variables.

commit 94c9b26
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Thu Jul 13 11:51:14 2017 +0300

    More accurate "vararg" handling in DCE

commit 665ed84
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Thu Jul 13 09:31:45 2017 +0300

    Improved DCE performance, by avoiding redundand checks and repeatable iterations.

commit 3f42ce1
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Wed Jul 12 23:03:11 2017 +0300

    Added few more instructions without side effects and exceptions

commit b17178f
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Wed Jul 12 20:39:02 2017 +0300

    Temprary enable SSA validation in DEBUG build

commit e238a8d
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Wed Jul 12 20:37:53 2017 +0300

    Inegrate SSA validation developed by Nikita

commit a247cee
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Wed Jul 12 20:31:27 2017 +0300

    Perform DCE pass before other DFA optimisations, to properly reconstruct "no value" use-def chains.

commit a651564
Merge: 06f6eb0 2722dbf
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Wed Jul 12 18:55:05 2017 +0300

    Merge branch 'sccp' into dce

    * sccp:
      Resources should be closed during object destructioin, not during freeing.
      Guard against AppVeyor losing deps issue
      increase poll timeout as false positives mitigation
      Value of EG(user_exception_handler) should't relive request boundary
      sodium ext: remove function names before exception messages
      sodium ext: update the crypto_kx_*() API to the libsodium one
      Revert "fix macro redifinitions"

commit 2722dbf
Merge: 6595ea3 09d3b73
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Wed Jul 12 18:54:48 2017 +0300

    Merge branch 'master' into sccp

    * master:
      Resources should be closed during object destructioin, not during freeing.
      Guard against AppVeyor losing deps issue
      increase poll timeout as false positives mitigation
      Value of EG(user_exception_handler) should't relive request boundary
      sodium ext: remove function names before exception messages
      sodium ext: update the crypto_kx_*() API to the libsodium one
      Revert "fix macro redifinitions"

commit 06f6eb0
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Wed Jul 12 14:52:28 2017 +0300

    Use zend_ssa_is_no_val_use() instead of zend_has_improper_op1_use()

commit 4b64dbb
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Wed Jul 12 13:07:14 2017 +0300

    Check if instruction may throw exception only for instructions without known side effects.
    Always disable removing ASSIGN and UNSET_VAR that may throw.

commit c5aa1f4
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Wed Jul 12 11:21:07 2017 +0300

    Use existing bit

commit c2af153
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Wed Jul 12 11:10:48 2017 +0300

    Updated Windows build

commit de5e8fc
Merge: 8c0de53 6595ea3
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Wed Jul 12 11:10:12 2017 +0300

    Merge branch 'sccp' into dce

    * sccp: (29 commits)
      Use existing bit
      Updated Windows build
      Fixed compilation error
      Remove debug code
      We need to check for the length here too, or we crash and no one likes that! :(
      * Implemented #65187 (exif_read_data/thumbnail: add support for stream resource) * ext/exif now uses FAST_ZPP
      Remove extraneous configure flag
      Revert "remove excessive checks and fix warnings"
      parametrize zip names
      Upgrade bundled PCRE to 8.41
      Updated NEWS file with LDAP changes
      Fixed removing all controls by passing an empty array to ldap_set_option
      Filled in NEWS file with ext/ldap last modifications
      change order, allow to build as shared extension
      restore file deleted by mistake in a merge commit
      Fix segfault in php_stream_context_get_option call
      remove excessive checks and fix warnings
      fix macro redifinitions
      fix symbol availability and ws
      Remove this for now, as not found
      ...

commit 6595ea3
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Wed Jul 12 10:27:02 2017 +0300

    Use existing bit

commit f0bfd36
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Wed Jul 12 10:21:22 2017 +0300

    Updated Windows build

commit a9bd7c8
Merge: d1eb5ed 2b7d3fb
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Wed Jul 12 09:51:32 2017 +0300

    Merge branch 'master' into sccp

    * master: (27 commits)
      Fixed compilation error
      Remove debug code
      We need to check for the length here too, or we crash and no one likes that! :(
      * Implemented #65187 (exif_read_data/thumbnail: add support for stream resource) * ext/exif now uses FAST_ZPP
      Remove extraneous configure flag
      Revert "remove excessive checks and fix warnings"
      parametrize zip names
      Upgrade bundled PCRE to 8.41
      Updated NEWS file with LDAP changes
      Fixed removing all controls by passing an empty array to ldap_set_option
      Filled in NEWS file with ext/ldap last modifications
      change order, allow to build as shared extension
      restore file deleted by mistake in a merge commit
      Fix segfault in php_stream_context_get_option call
      remove excessive checks and fix warnings
      fix macro redifinitions
      fix symbol availability and ws
      Remove this for now, as not found
      fix authors
      NEWS for Sodium
      ...

commit 8c0de53
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Tue Jul 11 21:54:36 2017 +0300

    Initial integration of Dead Code Elimination (DCE) and unused variable removing passes, originally developed in https://github.com/nikic/php-src/tree/opt, into DFA optimization pass.

commit d1eb5ed
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Tue Jul 11 12:19:11 2017 +0300

    Proper SSA reconstruction for "$a = $a;"

commit 4872d13
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Tue Jul 11 11:57:33 2017 +0300

    Replace conditions, that should be always true, by ZEND_ASSERT()

commit 9915b1f
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Tue Jul 11 11:56:51 2017 +0300

    Fixed pass name

commit d26ff1b
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Tue Jul 11 11:55:47 2017 +0300

    Don't create identical predecessors

commit 0625fbe
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Tue Jul 11 09:36:07 2017 +0300

    Update unreachable blocks.

commit 9d7d409
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Tue Jul 11 09:28:49 2017 +0300

    Keep consistent cfg.map[]

commit 85a86e5
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Tue Jul 11 02:36:14 2017 +0300

    Remove unusded phi

commit d5e0f2d
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Tue Jul 11 02:35:00 2017 +0300

    Don't clear phi->spources[] too early.

commit a90ed34
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Mon Jul 10 21:29:39 2017 +0300

    Make SCCP to remove dead live ranges.

commit 320237f
Merge: 63bbed5 7be2637
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Mon Jul 10 17:35:21 2017 +0300

    Merge branch 'master' into sccp

    * master:
      Fixed memory leak introduced by 7cb5bdf
      eliminate casts
      remove checks for eol dependencies
      improve test
      Small fix in ext/ldap, Moved vars definitions to the beginning of the block using them
      ZipArchive implements countable, added ZipArchive::count() method

commit 63bbed5
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Mon Jul 10 17:01:15 2017 +0300

    Evaluation of few more constant functions

commit 07f45d8
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Mon Jul 10 16:22:47 2017 +0300

    Properly unlinking dead blocks from predecessors/successors and dominators

commit 502002a
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Mon Jul 10 13:33:14 2017 +0300

    Replacel constant JMPZ/NZ/ZNZ by JMP or NOP

commit 3253e61
Merge: e7f69f0 161c378
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Mon Jul 10 12:22:39 2017 +0300

    Merge branch 'master' into sccp

    * master:
      Revert "Fixed bug #74878"
      Upgrading note for #74837
      Fixed bug #74837 - NEWS
      Implement Countable for DomNodeList and DOMNamedNodeMap (Request #74837)
      Fix #49649 - Handle property visibility changes on unserialization

commit e7f69f0
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Mon Jul 10 12:15:08 2017 +0300

    Prevent compile-time evaluation of implode() with arguments causing run-time warnings

commit 0e882f1
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Mon Jul 10 11:54:04 2017 +0300

    Constant evaluation of ini_get() for some safe cases

commit 9e36a74
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Mon Jul 10 11:13:37 2017 +0300

    Constant evaluation of implode()

commit e73046e
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Mon Jul 10 10:51:23 2017 +0300

    Fixed uninitialized value

commit f5e2e8e
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Mon Jul 10 10:05:37 2017 +0300

    Remove (compact) unused constants after SCCP pass

commit f0b7bb8
Merge: e69d4f6 cfacf84
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Mon Jul 10 09:10:00 2017 +0300

    Merge branch 'master' into sccp

    * master: (37 commits)
      #73594 tests only check the extra params if dns_get_record is successful
      Fixed bug #74852 (property_exists returns true on unknown DateInterval property)
      fix uninitialized var
      fix comparison warning
      comply with POSIX signature
      fix warning
      remove some casts
      cleanup casts
      remove useless cast
      eliminate casts
      sync vim mode lines in main
      [ci skip] update NEWS
      [ci skip] update NEWS
      [ci skip] update NEWS
      Fixed bug #74883 SQLite3::__construct() produces "out of memory" exception with invalid flags
      Silent compiler warning
      Fix test
      Deprecated the read_exif_data() alias
      Add myself as exif maintainer
      update libs versions
      ...

commit e69d4f6
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Fri Jul 7 12:51:41 2017 +0300

    Avoid in-place modification of referenced data

commit 58f7c17
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Fri Jul 7 12:33:24 2017 +0300

    Use arena for temporary data.

commit 93d3e7d
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Fri Jul 7 11:54:47 2017 +0300

    Made sccp_ctx to be an "extension" of scdf_ctx and remove duplicate data.

commit f810c6f
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Fri Jul 7 11:20:48 2017 +0300

    Improved SSCP integration

commit d17ed88
Merge: d90805a 29653da
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Fri Jul 7 10:22:37 2017 +0300

    Merge branch 'master' into sccp

    * master:
      Fixed bug #74873 (Minor BC break: PCRE_JIT changes output of preg_match()).
      Fixed bug #72324 (imap_mailboxmsginfo() return wrong size)
      Fix redefine warnings
      Expand sb's name and capitalize my own
      Write the URL on a new line, so that it is easier copyable

commit d90805a
Merge: 2e5e03b fc336c7
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Thu Jul 6 23:07:04 2017 +0300

    Merge branch 'master' into sccp

    * master:
      Added missed dump of "main" script code
      replace the stack var by a macro
      [ci skip] sync NEWS
      minor fix for web announce
      add missing NEWS entry for #74087 and also fix the formatting
      move NEWS entry to the correct place, also bump the version

commit 2e5e03b
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Thu Jul 6 23:03:41 2017 +0300

    Call info should be removed, but at least we should prevent incorrect stack adjustment.

commit 1ee9110
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Thu Jul 6 19:34:43 2017 +0300

    Remove NOP instructions, introduced bvy SCCP.
    This commit discloses unrelated issue caused ext/soap/tests/bug70211.phpt failure.

commit 9a2f500
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Thu Jul 6 16:34:02 2017 +0300

    Avoid useless iterations for first SSA variablesi, always marked BOT.

commit c57dd7c
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Thu Jul 6 16:33:46 2017 +0300

    Use reference-counting

commit 90f822d
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Thu Jul 6 14:00:22 2017 +0300

    Support for few more opcodes

commit cffee2f
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Thu Jul 6 12:35:13 2017 +0300

    Combined constants substitutaion and dead instruction removing in single pass. This eleminates substitution in dead instructions.

commit f890375
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Thu Jul 6 10:34:48 2017 +0300

    Use reference-counting instead of duplication

commit db0cd64
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Thu Jul 6 03:04:27 2017 +0300

    Improved SCDF<->SCCP interface

     - "get_feasible_successors" callback is changed into "mark_feasible_successors" and should mark necessary edges through scdf_mark_edge_feasible()
     - SCDF takes care about OP_DATA instruction
     - SCDF code is re-arranged to avoid repeatable checks

commit e0ad5dd
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Thu Jul 6 00:55:40 2017 +0300

    Changed representation of "feasible_edges", using one bit per edge.

commit afee313
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Thu Jul 6 00:49:56 2017 +0300

    Revert "Don't propagate unused values"

    This reverts commit 84e5bfd.

commit 84e5bfd
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Wed Jul 5 23:39:42 2017 +0300

    Don't propagate unused values

commit d4f15b9
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Wed Jul 5 23:39:10 2017 +0300

    Don't visit the same Phi twice

commit 2558311
Merge: 722a59d 7bb4ae5
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Wed Jul 5 21:51:06 2017 +0300

    Merge branch 'master' into sccp

    * master:
      Fixed final dump "after optimizer"

commit 722a59d
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Wed Jul 5 21:09:29 2017 +0300

    SCCP doesn't support VERIFY_RETURN_TYPE (ext/opcache/tests/bug73789.phpt failure)

commit 7084fad
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Wed Jul 5 20:37:21 2017 +0300

    Fixed SSA reconstruction

commit 37ec4e0
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Wed Jul 5 19:34:46 2017 +0300

    Disable constant propagation for variables that can be modified indirectly

commit 4bb9b65
Merge: 6800460 73d5097
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Wed Jul 5 19:17:04 2017 +0300

    Merge branch 'master' into sccp

    * master: (43 commits)
      Keep information about SSA variables, that may be modified indirectly.
      Added constants for known ldap controls OID and tests for ldap_get/set_option for controls
      Added support for controls to ldap_get_option
      [ci skip] sync NEWS
      NEWS for oniguruma
      Patch from the upstream git kkos/oniguruma#60 (CVE-2017-9228)
      Patch from the upstream git kkos/oniguruma#59 (CVE-2017-9229) b690371bbf97794b4a1d3f295d4fb9a8b05d402d Modified for onig 5.9.6
      Patch from the upstream git kkos/oniguruma#58 (CVE-2017-9227)
      Patch from the upstream git kkos/oniguruma#57 (CVE-2017-9224)
      Patch from the upstream git kkos/oniguruma#55 (CVE-2017-9226) b4bf968ad52afe14e60a2dc8a95d3555c543353a Modified for onig 5.9.6 f015fbdd95f76438cd86366467bb2b39870dd7c6 Modified for onig 5.9.6
      valid_symbol_table removed
      Improve fix for #74145
      Fix wddx
      Fix tests
      Fixed bug #74111
      Fix bug #74603 - use correct buffer size
      Fix bug #74651 - check EVP_SealInit as it can return -1
      Update NEWS
      Fix bug #74087
      Fixed parsing of strange formats with mixed month/day and time strings
      ...

commit 6800460
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Wed Jul 5 16:14:38 2017 +0300

    Support for few more internal functions evaluation

commit 74a2946
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Wed Jul 5 13:42:55 2017 +0300

    Disabled evaluation of strpos() with empty needle.

commit e890894
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Wed Jul 5 13:17:30 2017 +0300

    Replace calls to in_array() with constant array by IN_ARRAY instruction after SCCP.

commit 4e8fa2c
Author: Dmitry Stogov <dmitry@zend.com>
Date:   Wed Jul 5 00:58:12 2017 +0300

    Initial integration of Sparse Conditional Constant Propagation (SCCP), originally developed in https://github.com/nikic/php-src/tree/opt, into DFA optimization pass.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment