History log of /php-src/Zend/zend_object_handlers.c (Results 1 – 25 of 692)
# 3d3b22dd 29-Oct-2024 Arnaud Le Blanc

Fix assertion failure in zend_std_read_property

We asserted that Z_PROP_FLAG_P(retval) was exactly IS_PROP_UNINIT, but this is a
bit field and it may contain irrelevant bits. For instance it may contain
IS_PROP_REINITABLE during clone, or IS_PROP_LAZY if the object is lazy.

Fixes GH-16615
Closes GH-16639



# 8720063c 21-Oct-2024 Ilija Tovilo

Fix propagation of ZEND_ACC_RETURN_REFERENCE for call trampoline

Fixes GH-16515
Closes GH-16529


# e715dd0a 05-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fixed GH-16233: Observer segfault when calling user function in internal function via trampoline

In the test, I have an internal `__call` function for `_ZendTestMagicCallForward` that calls the global function with name `$name` via `call_user_function`.
Note that observer writes the pointer to the previously observed frame in the last temporary of the new call frame (`*prev_observed_frame`).

The following happens:
First, we call `$test->callee`, this will be handled via a trampoline with T=2 for the two arguments. The call frame is allocated at this point. This call frame is not observed because it has `ZEND_ACC_CALL_VIA_TRAMPOLINE` set. Next we use `ZEND_CALL_TRAMPOLINE` to call the trampoline, this reuses the stack frame allocated earlier with T=2, but this time it is observed. The pointer to the previous frame is written outside of the call frame because `T` is too small (should be 3). We are now in the internal function `_ZendTestMagicCallForward::__call` where we call the global function `callee`. This will push a new call frame which will overlap `*prev_observed_frame`. This value gets overwritten by `zend_init_func_execute_data` when `EX(opline)` is set because `*prev_observed_frame` overlaps with `EX(opline)`. From now on, `*prev_observed_frame` is corrupted. When `zend_observer_fcall_end` is called this will result in reading the wrong value of `*prev_observed_frame` into `current_observed_frame`. This causes issues in `zend_observer_fcall_end_all` leading to the segfault we observe.

Despite functions with `ZEND_ACC_CALL_VIA_TRAMPOLINE` not being observed, the reuse of call frames causes problems when `T` is not large enough.
To fix this, we make sure to add 1 to `T` if `ZEND_OBSERVER_ENABLED` is true.

Closes GH-16252.



# ab72fbad 02-Oct-2024 Arnaud Le Blanc

Fix use-after-free during lazy object initialization (#16004)


# 12844f96 25-Sep-2024 Ilija Tovilo

Fix use-after-free of object released in hook

Fixes GH-16040
Closes GH-16058


# 025ed70c 10-Sep-2024 Ilija Tovilo

Fix ReflectionProperty::isInitialized() for hooked props

In zend_std_has_property with ZEND_PROPERTY_EXISTS, we'd just return true when
no get hook was present. However, this function is supposed to return false for
uninitialized properties. PROPERTY_EXISTS is somewhat of a misnomer. Virtual
properties continue to always return true, given there's no backing value to
check.

Fixes GH-15694
Closes GH-15822



# 5ca4d882 01-Sep-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Remove redundant 'zobj->ce->__isset' check (#15699)

This became unnecessary due to the addition of lazy objects that added
the goto when '!zobj->ce->__isset' above.


# 58aa6fc8 19-May-2023 Arnaud Le Blanc

Lazy objects

RFC: https://wiki.php.net/rfc/lazy-objects

Closes GH-15019


# e12188fe 29-Aug-2024 Ilija Tovilo

Fix asymmetric visibility with set hook

Fixes GH-15644
Closes GH-15645


# 8df557ac 27-Aug-2024 Ilija Tovilo

[RFC] Asymmetric visibility v2 (GH-15063)

Co-authored-by: Larry Garfield <larry@garfieldtech.com>


# 4a4aae54 14-Aug-2024 Gina Peter Banyard

Zend/zend_object_handlers.c: Remove unused include


# 46ee0fb3 09-Aug-2024 Ilija Tovilo

Disallow indirect modification on readonly properties within __clone() (#15012)

Indirect modification isn't allowed in __construct() because it allows
references to leak, so it doesn't make much sense to allow it in __clone().



# f4eb81d7 22-Jul-2024 Arnaud Le Blanc

Followup GH-14996 (#15062)


# 82479e89 22-Jul-2024 Ilija Tovilo

Throw error for recursive comparison, instead of fatal (#14989)

I don't understand the rationale of fatal erroring here. It seems this should
properly unprotect the compared elements when returning up the stack.

Related to GH-14980



# 1fbb6665 17-Jul-2024 Arnaud Le Blanc

Use zend_std_build_properties() to access zend_object.properties

The zend_object.properties HashTable needs to be built just in time by calling
rebuild_object_properties() on the object before accessing it. Normally this is
done automatically in zend_std_get_properties(), but we do it manually in a few
places.

In this change I introduce an inline variant of zend_std_build_properties(), and
refactor these places to use it instead of calling rebuild_object_properties()
manually.

rebuild_object_properties() renamed as rebuild_object_properties_internal(), to
enforce usage of zend_std_get_properties() or zend_std_build_properties_ex().

Closes GH-14996



# fdbe910b 16-Jul-2024 Ilija Tovilo

Fix indirect readonly error messages (#14979)

$obj->ro[] = 42;, passByRef($obj->ro); and the like should emit an indirect
modification error message. This message already existed but was used
inconsistently.



# 8c312ba7 16-Jul-2024 Ilija Tovilo

Fix use-after-free in property coercion with __toString()

This was only partially fixed in PHP-8.3. Backports and fixes the case for both
initialized and uninitialized property writes.

Fixes GH-14969
Closes GH-14971



# 7e022ea0 16-Jul-2024 Ilija Tovilo

Avoid duplicate code in zend_std_write_property() (#14966)


# 913157f7 15-Jul-2024 Ilija Tovilo

Extract obtaining of fake scope into function (#14960)


# 780a8280 14-Jul-2024 Ilija Tovilo

[RFC] Property hooks (#13455)

RFC: https://wiki.php.net/rfc/property-hooks

Co-authored-by: Nikita Popov <nikita.ppv@gmail.com>


# cdb7677b 04-Jun-2024 Gina Peter Banyard

Fix bug GH-14456: Attempting to initialize class with private constructor calls destructor

Closes GH-14469


# c461b600 24-May-2024 Levi Morrison

refactor: change `zend_is_true` to return `bool` (#14301)

Previously this returned `int`. Many functions actually take advantage
of the fact this returns exactly 0 or 1. For instance,
`main/streams/xp_socket.c` does:

    sockopts |= STREAM_SOCKOP_IPV6_V6ONLY_ENABLED * zend_is_true(tmpzval);

And `Zend/zend_compile.c` does:

    child = &ast->child[2 - zend_is_true(zend_ast_get_zval(ast->child[0]))];

I changed a few places trivially from `int` to `bool`, but there are
still many places such as the object handlers which return `int` that
should eventually be `bool`.



# f47b7f1c 18-Mar-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Cleanup name handling in magic methods (#13733)

The copy was introduced in bc59289b7, and later changed in 57527455eb,
to prevent indirect modifications of magic method arguments.
This is no longer necessary because we no longer deal with zvals, but
with strings directly that the VM has retrieved either as a constant, or
via zval_try_get_tmp_string().



# 87edeed3 13-Jan-2024 Michael Voříšek

Remove UNEXPECTED from typed prop checks

Closes GH-13143


# 8a392edd 02-Sep-2023 George Peter Banyard

Fix OSS Fuzz #61865: Undef variable in ++/-- for declared property that is unset in error handler

Reorder when we assign the property value to NULL which is identical to
a3a3964497922bcd74282685218d90acea69c296

Just for the declared property case instead of dynamic.

Closes GH-12114


