Fix use-after-free of object released in hook

Fixes GH-16040
Closes GH-16058

Fix ReflectionProperty::isInitialized() for hooked props

In zend_std_has_property with ZEND_PROPERTY_EXISTS, we'd just return true when
no get hook was present. However, this function is

Fix ReflectionProperty::isInitialized() for hooked props

In zend_std_has_property with ZEND_PROPERTY_EXISTS, we'd just return true when
no get hook was present. However, this function is supposed to return false for
uninitialized properties. PROPERTY_EXISTS is somewhat of a misnomer. Virtual
properties continue to always return true, given there's no backing value to
check.

Fixes GH-15694
Closes GH-15822

show more ...

Remove redundant 'zobj->ce->__isset' check (#15699)

This became unnecessary due to the addition of lazy objects that added
the goto when '!zobj->ce->__isset' above.

Lazy objects

RFC: https://wiki.php.net/rfc/lazy-objects

Closes GH-15019

Fix asymmetric visibility with set hook

Fixes GH-15644
Closes GH-15645

[RFC] Asymmetric visibility v2 (GH-15063)

Co-authored-by: Larry Garfield <larry@garfieldtech.com>

Zend/zend_object_handlers.c: Remove unused include

Disallow indirect modification on readonly properties within __clone() (#15012)

Indirect modification isn't allowed in __construct() because it allows
references to leak, so it doesn't m

Disallow indirect modification on readonly properties within __clone() (#15012)

Indirect modification isn't allowed in __construct() because it allows
references to leak, so it doesn't make much sense to allow it in __clone().

show more ...

Followup GH-14996 (#15062)

Throw error for recursive comparison, instead of fatal (#14989)

I don't understand the rationale of fatal erroring here. It seems this should
properly unprotect the compared elements whe

Throw error for recursive comparison, instead of fatal (#14989)

I don't understand the rationale of fatal erroring here. It seems this should
properly unprotect the compared elements when returning up the stack.

Related to GH-14980

show more ...

Use zend_std_build_properties() to access zend_object.properties

The zend_object.properties HashTable needs to be built just in time by calling
rebuild_object_properties() on the object

Use zend_std_build_properties() to access zend_object.properties

The zend_object.properties HashTable needs to be built just in time by calling
rebuild_object_properties() on the object before accessing it. Normally this is
done automatically in zend_std_get_properties(), but we do it manually in a few
places.

In this change I introduce an inline variant of zend_std_build_properties(), and
refactor these places to use it instead of calling rebuild_object_properties()
manually.

rebuild_object_properties() renamed as rebuild_object_properties_internal(), to
enforce usage of zend_std_get_properties() or zend_std_build_properties_ex().

Closes GH-14996

show more ...

Fix indirect readonly error messages (#14979)

$obj->ro[] = 42;, passByRef($obj->ro); and the likes should emit an indirect
modification error message. This message already existed but wa

Fix indirect readonly error messages (#14979)

$obj->ro[] = 42;, passByRef($obj->ro); and the likes should emit an indirect
modification error message. This message already existed but was used
inconsistently.

show more ...

Fix use-after-free in property coercion with __toString()

This was only partially fixed in PHP-8.3. Backports and fixes the case for both
initialized and uninitialized property writes.

Fix use-after-free in property coercion with __toString()

This was only partially fixed in PHP-8.3. Backports and fixes the case for both
initialized and uninitialized property writes.

Fixes GH-14969
Closes GH-14971

show more ...

Avoid duplicate code in zend_std_write_property() (#14966)

Extract obtaining of fake scope into function (#14960)

[RFC] Property hooks (#13455)

RFC: https://wiki.php.net/rfc/property-hooks

Co-authored-by: Nikita Popov <nikita.ppv@gmail.com>

Fix bug GH-14456: Attempting to initialize class with private constructor calls destructor

Closes GH-14469

refactor: change `zend_is_true` to return `bool` (#14301)

Previously this returned `int`. Many functions actually take advantage
of the fact this returns exactly 0 or 1. For instance,

refactor: change `zend_is_true` to return `bool` (#14301)

Previously this returned `int`. Many functions actually take advantage
of the fact this returns exactly 0 or 1. For instance,
`main/streams/xp_socket.c` does:

sockopts |= STREAM_SOCKOP_IPV6_V6ONLY_ENABLED * zend_is_true(tmpzval);

And `Zend/zend_compile.c` does:

child = &ast->child[2 - zend_is_true(zend_ast_get_zval(ast->child[0]))];

I changed a few places trivially from `int` to `bool`, but there are
still many places such as the object handlers which return `int` that
should eventually be `bool`.

show more ...

Cleanup name handling in magic methods (#13733)

The copy was introduced in bc59289b7, and later changed in 57527455eb,
to prevent indirect modifications of magic method arguments.
Th

Cleanup name handling in magic methods (#13733)

The copy was introduced in bc59289b7, and later changed in 57527455eb,
to prevent indirect modifications of magic method arguments.
This is no longer necessary because we no longer deal with zvals, but
with string directly that the VM has retrieved either as a constant, or
via zval_try_get_tmp_string().

show more ...

Remove UNEXPECTED from typed prop checks

Closes GH-13143

Fix OSS Fuzz #61865: Undef variable in ++/-- for declared property that is unset in error handler

Reorder when we assign the property value to NULL which is identical to
a3a3964497922bcd

Fix OSS Fuzz #61865: Undef variable in ++/-- for declared property that is unset in error handler

Reorder when we assign the property value to NULL which is identical to
a3a3964497922bcd74282685218d90acea69c296

Just for the declared property case instead of dynamic.

Closes GH-12114

show more ...

Tweak behaviour of dynamic properties wrt error handlers

With the fix in https://github.com/php/php-src/pull/12114, the behaviour
would change for non-dynamic properties. Align the behav

Tweak behaviour of dynamic properties wrt error handlers

With the fix in https://github.com/php/php-src/pull/12114, the behaviour
would change for non-dynamic properties. Align the behaviour for dynamic
properties to be the same.

Closes GH-12117.

show more ...

Fix oss-fuzz #61712: assertion failure with error handler during binary op

Because the error handler is invoked after the property is updated,
the error handler has the opportunity to re

Fix oss-fuzz #61712: assertion failure with error handler during binary op

Because the error handler is invoked after the property is updated,
the error handler has the opportunity to remove it before the property
is returned.

Switching the order around fixes this issue. The comments mention that
the current ordering prevents overwriting the EG(std_property_info)
field in the error handler. EG(std_property_info) no longer exists as it
was removed in 7471c217. Back then a global was used to store the
returned property info, but as this is no longer the case there is no
longer a need to protect against overwriting a global.

Closes GH-12062.

show more ...

Introduce Zend guard recursion protection

This PR introduces a new way of recursion protection in JSON, var_dump
and friends. It fixes issue in master for __debugInfo and also improves

Introduce Zend guard recursion protection

This PR introduces a new way of recursion protection in JSON, var_dump
and friends. It fixes issue in master for __debugInfo and also improves
perf for jsonSerializable in some cases. More info can be found in
GH-10020.

Closes GH-11812

show more ...

Revert "Call cast_object handler from get_properties_for"

This reverts commit 4182813ebffe0570e3741debd7da543df3517d0d.