Writing to an uninitialized lazy proxy will initialize the underlying
object and then call zend_std_write_property() on it. If this happens
inside a hook, zend_std_write_property() should not call the hook again
but directly write to the property slot. This didn't previously work
because zend_should_call_hook() would compare the parent frame
containing the proxy to the underlying object. This is now handled
explicitly.
Fixes GH-18000
Closes GH-18001
zend_std_write_property() can return the variable pointer, but the code
was using a local variable, and so a pointer to a local variable could
be returned. Fix this by using the value pointer instead of the backup
value was written.
This can be more efficient on master by using the safe_assign helper.
Closes GH-17947.
This regressed in GH-17592.
The function is with its attributes HashTable* is copied in
zend_get_closure_invoke_method() but its refcount is not increased.
This caused a crash in the Symfony demo page.
Closes GH-17880.
* Fix `#[\Deprecated]` for `__call()` and `__callStatic()`
Fixesphp/php-src#17597.
* Do not duplicate the `attributes` table in `zend_get_call_trampoline_func()`
We asserted that Z_PROP_FLAG_P(retval) was exactly IS_PROP_UNINIT, but this is a
bit field and it may contain irrelevant bits. For instance it may contain
IS_PROP_REINITABLE during clone, or IS_PROP_LAZY if the object is lazy.
Fixes GH-16615
Closes GH-16639
In the test, I have an internal `__call` function for `_ZendTestMagicCallForward` that calls the global function with name `$name` via `call_user_function`.
Note that observer writes the pointer to the previously observed frame in the last temporary of the new call frame (`*prev_observed_frame`).
The following happens:
First, we call `$test->callee`, this will be handled via a trampoline with T=2 for the two arguments. The call frame is allocated at this point. This call frame is not observed because it has `ZEND_ACC_CALL_VIA_TRAMPOLINE` set. Next we use `ZEND_CALL_TRAMPOLINE` to call the trampoline, this reuses the stack frame allocated earlier with T=2, but this time it is observed. The pointer to the previous frame is written outside of the call frame because `T` is too small (should be 3). We are now in the internal function `_ZendTestMagicCallForward::__call` where we call the global function `callee`. This will push a new call frame which will overlap `*prev_observed_frame`. This value gets overwritten by `zend_init_func_execute_data` when `EX(opline)` is set because `*prev_observed_frame` overlaps with `EX(opline)`. From now on, `*prev_observed_frame` is corrupted. When `zend_observer_fcall_end` is called this will result in reading wrong value `*prev_observed_frame` into `current_observed_frame`. This causes issues in `zend_observer_fcall_end_all` leading to the segfault we observe.
Despite function with `ZEND_ACC_CALL_VIA_TRAMPOLINE` not being observed, the reuse of call frames makes problems when `T` is not large enough.
To fix this, we make sure to add 1 to `T` if `ZEND_OBSERVER_ENABLED` is true.
Closes GH-16252.
In zend_std_has_property with ZEND_PROPERTY_EXISTS, we'd just return true when
no get hook was present. However, this function is supposed to return false for
uninitialized properties. PROPERTY_EXISTS is somewhat of a misnomer. Virtual
properties continue to always return true, given there's no backing value to
check.
Fixes GH-15694
Closes GH-15822
I don't understand the rationale of fatal erroring here. It seems this should
properly unprotect the compared elements when returning up the stack.
Related to GH-14980
The zend_object.properties HashTable needs to be built just in time by calling
rebuild_object_properties() on the object before accessing it. Normally this is
done automatically in zend_std_get_properties(), but we do it manually in a few
places.
In this change I introduce an inline variant of zend_std_build_properties(), and
refactor these places to use it instead of calling rebuild_object_properties()
manually.
rebuild_object_properties() renamed as rebuild_object_properties_internal(), to
enforce usage of zend_std_get_properties() or zend_std_build_properties_ex().
Closes GH-14996
$obj->ro[] = 42;, passByRef($obj->ro); and the likes should emit an indirect
modification error message. This message already existed but was used
inconsistently.
This was only partially fixed in PHP-8.3. Backports and fixes the case for both
initialized and uninitialized property writes.
Fixes GH-14969
Closes GH-14971
Previously this returned `int`. Many functions actually take advantage
of the fact this returns exactly 0 or 1. For instance,
`main/streams/xp_socket.c` does:
sockopts |= STREAM_SOCKOP_IPV6_V6ONLY_ENABLED * zend_is_true(tmpzval);
And `Zend/zend_compile.c` does:
child = &ast->child[2 - zend_is_true(zend_ast_get_zval(ast->child[0]))];
I changed a few places trivially from `int` to `bool`, but there are
still many places such as the object handlers which return `int` that
should eventually be `bool`.
The copy was introduced in bc59289b7, and later changed in 57527455eb,
to prevent indirect modifications of magic method arguments.
This is no longer necessary because we no longer deal with zvals, but
with string directly that the VM has retrieved either as a constant, or
via zval_try_get_tmp_string().
Reorder when we assign the property value to NULL which is identical to
a3a3964497
Just for the declared property case instead of dynamic.
Closes GH-12114
With the fix in https://github.com/php/php-src/pull/12114, the behaviour
would change for non-dynamic properties. Align the behaviour for dynamic
properties to be the same.
Closes GH-12117.
Because the error handler is invoked after the property is updated,
the error handler has the opportunity to remove it before the property
is returned.
Switching the order around fixes this issue. The comments mention that
the current ordering prevents overwriting the EG(std_property_info)
field in the error handler. EG(std_property_info) no longer exists as it
was removed in 7471c217. Back then a global was used to store the
returned property info, but as this is no longer the case there is no
longer a need to protect against overwriting a global.
Closes GH-12062.
This PR introduces a new way of recursion protection in JSON, var_dump
and friends. It fixes issue in master for __debugInfo and also improves
perf for jsonSerializable in some cases. More info can be found in
GH-10020.
Closes GH-11812
