Fix assertion failure in zend_std_read_property

arnaud-lb · arnaud-lb · commit 3d3b22ddf249 · 2024-10-30T12:02:52.000+01:00
We asserted that Z_PROP_FLAG_P(retval) was exactly IS_PROP_UNINIT, but this is a bit field and it may contain irrelevant bits. For instance it may contain IS_PROP_REINITABLE during clone, or IS_PROP_LAZY if the object is lazy. Fixes phpGH-16615 Closes phpGH-16639
diff --git a/NEWS b/NEWS
@@ -7,6 +7,7 @@ PHP                                                                        NEWS
     (nielsdos)
   . Fixed bug GH-16577 (EG(strtod_state).freelist leaks with opcache.preload).
     (nielsdos)
+  . Fixed bug GH-16615 (Assertion failure in zend_std_read_property). (Arnaud)
 
 - DOM:
   . Fixed bug GH-16594 (Assertion failure in DOM -> before). (nielsdos)
diff --git a/Zend/tests/gh16615_001.phpt b/Zend/tests/gh16615_001.phpt
@@ -0,0 +1,23 @@
+--TEST--
+GH-16615 001 (Assertion failure in zend_std_read_property)
+--FILE--
+<?php
+
+class Foo {
+    public string $bar {
+        set => $value;
+    }
+}
+
+$reflector = new ReflectionClass(Foo::class);
+
+// Adds IS_PROP_LAZY to prop flags
+$foo = $reflector->newLazyGhost(function ($ghost) {
+    $ghost->bar = 'bar';
+});
+
+echo $foo->bar;
+
+?>
+--EXPECT--
+bar
diff --git a/Zend/tests/gh16615_002.phpt b/Zend/tests/gh16615_002.phpt
@@ -0,0 +1,24 @@
+--TEST--
+GH-16615 002 (Assertion failure in zend_std_read_property)
+--FILE--
+<?php
+
+class Foo {
+    public string $bar {
+        set => $value;
+    }
+    public function __clone() {
+        try {
+            echo $this->bar;
+        } catch (Error $e) {
+            printf("%s: %s\n", $e::class, $e->getMessage());
+        }
+    }
+}
+
+// Adds IS_PROP_REINITABLE to prop flags
+clone new Foo();
+
+?>
+--EXPECT--
+Error: Typed property Foo::$bar must not be accessed before initialization
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
@@ -791,7 +791,7 @@ ZEND_API zval *zend_std_read_property(zend_object *zobj, zend_string *name, int
 			if (UNEXPECTED(Z_TYPE_P(retval) == IS_UNDEF)) {
 				/* As hooked properties can't be unset, the only way to end up with an undef
 				 * value is via an uninitialized property. */
-				ZEND_ASSERT(Z_PROP_FLAG_P(retval) == IS_PROP_UNINIT);
+				ZEND_ASSERT(Z_PROP_FLAG_P(retval) & IS_PROP_UNINIT);
 				goto uninit_error;
 			}
 

Original file line number	Diff line number	Diff line change
`@@ -791,7 +791,7 @@ ZEND_API zval zend_std_read_property(zend_object zobj, zend_string *name, int`
`791`	`791`	`if (UNEXPECTED(Z_TYPE_P(retval) == IS_UNDEF)) {`
`792`	`792`	`/* As hooked properties can't be unset, the only way to end up with an undef`
`793`	`793`	`* value is via an uninitialized property. */`
`794`		`- ZEND_ASSERT(Z_PROP_FLAG_P(retval) == IS_PROP_UNINIT);`
	`794`	`+ ZEND_ASSERT(Z_PROP_FLAG_P(retval) & IS_PROP_UNINIT);`
`795`	`795`	`goto uninit_error;`
`796`	`796`	`}`
`797`	`797`