-

Author: nicolas-grekas

Zend/zend_API.c

@@ -1744,7 +1744,7 @@ ZEND_API void object_properties_load(zend_object *object, const HashTable *prope
 				zval *slot = OBJ_PROP(object, property_info->offset);
 				if (UNEXPECTED((property_info->flags & ZEND_ACC_READONLY) && !Z_ISUNDEF_P(slot))) {
 					if (Z_PROP_FLAG_P(slot) & IS_PROP_REINITABLE) {
-						Z_PROP_FLAG_P(slot) &= ~IS_PROP_REINITABLE;
+						Z_PROP_FLAG_P(slot) &= ~(IS_PROP_REINITABLE | IS_PROP_CTOR_REINITABLE);
 					} else {
 						zend_readonly_property_modification_error(property_info);
 						return;

Zend/zend_execute.c

@@ -1074,7 +1074,7 @@ static zend_never_inline zval* zend_assign_to_typed_prop(const zend_property_inf
 
 	if (UNEXPECTED(info->flags & (ZEND_ACC_READONLY|ZEND_ACC_PPP_SET_MASK))) {
 		if ((info->flags & ZEND_ACC_READONLY)
-		 && (!zend_readonly_property_is_reinitable(property_val)
+		 && (!zend_readonly_property_is_reinitable_for_context(property_val, info)
 		     || zend_is_foreign_cpp_overwrite(property_val, info))) {
 			zend_readonly_property_modification_error(info);
 			return &EG(uninitialized_zval);
@@ -1093,7 +1093,7 @@ static zend_never_inline zval* zend_assign_to_typed_prop(const zend_property_inf
 		return &EG(uninitialized_zval);
 	}
 
-	Z_PROP_FLAG_P(property_val) &= ~IS_PROP_REINITABLE;
+	Z_PROP_FLAG_P(property_val) &= ~(IS_PROP_REINITABLE | IS_PROP_CTOR_REINITABLE);
 
 	return zend_assign_to_variable_ex(property_val, &tmp, IS_TMP_VAR, EX_USES_STRICT_TYPES(), garbage_ptr);
 }
@@ -5930,14 +5930,14 @@ static zend_never_inline void zend_ctor_clear_promoted_readonly_reinitable_slow(
 			 && zend_has_more_derived_promoted_override(obj->ce, ctor_scope, prop_info->name)) {
 				continue;
 			}
-			Z_PROP_FLAG_P(OBJ_PROP(obj, prop_info->offset)) &= ~IS_PROP_REINITABLE;
+			Z_PROP_FLAG_P(OBJ_PROP(obj, prop_info->offset)) &= ~(IS_PROP_REINITABLE | IS_PROP_CTOR_REINITABLE);
 		}
 	} ZEND_HASH_FOREACH_END();
 }
 
 /* Clear IS_PROP_REINITABLE from all promoted readonly properties of the exiting
  * constructor's scope. Called for both 'new Foo()' and 'parent::__construct()'. */
-static zend_always_inline void zend_ctor_clear_promoted_readonly_reinitable(zend_execute_data *ex, uint32_t call_info)
+ZEND_API void ZEND_FASTCALL zend_ctor_clear_promoted_readonly_reinitable(zend_execute_data *ex, uint32_t call_info)
 {
 	if ((call_info & ZEND_CALL_HAS_THIS)
 	 && (ex->func->common.fn_flags & ZEND_ACC_CTOR)

Zend/zend_execute.h

@@ -623,6 +623,48 @@ static zend_always_inline bool zend_has_active_derived_ctor_with_promoted_proper
 	return false;
 }
 
+static zend_always_inline bool zend_has_active_ctor_with_promoted_property(
+	const zend_execute_data *ex, zend_object *obj, zend_string *property_name)
+{
+	for (const zend_execute_data *frame = ex; frame != NULL; frame = frame->prev_execute_data) {
+		if (!(ZEND_CALL_INFO(frame) & ZEND_CALL_HAS_THIS)
+		 || !(frame->func->common.fn_flags & ZEND_ACC_CTOR)
+		 || Z_OBJ(frame->This) != obj) {
+			continue;
+		}
+
+		zend_class_entry *scope = frame->func->common.scope;
+		if (scope == NULL) {
+			continue;
+		}
+
+		zend_property_info *scope_prop = (zend_property_info *) zend_hash_find_ptr(
+			&scope->properties_info, property_name);
+		if (scope_prop != NULL
+		 && (scope_prop->flags & (ZEND_ACC_READONLY | ZEND_ACC_PROMOTED))
+			== (ZEND_ACC_READONLY | ZEND_ACC_PROMOTED)) {
+			return true;
+		}
+	}
+
+	return false;
+}
+
+static zend_always_inline bool zend_readonly_property_is_reinitable_for_context(
+	const zval *property_val, const zend_property_info *prop_info)
+{
+	if (!(Z_PROP_FLAG_P(property_val) & IS_PROP_REINITABLE)) {
+		return false;
+	}
+	if (!(Z_PROP_FLAG_P(property_val) & IS_PROP_CTOR_REINITABLE)) {
+		return true;
+	}
+	zend_execute_data *ex = EG(current_execute_data);
+	return ex
+		&& (ZEND_CALL_INFO(ex) & ZEND_CALL_HAS_THIS)
+		&& zend_has_active_ctor_with_promoted_property(ex, Z_OBJ(ex->This), prop_info->name);
+}
+
 /* Check if a foreign constructor is attempting a CPP initial assignment on an
  * already-initialized property owned by a different class (e.g., child has CPP
  * for $x, parent's CPP also tries to set $x on the child's object). */
@@ -655,6 +697,7 @@ ZEND_COLD void zend_verify_class_constant_type_error(const zend_class_constant *
 ZEND_API bool zend_verify_property_type(const zend_property_info *info, zval *property, bool strict);
 ZEND_COLD void zend_verify_property_type_error(const zend_property_info *info, const zval *property);
 ZEND_COLD void zend_magic_get_property_type_inconsistency_error(const zend_property_info *info, const zval *property);
+ZEND_API void ZEND_FASTCALL zend_ctor_clear_promoted_readonly_reinitable(zend_execute_data *ex, uint32_t call_info);
 
 #define ZEND_REF_ADD_TYPE_SOURCE(ref, source) \
 	zend_ref_add_type_source(&ZEND_REF_TYPE_SOURCES(ref), source)

Zend/zend_object_handlers.c

@@ -1068,7 +1068,7 @@ ZEND_API zval *zend_std_write_property(zend_object *zobj, zend_string *name, zva
 			if (error) {
 				if ((prop_info->flags & ZEND_ACC_READONLY)
 				 && Z_TYPE_P(variable_ptr) != IS_UNDEF
-				 && (!zend_readonly_property_is_reinitable(variable_ptr)
+				 && (!zend_readonly_property_is_reinitable_for_context(variable_ptr, prop_info)
 				     || zend_is_foreign_cpp_overwrite(variable_ptr, prop_info))) {
 					zend_readonly_property_modification_error(prop_info);
 					variable_ptr = &EG(error_zval);
@@ -1135,9 +1135,9 @@ ZEND_API zval *zend_std_write_property(zend_object *zobj, zend_string *name, zva
 					}
 				}
 				if (reinitable) {
-					Z_PROP_FLAG_P(variable_ptr) = IS_PROP_REINITABLE;
+					Z_PROP_FLAG_P(variable_ptr) = IS_PROP_REINITABLE | IS_PROP_CTOR_REINITABLE;
 				} else {
-					Z_PROP_FLAG_P(variable_ptr) &= ~(IS_PROP_UNINIT|IS_PROP_REINITABLE);
+					Z_PROP_FLAG_P(variable_ptr) &= ~(IS_PROP_UNINIT|IS_PROP_REINITABLE|IS_PROP_CTOR_REINITABLE);
 				}
 				value = &tmp;
 			}
@@ -1556,7 +1556,7 @@ ZEND_API void zend_std_unset_property(zend_object *zobj, zend_string *name, void
 			if (error) {
 				if ((prop_info->flags & ZEND_ACC_READONLY)
 				 && Z_TYPE_P(slot) != IS_UNDEF
-				 && !(Z_PROP_FLAG_P(slot) & IS_PROP_REINITABLE)) {
+				 && !zend_readonly_property_is_reinitable_for_context(slot, prop_info)) {
 					zend_readonly_property_unset_error(prop_info->ce, name);
 					return;
 				}

Zend/zend_objects.c

@@ -208,7 +208,8 @@ ZEND_API void ZEND_FASTCALL zend_objects_clone_members(zend_object *new_object,
 			ZVAL_COPY_VALUE_PROP(dst, src);
 			zval_add_ref(dst);
 			if (has_clone_method) {
-				/* Unconditionally add the IS_PROP_REINITABLE flag to avoid a potential cache miss of property_info */
+				/* Clone opens its own reinitability window; stale ctor-only state must not leak into it. */
+				Z_PROP_FLAG_P(dst) &= ~IS_PROP_CTOR_REINITABLE;
 				Z_PROP_FLAG_P(dst) |= IS_PROP_REINITABLE;
 			}
 
@@ -257,7 +258,8 @@ ZEND_API void ZEND_FASTCALL zend_objects_clone_members(zend_object *new_object,
 				zval_add_ref(&new_prop);
 			}
 			if (has_clone_method) {
-				/* Unconditionally add the IS_PROP_REINITABLE flag to avoid a potential cache miss of property_info */
+				/* Clone opens its own reinitability window; stale ctor-only state must not leak into it. */
+				Z_PROP_FLAG_P(&new_prop) &= ~IS_PROP_CTOR_REINITABLE;
 				Z_PROP_FLAG_P(&new_prop) |= IS_PROP_REINITABLE;
 			}
 			if (EXPECTED(key)) {
@@ -274,8 +276,8 @@ ZEND_API void ZEND_FASTCALL zend_objects_clone_members(zend_object *new_object,
 		if (ZEND_CLASS_HAS_READONLY_PROPS(new_object->ce)) {
 			for (uint32_t i = 0; i < new_object->ce->default_properties_count; i++) {
 				zval* prop = OBJ_PROP_NUM(new_object, i);
-				/* Unconditionally remove the IS_PROP_REINITABLE flag to avoid a potential cache miss of property_info */
-				Z_PROP_FLAG_P(prop) &= ~IS_PROP_REINITABLE;
+				/* Close both clone-opened and any stale ctor-opened reinitability state. */
+				Z_PROP_FLAG_P(prop) &= ~(IS_PROP_REINITABLE | IS_PROP_CTOR_REINITABLE);
 			}
 		}
 	}
@@ -290,6 +292,7 @@ ZEND_API zend_object *zend_objects_clone_obj_with(zend_object *old_object, const
 		if (ZEND_CLASS_HAS_READONLY_PROPS(new_object->ce)) {
 			for (uint32_t i = 0; i < new_object->ce->default_properties_count; i++) {
 				zval* prop = OBJ_PROP_NUM(new_object, i);
+				Z_PROP_FLAG_P(prop) &= ~IS_PROP_CTOR_REINITABLE;
 				Z_PROP_FLAG_P(prop) |= IS_PROP_REINITABLE;
 			}
 		}

Zend/zend_types.h

@@ -1594,6 +1594,7 @@ static zend_always_inline uint32_t zval_delref_p(zval* pz) {
 #define IS_PROP_UNINIT (1<<0)
 #define IS_PROP_REINITABLE (1<<1)  /* It has impact only on readonly properties */
 #define IS_PROP_LAZY (1<<2)
+#define IS_PROP_CTOR_REINITABLE (1<<3)
 #define Z_PROP_FLAG_P(z) Z_EXTRA_P(z)
 #define ZVAL_COPY_VALUE_PROP(z, v) \
 	do { *(z) = *(v); } while (0)

ext/opcache/jit/zend_jit_helpers.c

@@ -2807,7 +2807,7 @@ static zend_always_inline bool verify_readonly_and_avis(zval *property_val, zend
 {
 	if (UNEXPECTED(info->flags & (ZEND_ACC_READONLY|ZEND_ACC_PPP_SET_MASK))) {
 		if ((info->flags & ZEND_ACC_READONLY)
-		 && (!zend_readonly_property_is_reinitable(property_val)
+		 && (!zend_readonly_property_is_reinitable_for_context(property_val, info)
 		     || zend_is_foreign_cpp_overwrite(property_val, info))) {
 			zend_readonly_property_modification_error(info);
 			return false;
@@ -2852,7 +2852,7 @@ static void ZEND_FASTCALL zend_jit_assign_to_typed_prop(zval *property_val, zend
 		return;
 	}
 
-	Z_PROP_FLAG_P(property_val) &= ~IS_PROP_REINITABLE;
+	Z_PROP_FLAG_P(property_val) &= ~(IS_PROP_REINITABLE | IS_PROP_CTOR_REINITABLE);
 
 	value = zend_assign_to_variable_ex(property_val, &tmp, IS_TMP_VAR, EX_USES_STRICT_TYPES(), &garbage);
 	if (result) {
@@ -2909,7 +2909,7 @@ static void ZEND_FASTCALL zend_jit_assign_op_to_typed_prop(zval *zptr, zend_prop
 
 	binary_op(&z_copy, zptr, value);
 	if (EXPECTED(zend_verify_property_type(prop_info, &z_copy, EX_USES_STRICT_TYPES()))) {
-		Z_PROP_FLAG_P(zptr) &= ~IS_PROP_REINITABLE;
+		Z_PROP_FLAG_P(zptr) &= ~(IS_PROP_REINITABLE | IS_PROP_CTOR_REINITABLE);
 		zval_ptr_dtor(zptr);
 		ZVAL_COPY_VALUE(zptr, &z_copy);
 	} else {
@@ -3006,13 +3006,13 @@ static void ZEND_FASTCALL zend_jit_inc_typed_prop(zval *var_ptr, zend_property_i
 			zend_long val = _zend_jit_throw_inc_prop_error(prop_info);
 			ZVAL_LONG(var_ptr, val);
 		} else {
-			Z_PROP_FLAG_P(var_ptr) &= ~IS_PROP_REINITABLE;
+			Z_PROP_FLAG_P(var_ptr) &= ~(IS_PROP_REINITABLE | IS_PROP_CTOR_REINITABLE);
 		}
 	} else if (UNEXPECTED(!zend_verify_property_type(prop_info, var_ptr, EX_USES_STRICT_TYPES()))) {
 		zval_ptr_dtor(var_ptr);
 		ZVAL_COPY_VALUE(var_ptr, &tmp);
 	} else {
-		Z_PROP_FLAG_P(var_ptr) &= ~IS_PROP_REINITABLE;
+		Z_PROP_FLAG_P(var_ptr) &= ~(IS_PROP_REINITABLE | IS_PROP_CTOR_REINITABLE);
 		zval_ptr_dtor(&tmp);
 	}
 }
@@ -3038,13 +3038,13 @@ static void ZEND_FASTCALL zend_jit_dec_typed_prop(zval *var_ptr, zend_property_i
 			zend_long val = _zend_jit_throw_dec_prop_error(prop_info);
 			ZVAL_LONG(var_ptr, val);
 		} else {
-			Z_PROP_FLAG_P(var_ptr) &= ~IS_PROP_REINITABLE;
+			Z_PROP_FLAG_P(var_ptr) &= ~(IS_PROP_REINITABLE | IS_PROP_CTOR_REINITABLE);
 		}
 	} else if (UNEXPECTED(!zend_verify_property_type(prop_info, var_ptr, EX_USES_STRICT_TYPES()))) {
 		zval_ptr_dtor(var_ptr);
 		ZVAL_COPY_VALUE(var_ptr, &tmp);
 	} else {
-		Z_PROP_FLAG_P(var_ptr) &= ~IS_PROP_REINITABLE;
+		Z_PROP_FLAG_P(var_ptr) &= ~(IS_PROP_REINITABLE | IS_PROP_CTOR_REINITABLE);
 		zval_ptr_dtor(&tmp);
 	}
 }
@@ -3086,14 +3086,14 @@ static void ZEND_FASTCALL zend_jit_post_inc_typed_prop(zval *var_ptr, zend_prope
 			zend_long val = _zend_jit_throw_inc_prop_error(prop_info);
 			ZVAL_LONG(var_ptr, val);
 		} else {
-			Z_PROP_FLAG_P(var_ptr) &= ~IS_PROP_REINITABLE;
+			Z_PROP_FLAG_P(var_ptr) &= ~(IS_PROP_REINITABLE | IS_PROP_CTOR_REINITABLE);
 		}
 	} else if (UNEXPECTED(!zend_verify_property_type(prop_info, var_ptr, EX_USES_STRICT_TYPES()))) {
 		zval_ptr_dtor(var_ptr);
 		ZVAL_COPY_VALUE(var_ptr, result);
 		ZVAL_UNDEF(result);
 	} else {
-		Z_PROP_FLAG_P(var_ptr) &= ~IS_PROP_REINITABLE;
+		Z_PROP_FLAG_P(var_ptr) &= ~(IS_PROP_REINITABLE | IS_PROP_CTOR_REINITABLE);
 	}
 }
 
@@ -3120,14 +3120,14 @@ static void ZEND_FASTCALL zend_jit_post_dec_typed_prop(zval *var_ptr, zend_prope
 			zend_long val = _zend_jit_throw_dec_prop_error(prop_info);
 			ZVAL_LONG(var_ptr, val);
 		} else {
-			Z_PROP_FLAG_P(var_ptr) &= ~IS_PROP_REINITABLE;
+			Z_PROP_FLAG_P(var_ptr) &= ~(IS_PROP_REINITABLE | IS_PROP_CTOR_REINITABLE);
 		}
 	} else if (UNEXPECTED(!zend_verify_property_type(prop_info, var_ptr, EX_USES_STRICT_TYPES()))) {
 		zval_ptr_dtor(var_ptr);
 		ZVAL_COPY_VALUE(var_ptr, result);
 		ZVAL_UNDEF(result);
 	} else {
-		Z_PROP_FLAG_P(var_ptr) &= ~IS_PROP_REINITABLE;
+		Z_PROP_FLAG_P(var_ptr) &= ~(IS_PROP_REINITABLE | IS_PROP_CTOR_REINITABLE);
 	}
 }
 

ext/opcache/jit/zend_jit_vm_helpers.c

@@ -58,6 +58,7 @@ ZEND_OPCODE_HANDLER_RET ZEND_OPCODE_HANDLER_CCONV zend_jit_leave_func_helper_tai
 		}
 
 		zend_vm_stack_free_extra_args_ex(call_info, execute_data);
+		zend_ctor_clear_promoted_readonly_reinitable(execute_data, call_info);
 		if (UNEXPECTED(call_info & ZEND_CALL_RELEASE_THIS)) {
 			OBJ_RELEASE(Z_OBJ(execute_data->This));
 		} else if (UNEXPECTED(call_info & ZEND_CALL_CLOSURE)) {
@@ -109,6 +110,7 @@ ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_jit_leave_nested_func_helper(ZEND_OPC
 	}
 
 	zend_vm_stack_free_extra_args_ex(call_info, execute_data);
+	zend_ctor_clear_promoted_readonly_reinitable(execute_data, call_info);
 	if (UNEXPECTED(call_info & ZEND_CALL_RELEASE_THIS)) {
 		OBJ_RELEASE(Z_OBJ(execute_data->This));
 	} else if (UNEXPECTED(call_info & ZEND_CALL_CLOSURE)) {
@@ -151,6 +153,7 @@ ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_jit_leave_top_func_helper(ZEND_OPCODE
 		}
 		zend_vm_stack_free_extra_args_ex(call_info, execute_data);
 	}
+	zend_ctor_clear_promoted_readonly_reinitable(execute_data, call_info);
 	if (UNEXPECTED(call_info & ZEND_CALL_HAS_EXTRA_NAMED_PARAMS)) {
 		zend_free_extra_named_params(EX(extra_named_params));
 	}