Fix GH-21478: Forward property operations to real instance for initialized lazy proxies

Author: iliaal

Zend/tests/lazy_objects/gh18038-002.phpt

@@ -34,5 +34,4 @@ var_dump($obj->prop);
 --EXPECT--
 init
 string(19) "RealInstance::__set"
-string(12) "Proxy::__set"
 int(2)

Zend/tests/lazy_objects/gh18038-004.phpt

@@ -36,7 +36,6 @@ var_dump($real->prop);
 --EXPECTF--
 init
 string(19) "RealInstance::__get"
-string(12) "Proxy::__get"
 
 Warning: Undefined property: RealInstance::$prop in %s on line %d
 NULL

Zend/tests/lazy_objects/gh18038-007.phpt

@@ -36,6 +36,5 @@ var_dump(isset($real->prop['']));
 --EXPECT--
 init
 string(21) "RealInstance::__isset"
-string(14) "Proxy::__isset"
 bool(false)
 bool(false)

Zend/tests/lazy_objects/gh18038-009.phpt

@@ -36,6 +36,5 @@ var_dump(isset($real->prop));
 --EXPECT--
 init
 string(21) "RealInstance::__isset"
-string(14) "Proxy::__isset"
 bool(false)
 bool(false)

Zend/tests/lazy_objects/gh21478-isset.phpt

@@ -0,0 +1,30 @@
+--TEST--
+GH-21478: __isset on lazy proxy should not double-invoke when real instance guard is set
+--FILE--
+<?php
+
+class Foo {
+    public $_;
+
+    public function __isset($name) {
+        global $proxy;
+        printf("__isset(\$%s) on %s\n", $name, $this::class);
+        return isset($proxy->{$name});
+    }
+}
+
+class Bar extends Foo {}
+
+$rc = new ReflectionClass(Bar::class);
+$proxy = $rc->newLazyProxy(function () {
+    echo "Init\n";
+    return new Foo();
+});
+
+$real = $rc->initializeLazyObject($proxy);
+isset($real->x);
+
+?>
+--EXPECT--
+Init
+__isset($x) on Foo

Zend/tests/lazy_objects/gh21478-proxy-get-override.phpt

@@ -0,0 +1,30 @@
+--TEST--
+GH-21478: Proxy's own __get runs when accessed directly (not from real instance)
+--FILE--
+<?php
+
+class Foo {
+    private $_;
+
+    public function __get($name) {
+        echo __CLASS__, " ", $name, "\n";
+    }
+}
+
+class Bar extends Foo {
+    public function __get($name) {
+        echo __CLASS__, " ", $name, "\n";
+    }
+}
+
+$rc = new ReflectionClass(Bar::class);
+$proxy = $rc->newLazyProxy(function () {
+    return new Foo();
+});
+$rc->initializeLazyObject($proxy);
+
+$proxy->x;
+
+?>
+--EXPECT--
+Bar x

Zend/tests/lazy_objects/gh21478-set.phpt

@@ -0,0 +1,32 @@
+--TEST--
+GH-21478: __set on lazy proxy should not double-invoke when real instance guard is set
+--FILE--
+<?php
+
+#[AllowDynamicProperties]
+class Foo {
+    public $_;
+
+    public function __set($name, $value) {
+        global $proxy;
+        printf("__set(\$%s) on %s\n", $name, $this::class);
+        $proxy->{$name} = $value;
+    }
+}
+
+#[AllowDynamicProperties]
+class Bar extends Foo {}
+
+$rc = new ReflectionClass(Bar::class);
+$proxy = $rc->newLazyProxy(function () {
+    echo "Init\n";
+    return new Foo();
+});
+
+$real = $rc->initializeLazyObject($proxy);
+$real->x = 1;
+
+?>
+--EXPECT--
+Init
+__set($x) on Foo

Zend/tests/lazy_objects/gh21478-unset.phpt

@@ -0,0 +1,30 @@
+--TEST--
+GH-21478: __unset on lazy proxy should not double-invoke when real instance guard is set
+--FILE--
+<?php
+
+class Foo {
+    public $_;
+
+    public function __unset($name) {
+        global $proxy;
+        printf("__unset(\$%s) on %s\n", $name, $this::class);
+        unset($proxy->{$name});
+    }
+}
+
+class Bar extends Foo {}
+
+$rc = new ReflectionClass(Bar::class);
+$proxy = $rc->newLazyProxy(function () {
+    echo "Init\n";
+    return new Foo();
+});
+
+$real = $rc->initializeLazyObject($proxy);
+unset($real->x);
+
+?>
+--EXPECT--
+Init
+__unset($x) on Foo

Zend/tests/lazy_objects/gh21478.phpt

@@ -0,0 +1,32 @@
+--TEST--
+GH-21478 (Property access on lazy proxy may invoke magic method despite real instance guards)
+--FILE--
+<?php
+
+class Foo {
+    public $_;
+
+    public function __get($name) {
+        global $proxy;
+        printf("__get(\$%s) on %s\n", $name, $this::class);
+        return $proxy->{$name};
+    }
+}
+
+class Bar extends Foo {}
+
+$rc = new ReflectionClass(Bar::class);
+$proxy = $rc->newLazyProxy(function () {
+    echo "Init\n";
+    return new Foo();
+});
+
+$real = $rc->initializeLazyObject($proxy);
+$real->x;
+
+?>
+--EXPECTF--
+Init
+__get($x) on Foo
+
+Warning: Undefined property: Foo::$x in %s on line %d

Zend/zend_object_handlers.c

@@ -886,6 +886,23 @@ ZEND_API zval *zend_std_read_property(zend_object *zobj, zend_string *name, int
 
 	retval = &EG(uninitialized_zval);
 
+	/* For initialized lazy proxies: if the real instance's magic method
+	 * guard is already set for this property, we are inside a recursive
+	 * call from the real instance's __get/__isset. Forward directly to
+	 * the real instance to avoid double invocation. (GH-21478) */
+	if (UNEXPECTED(zend_object_is_lazy_proxy(zobj)
+			&& zend_lazy_object_initialized(zobj))) {
+		zend_object *instance = zend_lazy_object_get_instance(zobj);
+		if (instance->ce->ce_flags & ZEND_ACC_USE_GUARDS) {
+			uint32_t *instance_guard = zend_get_property_guard(instance, name);
+			uint32_t guard_type = ((type == BP_VAR_IS) && zobj->ce->__isset)
+				? IN_ISSET : IN_GET;
+			if ((*instance_guard) & guard_type) {
+				return zend_std_read_property(instance, name, type, cache_slot, rv);
+			}
+		}
+	}
+
 	/* magic isset */
 	if ((type == BP_VAR_IS) && zobj->ce->__isset) {
 		zval tmp_result;
@@ -1203,6 +1220,20 @@ found:;
 		goto exit;
 	}
 
+	/* For initialized lazy proxies: if the real instance's __set guard
+	 * is already set, we are inside a recursive call from the real
+	 * instance's __set. Forward directly to avoid double invocation. */
+	if (UNEXPECTED(zend_object_is_lazy_proxy(zobj)
+			&& zend_lazy_object_initialized(zobj))) {
+		zend_object *instance = zend_lazy_object_get_instance(zobj);
+		if (instance->ce->ce_flags & ZEND_ACC_USE_GUARDS) {
+			uint32_t *instance_guard = zend_get_property_guard(instance, name);
+			if ((*instance_guard) & IN_SET) {
+				return zend_std_write_property(instance, name, value, cache_slot);
+			}
+		}
+	}
+
 	/* magic set */
 	if (zobj->ce->__set) {
 		if (!guard) {
@@ -1595,6 +1626,21 @@ ZEND_API void zend_std_unset_property(zend_object *zobj, zend_string *name, void
 		return;
 	}
 
+	/* For initialized lazy proxies: if the real instance's __unset guard
+	 * is already set, we are inside a recursive call from the real
+	 * instance's __unset. Forward directly to avoid double invocation. */
+	if (UNEXPECTED(zend_object_is_lazy_proxy(zobj)
+			&& zend_lazy_object_initialized(zobj))) {
+		zend_object *instance = zend_lazy_object_get_instance(zobj);
+		if (instance->ce->ce_flags & ZEND_ACC_USE_GUARDS) {
+			uint32_t *instance_guard = zend_get_property_guard(instance, name);
+			if ((*instance_guard) & IN_UNSET) {
+				zend_std_unset_property(instance, name, cache_slot);
+				return;
+			}
+		}
+	}
+
 	/* magic unset */
 	if (zobj->ce->__unset) {
 		if (!guard) {
@@ -2412,6 +2458,20 @@ ZEND_API int zend_std_has_property(zend_object *zobj, zend_string *name, int has
 		goto exit;
 	}
 
+	/* For initialized lazy proxies: if the real instance's __isset guard
+	 * is already set, we are inside a recursive call from the real
+	 * instance's __isset. Forward directly to avoid double invocation. */
+	if (UNEXPECTED(zend_object_is_lazy_proxy(zobj)
+			&& zend_lazy_object_initialized(zobj))) {
+		zend_object *instance = zend_lazy_object_get_instance(zobj);
+		if (instance->ce->ce_flags & ZEND_ACC_USE_GUARDS) {
+			uint32_t *instance_guard = zend_get_property_guard(instance, name);
+			if ((*instance_guard) & IN_ISSET) {
+				return zend_std_has_property(instance, name, has_set_exists, cache_slot);
+			}
+		}
+	}
+
 	if (!zobj->ce->__isset) {
 		goto lazy_init;
 	}