zend_save_lexical_state() can be nested multiple times, for example for
the parser initialization and then in the heredoc lexing. The input
should not be freed if we restore to the same filtered string.
Closes GH-16716.
The zend_hash_update_ind() variant unwraps indirects, rather than creating them.
Don't use _zend_hash_append_ind() because the property might already exist.
Fixes GH-16725
Closes GH-16805
zend_is_callable_ex() can unfortunately emit a deprecation, and then
a user error handler can throw an exception. This causes an assert
failure at ZEND_VM_NEXT_OPCODE(). We fix this by checking if there's an
exception after zend_is_callable_ex().
Closes GH-16803.
We asserted that Z_PROP_FLAG_P(retval) was exactly IS_PROP_UNINIT, but this is a
bit field and it may contain irrelevant bits. For instance it may contain
IS_PROP_REINITABLE during clone, or IS_PROP_LAZY if the object is lazy.
Fixes GH-16615
Closes GH-16639
If a lazy object is created for a class whose constants can not be updated, then
we have created an instance of a non-instantiable class. This breaks the
expectations of clone.
Here I ensure that a class has its constants updated before creating a lazy
instance of it.
Fixes OSS-Fuzz #71407
Closes GH-15856
This check was forgotten in the original implementation. Relaxing this
restriction shouldn't be hard, but needs some work. We either need to prevent
merging of cache slots for R/RW/W, or we need to introduce an additional check
when writing to the property indirectly. This check is currently present only
for direct writes.
Closes GH-16462
zend_hash_get_current_key() does not return a string with incremented
refcount, so it shouldn't get released. This release caused a UAF later
when the attribute was destroyed. This wasn't noticed earlier because
object_init_with_constructor() was only ever tested with interned
strings.
Closes GH-16349.
Supporting object reset while its properties are being iterated would increase
complexity for little benefit. Furthermore it may not be possible to ensure a
consistent behavior between ghosts and proxies (wrt to iteration position).
Iteration is detected by checking if the object's properties ht has iterators.
This requires refactoring the hooked get_iterator() implementation to ensure
that it creates a properties ht iterator immediately.
Closes GH-15960
Adding a stack check here as I consider serialization to be a more
sensitive place where erroring out with an exception seems appropriate.
Closes GH-16159.
