1 /*
2    +----------------------------------------------------------------------+
3    | Zend Engine                                                          |
4    +----------------------------------------------------------------------+
5    | Copyright (c) Zend Technologies Ltd. (http://www.zend.com)           |
6    +----------------------------------------------------------------------+
7    | This source file is subject to version 2.00 of the Zend license,     |
8    | that is bundled with this package in the file LICENSE, and is        |
9    | available through the world-wide-web at the following url:           |
10    | http://www.zend.com/license/2_00.txt.                                |
11    | If you did not receive a copy of the Zend license and are unable to  |
12    | obtain it through the world-wide-web, please send a note to          |
13    | license@zend.com so we can mail you a copy immediately.              |
14    +----------------------------------------------------------------------+
15    | Authors: Andi Gutmans <andi@php.net>                                 |
16    |          Zeev Suraski <zeev@php.net>                                 |
17    |          Dmitry Stogov <dmitry@php.net>                              |
18    +----------------------------------------------------------------------+
19 */
20 
21 #include "zend.h"
22 #include "zend_globals.h"
23 #include "zend_variables.h"
24 #include "zend_API.h"
25 #include "zend_objects.h"
26 #include "zend_objects_API.h"
27 #include "zend_object_handlers.h"
28 #include "zend_interfaces.h"
29 #include "zend_exceptions.h"
30 #include "zend_closures.h"
31 #include "zend_compile.h"
32 #include "zend_hash.h"
33 
34 #define DEBUG_OBJECT_HANDLERS 0
35 
36 #define ZEND_WRONG_PROPERTY_OFFSET   0
37 
38 /* guard flags */
39 #define IN_GET		(1<<0)
40 #define IN_SET		(1<<1)
41 #define IN_UNSET	(1<<2)
42 #define IN_ISSET	(1<<3)
43 
44 /*
45   __X accessors explanation:
46 
47   if we have __get and property that is not part of the properties array is
48   requested, we call __get handler. If it fails, we return uninitialized.
49 
50   if we have __set and property that is not part of the properties array is
51   set, we call __set handler. If it fails, we do not change the array.
52 
53   for both handlers above, when we are inside __get/__set, no further calls for
54   __get/__set for this property of this object will be made, to prevent endless
55   recursion and enable accessors to change properties array.
56 
57   if we have __call and method which is not part of the class function table is
58   called, we cal __call handler.
59 */
60 
rebuild_object_properties(zend_object *zobj)61 ZEND_API void rebuild_object_properties(zend_object *zobj) /* {{{ */
62 {
63 	if (!zobj->properties) {
64 		zend_property_info *prop_info;
65 		zend_class_entry *ce = zobj->ce;
66 		uint32_t flags = 0;
67 
68 		zobj->properties = zend_new_array(ce->default_properties_count);
69 		if (ce->default_properties_count) {
70 			zend_hash_real_init_mixed(zobj->properties);
71 			ZEND_HASH_FOREACH_PTR(&ce->properties_info, prop_info) {
72 				if (!(prop_info->flags & ZEND_ACC_STATIC)) {
73 					flags |= prop_info->flags;
74 
75 					if (UNEXPECTED(Z_TYPE_P(OBJ_PROP(zobj, prop_info->offset)) == IS_UNDEF)) {
76 						HT_FLAGS(zobj->properties) |= HASH_FLAG_HAS_EMPTY_IND;
77 					}
78 
79 					_zend_hash_append_ind(zobj->properties, prop_info->name,
80 						OBJ_PROP(zobj, prop_info->offset));
81 				}
82 			} ZEND_HASH_FOREACH_END();
83 			if (flags & ZEND_ACC_CHANGED) {
84 				while (ce->parent && ce->parent->default_properties_count) {
85 					ce = ce->parent;
86 					ZEND_HASH_FOREACH_PTR(&ce->properties_info, prop_info) {
87 						if (prop_info->ce == ce &&
88 						    !(prop_info->flags & ZEND_ACC_STATIC) &&
89 						    (prop_info->flags & ZEND_ACC_PRIVATE)) {
90 							zval zv;
91 
92 							if (UNEXPECTED(Z_TYPE_P(OBJ_PROP(zobj, prop_info->offset)) == IS_UNDEF)) {
93 								HT_FLAGS(zobj->properties) |= HASH_FLAG_HAS_EMPTY_IND;
94 							}
95 
96 							ZVAL_INDIRECT(&zv, OBJ_PROP(zobj, prop_info->offset));
97 							zend_hash_add(zobj->properties, prop_info->name, &zv);
98 						}
99 					} ZEND_HASH_FOREACH_END();
100 				}
101 			}
102 		}
103 	}
104 }
105 /* }}} */
106 
zend_std_get_properties(zval *object)107 ZEND_API HashTable *zend_std_get_properties(zval *object) /* {{{ */
108 {
109 	zend_object *zobj;
110 	zobj = Z_OBJ_P(object);
111 	if (!zobj->properties) {
112 		rebuild_object_properties(zobj);
113 	}
114 	return zobj->properties;
115 }
116 /* }}} */
117 
zend_std_get_gc(zval *object, zval **table, int *n)118 ZEND_API HashTable *zend_std_get_gc(zval *object, zval **table, int *n) /* {{{ */
119 {
120 	if (Z_OBJ_HANDLER_P(object, get_properties) != zend_std_get_properties) {
121 		*table = NULL;
122 		*n = 0;
123 		return Z_OBJ_HANDLER_P(object, get_properties)(object);
124 	} else {
125 		zend_object *zobj = Z_OBJ_P(object);
126 
127 		if (zobj->properties) {
128 			*table = NULL;
129 			*n = 0;
130 			if (UNEXPECTED(GC_REFCOUNT(zobj->properties) > 1)
131 			 && EXPECTED(!(GC_FLAGS(zobj->properties) & IS_ARRAY_IMMUTABLE))) {
132 				GC_DELREF(zobj->properties);
133 				zobj->properties = zend_array_dup(zobj->properties);
134 			}
135 			return zobj->properties;
136 		} else {
137 			*table = zobj->properties_table;
138 			*n = zobj->ce->default_properties_count;
139 			return NULL;
140 		}
141 	}
142 }
143 /* }}} */
144 
zend_std_get_debug_info(zval *object, int *is_temp)145 ZEND_API HashTable *zend_std_get_debug_info(zval *object, int *is_temp) /* {{{ */
146 {
147 	zend_class_entry *ce = Z_OBJCE_P(object);
148 	zval retval;
149 	HashTable *ht;
150 
151 	if (!ce->__debugInfo) {
152 		*is_temp = 0;
153 		return Z_OBJ_HANDLER_P(object, get_properties)(object);
154 	}
155 
156 	zend_call_method_with_0_params(object, ce, &ce->__debugInfo, ZEND_DEBUGINFO_FUNC_NAME, &retval);
157 	if (Z_TYPE(retval) == IS_ARRAY) {
158 		if (!Z_REFCOUNTED(retval)) {
159 			*is_temp = 1;
160 			return zend_array_dup(Z_ARRVAL(retval));
161 		} else if (Z_REFCOUNT(retval) <= 1) {
162 			*is_temp = 1;
163 			ht = Z_ARR(retval);
164 			return ht;
165 		} else {
166 			*is_temp = 0;
167 			zval_ptr_dtor(&retval);
168 			return Z_ARRVAL(retval);
169 		}
170 	} else if (Z_TYPE(retval) == IS_NULL) {
171 		*is_temp = 1;
172 		ht = zend_new_array(0);
173 		return ht;
174 	}
175 
176 	zend_error_noreturn(E_ERROR, ZEND_DEBUGINFO_FUNC_NAME "() must return an array");
177 
178 	return NULL; /* Compilers are dumb and don't understand that noreturn means that the function does NOT need a return value... */
179 }
180 /* }}} */
181 
zend_std_call_getter(zend_object *zobj, zend_string *prop_name, zval *retval)182 static void zend_std_call_getter(zend_object *zobj, zend_string *prop_name, zval *retval) /* {{{ */
183 {
184 	zend_class_entry *ce = zobj->ce;
185 	zend_class_entry *orig_fake_scope = EG(fake_scope);
186 	zend_fcall_info fci;
187 	zend_fcall_info_cache fcic;
188 	zval member;
189 
190 	EG(fake_scope) = NULL;
191 
192 	/* __get handler is called with one argument:
193 	      property name
194 
195 	   it should return whether the call was successful or not
196 	*/
197 
198 	ZVAL_STR(&member, prop_name);
199 
200 	fci.size = sizeof(fci);
201 	fci.object = zobj;
202 	fci.retval = retval;
203 	fci.param_count = 1;
204 	fci.params = &member;
205 	fci.no_separation = 1;
206 	ZVAL_UNDEF(&fci.function_name); /* Unused */
207 
208 	fcic.function_handler = ce->__get;
209 	fcic.called_scope = ce;
210 	fcic.object = zobj;
211 
212 	zend_call_function(&fci, &fcic);
213 
214 	EG(fake_scope) = orig_fake_scope;
215 }
216 /* }}} */
217 
zend_std_call_setter(zend_object *zobj, zend_string *prop_name, zval *value)218 static void zend_std_call_setter(zend_object *zobj, zend_string *prop_name, zval *value) /* {{{ */
219 {
220 	zend_class_entry *ce = zobj->ce;
221 	zend_class_entry *orig_fake_scope = EG(fake_scope);
222 	zend_fcall_info fci;
223 	zend_fcall_info_cache fcic;
224 	zval args[2], ret;
225 
226 	EG(fake_scope) = NULL;
227 
228 	/* __set handler is called with two arguments:
229 	     property name
230 	     value to be set
231 	*/
232 
233 	ZVAL_STR(&args[0], prop_name);
234 	ZVAL_COPY_VALUE(&args[1], value);
235 	ZVAL_UNDEF(&ret);
236 
237 	fci.size = sizeof(fci);
238 	fci.object = zobj;
239 	fci.retval = &ret;
240 	fci.param_count = 2;
241 	fci.params = args;
242 	fci.no_separation = 1;
243 	ZVAL_UNDEF(&fci.function_name); /* Unused */
244 
245 	fcic.function_handler = ce->__set;
246 	fcic.called_scope = ce;
247 	fcic.object = zobj;
248 
249 	zend_call_function(&fci, &fcic);
250 	zval_ptr_dtor(&ret);
251 
252 	EG(fake_scope) = orig_fake_scope;
253 }
254 /* }}} */
255 
zend_std_call_unsetter(zend_object *zobj, zend_string *prop_name)256 static void zend_std_call_unsetter(zend_object *zobj, zend_string *prop_name) /* {{{ */
257 {
258 	zend_class_entry *ce = zobj->ce;
259 	zend_class_entry *orig_fake_scope = EG(fake_scope);
260 	zend_fcall_info fci;
261 	zend_fcall_info_cache fcic;
262 	zval ret, member;
263 
264 	EG(fake_scope) = NULL;
265 
266 	/* __unset handler is called with one argument:
267 	      property name
268 	*/
269 
270 	ZVAL_STR(&member, prop_name);
271 	ZVAL_UNDEF(&ret);
272 
273 	fci.size = sizeof(fci);
274 	fci.object = zobj;
275 	fci.retval = &ret;
276 	fci.param_count = 1;
277 	fci.params = &member;
278 	fci.no_separation = 1;
279 	ZVAL_UNDEF(&fci.function_name); /* Unused */
280 
281 	fcic.function_handler = ce->__unset;
282 	fcic.called_scope = ce;
283 	fcic.object = zobj;
284 
285 	zend_call_function(&fci, &fcic);
286 	zval_ptr_dtor(&ret);
287 
288 	EG(fake_scope) = orig_fake_scope;
289 }
290 /* }}} */
291 
zend_std_call_issetter(zend_object *zobj, zend_string *prop_name, zval *retval)292 static void zend_std_call_issetter(zend_object *zobj, zend_string *prop_name, zval *retval) /* {{{ */
293 {
294 	zend_class_entry *ce = zobj->ce;
295 	zend_class_entry *orig_fake_scope = EG(fake_scope);
296 	zend_fcall_info fci;
297 	zend_fcall_info_cache fcic;
298 	zval member;
299 
300 	EG(fake_scope) = NULL;
301 
302 	/* __isset handler is called with one argument:
303 	      property name
304 
305 	   it should return whether the property is set or not
306 	*/
307 
308 	ZVAL_STR(&member, prop_name);
309 
310 	fci.size = sizeof(fci);
311 	fci.object = zobj;
312 	fci.retval = retval;
313 	fci.param_count = 1;
314 	fci.params = &member;
315 	fci.no_separation = 1;
316 	ZVAL_UNDEF(&fci.function_name); /* Unused */
317 
318 	fcic.function_handler = ce->__isset;
319 	fcic.called_scope = ce;
320 	fcic.object = zobj;
321 
322 	zend_call_function(&fci, &fcic);
323 
324 	EG(fake_scope) = orig_fake_scope;
325 }
326 /* }}} */
327 
328 
is_derived_class(zend_class_entry *child_class, zend_class_entry *parent_class)329 static zend_always_inline zend_bool is_derived_class(zend_class_entry *child_class, zend_class_entry *parent_class) /* {{{ */
330 {
331 	child_class = child_class->parent;
332 	while (child_class) {
333 		if (child_class == parent_class) {
334 			return 1;
335 		}
336 		child_class = child_class->parent;
337 	}
338 
339 	return 0;
340 }
341 /* }}} */
342 
is_protected_compatible_scope(zend_class_entry *ce, zend_class_entry *scope)343 static zend_never_inline int is_protected_compatible_scope(zend_class_entry *ce, zend_class_entry *scope) /* {{{ */
344 {
345 	return scope &&
346 		(is_derived_class(ce, scope) || is_derived_class(scope, ce));
347 }
348 /* }}} */
349 
zend_get_parent_private_property(zend_class_entry *scope, zend_class_entry *ce, zend_string *member)350 static zend_never_inline zend_property_info *zend_get_parent_private_property(zend_class_entry *scope, zend_class_entry *ce, zend_string *member) /* {{{ */
351 {
352 	zval *zv;
353 	zend_property_info *prop_info;
354 
355 	if (scope != ce && scope && is_derived_class(ce, scope)) {
356 		zv = zend_hash_find(&scope->properties_info, member);
357 		if (zv != NULL) {
358 			prop_info = (zend_property_info*)Z_PTR_P(zv);
359 			if ((prop_info->flags & ZEND_ACC_PRIVATE)
360 			 && prop_info->ce == scope) {
361 				return prop_info;
362 			}
363 		}
364 	}
365 	return NULL;
366 }
367 /* }}} */
368 
zend_bad_property_access(zend_property_info *property_info, zend_class_entry *ce, zend_string *member)369 static ZEND_COLD zend_never_inline void zend_bad_property_access(zend_property_info *property_info, zend_class_entry *ce, zend_string *member) /* {{{ */
370 {
371 	zend_throw_error(NULL, "Cannot access %s property %s::$%s", zend_visibility_string(property_info->flags), ZSTR_VAL(ce->name), ZSTR_VAL(member));
372 }
373 /* }}} */
374 
zend_bad_property_name(void)375 static ZEND_COLD zend_never_inline void zend_bad_property_name(void) /* {{{ */
376 {
377 	zend_throw_error(NULL, "Cannot access property started with '\\0'");
378 }
379 /* }}} */
380 
zend_get_property_offset(zend_class_entry *ce, zend_string *member, int silent, void **cache_slot, zend_property_info **info_ptr)381 static zend_always_inline uintptr_t zend_get_property_offset(zend_class_entry *ce, zend_string *member, int silent, void **cache_slot, zend_property_info **info_ptr) /* {{{ */
382 {
383 	zval *zv;
384 	zend_property_info *property_info;
385 	uint32_t flags;
386 	zend_class_entry *scope;
387 	uintptr_t offset;
388 
389 	if (cache_slot && EXPECTED(ce == CACHED_PTR_EX(cache_slot))) {
390 		*info_ptr = CACHED_PTR_EX(cache_slot + 2);
391 		return (uintptr_t)CACHED_PTR_EX(cache_slot + 1);
392 	}
393 
394 	if (UNEXPECTED(zend_hash_num_elements(&ce->properties_info) == 0)
395 	 || UNEXPECTED((zv = zend_hash_find(&ce->properties_info, member)) == NULL)) {
396 		if (UNEXPECTED(ZSTR_VAL(member)[0] == '\0') && ZSTR_LEN(member) != 0) {
397 			if (!silent) {
398 				zend_bad_property_name();
399 			}
400 			return ZEND_WRONG_PROPERTY_OFFSET;
401 		}
402 dynamic:
403 		if (cache_slot) {
404 			CACHE_POLYMORPHIC_PTR_EX(cache_slot, ce, (void*)ZEND_DYNAMIC_PROPERTY_OFFSET);
405 			CACHE_PTR_EX(cache_slot + 2, NULL);
406 		}
407 		return ZEND_DYNAMIC_PROPERTY_OFFSET;
408 	}
409 
410 	property_info = (zend_property_info*)Z_PTR_P(zv);
411 	flags = property_info->flags;
412 
413 	if (flags & (ZEND_ACC_CHANGED|ZEND_ACC_PRIVATE|ZEND_ACC_PROTECTED)) {
414 		if (UNEXPECTED(EG(fake_scope))) {
415 			scope = EG(fake_scope);
416 		} else {
417 			scope = zend_get_executed_scope();
418 		}
419 
420 		if (property_info->ce != scope) {
421 			if (flags & ZEND_ACC_CHANGED) {
422 				zend_property_info *p = zend_get_parent_private_property(scope, ce, member);
423 
424 				/* If there is a public/protected instance property on ce, don't try to use a
425 				 * private static property on scope. If both are static, prefer the static
426 				 * property on scope. This will throw a static property notice, rather than
427 				 * a visibility error. */
428 				if (p && (!(p->flags & ZEND_ACC_STATIC) || (flags & ZEND_ACC_STATIC))) {
429 					property_info = p;
430 					flags = property_info->flags;
431 					goto found;
432 				} else if (flags & ZEND_ACC_PUBLIC) {
433 					goto found;
434 				}
435 			}
436 			if (flags & ZEND_ACC_PRIVATE) {
437 				if (property_info->ce != ce) {
438 					goto dynamic;
439 				} else {
440 wrong:
441 					/* Information was available, but we were denied access.  Error out. */
442 					if (!silent) {
443 						zend_bad_property_access(property_info, ce, member);
444 					}
445 					return ZEND_WRONG_PROPERTY_OFFSET;
446 				}
447 			} else {
448 				ZEND_ASSERT(flags & ZEND_ACC_PROTECTED);
449 				if (UNEXPECTED(!is_protected_compatible_scope(property_info->ce, scope))) {
450 					goto wrong;
451 				}
452 			}
453 		}
454 	}
455 
456 found:
457 	if (UNEXPECTED(flags & ZEND_ACC_STATIC)) {
458 		if (!silent) {
459 			zend_error(E_NOTICE, "Accessing static property %s::$%s as non static", ZSTR_VAL(ce->name), ZSTR_VAL(member));
460 		}
461 		return ZEND_DYNAMIC_PROPERTY_OFFSET;
462 	}
463 
464 	offset = property_info->offset;
465 	if (EXPECTED(!property_info->type)) {
466 		property_info = NULL;
467 	} else {
468 		*info_ptr = property_info;
469 	}
470 	if (cache_slot) {
471 		CACHE_POLYMORPHIC_PTR_EX(cache_slot, ce, (void*)(uintptr_t)offset);
472 		CACHE_PTR_EX(cache_slot + 2, property_info);
473 	}
474 	return offset;
475 }
476 /* }}} */
477 
zend_wrong_offset(zend_class_entry *ce, zend_string *member)478 static ZEND_COLD void zend_wrong_offset(zend_class_entry *ce, zend_string *member) /* {{{ */
479 {
480 	zend_property_info *dummy;
481 
482 	/* Trigger the correct error */
483 	zend_get_property_offset(ce, member, 0, NULL, &dummy);
484 }
485 /* }}} */
486 
zend_get_property_info(zend_class_entry *ce, zend_string *member, int silent)487 ZEND_API zend_property_info *zend_get_property_info(zend_class_entry *ce, zend_string *member, int silent) /* {{{ */
488 {
489 	zval *zv;
490 	zend_property_info *property_info;
491 	uint32_t flags;
492 	zend_class_entry *scope;
493 
494 	if (UNEXPECTED(zend_hash_num_elements(&ce->properties_info) == 0)
495 	 || EXPECTED((zv = zend_hash_find(&ce->properties_info, member)) == NULL)) {
496 		if (UNEXPECTED(ZSTR_VAL(member)[0] == '\0') && ZSTR_LEN(member) != 0) {
497 			if (!silent) {
498 				zend_bad_property_name();
499 			}
500 			return ZEND_WRONG_PROPERTY_INFO;
501 		}
502 dynamic:
503 		return NULL;
504 	}
505 
506 	property_info = (zend_property_info*)Z_PTR_P(zv);
507 	flags = property_info->flags;
508 
509 	if (flags & (ZEND_ACC_CHANGED|ZEND_ACC_PRIVATE|ZEND_ACC_PROTECTED)) {
510 		if (UNEXPECTED(EG(fake_scope))) {
511 			scope = EG(fake_scope);
512 		} else {
513 			scope = zend_get_executed_scope();
514 		}
515 		if (property_info->ce != scope) {
516 			if (flags & ZEND_ACC_CHANGED) {
517 				zend_property_info *p = zend_get_parent_private_property(scope, ce, member);
518 
519 				if (p) {
520 					property_info = p;
521 					flags = property_info->flags;
522 					goto found;
523 				} else if (flags & ZEND_ACC_PUBLIC) {
524 					goto found;
525 				}
526 			}
527 			if (flags & ZEND_ACC_PRIVATE) {
528 				if (property_info->ce != ce) {
529 					goto dynamic;
530 				} else {
531 wrong:
532 					/* Information was available, but we were denied access.  Error out. */
533 					if (!silent) {
534 						zend_bad_property_access(property_info, ce, member);
535 					}
536 					return ZEND_WRONG_PROPERTY_INFO;
537 				}
538 			} else {
539 				ZEND_ASSERT(flags & ZEND_ACC_PROTECTED);
540 				if (UNEXPECTED(!is_protected_compatible_scope(property_info->ce, scope))) {
541 					goto wrong;
542 				}
543 			}
544 		}
545 	}
546 
547 found:
548 	if (UNEXPECTED(flags & ZEND_ACC_STATIC)) {
549 		if (!silent) {
550 			zend_error(E_NOTICE, "Accessing static property %s::$%s as non static", ZSTR_VAL(ce->name), ZSTR_VAL(member));
551 		}
552 	}
553 	return property_info;
554 }
555 /* }}} */
556 
zend_check_property_access(zend_object *zobj, zend_string *prop_info_name, zend_bool is_dynamic)557 ZEND_API int zend_check_property_access(zend_object *zobj, zend_string *prop_info_name, zend_bool is_dynamic) /* {{{ */
558 {
559 	zend_property_info *property_info;
560 	const char *class_name = NULL;
561 	const char *prop_name;
562 	zend_string *member;
563 	size_t prop_name_len;
564 
565 	if (ZSTR_VAL(prop_info_name)[0] == 0) {
566 		if (is_dynamic) {
567 			return SUCCESS;
568 		}
569 
570 		zend_unmangle_property_name_ex(prop_info_name, &class_name, &prop_name, &prop_name_len);
571 		member = zend_string_init(prop_name, prop_name_len, 0);
572 		property_info = zend_get_property_info(zobj->ce, member, 1);
573 		zend_string_release_ex(member, 0);
574 		if (property_info == NULL || property_info == ZEND_WRONG_PROPERTY_INFO) {
575 			return FAILURE;
576 		}
577 
578 		if (class_name[0] != '*') {
579 			if (!(property_info->flags & ZEND_ACC_PRIVATE)) {
580 				/* we we're looking for a private prop but found a non private one of the same name */
581 				return FAILURE;
582 			} else if (strcmp(ZSTR_VAL(prop_info_name)+1, ZSTR_VAL(property_info->name)+1)) {
583 				/* we we're looking for a private prop but found a private one of the same name but another class */
584 				return FAILURE;
585 			}
586 		} else {
587 			ZEND_ASSERT(property_info->flags & ZEND_ACC_PROTECTED);
588 		}
589 		return SUCCESS;
590 	} else {
591 		property_info = zend_get_property_info(zobj->ce, prop_info_name, 1);
592 		if (property_info == NULL) {
593 			ZEND_ASSERT(is_dynamic);
594 			return SUCCESS;
595 		} else if (property_info == ZEND_WRONG_PROPERTY_INFO) {
596 			return FAILURE;
597 		}
598 		return (property_info->flags & ZEND_ACC_PUBLIC) ? SUCCESS : FAILURE;
599 	}
600 }
601 /* }}} */
602 
zend_property_guard_dtor(zval *el)603 static void zend_property_guard_dtor(zval *el) /* {{{ */ {
604 	uint32_t *ptr = (uint32_t*)Z_PTR_P(el);
605 	if (EXPECTED(!(((zend_uintptr_t)ptr) & 1))) {
606 		efree_size(ptr, sizeof(uint32_t));
607 	}
608 }
609 /* }}} */
610 
zend_get_property_guard(zend_object *zobj, zend_string *member)611 ZEND_API uint32_t *zend_get_property_guard(zend_object *zobj, zend_string *member) /* {{{ */
612 {
613 	HashTable *guards;
614 	zval *zv;
615 	uint32_t *ptr;
616 
617 	ZEND_ASSERT(zobj->ce->ce_flags & ZEND_ACC_USE_GUARDS);
618 	zv = zobj->properties_table + zobj->ce->default_properties_count;
619 	if (EXPECTED(Z_TYPE_P(zv) == IS_STRING)) {
620 		zend_string *str = Z_STR_P(zv);
621 		if (EXPECTED(str == member) ||
622 		     /* "str" always has a pre-calculated hash value here */
623 		    (EXPECTED(ZSTR_H(str) == zend_string_hash_val(member)) &&
624 		     EXPECTED(zend_string_equal_content(str, member)))) {
625 			return &Z_PROPERTY_GUARD_P(zv);
626 		} else if (EXPECTED(Z_PROPERTY_GUARD_P(zv) == 0)) {
627 			zval_ptr_dtor_str(zv);
628 			ZVAL_STR_COPY(zv, member);
629 			return &Z_PROPERTY_GUARD_P(zv);
630 		} else {
631 			ALLOC_HASHTABLE(guards);
632 			zend_hash_init(guards, 8, NULL, zend_property_guard_dtor, 0);
633 			/* mark pointer as "special" using low bit */
634 			zend_hash_add_new_ptr(guards, str,
635 				(void*)(((zend_uintptr_t)&Z_PROPERTY_GUARD_P(zv)) | 1));
636 			zval_ptr_dtor_str(zv);
637 			ZVAL_ARR(zv, guards);
638 		}
639 	} else if (EXPECTED(Z_TYPE_P(zv) == IS_ARRAY)) {
640 		guards = Z_ARRVAL_P(zv);
641 		ZEND_ASSERT(guards != NULL);
642 		zv = zend_hash_find(guards, member);
643 		if (zv != NULL) {
644 			return (uint32_t*)(((zend_uintptr_t)Z_PTR_P(zv)) & ~1);
645 		}
646 	} else {
647 		ZEND_ASSERT(Z_TYPE_P(zv) == IS_UNDEF);
648 		ZVAL_STR_COPY(zv, member);
649 		Z_PROPERTY_GUARD_P(zv) = 0;
650 		return &Z_PROPERTY_GUARD_P(zv);
651 	}
652 	/* we have to allocate uint32_t separately because ht->arData may be reallocated */
653 	ptr = (uint32_t*)emalloc(sizeof(uint32_t));
654 	*ptr = 0;
655 	return (uint32_t*)zend_hash_add_new_ptr(guards, member, ptr);
656 }
657 /* }}} */
658 
zend_std_read_property(zval *object, zval *member, int type, void **cache_slot, zval *rv)659 ZEND_API zval *zend_std_read_property(zval *object, zval *member, int type, void **cache_slot, zval *rv) /* {{{ */
660 {
661 	zend_object *zobj;
662 	zend_string *name, *tmp_name;
663 	zval *retval;
664 	uintptr_t property_offset;
665 	zend_property_info *prop_info = NULL;
666 	uint32_t *guard = NULL;
667 
668 	zobj = Z_OBJ_P(object);
669 	name = zval_try_get_tmp_string(member, &tmp_name);
670 	if (UNEXPECTED(!name)) {
671 		return &EG(uninitialized_zval);
672 	}
673 
674 #if DEBUG_OBJECT_HANDLERS
675 	fprintf(stderr, "Read object #%d property: %s\n", Z_OBJ_HANDLE_P(object), ZSTR_VAL(name));
676 #endif
677 
678 	/* make zend_get_property_info silent if we have getter - we may want to use it */
679 	property_offset = zend_get_property_offset(zobj->ce, name, (type == BP_VAR_IS) || (zobj->ce->__get != NULL), cache_slot, &prop_info);
680 
681 	if (EXPECTED(IS_VALID_PROPERTY_OFFSET(property_offset))) {
682 		retval = OBJ_PROP(zobj, property_offset);
683 		if (EXPECTED(Z_TYPE_P(retval) != IS_UNDEF)) {
684 			goto exit;
685 		}
686 		if (UNEXPECTED(Z_PROP_FLAG_P(retval) == IS_PROP_UNINIT)) {
687 			/* Skip __get() for uninitialized typed properties */
688 			goto uninit_error;
689 		}
690 	} else if (EXPECTED(IS_DYNAMIC_PROPERTY_OFFSET(property_offset))) {
691 		if (EXPECTED(zobj->properties != NULL)) {
692 			if (!IS_UNKNOWN_DYNAMIC_PROPERTY_OFFSET(property_offset)) {
693 				uintptr_t idx = ZEND_DECODE_DYN_PROP_OFFSET(property_offset);
694 
695 				if (EXPECTED(idx < zobj->properties->nNumUsed * sizeof(Bucket))) {
696 					Bucket *p = (Bucket*)((char*)zobj->properties->arData + idx);
697 
698 					if (EXPECTED(Z_TYPE(p->val) != IS_UNDEF) &&
699 				        (EXPECTED(p->key == name) ||
700 				         (EXPECTED(p->h == ZSTR_H(name)) &&
701 				          EXPECTED(p->key != NULL) &&
702 				          EXPECTED(zend_string_equal_content(p->key, name))))) {
703 						retval = &p->val;
704 						goto exit;
705 					}
706 				}
707 				CACHE_PTR_EX(cache_slot + 1, (void*)ZEND_DYNAMIC_PROPERTY_OFFSET);
708 			}
709 			retval = zend_hash_find(zobj->properties, name);
710 			if (EXPECTED(retval)) {
711 				if (cache_slot) {
712 					uintptr_t idx = (char*)retval - (char*)zobj->properties->arData;
713 					CACHE_PTR_EX(cache_slot + 1, (void*)ZEND_ENCODE_DYN_PROP_OFFSET(idx));
714 				}
715 				goto exit;
716 			}
717 		}
718 	} else if (UNEXPECTED(EG(exception))) {
719 		retval = &EG(uninitialized_zval);
720 		goto exit;
721 	}
722 
723 	/* magic isset */
724 	if ((type == BP_VAR_IS) && zobj->ce->__isset) {
725 		zval tmp_result;
726 		guard = zend_get_property_guard(zobj, name);
727 
728 		if (!((*guard) & IN_ISSET)) {
729 			if (!tmp_name && !ZSTR_IS_INTERNED(name)) {
730 				tmp_name = zend_string_copy(name);
731 			}
732 			GC_ADDREF(zobj);
733 			ZVAL_UNDEF(&tmp_result);
734 
735 			*guard |= IN_ISSET;
736 			zend_std_call_issetter(zobj, name, &tmp_result);
737 			*guard &= ~IN_ISSET;
738 
739 			if (!zend_is_true(&tmp_result)) {
740 				retval = &EG(uninitialized_zval);
741 				OBJ_RELEASE(zobj);
742 				zval_ptr_dtor(&tmp_result);
743 				goto exit;
744 			}
745 
746 			zval_ptr_dtor(&tmp_result);
747 			if (zobj->ce->__get && !((*guard) & IN_GET)) {
748 				goto call_getter;
749 			}
750 			OBJ_RELEASE(zobj);
751 		} else if (zobj->ce->__get && !((*guard) & IN_GET)) {
752 			goto call_getter_addref;
753 		}
754 	} else if (zobj->ce->__get) {
755 		/* magic get */
756 		guard = zend_get_property_guard(zobj, name);
757 		if (!((*guard) & IN_GET)) {
758 			/* have getter - try with it! */
759 call_getter_addref:
760 			GC_ADDREF(zobj);
761 call_getter:
762 			*guard |= IN_GET; /* prevent circular getting */
763 			zend_std_call_getter(zobj, name, rv);
764 			*guard &= ~IN_GET;
765 
766 			if (Z_TYPE_P(rv) != IS_UNDEF) {
767 				retval = rv;
768 				if (!Z_ISREF_P(rv) &&
769 				    (type == BP_VAR_W || type == BP_VAR_RW  || type == BP_VAR_UNSET)) {
770 					if (UNEXPECTED(Z_TYPE_P(rv) != IS_OBJECT)) {
771 						zend_error(E_NOTICE, "Indirect modification of overloaded property %s::$%s has no effect", ZSTR_VAL(zobj->ce->name), ZSTR_VAL(name));
772 					}
773 				}
774 			} else {
775 				retval = &EG(uninitialized_zval);
776 			}
777 
778 			if (UNEXPECTED(prop_info)) {
779 				zend_verify_prop_assignable_by_ref(prop_info, retval, (zobj->ce->__get->common.fn_flags & ZEND_ACC_STRICT_TYPES) != 0);
780 			}
781 
782 			OBJ_RELEASE(zobj);
783 			goto exit;
784 		} else if (UNEXPECTED(IS_WRONG_PROPERTY_OFFSET(property_offset))) {
785 			/* Trigger the correct error */
786 			zend_get_property_offset(zobj->ce, name, 0, NULL, &prop_info);
787 			ZEND_ASSERT(EG(exception));
788 			retval = &EG(uninitialized_zval);
789 			goto exit;
790 		}
791 	}
792 
793 uninit_error:
794 	if (type != BP_VAR_IS) {
795 		if (UNEXPECTED(prop_info)) {
796 			zend_throw_error(NULL, "Typed property %s::$%s must not be accessed before initialization",
797 				ZSTR_VAL(prop_info->ce->name),
798 				ZSTR_VAL(name));
799 		} else {
800 			zend_error(E_NOTICE,"Undefined property: %s::$%s", ZSTR_VAL(zobj->ce->name), ZSTR_VAL(name));
801 		}
802 	}
803 	retval = &EG(uninitialized_zval);
804 
805 exit:
806 	zend_tmp_string_release(tmp_name);
807 
808 	return retval;
809 }
810 /* }}} */
811 
property_uses_strict_typesnull812 static zend_always_inline zend_bool property_uses_strict_types() {
813 	zend_execute_data *execute_data = EG(current_execute_data);
814 	return execute_data
815 		&& execute_data->func
816 		&& ZEND_CALL_USES_STRICT_TYPES(EG(current_execute_data));
817 }
818 
zend_std_write_property(zval *object, zval *member, zval *value, void **cache_slot)819 ZEND_API zval *zend_std_write_property(zval *object, zval *member, zval *value, void **cache_slot) /* {{{ */
820 {
821 	zend_object *zobj;
822 	zend_string *name, *tmp_name;
823 	zval *variable_ptr, tmp;
824 	uintptr_t property_offset;
825 	zend_property_info *prop_info = NULL;
826 	ZEND_ASSERT(!Z_ISREF_P(value));
827 
828 	zobj = Z_OBJ_P(object);
829 	name = zval_try_get_tmp_string(member, &tmp_name);
830 	if (UNEXPECTED(!name)) {
831 		return value;
832 	}
833 
834 	property_offset = zend_get_property_offset(zobj->ce, name, (zobj->ce->__set != NULL), cache_slot, &prop_info);
835 
836 	if (EXPECTED(IS_VALID_PROPERTY_OFFSET(property_offset))) {
837 		variable_ptr = OBJ_PROP(zobj, property_offset);
838 		if (Z_TYPE_P(variable_ptr) != IS_UNDEF) {
839 			Z_TRY_ADDREF_P(value);
840 
841 			if (UNEXPECTED(prop_info)) {
842 				ZVAL_COPY_VALUE(&tmp, value);
843 				if (UNEXPECTED(!zend_verify_property_type(prop_info, &tmp, property_uses_strict_types()))) {
844 					Z_TRY_DELREF_P(value);
845 					variable_ptr = &EG(error_zval);
846 					goto exit;
847 				}
848 				value = &tmp;
849 			}
850 
851 found:
852 			zend_assign_to_variable(variable_ptr, value, IS_TMP_VAR, property_uses_strict_types());
853 			goto exit;
854 		}
855 		if (Z_PROP_FLAG_P(variable_ptr) == IS_PROP_UNINIT) {
856 			/* Writes to uninitializde typed properties bypass __set(). */
857 			Z_PROP_FLAG_P(variable_ptr) = 0;
858 			goto write_std_property;
859 		}
860 	} else if (EXPECTED(IS_DYNAMIC_PROPERTY_OFFSET(property_offset))) {
861 		if (EXPECTED(zobj->properties != NULL)) {
862 			if (UNEXPECTED(GC_REFCOUNT(zobj->properties) > 1)) {
863 				if (EXPECTED(!(GC_FLAGS(zobj->properties) & IS_ARRAY_IMMUTABLE))) {
864 					GC_DELREF(zobj->properties);
865 				}
866 				zobj->properties = zend_array_dup(zobj->properties);
867 			}
868 			if ((variable_ptr = zend_hash_find(zobj->properties, name)) != NULL) {
869 				Z_TRY_ADDREF_P(value);
870 				goto found;
871 			}
872 		}
873 	} else if (UNEXPECTED(EG(exception))) {
874 		variable_ptr = &EG(error_zval);
875 		goto exit;
876 	}
877 
878 	/* magic set */
879 	if (zobj->ce->__set) {
880 		uint32_t *guard = zend_get_property_guard(zobj, name);
881 
882 		if (!((*guard) & IN_SET)) {
883 			GC_ADDREF(zobj);
884 			(*guard) |= IN_SET; /* prevent circular setting */
885 			zend_std_call_setter(zobj, name, value);
886 			(*guard) &= ~IN_SET;
887 			OBJ_RELEASE(zobj);
888 			variable_ptr = value;
889 		} else if (EXPECTED(!IS_WRONG_PROPERTY_OFFSET(property_offset))) {
890 			goto write_std_property;
891 		} else {
892 			/* Trigger the correct error */
893 			zend_wrong_offset(zobj->ce, name);
894 			ZEND_ASSERT(EG(exception));
895 			variable_ptr = &EG(error_zval);
896 			goto exit;
897 		}
898 	} else {
899 		ZEND_ASSERT(!IS_WRONG_PROPERTY_OFFSET(property_offset));
900 write_std_property:
901 		Z_TRY_ADDREF_P(value);
902 		if (EXPECTED(IS_VALID_PROPERTY_OFFSET(property_offset))) {
903 
904 			variable_ptr = OBJ_PROP(zobj, property_offset);
905 
906 			if (UNEXPECTED(prop_info)) {
907 				ZVAL_COPY_VALUE(&tmp, value);
908 				if (UNEXPECTED(!zend_verify_property_type(prop_info, &tmp, property_uses_strict_types()))) {
909 					zval_ptr_dtor(value);
910 					goto exit;
911 				}
912 				value = &tmp;
913 				goto found; /* might have been updated via e.g. __toString() */
914 			}
915 
916 			ZVAL_COPY_VALUE(variable_ptr, value);
917 		} else {
918 			if (!zobj->properties) {
919 				rebuild_object_properties(zobj);
920 			}
921 			variable_ptr = zend_hash_add_new(zobj->properties, name, value);
922 		}
923 	}
924 
925 exit:
926 	zend_tmp_string_release(tmp_name);
927 	return variable_ptr;
928 }
929 /* }}} */
930 
zend_bad_array_access(zend_class_entry *ce)931 static ZEND_COLD zend_never_inline void zend_bad_array_access(zend_class_entry *ce) /* {{{ */
932 {
933 	zend_throw_error(NULL, "Cannot use object of type %s as array", ZSTR_VAL(ce->name));
934 }
935 /* }}} */
936 
zend_std_read_dimension(zval *object, zval *offset, int type, zval *rv)937 ZEND_API zval *zend_std_read_dimension(zval *object, zval *offset, int type, zval *rv) /* {{{ */
938 {
939 	zend_class_entry *ce = Z_OBJCE_P(object);
940 	zval tmp_offset, tmp_object;
941 
942 	if (EXPECTED(instanceof_function_ex(ce, zend_ce_arrayaccess, 1) != 0)) {
943 		if (offset == NULL) {
944 			/* [] construct */
945 			ZVAL_NULL(&tmp_offset);
946 		} else {
947 			ZVAL_COPY_DEREF(&tmp_offset, offset);
948 		}
949 
950 		Z_ADDREF_P(object);
951 		ZVAL_OBJ(&tmp_object, Z_OBJ_P(object));
952 		if (type == BP_VAR_IS) {
953 			zend_call_method_with_1_params(&tmp_object, ce, NULL, "offsetexists", rv, &tmp_offset);
954 			if (UNEXPECTED(Z_ISUNDEF_P(rv))) {
955 				zval_ptr_dtor(&tmp_object);
956 				zval_ptr_dtor(&tmp_offset);
957 				return NULL;
958 			}
959 			if (!i_zend_is_true(rv)) {
960 				zval_ptr_dtor(&tmp_object);
961 				zval_ptr_dtor(&tmp_offset);
962 				zval_ptr_dtor(rv);
963 				return &EG(uninitialized_zval);
964 			}
965 			zval_ptr_dtor(rv);
966 		}
967 
968 		zend_call_method_with_1_params(&tmp_object, ce, NULL, "offsetget", rv, &tmp_offset);
969 
970 		zval_ptr_dtor(&tmp_object);
971 		zval_ptr_dtor(&tmp_offset);
972 
973 		if (UNEXPECTED(Z_TYPE_P(rv) == IS_UNDEF)) {
974 			if (UNEXPECTED(!EG(exception))) {
975 				zend_throw_error(NULL, "Undefined offset for object of type %s used as array", ZSTR_VAL(ce->name));
976 			}
977 			return NULL;
978 		}
979 		return rv;
980 	} else {
981 	    zend_bad_array_access(ce);
982 		return NULL;
983 	}
984 }
985 /* }}} */
986 
zend_std_write_dimension(zval *object, zval *offset, zval *value)987 ZEND_API void zend_std_write_dimension(zval *object, zval *offset, zval *value) /* {{{ */
988 {
989 	zend_class_entry *ce = Z_OBJCE_P(object);
990 	zval tmp_offset, tmp_object;
991 
992 	if (EXPECTED(instanceof_function_ex(ce, zend_ce_arrayaccess, 1) != 0)) {
993 		if (!offset) {
994 			ZVAL_NULL(&tmp_offset);
995 		} else {
996 			ZVAL_COPY_DEREF(&tmp_offset, offset);
997 		}
998 		Z_ADDREF_P(object);
999 		ZVAL_OBJ(&tmp_object, Z_OBJ_P(object));
1000 		zend_call_method_with_2_params(&tmp_object, ce, NULL, "offsetset", NULL, &tmp_offset, value);
1001 		zval_ptr_dtor(&tmp_object);
1002 		zval_ptr_dtor(&tmp_offset);
1003 	} else {
1004 	    zend_bad_array_access(ce);
1005 	}
1006 }
1007 /* }}} */
1008 
zend_std_has_dimension(zval *object, zval *offset, int check_empty)1009 ZEND_API int zend_std_has_dimension(zval *object, zval *offset, int check_empty) /* {{{ */
1010 {
1011 	zend_class_entry *ce = Z_OBJCE_P(object);
1012 	zval retval, tmp_offset, tmp_object;
1013 	int result;
1014 
1015 	if (EXPECTED(instanceof_function_ex(ce, zend_ce_arrayaccess, 1) != 0)) {
1016 		ZVAL_COPY_DEREF(&tmp_offset, offset);
1017 		Z_ADDREF_P(object);
1018 		ZVAL_OBJ(&tmp_object, Z_OBJ_P(object));
1019 		zend_call_method_with_1_params(&tmp_object, ce, NULL, "offsetexists", &retval, &tmp_offset);
1020 		result = i_zend_is_true(&retval);
1021 		zval_ptr_dtor(&retval);
1022 		if (check_empty && result && EXPECTED(!EG(exception))) {
1023 			zend_call_method_with_1_params(&tmp_object, ce, NULL, "offsetget", &retval, &tmp_offset);
1024 			result = i_zend_is_true(&retval);
1025 			zval_ptr_dtor(&retval);
1026 		}
1027 		zval_ptr_dtor(&tmp_object);
1028 		zval_ptr_dtor(&tmp_offset);
1029 	} else {
1030 	    zend_bad_array_access(ce);
1031 		return 0;
1032 	}
1033 	return result;
1034 }
1035 /* }}} */
1036 
zend_std_get_property_ptr_ptr(zval *object, zval *member, int type, void **cache_slot)1037 ZEND_API zval *zend_std_get_property_ptr_ptr(zval *object, zval *member, int type, void **cache_slot) /* {{{ */
1038 {
1039 	zend_object *zobj;
1040 	zend_string *name, *tmp_name;
1041 	zval *retval = NULL;
1042 	uintptr_t property_offset;
1043 	zend_property_info *prop_info = NULL;
1044 
1045 	zobj = Z_OBJ_P(object);
1046 	name = zval_try_get_tmp_string(member, &tmp_name);
1047 	if (UNEXPECTED(!name)) {
1048 		return &EG(error_zval);
1049 	}
1050 
1051 #if DEBUG_OBJECT_HANDLERS
1052 	fprintf(stderr, "Ptr object #%d property: %s\n", Z_OBJ_HANDLE_P(object), ZSTR_VAL(name));
1053 #endif
1054 
1055 	property_offset = zend_get_property_offset(zobj->ce, name, (zobj->ce->__get != NULL), cache_slot, &prop_info);
1056 
1057 	if (EXPECTED(IS_VALID_PROPERTY_OFFSET(property_offset))) {
1058 		retval = OBJ_PROP(zobj, property_offset);
1059 		if (UNEXPECTED(Z_TYPE_P(retval) == IS_UNDEF)) {
1060 			if (EXPECTED(!zobj->ce->__get) ||
1061 			    UNEXPECTED((*zend_get_property_guard(zobj, name)) & IN_GET) ||
1062 			    UNEXPECTED(prop_info && Z_PROP_FLAG_P(retval) == IS_PROP_UNINIT)) {
1063 				if (UNEXPECTED(type == BP_VAR_RW || type == BP_VAR_R)) {
1064 					if (UNEXPECTED(prop_info)) {
1065 						zend_throw_error(NULL,
1066 							"Typed property %s::$%s must not be accessed before initialization",
1067 							ZSTR_VAL(prop_info->ce->name),
1068 							ZSTR_VAL(name));
1069 						retval = &EG(error_zval);
1070 					} else {
1071 						ZVAL_NULL(retval);
1072 						zend_error(E_NOTICE, "Undefined property: %s::$%s", ZSTR_VAL(zobj->ce->name), ZSTR_VAL(name));
1073 					}
1074 				}
1075 			} else {
1076 				/* we do have getter - fail and let it try again with usual get/set */
1077 				retval = NULL;
1078 			}
1079 		}
1080 	} else if (EXPECTED(IS_DYNAMIC_PROPERTY_OFFSET(property_offset))) {
1081 		if (EXPECTED(zobj->properties)) {
1082 			if (UNEXPECTED(GC_REFCOUNT(zobj->properties) > 1)) {
1083 				if (EXPECTED(!(GC_FLAGS(zobj->properties) & IS_ARRAY_IMMUTABLE))) {
1084 					GC_DELREF(zobj->properties);
1085 				}
1086 				zobj->properties = zend_array_dup(zobj->properties);
1087 			}
1088 		    if (EXPECTED((retval = zend_hash_find(zobj->properties, name)) != NULL)) {
1089 				zend_tmp_string_release(tmp_name);
1090 				return retval;
1091 		    }
1092 		}
1093 		if (EXPECTED(!zobj->ce->__get) ||
1094 		    UNEXPECTED((*zend_get_property_guard(zobj, name)) & IN_GET)) {
1095 			if (UNEXPECTED(!zobj->properties)) {
1096 				rebuild_object_properties(zobj);
1097 			}
1098 			retval = zend_hash_update(zobj->properties, name, &EG(uninitialized_zval));
1099 			/* Notice is thrown after creation of the property, to avoid EG(std_property_info)
1100 			 * being overwritten in an error handler. */
1101 			if (UNEXPECTED(type == BP_VAR_RW || type == BP_VAR_R)) {
1102 				zend_error(E_NOTICE, "Undefined property: %s::$%s", ZSTR_VAL(zobj->ce->name), ZSTR_VAL(name));
1103 			}
1104 		}
1105 	} else if (zobj->ce->__get == NULL) {
1106 		retval = &EG(error_zval);
1107 	}
1108 
1109 	zend_tmp_string_release(tmp_name);
1110 	return retval;
1111 }
1112 /* }}} */
1113 
zend_std_unset_property(zval *object, zval *member, void **cache_slot)1114 ZEND_API void zend_std_unset_property(zval *object, zval *member, void **cache_slot) /* {{{ */
1115 {
1116 	zend_object *zobj;
1117 	zend_string *name, *tmp_name;
1118 	uintptr_t property_offset;
1119 	zend_property_info *prop_info = NULL;
1120 
1121 	zobj = Z_OBJ_P(object);
1122 	name = zval_try_get_tmp_string(member, &tmp_name);
1123 	if (UNEXPECTED(!name)) {
1124 		return;
1125 	}
1126 
1127 	property_offset = zend_get_property_offset(zobj->ce, name, (zobj->ce->__unset != NULL), cache_slot, &prop_info);
1128 
1129 	if (EXPECTED(IS_VALID_PROPERTY_OFFSET(property_offset))) {
1130 		zval *slot = OBJ_PROP(zobj, property_offset);
1131 
1132 		if (Z_TYPE_P(slot) != IS_UNDEF) {
1133 			if (UNEXPECTED(Z_ISREF_P(slot)) &&
1134 					(ZEND_DEBUG || ZEND_REF_HAS_TYPE_SOURCES(Z_REF_P(slot)))) {
1135 				if (prop_info) {
1136 					ZEND_REF_DEL_TYPE_SOURCE(Z_REF_P(slot), prop_info);
1137 				}
1138 			}
1139 			zval_ptr_dtor(slot);
1140 			ZVAL_UNDEF(slot);
1141 			if (zobj->properties) {
1142 				HT_FLAGS(zobj->properties) |= HASH_FLAG_HAS_EMPTY_IND;
1143 			}
1144 			goto exit;
1145 		}
1146 		if (UNEXPECTED(Z_PROP_FLAG_P(slot) == IS_PROP_UNINIT)) {
1147 			/* Reset the IS_PROP_UNINIT flag, if it exists and bypass __unset(). */
1148 			Z_PROP_FLAG_P(slot) = 0;
1149 			goto exit;
1150 		}
1151 	} else if (EXPECTED(IS_DYNAMIC_PROPERTY_OFFSET(property_offset))
1152 	 && EXPECTED(zobj->properties != NULL)) {
1153 		if (UNEXPECTED(GC_REFCOUNT(zobj->properties) > 1)) {
1154 			if (EXPECTED(!(GC_FLAGS(zobj->properties) & IS_ARRAY_IMMUTABLE))) {
1155 				GC_DELREF(zobj->properties);
1156 			}
1157 			zobj->properties = zend_array_dup(zobj->properties);
1158 		}
1159 		if (EXPECTED(zend_hash_del(zobj->properties, name) != FAILURE)) {
1160 			goto exit;
1161 		}
1162 	} else if (UNEXPECTED(EG(exception))) {
1163 		goto exit;
1164 	}
1165 
1166 	/* magic unset */
1167 	if (zobj->ce->__unset) {
1168 		uint32_t *guard = zend_get_property_guard(zobj, name);
1169 		if (!((*guard) & IN_UNSET)) {
1170 			/* have unseter - try with it! */
1171 			(*guard) |= IN_UNSET; /* prevent circular unsetting */
1172 			zend_std_call_unsetter(zobj, name);
1173 			(*guard) &= ~IN_UNSET;
1174 		} else if (UNEXPECTED(IS_WRONG_PROPERTY_OFFSET(property_offset))) {
1175 			/* Trigger the correct error */
1176 			zend_wrong_offset(zobj->ce, name);
1177 			ZEND_ASSERT(EG(exception));
1178 			goto exit;
1179 		} else {
1180 			/* Nothing to do: The property already does not exist. */
1181 		}
1182 	}
1183 
1184 exit:
1185 	zend_tmp_string_release(tmp_name);
1186 }
1187 /* }}} */
1188 
zend_std_unset_dimension(zval *object, zval *offset)1189 ZEND_API void zend_std_unset_dimension(zval *object, zval *offset) /* {{{ */
1190 {
1191 	zend_class_entry *ce = Z_OBJCE_P(object);
1192 	zval tmp_offset, tmp_object;
1193 
1194 	if (instanceof_function_ex(ce, zend_ce_arrayaccess, 1)) {
1195 		ZVAL_COPY_DEREF(&tmp_offset, offset);
1196 		Z_ADDREF_P(object);
1197 		ZVAL_OBJ(&tmp_object, Z_OBJ_P(object));
1198 		zend_call_method_with_1_params(&tmp_object, ce, NULL, "offsetunset", NULL, &tmp_offset);
1199 		zval_ptr_dtor(&tmp_object);
1200 		zval_ptr_dtor(&tmp_offset);
1201 	} else {
1202 	    zend_bad_array_access(ce);
1203 	}
1204 }
1205 /* }}} */
1206 
zend_get_parent_private_method(zend_class_entry *scope, zend_class_entry *ce, zend_string *function_name)1207 static zend_never_inline zend_function *zend_get_parent_private_method(zend_class_entry *scope, zend_class_entry *ce, zend_string *function_name) /* {{{ */
1208 {
1209 	zval *func;
1210 	zend_function *fbc;
1211 
1212 	if (scope != ce && scope && is_derived_class(ce, scope)) {
1213 		func = zend_hash_find(&scope->function_table, function_name);
1214 		if (func != NULL) {
1215 			fbc = Z_FUNC_P(func);
1216 			if (fbc->common.fn_flags & ZEND_ACC_PRIVATE
1217 			 && fbc->common.scope == scope) {
1218 				return fbc;
1219 			}
1220 		}
1221 	}
1222 	return NULL;
1223 }
1224 /* }}} */
1225 
1226 /* Ensures that we're allowed to call a protected method.
1227  */
zend_check_protected(zend_class_entry *ce, zend_class_entry *scope)1228 ZEND_API int zend_check_protected(zend_class_entry *ce, zend_class_entry *scope) /* {{{ */
1229 {
1230 	zend_class_entry *fbc_scope = ce;
1231 
1232 	/* Is the context that's calling the function, the same as one of
1233 	 * the function's parents?
1234 	 */
1235 	while (fbc_scope) {
1236 		if (fbc_scope==scope) {
1237 			return 1;
1238 		}
1239 		fbc_scope = fbc_scope->parent;
1240 	}
1241 
1242 	/* Is the function's scope the same as our current object context,
1243 	 * or any of the parents of our context?
1244 	 */
1245 	while (scope) {
1246 		if (scope==ce) {
1247 			return 1;
1248 		}
1249 		scope = scope->parent;
1250 	}
1251 	return 0;
1252 }
1253 /* }}} */
1254 
zend_get_call_trampoline_func(zend_class_entry *ce, zend_string *method_name, int is_static)1255 ZEND_API zend_function *zend_get_call_trampoline_func(zend_class_entry *ce, zend_string *method_name, int is_static) /* {{{ */
1256 {
1257 	size_t mname_len;
1258 	zend_op_array *func;
1259 	zend_function *fbc = is_static ? ce->__callstatic : ce->__call;
1260 	/* We use non-NULL value to avoid useless run_time_cache allocation.
1261 	 * The low bit must be zero, to not be interpreted as a MAP_PTR offset.
1262 	 */
1263 	static const void *dummy = (void*)(intptr_t)2;
1264 
1265 	ZEND_ASSERT(fbc);
1266 
1267 	if (EXPECTED(EG(trampoline).common.function_name == NULL)) {
1268 		func = &EG(trampoline).op_array;
1269 	} else {
1270 		func = ecalloc(1, sizeof(zend_op_array));
1271 	}
1272 
1273 	func->type = ZEND_USER_FUNCTION;
1274 	func->arg_flags[0] = 0;
1275 	func->arg_flags[1] = 0;
1276 	func->arg_flags[2] = 0;
1277 	func->fn_flags = ZEND_ACC_CALL_VIA_TRAMPOLINE | ZEND_ACC_PUBLIC;
1278 	if (is_static) {
1279 		func->fn_flags |= ZEND_ACC_STATIC;
1280 	}
1281 	func->opcodes = &EG(call_trampoline_op);
1282 	ZEND_MAP_PTR_INIT(func->run_time_cache, (void***)&dummy);
1283 	func->scope = fbc->common.scope;
1284 	/* reserve space for arguments, local and temporary variables */
1285 	func->T = (fbc->type == ZEND_USER_FUNCTION)? MAX(fbc->op_array.last_var + fbc->op_array.T, 2) : 2;
1286 	func->filename = (fbc->type == ZEND_USER_FUNCTION)? fbc->op_array.filename : ZSTR_EMPTY_ALLOC();
1287 	func->line_start = (fbc->type == ZEND_USER_FUNCTION)? fbc->op_array.line_start : 0;
1288 	func->line_end = (fbc->type == ZEND_USER_FUNCTION)? fbc->op_array.line_end : 0;
1289 
1290 	//??? keep compatibility for "\0" characters
1291 	//??? see: Zend/tests/bug46238.phpt
1292 	if (UNEXPECTED((mname_len = strlen(ZSTR_VAL(method_name))) != ZSTR_LEN(method_name))) {
1293 		func->function_name = zend_string_init(ZSTR_VAL(method_name), mname_len, 0);
1294 	} else {
1295 		func->function_name = zend_string_copy(method_name);
1296 	}
1297 
1298 	func->prototype = NULL;
1299 	func->num_args = 0;
1300 	func->required_num_args = 0;
1301 	func->arg_info = 0;
1302 
1303 	return (zend_function*)func;
1304 }
1305 /* }}} */
1306 
zend_get_user_call_function(zend_class_entry *ce, zend_string *method_name)1307 static zend_always_inline zend_function *zend_get_user_call_function(zend_class_entry *ce, zend_string *method_name) /* {{{ */
1308 {
1309 	return zend_get_call_trampoline_func(ce, method_name, 0);
1310 }
1311 /* }}} */
1312 
zend_bad_method_call(zend_function *fbc, zend_string *method_name, zend_class_entry *scope)1313 static ZEND_COLD zend_never_inline void zend_bad_method_call(zend_function *fbc, zend_string *method_name, zend_class_entry *scope) /* {{{ */
1314 {
1315 	zend_throw_error(NULL, "Call to %s method %s::%s() from context '%s'", zend_visibility_string(fbc->common.fn_flags), ZEND_FN_SCOPE_NAME(fbc), ZSTR_VAL(method_name), scope ? ZSTR_VAL(scope->name) : "");
1316 }
1317 /* }}} */
1318 
zend_std_get_method(zend_object **obj_ptr, zend_string *method_name, const zval *key)1319 ZEND_API zend_function *zend_std_get_method(zend_object **obj_ptr, zend_string *method_name, const zval *key) /* {{{ */
1320 {
1321 	zend_object *zobj = *obj_ptr;
1322 	zval *func;
1323 	zend_function *fbc;
1324 	zend_string *lc_method_name;
1325 	zend_class_entry *scope;
1326 	ALLOCA_FLAG(use_heap);
1327 
1328 	if (EXPECTED(key != NULL)) {
1329 		lc_method_name = Z_STR_P(key);
1330 #ifdef ZEND_ALLOCA_MAX_SIZE
1331 		use_heap = 0;
1332 #endif
1333 	} else {
1334 		ZSTR_ALLOCA_ALLOC(lc_method_name, ZSTR_LEN(method_name), use_heap);
1335 		zend_str_tolower_copy(ZSTR_VAL(lc_method_name), ZSTR_VAL(method_name), ZSTR_LEN(method_name));
1336 	}
1337 
1338 	if (UNEXPECTED((func = zend_hash_find(&zobj->ce->function_table, lc_method_name)) == NULL)) {
1339 		if (UNEXPECTED(!key)) {
1340 			ZSTR_ALLOCA_FREE(lc_method_name, use_heap);
1341 		}
1342 		if (zobj->ce->__call) {
1343 			return zend_get_user_call_function(zobj->ce, method_name);
1344 		} else {
1345 			return NULL;
1346 		}
1347 	}
1348 
1349 	fbc = Z_FUNC_P(func);
1350 
1351 	/* Check access level */
1352 	if (fbc->op_array.fn_flags & (ZEND_ACC_CHANGED|ZEND_ACC_PRIVATE|ZEND_ACC_PROTECTED)) {
1353 		scope = zend_get_executed_scope();
1354 
1355 		if (fbc->common.scope != scope) {
1356 			if (fbc->op_array.fn_flags & ZEND_ACC_CHANGED) {
1357 				zend_function *updated_fbc = zend_get_parent_private_method(scope, zobj->ce, lc_method_name);
1358 
1359 				if (EXPECTED(updated_fbc != NULL)) {
1360 					fbc = updated_fbc;
1361 					goto exit;
1362 				} else if (fbc->op_array.fn_flags & ZEND_ACC_PUBLIC) {
1363 					goto exit;
1364 				}
1365 			}
1366 			if (UNEXPECTED(fbc->op_array.fn_flags & ZEND_ACC_PRIVATE)
1367 			 || UNEXPECTED(!zend_check_protected(zend_get_function_root_class(fbc), scope))) {
1368 				if (zobj->ce->__call) {
1369 					fbc = zend_get_user_call_function(zobj->ce, method_name);
1370 				} else {
1371 					zend_bad_method_call(fbc, method_name, scope);
1372 					fbc = NULL;
1373 				}
1374 			}
1375 		}
1376 	}
1377 
1378 exit:
1379 	if (UNEXPECTED(!key)) {
1380 		ZSTR_ALLOCA_FREE(lc_method_name, use_heap);
1381 	}
1382 	return fbc;
1383 }
1384 /* }}} */
1385 
zend_get_user_callstatic_function(zend_class_entry *ce, zend_string *method_name)1386 static zend_always_inline zend_function *zend_get_user_callstatic_function(zend_class_entry *ce, zend_string *method_name) /* {{{ */
1387 {
1388 	return zend_get_call_trampoline_func(ce, method_name, 1);
1389 }
1390 /* }}} */
1391 
zend_std_get_static_method(zend_class_entry *ce, zend_string *function_name, const zval *key)1392 ZEND_API zend_function *zend_std_get_static_method(zend_class_entry *ce, zend_string *function_name, const zval *key) /* {{{ */
1393 {
1394 	zend_function *fbc = NULL;
1395 	zend_string *lc_function_name;
1396 	zend_object *object;
1397 	zend_class_entry *scope;
1398 
1399 	if (EXPECTED(key != NULL)) {
1400 		lc_function_name = Z_STR_P(key);
1401 	} else {
1402 		lc_function_name = zend_string_tolower(function_name);
1403 	}
1404 
1405 	do {
1406 		zval *func = zend_hash_find(&ce->function_table, lc_function_name);
1407 		if (EXPECTED(func != NULL)) {
1408 			fbc = Z_FUNC_P(func);
1409 		} else if (ce->constructor
1410 			&& ZSTR_LEN(lc_function_name) == ZSTR_LEN(ce->name)
1411 			&& zend_binary_strncasecmp(ZSTR_VAL(lc_function_name), ZSTR_LEN(lc_function_name), ZSTR_VAL(ce->name), ZSTR_LEN(lc_function_name), ZSTR_LEN(lc_function_name)) == 0
1412 			/* Only change the method to the constructor if the constructor isn't called __construct
1413 			 * we check for __ so we can be binary safe for lowering, we should use ZEND_CONSTRUCTOR_FUNC_NAME
1414 			 */
1415 			&& (ZSTR_VAL(ce->constructor->common.function_name)[0] != '_'
1416 				|| ZSTR_VAL(ce->constructor->common.function_name)[1] != '_')) {
1417 			fbc = ce->constructor;
1418 		} else {
1419 			if (UNEXPECTED(!key)) {
1420 				zend_string_release_ex(lc_function_name, 0);
1421 			}
1422 			if (ce->__call &&
1423 				(object = zend_get_this_object(EG(current_execute_data))) != NULL &&
1424 			    instanceof_function(object->ce, ce)) {
1425 				/* Call the top-level defined __call().
1426 				 * see: tests/classes/__call_004.phpt  */
1427 
1428 				zend_class_entry *call_ce = object->ce;
1429 
1430 				while (!call_ce->__call) {
1431 					call_ce = call_ce->parent;
1432 				}
1433 				return zend_get_user_call_function(call_ce, function_name);
1434 			} else if (ce->__callstatic) {
1435 				return zend_get_user_callstatic_function(ce, function_name);
1436 			} else {
1437 	   			return NULL;
1438 			}
1439 		}
1440 	} while (0);
1441 
1442 #if MBO_0
1443 	/* right now this function is used for non static method lookup too */
1444 	/* Is the function static */
1445 	if (UNEXPECTED(!(fbc->common.fn_flags & ZEND_ACC_STATIC))) {
1446 		zend_error_noreturn(E_ERROR, "Cannot call non static method %s::%s() without object", ZEND_FN_SCOPE_NAME(fbc), ZSTR_VAL(fbc->common.function_name));
1447 	}
1448 #endif
1449 	if (!(fbc->op_array.fn_flags & ZEND_ACC_PUBLIC)) {
1450 		scope = zend_get_executed_scope();
1451 		if (UNEXPECTED(fbc->common.scope != scope)) {
1452 			if (UNEXPECTED(fbc->op_array.fn_flags & ZEND_ACC_PRIVATE)
1453 			 || UNEXPECTED(!zend_check_protected(zend_get_function_root_class(fbc), scope))) {
1454 				if (ce->__callstatic) {
1455 					fbc = zend_get_user_callstatic_function(ce, function_name);
1456 				} else {
1457 					zend_bad_method_call(fbc, function_name, scope);
1458 					fbc = NULL;
1459 				}
1460 			}
1461 		}
1462 	}
1463 
1464 	if (UNEXPECTED(!key)) {
1465 		zend_string_release_ex(lc_function_name, 0);
1466 	}
1467 
1468 	return fbc;
1469 }
1470 /* }}} */
1471 
zend_class_init_statics(zend_class_entry *class_type)1472 ZEND_API void zend_class_init_statics(zend_class_entry *class_type) /* {{{ */
1473 {
1474 	int i;
1475 	zval *p;
1476 
1477 	if (class_type->default_static_members_count && !CE_STATIC_MEMBERS(class_type)) {
1478 		if (class_type->parent) {
1479 			zend_class_init_statics(class_type->parent);
1480 		}
1481 
1482 		ZEND_MAP_PTR_SET(class_type->static_members_table, emalloc(sizeof(zval) * class_type->default_static_members_count));
1483 		for (i = 0; i < class_type->default_static_members_count; i++) {
1484 			p = &class_type->default_static_members_table[i];
1485 			if (Z_TYPE_P(p) == IS_INDIRECT) {
1486 				zval *q = &CE_STATIC_MEMBERS(class_type->parent)[i];
1487 				ZVAL_DEINDIRECT(q);
1488 				ZVAL_INDIRECT(&CE_STATIC_MEMBERS(class_type)[i], q);
1489 			} else {
1490 				ZVAL_COPY_OR_DUP(&CE_STATIC_MEMBERS(class_type)[i], p);
1491 			}
1492 		}
1493 	}
1494 } /* }}} */
1495 
zend_std_get_static_property_with_info(zend_class_entry *ce, zend_string *property_name, int type, zend_property_info **property_info_ptr)1496 ZEND_API zval *zend_std_get_static_property_with_info(zend_class_entry *ce, zend_string *property_name, int type, zend_property_info **property_info_ptr) /* {{{ */
1497 {
1498 	zval *ret;
1499 	zend_class_entry *scope;
1500 	zend_property_info *property_info = zend_hash_find_ptr(&ce->properties_info, property_name);
1501 	*property_info_ptr = property_info;
1502 
1503 	if (UNEXPECTED(property_info == NULL)) {
1504 		goto undeclared_property;
1505 	}
1506 
1507 	if (!(property_info->flags & ZEND_ACC_PUBLIC)) {
1508 		if (UNEXPECTED(EG(fake_scope))) {
1509 			scope = EG(fake_scope);
1510 		} else {
1511 			scope = zend_get_executed_scope();
1512 		}
1513 		if (property_info->ce != scope) {
1514 			if (UNEXPECTED(property_info->flags & ZEND_ACC_PRIVATE)
1515 			 || UNEXPECTED(!is_protected_compatible_scope(property_info->ce, scope))) {
1516 				if (type != BP_VAR_IS) {
1517 					zend_bad_property_access(property_info, ce, property_name);
1518 				}
1519 				return NULL;
1520 			}
1521 		}
1522 	}
1523 
1524 	if (UNEXPECTED((property_info->flags & ZEND_ACC_STATIC) == 0)) {
1525 		goto undeclared_property;
1526 	}
1527 
1528 	if (UNEXPECTED(!(ce->ce_flags & ZEND_ACC_CONSTANTS_UPDATED))) {
1529 		if (UNEXPECTED(zend_update_class_constants(ce)) != SUCCESS) {
1530 			return NULL;
1531 		}
1532 	}
1533 
1534 	/* check if static properties were destroyed */
1535 	if (UNEXPECTED(CE_STATIC_MEMBERS(ce) == NULL)) {
1536 		if (ce->type == ZEND_INTERNAL_CLASS || (ce->ce_flags & (ZEND_ACC_IMMUTABLE|ZEND_ACC_PRELOADED))) {
1537 			zend_class_init_statics(ce);
1538 		} else {
1539 undeclared_property:
1540 			if (type != BP_VAR_IS) {
1541 				zend_throw_error(NULL, "Access to undeclared static property: %s::$%s", ZSTR_VAL(ce->name), ZSTR_VAL(property_name));
1542 			}
1543 			return NULL;
1544 		}
1545 	}
1546 
1547 	ret = CE_STATIC_MEMBERS(ce) + property_info->offset;
1548 	ZVAL_DEINDIRECT(ret);
1549 
1550 	if (UNEXPECTED((type == BP_VAR_R || type == BP_VAR_RW)
1551 				&& Z_TYPE_P(ret) == IS_UNDEF && property_info->type != 0)) {
1552 		zend_throw_error(NULL, "Typed static property %s::$%s must not be accessed before initialization",
1553 			ZSTR_VAL(property_info->ce->name),
1554 			zend_get_unmangled_property_name(property_name));
1555 		return NULL;
1556 	}
1557 
1558 	return ret;
1559 }
1560 /* }}} */
1561 
zend_std_get_static_property(zend_class_entry *ce, zend_string *property_name, int type)1562 ZEND_API zval *zend_std_get_static_property(zend_class_entry *ce, zend_string *property_name, int type) /* {{{ */
1563 {
1564 	zend_property_info *prop_info;
1565 	return zend_std_get_static_property_with_info(ce, property_name, type, &prop_info);
1566 }
1567 
zend_std_unset_static_property(zend_class_entry *ce, zend_string *property_name)1568 ZEND_API ZEND_COLD zend_bool zend_std_unset_static_property(zend_class_entry *ce, zend_string *property_name) /* {{{ */
1569 {
1570 	zend_throw_error(NULL, "Attempt to unset static property %s::$%s", ZSTR_VAL(ce->name), ZSTR_VAL(property_name));
1571 	return 0;
1572 }
1573 /* }}} */
1574 
zend_bad_constructor_call(zend_function *constructor, zend_class_entry *scope)1575 static ZEND_COLD zend_never_inline void zend_bad_constructor_call(zend_function *constructor, zend_class_entry *scope) /* {{{ */
1576 {
1577 	if (scope) {
1578 		zend_throw_error(NULL, "Call to %s %s::%s() from context '%s'", zend_visibility_string(constructor->common.fn_flags), ZSTR_VAL(constructor->common.scope->name), ZSTR_VAL(constructor->common.function_name), ZSTR_VAL(scope->name));
1579 	} else {
1580 		zend_throw_error(NULL, "Call to %s %s::%s() from invalid context", zend_visibility_string(constructor->common.fn_flags), ZSTR_VAL(constructor->common.scope->name), ZSTR_VAL(constructor->common.function_name));
1581 	}
1582 }
1583 /* }}} */
1584 
zend_std_get_constructor(zend_object *zobj)1585 ZEND_API zend_function *zend_std_get_constructor(zend_object *zobj) /* {{{ */
1586 {
1587 	zend_function *constructor = zobj->ce->constructor;
1588 	zend_class_entry *scope;
1589 
1590 	if (constructor) {
1591 		if (UNEXPECTED(!(constructor->op_array.fn_flags & ZEND_ACC_PUBLIC))) {
1592 			if (UNEXPECTED(EG(fake_scope))) {
1593 				scope = EG(fake_scope);
1594 			} else {
1595 				scope = zend_get_executed_scope();
1596 			}
1597 			if (UNEXPECTED(constructor->common.scope != scope)) {
1598 				if (UNEXPECTED(constructor->op_array.fn_flags & ZEND_ACC_PRIVATE)
1599 				 || UNEXPECTED(!zend_check_protected(zend_get_function_root_class(constructor), scope))) {
1600 					zend_bad_constructor_call(constructor, scope);
1601 					constructor = NULL;
1602 				}
1603 			}
1604 		}
1605 	}
1606 
1607 	return constructor;
1608 }
1609 /* }}} */
1610 
zend_std_compare_objects(zval *o1, zval *o2)1611 ZEND_API int zend_std_compare_objects(zval *o1, zval *o2) /* {{{ */
1612 {
1613 	zend_object *zobj1, *zobj2;
1614 
1615 	zobj1 = Z_OBJ_P(o1);
1616 	zobj2 = Z_OBJ_P(o2);
1617 
1618 	if (zobj1 == zobj2) {
1619 		return 0; /* the same object */
1620 	}
1621 	if (zobj1->ce != zobj2->ce) {
1622 		return 1; /* different classes */
1623 	}
1624 	if (!zobj1->properties && !zobj2->properties) {
1625 		zend_property_info *info;
1626 
1627 		if (!zobj1->ce->default_properties_count) {
1628 			return 0;
1629 		}
1630 
1631 		/* It's enough to protect only one of the objects.
1632 		 * The second one may be referenced from the first and this may cause
1633 		 * false recursion detection.
1634 		 */
1635 		/* use bitwise OR to make only one conditional jump */
1636 		if (UNEXPECTED(Z_IS_RECURSIVE_P(o1))) {
1637 			zend_error_noreturn(E_ERROR, "Nesting level too deep - recursive dependency?");
1638 		}
1639 		Z_PROTECT_RECURSION_P(o1);
1640 
1641 		ZEND_HASH_FOREACH_PTR(&zobj1->ce->properties_info, info) {
1642 			zval *p1 = OBJ_PROP(zobj1, info->offset);
1643 			zval *p2 = OBJ_PROP(zobj2, info->offset);
1644 
1645 			if (info->flags & ZEND_ACC_STATIC) {
1646 				continue;
1647 			}
1648 
1649 			if (Z_TYPE_P(p1) != IS_UNDEF) {
1650 				if (Z_TYPE_P(p2) != IS_UNDEF) {
1651 					zval result;
1652 
1653 					if (compare_function(&result, p1, p2)==FAILURE) {
1654 						Z_UNPROTECT_RECURSION_P(o1);
1655 						return 1;
1656 					}
1657 					if (Z_LVAL(result) != 0) {
1658 						Z_UNPROTECT_RECURSION_P(o1);
1659 						return Z_LVAL(result);
1660 					}
1661 				} else {
1662 					Z_UNPROTECT_RECURSION_P(o1);
1663 					return 1;
1664 				}
1665 			} else {
1666 				if (Z_TYPE_P(p2) != IS_UNDEF) {
1667 					Z_UNPROTECT_RECURSION_P(o1);
1668 					return 1;
1669 				}
1670 			}
1671 		} ZEND_HASH_FOREACH_END();
1672 
1673 		Z_UNPROTECT_RECURSION_P(o1);
1674 		return 0;
1675 	} else {
1676 		if (!zobj1->properties) {
1677 			rebuild_object_properties(zobj1);
1678 		}
1679 		if (!zobj2->properties) {
1680 			rebuild_object_properties(zobj2);
1681 		}
1682 		return zend_compare_symbol_tables(zobj1->properties, zobj2->properties);
1683 	}
1684 }
1685 /* }}} */
1686 
zend_std_has_property(zval *object, zval *member, int has_set_exists, void **cache_slot)1687 ZEND_API int zend_std_has_property(zval *object, zval *member, int has_set_exists, void **cache_slot) /* {{{ */
1688 {
1689 	zend_object *zobj;
1690 	int result;
1691 	zval *value = NULL;
1692 	zend_string *name, *tmp_name;
1693 	uintptr_t property_offset;
1694 	zend_property_info *prop_info = NULL;
1695 
1696 	zobj = Z_OBJ_P(object);
1697 	name = zval_try_get_tmp_string(member, &tmp_name);
1698 	if (UNEXPECTED(!name)) {
1699 		return 0;
1700 	}
1701 
1702 	property_offset = zend_get_property_offset(zobj->ce, name, 1, cache_slot, &prop_info);
1703 
1704 	if (EXPECTED(IS_VALID_PROPERTY_OFFSET(property_offset))) {
1705 		value = OBJ_PROP(zobj, property_offset);
1706 		if (Z_TYPE_P(value) != IS_UNDEF) {
1707 			goto found;
1708 		}
1709 		if (UNEXPECTED(Z_PROP_FLAG_P(value) == IS_PROP_UNINIT)) {
1710 			/* Skip __isset() for uninitialized typed properties */
1711 			result = 0;
1712 			goto exit;
1713 		}
1714 	} else if (EXPECTED(IS_DYNAMIC_PROPERTY_OFFSET(property_offset))) {
1715 		if (EXPECTED(zobj->properties != NULL)) {
1716 			if (!IS_UNKNOWN_DYNAMIC_PROPERTY_OFFSET(property_offset)) {
1717 				uintptr_t idx = ZEND_DECODE_DYN_PROP_OFFSET(property_offset);
1718 
1719 				if (EXPECTED(idx < zobj->properties->nNumUsed * sizeof(Bucket))) {
1720 					Bucket *p = (Bucket*)((char*)zobj->properties->arData + idx);
1721 
1722 					if (EXPECTED(Z_TYPE(p->val) != IS_UNDEF) &&
1723 				        (EXPECTED(p->key == name) ||
1724 				         (EXPECTED(p->h == ZSTR_H(name)) &&
1725 				          EXPECTED(p->key != NULL) &&
1726 				          EXPECTED(zend_string_equal_content(p->key, name))))) {
1727 						value = &p->val;
1728 						goto found;
1729 					}
1730 				}
1731 				CACHE_PTR_EX(cache_slot + 1, (void*)ZEND_DYNAMIC_PROPERTY_OFFSET);
1732 			}
1733 			value = zend_hash_find(zobj->properties, name);
1734 			if (value) {
1735 				if (cache_slot) {
1736 					uintptr_t idx = (char*)value - (char*)zobj->properties->arData;
1737 					CACHE_PTR_EX(cache_slot + 1, (void*)ZEND_ENCODE_DYN_PROP_OFFSET(idx));
1738 				}
1739 found:
1740 				if (has_set_exists == ZEND_PROPERTY_NOT_EMPTY) {
1741 					result = zend_is_true(value);
1742 				} else if (has_set_exists < ZEND_PROPERTY_NOT_EMPTY) {
1743 					ZEND_ASSERT(has_set_exists == ZEND_PROPERTY_ISSET);
1744 					ZVAL_DEREF(value);
1745 					result = (Z_TYPE_P(value) != IS_NULL);
1746 				} else {
1747 					ZEND_ASSERT(has_set_exists == ZEND_PROPERTY_EXISTS);
1748 					result = 1;
1749 				}
1750 				goto exit;
1751 			}
1752 		}
1753 	} else if (UNEXPECTED(EG(exception))) {
1754 		result = 0;
1755 		goto exit;
1756 	}
1757 
1758 	result = 0;
1759 	if ((has_set_exists != ZEND_PROPERTY_EXISTS) && zobj->ce->__isset) {
1760 		uint32_t *guard = zend_get_property_guard(zobj, name);
1761 
1762 		if (!((*guard) & IN_ISSET)) {
1763 			zval rv;
1764 
1765 			/* have issetter - try with it! */
1766 			if (!tmp_name && !ZSTR_IS_INTERNED(name)) {
1767 				tmp_name = zend_string_copy(name);
1768 			}
1769 			GC_ADDREF(zobj);
1770 			(*guard) |= IN_ISSET; /* prevent circular getting */
1771 			zend_std_call_issetter(zobj, name, &rv);
1772 			result = zend_is_true(&rv);
1773 			zval_ptr_dtor(&rv);
1774 			if (has_set_exists == ZEND_PROPERTY_NOT_EMPTY && result) {
1775 				if (EXPECTED(!EG(exception)) && zobj->ce->__get && !((*guard) & IN_GET)) {
1776 					(*guard) |= IN_GET;
1777 					zend_std_call_getter(zobj, name, &rv);
1778 					(*guard) &= ~IN_GET;
1779 					result = i_zend_is_true(&rv);
1780 					zval_ptr_dtor(&rv);
1781 				} else {
1782 					result = 0;
1783 				}
1784 			}
1785 			(*guard) &= ~IN_ISSET;
1786 			OBJ_RELEASE(zobj);
1787 		}
1788 	}
1789 
1790 exit:
1791 	zend_tmp_string_release(tmp_name);
1792 	return result;
1793 }
1794 /* }}} */
1795 
zend_std_get_class_name(const zend_object *zobj)1796 ZEND_API zend_string *zend_std_get_class_name(const zend_object *zobj) /* {{{ */
1797 {
1798 	return zend_string_copy(zobj->ce->name);
1799 }
1800 /* }}} */
1801 
zend_std_cast_object_tostring(zval *readobj, zval *writeobj, int type)1802 ZEND_API int zend_std_cast_object_tostring(zval *readobj, zval *writeobj, int type) /* {{{ */
1803 {
1804 	zval retval;
1805 	zend_class_entry *ce;
1806 
1807 	switch (type) {
1808 		case IS_STRING:
1809 			ce = Z_OBJCE_P(readobj);
1810 			if (ce->__tostring) {
1811 				zend_class_entry *fake_scope = EG(fake_scope);
1812 				EG(fake_scope) = NULL;
1813 				zend_call_method_with_0_params(readobj, ce, &ce->__tostring, "__tostring", &retval);
1814 				EG(fake_scope) = fake_scope;
1815 				if (EXPECTED(Z_TYPE(retval) == IS_STRING)) {
1816 					ZVAL_COPY_VALUE(writeobj, &retval);
1817 					return SUCCESS;
1818 				}
1819 				zval_ptr_dtor(&retval);
1820 				if (!EG(exception)) {
1821 					zend_throw_error(NULL, "Method %s::__toString() must return a string value", ZSTR_VAL(ce->name));
1822 				}
1823 			}
1824 			return FAILURE;
1825 		case _IS_BOOL:
1826 			ZVAL_TRUE(writeobj);
1827 			return SUCCESS;
1828 		case IS_LONG:
1829 			ce = Z_OBJCE_P(readobj);
1830 			zend_error(E_NOTICE, "Object of class %s could not be converted to int", ZSTR_VAL(ce->name));
1831 			ZVAL_LONG(writeobj, 1);
1832 			return SUCCESS;
1833 		case IS_DOUBLE:
1834 			ce = Z_OBJCE_P(readobj);
1835 			zend_error(E_NOTICE, "Object of class %s could not be converted to float", ZSTR_VAL(ce->name));
1836 			ZVAL_DOUBLE(writeobj, 1);
1837 			return SUCCESS;
1838 		case _IS_NUMBER:
1839 			ce = Z_OBJCE_P(readobj);
1840 			zend_error(E_NOTICE, "Object of class %s could not be converted to number", ZSTR_VAL(ce->name));
1841 			ZVAL_LONG(writeobj, 1);
1842 			return SUCCESS;
1843 		default:
1844 			ZVAL_NULL(writeobj);
1845 			break;
1846 	}
1847 	return FAILURE;
1848 }
1849 /* }}} */
1850 
zend_std_get_closure(zval *obj, zend_class_entry **ce_ptr, zend_function **fptr_ptr, zend_object **obj_ptr)1851 ZEND_API int zend_std_get_closure(zval *obj, zend_class_entry **ce_ptr, zend_function **fptr_ptr, zend_object **obj_ptr) /* {{{ */
1852 {
1853 	zval *func;
1854 	zend_class_entry *ce = Z_OBJCE_P(obj);
1855 
1856 	if ((func = zend_hash_find_ex(&ce->function_table, ZSTR_KNOWN(ZEND_STR_MAGIC_INVOKE), 1)) == NULL) {
1857 		return FAILURE;
1858 	}
1859 	*fptr_ptr = Z_FUNC_P(func);
1860 
1861 	*ce_ptr = ce;
1862 	if ((*fptr_ptr)->common.fn_flags & ZEND_ACC_STATIC) {
1863 		if (obj_ptr) {
1864 			*obj_ptr = NULL;
1865 		}
1866 	} else {
1867 		if (obj_ptr) {
1868 			*obj_ptr = Z_OBJ_P(obj);
1869 		}
1870 	}
1871 	return SUCCESS;
1872 }
1873 /* }}} */
1874 
zend_std_get_properties_for(zval *obj, zend_prop_purpose purpose)1875 ZEND_API HashTable *zend_std_get_properties_for(zval *obj, zend_prop_purpose purpose) {
1876 	HashTable *ht;
1877 	switch (purpose) {
1878 		case ZEND_PROP_PURPOSE_DEBUG:
1879 			if (Z_OBJ_HT_P(obj)->get_debug_info) {
1880 				int is_temp;
1881 				ht = Z_OBJ_HT_P(obj)->get_debug_info(obj, &is_temp);
1882 				if (ht && !is_temp && !(GC_FLAGS(ht) & GC_IMMUTABLE)) {
1883 					GC_ADDREF(ht);
1884 				}
1885 				return ht;
1886 			}
1887 			/* break missing intentionally */
1888 		case ZEND_PROP_PURPOSE_ARRAY_CAST:
1889 		case ZEND_PROP_PURPOSE_SERIALIZE:
1890 		case ZEND_PROP_PURPOSE_VAR_EXPORT:
1891 		case ZEND_PROP_PURPOSE_JSON:
1892 		case _ZEND_PROP_PURPOSE_ARRAY_KEY_EXISTS:
1893 			ht = Z_OBJ_HT_P(obj)->get_properties(obj);
1894 			if (ht && !(GC_FLAGS(ht) & GC_IMMUTABLE)) {
1895 				GC_ADDREF(ht);
1896 			}
1897 			return ht;
1898 		default:
1899 			ZEND_ASSERT(0);
1900 			return NULL;
1901 	}
1902 }
1903 
zend_get_properties_for(zval *obj, zend_prop_purpose purpose)1904 ZEND_API HashTable *zend_get_properties_for(zval *obj, zend_prop_purpose purpose) {
1905 	if (Z_OBJ_HT_P(obj)->get_properties_for) {
1906 		return Z_OBJ_HT_P(obj)->get_properties_for(obj, purpose);
1907 	}
1908 
1909 	return zend_std_get_properties_for(obj, purpose);
1910 }
1911 
1912 ZEND_API const zend_object_handlers std_object_handlers = {
1913 	0,										/* offset */
1914 
1915 	zend_object_std_dtor,					/* free_obj */
1916 	zend_objects_destroy_object,			/* dtor_obj */
1917 	zend_objects_clone_obj,					/* clone_obj */
1918 
1919 	zend_std_read_property,					/* read_property */
1920 	zend_std_write_property,				/* write_property */
1921 	zend_std_read_dimension,				/* read_dimension */
1922 	zend_std_write_dimension,				/* write_dimension */
1923 	zend_std_get_property_ptr_ptr,			/* get_property_ptr_ptr */
1924 	NULL,									/* get */
1925 	NULL,									/* set */
1926 	zend_std_has_property,					/* has_property */
1927 	zend_std_unset_property,				/* unset_property */
1928 	zend_std_has_dimension,					/* has_dimension */
1929 	zend_std_unset_dimension,				/* unset_dimension */
1930 	zend_std_get_properties,				/* get_properties */
1931 	zend_std_get_method,					/* get_method */
1932 	NULL,									/* call_method */
1933 	zend_std_get_constructor,				/* get_constructor */
1934 	zend_std_get_class_name,				/* get_class_name */
1935 	zend_std_compare_objects,				/* compare_objects */
1936 	zend_std_cast_object_tostring,			/* cast_object */
1937 	NULL,									/* count_elements */
1938 	zend_std_get_debug_info,				/* get_debug_info */
1939 	zend_std_get_closure,					/* get_closure */
1940 	zend_std_get_gc,						/* get_gc */
1941 	NULL,									/* do_operation */
1942 	NULL,									/* compare */
1943 	NULL,									/* get_properties_for */
1944 };
1945