Fix zend_get_property_info_for_slot() for lazy objects (#15855)

zend_get_property_info_for_slot(obj, slot) assumes that 'slot' belongs to 'obj', but that may not be the case for lazy proxies.

Fortunately, the property info is often already available in path when it is needed.

For other cases, I make zend_get_property_info_for_slot() aware of lazy objects, and add zend_get_property_info_for_slot_self() for cases where the 'slot' is known to belong to the object itself.

Fixes oss-fuzz #71446

Author: arnaud-lb

Zend/tests/lazy_objects/array_walk.phpt

@@ -0,0 +1,36 @@
+--TEST--
+Lazy Objects: array_walk()
+--FILE--
+<?php
+
+class C {
+    public int $a = 1;
+}
+
+
+$reflector = new ReflectionClass(C::class);
+$obj = $reflector->newLazyProxy(function () {
+    return new C();
+});
+
+array_walk($obj, function (&$value, $key) {
+    try {
+        $value = 'string';
+    } catch (Error $e) {
+        printf("%s: %s\n", $e::class, $e->getMessage());
+    }
+    $value = 2;
+});
+
+var_dump($obj);
+
+?>
+--EXPECTF--
+TypeError: Cannot assign string to reference held by property C::$a of type int
+lazy proxy object(C)#%d (1) {
+  ["instance"]=>
+  object(C)#%d (1) {
+    ["a"]=>
+    int(2)
+  }
+}

Zend/tests/lazy_objects/oss_fuzz_71446.phpt

@@ -0,0 +1,22 @@
+--TEST--
+oss-fuzz #71446
+--FILE--
+<?php
+
+class C {
+    public mixed $a;
+    function __sleep() {
+        return['a'];
+    }
+}
+
+$reflector = new ReflectionClass(C::class);
+
+$obj = $reflector->newLazyProxy(function() {
+    $c = new C;
+    return $c;
+});
+
+serialize($obj);
+?>
+--EXPECTF--

Zend/tests/lazy_objects/serialize___sleep.phpt

@@ -0,0 +1,42 @@
+--TEST--
+Lazy Objects: serialize with __sleep fetches property info from the real instance
+--FILE--
+<?php
+
+class C {
+    public mixed $a;
+    private mixed $b = 1;
+    function __sleep() {
+        return['a', 'b'];
+    }
+}
+
+$reflector = new ReflectionClass(C::class);
+
+print "Init on serialize and successful initialization\n";
+
+$obj = $reflector->newLazyProxy(function() {
+    $c = new C;
+    return $c;
+});
+
+var_dump(serialize($obj));
+
+print "Init on serialize and failed initialization\n";
+
+$obj = $reflector->newLazyProxy(function() {
+    throw new \Exception('initializer');
+});
+
+try {
+    var_dump(serialize($obj));
+} catch (Exception $e) {
+    printf("%s: %s\n", $e::class, $e->getMessage());
+}
+
+?>
+--EXPECTF--
+Init on serialize and successful initialization
+string(27) "O:1:"C":1:{s:4:"%0C%0b";i:1;}"
+Init on serialize and failed initialization
+Exception: initializer

Zend/tests/lazy_objects/typed_properties_001.phpt

@@ -0,0 +1,37 @@
+--TEST--
+Typed property assignment by ref with variable name on proxy
+--FILE--
+<?php
+
+class Test {
+    public int $prop;
+}
+
+$name = new class {
+    public function __toString() {
+        return 'prop';
+    }
+};
+
+$reflector = new ReflectionClass(Test::class);
+$test = $reflector->newLazyProxy(function () {
+    return new Test();
+});
+$ref = "foobar";
+try {
+    $test->$name =& $ref;
+} catch (TypeError $e) {
+    echo $e->getMessage(), "\n";
+}
+var_dump($test);
+
+?>
+--EXPECTF--
+Cannot assign string to property Test::$prop of type int
+lazy proxy object(Test)#%d (1) {
+  ["instance"]=>
+  object(Test)#%d (0) {
+    ["prop"]=>
+    uninitialized(int)
+  }
+}

Zend/tests/lazy_objects/typed_properties_002.phpt

@@ -0,0 +1,60 @@
+--TEST--
+Typed property assignment by ref with variable name on proxy
+--FILE--
+<?php
+
+interface I {}
+interface J {}
+
+class A implements I {}
+class B implements J {}
+class C implements I, J {}
+
+class Test {
+    public function __construct(
+        public I $a,
+        public J $b,
+    ) {
+    }
+}
+
+function test($obj, $a, $b) {
+    $obj->$b =& $obj->$a;
+    try {
+        $obj->$a = new B;
+    } catch (Error $e) {
+        printf("%s: %s\n", $e::class, $e->getMessage());
+    }
+    try {
+        $obj->$b = new A;
+    } catch (Error $e) {
+        printf("%s: %s\n", $e::class, $e->getMessage());
+    }
+    $obj->$a = new C;
+    unset($obj->$a);
+    $obj->$b = new B;
+}
+
+$reflector = new ReflectionClass(Test::class);
+$obj = $reflector->newLazyProxy(function () {
+    return new Test(new C, new C);
+});
+
+test($obj, 'a', 'b');
+
+var_dump($obj);
+
+?>
+--EXPECTF--
+TypeError: Cannot assign B to property Test::$a of type I
+TypeError: Cannot assign A to property Test::$b of type J
+lazy proxy object(Test)#%d (1) {
+  ["instance"]=>
+  object(Test)#%d (1) {
+    ["a"]=>
+    uninitialized(I)
+    ["b"]=>
+    object(B)#%d (0) {
+    }
+  }
+}

Zend/tests/lazy_objects/typed_properties_003.phpt

@@ -0,0 +1,44 @@
+--TEST--
+Typed property assign op cached
+--FILE--
+<?php
+
+class Test {
+    public int $prop = 0;
+}
+
+function op($obj, $prop) {
+    $obj->$prop += 1;
+}
+function pre($obj, $prop) {
+    return ++$obj->$prop;
+}
+function post($obj, $prop) {
+    return $obj->$prop++;
+}
+
+$reflector = new ReflectionClass(Test::class);
+$obj = $reflector->newLazyProxy(function () {
+    return new Test();
+});
+
+op($obj, 'prop');
+op($obj, 'prop');
+
+pre($obj, 'prop');
+pre($obj, 'prop');
+
+post($obj, 'prop');
+post($obj, 'prop');
+
+var_dump($obj);
+
+?>
+--EXPECTF--
+lazy proxy object(Test)#%d (1) {
+  ["instance"]=>
+  object(Test)#%d (1) {
+    ["prop"]=>
+    int(6)
+  }
+}

Zend/tests/lazy_objects/typed_properties_004.phpt

@@ -0,0 +1,45 @@
+--TEST--
+Lazy Objects: Foreach by ref over typed properties
+--FILE--
+<?php
+
+class C {
+    public int $a = 1;
+    private int $_b = 1;
+    public int $b {
+        &get { $value = &$this->_b; return $value; }
+    }
+}
+
+$reflector = new ReflectionClass(C::class);
+$obj = $reflector->newLazyProxy(function () {
+    return new C();
+});
+
+foreach ($obj as $key => &$value) {
+    var_dump($key);
+    try {
+        $value = 'string';
+    } catch (Error $e) {
+        printf("%s: %s\n", $e::class, $e->getMessage());
+    }
+    $value = 2;
+}
+
+var_dump($obj);
+
+?>
+--EXPECTF--
+string(1) "a"
+TypeError: Cannot assign string to reference held by property C::$a of type int
+string(1) "b"
+TypeError: Cannot assign string to reference held by property C::$_b of type int
+lazy proxy object(C)#%d (1) {
+  ["instance"]=>
+  object(C)#%d (2) {
+    ["a"]=>
+    int(2)
+    ["_b":"C":private]=>
+    &int(2)
+  }
+}