Fix oss-fuzz-61469: Undef dynamic property in ++/-- unset in error handler

[Girgias]

So this issue is caused by the undefined property warning generated in the standard get_property_ptr_ptr object handler.

I suppose this might have been a pre-existing issue if an extension get_property_ptr_ptr handler did something to the ZVAL but considering what needs to be done this seems unlikely.

The easiest solution is to just consider the value as null and move forward with it.

@dstogov is this approach a good idea or not?

[iluuu1994]

I'll need to look into this in detail, but when I checked the oss-fuzz report this was an issue for ++, -- (pre and post), += and -= alike.

[Girgias]

Indeed, I was confused why the pre increment change also worked for post increment. But it seems there is a compile time optimization to rewrite a post increment to a pre one if the return value is not used. (Or a for loop might also leave the post increment)

Confirmed and fixed the binop case

[dstogov]

It looks like the problem is already fixed by a3a3964
Anyway, it make sense to commit the tests.

[Girgias]

It looks like the problem is already fixed by a3a3964 Anyway, it make sense to commit the tests.

I'm not sure this is totally fixed, as if I revert the VM changes the following test:

--TEST--
OSS Fuzz #61469: Undef variable in ++/-- for dynamic property that is unset in error handler
--FILE--
<?php
class C {
    function errorHandle() {
        unset($this->a);
    }
}
$c = new C;
set_error_handler([$c,'errorHandle']);
$c->a += 5;
var_dump($c->a);
?>

Results in dumping int(5), same with the pre increment variations. But every other test continues to dump NULL

[dstogov]

Approved.

Please, also take a look into oss-fuzz 61865, that looks similar

<?php
class C {
    public $a;
    function errorHandler() {
        unset($this->a);
    }
}
$c=new C;
set_error_handler([$c,'errorHandler']);
array($y);
(++$c->a);