php / php-src

The PHP Interpreter
https://www.php.net

Segmentation fault with reflection #16578

Open YuanchengJiang opened 1 day ago

YuanchengJiang commented 1 day ago

Description

The following code:

<?php
class C {
    // Property with get/set hooks
    public $a {
        get { return $this->a; }
        set($value) { $this->a = $value; }
    }
    public function __construct(int $a) {}
}
function test(string $name, object $obj) {
    var_dump($obj->a);
    var_dump($obj);
}
$reflector = new ReflectionClass(C::class);
var_dump($reflector);
// Lazy ghost: the initializer runs on the same object on first access
$obj = $reflector->newLazyGhost(function ($obj) {
    $obj->__construct(1);
    var_dump($obj);
});
test('Ghost', $obj);
var_dump($obj);
// Lazy proxy: the initializer returns the real instance the proxy forwards to
$obj = $reflector->newLazyProxy(function ($obj) {
    return new C(1);
});
test('Proxy', $obj);
var_dump($obj);
?>

Resulted in this output (JIT 1211):

object(ReflectionClass)#1 (1) {
  ["name"]=>
  string(1) "C"
}
object(C)#3 (1) {
  ["a"]=>
  NULL
}
NULL
object(C)#3 (1) {
  ["a"]=>
  NULL
}
object(C)#3 (1) {
  ["a"]=>
  NULL
}
*RECURSION*
Segmentation fault (core dumped)

But I expected this output instead:

object(ReflectionClass)#1 (1) {
  ["name"]=>
  string(1) "C"
}
object(C)#3 (1) {
  ["a"]=>
  NULL
}
NULL
object(C)#3 (1) {
  ["a"]=>
  NULL
}
object(C)#3 (1) {
  ["a"]=>
  NULL
}
NULL
lazy proxy object(C)#4 (1) {
  ["instance"]=>
  object(C)#3 (1) {
    ["a"]=>
    NULL
  }
}
lazy proxy object(C)#4 (1) {
  ["instance"]=>
  object(C)#3 (1) {
    ["a"]=>
    NULL
  }
}

PHP Version

nightly

Operating System

ubuntu 22.04

devnexen commented 1 day ago

object(ReflectionClass)#1 (1) {
  ["name"]=>
  string(1) "C"
}
object(C)#3 (1) {
  ["a"]=>
  NULL
}
NULL
object(C)#3 (1) {
  ["a"]=>
  NULL
}
object(C)#3 (1) {
  ["a"]=>
  NULL
}
object(C)#3 (1) {
  ["a"]=>
  NULL
}
zend_mm_heap corrupted
AddressSanitizer:DEADLYSIGNAL
=================================================================
==487==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00019e7f2024 bp 0x00016bbd82c0 sp 0x00016bbd82a0 T0)
==487==The signal is caused by a READ memory access.
==487==Hint: address points to the zero page.
    #0 0x19e7f2024 in __kill+0x8 (libsystem_kernel.dylib:arm64e+0x9024)
    #1 0x1052ae1e4 in zend_mm_get_next_free_slot zend_alloc.c:1326
    #2 0x1052ad4a8 in zend_mm_gc zend_alloc.c:2116
    #3 0x1052bb2b8 in zend_mm_alloc_huge zend_alloc.c:1937
    #4 0x1052b32b8 in zend_mm_alloc_heap zend_alloc.c:1513
    #5 0x1052b5650 in _emalloc zend_alloc.c:2740
    #6 0x105441674 in zend_vm_stack_new_page zend_execute.h:252
    #7 0x105441ce4 in zend_vm_stack_extend zend_execute.c:227
    #8 0x105449f10 in zend_vm_stack_push_call_frame_ex zend_execute.h:276
    #9 0x1056c3c84 in ZEND_INIT_FCALL_OFFSET_SPEC_CONST_HANDLER zend_vm_execute.h:4062
    #10 0x114ea553c  (<unknown module>)
    #11 0x10546106c in execute_ex zend_vm_execute.h:58565
    #12 0x105461a9c in zend_execute zend_vm_execute.h:64217
    #13 0x105946fc0 in zend_execute_script zend.c:1932
    #14 0x104fef90c in php_execute_script_ex main.c:2574
    #15 0x104fefe28 in php_execute_script main.c:2614
    #16 0x10594faa4 in do_cli php_cli.c:935
    #17 0x10594c810 in main php_cli.c:1310
    #18 0x19e4a8270  (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (libsystem_kernel.dylib:arm64e+0x9024) in __kill+0x8
==487==ABORTING