Mark object non-lazy before deleting info in zend_lazy_object_realize()

arnaud-lb · arnaud-lb · commit 877b3ba8e08b · 2026-01-30T17:06:24.000+01:00
diff --git a/Zend/tests/lazy_objects/gh20657-001.phpt b/Zend/tests/lazy_objects/gh20657-001.phpt
@@ -0,0 +1,32 @@
+--TEST--
+GH-20657: GC during zend_lazy_object_realize()
+--CREDITS--
+vi3tL0u1s
+--FILE--
+<?php
+
+class C {
+    public $a;
+}
+
+$reflector = new ReflectionClass(C::class);
+
+for ($i = 0; $i < 10000; $i++) {
+    $obj = $reflector->newLazyGhost(function ($obj) {});
+
+    // Add to roots
+    $obj2 = $obj;
+    unset($obj2);
+
+    // Initialize all props to mark object non-lazy. Also create a cycle.
+    $reflector->getProperty('a')->setRawValueWithoutLazyInitialization($obj, $obj);
+}
+
+var_dump($obj);
+
+?>
+--EXPECTF--
+object(C)#%d (1) {
+  ["a"]=>
+  *RECURSION*
+}
diff --git a/Zend/tests/lazy_objects/gh20657-002.phpt b/Zend/tests/lazy_objects/gh20657-002.phpt
@@ -0,0 +1,43 @@
+--TEST--
+GH-20657 002: GC during zend_lazy_object_realize() - reset as lazy during realize()
+--FILE--
+<?php
+
+class C {
+    public $a;
+}
+
+class D {
+    public $self;
+    public function __construct() {
+        $this->self = $this;
+    }
+    public function __destruct() {
+        global $obj, $reflector;
+        $reflector->resetAsLazyGhost($obj, function () {});
+    }
+}
+
+new D();
+
+$reflector = new ReflectionClass(C::class);
+
+for ($i = 0; $i < 10000; $i++) {
+    $obj = $reflector->newLazyGhost(function ($obj) {});
+
+    // Add to roots
+    $obj2 = $obj;
+    unset($obj2);
+
+    // Initialize all props to mark object non-lazy. Also create a cycle.
+    $reflector->getProperty('a')->setRawValueWithoutLazyInitialization($obj, $obj);
+}
+
+var_dump($obj);
+
+?>
+--EXPECTF--
+object(C)#%d (1) {
+  ["a"]=>
+  *RECURSION*
+}
diff --git a/Zend/zend_lazy_objects.c b/Zend/zend_lazy_objects.c
@@ -678,15 +678,14 @@ void zend_lazy_object_realize(zend_object *obj)
 	ZEND_ASSERT(zend_object_is_lazy(obj));
 	ZEND_ASSERT(!zend_lazy_object_initialized(obj));
 
-	zend_lazy_object_del_info(obj);
-
 #if ZEND_DEBUG
 	for (int i = 0; i < obj->ce->default_properties_count; i++) {
 		ZEND_ASSERT(!(Z_PROP_FLAG_P(&obj->properties_table[i]) & IS_PROP_LAZY));
 	}
 #endif
 
 	OBJ_EXTRA_FLAGS(obj) &= ~(IS_OBJ_LAZY_UNINITIALIZED | IS_OBJ_LAZY_PROXY);
+	zend_lazy_object_del_info(obj);
 }
 
 ZEND_API HashTable *zend_lazy_object_get_properties(zend_object *object)

Original file line number	Diff line number	Diff line change
`@@ -678,15 +678,14 @@ void zend_lazy_object_realize(zend_object *obj)`
`678`	`678`	`ZEND_ASSERT(zend_object_is_lazy(obj));`
`679`	`679`	`ZEND_ASSERT(!zend_lazy_object_initialized(obj));`
`680`	`680`
`681`		`- zend_lazy_object_del_info(obj);`
`682`		`-`
`683`	`681`	`#if ZEND_DEBUG`
`684`	`682`	`for (int i = 0; i < obj->ce->default_properties_count; i++) {`
`685`	`683`	`ZEND_ASSERT(!(Z_PROP_FLAG_P(&obj->properties_table[i]) & IS_PROP_LAZY));`
`686`	`684`	`}`
`687`	`685`	`#endif`
`688`	`686`
`689`	`687`	`OBJ_EXTRA_FLAGS(obj) &= ~(IS_OBJ_LAZY_UNINITIALIZED \| IS_OBJ_LAZY_PROXY);`
	`688`	`+ zend_lazy_object_del_info(obj);`
`690`	`689`	`}`
`691`	`690`
`692`	`691`	`ZEND_API HashTable zend_lazy_object_get_properties(zend_object object)`