Fix reassigning when calling the constructor twice

Author: nicolas-grekas

Zend/tests/readonly_props/cpp_reassign_direct_ctor_call.phpt

@@ -0,0 +1,51 @@
+--TEST--
+Promoted readonly properties cannot be reassigned when __construct() is called directly
+--FILE--
+<?php
+
+class Foo {
+    public function __construct(
+        public readonly string $value = 'default',
+    ) {
+        // Don't use reassignment here, leave it available
+    }
+}
+
+$obj = new Foo('initial');
+echo "Initial value: " . $obj->value . "\n";
+
+// Direct call to __construct() should NOT allow reassignment
+try {
+    $obj->__construct('modified');
+    echo "After direct __construct: " . $obj->value . "\n";
+} catch (Error $e) {
+    echo "Error: " . $e->getMessage() . "\n";
+}
+
+// Also test with a class that uses reassignment
+class Bar {
+    public function __construct(
+        public readonly string $value = 'default',
+    ) {
+        $this->value = strtoupper($this->value);
+    }
+}
+
+$bar = new Bar('hello');
+echo "Bar initial value: " . $bar->value . "\n";
+
+// Direct call should fail during the CPP assignment (property not UNINIT)
+// Note: The error happens inside the constructor because CPP assignment happens first
+try {
+    $bar->__construct('world');
+    echo "After direct __construct: " . $bar->value . "\n";
+} catch (Error $e) {
+    echo "Error: " . $e->getMessage() . "\n";
+}
+
+?>
+--EXPECT--
+Initial value: initial
+Error: Cannot modify readonly property Foo::$value
+Bar initial value: HELLO
+Error: Cannot modify readonly property Bar::$value

Zend/tests/readonly_props/cpp_reassign_reflection.phpt

@@ -0,0 +1,81 @@
+--TEST--
+Promoted readonly property reassignment works when object created via reflection
+--FILE--
+<?php
+
+class Foo {
+    public function __construct(
+        public readonly string $bar = 'default',
+    ) {
+        $this->bar = 'overwritten in constructor';
+    }
+}
+
+// Test 1: Object created via reflection without constructor, then __construct() called
+echo "Test 1: Reflection newInstanceWithoutConstructor + explicit __construct()\n";
+$ref = new ReflectionClass(Foo::class);
+$obj = $ref->newInstanceWithoutConstructor();
+
+// Property should be uninitialized at this point
+try {
+    echo $obj->bar;
+    echo "ERROR: Should have thrown for uninitialized property\n";
+} catch (Error $e) {
+    echo "OK: " . $e->getMessage() . "\n";
+}
+
+// Now call constructor - reassignment should work
+$obj->__construct('explicit call');
+echo "After __construct: " . $obj->bar . "\n";
+
+// Second __construct() call should fail
+echo "\nTest 2: Second __construct() call should fail\n";
+try {
+    $obj->__construct('second call');
+    echo "ERROR: Second __construct() should have failed\n";
+} catch (Error $e) {
+    echo "OK: " . $e->getMessage() . "\n";
+}
+
+// Test 3: Normal new still works
+echo "\nTest 3: Normal 'new' still works\n";
+$obj2 = new Foo('via new');
+echo "After new: " . $obj2->bar . "\n";
+
+// Second call should fail
+try {
+    $obj2->__construct('second call');
+    echo "ERROR: Should have failed\n";
+} catch (Error $e) {
+    echo "OK: " . $e->getMessage() . "\n";
+}
+
+// Test 4: Reflection newInstanceArgs (calls constructor)
+echo "\nTest 4: Reflection newInstanceArgs\n";
+$obj3 = $ref->newInstanceArgs(['via newInstanceArgs']);
+echo "After newInstanceArgs: " . $obj3->bar . "\n";
+
+// Second call should fail
+try {
+    $obj3->__construct('second call');
+    echo "ERROR: Should have failed\n";
+} catch (Error $e) {
+    echo "OK: " . $e->getMessage() . "\n";
+}
+
+?>
+--EXPECT--
+Test 1: Reflection newInstanceWithoutConstructor + explicit __construct()
+OK: Typed property Foo::$bar must not be accessed before initialization
+After __construct: overwritten in constructor
+
+Test 2: Second __construct() call should fail
+OK: Cannot modify readonly property Foo::$bar
+
+Test 3: Normal 'new' still works
+After new: overwritten in constructor
+OK: Cannot modify readonly property Foo::$bar
+
+Test 4: Reflection newInstanceArgs
+After newInstanceArgs: overwritten in constructor
+OK: Cannot modify readonly property Foo::$bar

Zend/zend_object_handlers.c

@@ -49,7 +49,7 @@
 /* Check if we're within a constructor call chain for the given object.
  * Walks up the call stack to find if any frame is a constructor for zobj.
  * This allows reassignment from the constructor or methods/closures called from it. */
-ZEND_API bool zend_is_in_constructor(const zend_object *zobj)
+static bool zend_is_in_constructor(const zend_object *zobj)
 {
 	zend_execute_data *ex = EG(current_execute_data);
 	while (ex) {
@@ -64,6 +64,20 @@ ZEND_API bool zend_is_in_constructor(const zend_object *zobj)
 	return false;
 }
 
+/* Check if we're in the FIRST construction of an object.
+ * Uses the IS_OBJ_CTOR_CALLED flag which is set when a constructor completes.
+ * This allows both 'new' and explicit __construct() calls on reflection-created objects. */
+ZEND_API bool zend_is_in_original_construction(const zend_object *zobj)
+{
+	/* If a constructor has already completed on this object, this is not original construction */
+	if (zobj->extra_flags & IS_OBJ_CTOR_CALLED) {
+		return false;
+	}
+
+	/* Verify we're actually in a constructor for this object */
+	return zend_is_in_constructor(zobj);
+}
+
 static zend_arg_info zend_call_trampoline_arginfo[1] = {{0}};
 static zend_arg_info zend_property_hook_arginfo[1] = {{0}};
 

Zend/zend_object_handlers.h

@@ -276,7 +276,7 @@ ZEND_API zend_result zend_std_get_closure(zend_object *obj, zend_class_entry **c
 ZEND_API HashTable *rebuild_object_properties_internal(zend_object *zobj);
 ZEND_API ZEND_COLD zend_never_inline void zend_bad_method_call(const zend_function *fbc, const zend_string *method_name, const zend_class_entry *scope);
 ZEND_API ZEND_COLD zend_never_inline void zend_abstract_method_call(const zend_function *fbc);
-ZEND_API bool zend_is_in_constructor(const zend_object *zobj);
+ZEND_API bool zend_is_in_original_construction(const zend_object *zobj);
 
 /* Check if a readonly property can be modified (has REINITABLE or CPP_REINITABLE flag and is in constructor) */
 static zend_always_inline bool zend_is_readonly_property_modifiable(zval *property_val, const zend_property_info *prop_info, zend_object *zobj)
@@ -285,7 +285,7 @@ static zend_always_inline bool zend_is_readonly_property_modifiable(zval *proper
 		return true;
 	}
 	if ((Z_PROP_FLAG_P(property_val) & IS_PROP_CPP_REINITABLE)
-	    && zend_is_in_constructor(zobj)) {
+	    && zend_is_in_original_construction(zobj)) {
 		return true;
 	}
 	return false;

Zend/zend_types.h

@@ -858,6 +858,7 @@ static zend_always_inline uint32_t zval_gc_info(uint32_t gc_type_info) {
 
 #define IS_OBJ_LAZY_UNINITIALIZED   (1U<<31) /* Virtual proxy or uninitialized Ghost */
 #define IS_OBJ_LAZY_PROXY           (1U<<30) /* Virtual proxy (may be initialized) */
+#define IS_OBJ_CTOR_CALLED          (1U<<29) /* A constructor has completed on this object */
 
 #define OBJ_EXTRA_FLAGS(obj)		((obj)->extra_flags)
 

Zend/zend_vm_def.h

@@ -2975,7 +2975,12 @@ ZEND_VM_HOT_HELPER(zend_leave_helper, ANY, ANY)
 		call_info = EX_CALL_INFO();
 #endif
 		if (UNEXPECTED(call_info & ZEND_CALL_RELEASE_THIS)) {
-			OBJ_RELEASE(Z_OBJ(execute_data->This));
+			zend_object *obj = Z_OBJ(execute_data->This);
+			/* Mark that a constructor has completed on this object */
+			if (EX(func)->common.fn_flags & ZEND_ACC_CTOR) {
+				obj->extra_flags |= IS_OBJ_CTOR_CALLED;
+			}
+			OBJ_RELEASE(obj);
 		} else if (UNEXPECTED(call_info & ZEND_CALL_CLOSURE)) {
 			OBJ_RELEASE(ZEND_CLOSURE_OBJECT(EX(func)));
 		}
@@ -3009,7 +3014,12 @@ ZEND_VM_HOT_HELPER(zend_leave_helper, ANY, ANY)
 		zend_vm_stack_free_extra_args_ex(call_info, execute_data);
 
 		if (UNEXPECTED(call_info & ZEND_CALL_RELEASE_THIS)) {
-			OBJ_RELEASE(Z_OBJ(execute_data->This));
+			zend_object *obj = Z_OBJ(execute_data->This);
+			/* Mark that a constructor has completed on this object */
+			if (EX(func)->common.fn_flags & ZEND_ACC_CTOR) {
+				obj->extra_flags |= IS_OBJ_CTOR_CALLED;
+			}
+			OBJ_RELEASE(obj);
 		} else if (UNEXPECTED(call_info & ZEND_CALL_CLOSURE)) {
 			OBJ_RELEASE(ZEND_CLOSURE_OBJECT(EX(func)));
 		}