Fix GH-15938: Hold onto the container after a get_property_ptr_ptr() call

[arnaud-lb]

Effects performed after a get_property_ptr_ptr() call may make the property pointer invalid by freeing or reallocating its container.

The container might be the object itself, the properties ht, a proxied object. For internal classes, this can be anything else.

Here we change the get_property_ptr_ptr handler so it exposes the actual container. The caller can then increase its refcount if any operation performed before the last access to the property could render the property invalid.

The get_property_ptr_ptr() implementation has the responsibility of ensuring that while the container's refcount is incremented, the property pointer remains valid.

Fixes GH-15938

cc @iluuu1994 @nielsdos

[iluuu1994]

The approach seems reasonable. It's a bit unfortunate that this API change is necessary only because of internal classes with fetch_ptr_ptr to custom storage that may also move, which should be very rare. FWIU, the properties table RC could simply always be increased along with the object RC, making that problem go away. For internal classes, maybe we could fix the issue in a different way by flagging the object for the duration of the ptr lifetime, and prevent changes being made to objects with such flags. This would require checks in multiple places, so might not be a better solution.

In any case, I don't object to this approach.

[ndossche]

This approach seems relatively simple and I can't immediately think of a problem. Will need to test more intensively coming week.

[derickr]

I have no objections either.

[dstogov]

I see this like a wrong direction...

[arnaud-lb]

@dstogov I'm happy to explore other directions.

The root of the problem is that we may have to coerce to string with __toString() after fetching the property ptr, but this may invalidate it. We can not coerce before fetching the property for two reasons:

• We may have to coerce the property value itself (https://gist.github.com/arnaud-lb/3812c14120a7a43217811508c8717382)
• The concat operation may be overloaded by the property value (Fix volatile INDICECT with .= #15961 (comment))

I can think of the following alternatives solutions:

• Consider the pointer invalid after a __toString() call, so fetch it again, or fallback or zend_assign_op_overloaded_property(). This moves complexity to zend_binary_assign_op_typed_prop() / concat_function() / users of get_property_ptr_ptr().
• Detect that the pointer was invalidated, but I don't think it's feasible or cheaper than the proposed solution. The pointer can be invalidated in many ways. If it's an obj->properties hash bucket, the bucket may be removed, or the hash table may be reallocated. If it's a pointer to obj->properties_table, the object itself maybe freed. If the object is lazy, it maybe a pointer to another object that may be freed.
• Deprecate __toString() for implicit coercion

[dstogov]

• Deprecate __toString() for implicit coercion

How can we detect the "implicit coercion"?

I think, this class of problems, should be fixed by disabling magic functions to do destructive things.
Just terminate the script without an attempt to recover.