State-dependent segfault in ReflectionObject::getProperties #10983

Closed
@jnvsor

Description

The following code:

<?php

require __DIR__ . '/kint.phar';

$xml = <<<XML
<form name="test"></form>
XML;

$simplexml = simplexml_load_string($xml);

var_dump($simplexml['name']);
$reflector = new ReflectionObject($simplexml['name']);
$rprops = $reflector->getProperties();

Resulted in this output:

object(SimpleXMLElement)#3 (1) {
  [0]=>
  string(4) "test"
}
Segmentation fault

But I expected this output instead:

object(SimpleXMLElement)#3 (1) {
  [0]=>
  string(4) "test"
}

The phar isn't actually used in the segfaulting code, but when I don't load it, it works fine. The initialization of the phar probably causes some internal state change that reveals this bug.

Since I built the phar, I've attempted to track down the internal cause of the issue. Locally I've reduced it to these files:

/src/Kint.php
/src/FacadeInterface.php
/src/Utils.php
/init_phar.php
/init.php
/init_helpers.php

Removing the call to Utils::composerSkipFlags from init.php:64 will stop the segfault. It's not caused by loading the class, since calling another Utils method instead works fine.

This occurs even when the entirety of Utils is stubbed to:

namespace Kint;

final class Utils
{
    public static function composerSkipFlags(): void
    {
    }
}

Meanwhile, removing most of the methods from the Kint class suddenly makes calling the other methods from Utils cause the segfault again.

Removing or changing the return type of any of the following Kint methods will fix the segfault:

dumpVar
shortenPath
getIdeLink
getSingleCall

So, long story short, something strange is happening internally and I don't have the tools to debug it further.

GDB backtrace:

#0  0x0000555555716972 in ?? ()
#1  0x000055555571a942 in ?? ()
#2  0x00005555558be278 in execute_ex ()
#3  0x00005555558be895 in zend_execute ()
#4  0x000055555584d828 in zend_execute_scripts ()
#5  0x00005555557e7f7e in php_execute_script ()
#6  0x00005555559340cd in ?? ()
#7  0x000055555567be07 in ?? ()
#8  0x00007ffff744618a in __libc_start_call_main (main=main@entry=0x55555567bb20, argc=argc@entry=2, 
    argv=argv@entry=0x7fffffffe648) at ../sysdeps/nptl/libc_start_call_main.h:58
#9  0x00007ffff7446245 in __libc_start_main_impl (main=0x55555567bb20, argc=2, argv=0x7fffffffe648, 
    init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe638)
    at ../csu/libc-start.c:381
#10 0x000055555567d071 in _start ()

Full version info:

PHP 8.2.4 (cli) (built: Mar 16 2023 14:24:40) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.2.4, Copyright (c) Zend Technologies
    with Zend OPcache v8.2.4, Copyright (c), by Zend Technologies

Debian sid package php8.2-cli version 8.2.4-1

PHP Version

PHP 8.2.4

Operating System

Debian Sid
