Fix incorrect properties_info_table access

Author: iluuu1994

Zend/zend_compile.h

@@ -463,7 +463,10 @@ typedef struct _zend_property_info {
 #define OBJ_PROP_TO_OFFSET(num) \
 	((uint32_t)(XtOffsetOf(zend_object, properties_table) + sizeof(zval) * (num)))
 #define OBJ_PROP_TO_NUM(offset) \
-	((offset - OBJ_PROP_TO_OFFSET(0)) / sizeof(zval))
+	(((offset) - OBJ_PROP_TO_OFFSET(0)) / sizeof(zval))
+
+#define Z_PROP_TABLE_OFFSET(prop_info) \
+	OBJ_PROP_TO_NUM(!((prop_info)->prototype->flags & ZEND_ACC_VIRTUAL) ? (prop_info)->prototype->offset : (prop_info)->offset)
 
 typedef struct _zend_class_constant {
 	zval value; /* flags are stored in u2 */

Zend/zend_inheritance.c

@@ -1675,11 +1675,7 @@ void zend_build_properties_info_table(zend_class_entry *ce)
 	ZEND_HASH_MAP_FOREACH_PTR(&ce->properties_info, prop) {
 		if (prop->ce == ce && (prop->flags & ZEND_ACC_STATIC) == 0
 		 && !(prop->flags & ZEND_ACC_VIRTUAL)) {
-			if (!(prop->prototype->flags & ZEND_ACC_VIRTUAL)) {
-				table[OBJ_PROP_TO_NUM(prop->prototype->offset)] = prop;
-			} else {
-				table[OBJ_PROP_TO_NUM(prop->offset)] = prop;
-			}
+			table[Z_PROP_TABLE_OFFSET(prop)] = prop;
 		}
 	} ZEND_HASH_FOREACH_END();
 }

ext/opcache/jit/zend_jit_ir.c

@@ -14377,7 +14377,7 @@ static int zend_jit_fetch_obj(zend_jit_ctx         *jit,
 					ref = ir_CONST_ADDR(prop_info);
 				} else {
 					int prop_info_offset =
-						(((prop_info->prototype->offset - (sizeof(zend_object) - sizeof(zval))) / sizeof(zval)) * sizeof(void*));
+						(((Z_PROP_TABLE_OFFSET(prop_info) - (sizeof(zend_object) - sizeof(zval))) / sizeof(zval)) * sizeof(void*));
 
 					ref = ir_LOAD_A(ir_ADD_OFFSET(obj_ref, offsetof(zend_object, ce)));
 					ref = ir_LOAD_A(ir_ADD_OFFSET(ref, offsetof(zend_class_entry, properties_info_table)));
@@ -14778,7 +14778,7 @@ static int zend_jit_assign_obj(zend_jit_ctx         *jit,
 				ref = ir_CONST_ADDR(prop_info);
 			} else {
 				int prop_info_offset =
-					(((prop_info->prototype->offset - (sizeof(zend_object) - sizeof(zval))) / sizeof(zval)) * sizeof(void*));
+					(((Z_PROP_TABLE_OFFSET(prop_info) - (sizeof(zend_object) - sizeof(zval))) / sizeof(zval)) * sizeof(void*));
 
 				ref = ir_LOAD_A(ir_ADD_OFFSET(obj_ref, offsetof(zend_object, ce)));
 				ref = ir_LOAD_A(ir_ADD_OFFSET(ref, offsetof(zend_class_entry, properties_info_table)));
@@ -15134,7 +15134,7 @@ static int zend_jit_assign_obj_op(zend_jit_ctx         *jit,
 				ref = ir_CONST_ADDR(prop_info);
 			} else {
 				int prop_info_offset =
-					(((prop_info->prototype->offset - (sizeof(zend_object) - sizeof(zval))) / sizeof(zval)) * sizeof(void*));
+					(((Z_PROP_TABLE_OFFSET(prop_info) - (sizeof(zend_object) - sizeof(zval))) / sizeof(zval)) * sizeof(void*));
 
 				ref = ir_LOAD_A(ir_ADD_OFFSET(obj_ref, offsetof(zend_object, ce)));
 				ref = ir_LOAD_A(ir_ADD_OFFSET(ref, offsetof(zend_class_entry, properties_info_table)));
@@ -15524,7 +15524,7 @@ static int zend_jit_incdec_obj(zend_jit_ctx         *jit,
 				ref = ir_CONST_ADDR(prop_info);
 			} else {
 				int prop_info_offset =
-					(((prop_info->prototype->offset - (sizeof(zend_object) - sizeof(zval))) / sizeof(zval)) * sizeof(void*));
+					(((Z_PROP_TABLE_OFFSET(prop_info) - (sizeof(zend_object) - sizeof(zval))) / sizeof(zval)) * sizeof(void*));
 
 				ref = ir_LOAD_A(ir_ADD_OFFSET(obj_ref, offsetof(zend_object, ce)));
 				ref = ir_LOAD_A(ir_ADD_OFFSET(ref, offsetof(zend_class_entry, properties_info_table)));