Avoid allocating property slot for virtual properties

Author: iluuu1994

Zend/zend_API.c

@@ -4562,6 +4562,15 @@ ZEND_API zend_property_info *zend_declare_typed_property(zend_class_entry *ce, z
 		}
 	}
 
+	/* Virtual properties have no backing storage, the offset should never be used. However, the
+	 * virtual flag cannot be definitively determined at compile time. Allow using default values
+	 * anyway, and assert after inheritance that the property is not actually virtual. */
+	if (access_type & ZEND_ACC_VIRTUAL) {
+		if (Z_TYPE_P(property) == IS_UNDEF) {
+			property_info->offset = (uint32_t)-1;
+			goto skip_property_storage;
+		}
+	}
 	if (access_type & ZEND_ACC_STATIC) {
 		if ((property_info_ptr = zend_hash_find_ptr(&ce->properties_info, name)) != NULL) {
 			ZEND_ASSERT(property_info_ptr->flags & ZEND_ACC_STATIC);
@@ -4611,6 +4620,7 @@ ZEND_API zend_property_info *zend_declare_typed_property(zend_class_entry *ce, z
 		ZVAL_COPY_VALUE(property_default_ptr, property);
 		Z_PROP_FLAG_P(property_default_ptr) = Z_ISUNDEF_P(property) ? IS_PROP_UNINIT : 0;
 	}
+skip_property_storage:
 	if (ce->type & ZEND_INTERNAL_CLASS) {
 		/* Must be interned to avoid ZTS data races */
 		if (is_persistent_class(ce)) {

Zend/zend_inheritance.c

@@ -1481,24 +1481,33 @@ static void do_inherit_property(zend_property_info *parent_info, zend_string *ke
 				/* If we added props to the child property, we use the childs slot for
 				 * storage to keep the parent slot set to null. This automatically picks
 				 * the slow path in the JIT. */
-				bool use_parent_prop = !parent_info->hooks && child_info->hooks;
+				bool use_child_prop = !parent_info->hooks && child_info->hooks;
+
+				if (use_child_prop && child_info->offset == ZEND_VIRTUAL_PROPERTY_OFFSET) {
+					child_info->offset = OBJ_PROP_TO_OFFSET(ce->default_properties_count);
+					ce->default_properties_count++;
+					ce->default_properties_table = perealloc(ce->default_properties_table, sizeof(zval) * ce->default_properties_count, ce->type == ZEND_INTERNAL_CLASS);
+					zval *property_default_ptr = &ce->default_properties_table[OBJ_PROP_TO_NUM(child_info->offset)];
+					ZVAL_UNDEF(property_default_ptr);
+					Z_PROP_FLAG_P(property_default_ptr) = IS_PROP_UNINIT;
+				}
 
 				if (child_info->offset != ZEND_VIRTUAL_PROPERTY_OFFSET) {
 					int parent_num = OBJ_PROP_TO_NUM(parent_info->offset);
 
 					/* Don't keep default properties in GC (they may be freed by opcache) */
 					zval_ptr_dtor_nogc(&(ce->default_properties_table[parent_num]));
 
-					if (use_parent_prop) {
+					if (use_child_prop) {
+						ZVAL_UNDEF(&ce->default_properties_table[parent_num]);
+					} else {
 						int child_num = OBJ_PROP_TO_NUM(child_info->offset);
 						ce->default_properties_table[parent_num] = ce->default_properties_table[child_num];
 						ZVAL_UNDEF(&ce->default_properties_table[child_num]);
-					} else {
-						ZVAL_UNDEF(&ce->default_properties_table[parent_num]);
 					}
 				}
 
-				if (use_parent_prop) {
+				if (!use_child_prop) {
 					child_info->offset = parent_info->offset;
 				}
 				child_info->flags &= ~ZEND_ACC_VIRTUAL;