Remove dynamic defs from property hooks

Otherwise this hits an assertion failure in pass2 reversal and causes a
subsequent crash.

Closes GH-19206.

Author: nielsdos

NEWS

@@ -47,6 +47,7 @@ PHP                                                                        NEWS
   . Reset global pointers to prevent use-after-free in zend_jit_status().
     (Florian Engelhardt)
   . Fix issue with JIT restart and hooks. (nielsdos)
+  . Fix crash with dynamic function defs in hooks during preload. (nielsdos)
 
 - OpenSSL:
   . Fixed bug GH-18986 (OpenSSL backend: incorrect RAND_{load,write}_file()

ext/opcache/ZendAccelerator.c

@@ -4132,6 +4132,24 @@ static void preload_link(void)
 				preload_remove_declares(op_array);
 			}
 		} ZEND_HASH_FOREACH_END();
+
+		if (ce->num_hooked_props > 0) {
+			zend_property_info *info;
+
+			ZEND_HASH_MAP_FOREACH_PTR(&ce->properties_info, info) {
+				if (info->hooks) {
+					for (uint32_t i = 0; i < ZEND_PROPERTY_HOOK_COUNT; i++) {
+						if (info->hooks[i]) {
+							op_array = &info->hooks[i]->op_array;
+							ZEND_ASSERT(op_array->type == ZEND_USER_FUNCTION);
+							if (!(op_array->fn_flags & ZEND_ACC_TRAIT_CLONE)) {
+								preload_remove_declares(op_array);
+							}
+						}
+					}
+				}
+			} ZEND_HASH_FOREACH_END();
+		}
 	} ZEND_HASH_FOREACH_END();
 }
 

ext/opcache/tests/preload_dynamic_def_removal.inc

@@ -5,6 +5,15 @@ class Test {
             echo "dynamic\n";
         }
     }      
+
+    public int $hook {
+        get {
+            function dynamic_in_hook() {
+                echo "dynamic in hook\n";
+            }
+            return 1;
+        }
+    }
 }       
 
 function func() {
@@ -16,3 +25,4 @@ function func() {
 $test = new Test; 
 $test->method();
 func();
+$test->hook;

ext/opcache/tests/preload_dynamic_def_removal.phpt

@@ -15,7 +15,9 @@ if (PHP_OS_FAMILY == 'Windows') die('skip Preloading is not supported on Windows
 <?php
 dynamic();
 dynamic2();
+dynamic_in_hook();
 ?>
 --EXPECT--
 dynamic
 dynamic2
+dynamic in hook