Fix prop info fetching from prop slot with added hooks

Fixes GH-18268
Closes GH-18271

Author: iluuu1994

NEWS

@@ -7,6 +7,8 @@ PHP                                                                        NEWS
     evaluation). (ilutov)
   . Fixed bug GH-18038 (Lazy proxy calls magic methods twice). (Arnaud)
   . Fixed bug GH-18209 (Use-after-free in extract() with EXTR_REFS). (ilutov)
+  . Fixed bug GH-18268 (Segfault in array_walk() on object with added property
+    hooks). (ilutov)
 
 - DBA:
   . FIxed bug GH-18247 dba_popen() memory leak on invalid path. (David Carlier)

Zend/tests/property_hooks/gh18268.phpt

@@ -0,0 +1,23 @@
+--TEST--
+GH-18268: array_walk() on object with added property hooks
+--FILE--
+<?php
+
+class A {
+    public $prop = 42;
+}
+
+class B extends A {
+    public $prop = 42 {
+        set {}
+    }
+}
+
+$b = new B;
+array_walk($b, function (&$item) {
+    var_dump($item);
+});
+
+?>
+--EXPECT--
+int(42)

Zend/zend_compile.h

@@ -464,6 +464,8 @@ typedef struct _zend_property_info {
 	((uint32_t)(XtOffsetOf(zend_object, properties_table) + sizeof(zval) * (num)))
 #define OBJ_PROP_TO_NUM(offset) \
 	(((offset) - OBJ_PROP_TO_OFFSET(0)) / sizeof(zval))
+#define OBJ_PROP_SLOT_TO_OFFSET(obj, slot) \
+	((uintptr_t)(slot) - (uintptr_t)(obj))
 
 typedef struct _zend_class_constant {
 	zval value; /* flags are stored in u2 */

Zend/zend_objects_API.c

@@ -203,7 +203,7 @@ ZEND_API void ZEND_FASTCALL zend_objects_store_del(zend_object *object) /* {{{ *
 
 ZEND_API ZEND_COLD zend_property_info *zend_get_property_info_for_slot_slow(zend_object *obj, zval *slot)
 {
-	uintptr_t offset = (uintptr_t)slot - (uintptr_t)obj->properties_table;
+	uintptr_t offset = OBJ_PROP_SLOT_TO_OFFSET(obj, slot);
 	zend_property_info *prop_info;
 	ZEND_HASH_MAP_FOREACH_PTR(&obj->ce->properties_info, prop_info) {
 		if (prop_info->offset == offset) {