Fix phpGH-17736: Assertion failure zend_reference_destroy()

The cache slot for FETCH_OBJ_W in function `test` is primed with the
class for C. The next call uses a simplexml instance and reuses the same
cache slot. simplexml's get_property_ptr handler does not use the cache
slot, so the old values remain in the cache slot. When
`zend_handle_fetch_obj_flags` is called this is not guarded by a check
for the class entry. So we end up using the prop_info from the property
C::$a instead of the simplexml property.

This patch adds a check for the class entry. I placed the check as late
as possible to avoid as much overhead as possible.
An alternative solution is to write NULLs to the cache slot in the
get_property_ptr handlers of extensions that don't use the cache slot,
but that is not general: not only simplexml would need changes, maybe
even third party extensions would need changes as well.

Author: nielsdos

Zend/zend_execute.c

@@ -3267,7 +3267,7 @@ static zend_always_inline void zend_fetch_property_address(zval *result, zval *c
 
 		if (prop_op_type == IS_CONST) {
 			prop_info = CACHED_PTR_EX(cache_slot + 2);
-			if (prop_info) {
+			if (prop_info && EXPECTED(zobj->ce == CACHED_PTR_EX(cache_slot))) {
 				if (UNEXPECTED(!zend_handle_fetch_obj_flags(result, ptr, NULL, prop_info, flags))) {
 					goto end;
 				}

ext/simplexml/tests/gh17736.phpt

@@ -0,0 +1,20 @@
+--TEST--
+GH-17736 (Assertion failure zend_reference_destroy())
+--EXTENSIONS--
+simplexml
+--FILE--
+<?php
+$o1 = new SimpleXMlElement('<a/>');
+class C {
+    public int $a = 1;
+}
+function test($obj) {
+    $ref =& $obj->a;
+}
+$obj = new C;
+test($obj);
+test($o1);
+echo "Done\n";
+?>
+--EXPECT--
+Done