Merge branch 'PHP-8.3' into PHP-8.4

* PHP-8.3:
  Fix GH-17736: Assertion failure zend_reference_destroy()

Author: nielsdos

NEWS

@@ -12,6 +12,9 @@ PHP                                                                        NEWS
   . Fixed bug GH-17913 (ReflectionFunction::isDeprecated() returns incorrect
     results for closures created from magic __call()). (timwolla)
 
+- Treewide:
+  . Fixed bug GH-17736 (Assertion failure zend_reference_destroy()). (nielsdos)
+
 27 Feb 2025, PHP 8.4.5
 
 - BCMath:

Zend/zend_execute.c

@@ -3424,6 +3424,9 @@ static zend_always_inline void zend_fetch_property_address(zval *result, zval *c
 				return;
 			}
 		}
+	} else if (prop_op_type == IS_CONST) {
+		/* CE mismatch, make cache slot consistent */
+		cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
 	}
 
 	/* Pointer on property callback is required */

ext/date/php_date.c

@@ -4618,6 +4618,7 @@ static zval *date_interval_get_property_ptr_ptr(zend_object *object, zend_string
 		zend_string_equals_literal(name, "days") ||
 		zend_string_equals_literal(name, "invert") ) {
 		/* Fallback to read_property. */
+		cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
 		ret = NULL;
 	} else {
 		ret = zend_std_get_property_ptr_ptr(object, name, type, cache_slot);

ext/dom/php_dom.c

@@ -362,6 +362,7 @@ static zval *dom_get_property_ptr_ptr(zend_object *object, zend_string *name, in
 		return zend_std_get_property_ptr_ptr(object, name, type, cache_slot);
 	}
 
+	cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
 	return NULL;
 }
 

ext/pdo/pdo_stmt.c

@@ -2491,6 +2491,7 @@ static zval *pdo_row_get_property_ptr_ptr(zend_object *object, zend_string *name
 	ZEND_IGNORE_VALUE(type);
 	ZEND_IGNORE_VALUE(cache_slot);
 
+	cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
 	return NULL;
 }
 

ext/simplexml/simplexml.c

@@ -639,6 +639,8 @@ static zval *sxe_property_get_adr(zend_object *object, zend_string *zname, int f
 	SXE_ITER        type;
 	zval            member;
 
+	cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
+
 	sxe = php_sxe_fetch_object(object);
 	GET_NODE(sxe, node);
 	if (UNEXPECTED(!node)) {

ext/simplexml/tests/gh17736.phpt

@@ -0,0 +1,20 @@
+--TEST--
+GH-17736 (Assertion failure zend_reference_destroy())
+--EXTENSIONS--
+simplexml
+--FILE--
+<?php
+$o1 = new SimpleXMLElement('<a/>');
+class C {
+    public int $a = 1;
+}
+function test($obj) {
+    $ref =& $obj->a;
+}
+$obj = new C;
+test($obj);
+test($o1);
+echo "Done\n";
+?>
+--EXPECT--
+Done

ext/snmp/snmp.c

@@ -1861,6 +1861,7 @@ static zval *php_snmp_get_property_ptr_ptr(zend_object *object, zend_string *nam
 		return zend_std_get_property_ptr_ptr(object, name, type, cache_slot);
 	}
 
+	cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
 	return NULL;
 }
 

ext/spl/spl_array.c

@@ -861,6 +861,8 @@ static zval *spl_array_get_property_ptr_ptr(zend_object *object, zend_string *na
 
 	if ((intern->ar_flags & SPL_ARRAY_ARRAY_AS_PROPS) != 0
 		&& !zend_std_has_property(object, name, ZEND_PROPERTY_EXISTS, NULL)) {
+		cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
+
 		/* If object has offsetGet() overridden, then fallback to read_property,
 		 * which will call offsetGet(). */
 		zval member;

ext/xmlreader/php_xmlreader.c

@@ -113,10 +113,12 @@ static int xmlreader_property_reader(xmlreader_object *obj, xmlreader_prop_handl
 zval *xmlreader_get_property_ptr_ptr(zend_object *object, zend_string *name, int type, void **cache_slot)
 {
 	zval *retval = NULL;
-	xmlreader_prop_handler *hnd = zend_hash_find_ptr(&xmlreader_prop_handlers, name);
 
+	xmlreader_prop_handler *hnd = zend_hash_find_ptr(&xmlreader_prop_handlers, name);
 	if (hnd == NULL) {
 		retval = zend_std_get_property_ptr_ptr(object, name, type, cache_slot);
+	} else {
+		cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
 	}
 
 	return retval;

ext/zip/php_zip.c

@@ -889,6 +889,8 @@ static zval *php_zip_get_property_ptr_ptr(zend_object *object, zend_string *name
 	zval *retval = NULL;
 	zip_prop_handler *hnd = NULL;
 
+	cache_slot[0] = cache_slot[1] = cache_slot[2] = NULL;
+
 	obj = php_zip_fetch_object(object);
 
 	if (obj->prop_handler != NULL) {