Assertion failure when freeing rvalue of ASSIGN_OBJ with typed refs and __toString()

### Description

The following code:

```php
<?php

class C {
    public string $a = '';
    public $b;
    function __toString() {
        global $c; // turns rvalue into a ref
        return '';
    }
}

$c = new C;
$c->b = &$c->a;
$c->b = $c;
```

Resulted in this output:
```
zend_execute.c:4093: i_zval_ptr_dtor_noref: Assertion `zval_get_type(&(*(zval_ptr))) != 10' failed.
```

Root cause is that we call `zend_assign_to_variable_ex()` / `zend_assign_to_typed_ref_ex()` with value_type=IS_TMP_VAR, when `value` may be a CV slot here: https://github.com/php/php-src/blob/02c67b47f728f915e6015c2fd52c6e1f7a27b172/Zend/zend_object_handlers.c#L875-L876

Therefore the slot may have been modified when reaching this call: https://github.com/php/php-src/blob/02c67b47f728f915e6015c2fd52c6e1f7a27b172/Zend/zend_execute.c#L3665

With the code above, the assertion fails because `orig_value` is now a ref.

### PHP Version

```plain
PHP 8.3
```

### Operating System

_No response_

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Assertion failure when freeing rvalue of ASSIGN_OBJ with typed refs and __toString() #20316

Description

PHP Version

Operating System

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

	variable_ptr = zend_assign_to_variable_ex(
	variable_ptr, value, IS_TMP_VAR, property_uses_strict_types(), &garbage);

Assertion failure when freeing rvalue of ASSIGN_OBJ with typed refs and __toString() #20316

Description

Description

PHP Version

Operating System

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions