Assertion failure in Zend VM during foreach with LazyProxy reassignment and garbage collection (ZEND_INIT_FCALL_SPEC_CONST_HANDLER)

[vi3tL0u1s]

Description

The following code:

<?php
class C{
public $a;
}
function test($o){$r = new ReflectionClass(C::class);
$r->getProperty('a')->setRawValueWithoutLazyInitialization($o,3);
foreach($o as $x=>&$y)$o = $r->x = $r->newLazyProxy(function(){});gc_collect_cycles();
}
$r = new ReflectionClass(C::class);$o = $r->x = $r->newLazyProxy(function(){});test($o);
?>

Resulted in this output:

php: Zend/zend_vm_execute.h:4187: const zend_op *ZEND_INIT_FCALL_SPEC_CONST_HANDLER(zend_execute_data *, const zend_op *): Assertion `!(executor_globals.exception)' failed.
Aborted

Commit:

6872cf2eef921b9d27fa300ca5a7ad3bc27aee1c

Configurations:

CC="clang" CXX="clang++" CFLAGS="-fsanitize=address -g -O0" CXXFLAGS="-fsanitize=address -g -O0" ./configure --enable-debug --enable-address-sanitizer --disable-shared --with-pic

PHP Version

PHP 8.5.0-dev (cli) (built: Oct  7 2025 05:51:18) (NTS DEBUG)
Copyright (c) The PHP Group
Zend Engine v4.6.0-dev, Copyright (c) Zend Technologies
    with Zend OPcache v8.5.0-dev, Copyright (c), by Zend Technologies

Operating System

Ubuntu 22.04

[nielsdos]

Checked, same root cause as #20085, same patch fixes it. Closing as duplicate.