Merge branch 'PHP-7.4'

* PHP-7.4:
  Fixed second part of the bug #78379 (Cast to object confuses GC, causes crash)

diff --cc Zend/zend_gc.c
index 7a997a485d6a2dd4556fbfb799fbcff500191a2c,97a7edaac2e0eee44635158a3841c18e34faa454..e5c961d3d05c1133efd32c150c35f99014d55e10
--- 1/Zend/zend_gc.c
--- 2/Zend/zend_gc.c
+++ b/Zend/zend_gc.c
@@@ -696,10 -696,13 +696,11 @@@ tail_call
                if (EXPECTED(!(OBJ_FLAGS(ref) & IS_OBJ_FREE_CALLED))) {
                        int n;
                        zval *zv, *end;
 -                      zval tmp;
  
 -                      ZVAL_OBJ(&tmp, obj);
 -                      ht = obj->handlers->get_gc(&tmp, &zv, &n);
 +                      ht = obj->handlers->get_gc(obj, &zv, &n);
                        end = zv + n;
-                       if (EXPECTED(!ht)) {
+                       if (EXPECTED(!ht) || UNEXPECTED(GC_REF_CHECK_COLOR(ht, GC_BLACK))) {
+                               ht = NULL;
                                if (!n) goto next;
                                while (!Z_REFCOUNTED_P(--end)) {
                                        if (zv == end) goto next;
@@@ -811,10 -816,13 +814,11 @@@ static void gc_mark_grey(zend_refcounte
                        if (EXPECTED(!(OBJ_FLAGS(ref) & IS_OBJ_FREE_CALLED))) {
                                int n;
                                zval *zv, *end;
 -                              zval tmp;
  
 -                              ZVAL_OBJ(&tmp, obj);
 -                              ht = obj->handlers->get_gc(&tmp, &zv, &n);
 +                              ht = obj->handlers->get_gc(obj, &zv, &n);
                                end = zv + n;
-                               if (EXPECTED(!ht)) {
+                               if (EXPECTED(!ht) || UNEXPECTED(GC_REF_CHECK_COLOR(ht, GC_GREY))) {
+                                       ht = NULL;
                                        if (!n) goto next;
                                        while (!Z_REFCOUNTED_P(--end)) {
                                                if (zv == end) goto next;
@@@ -997,10 -1007,13 +1003,11 @@@ tail_call
                                if (EXPECTED(!(OBJ_FLAGS(ref) & IS_OBJ_FREE_CALLED))) {
                                        int n;
                                        zval *zv, *end;
 -                                      zval tmp;
  
 -                                      ZVAL_OBJ(&tmp, obj);
 -                                      ht = obj->handlers->get_gc(&tmp, &zv, &n);
 +                                      ht = obj->handlers->get_gc(obj, &zv, &n);
                                        end = zv + n;
-                                       if (EXPECTED(!ht)) {
+                                       if (EXPECTED(!ht) || UNEXPECTED(!GC_REF_CHECK_COLOR(ht, GC_GREY))) {
+                                               ht = NULL;
                                                if (!n) goto next;
                                                while (!Z_REFCOUNTED_P(--end)) {
                                                        if (zv == end) goto next;
@@@ -1165,9 -1181,11 +1174,10 @@@ static int gc_collect_white(zend_refcou
                                  || obj->ce->destructor != NULL)) {
                                        *flags |= GC_HAS_DESTRUCTORS;
                                }
 -                              ZVAL_OBJ(&tmp, obj);
 -                              ht = obj->handlers->get_gc(&tmp, &zv, &n);
 +                              ht = obj->handlers->get_gc(obj, &zv, &n);
                                end = zv + n;
-                               if (EXPECTED(!ht)) {
+                               if (EXPECTED(!ht) || UNEXPECTED(GC_REF_CHECK_COLOR(ht, GC_BLACK))) {
+                                       ht = NULL;
                                        if (!n) goto next;
                                        while (!Z_REFCOUNTED_P(--end)) {
                                                /* count non-refcounted for compatibility ??? */