HashTable use-after-destroy during lazy proxy __get() with dynamic properties

[vi3tL0u1s]

Description

The following code:

<?php
#[AllowDynamicProperties]
class RealInstance {
    public $_;
    public function __get($name) {
        global $obj;
        $obj->foo ??= $obj->$$a[] =&$$a;
        $a[] =$$a; 
        $x[!0] =$$a;
        return $this->name;
    }
}
class Proxy extends RealInstance {
    public function r_get($name) {
        return $this->$name;
    }
}
$rc = new ReflectionClass(Proxy::class);
$obj = $rc->newLazyProxy(function () {
    return new RealInstance;
});
$real = $rc->initializeLazyObject($obj);
var_dump($real->prop);

Resulted in this output:

/path/to/php-src/Zend/zend_hash.c(2699) : ht=0x7f6a9f802900 is already destroyed
php: /path/to/php-src/Zend/zend_hash.c:73: void _zend_is_inconsistent(const HashTable *, const char *, int): Assertion `0' failed.
Aborted

Notes

This bug triggers the same hash table use-after-destroy assertion as #20286 but via a different execution path.

Commit:

56795d2810e

Build configuration:

CC="clang" CXX="clang++" CFLAGS="-fsanitize=address -g -O0" CXXFLAGS="-fsanitize=address -g -O0" LDFLAGS="-fsanitize=address" ./buildconf --force && ./configure --enable-debug --enable-address-sanitizer --disable-shared --with-pic --enable-mbstring --with-zlib

PHP Version

PHP 8.6.0-dev (cli) (built: Nov 29 2025 14:32:34) (NTS DEBUG)
Copyright (c) The PHP Group
Zend Engine v4.6.0-dev, Copyright (c) Zend Technologies
    with Zend OPcache v8.6.0-dev, Copyright (c), by Zend Technologies

Operating System

Ubuntu 22.04