Fix use-after-free of object released in hook

Fixes GH-16040
Closes GH-16058

NEWS

@@ -2,6 +2,9 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.4.0RC2
 
+- Core:
+  . Fixed bug GH-16040 (Use-after-free of object released in hook). (ilutov)
+
 - DOM:
   . Fixed bug GH-16039 (Segmentation fault (access null pointer) in
     ext/dom/parentnode/tree.c). (nielsdos)

Zend/tests/property_hooks/gh16040.phpt

@@ -0,0 +1,20 @@
+--TEST--
+GH-16040: Use-after-free of object released in hook
+--FILE--
+<?php
+
+class A {
+    public $bar {
+        get {
+            $GLOBALS['a'] = null;
+            return 42;
+        }
+    }
+}
+
+$a = new A();
+var_dump($a->bar);
+
+?>
+--EXPECT--
+int(42)

Zend/zend_object_handlers.c

@@ -828,8 +828,8 @@ try_again:
 
 		if (EXPECTED(cache_slot
 		 && zend_execute_ex == execute_ex
-		 && zobj->ce->default_object_handlers->read_property == zend_std_read_property
-		 && !zobj->ce->create_object
+		 && ce->default_object_handlers->read_property == zend_std_read_property
+		 && !ce->create_object
 		 && !zend_is_in_hook(prop_info)
 		 && !(prop_info->hooks[ZEND_PROPERTY_HOOK_GET]->common.fn_flags & ZEND_ACC_RETURN_REFERENCE))) {
 			ZEND_SET_PROPERTY_HOOK_SIMPLE_GET(cache_slot);