Fix borked SCCP of array containing partial object

In SCCP, arrays containing partial objects must be marked as partial so that
their values are not accidentally propagated.

Fixes GH-21227
Closes GH-21232

NEWS

@@ -34,6 +34,8 @@ PHP                                                                        NEWS
 - Opcache:
   . Fixed bug GH-20718 ("Insufficient shared memory" when using JIT on Solaris).
     (Petr Sumbera)
+  . Fixed bug GH-21227 (Borked SCCP of array containing partial object).
+    (ilutov)
 
 - PDO_PGSQL:
   . Fixed bug GH-21055 (connection attribute status typo for GSS negotiation).

Zend/Optimizer/sccp.c

@@ -965,7 +965,7 @@ static void sccp_visit_instr(scdf_ctx *scdf, zend_op *opline, zend_ssa_op *ssa_o
 					SET_RESULT(op1, &zv);
 				} else if (ct_eval_assign_dim(&zv, data, op2) == SUCCESS) {
 					/* Mark array containing partial array as partial */
-					if (IS_PARTIAL_ARRAY(data)) {
+					if (IS_PARTIAL_ARRAY(data) || IS_PARTIAL_OBJECT(data)) {
 						MAKE_PARTIAL_ARRAY(&zv);
 					}
 					SET_RESULT(result, data);
@@ -1165,7 +1165,7 @@ static void sccp_visit_instr(scdf_ctx *scdf, zend_op *opline, zend_ssa_op *ssa_o
 						/* We can't add NEXT element into partial array (skip it) */
 						SET_RESULT(result, &zv);
 					} else if (ct_eval_add_array_elem(&zv, op1, op2) == SUCCESS) {
-						if (IS_PARTIAL_ARRAY(op1)) {
+						if (IS_PARTIAL_ARRAY(op1) || IS_PARTIAL_OBJECT(op1)) {
 							MAKE_PARTIAL_ARRAY(&zv);
 						}
 						SET_RESULT(result, &zv);

ext/opcache/tests/gh21227.phpt

@@ -0,0 +1,23 @@
+--TEST--
+GH-21227: Borked SCCP of array containing partial object
+--CREDITS--
+Daniel Chong (chongwick)
+--EXTENSIONS--
+opcache
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+--FILE--
+<?php
+
+function test() {
+    $obj->a = 3;
+    $objs = [];
+    $obj = new stdClass;
+    $objs[] = $obj;
+}
+
+?>
+===DONE===
+--EXPECT--
+===DONE===