Fix RC=1 references of declared properties when casting objects to arrays

Fixes GH-8655.
Closes GH-8737.

NEWS

@@ -7,6 +7,8 @@ PHP                                                                        NEWS
   . Fixed leak in Enum::from/tryFrom for internal enums when using JIT (ilutov)
   . Fixed calling internal methods with a static return type from
     extension code. (Sara)
+  . Fixed bug GH-8655 (Casting an object to array does not unwrap refcount=1
+    references). (Nicolas Grekas)
 
 - Date:
   . Fixed bug #72963 (Null-byte injection in CreateFromFormat and related

Zend/tests/bugGH-8655.phpt

@@ -0,0 +1,29 @@
+--TEST--
+Bug GH-8655 (zval reference is not released when targetting a declared property)
+--FILE--
+<?php
+class Foo
+{
+    public $foo;
+}
+
+function hydrate($properties, $object)
+{
+    foreach ($properties as $name => &$value) {
+        $object->$name = &$value;
+    }
+};
+
+$object = new Foo;
+
+hydrate(['foo' => 123], $object);
+
+$arrayCast = (array) $object;
+
+$object->foo = 234;
+var_dump(ReflectionReference::fromArrayElement($arrayCast, 'foo'));
+echo $arrayCast['foo'];
+?>
+--EXPECT--
+NULL
+123

Zend/zend_object_handlers.c

@@ -111,6 +111,10 @@ ZEND_API HashTable *zend_std_build_object_properties_array(zend_object *zobj) /*
 				continue;
 			}
 
+			if (Z_ISREF_P(prop) && Z_REFCOUNT_P(prop) == 1) {
+				prop = Z_REFVAL_P(prop);
+			}
+
 			Z_TRY_ADDREF_P(prop);
 			_zend_hash_append(ht, prop_info->name, prop);
 		}