Fix closure GC handler for fake closures

Fixes oss-fuzz #31135.

Zend/tests/closures/closure_from_callable_gc.phpt

@@ -0,0 +1,27 @@
+--TEST--
+Closure::fromCallabl() and GC
+--FILE--
+<?php
+
+class Test {
+    public function method() {}
+
+    public function method2($y) {
+        static $x;
+        $x = $y;
+    }
+}
+
+$fn = Closure::fromCallable([new Test, 'method2']);
+$fn($fn);
+unset($fn); // Still referenced from static var.
+gc_collect_cycles();
+
+$fn = Closure::fromCallable([new Test, 'method']);
+$fn2 = $fn; unset($fn2); // Add to root buffer.
+gc_collect_cycles();
+
+?>
+===DONE===
+--EXPECT--
+===DONE===

Zend/zend_closures.c

@@ -620,8 +620,9 @@ static HashTable *zend_closure_get_gc(zend_object *obj, zval **table, int *n) /*
 
 	*table = Z_TYPE(closure->this_ptr) != IS_NULL ? &closure->this_ptr : NULL;
 	*n = Z_TYPE(closure->this_ptr) != IS_NULL ? 1 : 0;
-	return (closure->func.type == ZEND_USER_FUNCTION &&
-		closure->func.op_array.static_variables) ?
+	/* Fake closures don't own the static variables they reference. */
+	return (closure->func.type == ZEND_USER_FUNCTION
+			&& !(closure->func.op_array.fn_flags & ZEND_ACC_FAKE_CLOSURE)) ?
 		ZEND_MAP_PTR_GET(closure->func.op_array.static_variables_ptr) : NULL;
 }
 /* }}} */