fix: leak one refcount in ZBox<ZendClassObject<T>>::set_zval

[ptondereau]

Description

This one surfaced from biscuit-php while refactoring an exception type with #[php(prop)] fields thrown via with_object. Tests stayed green, but PHP 8.5.2-dev printed _zend_hash_str_add_or_update_i at shutdown, easy to read as harmless debug-build noise. Bisecting (#[php(prop)] on or off, ZendClassObject::new vs from_class) narrowed it to the set_zval impl on ZBox<ZendClassObject<T>>. The sibling impl ZBox<ZendObject>::set_zval in src/types/object.rs already carried the dec_count workaround, with a comment from the original author flagging it, the class-object impl was the one that never got the same treatment.

While returning a ZendClassObject<T> from Rust to PHP through into_zval, the box's only reference was being preserved by into_raw and then a second one was being added by set_object, leaving the object stuck at refcount 2. The zval would later release one, but the count never reached zero. Every exception built that way, every class object handed back from a #[php(prop)] getter, every PHP-visible value coming out of that path leaked a copy on shutdown. On a debug PHP build the leak then propagated into shared class storage and tripped _zend_hash_str_add_or_update_i on module shutdown; on release builds it was just silent bytes piling up request after request.

The fix mirrors what ZBox<ZendObject>::set_zval in src/types/object.rs has been doing all along: drop one reference before handing the raw pointer to set_object, so the post-insertion count lands on the expected 1. The companion impl for RegisteredEnum + RegisteredClass in src/enum_.rs had the same shape and the same bug, so it got the same one-line correction.

Coverage closes the loop. A class extending \Exception with a #[php(prop)] field is now thrown 1024 times through the exact buggy entry point (ZendClassObject::new(...).into_zval(...) + with_object), and the test asserts that memory growth stays under 8 KB. Without the fix it climbs past 600 KB. Memory growth was chosen over the debug-only HT assertion so the regression remains visible on release PHP builds as well.

While auditing, the original draft analysis around throw_object (in src/exception.rs) was found to be incorrect: zend_throw_exception_object does not addref on the success path across PHP 8.1 → 8.5, so the current ManuallyDrop flow already balances correctly. No change there.

Checklist

• I have read the contribution guidelines and the code of conduct.
• I have added tests that prove my code works as expected.
• I have added documentation if applicable.
• I have added a migration guide if applicable.

[coveralls]

Coverage Report for CI Build 25676991317

Coverage decreased (-0.01%) to 66.23%

Details

• Coverage decreased (-0.01%) from the base build.
• Patch coverage: 4 uncovered changes across 2 files (0 of 4 lines covered, 0.0%).
• No coverage regressions found.

Uncovered Changes

File	Changed	Covered	%
src/enum_.rs	2	0	0.0%
src/types/class_object.rs	2	0	0.0%

Coverage Regressions

No coverage regressions found.

---

Coverage Stats

Relevant Lines:	13065
Covered Lines:	8653
Line Coverage:	66.23%
Coverage Strength:	33.26 hits per line

---

💛 - Coveralls

[github-actions]

Bencher Report

Branch	fix/class-object-refcount-leak
Testbed	PHP 8.4.21 (cli) (built: May 8 2026 04:58:07) (NTS)

⚠️ WARNING: Truncated view!

The full continuous benchmarking report exceeds the maximum length allowed on this platform.

⚠️ WARNING: No Threshold found!

Without a Threshold, no Alerts will ever be generated.

🐰 View full continuous benchmarking report in Bencher