Fix mis-compilation of by-reference nullsafe operator

Fixes oss-fuzz #60011
Closes GH-11540

Co-authored-by: Dmitry Stogov <dmitry@zend.com>
Co-authored-by: Niels Dossche <7771979+nielsdos@users.noreply.github.com>

NEWS

@@ -8,6 +8,10 @@ PHP                                                                        NEWS
 - CLI:
   . Fix interrupted CLI output causing the process to exit. (nielsdos)
 
+- Core:
+  . Fixed oss-fuzz #60011 (Mis-compilation of by-reference nullsafe operator).
+    (ilutov)
+
 - Date:
   . Fixed bug GH-11368 (Date modify returns invalid datetime). (Derick)
 

Zend/tests/oss_fuzz_60011_1.phpt

@@ -0,0 +1,8 @@
+--TEST--
+oss-fuzz #60011 (Incorrect order of instruction with nullsafe operator)
+--FILE--
+<?php
+[&$y]=$y->y?->y;
+?>
+--EXPECTF--
+Fatal error: Cannot take reference of a nullsafe chain in %s on line %d

Zend/tests/oss_fuzz_60011_2.phpt

@@ -0,0 +1,8 @@
+--TEST--
+oss-fuzz #60011 (Incorrect order of instruction with nullsafe operator)
+--FILE--
+<?php
+[&$y]=$y?->y->y;
+?>
+--EXPECTF--
+Fatal error: Cannot take reference of a nullsafe chain in %s on line %d

Zend/zend_compile.c

@@ -3257,6 +3257,9 @@ static void zend_compile_assign(znode *result, zend_ast *ast) /* {{{ */
 				if (!zend_is_variable_or_call(expr_ast)) {
 					zend_error_noreturn(E_COMPILE_ERROR,
 						"Cannot assign reference to non referenceable value");
+				} else if (zend_ast_is_short_circuited(expr_ast)) {
+					zend_error_noreturn(E_COMPILE_ERROR,
+						"Cannot take reference of a nullsafe chain");
 				}
 
 				zend_compile_var(&expr_node, expr_ast, BP_VAR_W, 1);