Memory leak when calling a static method inside an xpath query

[flmommens]

Description

Calling a static method inside an xpath query like so
$xpath->query("//a[php:function('MyClass::myMethod()')]")
generates a memory leak with PHP 8.1 and PHP 8.2. It used to work fine with PHP 7.2.

I have written a minimal script to reproduce the issue.

<?php

class MyClass
{
    public static function doesNothing(string $var): bool {
        return true;
    }
}

libxml_use_internal_errors(true);
$html = file_get_contents('hacks.html');
$doc = new DOMDocument();
$i = 0;
while(true) {
    $doc->loadHTML($html);
    $xpath = new DOMXpath($doc);
    $xpath->registerNamespace("php", "http://php.net/xpath");
    $xpath->registerPHPFunctions();
    $list =  $xpath->query("//a[php:function('MyClass::doesNothing', string(@href))]");
    echo $i++, "\r";
    libxml_clear_errors();
    usleep(10000);
}

I'm running PHP 8.1.18 and PHP 8.2.6 from Ondřej Surý packages on a Ubuntu 22.04 server. The problem is also present with the vanilla PHP (8.1.2).

I'm attaching the zipped hacks.html used in the above code for convenience but any HTML will trigger the issue.
hacks.zip

PHP Version

PHP 8.2.6

Operating System

Ubuntu 22.04

[nielsdos]

It's a type confusion bug, kinda. zend_make_callable may change the function name of the fci to become an array, causing a crash in debug mode on zval_ptr_dtor_str(&fci.function_name); in dom_xpath_ext_function_php. On a production build it doesn't crash but only causes a leak.
I'll also check the other zend_make_callable cases.