SplFixedArray incorrectly handles references in deserialization

### Description

The following code:

```php
<?
for ($i = 0; $i <= 2; $i++) {
    $tok = $conditions;
    $x[0] = &$$array;     
    $a[] = !$a; 
    $$a[0] =&rsort($a);
    unset($a[3][0]);
    $conditions = $b = new SplFixedArray(2);
    $b[0] = $$stdClassCollection = new SplObjectStorage;
    $v[0] = &$a;
    $a = unserialize(serialize($GLOBALS));
}
```

Resulted in this output:
```
Notice: Only variables should be assigned by reference in /path/to/poc.php on line 6
php: /path/to/php-src/Zend/zend_execute.h:216: void zend_safe_assign_to_variable_noref(zval *, zval *): Assertion `zval_get_type(&(*(variable_ptr))) != 10' failed.
Aborted
```

Commit:
```
56795d2810e
```

Build configuration:
```
CC="clang" CXX="clang++" CFLAGS="-fsanitize=address -g -O0" CXXFLAGS="-fsanitize=address -g -O0" LDFLAGS="-fsanitize=address" ./buildconf --force && ./configure --enable-debug --enable-address-sanitizer --disable-shared --with-pic --enable-mbstring --with-zlib
```


### PHP Version

```plain
PHP 8.6.0-dev (cli) (built: Nov 29 2025 14:32:34) (NTS DEBUG)
Copyright (c) The PHP Group
Zend Engine v4.6.0-dev, Copyright (c) Zend Technologies
    with Zend OPcache v8.6.0-dev, Copyright (c), by Zend Technologies
```

### Operating System

Ubuntu 22.04

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

SplFixedArray incorrectly handles references in deserialization #20614

Description

PHP Version

Operating System

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

SplFixedArray incorrectly handles references in deserialization #20614

Description

Description

PHP Version

Operating System

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions