I also have some doubts about the accuracy of the first part (you may only modify it if its reference count is 1). Why 1? Since zend_std_write_property increments the refcount before storing the zval in the hash table, it would make more sense if it read "...its reference count is 0". Together with issue raised in body of the bug report, it makes me think perhaps this comment was written thinking the refcount would be incremented before the call to write_property.

Where's the value modified in zend_std_weite_property()?

Usually in zend_object.properties hash table. This is the code executed if the hash table lookup is successful (otherwise there's a fallback to __set) and the zval* stored is different from the one passed:

if (PZVAL_IS_REF(*variable_ptr)) {
	zval garbage = **variable_ptr; /* old value should be destroyed */

	/* To check: can't *variable_ptr be some system variable like error_zval here? */
	Z_TYPE_PP(variable_ptr) = Z_TYPE_P(value);
	(*variable_ptr)->value = value->value;
	if (Z_REFCOUNT_P(value) > 0) {
		zval_copy_ctor(*variable_ptr);
	}
	zval_dtor(&garbage);
} else {
	zval *garbage = *variable_ptr;

	/* if we assign referenced variable, we should separate it */
	Z_ADDREF_P(value);
	if (PZVAL_IS_REF(value)) {
		SEPARATE_ZVAL(&value);
	}
	*variable_ptr = value;
	zval_ptr_dtor(&garbage);
}

As you can see, the reference count is changed.

Well, re-reading I think I misread your question. So to be clear:

The comment reads:
«You should NOT modify the reference count of the value passed to you»
zend_std_write_property() changes the the reference count of the passed "value" zval if
1. the property already exists in the object properties hash table or it doesn't exist but there is no __set magic
2. the value stored (if any) is not the same as the "value" passed
3. the value passed is not a reference, or at least, if it is, its refcount is 1

The call to __set itself may modify the refcount of "value".