Description:
------------
Our current logic in garbage collector assumes that, if we have a refcount not higher than before, the data can be safely freed.

Which is not a valid assumption as the following snippet demonstrates: if the value is incremented by backing up and decremented again by manual unset(), the refcount is still equal; thus the garbage collector will free it, even though it cannot.

The relevant snippet within zend_gc.c, after invoking destructors, on each remaining root:

if (GC_REFCOUNT(current->ref) > current->refcount) {
  	gc_remove_nested_data_from_buffer(current->ref, current);
}


Test script:
---------------
(function() {
        $foo = new class {
                public $bar;

                function __destruct() {
                        global $bak;
                        $bak = $this->bar;
                        unset($this->bar); // do not fulfil the condition
                }
        };

        $bar = new stdClass;
        $bar->foo = $foo;
        $foo->bar = $bar;
})();

gc_collect_cycles();

var_dump($bak);


Expected result:
----------------
object(stdClass)#3 (1) {
  ["foo"]=>
  object(class@anonymous)#2 (1) {
    ["bar"]=>
    *RECURSION*
  }
}


Actual result:
--------------
Segmentation fault (or at least valgrind warning)