Fix GH-21478: Forward read_property to real instance for initialized lazy proxies

For initialized lazy proxies, the proxy and real instance have separate
magic method guard slots. When the real instance's __get/__isset is
running and code inside it accesses the proxy, the proxy's guard is
clear, causing __get/__isset to fire on the proxy too (double invocation).

Check whether the real instance's guard is already set before invoking
magic methods on the proxy. If it is, forward to the real instance
(we're inside a recursive call). If not, the proxy was accessed directly
and its own magic methods should run as normal.

Author: iliaal

Zend/tests/lazy_objects/gh18038-004.phpt

@@ -36,7 +36,6 @@ var_dump($real->prop);
 --EXPECTF--
 init
 string(19) "RealInstance::__get"
-string(12) "Proxy::__get"
 
 Warning: Undefined property: RealInstance::$prop in %s on line %d
 NULL

Zend/tests/lazy_objects/gh18038-007.phpt

@@ -36,6 +36,5 @@ var_dump(isset($real->prop['']));
 --EXPECT--
 init
 string(21) "RealInstance::__isset"
-string(14) "Proxy::__isset"
 bool(false)
 bool(false)

Zend/tests/lazy_objects/gh20875.phpt

@@ -31,14 +31,6 @@ Warning: Undefined variable $a in %s on line %d
 
 Warning: Undefined variable $v in %s on line %d
 
-Notice: Indirect modification of overloaded property A::$b has no effect in %s on line %d
-
-Warning: Undefined variable $x in %s on line %d
-
-Notice: Object of class stdClass could not be converted to int in %s on line %d
-
-Warning: Undefined variable $v in %s on line %d
-
 Notice: Indirect modification of overloaded property A::$f has no effect in %s on line %d
 
 Fatal error: Uncaught Error: Cannot assign by reference to overloaded object in %s:%d

Zend/tests/lazy_objects/gh21478-proxy-get-override.phpt

@@ -0,0 +1,30 @@
+--TEST--
+GH-21478: Proxy's own __get runs when accessed directly (not from real instance)
+--FILE--
+<?php
+
+class Foo {
+    private $_;
+
+    public function __get($name) {
+        echo __CLASS__, " ", $name, "\n";
+    }
+}
+
+class Bar extends Foo {
+    public function __get($name) {
+        echo __CLASS__, " ", $name, "\n";
+    }
+}
+
+$rc = new ReflectionClass(Bar::class);
+$proxy = $rc->newLazyProxy(function () {
+    return new Foo();
+});
+$rc->initializeLazyObject($proxy);
+
+$proxy->x;
+
+?>
+--EXPECT--
+Bar x

Zend/tests/lazy_objects/gh21478.phpt

@@ -0,0 +1,32 @@
+--TEST--
+GH-21478 (Property access on lazy proxy may invoke magic method despite real instance guards)
+--FILE--
+<?php
+
+class Foo {
+    public $_;
+
+    public function __get($name) {
+        global $proxy;
+        printf("__get(\$%s) on %s\n", $name, $this::class);
+        return $proxy->{$name};
+    }
+}
+
+class Bar extends Foo {}
+
+$rc = new ReflectionClass(Bar::class);
+$proxy = $rc->newLazyProxy(function () {
+    echo "Init\n";
+    return new Foo();
+});
+
+$real = $rc->initializeLazyObject($proxy);
+$real->x;
+
+?>
+--EXPECTF--
+Init
+__get($x) on Foo
+
+Warning: Undefined property: Foo::$x in %s on line %d

Zend/zend_object_handlers.c

@@ -893,6 +893,23 @@ ZEND_API zval *zend_std_read_property(zend_object *zobj, zend_string *name, int
 
 	retval = &EG(uninitialized_zval);
 
+	/* For initialized lazy proxies: if the real instance's magic method
+	 * guard is already set for this property, we are inside a recursive
+	 * call from the real instance's __get/__isset. Forward directly to
+	 * the real instance to avoid double invocation. (GH-21478) */
+	if (UNEXPECTED(zend_object_is_lazy_proxy(zobj)
+			&& zend_lazy_object_initialized(zobj))) {
+		zend_object *instance = zend_lazy_object_get_instance(zobj);
+		if (instance->ce->ce_flags & ZEND_ACC_USE_GUARDS) {
+			uint32_t *instance_guard = zend_get_property_guard(instance, name);
+			uint32_t guard_type = ((type == BP_VAR_IS) && zobj->ce->__isset)
+				? IN_ISSET : IN_GET;
+			if ((*instance_guard) & guard_type) {
+				return zend_std_read_property(instance, name, type, cache_slot, rv);
+			}
+		}
+	}
+
 	/* magic isset */
 	if ((type == BP_VAR_IS) && zobj->ce->__isset) {
 		zval tmp_result;