deepclone_hydrate: skip null→uninit shortcut on lazy objects

The shortcut sets IS_PROP_UNINIT on OBJ_PROP(obj, pi->offset) directly.
On a lazy object with NO_LAZY_INIT set, the entry to dc_write_backed_property
doesn't route through zend_update_property_ex, and the shortcut would fire
before the Reflection-based lazy path at the bottom of the function — so a
null value for a non-nullable typed prop on a lazy object could end up
mutating the slot while the lazy-props counter and IS_PROP_LAZY flags
remained in their pre-write state.

Gating the shortcut on zend_lazy_object_initialized(obj) lets the Reflection
path handle lazy objects consistently (it will TypeError on null for a
non-nullable prop, matching what a real write would do).

Author: nicolas-grekas

deepclone.c

@@ -753,12 +753,18 @@ static bool dc_write_backed_property(zend_object *obj, zend_property_info *pi,
 	}
 
 	/* null → uninitialized for non-nullable typed slots; hooked props excluded
-	 * (no backing slot to "unset", and the set hook may handle null itself). */
+	 * (no backing slot to "unset", and the set hook may handle null itself).
+	 * Skip the shortcut on lazy objects — a direct slot write would bypass
+	 * the lazy-props bookkeeping. On NO_LAZY_INIT + lazy we fall through to
+	 * the Reflection-based path below, which enforces type semantics. */
 	if (Z_TYPE_P(value) == IS_NULL
 		&& ZEND_TYPE_IS_SET(pi->type)
 		&& !ZEND_TYPE_ALLOW_NULL(pi->type)
-		&& !DC_PROP_HAS_HOOKS(pi))
-	{
+		&& !DC_PROP_HAS_HOOKS(pi)
+#if PHP_VERSION_ID >= 80400
+		&& zend_lazy_object_initialized(obj)
+#endif
+	) {
 		if (Z_TYPE_P(slot) != IS_UNDEF) {
 			zval old;
 			ZVAL_COPY_VALUE(&old, slot);