Address review: tighter guards + lazy-object safety + engine-routed dynamic writes

Review feedback from @arnaudlb (PR #12):

1. Simplify dc_is_backed_declared_property():
   !(pi->flags & ZEND_ACC_VIRTUAL) already implies pi->offset ==
   ZEND_VIRTUAL_PROPERTY_OFFSET, and IS_HOOKED_PROPERTY_OFFSET() is only
   meaningful on offsets returned by zend_get_property_offset(), not on
   the raw pi->offset. Collapse to a single bitmask test.

2. Narrow the backed-enum scalar cast:
   Add `(ZEND_TYPE_PURE_MASK(pi->type) & ~MAY_BE_NULL) == 0` so the cast
   only fires for types of the form `Enum` or `?Enum`. Unions like
   `Enum|string|int` already accept the scalar literally — casting it to
   the enum case would be surprising.

3. Lazy-object safety in dc_write_backed_property():
   Check !zend_lazy_object_initialized(obj) at the top and, when the flag
   is absent, route through zend_update_property_ex() which triggers the
   lazy realization hook. Direct OBJ_PROP slot writes on a lazy ghost
   left it in a half-initialized state. DEEPCLONE_HYDRATE_NO_LAZY_INIT
   keeps its existing opt-out fast path.

4. Dynamic-property fallback via zend_update_property_ex():
   Swap zend_std_write_property() for zend_update_property_ex() so any
   overridden write_property handler on internal classes or extensions
   is respected. Picks up the appropriate scope via scope_ce ?: obj_ce.

A2 (null → unset on non-nullable typed) and A3 (scalar → backed-enum
cast) stay property-type-only, as discussed: the coercions are driven
by the target type at hydration time, which is stable within a single
execution.

Author: nicolas-grekas

deepclone.c

@@ -638,15 +638,12 @@ static zend_always_inline bool dc_class_allowed(HashTable *set, zend_string *nam
 
 static zend_always_inline bool dc_is_backed_declared_property(zend_property_info *pi)
 {
-	/* A "backed declared property" is a non-static, non-virtual property with
-	 * a real backing slot (offset >= ZEND_FIRST_PROPERTY_OFFSET). Hooked
-	 * non-virtual properties qualify (they have a real offset); virtual
-	 * properties and hook-metadata offsets do not. */
-	return pi
-		&& !(pi->flags & ZEND_ACC_STATIC)
-		&& !(pi->flags & ZEND_ACC_VIRTUAL)
-		&& pi->offset != ZEND_VIRTUAL_PROPERTY_OFFSET
-		&& !IS_HOOKED_PROPERTY_OFFSET(pi->offset);
+	/* Non-static, non-virtual property with a real backing slot. ZEND_ACC_VIRTUAL
+	 * is the definitive flag — virtual props also have pi->offset set to
+	 * ZEND_VIRTUAL_PROPERTY_OFFSET, and IS_HOOKED_PROPERTY_OFFSET() is only
+	 * meaningful on offsets returned by zend_get_property_offset(), not on
+	 * the raw pi->offset (per arnaudlb's review feedback). */
+	return pi && !(pi->flags & (ZEND_ACC_STATIC | ZEND_ACC_VIRTUAL));
 }
 
 static zend_always_inline bool dc_is_std_scope_property(zend_property_info *pi)
@@ -736,6 +733,15 @@ static bool dc_write_backed_property(zend_object *obj, zend_property_info *pi,
 #if PHP_VERSION_ID >= 80400
 	bool call_hooks   = (flags & DEEPCLONE_HYDRATE_CALL_HOOKS) != 0;
 	bool no_lazy_init = (flags & DEEPCLONE_HYDRATE_NO_LAZY_INIT) != 0;
+
+	/* Lazy objects: a direct slot write would bypass the engine's realization
+	 * hook and leave the object in a half-initialized state. Route through
+	 * zend_update_property_ex, which triggers realization on the first write.
+	 * NO_LAZY_INIT has its own fast path below that deliberately opts out. */
+	if (!no_lazy_init && UNEXPECTED(!zend_lazy_object_initialized(obj))) {
+		zend_update_property_ex(pi->ce, obj, name, value);
+		return !EG(exception);
+	}
 #endif
 	zval *slot = OBJ_PROP(obj, pi->offset);
 
@@ -773,7 +779,11 @@ static bool dc_write_backed_property(zend_object *obj, zend_property_info *pi,
 	bool enum_holder_used = false;
 	if ((Z_TYPE_P(value) == IS_LONG || Z_TYPE_P(value) == IS_STRING)
 		&& ZEND_TYPE_HAS_NAME(pi->type)
-		&& !ZEND_TYPE_HAS_LIST(pi->type))
+		&& !ZEND_TYPE_HAS_LIST(pi->type)
+		/* Only cast for types of the form `Enum` or `?Enum` — reject unions like
+		 * `Enum|string|int` where the caller explicitly opted into accepting scalars
+		 * (per arnaudlb's review feedback). */
+		&& (ZEND_TYPE_PURE_MASK(pi->type) & ~MAY_BE_NULL) == 0)
 	{
 		zend_class_entry *type_ce = zend_lookup_class_ex(
 			ZEND_TYPE_NAME(pi->type), NULL, ZEND_FETCH_CLASS_NO_AUTOLOAD);
@@ -3337,10 +3347,13 @@ PHP_FUNCTION(deepclone_hydrate)
 						RETURN_THROWS();
 					}
 				} else {
-					/* Fallback: dynamic property or unknown name. Matches
-					 * unserialize(): the engine rejects NUL-prefix names with
-					 * \Error and accepts NUL-in-middle as raw dynamic props. */
-					zend_std_write_property(obj, prop_name, prop_val, NULL);
+					/* Fallback: dynamic property or unknown name. Goes through
+					 * zend_update_property_ex so any custom write_property handler
+					 * (internal classes, extensions overriding default handlers) is
+					 * respected. Matches unserialize(): the engine rejects NUL-prefix
+					 * names with \Error, NUL-in-middle is stored as a raw dynamic
+					 * property. */
+					zend_update_property_ex(scope_ce ?: obj_ce, obj, prop_name, prop_val);
 					if (UNEXPECTED(EG(exception))) {
 						if (prop_name_owned) zend_string_release(prop_name);
 						EG(fake_scope) = old_scope;