Fix scope dispose ref_count: guard ref and ZEND_ASYNC_SCOPE_RELEASE

- scope_dispose: keep ref_count=1 as guard during disposal, drop guard
  ref only before efree. Removes premature DEL_REF that caused
  use-after-free when finally handlers created child scopes.
- finally_handlers_iterator_dtor: use ZEND_ASYNC_SCOPE_RELEASE instead
  of manual DEL_REF + try_to_dispose to avoid double-decrement with
  scope_dispose's >1 path.
- Update test 033 expected output for changed finally handler ordering.

Author: EdmondDantes

coroutine.c

@@ -1223,13 +1223,7 @@ static void finally_handlers_iterator_dtor(zend_async_iterator_t *zend_iterator)
 	efree(context);
 	iterator->extended_data = NULL;
 
-	if (ZEND_ASYNC_EVENT_REFCOUNT(&scope->scope.event) > 0) {
-		ZEND_ASYNC_EVENT_DEL_REF(&scope->scope.event);
-
-		if (ZEND_ASYNC_EVENT_REFCOUNT(&scope->scope.event) <= 1) {
-			scope->scope.try_to_dispose(&scope->scope);
-		}
-	}
+	ZEND_ASYNC_SCOPE_RELEASE(&scope->scope);
 
 	if (composite_exception != NULL) {
 		async_rethrow_exception(composite_exception);

scope.c

@@ -1086,8 +1086,12 @@ static bool scope_dispose(zend_async_event_t *scope_event)
 		return true;
 	}
 
-	if (ZEND_ASYNC_EVENT_REFCOUNT(scope_event) == 1) {
-		ZEND_ASYNC_EVENT_DEL_REF(scope_event);
+	// Keep ref_count=1 as a guard during disposal.
+	// Callbacks, child scope disposal, and finally handlers may create new child scopes
+	// that reference this scope as parent. They must not see ref_count=0.
+	// The DISPOSING flag prevents re-entrant calls to scope_dispose.
+	if (ZEND_ASYNC_EVENT_REFCOUNT(scope_event) == 0) {
+		ZEND_ASYNC_EVENT_ADD_REF(scope_event);
 	}
 
 	ZEND_ASYNC_SCOPE_SET_DISPOSING(&scope->scope);
@@ -1119,15 +1123,23 @@ static bool scope_dispose(zend_async_event_t *scope_event)
 
 	if (scope->finally_handlers != NULL && zend_hash_num_elements(scope->finally_handlers) > 0 &&
 		async_scope_call_finally_handlers(scope)) {
-		// If finally handlers were called, we don't dispose the scope yet
-		ZEND_ASYNC_EVENT_ADD_REF(&scope->scope.event);
+		// Finally handlers spawned coroutines — scope stays alive.
+		// Guard ref is already in place (ref_count was kept at 1).
 		if (critical_exception) {
 			async_spawn_and_throw(critical_exception, &scope->scope, 0);
 		}
 		ZEND_ASYNC_SCOPE_CLR_DISPOSING(&scope->scope);
 		return true;
 	}
 
+	// Drop the guard ref before freeing.
+	ZEND_ASYNC_EVENT_DEL_REF(scope_event);
+	if (ZEND_ASYNC_EVENT_REFCOUNT(scope_event) > 0) {
+		// Someone added refs during dispose — scope stays alive.
+		ZEND_ASYNC_SCOPE_CLR_DISPOSING(&scope->scope);
+		return true;
+	}
+
 	if (scope->scope.parent_scope) {
 		zend_async_scope_remove_child(scope->scope.parent_scope, &scope->scope);
 	}