Test script for reproducible segfault in error_handler during GC involved an SplFileObject

test.php

<?php

class Hash
{
        # I first encountered the segfault in CakePHP. I don't understand why it's causing problem though.
        # Modified from CakePHP as of 2020-06-17: /lib/Cake/Utility/Hash.php
        # https://github.com/cakephp/cakephp/blob/5e10cae204079ba10a8b0f497d4802f382a05da9/src/Utility/Hash.php
        public static function merge(array $data, $merge) {
                $args = array_slice(func_get_args(), 1);
                $return = $data;
                $stack = [];

                foreach ($args as &$curArg) {
                    $stack[] = [(array)$curArg, &$return];
                }
        }
}

class Target
{
        public $sfo;
        public function __construct($sfo) {
                $this->sfo = $sfo;
        }
        public function __destruct() {
                // If the SplFileObject is destructed first,
                // underlying FD is no longer valid and will cause error upon calling flock
                $this->sfo->flock(2);
        }
}

class Run
{
        static $sfo;
        static $foo;
        public static function main() {
                // Creation ordering is important for repro
                // $sfo needed to be destructed before $foo.

                // The filename is not important, but make sure there is no permission error in creating
                Run::$sfo = new SplFileObject("/tmp/test", "c+");
                Run::$foo = new Target(Run::$sfo);

                set_error_handler(['Run', "handleError"]);
        }

        public static function handleError($errno, $errstr) {
                printf("Handle Error %s, %s\n", $errno, $errstr);

                // This function call will cause segmentation fault
                Hash::merge(["a"=>"b"], ["c"=>"d"]);
        }
}

Run::main();