Fix GH-11347: Memory leak when calling a static method inside an xpath query

It's a type confusion bug. `zend_make_callable` may change the function name
of the fci to become an array, causing a crash in debug mode on
`zval_ptr_dtor_str(&fci.function_name);` in `dom_xpath_ext_function_php`.
On a production build it doesn't crash but only causes a leak, because
the array elements are not destroyed, only the array container itself
is. We can use the nogc variant because it cannot contain cycles, the
potential array can only contain 2 strings.

Closes GH-11350.

NEWS

@@ -19,6 +19,8 @@ PHP                                                                        NEWS
     DOMDocument::getElementsByTagNameNS. (nielsdos)
   . Fix DOMElement::append() and DOMElement::prepend() hierarchy checks.
     (nielsdos)
+  . Fixed bug GH-11347 (Memory leak when calling a static method inside an
+    xpath query). (nielsdos)
 
 - Opcache:
   . Fix allocation loop in zend_shared_alloc_startup(). (nielsdos)

ext/dom/tests/gh11347.phpt

@@ -0,0 +1,26 @@
+--TEST--
+GH-11347 (Memory leak when calling a static method inside an xpath query)
+--EXTENSIONS--
+dom
+--FILE--
+<?php
+
+class MyClass
+{
+    public static function dump(string $var) {
+        var_dump($var);
+    }
+}
+
+$doc = new DOMDocument();
+$doc->loadHTML('<a href="https://php.net">hello</a>');
+$xpath = new DOMXpath($doc);
+$xpath->registerNamespace("php", "http://php.net/xpath");
+$xpath->registerPHPFunctions();
+$xpath->query("//a[php:function('MyClass::dump', string(@href))]");
+
+?>
+Done
+--EXPECT--
+string(15) "https://php.net"
+Done

ext/dom/xpath.c

@@ -182,7 +182,7 @@ static void dom_xpath_ext_function_php(xmlXPathParserContextPtr ctxt, int nargs,
 	}
 cleanup:
 	zend_string_release_ex(callable, 0);
-	zval_ptr_dtor_str(&fci.function_name);
+	zval_ptr_dtor_nogc(&fci.function_name);
 	if (fci.param_count > 0) {
 		for (i = 0; i < nargs - 1; i++) {
 			zval_ptr_dtor(&fci.params[i]);