Fix OSS-Fuzz #427814452

Pipe compilation uses a temporary znode with QM_ASSIGN to remove
references. Assert compilation wants to look at the operand AST and
convert it to a string. However the original AST is lost due to the
temporary znode. To solve this we either have to handle this specially
in pipe compilation [1], or store the AST anyway somehow.
Special casing this either way is not worth the complexity in my
opinion, especially as it looks like a dynamic call anyway due to the
FCC syntax.

[1] Prototype (incomplete) at
    https://gist.github.com/nielsdos/50dc71718639c3af05db84a4dea6eb71
    shows this is not worthwhile in my opinion.

Author: nielsdos

Zend/tests/pipe_operator/oss_fuzz_427814452.phpt

@@ -0,0 +1,26 @@
+--TEST--
+OSS-Fuzz #427814452
+--FILE--
+<?php
+
+try {
+    false |> assert(...);
+} catch (\AssertionError $e) {
+    echo $e::class, ": '", $e->getMessage(), "'\n";
+}
+try {
+    0 |> "assert"(...);
+} catch (\AssertionError $e) {
+    echo $e::class, ": '", $e->getMessage(), "'\n";
+}
+try {
+    false |> ("a"."ssert")(...);
+} catch (\AssertionError $e) {
+    echo $e::class, ": '", $e->getMessage(), "'\n";
+}
+
+?>
+--EXPECT--
+AssertionError: ''
+AssertionError: ''
+AssertionError: ''

Zend/zend_compile.c

@@ -4356,7 +4356,10 @@ static void zend_compile_assert(znode *result, zend_ast_list *args, zend_string
 		}
 		opline->result.num = zend_alloc_cache_slot();
 
-		if (args->children == 1) {
+		/* Skip adding a message on piped assert(...) calls, hence the ZEND_AST_ZNODE check.
+		 * We don't have access to the original AST anyway, so we would either need to duplicate
+		 * this logic in pipe compilation or store the AST. Neither seems worth the complexity. */
+		if (args->children == 1 && args->child[0]->kind != ZEND_AST_ZNODE) {
 			/* add "assert(condition) as assertion message */
 			zend_ast *arg = zend_ast_create_zval_from_str(
 				zend_ast_export("assert(", args->child[0], ")"));