Fix RC inference of op1 of FETCH_OBJ and INIT_METHOD_CALL

dstogov · iluuu1994 · commit 6666cc83c53c · 2024-12-18T19:08:51.000+01:00
Fixes GH-17151 Closes GH-17152
diff --git a/NEWS b/NEWS
@@ -51,6 +51,8 @@ PHP                                                                        NEWS
   . opcache_get_configuration() properly reports jit_prof_threshold. (cmb)
   . Fixed bug GH-17140 (Assertion failure in JIT trace exit with
     ZEND_FETCH_DIM_FUNC_ARG). (nielsdos, Dmitry)
+  . Fixed bug GH-17151 (Incorrect RC inference of op1 of FETCH_OBJ and
+    INIT_METHOD_CALL). (Dmitry, ilutov)
 
 - PCNTL:
   . Fix memory leak in cleanup code of pcntl_exec() when a non stringable
diff --git a/Zend/Optimizer/zend_inference.c b/Zend/Optimizer/zend_inference.c
@@ -1968,6 +1968,10 @@ static uint32_t get_ssa_alias_types(zend_ssa_alias_kind alias) {
 					/* TODO: support for array keys and ($str . "")*/   \
 					__type |= MAY_BE_RCN;                               \
 				}                                                       \
+				if ((__type & MAY_BE_RC1) && (__type & MAY_BE_OBJECT)) {\
+					/* TODO: object may be captured by magic handlers */\
+					__type |= MAY_BE_RCN;                               \
+				}                                                       \
 				if (__ssa_var->alias) {									\
 					__type |= get_ssa_alias_types(__ssa_var->alias);	\
 				}														\
diff --git a/ext/opcache/jit/zend_jit_ir.c b/ext/opcache/jit/zend_jit_ir.c
@@ -14426,6 +14426,7 @@ static int zend_jit_fetch_obj(zend_jit_ctx         *jit,
 		ir_MERGE_list(slow_inputs);
 		jit_SET_EX_OPLINE(jit, opline);
 
+		op1_info |= MAY_BE_RC1 | MAY_BE_RCN; /* object may be captured/released in magic handler */
 		if (opline->opcode == ZEND_FETCH_OBJ_W) {
 			ir_CALL_1(IR_VOID, ir_CONST_FC_FUNC(zend_jit_fetch_obj_w_slow), obj_ref);
 			ir_END_list(end_inputs);
