From bf1a24e105e2409d833a6e4015d72d7970c5f0ec Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Fri, 13 Dec 2024 18:24:31 +0100
Subject: [PATCH] Fix GH-17140 (Assertion failure in JIT trace exit with ZEND_FETCH_DIM_FUNC_ARG)

ZEND_FETCH_DIM_FUNC_ARG should also be repeated on undefined access, consistent to how ZEND_FETCH_DIM_R is handled. The opcode was just missing from the assertion list.
---
 ext/opcache/jit/zend_jit_trace.c | 2 +-
 ext/opcache/tests/jit/gh17140.phpt | 33 ++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 ext/opcache/tests/jit/gh17140.phpt
diff --git a/ext/opcache/jit/zend_jit_trace.c b/ext/opcache/jit/zend_jit_trace.c
index da66a903c170a..9ba186c4bc5d2 100644
--- a/ext/opcache/jit/zend_jit_trace.c
+++ b/ext/opcache/jit/zend_jit_trace.c
@@ -8585,7 +8585,7 @@ int ZEND_FASTCALL zend_jit_trace_exit(uint32_t exit_num, zend_jit_registers_buf
 if (op->opcode == ZEND_FETCH_DIM_IS || op->opcode == ZEND_FETCH_OBJ_IS) {
 ZVAL_NULL(EX_VAR_NUM(i));
 } else {
- assert(op->opcode == ZEND_FETCH_DIM_R || op->opcode == ZEND_FETCH_LIST_R || op->opcode == ZEND_FETCH_OBJ_R);
+ assert(op->opcode == ZEND_FETCH_DIM_R || op->opcode == ZEND_FETCH_LIST_R || op->opcode == ZEND_FETCH_OBJ_R || op->opcode == ZEND_FETCH_DIM_FUNC_ARG);
 repeat_last_opline = 1;
 }
 } else {
diff --git a/ext/opcache/tests/jit/gh17140.phpt b/ext/opcache/tests/jit/gh17140.phpt
new file mode 100644
index 0000000000000..a37277f69ba9a
--- /dev/null
+++ b/ext/opcache/tests/jit/gh17140.phpt
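Review bot: The opcode allow-list in the `assert` of the `else` branch is still maintained by hand, and it is only checked in builds where `assert` is active, so an opcode missing from it is caught in debug builds and otherwise reaches `repeat_last_opline = 1` unchecked. This fix adds the DIM variant only; it is worth confirming whether `ZEND_FETCH_OBJ_FUNC_ARG` can arrive at this exit path too, because if it can it would trip the same assertion. A short comment above the assert would record the invariant, e.g. `/* fetches that must be repeated on undefined access; keep in sync with the fetch opcodes a trace can exit on */`. The body of zend_jit_trace_exit starts and ends outside this hunk, so the condition guarding this branch is not visible here.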
@@ -0,0 +1,33 @@
+--TEST--
+GH-17140 (Assertion failure in JIT trace exit with ZEND_FETCH_DIM_FUNC_ARG)
+--EXTENSIONS--
+opcache
+--INI--
+opcache.jit=1254
+opcache.jit_buffer_size=32M
+opcache.jit_hot_func=1
+opcache.jit_hot_side_exit=1
+--FILE--
+
+--EXPECTF--
+Warning: Undefined variable $i in %s on line %d
+
+Warning: Undefined array key 0 in %s on line %d
+NULL
+
+Warning: Undefined variable $i in %s on line %d
+
+Warning: Undefined array key 0 in %s on line %d
+NULL
+
+Warning: Undefined array key 0 in %s on line %d
+NULL