Fix GH-18037: SEGV Zend/zend_execute.c

A frameless icall with 3 arguments is a special case because it uses
OP_DATA, but this was not added to the list, so the opline pointed to
the wrong address resulting in UBSAN report or crash.

Closes GH-18048.

NEWS

@@ -40,6 +40,7 @@ PHP                                                                        NEWS
   . Fixed bug GH-15834 (Segfault with hook "simple get" cache slot and minimal
     JIT). (nielsdos)
   . Fixed bug GH-17966 (Symfony JIT 1205 assertion failure). (nielsdos)
+  . Fixed bug GH-18037 (SEGV Zend/zend_execute.c). (nielsdos)
 
 - Standard:
   . Fix memory leaks in array_any() / array_all(). (nielsdos)

ext/opcache/jit/zend_jit_ir.c

@@ -4209,6 +4209,7 @@ static int zend_jit_handler(zend_jit_ctx *jit, const zend_op *opline, int may_th
 		case ZEND_ASSIGN_STATIC_PROP_OP:
 		case ZEND_ASSIGN_STATIC_PROP_REF:
 		case ZEND_ASSIGN_OBJ_REF:
+		case ZEND_FRAMELESS_ICALL_3:
 			zend_jit_set_last_valid_opline(jit, opline + 2);
 			break;
 		default:

ext/opcache/tests/jit/gh18037.phpt

@@ -0,0 +1,24 @@
+--TEST--
+GH-18037 (SEGV Zend/zend_execute.c)
+--EXTENSIONS--
+opcache
+--INI--
+opcache.jit=1201
+--FILE--
+<?php
+function test_helper()
+{
+    $list = [];
+    \in_array($list[0], $list, true) !== $list->matches();
+}
+
+test_helper();
+?>
+--EXPECTF--
+Warning: Undefined array key 0 in %s on line %d
+
+Fatal error: Uncaught Error: Call to a member function matches() on array in %s:%d
+Stack trace:
+#0 %s(%d): test_helper()
+#1 {main}
+  thrown in %s on line %d