From 6ab36fb6f92a6d0862f2da218e50a9280a9a384f Mon Sep 17 00:00:00 2001
From: Dmitry Stogov <dmitry@zend.com>
Date: Thu, 7 Oct 2021 14:34:18 +0300
Subject: [PATCH] JIT: Fixed incorrect reference handling in PRE_INC/DEC_OBJ

---
 ext/opcache/jit/zend_jit_helpers.c     |  2 ++
 ext/opcache/tests/jit/inc_obj_003.phpt | 20 ++++++++++++++++++++
 2 files changed, 22 insertions(+)
 create mode 100644 ext/opcache/tests/jit/inc_obj_003.phpt

diff --git a/ext/opcache/jit/zend_jit_helpers.c b/ext/opcache/jit/zend_jit_helpers.c
index 7dd6d9b02ae..5ca5815605e 100644
--- a/ext/opcache/jit/zend_jit_helpers.c
+++ b/ext/opcache/jit/zend_jit_helpers.c
@@ -2367,12 +2367,14 @@ static void ZEND_FASTCALL zend_jit_dec_typed_prop(zval *var_ptr, zend_property_i
 
 static void ZEND_FASTCALL zend_jit_pre_inc_typed_prop(zval *var_ptr, zend_property_info *prop_info, zval *result)
 {
+	ZVAL_DEREF(var_ptr);
 	zend_jit_inc_typed_prop(var_ptr, prop_info);
 	ZVAL_COPY(result, var_ptr);
 }
 
 static void ZEND_FASTCALL zend_jit_pre_dec_typed_prop(zval *var_ptr, zend_property_info *prop_info, zval *result)
 {
+	ZVAL_DEREF(var_ptr);
 	zend_jit_dec_typed_prop(var_ptr, prop_info);
 	ZVAL_COPY(result, var_ptr);
 }
diff --git a/ext/opcache/tests/jit/inc_obj_003.phpt b/ext/opcache/tests/jit/inc_obj_003.phpt
new file mode 100644
index 00000000000..3e1eef52215
--- /dev/null
+++ b/ext/opcache/tests/jit/inc_obj_003.phpt
@@ -0,0 +1,20 @@
+--TEST--
+PRE_INC_OBJ: 003
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+opcache.protect_memory=1
+--FILE--
+<?php
+class Test {
+    public float $prop = 1.0;
+}
+$test = new Test;
+$r = &$test->prop;
+$v = --$test->prop;
+var_dump($v);
+?>
+--EXPECT--
+float(0)
\ No newline at end of file