From 57c62eb2b34385a9c2ab4e7ab802c4a361483ba1 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+ndossche@users.noreply.github.com>
Date: Sat, 10 Jan 2026 17:42:01 +0100
Subject: [PATCH] Fix GH-20890: Segfault in zval_undefined_cv with non-simple
 property hook with minimal tracing JIT

This is similar to f6c2e40a11 but for minimal JIT + tracing JIT.
Most of the times the tracing JIT shouldn't rely on going to the VM, but
in some cases, like in minimal JIT, it can and then it hits the same
bug.

Closes GH-20897.
---
 NEWS                               |  4 ++++
 ext/opcache/jit/zend_jit_trace.c   |  8 +++++++
 ext/opcache/tests/jit/gh20890.phpt | 37 ++++++++++++++++++++++++++++++
 3 files changed, 49 insertions(+)
 create mode 100644 ext/opcache/tests/jit/gh20890.phpt

diff --git a/NEWS b/NEWS
index 80b69c11cf8..4a2dbd15249 100644
--- a/NEWS
+++ b/NEWS
@@ -25,6 +25,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-20836 (Stack overflow in mb_convert_variables with
     recursive array references). (alexandre-daubois)
 
+- Opcache:
+  . Fixed bug GH-20890 (Segfault in zval_undefined_cv with non-simple
+    property hook with minimal tracing JIT). (ndossche)
+
 - Phar:
   . Fixed bug GH-20882 (buildFromIterator breaks with missing base directory).
     (ndossche)
diff --git a/ext/opcache/jit/zend_jit_trace.c b/ext/opcache/jit/zend_jit_trace.c
index 9d2de55e294..41393f721cf 100644
--- a/ext/opcache/jit/zend_jit_trace.c
+++ b/ext/opcache/jit/zend_jit_trace.c
@@ -328,6 +328,14 @@ static int zend_jit_trace_may_exit(const zend_op_array *op_array, const zend_op
 			// TODO: recompilation may change target ???
 			return 0;
 #endif
+		case ZEND_FETCH_OBJ_R:
+			if (opline->op2_type == IS_CONST) {
+				const zend_class_entry *ce = opline->op1_type == IS_UNUSED ? op_array->scope : NULL;
+				if (!ce || !(ce->ce_flags & ZEND_ACC_FINAL) || ce->num_hooked_props > 0) {
+					return 1;
+				}
+			}
+			break;
 		case ZEND_RETURN_BY_REF:
 		case ZEND_RETURN:
 			/* return */
diff --git a/ext/opcache/tests/jit/gh20890.phpt b/ext/opcache/tests/jit/gh20890.phpt
new file mode 100644
index 00000000000..c375c379fcc
--- /dev/null
+++ b/ext/opcache/tests/jit/gh20890.phpt
@@ -0,0 +1,37 @@
+--TEST--
+GH-20890 (Segfault in zval_undefined_cv with non-simple property hook with minimal tracing JIT)
+--CREDITS--
+Moonster8282
+--EXTENSIONS--
+opcache
+--INI--
+opcache.jit=1251
+--FILE--
+<?php
+class HookJIT {
+    private int $readCount = 0;
+
+    public int $computed {
+        get {
+            $this->readCount++;
+            return $this->readCount * 2;
+        }
+    }
+}
+
+function hook_hot_path($obj, $iterations) {
+    $sum = 0;
+    for ($i = 0; $i < $iterations; $i++) {
+        $sum += $obj->computed;
+    }
+    return $sum;
+}
+
+echo "Testing property hook in hot path...\n";
+$obj = new HookJIT();
+$result = hook_hot_path($obj, 100);
+echo "Result: $result\n";
+?>
+--EXPECT--
+Testing property hook in hot path...
+Result: 10100