From d59ae9345cea5359baeb53883e8e55a783387e21 Mon Sep 17 00:00:00 2001
From: Dmitry Stogov
Date: Tue, 2 Sep 2025 10:04:40 +0300
Subject: [PATCH] Cleanup SSA(s) in case of fatal error during tracing JIT

This fixes segfault becuse of UAF in ext/standard/tests/gh14643_longname.phpt
---
 ext/opcache/jit/zend_jit_trace.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/ext/opcache/jit/zend_jit_trace.c b/ext/opcache/jit/zend_jit_trace.c
index 2502b22a608..9d2de55e294 100644
--- a/ext/opcache/jit/zend_jit_trace.c
+++ b/ext/opcache/jit/zend_jit_trace.c
@@ -4064,6 +4064,7 @@ static const void *zend_jit_trace(zend_jit_trace_rec *trace_buffer, uint32_t par
 	zend_jit_trace_rec *p;
 	zend_jit_op_array_trace_extension *jit_extension;
 	int num_op_arrays = 0;
+	bool do_bailout = 0;
 	zend_jit_trace_info *t;
 	const zend_op_array *op_arrays[ZEND_JIT_TRACE_MAX_FUNCS];
 	uint8_t smart_branch_opcode;
@@ -4094,6 +4095,8 @@ static const void *zend_jit_trace(zend_jit_trace_rec *trace_buffer, uint32_t par
 
 	checkpoint = zend_arena_checkpoint(CG(arena));
 
+	zend_try {
+
 	ssa = zend_jit_trace_build_tssa(trace_buffer, parent_trace, exit_num, script, op_arrays, &num_op_arrays);
 
 	if (!ssa) {
@@ -7286,6 +7289,10 @@ jit_failure:
 			zend_string_release(name);
 		}
 
+	} zend_catch {
+		do_bailout = 1;
+	} zend_end_try();
+
 jit_cleanup:
 	/* Clean up used op_arrays */
 	while (num_op_arrays > 0) {
@@ -7306,6 +7313,10 @@ jit_cleanup:
 	JIT_G(current_frame) = NULL;
 	JIT_G(current_trace) = NULL;
 
+	if (do_bailout) {
+		zend_bailout();
+	}
+
 	return handler;
 }
 
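Review bot: `bool do_bailout = 0;` initialises a `bool` with an integer literal; `bool do_bailout = false;` says what the type means and matches the `<stdbool.h>` idiom that the `bool` keyword here already implies. The flag is only written in the `zend_catch` branch, i.e. after the longjmp, and read after `zend_end_try()`, so it does not need `volatile` under the C11 setjmp rules, but a reader has to walk roughly 3200 lines to see that; a comment at the declaration, `/* set in zend_catch below: a fatal error interrupted compilation and is re-raised after jit_cleanup */`, would save that lookup. The body of zend_jit_trace extends far beyond this hunk.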
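Review bot: The `zend_try {` opened here is only closed by the `} zend_catch { … } zend_end_try();` added about 3200 lines later (the jit_failure hunk), and any `goto jit_cleanup` executed in between leaves the try block without running `zend_end_try()`, so `EG(bailout)` keeps pointing at this frame's jmp_buf and a later bailout would longjmp into a dead stack frame. The `if (!ssa) {` branch directly below the new lines looks like such an exit (its body is outside the hunk, and before this change jit_cleanup was the natural target), so every early exit inside the try should instead jump to a label placed immediately before `} zend_catch`, or to `jit_failure` if its `name` release is safe on that path. Separately, `num_op_arrays` is written inside the try (via `&num_op_arrays`) and read by the `while (num_op_arrays > 0)` cleanup loop after a possible longjmp; C11 formally wants such locals `volatile`, and while passing its address keeps it in memory in practice, a comment saying that is relied upon would stop a later refactor from breaking it. The try/catch spans more of zend_jit_trace than this hunk shows.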
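Review bot: `do_bailout = 1;` in the new `zend_catch` branch carries no explanation of why the bailout is caught here and not re-raised until after `jit_cleanup`, which is the whole point of the change; a comment such as `/* a fatal error interrupted compilation: release the op_arrays/SSA below before re-raising, otherwise the next trace reads freed memory */` would make the deferred re-raise intent visible to the next maintainer. `do_bailout = true;` would also match the `bool` declaration rather than mixing integer and boolean forms. The cleanup loop and the `zend_bailout()` re-raise are in the later hunk, and the enclosing function continues outside this one.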