From f88445bdf894b2f0b3f4efcf5176de3cc33c4350 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Fri, 31 Jan 2025 21:41:45 +0100
Subject: [PATCH] Fix GH-17654: Multiple classes using same trait causes
 function JIT crash

This test has two classes that use the same trait. In function JIT mode
the same cache slot will be used. This causes problems because it is
primed for the first class and then reused for the second class,
resulting in an incorrect type check failure.

The current check for a megamorphic trait call requires current_frame to
not be NULL, but this is only set in tracing mode and not in function
mode.

This patch corrects the check.

Closes GH-17660.
---
 NEWS                                |  4 +++
 ext/opcache/jit/zend_jit_arm64.dasc |  6 ++---
 ext/opcache/jit/zend_jit_x86.dasc   |  6 ++---
 ext/opcache/tests/jit/gh17654.phpt  | 38 +++++++++++++++++++++++++++++
 4 files changed, 48 insertions(+), 6 deletions(-)
 create mode 100644 ext/opcache/tests/jit/gh17654.phpt

diff --git a/NEWS b/NEWS
index 8469bdc9df8..aace72eb49f 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-17618 (UnhandledMatchError does not take
     zend.exception_ignore_args=1 into account). (timwolla)
 
+- Opcache:
+  . Fixed bug GH-17654 (Multiple classes using same trait causes function
+    JIT crash). (nielsdos)
+
 - PHPDBG:
   . Partially fixed bug GH-17387 (Trivial crash in phpdbg lexer). (nielsdos)
   . Fix memory leak in phpdbg calling registered function. (nielsdos)
diff --git a/ext/opcache/jit/zend_jit_arm64.dasc b/ext/opcache/jit/zend_jit_arm64.dasc
index 2cbf6864308..ec6fae8819f 100644
--- a/ext/opcache/jit/zend_jit_arm64.dasc
+++ b/ext/opcache/jit/zend_jit_arm64.dasc
@@ -9200,9 +9200,9 @@ static int zend_jit_do_fcall(dasm_State **Dst, const zend_op *opline, const zend
 			func = call_info->callee_func;
 		}
 		if ((op_array->fn_flags & ZEND_ACC_TRAIT_CLONE)
-		 && JIT_G(current_frame)
-		 && JIT_G(current_frame)->call
-		 && !JIT_G(current_frame)->call->func) {
+		 && (!JIT_G(current_frame) ||
+		     !JIT_G(current_frame)->call ||
+		     !JIT_G(current_frame)->call->func)) {
 			call_info = NULL; func = NULL; /* megamorphic call from trait */
 		}
 	}
diff --git a/ext/opcache/jit/zend_jit_x86.dasc b/ext/opcache/jit/zend_jit_x86.dasc
index 9cf0c6cd8e8..f65dc769db5 100644
--- a/ext/opcache/jit/zend_jit_x86.dasc
+++ b/ext/opcache/jit/zend_jit_x86.dasc
@@ -9931,9 +9931,9 @@ static int zend_jit_do_fcall(dasm_State **Dst, const zend_op *opline, const zend
 			func = call_info->callee_func;
 		}
 		if ((op_array->fn_flags & ZEND_ACC_TRAIT_CLONE)
-		 && JIT_G(current_frame)
-		 && JIT_G(current_frame)->call
-		 && !JIT_G(current_frame)->call->func) {
+		 && (!JIT_G(current_frame) ||
+		     !JIT_G(current_frame)->call ||
+		     !JIT_G(current_frame)->call->func)) {
 			call_info = NULL; func = NULL; /* megamorphic call from trait */
 		}
 	}
diff --git a/ext/opcache/tests/jit/gh17654.phpt b/ext/opcache/tests/jit/gh17654.phpt
new file mode 100644
index 00000000000..59d9205b37f
--- /dev/null
+++ b/ext/opcache/tests/jit/gh17654.phpt
@@ -0,0 +1,38 @@
+--TEST--
+GH-17654 (Multiple classes using same trait causes function JIT crash)
+--EXTENSIONS--
+opcache
+--INI--
+opcache.jit=1214
+opcache.jit_buffer_size=16M
+--FILE--
+<?php
+trait TestTrait {
+	public function addUnit(string $x) {
+		self::addRawUnit($this, $x);
+	}
+
+	public function addRawUnit(self $data, string $x) {
+		var_dump($x);
+	}
+}
+
+class Test {
+	use TestTrait;
+}
+
+class Test2 {
+	use TestTrait;
+}
+
+function main()
+{
+	(new Test2)->addUnit("test2");
+	(new Test)->addUnit("test");
+}
+
+main();
+?>
+--EXPECT--
+string(5) "test2"
+string(4) "test"