Merge branch 'PHP-8.4' into PHP-8.5

* PHP-8.4:
  Fix segfault in Tracing JIT with object reference (GH-20818)

NEWS

@@ -31,6 +31,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-20836 (Stack overflow in mb_convert_variables with
     recursive array references). (alexandre-daubois)
 
+- Opcache:
+  . Fixed bug GH-20818 (Segfault in Tracing JIT with object reference).
+    (khasinski)
+
 - Phar:
   . Fixed bug GH-20882 (buildFromIterator breaks with missing base directory).
     (ndossche)

ext/opcache/jit/zend_jit_ir.c

@@ -17196,6 +17196,7 @@ static int zend_jit_trace_handler(zend_jit_ctx *jit, const zend_op_array *op_arr
 						SET_STACK_TYPE(stack, EX_VAR_TO_NUM(opline->op2.var), IS_UNKNOWN, 1);
 					}
 					break;
+				case ZEND_FE_RESET_RW:
 				case ZEND_BIND_INIT_STATIC_OR_JMP:
 					if (opline->op1_type == IS_CV) {
 						old_info = STACK_INFO(stack, EX_VAR_TO_NUM(opline->op1.var));
@@ -17220,6 +17221,7 @@ static int zend_jit_trace_handler(zend_jit_ctx *jit, const zend_op_array *op_arr
 						SET_STACK_INFO(stack, EX_VAR_TO_NUM(opline->op2.var), old_info);
 					}
 					break;
+				case ZEND_FE_RESET_RW:
 				case ZEND_BIND_INIT_STATIC_OR_JMP:
 					if (opline->op1_type == IS_CV) {
 						SET_STACK_INFO(stack, EX_VAR_TO_NUM(opline->op1.var), old_info);

ext/opcache/tests/jit/gh20818.phpt

@@ -0,0 +1,30 @@
+--TEST--
+GH-20818 (Segfault in Tracing JIT with Object Reference)
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.jit=tracing
+opcache.jit_buffer_size=1M
+--FILE--
+<?php
+
+function process($data) {
+    foreach ($data as &$v) {}
+}
+
+$data = [
+    (object) ["" => 1],
+    (object) ["" => 1],
+    (object) [],
+];
+
+for ($i = 0; $i < 200; $i += 1) {
+    foreach ($data as $entry) {
+        process($entry);
+    }
+}
+
+echo "Done\n";
+?>
+--EXPECT--
+Done