From b47a48ff80fdade1f7f44b906da27ea18061464b Mon Sep 17 00:00:00 2001
From: Dmitry Stogov <dmitry@zend.com>
Date: Thu, 7 Oct 2021 21:24:38 +0300
Subject: [PATCH] Fixed bug #81512 (Unexpected behavior with arrays and JIT)

---
 NEWS                                |  1 +
 ext/opcache/jit/zend_jit_trace.c    | 13 +++++++++++
 ext/opcache/tests/jit/bug81512.phpt | 34 +++++++++++++++++++++++++++++
 3 files changed, 48 insertions(+)
 create mode 100644 ext/opcache/tests/jit/bug81512.phpt

diff --git a/NEWS b/NEWS
index e5c07163e073c..e31c8b25984b2 100644
--- a/NEWS
+++ b/NEWS
@@ -28,6 +28,7 @@ PHP                                                                        NEWS
 - Opcache:
   . Fixed bug #81472 (Cannot support large linux major/minor device number when
     read /proc/self/maps). (Lin Yang)
+  . Fixed bug #81512 (Unexpected behavior with arrays and JIT). (Dmitry)
 
 - Reflection:
   . ReflectionAttribute is no longer final. (sasezaki)
diff --git a/ext/opcache/jit/zend_jit_trace.c b/ext/opcache/jit/zend_jit_trace.c
index acce9324d78f4..8e7f715d198c9 100644
--- a/ext/opcache/jit/zend_jit_trace.c
+++ b/ext/opcache/jit/zend_jit_trace.c
@@ -1840,6 +1840,18 @@ static zend_ssa *zend_jit_trace_build_tssa(zend_jit_trace_rec *trace_buffer, uin
 				case ZEND_CHECK_UNDEF_ARGS:
 				case ZEND_INCLUDE_OR_EVAL:
 					max_used_stack = used_stack = -1;
+				case ZEND_TYPE_CHECK:
+					if (opline->extended_value == MAY_BE_RESOURCE) {
+						// TODO: support for is_resource() ???
+						break;
+					}
+					if (op1_type != IS_UNKNOWN
+					 && (opline->extended_value == (1 << op1_type)
+					  || opline->extended_value == MAY_BE_ANY - (1 << op1_type))) {
+						/* add guards only for exact checks, to avoid code duplication */
+						ADD_OP1_TRACE_GUARD();
+					}
+					break;
 				default:
 					break;
 			}
@@ -4904,6 +4916,7 @@ static const void *zend_jit_trace(zend_jit_trace_rec *trace_buffer, uint32_t par
 							break;
 						}
 						op1_info = OP1_INFO();
+						CHECK_OP1_TRACE_TYPE();
 						if ((opline->result_type & (IS_SMART_BRANCH_JMPZ|IS_SMART_BRANCH_JMPNZ)) != 0) {
 							zend_bool exit_if_true = 0;
 							const zend_op *exit_opline = zend_jit_trace_get_exit_opline(p + 1, opline + 1, &exit_if_true);
diff --git a/ext/opcache/tests/jit/bug81512.phpt b/ext/opcache/tests/jit/bug81512.phpt
new file mode 100644
index 0000000000000..822079f28184f
--- /dev/null
+++ b/ext/opcache/tests/jit/bug81512.phpt
@@ -0,0 +1,34 @@
+--TEST--
+Bug #81512: Unexpected behavior with arrays and JIT
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+--FILE--
+<?php
+$pipe = [['val1'],['val2'],];
+
+for ($i = 0; $i < 30; ++$i) {
+        echo "$i ";
+        if (!is_pipeline($pipe)) {
+                echo 'ERROR ';
+        }
+}
+
+function is_pipeline($pipeline): bool {
+        foreach ($pipeline as $stage) {
+                if (!is_array($stage)) {
+                		var_dump($stage);
+                        return false; // must never happen
+                }
+
+                $stage = (array) $stage;
+                reset($stage);
+        }
+
+        return true;
+}
+?>
+--EXPECT--
+0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29