wudi · pull · Nov 18, 2024 · Nov 18, 2024 · Nov 18, 2024 · Nov 18, 2024
diff --git a/Zend/tests/gh16725.phpt b/Zend/tests/gh16725.phpt
@@ -0,0 +1,27 @@
+--TEST--
+GH-16725: Incorrect access check for non-hooked props in hooked object iterator
+--FILE--
+<?php
+
+class C implements JsonSerializable
+{
+    private string $prop1 { get => 'bar'; }
+
+    public function __construct(
+        private string $prop2,
+    ) {}
+
+    public function jsonSerialize(): mixed {
+        return get_object_vars($this);
+    }
+}
+
+$obj = new C('foo');
+var_dump(get_object_vars($obj));
+echo json_encode($obj);
+
+?>
+--EXPECT--
+array(0) {
+}
+{"prop1":"bar","prop2":"foo"}
diff --git a/Zend/zend_property_hooks.c b/Zend/zend_property_hooks.c
@@ -89,7 +89,8 @@ static zend_array *zho_build_properties_ex(zend_object *zobj, bool check_access,
 				if (UNEXPECTED(Z_TYPE_P(OBJ_PROP(zobj, prop_info->offset)) == IS_UNDEF)) {
 					HT_FLAGS(properties) |= HASH_FLAG_HAS_EMPTY_IND;
 				}
-				zend_hash_update_ind(properties, property_name, OBJ_PROP(zobj, prop_info->offset));
+				zval *tmp = zend_hash_lookup(properties, property_name);
+				ZVAL_INDIRECT(tmp, OBJ_PROP(zobj, prop_info->offset));
 			}
 skip_property:
 			if (property_name != prop_info->name) {

diff --git a/ext/opcache/jit/zend_jit_vm_helpers.c b/ext/opcache/jit/zend_jit_vm_helpers.c
@@ -961,7 +961,15 @@ zend_jit_trace_stop ZEND_FASTCALL zend_jit_trace_execute(zend_execute_data  *ex,
 				(zend_jit_op_array_trace_extension*)ZEND_FUNC_INFO(op_array);
 			if (UNEXPECTED(!jit_extension)
 			 || UNEXPECTED(!(jit_extension->func_info.flags & ZEND_FUNC_JIT_ON_HOT_TRACE))) {
-				stop = ZEND_JIT_TRACE_STOP_INTERPRETER;
+#ifdef HAVE_GCC_GLOBAL_REGS
+				if (execute_data->prev_execute_data != prev_execute_data) {
+#else
+				if (rc < 0) {
+#endif
+					stop = ZEND_JIT_TRACE_STOP_RETURN;
+				} else {
+					stop = ZEND_JIT_TRACE_STOP_INTERPRETER;
+				}
 				break;
 			}
 			offset = jit_extension->offset;

diff --git a/ext/opcache/tests/jit/gh16829.phpt b/ext/opcache/tests/jit/gh16829.phpt
@@ -0,0 +1,14 @@
+--TEST--
+GH-16829 (Segmentation fault with opcache.jit=tracing enabled on aarch64)
+--INI--
+opcache.jit_buffer_size=32M
+--EXTENSIONS--
+opcache
+--FILE--
+<?php
+touch(__DIR__ . '/gh16829_1.inc');
+require_once(__DIR__ . '/gh16829_1.inc');
+?>
+DONE
+--EXPECT--
+DONE
diff --git a/ext/opcache/tests/jit/gh16829_1.inc b/ext/opcache/tests/jit/gh16829_1.inc
@@ -0,0 +1,16 @@
+<?php
+# inline Reproducer class definition and segfaults will go away
+require_once(__DIR__ . '/gh16829_2.inc');
+
+# remove $someVar1\2 or $someVar3 and loop at the end of the file and segfaults will go away
+$someVar2 = null;
+$someVar1 = null;
+$someVar3 = [];
+
+for ($i = 0; $i < 10; $i++) {
+    Reproducer::loops();
+}
+
+foreach ($someVar3 as $_) {
+}
+?>
diff --git a/ext/opcache/tests/jit/gh16829_2.inc b/ext/opcache/tests/jit/gh16829_2.inc
@@ -0,0 +1,23 @@
+<?php
+class Reproducer
+{
+    /**
+     * Remove $params arg and segfaults will go away
+     */
+    public static function loops(array $params = []): int
+    {
+        $arrCount = 2000;
+        # Replace `$arrCount % 16` with 0 and segfaults will go away
+        $arrCount2 = $arrCount - $arrCount % 16;
+        $result = 0;
+
+        for ($baseIdx = 0; $baseIdx < $arrCount2; $baseIdx++) {
+        }
+
+        while ($baseIdx < $arrCount) {
+        }
+
+        return $result;
+    }
+}
+?>