From 535b1781506e3daeb692368a4292552981acdab2 Mon Sep 17 00:00:00 2001
From: Ilija Tovilo <ilija.tovilo@me.com>
Date: Wed, 18 Dec 2024 15:15:11 +0100
Subject: [PATCH 1/2] Add tests for GH-17151

---
 ext/opcache/tests/jit/gh17151_1.phpt | 22 +++++++++++++++++++++
 ext/opcache/tests/jit/gh17151_2.phpt | 29 ++++++++++++++++++++++++++++
 ext/opcache/tests/jit/gh17151_3.phpt | 25 ++++++++++++++++++++++++
 3 files changed, 76 insertions(+)
 create mode 100644 ext/opcache/tests/jit/gh17151_1.phpt
 create mode 100644 ext/opcache/tests/jit/gh17151_2.phpt
 create mode 100644 ext/opcache/tests/jit/gh17151_3.phpt

diff --git a/ext/opcache/tests/jit/gh17151_1.phpt b/ext/opcache/tests/jit/gh17151_1.phpt
new file mode 100644
index 0000000000000..57c9bd142b72f
--- /dev/null
+++ b/ext/opcache/tests/jit/gh17151_1.phpt
@@ -0,0 +1,22 @@
+--TEST--
+GH-17151: ZEND_FETCH_OBJ_R may modify RC of op1
+--FILE--
+<?php
+
+class C {
+    public function __get($name) {
+        return $this;
+    }
+}
+
+function test() {
+    $x = (new C)->bar;
+    var_dump($x);
+}
+
+test();
+
+?>
+--EXPECTF--
+object(C)#%d (0) {
+}
diff --git a/ext/opcache/tests/jit/gh17151_2.phpt b/ext/opcache/tests/jit/gh17151_2.phpt
new file mode 100644
index 0000000000000..26e1acbab7d9e
--- /dev/null
+++ b/ext/opcache/tests/jit/gh17151_2.phpt
@@ -0,0 +1,29 @@
+--TEST--
+GH-17151: ZEND_FETCH_OBJ_R may modify RC of op1
+--FILE--
+<?php
+
+class C {
+    public static $prop;
+
+    public function __get($name) {
+        C::$prop = null;
+    }
+
+    public function __destruct() {
+        echo __METHOD__, "\n";
+    }
+}
+
+function test() {
+    C::$prop = new C();
+    C::$prop->bar;
+}
+
+test();
+echo "Done\n";
+
+?>
+--EXPECT--
+C::__destruct
+Done
diff --git a/ext/opcache/tests/jit/gh17151_3.phpt b/ext/opcache/tests/jit/gh17151_3.phpt
new file mode 100644
index 0000000000000..5e42d357a68a7
--- /dev/null
+++ b/ext/opcache/tests/jit/gh17151_3.phpt
@@ -0,0 +1,25 @@
+--TEST--
+GH-17151: Method calls may modify RC of ZEND_INIT_METHOD_CALL op1
+--FILE--
+<?php
+
+class C {
+    public static $prop;
+
+    public function storeThis() {
+        self::$prop = $this;
+    }
+}
+
+function test() {
+    $c = new C();
+    $c->storeThis();
+    $c = null;
+}
+
+test();
+
+?>
+===DONE===
+--EXPECT--
+===DONE===

From ee3c98aa058457e73ece1bccc2d0c65739341cc7 Mon Sep 17 00:00:00 2001
From: Dmitry Stogov <dmitry@zend.com>
Date: Wed, 18 Dec 2024 15:38:49 +0100
Subject: [PATCH 2/2] Fix RC tracking for objects

Fixes GH-17151
---
 Zend/Optimizer/zend_inference.c | 4 ++++
 ext/opcache/jit/zend_jit_ir.c   | 1 +
 2 files changed, 5 insertions(+)

diff --git a/Zend/Optimizer/zend_inference.c b/Zend/Optimizer/zend_inference.c
index 7169238893159..fc6b9b421b628 100644
--- a/Zend/Optimizer/zend_inference.c
+++ b/Zend/Optimizer/zend_inference.c
@@ -1968,6 +1968,10 @@ static uint32_t get_ssa_alias_types(zend_ssa_alias_kind alias) {
 					/* TODO: support for array keys and ($str . "")*/   \
 					__type |= MAY_BE_RCN;                               \
 				}                                                       \
+				if ((__type & MAY_BE_RC1) && (__type & MAY_BE_OBJECT)) {\
+					/* TODO: object may be captured by magic handlers */\
+					__type |= MAY_BE_RCN;                               \
+				}                                                       \
 				if (__ssa_var->alias) {									\
 					__type |= get_ssa_alias_types(__ssa_var->alias);	\
 				}														\
diff --git a/ext/opcache/jit/zend_jit_ir.c b/ext/opcache/jit/zend_jit_ir.c
index 843d3ae90d84c..5661fec934f7d 100644
--- a/ext/opcache/jit/zend_jit_ir.c
+++ b/ext/opcache/jit/zend_jit_ir.c
@@ -14426,6 +14426,7 @@ static int zend_jit_fetch_obj(zend_jit_ctx         *jit,
 		ir_MERGE_list(slow_inputs);
 		jit_SET_EX_OPLINE(jit, opline);
 
+		op1_info |= MAY_BE_RC1 | MAY_BE_RCN; /* object may be captured/released in magic handler */
 		if (opline->opcode == ZEND_FETCH_OBJ_W) {
 			ir_CALL_1(IR_VOID, ir_CONST_FC_FUNC(zend_jit_fetch_obj_w_slow), obj_ref);
 			ir_END_list(end_inputs);