From 41937d8d85c24a1088b6a8f645baf8346ca84742 Mon Sep 17 00:00:00 2001
From: Dmitry Stogov
Date: Mon, 23 Sep 2024 16:08:14 +0300
Subject: [PATCH] Fix GH-15973: Segmentation fault in JIT mode 1135
---
 ext/opcache/jit/zend_jit_arm64.dasc | 4 +++-
 ext/opcache/jit/zend_jit_x86.dasc | 4 +++-
 ext/opcache/tests/jit/gh15973.phpt | 24 ++++++++++++++++++++++++
 3 files changed, 30 insertions(+), 2 deletions(-)
 create mode 100644 ext/opcache/tests/jit/gh15973.phpt
diff --git a/ext/opcache/jit/zend_jit_arm64.dasc b/ext/opcache/jit/zend_jit_arm64.dasc
index 05219b3cfae31..90e27fcf5165c 100644
--- a/ext/opcache/jit/zend_jit_arm64.dasc
+++ b/ext/opcache/jit/zend_jit_arm64.dasc
@@ -13829,7 +13829,9 @@ static int zend_jit_load_this(dasm_State **Dst, uint32_t var)
 static int zend_jit_fetch_this(dasm_State **Dst, const zend_op *opline, const zend_op_array *op_array, bool check_only)
 {
- if (!op_array->scope || (op_array->fn_flags & ZEND_ACC_STATIC)) {
+ if (!op_array->scope ||
+ (op_array->fn_flags & ZEND_ACC_STATIC) ||
+ ((op_array->fn_flags & (ZEND_ACC_CLOSURE|ZEND_ACC_IMMUTABLE)) == ZEND_ACC_CLOSURE)) {
 if (JIT_G(trigger) == ZEND_JIT_ON_HOT_TRACE) {
 if (!JIT_G(current_frame) ||
 !TRACE_FRAME_IS_THIS_CHECKED(JIT_G(current_frame))) {
diff --git a/ext/opcache/jit/zend_jit_x86.dasc b/ext/opcache/jit/zend_jit_x86.dasc
index 999295ef01a94..c5622141f564f 100644
--- a/ext/opcache/jit/zend_jit_x86.dasc
+++ b/ext/opcache/jit/zend_jit_x86.dasc
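Review bot: The new third operand in zend_jit_fetch_this exempts closures flagged ZEND_ACC_IMMUTABLE from the runtime $this check without saying why: `(op_array->fn_flags & (ZEND_ACC_CLOSURE|ZEND_ACC_IMMUTABLE)) == ZEND_ACC_CLOSURE` is true only for a closure that lacks that flag, and neither the hunk nor the commit message explains the exemption. Because this condition is the guard for a crash fix, the reasoning belongs next to it; judging by the added test (a closure rebound with `bindTo()` to a class scope and no object), a comment above the `if` such as `/* A closure can be rebound to a scope without an object, so $this must be checked at run time; <reason immutable op_arrays are exempt> */` would do, with the placeholder filled in by the author. The same applies to the identical hunk in zend_jit_x86.dasc. The function body continues past the end of both hunks.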
@@ -14749,7 +14749,9 @@ static int zend_jit_load_this(dasm_State **Dst, uint32_t var)
 static int zend_jit_fetch_this(dasm_State **Dst, const zend_op *opline, const zend_op_array *op_array, bool check_only)
 {
- if (!op_array->scope || (op_array->fn_flags & ZEND_ACC_STATIC)) {
+ if (!op_array->scope ||
+ (op_array->fn_flags & ZEND_ACC_STATIC) ||
+ ((op_array->fn_flags & (ZEND_ACC_CLOSURE|ZEND_ACC_IMMUTABLE)) == ZEND_ACC_CLOSURE)) {
 if (JIT_G(trigger) == ZEND_JIT_ON_HOT_TRACE) {
 if (!JIT_G(current_frame) ||
 !TRACE_FRAME_IS_THIS_CHECKED(JIT_G(current_frame))) {
diff --git a/ext/opcache/tests/jit/gh15973.phpt b/ext/opcache/tests/jit/gh15973.phpt
new file mode 100644
index 0000000000000..fcf893bccf1b5
--- /dev/null
+++ b/ext/opcache/tests/jit/gh15973.phpt
@@ -0,0 +1,24 @@
+--TEST--
+GH-15973 (Segmentation fault in JIT mode 1135)
+--EXTENSIONS--
+opcache
+--INI--
+opcache.jit=1215
+opcache.jit_buffer_size=64M
+--FILE--
+prop[] = 1;
+})->bindTo($test, Test::class);
+$appendProp2();
+?>
+--EXPECTF--
+Warning: Undefined variable $test in %sgh15973.php on line 6
+
+Fatal error: Uncaught Error: Using $this when not in object context in %sgh15973.php:5
+Stack trace:
+#0 %sgh15973.php(7): Test::{closure}()
+#1 {main}
+ thrown in %sgh15973.php on line 5
\ No newline at end of file
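Review bot: The regression test runs under `opcache.jit=1215` only, while the commit title and the --TEST-- line both name JIT mode 1135, and the patched condition in the .dasc files also sits in front of a `ZEND_JIT_ON_HOT_TRACE` branch. The script calls the rebound closure once, so it presumably reaches neither that branch nor the mode from the report. Consider a second .phpt that sets the mode from the issue (or `opcache.jit=tracing`) and still expects the `Using $this when not in object context` error rather than a crash, so that a regression in the other trigger path is caught as well.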