Dev news

Commit 57c62eb2b34 for php.net

commit 57c62eb2b34385a9c2ab4e7ab802c4a361483ba1
Author: Niels Dossche <7771979+ndossche@users.noreply.github.com>
Date:   Sat Jan 10 17:42:01 2026 +0100

    Fix GH-20890: Segfault in zval_undefined_cv with non-simple property hook with minimal tracing JIT

    This is similar to f6c2e40a11 but for minimal JIT + tracing JIT.
    Most of the times the tracing JIT shouldn't rely on going to the VM, but
    in some cases, like in minimal JIT, it can and then it hits the same
    bug.

    Closes GH-20897.

diff --git a/NEWS b/NEWS
index 80b69c11cf8..4a2dbd15249 100644
--- a/NEWS
+++ b/NEWS
@@ -25,6 +25,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-20836 (Stack overflow in mb_convert_variables with
     recursive array references). (alexandre-daubois)

+- Opcache:
+  . Fixed bug GH-20890 (Segfault in zval_undefined_cv with non-simple
+    property hook with minimal tracing JIT). (ndossche)
+
 - Phar:
   . Fixed bug GH-20882 (buildFromIterator breaks with missing base directory).
     (ndossche)
diff --git a/ext/opcache/jit/zend_jit_trace.c b/ext/opcache/jit/zend_jit_trace.c
index 9d2de55e294..41393f721cf 100644
--- a/ext/opcache/jit/zend_jit_trace.c
+++ b/ext/opcache/jit/zend_jit_trace.c
@@ -328,6 +328,14 @@ static int zend_jit_trace_may_exit(const zend_op_array *op_array, const zend_op
 			// TODO: recompilation may change target ???
 			return 0;
 #endif
+		case ZEND_FETCH_OBJ_R:
+			if (opline->op2_type == IS_CONST) {
+				const zend_class_entry *ce = opline->op1_type == IS_UNUSED ? op_array->scope : NULL;
+				if (!ce || !(ce->ce_flags & ZEND_ACC_FINAL) || ce->num_hooked_props > 0) {
+					return 1;
+				}
+			}
+			break;
 		case ZEND_RETURN_BY_REF:
 		case ZEND_RETURN:
 			/* return */
diff --git a/ext/opcache/tests/jit/gh20890.phpt b/ext/opcache/tests/jit/gh20890.phpt
new file mode 100644
index 00000000000..c375c379fcc
--- /dev/null
+++ b/ext/opcache/tests/jit/gh20890.phpt
@@ -0,0 +1,37 @@
+--TEST--
+GH-20890 (Segfault in zval_undefined_cv with non-simple property hook with minimal tracing JIT)
+--CREDITS--
+Moonster8282
+--EXTENSIONS--
+opcache
+--INI--
+opcache.jit=1251
+--FILE--
+<?php
+class HookJIT {
+    private int $readCount = 0;
+
+    public int $computed {
+        get {
+            $this->readCount++;
+            return $this->readCount * 2;
+        }
+    }
+}
+
+function hook_hot_path($obj, $iterations) {
+    $sum = 0;
+    for ($i = 0; $i < $iterations; $i++) {
+        $sum += $obj->computed;
+    }
+    return $sum;
+}
+
+echo "Testing property hook in hot path...\n";
+$obj = new HookJIT();
+$result = hook_hot_path($obj, 100);
+echo "Result: $result\n";
+?>
+--EXPECT--
+Testing property hook in hot path...
+Result: 10100