Fix GH-17577: JIT packed type guard crash

When a guard check is created for a variable to check if it's a packed array,
it is possible that there was no prior type check for that variable.
This happens in the global scope for example when the variable aliases.
In the test, this causes a dereference of address 8 because the integer
element in `$a` is interpreted as an array address.
This patch adds a type check if a prior one was not inserted.

Author: nielsdos

ext/opcache/jit/zend_jit_trace.c

@@ -4168,6 +4168,15 @@ static const void *zend_jit_trace(zend_jit_trace_rec *trace_buffer, uint32_t par
 			 && (ssa->vars[i].use_chain != -1
 			  || (ssa->vars[i].phi_use_chain
 			   && !(ssa->var_info[ssa->vars[i].phi_use_chain->ssa_var].type & MAY_BE_PACKED_GUARD)))) {
+				/* The variable type is not checked in all cases above, for example when alias != NO_ALIAS.
+				 * We must emit a type check before dereferencing the array in zend_jit_packed_guard(). */
+				if ((info & MAY_BE_GUARD) != 0) {
+					if (!zend_jit_type_guard(&dasm_state, opline, EX_NUM_TO_VAR(i), IS_ARRAY)) {
+						goto jit_failure;
+					}
+					info &= ~MAY_BE_GUARD;
+				}
+
 				if (!zend_jit_packed_guard(&dasm_state, opline, EX_NUM_TO_VAR(i), info)) {
 					goto jit_failure;
 				}

ext/opcache/tests/jit/gh17577.phpt

@@ -0,0 +1,27 @@
+--TEST--
+GH-17577 (JIT packed type guard crash)
+--EXTENSIONS--
+opcache
+--INI--
+opcache.jit_buffer_size=16M
+opcache.jit_hot_func=1
+--FILE--
+<?php
+$a = array(
+    array(1,2,3),
+    0,
+);
+function my_dump($var) {
+}
+foreach($a as $b) {
+    for ($i = 0; $i < 3; $i++) {
+        my_dump($b[$i]);
+    }
+}
+?>
+--EXPECTF--
+Warning: Trying to access array offset on int in %s on line %d
+
+Warning: Trying to access array offset on int in %s on line %d
+
+Warning: Trying to access array offset on int in %s on line %d