From 7055459efabf1f426f355bb42bca2ffcf3fa3a55 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Sat, 7 Oct 2023 23:46:29 +0200
Subject: [PATCH] Fix GH-12380: JIT+private array property access inside
 closure accesses private property in child class

For private fields, the scope has to be taken into account, otherwise
the property info may come from the wrong ce.
---
 ext/opcache/jit/zend_jit.c         |  6 ++-
 ext/opcache/tests/jit/gh12380.phpt | 62 ++++++++++++++++++++++++++++++
 2 files changed, 67 insertions(+), 1 deletion(-)
 create mode 100644 ext/opcache/tests/jit/gh12380.phpt

diff --git a/ext/opcache/jit/zend_jit.c b/ext/opcache/jit/zend_jit.c
index 8c6934dfb6358..d969f744e6b4b 100644
--- a/ext/opcache/jit/zend_jit.c
+++ b/ext/opcache/jit/zend_jit.c
@@ -650,7 +650,11 @@ static zend_property_info* zend_get_known_property_info(const zend_op_array *op_
 		return info;
 	} else if (on_this) {
 		if (ce == info->ce) {
-			return info;
+			if (ce == op_array->scope) {
+				return info;
+			} else {
+				return NULL;
+			}
 		} else if ((info->flags & ZEND_ACC_PROTECTED)
 				&& instanceof_function_slow(ce, info->ce)) {
 			return info;
diff --git a/ext/opcache/tests/jit/gh12380.phpt b/ext/opcache/tests/jit/gh12380.phpt
new file mode 100644
index 0000000000000..75a0a9cc41824
--- /dev/null
+++ b/ext/opcache/tests/jit/gh12380.phpt
@@ -0,0 +1,62 @@
+--TEST--
+GH-12380: JIT+private array property access inside closure accesses private property in child class
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+opcache.protect_memory=1
+opcache.jit=tracing
+opcache.jit_hot_loop=1
+opcache.jit_hot_func=1
+opcache.jit_hot_return=1
+opcache.jit_hot_side_exit=1
+--EXTENSIONS--
+opcache
+--FILE--
+<?php
+
+abstract class a
+{
+    private int $v = 1;
+
+    public function test(): void
+    {
+        var_dump($this->v);
+        (function (): void {
+            var_dump($this->v);
+        })();
+    }
+}
+
+final class b extends a {
+    private int $v = 0;
+}
+$a = new b;
+
+for ($i = 0; $i < 10; $i++) {
+    $a->test();
+}
+
+?>
+--EXPECT--
+int(1)
+int(1)
+int(1)
+int(1)
+int(1)
+int(1)
+int(1)
+int(1)
+int(1)
+int(1)
+int(1)
+int(1)
+int(1)
+int(1)
+int(1)
+int(1)
+int(1)
+int(1)
+int(1)
+int(1)