From f2dcd13daf3c6334ba9baca29861a3d3df48b31a Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Thu, 13 Mar 2025 21:05:33 +0100
Subject: [PATCH] Fix GH-18037: SEGV Zend/zend_execute.c

A frameless icall with 3 arguments is a special case because it uses OP_DATA, but this was not added to the list, so the opline pointed to the wrong address resulting in UBSAN report or crash.
---
 ext/opcache/jit/zend_jit_ir.c | 1 +
 ext/opcache/tests/jit/gh18037.phpt | 24 ++++++++++++++++++++++++
 2 files changed, 25 insertions(+)
 create mode 100644 ext/opcache/tests/jit/gh18037.phpt

diff --git a/ext/opcache/jit/zend_jit_ir.c b/ext/opcache/jit/zend_jit_ir.c
index 32c58f24c7cd2..7ff6522ba2c4a 100644
--- a/ext/opcache/jit/zend_jit_ir.c
+++ b/ext/opcache/jit/zend_jit_ir.c
@@ -4209,6 +4209,7 @@ static int zend_jit_handler(zend_jit_ctx *jit, const zend_op *opline, int may_th
 case ZEND_ASSIGN_STATIC_PROP_OP:
 case ZEND_ASSIGN_STATIC_PROP_REF:
 case ZEND_ASSIGN_OBJ_REF:
+ case ZEND_FRAMELESS_ICALL_3:
 zend_jit_set_last_valid_opline(jit, opline + 2);
 break;
 default:
diff --git a/ext/opcache/tests/jit/gh18037.phpt b/ext/opcache/tests/jit/gh18037.phpt
new file mode 100644
index 0000000000000..26de60228e8cb
--- /dev/null
+++ b/ext/opcache/tests/jit/gh18037.phpt
@@ -0,0 +1,24 @@
+--TEST--
+GH-18037 (SEGV Zend/zend_execute.c)
+--EXTENSIONS--
+opcache
+--INI--
+opcache.jit=1201
+--FILE--
+matches();
+}
+
+test_helper();
+?>
+--EXPECTF--
+Warning: Undefined array key 0 in %s on line %d
+
+Fatal error: Uncaught Error: Call to a member function matches() on array in %s:%d
+Stack trace:
+#0 %s(%d): test_helper()
+#1 {main}
+ thrown in %s on line %d
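Review bot: The new `case ZEND_FRAMELESS_ICALL_3:` arm gives no hint of why a call opcode belongs with the assign-op cases, so the next reader must rediscover from the commit message that only the three-argument frameless variant is followed by a ZEND_OP_DATA opline; a comment on that line such as `/* third operand lives in a following ZEND_OP_DATA, so the next valid opline is opline + 2 */` would make the list self-explaining. Because this switch is a hand-maintained enumeration of OP_DATA users and this bug is exactly such an omission, it is worth making the next miss loud: a `ZEND_ASSERT((opline + 1)->opcode != ZEND_OP_DATA);` in the `default:` arm would turn a forgotten opcode into a debug-build failure instead of a wrong opline and undefined behaviour. The body of that `default:` arm, and zend_jit_handler as a whole, start and end outside the hunk, so I cannot confirm it is the arm that computes `opline + 1`.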
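Review bot: The expected output wildcards every line number (`on line %d`, `%s:%d`), yet the defect being fixed is that the JIT recorded the wrong opline, so a regression that attributes the warning or the uncaught Error to another line without crashing would still pass; writing the literal line numbers in `--EXPECTF--` (keeping `%s` only for the path) would let the test catch that case as well. The `--INI--` section sets only `opcache.jit=1201`; unless the test harness supplies them, `opcache.enable=1`, `opcache.enable_cli=1` and a non-zero `opcache.jit_buffer_size` are needed for the JIT to engage at all, otherwise the script runs interpreted and never reaches the patched code. The `--FILE--` section is garbled in this copy (the text from `<?php` up to the `->` before `matches()` is missing), so the reproducer itself could not be checked.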