JIT: Fixed incorrect FETCH_OBJ_W code for typed property

Author: dstogov

ext/opcache/jit/zend_jit_x86.dasc

@@ -12839,7 +12839,11 @@ static int zend_jit_fetch_obj(dasm_State          **Dst,
 			|.cold_code
 			|1:
 			|	test dword [FCARG2a + offsetof(zend_property_info, flags)], ZEND_ACC_READONLY
-			|	jz >3
+			if (flags) {
+				|	jz >3
+			} else {
+				|	jz >4
+			}
 			|	IF_NOT_Z_TYPE FCARG1a, IS_OBJECT, >2
 			|	GET_Z_PTR r0, FCARG1a
 			|	GC_ADDREF r0
@@ -12873,6 +12877,7 @@ static int zend_jit_fetch_obj(dasm_State          **Dst,
 				ZEND_ASSERT(flags == 0);
 			}
 			|.code
+			|4:
 		}
 	} else {
 		prop_addr = ZEND_ADDR_MEM_ZVAL(ZREG_FCARG1, prop_info->offset);

ext/opcache/tests/jit/fetch_obj_007.phpt

@@ -0,0 +1,31 @@
+--TEST--
+JIT: FETCH_OBJ 007
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+--FILE--
+<?php
+class C {
+    public ?C $prop = null;
+}
+function foo($obj) {
+    $obj->prop->prop = null;
+}
+
+$obj = new C;
+$obj->prop = new C;
+for ($i = 0; $i < 10; $i++) {
+    foo($obj);
+}
+var_dump($obj);
+?>
+--EXPECT--
+object(C)#1 (1) {
+  ["prop"]=>
+  object(C)#2 (1) {
+    ["prop"]=>
+    NULL
+  }
+}