Merge branch 'PHP-8.5'

* PHP-8.5:
  Fix segfault in Tracing JIT with object reference (GH-20818)

Author: iluuu1994

ext/opcache/jit/zend_jit_ir.c

@@ -17199,6 +17199,7 @@ static int zend_jit_trace_handler(zend_jit_ctx *jit, const zend_op_array *op_arr
 						SET_STACK_TYPE(stack, EX_VAR_TO_NUM(opline->op2.var), IS_UNKNOWN, 1);
 					}
 					break;
+				case ZEND_FE_RESET_RW:
 				case ZEND_BIND_INIT_STATIC_OR_JMP:
 					if (opline->op1_type == IS_CV) {
 						old_info = STACK_INFO(stack, EX_VAR_TO_NUM(opline->op1.var));
@@ -17223,6 +17224,7 @@ static int zend_jit_trace_handler(zend_jit_ctx *jit, const zend_op_array *op_arr
 						SET_STACK_INFO(stack, EX_VAR_TO_NUM(opline->op2.var), old_info);
 					}
 					break;
+				case ZEND_FE_RESET_RW:
 				case ZEND_BIND_INIT_STATIC_OR_JMP:
 					if (opline->op1_type == IS_CV) {
 						SET_STACK_INFO(stack, EX_VAR_TO_NUM(opline->op1.var), old_info);

ext/opcache/tests/jit/gh20818.phpt

@@ -0,0 +1,30 @@
+--TEST--
+GH-20818 (Segfault in Tracing JIT with Object Reference)
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.jit=tracing
+opcache.jit_buffer_size=1M
+--FILE--
+<?php
+
+function process($data) {
+    foreach ($data as &$v) {}
+}
+
+$data = [
+    (object) ["" => 1],
+    (object) ["" => 1],
+    (object) [],
+];
+
+for ($i = 0; $i < 200; $i += 1) {
+    foreach ($data as $entry) {
+        process($entry);
+    }
+}
+
+echo "Done\n";
+?>
+--EXPECT--
+Done