Merge branch 'PHP-8.4'

* PHP-8.4:
  Fix GH-17140 (Assertion failure in JIT trace exit with ZEND_FETCH_DIM_FUNC_ARG)
  Fix GH-16255: Unexpected nan value in ext/gd/libgd/gd_filter.c

Author: nielsdos

ext/gd/gd.c

@@ -3739,7 +3739,24 @@ PHP_FUNCTION(imageconvolution)
 			}
 		}
 	}
-	res = gdImageConvolution(im_src, matrix, (float)div, (float)offset);
+
+	if (UNEXPECTED(!zend_finite(div))) {
+		zend_argument_value_error(3, "must be finite");
+		RETURN_THROWS();
+	}
+
+	float div_float = (float) div;
+	if (UNEXPECTED(div_float == 0.0f)) {
+		zend_argument_value_error(3, "must not be 0");
+		RETURN_THROWS();
+	}
+
+	if (UNEXPECTED(!zend_finite(offset))) {
+		zend_argument_value_error(4, "must be finite");
+		RETURN_THROWS();
+	}
+
+	res = gdImageConvolution(im_src, matrix, div_float, (float) offset);
 
 	if (res) {
 		RETURN_TRUE;

ext/gd/tests/gh16255.phpt

@@ -0,0 +1,34 @@
+--TEST--
+GH-16255 (Unexpected nan value in ext/gd/libgd/gd_filter.c)
+--EXTENSIONS--
+gd
+--CREDITS--
+cmb69
+--FILE--
+<?php
+$matrix = array(array(1, 0, 1), array(0, 5, 0), array(1, 0, 1));
+$im = imagecreatetruecolor(40, 40);
+
+try {
+    imageconvolution($im, $matrix, NAN, 1.0);
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+
+try {
+    imageconvolution($im, $matrix,  2.225E-307, 1.0);
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+
+try {
+    imageconvolution($im, $matrix, 1, NAN);
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+imageconvolution(): Argument #3 ($divisor) must be finite
+imageconvolution(): Argument #3 ($divisor) must not be 0
+imageconvolution(): Argument #4 ($offset) must be finite

ext/opcache/jit/zend_jit_trace.c

@@ -8654,7 +8654,7 @@ int ZEND_FASTCALL zend_jit_trace_exit(uint32_t exit_num, zend_jit_registers_buf
 				if (op->opcode == ZEND_FETCH_DIM_IS || op->opcode == ZEND_FETCH_OBJ_IS) {
 					ZVAL_NULL(EX_VAR_NUM(i));
 				} else {
-					assert(op->opcode == ZEND_FETCH_DIM_R || op->opcode == ZEND_FETCH_LIST_R || op->opcode == ZEND_FETCH_OBJ_R);
+					ZEND_ASSERT(op->opcode == ZEND_FETCH_DIM_R || op->opcode == ZEND_FETCH_LIST_R || op->opcode == ZEND_FETCH_OBJ_R || op->opcode == ZEND_FETCH_DIM_FUNC_ARG || op->opcode == ZEND_FETCH_OBJ_FUNC_ARG);
 					repeat_last_opline = 1;
 				}
 			} else {

ext/opcache/tests/jit/gh17140_1.phpt

@@ -0,0 +1,33 @@
+--TEST--
+GH-17140 (Assertion failure in JIT trace exit with ZEND_FETCH_DIM_FUNC_ARG)
+--EXTENSIONS--
+opcache
+--INI--
+opcache.jit=1254
+opcache.jit_buffer_size=32M
+opcache.jit_hot_func=1
+opcache.jit_hot_side_exit=1
+--FILE--
+<?php
+namespace Foo;
+function test() {
+    $a['x'][1] = true;
+    for ($fusion = 0; $i < 3; $i++) {
+        var_dump($a['x'][0]);
+    }
+}
+test();
+?>
+--EXPECTF--
+Warning: Undefined variable $i in %s on line %d
+
+Warning: Undefined array key 0 in %s on line %d
+NULL
+
+Warning: Undefined variable $i in %s on line %d
+
+Warning: Undefined array key 0 in %s on line %d
+NULL
+
+Warning: Undefined array key 0 in %s on line %d
+NULL

ext/opcache/tests/jit/gh17140_2.phpt

@@ -0,0 +1,40 @@
+--TEST--
+GH-17140 (Assertion failure in JIT trace exit with ZEND_FETCH_OBJ_FUNC_ARG)
+--EXTENSIONS--
+opcache
+--INI--
+opcache.jit=1254
+opcache.jit_buffer_size=32M
+opcache.jit_hot_func=1
+opcache.jit_hot_side_exit=1
+--FILE--
+<?php
+namespace Foo;
+class X {
+        public $a = 1;
+        public $b;
+        function __construct() {
+                unset($this->b);
+        }
+}
+function test() {
+    $a['x'] = new X;
+    for ($fusion = 0; $i < 3; $i++) {
+        var_dump($a['x']->b);
+    }
+}
+test();
+?>
+--EXPECTF--
+Warning: Undefined variable $i in %s on line %d
+
+Warning: Undefined property: Foo\X::$b in %s on line %d
+NULL
+
+Warning: Undefined variable $i in %s on line %d
+
+Warning: Undefined property: Foo\X::$b in %s on line %d
+NULL
+
+Warning: Undefined property: Foo\X::$b in %s on line %d
+NULL