From 9854f2078a7edde09e9f7ddfbbe6485b9e48be46 Mon Sep 17 00:00:00 2001
From: Ilija Tovilo <ilija.tovilo@me.com>
Date: Sat, 21 Feb 2026 02:34:38 +0100
Subject: [PATCH 1/2] Fix missing reference unwrap for FE_FETCH_R in JIT

Fixes GH-21264
---
 ext/opcache/jit/zend_jit_ir.c      |  7 +++++
 ext/opcache/tests/jit/gh21264.phpt | 47 ++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+)
 create mode 100644 ext/opcache/tests/jit/gh21264.phpt

diff --git a/ext/opcache/jit/zend_jit_ir.c b/ext/opcache/jit/zend_jit_ir.c
index ace1206682042..19b3ce125733a 100644
--- a/ext/opcache/jit/zend_jit_ir.c
+++ b/ext/opcache/jit/zend_jit_ir.c
@@ -14105,6 +14105,13 @@ static int zend_jit_fe_fetch(zend_jit_ctx *jit, const zend_op *opline, uint32_t
 				return 0;
 			}
 		} else {
+			// JIT: ZVAL_DEREF(value);
+			if (val_info & MAY_BE_REF) {
+				ir_ref ref = jit_ZVAL_ADDR(jit, val_addr);
+				ref = jit_ZVAL_DEREF_ref(jit, ref);
+				val_addr = ZEND_ADDR_REF_ZVAL(ref);
+				val_info &= ~MAY_BE_REF;
+			}
 			// JIT: ZVAL_COPY(res, value);
 			jit_ZVAL_COPY(jit, var_addr, -1, val_addr, val_info, true);
 		}
diff --git a/ext/opcache/tests/jit/gh21264.phpt b/ext/opcache/tests/jit/gh21264.phpt
new file mode 100644
index 0000000000000..ec6cf407fa3b3
--- /dev/null
+++ b/ext/opcache/tests/jit/gh21264.phpt
@@ -0,0 +1,47 @@
+--TEST--
+GH-21264: Missing reference unwrap for FE_FETCH_R in JIT
+--EXTENSIONS--
+opcache
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.jit=function
+--FILE--
+<?php
+
+class C {
+    public array $array;
+
+    public static function identity($x) {
+        return $x;
+    }
+
+    public function test() {
+        return array_map(self::identity(...), $this->array);
+    }
+}
+
+function test() {
+    $c = new C;
+    $element = 'qux';
+    $c->array = [&$element, &$element];
+    var_dump($c->test());
+}
+
+test();
+test();
+
+?>
+--EXPECT--
+array(2) {
+  [0]=>
+  string(3) "qux"
+  [1]=>
+  string(3) "qux"
+}
+array(2) {
+  [0]=>
+  string(3) "qux"
+  [1]=>
+  string(3) "qux"
+}

From 93fb1f60f0b93fc566c3727a7b165eebe07b03fe Mon Sep 17 00:00:00 2001
From: Ilija Tovilo <ilija.tovilo@me.com>
Date: Sat, 21 Feb 2026 11:43:07 +0100
Subject: [PATCH 2/2] Add another test case

---
 .../jit/{gh21264.phpt => gh21264-1.phpt}      |  0
 ext/opcache/tests/jit/gh21264-2.phpt          | 31 +++++++++++++++++++
 2 files changed, 31 insertions(+)
 rename ext/opcache/tests/jit/{gh21264.phpt => gh21264-1.phpt} (100%)
 create mode 100644 ext/opcache/tests/jit/gh21264-2.phpt

diff --git a/ext/opcache/tests/jit/gh21264.phpt b/ext/opcache/tests/jit/gh21264-1.phpt
similarity index 100%
rename from ext/opcache/tests/jit/gh21264.phpt
rename to ext/opcache/tests/jit/gh21264-1.phpt
diff --git a/ext/opcache/tests/jit/gh21264-2.phpt b/ext/opcache/tests/jit/gh21264-2.phpt
new file mode 100644
index 0000000000000..0729546a959d4
--- /dev/null
+++ b/ext/opcache/tests/jit/gh21264-2.phpt
@@ -0,0 +1,31 @@
+--TEST--
+GH-21264: Missing reference unwrap for FE_FETCH_R in JIT
+--EXTENSIONS--
+opcache
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.jit=tracing
+--FILE--
+<?php
+
+class C {
+    public $prop = 0;
+}
+
+function test($array) {
+    $c = new C;
+    foreach ($array as $c->prop) {
+        $c->prop++;
+    }
+}
+
+$element = 0;
+$array = [&$element, &$element];
+test($array);
+test($array);
+var_dump($element);
+
+?>
+--EXPECT--
+int(0)