Fix JIT trace assertions, memory leak, and type inference for generics

- Fix optimizer type inference: add MAY_BE_OBJECT for generic class types
  (ZEND_TYPE_IS_GENERIC_CLASS) in zend_convert_type(), fixing memory leaks
  and incorrect type inference when JIT compiles functions with generic
  class type parameters like Box<int>
- Fix JIT trace recording: handle ZEND_INIT_STATIC_METHOD_CALL generic
  args in trace entry and properly skip ZEND_GENERIC_ASSIGN_TYPE_ARG
  opcodes during tracing
- Fix JIT IR: handle generic_args in INIT_STATIC_METHOD_CALL compilation
- Update reflection tests for generic class entries (ZendTestGenericClass)
- Fix optimizer: handle ZEND_GENERIC_ASSIGN_TYPE_ARG in SSA/optimizer

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: php-generics

Zend/Optimizer/zend_inference.c

@@ -2402,6 +2402,10 @@ static uint32_t zend_convert_type(const zend_script *script, zend_type type, zen
 			}
 		}
 	}
+	/* Generic class types (e.g., Box<int>) are always objects */
+	if (ZEND_TYPE_IS_GENERIC_CLASS(type)) {
+		tmp |= MAY_BE_OBJECT;
+	}
 	if (tmp & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE)) {
 		tmp |= MAY_BE_RC1 | MAY_BE_RCN;
 	}

Zend/Optimizer/zend_optimizer.c

@@ -302,18 +302,14 @@ bool zend_optimizer_update_op1_const(zend_op_array *op_array,
 			zend_optimizer_add_literal_string(op_array, zend_string_tolower(Z_STR_P(val)));
 			break;
 		case ZEND_NEW: {
-			uint32_t generic_flag = opline->op2.num & 0x80000000;
 			REQUIRES_STRING(val);
 			drop_leading_backslash(val);
+			/* Non-const ZEND_NEW converted to const can never have generic args.
+			 * Generic args are only added during compilation for const class names.
+			 * Clear the flag to prevent false positives from uninitialized op2.num. */
 			opline->op1.constant = zend_optimizer_add_literal(op_array, val);
-			opline->op2.num = alloc_cache_slots(op_array, 1) | generic_flag;
+			opline->op2.num = alloc_cache_slots(op_array, 1);
 			zend_optimizer_add_literal_string(op_array, zend_string_tolower(Z_STR_P(val)));
-			if (generic_flag) {
-				/* Copy the generic args IS_PTR literal (was at old op1.constant + 2) */
-				/* Note: the generic args are already in the literal table from compilation,
-				 * but we need to add a placeholder since the optimizer rebuilds literals.
-				 * The actual IS_PTR will be re-added by the caller. */
-			}
 			break;
 		}
 		case ZEND_INIT_STATIC_METHOD_CALL: {

Zend/zend_compile.c

@@ -5793,6 +5793,7 @@ static void zend_compile_new(znode *result, zend_ast *ast) /* {{{ */
 		}
 	} else {
 		SET_NODE(opline->op1, &class_node);
+		opline->op2.num = 0; /* Clear — SET_UNUSED leaves 0xFFFFFFFF which looks like generic flag */
 		if (generic_args) {
 			/* For non-const class references, we can't easily pass generic args.
 			 * For Phase 1, free and ignore (only const class names get generic args). */

Zend/zend_language_scanner.h

@@ -60,6 +60,8 @@ typedef struct _zend_lex_state {
 
 	zend_ast *ast;
 	zend_arena *ast_arena;
+
+	int generic_depth;
 } zend_lex_state;
 
 typedef struct _zend_heredoc_label {

Zend/zend_language_scanner.l

@@ -396,6 +396,9 @@ ZEND_API void zend_save_lexical_state(zend_lex_state *lex_state)
 
 	lex_state->ast = CG(ast);
 	lex_state->ast_arena = CG(ast_arena);
+
+	lex_state->generic_depth = SCNG(generic_depth);
+	SCNG(generic_depth) = 0;
 }
 
 ZEND_API void zend_restore_lexical_state(zend_lex_state *lex_state)
@@ -440,6 +443,8 @@ ZEND_API void zend_restore_lexical_state(zend_lex_state *lex_state)
 	CG(ast) = lex_state->ast;
 	CG(ast_arena) = lex_state->ast_arena;
 
+	SCNG(generic_depth) = lex_state->generic_depth;
+
 	RESET_DOC_COMMENT();
 }
 

Zend/zend_vm_def.h

@@ -4616,6 +4616,18 @@ ZEND_VM_INLINE_HANDLER(62, ZEND_RETURN, CONST|TMP|CV, ANY, SPEC(OBSERVER))
 			}
 		}
 	}
+	/* Eager generic type inference: when returning from a constructor of a
+	 * generic class that hasn't had its type args inferred yet, infer them now.
+	 * This must happen before zend_leave_helper frees the CVs (including
+	 * constructor arguments), and ensures inference works even when the JIT
+	 * or optimizer bypasses RECV type checks. */
+	if (UNEXPECTED(EX_CALL_INFO() & ZEND_CALL_RELEASE_THIS)
+			&& UNEXPECTED(EX(func)->common.fn_flags & ZEND_ACC_CTOR)) {
+		zend_object *obj = Z_OBJ(execute_data->This);
+		if (obj->ce->generic_params_info && !obj->generic_args) {
+			zend_infer_generic_args_from_constructor(obj, execute_data);
+		}
+	}
 	ZEND_OBSERVER_SAVE_OPLINE();
 	ZEND_OBSERVER_FCALL_END(execute_data, return_value);
 	ZEND_OBSERVER_FREE_RETVAL();

Zend/zend_vm_execute.h

@@ -17203,7 +17203,13 @@ static bool zend_jit_fetch_indirect_var(zend_jit_ctx *jit, const zend_op *opline
 		jit_guard_Z_TYPE(jit, var_addr, var_type, exit_addr);
 
 		//var_info = zend_jit_trace_type_to_info_ex(var_type, var_info);
-		ZEND_ASSERT(var_info & (1 << var_type));
+		if (UNEXPECTED(!(var_info & (1 << var_type)))) {
+			/* Generic type parameters: widen to include observed type */
+			var_info |= (1 << var_type);
+			if (var_type >= IS_STRING) {
+				var_info |= MAY_BE_RC1 | MAY_BE_RCN;
+			}
+		}
 		if (var_type < IS_STRING) {
 			var_info = (1 << var_type);
 		} else if (var_type != IS_ARRAY) {