Cleanup SSA(s) in case of fatal error during tracing JIT

This fixes segfault becuse of UAF in ext/standard/tests/gh14643_longname.phpt

Author: dstogov

ext/opcache/jit/zend_jit_trace.c

@@ -4064,6 +4064,7 @@ static const void *zend_jit_trace(zend_jit_trace_rec *trace_buffer, uint32_t par
 	zend_jit_trace_rec *p;
 	zend_jit_op_array_trace_extension *jit_extension;
 	int num_op_arrays = 0;
+	bool do_bailout = 0;
 	zend_jit_trace_info *t;
 	const zend_op_array *op_arrays[ZEND_JIT_TRACE_MAX_FUNCS];
 	uint8_t smart_branch_opcode;
@@ -4094,6 +4095,8 @@ static const void *zend_jit_trace(zend_jit_trace_rec *trace_buffer, uint32_t par
 
 	checkpoint = zend_arena_checkpoint(CG(arena));
 
+	zend_try {
+
 	ssa = zend_jit_trace_build_tssa(trace_buffer, parent_trace, exit_num, script, op_arrays, &num_op_arrays);
 
 	if (!ssa) {
@@ -7286,6 +7289,10 @@ static const void *zend_jit_trace(zend_jit_trace_rec *trace_buffer, uint32_t par
 		zend_string_release(name);
 	}
 
+	} zend_catch {
+		do_bailout = 1;
+	}  zend_end_try();
+
 jit_cleanup:
 	/* Clean up used op_arrays */
 	while (num_op_arrays > 0) {
@@ -7306,6 +7313,10 @@ static const void *zend_jit_trace(zend_jit_trace_rec *trace_buffer, uint32_t par
 	JIT_G(current_frame) = NULL;
 	JIT_G(current_trace) = NULL;
 
+	if (do_bailout) {
+		zend_bailout();
+	}
+
 	return handler;
 }