diff --git a/ext/opcache/jit/zend_jit_helpers.c b/ext/opcache/jit/zend_jit_helpers.c
index 8fd7d94317b5d..177feea3afa6e 100644
--- a/ext/opcache/jit/zend_jit_helpers.c
+++ b/ext/opcache/jit/zend_jit_helpers.c
@@ -1718,7 +1718,7 @@ static void ZEND_FASTCALL zend_jit_fast_assign_concat_helper(zval *op1, zval *op
 	zend_string *result_str;
 	uint32_t flags = ZSTR_GET_COPYABLE_CONCAT_PROPERTIES_BOTH(Z_STR_P(op1), Z_STR_P(op2));
 
-	if (UNEXPECTED(op1_len > SIZE_MAX - op2_len)) {
+	if (UNEXPECTED(op1_len > ZSTR_MAX_LEN - op2_len)) {
 		zend_throw_error(NULL, "String size overflow");
 		return;
 	}
@@ -1754,7 +1754,7 @@ static void ZEND_FASTCALL zend_jit_fast_concat_helper(zval *result, zval *op1, z
 	zend_string *result_str;
 	uint32_t flags = ZSTR_GET_COPYABLE_CONCAT_PROPERTIES_BOTH(Z_STR_P(op1), Z_STR_P(op2));
 
-	if (UNEXPECTED(op1_len > SIZE_MAX - op2_len)) {
+	if (UNEXPECTED(op1_len > ZSTR_MAX_LEN - op2_len)) {
 		zend_throw_error(NULL, "String size overflow");
 		return;
 	}
@@ -1778,7 +1778,7 @@ static void ZEND_FASTCALL zend_jit_fast_concat_tmp_helper(zval *result, zval *op
 	zend_string *result_str;
 	uint32_t flags = ZSTR_GET_COPYABLE_CONCAT_PROPERTIES_BOTH(Z_STR_P(op1), Z_STR_P(op2));
 
-	if (UNEXPECTED(op1_len > SIZE_MAX - op2_len)) {
+	if (UNEXPECTED(op1_len > ZSTR_MAX_LEN - op2_len)) {
 		zend_throw_error(NULL, "String size overflow");
 		return;
 	}
diff --git a/ext/opcache/jit/zend_jit_ir.c b/ext/opcache/jit/zend_jit_ir.c
index b8ff64706c076..69c80ff63304e 100644
--- a/ext/opcache/jit/zend_jit_ir.c
+++ b/ext/opcache/jit/zend_jit_ir.c
@@ -4213,6 +4213,7 @@ static int zend_jit_handler(zend_jit_ctx *jit, const zend_op *opline, int may_th
 		case ZEND_ASSIGN_STATIC_PROP_OP:
 		case ZEND_ASSIGN_STATIC_PROP_REF:
 		case ZEND_ASSIGN_OBJ_REF:
+		case ZEND_FRAMELESS_ICALL_3:
 			zend_jit_set_last_valid_opline(jit, opline + 2);
 			break;
 		default:
diff --git a/ext/opcache/tests/jit/gh18037.phpt b/ext/opcache/tests/jit/gh18037.phpt
new file mode 100644
index 0000000000000..26de60228e8cb
--- /dev/null
+++ b/ext/opcache/tests/jit/gh18037.phpt
@@ -0,0 +1,24 @@
+--TEST--
+GH-18037 (SEGV Zend/zend_execute.c)
+--EXTENSIONS--
+opcache
+--INI--
+opcache.jit=1201
+--FILE--
+<?php
+function test_helper()
+{
+    $list = [];
+    \in_array($list[0], $list, true) !== $list->matches();
+}
+
+test_helper();
+?>
+--EXPECTF--
+Warning: Undefined array key 0 in %s on line %d
+
+Fatal error: Uncaught Error: Call to a member function matches() on array in %s:%d
+Stack trace:
+#0 %s(%d): test_helper()
+#1 {main}
+  thrown in %s on line %d
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 3e386254b7e43..937e9f41b845e 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -665,12 +665,14 @@ static bool spl_array_has_dimension_ex(bool check_inherited, zend_object *object
 		}
 	}
 
+	/* empty() check the value is not falsy, isset() only check it is not null */
+	bool result = check_empty ? zend_is_true(value) : Z_TYPE_P(value) != IS_NULL;
+
 	if (value == &rv) {
 		zval_ptr_dtor(&rv);
 	}
 
-	/* empty() check the value is not falsy, isset() only check it is not null */
-	return check_empty ? zend_is_true(value) : Z_TYPE_P(value) != IS_NULL;
+	return result;
 } /* }}} */
 
 static int spl_array_has_dimension(zend_object *object, zval *offset, int check_empty) /* {{{ */
diff --git a/ext/spl/tests/gh18018.phpt b/ext/spl/tests/gh18018.phpt
new file mode 100644
index 0000000000000..06fa7fc3d0e55
--- /dev/null
+++ b/ext/spl/tests/gh18018.phpt
@@ -0,0 +1,20 @@
+--TEST--
+GH-18018 (RC1 data returned from offsetGet causes UAF in ArrayObject)
+--FILE--
+<?php
+class Crap extends ArrayObject
+{
+    public function offsetGet($offset): mixed
+    {
+        return [random_int(1,1)];
+    }
+}
+
+$values = ['qux' => 1];
+
+$object = new Crap($values);
+
+var_dump(empty($object['qux']));
+?>
+--EXPECT--
+bool(false)