Tracing JIT: Eliminate useless guards for CONCAT

Fixes oss-fuzz #45285

Author: dstogov

ext/opcache/jit/zend_jit_trace.c

@@ -1612,6 +1612,14 @@ static zend_ssa *zend_jit_trace_build_tssa(zend_jit_trace_rec *trace_buffer, uin
 					}
 					ADD_OP1_TRACE_GUARD();
 					break;
+				case ZEND_CONCAT:
+				case ZEND_FAST_CONCAT:
+					if ((opline->op1_type == IS_CONST || orig_op1_type == IS_STRING)
+					 && (opline->op2_type == IS_CONST || orig_op2_type == IS_STRING)) {
+						ADD_OP2_TRACE_GUARD();
+						ADD_OP1_TRACE_GUARD();
+					}
+					break;
 				case ZEND_IS_EQUAL:
 				case ZEND_IS_NOT_EQUAL:
 				case ZEND_IS_SMALLER:
@@ -1630,8 +1638,6 @@ static zend_ssa *zend_jit_trace_build_tssa(zend_jit_trace_rec *trace_buffer, uin
 				case ZEND_SUB:
 				case ZEND_MUL:
 //				case ZEND_DIV: // TODO: check for division by zero ???
-				case ZEND_CONCAT:
-				case ZEND_FAST_CONCAT:
 					ADD_OP2_TRACE_GUARD();
 					/* break missing intentionally */
 				case ZEND_ECHO:

ext/opcache/tests/jit/fetch_dim_r_012.phpt

@@ -0,0 +1,38 @@
+--TEST--
+JIT FETCH_DIM_R: 012
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+--FILE--
+<?php
+function foo() {
+	$a = 0; $a1 = []; $a2 = [];
+    for($i = 0; $i < 6; $i++) {
+        $a1[] = &$y;
+        $a2["$a1[$a] "] = $a += $y;
+    }
+    var_dump($a1, $a2);
+}
+foo();
+?>
+--EXPECT--
+array(6) {
+  [0]=>
+  &NULL
+  [1]=>
+  &NULL
+  [2]=>
+  &NULL
+  [3]=>
+  &NULL
+  [4]=>
+  &NULL
+  [5]=>
+  &NULL
+}
+array(1) {
+  [" "]=>
+  int(0)
+}