Fixes GH-18262. See #18262 (comment).

In zend_jit_fetch_obj(), we may emit a type guard (in zend_jit_guard_fetch_result_type()) before the exception check. When an exception is throw while fetching a property and the guard fails, we ignore the exception and start side tracing. In GH-18262 an assertion fails during tracing because EG(exception) is set.

Here I add a new exit flag ZEND_JIT_EXIT_CHECK_EXCEPTION, that enables exception checking during exit/deoptimization. This seems ideal because this ensures that house keeping is done before exception handling (freeing op1), and avoids duplicating the exception check in zend_jit_fetch_obj(). Also, it is my understanding that deoptimization is required before handling the exception in this case.

We already checked for exceptions during exit/deoptimization, but only when ZEND_JIT_EXIT_FREE_OP1 or ZEND_JIT_EXIT_FREE_OP2 were set (presumably to handle exceptions thrown during dtor). Here I make it possible to request it explicitly with ZEND_JIT_EXIT_CHECK_EXCEPTION.

I had to change exception checking in zend_jit_trace_exit() to handle two issues:

• By returning 1, we were telling the caller (zend_jit_trace_exit_stub()) to execute the original op handler of EG(current_execute_data)->opline, but in reality we want to execute EX(opline), which should be EG(exception_op).
• EX(opline) is set to %r15 in zend_jit_trace_exit_stub() before calling zend_jit_trace_exit(), but this may be the address of a zend_execute_data when IP is being reused to cache EX(call) (which was the case here). This is usually not an issue because we override EX(opline) again in zend_jit_trace_exit_stub(), in most cases, except when checking exceptions.

BTW, I think it may be possible to stop reusing IP / %r15 for holding the value of EX(opline) (edit: I meant EX(call)) in the new JIT? From my understanding this was very convenient in the old JIT, but it seems unnecessary now.