Fix type inference

This dixes oss-fuzz #47921

Author: dstogov

Zend/Optimizer/zend_inference.c

@@ -3231,20 +3231,30 @@ static zend_always_inline int _zend_update_type_info(
 							key_type |= MAY_BE_ARRAY_PACKED;
 						}
 						if (t1 & MAY_BE_ARRAY) {
-							key_type |= (MAY_BE_HASH_ONLY(t1) || (t1 & (MAY_BE_UNDEF|MAY_BE_NULL|MAY_BE_FALSE))) ?
+							key_type |= MAY_BE_HASH_ONLY(t1) ?
 								MAY_BE_ARRAY_NUMERIC_HASH : MAY_BE_ARRAY_KEY_LONG;
 						}
 					} else {
 						if (t2 & (MAY_BE_LONG|MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_RESOURCE|MAY_BE_DOUBLE)) {
-							key_type |= (MAY_BE_HASH_ONLY(t1) || (t1 & (MAY_BE_UNDEF|MAY_BE_NULL|MAY_BE_FALSE))) ?
-								MAY_BE_ARRAY_NUMERIC_HASH : MAY_BE_ARRAY_KEY_LONG;
+							if (t1 & (MAY_BE_UNDEF|MAY_BE_NULL|MAY_BE_FALSE)) {
+								key_type |= MAY_BE_ARRAY_PACKED;
+							}
+							if (t1 & MAY_BE_ARRAY) {
+								key_type |= MAY_BE_HASH_ONLY(t1) ?
+									MAY_BE_ARRAY_NUMERIC_HASH : MAY_BE_ARRAY_KEY_LONG;
+						    }
 						}
 						if (t2 & MAY_BE_STRING) {
 							key_type |= MAY_BE_ARRAY_KEY_STRING;
 							if (opline->op2_type != IS_CONST) {
 								// FIXME: numeric string
-								key_type |= (MAY_BE_HASH_ONLY(t1) || (t1 & (MAY_BE_UNDEF|MAY_BE_NULL|MAY_BE_FALSE))) ?
-									MAY_BE_ARRAY_NUMERIC_HASH : MAY_BE_ARRAY_KEY_LONG;
+								if (t1 & (MAY_BE_UNDEF|MAY_BE_NULL|MAY_BE_FALSE)) {
+									key_type |= MAY_BE_ARRAY_PACKED;
+								}
+								if (t1 & MAY_BE_ARRAY) {
+									key_type |= MAY_BE_HASH_ONLY(t1) ?
+										MAY_BE_ARRAY_NUMERIC_HASH : MAY_BE_ARRAY_KEY_LONG;
+							    }
 							}
 						}
 						if (t2 & (MAY_BE_UNDEF | MAY_BE_NULL)) {

ext/opcache/tests/opt/inference_011.phpt

@@ -0,0 +1,17 @@
+--TEST--
+Type inference 011: FETCH_DIM_FUNC_ARG
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.optimization_level=-1
+--FILE--
+<?php
+function() {
+    for(; $a++; $a=y+6) {
+        y($a[y]);
+    }
+}
+?>
+DONE
+--EXPECTF--
+DONE