Fix inference for assignment of known object to reference

nikic · nikic · commit b08aac0451d4 · 2022-04-15T22:14:44.000+02:00
We cannot retain the ce information in that case, we have to
assume the ce may change indirectly through the reference.

Fixes oss-fuzz #46720.
diff --git a/Zend/tests/assign_obj_to_ref_inference.phpt b/Zend/tests/assign_obj_to_ref_inference.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Assigning an object of known type to a reference variable
+--FILE--
+<?php
+
+class Test {
+    public int $x = 42;
+}
+
+function test() {
+    $r =& $o;
+    $o = new Test;
+    $r = new stdClass;
+    $r->x = 3.141;
+    var_dump(is_float($o->x));
+}
+test();
+
+?>
+--EXPECT--
+bool(true)
diff --git a/ext/opcache/Optimizer/zend_inference.c b/ext/opcache/Optimizer/zend_inference.c
@@ -2740,7 +2740,11 @@ static zend_always_inline int _zend_update_type_info(
 					tmp |= MAY_BE_DOUBLE;
 				}
 				UPDATE_SSA_TYPE(tmp, ssa_op->op1_def);
-				COPY_SSA_OBJ_TYPE(ssa_op->op2_use, ssa_op->op1_def);
+				if (tmp & MAY_BE_REF) {
+					UPDATE_SSA_OBJ_TYPE(NULL, 0, ssa_op->op1_def);
+				} else {
+					COPY_SSA_OBJ_TYPE(ssa_op->op2_use, ssa_op->op1_def);
+				}
 			}
 			if (ssa_op->result_def >= 0) {
 				if (tmp & MAY_BE_REF) {

Original file line number	Diff line number	Diff line change
`@@ -2740,7 +2740,11 @@ static zend_always_inline int _zend_update_type_info(`
`2740`	`2740`	`tmp \|= MAY_BE_DOUBLE;`
`2741`	`2741`	`}`
`2742`	`2742`	`UPDATE_SSA_TYPE(tmp, ssa_op->op1_def);`
`2743`		`- COPY_SSA_OBJ_TYPE(ssa_op->op2_use, ssa_op->op1_def);`
	`2743`	`+ if (tmp & MAY_BE_REF) {`
	`2744`	`+ UPDATE_SSA_OBJ_TYPE(NULL, 0, ssa_op->op1_def);`
	`2745`	`+ } else {`
	`2746`	`+ COPY_SSA_OBJ_TYPE(ssa_op->op2_use, ssa_op->op1_def);`
	`2747`	`+ }`
`2744`	`2748`	`}`
`2745`	`2749`	`if (ssa_op->result_def >= 0) {`
`2746`	`2750`	`if (tmp & MAY_BE_REF) {`