Fix type inference

dstogov · dstogov · commit b86c6245cc7d · 2022-06-06T11:13:53.000+03:00
This fixes oss-fuzz #47777
diff --git a/Zend/Optimizer/zend_inference.c b/Zend/Optimizer/zend_inference.c
@@ -3231,17 +3231,20 @@ static zend_always_inline int _zend_update_type_info(
 							key_type |= MAY_BE_ARRAY_PACKED;
 						}
 						if (t1 & MAY_BE_ARRAY) {
-							key_type |= MAY_BE_HASH_ONLY(t1) ? MAY_BE_ARRAY_NUMERIC_HASH : MAY_BE_ARRAY_KEY_LONG;
+							key_type |= (MAY_BE_HASH_ONLY(t1) || (t1 & (MAY_BE_UNDEF|MAY_BE_NULL|MAY_BE_FALSE))) ?
+								MAY_BE_ARRAY_NUMERIC_HASH : MAY_BE_ARRAY_KEY_LONG;
 						}
 					} else {
 						if (t2 & (MAY_BE_LONG|MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_RESOURCE|MAY_BE_DOUBLE)) {
-							key_type |= MAY_BE_HASH_ONLY(t1) ? MAY_BE_ARRAY_NUMERIC_HASH : MAY_BE_ARRAY_KEY_LONG;
+							key_type |= (MAY_BE_HASH_ONLY(t1) || (t1 & (MAY_BE_UNDEF|MAY_BE_NULL|MAY_BE_FALSE))) ?
+								MAY_BE_ARRAY_NUMERIC_HASH : MAY_BE_ARRAY_KEY_LONG;
 						}
 						if (t2 & MAY_BE_STRING) {
 							key_type |= MAY_BE_ARRAY_KEY_STRING;
 							if (opline->op2_type != IS_CONST) {
 								// FIXME: numeric string
-								key_type |= MAY_BE_HASH_ONLY(t1) ? MAY_BE_ARRAY_NUMERIC_HASH : MAY_BE_ARRAY_KEY_LONG;
+								key_type |= (MAY_BE_HASH_ONLY(t1) || (t1 & (MAY_BE_UNDEF|MAY_BE_NULL|MAY_BE_FALSE))) ?
+									MAY_BE_ARRAY_NUMERIC_HASH : MAY_BE_ARRAY_KEY_LONG;
 							}
 						}
 						if (t2 & (MAY_BE_UNDEF | MAY_BE_NULL)) {
diff --git a/ext/opcache/tests/opt/inference_009.phpt b/ext/opcache/tests/opt/inference_009.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Type inference 009: FRTCH_DIM_W
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.optimization_level=-1
+--FILE--
+<?php
+function y() {
+    for(;;) {
+        $arr[y][]=y;
+        $arr=[''=>y];
+    }
+}
+?>
+DONE
+--EXPECT--
+DONE

Original file line number	Diff line number	Diff line change
`@@ -3231,17 +3231,20 @@ static zend_always_inline int _zend_update_type_info(`
`3231`	`3231`	`key_type \|= MAY_BE_ARRAY_PACKED;`
`3232`	`3232`	`}`
`3233`	`3233`	`if (t1 & MAY_BE_ARRAY) {`
`3234`		`- key_type \|= MAY_BE_HASH_ONLY(t1) ? MAY_BE_ARRAY_NUMERIC_HASH : MAY_BE_ARRAY_KEY_LONG;`
	`3234`	`+ key_type \|= (MAY_BE_HASH_ONLY(t1) \|\| (t1 & (MAY_BE_UNDEF\|MAY_BE_NULL\|MAY_BE_FALSE))) ?`
	`3235`	`+ MAY_BE_ARRAY_NUMERIC_HASH : MAY_BE_ARRAY_KEY_LONG;`
`3235`	`3236`	`}`
`3236`	`3237`	`} else {`
`3237`	`3238`	`if (t2 & (MAY_BE_LONG\|MAY_BE_FALSE\|MAY_BE_TRUE\|MAY_BE_RESOURCE\|MAY_BE_DOUBLE)) {`
`3238`		`- key_type \|= MAY_BE_HASH_ONLY(t1) ? MAY_BE_ARRAY_NUMERIC_HASH : MAY_BE_ARRAY_KEY_LONG;`
	`3239`	`+ key_type \|= (MAY_BE_HASH_ONLY(t1) \|\| (t1 & (MAY_BE_UNDEF\|MAY_BE_NULL\|MAY_BE_FALSE))) ?`
	`3240`	`+ MAY_BE_ARRAY_NUMERIC_HASH : MAY_BE_ARRAY_KEY_LONG;`
`3239`	`3241`	`}`
`3240`	`3242`	`if (t2 & MAY_BE_STRING) {`
`3241`	`3243`	`key_type \|= MAY_BE_ARRAY_KEY_STRING;`
`3242`	`3244`	`if (opline->op2_type != IS_CONST) {`
`3243`	`3245`	`// FIXME: numeric string`
`3244`		`- key_type \|= MAY_BE_HASH_ONLY(t1) ? MAY_BE_ARRAY_NUMERIC_HASH : MAY_BE_ARRAY_KEY_LONG;`
	`3246`	`+ key_type \|= (MAY_BE_HASH_ONLY(t1) \|\| (t1 & (MAY_BE_UNDEF\|MAY_BE_NULL\|MAY_BE_FALSE))) ?`
	`3247`	`+ MAY_BE_ARRAY_NUMERIC_HASH : MAY_BE_ARRAY_KEY_LONG;`
`3245`	`3248`	`}`
`3246`	`3249`	`}`
`3247`	`3250`	`if (t2 & (MAY_BE_UNDEF \| MAY_BE_NULL)) {`