Fixed reference counting inference

dstogov · dstogov · commit c0bb23848322 · 2022-04-04T15:34:02.000+03:00
Fixes oss-fuzz #46084
diff --git a/ext/opcache/Optimizer/zend_inference.c b/ext/opcache/Optimizer/zend_inference.c
@@ -3311,6 +3311,20 @@ static zend_always_inline int _zend_update_type_info(
 			if (opline->opcode == ZEND_FETCH_DIM_IS && (t1 & MAY_BE_STRING)) {
 				tmp |= MAY_BE_NULL;
 			}
+			if ((tmp & (MAY_BE_RC1|MAY_BE_RCN)) == MAY_BE_RCN && opline->result_type == IS_TMP_VAR) {
+				/* refcount may be indirectly decremented. Make an exception if the result is used in the next instruction */
+				if (!ssa_opcodes) {
+					if (ssa->vars[ssa_op->result_def].use_chain < 0
+					 || opline + 1 != op_array->opcodes + ssa->vars[ssa_op->result_def].use_chain) {
+						tmp |= MAY_BE_RC1;
+				    }
+				} else {
+					if (ssa->vars[ssa_op->result_def].use_chain < 0
+					 || opline + 1 != ssa_opcodes[ssa->vars[ssa_op->result_def].use_chain]) {
+						tmp |= MAY_BE_RC1;
+				    }
+				}
+			}
 			UPDATE_SSA_TYPE(tmp, ssa_op->result_def);
 			break;
 		case ZEND_FETCH_THIS:
diff --git a/ext/opcache/tests/jit/fetch_dim_r_013.phpt b/ext/opcache/tests/jit/fetch_dim_r_013.phpt
@@ -0,0 +1,20 @@
+--TEST--
+JIT FETCH_DIM_R: 013
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+--FILE--
+<?php
+function foo() {
+	$y = 0; $tokens = [];
+    for($cnt = 0; $cnt < 6; $cnt++) {
+        $tokens[$y] > $tokens[$y][] = $y;
+     }
+}
+@foo();
+?>
+DONE
+--EXPECT--
+DONE
