Fix bug #81272: Fix func info for functions returning EMPTY_ARRAY

The empty array has refcount > 1, so we should indicate this in
func info. In most cases this renders the func info redundant,
so drop it entirely.

Author: nikic

NEWS

@@ -18,6 +18,7 @@ PHP                                                                        NEWS
     enabled). (Dmitry)
   . Fixed bug #81206 (Multiple PHP processes crash with JIT enabled). (cmb,
     Nikita)
+  . Fixed bug #81272 (Segfault in var[] after array_slice with JIT). (Nikita)
 
 - Standard:
   . Fixed bug #72146 (Integer overflow on substr_replace). (cmb)

ext/opcache/Optimizer/zend_func_info.c

@@ -368,13 +368,11 @@ static const func_info_t func_infos[] = {
 	FN("min",                          UNKNOWN_INFO),
 	FN("max",                          UNKNOWN_INFO),
 	F1("compact",                      MAY_BE_ARRAY | MAY_BE_ARRAY_KEY_STRING | MAY_BE_ARRAY_OF_REF | MAY_BE_ARRAY_OF_ANY),
-	F1("array_fill",                   MAY_BE_ARRAY | MAY_BE_ARRAY_KEY_LONG | MAY_BE_ARRAY_OF_ANY),
+	FN("array_fill",                   MAY_BE_ARRAY | MAY_BE_ARRAY_KEY_LONG | MAY_BE_ARRAY_OF_ANY),
 	F1("array_fill_keys",              MAY_BE_ARRAY | MAY_BE_ARRAY_KEY_ANY | MAY_BE_ARRAY_OF_REF | MAY_BE_ARRAY_OF_ANY),
 	FC("range",                        zend_range_info),
 	FN("array_pop",                    UNKNOWN_INFO),
 	FN("array_shift",                  UNKNOWN_INFO),
-	F1("array_splice",                 MAY_BE_ARRAY | MAY_BE_ARRAY_KEY_ANY | MAY_BE_ARRAY_OF_REF | MAY_BE_ARRAY_OF_ANY),
-	F1("array_slice",                  MAY_BE_ARRAY | MAY_BE_ARRAY_KEY_ANY | MAY_BE_ARRAY_OF_REF | MAY_BE_ARRAY_OF_ANY),
 	F1("array_replace",                MAY_BE_ARRAY | MAY_BE_ARRAY_KEY_ANY | MAY_BE_ARRAY_OF_REF | MAY_BE_ARRAY_OF_ANY),
 	F1("array_replace_recursive",      MAY_BE_ARRAY | MAY_BE_ARRAY_KEY_ANY | MAY_BE_ARRAY_OF_REF | MAY_BE_ARRAY_OF_ANY),
 	FN("array_keys",                   MAY_BE_ARRAY | MAY_BE_ARRAY_KEY_LONG | MAY_BE_ARRAY_OF_LONG | MAY_BE_ARRAY_OF_STRING),
@@ -400,9 +398,6 @@ static const func_info_t func_infos[] = {
 	F1("array_udiff_assoc",            MAY_BE_ARRAY | MAY_BE_ARRAY_KEY_ANY | MAY_BE_ARRAY_OF_REF | MAY_BE_ARRAY_OF_ANY),
 	F1("array_diff_uassoc",            MAY_BE_ARRAY | MAY_BE_ARRAY_KEY_ANY | MAY_BE_ARRAY_OF_REF | MAY_BE_ARRAY_OF_ANY),
 	F1("array_udiff_uassoc",           MAY_BE_ARRAY | MAY_BE_ARRAY_KEY_ANY | MAY_BE_ARRAY_OF_REF | MAY_BE_ARRAY_OF_ANY),
-	F1("array_filter",                 MAY_BE_ARRAY | MAY_BE_ARRAY_KEY_ANY | MAY_BE_ARRAY_OF_REF | MAY_BE_ARRAY_OF_ANY),
-	F1("array_chunk",                  MAY_BE_ARRAY | MAY_BE_ARRAY_KEY_ANY | MAY_BE_ARRAY_OF_REF | MAY_BE_ARRAY_OF_ANY),
-	F1("array_combine",                MAY_BE_ARRAY | MAY_BE_ARRAY_KEY_ANY | MAY_BE_ARRAY_OF_REF | MAY_BE_ARRAY_OF_ANY),
 	F1("str_rot13",                    MAY_BE_STRING),
 	F1("stream_get_filters",           MAY_BE_ARRAY | MAY_BE_ARRAY_KEY_LONG | MAY_BE_ARRAY_OF_STRING),
 	F1("stream_bucket_make_writeable", MAY_BE_NULL | MAY_BE_OBJECT),
@@ -563,7 +558,7 @@ static const func_info_t func_infos[] = {
 
 	/* ext/json */
 	F1("json_encode",                           MAY_BE_FALSE | MAY_BE_STRING),
-	F1("json_decode",                           MAY_BE_ANY | MAY_BE_ARRAY_KEY_ANY | MAY_BE_ARRAY_OF_ANY),
+	FN("json_decode",                           MAY_BE_ANY | MAY_BE_ARRAY_KEY_ANY | MAY_BE_ARRAY_OF_ANY),
 	F1("json_last_error_msg",                   MAY_BE_STRING),
 
 	/* ext/xml */

ext/opcache/tests/bug81272.phpt

@@ -0,0 +1,21 @@
+--TEST--
+Bug #81272: Segfault in var[] after array_slice with JIT
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.jit_buffer_size=16M
+opcache.jit=function
+--FILE--
+<?php
+
+function test() {
+    $newPages = array_slice([], 0, 0);
+    $newPages[] = null;
+}
+
+test();
+
+?>
+===DONE===
+--EXPECT--
+===DONE===