Fix type inference

dstogov · dstogov · commit 3e78964742c0 · 2022-04-25T12:15:55.000+03:00
Use MAY_BE_NULL result (insted of empty) for ASSIGN_DIM with invalid arguments
This fixes oss-fuzz #46840
diff --git a/ext/opcache/Optimizer/zend_inference.c b/ext/opcache/Optimizer/zend_inference.c
@@ -2639,6 +2639,9 @@ static zend_always_inline int _zend_update_type_info(
 						tmp |= MAY_BE_NULL|MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_LONG|MAY_BE_DOUBLE|MAY_BE_STRING;
 					}
 				}
+				if (!tmp) {
+					tmp = MAY_BE_NULL;
+				}
 				tmp |= MAY_BE_RC1 | MAY_BE_RCN;
 				UPDATE_SSA_TYPE(tmp, ssa_op->result_def);
 			}
diff --git a/ext/opcache/tests/opt/inference_005.phpt b/ext/opcache/tests/opt/inference_005.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Type inference 005: Use MAY_BE_NULL result (insted of empty) for ASSIGN_DIM with invalid arguments
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.optimization_level=-1
+--FILE--
+<?php
+function foo() {
+    $a = $r[] = $r = [] & $y;
+    +list(&$y) = $a;
+}
+?>
+DONE
+--EXPECT--
+DONE

Original file line number	Diff line number	Diff line change
`@@ -2639,6 +2639,9 @@ static zend_always_inline int _zend_update_type_info(`
`2639`	`2639`	`tmp \|= MAY_BE_NULL\|MAY_BE_FALSE\|MAY_BE_TRUE\|MAY_BE_LONG\|MAY_BE_DOUBLE\|MAY_BE_STRING;`
`2640`	`2640`	`}`
`2641`	`2641`	`}`
	`2642`	`+ if (!tmp) {`
	`2643`	`+ tmp = MAY_BE_NULL;`
	`2644`	`+ }`
`2642`	`2645`	`tmp \|= MAY_BE_RC1 \| MAY_BE_RCN;`
`2643`	`2646`	`UPDATE_SSA_TYPE(tmp, ssa_op->result_def);`
`2644`	`2647`	`}`