Tracing JIT: Fixed incorrect assumption about stack slot type

Fixes oss-fuzz #46404

Author: dstogov

ext/opcache/jit/zend_jit_internal.h

@@ -360,6 +360,9 @@ typedef union _zend_jit_trace_stack {
 		(_stack)[_slot].reg = _reg; \
 		(_stack)[_slot].flags = _flags; \
 	} while (0)
+#define RESET_STACK_MEM_TYPE(_stack, _slot) do { \
+		(_stack)[_slot].mem_type = IS_UNKNOWN; \
+	} while (0)
 
 /* trace info flags */
 #define ZEND_JIT_TRACE_CHECK_INTERRUPT (1<<0)

ext/opcache/jit/zend_jit_trace.c

@@ -5939,6 +5939,9 @@ static const void *zend_jit_trace(zend_jit_trace_rec *trace_buffer, uint32_t par
 					} else {
 						SET_STACK_TYPE(stack, EX_VAR_TO_NUM(opline->result.var), type,
 							(type == IS_UNKNOWN || !ra || !ra[ssa_op->result_def]));
+						if (ssa->var_info[ssa_op->result_def].type & MAY_BE_INDIRECT) {
+							RESET_STACK_MEM_TYPE(stack, EX_VAR_TO_NUM(opline->result.var));
+						}
 						if (type != IS_UNKNOWN) {
 							ssa->var_info[ssa_op->result_def].type &= ~MAY_BE_GUARD;
 							if (opline->opcode == ZEND_FETCH_THIS

ext/opcache/tests/jit/fetch_dim_r_014.phpt

@@ -0,0 +1,19 @@
+--TEST--
+JIT FETCH_DIM_R: 014
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+--FILE--
+<?php
+function foo() {
+    $s =+ $y;
+    $tokenthiss[$i=$s][] = $y = $y;
+    $tokenthiss[$i][$i] + $y;
+}
+@foo();
+?>
+DONE
+--EXPECT--
+DONE