Fix incorrect constant propagation for VERIFY_RETURN_TYPE

Fixes oss-fuzz #46616

Author: dstogov

Zend/Optimizer/sccp.c

@@ -1721,6 +1721,10 @@ static zval *value_from_type_and_range(sccp_ctx *ctx, int var_num, zval *tmp) {
 	}
 
 	if (!(info->type & ((MAY_BE_ANY|MAY_BE_UNDEF)-MAY_BE_NULL))) {
+		if (ssa->vars[var_num].definition >= 0 
+		 && ctx->scdf.op_array->opcodes[ssa->vars[var_num].definition].opcode == ZEND_VERIFY_RETURN_TYPE) {
+			return NULL;
+		}
 		ZVAL_NULL(tmp);
 		return tmp;
 	}

ext/opcache/tests/opt/sccp_039.phpt

@@ -0,0 +1,15 @@
+--TEST--
+SCCP 039: Incorrect constant propagation for VERIFY_RETURN_TYPE
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.optimization_level=-1
+--FILE--
+<?php
+function foo(): null {
+    return Y;
+}
+?>
+DONE
+--EXPECT--
+DONE