php
diff --git a/‎Zend/Optimizer/zend_func_info.c
Lines changed: 1 addition & 3 deletions b/‎Zend/Optimizer/zend_func_info.c
Lines changed: 1 addition & 3 deletions
diff --git a/‎Zend/Optimizer/zend_optimizer.c
Lines changed: 20 additions & 0 deletions b/‎Zend/Optimizer/zend_optimizer.c
Lines changed: 20 additions & 0 deletions
diff --git a/‎Zend/tests/gh10168/wrong_assign_to_variable.phpt
Lines changed: 4 additions & 0 deletions b/‎Zend/tests/gh10168/wrong_assign_to_variable.phpt
Lines changed: 4 additions & 0 deletions
diff --git a/‎Zend/zend_execute.c
Lines changed: 27 additions & 5 deletions b/‎Zend/zend_execute.c
Lines changed: 27 additions & 5 deletions
@@ -77,9 +77,7 @@ static uint32_t zend_range_info(const zend_call_info *call_info, const zend_ssa
 		}
 		if ((t1 & ((MAY_BE_ANY|MAY_BE_UNDEF)-MAY_BE_DOUBLE))
 				&& (t2 & ((MAY_BE_ANY|MAY_BE_UNDEF)-MAY_BE_DOUBLE))) {
-			if ((t3 & MAY_BE_ANY) != MAY_BE_DOUBLE) {
-				tmp |= MAY_BE_ARRAY_OF_LONG;
-			}
+			tmp |= MAY_BE_ARRAY_OF_LONG;
 		}
 		if (tmp & MAY_BE_ARRAY_OF_ANY) {
 			tmp |= MAY_BE_ARRAY_PACKED;
 
@@ -1332,6 +1332,26 @@ static void zend_redo_pass_two_ex(zend_op_array *op_array, zend_ssa *ssa)
 				}
 				break;
 		}
+#ifdef ZEND_VERIFY_TYPE_INFERENCE
+		if (ssa_op->op1_use >= 0) {
+			opline->op1_use_type = ssa->var_info[ssa_op->op1_use].type;
+		}
+		if (ssa_op->op2_use >= 0) {
+			opline->op2_use_type = ssa->var_info[ssa_op->op2_use].type;
+		}
+		if (ssa_op->result_use >= 0) {
+			opline->result_use_type = ssa->var_info[ssa_op->result_use].type;
+		}
+		if (ssa_op->op1_def >= 0) {
+			opline->op1_def_type = ssa->var_info[ssa_op->op1_def].type;
+		}
+		if (ssa_op->op2_def >= 0) {
+			opline->op2_def_type = ssa->var_info[ssa_op->op2_def].type;
+		}
+		if (ssa_op->result_def >= 0) {
+			opline->result_def_type = ssa->var_info[ssa_op->result_def].type;
+		}
+#endif
 		zend_vm_set_opcode_handler_ex(opline, op1_info, op2_info, res_info);
 		opline++;
 	}
 
@@ -1,5 +1,9 @@
 --TEST--
 GH-10168: Wrong assign to variable
+--SKIPIF--
+<?php
+if (defined('ZEND_VERIFY_TYPE_INFERENCE')) die('skip Destructor side-effects violate type inference');
+?>
 --FILE--
 <?php
 
 
@@ -5439,31 +5439,53 @@ static void zend_verify_inference_def(zend_execute_data *execute_data, const zen
 		zend_verify_type_inference(EX_VAR(opline->op1.var), opline->op1_def_type, opline->op1_type, execute_data, opline, "op1_def");
 	}
 	if (opline->op2_def_type
-	 && (opline->op2_type & (IS_TMP_VAR|IS_VAR|IS_CV))) {
+	 && (opline->op2_type & (IS_TMP_VAR|IS_VAR|IS_CV))
+	 /* ZEND_FE_FETCH_R[W] does not define a result in the last iteration. */
+	 && opline->opcode != ZEND_FE_FETCH_R
+	 && opline->opcode != ZEND_FE_FETCH_RW) {
 		zend_verify_type_inference(EX_VAR(opline->op2.var), opline->op2_def_type, opline->op2_type, execute_data, opline, "op2_def");
 	}
 	if (opline->result_def_type
 	 && (opline->result_type & (IS_TMP_VAR|IS_VAR|IS_CV))
 	 && opline->opcode != ZEND_ROPE_INIT
 	 && opline->opcode != ZEND_ROPE_ADD
-	 // Some jump opcode handlers don't set result when it's never read
+	 /* Some jump opcode handlers don't set result when it's never read. */
 	 && opline->opcode != ZEND_JMP_SET
 	 && opline->opcode != ZEND_JMP_NULL
 	 && opline->opcode != ZEND_COALESCE
-	 && opline->opcode != ZEND_ASSERT_CHECK) {
+	 && opline->opcode != ZEND_ASSERT_CHECK
+	 /* Smart branches may not declare result. */
+	 && !zend_is_smart_branch(opline)
+	 /* Calls only initialize result when returning from the called function. */
+	 && opline->opcode != ZEND_DO_FCALL
+	 && opline->opcode != ZEND_DO_ICALL
+	 && opline->opcode != ZEND_DO_UCALL
+	 && opline->opcode != ZEND_DO_FCALL_BY_NAME
+	 /* ZEND_FE_FETCH_R[W] does not define a result in the last iteration. */
+	 && opline->opcode != ZEND_FE_FETCH_R
+	 && opline->opcode != ZEND_FE_FETCH_RW) {
 		zend_verify_type_inference(EX_VAR(opline->result.var), opline->result_def_type, opline->result_type, execute_data, opline, "result_def");
+
+		/* Verify return value in the context of caller. */
+		if ((opline->opcode == ZEND_RETURN || opline->opcode == ZEND_RETURN_BY_REF)
+		 && execute_data->prev_execute_data
+		 && execute_data->prev_execute_data->func
+		 && ZEND_USER_CODE(execute_data->prev_execute_data->func->type)) {
+			zend_execute_data *prev_execute_data = execute_data->prev_execute_data;
+			const zend_op *opline = execute_data->prev_execute_data->opline;
+			zend_verify_type_inference(ZEND_CALL_VAR(prev_execute_data, opline->result.var), opline->result_def_type, opline->result_type, prev_execute_data, opline, "result_def");
+		}
 	}
 }
 
 # define ZEND_VERIFY_INFERENCE_USE() zend_verify_inference_use(execute_data, OPLINE);
-# define ZEND_VERIFY_INFERENCE_DEF() zend_verify_inference_def(execute_data, OPLINE);
+# define ZEND_VERIFY_INFERENCE_DEF(execute_data, opline) zend_verify_inference_def(execute_data, opline);
 #else
 # define ZEND_VERIFY_INFERENCE_USE()
 # define ZEND_VERIFY_INFERENCE_DEF()
 #endif
 
 #define ZEND_VM_NEXT_OPCODE_EX(check_exception, skip) \
-	ZEND_VERIFY_INFERENCE_DEF() \
 	CHECK_SYMBOL_TABLES() \
 	if (check_exception) { \
 		OPLINE = EX(opline) + (skip); \
Original file line number	Diff line number	Diff line change
`@@ -77,9 +77,7 @@ static uint32_t zend_range_info(const zend_call_info *call_info, const zend_ssa`
`77`	`77`	`}`
`78`	`78`	`if ((t1 & ((MAY_BE_ANY\|MAY_BE_UNDEF)-MAY_BE_DOUBLE))`
`79`	`79`	`&& (t2 & ((MAY_BE_ANY\|MAY_BE_UNDEF)-MAY_BE_DOUBLE))) {`
`80`		`- if ((t3 & MAY_BE_ANY) != MAY_BE_DOUBLE) {`
`81`		`- tmp \|= MAY_BE_ARRAY_OF_LONG;`
`82`		`- }`
	`80`	`+ tmp \|= MAY_BE_ARRAY_OF_LONG;`
`83`	`81`	`}`
`84`	`82`	`if (tmp & MAY_BE_ARRAY_OF_ANY) {`
`85`	`83`	`tmp \|= MAY_BE_ARRAY_PACKED;`