Fix constant propagation for JMP_NULL

We must not destroy the source when propagating to op1 of JMP_NULL because the
same TMP_VAR will be used again in the false block.

Fixes oss-fuzz #60736

Author: iluuu1994

Zend/Optimizer/block_pass.c

@@ -173,10 +173,14 @@ static void zend_optimize_block(zend_basic_block *block, zend_op_array *op_array
 					 && opline->opcode != ZEND_SWITCH_STRING
 					 && opline->opcode != ZEND_MATCH
 					 && zend_optimizer_update_op1_const(op_array, opline, &c)) {
-						VAR_SOURCE(op1) = NULL;
-						literal_dtor(&ZEND_OP1_LITERAL(src));
-						MAKE_NOP(src);
-						++(*opt_count);
+						/* Don't remove QM_ASSIGN for JMP_NULL because the same TMP_VAR is used in a
+						 * later instruction and will be removed then. */
+						if (opline->opcode != ZEND_JMP_NULL) {
+							VAR_SOURCE(op1) = NULL;
+							literal_dtor(&ZEND_OP1_LITERAL(src));
+							MAKE_NOP(src);
+							++(*opt_count);
+						}
 					} else {
 						zval_ptr_dtor_nogc(&c);
 					}

Zend/tests/oss_fuzz_60736.phpt

@@ -0,0 +1,8 @@
+--TEST--
+oss-fuzz #60736: Bad constant propagation in JMP_NULL
+--FILE--
+<?php
+(1?4:y)?->y;
+?>
+--EXPECTF--
+Warning: Attempt to read property "y" on int in %s on line %d