JIT: Fix incorrect reference counting inference

dstogov · dstogov · commit c1036194d6fa · 2021-11-30T12:58:54.000+03:00
Fixes oss-fuzz #40747
diff --git a/ext/opcache/Optimizer/zend_inference.c b/ext/opcache/Optimizer/zend_inference.c
@@ -2591,6 +2591,9 @@ static zend_always_inline int _zend_update_type_info(
 			} else if (opline->opcode == ZEND_ASSIGN_STATIC_PROP) {
 				/* Nothing to do */
 			} else {
+				if (opline->opcode == ZEND_ASSIGN_OP && ssa_op->result_def >= 0 && (tmp & MAY_BE_RC1)) {
+					tmp |= MAY_BE_RCN;
+				}
 				UPDATE_SSA_TYPE(tmp, ssa_op->op1_def);
 			}
 			if (ssa_op->result_def >= 0) {
diff --git a/ext/opcache/tests/jit/assign_op_007.phpt b/ext/opcache/tests/jit/assign_op_007.phpt
@@ -0,0 +1,22 @@
+--TEST--
+JIT ASSIGN_OP: 007 Arrays merging with return value 
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+--FILE--
+<?php
+function test() {
+	$a = [];
+    for ($i=0; $i < 2; $i++) {
+        $a += $a + $a += $a;
+        $a['b'] += 1;
+    }
+}
+test();
+?>
+DONE
+--EXPECTF--
+Warning: Undefined array key "b" in %sassign_op_007.php on line 6
+DONE
