Fix DCE of unreachable phi in cycle

We can't remove a trivial phi of the form x = phi(x), because we
don't have a replacement value. We could drop the whole block
though. SCCP would normally do this, but in this particular case
we only determine non-reachability based on type information.

Fixes oss-fuzz #39316.

Author: nikic

Zend/tests/unreachable_phi_cycle.phpt

@@ -0,0 +1,15 @@
+--TEST--
+Unreachable phi cycle
+--FILE--
+<?php
+// The inner loop is dead, but SCCP reachability analysis doesn't realize this,
+// as this is determined based on type information.
+function test() {
+    for (; $i--;) {
+        for(; x;);
+    }
+}
+test();
+?>
+--EXPECTF--
+Warning: Undefined variable $i in %s on line %d

ext/opcache/Optimizer/dce.c

@@ -436,13 +436,19 @@ static inline int get_common_phi_source(zend_ssa *ssa, zend_ssa_phi *phi) {
 	int common_source = -1;
 	int source;
 	FOREACH_PHI_SOURCE(phi, source) {
+		if (source == phi->ssa_var) {
+			continue;
+		}
 		if (common_source == -1) {
 			common_source = source;
-		} else if (common_source != source && source != phi->ssa_var) {
+		} else if (common_source != source) {
 			return -1;
 		}
 	} FOREACH_PHI_SOURCE_END();
-	ZEND_ASSERT(common_source != -1);
+
+	/* If all sources are phi->ssa_var this phi must be in an unreachable cycle.
+	 * We can't easily drop the phi in that case, as we don't have something to replace it with.
+	 * Ideally SCCP would eliminate the whole cycle. */
 	return common_source;
 }