JIT: Fix trace type inference

dstogov · dstogov · commit ee8f9d75c0ce · 2022-01-14T16:43:50.000+03:00
Fixes oss-fuzz #43597
diff --git a/ext/opcache/jit/zend_jit_trace.c b/ext/opcache/jit/zend_jit_trace.c
@@ -1556,6 +1556,11 @@ static zend_ssa *zend_jit_trace_build_tssa(zend_jit_trace_rec *trace_buffer, uin
 					if (opline->result_type != IS_UNUSED) {
 						break;
 					}
+					if (op3_type != IS_UNKNOWN
+					 && !zend_jit_supported_binary_op(
+							opline->extended_value, MAY_BE_ANY, (1<<op3_type))) {
+						break;
+					}
 					/* break missing intentionally */
 				case ZEND_ASSIGN_DIM:
 					if (opline->op1_type == IS_CV) {
diff --git a/ext/opcache/tests/jit/assign_dim_010.phpt b/ext/opcache/tests/jit/assign_dim_010.phpt
@@ -0,0 +1,24 @@
+--TEST--
+JIT ASSIGN_DIM: 010
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+--FILE--
+<?php
+function test() {
+    for($i=0; $i<10; $i++) {
+        $a[] &= $y;
+        $a = false;
+        $a[] =& $y;
+     }
+}
+test();
+?>
+DONE
+--EXPECTF--
+Warning: Undefined variable $a in %sassign_dim_010.php on line 4
+
+Warning: Undefined variable $y in %sassign_dim_010.php on line 4
+DONE
