From 81cb005ef7787954b4adab3543e3c443f9dd293e Mon Sep 17 00:00:00 2001
From: Dmitry Stogov <dmitry@zend.com>
Date: Mon, 5 Sep 2022 12:55:50 +0300
Subject: [PATCH] Fix type inference

Fixes oss-fuzz #50792
---
 ext/opcache/Optimizer/zend_inference.c         |  3 +++
 .../tests/jit/fetch_dim_func_arg_002.phpt      | 18 ++++++++++++++++++
 2 files changed, 21 insertions(+)
 create mode 100644 ext/opcache/tests/jit/fetch_dim_func_arg_002.phpt

diff --git a/ext/opcache/Optimizer/zend_inference.c b/ext/opcache/Optimizer/zend_inference.c
index 1eed2b9c121..559997a3ea2 100644
--- a/ext/opcache/Optimizer/zend_inference.c
+++ b/ext/opcache/Optimizer/zend_inference.c
@@ -3319,6 +3319,9 @@ static zend_always_inline int _zend_update_type_info(
 				opline->op1_type,
 				opline->result_type == IS_VAR,
 				opline->op2_type == IS_UNUSED);
+			if (opline->opcode == ZEND_FETCH_DIM_FUNC_ARG && (t1 & (MAY_BE_TRUE|MAY_BE_LONG|MAY_BE_DOUBLE|MAY_BE_RESOURCE))) {
+				tmp |= MAY_BE_NULL;
+			}
 			if (opline->opcode == ZEND_FETCH_DIM_IS && (t1 & MAY_BE_STRING)) {
 				tmp |= MAY_BE_NULL;
 			}
diff --git a/ext/opcache/tests/jit/fetch_dim_func_arg_002.phpt b/ext/opcache/tests/jit/fetch_dim_func_arg_002.phpt
new file mode 100644
index 00000000000..a80fb0b2bc5
--- /dev/null
+++ b/ext/opcache/tests/jit/fetch_dim_func_arg_002.phpt
@@ -0,0 +1,18 @@
+--TEST--
+JIT FETCH_DIM_FUNC_ARG: 002
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+--SKIPIF--
+<?php require_once('skipif.inc'); ?>
+--FILE--
+<?php
+new class(true[""]) {
+}
+?>
+DONE
+--EXPECTF--
+Warning: Trying to access array offset on value of type bool in %sfetch_dim_func_arg_002.php on line 2
+DONE