Fix type inference

This fizes oss-fuzz #47044
2025-08-16 05:58:45 +02:00 · 2022-05-11 12:39:26 +03:00 · 2022-05-11 12:39:26 +03:00 · 84c1e99ecf
commit 84c1e99ecf
parent f1fc58ed8d
2 changed files with 24 additions and 1 deletions
--- a/Zend/Optimizer/zend_inference.c
+++ b/Zend/Optimizer/zend_inference.c
@ -3227,7 +3227,12 @@ static zend_always_inline int _zend_update_type_info(
 						tmp |= t1 & (MAY_BE_RC1|MAY_BE_RCN);
 					}
 					if (opline->op2_type == IS_UNUSED) {
-						key_type |= MAY_BE_HASH_ONLY(t1) ? MAY_BE_ARRAY_NUMERIC_HASH : MAY_BE_ARRAY_KEY_LONG;
+						if (t1 & (MAY_BE_UNDEF|MAY_BE_NULL)) {
+							key_type |= MAY_BE_ARRAY_PACKED;
+						}
+						if (t1 & MAY_BE_ARRAY) {
+							key_type |= MAY_BE_HASH_ONLY(t1) ? MAY_BE_ARRAY_NUMERIC_HASH : MAY_BE_ARRAY_KEY_LONG;
+						}
 					} else {
 						if (t2 & (MAY_BE_LONG|MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_RESOURCE|MAY_BE_DOUBLE)) {
 							key_type |= MAY_BE_HASH_ONLY(t1) ? MAY_BE_ARRAY_NUMERIC_HASH : MAY_BE_ARRAY_KEY_LONG;
--- a/ext/opcache/tests/opt/inference_007.phpt
+++ b/ext/opcache/tests/opt/inference_007.phpt
@ -0,0 +1,18 @@
+--TEST--
+Type inference 007: Incorrect array key type inference
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.optimization_level=-1
+--FILE--
+<?php
+function y() {
+    for(;;) {
+        s($array[]);
+        $array = array(""=>"");
+    }
+}
+?>
+DONE
+--EXPECT--
+DONE