Fix type inference

This fixes oss-fuzz #47777

Zend/Optimizer/zend_inference.c

@@ -3231,17 +3231,20 @@ static zend_always_inline int _zend_update_type_info(
 							key_type |= MAY_BE_ARRAY_PACKED;
 						}
 						if (t1 & MAY_BE_ARRAY) {
-							key_type |= MAY_BE_HASH_ONLY(t1) ? MAY_BE_ARRAY_NUMERIC_HASH : MAY_BE_ARRAY_KEY_LONG;
+							key_type |= (MAY_BE_HASH_ONLY(t1) || (t1 & (MAY_BE_UNDEF|MAY_BE_NULL|MAY_BE_FALSE))) ?
+								MAY_BE_ARRAY_NUMERIC_HASH : MAY_BE_ARRAY_KEY_LONG;
 						}
 					} else {
 						if (t2 & (MAY_BE_LONG|MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_RESOURCE|MAY_BE_DOUBLE)) {
-							key_type |= MAY_BE_HASH_ONLY(t1) ? MAY_BE_ARRAY_NUMERIC_HASH : MAY_BE_ARRAY_KEY_LONG;
+							key_type |= (MAY_BE_HASH_ONLY(t1) || (t1 & (MAY_BE_UNDEF|MAY_BE_NULL|MAY_BE_FALSE))) ?
+								MAY_BE_ARRAY_NUMERIC_HASH : MAY_BE_ARRAY_KEY_LONG;
 						}
 						if (t2 & MAY_BE_STRING) {
 							key_type |= MAY_BE_ARRAY_KEY_STRING;
 							if (opline->op2_type != IS_CONST) {
 								// FIXME: numeric string
-								key_type |= MAY_BE_HASH_ONLY(t1) ? MAY_BE_ARRAY_NUMERIC_HASH : MAY_BE_ARRAY_KEY_LONG;
+								key_type |= (MAY_BE_HASH_ONLY(t1) || (t1 & (MAY_BE_UNDEF|MAY_BE_NULL|MAY_BE_FALSE))) ?
+									MAY_BE_ARRAY_NUMERIC_HASH : MAY_BE_ARRAY_KEY_LONG;
 							}
 						}
 						if (t2 & (MAY_BE_UNDEF | MAY_BE_NULL)) {

ext/opcache/tests/opt/inference_009.phpt

@@ -0,0 +1,18 @@
+--TEST--
+Type inference 009: FRTCH_DIM_W
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.optimization_level=-1
+--FILE--
+<?php
+function y() {
+    for(;;) {
+        $arr[y][]=y;
+        $arr=[''=>y];
+    }
+}
+?>
+DONE
+--EXPECT--
+DONE