Fix type inference

Fixes oss-fuzz #55358

Author: dstogov

Zend/Optimizer/zend_inference.c

@@ -2537,12 +2537,26 @@ static zend_always_inline int _zend_update_type_info(
 				} else if (opline->opcode == ZEND_ASSIGN_OBJ_OP) {
 					/* The return value must also satisfy the property type */
 					if (prop_info) {
-						tmp &= zend_fetch_prop_type(script, prop_info, NULL);
+						t1 = zend_fetch_prop_type(script, prop_info, NULL);
+						if ((t1 & (MAY_BE_LONG|MAY_BE_DOUBLE)) == MAY_BE_LONG
+						 && (tmp & (MAY_BE_LONG|MAY_BE_DOUBLE)) == MAY_BE_DOUBLE) {
+							/* DOUBLE may be auto-converted to LONG */
+							tmp |= MAY_BE_LONG;
+							tmp &= ~MAY_BE_DOUBLE;
+						}
+						tmp &= t1;
 					}
 				} else if (opline->opcode == ZEND_ASSIGN_STATIC_PROP_OP) {
 					/* The return value must also satisfy the property type */
 					if (prop_info) {
-						tmp &= zend_fetch_prop_type(script, prop_info, NULL);
+						t1 = zend_fetch_prop_type(script, prop_info, NULL);
+						if ((t1 & (MAY_BE_LONG|MAY_BE_DOUBLE)) == MAY_BE_LONG
+						 && (tmp & (MAY_BE_LONG|MAY_BE_DOUBLE)) == MAY_BE_DOUBLE) {
+							/* DOUBLE may be auto-converted to LONG */
+							tmp |= MAY_BE_LONG;
+							tmp &= ~MAY_BE_DOUBLE;
+						}
+						tmp &= t1;
 					}
 				} else {
 					if (tmp & MAY_BE_REF) {

ext/opcache/tests/jit/assign_obj_op_003.phpt

@@ -0,0 +1,26 @@
+--TEST--
+JIT ASSIGN_OBJ_OP: invalid type inference
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+--FILE--
+<?php
+class Foo {
+    public int $bar=0;
+    function __construct() {
+        try {
+            +$this->bar += 1.3;
+        } catch(y) {
+        }
+    }
+}
+var_dump(new Foo);
+?>
+--EXPECTF--
+Deprecated: Implicit conversion from float 1.3 to int loses precision in %sassign_obj_op_003.php on line 6
+object(Foo)#1 (1) {
+  ["bar"]=>
+  int(1)
+}