Fix type inference for FETCH_DI_UNSET

Fixes oss-fuzz #48507

Author: dstogov

ext/opcache/Optimizer/zend_inference.c

@@ -3298,7 +3298,12 @@ static zend_always_inline int _zend_update_type_info(
 						ZEND_ASSERT(j < 0 && "There should only be one use");
 					}
 				}
-				if (((tmp & MAY_BE_ARRAY) && (tmp & MAY_BE_ARRAY_KEY_ANY)) || opline->opcode == ZEND_FETCH_DIM_FUNC_ARG) {
+				if (((tmp & MAY_BE_ARRAY) && (tmp & MAY_BE_ARRAY_KEY_ANY))
+				 || opline->opcode == ZEND_FETCH_DIM_FUNC_ARG
+				 || opline->opcode == ZEND_FETCH_DIM_R
+				 || opline->opcode == ZEND_FETCH_DIM_IS
+				 || opline->opcode == ZEND_FETCH_DIM_UNSET
+				 || opline->opcode == ZEND_FETCH_LIST_R) {
 					UPDATE_SSA_TYPE(tmp, ssa_op->op1_def);
 				} else {
 					/* invalid key type */

ext/opcache/tests/opt/inference_012.phpt

@@ -0,0 +1,26 @@
+--TEST--
+Type inference 012: FETCH_DIM_UNSET
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.optimization_level=-1
+--FILE--
+<?php
+function test() {
+    $closure = function() {return "string";};
+    unset($x['b'][$closure()]['d']);
+    $x = $arr;
+    $arr = ['a' => $closure(), 'b' => [$closure() => []]];
+    $x = $arr;
+    unset($x['b'][$closure()]['d']);
+    $x = $arr;
+}
+
+test();
+?>
+DONE
+--EXPECTF--
+Warning: Undefined variable $x in %sinference_012.php on line 4
+
+Warning: Undefined variable $arr in %sinference_012.php on line 5
+DONE