Fixed codegenertion for FETCH_DIM_W

dstogov · dstogov · commit c8cb68ad0a1b · 2023-10-30T11:19:49.000+03:00
Fixes oss-fuzz #63664
diff --git a/ext/opcache/jit/zend_jit_ir.c b/ext/opcache/jit/zend_jit_ir.c
@@ -12450,6 +12450,9 @@ static int zend_jit_fetch_dim(zend_jit_ctx   *jit,
 					jit_set_Z_TYPE_INFO(jit, res_addr, IS_NULL);
 					end_inputs = ir_END();
 				}
+			} else if (!(op2_info & (MAY_BE_ANY|MAY_BE_UNDEF))) {
+				/* impossible dead path */
+				end_inputs = ir_END();
 			} else {
 				ZEND_ASSERT(end_inputs == IR_UNUSED);
 			}
diff --git a/ext/opcache/tests/jit/fetch_dim_w_004.phpt b/ext/opcache/tests/jit/fetch_dim_w_004.phpt
@@ -0,0 +1,44 @@
+--TEST--
+JIT FETCH_DIM_W: 004
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+--FILE--
+<?php
+function create_references(&$array) {
+    foreach ($a as $key => $value) {
+        create_references($array[$key]);
+    }
+}
+
+function change_copy($copy) {
+        $copy['b']['z']['z'] = $copy['b'];
+}
+
+$data = [
+    'a' => [
+        'b' => [],
+    ],
+];
+
+@create_references($data);
+
+$copy = $data['a'];
+var_dump($copy);
+
+change_copy($copy);
+var_dump($copy); //RECURSION
+?>
+--EXPECT--
+array(1) {
+  ["b"]=>
+  array(0) {
+  }
+}
+array(1) {
+  ["b"]=>
+  array(0) {
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -12450,6 +12450,9 @@ static int zend_jit_fetch_dim(zend_jit_ctx *jit,`
`12450`	`12450`	`jit_set_Z_TYPE_INFO(jit, res_addr, IS_NULL);`
`12451`	`12451`	`end_inputs = ir_END();`
`12452`	`12452`	`}`
	`12453`	`+ } else if (!(op2_info & (MAY_BE_ANY\|MAY_BE_UNDEF))) {`
	`12454`	`+ /* impossible dead path */`
	`12455`	`+ end_inputs = ir_END();`
`12453`	`12456`	`} else {`
`12454`	`12457`	`ZEND_ASSERT(end_inputs == IR_UNUSED);`
`12455`	`12458`	`}`