From: Nikita Popov <nikita.ppv@gmail.com>
Date: Fri, 30 Oct 2020 14:48:03 +0000 (+0100)
Subject: Fix SSA integrity violation for type inference in dead code
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=83738281eb9f2577eda1c76a6acfe644d6fcc6c1;p=php

Fix SSA integrity violation for type inference in dead code

The foreach body can never be executed and thus may contain empty
types. We should still uphold our SSA integrity invariants in that
case.
---

diff --git a/Zend/tests/dead_array_type_inference.phpt b/Zend/tests/dead_array_type_inference.phpt
new file mode 100644
index 0000000000..51f9b05816
--- /dev/null
+++ b/Zend/tests/dead_array_type_inference.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Make sure type inference upholds invariants for dead arrays
+--FILE--
+<?php
+
+function test() {
+    foreach ($a as $v) {
+        $b[] = $v;
+    }
+}
+
+test();
+
+?>
+--EXPECTF--
+Notice: Undefined variable: a in %s on line %d
+
+Warning: Invalid argument supplied for foreach() in %s on line %d
diff --git a/ext/opcache/Optimizer/zend_inference.c b/ext/opcache/Optimizer/zend_inference.c
index fa494794cb..368f68108d 100644
--- a/ext/opcache/Optimizer/zend_inference.c
+++ b/ext/opcache/Optimizer/zend_inference.c
@@ -2106,24 +2106,28 @@ static uint32_t assign_dim_result_type(
 		tmp |= MAY_BE_RC1 | MAY_BE_RCN;
 	}
 	if (tmp & MAY_BE_ARRAY) {
-		if (value_type & MAY_BE_UNDEF) {
-			tmp |= MAY_BE_ARRAY_OF_NULL;
-		}
-		if (dim_op_type == IS_UNUSED) {
-			tmp |= MAY_BE_ARRAY_KEY_LONG;
-		} else {
-			if (dim_type & (MAY_BE_LONG|MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_RESOURCE|MAY_BE_DOUBLE)) {
-				tmp |= MAY_BE_ARRAY_KEY_LONG;
+		/* Only add key type if we have a value type. We want to maintain the invariant that a
+		 * key type exists iff a value type exists even in dead code that may use empty types. */
+		if (value_type & (MAY_BE_ANY|MAY_BE_UNDEF)) {
+			if (value_type & MAY_BE_UNDEF) {
+				tmp |= MAY_BE_ARRAY_OF_NULL;
 			}
-			if (dim_type & MAY_BE_STRING) {
-				tmp |= MAY_BE_ARRAY_KEY_STRING;
-				if (dim_op_type != IS_CONST) {
-					// FIXME: numeric string
+			if (dim_op_type == IS_UNUSED) {
+				tmp |= MAY_BE_ARRAY_KEY_LONG;
+			} else {
+				if (dim_type & (MAY_BE_LONG|MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_RESOURCE|MAY_BE_DOUBLE)) {
 					tmp |= MAY_BE_ARRAY_KEY_LONG;
 				}
-			}
-			if (dim_type & (MAY_BE_UNDEF|MAY_BE_NULL)) {
-				tmp |= MAY_BE_ARRAY_KEY_STRING;
+				if (dim_type & MAY_BE_STRING) {
+					tmp |= MAY_BE_ARRAY_KEY_STRING;
+					if (dim_op_type != IS_CONST) {
+						// FIXME: numeric string
+						tmp |= MAY_BE_ARRAY_KEY_LONG;
+					}
+				}
+				if (dim_type & (MAY_BE_UNDEF|MAY_BE_NULL)) {
+					tmp |= MAY_BE_ARRAY_KEY_STRING;
+				}
 			}
 		}
 		/* Only add value type if we have a key type. It might be that the key type is illegal