From a1eaaa692e91fa28ee1ba050150547cd1317be87 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Fri, 17 Apr 2020 09:48:15 +0200
Subject: [PATCH] Fix #79475: [JIT] func_get_args() assertion violation
`func_get_args()` may return `zend_empty_array`, which has refcount 2 to enforce separation. We have to cater to that during type inference so that the optimization in the JIT macro `SEPARATE_ARRAY` doesn't prevent the separation.
---
 ext/opcache/Optimizer/zend_func_info.c | 2 +-
 ext/opcache/Optimizer/zend_inference.c | 2 +-
 ext/opcache/tests/bug79475.phpt | 15 +++++++++++++++
 3 files changed, 17 insertions(+), 2 deletions(-)
 create mode 100644 ext/opcache/tests/bug79475.phpt
diff --git a/ext/opcache/Optimizer/zend_func_info.c b/ext/opcache/Optimizer/zend_func_info.c
index 7cde2dd34f..c9c567ffbf 100644
--- a/ext/opcache/Optimizer/zend_func_info.c
+++ b/ext/opcache/Optimizer/zend_func_info.c
@@ -93,7 +93,7 @@ static const func_info_t func_infos[] = {
 /* zend */
 F1("zend_version", MAY_BE_STRING),
 FN("func_get_arg", UNKNOWN_INFO),
- F1("func_get_args", MAY_BE_FALSE | MAY_BE_ARRAY | MAY_BE_ARRAY_KEY_LONG | MAY_BE_ARRAY_OF_ANY),
+ FN("func_get_args", MAY_BE_FALSE | MAY_BE_ARRAY | MAY_BE_ARRAY_KEY_LONG | MAY_BE_ARRAY_OF_ANY),
 F1("get_class_vars", MAY_BE_FALSE | MAY_BE_ARRAY | MAY_BE_ARRAY_KEY_STRING | MAY_BE_ARRAY_OF_ANY | MAY_BE_ARRAY_OF_REF),
 FN("get_object_vars", MAY_BE_ARRAY | MAY_BE_ARRAY_KEY_ANY | MAY_BE_ARRAY_OF_ANY | MAY_BE_ARRAY_OF_REF),
 FN("get_mangled_object_vars", MAY_BE_ARRAY | MAY_BE_ARRAY_KEY_ANY | MAY_BE_ARRAY_OF_ANY | MAY_BE_ARRAY_OF_REF),
diff --git a/ext/opcache/Optimizer/zend_inference.c b/ext/opcache/Optimizer/zend_inference.c
index 8144185d07..f868f78265 100644
--- a/ext/opcache/Optimizer/zend_inference.c
+++ b/ext/opcache/Optimizer/zend_inference.c
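Review bot: The `func_get_args` row switches from `F1` to `FN` with no comment recording why, and the matching `ZEND_FUNC_GET_ARGS` case in zend_inference.c gains `MAY_BE_RCN` equally silently. Per the commit message this refcount annotation is what allows the JIT's `SEPARATE_ARRAY` to skip separation, so it is a memory-safety invariant rather than a hint; in a build without assertions a wrong RC1-only inference would presumably let a write land in the shared `zend_empty_array`. I would add a comment at both sites, e.g. `/* not RC1-only: may return the shared zend_empty_array (refcount 2) */`. Rows still marked `F1`, such as `get_class_vars` in this hunk's context, deserve a check for the same immutable-array return path; the table continues outside the hunk, so that cannot be confirmed from here.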
@@ -3465,7 +3465,7 @@ static zend_always_inline int _zend_update_type_info(
 UPDATE_SSA_TYPE(MAY_BE_LONG, ssa_op->result_def);
 break;
 case ZEND_FUNC_GET_ARGS:
- UPDATE_SSA_TYPE(MAY_BE_RC1| MAY_BE_ARRAY | MAY_BE_ARRAY_KEY_LONG | MAY_BE_ARRAY_OF_ANY, ssa_op->result_def);
+ UPDATE_SSA_TYPE(MAY_BE_RC1|MAY_BE_RCN| MAY_BE_ARRAY | MAY_BE_ARRAY_KEY_LONG | MAY_BE_ARRAY_OF_ANY, ssa_op->result_def);
 break;
 case ZEND_GET_CLASS:
 case ZEND_GET_CALLED_CLASS:
diff --git a/ext/opcache/tests/bug79475.phpt b/ext/opcache/tests/bug79475.phpt
new file mode 100644
index 0000000000..6f536c25f0
--- /dev/null
+++ b/ext/opcache/tests/bug79475.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #79475 ([JIT] func_get_args() assertion violation)
+--SKIPIF--
+
+--FILE--
+
+--EXPECT--
+done
-- 
2.40.0
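Review bot: The mask on the added `UPDATE_SSA_TYPE` line is written `MAY_BE_RC1|MAY_BE_RCN| MAY_BE_ARRAY`, mixing unspaced and spaced `|` inside one expression. The remainder of the same mask, and the `func_get_args` entry in zend_func_info.c, put a space on both sides of the operator, so I would write `MAY_BE_RC1 | MAY_BE_RCN | MAY_BE_ARRAY | MAY_BE_ARRAY_KEY_LONG | MAY_BE_ARRAY_OF_ANY`. The enclosing switch in `_zend_update_type_info` starts and ends outside the hunk.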
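Review bot: The new test has no `--INI--` section, so whether it exercises the JIT at all seems to depend on how the suite is invoked; a run with the JIT off may pass without reaching the fixed code path. I would add an `--INI--` section setting `opcache.enable=1`, `opcache.enable_cli=1` and a non-zero `opcache.jit_buffer_size`. The expected output is only `done` and the reported failure is an assertion, so on a build without assertions a regression could go unnoticed unless the script also prints the array after modifying it. The `--SKIPIF--` and `--FILE--` bodies are not visible on this page, so this rests on the section headers and the 15-line count alone.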