Handle FETCH_DIM_R after FETCH_DIM_FUNC_ARG in inference

This can happen if a call is optimized, but FETCH_DIM_FUNC_ARG cannot be converted to FETCH_DIM_R because it uses an UNUSED op2, which is not supported by FETCH_DIM_R. Fixes oss-fuzz 6144185837682688.
2026-03-24 00:02:20 +01:00 · 2021-11-01 14:25:27 +01:00
parent f8ec5a1d4c
commit 2e29817005
2 changed files with 16 additions and 0 deletions
--- a/Zend/tests/func_arg_fetch_optimization.phpt
+++ b/Zend/tests/func_arg_fetch_optimization.phpt
@@ -0,0 +1,15 @@
+--TEST--
+FETCH_DIM_FUNC_ARG that cannot be optimized to FETCH_DIM_R because it appends
+--FILE--
+<?php
+function test($x) {
+    test($x[][$y]);
+}
+try {
+    test([]);
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+?>
+--EXPECT--
+Cannot use [] for reading
--- a/ext/opcache/Optimizer/zend_inference.c
+++ b/ext/opcache/Optimizer/zend_inference.c
@@ -3389,6 +3389,7 @@ static zend_always_inline int _zend_update_type_info(
 								 * is already an object. */
 								break;
 							case ZEND_SEND_VAR:
+							case ZEND_FETCH_DIM_R:
 								/* This can occur if a DIM_FETCH_FUNC_ARG with UNUSED op2 is left
 								 * behind, because it can't be converted to DIM_FETCH_R. */
 								break;