From 3661c1932c3c04f29331f4892d0e60c7b7ba612f Mon Sep 17 00:00:00 2001
From: Nikita Popov
Date: Wed, 6 Oct 2021 10:48:14 +0200
Subject: [PATCH] Fix array cast type inference wrt packed arrays
Use KEY_LONG instead of PACKED if it's possible for the array to be empty. It won't be packed in that case. Fixes oss-fuzz #39650.
---
 Zend/Optimizer/zend_inference.c | 4 ++--
 ext/opcache/tests/jit/cast_002.phpt | 21 +++++++++++++++++++++
 2 files changed, 23 insertions(+), 2 deletions(-)
 create mode 100644 ext/opcache/tests/jit/cast_002.phpt
diff --git a/Zend/Optimizer/zend_inference.c b/Zend/Optimizer/zend_inference.c
index 0b1b2c350ed..ffaed45b4a4 100644
--- a/Zend/Optimizer/zend_inference.c
+++ b/Zend/Optimizer/zend_inference.c
@@ -2534,8 +2534,8 @@ static zend_always_inline int _zend_update_type_info(
 }
 if (t1 & MAY_BE_OBJECT) {
 tmp |= MAY_BE_ARRAY_KEY_ANY | MAY_BE_ARRAY_OF_ANY | MAY_BE_ARRAY_OF_REF;
- } else {
- tmp |= ((t1 & (MAY_BE_ANY - MAY_BE_NULL)) << MAY_BE_ARRAY_SHIFT) | ((t1 & (MAY_BE_ANY - MAY_BE_NULL)) ? MAY_BE_ARRAY_PACKED : 0);
+ } else if (t1 & (MAY_BE_ANY - MAY_BE_NULL)) {
+ tmp |= ((t1 & (MAY_BE_ANY - MAY_BE_NULL)) << MAY_BE_ARRAY_SHIFT) | ((t1 & MAY_BE_NULL) ? MAY_BE_ARRAY_KEY_LONG : MAY_BE_ARRAY_PACKED);
 }
 }
 UPDATE_SSA_TYPE(tmp, ssa_op->result_def);
diff --git a/ext/opcache/tests/jit/cast_002.phpt b/ext/opcache/tests/jit/cast_002.phpt
new file mode 100644
index 00000000000..a1b8d48bd2c
--- /dev/null
+++ b/ext/opcache/tests/jit/cast_002.phpt
@@ -0,0 +1,21 @@
+--TEST--
+JIT CAST: 002
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+--FILE--
+--EXPECT--
+array(1) {
+ [-1]=>
+ int(1)
+}
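Review bot: The reason the new `else if` branch reports `MAY_BE_ARRAY_KEY_LONG` instead of `MAY_BE_ARRAY_PACKED` whenever NULL is still possible lives only in the commit message, and the inference code is exactly where the next reader will look for it; add it on the branch, e.g. `/* (array)null is the empty array, which is never packed, so PACKED is only claimed once NULL is ruled out */`. The mask `t1 & (MAY_BE_ANY - MAY_BE_NULL)` is now evaluated twice, once in the condition and once in the shifted operand; hoisting it into a local such as `uint32_t non_null = t1 & (MAY_BE_ANY & ~MAY_BE_NULL);` (equivalent, assuming `MAY_BE_NULL` is a single bit inside `MAY_BE_ANY`, which the existing subtraction already relies on) would remove the repetition and make clear this is bit removal rather than arithmetic. A one-line note that the pure-NULL input now intentionally adds no element-type bits (the old code ORed in 0 there) would also help, since that silent change in the branch condition is easy to miss. `_zend_update_type_info` begins and ends outside the hunk, so the type of `t1`/`tmp` and the enclosing opcode case are not visible here.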