From 1e55c9760178f9d5e1de8b251537b3e8ccf44feb Mon Sep 17 00:00:00 2001
From: Dmitry Stogov <dmitry@zend.com>
Date: Fri, 1 Dec 2023 17:08:16 +0300
Subject: [PATCH] Fixed type inference

Fixes oss-fuzz #64577, #64579, #64589
---
 Zend/Optimizer/zend_inference.c          |  3 ++-
 ext/opcache/tests/opt/inference_024.phpt | 23 +++++++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 ext/opcache/tests/opt/inference_024.phpt

diff --git a/Zend/Optimizer/zend_inference.c b/Zend/Optimizer/zend_inference.c
index 549287efa2d..16edb2cc82e 100644
--- a/Zend/Optimizer/zend_inference.c
+++ b/Zend/Optimizer/zend_inference.c
@@ -3673,7 +3673,8 @@ static zend_always_inline zend_result _zend_update_type_info(
 						tmp &= ~MAY_BE_ARRAY_EMPTY;
 					}
 				}
-				if (((tmp & MAY_BE_ARRAY) && (tmp & MAY_BE_ARRAY_KEY_ANY))
+				if (!(tmp & MAY_BE_ARRAY)
+				 || (tmp & MAY_BE_ARRAY_KEY_ANY)
 				 || opline->opcode == ZEND_FETCH_DIM_FUNC_ARG
 				 || opline->opcode == ZEND_FETCH_DIM_R
 				 || opline->opcode == ZEND_FETCH_DIM_IS
diff --git a/ext/opcache/tests/opt/inference_024.phpt b/ext/opcache/tests/opt/inference_024.phpt
new file mode 100644
index 00000000000..a34ac5c1ece
--- /dev/null
+++ b/ext/opcache/tests/opt/inference_024.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Type inference 024: FETCH_DIM_W
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.optimization_level=-1
+--FILE--
+<?php
+function foo() {
+    for ($cnt = 0; $cnt < 6; $cnt++) {
+        $b = new SplFixedArray(1);
+        $b[0] = $a;
+        $g = &$b[0];
+        $b = new SplFixedArray(1);
+        $b[0] = $b;
+        $g = &$b[0];
+    }
+}
+@foo();
+?>
+DONE
+--EXPECT--
+DONE