From c163ff68dabb427214eaf82da0e0e66357646c11 Mon Sep 17 00:00:00 2001
From: Dmitry Stogov
Date: Wed, 25 Oct 2023 12:01:28 +0300
Subject: [PATCH] Fixed code generation for ASSIGN_DIM

Fixes oss-fuzz #63563
---
 ext/opcache/jit/zend_jit_ir.c | 26 ++++++++++++-----------
 ext/opcache/tests/jit/assign_dim_016.phpt | 20 +++++++++++++++++
 2 files changed, 34 insertions(+), 12 deletions(-)
 create mode 100644 ext/opcache/tests/jit/assign_dim_016.phpt
diff --git a/ext/opcache/jit/zend_jit_ir.c b/ext/opcache/jit/zend_jit_ir.c
index 64584774cc6..44dc192ffc0 100644
--- a/ext/opcache/jit/zend_jit_ir.c
+++ b/ext/opcache/jit/zend_jit_ir.c
@@ -12799,19 +12799,21 @@ static int zend_jit_assign_dim(zend_jit_ctx *jit, const zend_op *opline, uint32_
 var_info |= MAY_BE_RC1;
 }
 
- ir_MERGE_N(found_inputs->count, found_inputs->refs);
- ref = ir_PHI_N(IR_ADDR, found_values->count, found_values->refs);
- var_addr = ZEND_ADDR_REF_ZVAL(ref);
+ if (found_inputs->count) {
+ ir_MERGE_N(found_inputs->count, found_inputs->refs);
+ ref = ir_PHI_N(IR_ADDR, found_values->count, found_values->refs);
+ var_addr = ZEND_ADDR_REF_ZVAL(ref);
 
- // JIT: value = zend_assign_to_variable(variable_ptr, value, OP_DATA_TYPE);
- if (opline->op1_type == IS_VAR) {
- ZEND_ASSERT(opline->result_type == IS_UNUSED);
- if (!zend_jit_assign_to_variable_call(jit, opline, var_addr, var_addr, var_info, -1, (opline+1)->op1_type, op3_addr, val_info, res_addr, 0)) {
- return 0;
- }
- } else {
- if (!zend_jit_assign_to_variable(jit, opline, var_addr, var_addr, var_info, -1, (opline+1)->op1_type, op3_addr, val_info, res_addr, 0, 0)) {
- return 0;
+ // JIT: value = zend_assign_to_variable(variable_ptr, value, OP_DATA_TYPE);
+ if (opline->op1_type == IS_VAR) {
+ ZEND_ASSERT(opline->result_type == IS_UNUSED);
+ if (!zend_jit_assign_to_variable_call(jit, opline, var_addr, var_addr, var_info, -1, (opline+1)->op1_type, op3_addr, val_info, res_addr, 0)) {
+ return 0;
+ }
+ } else {
+ if (!zend_jit_assign_to_variable(jit, opline, var_addr, var_addr, var_info, -1, (opline+1)->op1_type, op3_addr, val_info, res_addr, 0, 0)) {
+ return 0;
+ }
 }
 }
 }
diff --git a/ext/opcache/tests/jit/assign_dim_016.phpt b/ext/opcache/tests/jit/assign_dim_016.phpt
new file mode 100644
index 00000000000..896c8329d91
--- /dev/null
+++ b/ext/opcache/tests/jit/assign_dim_016.phpt
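Review bot: The new `if (found_inputs->count)` guard in zend_jit_assign_dim carries no comment saying when the input list can be empty, so a reader has to go to the referenced fuzz report to learn why the merge and PHI are now conditional; a one-liner above it such as `// No fetch path reaches the assignment (all bailed out earlier), so there is nothing to merge — see oss-fuzz #63563` would keep that reason next to the code. The guard tests found_inputs->count while the PHI on the next line consumes found_values; if the two lists are meant to stay in lock-step, `ZEND_ASSERT(found_inputs->count == found_values->count);` inside the branch would make the invariant explicit rather than implied. Presumably the zero-input MERGE/PHI was what the fuzzer tripped on, but that is inferred from the fix, not visible here. zend_jit_assign_dim starts and continues outside the hunk, so the control flow that follows the skipped block cannot be checked from this view.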
@@ -0,0 +1,20 @@
+--TEST--
+JIT ASSIGN_DIM: 016
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+--FILE--
+
+--EXPECTF--
+Fatal error: Uncaught TypeError: Cannot perform bitwise not on null in %sassign_dim_016.php:3
+Stack trace:
+#0 %sassign_dim_016.php(5): foo()
+#1 {main}
+ thrown in %sassign_dim_016.php on line 3