Fixed type inference

Fixes oss-fuzz #65150
php · Dec 18, 2023 · 731734d · 731734d
1 parent c67f6f4
commit 731734d
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 1 deletion.
diff --git a/Zend/Optimizer/zend_inference.c b/Zend/Optimizer/zend_inference.c
@@ -2825,8 +2825,15 @@ static zend_always_inline zend_result _zend_update_type_info(
 							/* DOUBLE may be auto-converted to LONG */
 							tmp |= MAY_BE_LONG;
 							tmp &= ~MAY_BE_DOUBLE;
+						} else if ((t1 & (MAY_BE_LONG|MAY_BE_DOUBLE|MAY_BE_STRING)) == MAY_BE_STRING
+						 && (tmp & (MAY_BE_LONG|MAY_BE_DOUBLE))) {
+							/* LONG/DOUBLE may be auto-converted to STRING */
+							tmp |= MAY_BE_STRING;
+							tmp &= ~(MAY_BE_LONG|MAY_BE_DOUBLE);
 						}
 						tmp &= t1;
+					} else {
+						tmp |= MAY_BE_LONG | MAY_BE_STRING;
 					}
 				} else if (opline->opcode == ZEND_ASSIGN_STATIC_PROP_OP) {
 					/* The return value must also satisfy the property type */
@@ -2837,8 +2844,15 @@ static zend_always_inline zend_result _zend_update_type_info(
 							/* DOUBLE may be auto-converted to LONG */
 							tmp |= MAY_BE_LONG;
 							tmp &= ~MAY_BE_DOUBLE;
+						} else if ((t1 & (MAY_BE_LONG|MAY_BE_DOUBLE|MAY_BE_STRING)) == MAY_BE_STRING
+						 && (tmp & (MAY_BE_LONG|MAY_BE_DOUBLE))) {
+							/* LONG/DOUBLE may be auto-converted to STRING */
+							tmp |= MAY_BE_STRING;
+							tmp &= ~(MAY_BE_LONG|MAY_BE_DOUBLE);
 						}
 						tmp &= t1;
+					} else {
+						tmp |= MAY_BE_LONG | MAY_BE_STRING;
 					}
 				} else {
 					if (tmp & MAY_BE_REF) {

diff --git a/Zend/Optimizer/zend_optimizer.c b/Zend/Optimizer/zend_optimizer.c
@@ -797,7 +797,9 @@ zend_class_entry *zend_optimizer_get_class_entry(
 	}
 
 	ce = zend_hash_find_ptr(CG(class_table), lcname);
-	if (ce && ce->type == ZEND_INTERNAL_CLASS) {
+	if (ce
+	 && (ce->type == ZEND_INTERNAL_CLASS
+	  || (op_array && ce->info.user.filename == op_array->filename))) {
 		return ce;
 	}
 

diff --git a/ext/opcache/tests/jit/assign_static_prop_op_001.phpt b/ext/opcache/tests/jit/assign_static_prop_op_001.phpt
@@ -0,0 +1,23 @@
+--TEST--
+JIT ASSIGN_STATIC_PROP_OP: 001
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+--EXTENSIONS--
+opcache
+--FILE--
+<?php
+function ref () {
+}
+class Foo {
+      static $i;
+      static string $s;
+}
+Foo::$i = 1;
+Foo::$s = Foo::$i;
+var_dump(Foo::$s -= ref());
+?>
+--EXPECT--
+string(1) "1"