Preserve key/value type invariant in range() type inference

nikic · nikic · commit f0cf999223b2 · 2021-10-11T12:41:46.000+02:00
Don't set PACKED key type if no value type is set.

Fixes oss-fuzz 6718410667458560.
diff --git a/Zend/Optimizer/zend_func_info.c b/Zend/Optimizer/zend_func_info.c
@@ -61,7 +61,7 @@ static uint32_t zend_range_info(const zend_call_info *call_info, const zend_ssa
 		uint32_t t2 = _ssa_op1_info(op_array, ssa, call_info->arg_info[1].opline,
 			&ssa->ops[call_info->arg_info[1].opline - op_array->opcodes]);
 		uint32_t t3 = 0;
-		uint32_t tmp = MAY_BE_RC1 | MAY_BE_ARRAY | MAY_BE_ARRAY_PACKED;
+		uint32_t tmp = MAY_BE_RC1 | MAY_BE_ARRAY;
 
 		if (call_info->num_args == 3) {
 			t3 = _ssa_op1_info(op_array, ssa, call_info->arg_info[2].opline,
@@ -81,6 +81,9 @@ static uint32_t zend_range_info(const zend_call_info *call_info, const zend_ssa
 				tmp |= MAY_BE_ARRAY_OF_LONG;
 			}
 		}
+		if (tmp & MAY_BE_ARRAY_OF_ANY) {
+			tmp |= MAY_BE_ARRAY_PACKED;
+		}
 		return tmp;
 	} else {
 		/* May throw */
diff --git a/ext/opcache/tests/invalid_array_key_type.phpt b/ext/opcache/tests/invalid_array_key_type.phpt
@@ -19,6 +19,9 @@ function test2() {
 function test3() {
     foreach (range(0, $undef) as $v) { }
 }
+function test4() {
+    var_dump(range(0, ~$u));
+}
 
 ?>
 ===DONE===
