From aa7280264e9b42a287cf38c68a019ca516db01dd Mon Sep 17 00:00:00 2001
From: Dmitry Stogov <dmitry@zend.com>
Date: Mon, 6 Dec 2021 11:30:03 +0300
Subject: [PATCH] Fix refcount inferemce ($a += $a returns old array with RCN)

Fixes oss-fuzz #41670
---
 ext/opcache/Optimizer/zend_inference.c   |  2 +-
 ext/opcache/tests/jit/assign_op_008.phpt | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 ext/opcache/tests/jit/assign_op_008.phpt

diff --git a/ext/opcache/Optimizer/zend_inference.c b/ext/opcache/Optimizer/zend_inference.c
index f7e28643f44..92ae858b707 100644
--- a/ext/opcache/Optimizer/zend_inference.c
+++ b/ext/opcache/Optimizer/zend_inference.c
@@ -2570,7 +2570,7 @@ static zend_always_inline int _zend_update_type_info(
 				ssa, opline->extended_value, t1, t2,
 				opline->opcode == ZEND_ASSIGN_OP ? ssa_op->op1_def : -1, optimization_level);
 			if (tmp & (MAY_BE_STRING|MAY_BE_ARRAY)) {
-				tmp |= MAY_BE_RC1;
+				tmp |= MAY_BE_RC1 | MAY_BE_RCN;
 			}
 			if (tmp & (MAY_BE_OBJECT|MAY_BE_RESOURCE)) {
 				tmp |= MAY_BE_RC1 | MAY_BE_RCN;
diff --git a/ext/opcache/tests/jit/assign_op_008.phpt b/ext/opcache/tests/jit/assign_op_008.phpt
new file mode 100644
index 00000000000..efd9418741f
--- /dev/null
+++ b/ext/opcache/tests/jit/assign_op_008.phpt
@@ -0,0 +1,22 @@
+--TEST--
+JIT ASSIGN_OP: 008 Arrays merging with itself
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.file_update_protection=0
+opcache.jit_buffer_size=1M
+--FILE--
+<?php
+function test() {
+	$a = [];
+    for ($i = 0; $i < 2; $i++) {
+        $a + $a += $a;
+        $a['b'] += 1;
+    }
+}
+test();
+?>
+DONE
+--EXPECTF--
+Warning: Undefined array key "b" in %sassign_op_008.php on line 6
+DONE