Fixed GH-10008: Narrowing occurred during type inference of ZEND_ADD_ARRAY_ELEMENT

Backport implementation of iterative Pearce's SCC finding algoritm (#12528)

Fixes GH-11795

Fixed GH-12511: Use must be in next opline assertion with patched infection

Fixed GH-12509: JIT assertion when running php-parser tests

Fixed incorrect type inference

Fixed GH-12262: Tracing JIT assertion crash when using phpstan

Revert "Fix GH-10008: Narrowing occurred during type inference of ZEND_ADD_ARRAY_ELEMENT"

Although it passes CI on 8.1, it causes CI failures in the JIT on 8.2 and
higher.
See https:

Revert "Fix GH-10008: Narrowing occurred during type inference of ZEND_ADD_ARRAY_ELEMENT"

Although it passes CI on 8.1, it causes CI failures in the JIT on 8.2 and
higher.
See https://github.com/php/php-src/actions/runs/6357716718/job/17269225001

This reverts commit e72fc12058dc0ee7bfe534dfa3daf46f3b357190.

show more ...

Fix GH-10008: Narrowing occurred during type inference of ZEND_ADD_ARRAY_ELEMENT

This test triggers narrowing for two ops: first ZEND_ADD_ARRAY_ELEMENT,
and then ZEND_ASSIGN.

Th

Fix GH-10008: Narrowing occurred during type inference of ZEND_ADD_ARRAY_ELEMENT

This test triggers narrowing for two ops: first ZEND_ADD_ARRAY_ELEMENT,
and then ZEND_ASSIGN.

The type inference happens in the following order:
1) The ZEND_ADD_ARRAY_ELEMENT infers type 0x40e04080 (packed flag is set),
arr_type=0 at this point because it hasn't been set by ZEND_INIT_ARRAY yet.
2) The ZEND_INIT_ARRAY infers type 0x40804080
3) The ZEND_ADD_ARRAY_ELEMENT infers type 0x40e04080, arr_type=0x40804080,
which does not have the packed flag set while the existing result of
ZEND_ADD_ARRAY_ELEMENT has the packed flag set.

This seems to occur because of the phi node introduced by the while
loop. If I remove the loop the problem goes away.

As Arnaud noted, this seems to be caused by a too wide type inference
for arr_type==0. We should keep the invariant that if x>=y then
key_type(x) >= key_type(y).
If we write the possible results down in a table we get:

```
arr_type resulting key type
--------------- --------------------------------------------------------------------------
HASH_ONLY -> MAY_BE_ARRAY_NUMERIC_HASH
PACKED_ONLY -> MAY_BE_ARRAY_NUMERIC_HASH | MAY_BE_ARRAY_PACKED (== MAY_BE_ARRAY_KEY_LONG)
HASH || PACKED -> MAY_BE_ARRAY_NUMERIC_HASH | MAY_BE_ARRAY_PACKED (== MAY_BE_ARRAY_KEY_LONG)
0 -> MAY_BE_ARRAY_NUMERIC_HASH | MAY_BE_ARRAY_PACKED (== MAY_BE_ARRAY_KEY_LONG)
```

As we can see, `HASH_ONLY > 0` but
`MAY_BE_ARRAY_NUMERIC_HASH < MAY_BE_ARRAY_NUMERIC_HASH | MAY_BE_ARRAY_PACKED`,
which violates the invariant.
Instead if we modify the zero case to have MAY_BE_ARRAY_NUMERIC_HASH instead,
we get the following table which satisfies the invariant.

```
arr_type resulting key type
--------------- --------------------------------------------------------------------------
HASH_ONLY -> MAY_BE_ARRAY_NUMERIC_HASH
PACKED_ONLY -> MAY_BE_ARRAY_NUMERIC_HASH | MAY_BE_ARRAY_PACKED (== MAY_BE_ARRAY_KEY_LONG)
HASH || PACKED -> MAY_BE_ARRAY_NUMERIC_HASH | MAY_BE_ARRAY_PACKED (== MAY_BE_ARRAY_KEY_LONG)
0 -> MAY_BE_ARRAY_NUMERIC_HASH
```

Broke in 1ffbb73.
Closes GH-10294.

show more ...

Fix too wide OR and AND range inference

There is a typo which causes the AND and OR range inference to infer a
wider range than necessary. Fix this typo. There are many ranges for
wh

Fix too wide OR and AND range inference

There is a typo which causes the AND and OR range inference to infer a
wider range than necessary. Fix this typo. There are many ranges for
which the inference is too wide, I just picked one for AND and one for
OR that I found through symbolic execution.

In this example test, the previous range inferred for test_or was [-27..-1]
instead of [-20..-1].
And the previous range inferred for test_and was [-32..-25]
instead of [-28..-25].

Closes GH-11170.

show more ...

Allow FETCH_OBJ_W and FETCH_STATIC_PROP_W to return INDIRECT/UNDEF zval for uninitialized typed properties (#11048)

Fix RC1 assumption for typed properties with __get

Unsetting typed properties resorts back to __get which may have RC1.

Closes GH-10833

Fix updating SSA object type for *_ASSIGN_OP (#10458)

The code fetched the class entry into ce for objects and static
properties. However, when the actual update needs to take place (whe

Fix updating SSA object type for *_ASSIGN_OP (#10458)

The code fetched the class entry into ce for objects and static
properties. However, when the actual update needs to take place (when
result_def exists), the class entry in ce was reset to NULL. So the SSA
object type update never happened. Fetch the class entry in the
result_def>=0 case instead after the reset of ce to NULL.

show more ...

Fix type inference

Fixes oss-fuzz #55358

Fix incorrect check condition in type inference (#10425)

The "nothing to do" case would never be hit because the switch block
would execute if the opcode is ZEND_ASSIGN_STATIC_PROP_OP,

Fix incorrect check condition in type inference (#10425)

The "nothing to do" case would never be hit because the switch block
would execute if the opcode is ZEND_ASSIGN_STATIC_PROP_OP,
not ZEND_ASSIGN_STATIC_PROP. This meant that we were falling through to
the else block. Fix this by correcting the check condition.

show more ...

Merge branch 'PHP-8.0' into PHP-8.1

* PHP-8.0:
Fix type inference

Fix type inference

Fixes oss-fuzz #50272

Fix type inference

Fixes oss-fuzz #49423 and #49474

Fix type inference

Fixes oss-fuzz #48908

Merge branch 'PHP-8.0' into PHP-8.1

* PHP-8.0:
Fix type inference for FETCH_DI_UNSET

Fix type inference

This dixes oss-fuzz #47921

Fix type inference

This fixes oss-fuzz #47920

Fix type inference

This fixes oss-fuzz #47777

Merge branch 'PHP-8.0' into PHP-8.1

* PHP-8.0:
Fix type inference

Fix type inference

This fizes oss-fuzz #47044

Merge branch 'PHP-8.0' into PHP-8.1

* PHP-8.0:
Fix type inference