Fix GH-17144: type inference narrowing on ZEND_FETCH_DIM_W #22

Closed
iliaal wants to merge 1 commit into PHP-8.4 from fix/gh-17144-fetch-dim-w-narrowing

iliaal commented Apr 8, 2026

Summary

FETCH_DIM_W stripped MAY_BE_ARRAY_EMPTY only inside a block guarded by key_type & (MAY_BE_ARRAY_KEY_LONG|MAY_BE_ARRAY_KEY_STRING). When the key operand's type widened across loop iterations (e.g. from MAY_BE_ARRAY to include scalar types), key_type went from 0 to non-zero, causing the flag to be stripped on the second pass but not the first. This violated monotonicity and triggered the narrowing assertion.

Strips MAY_BE_ARRAY_EMPTY for write opcodes (W, RW, LIST_W) regardless of key_type, since a dimension write makes the array non-empty.

Fixes php#17144

FETCH_DIM_W stripped MAY_BE_ARRAY_EMPTY only when key_type had valid
key bits. When the key operand's type widened across loop iterations
(from MAY_BE_ARRAY to include scalar types), key_type transitioned
from 0 to non-zero, causing MAY_BE_ARRAY_EMPTY to be stripped on the
second pass but not the first. This violated monotonicity.

Strip MAY_BE_ARRAY_EMPTY for write opcodes (W, RW, LIST_W) regardless
of key_type, since a dimension write makes the array non-empty.

Closes phpGH-17144
iliaal closed this Apr 8, 2026

iliaal commented Apr 8, 2026

Promoted to php#21674.
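
The monotonicity violation described in the summary can be reproduced with a small model. This is an added example, not code from php-src or from the pull request: the bit values, the `OP_*` operand bits and the `key_type_of` helper are constructed assumptions, and the two transfer functions only mirror the guarded and unconditional stripping the description names.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed bit values for this model; php-src defines the real masks. */
#define MAY_BE_ARRAY_EMPTY      (1u << 0)
#define MAY_BE_ARRAY_KEY_LONG   (1u << 1)
#define MAY_BE_ARRAY_KEY_STRING (1u << 2)
#define KEY_BITS (MAY_BE_ARRAY_KEY_LONG | MAY_BE_ARRAY_KEY_STRING)
/* Hypothetical key-operand type bits (not engine names). */
#define OP_ARRAY  (1u << 0)
#define OP_LONG   (1u << 1)
#define OP_STRING (1u << 2)

/* Assumption: an array-typed key yields no key bits; scalars do. */
static uint32_t key_type_of(uint32_t op) {
    return ((op & OP_LONG) ? MAY_BE_ARRAY_KEY_LONG : 0)
         | ((op & OP_STRING) ? MAY_BE_ARRAY_KEY_STRING : 0);
}

/* Behaviour described as the bug: strip only inside the key_type guard. */
static uint32_t dim_w_guarded(uint32_t arr, uint32_t key_op) {
    uint32_t key_type = key_type_of(key_op);
    if (key_type & KEY_BITS)
        arr = (arr | key_type) & ~MAY_BE_ARRAY_EMPTY;
    return arr;
}

/* Behaviour described as the fix: a dimension write always strips it. */
static uint32_t dim_w_fixed(uint32_t arr, uint32_t key_op) {
    return (arr & ~MAY_BE_ARRAY_EMPTY) | (key_type_of(key_op) & KEY_BITS);
}

/* Count passes whose result lost a bit the previous pass had produced. */
static int count_narrowings(uint32_t (*fn)(uint32_t, uint32_t)) {
    const uint32_t passes[] = { OP_ARRAY, OP_ARRAY | OP_LONG,
                                OP_ARRAY | OP_LONG | OP_STRING };
    uint32_t prev = 0;
    int narrowed = 0;
    for (size_t i = 0; i < sizeof passes / sizeof passes[0]; i++) {
        uint32_t next = fn(MAY_BE_ARRAY_EMPTY, passes[i]);
        if (prev & ~next) narrowed++;   /* a previously set bit vanished */
        prev = next;
    }
    return narrowed;
}

int main(void) {
    printf("%d %d\n", count_narrowings(dim_w_guarded), count_narrowings(dim_w_fixed));
    return 0;
}
```

The guarded variant reports one narrowing, at the pass where the key operand first gains a scalar type; the unconditional variant reports none.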
