Fix memory leak

This fixes oss-fuzz #47448

Author: dstogov

ext/opcache/Optimizer/sccp.c

@@ -2234,8 +2234,39 @@ static int try_remove_definition(sccp_ctx *ctx, int var_num, zend_ssa_var *var,
 		}
 
 		if (ssa_op->result_def == var_num) {
-			if (ssa_op->op1_def >= 0
-					|| ssa_op->op2_def >= 0) {
+			if (ssa_op->op1_def >= 0 || ssa_op->op2_def >= 0) {
+				if (var->use_chain < 0 && var->phi_use_chain == NULL) {
+					switch (opline->opcode) {
+						case ZEND_ASSIGN:
+						case ZEND_ASSIGN_REF:
+						case ZEND_ASSIGN_DIM:
+						case ZEND_ASSIGN_OBJ:
+						case ZEND_ASSIGN_OBJ_REF:
+						case ZEND_ASSIGN_STATIC_PROP:
+						case ZEND_ASSIGN_STATIC_PROP_REF:
+						case ZEND_ASSIGN_OP:
+						case ZEND_ASSIGN_DIM_OP:
+						case ZEND_ASSIGN_OBJ_OP:
+						case ZEND_ASSIGN_STATIC_PROP_OP:
+						case ZEND_PRE_INC:
+						case ZEND_PRE_DEC:
+						case ZEND_PRE_INC_OBJ:
+						case ZEND_PRE_DEC_OBJ:
+						case ZEND_DO_ICALL:
+						case ZEND_DO_UCALL:
+						case ZEND_DO_FCALL_BY_NAME:
+						case ZEND_DO_FCALL:
+						case ZEND_INCLUDE_OR_EVAL:
+						case ZEND_YIELD:
+						case ZEND_YIELD_FROM:
+						case ZEND_ASSERT_CHECK:
+							opline->result_type = IS_UNUSED;
+							zend_ssa_remove_result_def(ssa, ssa_op);
+							break;
+						default:
+							break;
+					}	
+				}
 				/* we cannot remove instruction that defines other variables */
 				return 0;
 			} else if (opline->opcode == ZEND_JMPZ_EX

ext/opcache/tests/opt/sccp_040.phpt

@@ -0,0 +1,22 @@
+--TEST--
+SCCP 040: Memory leak
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.optimization_level=-1
+--FILE--
+<?php
+function f() {
+    $y[] = $arr[] = array($y);
+    $arr();
+}
+f();
+?>
+--EXPECTF--
+Warning: Undefined variable $y in %ssccp_040.php on line 3
+
+Fatal error: Uncaught Error: Array callback must have exactly two elements in %ssccp_040.php:4
+Stack trace:
+#0 %ssccp_040.php(6): f()
+#1 {main}
+  thrown in %ssccp_040.php on line 4