Fix RC inference narrowing for ASSIGN_OBJ

Fixes oss-fuzz #66519
Closes GH-13345

Author: iluuu1994

Zend/Optimizer/zend_inference.c

@@ -3030,12 +3030,12 @@ static zend_always_inline zend_result _zend_update_type_info(
 		case ZEND_ASSIGN_OBJ:
 			if (opline->op1_type == IS_CV) {
 				zend_class_entry *ce = ssa_var_info[ssa_op->op1_use].ce;
-				bool add_rc = !ce
+				bool add_rc = (t1 & (MAY_BE_OBJECT|MAY_BE_REF)) && (!ce
 					|| ce->__set
 					/* Non-default write_property may be set within create_object. */
 					|| ce->create_object
 					|| ce->default_object_handlers->write_property != zend_std_write_property
-					|| ssa_var_info[ssa_op->op1_use].is_instanceof;
+					|| ssa_var_info[ssa_op->op1_use].is_instanceof);
 				tmp = (t1 & (MAY_BE_REF|MAY_BE_OBJECT|MAY_BE_RC1|MAY_BE_RCN))|(add_rc ? (MAY_BE_RC1|MAY_BE_RCN) : 0);
 				UPDATE_SSA_TYPE(tmp, ssa_op->op1_def);
 				COPY_SSA_OBJ_TYPE(ssa_op->op1_use, ssa_op->op1_def);

ext/opcache/tests/oss_fuzz_66519.phpt

@@ -0,0 +1,18 @@
+--TEST--
+oss-fuzz #66519: Fix RC inference narrowing for ASSIGN_OBJ
+--EXTENSIONS--
+opcache
+--INI--
+opcache.enable_cli=1
+--FILE--
+<?php
+function test() {
+    for (;;) {
+        [] ?? $oj->y = y;
+        $oj = new stdClass;
+    }
+}
+?>
+===DONE===
+--EXPECT--
+===DONE===