fix: prevent int overflow crash when comparing against PHP_INT_MAX/MIN

eyupcanakman · eyupcanakman · commit bea0b2d02993 · 2026-03-05T16:30:53.000+03:00
When an int is compared against PHP_INT_MAX (e.g. $v <= PHP_INT_MAX) and psalm evaluates the negated assertion (> PHP_INT_MAX) in the else branch, reconcileIsGreaterThan computes PHP_INT_MAX + 1, which silently overflows from int to float. Passing that float to TIntRange::contains(int $i) under strict_types=1 raises a fatal TypeError. The same underflow occurs in reconcileIsLessThan when the assertion value is PHP_INT_MIN. Add !is_int() guards after each arithmetic step. When the guard fires, no integer can satisfy the comparison (> PHP_INT_MAX or < PHP_INT_MIN), so all TIntRange, TInt, and TLiteralInt types are removed from the union. Fixes #11209.
diff --git a/src/Psalm/Internal/Type/SimpleAssertionReconciler.php b/src/Psalm/Internal/Type/SimpleAssertionReconciler.php
@@ -1964,6 +1964,25 @@ private static function reconcileIsGreaterThan(
         //we add 1 from the assertion value because we're on a strict operator
         $assertion_value = $assertion->value + 1;
 
+        if (!is_int($assertion_value)) {
+            // PHP_INT_MAX + 1 overflows to float; no integer can satisfy > PHP_INT_MAX.
+            if ($assertion->doesFilterNullOrFalse() &&
+                ($existing_var_type->hasType('null') || $existing_var_type->hasType('false'))
+            ) {
+                $existing_var_type->removeType('null');
+                $existing_var_type->removeType('false');
+            }
+            foreach ($existing_var_type->getAtomicTypes() as $atomic_type) {
+                if ($atomic_type instanceof TIntRange
+                    || $atomic_type instanceof TInt
+                    || $atomic_type instanceof TLiteralInt
+                ) {
+                    $existing_var_type->removeType($atomic_type->getKey());
+                }
+            }
+            return $existing_var_type->freeze();
+        }
+
         $redundant = true;
 
         if ($assertion->doesFilterNullOrFalse() &&
@@ -2013,7 +2032,7 @@ private static function reconcileIsGreaterThan(
                         $existing_var_type->addType(new TIntRange($assertion_value, $atomic_type->value));
                     }
                 }*/
-            } elseif ($atomic_type instanceof TInt && is_int($assertion_value)) {
+            } elseif ($atomic_type instanceof TInt) {
                 $redundant = false;
                 $existing_var_type->removeType($atomic_type->getKey());
                 $existing_var_type->addType(new TIntRange($assertion_value, null));
@@ -2073,6 +2092,25 @@ private static function reconcileIsLessThan(
         $assertion_value = $assertion->value - 1;
         $existing_var_type = $existing_var_type->getBuilder();
 
+        if (!is_int($assertion_value)) {
+            // PHP_INT_MIN - 1 underflows to float; no integer can satisfy < PHP_INT_MIN.
+            if ($assertion->doesFilterNullOrFalse() &&
+                ($existing_var_type->hasType('null') || $existing_var_type->hasType('false'))
+            ) {
+                $existing_var_type->removeType('null');
+                $existing_var_type->removeType('false');
+            }
+            foreach ($existing_var_type->getAtomicTypes() as $atomic_type) {
+                if ($atomic_type instanceof TIntRange
+                    || $atomic_type instanceof TInt
+                    || $atomic_type instanceof TLiteralInt
+                ) {
+                    $existing_var_type->removeType($atomic_type->getKey());
+                }
+            }
+            return $existing_var_type->freeze();
+        }
+
         $redundant = true;
 
         if ($assertion->doesFilterNullOrFalse() &&
diff --git a/tests/IntRangeTest.php b/tests/IntRangeTest.php
@@ -1034,6 +1034,29 @@ function bar(int $_a, int $_b): void {}
                     '$z' => 'int<min, 9223372036854775807>|null',
                 ],
             ],
+            'noInternalErrorOnGreaterThanPhpIntMax' => [
+                'code' => '<?php
+                    function packInteger(int $value): void {
+                        if ($value >= 0) {
+                        } elseif ($value <= 9223372036854775807) {
+                        }
+                    }
+                ',
+                'assertions' => [],
+                'ignored_issues' => ['RedundantCondition'],
+            ],
+            // Psalm does not currently emit RedundantCondition for the >= direction at PHP_INT_MIN,
+            // so no ignored_issues entry is needed here (unlike the <= PHP_INT_MAX case above).
+            'noInternalErrorOnLessThanPhpIntMin' => [
+                'code' => '<?php
+                    function checkBound(int $value): void {
+                        if ($value <= 0) {
+                        } elseif ($value >= -9223372036854775808) {
+                        }
+                    }
+                ',
+                'assertions' => [],
+            ],
         ];
     }
 
