Fix crashes with empty string as SetElem base

It needs to convert the key to a real TypedValue, and needs
to side exit (via throw).

hphp/runtime/vm/jit/vectortranslator.cpp

@@ -156,7 +156,7 @@ void VectorEffects::init(Opcode op, const Type origBase,
     // definitely happen but those cases aren't handled yet. In a perfect world
     // we would remove Type::Null from baseType here but that can produce types
     // that are tricky to guard against and doesn't buy us much right now.
-    if (!baseBoxed || !baseType.isString()) {
+    if (!baseBoxed && (!baseType.isString() || op == SetProp)) {
       /*
        * Uses of boxed types are always guarded, in case the inner
        * type was modified. If the base type was String, its extremely

hphp/runtime/vm/member_operations.h

@@ -687,7 +687,11 @@ inline StringData* SetElem(TypedValue* base, TypedValue* key, Cell* value) {
   case KindOfString: {
     int baseLen = base->m_data.pstr->size();
     if (baseLen == 0) {
+      initScratchKey<keyType>(scratch, key);
       SetElemEmptyish(base, key, value);
+      if (!setResult) {
+        throw InvalidSetMException(*value);
+      }
     } else {
       // Convert key to string offset.
       int64_t x = castKeyToInt<keyType>(key);

hphp/test/slow/array/promote_string.php

@@ -0,0 +1,11 @@
+<?php
+
+function test($a, $f) {
+  $a[0] = $f;
+  $a[$f] = $f;
+  $a[1] = 1;
+  $a['foo'] = 'foo';
+  return $a;
+}
+
+var_dump(test("", "f".isset($g)?"x":""));

hphp/test/slow/array/promote_string.php.expect

@@ -0,0 +1,10 @@
+array(4) {
+  [0]=>
+  string(1) "x"
+  ["x"]=>
+  string(1) "x"
+  [1]=>
+  int(1)
+  ["foo"]=>
+  string(3) "foo"
+}