1 /*
2 +----------------------------------------------------------------------+
3 | Zend OPcache |
4 +----------------------------------------------------------------------+
5 | Copyright (c) The PHP Group |
6 +----------------------------------------------------------------------+
7 | This source file is subject to version 3.01 of the PHP license, |
8 | that is bundled with this package in the file LICENSE, and is |
9 | available through the world-wide-web at the following url: |
10 | http://www.php.net/license/3_01.txt |
11 | If you did not receive a copy of the PHP license and are unable to |
12 | obtain it through the world-wide-web, please send a note to |
13 | license@php.net so we can mail you a copy immediately. |
14 +----------------------------------------------------------------------+
15 | Authors: Dmitry Stogov <dmitry@php.net> |
16 +----------------------------------------------------------------------+
17 */
18
19 #include "php.h"
20 #include "Optimizer/zend_optimizer.h"
21 #include "Optimizer/zend_optimizer_internal.h"
22 #include "zend_API.h"
23 #include "zend_constants.h"
24 #include "zend_execute.h"
25 #include "zend_vm.h"
26 #include "zend_bitset.h"
27 #include "zend_cfg.h"
28 #include "zend_ssa.h"
29 #include "zend_func_info.h"
30 #include "zend_call_graph.h"
31 #include "zend_inference.h"
32 #include "zend_dump.h"
33
34 #ifndef ZEND_DEBUG_DFA
35 # define ZEND_DEBUG_DFA ZEND_DEBUG
36 #endif
37
38 #if ZEND_DEBUG_DFA
39 # include "ssa_integrity.c"
40 #endif
41
zend_dfa_analyze_op_array(zend_op_array * op_array,zend_optimizer_ctx * ctx,zend_ssa * ssa)42 int zend_dfa_analyze_op_array(zend_op_array *op_array, zend_optimizer_ctx *ctx, zend_ssa *ssa)
43 {
44 uint32_t build_flags;
45
46 if (op_array->last_try_catch) {
47 /* TODO: we can't analyze functions with try/catch/finally ??? */
48 return FAILURE;
49 }
50
51 /* Build SSA */
52 memset(ssa, 0, sizeof(zend_ssa));
53
54 if (zend_build_cfg(&ctx->arena, op_array, ZEND_CFG_NO_ENTRY_PREDECESSORS, &ssa->cfg) != SUCCESS) {
55 return FAILURE;
56 }
57
58 if ((ssa->cfg.flags & ZEND_FUNC_INDIRECT_VAR_ACCESS)) {
59 /* TODO: we can't analyze functions with indirect variable access ??? */
60 return FAILURE;
61 }
62
63 if (zend_cfg_build_predecessors(&ctx->arena, &ssa->cfg) != SUCCESS) {
64 return FAILURE;
65 }
66
67 if (ctx->debug_level & ZEND_DUMP_DFA_CFG) {
68 zend_dump_op_array(op_array, ZEND_DUMP_CFG, "dfa cfg", &ssa->cfg);
69 }
70
71 /* Compute Dominators Tree */
72 if (zend_cfg_compute_dominators_tree(op_array, &ssa->cfg) != SUCCESS) {
73 return FAILURE;
74 }
75
76 /* Identify reducible and irreducible loops */
77 if (zend_cfg_identify_loops(op_array, &ssa->cfg) != SUCCESS) {
78 return FAILURE;
79 }
80
81 if (ctx->debug_level & ZEND_DUMP_DFA_DOMINATORS) {
82 zend_dump_dominators(op_array, &ssa->cfg);
83 }
84
85 build_flags = 0;
86 if (ctx->debug_level & ZEND_DUMP_DFA_LIVENESS) {
87 build_flags |= ZEND_SSA_DEBUG_LIVENESS;
88 }
89 if (ctx->debug_level & ZEND_DUMP_DFA_PHI) {
90 build_flags |= ZEND_SSA_DEBUG_PHI_PLACEMENT;
91 }
92 if (zend_build_ssa(&ctx->arena, ctx->script, op_array, build_flags, ssa) != SUCCESS) {
93 return FAILURE;
94 }
95
96 if (ctx->debug_level & ZEND_DUMP_DFA_SSA) {
97 zend_dump_op_array(op_array, ZEND_DUMP_SSA, "dfa ssa", ssa);
98 }
99
100
101 if (zend_ssa_compute_use_def_chains(&ctx->arena, op_array, ssa) != SUCCESS){
102 return FAILURE;
103 }
104
105 if (zend_ssa_find_false_dependencies(op_array, ssa) != SUCCESS) {
106 return FAILURE;
107 }
108
109 if (zend_ssa_find_sccs(op_array, ssa) != SUCCESS){
110 return FAILURE;
111 }
112
113 if (zend_ssa_inference(&ctx->arena, op_array, ctx->script, ssa, ctx->optimization_level) != SUCCESS) {
114 return FAILURE;
115 }
116
117 if (zend_ssa_escape_analysis(ctx->script, op_array, ssa) != SUCCESS) {
118 return FAILURE;
119 }
120
121 if (ctx->debug_level & ZEND_DUMP_DFA_SSA_VARS) {
122 zend_dump_ssa_variables(op_array, ssa, 0);
123 }
124
125 return SUCCESS;
126 }
127
zend_ssa_remove_nops(zend_op_array * op_array,zend_ssa * ssa,zend_optimizer_ctx * ctx)128 static void zend_ssa_remove_nops(zend_op_array *op_array, zend_ssa *ssa, zend_optimizer_ctx *ctx)
129 {
130 zend_basic_block *blocks = ssa->cfg.blocks;
131 zend_basic_block *blocks_end = blocks + ssa->cfg.blocks_count;
132 zend_basic_block *b;
133 zend_func_info *func_info;
134 int j;
135 uint32_t i = 0;
136 uint32_t target = 0;
137 uint32_t *shiftlist;
138 ALLOCA_FLAG(use_heap);
139
140 shiftlist = (uint32_t *)do_alloca(sizeof(uint32_t) * op_array->last, use_heap);
141 memset(shiftlist, 0, sizeof(uint32_t) * op_array->last);
142 /* remove empty callee_info */
143 func_info = ZEND_FUNC_INFO(op_array);
144 if (func_info) {
145 zend_call_info **call_info = &func_info->callee_info;
146 while ((*call_info)) {
147 if ((*call_info)->caller_init_opline->opcode == ZEND_NOP) {
148 *call_info = (*call_info)->next_callee;
149 } else {
150 call_info = &(*call_info)->next_callee;
151 }
152 }
153 }
154
155 for (b = blocks; b < blocks_end; b++) {
156 if (b->flags & (ZEND_BB_REACHABLE|ZEND_BB_UNREACHABLE_FREE)) {
157 if (b->len) {
158 uint32_t new_start, old_end;
159 while (i < b->start) {
160 shiftlist[i] = i - target;
161 i++;
162 }
163
164 if (b->flags & ZEND_BB_UNREACHABLE_FREE) {
165 /* Only keep the FREE for the loop var */
166 ZEND_ASSERT(op_array->opcodes[b->start].opcode == ZEND_FREE
167 || op_array->opcodes[b->start].opcode == ZEND_FE_FREE);
168 b->len = 1;
169 }
170
171 new_start = target;
172 old_end = b->start + b->len;
173 while (i < old_end) {
174 shiftlist[i] = i - target;
175 if (EXPECTED(op_array->opcodes[i].opcode != ZEND_NOP)) {
176 if (i != target) {
177 op_array->opcodes[target] = op_array->opcodes[i];
178 ssa->ops[target] = ssa->ops[i];
179 ssa->cfg.map[target] = b - blocks;
180 }
181 target++;
182 }
183 i++;
184 }
185 b->start = new_start;
186 if (target != old_end) {
187 zend_op *opline;
188 zend_op *new_opline;
189
190 b->len = target - b->start;
191 opline = op_array->opcodes + old_end - 1;
192 if (opline->opcode == ZEND_NOP) {
193 continue;
194 }
195
196 new_opline = op_array->opcodes + target - 1;
197 zend_optimizer_migrate_jump(op_array, new_opline, opline);
198 }
199 } else {
200 b->start = target;
201 }
202 } else {
203 b->start = target;
204 b->len = 0;
205 }
206 }
207
208 if (target != op_array->last) {
209 /* reset rest opcodes */
210 for (i = target; i < op_array->last; i++) {
211 MAKE_NOP(op_array->opcodes + i);
212 }
213
214 /* update SSA variables */
215 for (j = 0; j < ssa->vars_count; j++) {
216 if (ssa->vars[j].definition >= 0) {
217 ssa->vars[j].definition -= shiftlist[ssa->vars[j].definition];
218 }
219 if (ssa->vars[j].use_chain >= 0) {
220 ssa->vars[j].use_chain -= shiftlist[ssa->vars[j].use_chain];
221 }
222 }
223 for (i = 0; i < op_array->last; i++) {
224 if (ssa->ops[i].op1_use_chain >= 0) {
225 ssa->ops[i].op1_use_chain -= shiftlist[ssa->ops[i].op1_use_chain];
226 }
227 if (ssa->ops[i].op2_use_chain >= 0) {
228 ssa->ops[i].op2_use_chain -= shiftlist[ssa->ops[i].op2_use_chain];
229 }
230 if (ssa->ops[i].res_use_chain >= 0) {
231 ssa->ops[i].res_use_chain -= shiftlist[ssa->ops[i].res_use_chain];
232 }
233 }
234
235 /* update branch targets */
236 for (b = blocks; b < blocks_end; b++) {
237 if ((b->flags & ZEND_BB_REACHABLE) && b->len != 0) {
238 zend_op *opline = op_array->opcodes + b->start + b->len - 1;
239 zend_optimizer_shift_jump(op_array, opline, shiftlist);
240 }
241 }
242
243 /* update try/catch array */
244 for (j = 0; j < op_array->last_try_catch; j++) {
245 op_array->try_catch_array[j].try_op -= shiftlist[op_array->try_catch_array[j].try_op];
246 op_array->try_catch_array[j].catch_op -= shiftlist[op_array->try_catch_array[j].catch_op];
247 if (op_array->try_catch_array[j].finally_op) {
248 op_array->try_catch_array[j].finally_op -= shiftlist[op_array->try_catch_array[j].finally_op];
249 op_array->try_catch_array[j].finally_end -= shiftlist[op_array->try_catch_array[j].finally_end];
250 }
251 }
252
253 /* update early binding list */
254 if (op_array->fn_flags & ZEND_ACC_EARLY_BINDING) {
255 uint32_t *opline_num = &ctx->script->first_early_binding_opline;
256
257 ZEND_ASSERT(op_array == &ctx->script->main_op_array);
258 do {
259 *opline_num -= shiftlist[*opline_num];
260 opline_num = &op_array->opcodes[*opline_num].result.opline_num;
261 } while (*opline_num != (uint32_t)-1);
262 }
263
264 /* update call graph */
265 if (func_info) {
266 zend_call_info *call_info = func_info->callee_info;
267 while (call_info) {
268 call_info->caller_init_opline -=
269 shiftlist[call_info->caller_init_opline - op_array->opcodes];
270 if (call_info->caller_call_opline) {
271 call_info->caller_call_opline -=
272 shiftlist[call_info->caller_call_opline - op_array->opcodes];
273 }
274 call_info = call_info->next_callee;
275 }
276 }
277
278 op_array->last = target;
279 }
280 free_alloca(shiftlist, use_heap);
281 }
282
safe_instanceof(zend_class_entry * ce1,zend_class_entry * ce2)283 static zend_bool safe_instanceof(zend_class_entry *ce1, zend_class_entry *ce2) {
284 if (ce1 == ce2) {
285 return 1;
286 }
287 if (!(ce1->ce_flags & ZEND_ACC_LINKED)) {
288 /* This case could be generalized, similarly to unlinked_instanceof */
289 return 0;
290 }
291 return instanceof_function(ce1, ce2);
292 }
293
can_elide_return_type_check(zend_op_array * op_array,zend_ssa * ssa,zend_ssa_op * ssa_op)294 static inline zend_bool can_elide_return_type_check(
295 zend_op_array *op_array, zend_ssa *ssa, zend_ssa_op *ssa_op) {
296 zend_arg_info *info = &op_array->arg_info[-1];
297 zend_ssa_var_info *use_info = &ssa->var_info[ssa_op->op1_use];
298 zend_ssa_var_info *def_info = &ssa->var_info[ssa_op->op1_def];
299
300 /* TODO: It would be better to rewrite this without using def_info,
301 * which may not be an exact representation of the type. */
302 if (use_info->type & MAY_BE_REF) {
303 return 0;
304 }
305
306 /* A type is possible that is not in the allowed types */
307 if ((use_info->type & (MAY_BE_ANY|MAY_BE_UNDEF)) & ~(def_info->type & MAY_BE_ANY)) {
308 return 0;
309 }
310
311 /* These types are not represented exactly */
312 if (ZEND_TYPE_FULL_MASK(info->type) & (MAY_BE_CALLABLE|MAY_BE_ITERABLE|MAY_BE_STATIC)) {
313 return 0;
314 }
315
316 if (ZEND_TYPE_HAS_CLASS(info->type)) {
317 if (!use_info->ce || !def_info->ce || !safe_instanceof(use_info->ce, def_info->ce)) {
318 return 0;
319 }
320 }
321
322 return 1;
323 }
324
opline_supports_assign_contraction(zend_op_array * op_array,zend_ssa * ssa,zend_op * opline,int src_var,uint32_t cv_var)325 static zend_bool opline_supports_assign_contraction(
326 zend_op_array *op_array, zend_ssa *ssa, zend_op *opline, int src_var, uint32_t cv_var) {
327 if (opline->opcode == ZEND_NEW) {
328 /* see Zend/tests/generators/aborted_yield_during_new.phpt */
329 return 0;
330 }
331
332 if (opline->opcode == ZEND_DO_ICALL || opline->opcode == ZEND_DO_UCALL
333 || opline->opcode == ZEND_DO_FCALL || opline->opcode == ZEND_DO_FCALL_BY_NAME) {
334 /* Function calls may dtor the return value after it has already been written -- allow
335 * direct assignment only for types where a double-dtor does not matter. */
336 uint32_t type = ssa->var_info[src_var].type;
337 uint32_t simple = MAY_BE_NULL|MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_LONG|MAY_BE_DOUBLE;
338 return !((type & MAY_BE_ANY) & ~simple);
339 }
340
341 if (opline->opcode == ZEND_POST_INC || opline->opcode == ZEND_POST_DEC) {
342 /* POST_INC/DEC write the result variable before performing the inc/dec. For $i = $i++
343 * eliding the temporary variable would thus yield an incorrect result. */
344 return opline->op1_type != IS_CV || opline->op1.var != cv_var;
345 }
346
347 if (opline->opcode == ZEND_INIT_ARRAY) {
348 /* INIT_ARRAY initializes the result array before reading key/value. */
349 return (opline->op1_type != IS_CV || opline->op1.var != cv_var)
350 && (opline->op2_type != IS_CV || opline->op2.var != cv_var);
351 }
352
353 if (opline->opcode == ZEND_CAST
354 && (opline->extended_value == IS_ARRAY || opline->extended_value == IS_OBJECT)) {
355 /* CAST to array/object may initialize the result to an empty array/object before
356 * reading the expression. */
357 return opline->op1_type != IS_CV || opline->op1.var != cv_var;
358 }
359
360 if ((opline->opcode == ZEND_ASSIGN_OP
361 || opline->opcode == ZEND_ASSIGN_OBJ
362 || opline->opcode == ZEND_ASSIGN_DIM)
363 && opline->op1_type == IS_CV
364 && opline->op1.var == cv_var
365 && zend_may_throw(opline, &ssa->ops[ssa->vars[src_var].definition], op_array, ssa)) {
366 return 0;
367 }
368
369 return 1;
370 }
371
variable_defined_or_used_in_range(zend_ssa * ssa,int var,int start,int end)372 static bool variable_defined_or_used_in_range(zend_ssa *ssa, int var, int start, int end)
373 {
374 while (start < end) {
375 const zend_ssa_op *ssa_op = &ssa->ops[start];
376 if ((ssa_op->op1_def >= 0 && ssa->vars[ssa_op->op1_def].var == var) ||
377 (ssa_op->op2_def >= 0 && ssa->vars[ssa_op->op2_def].var == var) ||
378 (ssa_op->result_def >= 0 && ssa->vars[ssa_op->result_def].var == var) ||
379 (ssa_op->op1_use >= 0 && ssa->vars[ssa_op->op1_use].var == var) ||
380 (ssa_op->op2_use >= 0 && ssa->vars[ssa_op->op2_use].var == var) ||
381 (ssa_op->result_use >= 0 && ssa->vars[ssa_op->result_use].var == var)
382 ) {
383 return 1;
384 }
385 start++;
386 }
387 return 0;
388 }
389
zend_dfa_optimize_calls(zend_op_array * op_array,zend_ssa * ssa)390 int zend_dfa_optimize_calls(zend_op_array *op_array, zend_ssa *ssa)
391 {
392 zend_func_info *func_info = ZEND_FUNC_INFO(op_array);
393 int removed_ops = 0;
394
395 if (func_info->callee_info) {
396 zend_call_info *call_info = func_info->callee_info;
397
398 do {
399 if (call_info->caller_call_opline
400 && call_info->caller_call_opline->opcode == ZEND_DO_ICALL
401 && call_info->callee_func
402 && zend_string_equals_literal(call_info->callee_func->common.function_name, "in_array")
403 && (call_info->caller_init_opline->extended_value == 2
404 || (call_info->caller_init_opline->extended_value == 3
405 && (call_info->caller_call_opline - 1)->opcode == ZEND_SEND_VAL
406 && (call_info->caller_call_opline - 1)->op1_type == IS_CONST))) {
407
408 zend_op *send_array;
409 zend_op *send_needly;
410 zend_bool strict = 0;
411
412 if (call_info->caller_init_opline->extended_value == 2) {
413 send_array = call_info->caller_call_opline - 1;
414 send_needly = call_info->caller_call_opline - 2;
415 } else {
416 if (zend_is_true(CT_CONSTANT_EX(op_array, (call_info->caller_call_opline - 1)->op1.constant))) {
417 strict = 1;
418 }
419 send_array = call_info->caller_call_opline - 2;
420 send_needly = call_info->caller_call_opline - 3;
421 }
422
423 if (send_array->opcode == ZEND_SEND_VAL
424 && send_array->op1_type == IS_CONST
425 && Z_TYPE_P(CT_CONSTANT_EX(op_array, send_array->op1.constant)) == IS_ARRAY
426 && (send_needly->opcode == ZEND_SEND_VAL
427 || send_needly->opcode == ZEND_SEND_VAR)
428 ) {
429 int ok = 1;
430
431 HashTable *src = Z_ARRVAL_P(CT_CONSTANT_EX(op_array, send_array->op1.constant));
432 HashTable *dst;
433 zval *val, tmp;
434 zend_ulong idx;
435
436 ZVAL_TRUE(&tmp);
437 dst = zend_new_array(zend_hash_num_elements(src));
438 if (strict) {
439 ZEND_HASH_FOREACH_VAL(src, val) {
440 if (Z_TYPE_P(val) == IS_STRING) {
441 zend_hash_add(dst, Z_STR_P(val), &tmp);
442 } else if (Z_TYPE_P(val) == IS_LONG) {
443 zend_hash_index_add(dst, Z_LVAL_P(val), &tmp);
444 } else {
445 zend_array_destroy(dst);
446 ok = 0;
447 break;
448 }
449 } ZEND_HASH_FOREACH_END();
450 } else {
451 ZEND_HASH_FOREACH_VAL(src, val) {
452 if (Z_TYPE_P(val) != IS_STRING || ZEND_HANDLE_NUMERIC(Z_STR_P(val), idx)) {
453 zend_array_destroy(dst);
454 ok = 0;
455 break;
456 }
457 zend_hash_add(dst, Z_STR_P(val), &tmp);
458 } ZEND_HASH_FOREACH_END();
459 }
460
461 if (ok) {
462 uint32_t op_num = send_needly - op_array->opcodes;
463 zend_ssa_op *ssa_op = ssa->ops + op_num;
464
465 if (ssa_op->op1_use >= 0) {
466 /* Reconstruct SSA */
467 int var_num = ssa_op->op1_use;
468 zend_ssa_var *var = ssa->vars + var_num;
469
470 ZEND_ASSERT(ssa_op->op1_def < 0);
471 zend_ssa_unlink_use_chain(ssa, op_num, ssa_op->op1_use);
472 ssa_op->op1_use = -1;
473 ssa_op->op1_use_chain = -1;
474 op_num = call_info->caller_call_opline - op_array->opcodes;
475 ssa_op = ssa->ops + op_num;
476 ssa_op->op1_use = var_num;
477 ssa_op->op1_use_chain = var->use_chain;
478 var->use_chain = op_num;
479 }
480
481 ZVAL_ARR(&tmp, dst);
482
483 /* Update opcode */
484 call_info->caller_call_opline->opcode = ZEND_IN_ARRAY;
485 call_info->caller_call_opline->extended_value = strict;
486 call_info->caller_call_opline->op1_type = send_needly->op1_type;
487 call_info->caller_call_opline->op1.num = send_needly->op1.num;
488 call_info->caller_call_opline->op2_type = IS_CONST;
489 call_info->caller_call_opline->op2.constant = zend_optimizer_add_literal(op_array, &tmp);
490 if (call_info->caller_init_opline->extended_value == 3) {
491 MAKE_NOP(call_info->caller_call_opline - 1);
492 }
493 MAKE_NOP(call_info->caller_init_opline);
494 MAKE_NOP(send_needly);
495 MAKE_NOP(send_array);
496 removed_ops++;
497
498 op_num = call_info->caller_call_opline - op_array->opcodes;
499 ssa_op = ssa->ops + op_num;
500 if (ssa_op->result_def >= 0) {
501 int var = ssa_op->result_def;
502 int use = ssa->vars[var].use_chain;
503
504 /* If the result is used only in a JMPZ/JMPNZ, replace result type with
505 * IS_TMP_VAR, which will enable use of smart branches. Don't do this
506 * in other cases, as not all opcodes support both VAR and TMP. */
507 if (ssa->vars[var].phi_use_chain == NULL
508 && ssa->ops[use].op1_use == var
509 && ssa->ops[use].op1_use_chain == -1
510 && (op_array->opcodes[use].opcode == ZEND_JMPZ
511 || op_array->opcodes[use].opcode == ZEND_JMPNZ)) {
512 call_info->caller_call_opline->result_type = IS_TMP_VAR;
513 op_array->opcodes[use].op1_type = IS_TMP_VAR;
514 }
515 }
516 }
517 }
518 }
519 call_info = call_info->next_callee;
520 } while (call_info);
521 }
522
523 return removed_ops;
524 }
525
take_successor_0(zend_ssa * ssa,int block_num,zend_basic_block * block)526 static zend_always_inline void take_successor_0(zend_ssa *ssa, int block_num, zend_basic_block *block)
527 {
528 if (block->successors_count == 2) {
529 if (block->successors[1] != block->successors[0]) {
530 zend_ssa_remove_predecessor(ssa, block_num, block->successors[1]);
531 }
532 block->successors_count = 1;
533 }
534 }
535
take_successor_1(zend_ssa * ssa,int block_num,zend_basic_block * block)536 static zend_always_inline void take_successor_1(zend_ssa *ssa, int block_num, zend_basic_block *block)
537 {
538 if (block->successors_count == 2) {
539 if (block->successors[1] != block->successors[0]) {
540 zend_ssa_remove_predecessor(ssa, block_num, block->successors[0]);
541 block->successors[0] = block->successors[1];
542 }
543 block->successors_count = 1;
544 }
545 }
546
take_successor_ex(zend_ssa * ssa,int block_num,zend_basic_block * block,int target_block)547 static zend_always_inline void take_successor_ex(zend_ssa *ssa, int block_num, zend_basic_block *block, int target_block)
548 {
549 int i;
550
551 for (i = 0; i < block->successors_count; i++) {
552 if (block->successors[i] != target_block) {
553 zend_ssa_remove_predecessor(ssa, block_num, block->successors[i]);
554 }
555 }
556 block->successors[0] = target_block;
557 block->successors_count = 1;
558 }
559
compress_block(zend_op_array * op_array,zend_basic_block * block)560 static void compress_block(zend_op_array *op_array, zend_basic_block *block)
561 {
562 while (block->len > 0) {
563 zend_op *opline = &op_array->opcodes[block->start + block->len - 1];
564
565 if (opline->opcode == ZEND_NOP) {
566 block->len--;
567 } else {
568 break;
569 }
570 }
571 }
572
replace_predecessor(zend_ssa * ssa,int block_id,int old_pred,int new_pred)573 static void replace_predecessor(zend_ssa *ssa, int block_id, int old_pred, int new_pred) {
574 zend_basic_block *block = &ssa->cfg.blocks[block_id];
575 int *predecessors = &ssa->cfg.predecessors[block->predecessor_offset];
576 zend_ssa_phi *phi;
577
578 int i;
579 int old_pred_idx = -1;
580 int new_pred_idx = -1;
581 for (i = 0; i < block->predecessors_count; i++) {
582 if (predecessors[i] == old_pred) {
583 old_pred_idx = i;
584 }
585 if (predecessors[i] == new_pred) {
586 new_pred_idx = i;
587 }
588 }
589
590 ZEND_ASSERT(old_pred_idx != -1);
591 if (new_pred_idx == -1) {
592 /* If the new predecessor doesn't exist yet, simply rewire the old one */
593 predecessors[old_pred_idx] = new_pred;
594 } else {
595 /* Otherwise, rewiring the old predecessor would make the new predecessor appear
596 * twice, which violates our CFG invariants. Remove the old predecessor instead. */
597 memmove(
598 predecessors + old_pred_idx,
599 predecessors + old_pred_idx + 1,
600 sizeof(int) * (block->predecessors_count - old_pred_idx - 1)
601 );
602
603 /* Also remove the corresponding phi node entries */
604 for (phi = ssa->blocks[block_id].phis; phi; phi = phi->next) {
605 if (phi->pi >= 0) {
606 if (phi->pi == old_pred || phi->pi == new_pred) {
607 zend_ssa_rename_var_uses(
608 ssa, phi->ssa_var, phi->sources[0], /* update_types */ 0);
609 zend_ssa_remove_phi(ssa, phi);
610 }
611 } else {
612 memmove(
613 phi->sources + old_pred_idx,
614 phi->sources + old_pred_idx + 1,
615 sizeof(int) * (block->predecessors_count - old_pred_idx - 1)
616 );
617 }
618 }
619
620 block->predecessors_count--;
621 }
622 }
623
zend_ssa_replace_control_link(zend_op_array * op_array,zend_ssa * ssa,int from,int to,int new_to)624 static void zend_ssa_replace_control_link(zend_op_array *op_array, zend_ssa *ssa, int from, int to, int new_to)
625 {
626 zend_basic_block *src = &ssa->cfg.blocks[from];
627 zend_basic_block *old = &ssa->cfg.blocks[to];
628 zend_basic_block *dst = &ssa->cfg.blocks[new_to];
629 int i;
630 zend_op *opline;
631
632 for (i = 0; i < src->successors_count; i++) {
633 if (src->successors[i] == to) {
634 src->successors[i] = new_to;
635 }
636 }
637
638 if (src->len > 0) {
639 opline = op_array->opcodes + src->start + src->len - 1;
640 switch (opline->opcode) {
641 case ZEND_JMP:
642 case ZEND_FAST_CALL:
643 ZEND_ASSERT(ZEND_OP1_JMP_ADDR(opline) == op_array->opcodes + old->start);
644 ZEND_SET_OP_JMP_ADDR(opline, opline->op1, op_array->opcodes + dst->start);
645 break;
646 case ZEND_JMPZNZ:
647 if (ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, opline->extended_value) == old->start) {
648 opline->extended_value = ZEND_OPLINE_NUM_TO_OFFSET(op_array, opline, dst->start);
649 }
650 /* break missing intentionally */
651 case ZEND_JMPZ:
652 case ZEND_JMPNZ:
653 case ZEND_JMPZ_EX:
654 case ZEND_JMPNZ_EX:
655 case ZEND_FE_RESET_R:
656 case ZEND_FE_RESET_RW:
657 case ZEND_JMP_SET:
658 case ZEND_COALESCE:
659 case ZEND_ASSERT_CHECK:
660 case ZEND_JMP_NULL:
661 if (ZEND_OP2_JMP_ADDR(opline) == op_array->opcodes + old->start) {
662 ZEND_SET_OP_JMP_ADDR(opline, opline->op2, op_array->opcodes + dst->start);
663 }
664 break;
665 case ZEND_CATCH:
666 if (!(opline->extended_value & ZEND_LAST_CATCH)) {
667 if (ZEND_OP2_JMP_ADDR(opline) == op_array->opcodes + old->start) {
668 ZEND_SET_OP_JMP_ADDR(opline, opline->op2, op_array->opcodes + dst->start);
669 }
670 }
671 break;
672 case ZEND_FE_FETCH_R:
673 case ZEND_FE_FETCH_RW:
674 if (ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, opline->extended_value) == old->start) {
675 opline->extended_value = ZEND_OPLINE_NUM_TO_OFFSET(op_array, opline, dst->start);
676 }
677 break;
678 case ZEND_SWITCH_LONG:
679 case ZEND_SWITCH_STRING:
680 case ZEND_MATCH:
681 {
682 HashTable *jumptable = Z_ARRVAL(ZEND_OP2_LITERAL(opline));
683 zval *zv;
684 ZEND_HASH_FOREACH_VAL(jumptable, zv) {
685 if (ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, Z_LVAL_P(zv)) == old->start) {
686 Z_LVAL_P(zv) = ZEND_OPLINE_NUM_TO_OFFSET(op_array, opline, dst->start);
687 }
688 } ZEND_HASH_FOREACH_END();
689 if (ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, opline->extended_value) == old->start) {
690 opline->extended_value = ZEND_OPLINE_NUM_TO_OFFSET(op_array, opline, dst->start);
691 }
692 break;
693 }
694 }
695 }
696
697 replace_predecessor(ssa, new_to, to, from);
698 }
699
zend_ssa_unlink_block(zend_op_array * op_array,zend_ssa * ssa,zend_basic_block * block,int block_num)700 static void zend_ssa_unlink_block(zend_op_array *op_array, zend_ssa *ssa, zend_basic_block *block, int block_num)
701 {
702 if (block->predecessors_count == 1 && ssa->blocks[block_num].phis == NULL) {
703 int *predecessors, i;
704 zend_basic_block *fe_fetch_block = NULL;
705
706 ZEND_ASSERT(block->successors_count == 1);
707 predecessors = &ssa->cfg.predecessors[block->predecessor_offset];
708 if (block->predecessors_count == 1 && (block->flags & ZEND_BB_FOLLOW)) {
709 zend_basic_block *pred_block = &ssa->cfg.blocks[predecessors[0]];
710
711 if (pred_block->len > 0 && (pred_block->flags & ZEND_BB_REACHABLE)) {
712 if ((op_array->opcodes[pred_block->start + pred_block->len - 1].opcode == ZEND_FE_FETCH_R
713 || op_array->opcodes[pred_block->start + pred_block->len - 1].opcode == ZEND_FE_FETCH_RW)
714 && op_array->opcodes[pred_block->start + pred_block->len - 1].op2_type == IS_CV) {
715 fe_fetch_block = pred_block;
716 }
717 }
718 }
719 for (i = 0; i < block->predecessors_count; i++) {
720 zend_ssa_replace_control_link(op_array, ssa, predecessors[i], block_num, block->successors[0]);
721 }
722 zend_ssa_remove_block(op_array, ssa, block_num);
723 if (fe_fetch_block && fe_fetch_block->successors[0] == fe_fetch_block->successors[1]) {
724 /* The body of "foreach" loop was removed */
725 int ssa_var = ssa->ops[fe_fetch_block->start + fe_fetch_block->len - 1].op2_def;
726 if (ssa_var >= 0) {
727 zend_ssa_remove_uses_of_var(ssa, ssa_var);
728 }
729 }
730 }
731 }
732
zend_dfa_optimize_jmps(zend_op_array * op_array,zend_ssa * ssa)733 static int zend_dfa_optimize_jmps(zend_op_array *op_array, zend_ssa *ssa)
734 {
735 int removed_ops = 0;
736 int block_num = 0;
737
738 for (block_num = 1; block_num < ssa->cfg.blocks_count; block_num++) {
739 zend_basic_block *block = &ssa->cfg.blocks[block_num];
740
741 if (!(block->flags & ZEND_BB_REACHABLE)) {
742 continue;
743 }
744 compress_block(op_array, block);
745 if (block->len == 0) {
746 zend_ssa_unlink_block(op_array, ssa, block, block_num);
747 }
748 }
749
750 block_num = 0;
751 while (block_num < ssa->cfg.blocks_count
752 && !(ssa->cfg.blocks[block_num].flags & ZEND_BB_REACHABLE)) {
753 block_num++;
754 }
755 while (block_num < ssa->cfg.blocks_count) {
756 int next_block_num = block_num + 1;
757 zend_basic_block *block = &ssa->cfg.blocks[block_num];
758 uint32_t op_num;
759 zend_op *opline;
760 zend_ssa_op *ssa_op;
761 zend_bool can_follow = 1;
762
763 while (next_block_num < ssa->cfg.blocks_count
764 && !(ssa->cfg.blocks[next_block_num].flags & ZEND_BB_REACHABLE)) {
765 if (ssa->cfg.blocks[next_block_num].flags & ZEND_BB_UNREACHABLE_FREE) {
766 can_follow = 0;
767 }
768 next_block_num++;
769 }
770
771 if (block->len) {
772 op_num = block->start + block->len - 1;
773 opline = op_array->opcodes + op_num;
774 ssa_op = ssa->ops + op_num;
775
776 switch (opline->opcode) {
777 case ZEND_JMP:
778 optimize_jmp:
779 if (block->successors[0] == next_block_num && can_follow) {
780 MAKE_NOP(opline);
781 removed_ops++;
782 goto optimize_nop;
783 }
784 break;
785 case ZEND_JMPZ:
786 optimize_jmpz:
787 if (opline->op1_type == IS_CONST) {
788 if (zend_is_true(CT_CONSTANT_EX(op_array, opline->op1.constant))) {
789 MAKE_NOP(opline);
790 removed_ops++;
791 take_successor_1(ssa, block_num, block);
792 goto optimize_nop;
793 } else {
794 opline->opcode = ZEND_JMP;
795 COPY_NODE(opline->op1, opline->op2);
796 take_successor_0(ssa, block_num, block);
797 goto optimize_jmp;
798 }
799 } else {
800 if (block->successors[0] == next_block_num && can_follow) {
801 take_successor_0(ssa, block_num, block);
802 if (opline->op1_type == IS_CV && (OP1_INFO() & MAY_BE_UNDEF)) {
803 opline->opcode = ZEND_CHECK_VAR;
804 opline->op2.num = 0;
805 } else if (opline->op1_type == IS_CV || !(OP1_INFO() & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
806 zend_ssa_remove_instr(ssa, opline, ssa_op);
807 removed_ops++;
808 goto optimize_nop;
809 } else {
810 opline->opcode = ZEND_FREE;
811 opline->op2.num = 0;
812 }
813 }
814 }
815 break;
816 case ZEND_JMPNZ:
817 optimize_jmpnz:
818 if (opline->op1_type == IS_CONST) {
819 if (zend_is_true(CT_CONSTANT_EX(op_array, opline->op1.constant))) {
820 opline->opcode = ZEND_JMP;
821 COPY_NODE(opline->op1, opline->op2);
822 take_successor_0(ssa, block_num, block);
823 goto optimize_jmp;
824 } else {
825 MAKE_NOP(opline);
826 removed_ops++;
827 take_successor_1(ssa, block_num, block);
828 goto optimize_nop;
829 }
830 } else if (block->successors_count == 2) {
831 if (block->successors[0] == next_block_num && can_follow) {
832 take_successor_0(ssa, block_num, block);
833 if (opline->op1_type == IS_CV && (OP1_INFO() & MAY_BE_UNDEF)) {
834 opline->opcode = ZEND_CHECK_VAR;
835 opline->op2.num = 0;
836 } else if (opline->op1_type == IS_CV || !(OP1_INFO() & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
837 zend_ssa_remove_instr(ssa, opline, ssa_op);
838 removed_ops++;
839 goto optimize_nop;
840 } else {
841 opline->opcode = ZEND_FREE;
842 opline->op2.num = 0;
843 }
844 }
845 }
846 break;
847 case ZEND_JMPZNZ:
848 if (opline->op1_type == IS_CONST) {
849 if (zend_is_true(CT_CONSTANT_EX(op_array, opline->op1.constant))) {
850 zend_op *target_opline = ZEND_OFFSET_TO_OPLINE(opline, opline->extended_value);
851 ZEND_SET_OP_JMP_ADDR(opline, opline->op1, target_opline);
852 take_successor_1(ssa, block_num, block);
853 } else {
854 zend_op *target_opline = ZEND_OP2_JMP_ADDR(opline);
855 ZEND_SET_OP_JMP_ADDR(opline, opline->op1, target_opline);
856 take_successor_0(ssa, block_num, block);
857 }
858 opline->op1_type = IS_UNUSED;
859 opline->extended_value = 0;
860 opline->opcode = ZEND_JMP;
861 goto optimize_jmp;
862 } else if (block->successors_count == 2) {
863 if (block->successors[0] == block->successors[1]) {
864 take_successor_0(ssa, block_num, block);
865 if (block->successors[0] == next_block_num && can_follow) {
866 if (opline->op1_type == IS_CV && (OP1_INFO() & MAY_BE_UNDEF)) {
867 opline->opcode = ZEND_CHECK_VAR;
868 opline->op2.num = 0;
869 } else if (opline->op1_type == IS_CV || !(OP1_INFO() & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
870 zend_ssa_remove_instr(ssa, opline, ssa_op);
871 removed_ops++;
872 goto optimize_nop;
873 } else {
874 opline->opcode = ZEND_FREE;
875 opline->op2.num = 0;
876 }
877 } else if ((opline->op1_type == IS_CV && !(OP1_INFO() & MAY_BE_UNDEF)) || !(OP1_INFO() & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
878 ZEND_ASSERT(ssa_op->op1_use >= 0);
879 zend_ssa_unlink_use_chain(ssa, op_num, ssa_op->op1_use);
880 ssa_op->op1_use = -1;
881 ssa_op->op1_use_chain = -1;
882 opline->opcode = ZEND_JMP;
883 opline->op1_type = IS_UNUSED;
884 opline->op1.num = opline->op2.num;
885 goto optimize_jmp;
886 }
887 }
888 }
889 break;
890 case ZEND_JMPZ_EX:
891 if (ssa->vars[ssa_op->result_def].use_chain < 0
892 && ssa->vars[ssa_op->result_def].phi_use_chain == NULL) {
893 opline->opcode = ZEND_JMPZ;
894 opline->result_type = IS_UNUSED;
895 zend_ssa_remove_result_def(ssa, ssa_op);
896 goto optimize_jmpz;
897 } else if (opline->op1_type == IS_CONST) {
898 if (zend_is_true(CT_CONSTANT_EX(op_array, opline->op1.constant))) {
899 opline->opcode = ZEND_QM_ASSIGN;
900 take_successor_1(ssa, block_num, block);
901 }
902 }
903 break;
904 case ZEND_JMPNZ_EX:
905 if (ssa->vars[ssa_op->result_def].use_chain < 0
906 && ssa->vars[ssa_op->result_def].phi_use_chain == NULL) {
907 opline->opcode = ZEND_JMPNZ;
908 opline->result_type = IS_UNUSED;
909 zend_ssa_remove_result_def(ssa, ssa_op);
910 goto optimize_jmpnz;
911 } else if (opline->op1_type == IS_CONST) {
912 if (!zend_is_true(CT_CONSTANT_EX(op_array, opline->op1.constant))) {
913 opline->opcode = ZEND_QM_ASSIGN;
914 take_successor_1(ssa, block_num, block);
915 }
916 }
917 break;
918 case ZEND_JMP_SET:
919 if (ssa->vars[ssa_op->result_def].use_chain < 0
920 && ssa->vars[ssa_op->result_def].phi_use_chain == NULL) {
921 opline->opcode = ZEND_JMPNZ;
922 opline->result_type = IS_UNUSED;
923 zend_ssa_remove_result_def(ssa, ssa_op);
924 goto optimize_jmpnz;
925 } else if (opline->op1_type == IS_CONST) {
926 if (!zend_is_true(CT_CONSTANT_EX(op_array, opline->op1.constant))) {
927 MAKE_NOP(opline);
928 removed_ops++;
929 take_successor_1(ssa, block_num, block);
930 zend_ssa_remove_result_def(ssa, ssa_op);
931 goto optimize_nop;
932 }
933 }
934 break;
935 case ZEND_COALESCE:
936 {
937 zend_ssa_var *var = &ssa->vars[ssa_op->result_def];
938 if (opline->op1_type == IS_CONST
939 && var->use_chain < 0 && var->phi_use_chain == NULL) {
940 if (Z_TYPE_P(CT_CONSTANT_EX(op_array, opline->op1.constant)) == IS_NULL) {
941 zend_ssa_remove_result_def(ssa, ssa_op);
942 MAKE_NOP(opline);
943 removed_ops++;
944 take_successor_1(ssa, block_num, block);
945 goto optimize_nop;
946 } else {
947 opline->opcode = ZEND_JMP;
948 opline->result_type = IS_UNUSED;
949 zend_ssa_remove_result_def(ssa, ssa_op);
950 COPY_NODE(opline->op1, opline->op2);
951 take_successor_0(ssa, block_num, block);
952 goto optimize_jmp;
953 }
954 }
955 break;
956 }
957 case ZEND_JMP_NULL:
958 {
959 zend_ssa_var *var = &ssa->vars[ssa_op->result_def];
960 if (opline->op1_type == IS_CONST
961 && var->use_chain < 0 && var->phi_use_chain == NULL) {
962 if (Z_TYPE_P(CT_CONSTANT_EX(op_array, opline->op1.constant)) == IS_NULL) {
963 opline->opcode = ZEND_JMP;
964 opline->result_type = IS_UNUSED;
965 zend_ssa_remove_result_def(ssa, ssa_op);
966 COPY_NODE(opline->op1, opline->op2);
967 take_successor_0(ssa, block_num, block);
968 goto optimize_jmp;
969 } else {
970 zend_ssa_remove_result_def(ssa, ssa_op);
971 MAKE_NOP(opline);
972 removed_ops++;
973 take_successor_1(ssa, block_num, block);
974 goto optimize_nop;
975 }
976 }
977 break;
978 }
979 case ZEND_SWITCH_LONG:
980 case ZEND_SWITCH_STRING:
981 case ZEND_MATCH:
982 if (opline->op1_type == IS_CONST) {
983 zval *zv = CT_CONSTANT_EX(op_array, opline->op1.constant);
984 zend_uchar type = Z_TYPE_P(zv);
985 zend_bool correct_type =
986 (opline->opcode == ZEND_SWITCH_LONG && type == IS_LONG)
987 || (opline->opcode == ZEND_SWITCH_STRING && type == IS_STRING)
988 || (opline->opcode == ZEND_MATCH && (type == IS_LONG || type == IS_STRING));
989
990 if (!correct_type) {
991 removed_ops++;
992 MAKE_NOP(opline);
993 opline->extended_value = 0;
994 take_successor_ex(ssa, block_num, block, block->successors[block->successors_count - 1]);
995 goto optimize_nop;
996 } else {
997 HashTable *jmptable = Z_ARRVAL_P(CT_CONSTANT_EX(op_array, opline->op2.constant));
998 zval *jmp_zv = type == IS_LONG
999 ? zend_hash_index_find(jmptable, Z_LVAL_P(zv))
1000 : zend_hash_find(jmptable, Z_STR_P(zv));
1001
1002 uint32_t target;
1003 if (jmp_zv) {
1004 target = ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, Z_LVAL_P(jmp_zv));
1005 } else {
1006 target = ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, opline->extended_value);
1007 }
1008 opline->opcode = ZEND_JMP;
1009 opline->extended_value = 0;
1010 SET_UNUSED(opline->op1);
1011 ZEND_SET_OP_JMP_ADDR(opline, opline->op1, op_array->opcodes + target);
1012 SET_UNUSED(opline->op2);
1013 take_successor_ex(ssa, block_num, block, ssa->cfg.map[target]);
1014 goto optimize_jmp;
1015 }
1016 }
1017 break;
1018 case ZEND_NOP:
1019 optimize_nop:
1020 compress_block(op_array, block);
1021 if (block->len == 0) {
1022 if (block_num > 0) {
1023 zend_ssa_unlink_block(op_array, ssa, block, block_num);
1024 /* backtrack to previous basic block */
1025 do {
1026 block_num--;
1027 } while (block_num >= 0
1028 && !(ssa->cfg.blocks[block_num].flags & ZEND_BB_REACHABLE));
1029 if (block_num >= 0) {
1030 continue;
1031 }
1032 }
1033 }
1034 break;
1035 default:
1036 break;
1037 }
1038 }
1039
1040 block_num = next_block_num;
1041 }
1042
1043 return removed_ops;
1044 }
1045
zend_dfa_try_to_replace_result(zend_op_array * op_array,zend_ssa * ssa,int def,int cv_var)1046 static int zend_dfa_try_to_replace_result(zend_op_array *op_array, zend_ssa *ssa, int def, int cv_var)
1047 {
1048 int result_var = ssa->ops[def].result_def;
1049 int cv = EX_NUM_TO_VAR(ssa->vars[cv_var].var);
1050
1051 if (result_var >= 0
1052 && !(ssa->var_info[cv_var].type & MAY_BE_REF)
1053 && ssa->vars[cv_var].alias == NO_ALIAS
1054 && ssa->vars[result_var].phi_use_chain == NULL
1055 && ssa->vars[result_var].sym_use_chain == NULL) {
1056 int use = ssa->vars[result_var].use_chain;
1057
1058 if (use >= 0
1059 && zend_ssa_next_use(ssa->ops, result_var, use) < 0
1060 && op_array->opcodes[use].opcode != ZEND_FREE
1061 && op_array->opcodes[use].opcode != ZEND_SEND_VAL
1062 && op_array->opcodes[use].opcode != ZEND_SEND_VAL_EX
1063 && op_array->opcodes[use].opcode != ZEND_VERIFY_RETURN_TYPE
1064 && op_array->opcodes[use].opcode != ZEND_YIELD) {
1065 if (use > def) {
1066 int i = use;
1067 const zend_op *opline = &op_array->opcodes[use];
1068
1069 while (i > def) {
1070 if ((opline->op1_type == IS_CV && opline->op1.var == cv)
1071 || (opline->op2_type == IS_CV && opline->op2.var == cv)
1072 || (opline->result_type == IS_CV && opline->result.var == cv)) {
1073 return 0;
1074 }
1075 opline--;
1076 i--;
1077 }
1078
1079 /* Update opcodes and reconstruct SSA */
1080 ssa->vars[result_var].definition = -1;
1081 ssa->vars[result_var].use_chain = -1;
1082 ssa->ops[def].result_def = -1;
1083
1084 op_array->opcodes[def].result_type = IS_UNUSED;
1085 op_array->opcodes[def].result.var = 0;
1086
1087 if (ssa->ops[use].op1_use == result_var) {
1088 ssa->ops[use].op1_use = cv_var;
1089 ssa->ops[use].op1_use_chain = ssa->vars[cv_var].use_chain;
1090 ssa->vars[cv_var].use_chain = use;
1091
1092 op_array->opcodes[use].op1_type = IS_CV;
1093 op_array->opcodes[use].op1.var = cv;
1094 } else if (ssa->ops[use].op2_use == result_var) {
1095 ssa->ops[use].op2_use = cv_var;
1096 ssa->ops[use].op2_use_chain = ssa->vars[cv_var].use_chain;
1097 ssa->vars[cv_var].use_chain = use;
1098
1099 op_array->opcodes[use].op2_type = IS_CV;
1100 op_array->opcodes[use].op2.var = cv;
1101 } else if (ssa->ops[use].result_use == result_var) {
1102 ssa->ops[use].result_use = cv_var;
1103 ssa->ops[use].res_use_chain = ssa->vars[cv_var].use_chain;
1104 ssa->vars[cv_var].use_chain = use;
1105
1106 op_array->opcodes[use].result_type = IS_CV;
1107 op_array->opcodes[use].result.var = cv;
1108 }
1109
1110 return 1;
1111 }
1112 }
1113 }
1114
1115 return 0;
1116 }
1117
zend_dfa_optimize_op_array(zend_op_array * op_array,zend_optimizer_ctx * ctx,zend_ssa * ssa,zend_call_info ** call_map)1118 void zend_dfa_optimize_op_array(zend_op_array *op_array, zend_optimizer_ctx *ctx, zend_ssa *ssa, zend_call_info **call_map)
1119 {
1120 if (ctx->debug_level & ZEND_DUMP_BEFORE_DFA_PASS) {
1121 zend_dump_op_array(op_array, ZEND_DUMP_SSA, "before dfa pass", ssa);
1122 }
1123
1124 if (ssa->var_info) {
1125 int op_1;
1126 int v;
1127 int remove_nops = 0;
1128 zend_op *opline;
1129 zend_ssa_op *ssa_op;
1130 zval tmp;
1131
1132 #if ZEND_DEBUG_DFA
1133 ssa_verify_integrity(op_array, ssa, "before dfa");
1134 #endif
1135
1136 if (ZEND_OPTIMIZER_PASS_8 & ctx->optimization_level) {
1137 if (sccp_optimize_op_array(ctx, op_array, ssa, call_map)) {
1138 remove_nops = 1;
1139 }
1140
1141 if (zend_dfa_optimize_jmps(op_array, ssa)) {
1142 remove_nops = 1;
1143 }
1144
1145 #if ZEND_DEBUG_DFA
1146 ssa_verify_integrity(op_array, ssa, "after sccp");
1147 #endif
1148 if (ZEND_FUNC_INFO(op_array)) {
1149 if (zend_dfa_optimize_calls(op_array, ssa)) {
1150 remove_nops = 1;
1151 }
1152 }
1153 if (ctx->debug_level & ZEND_DUMP_AFTER_PASS_8) {
1154 zend_dump_op_array(op_array, ZEND_DUMP_SSA, "after sccp pass", ssa);
1155 }
1156 #if ZEND_DEBUG_DFA
1157 ssa_verify_integrity(op_array, ssa, "after calls");
1158 #endif
1159 }
1160
1161 if (ZEND_OPTIMIZER_PASS_14 & ctx->optimization_level) {
1162 if (dce_optimize_op_array(op_array, ssa, 0)) {
1163 remove_nops = 1;
1164 }
1165 if (zend_dfa_optimize_jmps(op_array, ssa)) {
1166 remove_nops = 1;
1167 }
1168 if (ctx->debug_level & ZEND_DUMP_AFTER_PASS_14) {
1169 zend_dump_op_array(op_array, ZEND_DUMP_SSA, "after dce pass", ssa);
1170 }
1171 #if ZEND_DEBUG_DFA
1172 ssa_verify_integrity(op_array, ssa, "after dce");
1173 #endif
1174 }
1175
1176 for (v = op_array->last_var; v < ssa->vars_count; v++) {
1177
1178 op_1 = ssa->vars[v].definition;
1179
1180 if (op_1 < 0) {
1181 continue;
1182 }
1183
1184 opline = op_array->opcodes + op_1;
1185 ssa_op = &ssa->ops[op_1];
1186
1187 /* Convert LONG constants to DOUBLE */
1188 if (ssa->var_info[v].use_as_double) {
1189 if (opline->opcode == ZEND_ASSIGN
1190 && opline->op2_type == IS_CONST
1191 && ssa->ops[op_1].op1_def == v
1192 && !RETURN_VALUE_USED(opline)
1193 ) {
1194
1195 // op_1: ASSIGN ? -> #v [use_as_double], long(?) => ASSIGN ? -> #v, double(?)
1196
1197 zval *zv = CT_CONSTANT_EX(op_array, opline->op2.constant);
1198 ZEND_ASSERT(Z_TYPE_INFO_P(zv) == IS_LONG);
1199 ZVAL_DOUBLE(&tmp, zval_get_double(zv));
1200 opline->op2.constant = zend_optimizer_add_literal(op_array, &tmp);
1201
1202 } else if (opline->opcode == ZEND_QM_ASSIGN
1203 && opline->op1_type == IS_CONST
1204 ) {
1205
1206 // op_1: QM_ASSIGN #v [use_as_double], long(?) => QM_ASSIGN #v, double(?)
1207
1208 zval *zv = CT_CONSTANT_EX(op_array, opline->op1.constant);
1209 ZEND_ASSERT(Z_TYPE_INFO_P(zv) == IS_LONG);
1210 ZVAL_DOUBLE(&tmp, zval_get_double(zv));
1211 opline->op1.constant = zend_optimizer_add_literal(op_array, &tmp);
1212 }
1213
1214 } else {
1215 if (opline->opcode == ZEND_ADD
1216 || opline->opcode == ZEND_SUB
1217 || opline->opcode == ZEND_MUL
1218 || opline->opcode == ZEND_IS_EQUAL
1219 || opline->opcode == ZEND_IS_NOT_EQUAL
1220 || opline->opcode == ZEND_IS_SMALLER
1221 || opline->opcode == ZEND_IS_SMALLER_OR_EQUAL
1222 ) {
1223
1224 if (opline->op1_type == IS_CONST && opline->op2_type != IS_CONST) {
1225 zval *zv = CT_CONSTANT_EX(op_array, opline->op1.constant);
1226
1227 if ((OP2_INFO() & MAY_BE_ANY) == MAY_BE_DOUBLE
1228 && Z_TYPE_INFO_P(zv) == IS_LONG) {
1229
1230 // op_1: #v.? = ADD long(?), #?.? [double] => #v.? = ADD double(?), #?.? [double]
1231
1232 ZVAL_DOUBLE(&tmp, zval_get_double(zv));
1233 opline->op1.constant = zend_optimizer_add_literal(op_array, &tmp);
1234 zv = CT_CONSTANT_EX(op_array, opline->op1.constant);
1235 }
1236 if (opline->opcode == ZEND_ADD) {
1237 zv = CT_CONSTANT_EX(op_array, opline->op1.constant);
1238
1239 if (((OP2_INFO() & (MAY_BE_ANY|MAY_BE_UNDEF)) == MAY_BE_LONG
1240 && Z_TYPE_INFO_P(zv) == IS_LONG
1241 && Z_LVAL_P(zv) == 0)
1242 || ((OP2_INFO() & (MAY_BE_ANY|MAY_BE_UNDEF)) == MAY_BE_DOUBLE
1243 && Z_TYPE_INFO_P(zv) == IS_DOUBLE
1244 && Z_DVAL_P(zv) == 0.0)) {
1245
1246 // op_1: #v.? = ADD 0, #?.? [double,long] => #v.? = QM_ASSIGN #?.?
1247
1248 opline->opcode = ZEND_QM_ASSIGN;
1249 opline->op1_type = opline->op2_type;
1250 opline->op1.var = opline->op2.var;
1251 opline->op2_type = IS_UNUSED;
1252 opline->op2.num = 0;
1253 ssa->ops[op_1].op1_use = ssa->ops[op_1].op2_use;
1254 ssa->ops[op_1].op1_use_chain = ssa->ops[op_1].op2_use_chain;
1255 ssa->ops[op_1].op2_use = -1;
1256 ssa->ops[op_1].op2_use_chain = -1;
1257 }
1258 }
1259 } else if (opline->op1_type != IS_CONST && opline->op2_type == IS_CONST) {
1260 zval *zv = CT_CONSTANT_EX(op_array, opline->op2.constant);
1261
1262 if ((OP1_INFO() & MAY_BE_ANY) == MAY_BE_DOUBLE
1263 && Z_TYPE_INFO_P(CT_CONSTANT_EX(op_array, opline->op2.constant)) == IS_LONG) {
1264
1265 // op_1: #v.? = ADD #?.? [double], long(?) => #v.? = ADD #?.? [double], double(?)
1266
1267 ZVAL_DOUBLE(&tmp, zval_get_double(zv));
1268 opline->op2.constant = zend_optimizer_add_literal(op_array, &tmp);
1269 zv = CT_CONSTANT_EX(op_array, opline->op2.constant);
1270 }
1271 if (opline->opcode == ZEND_ADD || opline->opcode == ZEND_SUB) {
1272 if (((OP1_INFO() & (MAY_BE_ANY|MAY_BE_UNDEF)) == MAY_BE_LONG
1273 && Z_TYPE_INFO_P(zv) == IS_LONG
1274 && Z_LVAL_P(zv) == 0)
1275 || ((OP1_INFO() & (MAY_BE_ANY|MAY_BE_UNDEF)) == MAY_BE_DOUBLE
1276 && Z_TYPE_INFO_P(zv) == IS_DOUBLE
1277 && Z_DVAL_P(zv) == 0.0)) {
1278
1279 // op_1: #v.? = ADD #?.? [double,long], 0 => #v.? = QM_ASSIGN #?.?
1280
1281 opline->opcode = ZEND_QM_ASSIGN;
1282 opline->op2_type = IS_UNUSED;
1283 opline->op2.num = 0;
1284 }
1285 }
1286 }
1287 } else if (opline->opcode == ZEND_CONCAT) {
1288 if (!(OP1_INFO() & MAY_BE_OBJECT)
1289 && !(OP2_INFO() & MAY_BE_OBJECT)) {
1290 opline->opcode = ZEND_FAST_CONCAT;
1291 }
1292 } else if (opline->opcode == ZEND_VERIFY_RETURN_TYPE
1293 && opline->op1_type != IS_CONST
1294 && ssa->ops[op_1].op1_def == v
1295 && ssa->ops[op_1].op1_use >= 0
1296 && ssa->ops[op_1].op1_use_chain == -1
1297 && ssa->vars[v].use_chain >= 0
1298 && can_elide_return_type_check(op_array, ssa, &ssa->ops[op_1])) {
1299
1300 // op_1: VERIFY_RETURN_TYPE #orig_var.? [T] -> #v.? [T] => NOP
1301
1302 int orig_var = ssa->ops[op_1].op1_use;
1303 if (zend_ssa_unlink_use_chain(ssa, op_1, orig_var)) {
1304
1305 int ret = ssa->vars[v].use_chain;
1306
1307 ssa->ops[ret].op1_use = orig_var;
1308 ssa->ops[ret].op1_use_chain = ssa->vars[orig_var].use_chain;
1309 ssa->vars[orig_var].use_chain = ret;
1310
1311 ssa->vars[v].definition = -1;
1312 ssa->vars[v].use_chain = -1;
1313
1314 ssa->ops[op_1].op1_def = -1;
1315 ssa->ops[op_1].op1_use = -1;
1316
1317 MAKE_NOP(opline);
1318 remove_nops = 1;
1319 }
1320 }
1321 }
1322
1323 if (opline->opcode == ZEND_QM_ASSIGN
1324 && ssa->ops[op_1].result_def == v
1325 && opline->op1_type & (IS_TMP_VAR|IS_VAR)
1326 && !(ssa->var_info[v].type & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))
1327 ) {
1328
1329 int src_var = ssa->ops[op_1].op1_use;
1330
1331 if (src_var >= 0
1332 && !(ssa->var_info[src_var].type & MAY_BE_REF)
1333 && ssa->vars[src_var].definition >= 0
1334 && ssa->ops[ssa->vars[src_var].definition].result_def == src_var
1335 && ssa->ops[ssa->vars[src_var].definition].result_use < 0
1336 && ssa->vars[src_var].use_chain == op_1
1337 && ssa->ops[op_1].op1_use_chain < 0
1338 && !ssa->vars[src_var].phi_use_chain
1339 && !ssa->vars[src_var].sym_use_chain
1340 && opline_supports_assign_contraction(
1341 op_array, ssa, &op_array->opcodes[ssa->vars[src_var].definition],
1342 src_var, opline->result.var)
1343 && !variable_defined_or_used_in_range(ssa, EX_VAR_TO_NUM(opline->result.var),
1344 ssa->vars[src_var].definition+1, op_1)
1345 ) {
1346
1347 int orig_var = ssa->ops[op_1].result_use;
1348 int op_2 = ssa->vars[src_var].definition;
1349
1350 // op_2: #src_var.T = OP ... => #v.CV = OP ...
1351 // op_1: QM_ASSIGN #src_var.T #orig_var.CV [undef,scalar] -> #v.CV, NOP
1352
1353 if (orig_var < 0 || zend_ssa_unlink_use_chain(ssa, op_1, orig_var)) {
1354 /* Reconstruct SSA */
1355 ssa->vars[v].definition = op_2;
1356 ssa->ops[op_2].result_def = v;
1357
1358 ssa->vars[src_var].definition = -1;
1359 ssa->vars[src_var].use_chain = -1;
1360
1361 ssa->ops[op_1].op1_use = -1;
1362 ssa->ops[op_1].op1_def = -1;
1363 ssa->ops[op_1].op1_use_chain = -1;
1364 ssa->ops[op_1].result_use = -1;
1365 ssa->ops[op_1].result_def = -1;
1366 ssa->ops[op_1].res_use_chain = -1;
1367
1368 /* Update opcodes */
1369 op_array->opcodes[op_2].result_type = opline->result_type;
1370 op_array->opcodes[op_2].result.var = opline->result.var;
1371
1372 MAKE_NOP(opline);
1373 remove_nops = 1;
1374
1375 if (op_array->opcodes[op_2].opcode == ZEND_SUB
1376 && op_array->opcodes[op_2].op1_type == op_array->opcodes[op_2].result_type
1377 && op_array->opcodes[op_2].op1.var == op_array->opcodes[op_2].result.var
1378 && op_array->opcodes[op_2].op2_type == IS_CONST
1379 && Z_TYPE_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == IS_LONG
1380 && Z_LVAL_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == 1
1381 && ssa->ops[op_2].op1_use >= 0
1382 && !(ssa->var_info[ssa->ops[op_2].op1_use].type & (MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1383
1384 op_array->opcodes[op_2].opcode = ZEND_PRE_DEC;
1385 SET_UNUSED(op_array->opcodes[op_2].op2);
1386 SET_UNUSED(op_array->opcodes[op_2].result);
1387
1388 ssa->ops[op_2].result_def = -1;
1389 ssa->ops[op_2].op1_def = v;
1390
1391 } else if (op_array->opcodes[op_2].opcode == ZEND_ADD
1392 && op_array->opcodes[op_2].op1_type == op_array->opcodes[op_2].result_type
1393 && op_array->opcodes[op_2].op1.var == op_array->opcodes[op_2].result.var
1394 && op_array->opcodes[op_2].op2_type == IS_CONST
1395 && Z_TYPE_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == IS_LONG
1396 && Z_LVAL_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == 1
1397 && ssa->ops[op_2].op1_use >= 0
1398 && !(ssa->var_info[ssa->ops[op_2].op1_use].type & (MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1399
1400 op_array->opcodes[op_2].opcode = ZEND_PRE_INC;
1401 SET_UNUSED(op_array->opcodes[op_2].op2);
1402 SET_UNUSED(op_array->opcodes[op_2].result);
1403
1404 ssa->ops[op_2].result_def = -1;
1405 ssa->ops[op_2].op1_def = v;
1406
1407 } else if (op_array->opcodes[op_2].opcode == ZEND_ADD
1408 && op_array->opcodes[op_2].op2_type == op_array->opcodes[op_2].result_type
1409 && op_array->opcodes[op_2].op2.var == op_array->opcodes[op_2].result.var
1410 && op_array->opcodes[op_2].op1_type == IS_CONST
1411 && Z_TYPE_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op1.constant)) == IS_LONG
1412 && Z_LVAL_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op1.constant)) == 1
1413 && ssa->ops[op_2].op2_use >= 0
1414 && !(ssa->var_info[ssa->ops[op_2].op2_use].type & (MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1415
1416 op_array->opcodes[op_2].opcode = ZEND_PRE_INC;
1417 op_array->opcodes[op_2].op1_type = op_array->opcodes[op_2].op2_type;
1418 op_array->opcodes[op_2].op1.var = op_array->opcodes[op_2].op2.var;
1419 SET_UNUSED(op_array->opcodes[op_2].op2);
1420 SET_UNUSED(op_array->opcodes[op_2].result);
1421
1422 ssa->ops[op_2].result_def = -1;
1423 ssa->ops[op_2].op1_def = v;
1424 ssa->ops[op_2].op1_use = ssa->ops[op_2].op2_use;
1425 ssa->ops[op_2].op1_use_chain = ssa->ops[op_2].op2_use_chain;
1426 ssa->ops[op_2].op2_use = -1;
1427 ssa->ops[op_2].op2_use_chain = -1;
1428 }
1429 }
1430 }
1431 }
1432
1433 if (ssa->vars[v].var >= op_array->last_var) {
1434 /* skip TMP and VAR */
1435 continue;
1436 }
1437
1438 if (ssa->ops[op_1].op1_def == v
1439 && RETURN_VALUE_USED(opline)) {
1440 if (opline->opcode == ZEND_ASSIGN
1441 || opline->opcode == ZEND_ASSIGN_OP
1442 || opline->opcode == ZEND_PRE_INC
1443 || opline->opcode == ZEND_PRE_DEC) {
1444 zend_dfa_try_to_replace_result(op_array, ssa, op_1, v);
1445 } else if (opline->opcode == ZEND_POST_INC) {
1446 int result_var = ssa->ops[op_1].result_def;
1447
1448 if (result_var >= 0
1449 && (ssa->var_info[result_var].type & ((MAY_BE_ANY|MAY_BE_REF|MAY_BE_UNDEF) - (MAY_BE_LONG|MAY_BE_DOUBLE))) == 0) {
1450 int use = ssa->vars[result_var].use_chain;
1451
1452 if (use >= 0 && op_array->opcodes[use].opcode == ZEND_IS_SMALLER
1453 && ssa->ops[use].op1_use == result_var
1454 && zend_dfa_try_to_replace_result(op_array, ssa, op_1, v)) {
1455 opline->opcode = ZEND_PRE_INC;
1456 op_array->opcodes[use].opcode = ZEND_IS_SMALLER_OR_EQUAL;
1457 }
1458 }
1459 } else if (opline->opcode == ZEND_POST_DEC) {
1460 int result_var = ssa->ops[op_1].result_def;
1461
1462 if (result_var >= 0
1463 && (ssa->var_info[result_var].type & ((MAY_BE_ANY|MAY_BE_REF|MAY_BE_UNDEF) - (MAY_BE_LONG|MAY_BE_DOUBLE))) == 0) {
1464 int use = ssa->vars[result_var].use_chain;
1465
1466 if (use >= 0 && op_array->opcodes[use].opcode == ZEND_IS_SMALLER
1467 && ssa->ops[use].op2_use == result_var
1468 && zend_dfa_try_to_replace_result(op_array, ssa, op_1, v)) {
1469 opline->opcode = ZEND_PRE_DEC;
1470 op_array->opcodes[use].opcode = ZEND_IS_SMALLER_OR_EQUAL;
1471 }
1472 }
1473 }
1474 }
1475
1476 if (opline->opcode == ZEND_ASSIGN
1477 && ssa->ops[op_1].op1_def == v
1478 && !RETURN_VALUE_USED(opline)
1479 ) {
1480 int orig_var = ssa->ops[op_1].op1_use;
1481
1482 if (orig_var >= 0
1483 && !(ssa->var_info[orig_var].type & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))
1484 ) {
1485 int src_var = ssa->ops[op_1].op2_use;
1486
1487 if ((opline->op2_type & (IS_TMP_VAR|IS_VAR))
1488 && src_var >= 0
1489 && !(ssa->var_info[src_var].type & MAY_BE_REF)
1490 && ssa->vars[src_var].definition >= 0
1491 && ssa->ops[ssa->vars[src_var].definition].result_def == src_var
1492 && ssa->ops[ssa->vars[src_var].definition].result_use < 0
1493 && ssa->vars[src_var].use_chain == op_1
1494 && ssa->ops[op_1].op2_use_chain < 0
1495 && !ssa->vars[src_var].phi_use_chain
1496 && !ssa->vars[src_var].sym_use_chain
1497 && opline_supports_assign_contraction(
1498 op_array, ssa, &op_array->opcodes[ssa->vars[src_var].definition],
1499 src_var, opline->op1.var)
1500 && !variable_defined_or_used_in_range(ssa, EX_VAR_TO_NUM(opline->op1.var),
1501 ssa->vars[src_var].definition+1, op_1)
1502 ) {
1503
1504 int op_2 = ssa->vars[src_var].definition;
1505
1506 // op_2: #src_var.T = OP ... => #v.CV = OP ...
1507 // op_1: ASSIGN #orig_var.CV [undef,scalar] -> #v.CV, #src_var.T NOP
1508
1509 if (zend_ssa_unlink_use_chain(ssa, op_1, orig_var)) {
1510 /* Reconstruct SSA */
1511 ssa->vars[v].definition = op_2;
1512 ssa->ops[op_2].result_def = v;
1513
1514 ssa->vars[src_var].definition = -1;
1515 ssa->vars[src_var].use_chain = -1;
1516
1517 ssa->ops[op_1].op1_use = -1;
1518 ssa->ops[op_1].op2_use = -1;
1519 ssa->ops[op_1].op1_def = -1;
1520 ssa->ops[op_1].op1_use_chain = -1;
1521
1522 /* Update opcodes */
1523 op_array->opcodes[op_2].result_type = opline->op1_type;
1524 op_array->opcodes[op_2].result.var = opline->op1.var;
1525
1526 MAKE_NOP(opline);
1527 remove_nops = 1;
1528
1529 if (op_array->opcodes[op_2].opcode == ZEND_SUB
1530 && op_array->opcodes[op_2].op1_type == op_array->opcodes[op_2].result_type
1531 && op_array->opcodes[op_2].op1.var == op_array->opcodes[op_2].result.var
1532 && op_array->opcodes[op_2].op2_type == IS_CONST
1533 && Z_TYPE_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == IS_LONG
1534 && Z_LVAL_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == 1
1535 && ssa->ops[op_2].op1_use >= 0
1536 && !(ssa->var_info[ssa->ops[op_2].op1_use].type & (MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1537
1538 op_array->opcodes[op_2].opcode = ZEND_PRE_DEC;
1539 SET_UNUSED(op_array->opcodes[op_2].op2);
1540 SET_UNUSED(op_array->opcodes[op_2].result);
1541
1542 ssa->ops[op_2].result_def = -1;
1543 ssa->ops[op_2].op1_def = v;
1544
1545 } else if (op_array->opcodes[op_2].opcode == ZEND_ADD
1546 && op_array->opcodes[op_2].op1_type == op_array->opcodes[op_2].result_type
1547 && op_array->opcodes[op_2].op1.var == op_array->opcodes[op_2].result.var
1548 && op_array->opcodes[op_2].op2_type == IS_CONST
1549 && Z_TYPE_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == IS_LONG
1550 && Z_LVAL_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == 1
1551 && ssa->ops[op_2].op1_use >= 0
1552 && !(ssa->var_info[ssa->ops[op_2].op1_use].type & (MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1553
1554 op_array->opcodes[op_2].opcode = ZEND_PRE_INC;
1555 SET_UNUSED(op_array->opcodes[op_2].op2);
1556 SET_UNUSED(op_array->opcodes[op_2].result);
1557
1558 ssa->ops[op_2].result_def = -1;
1559 ssa->ops[op_2].op1_def = v;
1560
1561 } else if (op_array->opcodes[op_2].opcode == ZEND_ADD
1562 && op_array->opcodes[op_2].op2_type == op_array->opcodes[op_2].result_type
1563 && op_array->opcodes[op_2].op2.var == op_array->opcodes[op_2].result.var
1564 && op_array->opcodes[op_2].op1_type == IS_CONST
1565 && Z_TYPE_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op1.constant)) == IS_LONG
1566 && Z_LVAL_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op1.constant)) == 1
1567 && ssa->ops[op_2].op2_use >= 0
1568 && !(ssa->var_info[ssa->ops[op_2].op2_use].type & (MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1569
1570 op_array->opcodes[op_2].opcode = ZEND_PRE_INC;
1571 op_array->opcodes[op_2].op1_type = op_array->opcodes[op_2].op2_type;
1572 op_array->opcodes[op_2].op1.var = op_array->opcodes[op_2].op2.var;
1573 SET_UNUSED(op_array->opcodes[op_2].op2);
1574 SET_UNUSED(op_array->opcodes[op_2].result);
1575
1576 ssa->ops[op_2].result_def = -1;
1577 ssa->ops[op_2].op1_def = v;
1578 ssa->ops[op_2].op1_use = ssa->ops[op_2].op2_use;
1579 ssa->ops[op_2].op1_use_chain = ssa->ops[op_2].op2_use_chain;
1580 ssa->ops[op_2].op2_use = -1;
1581 ssa->ops[op_2].op2_use_chain = -1;
1582 }
1583 }
1584 } else if (opline->op2_type == IS_CONST
1585 || ((opline->op2_type & (IS_TMP_VAR|IS_VAR|IS_CV))
1586 && ssa->ops[op_1].op2_use >= 0
1587 && ssa->ops[op_1].op2_def < 0)
1588 ) {
1589
1590 // op_1: ASSIGN #orig_var.CV [undef,scalar] -> #v.CV, CONST|TMPVAR => QM_ASSIGN v.CV, CONST|TMPVAR
1591
1592 if (ssa->ops[op_1].op1_use != ssa->ops[op_1].op2_use) {
1593 zend_ssa_unlink_use_chain(ssa, op_1, orig_var);
1594 } else {
1595 ssa->ops[op_1].op2_use_chain = ssa->ops[op_1].op1_use_chain;
1596 }
1597
1598 /* Reconstruct SSA */
1599 ssa->ops[op_1].result_def = v;
1600 ssa->ops[op_1].op1_def = -1;
1601 ssa->ops[op_1].op1_use = ssa->ops[op_1].op2_use;
1602 ssa->ops[op_1].op1_use_chain = ssa->ops[op_1].op2_use_chain;
1603 ssa->ops[op_1].op2_use = -1;
1604 ssa->ops[op_1].op2_use_chain = -1;
1605
1606 /* Update opcode */
1607 opline->result_type = opline->op1_type;
1608 opline->result.var = opline->op1.var;
1609 opline->op1_type = opline->op2_type;
1610 opline->op1.var = opline->op2.var;
1611 opline->op2_type = IS_UNUSED;
1612 opline->op2.var = 0;
1613 opline->opcode = ZEND_QM_ASSIGN;
1614 }
1615 }
1616
1617 } else if (opline->opcode == ZEND_ASSIGN_OP
1618 && opline->extended_value == ZEND_ADD
1619 && ssa->ops[op_1].op1_def == v
1620 && opline->op2_type == IS_CONST
1621 && Z_TYPE_P(CT_CONSTANT_EX(op_array, opline->op2.constant)) == IS_LONG
1622 && Z_LVAL_P(CT_CONSTANT_EX(op_array, opline->op2.constant)) == 1
1623 && ssa->ops[op_1].op1_use >= 0
1624 && !(ssa->var_info[ssa->ops[op_1].op1_use].type & (MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1625
1626 // op_1: ASSIGN_ADD #?.CV [undef,null,int,foat] ->#v.CV, int(1) => PRE_INC #?.CV ->#v.CV
1627
1628 opline->opcode = ZEND_PRE_INC;
1629 opline->extended_value = 0;
1630 SET_UNUSED(opline->op2);
1631
1632 } else if (opline->opcode == ZEND_ASSIGN_OP
1633 && opline->extended_value == ZEND_SUB
1634 && ssa->ops[op_1].op1_def == v
1635 && opline->op2_type == IS_CONST
1636 && Z_TYPE_P(CT_CONSTANT_EX(op_array, opline->op2.constant)) == IS_LONG
1637 && Z_LVAL_P(CT_CONSTANT_EX(op_array, opline->op2.constant)) == 1
1638 && ssa->ops[op_1].op1_use >= 0
1639 && !(ssa->var_info[ssa->ops[op_1].op1_use].type & (MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1640
1641 // op_1: ASSIGN_SUB #?.CV [undef,null,int,foat] -> #v.CV, int(1) => PRE_DEC #?.CV ->#v.CV
1642
1643 opline->opcode = ZEND_PRE_DEC;
1644 opline->extended_value = 0;
1645 SET_UNUSED(opline->op2);
1646
1647 } else if (ssa->ops[op_1].op1_def == v
1648 && !RETURN_VALUE_USED(opline)
1649 && ssa->ops[op_1].op1_use >= 0
1650 && !(ssa->var_info[ssa->ops[op_1].op1_use].type & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))
1651 && opline->opcode == ZEND_ASSIGN_OP
1652 && opline->extended_value != ZEND_CONCAT) {
1653
1654 // op_1: ASSIGN_OP #orig_var.CV [undef,null,bool,int,double] -> #v.CV, ? => #v.CV = ADD #orig_var.CV, ?
1655
1656 /* Reconstruct SSA */
1657 ssa->ops[op_1].result_def = ssa->ops[op_1].op1_def;
1658 ssa->ops[op_1].op1_def = -1;
1659
1660 /* Update opcode */
1661 opline->opcode = opline->extended_value;
1662 opline->extended_value = 0;
1663 opline->result_type = opline->op1_type;
1664 opline->result.var = opline->op1.var;
1665
1666 }
1667 }
1668
1669 #if ZEND_DEBUG_DFA
1670 ssa_verify_integrity(op_array, ssa, "after dfa");
1671 #endif
1672
1673 if (remove_nops) {
1674 zend_ssa_remove_nops(op_array, ssa, ctx);
1675 #if ZEND_DEBUG_DFA
1676 ssa_verify_integrity(op_array, ssa, "after nop");
1677 #endif
1678 }
1679 }
1680
1681 if (ctx->debug_level & ZEND_DUMP_AFTER_DFA_PASS) {
1682 zend_dump_op_array(op_array, ZEND_DUMP_SSA, "after dfa pass", ssa);
1683 }
1684 }
1685
zend_optimize_dfa(zend_op_array * op_array,zend_optimizer_ctx * ctx)1686 void zend_optimize_dfa(zend_op_array *op_array, zend_optimizer_ctx *ctx)
1687 {
1688 void *checkpoint = zend_arena_checkpoint(ctx->arena);
1689 zend_ssa ssa;
1690
1691 if (zend_dfa_analyze_op_array(op_array, ctx, &ssa) != SUCCESS) {
1692 zend_arena_release(&ctx->arena, checkpoint);
1693 return;
1694 }
1695
1696 zend_dfa_optimize_op_array(op_array, ctx, &ssa, NULL);
1697
1698 /* Destroy SSA */
1699 zend_arena_release(&ctx->arena, checkpoint);
1700 }
1701
