xref: /PHP-8.4/Zend/Optimizer/dfa_pass.c (revision 1a07bb92)
1 /*
2    +----------------------------------------------------------------------+
3    | Zend OPcache                                                         |
4    +----------------------------------------------------------------------+
5    | Copyright (c) The PHP Group                                          |
6    +----------------------------------------------------------------------+
7    | This source file is subject to version 3.01 of the PHP license,      |
8    | that is bundled with this package in the file LICENSE, and is        |
9    | available through the world-wide-web at the following url:           |
10    | https://www.php.net/license/3_01.txt                                 |
11    | If you did not receive a copy of the PHP license and are unable to   |
12    | obtain it through the world-wide-web, please send a note to          |
13    | license@php.net so we can mail you a copy immediately.               |
14    +----------------------------------------------------------------------+
15    | Authors: Dmitry Stogov <dmitry@php.net>                              |
16    +----------------------------------------------------------------------+
17 */
18 
19 #include "Optimizer/zend_optimizer.h"
20 #include "Optimizer/zend_optimizer_internal.h"
21 #include "zend_API.h"
22 #include "zend_constants.h"
23 #include "zend_execute.h"
24 #include "zend_vm.h"
25 #include "zend_bitset.h"
26 #include "zend_cfg.h"
27 #include "zend_ssa.h"
28 #include "zend_func_info.h"
29 #include "zend_call_graph.h"
30 #include "zend_inference.h"
31 #include "zend_dump.h"
32 
33 #ifndef ZEND_DEBUG_DFA
34 # define ZEND_DEBUG_DFA ZEND_DEBUG
35 #endif
36 
37 #if ZEND_DEBUG_DFA
38 # include "ssa_integrity.c"
39 #endif
40 
zend_dfa_analyze_op_array(zend_op_array * op_array,zend_optimizer_ctx * ctx,zend_ssa * ssa)41 zend_result zend_dfa_analyze_op_array(zend_op_array *op_array, zend_optimizer_ctx *ctx, zend_ssa *ssa)
42 {
43 	uint32_t build_flags;
44 
45 	if (op_array->last_try_catch) {
46 		/* TODO: we can't analyze functions with try/catch/finally ??? */
47 		return FAILURE;
48 	}
49 
50     /* Build SSA */
51 	memset(ssa, 0, sizeof(zend_ssa));
52 
53 	zend_build_cfg(&ctx->arena, op_array, ZEND_CFG_NO_ENTRY_PREDECESSORS, &ssa->cfg);
54 
55 	if ((ssa->cfg.flags & ZEND_FUNC_INDIRECT_VAR_ACCESS)) {
56 		/* TODO: we can't analyze functions with indirect variable access ??? */
57 		return FAILURE;
58 	}
59 
60 	zend_cfg_build_predecessors(&ctx->arena, &ssa->cfg);
61 
62 	if (ctx->debug_level & ZEND_DUMP_DFA_CFG) {
63 		zend_dump_op_array(op_array, ZEND_DUMP_CFG, "dfa cfg", &ssa->cfg);
64 	}
65 
66 	/* Compute Dominators Tree */
67 	zend_cfg_compute_dominators_tree(op_array, &ssa->cfg);
68 
69 	/* Identify reducible and irreducible loops */
70 	zend_cfg_identify_loops(op_array, &ssa->cfg);
71 
72 	if (ctx->debug_level & ZEND_DUMP_DFA_DOMINATORS) {
73 		zend_dump_dominators(op_array, &ssa->cfg);
74 	}
75 
76 	build_flags = 0;
77 	if (ctx->debug_level & ZEND_DUMP_DFA_LIVENESS) {
78 		build_flags |= ZEND_SSA_DEBUG_LIVENESS;
79 	}
80 	if (ctx->debug_level & ZEND_DUMP_DFA_PHI) {
81 		build_flags |= ZEND_SSA_DEBUG_PHI_PLACEMENT;
82 	}
83 	if (zend_build_ssa(&ctx->arena, ctx->script, op_array, build_flags, ssa) == FAILURE) {
84 		return FAILURE;
85 	}
86 
87 	if (ctx->debug_level & ZEND_DUMP_DFA_SSA) {
88 		zend_dump_op_array(op_array, ZEND_DUMP_SSA, "dfa ssa", ssa);
89 	}
90 
91 
92 	zend_ssa_compute_use_def_chains(&ctx->arena, op_array, ssa);
93 
94 	zend_ssa_find_false_dependencies(op_array, ssa);
95 
96 	zend_ssa_find_sccs(op_array, ssa);
97 
98 	if (zend_ssa_inference(&ctx->arena, op_array, ctx->script, ssa, ctx->optimization_level) == FAILURE) {
99 		return FAILURE;
100 	}
101 
102 	if (zend_ssa_escape_analysis(ctx->script, op_array, ssa) == FAILURE) {
103 		return FAILURE;
104 	}
105 
106 	if (ctx->debug_level & ZEND_DUMP_DFA_SSA_VARS) {
107 		zend_dump_ssa_variables(op_array, ssa, 0);
108 	}
109 
110 	return SUCCESS;
111 }
112 
zend_ssa_remove_nops(zend_op_array * op_array,zend_ssa * ssa,zend_optimizer_ctx * ctx)113 static void zend_ssa_remove_nops(zend_op_array *op_array, zend_ssa *ssa, zend_optimizer_ctx *ctx)
114 {
115 	zend_basic_block *blocks = ssa->cfg.blocks;
116 	zend_basic_block *blocks_end = blocks + ssa->cfg.blocks_count;
117 	zend_basic_block *b;
118 	zend_func_info *func_info;
119 	int j;
120 	uint32_t i = 0;
121 	uint32_t target = 0;
122 	uint32_t *shiftlist;
123 	ALLOCA_FLAG(use_heap);
124 
125 	shiftlist = (uint32_t *)do_alloca(sizeof(uint32_t) * op_array->last, use_heap);
126 	memset(shiftlist, 0, sizeof(uint32_t) * op_array->last);
127 	/* remove empty callee_info */
128 	func_info = ZEND_FUNC_INFO(op_array);
129 	if (func_info) {
130 		zend_call_info **call_info = &func_info->callee_info;
131 		while ((*call_info)) {
132 			if ((*call_info)->caller_init_opline->opcode == ZEND_NOP) {
133 				*call_info = (*call_info)->next_callee;
134 			} else {
135 				call_info = &(*call_info)->next_callee;
136 			}
137 		}
138 	}
139 
140 	for (b = blocks; b < blocks_end; b++) {
141 		if (b->flags & (ZEND_BB_REACHABLE|ZEND_BB_UNREACHABLE_FREE)) {
142 			if (b->len) {
143 				uint32_t new_start, old_end;
144 				while (i < b->start) {
145 					shiftlist[i] = i - target;
146 					i++;
147 				}
148 
149 				if (b->flags & ZEND_BB_UNREACHABLE_FREE) {
150 					/* Only keep the FREE for the loop var */
151 					ZEND_ASSERT(op_array->opcodes[b->start].opcode == ZEND_FREE
152 							|| op_array->opcodes[b->start].opcode == ZEND_FE_FREE);
153 					b->len = 1;
154 				}
155 
156 				new_start = target;
157 				old_end = b->start + b->len;
158 				while (i < old_end) {
159 					shiftlist[i] = i - target;
160 					if (EXPECTED(op_array->opcodes[i].opcode != ZEND_NOP)) {
161 						if (i != target) {
162 							op_array->opcodes[target] = op_array->opcodes[i];
163 							ssa->ops[target] = ssa->ops[i];
164 							ssa->cfg.map[target] = b - blocks;
165 						}
166 						target++;
167 					}
168 					i++;
169 				}
170 				b->start = new_start;
171 				if (target != old_end) {
172 					zend_op *opline;
173 					zend_op *new_opline;
174 
175 					b->len = target - b->start;
176 					opline = op_array->opcodes + old_end - 1;
177 					if (opline->opcode == ZEND_NOP) {
178 						continue;
179 					}
180 
181 					new_opline = op_array->opcodes + target - 1;
182 					zend_optimizer_migrate_jump(op_array, new_opline, opline);
183 				}
184 			} else {
185 				b->start = target;
186 			}
187 		} else {
188 			b->start = target;
189 			b->len = 0;
190 		}
191 	}
192 
193 	if (target != op_array->last) {
194 		/* reset rest opcodes */
195 		for (i = target; i < op_array->last; i++) {
196 			MAKE_NOP(op_array->opcodes + i);
197 		}
198 
199 		/* update SSA variables */
200 		for (j = 0; j < ssa->vars_count; j++) {
201 			if (ssa->vars[j].definition >= 0) {
202 				ssa->vars[j].definition -= shiftlist[ssa->vars[j].definition];
203 			}
204 			if (ssa->vars[j].use_chain >= 0) {
205 				ssa->vars[j].use_chain -= shiftlist[ssa->vars[j].use_chain];
206 			}
207 		}
208 		for (i = 0; i < op_array->last; i++) {
209 			if (ssa->ops[i].op1_use_chain >= 0) {
210 				ssa->ops[i].op1_use_chain -= shiftlist[ssa->ops[i].op1_use_chain];
211 			}
212 			if (ssa->ops[i].op2_use_chain >= 0) {
213 				ssa->ops[i].op2_use_chain -= shiftlist[ssa->ops[i].op2_use_chain];
214 			}
215 			if (ssa->ops[i].res_use_chain >= 0) {
216 				ssa->ops[i].res_use_chain -= shiftlist[ssa->ops[i].res_use_chain];
217 			}
218 		}
219 
220 		/* update branch targets */
221 		for (b = blocks; b < blocks_end; b++) {
222 			if ((b->flags & ZEND_BB_REACHABLE) && b->len != 0) {
223 				zend_op *opline = op_array->opcodes + b->start + b->len - 1;
224 				zend_optimizer_shift_jump(op_array, opline, shiftlist);
225 			}
226 		}
227 
228 		/* update try/catch array */
229 		for (j = 0; j < op_array->last_try_catch; j++) {
230 			op_array->try_catch_array[j].try_op -= shiftlist[op_array->try_catch_array[j].try_op];
231 			op_array->try_catch_array[j].catch_op -= shiftlist[op_array->try_catch_array[j].catch_op];
232 			if (op_array->try_catch_array[j].finally_op) {
233 				op_array->try_catch_array[j].finally_op -= shiftlist[op_array->try_catch_array[j].finally_op];
234 				op_array->try_catch_array[j].finally_end -= shiftlist[op_array->try_catch_array[j].finally_end];
235 			}
236 		}
237 
238 		/* update call graph */
239 		if (func_info) {
240 			zend_call_info *call_info = func_info->callee_info;
241 			while (call_info) {
242 				call_info->caller_init_opline -=
243 					shiftlist[call_info->caller_init_opline - op_array->opcodes];
244 				if (call_info->caller_call_opline) {
245 					call_info->caller_call_opline -=
246 						shiftlist[call_info->caller_call_opline - op_array->opcodes];
247 				}
248 				call_info = call_info->next_callee;
249 			}
250 		}
251 
252 		op_array->last = target;
253 	}
254 	free_alloca(shiftlist, use_heap);
255 }
256 
safe_instanceof(zend_class_entry * ce1,zend_class_entry * ce2)257 static bool safe_instanceof(zend_class_entry *ce1, zend_class_entry *ce2) {
258 	if (ce1 == ce2) {
259 		return 1;
260 	}
261 	if (!(ce1->ce_flags & ZEND_ACC_LINKED)) {
262 		/* This case could be generalized, similarly to unlinked_instanceof */
263 		return 0;
264 	}
265 	return instanceof_function(ce1, ce2);
266 }
267 
can_elide_list_type(const zend_script * script,const zend_op_array * op_array,const zend_ssa_var_info * use_info,zend_type type)268 static inline bool can_elide_list_type(
269 	const zend_script *script, const zend_op_array *op_array,
270 	const zend_ssa_var_info *use_info, zend_type type)
271 {
272 	zend_type *single_type;
273 	/* For intersection: result==false is failure, default is success.
274 	 * For union: result==true is success, default is failure. */
275 	bool is_intersection = ZEND_TYPE_IS_INTERSECTION(type);
276 	ZEND_TYPE_FOREACH(type, single_type) {
277 		if (ZEND_TYPE_HAS_LIST(*single_type)) {
278 			ZEND_ASSERT(!is_intersection);
279 			return can_elide_list_type(script, op_array, use_info, *single_type);
280 		}
281 		if (ZEND_TYPE_HAS_NAME(*single_type)) {
282 			zend_string *lcname = zend_string_tolower(ZEND_TYPE_NAME(*single_type));
283 			zend_class_entry *ce = zend_optimizer_get_class_entry(script, op_array, lcname);
284 			zend_string_release(lcname);
285 			bool result = ce && safe_instanceof(use_info->ce, ce);
286 			if (result == !is_intersection) {
287 				return result;
288 			}
289 		}
290 	} ZEND_TYPE_FOREACH_END();
291 	return is_intersection;
292 }
293 
can_elide_return_type_check(const zend_script * script,zend_op_array * op_array,zend_ssa * ssa,zend_ssa_op * ssa_op)294 static inline bool can_elide_return_type_check(
295 		const zend_script *script, zend_op_array *op_array, zend_ssa *ssa, zend_ssa_op *ssa_op) {
296 	zend_arg_info *arg_info = &op_array->arg_info[-1];
297 	zend_ssa_var_info *use_info = &ssa->var_info[ssa_op->op1_use];
298 	uint32_t use_type = use_info->type & (MAY_BE_ANY|MAY_BE_UNDEF);
299 	if (use_type & MAY_BE_REF) {
300 		return 0;
301 	}
302 
303 	if (use_type & MAY_BE_UNDEF) {
304 		use_type &= ~MAY_BE_UNDEF;
305 		use_type |= MAY_BE_NULL;
306 	}
307 
308 	uint32_t disallowed_types = use_type & ~ZEND_TYPE_PURE_MASK(arg_info->type);
309 	if (!disallowed_types) {
310 		/* Only contains allowed types. */
311 		return true;
312 	}
313 
314 	if (disallowed_types == MAY_BE_OBJECT && use_info->ce && ZEND_TYPE_IS_COMPLEX(arg_info->type)) {
315 		return can_elide_list_type(script, op_array, use_info, arg_info->type);
316 	}
317 
318 	return false;
319 }
320 
opline_supports_assign_contraction(zend_op_array * op_array,zend_ssa * ssa,zend_op * opline,int src_var,uint32_t cv_var)321 static bool opline_supports_assign_contraction(
322 		zend_op_array *op_array, zend_ssa *ssa, zend_op *opline, int src_var, uint32_t cv_var) {
323 	if (opline->opcode == ZEND_NEW) {
324 		/* see Zend/tests/generators/aborted_yield_during_new.phpt */
325 		return 0;
326 	}
327 
328 	/* Frameless calls override the return value, but the return value may overlap with the arguments. */
329 	switch (opline->opcode) {
330 		case ZEND_FRAMELESS_ICALL_3:
331 			if ((opline + 1)->op1_type == IS_CV && (opline + 1)->op1.var == cv_var) return 0;
332 			ZEND_FALLTHROUGH;
333 		case ZEND_FRAMELESS_ICALL_2:
334 			if (opline->op2_type == IS_CV && opline->op2.var == cv_var) return 0;
335 			ZEND_FALLTHROUGH;
336 		case ZEND_FRAMELESS_ICALL_1:
337 			if (opline->op1_type == IS_CV && opline->op1.var == cv_var) return 0;
338 			return 1;
339 	}
340 
341 	if (opline->opcode == ZEND_DO_ICALL || opline->opcode == ZEND_DO_UCALL
342 			|| opline->opcode == ZEND_DO_FCALL || opline->opcode == ZEND_DO_FCALL_BY_NAME) {
343 		/* Function calls may dtor the return value after it has already been written -- allow
344 		 * direct assignment only for types where a double-dtor does not matter. */
345 		uint32_t type = ssa->var_info[src_var].type;
346 		uint32_t simple = MAY_BE_NULL|MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_LONG|MAY_BE_DOUBLE;
347 		return !((type & MAY_BE_ANY) & ~simple);
348 	}
349 
350 	if (opline->opcode == ZEND_POST_INC || opline->opcode == ZEND_POST_DEC) {
351 		/* POST_INC/DEC write the result variable before performing the inc/dec. For $i = $i++
352 		 * eliding the temporary variable would thus yield an incorrect result. */
353 		return opline->op1_type != IS_CV || opline->op1.var != cv_var;
354 	}
355 
356 	if (opline->opcode == ZEND_INIT_ARRAY) {
357 		/* INIT_ARRAY initializes the result array before reading key/value. */
358 		return (opline->op1_type != IS_CV || opline->op1.var != cv_var)
359 			&& (opline->op2_type != IS_CV || opline->op2.var != cv_var);
360 	}
361 
362 	if (opline->opcode == ZEND_CAST
363 			&& (opline->extended_value == IS_ARRAY || opline->extended_value == IS_OBJECT)) {
364 		/* CAST to array/object may initialize the result to an empty array/object before
365 		 * reading the expression. */
366 		return opline->op1_type != IS_CV || opline->op1.var != cv_var;
367 	}
368 
369 	if ((opline->opcode == ZEND_ASSIGN_OP
370 	  || opline->opcode == ZEND_ASSIGN_OBJ
371 	  || opline->opcode == ZEND_ASSIGN_DIM
372 	  || opline->opcode == ZEND_ASSIGN_OBJ_OP
373 	  || opline->opcode == ZEND_ASSIGN_DIM_OP)
374 	 && opline->op1_type == IS_CV
375 	 && opline->op1.var == cv_var
376 	 && zend_may_throw(opline, &ssa->ops[ssa->vars[src_var].definition], op_array, ssa)) {
377 		return 0;
378 	}
379 
380 	return 1;
381 }
382 
variable_defined_or_used_in_range(zend_ssa * ssa,int var,int start,int end)383 static bool variable_defined_or_used_in_range(zend_ssa *ssa, int var, int start, int end)
384 {
385 	while (start < end) {
386 		const zend_ssa_op *ssa_op = &ssa->ops[start];
387 		if ((ssa_op->op1_def >= 0 && ssa->vars[ssa_op->op1_def].var == var) ||
388 			(ssa_op->op2_def >= 0 && ssa->vars[ssa_op->op2_def].var == var) ||
389 			(ssa_op->result_def >= 0 && ssa->vars[ssa_op->result_def].var == var) ||
390 			(ssa_op->op1_use >= 0 && ssa->vars[ssa_op->op1_use].var == var) ||
391 			(ssa_op->op2_use >= 0 && ssa->vars[ssa_op->op2_use].var == var) ||
392 			(ssa_op->result_use >= 0 && ssa->vars[ssa_op->result_use].var == var)
393 		) {
394 			return 1;
395 		}
396 		start++;
397 	}
398 	return 0;
399 }
400 
zend_dfa_optimize_calls(zend_op_array * op_array,zend_ssa * ssa)401 int zend_dfa_optimize_calls(zend_op_array *op_array, zend_ssa *ssa)
402 {
403 	zend_func_info *func_info = ZEND_FUNC_INFO(op_array);
404 	int removed_ops = 0;
405 
406 	if (func_info->callee_info) {
407 		zend_call_info *call_info = func_info->callee_info;
408 
409 		do {
410 			if (call_info->caller_call_opline
411 			 && call_info->caller_call_opline->opcode == ZEND_DO_ICALL
412 			 && call_info->callee_func
413 			 && zend_string_equals_literal(call_info->callee_func->common.function_name, "in_array")
414 			 && (call_info->caller_init_opline->extended_value == 2
415 			  || (call_info->caller_init_opline->extended_value == 3
416 			   && (call_info->caller_call_opline - 1)->opcode == ZEND_SEND_VAL
417 			   && (call_info->caller_call_opline - 1)->op1_type == IS_CONST))) {
418 
419 				zend_op *send_array;
420 				zend_op *send_needly;
421 				bool strict = 0;
422 				ZEND_ASSERT(!call_info->is_prototype);
423 
424 				if (call_info->caller_init_opline->extended_value == 2) {
425 					send_array = call_info->caller_call_opline - 1;
426 					send_needly = call_info->caller_call_opline - 2;
427 				} else {
428 					if (zend_is_true(CT_CONSTANT_EX(op_array, (call_info->caller_call_opline - 1)->op1.constant))) {
429 						strict = 1;
430 					}
431 					send_array = call_info->caller_call_opline - 2;
432 					send_needly = call_info->caller_call_opline - 3;
433 				}
434 
435 				if (send_array->opcode == ZEND_SEND_VAL
436 				 && send_array->op1_type == IS_CONST
437 				 && Z_TYPE_P(CT_CONSTANT_EX(op_array, send_array->op1.constant)) == IS_ARRAY
438 				 && (send_needly->opcode == ZEND_SEND_VAL
439 				  || send_needly->opcode == ZEND_SEND_VAR)
440 			    ) {
441 					bool ok = 1;
442 
443 					HashTable *src = Z_ARRVAL_P(CT_CONSTANT_EX(op_array, send_array->op1.constant));
444 					HashTable *dst;
445 					zval *val, tmp;
446 					zend_ulong idx;
447 
448 					ZVAL_TRUE(&tmp);
449 					dst = zend_new_array(zend_hash_num_elements(src));
450 					if (strict) {
451 						ZEND_HASH_FOREACH_VAL(src, val) {
452 							if (Z_TYPE_P(val) == IS_STRING) {
453 								zend_hash_add(dst, Z_STR_P(val), &tmp);
454 							} else if (Z_TYPE_P(val) == IS_LONG) {
455 								zend_hash_index_add(dst, Z_LVAL_P(val), &tmp);
456 							} else {
457 								zend_array_destroy(dst);
458 								ok = 0;
459 								break;
460 							}
461 						} ZEND_HASH_FOREACH_END();
462 					} else {
463 						ZEND_HASH_FOREACH_VAL(src, val) {
464 							if (Z_TYPE_P(val) != IS_STRING || ZEND_HANDLE_NUMERIC(Z_STR_P(val), idx)) {
465 								zend_array_destroy(dst);
466 								ok = 0;
467 								break;
468 							}
469 							zend_hash_add(dst, Z_STR_P(val), &tmp);
470 						} ZEND_HASH_FOREACH_END();
471 					}
472 
473 					if (ok) {
474 						uint32_t op_num = send_needly - op_array->opcodes;
475 						zend_ssa_op *ssa_op = ssa->ops + op_num;
476 
477 						if (ssa_op->op1_use >= 0) {
478 							/* Reconstruct SSA */
479 							int var_num = ssa_op->op1_use;
480 							zend_ssa_var *var = ssa->vars + var_num;
481 
482 							ZEND_ASSERT(ssa_op->op1_def < 0);
483 							zend_ssa_unlink_use_chain(ssa, op_num, ssa_op->op1_use);
484 							ssa_op->op1_use = -1;
485 							ssa_op->op1_use_chain = -1;
486 							op_num = call_info->caller_call_opline - op_array->opcodes;
487 							ssa_op = ssa->ops + op_num;
488 							ssa_op->op1_use = var_num;
489 							ssa_op->op1_use_chain = var->use_chain;
490 							var->use_chain = op_num;
491 						}
492 
493 						ZVAL_ARR(&tmp, dst);
494 
495 						/* Update opcode */
496 						call_info->caller_call_opline->opcode = ZEND_IN_ARRAY;
497 						call_info->caller_call_opline->extended_value = strict;
498 						call_info->caller_call_opline->op1_type = send_needly->op1_type;
499 						call_info->caller_call_opline->op1.num = send_needly->op1.num;
500 						call_info->caller_call_opline->op2_type = IS_CONST;
501 						call_info->caller_call_opline->op2.constant = zend_optimizer_add_literal(op_array, &tmp);
502 						if (call_info->caller_init_opline->extended_value == 3) {
503 							MAKE_NOP(call_info->caller_call_opline - 1);
504 						}
505 						MAKE_NOP(call_info->caller_init_opline);
506 						MAKE_NOP(send_needly);
507 						MAKE_NOP(send_array);
508 						removed_ops++;
509 
510 						op_num = call_info->caller_call_opline - op_array->opcodes;
511 						ssa_op = ssa->ops + op_num;
512 						if (ssa_op->result_def >= 0) {
513 							int var = ssa_op->result_def;
514 							int use = ssa->vars[var].use_chain;
515 
516 							/* If the result is used only in a JMPZ/JMPNZ, replace result type with
517 							 * IS_TMP_VAR, which will enable use of smart branches. Don't do this
518 							 * in other cases, as not all opcodes support both VAR and TMP. */
519 							if (ssa->vars[var].phi_use_chain == NULL
520 								&& ssa->ops[use].op1_use == var
521 								&& ssa->ops[use].op1_use_chain == -1
522 								&& (op_array->opcodes[use].opcode == ZEND_JMPZ
523 									|| op_array->opcodes[use].opcode == ZEND_JMPNZ)) {
524 								call_info->caller_call_opline->result_type = IS_TMP_VAR;
525 								op_array->opcodes[use].op1_type = IS_TMP_VAR;
526 							}
527 						}
528 					}
529 				}
530 			}
531 			call_info = call_info->next_callee;
532 		} while (call_info);
533 	}
534 
535 	return removed_ops;
536 }
537 
take_successor_0(zend_ssa * ssa,int block_num,zend_basic_block * block)538 static zend_always_inline void take_successor_0(zend_ssa *ssa, int block_num, zend_basic_block *block)
539 {
540 	if (block->successors_count == 2) {
541 		if (block->successors[1] != block->successors[0]) {
542 			zend_ssa_remove_predecessor(ssa, block_num, block->successors[1]);
543 		}
544 		block->successors_count = 1;
545 	}
546 }
547 
take_successor_1(zend_ssa * ssa,int block_num,zend_basic_block * block)548 static zend_always_inline void take_successor_1(zend_ssa *ssa, int block_num, zend_basic_block *block)
549 {
550 	if (block->successors_count == 2) {
551 		if (block->successors[1] != block->successors[0]) {
552 			zend_ssa_remove_predecessor(ssa, block_num, block->successors[0]);
553 			block->successors[0] = block->successors[1];
554 		}
555 		block->successors_count = 1;
556 	}
557 }
558 
take_successor_ex(zend_ssa * ssa,int block_num,zend_basic_block * block,int target_block)559 static zend_always_inline void take_successor_ex(zend_ssa *ssa, int block_num, zend_basic_block *block, int target_block)
560 {
561 	int i;
562 
563 	for (i = 0; i < block->successors_count; i++) {
564 		if (block->successors[i] != target_block) {
565 			zend_ssa_remove_predecessor(ssa, block_num, block->successors[i]);
566 		}
567 	}
568 	block->successors[0] = target_block;
569 	block->successors_count = 1;
570 }
571 
compress_block(zend_op_array * op_array,zend_basic_block * block)572 static void compress_block(zend_op_array *op_array, zend_basic_block *block)
573 {
574 	while (block->len > 0) {
575 		zend_op *opline = &op_array->opcodes[block->start + block->len - 1];
576 
577 		if (opline->opcode == ZEND_NOP) {
578 			block->len--;
579 		} else {
580 			break;
581 		}
582 	}
583 }
584 
replace_predecessor(zend_ssa * ssa,int block_id,int old_pred,int new_pred)585 static void replace_predecessor(zend_ssa *ssa, int block_id, int old_pred, int new_pred) {
586 	zend_basic_block *block = &ssa->cfg.blocks[block_id];
587 	int *predecessors = &ssa->cfg.predecessors[block->predecessor_offset];
588 	zend_ssa_phi *phi;
589 
590 	int i;
591 	int old_pred_idx = -1;
592 	int new_pred_idx = -1;
593 	for (i = 0; i < block->predecessors_count; i++) {
594 		if (predecessors[i] == old_pred) {
595 			old_pred_idx = i;
596 		}
597 		if (predecessors[i] == new_pred) {
598 			new_pred_idx = i;
599 		}
600 	}
601 
602 	ZEND_ASSERT(old_pred_idx != -1);
603 	if (new_pred_idx == -1) {
604 		/* If the new predecessor doesn't exist yet, simply rewire the old one */
605 		predecessors[old_pred_idx] = new_pred;
606 	} else {
607 		/* Otherwise, rewiring the old predecessor would make the new predecessor appear
608 		 * twice, which violates our CFG invariants. Remove the old predecessor instead. */
609 		memmove(
610 			predecessors + old_pred_idx,
611 			predecessors + old_pred_idx + 1,
612 			sizeof(int) * (block->predecessors_count - old_pred_idx - 1)
613 		);
614 
615 		/* Also remove the corresponding phi node entries */
616 		for (phi = ssa->blocks[block_id].phis; phi; phi = phi->next) {
617 			if (phi->pi >= 0) {
618 				if (phi->pi == old_pred || phi->pi == new_pred) {
619 					zend_ssa_rename_var_uses(
620 						ssa, phi->ssa_var, phi->sources[0], /* update_types */ 0);
621 					zend_ssa_remove_phi(ssa, phi);
622 				}
623 			} else {
624 				memmove(
625 					phi->sources + old_pred_idx,
626 					phi->sources + old_pred_idx + 1,
627 					sizeof(int) * (block->predecessors_count - old_pred_idx - 1)
628 				);
629 			}
630 		}
631 
632 		block->predecessors_count--;
633 	}
634 }
635 
zend_ssa_replace_control_link(zend_op_array * op_array,zend_ssa * ssa,int from,int to,int new_to)636 static void zend_ssa_replace_control_link(zend_op_array *op_array, zend_ssa *ssa, int from, int to, int new_to)
637 {
638 	zend_basic_block *src = &ssa->cfg.blocks[from];
639 	zend_basic_block *old = &ssa->cfg.blocks[to];
640 	zend_basic_block *dst = &ssa->cfg.blocks[new_to];
641 	int i;
642 	zend_op *opline;
643 
644 	for (i = 0; i < src->successors_count; i++) {
645 		if (src->successors[i] == to) {
646 			src->successors[i] = new_to;
647 		}
648 	}
649 
650 	if (src->len > 0) {
651 		opline = op_array->opcodes + src->start + src->len - 1;
652 		switch (opline->opcode) {
653 			case ZEND_JMP:
654 			case ZEND_FAST_CALL:
655 				ZEND_ASSERT(ZEND_OP1_JMP_ADDR(opline) == op_array->opcodes + old->start);
656 				ZEND_SET_OP_JMP_ADDR(opline, opline->op1, op_array->opcodes + dst->start);
657 				break;
658 			case ZEND_JMPZ:
659 			case ZEND_JMPNZ:
660 			case ZEND_JMPZ_EX:
661 			case ZEND_JMPNZ_EX:
662 			case ZEND_FE_RESET_R:
663 			case ZEND_FE_RESET_RW:
664 			case ZEND_JMP_SET:
665 			case ZEND_COALESCE:
666 			case ZEND_ASSERT_CHECK:
667 			case ZEND_JMP_NULL:
668 			case ZEND_BIND_INIT_STATIC_OR_JMP:
669 			case ZEND_JMP_FRAMELESS:
670 				if (ZEND_OP2_JMP_ADDR(opline) == op_array->opcodes + old->start) {
671 					ZEND_SET_OP_JMP_ADDR(opline, opline->op2, op_array->opcodes + dst->start);
672 				}
673 				break;
674 			case ZEND_CATCH:
675 				if (!(opline->extended_value & ZEND_LAST_CATCH)) {
676 					if (ZEND_OP2_JMP_ADDR(opline) == op_array->opcodes + old->start) {
677 						ZEND_SET_OP_JMP_ADDR(opline, opline->op2, op_array->opcodes + dst->start);
678 					}
679 				}
680 				break;
681 			case ZEND_FE_FETCH_R:
682 			case ZEND_FE_FETCH_RW:
683 				if (ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, opline->extended_value) == old->start) {
684 					opline->extended_value = ZEND_OPLINE_NUM_TO_OFFSET(op_array, opline, dst->start);
685 				}
686 				break;
687 			case ZEND_SWITCH_LONG:
688 			case ZEND_SWITCH_STRING:
689 			case ZEND_MATCH:
690 				{
691 					HashTable *jumptable = Z_ARRVAL(ZEND_OP2_LITERAL(opline));
692 					zval *zv;
693 					ZEND_HASH_FOREACH_VAL(jumptable, zv) {
694 						if (ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, Z_LVAL_P(zv)) == old->start) {
695 							Z_LVAL_P(zv) = ZEND_OPLINE_NUM_TO_OFFSET(op_array, opline, dst->start);
696 						}
697 					} ZEND_HASH_FOREACH_END();
698 					if (ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, opline->extended_value) == old->start) {
699 						opline->extended_value = ZEND_OPLINE_NUM_TO_OFFSET(op_array, opline, dst->start);
700 					}
701 					break;
702 				}
703 		}
704 	}
705 
706 	replace_predecessor(ssa, new_to, to, from);
707 }
708 
zend_ssa_unlink_block(zend_op_array * op_array,zend_ssa * ssa,zend_basic_block * block,int block_num)709 static void zend_ssa_unlink_block(zend_op_array *op_array, zend_ssa *ssa, zend_basic_block *block, int block_num)
710 {
711 	if (block->predecessors_count == 1 && ssa->blocks[block_num].phis == NULL) {
712 		int *predecessors, i;
713 		zend_basic_block *fe_fetch_block = NULL;
714 
715 		ZEND_ASSERT(block->successors_count == 1);
716 		predecessors = &ssa->cfg.predecessors[block->predecessor_offset];
717 		if (block->predecessors_count == 1 && (block->flags & ZEND_BB_FOLLOW)) {
718 			zend_basic_block *pred_block = &ssa->cfg.blocks[predecessors[0]];
719 
720 			if (pred_block->len > 0 && (pred_block->flags & ZEND_BB_REACHABLE)) {
721 				if ((op_array->opcodes[pred_block->start + pred_block->len - 1].opcode == ZEND_FE_FETCH_R
722 				 || op_array->opcodes[pred_block->start + pred_block->len - 1].opcode == ZEND_FE_FETCH_RW)
723 				  && op_array->opcodes[pred_block->start + pred_block->len - 1].op2_type == IS_CV) {
724 					fe_fetch_block = pred_block;
725 			    }
726 			}
727 		}
728 		for (i = 0; i < block->predecessors_count; i++) {
729 			zend_ssa_replace_control_link(op_array, ssa, predecessors[i], block_num, block->successors[0]);
730 		}
731 		zend_ssa_remove_block(op_array, ssa, block_num);
732 		if (fe_fetch_block && fe_fetch_block->successors[0] == fe_fetch_block->successors[1]) {
733 			/* The body of "foreach" loop was removed */
734 			int ssa_var = ssa->ops[fe_fetch_block->start + fe_fetch_block->len - 1].op2_def;
735 			if (ssa_var >= 0) {
736 				zend_ssa_remove_uses_of_var(ssa, ssa_var);
737 			}
738 		}
739 	}
740 }
741 
zend_dfa_optimize_jmps(zend_op_array * op_array,zend_ssa * ssa)742 static int zend_dfa_optimize_jmps(zend_op_array *op_array, zend_ssa *ssa)
743 {
744 	int removed_ops = 0;
745 	int block_num = 0;
746 
747 	for (block_num = 1; block_num < ssa->cfg.blocks_count; block_num++) {
748 		zend_basic_block *block = &ssa->cfg.blocks[block_num];
749 
750 		if (!(block->flags & ZEND_BB_REACHABLE)) {
751 			continue;
752 		}
753 		compress_block(op_array, block);
754 		if (block->len == 0) {
755 			zend_ssa_unlink_block(op_array, ssa, block, block_num);
756 		}
757 	}
758 
759 	block_num = 0;
760 	while (block_num < ssa->cfg.blocks_count
761 		&& !(ssa->cfg.blocks[block_num].flags & ZEND_BB_REACHABLE)) {
762 		block_num++;
763 	}
764 	while (block_num < ssa->cfg.blocks_count) {
765 		int next_block_num = block_num + 1;
766 		zend_basic_block *block = &ssa->cfg.blocks[block_num];
767 		uint32_t op_num;
768 		zend_op *opline;
769 		zend_ssa_op *ssa_op;
770 		bool can_follow = 1;
771 
772 		while (next_block_num < ssa->cfg.blocks_count
773 			&& !(ssa->cfg.blocks[next_block_num].flags & ZEND_BB_REACHABLE)) {
774 			if (ssa->cfg.blocks[next_block_num].flags & ZEND_BB_UNREACHABLE_FREE) {
775 				can_follow = 0;
776 			}
777 			next_block_num++;
778 		}
779 
780 		if (block->len) {
781 			op_num = block->start + block->len - 1;
782 			opline = op_array->opcodes + op_num;
783 			ssa_op = ssa->ops + op_num;
784 
785 			switch (opline->opcode) {
786 				case ZEND_JMP:
787 optimize_jmp:
788 					if (block->successors[0] == next_block_num && can_follow) {
789 						MAKE_NOP(opline);
790 						removed_ops++;
791 						goto optimize_nop;
792 					}
793 					break;
794 				case ZEND_JMPZ:
795 optimize_jmpz:
796 					if (opline->op1_type == IS_CONST) {
797 						if (zend_is_true(CT_CONSTANT_EX(op_array, opline->op1.constant))) {
798 							MAKE_NOP(opline);
799 							removed_ops++;
800 							take_successor_1(ssa, block_num, block);
801 							goto optimize_nop;
802 						} else {
803 							opline->opcode = ZEND_JMP;
804 							COPY_NODE(opline->op1, opline->op2);
805 							take_successor_0(ssa, block_num, block);
806 							goto optimize_jmp;
807 						}
808 					} else {
809 						if (block->successors[0] == next_block_num && can_follow) {
810 							take_successor_0(ssa, block_num, block);
811 							if (opline->op1_type == IS_CV && (OP1_INFO() & MAY_BE_UNDEF)) {
812 								opline->opcode = ZEND_CHECK_VAR;
813 								opline->op2.num = 0;
814 							} else if (opline->op1_type == IS_CV || !(OP1_INFO() & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
815 								zend_ssa_remove_instr(ssa, opline, ssa_op);
816 								removed_ops++;
817 								goto optimize_nop;
818 							} else {
819 								opline->opcode = ZEND_FREE;
820 								opline->op2.num = 0;
821 							}
822 						}
823 					}
824 					break;
825 				case ZEND_JMPNZ:
826 optimize_jmpnz:
827 					if (opline->op1_type == IS_CONST) {
828 						if (zend_is_true(CT_CONSTANT_EX(op_array, opline->op1.constant))) {
829 							opline->opcode = ZEND_JMP;
830 							COPY_NODE(opline->op1, opline->op2);
831 							take_successor_0(ssa, block_num, block);
832 							goto optimize_jmp;
833 						} else {
834 							MAKE_NOP(opline);
835 							removed_ops++;
836 							take_successor_1(ssa, block_num, block);
837 							goto optimize_nop;
838 						}
839 					} else if (block->successors_count == 2) {
840 						if (block->successors[0] == next_block_num && can_follow) {
841 							take_successor_0(ssa, block_num, block);
842 							if (opline->op1_type == IS_CV && (OP1_INFO() & MAY_BE_UNDEF)) {
843 								opline->opcode = ZEND_CHECK_VAR;
844 								opline->op2.num = 0;
845 							} else if (opline->op1_type == IS_CV || !(OP1_INFO() & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
846 								zend_ssa_remove_instr(ssa, opline, ssa_op);
847 								removed_ops++;
848 								goto optimize_nop;
849 							} else {
850 								opline->opcode = ZEND_FREE;
851 								opline->op2.num = 0;
852 							}
853 						}
854 					}
855 					break;
856 				case ZEND_JMPZ_EX:
857 					if (ssa->vars[ssa_op->result_def].use_chain < 0
858 							&& ssa->vars[ssa_op->result_def].phi_use_chain == NULL) {
859 						opline->opcode = ZEND_JMPZ;
860 						opline->result_type = IS_UNUSED;
861 						zend_ssa_remove_result_def(ssa, ssa_op);
862 						goto optimize_jmpz;
863 					} else if (opline->op1_type == IS_CONST) {
864 						if (zend_is_true(CT_CONSTANT_EX(op_array, opline->op1.constant))) {
865 							opline->opcode = ZEND_BOOL;
866 							take_successor_1(ssa, block_num, block);
867 						}
868 					}
869 					break;
870 				case ZEND_JMPNZ_EX:
871 					if (ssa->vars[ssa_op->result_def].use_chain < 0
872 							&& ssa->vars[ssa_op->result_def].phi_use_chain == NULL) {
873 						opline->opcode = ZEND_JMPNZ;
874 						opline->result_type = IS_UNUSED;
875 						zend_ssa_remove_result_def(ssa, ssa_op);
876 						goto optimize_jmpnz;
877 					} else if (opline->op1_type == IS_CONST) {
878 						if (!zend_is_true(CT_CONSTANT_EX(op_array, opline->op1.constant))) {
879 							opline->opcode = ZEND_BOOL;
880 							take_successor_1(ssa, block_num, block);
881 						}
882 					}
883 					break;
884 				case ZEND_JMP_SET:
885 					if (ssa->vars[ssa_op->result_def].use_chain < 0
886 							&& ssa->vars[ssa_op->result_def].phi_use_chain == NULL) {
887 						opline->opcode = ZEND_JMPNZ;
888 						opline->result_type = IS_UNUSED;
889 						zend_ssa_remove_result_def(ssa, ssa_op);
890 						goto optimize_jmpnz;
891 					} else if (opline->op1_type == IS_CONST) {
892 						if (!zend_is_true(CT_CONSTANT_EX(op_array, opline->op1.constant))) {
893 							MAKE_NOP(opline);
894 							removed_ops++;
895 							take_successor_1(ssa, block_num, block);
896 							zend_ssa_remove_result_def(ssa, ssa_op);
897 							goto optimize_nop;
898 						}
899 					}
900 					break;
901 				case ZEND_COALESCE:
902 				{
903 					zend_ssa_var *var = &ssa->vars[ssa_op->result_def];
904 					if (opline->op1_type == IS_CONST
905 							&& var->use_chain < 0 && var->phi_use_chain == NULL) {
906 						if (Z_TYPE_P(CT_CONSTANT_EX(op_array, opline->op1.constant)) == IS_NULL) {
907 							zend_ssa_remove_result_def(ssa, ssa_op);
908 							MAKE_NOP(opline);
909 							removed_ops++;
910 							take_successor_1(ssa, block_num, block);
911 							goto optimize_nop;
912 						} else {
913 							opline->opcode = ZEND_JMP;
914 							opline->result_type = IS_UNUSED;
915 							zend_ssa_remove_result_def(ssa, ssa_op);
916 							COPY_NODE(opline->op1, opline->op2);
917 							take_successor_0(ssa, block_num, block);
918 							goto optimize_jmp;
919 						}
920 					}
921 					break;
922 				}
923 				case ZEND_JMP_NULL:
924 				{
925 					zend_ssa_var *var = &ssa->vars[ssa_op->result_def];
926 					if (opline->op1_type == IS_CONST
927 							&& var->use_chain < 0 && var->phi_use_chain == NULL) {
928 						if (Z_TYPE_P(CT_CONSTANT_EX(op_array, opline->op1.constant)) == IS_NULL) {
929 							opline->opcode = ZEND_JMP;
930 							opline->result_type = IS_UNUSED;
931 							zend_ssa_remove_result_def(ssa, ssa_op);
932 							COPY_NODE(opline->op1, opline->op2);
933 							take_successor_0(ssa, block_num, block);
934 							goto optimize_jmp;
935 						} else {
936 							zend_ssa_remove_result_def(ssa, ssa_op);
937 							MAKE_NOP(opline);
938 							removed_ops++;
939 							take_successor_1(ssa, block_num, block);
940 							goto optimize_nop;
941 						}
942 					}
943 					break;
944 				}
945 				case ZEND_SWITCH_LONG:
946 				case ZEND_SWITCH_STRING:
947 				case ZEND_MATCH:
948 					if (opline->op1_type == IS_CONST) {
949 						zval *zv = CT_CONSTANT_EX(op_array, opline->op1.constant);
950 						uint8_t type = Z_TYPE_P(zv);
951 						bool correct_type =
952 							(opline->opcode == ZEND_SWITCH_LONG && type == IS_LONG)
953 							|| (opline->opcode == ZEND_SWITCH_STRING && type == IS_STRING)
954 							|| (opline->opcode == ZEND_MATCH && (type == IS_LONG || type == IS_STRING));
955 
956 						/* Switch statements have a fallback chain for loose comparison. In those
957 						 * cases the SWITCH_* instruction is a NOP. Match does strict comparison and
958 						 * thus jumps to the default branch on mismatched types, so we need to
959 						 * convert MATCH to a jmp. */
960 						if (!correct_type && opline->opcode != ZEND_MATCH) {
961 							removed_ops++;
962 							MAKE_NOP(opline);
963 							opline->extended_value = 0;
964 							take_successor_ex(ssa, block_num, block, block->successors[block->successors_count - 1]);
965 							goto optimize_nop;
966 						}
967 
968 						uint32_t target;
969 						if (correct_type) {
970 							HashTable *jmptable = Z_ARRVAL_P(CT_CONSTANT_EX(op_array, opline->op2.constant));
971 							zval *jmp_zv = type == IS_LONG
972 								? zend_hash_index_find(jmptable, Z_LVAL_P(zv))
973 								: zend_hash_find(jmptable, Z_STR_P(zv));
974 
975 							if (jmp_zv) {
976 								target = ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, Z_LVAL_P(jmp_zv));
977 							} else {
978 								target = ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, opline->extended_value);
979 							}
980 						} else {
981 							ZEND_ASSERT(opline->opcode == ZEND_MATCH);
982 							target = ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, opline->extended_value);
983 						}
984 						opline->opcode = ZEND_JMP;
985 						opline->extended_value = 0;
986 						SET_UNUSED(opline->op1);
987 						ZEND_SET_OP_JMP_ADDR(opline, opline->op1, op_array->opcodes + target);
988 						SET_UNUSED(opline->op2);
989 						take_successor_ex(ssa, block_num, block, ssa->cfg.map[target]);
990 						goto optimize_jmp;
991 					}
992 					break;
993 				case ZEND_NOP:
994 optimize_nop:
995 					compress_block(op_array, block);
996 					if (block->len == 0) {
997 						if (block_num > 0) {
998 							zend_ssa_unlink_block(op_array, ssa, block, block_num);
999 							/* backtrack to previous basic block */
1000 							do {
1001 								block_num--;
1002 							} while (block_num >= 0
1003 								&& !(ssa->cfg.blocks[block_num].flags & ZEND_BB_REACHABLE));
1004 							if (block_num >= 0) {
1005 								continue;
1006 							}
1007 						}
1008 					}
1009 					break;
1010 				default:
1011 					break;
1012 			}
1013 		}
1014 
1015 		block_num = next_block_num;
1016 	}
1017 
1018 	return removed_ops;
1019 }
1020 
zend_dfa_try_to_replace_result(zend_op_array * op_array,zend_ssa * ssa,int def,int cv_var)1021 static bool zend_dfa_try_to_replace_result(zend_op_array *op_array, zend_ssa *ssa, int def, int cv_var)
1022 {
1023 	int result_var = ssa->ops[def].result_def;
1024 	uint32_t cv = EX_NUM_TO_VAR(ssa->vars[cv_var].var);
1025 
1026 	if (result_var >= 0
1027 	 && !(ssa->var_info[cv_var].type & MAY_BE_REF)
1028 	 && ssa->vars[cv_var].alias == NO_ALIAS
1029 	 && ssa->vars[result_var].phi_use_chain == NULL
1030 	 && ssa->vars[result_var].sym_use_chain == NULL) {
1031 		int use = ssa->vars[result_var].use_chain;
1032 
1033 		if (use >= 0
1034 		 && zend_ssa_next_use(ssa->ops, result_var, use) < 0
1035 		 && op_array->opcodes[use].opcode != ZEND_FREE
1036 		 && op_array->opcodes[use].opcode != ZEND_SEND_VAL
1037 		 && op_array->opcodes[use].opcode != ZEND_SEND_VAL_EX
1038 		 && op_array->opcodes[use].opcode != ZEND_VERIFY_RETURN_TYPE
1039 		 && op_array->opcodes[use].opcode != ZEND_YIELD) {
1040 			if (use > def) {
1041 				int i = use;
1042 				const zend_op *opline = &op_array->opcodes[use];
1043 
1044 				while (i > def) {
1045 					if ((opline->op1_type == IS_CV && opline->op1.var == cv)
1046 					 || (opline->op2_type == IS_CV && opline->op2.var == cv)
1047 					 || (opline->result_type == IS_CV && opline->result.var == cv)) {
1048 						return 0;
1049 					}
1050 					opline--;
1051 					i--;
1052 				}
1053 
1054 				/* Update opcodes and reconstruct SSA */
1055 				ssa->vars[result_var].definition = -1;
1056 				ssa->vars[result_var].use_chain = -1;
1057 				ssa->ops[def].result_def = -1;
1058 
1059 				op_array->opcodes[def].result_type = IS_UNUSED;
1060 				op_array->opcodes[def].result.var = 0;
1061 
1062 				if (ssa->ops[use].op1_use == result_var) {
1063 					ssa->ops[use].op1_use = cv_var;
1064 					ssa->ops[use].op1_use_chain = ssa->vars[cv_var].use_chain;
1065 					ssa->vars[cv_var].use_chain = use;
1066 
1067 					op_array->opcodes[use].op1_type = IS_CV;
1068 					op_array->opcodes[use].op1.var = cv;
1069 				} else if (ssa->ops[use].op2_use == result_var) {
1070 					ssa->ops[use].op2_use = cv_var;
1071 					ssa->ops[use].op2_use_chain = ssa->vars[cv_var].use_chain;
1072 					ssa->vars[cv_var].use_chain = use;
1073 
1074 					op_array->opcodes[use].op2_type = IS_CV;
1075 					op_array->opcodes[use].op2.var = cv;
1076 				} else if (ssa->ops[use].result_use == result_var) {
1077 					ssa->ops[use].result_use = cv_var;
1078 					ssa->ops[use].res_use_chain = ssa->vars[cv_var].use_chain;
1079 					ssa->vars[cv_var].use_chain = use;
1080 
1081 					op_array->opcodes[use].result_type = IS_CV;
1082 					op_array->opcodes[use].result.var = cv;
1083 				}
1084 
1085 				return 1;
1086 			}
1087 		}
1088 	}
1089 
1090 	return 0;
1091 }
1092 
zend_dfa_optimize_op_array(zend_op_array * op_array,zend_optimizer_ctx * ctx,zend_ssa * ssa,zend_call_info ** call_map)1093 void zend_dfa_optimize_op_array(zend_op_array *op_array, zend_optimizer_ctx *ctx, zend_ssa *ssa, zend_call_info **call_map)
1094 {
1095 	if (ctx->debug_level & ZEND_DUMP_BEFORE_DFA_PASS) {
1096 		zend_dump_op_array(op_array, ZEND_DUMP_SSA, "before dfa pass", ssa);
1097 	}
1098 
1099 	if (ssa->var_info) {
1100 		int op_1;
1101 		int v;
1102 		int remove_nops = 0;
1103 		zend_op *opline;
1104 		zend_ssa_op *ssa_op;
1105 		zval tmp;
1106 
1107 #if ZEND_DEBUG_DFA
1108 		ssa_verify_integrity(op_array, ssa, "before dfa");
1109 #endif
1110 
1111 		if (ZEND_OPTIMIZER_PASS_8 & ctx->optimization_level) {
1112 			if (sccp_optimize_op_array(ctx, op_array, ssa, call_map)) {
1113 				remove_nops = 1;
1114 			}
1115 
1116 			if (zend_dfa_optimize_jmps(op_array, ssa)) {
1117 				remove_nops = 1;
1118 			}
1119 
1120 #if ZEND_DEBUG_DFA
1121 			ssa_verify_integrity(op_array, ssa, "after sccp");
1122 #endif
1123 			if (ZEND_FUNC_INFO(op_array)) {
1124 				if (zend_dfa_optimize_calls(op_array, ssa)) {
1125 					remove_nops = 1;
1126 				}
1127 			}
1128 			if (ctx->debug_level & ZEND_DUMP_AFTER_PASS_8) {
1129 				zend_dump_op_array(op_array, ZEND_DUMP_SSA, "after sccp pass", ssa);
1130 			}
1131 #if ZEND_DEBUG_DFA
1132 			ssa_verify_integrity(op_array, ssa, "after calls");
1133 #endif
1134 		}
1135 
1136 		if (ZEND_OPTIMIZER_PASS_14 & ctx->optimization_level) {
1137 			if (dce_optimize_op_array(op_array, ctx, ssa, 0)) {
1138 				remove_nops = 1;
1139 			}
1140 			if (zend_dfa_optimize_jmps(op_array, ssa)) {
1141 				remove_nops = 1;
1142 			}
1143 			if (ctx->debug_level & ZEND_DUMP_AFTER_PASS_14) {
1144 				zend_dump_op_array(op_array, ZEND_DUMP_SSA, "after dce pass", ssa);
1145 			}
1146 #if ZEND_DEBUG_DFA
1147 			ssa_verify_integrity(op_array, ssa, "after dce");
1148 #endif
1149 		}
1150 
1151 		for (v = op_array->last_var; v < ssa->vars_count; v++) {
1152 
1153 			op_1 = ssa->vars[v].definition;
1154 
1155 			if (op_1 < 0) {
1156 				continue;
1157 			}
1158 
1159 			opline = op_array->opcodes + op_1;
1160 			ssa_op = &ssa->ops[op_1];
1161 
1162 			/* Convert LONG constants to DOUBLE */
1163 			if (ssa->var_info[v].use_as_double) {
1164 				if (opline->opcode == ZEND_ASSIGN
1165 				 && opline->op2_type == IS_CONST
1166 				 && ssa->ops[op_1].op1_def == v
1167 				 && !RETURN_VALUE_USED(opline)
1168 				) {
1169 
1170 // op_1: ASSIGN ? -> #v [use_as_double], long(?) => ASSIGN ? -> #v, double(?)
1171 
1172 					zval *zv = CT_CONSTANT_EX(op_array, opline->op2.constant);
1173 					ZEND_ASSERT(Z_TYPE_INFO_P(zv) == IS_LONG);
1174 					ZVAL_DOUBLE(&tmp, zval_get_double(zv));
1175 					opline->op2.constant = zend_optimizer_add_literal(op_array, &tmp);
1176 
1177 				} else if (opline->opcode == ZEND_QM_ASSIGN
1178 				 && opline->op1_type == IS_CONST
1179 				) {
1180 
1181 // op_1: QM_ASSIGN #v [use_as_double], long(?) => QM_ASSIGN #v, double(?)
1182 
1183 					zval *zv = CT_CONSTANT_EX(op_array, opline->op1.constant);
1184 					ZEND_ASSERT(Z_TYPE_INFO_P(zv) == IS_LONG);
1185 					ZVAL_DOUBLE(&tmp, zval_get_double(zv));
1186 					opline->op1.constant = zend_optimizer_add_literal(op_array, &tmp);
1187 				}
1188 
1189 			} else {
1190 				if (opline->opcode == ZEND_ADD
1191 				 || opline->opcode == ZEND_SUB
1192 				 || opline->opcode == ZEND_MUL
1193 				 || opline->opcode == ZEND_IS_EQUAL
1194 				 || opline->opcode == ZEND_IS_NOT_EQUAL
1195 				 || opline->opcode == ZEND_IS_SMALLER
1196 				 || opline->opcode == ZEND_IS_SMALLER_OR_EQUAL
1197 				) {
1198 
1199 					if (opline->op1_type == IS_CONST && opline->op2_type != IS_CONST) {
1200 						zval *zv = CT_CONSTANT_EX(op_array, opline->op1.constant);
1201 
1202 						if ((OP2_INFO() & MAY_BE_ANY) == MAY_BE_DOUBLE
1203 						 && Z_TYPE_INFO_P(zv) == IS_LONG) {
1204 
1205 // op_1: #v.? = ADD long(?), #?.? [double] => #v.? = ADD double(?), #?.? [double]
1206 
1207 							ZVAL_DOUBLE(&tmp, zval_get_double(zv));
1208 							opline->op1.constant = zend_optimizer_add_literal(op_array, &tmp);
1209 							zv = CT_CONSTANT_EX(op_array, opline->op1.constant);
1210 						}
1211 						if (opline->opcode == ZEND_ADD) {
1212 							zv = CT_CONSTANT_EX(op_array, opline->op1.constant);
1213 
1214 							if (((OP2_INFO() & (MAY_BE_ANY|MAY_BE_UNDEF)) == MAY_BE_LONG
1215 							  && Z_TYPE_INFO_P(zv) == IS_LONG
1216 							  && Z_LVAL_P(zv) == 0)
1217 							 || ((OP2_INFO() & (MAY_BE_ANY|MAY_BE_UNDEF)) == MAY_BE_DOUBLE
1218 							  && Z_TYPE_INFO_P(zv) == IS_DOUBLE
1219 							  && Z_DVAL_P(zv) == 0.0)) {
1220 
1221 // op_1: #v.? = ADD 0, #?.? [double,long] => #v.? = QM_ASSIGN #?.?
1222 
1223 								opline->opcode = ZEND_QM_ASSIGN;
1224 								opline->op1_type = opline->op2_type;
1225 								opline->op1.var = opline->op2.var;
1226 								opline->op2_type = IS_UNUSED;
1227 								opline->op2.num = 0;
1228 								ssa->ops[op_1].op1_use = ssa->ops[op_1].op2_use;
1229 								ssa->ops[op_1].op1_use_chain = ssa->ops[op_1].op2_use_chain;
1230 								ssa->ops[op_1].op2_use = -1;
1231 								ssa->ops[op_1].op2_use_chain = -1;
1232 							}
1233 						} else if (opline->opcode == ZEND_MUL
1234 						 && (OP2_INFO() & ((MAY_BE_ANY|MAY_BE_UNDEF)-(MAY_BE_LONG|MAY_BE_DOUBLE))) == 0) {
1235 							zv = CT_CONSTANT_EX(op_array, opline->op1.constant);
1236 
1237 							if ((Z_TYPE_INFO_P(zv) == IS_LONG
1238 							  && Z_LVAL_P(zv) == 2)
1239 							 || (Z_TYPE_INFO_P(zv) == IS_DOUBLE
1240 							  && Z_DVAL_P(zv) == 2.0
1241 							  && !(OP2_INFO() & MAY_BE_LONG))) {
1242 
1243 // op_1: #v.? = MUL 2, #x.? [double,long] => #v.? = ADD #x.?, #x.?
1244 
1245 								opline->opcode = ZEND_ADD;
1246 								opline->op1_type = opline->op2_type;
1247 								opline->op1.var = opline->op2.var;
1248 								ssa->ops[op_1].op1_use = ssa->ops[op_1].op2_use;
1249 								ssa->ops[op_1].op1_use_chain = ssa->ops[op_1].op2_use_chain;
1250 							}
1251 						}
1252 					} else if (opline->op1_type != IS_CONST && opline->op2_type == IS_CONST) {
1253 						zval *zv = CT_CONSTANT_EX(op_array, opline->op2.constant);
1254 
1255 						if ((OP1_INFO() & MAY_BE_ANY) == MAY_BE_DOUBLE
1256 						 && Z_TYPE_INFO_P(CT_CONSTANT_EX(op_array, opline->op2.constant)) == IS_LONG) {
1257 
1258 // op_1: #v.? = ADD #?.? [double], long(?) => #v.? = ADD #?.? [double], double(?)
1259 
1260 							ZVAL_DOUBLE(&tmp, zval_get_double(zv));
1261 							opline->op2.constant = zend_optimizer_add_literal(op_array, &tmp);
1262 							zv = CT_CONSTANT_EX(op_array, opline->op2.constant);
1263 						}
1264 						if (opline->opcode == ZEND_ADD || opline->opcode == ZEND_SUB) {
1265 							if (((OP1_INFO() & (MAY_BE_ANY|MAY_BE_UNDEF)) == MAY_BE_LONG
1266 							  && Z_TYPE_INFO_P(zv) == IS_LONG
1267 							  && Z_LVAL_P(zv) == 0)
1268 							 || ((OP1_INFO() & (MAY_BE_ANY|MAY_BE_UNDEF)) == MAY_BE_DOUBLE
1269 							  && Z_TYPE_INFO_P(zv) == IS_DOUBLE
1270 							  && Z_DVAL_P(zv) == 0.0)) {
1271 
1272 // op_1: #v.? = ADD #?.? [double,long], 0 => #v.? = QM_ASSIGN #?.?
1273 
1274 								opline->opcode = ZEND_QM_ASSIGN;
1275 								opline->op2_type = IS_UNUSED;
1276 								opline->op2.num = 0;
1277 							}
1278 						} else if (opline->opcode == ZEND_MUL
1279 						 && (OP1_INFO() & ((MAY_BE_ANY|MAY_BE_UNDEF)-(MAY_BE_LONG|MAY_BE_DOUBLE))) == 0) {
1280 							zv = CT_CONSTANT_EX(op_array, opline->op2.constant);
1281 
1282 							if ((Z_TYPE_INFO_P(zv) == IS_LONG
1283 							  && Z_LVAL_P(zv) == 2)
1284 							 || (Z_TYPE_INFO_P(zv) == IS_DOUBLE
1285 							  && Z_DVAL_P(zv) == 2.0
1286 							  && !(OP1_INFO() & MAY_BE_LONG))) {
1287 
1288 // op_1: #v.? = MUL #x.? [double,long], 2 => #v.? = ADD #x.?, #x.?
1289 
1290 								opline->opcode = ZEND_ADD;
1291 								opline->op2_type = opline->op1_type;
1292 								opline->op2.var = opline->op1.var;
1293 								ssa->ops[op_1].op2_use = ssa->ops[op_1].op1_use;
1294 								ssa->ops[op_1].op2_use_chain = ssa->ops[op_1].op1_use_chain;
1295 							}
1296 						}
1297 					}
1298 				} else if (opline->opcode == ZEND_CONCAT) {
1299 					if (!(OP1_INFO() & MAY_BE_OBJECT)
1300 					 && !(OP2_INFO() & MAY_BE_OBJECT)) {
1301 						opline->opcode = ZEND_FAST_CONCAT;
1302 					}
1303 				} else if (opline->opcode == ZEND_VERIFY_RETURN_TYPE
1304 				 && opline->op1_type != IS_CONST
1305 				 && ssa->ops[op_1].op1_def == v
1306 				 && ssa->ops[op_1].op1_use >= 0) {
1307 					int orig_var = ssa->ops[op_1].op1_use;
1308 					int ret = ssa->vars[v].use_chain;
1309 
1310 					if (ssa->ops[op_1].op1_use_chain == -1
1311 					 && can_elide_return_type_check(ctx->script, op_array, ssa, &ssa->ops[op_1])) {
1312 
1313 // op_1: VERIFY_RETURN_TYPE #orig_var.? [T] -> #v.? [T] => NOP
1314 
1315 						zend_ssa_unlink_use_chain(ssa, op_1, orig_var);
1316 
1317 						if (ret >= 0) {
1318 							ssa->ops[ret].op1_use = orig_var;
1319 							ssa->ops[ret].op1_use_chain = ssa->vars[orig_var].use_chain;
1320 							ssa->vars[orig_var].use_chain = ret;
1321 						}
1322 
1323 						ssa->vars[v].definition = -1;
1324 						ssa->vars[v].use_chain = -1;
1325 
1326 						ssa->ops[op_1].op1_def = -1;
1327 						ssa->ops[op_1].op1_use = -1;
1328 
1329 						MAKE_NOP(opline);
1330 						remove_nops = 1;
1331 					} else if (ret >= 0
1332 					 && ssa->ops[ret].op1_use == v
1333 					 && ssa->ops[ret].op1_use_chain == -1
1334 					 && can_elide_return_type_check(ctx->script, op_array, ssa, &ssa->ops[op_1])) {
1335 
1336 // op_1: VERIFY_RETURN_TYPE #orig_var.? [T] -> #v.? [T] => NOP
1337 
1338 						zend_ssa_replace_use_chain(ssa, op_1, ret, orig_var);
1339 
1340 						ssa->ops[ret].op1_use = orig_var;
1341 						ssa->ops[ret].op1_use_chain = ssa->ops[op_1].op1_use_chain;
1342 
1343 						ssa->vars[v].definition = -1;
1344 						ssa->vars[v].use_chain = -1;
1345 
1346 						ssa->ops[op_1].op1_def = -1;
1347 						ssa->ops[op_1].op1_use = -1;
1348 
1349 						MAKE_NOP(opline);
1350 						remove_nops = 1;
1351 					}
1352 				}
1353 			}
1354 
1355 			if (opline->opcode == ZEND_QM_ASSIGN
1356 			 && ssa->ops[op_1].result_def == v
1357 			 && opline->op1_type & (IS_TMP_VAR|IS_VAR)
1358 			 && !(ssa->var_info[v].type & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))
1359 			) {
1360 
1361 				int src_var = ssa->ops[op_1].op1_use;
1362 
1363 				if (src_var >= 0
1364 				 && !(ssa->var_info[src_var].type & MAY_BE_REF)
1365 				 && (ssa->var_info[src_var].type & (MAY_BE_UNDEF|MAY_BE_ANY))
1366 				 && ssa->vars[src_var].definition >= 0
1367 				 && ssa->ops[ssa->vars[src_var].definition].result_def == src_var
1368 				 && ssa->ops[ssa->vars[src_var].definition].result_use < 0
1369 				 && ssa->vars[src_var].use_chain == op_1
1370 				 && ssa->ops[op_1].op1_use_chain < 0
1371 				 && !ssa->vars[src_var].phi_use_chain
1372 				 && !ssa->vars[src_var].sym_use_chain
1373 				 && opline_supports_assign_contraction(
1374 					 op_array, ssa, &op_array->opcodes[ssa->vars[src_var].definition],
1375 					 src_var, opline->result.var)
1376 				 && !variable_defined_or_used_in_range(ssa, EX_VAR_TO_NUM(opline->result.var),
1377 						ssa->vars[src_var].definition+1, op_1)
1378 				) {
1379 
1380 					int orig_var = ssa->ops[op_1].result_use;
1381 					int op_2 = ssa->vars[src_var].definition;
1382 
1383 // op_2: #src_var.T = OP ...                                        => #v.CV = OP ...
1384 // op_1: QM_ASSIGN #src_var.T #orig_var.CV [undef,scalar] -> #v.CV,    NOP
1385 
1386 					if (orig_var >= 0) {
1387 						zend_ssa_unlink_use_chain(ssa, op_1, orig_var);
1388 					}
1389 
1390 					/* Reconstruct SSA */
1391 					ssa->vars[v].definition = op_2;
1392 					ssa->ops[op_2].result_def = v;
1393 
1394 					ssa->vars[src_var].definition = -1;
1395 					ssa->vars[src_var].use_chain = -1;
1396 
1397 					ssa->ops[op_1].op1_use = -1;
1398 					ssa->ops[op_1].op1_def = -1;
1399 					ssa->ops[op_1].op1_use_chain = -1;
1400 					ssa->ops[op_1].result_use = -1;
1401 					ssa->ops[op_1].result_def = -1;
1402 					ssa->ops[op_1].res_use_chain = -1;
1403 
1404 					/* Update opcodes */
1405 					op_array->opcodes[op_2].result_type = opline->result_type;
1406 					op_array->opcodes[op_2].result.var = opline->result.var;
1407 
1408 					MAKE_NOP(opline);
1409 					remove_nops = 1;
1410 
1411 					if (op_array->opcodes[op_2].opcode == ZEND_SUB
1412 					 && op_array->opcodes[op_2].op1_type == op_array->opcodes[op_2].result_type
1413 					 && op_array->opcodes[op_2].op1.var == op_array->opcodes[op_2].result.var
1414 					 && op_array->opcodes[op_2].op2_type == IS_CONST
1415 					 && Z_TYPE_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == IS_LONG
1416 					 && Z_LVAL_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == 1
1417 					 && ssa->ops[op_2].op1_use >= 0
1418 					 && !(ssa->var_info[ssa->ops[op_2].op1_use].type & (MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1419 
1420 						op_array->opcodes[op_2].opcode = ZEND_PRE_DEC;
1421 						SET_UNUSED(op_array->opcodes[op_2].op2);
1422 						SET_UNUSED(op_array->opcodes[op_2].result);
1423 
1424 						ssa->ops[op_2].result_def = -1;
1425 						ssa->ops[op_2].op1_def = v;
1426 
1427 					} else if (op_array->opcodes[op_2].opcode == ZEND_ADD
1428 					 && op_array->opcodes[op_2].op1_type == op_array->opcodes[op_2].result_type
1429 					 && op_array->opcodes[op_2].op1.var == op_array->opcodes[op_2].result.var
1430 					 && op_array->opcodes[op_2].op2_type == IS_CONST
1431 					 && Z_TYPE_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == IS_LONG
1432 					 && Z_LVAL_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == 1
1433 					 && ssa->ops[op_2].op1_use >= 0
1434 					 && !(ssa->var_info[ssa->ops[op_2].op1_use].type & (MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1435 
1436 						op_array->opcodes[op_2].opcode = ZEND_PRE_INC;
1437 						SET_UNUSED(op_array->opcodes[op_2].op2);
1438 						SET_UNUSED(op_array->opcodes[op_2].result);
1439 
1440 						ssa->ops[op_2].result_def = -1;
1441 						ssa->ops[op_2].op1_def = v;
1442 
1443 					} else if (op_array->opcodes[op_2].opcode == ZEND_ADD
1444 					 && op_array->opcodes[op_2].op2_type == op_array->opcodes[op_2].result_type
1445 					 && op_array->opcodes[op_2].op2.var == op_array->opcodes[op_2].result.var
1446 					 && op_array->opcodes[op_2].op1_type == IS_CONST
1447 					 && Z_TYPE_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op1.constant)) == IS_LONG
1448 					 && Z_LVAL_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op1.constant)) == 1
1449 					 && ssa->ops[op_2].op2_use >= 0
1450 					 && !(ssa->var_info[ssa->ops[op_2].op2_use].type & (MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1451 
1452 						op_array->opcodes[op_2].opcode = ZEND_PRE_INC;
1453 						op_array->opcodes[op_2].op1_type = op_array->opcodes[op_2].op2_type;
1454 						op_array->opcodes[op_2].op1.var = op_array->opcodes[op_2].op2.var;
1455 						SET_UNUSED(op_array->opcodes[op_2].op2);
1456 						SET_UNUSED(op_array->opcodes[op_2].result);
1457 
1458 						ssa->ops[op_2].result_def = -1;
1459 						ssa->ops[op_2].op1_def = v;
1460 						ssa->ops[op_2].op1_use = ssa->ops[op_2].op2_use;
1461 						ssa->ops[op_2].op1_use_chain = ssa->ops[op_2].op2_use_chain;
1462 						ssa->ops[op_2].op2_use = -1;
1463 						ssa->ops[op_2].op2_use_chain = -1;
1464 					}
1465 				}
1466 			}
1467 
1468 			if (ssa->vars[v].var >= op_array->last_var) {
1469 				/* skip TMP and VAR */
1470 				continue;
1471 			}
1472 
1473 			if (ssa->ops[op_1].op1_def == v
1474 			 && RETURN_VALUE_USED(opline)) {
1475 				if (opline->opcode == ZEND_ASSIGN
1476 				 || opline->opcode == ZEND_ASSIGN_OP
1477 				 || opline->opcode == ZEND_PRE_INC
1478 				 || opline->opcode == ZEND_PRE_DEC) {
1479 					zend_dfa_try_to_replace_result(op_array, ssa, op_1, v);
1480 				} else if (opline->opcode == ZEND_POST_INC) {
1481 					int result_var = ssa->ops[op_1].result_def;
1482 
1483 					if (result_var >= 0
1484 					 && (ssa->var_info[result_var].type & ((MAY_BE_ANY|MAY_BE_REF|MAY_BE_UNDEF) - (MAY_BE_LONG|MAY_BE_DOUBLE))) == 0) {
1485 						int use = ssa->vars[result_var].use_chain;
1486 
1487 						if (use >= 0 && op_array->opcodes[use].opcode == ZEND_IS_SMALLER
1488 						 && ssa->ops[use].op1_use == result_var
1489 						 && zend_dfa_try_to_replace_result(op_array, ssa, op_1, v)) {
1490 							opline->opcode = ZEND_PRE_INC;
1491 							op_array->opcodes[use].opcode = ZEND_IS_SMALLER_OR_EQUAL;
1492 						}
1493 					}
1494 				} else if (opline->opcode == ZEND_POST_DEC) {
1495 					int result_var = ssa->ops[op_1].result_def;
1496 
1497 					if (result_var >= 0
1498 					 && (ssa->var_info[result_var].type & ((MAY_BE_ANY|MAY_BE_REF|MAY_BE_UNDEF) - (MAY_BE_LONG|MAY_BE_DOUBLE))) == 0) {
1499 						int use = ssa->vars[result_var].use_chain;
1500 
1501 						if (use >= 0 && op_array->opcodes[use].opcode == ZEND_IS_SMALLER
1502 						 && ssa->ops[use].op2_use == result_var
1503 						 && zend_dfa_try_to_replace_result(op_array, ssa, op_1, v)) {
1504 							opline->opcode = ZEND_PRE_DEC;
1505 							op_array->opcodes[use].opcode = ZEND_IS_SMALLER_OR_EQUAL;
1506 						}
1507 					}
1508 				}
1509 			}
1510 
1511 			if (opline->opcode == ZEND_ASSIGN
1512 			 && ssa->ops[op_1].op1_def == v
1513 			 && !RETURN_VALUE_USED(opline)
1514 			) {
1515 				int orig_var = ssa->ops[op_1].op1_use;
1516 
1517 				if (orig_var >= 0
1518 				 && !(ssa->var_info[orig_var].type & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))
1519 				) {
1520 					int src_var = ssa->ops[op_1].op2_use;
1521 
1522 					if ((opline->op2_type & (IS_TMP_VAR|IS_VAR))
1523 					 && src_var >= 0
1524 					 && !(ssa->var_info[src_var].type & MAY_BE_REF)
1525 					 && (ssa->var_info[src_var].type & (MAY_BE_UNDEF|MAY_BE_ANY))
1526 					 && ssa->vars[src_var].definition >= 0
1527 					 && ssa->ops[ssa->vars[src_var].definition].result_def == src_var
1528 					 && ssa->ops[ssa->vars[src_var].definition].result_use < 0
1529 					 && ssa->vars[src_var].use_chain == op_1
1530 					 && ssa->ops[op_1].op2_use_chain < 0
1531 					 && !ssa->vars[src_var].phi_use_chain
1532 					 && !ssa->vars[src_var].sym_use_chain
1533 					 && opline_supports_assign_contraction(
1534 						 op_array, ssa, &op_array->opcodes[ssa->vars[src_var].definition],
1535 						 src_var, opline->op1.var)
1536 					 && !variable_defined_or_used_in_range(ssa, EX_VAR_TO_NUM(opline->op1.var),
1537 							ssa->vars[src_var].definition+1, op_1)
1538 					) {
1539 
1540 						int op_2 = ssa->vars[src_var].definition;
1541 
1542 // op_2: #src_var.T = OP ...                                     => #v.CV = OP ...
1543 // op_1: ASSIGN #orig_var.CV [undef,scalar] -> #v.CV, #src_var.T    NOP
1544 
1545 						zend_ssa_unlink_use_chain(ssa, op_1, orig_var);
1546 						/* Reconstruct SSA */
1547 						ssa->vars[v].definition = op_2;
1548 						ssa->ops[op_2].result_def = v;
1549 
1550 						ssa->vars[src_var].definition = -1;
1551 						ssa->vars[src_var].use_chain = -1;
1552 
1553 						ssa->ops[op_1].op1_use = -1;
1554 						ssa->ops[op_1].op2_use = -1;
1555 						ssa->ops[op_1].op1_def = -1;
1556 						ssa->ops[op_1].op1_use_chain = -1;
1557 
1558 						/* Update opcodes */
1559 						op_array->opcodes[op_2].result_type = opline->op1_type;
1560 						op_array->opcodes[op_2].result.var = opline->op1.var;
1561 
1562 						MAKE_NOP(opline);
1563 						remove_nops = 1;
1564 
1565 						if (op_array->opcodes[op_2].opcode == ZEND_SUB
1566 						 && op_array->opcodes[op_2].op1_type == op_array->opcodes[op_2].result_type
1567 						 && op_array->opcodes[op_2].op1.var == op_array->opcodes[op_2].result.var
1568 						 && op_array->opcodes[op_2].op2_type == IS_CONST
1569 						 && Z_TYPE_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == IS_LONG
1570 						 && Z_LVAL_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == 1
1571 						 && ssa->ops[op_2].op1_use >= 0
1572 						 && !(ssa->var_info[ssa->ops[op_2].op1_use].type & (MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1573 
1574 							op_array->opcodes[op_2].opcode = ZEND_PRE_DEC;
1575 							SET_UNUSED(op_array->opcodes[op_2].op2);
1576 							SET_UNUSED(op_array->opcodes[op_2].result);
1577 
1578 							ssa->ops[op_2].result_def = -1;
1579 							ssa->ops[op_2].op1_def = v;
1580 
1581 						} else if (op_array->opcodes[op_2].opcode == ZEND_ADD
1582 						 && op_array->opcodes[op_2].op1_type == op_array->opcodes[op_2].result_type
1583 						 && op_array->opcodes[op_2].op1.var == op_array->opcodes[op_2].result.var
1584 						 && op_array->opcodes[op_2].op2_type == IS_CONST
1585 						 && Z_TYPE_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == IS_LONG
1586 						 && Z_LVAL_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == 1
1587 						 && ssa->ops[op_2].op1_use >= 0
1588 						 && !(ssa->var_info[ssa->ops[op_2].op1_use].type & (MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1589 
1590 							op_array->opcodes[op_2].opcode = ZEND_PRE_INC;
1591 							SET_UNUSED(op_array->opcodes[op_2].op2);
1592 							SET_UNUSED(op_array->opcodes[op_2].result);
1593 
1594 							ssa->ops[op_2].result_def = -1;
1595 							ssa->ops[op_2].op1_def = v;
1596 
1597 						} else if (op_array->opcodes[op_2].opcode == ZEND_ADD
1598 						 && op_array->opcodes[op_2].op2_type == op_array->opcodes[op_2].result_type
1599 						 && op_array->opcodes[op_2].op2.var == op_array->opcodes[op_2].result.var
1600 						 && op_array->opcodes[op_2].op1_type == IS_CONST
1601 						 && Z_TYPE_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op1.constant)) == IS_LONG
1602 						 && Z_LVAL_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op1.constant)) == 1
1603 						 && ssa->ops[op_2].op2_use >= 0
1604 						 && !(ssa->var_info[ssa->ops[op_2].op2_use].type & (MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1605 
1606 							op_array->opcodes[op_2].opcode = ZEND_PRE_INC;
1607 							op_array->opcodes[op_2].op1_type = op_array->opcodes[op_2].op2_type;
1608 							op_array->opcodes[op_2].op1.var = op_array->opcodes[op_2].op2.var;
1609 							SET_UNUSED(op_array->opcodes[op_2].op2);
1610 							SET_UNUSED(op_array->opcodes[op_2].result);
1611 
1612 							ssa->ops[op_2].result_def = -1;
1613 							ssa->ops[op_2].op1_def = v;
1614 							ssa->ops[op_2].op1_use = ssa->ops[op_2].op2_use;
1615 							ssa->ops[op_2].op1_use_chain = ssa->ops[op_2].op2_use_chain;
1616 							ssa->ops[op_2].op2_use = -1;
1617 							ssa->ops[op_2].op2_use_chain = -1;
1618 						}
1619 					} else if (opline->op2_type == IS_CONST
1620 					 || ((opline->op2_type & (IS_TMP_VAR|IS_VAR|IS_CV))
1621 					     && ssa->ops[op_1].op2_use >= 0
1622 					     && ssa->ops[op_1].op2_def < 0)
1623 					) {
1624 
1625 // op_1: ASSIGN #orig_var.CV [undef,scalar] -> #v.CV, CONST|TMPVAR => QM_ASSIGN v.CV, CONST|TMPVAR
1626 
1627 						if (ssa->ops[op_1].op1_use != ssa->ops[op_1].op2_use) {
1628 							zend_ssa_unlink_use_chain(ssa, op_1, orig_var);
1629 						} else {
1630 							ssa->ops[op_1].op2_use_chain = ssa->ops[op_1].op1_use_chain;
1631 						}
1632 
1633 						/* Reconstruct SSA */
1634 						ssa->ops[op_1].result_def = v;
1635 						ssa->ops[op_1].op1_def = -1;
1636 						ssa->ops[op_1].op1_use = ssa->ops[op_1].op2_use;
1637 						ssa->ops[op_1].op1_use_chain = ssa->ops[op_1].op2_use_chain;
1638 						ssa->ops[op_1].op2_use = -1;
1639 						ssa->ops[op_1].op2_use_chain = -1;
1640 
1641 						/* Update opcode */
1642 						opline->result_type = opline->op1_type;
1643 						opline->result.var = opline->op1.var;
1644 						opline->op1_type = opline->op2_type;
1645 						opline->op1.var = opline->op2.var;
1646 						opline->op2_type = IS_UNUSED;
1647 						opline->op2.var = 0;
1648 						opline->opcode = ZEND_QM_ASSIGN;
1649 					}
1650 				}
1651 
1652 			} else if (opline->opcode == ZEND_ASSIGN_OP
1653 			 && opline->extended_value == ZEND_ADD
1654 			 && ssa->ops[op_1].op1_def == v
1655 			 && opline->op2_type == IS_CONST
1656 			 && Z_TYPE_P(CT_CONSTANT_EX(op_array, opline->op2.constant)) == IS_LONG
1657 			 && Z_LVAL_P(CT_CONSTANT_EX(op_array, opline->op2.constant)) == 1
1658 			 && ssa->ops[op_1].op1_use >= 0
1659 			 && !(ssa->var_info[ssa->ops[op_1].op1_use].type & (MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1660 
1661 // op_1: ASSIGN_ADD #?.CV [undef,null,int,foat] ->#v.CV, int(1) => PRE_INC #?.CV ->#v.CV
1662 
1663 				opline->opcode = ZEND_PRE_INC;
1664 				opline->extended_value = 0;
1665 				SET_UNUSED(opline->op2);
1666 
1667 			} else if (opline->opcode == ZEND_ASSIGN_OP
1668 			 && opline->extended_value == ZEND_SUB
1669 			 && ssa->ops[op_1].op1_def == v
1670 			 && opline->op2_type == IS_CONST
1671 			 && Z_TYPE_P(CT_CONSTANT_EX(op_array, opline->op2.constant)) == IS_LONG
1672 			 && Z_LVAL_P(CT_CONSTANT_EX(op_array, opline->op2.constant)) == 1
1673 			 && ssa->ops[op_1].op1_use >= 0
1674 			 && !(ssa->var_info[ssa->ops[op_1].op1_use].type & (MAY_BE_UNDEF|MAY_BE_NULL|MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1675 
1676 // op_1: ASSIGN_SUB #?.CV [undef,null,int,foat] -> #v.CV, int(1) => PRE_DEC #?.CV ->#v.CV
1677 
1678 				opline->opcode = ZEND_PRE_DEC;
1679 				opline->extended_value = 0;
1680 				SET_UNUSED(opline->op2);
1681 
1682 			} else if (ssa->ops[op_1].op1_def == v
1683 			 && !RETURN_VALUE_USED(opline)
1684 			 && ssa->ops[op_1].op1_use >= 0
1685 			 && !(ssa->var_info[ssa->ops[op_1].op1_use].type & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))
1686 			 && opline->opcode == ZEND_ASSIGN_OP
1687 			 && opline->extended_value != ZEND_CONCAT) {
1688 
1689 // op_1: ASSIGN_OP #orig_var.CV [undef,null,bool,int,double] -> #v.CV, ? => #v.CV = ADD #orig_var.CV, ?
1690 
1691 				/* Reconstruct SSA */
1692 				ssa->ops[op_1].result_def = ssa->ops[op_1].op1_def;
1693 				ssa->ops[op_1].op1_def = -1;
1694 
1695 				/* Update opcode */
1696 				opline->opcode = opline->extended_value;
1697 				opline->extended_value = 0;
1698 				opline->result_type = opline->op1_type;
1699 				opline->result.var = opline->op1.var;
1700 
1701 			}
1702 		}
1703 
1704 #if ZEND_DEBUG_DFA
1705 		ssa_verify_integrity(op_array, ssa, "after dfa");
1706 #endif
1707 
1708 		if (remove_nops) {
1709 			zend_ssa_remove_nops(op_array, ssa, ctx);
1710 #if ZEND_DEBUG_DFA
1711 			ssa_verify_integrity(op_array, ssa, "after nop");
1712 #endif
1713 		}
1714 	}
1715 
1716 	if (ctx->debug_level & ZEND_DUMP_AFTER_DFA_PASS) {
1717 		zend_dump_op_array(op_array, ZEND_DUMP_SSA, "after dfa pass", ssa);
1718 	}
1719 }
1720 
zend_optimize_dfa(zend_op_array * op_array,zend_optimizer_ctx * ctx)1721 void zend_optimize_dfa(zend_op_array *op_array, zend_optimizer_ctx *ctx)
1722 {
1723 	void *checkpoint = zend_arena_checkpoint(ctx->arena);
1724 	zend_ssa ssa;
1725 
1726 	if (zend_dfa_analyze_op_array(op_array, ctx, &ssa) == FAILURE) {
1727 		zend_arena_release(&ctx->arena, checkpoint);
1728 		return;
1729 	}
1730 
1731 	zend_dfa_optimize_op_array(op_array, ctx, &ssa, NULL);
1732 
1733 	/* Destroy SSA */
1734 	zend_arena_release(&ctx->arena, checkpoint);
1735 }
1736