1 /*
2 +----------------------------------------------------------------------+
3 | Zend OPcache |
4 +----------------------------------------------------------------------+
5 | Copyright (c) The PHP Group |
6 +----------------------------------------------------------------------+
7 | This source file is subject to version 3.01 of the PHP license, |
8 | that is bundled with this package in the file LICENSE, and is |
9 | available through the world-wide-web at the following url: |
10 | https://www.php.net/license/3_01.txt |
11 | If you did not receive a copy of the PHP license and are unable to |
12 | obtain it through the world-wide-web, please send a note to |
13 | license@php.net so we can mail you a copy immediately. |
14 +----------------------------------------------------------------------+
15 | Authors: Dmitry Stogov <dmitry@php.net> |
16 +----------------------------------------------------------------------+
17 */
18
19 #include "Optimizer/zend_optimizer.h"
20 #include "Optimizer/zend_optimizer_internal.h"
21 #include "zend_API.h"
22 #include "zend_constants.h"
23 #include "zend_execute.h"
24 #include "zend_vm.h"
25 #include "zend_bitset.h"
26 #include "zend_cfg.h"
27 #include "zend_ssa.h"
28 #include "zend_func_info.h"
29 #include "zend_call_graph.h"
30 #include "zend_inference.h"
31 #include "zend_dump.h"
32
33 #ifndef ZEND_DEBUG_DFA
34 # define ZEND_DEBUG_DFA ZEND_DEBUG
35 #endif
36
37 #if ZEND_DEBUG_DFA
38 # include "ssa_integrity.c"
39 #endif
40
zend_dfa_analyze_op_array(zend_op_array * op_array,zend_optimizer_ctx * ctx,zend_ssa * ssa)41 int zend_dfa_analyze_op_array(zend_op_array *op_array, zend_optimizer_ctx *ctx, zend_ssa *ssa)
42 {
43 uint32_t build_flags;
44
45 if (op_array->last_try_catch) {
46 /* TODO: we can't analyze functions with try/catch/finally ??? */
47 return FAILURE;
48 }
49
50 /* Build SSA */
51 memset(ssa, 0, sizeof(zend_ssa));
52
53 if (zend_build_cfg(&ctx->arena, op_array, ZEND_CFG_NO_ENTRY_PREDECESSORS, &ssa->cfg) != SUCCESS) {
54 return FAILURE;
55 }
56
57 if ((ssa->cfg.flags & ZEND_FUNC_INDIRECT_VAR_ACCESS)) {
58 /* TODO: we can't analyze functions with indirect variable access ??? */
59 return FAILURE;
60 }
61
62 if (zend_cfg_build_predecessors(&ctx->arena, &ssa->cfg) != SUCCESS) {
63 return FAILURE;
64 }
65
66 if (ctx->debug_level & ZEND_DUMP_DFA_CFG) {
67 zend_dump_op_array(op_array, ZEND_DUMP_CFG, "dfa cfg", &ssa->cfg);
68 }
69
70 /* Compute Dominators Tree */
71 if (zend_cfg_compute_dominators_tree(op_array, &ssa->cfg) != SUCCESS) {
72 return FAILURE;
73 }
74
75 /* Identify reducible and irreducible loops */
76 if (zend_cfg_identify_loops(op_array, &ssa->cfg) != SUCCESS) {
77 return FAILURE;
78 }
79
80 if (ctx->debug_level & ZEND_DUMP_DFA_DOMINATORS) {
81 zend_dump_dominators(op_array, &ssa->cfg);
82 }
83
84 build_flags = 0;
85 if (ctx->debug_level & ZEND_DUMP_DFA_LIVENESS) {
86 build_flags |= ZEND_SSA_DEBUG_LIVENESS;
87 }
88 if (ctx->debug_level & ZEND_DUMP_DFA_PHI) {
89 build_flags |= ZEND_SSA_DEBUG_PHI_PLACEMENT;
90 }
91 if (zend_build_ssa(&ctx->arena, ctx->script, op_array, build_flags, ssa) != SUCCESS) {
92 return FAILURE;
93 }
94
95 if (ctx->debug_level & ZEND_DUMP_DFA_SSA) {
96 zend_dump_op_array(op_array, ZEND_DUMP_SSA, "dfa ssa", ssa);
97 }
98
99
100 if (zend_ssa_compute_use_def_chains(&ctx->arena, op_array, ssa) != SUCCESS){
101 return FAILURE;
102 }
103
104 if (zend_ssa_find_false_dependencies(op_array, ssa) != SUCCESS) {
105 return FAILURE;
106 }
107
108 if (zend_ssa_find_sccs(op_array, ssa) != SUCCESS){
109 return FAILURE;
110 }
111
112 if (zend_ssa_inference(&ctx->arena, op_array, ctx->script, ssa, ctx->optimization_level) != SUCCESS) {
113 return FAILURE;
114 }
115
116 if (zend_ssa_escape_analysis(ctx->script, op_array, ssa) != SUCCESS) {
117 return FAILURE;
118 }
119
120 if (ctx->debug_level & ZEND_DUMP_DFA_SSA_VARS) {
121 zend_dump_ssa_variables(op_array, ssa, 0);
122 }
123
124 return SUCCESS;
125 }
126
zend_ssa_remove_nops(zend_op_array * op_array,zend_ssa * ssa,zend_optimizer_ctx * ctx)127 static void zend_ssa_remove_nops(zend_op_array *op_array, zend_ssa *ssa, zend_optimizer_ctx *ctx)
128 {
129 zend_basic_block *blocks = ssa->cfg.blocks;
130 zend_basic_block *blocks_end = blocks + ssa->cfg.blocks_count;
131 zend_basic_block *b;
132 zend_func_info *func_info;
133 int j;
134 uint32_t i = 0;
135 uint32_t target = 0;
136 uint32_t *shiftlist;
137 ALLOCA_FLAG(use_heap);
138
139 shiftlist = (uint32_t *)do_alloca(sizeof(uint32_t) * op_array->last, use_heap);
140 memset(shiftlist, 0, sizeof(uint32_t) * op_array->last);
141 /* remove empty callee_info */
142 func_info = ZEND_FUNC_INFO(op_array);
143 if (func_info) {
144 zend_call_info **call_info = &func_info->callee_info;
145 while ((*call_info)) {
146 if ((*call_info)->caller_init_opline->opcode == ZEND_NOP) {
147 *call_info = (*call_info)->next_callee;
148 } else {
149 call_info = &(*call_info)->next_callee;
150 }
151 }
152 }
153
154 for (b = blocks; b < blocks_end; b++) {
155 if (b->flags & (ZEND_BB_REACHABLE|ZEND_BB_UNREACHABLE_FREE)) {
156 if (b->len) {
157 uint32_t new_start, old_end;
158 while (i < b->start) {
159 shiftlist[i] = i - target;
160 i++;
161 }
162
163 if (b->flags & ZEND_BB_UNREACHABLE_FREE) {
164 /* Only keep the FREE for the loop var */
165 ZEND_ASSERT(op_array->opcodes[b->start].opcode == ZEND_FREE
166 || op_array->opcodes[b->start].opcode == ZEND_FE_FREE);
167 b->len = 1;
168 }
169
170 new_start = target;
171 old_end = b->start + b->len;
172 while (i < old_end) {
173 shiftlist[i] = i - target;
174 if (EXPECTED(op_array->opcodes[i].opcode != ZEND_NOP)) {
175 if (i != target) {
176 op_array->opcodes[target] = op_array->opcodes[i];
177 ssa->ops[target] = ssa->ops[i];
178 ssa->cfg.map[target] = b - blocks;
179 }
180 target++;
181 }
182 i++;
183 }
184 b->start = new_start;
185 if (target != old_end) {
186 zend_op *opline;
187 zend_op *new_opline;
188
189 b->len = target - b->start;
190 opline = op_array->opcodes + old_end - 1;
191 if (opline->opcode == ZEND_NOP) {
192 continue;
193 }
194
195 new_opline = op_array->opcodes + target - 1;
196 zend_optimizer_migrate_jump(op_array, new_opline, opline);
197 }
198 } else {
199 b->start = target;
200 }
201 } else {
202 b->start = target;
203 b->len = 0;
204 }
205 }
206
207 if (target != op_array->last) {
208 /* reset rest opcodes */
209 for (i = target; i < op_array->last; i++) {
210 MAKE_NOP(op_array->opcodes + i);
211 }
212
213 /* update SSA variables */
214 for (j = 0; j < ssa->vars_count; j++) {
215 if (ssa->vars[j].definition >= 0) {
216 ssa->vars[j].definition -= shiftlist[ssa->vars[j].definition];
217 }
218 if (ssa->vars[j].use_chain >= 0) {
219 ssa->vars[j].use_chain -= shiftlist[ssa->vars[j].use_chain];
220 }
221 }
222 for (i = 0; i < op_array->last; i++) {
223 if (ssa->ops[i].op1_use_chain >= 0) {
224 ssa->ops[i].op1_use_chain -= shiftlist[ssa->ops[i].op1_use_chain];
225 }
226 if (ssa->ops[i].op2_use_chain >= 0) {
227 ssa->ops[i].op2_use_chain -= shiftlist[ssa->ops[i].op2_use_chain];
228 }
229 if (ssa->ops[i].res_use_chain >= 0) {
230 ssa->ops[i].res_use_chain -= shiftlist[ssa->ops[i].res_use_chain];
231 }
232 }
233
234 /* update branch targets */
235 for (b = blocks; b < blocks_end; b++) {
236 if ((b->flags & ZEND_BB_REACHABLE) && b->len != 0) {
237 zend_op *opline = op_array->opcodes + b->start + b->len - 1;
238 zend_optimizer_shift_jump(op_array, opline, shiftlist);
239 }
240 }
241
242 /* update try/catch array */
243 for (j = 0; j < op_array->last_try_catch; j++) {
244 op_array->try_catch_array[j].try_op -= shiftlist[op_array->try_catch_array[j].try_op];
245 op_array->try_catch_array[j].catch_op -= shiftlist[op_array->try_catch_array[j].catch_op];
246 if (op_array->try_catch_array[j].finally_op) {
247 op_array->try_catch_array[j].finally_op -= shiftlist[op_array->try_catch_array[j].finally_op];
248 op_array->try_catch_array[j].finally_end -= shiftlist[op_array->try_catch_array[j].finally_end];
249 }
250 }
251
252 /* update early binding list */
253 if (op_array->fn_flags & ZEND_ACC_EARLY_BINDING) {
254 uint32_t *opline_num = &ctx->script->first_early_binding_opline;
255
256 ZEND_ASSERT(op_array == &ctx->script->main_op_array);
257 do {
258 *opline_num -= shiftlist[*opline_num];
259 opline_num = &op_array->opcodes[*opline_num].result.opline_num;
260 } while (*opline_num != (uint32_t)-1);
261 }
262
263 /* update call graph */
264 if (func_info) {
265 zend_call_info *call_info = func_info->callee_info;
266 while (call_info) {
267 call_info->caller_init_opline -=
268 shiftlist[call_info->caller_init_opline - op_array->opcodes];
269 if (call_info->caller_call_opline) {
270 call_info->caller_call_opline -=
271 shiftlist[call_info->caller_call_opline - op_array->opcodes];
272 }
273 call_info = call_info->next_callee;
274 }
275 }
276
277 op_array->last = target;
278 }
279 free_alloca(shiftlist, use_heap);
280 }
281
safe_instanceof(zend_class_entry * ce1,zend_class_entry * ce2)282 static bool safe_instanceof(zend_class_entry *ce1, zend_class_entry *ce2) {
283 if (ce1 == ce2) {
284 return 1;
285 }
286 if (!(ce1->ce_flags & ZEND_ACC_LINKED)) {
287 /* This case could be generalized, similarly to unlinked_instanceof */
288 return 0;
289 }
290 return instanceof_function(ce1, ce2);
291 }
292
can_elide_return_type_check(const zend_script * script,zend_op_array * op_array,zend_ssa * ssa,zend_ssa_op * ssa_op)293 static inline bool can_elide_return_type_check(
294 const zend_script *script, zend_op_array *op_array, zend_ssa *ssa, zend_ssa_op *ssa_op) {
295 zend_arg_info *arg_info = &op_array->arg_info[-1];
296 zend_ssa_var_info *use_info = &ssa->var_info[ssa_op->op1_use];
297 uint32_t use_type = use_info->type & (MAY_BE_ANY|MAY_BE_UNDEF);
298 if (use_type & MAY_BE_REF) {
299 return 0;
300 }
301
302 if (use_type & MAY_BE_UNDEF) {
303 use_type &= ~MAY_BE_UNDEF;
304 use_type |= MAY_BE_NULL;
305 }
306
307 uint32_t disallowed_types = use_type & ~ZEND_TYPE_PURE_MASK(arg_info->type);
308 if (!disallowed_types) {
309 /* Only contains allowed types. */
310 return true;
311 }
312
313 if (disallowed_types == MAY_BE_OBJECT && use_info->ce && ZEND_TYPE_IS_COMPLEX(arg_info->type)) {
314 zend_type *single_type;
315 /* For intersection: result==false is failure, default is success.
316 * For union: result==true is success, default is failure. */
317 bool is_intersection = ZEND_TYPE_IS_INTERSECTION(arg_info->type);
318 ZEND_TYPE_FOREACH(arg_info->type, single_type) {
319 if (ZEND_TYPE_HAS_NAME(*single_type)) {
320 zend_string *lcname = zend_string_tolower(ZEND_TYPE_NAME(*single_type));
321 zend_class_entry *ce = zend_optimizer_get_class_entry(script, lcname);
322 zend_string_release(lcname);
323 bool result = ce && safe_instanceof(use_info->ce, ce);
324 if (result == !is_intersection) {
325 return result;
326 }
327 }
328 } ZEND_TYPE_FOREACH_END();
329 return is_intersection;
330 }
331
332 return false;
333 }
334
opline_supports_assign_contraction(zend_op_array * op_array,zend_ssa * ssa,zend_op * opline,int src_var,uint32_t cv_var)335 static bool opline_supports_assign_contraction(
336 zend_op_array *op_array, zend_ssa *ssa, zend_op *opline, int src_var, uint32_t cv_var) {
337 if (opline->opcode == ZEND_NEW) {
338 /* see Zend/tests/generators/aborted_yield_during_new.phpt */
339 return 0;
340 }
341
342 if (opline->opcode == ZEND_DO_ICALL || opline->opcode == ZEND_DO_UCALL
343 || opline->opcode == ZEND_DO_FCALL || opline->opcode == ZEND_DO_FCALL_BY_NAME) {
344 /* Function calls may dtor the return value after it has already been written -- allow
345 * direct assignment only for types where a double-dtor does not matter. */
346 uint32_t type = ssa->var_info[src_var].type;
347 uint32_t simple = MAY_BE_NULL|MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_LONG|MAY_BE_DOUBLE;
348 return !((type & MAY_BE_ANY) & ~simple);
349 }
350
351 if (opline->opcode == ZEND_POST_INC || opline->opcode == ZEND_POST_DEC) {
352 /* POST_INC/DEC write the result variable before performing the inc/dec. For $i = $i++
353 * eliding the temporary variable would thus yield an incorrect result. */
354 return opline->op1_type != IS_CV || opline->op1.var != cv_var;
355 }
356
357 if (opline->opcode == ZEND_INIT_ARRAY) {
358 /* INIT_ARRAY initializes the result array before reading key/value. */
359 return (opline->op1_type != IS_CV || opline->op1.var != cv_var)
360 && (opline->op2_type != IS_CV || opline->op2.var != cv_var);
361 }
362
363 if (opline->opcode == ZEND_CAST
364 && (opline->extended_value == IS_ARRAY || opline->extended_value == IS_OBJECT)) {
365 /* CAST to array/object may initialize the result to an empty array/object before
366 * reading the expression. */
367 return opline->op1_type != IS_CV || opline->op1.var != cv_var;
368 }
369
370 if ((opline->opcode == ZEND_ASSIGN_OP
371 || opline->opcode == ZEND_ASSIGN_OBJ
372 || opline->opcode == ZEND_ASSIGN_DIM
373 || opline->opcode == ZEND_ASSIGN_OBJ_OP
374 || opline->opcode == ZEND_ASSIGN_DIM_OP)
375 && opline->op1_type == IS_CV
376 && opline->op1.var == cv_var
377 && zend_may_throw(opline, &ssa->ops[ssa->vars[src_var].definition], op_array, ssa)) {
378 return 0;
379 }
380
381 return 1;
382 }
383
variable_defined_or_used_in_range(zend_ssa * ssa,int var,int start,int end)384 static bool variable_defined_or_used_in_range(zend_ssa *ssa, int var, int start, int end)
385 {
386 while (start < end) {
387 const zend_ssa_op *ssa_op = &ssa->ops[start];
388 if ((ssa_op->op1_def >= 0 && ssa->vars[ssa_op->op1_def].var == var) ||
389 (ssa_op->op2_def >= 0 && ssa->vars[ssa_op->op2_def].var == var) ||
390 (ssa_op->result_def >= 0 && ssa->vars[ssa_op->result_def].var == var) ||
391 (ssa_op->op1_use >= 0 && ssa->vars[ssa_op->op1_use].var == var) ||
392 (ssa_op->op2_use >= 0 && ssa->vars[ssa_op->op2_use].var == var) ||
393 (ssa_op->result_use >= 0 && ssa->vars[ssa_op->result_use].var == var)
394 ) {
395 return 1;
396 }
397 start++;
398 }
399 return 0;
400 }
401
zend_dfa_optimize_calls(zend_op_array * op_array,zend_ssa * ssa)402 int zend_dfa_optimize_calls(zend_op_array *op_array, zend_ssa *ssa)
403 {
404 zend_func_info *func_info = ZEND_FUNC_INFO(op_array);
405 int removed_ops = 0;
406
407 if (func_info->callee_info) {
408 zend_call_info *call_info = func_info->callee_info;
409
410 do {
411 if (call_info->caller_call_opline
412 && call_info->caller_call_opline->opcode == ZEND_DO_ICALL
413 && call_info->callee_func
414 && zend_string_equals_literal(call_info->callee_func->common.function_name, "in_array")
415 && (call_info->caller_init_opline->extended_value == 2
416 || (call_info->caller_init_opline->extended_value == 3
417 && (call_info->caller_call_opline - 1)->opcode == ZEND_SEND_VAL
418 && (call_info->caller_call_opline - 1)->op1_type == IS_CONST))) {
419
420 zend_op *send_array;
421 zend_op *send_needly;
422 bool strict = 0;
423 ZEND_ASSERT(!call_info->is_prototype);
424
425 if (call_info->caller_init_opline->extended_value == 2) {
426 send_array = call_info->caller_call_opline - 1;
427 send_needly = call_info->caller_call_opline - 2;
428 } else {
429 if (zend_is_true(CT_CONSTANT_EX(op_array, (call_info->caller_call_opline - 1)->op1.constant))) {
430 strict = 1;
431 }
432 send_array = call_info->caller_call_opline - 2;
433 send_needly = call_info->caller_call_opline - 3;
434 }
435
436 if (send_array->opcode == ZEND_SEND_VAL
437 && send_array->op1_type == IS_CONST
438 && Z_TYPE_P(CT_CONSTANT_EX(op_array, send_array->op1.constant)) == IS_ARRAY
439 && (send_needly->opcode == ZEND_SEND_VAL
440 || send_needly->opcode == ZEND_SEND_VAR)
441 ) {
442 int ok = 1;
443
444 HashTable *src = Z_ARRVAL_P(CT_CONSTANT_EX(op_array, send_array->op1.constant));
445 HashTable *dst;
446 zval *val, tmp;
447 zend_ulong idx;
448
449 ZVAL_TRUE(&tmp);
450 dst = zend_new_array(zend_hash_num_elements(src));
451 if (strict) {
452 ZEND_HASH_FOREACH_VAL(src, val) {
453 if (Z_TYPE_P(val) == IS_STRING) {
454 zend_hash_add(dst, Z_STR_P(val), &tmp);
455 } else if (Z_TYPE_P(val) == IS_LONG) {
456 zend_hash_index_add(dst, Z_LVAL_P(val), &tmp);
457 } else {
458 zend_array_destroy(dst);
459 ok = 0;
460 break;
461 }
462 } ZEND_HASH_FOREACH_END();
463 } else {
464 ZEND_HASH_FOREACH_VAL(src, val) {
465 if (Z_TYPE_P(val) != IS_STRING || ZEND_HANDLE_NUMERIC(Z_STR_P(val), idx)) {
466 zend_array_destroy(dst);
467 ok = 0;
468 break;
469 }
470 zend_hash_add(dst, Z_STR_P(val), &tmp);
471 } ZEND_HASH_FOREACH_END();
472 }
473
474 if (ok) {
475 uint32_t op_num = send_needly - op_array->opcodes;
476 zend_ssa_op *ssa_op = ssa->ops + op_num;
477
478 if (ssa_op->op1_use >= 0) {
479 /* Reconstruct SSA */
480 int var_num = ssa_op->op1_use;
481 zend_ssa_var *var = ssa->vars + var_num;
482
483 ZEND_ASSERT(ssa_op->op1_def < 0);
484 zend_ssa_unlink_use_chain(ssa, op_num, ssa_op->op1_use);
485 ssa_op->op1_use = -1;
486 ssa_op->op1_use_chain = -1;
487 op_num = call_info->caller_call_opline - op_array->opcodes;
488 ssa_op = ssa->ops + op_num;
489 ssa_op->op1_use = var_num;
490 ssa_op->op1_use_chain = var->use_chain;
491 var->use_chain = op_num;
492 }
493
494 ZVAL_ARR(&tmp, dst);
495
496 /* Update opcode */
497 call_info->caller_call_opline->opcode = ZEND_IN_ARRAY;
498 call_info->caller_call_opline->extended_value = strict;
499 call_info->caller_call_opline->op1_type = send_needly->op1_type;
500 call_info->caller_call_opline->op1.num = send_needly->op1.num;
501 call_info->caller_call_opline->op2_type = IS_CONST;
502 call_info->caller_call_opline->op2.constant = zend_optimizer_add_literal(op_array, &tmp);
503 if (call_info->caller_init_opline->extended_value == 3) {
504 MAKE_NOP(call_info->caller_call_opline - 1);
505 }
506 MAKE_NOP(call_info->caller_init_opline);
507 MAKE_NOP(send_needly);
508 MAKE_NOP(send_array);
509 removed_ops++;
510
511 op_num = call_info->caller_call_opline - op_array->opcodes;
512 ssa_op = ssa->ops + op_num;
513 if (ssa_op->result_def >= 0) {
514 int var = ssa_op->result_def;
515 int use = ssa->vars[var].use_chain;
516
517 /* If the result is used only in a JMPZ/JMPNZ, replace result type with
518 * IS_TMP_VAR, which will enable use of smart branches. Don't do this
519 * in other cases, as not all opcodes support both VAR and TMP. */
520 if (ssa->vars[var].phi_use_chain == NULL
521 && ssa->ops[use].op1_use == var
522 && ssa->ops[use].op1_use_chain == -1
523 && (op_array->opcodes[use].opcode == ZEND_JMPZ
524 || op_array->opcodes[use].opcode == ZEND_JMPNZ)) {
525 call_info->caller_call_opline->result_type = IS_TMP_VAR;
526 op_array->opcodes[use].op1_type = IS_TMP_VAR;
527 }
528 }
529 }
530 }
531 }
532 call_info = call_info->next_callee;
533 } while (call_info);
534 }
535
536 return removed_ops;
537 }
538
take_successor_0(zend_ssa * ssa,int block_num,zend_basic_block * block)539 static zend_always_inline void take_successor_0(zend_ssa *ssa, int block_num, zend_basic_block *block)
540 {
541 if (block->successors_count == 2) {
542 if (block->successors[1] != block->successors[0]) {
543 zend_ssa_remove_predecessor(ssa, block_num, block->successors[1]);
544 }
545 block->successors_count = 1;
546 }
547 }
548
take_successor_1(zend_ssa * ssa,int block_num,zend_basic_block * block)549 static zend_always_inline void take_successor_1(zend_ssa *ssa, int block_num, zend_basic_block *block)
550 {
551 if (block->successors_count == 2) {
552 if (block->successors[1] != block->successors[0]) {
553 zend_ssa_remove_predecessor(ssa, block_num, block->successors[0]);
554 block->successors[0] = block->successors[1];
555 }
556 block->successors_count = 1;
557 }
558 }
559
take_successor_ex(zend_ssa * ssa,int block_num,zend_basic_block * block,int target_block)560 static zend_always_inline void take_successor_ex(zend_ssa *ssa, int block_num, zend_basic_block *block, int target_block)
561 {
562 int i;
563
564 for (i = 0; i < block->successors_count; i++) {
565 if (block->successors[i] != target_block) {
566 zend_ssa_remove_predecessor(ssa, block_num, block->successors[i]);
567 }
568 }
569 block->successors[0] = target_block;
570 block->successors_count = 1;
571 }
572
compress_block(zend_op_array * op_array,zend_basic_block * block)573 static void compress_block(zend_op_array *op_array, zend_basic_block *block)
574 {
575 while (block->len > 0) {
576 zend_op *opline = &op_array->opcodes[block->start + block->len - 1];
577
578 if (opline->opcode == ZEND_NOP) {
579 block->len--;
580 } else {
581 break;
582 }
583 }
584 }
585
replace_predecessor(zend_ssa * ssa,int block_id,int old_pred,int new_pred)586 static void replace_predecessor(zend_ssa *ssa, int block_id, int old_pred, int new_pred) {
587 zend_basic_block *block = &ssa->cfg.blocks[block_id];
588 int *predecessors = &ssa->cfg.predecessors[block->predecessor_offset];
589 zend_ssa_phi *phi;
590
591 int i;
592 int old_pred_idx = -1;
593 int new_pred_idx = -1;
594 for (i = 0; i < block->predecessors_count; i++) {
595 if (predecessors[i] == old_pred) {
596 old_pred_idx = i;
597 }
598 if (predecessors[i] == new_pred) {
599 new_pred_idx = i;
600 }
601 }
602
603 ZEND_ASSERT(old_pred_idx != -1);
604 if (new_pred_idx == -1) {
605 /* If the new predecessor doesn't exist yet, simply rewire the old one */
606 predecessors[old_pred_idx] = new_pred;
607 } else {
608 /* Otherwise, rewiring the old predecessor would make the new predecessor appear
609 * twice, which violates our CFG invariants. Remove the old predecessor instead. */
610 memmove(
611 predecessors + old_pred_idx,
612 predecessors + old_pred_idx + 1,
613 sizeof(int) * (block->predecessors_count - old_pred_idx - 1)
614 );
615
616 /* Also remove the corresponding phi node entries */
617 for (phi = ssa->blocks[block_id].phis; phi; phi = phi->next) {
618 if (phi->pi >= 0) {
619 if (phi->pi == old_pred || phi->pi == new_pred) {
620 zend_ssa_rename_var_uses(
621 ssa, phi->ssa_var, phi->sources[0], /* update_types */ 0);
622 zend_ssa_remove_phi(ssa, phi);
623 }
624 } else {
625 memmove(
626 phi->sources + old_pred_idx,
627 phi->sources + old_pred_idx + 1,
628 sizeof(int) * (block->predecessors_count - old_pred_idx - 1)
629 );
630 }
631 }
632
633 block->predecessors_count--;
634 }
635 }
636
zend_ssa_replace_control_link(zend_op_array * op_array,zend_ssa * ssa,int from,int to,int new_to)637 static void zend_ssa_replace_control_link(zend_op_array *op_array, zend_ssa *ssa, int from, int to, int new_to)
638 {
639 zend_basic_block *src = &ssa->cfg.blocks[from];
640 zend_basic_block *old = &ssa->cfg.blocks[to];
641 zend_basic_block *dst = &ssa->cfg.blocks[new_to];
642 int i;
643 zend_op *opline;
644
645 for (i = 0; i < src->successors_count; i++) {
646 if (src->successors[i] == to) {
647 src->successors[i] = new_to;
648 }
649 }
650
651 if (src->len > 0) {
652 opline = op_array->opcodes + src->start + src->len - 1;
653 switch (opline->opcode) {
654 case ZEND_JMP:
655 case ZEND_FAST_CALL:
656 ZEND_ASSERT(ZEND_OP1_JMP_ADDR(opline) == op_array->opcodes + old->start);
657 ZEND_SET_OP_JMP_ADDR(opline, opline->op1, op_array->opcodes + dst->start);
658 break;
659 case ZEND_JMPZNZ:
660 if (ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, opline->extended_value) == old->start) {
661 opline->extended_value = ZEND_OPLINE_NUM_TO_OFFSET(op_array, opline, dst->start);
662 }
663 ZEND_FALLTHROUGH;
664 case ZEND_JMPZ:
665 case ZEND_JMPNZ:
666 case ZEND_JMPZ_EX:
667 case ZEND_JMPNZ_EX:
668 case ZEND_FE_RESET_R:
669 case ZEND_FE_RESET_RW:
670 case ZEND_JMP_SET:
671 case ZEND_COALESCE:
672 case ZEND_ASSERT_CHECK:
673 case ZEND_JMP_NULL:
674 if (ZEND_OP2_JMP_ADDR(opline) == op_array->opcodes + old->start) {
675 ZEND_SET_OP_JMP_ADDR(opline, opline->op2, op_array->opcodes + dst->start);
676 }
677 break;
678 case ZEND_CATCH:
679 if (!(opline->extended_value & ZEND_LAST_CATCH)) {
680 if (ZEND_OP2_JMP_ADDR(opline) == op_array->opcodes + old->start) {
681 ZEND_SET_OP_JMP_ADDR(opline, opline->op2, op_array->opcodes + dst->start);
682 }
683 }
684 break;
685 case ZEND_FE_FETCH_R:
686 case ZEND_FE_FETCH_RW:
687 if (ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, opline->extended_value) == old->start) {
688 opline->extended_value = ZEND_OPLINE_NUM_TO_OFFSET(op_array, opline, dst->start);
689 }
690 break;
691 case ZEND_SWITCH_LONG:
692 case ZEND_SWITCH_STRING:
693 case ZEND_MATCH:
694 {
695 HashTable *jumptable = Z_ARRVAL(ZEND_OP2_LITERAL(opline));
696 zval *zv;
697 ZEND_HASH_FOREACH_VAL(jumptable, zv) {
698 if (ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, Z_LVAL_P(zv)) == old->start) {
699 Z_LVAL_P(zv) = ZEND_OPLINE_NUM_TO_OFFSET(op_array, opline, dst->start);
700 }
701 } ZEND_HASH_FOREACH_END();
702 if (ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, opline->extended_value) == old->start) {
703 opline->extended_value = ZEND_OPLINE_NUM_TO_OFFSET(op_array, opline, dst->start);
704 }
705 break;
706 }
707 }
708 }
709
710 replace_predecessor(ssa, new_to, to, from);
711 }
712
zend_ssa_unlink_block(zend_op_array * op_array,zend_ssa * ssa,zend_basic_block * block,int block_num)713 static void zend_ssa_unlink_block(zend_op_array *op_array, zend_ssa *ssa, zend_basic_block *block, int block_num)
714 {
715 if (block->predecessors_count == 1 && ssa->blocks[block_num].phis == NULL) {
716 int *predecessors, i;
717 zend_basic_block *fe_fetch_block = NULL;
718
719 ZEND_ASSERT(block->successors_count == 1);
720 predecessors = &ssa->cfg.predecessors[block->predecessor_offset];
721 if (block->predecessors_count == 1 && (block->flags & ZEND_BB_FOLLOW)) {
722 zend_basic_block *pred_block = &ssa->cfg.blocks[predecessors[0]];
723
724 if (pred_block->len > 0 && (pred_block->flags & ZEND_BB_REACHABLE)) {
725 if ((op_array->opcodes[pred_block->start + pred_block->len - 1].opcode == ZEND_FE_FETCH_R
726 || op_array->opcodes[pred_block->start + pred_block->len - 1].opcode == ZEND_FE_FETCH_RW)
727 && op_array->opcodes[pred_block->start + pred_block->len - 1].op2_type == IS_CV) {
728 fe_fetch_block = pred_block;
729 }
730 }
731 }
732 for (i = 0; i < block->predecessors_count; i++) {
733 zend_ssa_replace_control_link(op_array, ssa, predecessors[i], block_num, block->successors[0]);
734 }
735 zend_ssa_remove_block(op_array, ssa, block_num);
736 if (fe_fetch_block && fe_fetch_block->successors[0] == fe_fetch_block->successors[1]) {
737 /* The body of "foreach" loop was removed */
738 int ssa_var = ssa->ops[fe_fetch_block->start + fe_fetch_block->len - 1].op2_def;
739 if (ssa_var >= 0) {
740 zend_ssa_remove_uses_of_var(ssa, ssa_var);
741 }
742 }
743 }
744 }
745
zend_dfa_optimize_jmps(zend_op_array * op_array,zend_ssa * ssa)746 static int zend_dfa_optimize_jmps(zend_op_array *op_array, zend_ssa *ssa)
747 {
748 int removed_ops = 0;
749 int block_num = 0;
750
751 for (block_num = 1; block_num < ssa->cfg.blocks_count; block_num++) {
752 zend_basic_block *block = &ssa->cfg.blocks[block_num];
753
754 if (!(block->flags & ZEND_BB_REACHABLE)) {
755 continue;
756 }
757 compress_block(op_array, block);
758 if (block->len == 0) {
759 zend_ssa_unlink_block(op_array, ssa, block, block_num);
760 }
761 }
762
763 block_num = 0;
764 while (block_num < ssa->cfg.blocks_count
765 && !(ssa->cfg.blocks[block_num].flags & ZEND_BB_REACHABLE)) {
766 block_num++;
767 }
768 while (block_num < ssa->cfg.blocks_count) {
769 int next_block_num = block_num + 1;
770 zend_basic_block *block = &ssa->cfg.blocks[block_num];
771 uint32_t op_num;
772 zend_op *opline;
773 zend_ssa_op *ssa_op;
774 bool can_follow = 1;
775
776 while (next_block_num < ssa->cfg.blocks_count
777 && !(ssa->cfg.blocks[next_block_num].flags & ZEND_BB_REACHABLE)) {
778 if (ssa->cfg.blocks[next_block_num].flags & ZEND_BB_UNREACHABLE_FREE) {
779 can_follow = 0;
780 }
781 next_block_num++;
782 }
783
784 if (block->len) {
785 op_num = block->start + block->len - 1;
786 opline = op_array->opcodes + op_num;
787 ssa_op = ssa->ops + op_num;
788
789 switch (opline->opcode) {
790 case ZEND_JMP:
791 optimize_jmp:
792 if (block->successors[0] == next_block_num && can_follow) {
793 MAKE_NOP(opline);
794 removed_ops++;
795 goto optimize_nop;
796 }
797 break;
798 case ZEND_JMPZ:
799 optimize_jmpz:
800 if (opline->op1_type == IS_CONST) {
801 if (zend_is_true(CT_CONSTANT_EX(op_array, opline->op1.constant))) {
802 MAKE_NOP(opline);
803 removed_ops++;
804 take_successor_1(ssa, block_num, block);
805 goto optimize_nop;
806 } else {
807 opline->opcode = ZEND_JMP;
808 COPY_NODE(opline->op1, opline->op2);
809 take_successor_0(ssa, block_num, block);
810 goto optimize_jmp;
811 }
812 } else {
813 if (block->successors[0] == next_block_num && can_follow) {
814 take_successor_0(ssa, block_num, block);
815 if (opline->op1_type == IS_CV && (OP1_INFO() & MAY_BE_UNDEF)) {
816 opline->opcode = ZEND_CHECK_VAR;
817 opline->op2.num = 0;
818 } else if (opline->op1_type == IS_CV || !(OP1_INFO() & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
819 zend_ssa_remove_instr(ssa, opline, ssa_op);
820 removed_ops++;
821 goto optimize_nop;
822 } else {
823 opline->opcode = ZEND_FREE;
824 opline->op2.num = 0;
825 }
826 }
827 }
828 break;
829 case ZEND_JMPNZ:
830 optimize_jmpnz:
831 if (opline->op1_type == IS_CONST) {
832 if (zend_is_true(CT_CONSTANT_EX(op_array, opline->op1.constant))) {
833 opline->opcode = ZEND_JMP;
834 COPY_NODE(opline->op1, opline->op2);
835 take_successor_0(ssa, block_num, block);
836 goto optimize_jmp;
837 } else {
838 MAKE_NOP(opline);
839 removed_ops++;
840 take_successor_1(ssa, block_num, block);
841 goto optimize_nop;
842 }
843 } else if (block->successors_count == 2) {
844 if (block->successors[0] == next_block_num && can_follow) {
845 take_successor_0(ssa, block_num, block);
846 if (opline->op1_type == IS_CV && (OP1_INFO() & MAY_BE_UNDEF)) {
847 opline->opcode = ZEND_CHECK_VAR;
848 opline->op2.num = 0;
849 } else if (opline->op1_type == IS_CV || !(OP1_INFO() & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
850 zend_ssa_remove_instr(ssa, opline, ssa_op);
851 removed_ops++;
852 goto optimize_nop;
853 } else {
854 opline->opcode = ZEND_FREE;
855 opline->op2.num = 0;
856 }
857 }
858 }
859 break;
860 case ZEND_JMPZNZ:
861 if (opline->op1_type == IS_CONST) {
862 if (zend_is_true(CT_CONSTANT_EX(op_array, opline->op1.constant))) {
863 zend_op *target_opline = ZEND_OFFSET_TO_OPLINE(opline, opline->extended_value);
864 ZEND_SET_OP_JMP_ADDR(opline, opline->op1, target_opline);
865 take_successor_1(ssa, block_num, block);
866 } else {
867 zend_op *target_opline = ZEND_OP2_JMP_ADDR(opline);
868 ZEND_SET_OP_JMP_ADDR(opline, opline->op1, target_opline);
869 take_successor_0(ssa, block_num, block);
870 }
871 opline->op1_type = IS_UNUSED;
872 opline->extended_value = 0;
873 opline->opcode = ZEND_JMP;
874 goto optimize_jmp;
875 } else if (block->successors_count == 2) {
876 if (block->successors[0] == block->successors[1]) {
877 take_successor_0(ssa, block_num, block);
878 if (block->successors[0] == next_block_num && can_follow) {
879 if (opline->op1_type == IS_CV && (OP1_INFO() & MAY_BE_UNDEF)) {
880 opline->opcode = ZEND_CHECK_VAR;
881 opline->op2.num = 0;
882 } else if (opline->op1_type == IS_CV || !(OP1_INFO() & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
883 zend_ssa_remove_instr(ssa, opline, ssa_op);
884 removed_ops++;
885 goto optimize_nop;
886 } else {
887 opline->opcode = ZEND_FREE;
888 opline->op2.num = 0;
889 }
890 } else if ((opline->op1_type == IS_CV && !(OP1_INFO() & MAY_BE_UNDEF)) || !(OP1_INFO() & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
891 ZEND_ASSERT(ssa_op->op1_use >= 0);
892 zend_ssa_unlink_use_chain(ssa, op_num, ssa_op->op1_use);
893 ssa_op->op1_use = -1;
894 ssa_op->op1_use_chain = -1;
895 opline->opcode = ZEND_JMP;
896 opline->op1_type = IS_UNUSED;
897 opline->op1.num = opline->op2.num;
898 goto optimize_jmp;
899 }
900 }
901 }
902 break;
903 case ZEND_JMPZ_EX:
904 if (ssa->vars[ssa_op->result_def].use_chain < 0
905 && ssa->vars[ssa_op->result_def].phi_use_chain == NULL) {
906 opline->opcode = ZEND_JMPZ;
907 opline->result_type = IS_UNUSED;
908 zend_ssa_remove_result_def(ssa, ssa_op);
909 goto optimize_jmpz;
910 } else if (opline->op1_type == IS_CONST) {
911 if (zend_is_true(CT_CONSTANT_EX(op_array, opline->op1.constant))) {
912 opline->opcode = ZEND_QM_ASSIGN;
913 take_successor_1(ssa, block_num, block);
914 }
915 }
916 break;
917 case ZEND_JMPNZ_EX:
918 if (ssa->vars[ssa_op->result_def].use_chain < 0
919 && ssa->vars[ssa_op->result_def].phi_use_chain == NULL) {
920 opline->opcode = ZEND_JMPNZ;
921 opline->result_type = IS_UNUSED;
922 zend_ssa_remove_result_def(ssa, ssa_op);
923 goto optimize_jmpnz;
924 } else if (opline->op1_type == IS_CONST) {
925 if (!zend_is_true(CT_CONSTANT_EX(op_array, opline->op1.constant))) {
926 opline->opcode = ZEND_QM_ASSIGN;
927 take_successor_1(ssa, block_num, block);
928 }
929 }
930 break;
931 case ZEND_JMP_SET:
932 if (ssa->vars[ssa_op->result_def].use_chain < 0
933 && ssa->vars[ssa_op->result_def].phi_use_chain == NULL) {
934 opline->opcode = ZEND_JMPNZ;
935 opline->result_type = IS_UNUSED;
936 zend_ssa_remove_result_def(ssa, ssa_op);
937 goto optimize_jmpnz;
938 } else if (opline->op1_type == IS_CONST) {
939 if (!zend_is_true(CT_CONSTANT_EX(op_array, opline->op1.constant))) {
940 MAKE_NOP(opline);
941 removed_ops++;
942 take_successor_1(ssa, block_num, block);
943 zend_ssa_remove_result_def(ssa, ssa_op);
944 goto optimize_nop;
945 }
946 }
947 break;
948 case ZEND_COALESCE:
949 {
950 zend_ssa_var *var = &ssa->vars[ssa_op->result_def];
951 if (opline->op1_type == IS_CONST
952 && var->use_chain < 0 && var->phi_use_chain == NULL) {
953 if (Z_TYPE_P(CT_CONSTANT_EX(op_array, opline->op1.constant)) == IS_NULL) {
954 zend_ssa_remove_result_def(ssa, ssa_op);
955 MAKE_NOP(opline);
956 removed_ops++;
957 take_successor_1(ssa, block_num, block);
958 goto optimize_nop;
959 } else {
960 opline->opcode = ZEND_JMP;
961 opline->result_type = IS_UNUSED;
962 zend_ssa_remove_result_def(ssa, ssa_op);
963 COPY_NODE(opline->op1, opline->op2);
964 take_successor_0(ssa, block_num, block);
965 goto optimize_jmp;
966 }
967 }
968 break;
969 }
970 case ZEND_JMP_NULL:
971 {
972 zend_ssa_var *var = &ssa->vars[ssa_op->result_def];
973 if (opline->op1_type == IS_CONST
974 && var->use_chain < 0 && var->phi_use_chain == NULL) {
975 if (Z_TYPE_P(CT_CONSTANT_EX(op_array, opline->op1.constant)) == IS_NULL) {
976 opline->opcode = ZEND_JMP;
977 opline->result_type = IS_UNUSED;
978 zend_ssa_remove_result_def(ssa, ssa_op);
979 COPY_NODE(opline->op1, opline->op2);
980 take_successor_0(ssa, block_num, block);
981 goto optimize_jmp;
982 } else {
983 zend_ssa_remove_result_def(ssa, ssa_op);
984 MAKE_NOP(opline);
985 removed_ops++;
986 take_successor_1(ssa, block_num, block);
987 goto optimize_nop;
988 }
989 }
990 break;
991 }
992 case ZEND_SWITCH_LONG:
993 case ZEND_SWITCH_STRING:
994 case ZEND_MATCH:
995 if (opline->op1_type == IS_CONST) {
996 zval *zv = CT_CONSTANT_EX(op_array, opline->op1.constant);
997 zend_uchar type = Z_TYPE_P(zv);
998 bool correct_type =
999 (opline->opcode == ZEND_SWITCH_LONG && type == IS_LONG)
1000 || (opline->opcode == ZEND_SWITCH_STRING && type == IS_STRING)
1001 || (opline->opcode == ZEND_MATCH && (type == IS_LONG || type == IS_STRING));
1002
1003 /* Switch statements have a fallback chain for loose comparison. In those
1004 * cases the SWITCH_* instruction is a NOP. Match does strict comparison and
1005 * thus jumps to the default branch on mismatched types, so we need to
1006 * convert MATCH to a jmp. */
1007 if (!correct_type && opline->opcode != ZEND_MATCH) {
1008 removed_ops++;
1009 MAKE_NOP(opline);
1010 opline->extended_value = 0;
1011 take_successor_ex(ssa, block_num, block, block->successors[block->successors_count - 1]);
1012 goto optimize_nop;
1013 }
1014
1015 uint32_t target;
1016 if (correct_type) {
1017 HashTable *jmptable = Z_ARRVAL_P(CT_CONSTANT_EX(op_array, opline->op2.constant));
1018 zval *jmp_zv = type == IS_LONG
1019 ? zend_hash_index_find(jmptable, Z_LVAL_P(zv))
1020 : zend_hash_find(jmptable, Z_STR_P(zv));
1021
1022 if (jmp_zv) {
1023 target = ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, Z_LVAL_P(jmp_zv));
1024 } else {
1025 target = ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, opline->extended_value);
1026 }
1027 } else {
1028 ZEND_ASSERT(opline->opcode == ZEND_MATCH);
1029 target = ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, opline->extended_value);
1030 }
1031 opline->opcode = ZEND_JMP;
1032 opline->extended_value = 0;
1033 SET_UNUSED(opline->op1);
1034 ZEND_SET_OP_JMP_ADDR(opline, opline->op1, op_array->opcodes + target);
1035 SET_UNUSED(opline->op2);
1036 take_successor_ex(ssa, block_num, block, ssa->cfg.map[target]);
1037 goto optimize_jmp;
1038 }
1039 break;
1040 case ZEND_NOP:
1041 optimize_nop:
1042 compress_block(op_array, block);
1043 if (block->len == 0) {
1044 if (block_num > 0) {
1045 zend_ssa_unlink_block(op_array, ssa, block, block_num);
1046 /* backtrack to previous basic block */
1047 do {
1048 block_num--;
1049 } while (block_num >= 0
1050 && !(ssa->cfg.blocks[block_num].flags & ZEND_BB_REACHABLE));
1051 if (block_num >= 0) {
1052 continue;
1053 }
1054 }
1055 }
1056 break;
1057 default:
1058 break;
1059 }
1060 }
1061
1062 block_num = next_block_num;
1063 }
1064
1065 return removed_ops;
1066 }
1067
zend_dfa_try_to_replace_result(zend_op_array * op_array,zend_ssa * ssa,int def,int cv_var)1068 static int zend_dfa_try_to_replace_result(zend_op_array *op_array, zend_ssa *ssa, int def, int cv_var)
1069 {
1070 int result_var = ssa->ops[def].result_def;
1071 int cv = EX_NUM_TO_VAR(ssa->vars[cv_var].var);
1072
1073 if (result_var >= 0
1074 && !(ssa->var_info[cv_var].type & MAY_BE_REF)
1075 && ssa->vars[cv_var].alias == NO_ALIAS
1076 && ssa->vars[result_var].phi_use_chain == NULL
1077 && ssa->vars[result_var].sym_use_chain == NULL) {
1078 int use = ssa->vars[result_var].use_chain;
1079
1080 if (use >= 0
1081 && zend_ssa_next_use(ssa->ops, result_var, use) < 0
1082 && op_array->opcodes[use].opcode != ZEND_FREE
1083 && op_array->opcodes[use].opcode != ZEND_SEND_VAL
1084 && op_array->opcodes[use].opcode != ZEND_SEND_VAL_EX
1085 && op_array->opcodes[use].opcode != ZEND_VERIFY_RETURN_TYPE
1086 && op_array->opcodes[use].opcode != ZEND_YIELD) {
1087 if (use > def) {
1088 int i = use;
1089 const zend_op *opline = &op_array->opcodes[use];
1090
1091 while (i > def) {
1092 if ((opline->op1_type == IS_CV && opline->op1.var == cv)
1093 || (opline->op2_type == IS_CV && opline->op2.var == cv)
1094 || (opline->result_type == IS_CV && opline->result.var == cv)) {
1095 return 0;
1096 }
1097 opline--;
1098 i--;
1099 }
1100
1101 /* Update opcodes and reconstruct SSA */
1102 ssa->vars[result_var].definition = -1;
1103 ssa->vars[result_var].use_chain = -1;
1104 ssa->ops[def].result_def = -1;
1105
1106 op_array->opcodes[def].result_type = IS_UNUSED;
1107 op_array->opcodes[def].result.var = 0;
1108
1109 if (ssa->ops[use].op1_use == result_var) {
1110 ssa->ops[use].op1_use = cv_var;
1111 ssa->ops[use].op1_use_chain = ssa->vars[cv_var].use_chain;
1112 ssa->vars[cv_var].use_chain = use;
1113
1114 op_array->opcodes[use].op1_type = IS_CV;
1115 op_array->opcodes[use].op1.var = cv;
1116 } else if (ssa->ops[use].op2_use == result_var) {
1117 ssa->ops[use].op2_use = cv_var;
1118 ssa->ops[use].op2_use_chain = ssa->vars[cv_var].use_chain;
1119 ssa->vars[cv_var].use_chain = use;
1120
1121 op_array->opcodes[use].op2_type = IS_CV;
1122 op_array->opcodes[use].op2.var = cv;
1123 } else if (ssa->ops[use].result_use == result_var) {
1124 ssa->ops[use].result_use = cv_var;
1125 ssa->ops[use].res_use_chain = ssa->vars[cv_var].use_chain;
1126 ssa->vars[cv_var].use_chain = use;
1127
1128 op_array->opcodes[use].result_type = IS_CV;
1129 op_array->opcodes[use].result.var = cv;
1130 }
1131
1132 return 1;
1133 }
1134 }
1135 }
1136
1137 return 0;
1138 }
1139
zend_dfa_optimize_op_array(zend_op_array * op_array,zend_optimizer_ctx * ctx,zend_ssa * ssa,zend_call_info ** call_map)1140 void zend_dfa_optimize_op_array(zend_op_array *op_array, zend_optimizer_ctx *ctx, zend_ssa *ssa, zend_call_info **call_map)
1141 {
1142 if (ctx->debug_level & ZEND_DUMP_BEFORE_DFA_PASS) {
1143 zend_dump_op_array(op_array, ZEND_DUMP_SSA, "before dfa pass", ssa);
1144 }
1145
1146 if (ssa->var_info) {
1147 int op_1;
1148 int v;
1149 int remove_nops = 0;
1150 zend_op *opline;
1151 zend_ssa_op *ssa_op;
1152 zval tmp;
1153
1154 #if ZEND_DEBUG_DFA
1155 ssa_verify_integrity(op_array, ssa, "before dfa");
1156 #endif
1157
1158 if (ZEND_OPTIMIZER_PASS_8 & ctx->optimization_level) {
1159 if (sccp_optimize_op_array(ctx, op_array, ssa, call_map)) {
1160 remove_nops = 1;
1161 }
1162
1163 if (zend_dfa_optimize_jmps(op_array, ssa)) {
1164 remove_nops = 1;
1165 }
1166
1167 #if ZEND_DEBUG_DFA
1168 ssa_verify_integrity(op_array, ssa, "after sccp");
1169 #endif
1170 if (ZEND_FUNC_INFO(op_array)) {
1171 if (zend_dfa_optimize_calls(op_array, ssa)) {
1172 remove_nops = 1;
1173 }
1174 }
1175 if (ctx->debug_level & ZEND_DUMP_AFTER_PASS_8) {
1176 zend_dump_op_array(op_array, ZEND_DUMP_SSA, "after sccp pass", ssa);
1177 }
1178 #if ZEND_DEBUG_DFA
1179 ssa_verify_integrity(op_array, ssa, "after calls");
1180 #endif
1181 }
1182
1183 if (ZEND_OPTIMIZER_PASS_14 & ctx->optimization_level) {
1184 if (dce_optimize_op_array(op_array, ssa, 0)) {
1185 remove_nops = 1;
1186 }
1187 if (zend_dfa_optimize_jmps(op_array, ssa)) {
1188 remove_nops = 1;
1189 }
1190 if (ctx->debug_level & ZEND_DUMP_AFTER_PASS_14) {
1191 zend_dump_op_array(op_array, ZEND_DUMP_SSA, "after dce pass", ssa);
1192 }
1193 #if ZEND_DEBUG_DFA
1194 ssa_verify_integrity(op_array, ssa, "after dce");
1195 #endif
1196 }
1197
1198 for (v = op_array->last_var; v < ssa->vars_count; v++) {
1199
1200 op_1 = ssa->vars[v].definition;
1201
1202 if (op_1 < 0) {
1203 continue;
1204 }
1205
1206 opline = op_array->opcodes + op_1;
1207 ssa_op = &ssa->ops[op_1];
1208
1209 /* Convert LONG constants to DOUBLE */
1210 if (ssa->var_info[v].use_as_double) {
1211 if (opline->opcode == ZEND_ASSIGN
1212 && opline->op2_type == IS_CONST
1213 && ssa->ops[op_1].op1_def == v
1214 && !RETURN_VALUE_USED(opline)
1215 ) {
1216
1217 // op_1: ASSIGN ? -> #v [use_as_double], long(?) => ASSIGN ? -> #v, double(?)
1218
1219 zval *zv = CT_CONSTANT_EX(op_array, opline->op2.constant);
1220 ZEND_ASSERT(Z_TYPE_INFO_P(zv) == IS_LONG);
1221 ZVAL_DOUBLE(&tmp, zval_get_double(zv));
1222 opline->op2.constant = zend_optimizer_add_literal(op_array, &tmp);
1223
1224 } else if (opline->opcode == ZEND_QM_ASSIGN
1225 && opline->op1_type == IS_CONST
1226 ) {
1227
1228 // op_1: QM_ASSIGN #v [use_as_double], long(?) => QM_ASSIGN #v, double(?)
1229
1230 zval *zv = CT_CONSTANT_EX(op_array, opline->op1.constant);
1231 ZEND_ASSERT(Z_TYPE_INFO_P(zv) == IS_LONG);
1232 ZVAL_DOUBLE(&tmp, zval_get_double(zv));
1233 opline->op1.constant = zend_optimizer_add_literal(op_array, &tmp);
1234 }
1235
1236 } else {
1237 if (opline->opcode == ZEND_ADD
1238 || opline->opcode == ZEND_SUB
1239 || opline->opcode == ZEND_MUL
1240 || opline->opcode == ZEND_IS_EQUAL
1241 || opline->opcode == ZEND_IS_NOT_EQUAL
1242 || opline->opcode == ZEND_IS_SMALLER
1243 || opline->opcode == ZEND_IS_SMALLER_OR_EQUAL
1244 ) {
1245
1246 if (opline->op1_type == IS_CONST && opline->op2_type != IS_CONST) {
1247 zval *zv = CT_CONSTANT_EX(op_array, opline->op1.constant);
1248
1249 if ((OP2_INFO() & MAY_BE_ANY) == MAY_BE_DOUBLE
1250 && Z_TYPE_INFO_P(zv) == IS_LONG) {
1251
1252 // op_1: #v.? = ADD long(?), #?.? [double] => #v.? = ADD double(?), #?.? [double]
1253
1254 ZVAL_DOUBLE(&tmp, zval_get_double(zv));
1255 opline->op1.constant = zend_optimizer_add_literal(op_array, &tmp);
1256 zv = CT_CONSTANT_EX(op_array, opline->op1.constant);
1257 }
1258 if (opline->opcode == ZEND_ADD) {
1259 zv = CT_CONSTANT_EX(op_array, opline->op1.constant);
1260
1261 if (((OP2_INFO() & (MAY_BE_ANY|MAY_BE_UNDEF)) == MAY_BE_LONG
1262 && Z_TYPE_INFO_P(zv) == IS_LONG
1263 && Z_LVAL_P(zv) == 0)
1264 || ((OP2_INFO() & (MAY_BE_ANY|MAY_BE_UNDEF)) == MAY_BE_DOUBLE
1265 && Z_TYPE_INFO_P(zv) == IS_DOUBLE
1266 && Z_DVAL_P(zv) == 0.0)) {
1267
1268 // op_1: #v.? = ADD 0, #?.? [double,long] => #v.? = QM_ASSIGN #?.?
1269
1270 opline->opcode = ZEND_QM_ASSIGN;
1271 opline->op1_type = opline->op2_type;
1272 opline->op1.var = opline->op2.var;
1273 opline->op2_type = IS_UNUSED;
1274 opline->op2.num = 0;
1275 ssa->ops[op_1].op1_use = ssa->ops[op_1].op2_use;
1276 ssa->ops[op_1].op1_use_chain = ssa->ops[op_1].op2_use_chain;
1277 ssa->ops[op_1].op2_use = -1;
1278 ssa->ops[op_1].op2_use_chain = -1;
1279 }
1280 } else if (opline->opcode == ZEND_MUL
1281 && (OP2_INFO() & ((MAY_BE_ANY|MAY_BE_UNDEF)-(MAY_BE_LONG|MAY_BE_DOUBLE))) == 0) {
1282 zv = CT_CONSTANT_EX(op_array, opline->op1.constant);
1283
1284 if ((Z_TYPE_INFO_P(zv) == IS_LONG
1285 && Z_LVAL_P(zv) == 2)
1286 || (Z_TYPE_INFO_P(zv) == IS_DOUBLE
1287 && Z_DVAL_P(zv) == 2.0
1288 && !(OP2_INFO() & MAY_BE_LONG))) {
1289
1290 // op_1: #v.? = MUL 2, #x.? [double,long] => #v.? = ADD #x.?, #x.?
1291
1292 opline->opcode = ZEND_ADD;
1293 opline->op1_type = opline->op2_type;
1294 opline->op1.var = opline->op2.var;
1295 ssa->ops[op_1].op1_use = ssa->ops[op_1].op2_use;
1296 ssa->ops[op_1].op1_use_chain = ssa->ops[op_1].op2_use_chain;
1297 }
1298 }
1299 } else if (opline->op1_type != IS_CONST && opline->op2_type == IS_CONST) {
1300 zval *zv = CT_CONSTANT_EX(op_array, opline->op2.constant);
1301
1302 if ((OP1_INFO() & MAY_BE_ANY) == MAY_BE_DOUBLE
1303 && Z_TYPE_INFO_P(CT_CONSTANT_EX(op_array, opline->op2.constant)) == IS_LONG) {
1304
1305 // op_1: #v.? = ADD #?.? [double], long(?) => #v.? = ADD #?.? [double], double(?)
1306
1307 ZVAL_DOUBLE(&tmp, zval_get_double(zv));
1308 opline->op2.constant = zend_optimizer_add_literal(op_array, &tmp);
1309 zv = CT_CONSTANT_EX(op_array, opline->op2.constant);
1310 }
1311 if (opline->opcode == ZEND_ADD || opline->opcode == ZEND_SUB) {
1312 if (((OP1_INFO() & (MAY_BE_ANY|MAY_BE_UNDEF)) == MAY_BE_LONG
1313 && Z_TYPE_INFO_P(zv) == IS_LONG
1314 && Z_LVAL_P(zv) == 0)
1315 || ((OP1_INFO() & (MAY_BE_ANY|MAY_BE_UNDEF)) == MAY_BE_DOUBLE
1316 && Z_TYPE_INFO_P(zv) == IS_DOUBLE
1317 && Z_DVAL_P(zv) == 0.0)) {
1318
1319 // op_1: #v.? = ADD #?.? [double,long], 0 => #v.? = QM_ASSIGN #?.?
1320
1321 opline->opcode = ZEND_QM_ASSIGN;
1322 opline->op2_type = IS_UNUSED;
1323 opline->op2.num = 0;
1324 }
1325 } else if (opline->opcode == ZEND_MUL
1326 && (OP1_INFO() & ((MAY_BE_ANY|MAY_BE_UNDEF)-(MAY_BE_LONG|MAY_BE_DOUBLE))) == 0) {
1327 zv = CT_CONSTANT_EX(op_array, opline->op2.constant);
1328
1329 if ((Z_TYPE_INFO_P(zv) == IS_LONG
1330 && Z_LVAL_P(zv) == 2)
1331 || (Z_TYPE_INFO_P(zv) == IS_DOUBLE
1332 && Z_DVAL_P(zv) == 2.0
1333 && !(OP1_INFO() & MAY_BE_LONG))) {
1334
1335 // op_1: #v.? = MUL #x.? [double,long], 2 => #v.? = ADD #x.?, #x.?
1336
1337 opline->opcode = ZEND_ADD;
1338 opline->op2_type = opline->op1_type;
1339 opline->op2.var = opline->op1.var;
1340 ssa->ops[op_1].op2_use = ssa->ops[op_1].op1_use;
1341 ssa->ops[op_1].op2_use_chain = ssa->ops[op_1].op1_use_chain;
1342 }
1343 }
1344 }
1345 } else if (opline->opcode == ZEND_CONCAT) {
1346 if (!(OP1_INFO() & MAY_BE_OBJECT)
1347 && !(OP2_INFO() & MAY_BE_OBJECT)) {
1348 opline->opcode = ZEND_FAST_CONCAT;
1349 }
1350 } else if (opline->opcode == ZEND_VERIFY_RETURN_TYPE
1351 && opline->op1_type != IS_CONST
1352 && ssa->ops[op_1].op1_def == v
1353 && ssa->ops[op_1].op1_use >= 0
1354 && ssa->ops[op_1].op1_use_chain == -1
1355 && can_elide_return_type_check(ctx->script, op_array, ssa, &ssa->ops[op_1])) {
1356
1357 // op_1: VERIFY_RETURN_TYPE #orig_var.? [T] -> #v.? [T] => NOP
1358
1359 int orig_var = ssa->ops[op_1].op1_use;
1360 if (zend_ssa_unlink_use_chain(ssa, op_1, orig_var)) {
1361
1362 int ret = ssa->vars[v].use_chain;
1363 if (ret >= 0) {
1364 ssa->ops[ret].op1_use = orig_var;
1365 ssa->ops[ret].op1_use_chain = ssa->vars[orig_var].use_chain;
1366 ssa->vars[orig_var].use_chain = ret;
1367 }
1368
1369 ssa->vars[v].definition = -1;
1370 ssa->vars[v].use_chain = -1;
1371
1372 ssa->ops[op_1].op1_def = -1;
1373 ssa->ops[op_1].op1_use = -1;
1374
1375 MAKE_NOP(opline);
1376 remove_nops = 1;
1377 }
1378 }
1379 }
1380
1381 if (opline->opcode == ZEND_QM_ASSIGN
1382 && ssa->ops[op_1].result_def == v
1383 && opline->op1_type & (IS_TMP_VAR|IS_VAR)
1384 && !(ssa->var_info[v].type & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))
1385 ) {
1386
1387 int src_var = ssa->ops[op_1].op1_use;
1388
1389 if (src_var >= 0
1390 && !(ssa->var_info[src_var].type & MAY_BE_REF)
1391 && (ssa->var_info[src_var].type & (MAY_BE_UNDEF|MAY_BE_ANY))
1392 && ssa->vars[src_var].definition >= 0
1393 && ssa->ops[ssa->vars[src_var].definition].result_def == src_var
1394 && ssa->ops[ssa->vars[src_var].definition].result_use < 0
1395 && ssa->vars[src_var].use_chain == op_1
1396 && ssa->ops[op_1].op1_use_chain < 0
1397 && !ssa->vars[src_var].phi_use_chain
1398 && !ssa->vars[src_var].sym_use_chain
1399 && opline_supports_assign_contraction(
1400 op_array, ssa, &op_array->opcodes[ssa->vars[src_var].definition],
1401 src_var, opline->result.var)
1402 && !variable_defined_or_used_in_range(ssa, EX_VAR_TO_NUM(opline->result.var),
1403 ssa->vars[src_var].definition+1, op_1)
1404 ) {
1405
1406 int orig_var = ssa->ops[op_1].result_use;
1407 int op_2 = ssa->vars[src_var].definition;
1408
1409 // op_2: #src_var.T = OP ... => #v.CV = OP ...
1410 // op_1: QM_ASSIGN #src_var.T #orig_var.CV [undef,scalar] -> #v.CV, NOP
1411
1412 if (orig_var < 0 || zend_ssa_unlink_use_chain(ssa, op_1, orig_var)) {
1413 /* Reconstruct SSA */
1414 ssa->vars[v].definition = op_2;
1415 ssa->ops[op_2].result_def = v;
1416
1417 ssa->vars[src_var].definition = -1;
1418 ssa->vars[src_var].use_chain = -1;
1419
1420 ssa->ops[op_1].op1_use = -1;
1421 ssa->ops[op_1].op1_def = -1;
1422 ssa->ops[op_1].op1_use_chain = -1;
1423 ssa->ops[op_1].result_use = -1;
1424 ssa->ops[op_1].result_def = -1;
1425 ssa->ops[op_1].res_use_chain = -1;
1426
1427 /* Update opcodes */
1428 op_array->opcodes[op_2].result_type = opline->result_type;
1429 op_array->opcodes[op_2].result.var = opline->result.var;
1430
1431 MAKE_NOP(opline);
1432 remove_nops = 1;
1433
1434 if (op_array->opcodes[op_2].opcode == ZEND_SUB
1435 && op_array->opcodes[op_2].op1_type == op_array->opcodes[op_2].result_type
1436 && op_array->opcodes[op_2].op1.var == op_array->opcodes[op_2].result.var
1437 && op_array->opcodes[op_2].op2_type == IS_CONST
1438 && Z_TYPE_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == IS_LONG
1439 && Z_LVAL_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == 1
1440 && ssa->ops[op_2].op1_use >= 0
1441 && !(ssa->var_info[ssa->ops[op_2].op1_use].type & (MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1442
1443 op_array->opcodes[op_2].opcode = ZEND_PRE_DEC;
1444 SET_UNUSED(op_array->opcodes[op_2].op2);
1445 SET_UNUSED(op_array->opcodes[op_2].result);
1446
1447 ssa->ops[op_2].result_def = -1;
1448 ssa->ops[op_2].op1_def = v;
1449
1450 } else if (op_array->opcodes[op_2].opcode == ZEND_ADD
1451 && op_array->opcodes[op_2].op1_type == op_array->opcodes[op_2].result_type
1452 && op_array->opcodes[op_2].op1.var == op_array->opcodes[op_2].result.var
1453 && op_array->opcodes[op_2].op2_type == IS_CONST
1454 && Z_TYPE_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == IS_LONG
1455 && Z_LVAL_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == 1
1456 && ssa->ops[op_2].op1_use >= 0
1457 && !(ssa->var_info[ssa->ops[op_2].op1_use].type & (MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1458
1459 op_array->opcodes[op_2].opcode = ZEND_PRE_INC;
1460 SET_UNUSED(op_array->opcodes[op_2].op2);
1461 SET_UNUSED(op_array->opcodes[op_2].result);
1462
1463 ssa->ops[op_2].result_def = -1;
1464 ssa->ops[op_2].op1_def = v;
1465
1466 } else if (op_array->opcodes[op_2].opcode == ZEND_ADD
1467 && op_array->opcodes[op_2].op2_type == op_array->opcodes[op_2].result_type
1468 && op_array->opcodes[op_2].op2.var == op_array->opcodes[op_2].result.var
1469 && op_array->opcodes[op_2].op1_type == IS_CONST
1470 && Z_TYPE_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op1.constant)) == IS_LONG
1471 && Z_LVAL_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op1.constant)) == 1
1472 && ssa->ops[op_2].op2_use >= 0
1473 && !(ssa->var_info[ssa->ops[op_2].op2_use].type & (MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1474
1475 op_array->opcodes[op_2].opcode = ZEND_PRE_INC;
1476 op_array->opcodes[op_2].op1_type = op_array->opcodes[op_2].op2_type;
1477 op_array->opcodes[op_2].op1.var = op_array->opcodes[op_2].op2.var;
1478 SET_UNUSED(op_array->opcodes[op_2].op2);
1479 SET_UNUSED(op_array->opcodes[op_2].result);
1480
1481 ssa->ops[op_2].result_def = -1;
1482 ssa->ops[op_2].op1_def = v;
1483 ssa->ops[op_2].op1_use = ssa->ops[op_2].op2_use;
1484 ssa->ops[op_2].op1_use_chain = ssa->ops[op_2].op2_use_chain;
1485 ssa->ops[op_2].op2_use = -1;
1486 ssa->ops[op_2].op2_use_chain = -1;
1487 }
1488 }
1489 }
1490 }
1491
1492 if (ssa->vars[v].var >= op_array->last_var) {
1493 /* skip TMP and VAR */
1494 continue;
1495 }
1496
1497 if (ssa->ops[op_1].op1_def == v
1498 && RETURN_VALUE_USED(opline)) {
1499 if (opline->opcode == ZEND_ASSIGN
1500 || opline->opcode == ZEND_ASSIGN_OP
1501 || opline->opcode == ZEND_PRE_INC
1502 || opline->opcode == ZEND_PRE_DEC) {
1503 zend_dfa_try_to_replace_result(op_array, ssa, op_1, v);
1504 } else if (opline->opcode == ZEND_POST_INC) {
1505 int result_var = ssa->ops[op_1].result_def;
1506
1507 if (result_var >= 0
1508 && (ssa->var_info[result_var].type & ((MAY_BE_ANY|MAY_BE_REF|MAY_BE_UNDEF) - (MAY_BE_LONG|MAY_BE_DOUBLE))) == 0) {
1509 int use = ssa->vars[result_var].use_chain;
1510
1511 if (use >= 0 && op_array->opcodes[use].opcode == ZEND_IS_SMALLER
1512 && ssa->ops[use].op1_use == result_var
1513 && zend_dfa_try_to_replace_result(op_array, ssa, op_1, v)) {
1514 opline->opcode = ZEND_PRE_INC;
1515 op_array->opcodes[use].opcode = ZEND_IS_SMALLER_OR_EQUAL;
1516 }
1517 }
1518 } else if (opline->opcode == ZEND_POST_DEC) {
1519 int result_var = ssa->ops[op_1].result_def;
1520
1521 if (result_var >= 0
1522 && (ssa->var_info[result_var].type & ((MAY_BE_ANY|MAY_BE_REF|MAY_BE_UNDEF) - (MAY_BE_LONG|MAY_BE_DOUBLE))) == 0) {
1523 int use = ssa->vars[result_var].use_chain;
1524
1525 if (use >= 0 && op_array->opcodes[use].opcode == ZEND_IS_SMALLER
1526 && ssa->ops[use].op2_use == result_var
1527 && zend_dfa_try_to_replace_result(op_array, ssa, op_1, v)) {
1528 opline->opcode = ZEND_PRE_DEC;
1529 op_array->opcodes[use].opcode = ZEND_IS_SMALLER_OR_EQUAL;
1530 }
1531 }
1532 }
1533 }
1534
1535 if (opline->opcode == ZEND_ASSIGN
1536 && ssa->ops[op_1].op1_def == v
1537 && !RETURN_VALUE_USED(opline)
1538 ) {
1539 int orig_var = ssa->ops[op_1].op1_use;
1540
1541 if (orig_var >= 0
1542 && !(ssa->var_info[orig_var].type & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))
1543 ) {
1544 int src_var = ssa->ops[op_1].op2_use;
1545
1546 if ((opline->op2_type & (IS_TMP_VAR|IS_VAR))
1547 && src_var >= 0
1548 && !(ssa->var_info[src_var].type & MAY_BE_REF)
1549 && (ssa->var_info[src_var].type & (MAY_BE_UNDEF|MAY_BE_ANY))
1550 && ssa->vars[src_var].definition >= 0
1551 && ssa->ops[ssa->vars[src_var].definition].result_def == src_var
1552 && ssa->ops[ssa->vars[src_var].definition].result_use < 0
1553 && ssa->vars[src_var].use_chain == op_1
1554 && ssa->ops[op_1].op2_use_chain < 0
1555 && !ssa->vars[src_var].phi_use_chain
1556 && !ssa->vars[src_var].sym_use_chain
1557 && opline_supports_assign_contraction(
1558 op_array, ssa, &op_array->opcodes[ssa->vars[src_var].definition],
1559 src_var, opline->op1.var)
1560 && !variable_defined_or_used_in_range(ssa, EX_VAR_TO_NUM(opline->op1.var),
1561 ssa->vars[src_var].definition+1, op_1)
1562 ) {
1563
1564 int op_2 = ssa->vars[src_var].definition;
1565
1566 // op_2: #src_var.T = OP ... => #v.CV = OP ...
1567 // op_1: ASSIGN #orig_var.CV [undef,scalar] -> #v.CV, #src_var.T NOP
1568
1569 if (zend_ssa_unlink_use_chain(ssa, op_1, orig_var)) {
1570 /* Reconstruct SSA */
1571 ssa->vars[v].definition = op_2;
1572 ssa->ops[op_2].result_def = v;
1573
1574 ssa->vars[src_var].definition = -1;
1575 ssa->vars[src_var].use_chain = -1;
1576
1577 ssa->ops[op_1].op1_use = -1;
1578 ssa->ops[op_1].op2_use = -1;
1579 ssa->ops[op_1].op1_def = -1;
1580 ssa->ops[op_1].op1_use_chain = -1;
1581
1582 /* Update opcodes */
1583 op_array->opcodes[op_2].result_type = opline->op1_type;
1584 op_array->opcodes[op_2].result.var = opline->op1.var;
1585
1586 MAKE_NOP(opline);
1587 remove_nops = 1;
1588
1589 if (op_array->opcodes[op_2].opcode == ZEND_SUB
1590 && op_array->opcodes[op_2].op1_type == op_array->opcodes[op_2].result_type
1591 && op_array->opcodes[op_2].op1.var == op_array->opcodes[op_2].result.var
1592 && op_array->opcodes[op_2].op2_type == IS_CONST
1593 && Z_TYPE_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == IS_LONG
1594 && Z_LVAL_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == 1
1595 && ssa->ops[op_2].op1_use >= 0
1596 && !(ssa->var_info[ssa->ops[op_2].op1_use].type & (MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1597
1598 op_array->opcodes[op_2].opcode = ZEND_PRE_DEC;
1599 SET_UNUSED(op_array->opcodes[op_2].op2);
1600 SET_UNUSED(op_array->opcodes[op_2].result);
1601
1602 ssa->ops[op_2].result_def = -1;
1603 ssa->ops[op_2].op1_def = v;
1604
1605 } else if (op_array->opcodes[op_2].opcode == ZEND_ADD
1606 && op_array->opcodes[op_2].op1_type == op_array->opcodes[op_2].result_type
1607 && op_array->opcodes[op_2].op1.var == op_array->opcodes[op_2].result.var
1608 && op_array->opcodes[op_2].op2_type == IS_CONST
1609 && Z_TYPE_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == IS_LONG
1610 && Z_LVAL_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == 1
1611 && ssa->ops[op_2].op1_use >= 0
1612 && !(ssa->var_info[ssa->ops[op_2].op1_use].type & (MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1613
1614 op_array->opcodes[op_2].opcode = ZEND_PRE_INC;
1615 SET_UNUSED(op_array->opcodes[op_2].op2);
1616 SET_UNUSED(op_array->opcodes[op_2].result);
1617
1618 ssa->ops[op_2].result_def = -1;
1619 ssa->ops[op_2].op1_def = v;
1620
1621 } else if (op_array->opcodes[op_2].opcode == ZEND_ADD
1622 && op_array->opcodes[op_2].op2_type == op_array->opcodes[op_2].result_type
1623 && op_array->opcodes[op_2].op2.var == op_array->opcodes[op_2].result.var
1624 && op_array->opcodes[op_2].op1_type == IS_CONST
1625 && Z_TYPE_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op1.constant)) == IS_LONG
1626 && Z_LVAL_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op1.constant)) == 1
1627 && ssa->ops[op_2].op2_use >= 0
1628 && !(ssa->var_info[ssa->ops[op_2].op2_use].type & (MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1629
1630 op_array->opcodes[op_2].opcode = ZEND_PRE_INC;
1631 op_array->opcodes[op_2].op1_type = op_array->opcodes[op_2].op2_type;
1632 op_array->opcodes[op_2].op1.var = op_array->opcodes[op_2].op2.var;
1633 SET_UNUSED(op_array->opcodes[op_2].op2);
1634 SET_UNUSED(op_array->opcodes[op_2].result);
1635
1636 ssa->ops[op_2].result_def = -1;
1637 ssa->ops[op_2].op1_def = v;
1638 ssa->ops[op_2].op1_use = ssa->ops[op_2].op2_use;
1639 ssa->ops[op_2].op1_use_chain = ssa->ops[op_2].op2_use_chain;
1640 ssa->ops[op_2].op2_use = -1;
1641 ssa->ops[op_2].op2_use_chain = -1;
1642 }
1643 }
1644 } else if (opline->op2_type == IS_CONST
1645 || ((opline->op2_type & (IS_TMP_VAR|IS_VAR|IS_CV))
1646 && ssa->ops[op_1].op2_use >= 0
1647 && ssa->ops[op_1].op2_def < 0)
1648 ) {
1649
1650 // op_1: ASSIGN #orig_var.CV [undef,scalar] -> #v.CV, CONST|TMPVAR => QM_ASSIGN v.CV, CONST|TMPVAR
1651
1652 if (ssa->ops[op_1].op1_use != ssa->ops[op_1].op2_use) {
1653 zend_ssa_unlink_use_chain(ssa, op_1, orig_var);
1654 } else {
1655 ssa->ops[op_1].op2_use_chain = ssa->ops[op_1].op1_use_chain;
1656 }
1657
1658 /* Reconstruct SSA */
1659 ssa->ops[op_1].result_def = v;
1660 ssa->ops[op_1].op1_def = -1;
1661 ssa->ops[op_1].op1_use = ssa->ops[op_1].op2_use;
1662 ssa->ops[op_1].op1_use_chain = ssa->ops[op_1].op2_use_chain;
1663 ssa->ops[op_1].op2_use = -1;
1664 ssa->ops[op_1].op2_use_chain = -1;
1665
1666 /* Update opcode */
1667 opline->result_type = opline->op1_type;
1668 opline->result.var = opline->op1.var;
1669 opline->op1_type = opline->op2_type;
1670 opline->op1.var = opline->op2.var;
1671 opline->op2_type = IS_UNUSED;
1672 opline->op2.var = 0;
1673 opline->opcode = ZEND_QM_ASSIGN;
1674 }
1675 }
1676
1677 } else if (opline->opcode == ZEND_ASSIGN_OP
1678 && opline->extended_value == ZEND_ADD
1679 && ssa->ops[op_1].op1_def == v
1680 && opline->op2_type == IS_CONST
1681 && Z_TYPE_P(CT_CONSTANT_EX(op_array, opline->op2.constant)) == IS_LONG
1682 && Z_LVAL_P(CT_CONSTANT_EX(op_array, opline->op2.constant)) == 1
1683 && ssa->ops[op_1].op1_use >= 0
1684 && !(ssa->var_info[ssa->ops[op_1].op1_use].type & (MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1685
1686 // op_1: ASSIGN_ADD #?.CV [undef,null,int,foat] ->#v.CV, int(1) => PRE_INC #?.CV ->#v.CV
1687
1688 opline->opcode = ZEND_PRE_INC;
1689 opline->extended_value = 0;
1690 SET_UNUSED(opline->op2);
1691
1692 } else if (opline->opcode == ZEND_ASSIGN_OP
1693 && opline->extended_value == ZEND_SUB
1694 && ssa->ops[op_1].op1_def == v
1695 && opline->op2_type == IS_CONST
1696 && Z_TYPE_P(CT_CONSTANT_EX(op_array, opline->op2.constant)) == IS_LONG
1697 && Z_LVAL_P(CT_CONSTANT_EX(op_array, opline->op2.constant)) == 1
1698 && ssa->ops[op_1].op1_use >= 0
1699 && !(ssa->var_info[ssa->ops[op_1].op1_use].type & (MAY_BE_UNDEF|MAY_BE_NULL|MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1700
1701 // op_1: ASSIGN_SUB #?.CV [undef,null,int,foat] -> #v.CV, int(1) => PRE_DEC #?.CV ->#v.CV
1702
1703 opline->opcode = ZEND_PRE_DEC;
1704 opline->extended_value = 0;
1705 SET_UNUSED(opline->op2);
1706
1707 } else if (ssa->ops[op_1].op1_def == v
1708 && !RETURN_VALUE_USED(opline)
1709 && ssa->ops[op_1].op1_use >= 0
1710 && !(ssa->var_info[ssa->ops[op_1].op1_use].type & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))
1711 && opline->opcode == ZEND_ASSIGN_OP
1712 && opline->extended_value != ZEND_CONCAT) {
1713
1714 // op_1: ASSIGN_OP #orig_var.CV [undef,null,bool,int,double] -> #v.CV, ? => #v.CV = ADD #orig_var.CV, ?
1715
1716 /* Reconstruct SSA */
1717 ssa->ops[op_1].result_def = ssa->ops[op_1].op1_def;
1718 ssa->ops[op_1].op1_def = -1;
1719
1720 /* Update opcode */
1721 opline->opcode = opline->extended_value;
1722 opline->extended_value = 0;
1723 opline->result_type = opline->op1_type;
1724 opline->result.var = opline->op1.var;
1725
1726 }
1727 }
1728
1729 #if ZEND_DEBUG_DFA
1730 ssa_verify_integrity(op_array, ssa, "after dfa");
1731 #endif
1732
1733 if (remove_nops) {
1734 zend_ssa_remove_nops(op_array, ssa, ctx);
1735 #if ZEND_DEBUG_DFA
1736 ssa_verify_integrity(op_array, ssa, "after nop");
1737 #endif
1738 }
1739 }
1740
1741 if (ctx->debug_level & ZEND_DUMP_AFTER_DFA_PASS) {
1742 zend_dump_op_array(op_array, ZEND_DUMP_SSA, "after dfa pass", ssa);
1743 }
1744 }
1745
zend_optimize_dfa(zend_op_array * op_array,zend_optimizer_ctx * ctx)1746 void zend_optimize_dfa(zend_op_array *op_array, zend_optimizer_ctx *ctx)
1747 {
1748 void *checkpoint = zend_arena_checkpoint(ctx->arena);
1749 zend_ssa ssa;
1750
1751 if (zend_dfa_analyze_op_array(op_array, ctx, &ssa) != SUCCESS) {
1752 zend_arena_release(&ctx->arena, checkpoint);
1753 return;
1754 }
1755
1756 zend_dfa_optimize_op_array(op_array, ctx, &ssa, NULL);
1757
1758 /* Destroy SSA */
1759 zend_arena_release(&ctx->arena, checkpoint);
1760 }
1761