1 /*
2 +----------------------------------------------------------------------+
3 | Zend OPcache |
4 +----------------------------------------------------------------------+
5 | Copyright (c) The PHP Group |
6 +----------------------------------------------------------------------+
7 | This source file is subject to version 3.01 of the PHP license, |
8 | that is bundled with this package in the file LICENSE, and is |
9 | available through the world-wide-web at the following url: |
10 | https://www.php.net/license/3_01.txt |
11 | If you did not receive a copy of the PHP license and are unable to |
12 | obtain it through the world-wide-web, please send a note to |
13 | license@php.net so we can mail you a copy immediately. |
14 +----------------------------------------------------------------------+
15 | Authors: Dmitry Stogov <dmitry@php.net> |
16 +----------------------------------------------------------------------+
17 */
18
19 #include "Optimizer/zend_optimizer.h"
20 #include "Optimizer/zend_optimizer_internal.h"
21 #include "zend_API.h"
22 #include "zend_constants.h"
23 #include "zend_execute.h"
24 #include "zend_vm.h"
25 #include "zend_bitset.h"
26 #include "zend_cfg.h"
27 #include "zend_ssa.h"
28 #include "zend_func_info.h"
29 #include "zend_call_graph.h"
30 #include "zend_inference.h"
31 #include "zend_dump.h"
32
33 #ifndef ZEND_DEBUG_DFA
34 # define ZEND_DEBUG_DFA ZEND_DEBUG
35 #endif
36
37 #if ZEND_DEBUG_DFA
38 # include "ssa_integrity.c"
39 #endif
40
zend_dfa_analyze_op_array(zend_op_array * op_array,zend_optimizer_ctx * ctx,zend_ssa * ssa)41 zend_result zend_dfa_analyze_op_array(zend_op_array *op_array, zend_optimizer_ctx *ctx, zend_ssa *ssa)
42 {
43 uint32_t build_flags;
44
45 if (op_array->last_try_catch) {
46 /* TODO: we can't analyze functions with try/catch/finally ??? */
47 return FAILURE;
48 }
49
50 /* Build SSA */
51 memset(ssa, 0, sizeof(zend_ssa));
52
53 zend_build_cfg(&ctx->arena, op_array, ZEND_CFG_NO_ENTRY_PREDECESSORS, &ssa->cfg);
54
55 if ((ssa->cfg.flags & ZEND_FUNC_INDIRECT_VAR_ACCESS)) {
56 /* TODO: we can't analyze functions with indirect variable access ??? */
57 return FAILURE;
58 }
59
60 zend_cfg_build_predecessors(&ctx->arena, &ssa->cfg);
61
62 if (ctx->debug_level & ZEND_DUMP_DFA_CFG) {
63 zend_dump_op_array(op_array, ZEND_DUMP_CFG, "dfa cfg", &ssa->cfg);
64 }
65
66 /* Compute Dominators Tree */
67 zend_cfg_compute_dominators_tree(op_array, &ssa->cfg);
68
69 /* Identify reducible and irreducible loops */
70 zend_cfg_identify_loops(op_array, &ssa->cfg);
71
72 if (ctx->debug_level & ZEND_DUMP_DFA_DOMINATORS) {
73 zend_dump_dominators(op_array, &ssa->cfg);
74 }
75
76 build_flags = 0;
77 if (ctx->debug_level & ZEND_DUMP_DFA_LIVENESS) {
78 build_flags |= ZEND_SSA_DEBUG_LIVENESS;
79 }
80 if (ctx->debug_level & ZEND_DUMP_DFA_PHI) {
81 build_flags |= ZEND_SSA_DEBUG_PHI_PLACEMENT;
82 }
83 if (zend_build_ssa(&ctx->arena, ctx->script, op_array, build_flags, ssa) == FAILURE) {
84 return FAILURE;
85 }
86
87 if (ctx->debug_level & ZEND_DUMP_DFA_SSA) {
88 zend_dump_op_array(op_array, ZEND_DUMP_SSA, "dfa ssa", ssa);
89 }
90
91
92 zend_ssa_compute_use_def_chains(&ctx->arena, op_array, ssa);
93
94 zend_ssa_find_false_dependencies(op_array, ssa);
95
96 zend_ssa_find_sccs(op_array, ssa);
97
98 if (zend_ssa_inference(&ctx->arena, op_array, ctx->script, ssa, ctx->optimization_level) == FAILURE) {
99 return FAILURE;
100 }
101
102 if (zend_ssa_escape_analysis(ctx->script, op_array, ssa) == FAILURE) {
103 return FAILURE;
104 }
105
106 if (ctx->debug_level & ZEND_DUMP_DFA_SSA_VARS) {
107 zend_dump_ssa_variables(op_array, ssa, 0);
108 }
109
110 return SUCCESS;
111 }
112
zend_ssa_remove_nops(zend_op_array * op_array,zend_ssa * ssa,zend_optimizer_ctx * ctx)113 static void zend_ssa_remove_nops(zend_op_array *op_array, zend_ssa *ssa, zend_optimizer_ctx *ctx)
114 {
115 zend_basic_block *blocks = ssa->cfg.blocks;
116 zend_basic_block *blocks_end = blocks + ssa->cfg.blocks_count;
117 zend_basic_block *b;
118 zend_func_info *func_info;
119 int j;
120 uint32_t i = 0;
121 uint32_t target = 0;
122 uint32_t *shiftlist;
123 ALLOCA_FLAG(use_heap);
124
125 shiftlist = (uint32_t *)do_alloca(sizeof(uint32_t) * op_array->last, use_heap);
126 memset(shiftlist, 0, sizeof(uint32_t) * op_array->last);
127 /* remove empty callee_info */
128 func_info = ZEND_FUNC_INFO(op_array);
129 if (func_info) {
130 zend_call_info **call_info = &func_info->callee_info;
131 while ((*call_info)) {
132 if ((*call_info)->caller_init_opline->opcode == ZEND_NOP) {
133 *call_info = (*call_info)->next_callee;
134 } else {
135 call_info = &(*call_info)->next_callee;
136 }
137 }
138 }
139
140 for (b = blocks; b < blocks_end; b++) {
141 if (b->flags & (ZEND_BB_REACHABLE|ZEND_BB_UNREACHABLE_FREE)) {
142 if (b->len) {
143 uint32_t new_start, old_end;
144 while (i < b->start) {
145 shiftlist[i] = i - target;
146 i++;
147 }
148
149 if (b->flags & ZEND_BB_UNREACHABLE_FREE) {
150 /* Only keep the FREE for the loop var */
151 ZEND_ASSERT(op_array->opcodes[b->start].opcode == ZEND_FREE
152 || op_array->opcodes[b->start].opcode == ZEND_FE_FREE);
153 b->len = 1;
154 }
155
156 new_start = target;
157 old_end = b->start + b->len;
158 while (i < old_end) {
159 shiftlist[i] = i - target;
160 if (EXPECTED(op_array->opcodes[i].opcode != ZEND_NOP)) {
161 if (i != target) {
162 op_array->opcodes[target] = op_array->opcodes[i];
163 ssa->ops[target] = ssa->ops[i];
164 ssa->cfg.map[target] = b - blocks;
165 }
166 target++;
167 }
168 i++;
169 }
170 b->start = new_start;
171 if (target != old_end) {
172 zend_op *opline;
173 zend_op *new_opline;
174
175 b->len = target - b->start;
176 opline = op_array->opcodes + old_end - 1;
177 if (opline->opcode == ZEND_NOP) {
178 continue;
179 }
180
181 new_opline = op_array->opcodes + target - 1;
182 zend_optimizer_migrate_jump(op_array, new_opline, opline);
183 }
184 } else {
185 b->start = target;
186 }
187 } else {
188 b->start = target;
189 b->len = 0;
190 }
191 }
192
193 if (target != op_array->last) {
194 /* reset rest opcodes */
195 for (i = target; i < op_array->last; i++) {
196 MAKE_NOP(op_array->opcodes + i);
197 }
198
199 /* update SSA variables */
200 for (j = 0; j < ssa->vars_count; j++) {
201 if (ssa->vars[j].definition >= 0) {
202 ssa->vars[j].definition -= shiftlist[ssa->vars[j].definition];
203 }
204 if (ssa->vars[j].use_chain >= 0) {
205 ssa->vars[j].use_chain -= shiftlist[ssa->vars[j].use_chain];
206 }
207 }
208 for (i = 0; i < op_array->last; i++) {
209 if (ssa->ops[i].op1_use_chain >= 0) {
210 ssa->ops[i].op1_use_chain -= shiftlist[ssa->ops[i].op1_use_chain];
211 }
212 if (ssa->ops[i].op2_use_chain >= 0) {
213 ssa->ops[i].op2_use_chain -= shiftlist[ssa->ops[i].op2_use_chain];
214 }
215 if (ssa->ops[i].res_use_chain >= 0) {
216 ssa->ops[i].res_use_chain -= shiftlist[ssa->ops[i].res_use_chain];
217 }
218 }
219
220 /* update branch targets */
221 for (b = blocks; b < blocks_end; b++) {
222 if ((b->flags & ZEND_BB_REACHABLE) && b->len != 0) {
223 zend_op *opline = op_array->opcodes + b->start + b->len - 1;
224 zend_optimizer_shift_jump(op_array, opline, shiftlist);
225 }
226 }
227
228 /* update try/catch array */
229 for (j = 0; j < op_array->last_try_catch; j++) {
230 op_array->try_catch_array[j].try_op -= shiftlist[op_array->try_catch_array[j].try_op];
231 op_array->try_catch_array[j].catch_op -= shiftlist[op_array->try_catch_array[j].catch_op];
232 if (op_array->try_catch_array[j].finally_op) {
233 op_array->try_catch_array[j].finally_op -= shiftlist[op_array->try_catch_array[j].finally_op];
234 op_array->try_catch_array[j].finally_end -= shiftlist[op_array->try_catch_array[j].finally_end];
235 }
236 }
237
238 /* update call graph */
239 if (func_info) {
240 zend_call_info *call_info = func_info->callee_info;
241 while (call_info) {
242 call_info->caller_init_opline -=
243 shiftlist[call_info->caller_init_opline - op_array->opcodes];
244 if (call_info->caller_call_opline) {
245 call_info->caller_call_opline -=
246 shiftlist[call_info->caller_call_opline - op_array->opcodes];
247 }
248 call_info = call_info->next_callee;
249 }
250 }
251
252 op_array->last = target;
253 }
254 free_alloca(shiftlist, use_heap);
255 }
256
safe_instanceof(zend_class_entry * ce1,zend_class_entry * ce2)257 static bool safe_instanceof(zend_class_entry *ce1, zend_class_entry *ce2) {
258 if (ce1 == ce2) {
259 return 1;
260 }
261 if (!(ce1->ce_flags & ZEND_ACC_LINKED)) {
262 /* This case could be generalized, similarly to unlinked_instanceof */
263 return 0;
264 }
265 return instanceof_function(ce1, ce2);
266 }
267
can_elide_list_type(const zend_script * script,const zend_op_array * op_array,const zend_ssa_var_info * use_info,zend_type type)268 static inline bool can_elide_list_type(
269 const zend_script *script, const zend_op_array *op_array,
270 const zend_ssa_var_info *use_info, zend_type type)
271 {
272 zend_type *single_type;
273 /* For intersection: result==false is failure, default is success.
274 * For union: result==true is success, default is failure. */
275 bool is_intersection = ZEND_TYPE_IS_INTERSECTION(type);
276 ZEND_TYPE_FOREACH(type, single_type) {
277 if (ZEND_TYPE_HAS_LIST(*single_type)) {
278 ZEND_ASSERT(!is_intersection);
279 return can_elide_list_type(script, op_array, use_info, *single_type);
280 }
281 if (ZEND_TYPE_HAS_NAME(*single_type)) {
282 zend_string *lcname = zend_string_tolower(ZEND_TYPE_NAME(*single_type));
283 zend_class_entry *ce = zend_optimizer_get_class_entry(script, op_array, lcname);
284 zend_string_release(lcname);
285 bool result = ce && safe_instanceof(use_info->ce, ce);
286 if (result == !is_intersection) {
287 return result;
288 }
289 }
290 } ZEND_TYPE_FOREACH_END();
291 return is_intersection;
292 }
293
can_elide_return_type_check(const zend_script * script,zend_op_array * op_array,zend_ssa * ssa,zend_ssa_op * ssa_op)294 static inline bool can_elide_return_type_check(
295 const zend_script *script, zend_op_array *op_array, zend_ssa *ssa, zend_ssa_op *ssa_op) {
296 zend_arg_info *arg_info = &op_array->arg_info[-1];
297 zend_ssa_var_info *use_info = &ssa->var_info[ssa_op->op1_use];
298 uint32_t use_type = use_info->type & (MAY_BE_ANY|MAY_BE_UNDEF);
299 if (use_type & MAY_BE_REF) {
300 return 0;
301 }
302
303 if (use_type & MAY_BE_UNDEF) {
304 use_type &= ~MAY_BE_UNDEF;
305 use_type |= MAY_BE_NULL;
306 }
307
308 uint32_t disallowed_types = use_type & ~ZEND_TYPE_PURE_MASK(arg_info->type);
309 if (!disallowed_types) {
310 /* Only contains allowed types. */
311 return true;
312 }
313
314 if (disallowed_types == MAY_BE_OBJECT && use_info->ce && ZEND_TYPE_IS_COMPLEX(arg_info->type)) {
315 return can_elide_list_type(script, op_array, use_info, arg_info->type);
316 }
317
318 return false;
319 }
320
opline_supports_assign_contraction(zend_op_array * op_array,zend_ssa * ssa,zend_op * opline,int src_var,uint32_t cv_var)321 static bool opline_supports_assign_contraction(
322 zend_op_array *op_array, zend_ssa *ssa, zend_op *opline, int src_var, uint32_t cv_var) {
323 if (opline->opcode == ZEND_NEW) {
324 /* see Zend/tests/generators/aborted_yield_during_new.phpt */
325 return 0;
326 }
327
328 if (opline->opcode == ZEND_DO_ICALL || opline->opcode == ZEND_DO_UCALL
329 || opline->opcode == ZEND_DO_FCALL || opline->opcode == ZEND_DO_FCALL_BY_NAME) {
330 /* Function calls may dtor the return value after it has already been written -- allow
331 * direct assignment only for types where a double-dtor does not matter. */
332 uint32_t type = ssa->var_info[src_var].type;
333 uint32_t simple = MAY_BE_NULL|MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_LONG|MAY_BE_DOUBLE;
334 return !((type & MAY_BE_ANY) & ~simple);
335 }
336
337 if (opline->opcode == ZEND_POST_INC || opline->opcode == ZEND_POST_DEC) {
338 /* POST_INC/DEC write the result variable before performing the inc/dec. For $i = $i++
339 * eliding the temporary variable would thus yield an incorrect result. */
340 return opline->op1_type != IS_CV || opline->op1.var != cv_var;
341 }
342
343 if (opline->opcode == ZEND_INIT_ARRAY) {
344 /* INIT_ARRAY initializes the result array before reading key/value. */
345 return (opline->op1_type != IS_CV || opline->op1.var != cv_var)
346 && (opline->op2_type != IS_CV || opline->op2.var != cv_var);
347 }
348
349 if (opline->opcode == ZEND_CAST
350 && (opline->extended_value == IS_ARRAY || opline->extended_value == IS_OBJECT)) {
351 /* CAST to array/object may initialize the result to an empty array/object before
352 * reading the expression. */
353 return opline->op1_type != IS_CV || opline->op1.var != cv_var;
354 }
355
356 if ((opline->opcode == ZEND_ASSIGN_OP
357 || opline->opcode == ZEND_ASSIGN_OBJ
358 || opline->opcode == ZEND_ASSIGN_DIM
359 || opline->opcode == ZEND_ASSIGN_OBJ_OP
360 || opline->opcode == ZEND_ASSIGN_DIM_OP)
361 && opline->op1_type == IS_CV
362 && opline->op1.var == cv_var
363 && zend_may_throw(opline, &ssa->ops[ssa->vars[src_var].definition], op_array, ssa)) {
364 return 0;
365 }
366
367 return 1;
368 }
369
variable_defined_or_used_in_range(zend_ssa * ssa,int var,int start,int end)370 static bool variable_defined_or_used_in_range(zend_ssa *ssa, int var, int start, int end)
371 {
372 while (start < end) {
373 const zend_ssa_op *ssa_op = &ssa->ops[start];
374 if ((ssa_op->op1_def >= 0 && ssa->vars[ssa_op->op1_def].var == var) ||
375 (ssa_op->op2_def >= 0 && ssa->vars[ssa_op->op2_def].var == var) ||
376 (ssa_op->result_def >= 0 && ssa->vars[ssa_op->result_def].var == var) ||
377 (ssa_op->op1_use >= 0 && ssa->vars[ssa_op->op1_use].var == var) ||
378 (ssa_op->op2_use >= 0 && ssa->vars[ssa_op->op2_use].var == var) ||
379 (ssa_op->result_use >= 0 && ssa->vars[ssa_op->result_use].var == var)
380 ) {
381 return 1;
382 }
383 start++;
384 }
385 return 0;
386 }
387
zend_dfa_optimize_calls(zend_op_array * op_array,zend_ssa * ssa)388 int zend_dfa_optimize_calls(zend_op_array *op_array, zend_ssa *ssa)
389 {
390 zend_func_info *func_info = ZEND_FUNC_INFO(op_array);
391 int removed_ops = 0;
392
393 if (func_info->callee_info) {
394 zend_call_info *call_info = func_info->callee_info;
395
396 do {
397 if (call_info->caller_call_opline
398 && call_info->caller_call_opline->opcode == ZEND_DO_ICALL
399 && call_info->callee_func
400 && zend_string_equals_literal(call_info->callee_func->common.function_name, "in_array")
401 && (call_info->caller_init_opline->extended_value == 2
402 || (call_info->caller_init_opline->extended_value == 3
403 && (call_info->caller_call_opline - 1)->opcode == ZEND_SEND_VAL
404 && (call_info->caller_call_opline - 1)->op1_type == IS_CONST))) {
405
406 zend_op *send_array;
407 zend_op *send_needly;
408 bool strict = 0;
409 ZEND_ASSERT(!call_info->is_prototype);
410
411 if (call_info->caller_init_opline->extended_value == 2) {
412 send_array = call_info->caller_call_opline - 1;
413 send_needly = call_info->caller_call_opline - 2;
414 } else {
415 if (zend_is_true(CT_CONSTANT_EX(op_array, (call_info->caller_call_opline - 1)->op1.constant))) {
416 strict = 1;
417 }
418 send_array = call_info->caller_call_opline - 2;
419 send_needly = call_info->caller_call_opline - 3;
420 }
421
422 if (send_array->opcode == ZEND_SEND_VAL
423 && send_array->op1_type == IS_CONST
424 && Z_TYPE_P(CT_CONSTANT_EX(op_array, send_array->op1.constant)) == IS_ARRAY
425 && (send_needly->opcode == ZEND_SEND_VAL
426 || send_needly->opcode == ZEND_SEND_VAR)
427 ) {
428 bool ok = 1;
429
430 HashTable *src = Z_ARRVAL_P(CT_CONSTANT_EX(op_array, send_array->op1.constant));
431 HashTable *dst;
432 zval *val, tmp;
433 zend_ulong idx;
434
435 ZVAL_TRUE(&tmp);
436 dst = zend_new_array(zend_hash_num_elements(src));
437 if (strict) {
438 ZEND_HASH_FOREACH_VAL(src, val) {
439 if (Z_TYPE_P(val) == IS_STRING) {
440 zend_hash_add(dst, Z_STR_P(val), &tmp);
441 } else if (Z_TYPE_P(val) == IS_LONG) {
442 zend_hash_index_add(dst, Z_LVAL_P(val), &tmp);
443 } else {
444 zend_array_destroy(dst);
445 ok = 0;
446 break;
447 }
448 } ZEND_HASH_FOREACH_END();
449 } else {
450 ZEND_HASH_FOREACH_VAL(src, val) {
451 if (Z_TYPE_P(val) != IS_STRING || ZEND_HANDLE_NUMERIC(Z_STR_P(val), idx)) {
452 zend_array_destroy(dst);
453 ok = 0;
454 break;
455 }
456 zend_hash_add(dst, Z_STR_P(val), &tmp);
457 } ZEND_HASH_FOREACH_END();
458 }
459
460 if (ok) {
461 uint32_t op_num = send_needly - op_array->opcodes;
462 zend_ssa_op *ssa_op = ssa->ops + op_num;
463
464 if (ssa_op->op1_use >= 0) {
465 /* Reconstruct SSA */
466 int var_num = ssa_op->op1_use;
467 zend_ssa_var *var = ssa->vars + var_num;
468
469 ZEND_ASSERT(ssa_op->op1_def < 0);
470 zend_ssa_unlink_use_chain(ssa, op_num, ssa_op->op1_use);
471 ssa_op->op1_use = -1;
472 ssa_op->op1_use_chain = -1;
473 op_num = call_info->caller_call_opline - op_array->opcodes;
474 ssa_op = ssa->ops + op_num;
475 ssa_op->op1_use = var_num;
476 ssa_op->op1_use_chain = var->use_chain;
477 var->use_chain = op_num;
478 }
479
480 ZVAL_ARR(&tmp, dst);
481
482 /* Update opcode */
483 call_info->caller_call_opline->opcode = ZEND_IN_ARRAY;
484 call_info->caller_call_opline->extended_value = strict;
485 call_info->caller_call_opline->op1_type = send_needly->op1_type;
486 call_info->caller_call_opline->op1.num = send_needly->op1.num;
487 call_info->caller_call_opline->op2_type = IS_CONST;
488 call_info->caller_call_opline->op2.constant = zend_optimizer_add_literal(op_array, &tmp);
489 if (call_info->caller_init_opline->extended_value == 3) {
490 MAKE_NOP(call_info->caller_call_opline - 1);
491 }
492 MAKE_NOP(call_info->caller_init_opline);
493 MAKE_NOP(send_needly);
494 MAKE_NOP(send_array);
495 removed_ops++;
496
497 op_num = call_info->caller_call_opline - op_array->opcodes;
498 ssa_op = ssa->ops + op_num;
499 if (ssa_op->result_def >= 0) {
500 int var = ssa_op->result_def;
501 int use = ssa->vars[var].use_chain;
502
503 /* If the result is used only in a JMPZ/JMPNZ, replace result type with
504 * IS_TMP_VAR, which will enable use of smart branches. Don't do this
505 * in other cases, as not all opcodes support both VAR and TMP. */
506 if (ssa->vars[var].phi_use_chain == NULL
507 && ssa->ops[use].op1_use == var
508 && ssa->ops[use].op1_use_chain == -1
509 && (op_array->opcodes[use].opcode == ZEND_JMPZ
510 || op_array->opcodes[use].opcode == ZEND_JMPNZ)) {
511 call_info->caller_call_opline->result_type = IS_TMP_VAR;
512 op_array->opcodes[use].op1_type = IS_TMP_VAR;
513 }
514 }
515 }
516 }
517 }
518 call_info = call_info->next_callee;
519 } while (call_info);
520 }
521
522 return removed_ops;
523 }
524
take_successor_0(zend_ssa * ssa,int block_num,zend_basic_block * block)525 static zend_always_inline void take_successor_0(zend_ssa *ssa, int block_num, zend_basic_block *block)
526 {
527 if (block->successors_count == 2) {
528 if (block->successors[1] != block->successors[0]) {
529 zend_ssa_remove_predecessor(ssa, block_num, block->successors[1]);
530 }
531 block->successors_count = 1;
532 }
533 }
534
take_successor_1(zend_ssa * ssa,int block_num,zend_basic_block * block)535 static zend_always_inline void take_successor_1(zend_ssa *ssa, int block_num, zend_basic_block *block)
536 {
537 if (block->successors_count == 2) {
538 if (block->successors[1] != block->successors[0]) {
539 zend_ssa_remove_predecessor(ssa, block_num, block->successors[0]);
540 block->successors[0] = block->successors[1];
541 }
542 block->successors_count = 1;
543 }
544 }
545
take_successor_ex(zend_ssa * ssa,int block_num,zend_basic_block * block,int target_block)546 static zend_always_inline void take_successor_ex(zend_ssa *ssa, int block_num, zend_basic_block *block, int target_block)
547 {
548 int i;
549
550 for (i = 0; i < block->successors_count; i++) {
551 if (block->successors[i] != target_block) {
552 zend_ssa_remove_predecessor(ssa, block_num, block->successors[i]);
553 }
554 }
555 block->successors[0] = target_block;
556 block->successors_count = 1;
557 }
558
compress_block(zend_op_array * op_array,zend_basic_block * block)559 static void compress_block(zend_op_array *op_array, zend_basic_block *block)
560 {
561 while (block->len > 0) {
562 zend_op *opline = &op_array->opcodes[block->start + block->len - 1];
563
564 if (opline->opcode == ZEND_NOP) {
565 block->len--;
566 } else {
567 break;
568 }
569 }
570 }
571
replace_predecessor(zend_ssa * ssa,int block_id,int old_pred,int new_pred)572 static void replace_predecessor(zend_ssa *ssa, int block_id, int old_pred, int new_pred) {
573 zend_basic_block *block = &ssa->cfg.blocks[block_id];
574 int *predecessors = &ssa->cfg.predecessors[block->predecessor_offset];
575 zend_ssa_phi *phi;
576
577 int i;
578 int old_pred_idx = -1;
579 int new_pred_idx = -1;
580 for (i = 0; i < block->predecessors_count; i++) {
581 if (predecessors[i] == old_pred) {
582 old_pred_idx = i;
583 }
584 if (predecessors[i] == new_pred) {
585 new_pred_idx = i;
586 }
587 }
588
589 ZEND_ASSERT(old_pred_idx != -1);
590 if (new_pred_idx == -1) {
591 /* If the new predecessor doesn't exist yet, simply rewire the old one */
592 predecessors[old_pred_idx] = new_pred;
593 } else {
594 /* Otherwise, rewiring the old predecessor would make the new predecessor appear
595 * twice, which violates our CFG invariants. Remove the old predecessor instead. */
596 memmove(
597 predecessors + old_pred_idx,
598 predecessors + old_pred_idx + 1,
599 sizeof(int) * (block->predecessors_count - old_pred_idx - 1)
600 );
601
602 /* Also remove the corresponding phi node entries */
603 for (phi = ssa->blocks[block_id].phis; phi; phi = phi->next) {
604 if (phi->pi >= 0) {
605 if (phi->pi == old_pred || phi->pi == new_pred) {
606 zend_ssa_rename_var_uses(
607 ssa, phi->ssa_var, phi->sources[0], /* update_types */ 0);
608 zend_ssa_remove_phi(ssa, phi);
609 }
610 } else {
611 memmove(
612 phi->sources + old_pred_idx,
613 phi->sources + old_pred_idx + 1,
614 sizeof(int) * (block->predecessors_count - old_pred_idx - 1)
615 );
616 }
617 }
618
619 block->predecessors_count--;
620 }
621 }
622
zend_ssa_replace_control_link(zend_op_array * op_array,zend_ssa * ssa,int from,int to,int new_to)623 static void zend_ssa_replace_control_link(zend_op_array *op_array, zend_ssa *ssa, int from, int to, int new_to)
624 {
625 zend_basic_block *src = &ssa->cfg.blocks[from];
626 zend_basic_block *old = &ssa->cfg.blocks[to];
627 zend_basic_block *dst = &ssa->cfg.blocks[new_to];
628 int i;
629 zend_op *opline;
630
631 for (i = 0; i < src->successors_count; i++) {
632 if (src->successors[i] == to) {
633 src->successors[i] = new_to;
634 }
635 }
636
637 if (src->len > 0) {
638 opline = op_array->opcodes + src->start + src->len - 1;
639 switch (opline->opcode) {
640 case ZEND_JMP:
641 case ZEND_FAST_CALL:
642 ZEND_ASSERT(ZEND_OP1_JMP_ADDR(opline) == op_array->opcodes + old->start);
643 ZEND_SET_OP_JMP_ADDR(opline, opline->op1, op_array->opcodes + dst->start);
644 break;
645 case ZEND_JMPZ:
646 case ZEND_JMPNZ:
647 case ZEND_JMPZ_EX:
648 case ZEND_JMPNZ_EX:
649 case ZEND_FE_RESET_R:
650 case ZEND_FE_RESET_RW:
651 case ZEND_JMP_SET:
652 case ZEND_COALESCE:
653 case ZEND_ASSERT_CHECK:
654 case ZEND_JMP_NULL:
655 case ZEND_BIND_INIT_STATIC_OR_JMP:
656 case ZEND_JMP_FRAMELESS:
657 if (ZEND_OP2_JMP_ADDR(opline) == op_array->opcodes + old->start) {
658 ZEND_SET_OP_JMP_ADDR(opline, opline->op2, op_array->opcodes + dst->start);
659 }
660 break;
661 case ZEND_CATCH:
662 if (!(opline->extended_value & ZEND_LAST_CATCH)) {
663 if (ZEND_OP2_JMP_ADDR(opline) == op_array->opcodes + old->start) {
664 ZEND_SET_OP_JMP_ADDR(opline, opline->op2, op_array->opcodes + dst->start);
665 }
666 }
667 break;
668 case ZEND_FE_FETCH_R:
669 case ZEND_FE_FETCH_RW:
670 if (ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, opline->extended_value) == old->start) {
671 opline->extended_value = ZEND_OPLINE_NUM_TO_OFFSET(op_array, opline, dst->start);
672 }
673 break;
674 case ZEND_SWITCH_LONG:
675 case ZEND_SWITCH_STRING:
676 case ZEND_MATCH:
677 {
678 HashTable *jumptable = Z_ARRVAL(ZEND_OP2_LITERAL(opline));
679 zval *zv;
680 ZEND_HASH_FOREACH_VAL(jumptable, zv) {
681 if (ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, Z_LVAL_P(zv)) == old->start) {
682 Z_LVAL_P(zv) = ZEND_OPLINE_NUM_TO_OFFSET(op_array, opline, dst->start);
683 }
684 } ZEND_HASH_FOREACH_END();
685 if (ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, opline->extended_value) == old->start) {
686 opline->extended_value = ZEND_OPLINE_NUM_TO_OFFSET(op_array, opline, dst->start);
687 }
688 break;
689 }
690 }
691 }
692
693 replace_predecessor(ssa, new_to, to, from);
694 }
695
zend_ssa_unlink_block(zend_op_array * op_array,zend_ssa * ssa,zend_basic_block * block,int block_num)696 static void zend_ssa_unlink_block(zend_op_array *op_array, zend_ssa *ssa, zend_basic_block *block, int block_num)
697 {
698 if (block->predecessors_count == 1 && ssa->blocks[block_num].phis == NULL) {
699 int *predecessors, i;
700 zend_basic_block *fe_fetch_block = NULL;
701
702 ZEND_ASSERT(block->successors_count == 1);
703 predecessors = &ssa->cfg.predecessors[block->predecessor_offset];
704 if (block->predecessors_count == 1 && (block->flags & ZEND_BB_FOLLOW)) {
705 zend_basic_block *pred_block = &ssa->cfg.blocks[predecessors[0]];
706
707 if (pred_block->len > 0 && (pred_block->flags & ZEND_BB_REACHABLE)) {
708 if ((op_array->opcodes[pred_block->start + pred_block->len - 1].opcode == ZEND_FE_FETCH_R
709 || op_array->opcodes[pred_block->start + pred_block->len - 1].opcode == ZEND_FE_FETCH_RW)
710 && op_array->opcodes[pred_block->start + pred_block->len - 1].op2_type == IS_CV) {
711 fe_fetch_block = pred_block;
712 }
713 }
714 }
715 for (i = 0; i < block->predecessors_count; i++) {
716 zend_ssa_replace_control_link(op_array, ssa, predecessors[i], block_num, block->successors[0]);
717 }
718 zend_ssa_remove_block(op_array, ssa, block_num);
719 if (fe_fetch_block && fe_fetch_block->successors[0] == fe_fetch_block->successors[1]) {
720 /* The body of "foreach" loop was removed */
721 int ssa_var = ssa->ops[fe_fetch_block->start + fe_fetch_block->len - 1].op2_def;
722 if (ssa_var >= 0) {
723 zend_ssa_remove_uses_of_var(ssa, ssa_var);
724 }
725 }
726 }
727 }
728
zend_dfa_optimize_jmps(zend_op_array * op_array,zend_ssa * ssa)729 static int zend_dfa_optimize_jmps(zend_op_array *op_array, zend_ssa *ssa)
730 {
731 int removed_ops = 0;
732 int block_num = 0;
733
734 for (block_num = 1; block_num < ssa->cfg.blocks_count; block_num++) {
735 zend_basic_block *block = &ssa->cfg.blocks[block_num];
736
737 if (!(block->flags & ZEND_BB_REACHABLE)) {
738 continue;
739 }
740 compress_block(op_array, block);
741 if (block->len == 0) {
742 zend_ssa_unlink_block(op_array, ssa, block, block_num);
743 }
744 }
745
746 block_num = 0;
747 while (block_num < ssa->cfg.blocks_count
748 && !(ssa->cfg.blocks[block_num].flags & ZEND_BB_REACHABLE)) {
749 block_num++;
750 }
751 while (block_num < ssa->cfg.blocks_count) {
752 int next_block_num = block_num + 1;
753 zend_basic_block *block = &ssa->cfg.blocks[block_num];
754 uint32_t op_num;
755 zend_op *opline;
756 zend_ssa_op *ssa_op;
757 bool can_follow = 1;
758
759 while (next_block_num < ssa->cfg.blocks_count
760 && !(ssa->cfg.blocks[next_block_num].flags & ZEND_BB_REACHABLE)) {
761 if (ssa->cfg.blocks[next_block_num].flags & ZEND_BB_UNREACHABLE_FREE) {
762 can_follow = 0;
763 }
764 next_block_num++;
765 }
766
767 if (block->len) {
768 op_num = block->start + block->len - 1;
769 opline = op_array->opcodes + op_num;
770 ssa_op = ssa->ops + op_num;
771
772 switch (opline->opcode) {
773 case ZEND_JMP:
774 optimize_jmp:
775 if (block->successors[0] == next_block_num && can_follow) {
776 MAKE_NOP(opline);
777 removed_ops++;
778 goto optimize_nop;
779 }
780 break;
781 case ZEND_JMPZ:
782 optimize_jmpz:
783 if (opline->op1_type == IS_CONST) {
784 if (zend_is_true(CT_CONSTANT_EX(op_array, opline->op1.constant))) {
785 MAKE_NOP(opline);
786 removed_ops++;
787 take_successor_1(ssa, block_num, block);
788 goto optimize_nop;
789 } else {
790 opline->opcode = ZEND_JMP;
791 COPY_NODE(opline->op1, opline->op2);
792 take_successor_0(ssa, block_num, block);
793 goto optimize_jmp;
794 }
795 } else {
796 if (block->successors[0] == next_block_num && can_follow) {
797 take_successor_0(ssa, block_num, block);
798 if (opline->op1_type == IS_CV && (OP1_INFO() & MAY_BE_UNDEF)) {
799 opline->opcode = ZEND_CHECK_VAR;
800 opline->op2.num = 0;
801 } else if (opline->op1_type == IS_CV || !(OP1_INFO() & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
802 zend_ssa_remove_instr(ssa, opline, ssa_op);
803 removed_ops++;
804 goto optimize_nop;
805 } else {
806 opline->opcode = ZEND_FREE;
807 opline->op2.num = 0;
808 }
809 }
810 }
811 break;
812 case ZEND_JMPNZ:
813 optimize_jmpnz:
814 if (opline->op1_type == IS_CONST) {
815 if (zend_is_true(CT_CONSTANT_EX(op_array, opline->op1.constant))) {
816 opline->opcode = ZEND_JMP;
817 COPY_NODE(opline->op1, opline->op2);
818 take_successor_0(ssa, block_num, block);
819 goto optimize_jmp;
820 } else {
821 MAKE_NOP(opline);
822 removed_ops++;
823 take_successor_1(ssa, block_num, block);
824 goto optimize_nop;
825 }
826 } else if (block->successors_count == 2) {
827 if (block->successors[0] == next_block_num && can_follow) {
828 take_successor_0(ssa, block_num, block);
829 if (opline->op1_type == IS_CV && (OP1_INFO() & MAY_BE_UNDEF)) {
830 opline->opcode = ZEND_CHECK_VAR;
831 opline->op2.num = 0;
832 } else if (opline->op1_type == IS_CV || !(OP1_INFO() & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
833 zend_ssa_remove_instr(ssa, opline, ssa_op);
834 removed_ops++;
835 goto optimize_nop;
836 } else {
837 opline->opcode = ZEND_FREE;
838 opline->op2.num = 0;
839 }
840 }
841 }
842 break;
843 case ZEND_JMPZ_EX:
844 if (ssa->vars[ssa_op->result_def].use_chain < 0
845 && ssa->vars[ssa_op->result_def].phi_use_chain == NULL) {
846 opline->opcode = ZEND_JMPZ;
847 opline->result_type = IS_UNUSED;
848 zend_ssa_remove_result_def(ssa, ssa_op);
849 goto optimize_jmpz;
850 } else if (opline->op1_type == IS_CONST) {
851 if (zend_is_true(CT_CONSTANT_EX(op_array, opline->op1.constant))) {
852 opline->opcode = ZEND_BOOL;
853 take_successor_1(ssa, block_num, block);
854 }
855 }
856 break;
857 case ZEND_JMPNZ_EX:
858 if (ssa->vars[ssa_op->result_def].use_chain < 0
859 && ssa->vars[ssa_op->result_def].phi_use_chain == NULL) {
860 opline->opcode = ZEND_JMPNZ;
861 opline->result_type = IS_UNUSED;
862 zend_ssa_remove_result_def(ssa, ssa_op);
863 goto optimize_jmpnz;
864 } else if (opline->op1_type == IS_CONST) {
865 if (!zend_is_true(CT_CONSTANT_EX(op_array, opline->op1.constant))) {
866 opline->opcode = ZEND_BOOL;
867 take_successor_1(ssa, block_num, block);
868 }
869 }
870 break;
871 case ZEND_JMP_SET:
872 if (ssa->vars[ssa_op->result_def].use_chain < 0
873 && ssa->vars[ssa_op->result_def].phi_use_chain == NULL) {
874 opline->opcode = ZEND_JMPNZ;
875 opline->result_type = IS_UNUSED;
876 zend_ssa_remove_result_def(ssa, ssa_op);
877 goto optimize_jmpnz;
878 } else if (opline->op1_type == IS_CONST) {
879 if (!zend_is_true(CT_CONSTANT_EX(op_array, opline->op1.constant))) {
880 MAKE_NOP(opline);
881 removed_ops++;
882 take_successor_1(ssa, block_num, block);
883 zend_ssa_remove_result_def(ssa, ssa_op);
884 goto optimize_nop;
885 }
886 }
887 break;
888 case ZEND_COALESCE:
889 {
890 zend_ssa_var *var = &ssa->vars[ssa_op->result_def];
891 if (opline->op1_type == IS_CONST
892 && var->use_chain < 0 && var->phi_use_chain == NULL) {
893 if (Z_TYPE_P(CT_CONSTANT_EX(op_array, opline->op1.constant)) == IS_NULL) {
894 zend_ssa_remove_result_def(ssa, ssa_op);
895 MAKE_NOP(opline);
896 removed_ops++;
897 take_successor_1(ssa, block_num, block);
898 goto optimize_nop;
899 } else {
900 opline->opcode = ZEND_JMP;
901 opline->result_type = IS_UNUSED;
902 zend_ssa_remove_result_def(ssa, ssa_op);
903 COPY_NODE(opline->op1, opline->op2);
904 take_successor_0(ssa, block_num, block);
905 goto optimize_jmp;
906 }
907 }
908 break;
909 }
910 case ZEND_JMP_NULL:
911 {
912 zend_ssa_var *var = &ssa->vars[ssa_op->result_def];
913 if (opline->op1_type == IS_CONST
914 && var->use_chain < 0 && var->phi_use_chain == NULL) {
915 if (Z_TYPE_P(CT_CONSTANT_EX(op_array, opline->op1.constant)) == IS_NULL) {
916 opline->opcode = ZEND_JMP;
917 opline->result_type = IS_UNUSED;
918 zend_ssa_remove_result_def(ssa, ssa_op);
919 COPY_NODE(opline->op1, opline->op2);
920 take_successor_0(ssa, block_num, block);
921 goto optimize_jmp;
922 } else {
923 zend_ssa_remove_result_def(ssa, ssa_op);
924 MAKE_NOP(opline);
925 removed_ops++;
926 take_successor_1(ssa, block_num, block);
927 goto optimize_nop;
928 }
929 }
930 break;
931 }
932 case ZEND_SWITCH_LONG:
933 case ZEND_SWITCH_STRING:
934 case ZEND_MATCH:
935 if (opline->op1_type == IS_CONST) {
936 zval *zv = CT_CONSTANT_EX(op_array, opline->op1.constant);
937 uint8_t type = Z_TYPE_P(zv);
938 bool correct_type =
939 (opline->opcode == ZEND_SWITCH_LONG && type == IS_LONG)
940 || (opline->opcode == ZEND_SWITCH_STRING && type == IS_STRING)
941 || (opline->opcode == ZEND_MATCH && (type == IS_LONG || type == IS_STRING));
942
943 /* Switch statements have a fallback chain for loose comparison. In those
944 * cases the SWITCH_* instruction is a NOP. Match does strict comparison and
945 * thus jumps to the default branch on mismatched types, so we need to
946 * convert MATCH to a jmp. */
947 if (!correct_type && opline->opcode != ZEND_MATCH) {
948 removed_ops++;
949 MAKE_NOP(opline);
950 opline->extended_value = 0;
951 take_successor_ex(ssa, block_num, block, block->successors[block->successors_count - 1]);
952 goto optimize_nop;
953 }
954
955 uint32_t target;
956 if (correct_type) {
957 HashTable *jmptable = Z_ARRVAL_P(CT_CONSTANT_EX(op_array, opline->op2.constant));
958 zval *jmp_zv = type == IS_LONG
959 ? zend_hash_index_find(jmptable, Z_LVAL_P(zv))
960 : zend_hash_find(jmptable, Z_STR_P(zv));
961
962 if (jmp_zv) {
963 target = ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, Z_LVAL_P(jmp_zv));
964 } else {
965 target = ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, opline->extended_value);
966 }
967 } else {
968 ZEND_ASSERT(opline->opcode == ZEND_MATCH);
969 target = ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, opline->extended_value);
970 }
971 opline->opcode = ZEND_JMP;
972 opline->extended_value = 0;
973 SET_UNUSED(opline->op1);
974 ZEND_SET_OP_JMP_ADDR(opline, opline->op1, op_array->opcodes + target);
975 SET_UNUSED(opline->op2);
976 take_successor_ex(ssa, block_num, block, ssa->cfg.map[target]);
977 goto optimize_jmp;
978 }
979 break;
980 case ZEND_NOP:
981 optimize_nop:
982 compress_block(op_array, block);
983 if (block->len == 0) {
984 if (block_num > 0) {
985 zend_ssa_unlink_block(op_array, ssa, block, block_num);
986 /* backtrack to previous basic block */
987 do {
988 block_num--;
989 } while (block_num >= 0
990 && !(ssa->cfg.blocks[block_num].flags & ZEND_BB_REACHABLE));
991 if (block_num >= 0) {
992 continue;
993 }
994 }
995 }
996 break;
997 default:
998 break;
999 }
1000 }
1001
1002 block_num = next_block_num;
1003 }
1004
1005 return removed_ops;
1006 }
1007
zend_dfa_try_to_replace_result(zend_op_array * op_array,zend_ssa * ssa,int def,int cv_var)1008 static bool zend_dfa_try_to_replace_result(zend_op_array *op_array, zend_ssa *ssa, int def, int cv_var)
1009 {
1010 int result_var = ssa->ops[def].result_def;
1011 int cv = EX_NUM_TO_VAR(ssa->vars[cv_var].var);
1012
1013 if (result_var >= 0
1014 && !(ssa->var_info[cv_var].type & MAY_BE_REF)
1015 && ssa->vars[cv_var].alias == NO_ALIAS
1016 && ssa->vars[result_var].phi_use_chain == NULL
1017 && ssa->vars[result_var].sym_use_chain == NULL) {
1018 int use = ssa->vars[result_var].use_chain;
1019
1020 if (use >= 0
1021 && zend_ssa_next_use(ssa->ops, result_var, use) < 0
1022 && op_array->opcodes[use].opcode != ZEND_FREE
1023 && op_array->opcodes[use].opcode != ZEND_SEND_VAL
1024 && op_array->opcodes[use].opcode != ZEND_SEND_VAL_EX
1025 && op_array->opcodes[use].opcode != ZEND_VERIFY_RETURN_TYPE
1026 && op_array->opcodes[use].opcode != ZEND_YIELD) {
1027 if (use > def) {
1028 int i = use;
1029 const zend_op *opline = &op_array->opcodes[use];
1030
1031 while (i > def) {
1032 if ((opline->op1_type == IS_CV && opline->op1.var == cv)
1033 || (opline->op2_type == IS_CV && opline->op2.var == cv)
1034 || (opline->result_type == IS_CV && opline->result.var == cv)) {
1035 return 0;
1036 }
1037 opline--;
1038 i--;
1039 }
1040
1041 /* Update opcodes and reconstruct SSA */
1042 ssa->vars[result_var].definition = -1;
1043 ssa->vars[result_var].use_chain = -1;
1044 ssa->ops[def].result_def = -1;
1045
1046 op_array->opcodes[def].result_type = IS_UNUSED;
1047 op_array->opcodes[def].result.var = 0;
1048
1049 if (ssa->ops[use].op1_use == result_var) {
1050 ssa->ops[use].op1_use = cv_var;
1051 ssa->ops[use].op1_use_chain = ssa->vars[cv_var].use_chain;
1052 ssa->vars[cv_var].use_chain = use;
1053
1054 op_array->opcodes[use].op1_type = IS_CV;
1055 op_array->opcodes[use].op1.var = cv;
1056 } else if (ssa->ops[use].op2_use == result_var) {
1057 ssa->ops[use].op2_use = cv_var;
1058 ssa->ops[use].op2_use_chain = ssa->vars[cv_var].use_chain;
1059 ssa->vars[cv_var].use_chain = use;
1060
1061 op_array->opcodes[use].op2_type = IS_CV;
1062 op_array->opcodes[use].op2.var = cv;
1063 } else if (ssa->ops[use].result_use == result_var) {
1064 ssa->ops[use].result_use = cv_var;
1065 ssa->ops[use].res_use_chain = ssa->vars[cv_var].use_chain;
1066 ssa->vars[cv_var].use_chain = use;
1067
1068 op_array->opcodes[use].result_type = IS_CV;
1069 op_array->opcodes[use].result.var = cv;
1070 }
1071
1072 return 1;
1073 }
1074 }
1075 }
1076
1077 return 0;
1078 }
1079
zend_dfa_optimize_op_array(zend_op_array * op_array,zend_optimizer_ctx * ctx,zend_ssa * ssa,zend_call_info ** call_map)1080 void zend_dfa_optimize_op_array(zend_op_array *op_array, zend_optimizer_ctx *ctx, zend_ssa *ssa, zend_call_info **call_map)
1081 {
1082 if (ctx->debug_level & ZEND_DUMP_BEFORE_DFA_PASS) {
1083 zend_dump_op_array(op_array, ZEND_DUMP_SSA, "before dfa pass", ssa);
1084 }
1085
1086 if (ssa->var_info) {
1087 int op_1;
1088 int v;
1089 int remove_nops = 0;
1090 zend_op *opline;
1091 zend_ssa_op *ssa_op;
1092 zval tmp;
1093
1094 #if ZEND_DEBUG_DFA
1095 ssa_verify_integrity(op_array, ssa, "before dfa");
1096 #endif
1097
1098 if (ZEND_OPTIMIZER_PASS_8 & ctx->optimization_level) {
1099 if (sccp_optimize_op_array(ctx, op_array, ssa, call_map)) {
1100 remove_nops = 1;
1101 }
1102
1103 if (zend_dfa_optimize_jmps(op_array, ssa)) {
1104 remove_nops = 1;
1105 }
1106
1107 #if ZEND_DEBUG_DFA
1108 ssa_verify_integrity(op_array, ssa, "after sccp");
1109 #endif
1110 if (ZEND_FUNC_INFO(op_array)) {
1111 if (zend_dfa_optimize_calls(op_array, ssa)) {
1112 remove_nops = 1;
1113 }
1114 }
1115 if (ctx->debug_level & ZEND_DUMP_AFTER_PASS_8) {
1116 zend_dump_op_array(op_array, ZEND_DUMP_SSA, "after sccp pass", ssa);
1117 }
1118 #if ZEND_DEBUG_DFA
1119 ssa_verify_integrity(op_array, ssa, "after calls");
1120 #endif
1121 }
1122
1123 if (ZEND_OPTIMIZER_PASS_14 & ctx->optimization_level) {
1124 if (dce_optimize_op_array(op_array, ctx, ssa, 0)) {
1125 remove_nops = 1;
1126 }
1127 if (zend_dfa_optimize_jmps(op_array, ssa)) {
1128 remove_nops = 1;
1129 }
1130 if (ctx->debug_level & ZEND_DUMP_AFTER_PASS_14) {
1131 zend_dump_op_array(op_array, ZEND_DUMP_SSA, "after dce pass", ssa);
1132 }
1133 #if ZEND_DEBUG_DFA
1134 ssa_verify_integrity(op_array, ssa, "after dce");
1135 #endif
1136 }
1137
1138 for (v = op_array->last_var; v < ssa->vars_count; v++) {
1139
1140 op_1 = ssa->vars[v].definition;
1141
1142 if (op_1 < 0) {
1143 continue;
1144 }
1145
1146 opline = op_array->opcodes + op_1;
1147 ssa_op = &ssa->ops[op_1];
1148
1149 /* Convert LONG constants to DOUBLE */
1150 if (ssa->var_info[v].use_as_double) {
1151 if (opline->opcode == ZEND_ASSIGN
1152 && opline->op2_type == IS_CONST
1153 && ssa->ops[op_1].op1_def == v
1154 && !RETURN_VALUE_USED(opline)
1155 ) {
1156
1157 // op_1: ASSIGN ? -> #v [use_as_double], long(?) => ASSIGN ? -> #v, double(?)
1158
1159 zval *zv = CT_CONSTANT_EX(op_array, opline->op2.constant);
1160 ZEND_ASSERT(Z_TYPE_INFO_P(zv) == IS_LONG);
1161 ZVAL_DOUBLE(&tmp, zval_get_double(zv));
1162 opline->op2.constant = zend_optimizer_add_literal(op_array, &tmp);
1163
1164 } else if (opline->opcode == ZEND_QM_ASSIGN
1165 && opline->op1_type == IS_CONST
1166 ) {
1167
1168 // op_1: QM_ASSIGN #v [use_as_double], long(?) => QM_ASSIGN #v, double(?)
1169
1170 zval *zv = CT_CONSTANT_EX(op_array, opline->op1.constant);
1171 ZEND_ASSERT(Z_TYPE_INFO_P(zv) == IS_LONG);
1172 ZVAL_DOUBLE(&tmp, zval_get_double(zv));
1173 opline->op1.constant = zend_optimizer_add_literal(op_array, &tmp);
1174 }
1175
1176 } else {
1177 if (opline->opcode == ZEND_ADD
1178 || opline->opcode == ZEND_SUB
1179 || opline->opcode == ZEND_MUL
1180 || opline->opcode == ZEND_IS_EQUAL
1181 || opline->opcode == ZEND_IS_NOT_EQUAL
1182 || opline->opcode == ZEND_IS_SMALLER
1183 || opline->opcode == ZEND_IS_SMALLER_OR_EQUAL
1184 ) {
1185
1186 if (opline->op1_type == IS_CONST && opline->op2_type != IS_CONST) {
1187 zval *zv = CT_CONSTANT_EX(op_array, opline->op1.constant);
1188
1189 if ((OP2_INFO() & MAY_BE_ANY) == MAY_BE_DOUBLE
1190 && Z_TYPE_INFO_P(zv) == IS_LONG) {
1191
1192 // op_1: #v.? = ADD long(?), #?.? [double] => #v.? = ADD double(?), #?.? [double]
1193
1194 ZVAL_DOUBLE(&tmp, zval_get_double(zv));
1195 opline->op1.constant = zend_optimizer_add_literal(op_array, &tmp);
1196 zv = CT_CONSTANT_EX(op_array, opline->op1.constant);
1197 }
1198 if (opline->opcode == ZEND_ADD) {
1199 zv = CT_CONSTANT_EX(op_array, opline->op1.constant);
1200
1201 if (((OP2_INFO() & (MAY_BE_ANY|MAY_BE_UNDEF)) == MAY_BE_LONG
1202 && Z_TYPE_INFO_P(zv) == IS_LONG
1203 && Z_LVAL_P(zv) == 0)
1204 || ((OP2_INFO() & (MAY_BE_ANY|MAY_BE_UNDEF)) == MAY_BE_DOUBLE
1205 && Z_TYPE_INFO_P(zv) == IS_DOUBLE
1206 && Z_DVAL_P(zv) == 0.0)) {
1207
1208 // op_1: #v.? = ADD 0, #?.? [double,long] => #v.? = QM_ASSIGN #?.?
1209
1210 opline->opcode = ZEND_QM_ASSIGN;
1211 opline->op1_type = opline->op2_type;
1212 opline->op1.var = opline->op2.var;
1213 opline->op2_type = IS_UNUSED;
1214 opline->op2.num = 0;
1215 ssa->ops[op_1].op1_use = ssa->ops[op_1].op2_use;
1216 ssa->ops[op_1].op1_use_chain = ssa->ops[op_1].op2_use_chain;
1217 ssa->ops[op_1].op2_use = -1;
1218 ssa->ops[op_1].op2_use_chain = -1;
1219 }
1220 } else if (opline->opcode == ZEND_MUL
1221 && (OP2_INFO() & ((MAY_BE_ANY|MAY_BE_UNDEF)-(MAY_BE_LONG|MAY_BE_DOUBLE))) == 0) {
1222 zv = CT_CONSTANT_EX(op_array, opline->op1.constant);
1223
1224 if ((Z_TYPE_INFO_P(zv) == IS_LONG
1225 && Z_LVAL_P(zv) == 2)
1226 || (Z_TYPE_INFO_P(zv) == IS_DOUBLE
1227 && Z_DVAL_P(zv) == 2.0
1228 && !(OP2_INFO() & MAY_BE_LONG))) {
1229
1230 // op_1: #v.? = MUL 2, #x.? [double,long] => #v.? = ADD #x.?, #x.?
1231
1232 opline->opcode = ZEND_ADD;
1233 opline->op1_type = opline->op2_type;
1234 opline->op1.var = opline->op2.var;
1235 ssa->ops[op_1].op1_use = ssa->ops[op_1].op2_use;
1236 ssa->ops[op_1].op1_use_chain = ssa->ops[op_1].op2_use_chain;
1237 }
1238 }
1239 } else if (opline->op1_type != IS_CONST && opline->op2_type == IS_CONST) {
1240 zval *zv = CT_CONSTANT_EX(op_array, opline->op2.constant);
1241
1242 if ((OP1_INFO() & MAY_BE_ANY) == MAY_BE_DOUBLE
1243 && Z_TYPE_INFO_P(CT_CONSTANT_EX(op_array, opline->op2.constant)) == IS_LONG) {
1244
1245 // op_1: #v.? = ADD #?.? [double], long(?) => #v.? = ADD #?.? [double], double(?)
1246
1247 ZVAL_DOUBLE(&tmp, zval_get_double(zv));
1248 opline->op2.constant = zend_optimizer_add_literal(op_array, &tmp);
1249 zv = CT_CONSTANT_EX(op_array, opline->op2.constant);
1250 }
1251 if (opline->opcode == ZEND_ADD || opline->opcode == ZEND_SUB) {
1252 if (((OP1_INFO() & (MAY_BE_ANY|MAY_BE_UNDEF)) == MAY_BE_LONG
1253 && Z_TYPE_INFO_P(zv) == IS_LONG
1254 && Z_LVAL_P(zv) == 0)
1255 || ((OP1_INFO() & (MAY_BE_ANY|MAY_BE_UNDEF)) == MAY_BE_DOUBLE
1256 && Z_TYPE_INFO_P(zv) == IS_DOUBLE
1257 && Z_DVAL_P(zv) == 0.0)) {
1258
1259 // op_1: #v.? = ADD #?.? [double,long], 0 => #v.? = QM_ASSIGN #?.?
1260
1261 opline->opcode = ZEND_QM_ASSIGN;
1262 opline->op2_type = IS_UNUSED;
1263 opline->op2.num = 0;
1264 }
1265 } else if (opline->opcode == ZEND_MUL
1266 && (OP1_INFO() & ((MAY_BE_ANY|MAY_BE_UNDEF)-(MAY_BE_LONG|MAY_BE_DOUBLE))) == 0) {
1267 zv = CT_CONSTANT_EX(op_array, opline->op2.constant);
1268
1269 if ((Z_TYPE_INFO_P(zv) == IS_LONG
1270 && Z_LVAL_P(zv) == 2)
1271 || (Z_TYPE_INFO_P(zv) == IS_DOUBLE
1272 && Z_DVAL_P(zv) == 2.0
1273 && !(OP1_INFO() & MAY_BE_LONG))) {
1274
1275 // op_1: #v.? = MUL #x.? [double,long], 2 => #v.? = ADD #x.?, #x.?
1276
1277 opline->opcode = ZEND_ADD;
1278 opline->op2_type = opline->op1_type;
1279 opline->op2.var = opline->op1.var;
1280 ssa->ops[op_1].op2_use = ssa->ops[op_1].op1_use;
1281 ssa->ops[op_1].op2_use_chain = ssa->ops[op_1].op1_use_chain;
1282 }
1283 }
1284 }
1285 } else if (opline->opcode == ZEND_CONCAT) {
1286 if (!(OP1_INFO() & MAY_BE_OBJECT)
1287 && !(OP2_INFO() & MAY_BE_OBJECT)) {
1288 opline->opcode = ZEND_FAST_CONCAT;
1289 }
1290 } else if (opline->opcode == ZEND_VERIFY_RETURN_TYPE
1291 && opline->op1_type != IS_CONST
1292 && ssa->ops[op_1].op1_def == v
1293 && ssa->ops[op_1].op1_use >= 0) {
1294 int orig_var = ssa->ops[op_1].op1_use;
1295 int ret = ssa->vars[v].use_chain;
1296
1297 if (ssa->ops[op_1].op1_use_chain == -1
1298 && can_elide_return_type_check(ctx->script, op_array, ssa, &ssa->ops[op_1])) {
1299
1300 // op_1: VERIFY_RETURN_TYPE #orig_var.? [T] -> #v.? [T] => NOP
1301
1302 zend_ssa_unlink_use_chain(ssa, op_1, orig_var);
1303
1304 if (ret >= 0) {
1305 ssa->ops[ret].op1_use = orig_var;
1306 ssa->ops[ret].op1_use_chain = ssa->vars[orig_var].use_chain;
1307 ssa->vars[orig_var].use_chain = ret;
1308 }
1309
1310 ssa->vars[v].definition = -1;
1311 ssa->vars[v].use_chain = -1;
1312
1313 ssa->ops[op_1].op1_def = -1;
1314 ssa->ops[op_1].op1_use = -1;
1315
1316 MAKE_NOP(opline);
1317 remove_nops = 1;
1318 } else if (ret >= 0
1319 && ssa->ops[ret].op1_use == v
1320 && ssa->ops[ret].op1_use_chain == -1
1321 && can_elide_return_type_check(ctx->script, op_array, ssa, &ssa->ops[op_1])) {
1322
1323 // op_1: VERIFY_RETURN_TYPE #orig_var.? [T] -> #v.? [T] => NOP
1324
1325 zend_ssa_replace_use_chain(ssa, op_1, ret, orig_var);
1326
1327 ssa->ops[ret].op1_use = orig_var;
1328 ssa->ops[ret].op1_use_chain = ssa->ops[op_1].op1_use_chain;
1329
1330 ssa->vars[v].definition = -1;
1331 ssa->vars[v].use_chain = -1;
1332
1333 ssa->ops[op_1].op1_def = -1;
1334 ssa->ops[op_1].op1_use = -1;
1335
1336 MAKE_NOP(opline);
1337 remove_nops = 1;
1338 }
1339 }
1340 }
1341
1342 if (opline->opcode == ZEND_QM_ASSIGN
1343 && ssa->ops[op_1].result_def == v
1344 && opline->op1_type & (IS_TMP_VAR|IS_VAR)
1345 && !(ssa->var_info[v].type & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))
1346 ) {
1347
1348 int src_var = ssa->ops[op_1].op1_use;
1349
1350 if (src_var >= 0
1351 && !(ssa->var_info[src_var].type & MAY_BE_REF)
1352 && (ssa->var_info[src_var].type & (MAY_BE_UNDEF|MAY_BE_ANY))
1353 && ssa->vars[src_var].definition >= 0
1354 && ssa->ops[ssa->vars[src_var].definition].result_def == src_var
1355 && ssa->ops[ssa->vars[src_var].definition].result_use < 0
1356 && ssa->vars[src_var].use_chain == op_1
1357 && ssa->ops[op_1].op1_use_chain < 0
1358 && !ssa->vars[src_var].phi_use_chain
1359 && !ssa->vars[src_var].sym_use_chain
1360 && opline_supports_assign_contraction(
1361 op_array, ssa, &op_array->opcodes[ssa->vars[src_var].definition],
1362 src_var, opline->result.var)
1363 && !variable_defined_or_used_in_range(ssa, EX_VAR_TO_NUM(opline->result.var),
1364 ssa->vars[src_var].definition+1, op_1)
1365 ) {
1366
1367 int orig_var = ssa->ops[op_1].result_use;
1368 int op_2 = ssa->vars[src_var].definition;
1369
1370 // op_2: #src_var.T = OP ... => #v.CV = OP ...
1371 // op_1: QM_ASSIGN #src_var.T #orig_var.CV [undef,scalar] -> #v.CV, NOP
1372
1373 if (orig_var >= 0) {
1374 zend_ssa_unlink_use_chain(ssa, op_1, orig_var);
1375 }
1376
1377 /* Reconstruct SSA */
1378 ssa->vars[v].definition = op_2;
1379 ssa->ops[op_2].result_def = v;
1380
1381 ssa->vars[src_var].definition = -1;
1382 ssa->vars[src_var].use_chain = -1;
1383
1384 ssa->ops[op_1].op1_use = -1;
1385 ssa->ops[op_1].op1_def = -1;
1386 ssa->ops[op_1].op1_use_chain = -1;
1387 ssa->ops[op_1].result_use = -1;
1388 ssa->ops[op_1].result_def = -1;
1389 ssa->ops[op_1].res_use_chain = -1;
1390
1391 /* Update opcodes */
1392 op_array->opcodes[op_2].result_type = opline->result_type;
1393 op_array->opcodes[op_2].result.var = opline->result.var;
1394
1395 MAKE_NOP(opline);
1396 remove_nops = 1;
1397
1398 if (op_array->opcodes[op_2].opcode == ZEND_SUB
1399 && op_array->opcodes[op_2].op1_type == op_array->opcodes[op_2].result_type
1400 && op_array->opcodes[op_2].op1.var == op_array->opcodes[op_2].result.var
1401 && op_array->opcodes[op_2].op2_type == IS_CONST
1402 && Z_TYPE_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == IS_LONG
1403 && Z_LVAL_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == 1
1404 && ssa->ops[op_2].op1_use >= 0
1405 && !(ssa->var_info[ssa->ops[op_2].op1_use].type & (MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1406
1407 op_array->opcodes[op_2].opcode = ZEND_PRE_DEC;
1408 SET_UNUSED(op_array->opcodes[op_2].op2);
1409 SET_UNUSED(op_array->opcodes[op_2].result);
1410
1411 ssa->ops[op_2].result_def = -1;
1412 ssa->ops[op_2].op1_def = v;
1413
1414 } else if (op_array->opcodes[op_2].opcode == ZEND_ADD
1415 && op_array->opcodes[op_2].op1_type == op_array->opcodes[op_2].result_type
1416 && op_array->opcodes[op_2].op1.var == op_array->opcodes[op_2].result.var
1417 && op_array->opcodes[op_2].op2_type == IS_CONST
1418 && Z_TYPE_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == IS_LONG
1419 && Z_LVAL_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == 1
1420 && ssa->ops[op_2].op1_use >= 0
1421 && !(ssa->var_info[ssa->ops[op_2].op1_use].type & (MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1422
1423 op_array->opcodes[op_2].opcode = ZEND_PRE_INC;
1424 SET_UNUSED(op_array->opcodes[op_2].op2);
1425 SET_UNUSED(op_array->opcodes[op_2].result);
1426
1427 ssa->ops[op_2].result_def = -1;
1428 ssa->ops[op_2].op1_def = v;
1429
1430 } else if (op_array->opcodes[op_2].opcode == ZEND_ADD
1431 && op_array->opcodes[op_2].op2_type == op_array->opcodes[op_2].result_type
1432 && op_array->opcodes[op_2].op2.var == op_array->opcodes[op_2].result.var
1433 && op_array->opcodes[op_2].op1_type == IS_CONST
1434 && Z_TYPE_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op1.constant)) == IS_LONG
1435 && Z_LVAL_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op1.constant)) == 1
1436 && ssa->ops[op_2].op2_use >= 0
1437 && !(ssa->var_info[ssa->ops[op_2].op2_use].type & (MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1438
1439 op_array->opcodes[op_2].opcode = ZEND_PRE_INC;
1440 op_array->opcodes[op_2].op1_type = op_array->opcodes[op_2].op2_type;
1441 op_array->opcodes[op_2].op1.var = op_array->opcodes[op_2].op2.var;
1442 SET_UNUSED(op_array->opcodes[op_2].op2);
1443 SET_UNUSED(op_array->opcodes[op_2].result);
1444
1445 ssa->ops[op_2].result_def = -1;
1446 ssa->ops[op_2].op1_def = v;
1447 ssa->ops[op_2].op1_use = ssa->ops[op_2].op2_use;
1448 ssa->ops[op_2].op1_use_chain = ssa->ops[op_2].op2_use_chain;
1449 ssa->ops[op_2].op2_use = -1;
1450 ssa->ops[op_2].op2_use_chain = -1;
1451 }
1452 }
1453 }
1454
1455 if (ssa->vars[v].var >= op_array->last_var) {
1456 /* skip TMP and VAR */
1457 continue;
1458 }
1459
1460 if (ssa->ops[op_1].op1_def == v
1461 && RETURN_VALUE_USED(opline)) {
1462 if (opline->opcode == ZEND_ASSIGN
1463 || opline->opcode == ZEND_ASSIGN_OP
1464 || opline->opcode == ZEND_PRE_INC
1465 || opline->opcode == ZEND_PRE_DEC) {
1466 zend_dfa_try_to_replace_result(op_array, ssa, op_1, v);
1467 } else if (opline->opcode == ZEND_POST_INC) {
1468 int result_var = ssa->ops[op_1].result_def;
1469
1470 if (result_var >= 0
1471 && (ssa->var_info[result_var].type & ((MAY_BE_ANY|MAY_BE_REF|MAY_BE_UNDEF) - (MAY_BE_LONG|MAY_BE_DOUBLE))) == 0) {
1472 int use = ssa->vars[result_var].use_chain;
1473
1474 if (use >= 0 && op_array->opcodes[use].opcode == ZEND_IS_SMALLER
1475 && ssa->ops[use].op1_use == result_var
1476 && zend_dfa_try_to_replace_result(op_array, ssa, op_1, v)) {
1477 opline->opcode = ZEND_PRE_INC;
1478 op_array->opcodes[use].opcode = ZEND_IS_SMALLER_OR_EQUAL;
1479 }
1480 }
1481 } else if (opline->opcode == ZEND_POST_DEC) {
1482 int result_var = ssa->ops[op_1].result_def;
1483
1484 if (result_var >= 0
1485 && (ssa->var_info[result_var].type & ((MAY_BE_ANY|MAY_BE_REF|MAY_BE_UNDEF) - (MAY_BE_LONG|MAY_BE_DOUBLE))) == 0) {
1486 int use = ssa->vars[result_var].use_chain;
1487
1488 if (use >= 0 && op_array->opcodes[use].opcode == ZEND_IS_SMALLER
1489 && ssa->ops[use].op2_use == result_var
1490 && zend_dfa_try_to_replace_result(op_array, ssa, op_1, v)) {
1491 opline->opcode = ZEND_PRE_DEC;
1492 op_array->opcodes[use].opcode = ZEND_IS_SMALLER_OR_EQUAL;
1493 }
1494 }
1495 }
1496 }
1497
1498 if (opline->opcode == ZEND_ASSIGN
1499 && ssa->ops[op_1].op1_def == v
1500 && !RETURN_VALUE_USED(opline)
1501 ) {
1502 int orig_var = ssa->ops[op_1].op1_use;
1503
1504 if (orig_var >= 0
1505 && !(ssa->var_info[orig_var].type & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))
1506 ) {
1507 int src_var = ssa->ops[op_1].op2_use;
1508
1509 if ((opline->op2_type & (IS_TMP_VAR|IS_VAR))
1510 && src_var >= 0
1511 && !(ssa->var_info[src_var].type & MAY_BE_REF)
1512 && (ssa->var_info[src_var].type & (MAY_BE_UNDEF|MAY_BE_ANY))
1513 && ssa->vars[src_var].definition >= 0
1514 && ssa->ops[ssa->vars[src_var].definition].result_def == src_var
1515 && ssa->ops[ssa->vars[src_var].definition].result_use < 0
1516 && ssa->vars[src_var].use_chain == op_1
1517 && ssa->ops[op_1].op2_use_chain < 0
1518 && !ssa->vars[src_var].phi_use_chain
1519 && !ssa->vars[src_var].sym_use_chain
1520 && opline_supports_assign_contraction(
1521 op_array, ssa, &op_array->opcodes[ssa->vars[src_var].definition],
1522 src_var, opline->op1.var)
1523 && !variable_defined_or_used_in_range(ssa, EX_VAR_TO_NUM(opline->op1.var),
1524 ssa->vars[src_var].definition+1, op_1)
1525 ) {
1526
1527 int op_2 = ssa->vars[src_var].definition;
1528
1529 // op_2: #src_var.T = OP ... => #v.CV = OP ...
1530 // op_1: ASSIGN #orig_var.CV [undef,scalar] -> #v.CV, #src_var.T NOP
1531
1532 zend_ssa_unlink_use_chain(ssa, op_1, orig_var);
1533 /* Reconstruct SSA */
1534 ssa->vars[v].definition = op_2;
1535 ssa->ops[op_2].result_def = v;
1536
1537 ssa->vars[src_var].definition = -1;
1538 ssa->vars[src_var].use_chain = -1;
1539
1540 ssa->ops[op_1].op1_use = -1;
1541 ssa->ops[op_1].op2_use = -1;
1542 ssa->ops[op_1].op1_def = -1;
1543 ssa->ops[op_1].op1_use_chain = -1;
1544
1545 /* Update opcodes */
1546 op_array->opcodes[op_2].result_type = opline->op1_type;
1547 op_array->opcodes[op_2].result.var = opline->op1.var;
1548
1549 MAKE_NOP(opline);
1550 remove_nops = 1;
1551
1552 if (op_array->opcodes[op_2].opcode == ZEND_SUB
1553 && op_array->opcodes[op_2].op1_type == op_array->opcodes[op_2].result_type
1554 && op_array->opcodes[op_2].op1.var == op_array->opcodes[op_2].result.var
1555 && op_array->opcodes[op_2].op2_type == IS_CONST
1556 && Z_TYPE_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == IS_LONG
1557 && Z_LVAL_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == 1
1558 && ssa->ops[op_2].op1_use >= 0
1559 && !(ssa->var_info[ssa->ops[op_2].op1_use].type & (MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1560
1561 op_array->opcodes[op_2].opcode = ZEND_PRE_DEC;
1562 SET_UNUSED(op_array->opcodes[op_2].op2);
1563 SET_UNUSED(op_array->opcodes[op_2].result);
1564
1565 ssa->ops[op_2].result_def = -1;
1566 ssa->ops[op_2].op1_def = v;
1567
1568 } else if (op_array->opcodes[op_2].opcode == ZEND_ADD
1569 && op_array->opcodes[op_2].op1_type == op_array->opcodes[op_2].result_type
1570 && op_array->opcodes[op_2].op1.var == op_array->opcodes[op_2].result.var
1571 && op_array->opcodes[op_2].op2_type == IS_CONST
1572 && Z_TYPE_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == IS_LONG
1573 && Z_LVAL_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == 1
1574 && ssa->ops[op_2].op1_use >= 0
1575 && !(ssa->var_info[ssa->ops[op_2].op1_use].type & (MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1576
1577 op_array->opcodes[op_2].opcode = ZEND_PRE_INC;
1578 SET_UNUSED(op_array->opcodes[op_2].op2);
1579 SET_UNUSED(op_array->opcodes[op_2].result);
1580
1581 ssa->ops[op_2].result_def = -1;
1582 ssa->ops[op_2].op1_def = v;
1583
1584 } else if (op_array->opcodes[op_2].opcode == ZEND_ADD
1585 && op_array->opcodes[op_2].op2_type == op_array->opcodes[op_2].result_type
1586 && op_array->opcodes[op_2].op2.var == op_array->opcodes[op_2].result.var
1587 && op_array->opcodes[op_2].op1_type == IS_CONST
1588 && Z_TYPE_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op1.constant)) == IS_LONG
1589 && Z_LVAL_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op1.constant)) == 1
1590 && ssa->ops[op_2].op2_use >= 0
1591 && !(ssa->var_info[ssa->ops[op_2].op2_use].type & (MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1592
1593 op_array->opcodes[op_2].opcode = ZEND_PRE_INC;
1594 op_array->opcodes[op_2].op1_type = op_array->opcodes[op_2].op2_type;
1595 op_array->opcodes[op_2].op1.var = op_array->opcodes[op_2].op2.var;
1596 SET_UNUSED(op_array->opcodes[op_2].op2);
1597 SET_UNUSED(op_array->opcodes[op_2].result);
1598
1599 ssa->ops[op_2].result_def = -1;
1600 ssa->ops[op_2].op1_def = v;
1601 ssa->ops[op_2].op1_use = ssa->ops[op_2].op2_use;
1602 ssa->ops[op_2].op1_use_chain = ssa->ops[op_2].op2_use_chain;
1603 ssa->ops[op_2].op2_use = -1;
1604 ssa->ops[op_2].op2_use_chain = -1;
1605 }
1606 } else if (opline->op2_type == IS_CONST
1607 || ((opline->op2_type & (IS_TMP_VAR|IS_VAR|IS_CV))
1608 && ssa->ops[op_1].op2_use >= 0
1609 && ssa->ops[op_1].op2_def < 0)
1610 ) {
1611
1612 // op_1: ASSIGN #orig_var.CV [undef,scalar] -> #v.CV, CONST|TMPVAR => QM_ASSIGN v.CV, CONST|TMPVAR
1613
1614 if (ssa->ops[op_1].op1_use != ssa->ops[op_1].op2_use) {
1615 zend_ssa_unlink_use_chain(ssa, op_1, orig_var);
1616 } else {
1617 ssa->ops[op_1].op2_use_chain = ssa->ops[op_1].op1_use_chain;
1618 }
1619
1620 /* Reconstruct SSA */
1621 ssa->ops[op_1].result_def = v;
1622 ssa->ops[op_1].op1_def = -1;
1623 ssa->ops[op_1].op1_use = ssa->ops[op_1].op2_use;
1624 ssa->ops[op_1].op1_use_chain = ssa->ops[op_1].op2_use_chain;
1625 ssa->ops[op_1].op2_use = -1;
1626 ssa->ops[op_1].op2_use_chain = -1;
1627
1628 /* Update opcode */
1629 opline->result_type = opline->op1_type;
1630 opline->result.var = opline->op1.var;
1631 opline->op1_type = opline->op2_type;
1632 opline->op1.var = opline->op2.var;
1633 opline->op2_type = IS_UNUSED;
1634 opline->op2.var = 0;
1635 opline->opcode = ZEND_QM_ASSIGN;
1636 }
1637 }
1638
1639 } else if (opline->opcode == ZEND_ASSIGN_OP
1640 && opline->extended_value == ZEND_ADD
1641 && ssa->ops[op_1].op1_def == v
1642 && opline->op2_type == IS_CONST
1643 && Z_TYPE_P(CT_CONSTANT_EX(op_array, opline->op2.constant)) == IS_LONG
1644 && Z_LVAL_P(CT_CONSTANT_EX(op_array, opline->op2.constant)) == 1
1645 && ssa->ops[op_1].op1_use >= 0
1646 && !(ssa->var_info[ssa->ops[op_1].op1_use].type & (MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1647
1648 // op_1: ASSIGN_ADD #?.CV [undef,null,int,foat] ->#v.CV, int(1) => PRE_INC #?.CV ->#v.CV
1649
1650 opline->opcode = ZEND_PRE_INC;
1651 opline->extended_value = 0;
1652 SET_UNUSED(opline->op2);
1653
1654 } else if (opline->opcode == ZEND_ASSIGN_OP
1655 && opline->extended_value == ZEND_SUB
1656 && ssa->ops[op_1].op1_def == v
1657 && opline->op2_type == IS_CONST
1658 && Z_TYPE_P(CT_CONSTANT_EX(op_array, opline->op2.constant)) == IS_LONG
1659 && Z_LVAL_P(CT_CONSTANT_EX(op_array, opline->op2.constant)) == 1
1660 && ssa->ops[op_1].op1_use >= 0
1661 && !(ssa->var_info[ssa->ops[op_1].op1_use].type & (MAY_BE_UNDEF|MAY_BE_NULL|MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1662
1663 // op_1: ASSIGN_SUB #?.CV [undef,null,int,foat] -> #v.CV, int(1) => PRE_DEC #?.CV ->#v.CV
1664
1665 opline->opcode = ZEND_PRE_DEC;
1666 opline->extended_value = 0;
1667 SET_UNUSED(opline->op2);
1668
1669 } else if (ssa->ops[op_1].op1_def == v
1670 && !RETURN_VALUE_USED(opline)
1671 && ssa->ops[op_1].op1_use >= 0
1672 && !(ssa->var_info[ssa->ops[op_1].op1_use].type & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))
1673 && opline->opcode == ZEND_ASSIGN_OP
1674 && opline->extended_value != ZEND_CONCAT) {
1675
1676 // op_1: ASSIGN_OP #orig_var.CV [undef,null,bool,int,double] -> #v.CV, ? => #v.CV = ADD #orig_var.CV, ?
1677
1678 /* Reconstruct SSA */
1679 ssa->ops[op_1].result_def = ssa->ops[op_1].op1_def;
1680 ssa->ops[op_1].op1_def = -1;
1681
1682 /* Update opcode */
1683 opline->opcode = opline->extended_value;
1684 opline->extended_value = 0;
1685 opline->result_type = opline->op1_type;
1686 opline->result.var = opline->op1.var;
1687
1688 }
1689 }
1690
1691 #if ZEND_DEBUG_DFA
1692 ssa_verify_integrity(op_array, ssa, "after dfa");
1693 #endif
1694
1695 if (remove_nops) {
1696 zend_ssa_remove_nops(op_array, ssa, ctx);
1697 #if ZEND_DEBUG_DFA
1698 ssa_verify_integrity(op_array, ssa, "after nop");
1699 #endif
1700 }
1701 }
1702
1703 if (ctx->debug_level & ZEND_DUMP_AFTER_DFA_PASS) {
1704 zend_dump_op_array(op_array, ZEND_DUMP_SSA, "after dfa pass", ssa);
1705 }
1706 }
1707
zend_optimize_dfa(zend_op_array * op_array,zend_optimizer_ctx * ctx)1708 void zend_optimize_dfa(zend_op_array *op_array, zend_optimizer_ctx *ctx)
1709 {
1710 void *checkpoint = zend_arena_checkpoint(ctx->arena);
1711 zend_ssa ssa;
1712
1713 if (zend_dfa_analyze_op_array(op_array, ctx, &ssa) == FAILURE) {
1714 zend_arena_release(&ctx->arena, checkpoint);
1715 return;
1716 }
1717
1718 zend_dfa_optimize_op_array(op_array, ctx, &ssa, NULL);
1719
1720 /* Destroy SSA */
1721 zend_arena_release(&ctx->arena, checkpoint);
1722 }
1723
