1 /*
2 +----------------------------------------------------------------------+
3 | Zend OPcache |
4 +----------------------------------------------------------------------+
5 | Copyright (c) The PHP Group |
6 +----------------------------------------------------------------------+
7 | This source file is subject to version 3.01 of the PHP license, |
8 | that is bundled with this package in the file LICENSE, and is |
9 | available through the world-wide-web at the following url: |
10 | https://www.php.net/license/3_01.txt |
11 | If you did not receive a copy of the PHP license and are unable to |
12 | obtain it through the world-wide-web, please send a note to |
13 | license@php.net so we can mail you a copy immediately. |
14 +----------------------------------------------------------------------+
15 | Authors: Dmitry Stogov <dmitry@php.net> |
16 +----------------------------------------------------------------------+
17 */
18
19 #include "Optimizer/zend_optimizer.h"
20 #include "Optimizer/zend_optimizer_internal.h"
21 #include "zend_API.h"
22 #include "zend_constants.h"
23 #include "zend_execute.h"
24 #include "zend_vm.h"
25 #include "zend_bitset.h"
26 #include "zend_cfg.h"
27 #include "zend_ssa.h"
28 #include "zend_func_info.h"
29 #include "zend_call_graph.h"
30 #include "zend_inference.h"
31 #include "zend_dump.h"
32
33 #ifndef ZEND_DEBUG_DFA
34 # define ZEND_DEBUG_DFA ZEND_DEBUG
35 #endif
36
37 #if ZEND_DEBUG_DFA
38 # include "ssa_integrity.c"
39 #endif
40
zend_dfa_analyze_op_array(zend_op_array * op_array,zend_optimizer_ctx * ctx,zend_ssa * ssa)41 zend_result zend_dfa_analyze_op_array(zend_op_array *op_array, zend_optimizer_ctx *ctx, zend_ssa *ssa)
42 {
43 uint32_t build_flags;
44
45 if (op_array->last_try_catch) {
46 /* TODO: we can't analyze functions with try/catch/finally ??? */
47 return FAILURE;
48 }
49
50 /* Build SSA */
51 memset(ssa, 0, sizeof(zend_ssa));
52
53 zend_build_cfg(&ctx->arena, op_array, ZEND_CFG_NO_ENTRY_PREDECESSORS, &ssa->cfg);
54
55 if ((ssa->cfg.flags & ZEND_FUNC_INDIRECT_VAR_ACCESS)) {
56 /* TODO: we can't analyze functions with indirect variable access ??? */
57 return FAILURE;
58 }
59
60 zend_cfg_build_predecessors(&ctx->arena, &ssa->cfg);
61
62 if (ctx->debug_level & ZEND_DUMP_DFA_CFG) {
63 zend_dump_op_array(op_array, ZEND_DUMP_CFG, "dfa cfg", &ssa->cfg);
64 }
65
66 /* Compute Dominators Tree */
67 zend_cfg_compute_dominators_tree(op_array, &ssa->cfg);
68
69 /* Identify reducible and irreducible loops */
70 zend_cfg_identify_loops(op_array, &ssa->cfg);
71
72 if (ctx->debug_level & ZEND_DUMP_DFA_DOMINATORS) {
73 zend_dump_dominators(op_array, &ssa->cfg);
74 }
75
76 build_flags = 0;
77 if (ctx->debug_level & ZEND_DUMP_DFA_LIVENESS) {
78 build_flags |= ZEND_SSA_DEBUG_LIVENESS;
79 }
80 if (ctx->debug_level & ZEND_DUMP_DFA_PHI) {
81 build_flags |= ZEND_SSA_DEBUG_PHI_PLACEMENT;
82 }
83 if (zend_build_ssa(&ctx->arena, ctx->script, op_array, build_flags, ssa) == FAILURE) {
84 return FAILURE;
85 }
86
87 if (ctx->debug_level & ZEND_DUMP_DFA_SSA) {
88 zend_dump_op_array(op_array, ZEND_DUMP_SSA, "dfa ssa", ssa);
89 }
90
91
92 zend_ssa_compute_use_def_chains(&ctx->arena, op_array, ssa);
93
94 zend_ssa_find_false_dependencies(op_array, ssa);
95
96 zend_ssa_find_sccs(op_array, ssa);
97
98 if (zend_ssa_inference(&ctx->arena, op_array, ctx->script, ssa, ctx->optimization_level) == FAILURE) {
99 return FAILURE;
100 }
101
102 if (zend_ssa_escape_analysis(ctx->script, op_array, ssa) == FAILURE) {
103 return FAILURE;
104 }
105
106 if (ctx->debug_level & ZEND_DUMP_DFA_SSA_VARS) {
107 zend_dump_ssa_variables(op_array, ssa, 0);
108 }
109
110 return SUCCESS;
111 }
112
zend_ssa_remove_nops(zend_op_array * op_array,zend_ssa * ssa,zend_optimizer_ctx * ctx)113 static void zend_ssa_remove_nops(zend_op_array *op_array, zend_ssa *ssa, zend_optimizer_ctx *ctx)
114 {
115 zend_basic_block *blocks = ssa->cfg.blocks;
116 zend_basic_block *blocks_end = blocks + ssa->cfg.blocks_count;
117 zend_basic_block *b;
118 zend_func_info *func_info;
119 int j;
120 uint32_t i = 0;
121 uint32_t target = 0;
122 uint32_t *shiftlist;
123 ALLOCA_FLAG(use_heap);
124
125 shiftlist = (uint32_t *)do_alloca(sizeof(uint32_t) * op_array->last, use_heap);
126 memset(shiftlist, 0, sizeof(uint32_t) * op_array->last);
127 /* remove empty callee_info */
128 func_info = ZEND_FUNC_INFO(op_array);
129 if (func_info) {
130 zend_call_info **call_info = &func_info->callee_info;
131 while ((*call_info)) {
132 if ((*call_info)->caller_init_opline->opcode == ZEND_NOP) {
133 *call_info = (*call_info)->next_callee;
134 } else {
135 call_info = &(*call_info)->next_callee;
136 }
137 }
138 }
139
140 for (b = blocks; b < blocks_end; b++) {
141 if (b->flags & (ZEND_BB_REACHABLE|ZEND_BB_UNREACHABLE_FREE)) {
142 if (b->len) {
143 uint32_t new_start, old_end;
144 while (i < b->start) {
145 shiftlist[i] = i - target;
146 i++;
147 }
148
149 if (b->flags & ZEND_BB_UNREACHABLE_FREE) {
150 /* Only keep the FREE for the loop var */
151 ZEND_ASSERT(op_array->opcodes[b->start].opcode == ZEND_FREE
152 || op_array->opcodes[b->start].opcode == ZEND_FE_FREE);
153 b->len = 1;
154 }
155
156 new_start = target;
157 old_end = b->start + b->len;
158 while (i < old_end) {
159 shiftlist[i] = i - target;
160 if (EXPECTED(op_array->opcodes[i].opcode != ZEND_NOP)) {
161 if (i != target) {
162 op_array->opcodes[target] = op_array->opcodes[i];
163 ssa->ops[target] = ssa->ops[i];
164 ssa->cfg.map[target] = b - blocks;
165 }
166 target++;
167 }
168 i++;
169 }
170 b->start = new_start;
171 if (target != old_end) {
172 zend_op *opline;
173 zend_op *new_opline;
174
175 b->len = target - b->start;
176 opline = op_array->opcodes + old_end - 1;
177 if (opline->opcode == ZEND_NOP) {
178 continue;
179 }
180
181 new_opline = op_array->opcodes + target - 1;
182 zend_optimizer_migrate_jump(op_array, new_opline, opline);
183 }
184 } else {
185 b->start = target;
186 }
187 } else {
188 b->start = target;
189 b->len = 0;
190 }
191 }
192
193 if (target != op_array->last) {
194 /* reset rest opcodes */
195 for (i = target; i < op_array->last; i++) {
196 MAKE_NOP(op_array->opcodes + i);
197 }
198
199 /* update SSA variables */
200 for (j = 0; j < ssa->vars_count; j++) {
201 if (ssa->vars[j].definition >= 0) {
202 ssa->vars[j].definition -= shiftlist[ssa->vars[j].definition];
203 }
204 if (ssa->vars[j].use_chain >= 0) {
205 ssa->vars[j].use_chain -= shiftlist[ssa->vars[j].use_chain];
206 }
207 }
208 for (i = 0; i < op_array->last; i++) {
209 if (ssa->ops[i].op1_use_chain >= 0) {
210 ssa->ops[i].op1_use_chain -= shiftlist[ssa->ops[i].op1_use_chain];
211 }
212 if (ssa->ops[i].op2_use_chain >= 0) {
213 ssa->ops[i].op2_use_chain -= shiftlist[ssa->ops[i].op2_use_chain];
214 }
215 if (ssa->ops[i].res_use_chain >= 0) {
216 ssa->ops[i].res_use_chain -= shiftlist[ssa->ops[i].res_use_chain];
217 }
218 }
219
220 /* update branch targets */
221 for (b = blocks; b < blocks_end; b++) {
222 if ((b->flags & ZEND_BB_REACHABLE) && b->len != 0) {
223 zend_op *opline = op_array->opcodes + b->start + b->len - 1;
224 zend_optimizer_shift_jump(op_array, opline, shiftlist);
225 }
226 }
227
228 /* update try/catch array */
229 for (j = 0; j < op_array->last_try_catch; j++) {
230 op_array->try_catch_array[j].try_op -= shiftlist[op_array->try_catch_array[j].try_op];
231 op_array->try_catch_array[j].catch_op -= shiftlist[op_array->try_catch_array[j].catch_op];
232 if (op_array->try_catch_array[j].finally_op) {
233 op_array->try_catch_array[j].finally_op -= shiftlist[op_array->try_catch_array[j].finally_op];
234 op_array->try_catch_array[j].finally_end -= shiftlist[op_array->try_catch_array[j].finally_end];
235 }
236 }
237
238 /* update call graph */
239 if (func_info) {
240 zend_call_info *call_info = func_info->callee_info;
241 while (call_info) {
242 call_info->caller_init_opline -=
243 shiftlist[call_info->caller_init_opline - op_array->opcodes];
244 if (call_info->caller_call_opline) {
245 call_info->caller_call_opline -=
246 shiftlist[call_info->caller_call_opline - op_array->opcodes];
247 }
248 call_info = call_info->next_callee;
249 }
250 }
251
252 op_array->last = target;
253 }
254 free_alloca(shiftlist, use_heap);
255 }
256
safe_instanceof(zend_class_entry * ce1,zend_class_entry * ce2)257 static bool safe_instanceof(zend_class_entry *ce1, zend_class_entry *ce2) {
258 if (ce1 == ce2) {
259 return 1;
260 }
261 if (!(ce1->ce_flags & ZEND_ACC_LINKED)) {
262 /* This case could be generalized, similarly to unlinked_instanceof */
263 return 0;
264 }
265 return instanceof_function(ce1, ce2);
266 }
267
can_elide_list_type(const zend_script * script,const zend_op_array * op_array,const zend_ssa_var_info * use_info,zend_type type)268 static inline bool can_elide_list_type(
269 const zend_script *script, const zend_op_array *op_array,
270 const zend_ssa_var_info *use_info, zend_type type)
271 {
272 zend_type *single_type;
273 /* For intersection: result==false is failure, default is success.
274 * For union: result==true is success, default is failure. */
275 bool is_intersection = ZEND_TYPE_IS_INTERSECTION(type);
276 ZEND_TYPE_FOREACH(type, single_type) {
277 if (ZEND_TYPE_HAS_LIST(*single_type)) {
278 ZEND_ASSERT(!is_intersection);
279 return can_elide_list_type(script, op_array, use_info, *single_type);
280 }
281 if (ZEND_TYPE_HAS_NAME(*single_type)) {
282 zend_string *lcname = zend_string_tolower(ZEND_TYPE_NAME(*single_type));
283 zend_class_entry *ce = zend_optimizer_get_class_entry(script, op_array, lcname);
284 zend_string_release(lcname);
285 bool result = ce && safe_instanceof(use_info->ce, ce);
286 if (result == !is_intersection) {
287 return result;
288 }
289 }
290 } ZEND_TYPE_FOREACH_END();
291 return is_intersection;
292 }
293
can_elide_return_type_check(const zend_script * script,zend_op_array * op_array,zend_ssa * ssa,zend_ssa_op * ssa_op)294 static inline bool can_elide_return_type_check(
295 const zend_script *script, zend_op_array *op_array, zend_ssa *ssa, zend_ssa_op *ssa_op) {
296 zend_arg_info *arg_info = &op_array->arg_info[-1];
297 zend_ssa_var_info *use_info = &ssa->var_info[ssa_op->op1_use];
298 uint32_t use_type = use_info->type & (MAY_BE_ANY|MAY_BE_UNDEF);
299 if (use_type & MAY_BE_REF) {
300 return 0;
301 }
302
303 if (use_type & MAY_BE_UNDEF) {
304 use_type &= ~MAY_BE_UNDEF;
305 use_type |= MAY_BE_NULL;
306 }
307
308 uint32_t disallowed_types = use_type & ~ZEND_TYPE_PURE_MASK(arg_info->type);
309 if (!disallowed_types) {
310 /* Only contains allowed types. */
311 return true;
312 }
313
314 if (disallowed_types == MAY_BE_OBJECT && use_info->ce && ZEND_TYPE_IS_COMPLEX(arg_info->type)) {
315 return can_elide_list_type(script, op_array, use_info, arg_info->type);
316 }
317
318 return false;
319 }
320
opline_supports_assign_contraction(zend_op_array * op_array,zend_ssa * ssa,zend_op * opline,int src_var,uint32_t cv_var)321 static bool opline_supports_assign_contraction(
322 zend_op_array *op_array, zend_ssa *ssa, zend_op *opline, int src_var, uint32_t cv_var) {
323 if (opline->opcode == ZEND_NEW) {
324 /* see Zend/tests/generators/aborted_yield_during_new.phpt */
325 return 0;
326 }
327
328 /* Frameless calls override the return value, but the return value may overlap with the arguments. */
329 switch (opline->opcode) {
330 case ZEND_FRAMELESS_ICALL_3:
331 if ((opline + 1)->op1_type == IS_CV && (opline + 1)->op1.var == cv_var) return 0;
332 ZEND_FALLTHROUGH;
333 case ZEND_FRAMELESS_ICALL_2:
334 if (opline->op2_type == IS_CV && opline->op2.var == cv_var) return 0;
335 ZEND_FALLTHROUGH;
336 case ZEND_FRAMELESS_ICALL_1:
337 if (opline->op1_type == IS_CV && opline->op1.var == cv_var) return 0;
338 return 1;
339 }
340
341 if (opline->opcode == ZEND_DO_ICALL || opline->opcode == ZEND_DO_UCALL
342 || opline->opcode == ZEND_DO_FCALL || opline->opcode == ZEND_DO_FCALL_BY_NAME) {
343 /* Function calls may dtor the return value after it has already been written -- allow
344 * direct assignment only for types where a double-dtor does not matter. */
345 uint32_t type = ssa->var_info[src_var].type;
346 uint32_t simple = MAY_BE_NULL|MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_LONG|MAY_BE_DOUBLE;
347 return !((type & MAY_BE_ANY) & ~simple);
348 }
349
350 if (opline->opcode == ZEND_POST_INC || opline->opcode == ZEND_POST_DEC) {
351 /* POST_INC/DEC write the result variable before performing the inc/dec. For $i = $i++
352 * eliding the temporary variable would thus yield an incorrect result. */
353 return opline->op1_type != IS_CV || opline->op1.var != cv_var;
354 }
355
356 if (opline->opcode == ZEND_INIT_ARRAY) {
357 /* INIT_ARRAY initializes the result array before reading key/value. */
358 return (opline->op1_type != IS_CV || opline->op1.var != cv_var)
359 && (opline->op2_type != IS_CV || opline->op2.var != cv_var);
360 }
361
362 if (opline->opcode == ZEND_CAST
363 && (opline->extended_value == IS_ARRAY || opline->extended_value == IS_OBJECT)) {
364 /* CAST to array/object may initialize the result to an empty array/object before
365 * reading the expression. */
366 return opline->op1_type != IS_CV || opline->op1.var != cv_var;
367 }
368
369 if ((opline->opcode == ZEND_ASSIGN_OP
370 || opline->opcode == ZEND_ASSIGN_OBJ
371 || opline->opcode == ZEND_ASSIGN_DIM
372 || opline->opcode == ZEND_ASSIGN_OBJ_OP
373 || opline->opcode == ZEND_ASSIGN_DIM_OP)
374 && opline->op1_type == IS_CV
375 && opline->op1.var == cv_var
376 && zend_may_throw(opline, &ssa->ops[ssa->vars[src_var].definition], op_array, ssa)) {
377 return 0;
378 }
379
380 return 1;
381 }
382
variable_defined_or_used_in_range(zend_ssa * ssa,int var,int start,int end)383 static bool variable_defined_or_used_in_range(zend_ssa *ssa, int var, int start, int end)
384 {
385 while (start < end) {
386 const zend_ssa_op *ssa_op = &ssa->ops[start];
387 if ((ssa_op->op1_def >= 0 && ssa->vars[ssa_op->op1_def].var == var) ||
388 (ssa_op->op2_def >= 0 && ssa->vars[ssa_op->op2_def].var == var) ||
389 (ssa_op->result_def >= 0 && ssa->vars[ssa_op->result_def].var == var) ||
390 (ssa_op->op1_use >= 0 && ssa->vars[ssa_op->op1_use].var == var) ||
391 (ssa_op->op2_use >= 0 && ssa->vars[ssa_op->op2_use].var == var) ||
392 (ssa_op->result_use >= 0 && ssa->vars[ssa_op->result_use].var == var)
393 ) {
394 return 1;
395 }
396 start++;
397 }
398 return 0;
399 }
400
zend_dfa_optimize_calls(zend_op_array * op_array,zend_ssa * ssa)401 int zend_dfa_optimize_calls(zend_op_array *op_array, zend_ssa *ssa)
402 {
403 zend_func_info *func_info = ZEND_FUNC_INFO(op_array);
404 int removed_ops = 0;
405
406 if (func_info->callee_info) {
407 zend_call_info *call_info = func_info->callee_info;
408
409 do {
410 if (call_info->caller_call_opline
411 && call_info->caller_call_opline->opcode == ZEND_DO_ICALL
412 && call_info->callee_func
413 && zend_string_equals_literal(call_info->callee_func->common.function_name, "in_array")
414 && (call_info->caller_init_opline->extended_value == 2
415 || (call_info->caller_init_opline->extended_value == 3
416 && (call_info->caller_call_opline - 1)->opcode == ZEND_SEND_VAL
417 && (call_info->caller_call_opline - 1)->op1_type == IS_CONST))) {
418
419 zend_op *send_array;
420 zend_op *send_needly;
421 bool strict = 0;
422 ZEND_ASSERT(!call_info->is_prototype);
423
424 if (call_info->caller_init_opline->extended_value == 2) {
425 send_array = call_info->caller_call_opline - 1;
426 send_needly = call_info->caller_call_opline - 2;
427 } else {
428 if (zend_is_true(CT_CONSTANT_EX(op_array, (call_info->caller_call_opline - 1)->op1.constant))) {
429 strict = 1;
430 }
431 send_array = call_info->caller_call_opline - 2;
432 send_needly = call_info->caller_call_opline - 3;
433 }
434
435 if (send_array->opcode == ZEND_SEND_VAL
436 && send_array->op1_type == IS_CONST
437 && Z_TYPE_P(CT_CONSTANT_EX(op_array, send_array->op1.constant)) == IS_ARRAY
438 && (send_needly->opcode == ZEND_SEND_VAL
439 || send_needly->opcode == ZEND_SEND_VAR)
440 ) {
441 bool ok = 1;
442
443 HashTable *src = Z_ARRVAL_P(CT_CONSTANT_EX(op_array, send_array->op1.constant));
444 HashTable *dst;
445 zval *val, tmp;
446 zend_ulong idx;
447
448 ZVAL_TRUE(&tmp);
449 dst = zend_new_array(zend_hash_num_elements(src));
450 if (strict) {
451 ZEND_HASH_FOREACH_VAL(src, val) {
452 if (Z_TYPE_P(val) == IS_STRING) {
453 zend_hash_add(dst, Z_STR_P(val), &tmp);
454 } else if (Z_TYPE_P(val) == IS_LONG) {
455 zend_hash_index_add(dst, Z_LVAL_P(val), &tmp);
456 } else {
457 zend_array_destroy(dst);
458 ok = 0;
459 break;
460 }
461 } ZEND_HASH_FOREACH_END();
462 } else {
463 ZEND_HASH_FOREACH_VAL(src, val) {
464 if (Z_TYPE_P(val) != IS_STRING || ZEND_HANDLE_NUMERIC(Z_STR_P(val), idx)) {
465 zend_array_destroy(dst);
466 ok = 0;
467 break;
468 }
469 zend_hash_add(dst, Z_STR_P(val), &tmp);
470 } ZEND_HASH_FOREACH_END();
471 }
472
473 if (ok) {
474 uint32_t op_num = send_needly - op_array->opcodes;
475 zend_ssa_op *ssa_op = ssa->ops + op_num;
476
477 if (ssa_op->op1_use >= 0) {
478 /* Reconstruct SSA */
479 int var_num = ssa_op->op1_use;
480 zend_ssa_var *var = ssa->vars + var_num;
481
482 ZEND_ASSERT(ssa_op->op1_def < 0);
483 zend_ssa_unlink_use_chain(ssa, op_num, ssa_op->op1_use);
484 ssa_op->op1_use = -1;
485 ssa_op->op1_use_chain = -1;
486 op_num = call_info->caller_call_opline - op_array->opcodes;
487 ssa_op = ssa->ops + op_num;
488 ssa_op->op1_use = var_num;
489 ssa_op->op1_use_chain = var->use_chain;
490 var->use_chain = op_num;
491 }
492
493 ZVAL_ARR(&tmp, dst);
494
495 /* Update opcode */
496 call_info->caller_call_opline->opcode = ZEND_IN_ARRAY;
497 call_info->caller_call_opline->extended_value = strict;
498 call_info->caller_call_opline->op1_type = send_needly->op1_type;
499 call_info->caller_call_opline->op1.num = send_needly->op1.num;
500 call_info->caller_call_opline->op2_type = IS_CONST;
501 call_info->caller_call_opline->op2.constant = zend_optimizer_add_literal(op_array, &tmp);
502 if (call_info->caller_init_opline->extended_value == 3) {
503 MAKE_NOP(call_info->caller_call_opline - 1);
504 }
505 MAKE_NOP(call_info->caller_init_opline);
506 MAKE_NOP(send_needly);
507 MAKE_NOP(send_array);
508 removed_ops++;
509
510 op_num = call_info->caller_call_opline - op_array->opcodes;
511 ssa_op = ssa->ops + op_num;
512 if (ssa_op->result_def >= 0) {
513 int var = ssa_op->result_def;
514 int use = ssa->vars[var].use_chain;
515
516 /* If the result is used only in a JMPZ/JMPNZ, replace result type with
517 * IS_TMP_VAR, which will enable use of smart branches. Don't do this
518 * in other cases, as not all opcodes support both VAR and TMP. */
519 if (ssa->vars[var].phi_use_chain == NULL
520 && ssa->ops[use].op1_use == var
521 && ssa->ops[use].op1_use_chain == -1
522 && (op_array->opcodes[use].opcode == ZEND_JMPZ
523 || op_array->opcodes[use].opcode == ZEND_JMPNZ)) {
524 call_info->caller_call_opline->result_type = IS_TMP_VAR;
525 op_array->opcodes[use].op1_type = IS_TMP_VAR;
526 }
527 }
528 }
529 }
530 }
531 call_info = call_info->next_callee;
532 } while (call_info);
533 }
534
535 return removed_ops;
536 }
537
take_successor_0(zend_ssa * ssa,int block_num,zend_basic_block * block)538 static zend_always_inline void take_successor_0(zend_ssa *ssa, int block_num, zend_basic_block *block)
539 {
540 if (block->successors_count == 2) {
541 if (block->successors[1] != block->successors[0]) {
542 zend_ssa_remove_predecessor(ssa, block_num, block->successors[1]);
543 }
544 block->successors_count = 1;
545 }
546 }
547
take_successor_1(zend_ssa * ssa,int block_num,zend_basic_block * block)548 static zend_always_inline void take_successor_1(zend_ssa *ssa, int block_num, zend_basic_block *block)
549 {
550 if (block->successors_count == 2) {
551 if (block->successors[1] != block->successors[0]) {
552 zend_ssa_remove_predecessor(ssa, block_num, block->successors[0]);
553 block->successors[0] = block->successors[1];
554 }
555 block->successors_count = 1;
556 }
557 }
558
take_successor_ex(zend_ssa * ssa,int block_num,zend_basic_block * block,int target_block)559 static zend_always_inline void take_successor_ex(zend_ssa *ssa, int block_num, zend_basic_block *block, int target_block)
560 {
561 int i;
562
563 for (i = 0; i < block->successors_count; i++) {
564 if (block->successors[i] != target_block) {
565 zend_ssa_remove_predecessor(ssa, block_num, block->successors[i]);
566 }
567 }
568 block->successors[0] = target_block;
569 block->successors_count = 1;
570 }
571
compress_block(zend_op_array * op_array,zend_basic_block * block)572 static void compress_block(zend_op_array *op_array, zend_basic_block *block)
573 {
574 while (block->len > 0) {
575 zend_op *opline = &op_array->opcodes[block->start + block->len - 1];
576
577 if (opline->opcode == ZEND_NOP) {
578 block->len--;
579 } else {
580 break;
581 }
582 }
583 }
584
replace_predecessor(zend_ssa * ssa,int block_id,int old_pred,int new_pred)585 static void replace_predecessor(zend_ssa *ssa, int block_id, int old_pred, int new_pred) {
586 zend_basic_block *block = &ssa->cfg.blocks[block_id];
587 int *predecessors = &ssa->cfg.predecessors[block->predecessor_offset];
588 zend_ssa_phi *phi;
589
590 int i;
591 int old_pred_idx = -1;
592 int new_pred_idx = -1;
593 for (i = 0; i < block->predecessors_count; i++) {
594 if (predecessors[i] == old_pred) {
595 old_pred_idx = i;
596 }
597 if (predecessors[i] == new_pred) {
598 new_pred_idx = i;
599 }
600 }
601
602 ZEND_ASSERT(old_pred_idx != -1);
603 if (new_pred_idx == -1) {
604 /* If the new predecessor doesn't exist yet, simply rewire the old one */
605 predecessors[old_pred_idx] = new_pred;
606 } else {
607 /* Otherwise, rewiring the old predecessor would make the new predecessor appear
608 * twice, which violates our CFG invariants. Remove the old predecessor instead. */
609 memmove(
610 predecessors + old_pred_idx,
611 predecessors + old_pred_idx + 1,
612 sizeof(int) * (block->predecessors_count - old_pred_idx - 1)
613 );
614
615 /* Also remove the corresponding phi node entries */
616 for (phi = ssa->blocks[block_id].phis; phi; phi = phi->next) {
617 if (phi->pi >= 0) {
618 if (phi->pi == old_pred || phi->pi == new_pred) {
619 zend_ssa_rename_var_uses(
620 ssa, phi->ssa_var, phi->sources[0], /* update_types */ 0);
621 zend_ssa_remove_phi(ssa, phi);
622 }
623 } else {
624 memmove(
625 phi->sources + old_pred_idx,
626 phi->sources + old_pred_idx + 1,
627 sizeof(int) * (block->predecessors_count - old_pred_idx - 1)
628 );
629 }
630 }
631
632 block->predecessors_count--;
633 }
634 }
635
zend_ssa_replace_control_link(zend_op_array * op_array,zend_ssa * ssa,int from,int to,int new_to)636 static void zend_ssa_replace_control_link(zend_op_array *op_array, zend_ssa *ssa, int from, int to, int new_to)
637 {
638 zend_basic_block *src = &ssa->cfg.blocks[from];
639 zend_basic_block *old = &ssa->cfg.blocks[to];
640 zend_basic_block *dst = &ssa->cfg.blocks[new_to];
641 int i;
642 zend_op *opline;
643
644 for (i = 0; i < src->successors_count; i++) {
645 if (src->successors[i] == to) {
646 src->successors[i] = new_to;
647 }
648 }
649
650 if (src->len > 0) {
651 opline = op_array->opcodes + src->start + src->len - 1;
652 switch (opline->opcode) {
653 case ZEND_JMP:
654 case ZEND_FAST_CALL:
655 ZEND_ASSERT(ZEND_OP1_JMP_ADDR(opline) == op_array->opcodes + old->start);
656 ZEND_SET_OP_JMP_ADDR(opline, opline->op1, op_array->opcodes + dst->start);
657 break;
658 case ZEND_JMPZ:
659 case ZEND_JMPNZ:
660 case ZEND_JMPZ_EX:
661 case ZEND_JMPNZ_EX:
662 case ZEND_FE_RESET_R:
663 case ZEND_FE_RESET_RW:
664 case ZEND_JMP_SET:
665 case ZEND_COALESCE:
666 case ZEND_ASSERT_CHECK:
667 case ZEND_JMP_NULL:
668 case ZEND_BIND_INIT_STATIC_OR_JMP:
669 case ZEND_JMP_FRAMELESS:
670 if (ZEND_OP2_JMP_ADDR(opline) == op_array->opcodes + old->start) {
671 ZEND_SET_OP_JMP_ADDR(opline, opline->op2, op_array->opcodes + dst->start);
672 }
673 break;
674 case ZEND_CATCH:
675 if (!(opline->extended_value & ZEND_LAST_CATCH)) {
676 if (ZEND_OP2_JMP_ADDR(opline) == op_array->opcodes + old->start) {
677 ZEND_SET_OP_JMP_ADDR(opline, opline->op2, op_array->opcodes + dst->start);
678 }
679 }
680 break;
681 case ZEND_FE_FETCH_R:
682 case ZEND_FE_FETCH_RW:
683 if (ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, opline->extended_value) == old->start) {
684 opline->extended_value = ZEND_OPLINE_NUM_TO_OFFSET(op_array, opline, dst->start);
685 }
686 break;
687 case ZEND_SWITCH_LONG:
688 case ZEND_SWITCH_STRING:
689 case ZEND_MATCH:
690 {
691 HashTable *jumptable = Z_ARRVAL(ZEND_OP2_LITERAL(opline));
692 zval *zv;
693 ZEND_HASH_FOREACH_VAL(jumptable, zv) {
694 if (ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, Z_LVAL_P(zv)) == old->start) {
695 Z_LVAL_P(zv) = ZEND_OPLINE_NUM_TO_OFFSET(op_array, opline, dst->start);
696 }
697 } ZEND_HASH_FOREACH_END();
698 if (ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, opline->extended_value) == old->start) {
699 opline->extended_value = ZEND_OPLINE_NUM_TO_OFFSET(op_array, opline, dst->start);
700 }
701 break;
702 }
703 }
704 }
705
706 replace_predecessor(ssa, new_to, to, from);
707 }
708
zend_ssa_unlink_block(zend_op_array * op_array,zend_ssa * ssa,zend_basic_block * block,int block_num)709 static void zend_ssa_unlink_block(zend_op_array *op_array, zend_ssa *ssa, zend_basic_block *block, int block_num)
710 {
711 if (block->predecessors_count == 1 && ssa->blocks[block_num].phis == NULL) {
712 int *predecessors, i;
713 zend_basic_block *fe_fetch_block = NULL;
714
715 ZEND_ASSERT(block->successors_count == 1);
716 predecessors = &ssa->cfg.predecessors[block->predecessor_offset];
717 if (block->predecessors_count == 1 && (block->flags & ZEND_BB_FOLLOW)) {
718 zend_basic_block *pred_block = &ssa->cfg.blocks[predecessors[0]];
719
720 if (pred_block->len > 0 && (pred_block->flags & ZEND_BB_REACHABLE)) {
721 if ((op_array->opcodes[pred_block->start + pred_block->len - 1].opcode == ZEND_FE_FETCH_R
722 || op_array->opcodes[pred_block->start + pred_block->len - 1].opcode == ZEND_FE_FETCH_RW)
723 && op_array->opcodes[pred_block->start + pred_block->len - 1].op2_type == IS_CV) {
724 fe_fetch_block = pred_block;
725 }
726 }
727 }
728 for (i = 0; i < block->predecessors_count; i++) {
729 zend_ssa_replace_control_link(op_array, ssa, predecessors[i], block_num, block->successors[0]);
730 }
731 zend_ssa_remove_block(op_array, ssa, block_num);
732 if (fe_fetch_block && fe_fetch_block->successors[0] == fe_fetch_block->successors[1]) {
733 /* The body of "foreach" loop was removed */
734 int ssa_var = ssa->ops[fe_fetch_block->start + fe_fetch_block->len - 1].op2_def;
735 if (ssa_var >= 0) {
736 zend_ssa_remove_uses_of_var(ssa, ssa_var);
737 }
738 }
739 }
740 }
741
zend_dfa_optimize_jmps(zend_op_array * op_array,zend_ssa * ssa)742 static int zend_dfa_optimize_jmps(zend_op_array *op_array, zend_ssa *ssa)
743 {
744 int removed_ops = 0;
745 int block_num = 0;
746
747 for (block_num = 1; block_num < ssa->cfg.blocks_count; block_num++) {
748 zend_basic_block *block = &ssa->cfg.blocks[block_num];
749
750 if (!(block->flags & ZEND_BB_REACHABLE)) {
751 continue;
752 }
753 compress_block(op_array, block);
754 if (block->len == 0) {
755 zend_ssa_unlink_block(op_array, ssa, block, block_num);
756 }
757 }
758
759 block_num = 0;
760 while (block_num < ssa->cfg.blocks_count
761 && !(ssa->cfg.blocks[block_num].flags & ZEND_BB_REACHABLE)) {
762 block_num++;
763 }
764 while (block_num < ssa->cfg.blocks_count) {
765 int next_block_num = block_num + 1;
766 zend_basic_block *block = &ssa->cfg.blocks[block_num];
767 uint32_t op_num;
768 zend_op *opline;
769 zend_ssa_op *ssa_op;
770 bool can_follow = 1;
771
772 while (next_block_num < ssa->cfg.blocks_count
773 && !(ssa->cfg.blocks[next_block_num].flags & ZEND_BB_REACHABLE)) {
774 if (ssa->cfg.blocks[next_block_num].flags & ZEND_BB_UNREACHABLE_FREE) {
775 can_follow = 0;
776 }
777 next_block_num++;
778 }
779
780 if (block->len) {
781 op_num = block->start + block->len - 1;
782 opline = op_array->opcodes + op_num;
783 ssa_op = ssa->ops + op_num;
784
785 switch (opline->opcode) {
786 case ZEND_JMP:
787 optimize_jmp:
788 if (block->successors[0] == next_block_num && can_follow) {
789 MAKE_NOP(opline);
790 removed_ops++;
791 goto optimize_nop;
792 }
793 break;
794 case ZEND_JMPZ:
795 optimize_jmpz:
796 if (opline->op1_type == IS_CONST) {
797 if (zend_is_true(CT_CONSTANT_EX(op_array, opline->op1.constant))) {
798 MAKE_NOP(opline);
799 removed_ops++;
800 take_successor_1(ssa, block_num, block);
801 goto optimize_nop;
802 } else {
803 opline->opcode = ZEND_JMP;
804 COPY_NODE(opline->op1, opline->op2);
805 take_successor_0(ssa, block_num, block);
806 goto optimize_jmp;
807 }
808 } else {
809 if (block->successors[0] == next_block_num && can_follow) {
810 take_successor_0(ssa, block_num, block);
811 if (opline->op1_type == IS_CV && (OP1_INFO() & MAY_BE_UNDEF)) {
812 opline->opcode = ZEND_CHECK_VAR;
813 opline->op2.num = 0;
814 } else if (opline->op1_type == IS_CV || !(OP1_INFO() & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
815 zend_ssa_remove_instr(ssa, opline, ssa_op);
816 removed_ops++;
817 goto optimize_nop;
818 } else {
819 opline->opcode = ZEND_FREE;
820 opline->op2.num = 0;
821 }
822 }
823 }
824 break;
825 case ZEND_JMPNZ:
826 optimize_jmpnz:
827 if (opline->op1_type == IS_CONST) {
828 if (zend_is_true(CT_CONSTANT_EX(op_array, opline->op1.constant))) {
829 opline->opcode = ZEND_JMP;
830 COPY_NODE(opline->op1, opline->op2);
831 take_successor_0(ssa, block_num, block);
832 goto optimize_jmp;
833 } else {
834 MAKE_NOP(opline);
835 removed_ops++;
836 take_successor_1(ssa, block_num, block);
837 goto optimize_nop;
838 }
839 } else if (block->successors_count == 2) {
840 if (block->successors[0] == next_block_num && can_follow) {
841 take_successor_0(ssa, block_num, block);
842 if (opline->op1_type == IS_CV && (OP1_INFO() & MAY_BE_UNDEF)) {
843 opline->opcode = ZEND_CHECK_VAR;
844 opline->op2.num = 0;
845 } else if (opline->op1_type == IS_CV || !(OP1_INFO() & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
846 zend_ssa_remove_instr(ssa, opline, ssa_op);
847 removed_ops++;
848 goto optimize_nop;
849 } else {
850 opline->opcode = ZEND_FREE;
851 opline->op2.num = 0;
852 }
853 }
854 }
855 break;
856 case ZEND_JMPZ_EX:
857 if (ssa->vars[ssa_op->result_def].use_chain < 0
858 && ssa->vars[ssa_op->result_def].phi_use_chain == NULL) {
859 opline->opcode = ZEND_JMPZ;
860 opline->result_type = IS_UNUSED;
861 zend_ssa_remove_result_def(ssa, ssa_op);
862 goto optimize_jmpz;
863 } else if (opline->op1_type == IS_CONST) {
864 if (zend_is_true(CT_CONSTANT_EX(op_array, opline->op1.constant))) {
865 opline->opcode = ZEND_BOOL;
866 take_successor_1(ssa, block_num, block);
867 }
868 }
869 break;
870 case ZEND_JMPNZ_EX:
871 if (ssa->vars[ssa_op->result_def].use_chain < 0
872 && ssa->vars[ssa_op->result_def].phi_use_chain == NULL) {
873 opline->opcode = ZEND_JMPNZ;
874 opline->result_type = IS_UNUSED;
875 zend_ssa_remove_result_def(ssa, ssa_op);
876 goto optimize_jmpnz;
877 } else if (opline->op1_type == IS_CONST) {
878 if (!zend_is_true(CT_CONSTANT_EX(op_array, opline->op1.constant))) {
879 opline->opcode = ZEND_BOOL;
880 take_successor_1(ssa, block_num, block);
881 }
882 }
883 break;
884 case ZEND_JMP_SET:
885 if (ssa->vars[ssa_op->result_def].use_chain < 0
886 && ssa->vars[ssa_op->result_def].phi_use_chain == NULL) {
887 opline->opcode = ZEND_JMPNZ;
888 opline->result_type = IS_UNUSED;
889 zend_ssa_remove_result_def(ssa, ssa_op);
890 goto optimize_jmpnz;
891 } else if (opline->op1_type == IS_CONST) {
892 if (!zend_is_true(CT_CONSTANT_EX(op_array, opline->op1.constant))) {
893 MAKE_NOP(opline);
894 removed_ops++;
895 take_successor_1(ssa, block_num, block);
896 zend_ssa_remove_result_def(ssa, ssa_op);
897 goto optimize_nop;
898 }
899 }
900 break;
901 case ZEND_COALESCE:
902 {
903 zend_ssa_var *var = &ssa->vars[ssa_op->result_def];
904 if (opline->op1_type == IS_CONST
905 && var->use_chain < 0 && var->phi_use_chain == NULL) {
906 if (Z_TYPE_P(CT_CONSTANT_EX(op_array, opline->op1.constant)) == IS_NULL) {
907 zend_ssa_remove_result_def(ssa, ssa_op);
908 MAKE_NOP(opline);
909 removed_ops++;
910 take_successor_1(ssa, block_num, block);
911 goto optimize_nop;
912 } else {
913 opline->opcode = ZEND_JMP;
914 opline->result_type = IS_UNUSED;
915 zend_ssa_remove_result_def(ssa, ssa_op);
916 COPY_NODE(opline->op1, opline->op2);
917 take_successor_0(ssa, block_num, block);
918 goto optimize_jmp;
919 }
920 }
921 break;
922 }
923 case ZEND_JMP_NULL:
924 {
925 zend_ssa_var *var = &ssa->vars[ssa_op->result_def];
926 if (opline->op1_type == IS_CONST
927 && var->use_chain < 0 && var->phi_use_chain == NULL) {
928 if (Z_TYPE_P(CT_CONSTANT_EX(op_array, opline->op1.constant)) == IS_NULL) {
929 opline->opcode = ZEND_JMP;
930 opline->result_type = IS_UNUSED;
931 zend_ssa_remove_result_def(ssa, ssa_op);
932 COPY_NODE(opline->op1, opline->op2);
933 take_successor_0(ssa, block_num, block);
934 goto optimize_jmp;
935 } else {
936 zend_ssa_remove_result_def(ssa, ssa_op);
937 MAKE_NOP(opline);
938 removed_ops++;
939 take_successor_1(ssa, block_num, block);
940 goto optimize_nop;
941 }
942 }
943 break;
944 }
945 case ZEND_SWITCH_LONG:
946 case ZEND_SWITCH_STRING:
947 case ZEND_MATCH:
948 if (opline->op1_type == IS_CONST) {
949 zval *zv = CT_CONSTANT_EX(op_array, opline->op1.constant);
950 uint8_t type = Z_TYPE_P(zv);
951 bool correct_type =
952 (opline->opcode == ZEND_SWITCH_LONG && type == IS_LONG)
953 || (opline->opcode == ZEND_SWITCH_STRING && type == IS_STRING)
954 || (opline->opcode == ZEND_MATCH && (type == IS_LONG || type == IS_STRING));
955
956 /* Switch statements have a fallback chain for loose comparison. In those
957 * cases the SWITCH_* instruction is a NOP. Match does strict comparison and
958 * thus jumps to the default branch on mismatched types, so we need to
959 * convert MATCH to a jmp. */
960 if (!correct_type && opline->opcode != ZEND_MATCH) {
961 removed_ops++;
962 MAKE_NOP(opline);
963 opline->extended_value = 0;
964 take_successor_ex(ssa, block_num, block, block->successors[block->successors_count - 1]);
965 goto optimize_nop;
966 }
967
968 uint32_t target;
969 if (correct_type) {
970 HashTable *jmptable = Z_ARRVAL_P(CT_CONSTANT_EX(op_array, opline->op2.constant));
971 zval *jmp_zv = type == IS_LONG
972 ? zend_hash_index_find(jmptable, Z_LVAL_P(zv))
973 : zend_hash_find(jmptable, Z_STR_P(zv));
974
975 if (jmp_zv) {
976 target = ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, Z_LVAL_P(jmp_zv));
977 } else {
978 target = ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, opline->extended_value);
979 }
980 } else {
981 ZEND_ASSERT(opline->opcode == ZEND_MATCH);
982 target = ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, opline->extended_value);
983 }
984 opline->opcode = ZEND_JMP;
985 opline->extended_value = 0;
986 SET_UNUSED(opline->op1);
987 ZEND_SET_OP_JMP_ADDR(opline, opline->op1, op_array->opcodes + target);
988 SET_UNUSED(opline->op2);
989 take_successor_ex(ssa, block_num, block, ssa->cfg.map[target]);
990 goto optimize_jmp;
991 }
992 break;
993 case ZEND_NOP:
994 optimize_nop:
995 compress_block(op_array, block);
996 if (block->len == 0) {
997 if (block_num > 0) {
998 zend_ssa_unlink_block(op_array, ssa, block, block_num);
999 /* backtrack to previous basic block */
1000 do {
1001 block_num--;
1002 } while (block_num >= 0
1003 && !(ssa->cfg.blocks[block_num].flags & ZEND_BB_REACHABLE));
1004 if (block_num >= 0) {
1005 continue;
1006 }
1007 }
1008 }
1009 break;
1010 default:
1011 break;
1012 }
1013 }
1014
1015 block_num = next_block_num;
1016 }
1017
1018 return removed_ops;
1019 }
1020
zend_dfa_try_to_replace_result(zend_op_array * op_array,zend_ssa * ssa,int def,int cv_var)1021 static bool zend_dfa_try_to_replace_result(zend_op_array *op_array, zend_ssa *ssa, int def, int cv_var)
1022 {
1023 int result_var = ssa->ops[def].result_def;
1024 uint32_t cv = EX_NUM_TO_VAR(ssa->vars[cv_var].var);
1025
1026 if (result_var >= 0
1027 && !(ssa->var_info[cv_var].type & MAY_BE_REF)
1028 && ssa->vars[cv_var].alias == NO_ALIAS
1029 && ssa->vars[result_var].phi_use_chain == NULL
1030 && ssa->vars[result_var].sym_use_chain == NULL) {
1031 int use = ssa->vars[result_var].use_chain;
1032
1033 if (use >= 0
1034 && zend_ssa_next_use(ssa->ops, result_var, use) < 0
1035 && op_array->opcodes[use].opcode != ZEND_FREE
1036 && op_array->opcodes[use].opcode != ZEND_SEND_VAL
1037 && op_array->opcodes[use].opcode != ZEND_SEND_VAL_EX
1038 && op_array->opcodes[use].opcode != ZEND_VERIFY_RETURN_TYPE
1039 && op_array->opcodes[use].opcode != ZEND_YIELD) {
1040 if (use > def) {
1041 int i = use;
1042 const zend_op *opline = &op_array->opcodes[use];
1043
1044 while (i > def) {
1045 if ((opline->op1_type == IS_CV && opline->op1.var == cv)
1046 || (opline->op2_type == IS_CV && opline->op2.var == cv)
1047 || (opline->result_type == IS_CV && opline->result.var == cv)) {
1048 return 0;
1049 }
1050 opline--;
1051 i--;
1052 }
1053
1054 /* Update opcodes and reconstruct SSA */
1055 ssa->vars[result_var].definition = -1;
1056 ssa->vars[result_var].use_chain = -1;
1057 ssa->ops[def].result_def = -1;
1058
1059 op_array->opcodes[def].result_type = IS_UNUSED;
1060 op_array->opcodes[def].result.var = 0;
1061
1062 if (ssa->ops[use].op1_use == result_var) {
1063 ssa->ops[use].op1_use = cv_var;
1064 ssa->ops[use].op1_use_chain = ssa->vars[cv_var].use_chain;
1065 ssa->vars[cv_var].use_chain = use;
1066
1067 op_array->opcodes[use].op1_type = IS_CV;
1068 op_array->opcodes[use].op1.var = cv;
1069 } else if (ssa->ops[use].op2_use == result_var) {
1070 ssa->ops[use].op2_use = cv_var;
1071 ssa->ops[use].op2_use_chain = ssa->vars[cv_var].use_chain;
1072 ssa->vars[cv_var].use_chain = use;
1073
1074 op_array->opcodes[use].op2_type = IS_CV;
1075 op_array->opcodes[use].op2.var = cv;
1076 } else if (ssa->ops[use].result_use == result_var) {
1077 ssa->ops[use].result_use = cv_var;
1078 ssa->ops[use].res_use_chain = ssa->vars[cv_var].use_chain;
1079 ssa->vars[cv_var].use_chain = use;
1080
1081 op_array->opcodes[use].result_type = IS_CV;
1082 op_array->opcodes[use].result.var = cv;
1083 }
1084
1085 return 1;
1086 }
1087 }
1088 }
1089
1090 return 0;
1091 }
1092
zend_dfa_optimize_op_array(zend_op_array * op_array,zend_optimizer_ctx * ctx,zend_ssa * ssa,zend_call_info ** call_map)1093 void zend_dfa_optimize_op_array(zend_op_array *op_array, zend_optimizer_ctx *ctx, zend_ssa *ssa, zend_call_info **call_map)
1094 {
1095 if (ctx->debug_level & ZEND_DUMP_BEFORE_DFA_PASS) {
1096 zend_dump_op_array(op_array, ZEND_DUMP_SSA, "before dfa pass", ssa);
1097 }
1098
1099 if (ssa->var_info) {
1100 int op_1;
1101 int v;
1102 int remove_nops = 0;
1103 zend_op *opline;
1104 zend_ssa_op *ssa_op;
1105 zval tmp;
1106
1107 #if ZEND_DEBUG_DFA
1108 ssa_verify_integrity(op_array, ssa, "before dfa");
1109 #endif
1110
1111 if (ZEND_OPTIMIZER_PASS_8 & ctx->optimization_level) {
1112 if (sccp_optimize_op_array(ctx, op_array, ssa, call_map)) {
1113 remove_nops = 1;
1114 }
1115
1116 if (zend_dfa_optimize_jmps(op_array, ssa)) {
1117 remove_nops = 1;
1118 }
1119
1120 #if ZEND_DEBUG_DFA
1121 ssa_verify_integrity(op_array, ssa, "after sccp");
1122 #endif
1123 if (ZEND_FUNC_INFO(op_array)) {
1124 if (zend_dfa_optimize_calls(op_array, ssa)) {
1125 remove_nops = 1;
1126 }
1127 }
1128 if (ctx->debug_level & ZEND_DUMP_AFTER_PASS_8) {
1129 zend_dump_op_array(op_array, ZEND_DUMP_SSA, "after sccp pass", ssa);
1130 }
1131 #if ZEND_DEBUG_DFA
1132 ssa_verify_integrity(op_array, ssa, "after calls");
1133 #endif
1134 }
1135
1136 if (ZEND_OPTIMIZER_PASS_14 & ctx->optimization_level) {
1137 if (dce_optimize_op_array(op_array, ctx, ssa, 0)) {
1138 remove_nops = 1;
1139 }
1140 if (zend_dfa_optimize_jmps(op_array, ssa)) {
1141 remove_nops = 1;
1142 }
1143 if (ctx->debug_level & ZEND_DUMP_AFTER_PASS_14) {
1144 zend_dump_op_array(op_array, ZEND_DUMP_SSA, "after dce pass", ssa);
1145 }
1146 #if ZEND_DEBUG_DFA
1147 ssa_verify_integrity(op_array, ssa, "after dce");
1148 #endif
1149 }
1150
1151 for (v = op_array->last_var; v < ssa->vars_count; v++) {
1152
1153 op_1 = ssa->vars[v].definition;
1154
1155 if (op_1 < 0) {
1156 continue;
1157 }
1158
1159 opline = op_array->opcodes + op_1;
1160 ssa_op = &ssa->ops[op_1];
1161
1162 /* Convert LONG constants to DOUBLE */
1163 if (ssa->var_info[v].use_as_double) {
1164 if (opline->opcode == ZEND_ASSIGN
1165 && opline->op2_type == IS_CONST
1166 && ssa->ops[op_1].op1_def == v
1167 && !RETURN_VALUE_USED(opline)
1168 ) {
1169
1170 // op_1: ASSIGN ? -> #v [use_as_double], long(?) => ASSIGN ? -> #v, double(?)
1171
1172 zval *zv = CT_CONSTANT_EX(op_array, opline->op2.constant);
1173 ZEND_ASSERT(Z_TYPE_INFO_P(zv) == IS_LONG);
1174 ZVAL_DOUBLE(&tmp, zval_get_double(zv));
1175 opline->op2.constant = zend_optimizer_add_literal(op_array, &tmp);
1176
1177 } else if (opline->opcode == ZEND_QM_ASSIGN
1178 && opline->op1_type == IS_CONST
1179 ) {
1180
1181 // op_1: QM_ASSIGN #v [use_as_double], long(?) => QM_ASSIGN #v, double(?)
1182
1183 zval *zv = CT_CONSTANT_EX(op_array, opline->op1.constant);
1184 ZEND_ASSERT(Z_TYPE_INFO_P(zv) == IS_LONG);
1185 ZVAL_DOUBLE(&tmp, zval_get_double(zv));
1186 opline->op1.constant = zend_optimizer_add_literal(op_array, &tmp);
1187 }
1188
1189 } else {
1190 if (opline->opcode == ZEND_ADD
1191 || opline->opcode == ZEND_SUB
1192 || opline->opcode == ZEND_MUL
1193 || opline->opcode == ZEND_IS_EQUAL
1194 || opline->opcode == ZEND_IS_NOT_EQUAL
1195 || opline->opcode == ZEND_IS_SMALLER
1196 || opline->opcode == ZEND_IS_SMALLER_OR_EQUAL
1197 ) {
1198
1199 if (opline->op1_type == IS_CONST && opline->op2_type != IS_CONST) {
1200 zval *zv = CT_CONSTANT_EX(op_array, opline->op1.constant);
1201
1202 if ((OP2_INFO() & MAY_BE_ANY) == MAY_BE_DOUBLE
1203 && Z_TYPE_INFO_P(zv) == IS_LONG) {
1204
1205 // op_1: #v.? = ADD long(?), #?.? [double] => #v.? = ADD double(?), #?.? [double]
1206
1207 ZVAL_DOUBLE(&tmp, zval_get_double(zv));
1208 opline->op1.constant = zend_optimizer_add_literal(op_array, &tmp);
1209 zv = CT_CONSTANT_EX(op_array, opline->op1.constant);
1210 }
1211 if (opline->opcode == ZEND_ADD) {
1212 zv = CT_CONSTANT_EX(op_array, opline->op1.constant);
1213
1214 if (((OP2_INFO() & (MAY_BE_ANY|MAY_BE_UNDEF)) == MAY_BE_LONG
1215 && Z_TYPE_INFO_P(zv) == IS_LONG
1216 && Z_LVAL_P(zv) == 0)
1217 || ((OP2_INFO() & (MAY_BE_ANY|MAY_BE_UNDEF)) == MAY_BE_DOUBLE
1218 && Z_TYPE_INFO_P(zv) == IS_DOUBLE
1219 && Z_DVAL_P(zv) == 0.0)) {
1220
1221 // op_1: #v.? = ADD 0, #?.? [double,long] => #v.? = QM_ASSIGN #?.?
1222
1223 opline->opcode = ZEND_QM_ASSIGN;
1224 opline->op1_type = opline->op2_type;
1225 opline->op1.var = opline->op2.var;
1226 opline->op2_type = IS_UNUSED;
1227 opline->op2.num = 0;
1228 ssa->ops[op_1].op1_use = ssa->ops[op_1].op2_use;
1229 ssa->ops[op_1].op1_use_chain = ssa->ops[op_1].op2_use_chain;
1230 ssa->ops[op_1].op2_use = -1;
1231 ssa->ops[op_1].op2_use_chain = -1;
1232 }
1233 } else if (opline->opcode == ZEND_MUL
1234 && (OP2_INFO() & ((MAY_BE_ANY|MAY_BE_UNDEF)-(MAY_BE_LONG|MAY_BE_DOUBLE))) == 0) {
1235 zv = CT_CONSTANT_EX(op_array, opline->op1.constant);
1236
1237 if ((Z_TYPE_INFO_P(zv) == IS_LONG
1238 && Z_LVAL_P(zv) == 2)
1239 || (Z_TYPE_INFO_P(zv) == IS_DOUBLE
1240 && Z_DVAL_P(zv) == 2.0
1241 && !(OP2_INFO() & MAY_BE_LONG))) {
1242
1243 // op_1: #v.? = MUL 2, #x.? [double,long] => #v.? = ADD #x.?, #x.?
1244
1245 opline->opcode = ZEND_ADD;
1246 opline->op1_type = opline->op2_type;
1247 opline->op1.var = opline->op2.var;
1248 ssa->ops[op_1].op1_use = ssa->ops[op_1].op2_use;
1249 ssa->ops[op_1].op1_use_chain = ssa->ops[op_1].op2_use_chain;
1250 }
1251 }
1252 } else if (opline->op1_type != IS_CONST && opline->op2_type == IS_CONST) {
1253 zval *zv = CT_CONSTANT_EX(op_array, opline->op2.constant);
1254
1255 if ((OP1_INFO() & MAY_BE_ANY) == MAY_BE_DOUBLE
1256 && Z_TYPE_INFO_P(CT_CONSTANT_EX(op_array, opline->op2.constant)) == IS_LONG) {
1257
1258 // op_1: #v.? = ADD #?.? [double], long(?) => #v.? = ADD #?.? [double], double(?)
1259
1260 ZVAL_DOUBLE(&tmp, zval_get_double(zv));
1261 opline->op2.constant = zend_optimizer_add_literal(op_array, &tmp);
1262 zv = CT_CONSTANT_EX(op_array, opline->op2.constant);
1263 }
1264 if (opline->opcode == ZEND_ADD || opline->opcode == ZEND_SUB) {
1265 if (((OP1_INFO() & (MAY_BE_ANY|MAY_BE_UNDEF)) == MAY_BE_LONG
1266 && Z_TYPE_INFO_P(zv) == IS_LONG
1267 && Z_LVAL_P(zv) == 0)
1268 || ((OP1_INFO() & (MAY_BE_ANY|MAY_BE_UNDEF)) == MAY_BE_DOUBLE
1269 && Z_TYPE_INFO_P(zv) == IS_DOUBLE
1270 && Z_DVAL_P(zv) == 0.0)) {
1271
1272 // op_1: #v.? = ADD #?.? [double,long], 0 => #v.? = QM_ASSIGN #?.?
1273
1274 opline->opcode = ZEND_QM_ASSIGN;
1275 opline->op2_type = IS_UNUSED;
1276 opline->op2.num = 0;
1277 }
1278 } else if (opline->opcode == ZEND_MUL
1279 && (OP1_INFO() & ((MAY_BE_ANY|MAY_BE_UNDEF)-(MAY_BE_LONG|MAY_BE_DOUBLE))) == 0) {
1280 zv = CT_CONSTANT_EX(op_array, opline->op2.constant);
1281
1282 if ((Z_TYPE_INFO_P(zv) == IS_LONG
1283 && Z_LVAL_P(zv) == 2)
1284 || (Z_TYPE_INFO_P(zv) == IS_DOUBLE
1285 && Z_DVAL_P(zv) == 2.0
1286 && !(OP1_INFO() & MAY_BE_LONG))) {
1287
1288 // op_1: #v.? = MUL #x.? [double,long], 2 => #v.? = ADD #x.?, #x.?
1289
1290 opline->opcode = ZEND_ADD;
1291 opline->op2_type = opline->op1_type;
1292 opline->op2.var = opline->op1.var;
1293 ssa->ops[op_1].op2_use = ssa->ops[op_1].op1_use;
1294 ssa->ops[op_1].op2_use_chain = ssa->ops[op_1].op1_use_chain;
1295 }
1296 }
1297 }
1298 } else if (opline->opcode == ZEND_CONCAT) {
1299 if (!(OP1_INFO() & MAY_BE_OBJECT)
1300 && !(OP2_INFO() & MAY_BE_OBJECT)) {
1301 opline->opcode = ZEND_FAST_CONCAT;
1302 }
1303 } else if (opline->opcode == ZEND_VERIFY_RETURN_TYPE
1304 && opline->op1_type != IS_CONST
1305 && ssa->ops[op_1].op1_def == v
1306 && ssa->ops[op_1].op1_use >= 0) {
1307 int orig_var = ssa->ops[op_1].op1_use;
1308 int ret = ssa->vars[v].use_chain;
1309
1310 if (ssa->ops[op_1].op1_use_chain == -1
1311 && can_elide_return_type_check(ctx->script, op_array, ssa, &ssa->ops[op_1])) {
1312
1313 // op_1: VERIFY_RETURN_TYPE #orig_var.? [T] -> #v.? [T] => NOP
1314
1315 zend_ssa_unlink_use_chain(ssa, op_1, orig_var);
1316
1317 if (ret >= 0) {
1318 ssa->ops[ret].op1_use = orig_var;
1319 ssa->ops[ret].op1_use_chain = ssa->vars[orig_var].use_chain;
1320 ssa->vars[orig_var].use_chain = ret;
1321 }
1322
1323 ssa->vars[v].definition = -1;
1324 ssa->vars[v].use_chain = -1;
1325
1326 ssa->ops[op_1].op1_def = -1;
1327 ssa->ops[op_1].op1_use = -1;
1328
1329 MAKE_NOP(opline);
1330 remove_nops = 1;
1331 } else if (ret >= 0
1332 && ssa->ops[ret].op1_use == v
1333 && ssa->ops[ret].op1_use_chain == -1
1334 && can_elide_return_type_check(ctx->script, op_array, ssa, &ssa->ops[op_1])) {
1335
1336 // op_1: VERIFY_RETURN_TYPE #orig_var.? [T] -> #v.? [T] => NOP
1337
1338 zend_ssa_replace_use_chain(ssa, op_1, ret, orig_var);
1339
1340 ssa->ops[ret].op1_use = orig_var;
1341 ssa->ops[ret].op1_use_chain = ssa->ops[op_1].op1_use_chain;
1342
1343 ssa->vars[v].definition = -1;
1344 ssa->vars[v].use_chain = -1;
1345
1346 ssa->ops[op_1].op1_def = -1;
1347 ssa->ops[op_1].op1_use = -1;
1348
1349 MAKE_NOP(opline);
1350 remove_nops = 1;
1351 }
1352 }
1353 }
1354
1355 if (opline->opcode == ZEND_QM_ASSIGN
1356 && ssa->ops[op_1].result_def == v
1357 && opline->op1_type & (IS_TMP_VAR|IS_VAR)
1358 && !(ssa->var_info[v].type & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))
1359 ) {
1360
1361 int src_var = ssa->ops[op_1].op1_use;
1362
1363 if (src_var >= 0
1364 && !(ssa->var_info[src_var].type & MAY_BE_REF)
1365 && (ssa->var_info[src_var].type & (MAY_BE_UNDEF|MAY_BE_ANY))
1366 && ssa->vars[src_var].definition >= 0
1367 && ssa->ops[ssa->vars[src_var].definition].result_def == src_var
1368 && ssa->ops[ssa->vars[src_var].definition].result_use < 0
1369 && ssa->vars[src_var].use_chain == op_1
1370 && ssa->ops[op_1].op1_use_chain < 0
1371 && !ssa->vars[src_var].phi_use_chain
1372 && !ssa->vars[src_var].sym_use_chain
1373 && opline_supports_assign_contraction(
1374 op_array, ssa, &op_array->opcodes[ssa->vars[src_var].definition],
1375 src_var, opline->result.var)
1376 && !variable_defined_or_used_in_range(ssa, EX_VAR_TO_NUM(opline->result.var),
1377 ssa->vars[src_var].definition+1, op_1)
1378 ) {
1379
1380 int orig_var = ssa->ops[op_1].result_use;
1381 int op_2 = ssa->vars[src_var].definition;
1382
1383 // op_2: #src_var.T = OP ... => #v.CV = OP ...
1384 // op_1: QM_ASSIGN #src_var.T #orig_var.CV [undef,scalar] -> #v.CV, NOP
1385
1386 if (orig_var >= 0) {
1387 zend_ssa_unlink_use_chain(ssa, op_1, orig_var);
1388 }
1389
1390 /* Reconstruct SSA */
1391 ssa->vars[v].definition = op_2;
1392 ssa->ops[op_2].result_def = v;
1393
1394 ssa->vars[src_var].definition = -1;
1395 ssa->vars[src_var].use_chain = -1;
1396
1397 ssa->ops[op_1].op1_use = -1;
1398 ssa->ops[op_1].op1_def = -1;
1399 ssa->ops[op_1].op1_use_chain = -1;
1400 ssa->ops[op_1].result_use = -1;
1401 ssa->ops[op_1].result_def = -1;
1402 ssa->ops[op_1].res_use_chain = -1;
1403
1404 /* Update opcodes */
1405 op_array->opcodes[op_2].result_type = opline->result_type;
1406 op_array->opcodes[op_2].result.var = opline->result.var;
1407
1408 MAKE_NOP(opline);
1409 remove_nops = 1;
1410
1411 if (op_array->opcodes[op_2].opcode == ZEND_SUB
1412 && op_array->opcodes[op_2].op1_type == op_array->opcodes[op_2].result_type
1413 && op_array->opcodes[op_2].op1.var == op_array->opcodes[op_2].result.var
1414 && op_array->opcodes[op_2].op2_type == IS_CONST
1415 && Z_TYPE_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == IS_LONG
1416 && Z_LVAL_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == 1
1417 && ssa->ops[op_2].op1_use >= 0
1418 && !(ssa->var_info[ssa->ops[op_2].op1_use].type & (MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1419
1420 op_array->opcodes[op_2].opcode = ZEND_PRE_DEC;
1421 SET_UNUSED(op_array->opcodes[op_2].op2);
1422 SET_UNUSED(op_array->opcodes[op_2].result);
1423
1424 ssa->ops[op_2].result_def = -1;
1425 ssa->ops[op_2].op1_def = v;
1426
1427 } else if (op_array->opcodes[op_2].opcode == ZEND_ADD
1428 && op_array->opcodes[op_2].op1_type == op_array->opcodes[op_2].result_type
1429 && op_array->opcodes[op_2].op1.var == op_array->opcodes[op_2].result.var
1430 && op_array->opcodes[op_2].op2_type == IS_CONST
1431 && Z_TYPE_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == IS_LONG
1432 && Z_LVAL_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == 1
1433 && ssa->ops[op_2].op1_use >= 0
1434 && !(ssa->var_info[ssa->ops[op_2].op1_use].type & (MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1435
1436 op_array->opcodes[op_2].opcode = ZEND_PRE_INC;
1437 SET_UNUSED(op_array->opcodes[op_2].op2);
1438 SET_UNUSED(op_array->opcodes[op_2].result);
1439
1440 ssa->ops[op_2].result_def = -1;
1441 ssa->ops[op_2].op1_def = v;
1442
1443 } else if (op_array->opcodes[op_2].opcode == ZEND_ADD
1444 && op_array->opcodes[op_2].op2_type == op_array->opcodes[op_2].result_type
1445 && op_array->opcodes[op_2].op2.var == op_array->opcodes[op_2].result.var
1446 && op_array->opcodes[op_2].op1_type == IS_CONST
1447 && Z_TYPE_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op1.constant)) == IS_LONG
1448 && Z_LVAL_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op1.constant)) == 1
1449 && ssa->ops[op_2].op2_use >= 0
1450 && !(ssa->var_info[ssa->ops[op_2].op2_use].type & (MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1451
1452 op_array->opcodes[op_2].opcode = ZEND_PRE_INC;
1453 op_array->opcodes[op_2].op1_type = op_array->opcodes[op_2].op2_type;
1454 op_array->opcodes[op_2].op1.var = op_array->opcodes[op_2].op2.var;
1455 SET_UNUSED(op_array->opcodes[op_2].op2);
1456 SET_UNUSED(op_array->opcodes[op_2].result);
1457
1458 ssa->ops[op_2].result_def = -1;
1459 ssa->ops[op_2].op1_def = v;
1460 ssa->ops[op_2].op1_use = ssa->ops[op_2].op2_use;
1461 ssa->ops[op_2].op1_use_chain = ssa->ops[op_2].op2_use_chain;
1462 ssa->ops[op_2].op2_use = -1;
1463 ssa->ops[op_2].op2_use_chain = -1;
1464 }
1465 }
1466 }
1467
1468 if (ssa->vars[v].var >= op_array->last_var) {
1469 /* skip TMP and VAR */
1470 continue;
1471 }
1472
1473 if (ssa->ops[op_1].op1_def == v
1474 && RETURN_VALUE_USED(opline)) {
1475 if (opline->opcode == ZEND_ASSIGN
1476 || opline->opcode == ZEND_ASSIGN_OP
1477 || opline->opcode == ZEND_PRE_INC
1478 || opline->opcode == ZEND_PRE_DEC) {
1479 zend_dfa_try_to_replace_result(op_array, ssa, op_1, v);
1480 } else if (opline->opcode == ZEND_POST_INC) {
1481 int result_var = ssa->ops[op_1].result_def;
1482
1483 if (result_var >= 0
1484 && (ssa->var_info[result_var].type & ((MAY_BE_ANY|MAY_BE_REF|MAY_BE_UNDEF) - (MAY_BE_LONG|MAY_BE_DOUBLE))) == 0) {
1485 int use = ssa->vars[result_var].use_chain;
1486
1487 if (use >= 0 && op_array->opcodes[use].opcode == ZEND_IS_SMALLER
1488 && ssa->ops[use].op1_use == result_var
1489 && zend_dfa_try_to_replace_result(op_array, ssa, op_1, v)) {
1490 opline->opcode = ZEND_PRE_INC;
1491 op_array->opcodes[use].opcode = ZEND_IS_SMALLER_OR_EQUAL;
1492 }
1493 }
1494 } else if (opline->opcode == ZEND_POST_DEC) {
1495 int result_var = ssa->ops[op_1].result_def;
1496
1497 if (result_var >= 0
1498 && (ssa->var_info[result_var].type & ((MAY_BE_ANY|MAY_BE_REF|MAY_BE_UNDEF) - (MAY_BE_LONG|MAY_BE_DOUBLE))) == 0) {
1499 int use = ssa->vars[result_var].use_chain;
1500
1501 if (use >= 0 && op_array->opcodes[use].opcode == ZEND_IS_SMALLER
1502 && ssa->ops[use].op2_use == result_var
1503 && zend_dfa_try_to_replace_result(op_array, ssa, op_1, v)) {
1504 opline->opcode = ZEND_PRE_DEC;
1505 op_array->opcodes[use].opcode = ZEND_IS_SMALLER_OR_EQUAL;
1506 }
1507 }
1508 }
1509 }
1510
1511 if (opline->opcode == ZEND_ASSIGN
1512 && ssa->ops[op_1].op1_def == v
1513 && !RETURN_VALUE_USED(opline)
1514 ) {
1515 int orig_var = ssa->ops[op_1].op1_use;
1516
1517 if (orig_var >= 0
1518 && !(ssa->var_info[orig_var].type & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))
1519 ) {
1520 int src_var = ssa->ops[op_1].op2_use;
1521
1522 if ((opline->op2_type & (IS_TMP_VAR|IS_VAR))
1523 && src_var >= 0
1524 && !(ssa->var_info[src_var].type & MAY_BE_REF)
1525 && (ssa->var_info[src_var].type & (MAY_BE_UNDEF|MAY_BE_ANY))
1526 && ssa->vars[src_var].definition >= 0
1527 && ssa->ops[ssa->vars[src_var].definition].result_def == src_var
1528 && ssa->ops[ssa->vars[src_var].definition].result_use < 0
1529 && ssa->vars[src_var].use_chain == op_1
1530 && ssa->ops[op_1].op2_use_chain < 0
1531 && !ssa->vars[src_var].phi_use_chain
1532 && !ssa->vars[src_var].sym_use_chain
1533 && opline_supports_assign_contraction(
1534 op_array, ssa, &op_array->opcodes[ssa->vars[src_var].definition],
1535 src_var, opline->op1.var)
1536 && !variable_defined_or_used_in_range(ssa, EX_VAR_TO_NUM(opline->op1.var),
1537 ssa->vars[src_var].definition+1, op_1)
1538 ) {
1539
1540 int op_2 = ssa->vars[src_var].definition;
1541
1542 // op_2: #src_var.T = OP ... => #v.CV = OP ...
1543 // op_1: ASSIGN #orig_var.CV [undef,scalar] -> #v.CV, #src_var.T NOP
1544
1545 zend_ssa_unlink_use_chain(ssa, op_1, orig_var);
1546 /* Reconstruct SSA */
1547 ssa->vars[v].definition = op_2;
1548 ssa->ops[op_2].result_def = v;
1549
1550 ssa->vars[src_var].definition = -1;
1551 ssa->vars[src_var].use_chain = -1;
1552
1553 ssa->ops[op_1].op1_use = -1;
1554 ssa->ops[op_1].op2_use = -1;
1555 ssa->ops[op_1].op1_def = -1;
1556 ssa->ops[op_1].op1_use_chain = -1;
1557
1558 /* Update opcodes */
1559 op_array->opcodes[op_2].result_type = opline->op1_type;
1560 op_array->opcodes[op_2].result.var = opline->op1.var;
1561
1562 MAKE_NOP(opline);
1563 remove_nops = 1;
1564
1565 if (op_array->opcodes[op_2].opcode == ZEND_SUB
1566 && op_array->opcodes[op_2].op1_type == op_array->opcodes[op_2].result_type
1567 && op_array->opcodes[op_2].op1.var == op_array->opcodes[op_2].result.var
1568 && op_array->opcodes[op_2].op2_type == IS_CONST
1569 && Z_TYPE_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == IS_LONG
1570 && Z_LVAL_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == 1
1571 && ssa->ops[op_2].op1_use >= 0
1572 && !(ssa->var_info[ssa->ops[op_2].op1_use].type & (MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1573
1574 op_array->opcodes[op_2].opcode = ZEND_PRE_DEC;
1575 SET_UNUSED(op_array->opcodes[op_2].op2);
1576 SET_UNUSED(op_array->opcodes[op_2].result);
1577
1578 ssa->ops[op_2].result_def = -1;
1579 ssa->ops[op_2].op1_def = v;
1580
1581 } else if (op_array->opcodes[op_2].opcode == ZEND_ADD
1582 && op_array->opcodes[op_2].op1_type == op_array->opcodes[op_2].result_type
1583 && op_array->opcodes[op_2].op1.var == op_array->opcodes[op_2].result.var
1584 && op_array->opcodes[op_2].op2_type == IS_CONST
1585 && Z_TYPE_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == IS_LONG
1586 && Z_LVAL_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op2.constant)) == 1
1587 && ssa->ops[op_2].op1_use >= 0
1588 && !(ssa->var_info[ssa->ops[op_2].op1_use].type & (MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1589
1590 op_array->opcodes[op_2].opcode = ZEND_PRE_INC;
1591 SET_UNUSED(op_array->opcodes[op_2].op2);
1592 SET_UNUSED(op_array->opcodes[op_2].result);
1593
1594 ssa->ops[op_2].result_def = -1;
1595 ssa->ops[op_2].op1_def = v;
1596
1597 } else if (op_array->opcodes[op_2].opcode == ZEND_ADD
1598 && op_array->opcodes[op_2].op2_type == op_array->opcodes[op_2].result_type
1599 && op_array->opcodes[op_2].op2.var == op_array->opcodes[op_2].result.var
1600 && op_array->opcodes[op_2].op1_type == IS_CONST
1601 && Z_TYPE_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op1.constant)) == IS_LONG
1602 && Z_LVAL_P(CT_CONSTANT_EX(op_array, op_array->opcodes[op_2].op1.constant)) == 1
1603 && ssa->ops[op_2].op2_use >= 0
1604 && !(ssa->var_info[ssa->ops[op_2].op2_use].type & (MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1605
1606 op_array->opcodes[op_2].opcode = ZEND_PRE_INC;
1607 op_array->opcodes[op_2].op1_type = op_array->opcodes[op_2].op2_type;
1608 op_array->opcodes[op_2].op1.var = op_array->opcodes[op_2].op2.var;
1609 SET_UNUSED(op_array->opcodes[op_2].op2);
1610 SET_UNUSED(op_array->opcodes[op_2].result);
1611
1612 ssa->ops[op_2].result_def = -1;
1613 ssa->ops[op_2].op1_def = v;
1614 ssa->ops[op_2].op1_use = ssa->ops[op_2].op2_use;
1615 ssa->ops[op_2].op1_use_chain = ssa->ops[op_2].op2_use_chain;
1616 ssa->ops[op_2].op2_use = -1;
1617 ssa->ops[op_2].op2_use_chain = -1;
1618 }
1619 } else if (opline->op2_type == IS_CONST
1620 || ((opline->op2_type & (IS_TMP_VAR|IS_VAR|IS_CV))
1621 && ssa->ops[op_1].op2_use >= 0
1622 && ssa->ops[op_1].op2_def < 0)
1623 ) {
1624
1625 // op_1: ASSIGN #orig_var.CV [undef,scalar] -> #v.CV, CONST|TMPVAR => QM_ASSIGN v.CV, CONST|TMPVAR
1626
1627 if (ssa->ops[op_1].op1_use != ssa->ops[op_1].op2_use) {
1628 zend_ssa_unlink_use_chain(ssa, op_1, orig_var);
1629 } else {
1630 ssa->ops[op_1].op2_use_chain = ssa->ops[op_1].op1_use_chain;
1631 }
1632
1633 /* Reconstruct SSA */
1634 ssa->ops[op_1].result_def = v;
1635 ssa->ops[op_1].op1_def = -1;
1636 ssa->ops[op_1].op1_use = ssa->ops[op_1].op2_use;
1637 ssa->ops[op_1].op1_use_chain = ssa->ops[op_1].op2_use_chain;
1638 ssa->ops[op_1].op2_use = -1;
1639 ssa->ops[op_1].op2_use_chain = -1;
1640
1641 /* Update opcode */
1642 opline->result_type = opline->op1_type;
1643 opline->result.var = opline->op1.var;
1644 opline->op1_type = opline->op2_type;
1645 opline->op1.var = opline->op2.var;
1646 opline->op2_type = IS_UNUSED;
1647 opline->op2.var = 0;
1648 opline->opcode = ZEND_QM_ASSIGN;
1649 }
1650 }
1651
1652 } else if (opline->opcode == ZEND_ASSIGN_OP
1653 && opline->extended_value == ZEND_ADD
1654 && ssa->ops[op_1].op1_def == v
1655 && opline->op2_type == IS_CONST
1656 && Z_TYPE_P(CT_CONSTANT_EX(op_array, opline->op2.constant)) == IS_LONG
1657 && Z_LVAL_P(CT_CONSTANT_EX(op_array, opline->op2.constant)) == 1
1658 && ssa->ops[op_1].op1_use >= 0
1659 && !(ssa->var_info[ssa->ops[op_1].op1_use].type & (MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1660
1661 // op_1: ASSIGN_ADD #?.CV [undef,null,int,foat] ->#v.CV, int(1) => PRE_INC #?.CV ->#v.CV
1662
1663 opline->opcode = ZEND_PRE_INC;
1664 opline->extended_value = 0;
1665 SET_UNUSED(opline->op2);
1666
1667 } else if (opline->opcode == ZEND_ASSIGN_OP
1668 && opline->extended_value == ZEND_SUB
1669 && ssa->ops[op_1].op1_def == v
1670 && opline->op2_type == IS_CONST
1671 && Z_TYPE_P(CT_CONSTANT_EX(op_array, opline->op2.constant)) == IS_LONG
1672 && Z_LVAL_P(CT_CONSTANT_EX(op_array, opline->op2.constant)) == 1
1673 && ssa->ops[op_1].op1_use >= 0
1674 && !(ssa->var_info[ssa->ops[op_1].op1_use].type & (MAY_BE_UNDEF|MAY_BE_NULL|MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1675
1676 // op_1: ASSIGN_SUB #?.CV [undef,null,int,foat] -> #v.CV, int(1) => PRE_DEC #?.CV ->#v.CV
1677
1678 opline->opcode = ZEND_PRE_DEC;
1679 opline->extended_value = 0;
1680 SET_UNUSED(opline->op2);
1681
1682 } else if (ssa->ops[op_1].op1_def == v
1683 && !RETURN_VALUE_USED(opline)
1684 && ssa->ops[op_1].op1_use >= 0
1685 && !(ssa->var_info[ssa->ops[op_1].op1_use].type & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))
1686 && opline->opcode == ZEND_ASSIGN_OP
1687 && opline->extended_value != ZEND_CONCAT) {
1688
1689 // op_1: ASSIGN_OP #orig_var.CV [undef,null,bool,int,double] -> #v.CV, ? => #v.CV = ADD #orig_var.CV, ?
1690
1691 /* Reconstruct SSA */
1692 ssa->ops[op_1].result_def = ssa->ops[op_1].op1_def;
1693 ssa->ops[op_1].op1_def = -1;
1694
1695 /* Update opcode */
1696 opline->opcode = opline->extended_value;
1697 opline->extended_value = 0;
1698 opline->result_type = opline->op1_type;
1699 opline->result.var = opline->op1.var;
1700
1701 }
1702 }
1703
1704 #if ZEND_DEBUG_DFA
1705 ssa_verify_integrity(op_array, ssa, "after dfa");
1706 #endif
1707
1708 if (remove_nops) {
1709 zend_ssa_remove_nops(op_array, ssa, ctx);
1710 #if ZEND_DEBUG_DFA
1711 ssa_verify_integrity(op_array, ssa, "after nop");
1712 #endif
1713 }
1714 }
1715
1716 if (ctx->debug_level & ZEND_DUMP_AFTER_DFA_PASS) {
1717 zend_dump_op_array(op_array, ZEND_DUMP_SSA, "after dfa pass", ssa);
1718 }
1719 }
1720
zend_optimize_dfa(zend_op_array * op_array,zend_optimizer_ctx * ctx)1721 void zend_optimize_dfa(zend_op_array *op_array, zend_optimizer_ctx *ctx)
1722 {
1723 void *checkpoint = zend_arena_checkpoint(ctx->arena);
1724 zend_ssa ssa;
1725
1726 if (zend_dfa_analyze_op_array(op_array, ctx, &ssa) == FAILURE) {
1727 zend_arena_release(&ctx->arena, checkpoint);
1728 return;
1729 }
1730
1731 zend_dfa_optimize_op_array(op_array, ctx, &ssa, NULL);
1732
1733 /* Destroy SSA */
1734 zend_arena_release(&ctx->arena, checkpoint);
1735 }
1736
