1 /*
2    +----------------------------------------------------------------------+
3    | Zend OPcache                                                         |
4    +----------------------------------------------------------------------+
5    | Copyright (c) The PHP Group                                          |
6    +----------------------------------------------------------------------+
7    | This source file is subject to version 3.01 of the PHP license,      |
8    | that is bundled with this package in the file LICENSE, and is        |
9    | available through the world-wide-web at the following url:           |
10    | http://www.php.net/license/3_01.txt                                  |
11    | If you did not receive a copy of the PHP license and are unable to   |
12    | obtain it through the world-wide-web, please send a note to          |
13    | license@php.net so we can mail you a copy immediately.               |
14    +----------------------------------------------------------------------+
15    | Authors: Dmitry Stogov <dmitry@php.net>                              |
16    +----------------------------------------------------------------------+
17 */
18 
19 #include "php.h"
20 #include "Optimizer/zend_optimizer.h"
21 #include "Optimizer/zend_optimizer_internal.h"
22 #include "zend_API.h"
23 #include "zend_constants.h"
24 #include "zend_execute.h"
25 #include "zend_vm.h"
26 #include "zend_bitset.h"
27 #include "zend_cfg.h"
28 #include "zend_ssa.h"
29 #include "zend_func_info.h"
30 #include "zend_call_graph.h"
31 #include "zend_inference.h"
32 #include "zend_dump.h"
33 
34 #ifndef ZEND_DEBUG_DFA
35 # define ZEND_DEBUG_DFA ZEND_DEBUG
36 #endif
37 
38 #if ZEND_DEBUG_DFA
39 # include "ssa_integrity.c"
40 #endif
41 
zend_dfa_analyze_op_array(zend_op_array *op_array, zend_optimizer_ctx *ctx, zend_ssa *ssa)42 int zend_dfa_analyze_op_array(zend_op_array *op_array, zend_optimizer_ctx *ctx, zend_ssa *ssa)
43 {
44 	uint32_t build_flags;
45 
46 	if (op_array->last_try_catch) {
47 		/* TODO: we can't analyze functions with try/catch/finally ??? */
48 		return FAILURE;
49 	}
50 
51     /* Build SSA */
52 	memset(ssa, 0, sizeof(zend_ssa));
53 
54 	if (zend_build_cfg(&ctx->arena, op_array, ZEND_CFG_NO_ENTRY_PREDECESSORS, &ssa->cfg) != SUCCESS) {
55 		return FAILURE;
56 	}
57 
58 	if ((ssa->cfg.flags & ZEND_FUNC_INDIRECT_VAR_ACCESS)) {
59 		/* TODO: we can't analyze functions with indirect variable access ??? */
60 		return FAILURE;
61 	}
62 
63 	if (zend_cfg_build_predecessors(&ctx->arena, &ssa->cfg) != SUCCESS) {
64 		return FAILURE;
65 	}
66 
67 	if (ctx->debug_level & ZEND_DUMP_DFA_CFG) {
68 		zend_dump_op_array(op_array, ZEND_DUMP_CFG, "dfa cfg", &ssa->cfg);
69 	}
70 
71 	/* Compute Dominators Tree */
72 	if (zend_cfg_compute_dominators_tree(op_array, &ssa->cfg) != SUCCESS) {
73 		return FAILURE;
74 	}
75 
76 	/* Identify reducible and irreducible loops */
77 	if (zend_cfg_identify_loops(op_array, &ssa->cfg) != SUCCESS) {
78 		return FAILURE;
79 	}
80 
81 	if (ctx->debug_level & ZEND_DUMP_DFA_DOMINATORS) {
82 		zend_dump_dominators(op_array, &ssa->cfg);
83 	}
84 
85 	build_flags = 0;
86 	if (ctx->debug_level & ZEND_DUMP_DFA_LIVENESS) {
87 		build_flags |= ZEND_SSA_DEBUG_LIVENESS;
88 	}
89 	if (ctx->debug_level & ZEND_DUMP_DFA_PHI) {
90 		build_flags |= ZEND_SSA_DEBUG_PHI_PLACEMENT;
91 	}
92 	if (zend_build_ssa(&ctx->arena, ctx->script, op_array, build_flags, ssa) != SUCCESS) {
93 		return FAILURE;
94 	}
95 
96 	if (ctx->debug_level & ZEND_DUMP_DFA_SSA) {
97 		zend_dump_op_array(op_array, ZEND_DUMP_SSA, "dfa ssa", ssa);
98 	}
99 
100 
101 	if (zend_ssa_compute_use_def_chains(&ctx->arena, op_array, ssa) != SUCCESS){
102 		return FAILURE;
103 	}
104 
105 	if (zend_ssa_find_false_dependencies(op_array, ssa) != SUCCESS) {
106 		return FAILURE;
107 	}
108 
109 	if (zend_ssa_find_sccs(op_array, ssa) != SUCCESS){
110 		return FAILURE;
111 	}
112 
113 	if (zend_ssa_inference(&ctx->arena, op_array, ctx->script, ssa, ctx->optimization_level) != SUCCESS) {
114 		return FAILURE;
115 	}
116 
117 	if (zend_ssa_escape_analysis(ctx->script, op_array, ssa) != SUCCESS) {
118 		return FAILURE;
119 	}
120 
121 	if (ctx->debug_level & ZEND_DUMP_DFA_SSA_VARS) {
122 		zend_dump_ssa_variables(op_array, ssa, 0);
123 	}
124 
125 	return SUCCESS;
126 }
127 
is_smart_branch_inhibiting_nop( zend_op_array *op_array, uint32_t target, uint32_t current, zend_basic_block *b, zend_basic_block *blocks_end)128 static zend_bool is_smart_branch_inhibiting_nop(
129 		zend_op_array *op_array, uint32_t target, uint32_t current,
130 		zend_basic_block *b, zend_basic_block *blocks_end)
131 {
132 	uint32_t next;
133 	/* Target points one past the last non-nop instruction. Make sure there is one. */
134 	if (target == 0) {
135 		return 0;
136 	}
137 
138 	/* Find the next instruction, skipping unreachable or empty blocks. */
139 	next = current + 1;
140 	if (next >= b->start + b->len) {
141 		do {
142 			b++;
143 			if (b == blocks_end) {
144 				return 0;
145 			}
146 		} while (!(b->flags & ZEND_BB_REACHABLE) || b->len == 0);
147 		next = b->start;
148 	}
149 
150 	return (op_array->opcodes[next].opcode == ZEND_JMPZ ||
151 		 op_array->opcodes[next].opcode == ZEND_JMPNZ) &&
152 		zend_is_smart_branch(op_array->opcodes + target - 1);
153 }
154 
zend_ssa_remove_nops(zend_op_array *op_array, zend_ssa *ssa, zend_optimizer_ctx *ctx)155 static void zend_ssa_remove_nops(zend_op_array *op_array, zend_ssa *ssa, zend_optimizer_ctx *ctx)
156 {
157 	zend_basic_block *blocks = ssa->cfg.blocks;
158 	zend_basic_block *blocks_end = blocks + ssa->cfg.blocks_count;
159 	zend_basic_block *b;
160 	zend_func_info *func_info;
161 	int j;
162 	uint32_t i = 0;
163 	uint32_t target = 0;
164 	uint32_t *shiftlist;
165 	ALLOCA_FLAG(use_heap);
166 
167 	shiftlist = (uint32_t *)do_alloca(sizeof(uint32_t) * op_array->last, use_heap);
168 	memset(shiftlist, 0, sizeof(uint32_t) * op_array->last);
169 	/* remove empty callee_info */
170 	func_info = ZEND_FUNC_INFO(op_array);
171 	if (func_info) {
172 		zend_call_info **call_info = &func_info->callee_info;
173 		while ((*call_info)) {
174 			if ((*call_info)->caller_init_opline->opcode == ZEND_NOP) {
175 				*call_info = (*call_info)->next_callee;
176 			} else {
177 				call_info = &(*call_info)->next_callee;
178 			}
179 		}
180 	}
181 
182 	for (b = blocks; b < blocks_end; b++) {
183 		if (b->flags & (ZEND_BB_REACHABLE|ZEND_BB_UNREACHABLE_FREE)) {
184 			if (b->len) {
185 				uint32_t new_start, old_end;
186 				while (i < b->start) {
187 					shiftlist[i] = i - target;
188 					i++;
189 				}
190 
191 				if (b->flags & ZEND_BB_UNREACHABLE_FREE) {
192 					/* Only keep the FREE for the loop var */
193 					ZEND_ASSERT(op_array->opcodes[b->start].opcode == ZEND_FREE
194 							|| op_array->opcodes[b->start].opcode == ZEND_FE_FREE);
195 					b->len = 1;
196 				}
197 
198 				new_start = target;
199 				old_end = b->start + b->len;
200 				while (i < old_end) {
201 					shiftlist[i] = i - target;
202 					if (EXPECTED(op_array->opcodes[i].opcode != ZEND_NOP) ||
203 						is_smart_branch_inhibiting_nop(op_array, target, i, b, blocks_end)) {
204 						if (i != target) {
205 							op_array->opcodes[target] = op_array->opcodes[i];
206 							ssa->ops[target] = ssa->ops[i];
207 							ssa->cfg.map[target] = b - blocks;
208 						}
209 						target++;
210 					}
211 					i++;
212 				}
213 				b->start = new_start;
214 				if (target != old_end) {
215 					zend_op *opline;
216 					zend_op *new_opline;
217 
218 					b->len = target - b->start;
219 					opline = op_array->opcodes + old_end - 1;
220 					if (opline->opcode == ZEND_NOP) {
221 						continue;
222 					}
223 
224 					new_opline = op_array->opcodes + target - 1;
225 					zend_optimizer_migrate_jump(op_array, new_opline, opline);
226 				}
227 			} else {
228 				b->start = target;
229 			}
230 		} else {
231 			b->start = target;
232 			b->len = 0;
233 		}
234 	}
235 
236 	if (target != op_array->last) {
237 		/* reset rest opcodes */
238 		for (i = target; i < op_array->last; i++) {
239 			MAKE_NOP(op_array->opcodes + i);
240 		}
241 
242 		/* update SSA variables */
243 		for (j = 0; j < ssa->vars_count; j++) {
244 			if (ssa->vars[j].definition >= 0) {
245 				ssa->vars[j].definition -= shiftlist[ssa->vars[j].definition];
246 			}
247 			if (ssa->vars[j].use_chain >= 0) {
248 				ssa->vars[j].use_chain -= shiftlist[ssa->vars[j].use_chain];
249 			}
250 		}
251 		for (i = 0; i < op_array->last; i++) {
252 			if (ssa->ops[i].op1_use_chain >= 0) {
253 				ssa->ops[i].op1_use_chain -= shiftlist[ssa->ops[i].op1_use_chain];
254 			}
255 			if (ssa->ops[i].op2_use_chain >= 0) {
256 				ssa->ops[i].op2_use_chain -= shiftlist[ssa->ops[i].op2_use_chain];
257 			}
258 			if (ssa->ops[i].res_use_chain >= 0) {
259 				ssa->ops[i].res_use_chain -= shiftlist[ssa->ops[i].res_use_chain];
260 			}
261 		}
262 
263 		/* update branch targets */
264 		for (b = blocks; b < blocks_end; b++) {
265 			if ((b->flags & ZEND_BB_REACHABLE) && b->len != 0) {
266 				zend_op *opline = op_array->opcodes + b->start + b->len - 1;
267 				zend_optimizer_shift_jump(op_array, opline, shiftlist);
268 			}
269 		}
270 
271 		/* update try/catch array */
272 		for (j = 0; j < op_array->last_try_catch; j++) {
273 			op_array->try_catch_array[j].try_op -= shiftlist[op_array->try_catch_array[j].try_op];
274 			op_array->try_catch_array[j].catch_op -= shiftlist[op_array->try_catch_array[j].catch_op];
275 			if (op_array->try_catch_array[j].finally_op) {
276 				op_array->try_catch_array[j].finally_op -= shiftlist[op_array->try_catch_array[j].finally_op];
277 				op_array->try_catch_array[j].finally_end -= shiftlist[op_array->try_catch_array[j].finally_end];
278 			}
279 		}
280 
281 		/* update early binding list */
282 		if (op_array->fn_flags & ZEND_ACC_EARLY_BINDING) {
283 			uint32_t *opline_num = &ctx->script->first_early_binding_opline;
284 
285 			ZEND_ASSERT(op_array == &ctx->script->main_op_array);
286 			do {
287 				*opline_num -= shiftlist[*opline_num];
288 				opline_num = &op_array->opcodes[*opline_num].result.opline_num;
289 			} while (*opline_num != (uint32_t)-1);
290 		}
291 
292 		/* update call graph */
293 		if (func_info) {
294 			zend_call_info *call_info = func_info->callee_info;
295 			while (call_info) {
296 				call_info->caller_init_opline -=
297 					shiftlist[call_info->caller_init_opline - op_array->opcodes];
298 				if (call_info->caller_call_opline) {
299 					call_info->caller_call_opline -=
300 						shiftlist[call_info->caller_call_opline - op_array->opcodes];
301 				}
302 				call_info = call_info->next_callee;
303 			}
304 		}
305 
306 		op_array->last = target;
307 	}
308 	free_alloca(shiftlist, use_heap);
309 }
310 
safe_instanceof(zend_class_entry *ce1, zend_class_entry *ce2)311 static zend_bool safe_instanceof(zend_class_entry *ce1, zend_class_entry *ce2) {
312 	if (ce1 == ce2) {
313 		return 1;
314 	}
315 	if (!(ce1->ce_flags & ZEND_ACC_LINKED)) {
316 		/* This case could be generalized, similarly to unlinked_instanceof */
317 		return 0;
318 	}
319 	return instanceof_function(ce1, ce2);
320 }
321 
can_elide_return_type_check( zend_op_array *op_array, zend_ssa *ssa, zend_ssa_op *ssa_op)322 static inline zend_bool can_elide_return_type_check(
323 		zend_op_array *op_array, zend_ssa *ssa, zend_ssa_op *ssa_op) {
324 	zend_arg_info *info = &op_array->arg_info[-1];
325 	zend_ssa_var_info *use_info = &ssa->var_info[ssa_op->op1_use];
326 	zend_ssa_var_info *def_info = &ssa->var_info[ssa_op->op1_def];
327 
328 	if (use_info->type & MAY_BE_REF) {
329 		return 0;
330 	}
331 
332 	/* A type is possible that is not in the allowed types */
333 	if ((use_info->type & (MAY_BE_ANY|MAY_BE_UNDEF)) & ~(def_info->type & MAY_BE_ANY)) {
334 		return 0;
335 	}
336 
337 	/* These types are not represented exactly */
338 	if (ZEND_TYPE_CODE(info->type) == IS_CALLABLE || ZEND_TYPE_CODE(info->type) == IS_ITERABLE) {
339 		return 0;
340 	}
341 
342 	if (ZEND_TYPE_IS_CLASS(info->type)) {
343 		if (!use_info->ce || !def_info->ce || !safe_instanceof(use_info->ce, def_info->ce)) {
344 			return 0;
345 		}
346 	}
347 
348 	return 1;
349 }
350 
opline_supports_assign_contraction( zend_ssa *ssa, zend_op *opline, int src_var, uint32_t cv_var)351 static zend_bool opline_supports_assign_contraction(
352 		zend_ssa *ssa, zend_op *opline, int src_var, uint32_t cv_var) {
353 	if (opline->opcode == ZEND_NEW) {
354 		/* see Zend/tests/generators/aborted_yield_during_new.phpt */
355 		return 0;
356 	}
357 
358 	if (opline->opcode == ZEND_DO_ICALL || opline->opcode == ZEND_DO_UCALL
359 			|| opline->opcode == ZEND_DO_FCALL || opline->opcode == ZEND_DO_FCALL_BY_NAME) {
360 		/* Function calls may dtor the return value after it has already been written -- allow
361 		 * direct assignment only for types where a double-dtor does not matter. */
362 		uint32_t type = ssa->var_info[src_var].type;
363 		uint32_t simple = MAY_BE_NULL|MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_LONG|MAY_BE_DOUBLE;
364 		return !((type & MAY_BE_ANY) & ~simple);
365 	}
366 
367 	if (opline->opcode == ZEND_POST_INC || opline->opcode == ZEND_POST_DEC) {
368 		/* POST_INC/DEC write the result variable before performing the inc/dec. For $i = $i++
369 		 * eliding the temporary variable would thus yield an incorrect result. */
370 		return opline->op1_type != IS_CV || opline->op1.var != cv_var;
371 	}
372 
373 	if (opline->opcode == ZEND_INIT_ARRAY) {
374 		/* INIT_ARRAY initializes the result array before reading key/value. */
375 		return (opline->op1_type != IS_CV || opline->op1.var != cv_var)
376 			&& (opline->op2_type != IS_CV || opline->op2.var != cv_var);
377 	}
378 
379 	if (opline->opcode == ZEND_CAST
380 			&& (opline->extended_value == IS_ARRAY || opline->extended_value == IS_OBJECT)) {
381 		/* CAST to array/object may initialize the result to an empty array/object before
382 		 * reading the expression. */
383 		return opline->op1_type != IS_CV || opline->op1.var != cv_var;
384 	}
385 
386 	return 1;
387 }
388 
zend_dfa_optimize_calls(zend_op_array *op_array, zend_ssa *ssa)389 int zend_dfa_optimize_calls(zend_op_array *op_array, zend_ssa *ssa)
390 {
391 	zend_func_info *func_info = ZEND_FUNC_INFO(op_array);
392 	int removed_ops = 0;
393 
394 	if (func_info->callee_info) {
395 		zend_call_info *call_info = func_info->callee_info;
396 
397 		do {
398 			if (call_info->caller_call_opline
399 			 && call_info->caller_call_opline->opcode == ZEND_DO_ICALL
400 			 && call_info->callee_func
401 			 && ZSTR_LEN(call_info->callee_func->common.function_name) == sizeof("in_array")-1
402 			 && memcmp(ZSTR_VAL(call_info->callee_func->common.function_name), "in_array", sizeof("in_array")-1) == 0
403 			 && (call_info->caller_init_opline->extended_value == 2
404 			  || (call_info->caller_init_opline->extended_value == 3
405 			   && (call_info->caller_call_opline - 1)->opcode == ZEND_SEND_VAL
406 			   && (call_info->caller_call_opline - 1)->op1_type == IS_CONST))) {
407 
408 				zend_op *send_array;
409 				zend_op *send_needly;
410 				zend_bool strict = 0;
411 
412 				if (call_info->caller_init_opline->extended_value == 2) {
413 					send_array = call_info->caller_call_opline - 1;
414 					send_needly = call_info->caller_call_opline - 2;
415 				} else {
416 					if (zend_is_true(CT_CONSTANT_EX(op_array, (call_info->caller_call_opline - 1)->op1.constant))) {
417 						strict = 1;
418 					}
419 					send_array = call_info->caller_call_opline - 2;
420 					send_needly = call_info->caller_call_opline - 3;
421 				}
422 
423 				if (send_array->opcode == ZEND_SEND_VAL
424 				 && send_array->op1_type == IS_CONST
425 				 && Z_TYPE_P(CT_CONSTANT_EX(op_array, send_array->op1.constant)) == IS_ARRAY
426 				 && (send_needly->opcode == ZEND_SEND_VAL
427 				  || send_needly->opcode == ZEND_SEND_VAR)
428 			    ) {
429 					int ok = 1;
430 
431 					HashTable *src = Z_ARRVAL_P(CT_CONSTANT_EX(op_array, send_array->op1.constant));
432 					HashTable *dst;
433 					zval *val, tmp;
434 					zend_ulong idx;
435 
436 					ZVAL_TRUE(&tmp);
437 					dst = zend_new_array(zend_hash_num_elements(src));
438 					if (strict) {
439 						ZEND_HASH_FOREACH_VAL(src, val) {
440 							if (Z_TYPE_P(val) == IS_STRING) {
441 								zend_hash_add(dst, Z_STR_P(val), &tmp);
442 							} else if (Z_TYPE_P(val) == IS_LONG) {
443 								zend_hash_index_add(dst, Z_LVAL_P(val), &tmp);
444 							} else {
445 								zend_array_destroy(dst);
446 								ok = 0;
447 								break;
448 							}
449 						} ZEND_HASH_FOREACH_END();
450 					} else {
451 						ZEND_HASH_FOREACH_VAL(src, val) {
452 							if (Z_TYPE_P(val) != IS_STRING || ZEND_HANDLE_NUMERIC(Z_STR_P(val), idx)) {
453 								zend_array_destroy(dst);
454 								ok = 0;
455 								break;
456 							}
457 							zend_hash_add(dst, Z_STR_P(val), &tmp);
458 						} ZEND_HASH_FOREACH_END();
459 					}
460 
461 					if (ok) {
462 						uint32_t op_num = send_needly - op_array->opcodes;
463 						zend_ssa_op *ssa_op = ssa->ops + op_num;
464 
465 						if (ssa_op->op1_use >= 0) {
466 							/* Reconstruct SSA */
467 							int var_num = ssa_op->op1_use;
468 							zend_ssa_var *var = ssa->vars + var_num;
469 
470 							ZEND_ASSERT(ssa_op->op1_def < 0);
471 							zend_ssa_unlink_use_chain(ssa, op_num, ssa_op->op1_use);
472 							ssa_op->op1_use = -1;
473 							ssa_op->op1_use_chain = -1;
474 							op_num = call_info->caller_call_opline - op_array->opcodes;
475 							ssa_op = ssa->ops + op_num;
476 							ssa_op->op1_use = var_num;
477 							ssa_op->op1_use_chain = var->use_chain;
478 							var->use_chain = op_num;
479 						}
480 
481 						ZVAL_ARR(&tmp, dst);
482 
483 						/* Update opcode */
484 						call_info->caller_call_opline->opcode = ZEND_IN_ARRAY;
485 						call_info->caller_call_opline->extended_value = strict;
486 						call_info->caller_call_opline->op1_type = send_needly->op1_type;
487 						call_info->caller_call_opline->op1.num = send_needly->op1.num;
488 						call_info->caller_call_opline->op2_type = IS_CONST;
489 						call_info->caller_call_opline->op2.constant = zend_optimizer_add_literal(op_array, &tmp);
490 						if (call_info->caller_init_opline->extended_value == 3) {
491 							MAKE_NOP(call_info->caller_call_opline - 1);
492 						}
493 						MAKE_NOP(call_info->caller_init_opline);
494 						MAKE_NOP(send_needly);
495 						MAKE_NOP(send_array);
496 						removed_ops++;
497 
498 					}
499 				}
500 			}
501 			call_info = call_info->next_callee;
502 		} while (call_info);
503 	}
504 
505 	return removed_ops;
506 }
507 
take_successor_0(zend_ssa *ssa, int block_num, zend_basic_block *block)508 static zend_always_inline void take_successor_0(zend_ssa *ssa, int block_num, zend_basic_block *block)
509 {
510 	if (block->successors_count == 2) {
511 		if (block->successors[1] != block->successors[0]) {
512 			zend_ssa_remove_predecessor(ssa, block_num, block->successors[1]);
513 		}
514 		block->successors_count = 1;
515 	}
516 }
517 
take_successor_1(zend_ssa *ssa, int block_num, zend_basic_block *block)518 static zend_always_inline void take_successor_1(zend_ssa *ssa, int block_num, zend_basic_block *block)
519 {
520 	if (block->successors_count == 2) {
521 		if (block->successors[1] != block->successors[0]) {
522 			zend_ssa_remove_predecessor(ssa, block_num, block->successors[0]);
523 			block->successors[0] = block->successors[1];
524 		}
525 		block->successors_count = 1;
526 	}
527 }
528 
take_successor_ex(zend_ssa *ssa, int block_num, zend_basic_block *block, int target_block)529 static zend_always_inline void take_successor_ex(zend_ssa *ssa, int block_num, zend_basic_block *block, int target_block)
530 {
531 	int i;
532 
533 	for (i = 0; i < block->successors_count; i++) {
534 		if (block->successors[i] != target_block) {
535 			zend_ssa_remove_predecessor(ssa, block_num, block->successors[i]);
536 		}
537 	}
538 	block->successors[0] = target_block;
539 	block->successors_count = 1;
540 }
541 
compress_block(zend_op_array *op_array, zend_basic_block *block)542 static void compress_block(zend_op_array *op_array, zend_basic_block *block)
543 {
544 	while (block->len > 0) {
545 		zend_op *opline = &op_array->opcodes[block->start + block->len - 1];
546 
547 		if (opline->opcode == ZEND_NOP
548 				&& (block->len == 1 || !zend_is_smart_branch(opline - 1))) {
549 			block->len--;
550 		} else {
551 			break;
552 		}
553 	}
554 }
555 
replace_predecessor(zend_ssa *ssa, int block_id, int old_pred, int new_pred)556 static void replace_predecessor(zend_ssa *ssa, int block_id, int old_pred, int new_pred) {
557 	zend_basic_block *block = &ssa->cfg.blocks[block_id];
558 	int *predecessors = &ssa->cfg.predecessors[block->predecessor_offset];
559 	zend_ssa_phi *phi;
560 
561 	int i;
562 	int old_pred_idx = -1;
563 	int new_pred_idx = -1;
564 	for (i = 0; i < block->predecessors_count; i++) {
565 		if (predecessors[i] == old_pred) {
566 			old_pred_idx = i;
567 		}
568 		if (predecessors[i] == new_pred) {
569 			new_pred_idx = i;
570 		}
571 	}
572 
573 	ZEND_ASSERT(old_pred_idx != -1);
574 	if (new_pred_idx == -1) {
575 		/* If the new predecessor doesn't exist yet, simply rewire the old one */
576 		predecessors[old_pred_idx] = new_pred;
577 	} else {
578 		/* Otherwise, rewiring the old predecessor would make the new predecessor appear
579 		 * twice, which violates our CFG invariants. Remove the old predecessor instead. */
580 		memmove(
581 			predecessors + old_pred_idx,
582 			predecessors + old_pred_idx + 1,
583 			sizeof(int) * (block->predecessors_count - old_pred_idx - 1)
584 		);
585 
586 		/* Also remove the corresponding phi node entries */
587 		for (phi = ssa->blocks[block_id].phis; phi; phi = phi->next) {
588 			memmove(
589 				phi->sources + old_pred_idx,
590 				phi->sources + old_pred_idx + 1,
591 				sizeof(int) * (block->predecessors_count - old_pred_idx - 1)
592 			);
593 		}
594 
595 		block->predecessors_count--;
596 	}
597 }
598 
zend_ssa_replace_control_link(zend_op_array *op_array, zend_ssa *ssa, int from, int to, int new_to)599 static void zend_ssa_replace_control_link(zend_op_array *op_array, zend_ssa *ssa, int from, int to, int new_to)
600 {
601 	zend_basic_block *src = &ssa->cfg.blocks[from];
602 	zend_basic_block *old = &ssa->cfg.blocks[to];
603 	zend_basic_block *dst = &ssa->cfg.blocks[new_to];
604 	int i;
605 	zend_op *opline;
606 
607 	for (i = 0; i < src->successors_count; i++) {
608 		if (src->successors[i] == to) {
609 			src->successors[i] = new_to;
610 		}
611 	}
612 
613 	if (src->len > 0) {
614 		opline = op_array->opcodes + src->start + src->len - 1;
615 		switch (opline->opcode) {
616 			case ZEND_JMP:
617 			case ZEND_FAST_CALL:
618 				ZEND_ASSERT(ZEND_OP1_JMP_ADDR(opline) == op_array->opcodes + old->start);
619 				ZEND_SET_OP_JMP_ADDR(opline, opline->op1, op_array->opcodes + dst->start);
620 				break;
621 			case ZEND_JMPZNZ:
622 				if (ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, opline->extended_value) == old->start) {
623 					opline->extended_value = ZEND_OPLINE_NUM_TO_OFFSET(op_array, opline, dst->start);
624 				}
625 				/* break missing intentionally */
626 			case ZEND_JMPZ:
627 			case ZEND_JMPNZ:
628 			case ZEND_JMPZ_EX:
629 			case ZEND_JMPNZ_EX:
630 			case ZEND_FE_RESET_R:
631 			case ZEND_FE_RESET_RW:
632 			case ZEND_JMP_SET:
633 			case ZEND_COALESCE:
634 			case ZEND_ASSERT_CHECK:
635 				if (ZEND_OP2_JMP_ADDR(opline) == op_array->opcodes + old->start) {
636 					ZEND_SET_OP_JMP_ADDR(opline, opline->op2, op_array->opcodes + dst->start);
637 				}
638 				break;
639 			case ZEND_CATCH:
640 				if (!(opline->extended_value & ZEND_LAST_CATCH)) {
641 					if (ZEND_OP2_JMP_ADDR(opline) == op_array->opcodes + old->start) {
642 						ZEND_SET_OP_JMP_ADDR(opline, opline->op2, op_array->opcodes + dst->start);
643 					}
644 				}
645 				break;
646 			case ZEND_FE_FETCH_R:
647 			case ZEND_FE_FETCH_RW:
648 				if (ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, opline->extended_value) == old->start) {
649 					opline->extended_value = ZEND_OPLINE_NUM_TO_OFFSET(op_array, opline, dst->start);
650 				}
651 				break;
652 			case ZEND_SWITCH_LONG:
653 			case ZEND_SWITCH_STRING:
654 				{
655 					HashTable *jumptable = Z_ARRVAL(ZEND_OP2_LITERAL(opline));
656 					zval *zv;
657 					ZEND_HASH_FOREACH_VAL(jumptable, zv) {
658 						if (ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, Z_LVAL_P(zv)) == old->start) {
659 							Z_LVAL_P(zv) = ZEND_OPLINE_NUM_TO_OFFSET(op_array, opline, dst->start);
660 						}
661 					} ZEND_HASH_FOREACH_END();
662 					if (ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, opline->extended_value) == old->start) {
663 						opline->extended_value = ZEND_OPLINE_NUM_TO_OFFSET(op_array, opline, dst->start);
664 					}
665 					break;
666 				}
667 		}
668 	}
669 
670 	replace_predecessor(ssa, new_to, to, from);
671 }
672 
zend_ssa_unlink_block(zend_op_array *op_array, zend_ssa *ssa, zend_basic_block *block, int block_num)673 static void zend_ssa_unlink_block(zend_op_array *op_array, zend_ssa *ssa, zend_basic_block *block, int block_num)
674 {
675 	if (block->predecessors_count == 1 && ssa->blocks[block_num].phis == NULL) {
676 		int *predecessors, i;
677 
678 		ZEND_ASSERT(block->successors_count == 1);
679 		predecessors = &ssa->cfg.predecessors[block->predecessor_offset];
680 		for (i = 0; i < block->predecessors_count; i++) {
681 			zend_ssa_replace_control_link(op_array, ssa, predecessors[i], block_num, block->successors[0]);
682 		}
683 		zend_ssa_remove_block(op_array, ssa, block_num);
684 	}
685 }
686 
zend_dfa_optimize_jmps(zend_op_array *op_array, zend_ssa *ssa)687 static int zend_dfa_optimize_jmps(zend_op_array *op_array, zend_ssa *ssa)
688 {
689 	int removed_ops = 0;
690 	int block_num = 0;
691 
692 	for (block_num = 1; block_num < ssa->cfg.blocks_count; block_num++) {
693 		zend_basic_block *block = &ssa->cfg.blocks[block_num];
694 
695 		if (!(block->flags & ZEND_BB_REACHABLE)) {
696 			continue;
697 		}
698 		compress_block(op_array, block);
699 		if (block->len == 0) {
700 			zend_ssa_unlink_block(op_array, ssa, block, block_num);
701 		}
702 	}
703 
704 	block_num = 0;
705 	while (block_num < ssa->cfg.blocks_count
706 		&& !(ssa->cfg.blocks[block_num].flags & ZEND_BB_REACHABLE)) {
707 		block_num++;
708 	}
709 	while (block_num < ssa->cfg.blocks_count) {
710 		int next_block_num = block_num + 1;
711 		zend_basic_block *block = &ssa->cfg.blocks[block_num];
712 		uint32_t op_num;
713 		zend_op *opline;
714 		zend_ssa_op *ssa_op;
715 
716 		while (next_block_num < ssa->cfg.blocks_count
717 			&& !(ssa->cfg.blocks[next_block_num].flags & ZEND_BB_REACHABLE)) {
718 			next_block_num++;
719 		}
720 
721 		if (block->len) {
722 			op_num = block->start + block->len - 1;
723 			opline = op_array->opcodes + op_num;
724 			ssa_op = ssa->ops + op_num;
725 
726 			switch (opline->opcode) {
727 				case ZEND_JMP:
728 optimize_jmp:
729 					if (block->successors[0] == next_block_num) {
730 						MAKE_NOP(opline);
731 						removed_ops++;
732 						goto optimize_nop;
733 					}
734 					break;
735 				case ZEND_JMPZ:
736 optimize_jmpz:
737 					if (opline->op1_type == IS_CONST) {
738 						if (zend_is_true(CT_CONSTANT_EX(op_array, opline->op1.constant))) {
739 							MAKE_NOP(opline);
740 							removed_ops++;
741 							take_successor_1(ssa, block_num, block);
742 							goto optimize_nop;
743 						} else {
744 							opline->opcode = ZEND_JMP;
745 							COPY_NODE(opline->op1, opline->op2);
746 							take_successor_0(ssa, block_num, block);
747 							goto optimize_jmp;
748 						}
749 					} else {
750 						if (block->successors[0] == next_block_num) {
751 							take_successor_0(ssa, block_num, block);
752 							if (opline->op1_type == IS_CV && (OP1_INFO() & MAY_BE_UNDEF)) {
753 								opline->opcode = ZEND_CHECK_VAR;
754 								opline->op2.num = 0;
755 							} else if (opline->op1_type == IS_CV || !(OP1_INFO() & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
756 								zend_ssa_remove_instr(ssa, opline, ssa_op);
757 								removed_ops++;
758 								goto optimize_nop;
759 							} else {
760 								opline->opcode = ZEND_FREE;
761 								opline->op2.num = 0;
762 							}
763 						}
764 					}
765 					break;
766 				case ZEND_JMPNZ:
767 optimize_jmpnz:
768 					if (opline->op1_type == IS_CONST) {
769 						if (zend_is_true(CT_CONSTANT_EX(op_array, opline->op1.constant))) {
770 							opline->opcode = ZEND_JMP;
771 							COPY_NODE(opline->op1, opline->op2);
772 							take_successor_0(ssa, block_num, block);
773 							goto optimize_jmp;
774 						} else {
775 							MAKE_NOP(opline);
776 							removed_ops++;
777 							take_successor_1(ssa, block_num, block);
778 							goto optimize_nop;
779 						}
780 					} else if (block->successors_count == 2) {
781 						if (block->successors[0] == next_block_num) {
782 							take_successor_0(ssa, block_num, block);
783 							if (opline->op1_type == IS_CV && (OP1_INFO() & MAY_BE_UNDEF)) {
784 								opline->opcode = ZEND_CHECK_VAR;
785 								opline->op2.num = 0;
786 							} else if (opline->op1_type == IS_CV || !(OP1_INFO() & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
787 								zend_ssa_remove_instr(ssa, opline, ssa_op);
788 								removed_ops++;
789 								goto optimize_nop;
790 							} else {
791 								opline->opcode = ZEND_FREE;
792 								opline->op2.num = 0;
793 							}
794 						}
795 					}
796 					break;
797 				case ZEND_JMPZNZ:
798 					if (opline->op1_type == IS_CONST) {
799 						if (zend_is_true(CT_CONSTANT_EX(op_array, opline->op1.constant))) {
800 							zend_op *target_opline = ZEND_OFFSET_TO_OPLINE(opline, opline->extended_value);
801 							ZEND_SET_OP_JMP_ADDR(opline, opline->op1, target_opline);
802 							take_successor_1(ssa, block_num, block);
803 						} else {
804 							zend_op *target_opline = ZEND_OP2_JMP_ADDR(opline);
805 							ZEND_SET_OP_JMP_ADDR(opline, opline->op1, target_opline);
806 							take_successor_0(ssa, block_num, block);
807 						}
808 						opline->op1_type = IS_UNUSED;
809 						opline->extended_value = 0;
810 						opline->opcode = ZEND_JMP;
811 						goto optimize_jmp;
812 					} else if (block->successors_count == 2) {
813 						if (block->successors[0] == block->successors[1]) {
814 							take_successor_0(ssa, block_num, block);
815 							if (block->successors[0] == next_block_num) {
816 								if (opline->op1_type == IS_CV && (OP1_INFO() & MAY_BE_UNDEF)) {
817 									opline->opcode = ZEND_CHECK_VAR;
818 									opline->op2.num = 0;
819 								} else if (opline->op1_type == IS_CV || !(OP1_INFO() & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
820 									zend_ssa_remove_instr(ssa, opline, ssa_op);
821 									removed_ops++;
822 									goto optimize_nop;
823 								} else {
824 									opline->opcode = ZEND_FREE;
825 									opline->op2.num = 0;
826 								}
827 							} else if ((opline->op1_type == IS_CV && !(OP1_INFO() & MAY_BE_UNDEF)) || !(OP1_INFO() & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
828 								ZEND_ASSERT(ssa_op->op1_use >= 0);
829 								zend_ssa_unlink_use_chain(ssa, op_num, ssa_op->op1_use);
830 								ssa_op->op1_use = -1;
831 								ssa_op->op1_use_chain = -1;
832 								opline->opcode = ZEND_JMP;
833 								opline->op1_type = IS_UNUSED;
834 								opline->op1.num = opline->op2.num;
835 								goto optimize_jmp;
836 							}
837 						}
838 					}
839 					break;
840 				case ZEND_JMPZ_EX:
841 					if (ssa->vars[ssa_op->result_def].use_chain < 0
842 							&& ssa->vars[ssa_op->result_def].phi_use_chain == NULL) {
843 						opline->opcode = ZEND_JMPZ;
844 						opline->result_type = IS_UNUSED;
845 						zend_ssa_remove_result_def(ssa, ssa_op);
846 						goto optimize_jmpz;
847 					} else if (opline->op1_type == IS_CONST) {
848 						if (zend_is_true(CT_CONSTANT_EX(op_array, opline->op1.constant))) {
849 							opline->opcode = ZEND_QM_ASSIGN;
850 							take_successor_1(ssa, block_num, block);
851 						}
852 					}
853 					break;
854 				case ZEND_JMPNZ_EX:
855 					if (ssa->vars[ssa_op->result_def].use_chain < 0
856 							&& ssa->vars[ssa_op->result_def].phi_use_chain == NULL) {
857 						opline->opcode = ZEND_JMPNZ;
858 						opline->result_type = IS_UNUSED;
859 						zend_ssa_remove_result_def(ssa, ssa_op);
860 						goto optimize_jmpnz;
861 					} else if (opline->op1_type == IS_CONST) {
862 						if (!zend_is_true(CT_CONSTANT_EX(op_array, opline->op1.constant))) {
863 							opline->opcode = ZEND_QM_ASSIGN;
864 							take_successor_1(ssa, block_num, block);
865 						}
866 					}
867 					break;
868 				case ZEND_JMP_SET:
869 					if (ssa->vars[ssa_op->result_def].use_chain < 0
870 							&& ssa->vars[ssa_op->result_def].phi_use_chain == NULL) {
871 						opline->opcode = ZEND_JMPNZ;
872 						opline->result_type = IS_UNUSED;
873 						zend_ssa_remove_result_def(ssa, ssa_op);
874 						goto optimize_jmpnz;
875 					} else if (opline->op1_type == IS_CONST) {
876 						if (!zend_is_true(CT_CONSTANT_EX(op_array, opline->op1.constant))) {
877 							MAKE_NOP(opline);
878 							removed_ops++;
879 							take_successor_1(ssa, block_num, block);
880 							zend_ssa_remove_result_def(ssa, ssa_op);
881 							goto optimize_nop;
882 						}
883 					}
884 					break;
885 				case ZEND_COALESCE:
886 				{
887 					zend_ssa_var *var = &ssa->vars[ssa_op->result_def];
888 					if (opline->op1_type == IS_CONST
889 							&& var->use_chain < 0 && var->phi_use_chain == NULL) {
890 						if (Z_TYPE_P(CT_CONSTANT_EX(op_array, opline->op1.constant)) == IS_NULL) {
891 							zend_ssa_remove_result_def(ssa, ssa_op);
892 							MAKE_NOP(opline);
893 							removed_ops++;
894 							take_successor_1(ssa, block_num, block);
895 							goto optimize_nop;
896 						} else {
897 							opline->opcode = ZEND_JMP;
898 							opline->result_type = IS_UNUSED;
899 							zend_ssa_remove_result_def(ssa, ssa_op);
900 							COPY_NODE(opline->op1, opline->op2);
901 							take_successor_0(ssa, block_num, block);
902 							goto optimize_jmp;
903 						}
904 					}
905 					break;
906 				}
907 				case ZEND_SWITCH_LONG:
908 					if (opline->op1_type == IS_CONST) {
909 						zval *zv = CT_CONSTANT_EX(op_array, opline->op1.constant);
910 						if (Z_TYPE_P(zv) != IS_LONG) {
911 							removed_ops++;
912 							MAKE_NOP(opline);
913 							opline->extended_value = 0;
914 							take_successor_ex(ssa, block_num, block, block->successors[0]);
915 							goto optimize_nop;
916 						} else {
917 							HashTable *jmptable = Z_ARRVAL_P(CT_CONSTANT_EX(op_array, opline->op2.constant));
918 							zval *jmp_zv = zend_hash_index_find(jmptable, Z_LVAL_P(zv));
919 							uint32_t target;
920 
921 							if (jmp_zv) {
922 								target = ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, Z_LVAL_P(jmp_zv));
923 							} else {
924 								target = ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, opline->extended_value);
925 							}
926 							opline->opcode = ZEND_JMP;
927 							opline->extended_value = 0;
928 							SET_UNUSED(opline->op1);
929 							ZEND_SET_OP_JMP_ADDR(opline, opline->op1, op_array->opcodes + target);
930 							SET_UNUSED(opline->op2);
931 							take_successor_ex(ssa, block_num, block, ssa->cfg.map[target]);
932 							goto optimize_jmp;
933 						}
934 					}
935 					break;
936 				case ZEND_SWITCH_STRING:
937 					if (opline->op1_type == IS_CONST) {
938 						zval *zv = CT_CONSTANT_EX(op_array, opline->op1.constant);
939 						if (Z_TYPE_P(zv) != IS_STRING) {
940 							removed_ops++;
941 							MAKE_NOP(opline);
942 							opline->extended_value = 0;
943 							take_successor_ex(ssa, block_num, block, block->successors[0]);
944 							goto optimize_nop;
945 						} else {
946 							HashTable *jmptable = Z_ARRVAL_P(CT_CONSTANT_EX(op_array, opline->op2.constant));
947 							zval *jmp_zv = zend_hash_find(jmptable, Z_STR_P(zv));
948 							uint32_t target;
949 
950 							if (jmp_zv) {
951 								target = ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, Z_LVAL_P(jmp_zv));
952 							} else {
953 								target = ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, opline->extended_value);
954 							}
955 							opline->opcode = ZEND_JMP;
956 							opline->extended_value = 0;
957 							SET_UNUSED(opline->op1);
958 							ZEND_SET_OP_JMP_ADDR(opline, opline->op1, op_array->opcodes + target);
959 							SET_UNUSED(opline->op2);
960 							take_successor_ex(ssa, block_num, block, ssa->cfg.map[target]);
961 							goto optimize_jmp;
962 						}
963 					}
964 					break;
965 				case ZEND_NOP:
966 optimize_nop:
967 					compress_block(op_array, block);
968 					if (block->len == 0) {
969 						if (block_num > 0) {
970 							zend_ssa_unlink_block(op_array, ssa, block, block_num);
971 							/* backtrack to previous basic block */
972 							do {
973 								block_num--;
974 							} while (block_num >= 0
975 								&& !(ssa->cfg.blocks[block_num].flags & ZEND_BB_REACHABLE));
976 							if (block_num >= 0) {
977 								continue;
978 							}
979 						}
980 					}
981 					break;
982 				default:
983 					break;
984 			}
985 		}
986 
987 		block_num = next_block_num;
988 	}
989 
990 	return removed_ops;
991 }
992 
zend_dfa_optimize_op_array(zend_op_array *op_array, zend_optimizer_ctx *ctx, zend_ssa *ssa, zend_call_info **call_map)993 void zend_dfa_optimize_op_array(zend_op_array *op_array, zend_optimizer_ctx *ctx, zend_ssa *ssa, zend_call_info **call_map)
994 {
995 	if (ctx->debug_level & ZEND_DUMP_BEFORE_DFA_PASS) {
996 		zend_dump_op_array(op_array, ZEND_DUMP_SSA, "before dfa pass", ssa);
997 	}
998 
999 	if (ssa->var_info) {
1000 		int op_1;
1001 		int v;
1002 		int remove_nops = 0;
1003 		zend_op *opline;
1004 		zval tmp;
1005 
1006 #if ZEND_DEBUG_DFA
1007 		ssa_verify_integrity(op_array, ssa, "before dfa");
1008 #endif
1009 
1010 		if (ZEND_OPTIMIZER_PASS_8 & ctx->optimization_level) {
1011 			if (sccp_optimize_op_array(ctx, op_array, ssa, call_map)) {
1012 				remove_nops = 1;
1013 			}
1014 
1015 			if (zend_dfa_optimize_jmps(op_array, ssa)) {
1016 				remove_nops = 1;
1017 			}
1018 
1019 #if ZEND_DEBUG_DFA
1020 			ssa_verify_integrity(op_array, ssa, "after sccp");
1021 #endif
1022 			if (ZEND_FUNC_INFO(op_array)) {
1023 				if (zend_dfa_optimize_calls(op_array, ssa)) {
1024 					remove_nops = 1;
1025 				}
1026 			}
1027 			if (ctx->debug_level & ZEND_DUMP_AFTER_PASS_8) {
1028 				zend_dump_op_array(op_array, ZEND_DUMP_SSA, "after sccp pass", ssa);
1029 			}
1030 #if ZEND_DEBUG_DFA
1031 			ssa_verify_integrity(op_array, ssa, "after calls");
1032 #endif
1033 		}
1034 
1035 		if (ZEND_OPTIMIZER_PASS_14 & ctx->optimization_level) {
1036 			if (dce_optimize_op_array(op_array, ssa, 0)) {
1037 				remove_nops = 1;
1038 			}
1039 			if (zend_dfa_optimize_jmps(op_array, ssa)) {
1040 				remove_nops = 1;
1041 			}
1042 			if (ctx->debug_level & ZEND_DUMP_AFTER_PASS_14) {
1043 				zend_dump_op_array(op_array, ZEND_DUMP_SSA, "after dce pass", ssa);
1044 			}
1045 #if ZEND_DEBUG_DFA
1046 			ssa_verify_integrity(op_array, ssa, "after dce");
1047 #endif
1048 		}
1049 
1050 		for (v = op_array->last_var; v < ssa->vars_count; v++) {
1051 
1052 			op_1 = ssa->vars[v].definition;
1053 
1054 			if (op_1 < 0) {
1055 				continue;
1056 			}
1057 
1058 			opline = op_array->opcodes + op_1;
1059 
1060 			/* Convert LONG constants to DOUBLE */
1061 			if (ssa->var_info[v].use_as_double) {
1062 				if (opline->opcode == ZEND_ASSIGN
1063 				 && opline->op2_type == IS_CONST
1064 				 && ssa->ops[op_1].op1_def == v
1065 				 && !RETURN_VALUE_USED(opline)
1066 				) {
1067 
1068 // op_1: ASSIGN ? -> #v [use_as_double], long(?) => ASSIGN ? -> #v, double(?)
1069 
1070 					zval *zv = CT_CONSTANT_EX(op_array, opline->op2.constant);
1071 					ZEND_ASSERT(Z_TYPE_INFO_P(zv) == IS_LONG);
1072 					ZVAL_DOUBLE(&tmp, zval_get_double(zv));
1073 					opline->op2.constant = zend_optimizer_add_literal(op_array, &tmp);
1074 
1075 				} else if (opline->opcode == ZEND_QM_ASSIGN
1076 				 && opline->op1_type == IS_CONST
1077 				) {
1078 
1079 // op_1: QM_ASSIGN #v [use_as_double], long(?) => QM_ASSIGN #v, double(?)
1080 
1081 					zval *zv = CT_CONSTANT_EX(op_array, opline->op1.constant);
1082 					ZEND_ASSERT(Z_TYPE_INFO_P(zv) == IS_LONG);
1083 					ZVAL_DOUBLE(&tmp, zval_get_double(zv));
1084 					opline->op1.constant = zend_optimizer_add_literal(op_array, &tmp);
1085 				}
1086 
1087 			} else {
1088 				if (opline->opcode == ZEND_ADD
1089 				 || opline->opcode == ZEND_SUB
1090 				 || opline->opcode == ZEND_MUL
1091 				 || opline->opcode == ZEND_IS_EQUAL
1092 				 || opline->opcode == ZEND_IS_NOT_EQUAL
1093 				 || opline->opcode == ZEND_IS_SMALLER
1094 				 || opline->opcode == ZEND_IS_SMALLER_OR_EQUAL
1095 				) {
1096 
1097 					if (opline->op1_type == IS_CONST
1098 					 && opline->op2_type != IS_CONST
1099 					 && (OP2_INFO() & MAY_BE_ANY) == MAY_BE_DOUBLE
1100 					 && Z_TYPE_INFO_P(CT_CONSTANT_EX(op_array, opline->op1.constant)) == IS_LONG
1101 					) {
1102 
1103 // op_1: #v.? = ADD long(?), #?.? [double] => #v.? = ADD double(?), #?.? [double]
1104 
1105 						zval *zv = CT_CONSTANT_EX(op_array, opline->op1.constant);
1106 						ZVAL_DOUBLE(&tmp, zval_get_double(zv));
1107 						opline->op1.constant = zend_optimizer_add_literal(op_array, &tmp);
1108 
1109 					} else if (opline->op1_type != IS_CONST
1110 					 && opline->op2_type == IS_CONST
1111 					 && (OP1_INFO() & MAY_BE_ANY) == MAY_BE_DOUBLE
1112 					 && Z_TYPE_INFO_P(CT_CONSTANT_EX(op_array, opline->op2.constant)) == IS_LONG
1113 					) {
1114 
1115 // op_1: #v.? = ADD #?.? [double], long(?) => #v.? = ADD #?.? [double], double(?)
1116 
1117 						zval *zv = CT_CONSTANT_EX(op_array, opline->op2.constant);
1118 						ZVAL_DOUBLE(&tmp, zval_get_double(zv));
1119 						opline->op2.constant = zend_optimizer_add_literal(op_array, &tmp);
1120 					}
1121 				} else if (opline->opcode == ZEND_CONCAT) {
1122 					if (!(OP1_INFO() & MAY_BE_OBJECT)
1123 					 && !(OP2_INFO() & MAY_BE_OBJECT)) {
1124 						opline->opcode = ZEND_FAST_CONCAT;
1125 					}
1126 				} else if (opline->opcode == ZEND_VERIFY_RETURN_TYPE
1127 				 && opline->op1_type != IS_CONST
1128 				 && ssa->ops[op_1].op1_def == v
1129 				 && ssa->ops[op_1].op1_use >= 0
1130 				 && ssa->ops[op_1].op1_use_chain == -1
1131 				 && ssa->vars[v].use_chain >= 0
1132 				 && can_elide_return_type_check(op_array, ssa, &ssa->ops[op_1])) {
1133 
1134 // op_1: VERIFY_RETURN_TYPE #orig_var.? [T] -> #v.? [T] => NOP
1135 
1136 					int orig_var = ssa->ops[op_1].op1_use;
1137 					if (zend_ssa_unlink_use_chain(ssa, op_1, orig_var)) {
1138 
1139 						int ret = ssa->vars[v].use_chain;
1140 
1141 						ssa->ops[ret].op1_use = orig_var;
1142 						ssa->ops[ret].op1_use_chain = ssa->vars[orig_var].use_chain;
1143 						ssa->vars[orig_var].use_chain = ret;
1144 
1145 						ssa->vars[v].definition = -1;
1146 						ssa->vars[v].use_chain = -1;
1147 
1148 						ssa->ops[op_1].op1_def = -1;
1149 						ssa->ops[op_1].op1_use = -1;
1150 
1151 						MAKE_NOP(opline);
1152 						remove_nops = 1;
1153 					}
1154 				}
1155 			}
1156 
1157 			if (ssa->vars[v].var >= op_array->last_var) {
1158 				/* skip TMP and VAR */
1159 				continue;
1160 			}
1161 
1162 			if (opline->opcode == ZEND_ASSIGN
1163 			 && ssa->ops[op_1].op1_def == v
1164 			 && !RETURN_VALUE_USED(opline)
1165 			) {
1166 				int orig_var = ssa->ops[op_1].op1_use;
1167 
1168 				if (orig_var >= 0
1169 				 && !(ssa->var_info[orig_var].type & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))
1170 				) {
1171 
1172 					int src_var = ssa->ops[op_1].op2_use;
1173 
1174 					if ((opline->op2_type & (IS_TMP_VAR|IS_VAR))
1175 					 && src_var >= 0
1176 					 && !(ssa->var_info[src_var].type & MAY_BE_REF)
1177 					 && ssa->vars[src_var].definition >= 0
1178 					 && ssa->ops[ssa->vars[src_var].definition].result_def == src_var
1179 					 && ssa->ops[ssa->vars[src_var].definition].result_use < 0
1180 					 && ssa->vars[src_var].use_chain == op_1
1181 					 && ssa->ops[op_1].op2_use_chain < 0
1182 					 && !ssa->vars[src_var].phi_use_chain
1183 					 && !ssa->vars[src_var].sym_use_chain
1184 					 && opline_supports_assign_contraction(
1185 						 ssa, &op_array->opcodes[ssa->vars[src_var].definition],
1186 						 src_var, opline->op1.var)
1187 					) {
1188 
1189 						int op_2 = ssa->vars[src_var].definition;
1190 
1191 // op_2: #src_var.T = OP ...                                     => #v.CV = OP ...
1192 // op_1: ASSIGN #orig_var.CV [undef,scalar] -> #v.CV, #src_var.T    NOP
1193 
1194 						if (zend_ssa_unlink_use_chain(ssa, op_1, orig_var)) {
1195 							/* Reconstruct SSA */
1196 							ssa->vars[v].definition = op_2;
1197 							ssa->ops[op_2].result_def = v;
1198 
1199 							ssa->vars[src_var].definition = -1;
1200 							ssa->vars[src_var].use_chain = -1;
1201 
1202 							ssa->ops[op_1].op1_use = -1;
1203 							ssa->ops[op_1].op2_use = -1;
1204 							ssa->ops[op_1].op1_def = -1;
1205 							ssa->ops[op_1].op1_use_chain = -1;
1206 
1207 							/* Update opcodes */
1208 							op_array->opcodes[op_2].result_type = opline->op1_type;
1209 							op_array->opcodes[op_2].result.var = opline->op1.var;
1210 							MAKE_NOP(opline);
1211 							remove_nops = 1;
1212 						}
1213 					} else if (opline->op2_type == IS_CONST
1214 					 || ((opline->op2_type & (IS_TMP_VAR|IS_VAR|IS_CV))
1215 					     && ssa->ops[op_1].op2_use >= 0
1216 					     && ssa->ops[op_1].op2_def < 0)
1217 					) {
1218 
1219 // op_1: ASSIGN #orig_var.CV [undef,scalar] -> #v.CV, CONST|TMPVAR => QM_ASSIGN v.CV, CONST|TMPVAR
1220 
1221 						if (ssa->ops[op_1].op1_use != ssa->ops[op_1].op2_use) {
1222 							zend_ssa_unlink_use_chain(ssa, op_1, orig_var);
1223 						} else {
1224 							ssa->ops[op_1].op2_use_chain = ssa->ops[op_1].op1_use_chain;
1225 						}
1226 
1227 						/* Reconstruct SSA */
1228 						ssa->ops[op_1].result_def = v;
1229 						ssa->ops[op_1].op1_def = -1;
1230 						ssa->ops[op_1].op1_use = ssa->ops[op_1].op2_use;
1231 						ssa->ops[op_1].op1_use_chain = ssa->ops[op_1].op2_use_chain;
1232 						ssa->ops[op_1].op2_use = -1;
1233 						ssa->ops[op_1].op2_use_chain = -1;
1234 
1235 						/* Update opcode */
1236 						opline->result_type = opline->op1_type;
1237 						opline->result.var = opline->op1.var;
1238 						opline->op1_type = opline->op2_type;
1239 						opline->op1.var = opline->op2.var;
1240 						opline->op2_type = IS_UNUSED;
1241 						opline->op2.var = 0;
1242 						opline->opcode = ZEND_QM_ASSIGN;
1243 					}
1244 				}
1245 
1246 			} else if (opline->opcode == ZEND_ASSIGN_OP
1247 			 && opline->extended_value == ZEND_ADD
1248 			 && ssa->ops[op_1].op1_def == v
1249 			 && opline->op2_type == IS_CONST
1250 			 && Z_TYPE_P(CT_CONSTANT_EX(op_array, opline->op2.constant)) == IS_LONG
1251 			 && Z_LVAL_P(CT_CONSTANT_EX(op_array, opline->op2.constant)) == 1
1252 			 && ssa->ops[op_1].op1_use >= 0
1253 			 && !(ssa->var_info[ssa->ops[op_1].op1_use].type & (MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1254 
1255 // op_1: ASSIGN_ADD #?.CV [undef,null,int,foat] ->#v.CV, int(1) => PRE_INC #?.CV ->#v.CV
1256 
1257 				opline->opcode = ZEND_PRE_INC;
1258 				opline->extended_value = 0;
1259 				SET_UNUSED(opline->op2);
1260 
1261 			} else if (opline->opcode == ZEND_ASSIGN_OP
1262 			 && opline->extended_value == ZEND_SUB
1263 			 && ssa->ops[op_1].op1_def == v
1264 			 && opline->op2_type == IS_CONST
1265 			 && Z_TYPE_P(CT_CONSTANT_EX(op_array, opline->op2.constant)) == IS_LONG
1266 			 && Z_LVAL_P(CT_CONSTANT_EX(op_array, opline->op2.constant)) == 1
1267 			 && ssa->ops[op_1].op1_use >= 0
1268 			 && !(ssa->var_info[ssa->ops[op_1].op1_use].type & (MAY_BE_FALSE|MAY_BE_TRUE|MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))) {
1269 
1270 // op_1: ASSIGN_SUB #?.CV [undef,null,int,foat] -> #v.CV, int(1) => PRE_DEC #?.CV ->#v.CV
1271 
1272 				opline->opcode = ZEND_PRE_DEC;
1273 				opline->extended_value = 0;
1274 				SET_UNUSED(opline->op2);
1275 
1276 			} else if (ssa->ops[op_1].op1_def == v
1277 			 && !RETURN_VALUE_USED(opline)
1278 			 && ssa->ops[op_1].op1_use >= 0
1279 			 && !(ssa->var_info[ssa->ops[op_1].op1_use].type & (MAY_BE_STRING|MAY_BE_ARRAY|MAY_BE_OBJECT|MAY_BE_RESOURCE|MAY_BE_REF))
1280 			 && opline->opcode == ZEND_ASSIGN_OP
1281 			 && opline->extended_value != ZEND_CONCAT) {
1282 
1283 // op_1: ASSIGN_OP #orig_var.CV [undef,null,bool,int,double] -> #v.CV, ? => #v.CV = ADD #orig_var.CV, ?
1284 
1285 				/* Reconstruct SSA */
1286 				ssa->ops[op_1].result_def = ssa->ops[op_1].op1_def;
1287 				ssa->ops[op_1].op1_def = -1;
1288 
1289 				/* Update opcode */
1290 				opline->opcode = opline->extended_value;
1291 				opline->extended_value = 0;
1292 				opline->result_type = opline->op1_type;
1293 				opline->result.var = opline->op1.var;
1294 
1295 			}
1296 		}
1297 
1298 #if ZEND_DEBUG_DFA
1299 		ssa_verify_integrity(op_array, ssa, "after dfa");
1300 #endif
1301 
1302 		if (remove_nops) {
1303 			zend_ssa_remove_nops(op_array, ssa, ctx);
1304 #if ZEND_DEBUG_DFA
1305 			ssa_verify_integrity(op_array, ssa, "after nop");
1306 #endif
1307 		}
1308 	}
1309 
1310 	if (ctx->debug_level & ZEND_DUMP_AFTER_DFA_PASS) {
1311 		zend_dump_op_array(op_array, ZEND_DUMP_SSA, "after dfa pass", ssa);
1312 	}
1313 }
1314 
zend_optimize_dfa(zend_op_array *op_array, zend_optimizer_ctx *ctx)1315 void zend_optimize_dfa(zend_op_array *op_array, zend_optimizer_ctx *ctx)
1316 {
1317 	void *checkpoint = zend_arena_checkpoint(ctx->arena);
1318 	zend_ssa ssa;
1319 
1320 	if (zend_dfa_analyze_op_array(op_array, ctx, &ssa) != SUCCESS) {
1321 		zend_arena_release(&ctx->arena, checkpoint);
1322 		return;
1323 	}
1324 
1325 	zend_dfa_optimize_op_array(op_array, ctx, &ssa, NULL);
1326 
1327 	/* Destroy SSA */
1328 	zend_arena_release(&ctx->arena, checkpoint);
1329 }
1330