1/*
2   +----------------------------------------------------------------------+
3   | Zend OPcache                                                         |
4   +----------------------------------------------------------------------+
5   | Copyright (c) 1998-2016 The PHP Group                                |
6   +----------------------------------------------------------------------+
7   | This source file is subject to version 3.01 of the PHP license,      |
8   | that is bundled with this package in the file LICENSE, and is        |
9   | available through the world-wide-web at the following url:           |
10   | http://www.php.net/license/3_01.txt                                  |
11   | If you did not receive a copy of the PHP license and are unable to   |
12   | obtain it through the world-wide-web, please send a note to          |
13   | license@php.net so we can mail you a copy immediately.               |
14   +----------------------------------------------------------------------+
15   | Authors: Andi Gutmans <andi@zend.com>                                |
16   |          Zeev Suraski <zeev@zend.com>                                |
17   |          Stanislav Malyshev <stas@zend.com>                          |
18   |          Dmitry Stogov <dmitry@zend.com>                             |
19   +----------------------------------------------------------------------+
20*/
21
22#include "php.h"
23#include "Optimizer/zend_optimizer.h"
24#include "Optimizer/zend_optimizer_internal.h"
25#include "zend_API.h"
26#include "zend_constants.h"
27#include "zend_execute.h"
28#include "zend_vm.h"
29#include "zend_bitset.h"
30#include "zend_cfg.h"
31#include "zend_dump.h"
32
33/* Checks if a constant (like "true") may be replaced by its value */
34int zend_optimizer_get_persistent_constant(zend_string *name, zval *result, int copy)
35{
36	zend_constant *c;
37	char *lookup_name;
38	int retval = 1;
39	ALLOCA_FLAG(use_heap);
40
41	if ((c = zend_hash_find_ptr(EG(zend_constants), name)) == NULL) {
42		lookup_name = do_alloca(ZSTR_LEN(name) + 1, use_heap);
43		memcpy(lookup_name, ZSTR_VAL(name), ZSTR_LEN(name) + 1);
44		zend_str_tolower(lookup_name, ZSTR_LEN(name));
45
46		if ((c = zend_hash_str_find_ptr(EG(zend_constants), lookup_name, ZSTR_LEN(name))) != NULL) {
47			if (!(c->flags & CONST_CT_SUBST) || (c->flags & CONST_CS)) {
48				retval = 0;
49			}
50		} else {
51			retval = 0;
52		}
53		free_alloca(lookup_name, use_heap);
54	}
55
56	if (retval) {
57		if (c->flags & CONST_PERSISTENT) {
58			ZVAL_COPY_VALUE(result, &c->value);
59			if (copy) {
60				zval_copy_ctor(result);
61			}
62		} else {
63			retval = 0;
64		}
65	}
66
67	return retval;
68}
69
70/* CFG back references management */
71
72#define DEL_SOURCE(from, to)
73#define ADD_SOURCE(from, to)
74
75/* Data dependencies macros */
76
77#define VAR_NUM_EX(op) VAR_NUM((op).var)
78
79#define VAR_SOURCE(op) Tsource[VAR_NUM(op.var)]
80#define SET_VAR_SOURCE(opline) Tsource[VAR_NUM(opline->result.var)] = opline
81
82#define convert_to_string_safe(v) \
83	if (Z_TYPE_P((v)) == IS_NULL) { \
84		ZVAL_STRINGL((v), "", 0); \
85	} else { \
86		convert_to_string((v)); \
87	}
88
89static void strip_leading_nops(zend_op_array *op_array, zend_basic_block *b)
90{
91	zend_op *opcodes = op_array->opcodes;
92
93	while (opcodes[b->start].opcode == ZEND_NOP && b->start < b->end) {
94		b->start++;
95	}
96}
97
98static void strip_nops(zend_op_array *op_array, zend_basic_block *b)
99{
100	uint32_t i, j;
101
102	strip_leading_nops(op_array, b);
103
104	/* strip the inside NOPs */
105	i = j = b->start + 1;
106	while (i <= b->end) {
107		if (op_array->opcodes[i].opcode != ZEND_NOP) {
108			if (i != j) {
109				op_array->opcodes[j] = op_array->opcodes[i];
110			}
111			j++;
112		}
113		i++;
114	}
115	b->end = j - 1;
116	while (j < i) {
117		MAKE_NOP(op_array->opcodes + j);
118		j++;
119	}
120}
121
122static void zend_optimize_block(zend_basic_block *block, zend_op_array *op_array, zend_bitset used_ext, zend_cfg *cfg, zend_op **Tsource)
123{
124	zend_op *opline, *src;
125	zend_op *end, *last_op = NULL;
126
127	/* remove leading NOPs */
128	strip_leading_nops(op_array, block);
129
130	opline = op_array->opcodes + block->start;
131	end = op_array->opcodes + block->end + 1;
132	while (opline < end) {
133
134		/* Constant Propagation: strip X = QM_ASSIGN(const) */
135		if ((opline->op1_type & (IS_TMP_VAR|IS_VAR)) &&
136		    opline->opcode != ZEND_FREE) {
137			src = VAR_SOURCE(opline->op1);
138			if (src &&
139			    src->opcode == ZEND_QM_ASSIGN &&
140			    src->op1_type == IS_CONST) {
141
142				znode_op op1 = opline->op1;
143				zval c = ZEND_OP1_LITERAL(src);
144
145				zval_copy_ctor(&c);
146				if (zend_optimizer_update_op1_const(op_array, opline, &c)) {
147					zend_optimizer_remove_live_range(op_array, op1.var);
148					VAR_SOURCE(op1) = NULL;
149					literal_dtor(&ZEND_OP1_LITERAL(src));
150					MAKE_NOP(src);
151				}
152			}
153		}
154
155		/* Constant Propagation: strip X = QM_ASSIGN(const) */
156		if (opline->op2_type & (IS_TMP_VAR|IS_VAR)) {
157			src = VAR_SOURCE(opline->op2);
158			if (src &&
159			    src->opcode == ZEND_QM_ASSIGN &&
160			    src->op1_type == IS_CONST) {
161
162				znode_op op2 = opline->op2;
163				zval c = ZEND_OP1_LITERAL(src);
164
165				zval_copy_ctor(&c);
166				if (zend_optimizer_update_op2_const(op_array, opline, &c)) {
167					zend_optimizer_remove_live_range(op_array, op2.var);
168					VAR_SOURCE(op2) = NULL;
169					literal_dtor(&ZEND_OP1_LITERAL(src));
170					MAKE_NOP(src);
171				}
172			}
173		}
174
175		if (opline->opcode == ZEND_ECHO) {
176			if (opline->op1_type & (IS_TMP_VAR|IS_VAR)) {
177				src = VAR_SOURCE(opline->op1);
178				if (src &&
179				    src->opcode == ZEND_CAST &&
180				    src->extended_value == IS_STRING) {
181					/* T = CAST(X, String), ECHO(T) => NOP, ECHO(X) */
182					VAR_SOURCE(opline->op1) = NULL;
183					COPY_NODE(opline->op1, src->op1);
184					MAKE_NOP(src);
185				}
186			}
187
188			if (opline->op1_type == IS_CONST) {
189				if (last_op && last_op->opcode == ZEND_ECHO &&
190				    last_op->op1_type == IS_CONST &&
191				    Z_TYPE(ZEND_OP1_LITERAL(opline)) != IS_DOUBLE &&
192				    Z_TYPE(ZEND_OP1_LITERAL(last_op)) != IS_DOUBLE) {
193					/* compress consecutive ECHO's.
194					 * Float to string conversion may be affected by current
195					 * locale setting.
196					 */
197					int l, old_len;
198
199					if (Z_TYPE(ZEND_OP1_LITERAL(opline)) != IS_STRING) {
200						convert_to_string_safe(&ZEND_OP1_LITERAL(opline));
201					}
202					if (Z_TYPE(ZEND_OP1_LITERAL(last_op)) != IS_STRING) {
203						convert_to_string_safe(&ZEND_OP1_LITERAL(last_op));
204					}
205					old_len = Z_STRLEN(ZEND_OP1_LITERAL(last_op));
206					l = old_len + Z_STRLEN(ZEND_OP1_LITERAL(opline));
207					if (!Z_REFCOUNTED(ZEND_OP1_LITERAL(last_op))) {
208						zend_string *tmp = zend_string_alloc(l, 0);
209					memcpy(ZSTR_VAL(tmp), Z_STRVAL(ZEND_OP1_LITERAL(last_op)), old_len);
210						Z_STR(ZEND_OP1_LITERAL(last_op)) = tmp;
211					} else {
212						Z_STR(ZEND_OP1_LITERAL(last_op)) = zend_string_extend(Z_STR(ZEND_OP1_LITERAL(last_op)), l, 0);
213					}
214					Z_TYPE_INFO(ZEND_OP1_LITERAL(last_op)) = IS_STRING_EX;
215					memcpy(Z_STRVAL(ZEND_OP1_LITERAL(last_op)) + old_len, Z_STRVAL(ZEND_OP1_LITERAL(opline)), Z_STRLEN(ZEND_OP1_LITERAL(opline)));
216					Z_STRVAL(ZEND_OP1_LITERAL(last_op))[l] = '\0';
217					zval_dtor(&ZEND_OP1_LITERAL(opline));
218					Z_STR(ZEND_OP1_LITERAL(opline)) = zend_new_interned_string(Z_STR(ZEND_OP1_LITERAL(last_op)));
219					if (!Z_REFCOUNTED(ZEND_OP1_LITERAL(opline))) {
220						Z_TYPE_FLAGS(ZEND_OP1_LITERAL(opline)) &= ~ (IS_TYPE_REFCOUNTED | IS_TYPE_COPYABLE);
221					}
222					ZVAL_NULL(&ZEND_OP1_LITERAL(last_op));
223					MAKE_NOP(last_op);
224				}
225				last_op = opline;
226			} else {
227				last_op = NULL;
228			}
229		} else {
230			last_op = NULL;
231		}
232
233		switch (opline->opcode) {
234
235			case ZEND_FREE:
236				if (opline->op1_type == IS_TMP_VAR) {
237					src = VAR_SOURCE(opline->op1);
238					if (src &&
239					    (src->opcode == ZEND_BOOL || src->opcode == ZEND_BOOL_NOT)) {
240						/* T = BOOL(X), FREE(T) => NOP */
241						if (ZEND_OP1_TYPE(src) == IS_CONST) {
242							literal_dtor(&ZEND_OP1_LITERAL(src));
243						}
244						VAR_SOURCE(opline->op1) = NULL;
245						MAKE_NOP(src);
246						MAKE_NOP(opline);
247					}
248				} else if (opline->op1_type == IS_VAR) {
249					src = VAR_SOURCE(opline->op1);
250					/* V = OP, FREE(V) => OP. NOP */
251					if (src &&
252					    src->opcode != ZEND_FETCH_R &&
253					    src->opcode != ZEND_FETCH_STATIC_PROP_R &&
254					    src->opcode != ZEND_FETCH_DIM_R &&
255					    src->opcode != ZEND_FETCH_OBJ_R) {
256						if (opline->extended_value & ZEND_FREE_ON_RETURN) {
257							/* mark as removed (empty live range) */
258							op_array->live_range[opline->op2.num].var = (uint32_t)-1;
259						}
260						ZEND_RESULT_TYPE(src) |= EXT_TYPE_UNUSED;
261						MAKE_NOP(opline);
262					}
263				}
264				break;
265
266#if 0
267		/* pre-evaluate functions:
268		   constant(x)
269		   defined(x)
270		   function_exists(x)
271		   extension_loaded(x)
272		   BAD: interacts badly with Accelerator
273		*/
274		if((ZEND_OP1_TYPE(opline) & IS_VAR) &&
275		   VAR_SOURCE(opline->op1) && VAR_SOURCE(opline->op1)->opcode == ZEND_DO_CF_FCALL &&
276		   VAR_SOURCE(opline->op1)->extended_value == 1) {
277			zend_op *fcall = VAR_SOURCE(opline->op1);
278			zend_op *sv = fcall-1;
279			if(sv >= block->start_opline && sv->opcode == ZEND_SEND_VAL &&
280			   ZEND_OP1_TYPE(sv) == IS_CONST && Z_TYPE(OPLINE_OP1_LITERAL(sv)) == IS_STRING &&
281			   Z_LVAL(OPLINE_OP2_LITERAL(sv)) == 1
282			   ) {
283				zval *arg = &OPLINE_OP1_LITERAL(sv);
284				char *fname = FUNCTION_CACHE->funcs[Z_LVAL(ZEND_OP1_LITERAL(fcall))].function_name;
285				int flen = FUNCTION_CACHE->funcs[Z_LVAL(ZEND_OP1_LITERAL(fcall))].name_len;
286				if(flen == sizeof("defined")-1 && zend_binary_strcasecmp(fname, flen, "defined", sizeof("defined")-1) == 0) {
287					zval c;
288					if(zend_optimizer_get_persistent_constant(Z_STR_P(arg), &c, 0 ELS_CC) != 0) {
289						literal_dtor(arg);
290						MAKE_NOP(sv);
291						MAKE_NOP(fcall);
292						LITERAL_BOOL(opline->op1, 1);
293						ZEND_OP1_TYPE(opline) = IS_CONST;
294					}
295				} else if((flen == sizeof("function_exists")-1 && zend_binary_strcasecmp(fname, flen, "function_exists", sizeof("function_exists")-1) == 0) ||
296						  (flen == sizeof("is_callable")-1 && zend_binary_strcasecmp(fname, flen, "is_callable", sizeof("is_callable")-1) == 0)
297						  ) {
298					zend_function *function;
299					if((function = zend_hash_find_ptr(EG(function_table), Z_STR_P(arg))) != NULL) {
300						literal_dtor(arg);
301						MAKE_NOP(sv);
302						MAKE_NOP(fcall);
303						LITERAL_BOOL(opline->op1, 1);
304						ZEND_OP1_TYPE(opline) = IS_CONST;
305					}
306				} else if(flen == sizeof("constant")-1 && zend_binary_strcasecmp(fname, flen, "constant", sizeof("constant")-1) == 0) {
307					zval c;
308					if(zend_optimizer_get_persistent_constant(Z_STR_P(arg), &c, 1 ELS_CC) != 0) {
309						literal_dtor(arg);
310						MAKE_NOP(sv);
311						MAKE_NOP(fcall);
312						ZEND_OP1_LITERAL(opline) = zend_optimizer_add_literal(op_array, &c);
313						/* no copy ctor - get already copied it */
314						ZEND_OP1_TYPE(opline) = IS_CONST;
315					}
316				} else if(flen == sizeof("extension_loaded")-1 && zend_binary_strcasecmp(fname, flen, "extension_loaded", sizeof("extension_loaded")-1) == 0) {
317					if(zend_hash_exists(&module_registry, Z_STR_P(arg))) {
318						literal_dtor(arg);
319						MAKE_NOP(sv);
320						MAKE_NOP(fcall);
321						LITERAL_BOOL(opline->op1, 1);
322						ZEND_OP1_TYPE(opline) = IS_CONST;
323					}
324				}
325			}
326		}
327#endif
328
329			case ZEND_FETCH_LIST:
330				if (opline->op1_type & (IS_TMP_VAR|IS_VAR)) {
331					/* LIST variable will be deleted later by FREE */
332					Tsource[VAR_NUM(opline->op1.var)] = NULL;
333				}
334				break;
335
336			case ZEND_CASE:
337				if (opline->op1_type & (IS_TMP_VAR|IS_VAR)) {
338					/* CASE variable will be deleted later by FREE, so we can't optimize it */
339					Tsource[VAR_NUM(opline->op1.var)] = NULL;
340					break;
341				}
342				if (opline->op1_type == IS_CONST &&
343				    opline->op2_type == IS_CONST) {
344					break;
345				}
346				/* break missing intentionally */
347
348			case ZEND_IS_EQUAL:
349			case ZEND_IS_NOT_EQUAL:
350				if (opline->op1_type == IS_CONST &&
351				    opline->op2_type == IS_CONST) {
352					goto optimize_constant_binary_op;
353				}
354		        /* IS_EQ(TRUE, X)      => BOOL(X)
355		         * IS_EQ(FALSE, X)     => BOOL_NOT(X)
356		         * IS_NOT_EQ(TRUE, X)  => BOOL_NOT(X)
357		         * IS_NOT_EQ(FALSE, X) => BOOL(X)
358		         * CASE(TRUE, X)       => BOOL(X)
359		         * CASE(FALSE, X)      => BOOL_NOT(X)
360		         */
361				if (opline->op1_type == IS_CONST &&
362					(Z_TYPE(ZEND_OP1_LITERAL(opline)) == IS_FALSE ||
363					 Z_TYPE(ZEND_OP1_LITERAL(opline)) == IS_TRUE)) {
364					/* Optimization of comparison with "null" is not safe,
365					 * because ("0" == null) is not equal to !("0")
366					 */
367					opline->opcode =
368						((opline->opcode != ZEND_IS_NOT_EQUAL) == ((Z_TYPE(ZEND_OP1_LITERAL(opline))) == IS_TRUE)) ?
369						ZEND_BOOL : ZEND_BOOL_NOT;
370					COPY_NODE(opline->op1, opline->op2);
371					SET_UNUSED(opline->op2);
372					goto optimize_bool;
373				} else if (opline->op2_type == IS_CONST &&
374				           (Z_TYPE(ZEND_OP2_LITERAL(opline)) == IS_FALSE ||
375				            Z_TYPE(ZEND_OP2_LITERAL(opline)) == IS_TRUE)) {
376					/* Optimization of comparison with "null" is not safe,
377					 * because ("0" == null) is not equal to !("0")
378					 */
379					opline->opcode =
380						((opline->opcode != ZEND_IS_NOT_EQUAL) == ((Z_TYPE(ZEND_OP2_LITERAL(opline))) == IS_TRUE)) ?
381						ZEND_BOOL : ZEND_BOOL_NOT;
382					SET_UNUSED(opline->op2);
383					goto optimize_bool;
384				}
385				break;
386
387			case ZEND_BOOL:
388			case ZEND_BOOL_NOT:
389			optimize_bool:
390				if (opline->op1_type == IS_CONST) {
391					goto optimize_const_unary_op;
392				}
393				if (opline->op1_type == IS_TMP_VAR &&
394				    !zend_bitset_in(used_ext, VAR_NUM(opline->op1.var))) {
395					src = VAR_SOURCE(opline->op1);
396					if (src) {
397						switch (src->opcode) {
398							case ZEND_BOOL_NOT:
399								/* T = BOOL_NOT(X) + BOOL(T) -> NOP, BOOL_NOT(X) */
400								VAR_SOURCE(opline->op1) = NULL;
401								COPY_NODE(opline->op1, src->op1);
402								opline->opcode = (opline->opcode == ZEND_BOOL) ? ZEND_BOOL_NOT : ZEND_BOOL;
403								MAKE_NOP(src);
404								goto optimize_bool;
405							case ZEND_BOOL:
406								/* T = BOOL(X) + BOOL(T) -> NOP, BOOL(X) */
407								VAR_SOURCE(opline->op1) = NULL;
408								COPY_NODE(opline->op1, src->op1);
409								MAKE_NOP(src);
410								goto optimize_bool;
411							case ZEND_IS_EQUAL:
412								if (opline->opcode == ZEND_BOOL_NOT) {
413									src->opcode = ZEND_IS_NOT_EQUAL;
414								}
415								COPY_NODE(src->result, opline->result);
416								SET_VAR_SOURCE(src);
417								MAKE_NOP(opline);
418								break;
419							case ZEND_IS_NOT_EQUAL:
420								if (opline->opcode == ZEND_BOOL_NOT) {
421									src->opcode = ZEND_IS_EQUAL;
422								}
423								COPY_NODE(src->result, opline->result);
424								SET_VAR_SOURCE(src);
425								MAKE_NOP(opline);
426								break;
427							case ZEND_IS_IDENTICAL:
428								if (opline->opcode == ZEND_BOOL_NOT) {
429									src->opcode = ZEND_IS_NOT_IDENTICAL;
430								}
431								COPY_NODE(src->result, opline->result);
432								SET_VAR_SOURCE(src);
433								MAKE_NOP(opline);
434								break;
435							case ZEND_IS_NOT_IDENTICAL:
436								if (opline->opcode == ZEND_BOOL_NOT) {
437									src->opcode = ZEND_IS_IDENTICAL;
438								}
439								COPY_NODE(src->result, opline->result);
440								SET_VAR_SOURCE(src);
441								MAKE_NOP(opline);
442								break;
443							case ZEND_IS_SMALLER:
444								if (opline->opcode == ZEND_BOOL_NOT) {
445									zend_uchar tmp_type;
446									uint32_t tmp;
447
448									src->opcode = ZEND_IS_SMALLER_OR_EQUAL;
449									tmp_type = src->op1_type;
450									src->op1_type = src->op2_type;
451									src->op2_type = tmp_type;
452									tmp = src->op1.num;
453									src->op1.num = src->op2.num;
454									src->op2.num = tmp;
455								}
456								COPY_NODE(src->result, opline->result);
457								SET_VAR_SOURCE(src);
458								MAKE_NOP(opline);
459								break;
460							case ZEND_IS_SMALLER_OR_EQUAL:
461								if (opline->opcode == ZEND_BOOL_NOT) {
462									zend_uchar tmp_type;
463									uint32_t tmp;
464
465									src->opcode = ZEND_IS_SMALLER;
466									tmp_type = src->op1_type;
467									src->op1_type = src->op2_type;
468									src->op2_type = tmp_type;
469									tmp = src->op1.num;
470									src->op1.num = src->op2.num;
471									src->op2.num = tmp;
472								}
473								COPY_NODE(src->result, opline->result);
474								SET_VAR_SOURCE(src);
475								MAKE_NOP(opline);
476								break;
477							case ZEND_ISSET_ISEMPTY_VAR:
478							case ZEND_ISSET_ISEMPTY_DIM_OBJ:
479							case ZEND_ISSET_ISEMPTY_PROP_OBJ:
480							case ZEND_ISSET_ISEMPTY_STATIC_PROP:
481							case ZEND_INSTANCEOF:
482							case ZEND_TYPE_CHECK:
483							case ZEND_DEFINED:
484								if (opline->opcode == ZEND_BOOL_NOT) {
485									break;
486								}
487								COPY_NODE(src->result, opline->result);
488								SET_VAR_SOURCE(src);
489								MAKE_NOP(opline);
490								break;
491						}
492					}
493				}
494				break;
495
496			case ZEND_JMPZ:
497			case ZEND_JMPNZ:
498			case ZEND_JMPZ_EX:
499			case ZEND_JMPNZ_EX:
500			case ZEND_JMPZNZ:
501			optimize_jmpznz:
502				if (opline->op1_type == IS_TMP_VAR &&
503				    (!zend_bitset_in(used_ext, VAR_NUM(opline->op1.var)) ||
504				     (opline->result_type == opline->op1_type &&
505				      opline->result.var == opline->op1.var))) {
506					src = VAR_SOURCE(opline->op1);
507					if (src) {
508						if (src->opcode == ZEND_BOOL_NOT &&
509						    opline->opcode != ZEND_JMPZ_EX &&
510						    opline->opcode != ZEND_JMPNZ_EX) {
511							VAR_SOURCE(opline->op1) = NULL;
512							COPY_NODE(opline->op1, src->op1);
513							if (opline->opcode == ZEND_JMPZ) {
514								/* T = BOOL_NOT(X) + JMPZ(T) -> NOP, JMPNZ(X) */
515								opline->opcode = ZEND_JMPNZ;
516							} else if (opline->opcode == ZEND_JMPNZ) {
517								/* T = BOOL_NOT(X) + JMPNZ(T) -> NOP, JMPZ(X) */
518								opline->opcode = ZEND_JMPZ;
519#if 0
520							} else if (opline->opcode == ZEND_JMPZ_EX) {
521								/* T = BOOL_NOT(X) + JMPZ_EX(T) -> NOP, JMPNZ_EX(X) */
522								opline->opcode = ZEND_JMPNZ_EX;
523							} else if (opline->opcode == ZEND_JMPNZ_EX) {
524								/* T = BOOL_NOT(X) + JMPNZ_EX(T) -> NOP, JMPZ_EX(X) */
525								opline->opcode = ZEND_JMPZ;
526#endif
527							} else {
528								/* T = BOOL_NOT(X) + JMPZNZ(T,L1,L2) -> NOP, JMPZNZ(X,L2,L1) */
529								uint32_t tmp;
530
531								ZEND_ASSERT(opline->opcode == ZEND_JMPZNZ);
532								tmp = block->successors[0];
533								block->successors[0] = block->successors[1];
534								block->successors[1] = tmp;
535							}
536							MAKE_NOP(src);
537							goto optimize_jmpznz;
538						} else if (src->opcode == ZEND_BOOL ||
539						           src->opcode == ZEND_QM_ASSIGN) {
540							VAR_SOURCE(opline->op1) = NULL;
541							COPY_NODE(opline->op1, src->op1);
542							MAKE_NOP(src);
543							goto optimize_jmpznz;
544						}
545					}
546				}
547				break;
548
549			case ZEND_CONCAT:
550			case ZEND_FAST_CONCAT:
551				if (opline->op1_type == IS_CONST &&
552				    opline->op2_type == IS_CONST) {
553					goto optimize_constant_binary_op;
554				}
555
556				if (opline->op2_type == IS_CONST &&
557				    opline->op1_type == IS_TMP_VAR) {
558
559					src = VAR_SOURCE(opline->op1);
560				    if (src &&
561					    (src->opcode == ZEND_CONCAT ||
562					     src->opcode == ZEND_FAST_CONCAT) &&
563					    src->op2_type == IS_CONST) {
564						/* compress consecutive CONCATs */
565						int l, old_len;
566
567						if (Z_TYPE(ZEND_OP2_LITERAL(opline)) != IS_STRING) {
568							convert_to_string_safe(&ZEND_OP2_LITERAL(opline));
569						}
570						if (Z_TYPE(ZEND_OP2_LITERAL(src)) != IS_STRING) {
571							convert_to_string_safe(&ZEND_OP2_LITERAL(src));
572						}
573
574						VAR_SOURCE(opline->op1) = NULL;
575						COPY_NODE(opline->op1, src->op1);
576						old_len = Z_STRLEN(ZEND_OP2_LITERAL(src));
577						l = old_len + Z_STRLEN(ZEND_OP2_LITERAL(opline));
578						if (!Z_REFCOUNTED(ZEND_OP2_LITERAL(src))) {
579							zend_string *tmp = zend_string_alloc(l, 0);
580							memcpy(ZSTR_VAL(tmp), Z_STRVAL(ZEND_OP2_LITERAL(src)), old_len);
581							Z_STR(ZEND_OP2_LITERAL(src)) = tmp;
582						} else {
583							Z_STR(ZEND_OP2_LITERAL(src)) = zend_string_extend(Z_STR(ZEND_OP2_LITERAL(src)), l, 0);
584						}
585						Z_TYPE_INFO(ZEND_OP2_LITERAL(src)) = IS_STRING_EX;
586						memcpy(Z_STRVAL(ZEND_OP2_LITERAL(src)) + old_len, Z_STRVAL(ZEND_OP2_LITERAL(opline)), Z_STRLEN(ZEND_OP2_LITERAL(opline)));
587						Z_STRVAL(ZEND_OP2_LITERAL(src))[l] = '\0';
588						zend_string_release(Z_STR(ZEND_OP2_LITERAL(opline)));
589						Z_STR(ZEND_OP2_LITERAL(opline)) = zend_new_interned_string(Z_STR(ZEND_OP2_LITERAL(src)));
590						if (!Z_REFCOUNTED(ZEND_OP2_LITERAL(opline))) {
591							Z_TYPE_FLAGS(ZEND_OP2_LITERAL(opline)) &= ~ (IS_TYPE_REFCOUNTED | IS_TYPE_COPYABLE);
592						}
593						ZVAL_NULL(&ZEND_OP2_LITERAL(src));
594						MAKE_NOP(src);
595					}
596				}
597
598				if (opline->op1_type & (IS_TMP_VAR|IS_VAR)) {
599					src = VAR_SOURCE(opline->op1);
600					if (src &&
601					    src->opcode == ZEND_CAST &&
602					    src->extended_value == IS_STRING) {
603						/* convert T1 = CAST(STRING, X), T2 = CONCAT(T1, Y) to T2 = CONCAT(X,Y) */
604						VAR_SOURCE(opline->op1) = NULL;
605						COPY_NODE(opline->op1, src->op1);
606						MAKE_NOP(src);
607					}
608	            }
609				if (opline->op2_type & (IS_TMP_VAR|IS_VAR)) {
610					src = VAR_SOURCE(opline->op2);
611					if (src &&
612					    src->opcode == ZEND_CAST &&
613					    src->extended_value == IS_STRING) {
614						/* convert T1 = CAST(STRING, X), T2 = CONCAT(Y, T1) to T2 = CONCAT(Y,X) */
615						zend_op *src = VAR_SOURCE(opline->op2);
616						VAR_SOURCE(opline->op2) = NULL;
617						COPY_NODE(opline->op2, src->op1);
618						MAKE_NOP(src);
619					}
620				}
621				if (opline->op1_type == IS_CONST &&
622				    Z_TYPE(ZEND_OP1_LITERAL(opline)) == IS_STRING &&
623				    Z_STRLEN(ZEND_OP1_LITERAL(opline)) == 0) {
624					/* convert CONCAT('', X) => CAST(STRING, X) */
625					literal_dtor(&ZEND_OP1_LITERAL(opline));
626					opline->opcode = ZEND_CAST;
627					opline->extended_value = IS_STRING;
628					COPY_NODE(opline->op1, opline->op2);
629					opline->op2_type = IS_UNUSED;
630					opline->op2.var = 0;
631				} else if (opline->op2_type == IS_CONST &&
632			           Z_TYPE(ZEND_OP2_LITERAL(opline)) == IS_STRING &&
633			           Z_STRLEN(ZEND_OP2_LITERAL(opline)) == 0) {
634					/* convert CONCAT(X, '') => CAST(STRING, X) */
635					literal_dtor(&ZEND_OP2_LITERAL(opline));
636					opline->opcode = ZEND_CAST;
637					opline->extended_value = IS_STRING;
638					opline->op2_type = IS_UNUSED;
639					opline->op2.var = 0;
640				} else if (opline->opcode == ZEND_CONCAT &&
641				           (opline->op1_type == IS_CONST ||
642				            (opline->op1_type == IS_TMP_VAR &&
643				             VAR_SOURCE(opline->op1) &&
644				             (VAR_SOURCE(opline->op1)->opcode == ZEND_FAST_CONCAT ||
645				              VAR_SOURCE(opline->op1)->opcode == ZEND_ROPE_END ||
646				              VAR_SOURCE(opline->op1)->opcode == ZEND_FETCH_CONSTANT ||
647				              VAR_SOURCE(opline->op1)->opcode == ZEND_FETCH_CLASS_CONSTANT))) &&
648				           (opline->op2_type == IS_CONST ||
649				            (opline->op2_type == IS_TMP_VAR &&
650				             VAR_SOURCE(opline->op2) &&
651				             (VAR_SOURCE(opline->op2)->opcode == ZEND_FAST_CONCAT ||
652				              VAR_SOURCE(opline->op2)->opcode == ZEND_ROPE_END ||
653				              VAR_SOURCE(opline->op2)->opcode == ZEND_FETCH_CONSTANT ||
654				              VAR_SOURCE(opline->op2)->opcode == ZEND_FETCH_CLASS_CONSTANT)))) {
655					opline->opcode = ZEND_FAST_CONCAT;
656				}
657				break;
658
659			case ZEND_ADD:
660			case ZEND_SUB:
661			case ZEND_MUL:
662			case ZEND_DIV:
663			case ZEND_MOD:
664			case ZEND_SL:
665			case ZEND_SR:
666			case ZEND_IS_SMALLER:
667			case ZEND_IS_SMALLER_OR_EQUAL:
668			case ZEND_IS_IDENTICAL:
669			case ZEND_IS_NOT_IDENTICAL:
670			case ZEND_BOOL_XOR:
671			case ZEND_BW_OR:
672			case ZEND_BW_AND:
673			case ZEND_BW_XOR:
674				if (opline->op1_type == IS_CONST &&
675				    opline->op2_type == IS_CONST) {
676					/* evaluate constant expressions */
677					binary_op_type binary_op;
678					zval result;
679					int er;
680
681optimize_constant_binary_op:
682					binary_op = get_binary_op(opline->opcode);
683		            if ((opline->opcode == ZEND_DIV || opline->opcode == ZEND_MOD) &&
684		                zval_get_long(&ZEND_OP2_LITERAL(opline)) == 0) {
685						SET_VAR_SOURCE(opline);
686		                opline++;
687						continue;
688		            } else if ((opline->opcode == ZEND_SL || opline->opcode == ZEND_SR) &&
689		                zval_get_long(&ZEND_OP2_LITERAL(opline)) < 0) {
690						SET_VAR_SOURCE(opline);
691		                opline++;
692						continue;
693					}
694					er = EG(error_reporting);
695					EG(error_reporting) = 0;
696					if (binary_op(&result, &ZEND_OP1_LITERAL(opline), &ZEND_OP2_LITERAL(opline)) == SUCCESS) {
697						literal_dtor(&ZEND_OP1_LITERAL(opline));
698						literal_dtor(&ZEND_OP2_LITERAL(opline));
699						opline->opcode = ZEND_QM_ASSIGN;
700						SET_UNUSED(opline->op2);
701						zend_optimizer_update_op1_const(op_array, opline, &result);
702					}
703					EG(error_reporting) = er;
704				}
705				break;
706
707			case ZEND_BW_NOT:
708				if (opline->op1_type == IS_CONST) {
709					/* evaluate constant unary ops */
710					unary_op_type unary_op;
711					zval result;
712
713optimize_const_unary_op:
714					unary_op = get_unary_op(opline->opcode);
715					if (unary_op) {
716						unary_op(&result, &ZEND_OP1_LITERAL(opline));
717						literal_dtor(&ZEND_OP1_LITERAL(opline));
718					} else {
719						/* BOOL */
720						result = ZEND_OP1_LITERAL(opline);
721						convert_to_boolean(&result);
722						ZVAL_NULL(&ZEND_OP1_LITERAL(opline));
723					}
724					opline->opcode = ZEND_QM_ASSIGN;
725					zend_optimizer_update_op1_const(op_array, opline, &result);
726				}
727				break;
728
729			case ZEND_RETURN:
730			case ZEND_EXIT:
731				if (opline->op1_type & (IS_TMP_VAR|IS_VAR)) {
732					src = VAR_SOURCE(opline->op1);
733					if (src && src->opcode == ZEND_QM_ASSIGN) {
734						/* T = QM_ASSIGN(X), RETURN(T) to NOP, RETURN(X) */
735						VAR_SOURCE(opline->op1) = NULL;
736						COPY_NODE(opline->op1, src->op1);
737						MAKE_NOP(src);
738					}
739				}
740				break;
741
742			case ZEND_QM_ASSIGN:
743				if (opline->op1_type == opline->result_type &&
744				    opline->op1.var == opline->result.var) {
745					/* strip T = QM_ASSIGN(T) */
746					MAKE_NOP(opline);
747				}
748				break;
749		}
750
751		/* get variable source */
752		if (opline->result_type == IS_VAR || opline->result_type == IS_TMP_VAR) {
753			SET_VAR_SOURCE(opline);
754		}
755		opline++;
756	}
757
758	strip_nops(op_array, block);
759}
760
761/* Rebuild plain (optimized) op_array from CFG */
762static void assemble_code_blocks(zend_cfg *cfg, zend_op_array *op_array)
763{
764	zend_basic_block *blocks = cfg->blocks;
765	zend_basic_block *end = blocks + cfg->blocks_count;
766	zend_basic_block *b;
767	zend_op *new_opcodes;
768	zend_op *opline;
769	uint32_t len = 0;
770	int n;
771
772	for (b = blocks; b < end; b++) {
773		if (b->flags & ZEND_BB_REACHABLE) {
774			ZEND_ASSERT(b->start <= b->end);
775			opline = op_array->opcodes + b->end;
776			if (opline->opcode == ZEND_JMP) {
777				zend_basic_block *next = b + 1;
778
779				while (next < end && (!(next->flags & ZEND_BB_REACHABLE) || next->start > next->end)) {
780					next++;
781				}
782				if (next < end && next == blocks + b->successors[0]) {
783					/* JMP to the next block - strip it */
784					MAKE_NOP(opline);
785					if (b->end == 0) {
786						b->start++;
787					} else {
788						b->end--;
789					}
790				}
791			} else if (b->start == b->end && opline->opcode == ZEND_NOP) {
792				/* skip empty block */
793				b->start++;
794			}
795			len += b->end - b->start + 1;
796		} else if (b->start <= b->end) {
797			/* this block will not be used, delete all constants there */
798			zend_op *op;
799			zend_op *end = op_array->opcodes + b->end ;
800			for (op = op_array->opcodes + b->start; op <= end; op++) {
801				if (ZEND_OP1_TYPE(op) == IS_CONST) {
802					literal_dtor(&ZEND_OP1_LITERAL(op));
803				}
804				if (ZEND_OP2_TYPE(op) == IS_CONST) {
805					literal_dtor(&ZEND_OP2_LITERAL(op));
806				}
807			}
808		}
809	}
810
811	new_opcodes = emalloc(len * sizeof(zend_op));
812	opline = new_opcodes;
813
814	/* Copy code of reachable blocks into a single buffer */
815	for (b = blocks; b < end; b++) {
816		if (b->flags & ZEND_BB_REACHABLE) {
817			if (b->start <= b->end) {
818				uint32_t n = b->end - b->start + 1;
819				memcpy(opline, op_array->opcodes + b->start, n * sizeof(zend_op));
820				b->start = opline - new_opcodes;
821				b->end = opline - new_opcodes + n - 1;
822				opline += n;
823			} else {
824				b->flags |= ZEND_BB_EMPTY;
825				b->start = b->end = opline - new_opcodes;
826			}
827		}
828	}
829
830	/* adjust jump targets */
831	efree(op_array->opcodes);
832	op_array->opcodes = new_opcodes;
833	op_array->last = len;
834
835	for (b = blocks; b < end; b++) {
836		if (!(b->flags & ZEND_BB_REACHABLE) || b->start > b->end) {
837			continue;
838		}
839		opline = op_array->opcodes + b->end;
840		switch (opline->opcode) {
841			case ZEND_FAST_CALL:
842			case ZEND_JMP:
843				ZEND_SET_OP_JMP_ADDR(opline, opline->op1, new_opcodes + blocks[b->successors[0]].start);
844				break;
845			case ZEND_JMPZNZ:
846				opline->extended_value = ZEND_OPLINE_TO_OFFSET(opline, new_opcodes + blocks[b->successors[1]].start);
847				/* break missing intentionally */
848			case ZEND_JMPZ:
849			case ZEND_JMPNZ:
850			case ZEND_JMPZ_EX:
851			case ZEND_JMPNZ_EX:
852			case ZEND_FE_RESET_R:
853			case ZEND_FE_RESET_RW:
854			case ZEND_NEW:
855			case ZEND_JMP_SET:
856			case ZEND_COALESCE:
857			case ZEND_ASSERT_CHECK:
858				ZEND_SET_OP_JMP_ADDR(opline, opline->op2, new_opcodes + blocks[b->successors[0]].start);
859				break;
860			case ZEND_CATCH:
861				if (!opline->result.var) {
862					opline->extended_value = ZEND_OPLINE_TO_OFFSET(opline, new_opcodes + blocks[b->successors[0]].start);
863				}
864				break;
865			case ZEND_DECLARE_ANON_CLASS:
866			case ZEND_DECLARE_ANON_INHERITED_CLASS:
867			case ZEND_FE_FETCH_R:
868			case ZEND_FE_FETCH_RW:
869				opline->extended_value = ZEND_OPLINE_TO_OFFSET(opline, new_opcodes + blocks[b->successors[0]].start);
870				break;
871		}
872	}
873
874	/* adjust exception jump targets & remove unused try_catch_array entries */
875	if (op_array->last_try_catch) {
876		int i, j;
877		uint32_t *map;
878		ALLOCA_FLAG(use_heap);
879
880		map = (uint32_t *)do_alloca(sizeof(uint32_t) * op_array->last_try_catch, use_heap);
881		for (i = 0, j = 0; i< op_array->last_try_catch; i++) {
882			if (blocks[cfg->map[op_array->try_catch_array[i].try_op]].flags & ZEND_BB_REACHABLE) {
883				map[i] = j;
884				op_array->try_catch_array[j].try_op = blocks[cfg->map[op_array->try_catch_array[i].try_op]].start;
885				if (op_array->try_catch_array[i].catch_op) {
886					op_array->try_catch_array[j].catch_op = blocks[cfg->map[op_array->try_catch_array[i].catch_op]].start;
887				} else {
888					op_array->try_catch_array[j].catch_op =  0;
889				}
890				if (op_array->try_catch_array[i].finally_op) {
891					op_array->try_catch_array[j].finally_op = blocks[cfg->map[op_array->try_catch_array[i].finally_op]].start;
892				} else {
893					op_array->try_catch_array[j].finally_op =  0;
894				}
895				if (!op_array->try_catch_array[i].finally_end) {
896					op_array->try_catch_array[j].finally_end = 0;
897				} else {
898					op_array->try_catch_array[j].finally_end = blocks[cfg->map[op_array->try_catch_array[i].finally_end]].start;
899				}
900				j++;
901			}
902		}
903		if (i != j) {
904			op_array->last_try_catch = j;
905			if (op_array->fn_flags & ZEND_ACC_HAS_FINALLY_BLOCK) {
906				zend_op *opline = new_opcodes;
907				zend_op *end = opline + len;
908				while (opline < end) {
909					if ((opline->opcode == ZEND_FAST_CALL ||
910					     opline->opcode == ZEND_FAST_RET) &&
911					    opline->extended_value &&
912					    opline->op2.num < (uint32_t)j) {
913						opline->op2.num = map[opline->op2.num];
914					}
915					opline++;
916				}
917			}
918		}
919		free_alloca(map, use_heap);
920	}
921
922	/* adjust loop jump targets & remove unused live range entries */
923	if (op_array->last_live_range) {
924		int i, j;
925		uint32_t *map;
926		ALLOCA_FLAG(use_heap);
927
928		map = (uint32_t *)do_alloca(sizeof(uint32_t) * op_array->last_live_range, use_heap);
929
930		for (i = 0, j = 0; i < op_array->last_live_range; i++) {
931			if (op_array->live_range[i].var == (uint32_t)-1) {
932				/* this live range already removed */
933				continue;
934			}
935			if (!(blocks[cfg->map[op_array->live_range[i].start]].flags & ZEND_BB_REACHABLE)) {
936				ZEND_ASSERT(!(blocks[cfg->map[op_array->live_range[i].end]].flags & ZEND_BB_REACHABLE));
937			} else {
938				uint32_t start_op = blocks[cfg->map[op_array->live_range[i].start]].start;
939				uint32_t end_op = blocks[cfg->map[op_array->live_range[i].end]].start;
940
941				if (start_op == end_op) {
942					/* skip empty live range */
943					continue;
944				}
945				op_array->live_range[i].start = start_op;
946				op_array->live_range[i].end = end_op;
947				map[i] = j;
948				if (i != j) {
949					op_array->live_range[j]  = op_array->live_range[i];
950				}
951				j++;
952			}
953		}
954
955		if (i != j) {
956			zend_op *opline = new_opcodes;
957			zend_op *end = opline + len;
958
959			op_array->last_live_range = j;
960			while (opline != end) {
961				if ((opline->opcode == ZEND_FREE || opline->opcode == ZEND_FE_FREE) &&
962				    opline->extended_value == ZEND_FREE_ON_RETURN) {
963					ZEND_ASSERT(opline->op2.num < (uint32_t) i);
964					opline->op2.num = map[opline->op2.num];
965				}
966				opline++;
967			}
968		}
969		free_alloca(map, use_heap);
970	}
971
972	/* adjust early binding list */
973	if (op_array->early_binding != (uint32_t)-1) {
974		uint32_t *opline_num = &op_array->early_binding;
975		zend_op *end;
976
977		opline = op_array->opcodes;
978		end = opline + op_array->last;
979		while (opline < end) {
980			if (opline->opcode == ZEND_DECLARE_INHERITED_CLASS_DELAYED) {
981				*opline_num = opline - op_array->opcodes;
982				opline_num = &ZEND_RESULT(opline).opline_num;
983			}
984			++opline;
985		}
986		*opline_num = -1;
987	}
988
989	/* rebuild map (just for printing) */
990	memset(cfg->map, -1, sizeof(int) * op_array->last);
991	for (n = 0; n < cfg->blocks_count; n++) {
992		if (cfg->blocks[n].flags & ZEND_BB_REACHABLE) {
993			cfg->map[cfg->blocks[n].start] = n;
994		}
995	}
996}
997
998static void zend_jmp_optimization(zend_basic_block *block, zend_op_array *op_array, zend_cfg *cfg, zend_uchar *same_t)
999{
1000	/* last_op is the last opcode of the current block */
1001	zend_basic_block *blocks = cfg->blocks;
1002	zend_op *last_op;
1003
1004	ZEND_ASSERT(block->start <= block->end);
1005	last_op = op_array->opcodes + block->end;
1006	switch (last_op->opcode) {
1007		case ZEND_JMP:
1008			{
1009				zend_basic_block *target_block = blocks + block->successors[0];
1010				zend_op *target = op_array->opcodes + target_block->start;
1011				int next = (block - blocks) + 1;
1012
1013				while (next < cfg->blocks_count && !(blocks[next].flags & ZEND_BB_REACHABLE)) {
1014					/* find used one */
1015					next++;
1016				}
1017
1018				/* JMP(next) -> NOP */
1019				if (block->successors[0] == next) {
1020					MAKE_NOP(last_op);
1021					if (block->start != block->end) {
1022						block->end--;
1023					}
1024					break;
1025				}
1026
1027				if (target->opcode == ZEND_JMP &&
1028					block->successors[0] != target_block->successors[0] &&
1029					!(target_block->flags & ZEND_BB_PROTECTED)) {
1030					/* JMP L, L: JMP L1 -> JMP L1 */
1031					*last_op = *target;
1032					DEL_SOURCE(block, block->successors[0]);
1033					block->successors[0] = target_block->successors[0];
1034					ADD_SOURCE(block, block->successors[0]);
1035				} else if (target->opcode == ZEND_JMPZNZ &&
1036				           !(target_block->flags & ZEND_BB_PROTECTED)) {
1037					/* JMP L, L: JMPZNZ L1,L2 -> JMPZNZ L1,L2 */
1038					*last_op = *target;
1039					if (ZEND_OP1_TYPE(last_op) == IS_CONST) {
1040						zval zv = ZEND_OP1_LITERAL(last_op);
1041						zval_copy_ctor(&zv);
1042						last_op->op1.constant = zend_optimizer_add_literal(op_array, &zv);
1043					}
1044					DEL_SOURCE(block, block->successors[0]);
1045					block->successors[0] = target_block->successors[0];
1046					block->successors[1] = target_block->successors[1];
1047					ADD_SOURCE(block, block->successors[0]);
1048					ADD_SOURCE(block, block->successors[1]);
1049				} else if ((target->opcode == ZEND_RETURN ||
1050				            target->opcode == ZEND_RETURN_BY_REF ||
1051				            target->opcode == ZEND_EXIT) &&
1052				           !(op_array->fn_flags & ZEND_ACC_HAS_FINALLY_BLOCK)) {
1053					/* JMP L, L: RETURN to immediate RETURN */
1054					*last_op = *target;
1055					if (ZEND_OP1_TYPE(last_op) == IS_CONST) {
1056						zval zv = ZEND_OP1_LITERAL(last_op);
1057						zval_copy_ctor(&zv);
1058						last_op->op1.constant = zend_optimizer_add_literal(op_array, &zv);
1059					}
1060					DEL_SOURCE(block, block->successors[0]);
1061					block->successors[0] = -1;
1062#if 0
1063				/* Temporarily disabled - see bug #0025274 */
1064				} else if (0&& block->op1_to != block &&
1065			           block->op1_to != blocks &&
1066						   op_array->last_try_catch == 0 &&
1067				           target->opcode != ZEND_FREE) {
1068				    /* Block Reordering (saves one JMP on each "for" loop iteration)
1069				     * It is disabled for some cases (ZEND_FREE)
1070				     * which may break register allocation.
1071            	     */
1072					zend_bool can_reorder = 0;
1073					zend_block_source *cs = block->op1_to->sources;
1074
1075					/* the "target" block doesn't had any followed block */
1076					while(cs) {
1077						if (cs->from->follow_to == block->op1_to) {
1078							can_reorder = 0;
1079							break;
1080						}
1081						cs = cs->next;
1082					}
1083					if (can_reorder) {
1084						next = block->op1_to;
1085						/* the "target" block is not followed by current "block" */
1086						while (next->follow_to != NULL) {
1087							if (next->follow_to == block) {
1088								can_reorder = 0;
1089								break;
1090							}
1091							next = next->follow_to;
1092						}
1093						if (can_reorder) {
1094							zend_basic_block *prev = blocks;
1095
1096							while (prev->next != block->op1_to) {
1097								prev = prev->next;
1098							}
1099							prev->next = next->next;
1100							next->next = block->next;
1101							block->next = block->op1_to;
1102
1103							block->follow_to = block->op1_to;
1104							block->op1_to = NULL;
1105							MAKE_NOP(last_op);
1106							block->len--;
1107							if(block->len == 0) {
1108								/* this block is nothing but NOP now */
1109								delete_code_block(block, ctx);
1110							}
1111							break;
1112						}
1113					}
1114#endif
1115				}
1116			}
1117			break;
1118
1119		case ZEND_JMPZ:
1120		case ZEND_JMPNZ:
1121			/* constant conditional JMPs */
1122			if (ZEND_OP1_TYPE(last_op) == IS_CONST) {
1123				int should_jmp = zend_is_true(&ZEND_OP1_LITERAL(last_op));
1124
1125				if (last_op->opcode == ZEND_JMPZ) {
1126					should_jmp = !should_jmp;
1127				}
1128				literal_dtor(&ZEND_OP1_LITERAL(last_op));
1129				ZEND_OP1_TYPE(last_op) = IS_UNUSED;
1130				if (should_jmp) {
1131					/* JMPNZ(true) -> JMP */
1132					last_op->opcode = ZEND_JMP;
1133					DEL_SOURCE(block, block->successors[1]);
1134					block->successors[1] = -1;
1135				} else {
1136					/* JMPNZ(false) -> NOP */
1137					MAKE_NOP(last_op);
1138					DEL_SOURCE(block, block->successors[0]);
1139					block->successors[0] = block->successors[1];
1140					block->successors[1] = -1;
1141				}
1142				break;
1143			}
1144
1145			if (block->successors[0] == block->successors[1]) {
1146				/* L: JMP[N]Z(X, L+1) -> NOP or FREE(X) */
1147
1148				if (last_op->op1_type & (IS_VAR|IS_TMP_VAR)) {
1149					last_op->opcode = ZEND_FREE;
1150					last_op->op2.num = 0;
1151				} else {
1152					MAKE_NOP(last_op);
1153				}
1154				block->successors[1] = -1;
1155				break;
1156			}
1157
1158			if (1) {
1159				zend_uchar same_type = ZEND_OP1_TYPE(last_op);
1160				uint32_t same_var = VAR_NUM_EX(last_op->op1);
1161				zend_op *target;
1162				zend_op *target_end;
1163				zend_basic_block *target_block = blocks + block->successors[0];
1164
1165next_target:
1166				target = op_array->opcodes + target_block->start;
1167				target_end = op_array->opcodes + target_block->end + 1;
1168				while (target < target_end && target->opcode == ZEND_NOP) {
1169					target++;
1170				}
1171
1172				/* next block is only NOP's */
1173				if (target == target_end) {
1174					target_block = blocks + target_block->successors[0];
1175					goto next_target;
1176				} else if (target->opcode == INV_COND(last_op->opcode) &&
1177					/* JMPZ(X, L), L: JMPNZ(X, L2) -> JMPZ(X, L+1) */
1178				   (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1179				   same_type == ZEND_OP1_TYPE(target) &&
1180				   same_var == VAR_NUM_EX(target->op1) &&
1181				   !(target_block->flags & ZEND_BB_PROTECTED)
1182				   ) {
1183					DEL_SOURCE(block, block->successors[0]);
1184					block->successors[0] = target_block->successors[1];
1185					ADD_SOURCE(block, block->successors[0]);
1186				} else if (target->opcode == INV_COND_EX(last_op->opcode) &&
1187							(ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1188				    		same_type == ZEND_OP1_TYPE(target) &&
1189				    		same_var == VAR_NUM_EX(target->op1) &&
1190							!(target_block->flags & ZEND_BB_PROTECTED)) {
1191					/* JMPZ(X, L), L: X = JMPNZ_EX(X, L2) -> JMPZ(X, L+1) */
1192					last_op->opcode += 3;
1193					last_op->result = target->result;
1194					DEL_SOURCE(block, block->successors[0]);
1195					block->successors[0] = target_block->successors[1];
1196					ADD_SOURCE(block, block->successors[0]);
1197				} else if (target->opcode == last_op->opcode &&
1198						   (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1199						   same_type == ZEND_OP1_TYPE(target) &&
1200						   same_var == VAR_NUM_EX(target->op1) &&
1201						   !(target_block->flags & ZEND_BB_PROTECTED)) {
1202					/* JMPZ(X, L), L: JMPZ(X, L2) -> JMPZ(X, L2) */
1203					DEL_SOURCE(block, block->successors[0]);
1204					block->successors[0] = target_block->successors[0];
1205					ADD_SOURCE(block, block->successors[0]);
1206				} else if (target->opcode == ZEND_JMP &&
1207				           !(target_block->flags & ZEND_BB_PROTECTED)) {
1208					/* JMPZ(X, L), L: JMP(L2) -> JMPZ(X, L2) */
1209					DEL_SOURCE(block, block->successors[0]);
1210					block->successors[0] = target_block->successors[0];
1211					ADD_SOURCE(block, block->successors[0]);
1212				} else if (target->opcode == ZEND_JMPZNZ &&
1213				           (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1214				           same_type == ZEND_OP1_TYPE(target) &&
1215				           same_var == VAR_NUM_EX(target->op1) &&
1216				           !(target_block->flags & ZEND_BB_PROTECTED)) {
1217					/* JMPZ(X, L), L: JMPZNZ(X, L2, L3) -> JMPZ(X, L2) */
1218					DEL_SOURCE(block, block->successors[0]);
1219					if (last_op->opcode == ZEND_JMPZ) {
1220						block->successors[0] = target_block->successors[0];
1221					} else {
1222						block->successors[0] = target_block->successors[1];
1223					}
1224					ADD_SOURCE(block, block->successors[0]);
1225				}
1226			}
1227
1228			if (last_op->opcode == ZEND_JMPZ || last_op->opcode == ZEND_JMPNZ) {
1229				zend_op *target;
1230				zend_op *target_end;
1231				zend_basic_block *target_block;
1232
1233				while (1) {
1234					target_block = blocks + block->successors[1];
1235					target = op_array->opcodes + target_block->start;
1236					target_end = op_array->opcodes + target_block->start + 1;
1237					while (target < target_end && target->opcode == ZEND_NOP) {
1238						target++;
1239					}
1240
1241					/* next block is only NOP's */
1242					if (target == target_end && !(target_block->flags & ZEND_BB_PROTECTED)) {
1243						DEL_SOURCE(block, block->successors[1]);
1244						block->successors[1] = target_block->successors[0];
1245						ADD_SOURCE(block, block->successors[1]);
1246					} else {
1247						break;
1248					}
1249				}
1250				/* JMPZ(X,L1), JMP(L2) -> JMPZNZ(X,L1,L2) */
1251				if (target->opcode == ZEND_JMP &&
1252					!(target_block->flags & ZEND_BB_PROTECTED)) {
1253					DEL_SOURCE(block, block->successors[1]);
1254					if (last_op->opcode == ZEND_JMPZ) {
1255						block->successors[1] = target_block->successors[0];
1256						ADD_SOURCE(block, block->successors[1]);
1257					} else {
1258						block->successors[1] = block->successors[0];
1259						block->successors[0] = target_block->successors[0];
1260						ADD_SOURCE(block, block->successors[0]);
1261					}
1262					last_op->opcode = ZEND_JMPZNZ;
1263				}
1264			}
1265			break;
1266
1267		case ZEND_JMPNZ_EX:
1268		case ZEND_JMPZ_EX:
1269			/* constant conditional JMPs */
1270			if (ZEND_OP1_TYPE(last_op) == IS_CONST) {
1271				int should_jmp = zend_is_true(&ZEND_OP1_LITERAL(last_op));
1272
1273				if (last_op->opcode == ZEND_JMPZ_EX) {
1274					should_jmp = !should_jmp;
1275				}
1276				if (!should_jmp) {
1277					/* T = JMPZ_EX(true,L)   -> T = QM_ASSIGN(true)
1278					 * T = JMPNZ_EX(false,L) -> T = QM_ASSIGN(false)
1279					 */
1280					last_op->opcode = ZEND_QM_ASSIGN;
1281					SET_UNUSED(last_op->op2);
1282					DEL_SOURCE(block, block->successors[0]);
1283					block->successors[0] = block->successors[1];
1284					block->successors[1] = -1;
1285				}
1286				break;
1287			}
1288
1289			if (1) {
1290				zend_op *target, *target_end;
1291				zend_basic_block *target_block;
1292				int var_num = op_array->last_var + op_array->T;
1293
1294				if (var_num <= 0) {
1295   					return;
1296				}
1297				memset(same_t, 0, var_num);
1298				same_t[VAR_NUM_EX(last_op->op1)] |= ZEND_OP1_TYPE(last_op);
1299				same_t[VAR_NUM_EX(last_op->result)] |= ZEND_RESULT_TYPE(last_op);
1300				target_block = blocks + block->successors[0];
1301next_target_ex:
1302				target = op_array->opcodes + target_block->start;
1303				target_end = op_array->opcodes + target_block->end + 1;
1304				while (target < target_end && target->opcode == ZEND_NOP) {
1305					target++;
1306				}
1307 				/* next block is only NOP's */
1308				if (target == target_end) {
1309					target_block = blocks + target_block->successors[0];
1310					goto next_target_ex;
1311				} else if (target->opcode == last_op->opcode-3 &&
1312						   (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1313						   (same_t[VAR_NUM_EX(target->op1)] & ZEND_OP1_TYPE(target)) != 0 &&
1314						   !(target_block->flags & ZEND_BB_PROTECTED)) {
1315					/* T = JMPZ_EX(X, L1), L1: JMPZ({X|T}, L2) -> T = JMPZ_EX(X, L2) */
1316					DEL_SOURCE(block, block->successors[0]);
1317					block->successors[0] = target_block->successors[0];
1318					ADD_SOURCE(block, block->successors[0]);
1319				} else if (target->opcode == INV_EX_COND(last_op->opcode) &&
1320					   	   (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1321						   (same_t[VAR_NUM_EX(target->op1)] & ZEND_OP1_TYPE(target)) != 0 &&
1322						   !(target_block->flags & ZEND_BB_PROTECTED)) {
1323					/* T = JMPZ_EX(X, L1), L1: JMPNZ({X|T1}, L2) -> T = JMPZ_EX(X, L1+1) */
1324					DEL_SOURCE(block, block->successors[0]);
1325					block->successors[0] = target_block->successors[1];
1326					ADD_SOURCE(block, block->successors[0]);
1327				} else if (target->opcode == INV_EX_COND_EX(last_op->opcode) &&
1328					       (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1329						   (same_t[VAR_NUM_EX(target->op1)] & ZEND_OP1_TYPE(target)) != 0 &&
1330						   (same_t[VAR_NUM_EX(target->result)] & ZEND_RESULT_TYPE(target)) != 0 &&
1331						   !(target_block->flags & ZEND_BB_PROTECTED)) {
1332					/* T = JMPZ_EX(X, L1), L1: T = JMPNZ_EX(T, L2) -> T = JMPZ_EX(X, L1+1) */
1333					DEL_SOURCE(block, block->successors[0]);
1334					block->successors[0] = target_block->successors[1];
1335					ADD_SOURCE(block, block->successors[0]);
1336				} else if (target->opcode == last_op->opcode &&
1337						   (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1338						   (same_t[VAR_NUM_EX(target->op1)] & ZEND_OP1_TYPE(target)) != 0 &&
1339						   (same_t[VAR_NUM_EX(target->result)] & ZEND_RESULT_TYPE(target)) != 0 &&
1340						   !(target_block->flags & ZEND_BB_PROTECTED)) {
1341					/* T = JMPZ_EX(X, L1), L1: T = JMPZ({X|T}, L2) -> T = JMPZ_EX(X, L2) */
1342					DEL_SOURCE(block, block->successors[0]);
1343					block->successors[0] = target_block->successors[0];
1344					ADD_SOURCE(block, block->successors[0]);
1345				} else if (target->opcode == ZEND_JMP &&
1346						   !(target_block->flags & ZEND_BB_PROTECTED)) {
1347					/* T = JMPZ_EX(X, L), L: JMP(L2) -> T = JMPZ(X, L2) */
1348					DEL_SOURCE(block, block->successors[0]);
1349					block->successors[0] = target_block->successors[0];
1350					ADD_SOURCE(block, block->successors[0]);
1351				} else if (target->opcode == ZEND_JMPZNZ &&
1352						   (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1353						   (same_t[VAR_NUM_EX(target->op1)] & ZEND_OP1_TYPE(target)) != 0 &&
1354						   !(target_block->flags & ZEND_BB_PROTECTED)) {
1355					/* T = JMPZ_EX(X, L), L: JMPZNZ({X|T}, L2, L3) -> T = JMPZ_EX(X, L2) */
1356					DEL_SOURCE(block, block->successors[0]);
1357					if (last_op->opcode == ZEND_JMPZ_EX) {
1358						block->successors[0] = target_block->successors[0];
1359					} else {
1360						block->successors[0] = target_block->successors[1];
1361					}
1362					ADD_SOURCE(block, block->successors[0]);
1363				}
1364			}
1365			break;
1366
1367		case ZEND_JMPZNZ: {
1368			int next = (block - blocks) + 1;
1369
1370			while (next < cfg->blocks_count && !(blocks[next].flags & ZEND_BB_REACHABLE)) {
1371				/* find first accessed one */
1372				next++;
1373			}
1374
1375			if (ZEND_OP1_TYPE(last_op) == IS_CONST) {
1376				if (!zend_is_true(&ZEND_OP1_LITERAL(last_op))) {
1377					/* JMPZNZ(false,L1,L2) -> JMP(L1) */
1378					literal_dtor(&ZEND_OP1_LITERAL(last_op));
1379					last_op->opcode = ZEND_JMP;
1380					SET_UNUSED(last_op->op1);
1381					SET_UNUSED(last_op->op2);
1382					DEL_SOURCE(block, block->successors[1]);
1383					block->successors[1] = -1;
1384				} else {
1385					/* JMPZNZ(true,L1,L2) -> JMP(L2) */
1386					literal_dtor(&ZEND_OP1_LITERAL(last_op));
1387					last_op->opcode = ZEND_JMP;
1388					SET_UNUSED(last_op->op1);
1389					SET_UNUSED(last_op->op2);
1390					DEL_SOURCE(block, block->successors[0]);
1391					block->successors[0] = block->successors[1];
1392					block->successors[1] = -1;
1393				}
1394			} else if (block->successors[0] == block->successors[1]) {
1395				/* both goto the same one - it's JMP */
1396				if (!(last_op->op1_type & (IS_VAR|IS_TMP_VAR))) {
1397					/* JMPZNZ(?,L,L) -> JMP(L) */
1398					last_op->opcode = ZEND_JMP;
1399					SET_UNUSED(last_op->op1);
1400					SET_UNUSED(last_op->op2);
1401					block->successors[1] = -1;
1402				}
1403			} else if (block->successors[0] == next) {
1404				/* jumping to next on Z - can follow to it and jump only on NZ */
1405				/* JMPZNZ(X,L1,L2) L1: -> JMPNZ(X,L2) */
1406				last_op->opcode = ZEND_JMPNZ;
1407				block->successors[0] = block->successors[1];
1408				block->successors[1] = next;
1409				/* no need to add source */
1410			} else if (block->successors[1] == next) {
1411				/* jumping to next on NZ - can follow to it and jump only on Z */
1412				/* JMPZNZ(X,L1,L2) L2: -> JMPZ(X,L1) */
1413				last_op->opcode = ZEND_JMPZ;
1414				/* no need to add source */
1415			}
1416
1417			if (last_op->opcode == ZEND_JMPZNZ) {
1418				zend_uchar same_type = ZEND_OP1_TYPE(last_op);
1419				zend_uchar same_var = VAR_NUM_EX(last_op->op1);
1420				zend_op *target;
1421				zend_op *target_end;
1422				zend_basic_block *target_block = blocks + block->successors[0];
1423
1424next_target_znz:
1425				target = op_array->opcodes + target_block->start;
1426				target_end = op_array->opcodes + target_block->end + 1;
1427				while (target < target_end && target->opcode == ZEND_NOP) {
1428					target++;
1429				}
1430				/* next block is only NOP's */
1431				if (target == target_end) {
1432					target_block = blocks + target_block->successors[0];
1433					goto next_target_znz;
1434				} else if ((target->opcode == ZEND_JMPZ || target->opcode == ZEND_JMPZNZ) &&
1435						   (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1436						   same_type == ZEND_OP1_TYPE(target) &&
1437						   same_var == VAR_NUM_EX(target->op1) &&
1438						   !(target_block->flags & ZEND_BB_PROTECTED)) {
1439				    /* JMPZNZ(X, L1, L2), L1: JMPZ(X, L3) -> JMPZNZ(X, L3, L2) */
1440					DEL_SOURCE(block, block->successors[0]);
1441					block->successors[0] = target_block->successors[0];
1442					ADD_SOURCE(block, block->successors[0]);
1443				} else if (target->opcode == ZEND_JMPNZ &&
1444						   (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1445						   same_type == ZEND_OP1_TYPE(target) &&
1446						   same_var == VAR_NUM_EX(target->op1) &&
1447						   !(target_block->flags & ZEND_BB_PROTECTED)) {
1448                    /* JMPZNZ(X, L1, L2), L1: X = JMPNZ(X, L3) -> JMPZNZ(X, L1+1, L2) */
1449					DEL_SOURCE(block, block->successors[0]);
1450					block->successors[0] = target_block->successors[1];
1451					ADD_SOURCE(block, block->successors[0]);
1452				} else if (target->opcode == ZEND_JMP &&
1453					       !(target_block->flags & ZEND_BB_PROTECTED)) {
1454                    /* JMPZNZ(X, L1, L2), L1: JMP(L3) -> JMPZNZ(X, L3, L2) */
1455					DEL_SOURCE(block, block->successors[0]);
1456					block->successors[0] = target_block->successors[0];
1457					ADD_SOURCE(block, block->successors[0]);
1458				}
1459			}
1460			break;
1461		}
1462	}
1463}
1464
1465/* Global data dependencies */
1466
1467/* Find a set of variables which are used outside of the block where they are
1468 * defined. We won't apply some optimization patterns for such variables. */
1469static void zend_t_usage(zend_cfg *cfg, zend_op_array *op_array, zend_bitset used_ext, zend_optimizer_ctx *ctx)
1470{
1471	int n;
1472	zend_basic_block *block, *next_block;
1473	uint32_t var_num;
1474	uint32_t bitset_len;
1475	zend_bitset usage;
1476	zend_bitset defined_here;
1477	void *checkpoint;
1478	zend_op *opline, *end;
1479
1480
1481	if (op_array->T == 0) {
1482		/* shortcut - if no Ts, nothing to do */
1483		return;
1484	}
1485
1486	checkpoint = zend_arena_checkpoint(ctx->arena);
1487	bitset_len = zend_bitset_len(op_array->last_var + op_array->T);
1488	defined_here = zend_arena_alloc(&ctx->arena, bitset_len * ZEND_BITSET_ELM_SIZE);
1489
1490	zend_bitset_clear(defined_here, bitset_len);
1491	for (n = 1; n < cfg->blocks_count; n++) {
1492		block = cfg->blocks + n;
1493
1494		if (!(block->flags & ZEND_BB_REACHABLE)) {
1495			continue;
1496		}
1497
1498		opline = op_array->opcodes + block->start;
1499		end = op_array->opcodes + block->end + 1;
1500		if (!(block->flags & ZEND_BB_FOLLOW) ||
1501		    (block->flags & ZEND_BB_TARGET)) {
1502			/* Skip continuation of "extended" BB */
1503			zend_bitset_clear(defined_here, bitset_len);
1504		}
1505
1506		while (opline<end) {
1507			if (opline->op1_type == IS_VAR || opline->op1_type == IS_TMP_VAR) {
1508				var_num = VAR_NUM(opline->op1.var);
1509				if (!zend_bitset_in(defined_here, var_num)) {
1510					zend_bitset_incl(used_ext, var_num);
1511				}
1512			}
1513			if (opline->op2_type == IS_VAR) {
1514				var_num = VAR_NUM(opline->op2.var);
1515				if (opline->opcode == ZEND_FE_FETCH_R ||
1516				    opline->opcode == ZEND_FE_FETCH_RW) {
1517					/* these opcode use the op2 as result */
1518					zend_bitset_incl(defined_here, var_num);
1519				} else if (!zend_bitset_in(defined_here, var_num)) {
1520					zend_bitset_incl(used_ext, var_num);
1521				}
1522			} else if (opline->op2_type == IS_TMP_VAR) {
1523				var_num = VAR_NUM(opline->op2.var);
1524				if (!zend_bitset_in(defined_here, var_num)) {
1525					zend_bitset_incl(used_ext, var_num);
1526				}
1527			}
1528
1529			if (opline->result_type == IS_VAR) {
1530				var_num = VAR_NUM(opline->result.var);
1531				zend_bitset_incl(defined_here, var_num);
1532			} else if (opline->result_type == IS_TMP_VAR) {
1533				var_num = VAR_NUM(opline->result.var);
1534				switch (opline->opcode) {
1535					case ZEND_ADD_ARRAY_ELEMENT:
1536					case ZEND_ROPE_ADD:
1537						/* these opcodes use the result as argument */
1538						if (!zend_bitset_in(defined_here, var_num)) {
1539							zend_bitset_incl(used_ext, var_num);
1540						}
1541						break;
1542					default :
1543						zend_bitset_incl(defined_here, var_num);
1544				}
1545			}
1546			opline++;
1547		}
1548	}
1549
1550	if (ctx->debug_level & ZEND_DUMP_BLOCK_PASS_VARS) {
1551		int printed = 0;
1552		uint32_t i;
1553
1554		for (i = op_array->last_var; i< op_array->T; i++) {
1555			if (zend_bitset_in(used_ext, i)) {
1556				if (!printed) {
1557					fprintf(stderr, "NON-LOCAL-VARS: %d", i);
1558					printed = 1;
1559				} else {
1560					fprintf(stderr, ", %d", i);
1561				}
1562			}
1563		}
1564		if (printed) {
1565			fprintf(stderr, "\n");
1566		}
1567	}
1568
1569	usage = defined_here;
1570	next_block = NULL;
1571	for (n = cfg->blocks_count; n > 0;) {
1572		block = cfg->blocks + (--n);
1573
1574		if (!(block->flags & ZEND_BB_REACHABLE)) {
1575			continue;
1576		}
1577
1578		opline = op_array->opcodes + block->end;
1579		end = op_array->opcodes + block->start;
1580		if (!next_block ||
1581		    !(next_block->flags & ZEND_BB_FOLLOW) ||
1582		    (next_block->flags & ZEND_BB_TARGET)) {
1583			/* Skip continuation of "extended" BB */
1584			zend_bitset_copy(usage, used_ext, bitset_len);
1585		} else if (block->successors[1] != -1) {
1586			zend_bitset_union(usage, used_ext, bitset_len);
1587		}
1588		next_block = block;
1589
1590		while (opline >= end) {
1591			/* usage checks */
1592			if (opline->result_type == IS_VAR) {
1593				if (!zend_bitset_in(usage, VAR_NUM(opline->result.var))) {
1594					switch (opline->opcode) {
1595						case ZEND_ASSIGN_ADD:
1596						case ZEND_ASSIGN_SUB:
1597						case ZEND_ASSIGN_MUL:
1598						case ZEND_ASSIGN_DIV:
1599						case ZEND_ASSIGN_POW:
1600						case ZEND_ASSIGN_MOD:
1601						case ZEND_ASSIGN_SL:
1602						case ZEND_ASSIGN_SR:
1603						case ZEND_ASSIGN_CONCAT:
1604						case ZEND_ASSIGN_BW_OR:
1605						case ZEND_ASSIGN_BW_AND:
1606						case ZEND_ASSIGN_BW_XOR:
1607						case ZEND_PRE_INC:
1608						case ZEND_PRE_DEC:
1609						case ZEND_ASSIGN:
1610						case ZEND_ASSIGN_REF:
1611						case ZEND_DO_FCALL:
1612						case ZEND_DO_ICALL:
1613						case ZEND_DO_UCALL:
1614						case ZEND_DO_FCALL_BY_NAME:
1615							opline->result_type |= EXT_TYPE_UNUSED;
1616							break;
1617					}
1618				} else {
1619					zend_bitset_excl(usage, VAR_NUM(opline->result.var));
1620				}
1621			} else if (opline->result_type == IS_TMP_VAR) {
1622				if (!zend_bitset_in(usage, VAR_NUM(opline->result.var))) {
1623					switch (opline->opcode) {
1624						case ZEND_POST_INC:
1625						case ZEND_POST_DEC:
1626							opline->opcode -= 2;
1627							opline->result_type = IS_VAR | EXT_TYPE_UNUSED;
1628							break;
1629						case ZEND_QM_ASSIGN:
1630						case ZEND_BOOL:
1631						case ZEND_BOOL_NOT:
1632							if (ZEND_OP1_TYPE(opline) == IS_CONST) {
1633								literal_dtor(&ZEND_OP1_LITERAL(opline));
1634							}
1635							MAKE_NOP(opline);
1636							break;
1637						case ZEND_JMPZ_EX:
1638						case ZEND_JMPNZ_EX:
1639							opline->opcode -= 3;
1640							SET_UNUSED(opline->result);
1641							break;
1642						case ZEND_ADD_ARRAY_ELEMENT:
1643						case ZEND_ROPE_ADD:
1644							zend_bitset_incl(usage, VAR_NUM(opline->result.var));
1645							break;
1646					}
1647				} else {
1648					switch (opline->opcode) {
1649						case ZEND_ADD_ARRAY_ELEMENT:
1650						case ZEND_ROPE_ADD:
1651							break;
1652						default:
1653							zend_bitset_excl(usage, VAR_NUM(opline->result.var));
1654							break;
1655					}
1656				}
1657			}
1658
1659			if (opline->op2_type == IS_VAR) {
1660				switch (opline->opcode) {
1661					case ZEND_FE_FETCH_R:
1662					case ZEND_FE_FETCH_RW:
1663						zend_bitset_excl(usage, VAR_NUM(opline->op2.var));
1664						break;
1665					default:
1666						zend_bitset_incl(usage, VAR_NUM(opline->op2.var));
1667						break;
1668				}
1669			} else if (opline->op2_type == IS_TMP_VAR) {
1670				zend_bitset_incl(usage, VAR_NUM(opline->op2.var));
1671			}
1672
1673			if (opline->op1_type == IS_VAR || opline->op1_type == IS_TMP_VAR) {
1674				zend_bitset_incl(usage, VAR_NUM(opline->op1.var));
1675			}
1676
1677			opline--;
1678		}
1679	}
1680
1681	zend_arena_release(&ctx->arena, checkpoint);
1682}
1683
1684static void zend_merge_blocks(zend_op_array *op_array, zend_cfg *cfg)
1685{
1686	int i;
1687	zend_basic_block *b, *bb;
1688	zend_basic_block *prev = NULL;
1689
1690	for (i = 0; i < cfg->blocks_count; i++) {
1691		b = cfg->blocks + i;
1692		if (b->flags & ZEND_BB_REACHABLE) {
1693			if ((b->flags & ZEND_BB_FOLLOW) &&
1694			    !(b->flags & (ZEND_BB_TARGET | ZEND_BB_PROTECTED)) &&
1695			    prev &&
1696			    prev->successors[0] == i && prev->successors[1] == -1) {
1697
1698				if (op_array->opcodes[prev->end].opcode == ZEND_JMP) {
1699					MAKE_NOP(op_array->opcodes + prev->end);
1700				}
1701
1702				for (bb = prev + 1; bb != b; bb++) {
1703					zend_op *op = op_array->opcodes + bb->start;
1704					zend_op *end = op_array->opcodes + bb->end;
1705					while (op <= end) {
1706						if (ZEND_OP1_TYPE(op) == IS_CONST) {
1707							literal_dtor(&ZEND_OP1_LITERAL(op));
1708						}
1709						if (ZEND_OP2_TYPE(op) == IS_CONST) {
1710							literal_dtor(&ZEND_OP2_LITERAL(op));
1711						}
1712						MAKE_NOP(op);
1713						op++;
1714					}
1715					/* make block empty */
1716					bb->start = bb->end + 1;
1717				}
1718
1719				/* re-link */
1720			    prev->flags |= (b->flags & ZEND_BB_EXIT);
1721				prev->end = b->end;
1722				prev->successors[0] = b->successors[0];
1723				prev->successors[1] = b->successors[1];
1724
1725				/* unlink & make block empty and unreachable */
1726				b->flags = 0;
1727				b->start = b->end + 1;
1728				b->successors[0] = -1;
1729				b->successors[1] = -1;
1730			} else {
1731				prev = b;
1732			}
1733		}
1734	}
1735}
1736
1737#define PASSES 3
1738
1739void zend_optimize_cfg(zend_op_array *op_array, zend_optimizer_ctx *ctx)
1740{
1741	zend_cfg cfg;
1742	zend_basic_block *blocks, *end, *b;
1743	int pass;
1744	uint32_t bitset_len;
1745	zend_bitset usage;
1746	void *checkpoint;
1747	zend_op **Tsource;
1748	zend_uchar *same_t;
1749
1750    /* Build CFG */
1751	checkpoint = zend_arena_checkpoint(ctx->arena);
1752	if (zend_build_cfg(&ctx->arena, op_array, 0, &cfg, NULL) != SUCCESS) {
1753		zend_arena_release(&ctx->arena, checkpoint);
1754		return;
1755	}
1756
1757	if (ctx->debug_level & ZEND_DUMP_BEFORE_BLOCK_PASS) {
1758		zend_dump_op_array(op_array, ZEND_DUMP_CFG, "before block pass", &cfg);
1759	}
1760
1761	if (op_array->last_var || op_array->T) {
1762		bitset_len = zend_bitset_len(op_array->last_var + op_array->T);
1763		Tsource = zend_arena_calloc(&ctx->arena, op_array->last_var + op_array->T, sizeof(zend_op *));
1764		same_t = zend_arena_alloc(&ctx->arena, op_array->last_var + op_array->T);
1765		usage = zend_arena_alloc(&ctx->arena, bitset_len * ZEND_BITSET_ELM_SIZE);
1766	} else {
1767		bitset_len = 0;
1768		Tsource = NULL;
1769		same_t = NULL;
1770		usage = NULL;
1771	}
1772	blocks = cfg.blocks;
1773	end = blocks + cfg.blocks_count;
1774	for (pass = 0; pass < PASSES; pass++) {
1775		/* Compute data dependencies */
1776		zend_bitset_clear(usage, bitset_len);
1777		zend_t_usage(&cfg, op_array, usage, ctx);
1778
1779		/* optimize each basic block separately */
1780		for (b = blocks; b < end; b++) {
1781			if (!(b->flags & ZEND_BB_REACHABLE)) {
1782				continue;
1783			}
1784			/* we track data dependencies only insight a single basic block */
1785			if (!(b->flags & ZEND_BB_FOLLOW) ||
1786			    (b->flags & ZEND_BB_TARGET)) {
1787				/* Skip continuation of "extended" BB */
1788				memset(Tsource, 0, (op_array->last_var + op_array->T) * sizeof(zend_op *));
1789			}
1790			zend_optimize_block(b, op_array, usage, &cfg, Tsource);
1791		}
1792
1793		/* Jump optimization for each block */
1794		for (b = blocks; b < end; b++) {
1795			if (b->flags & ZEND_BB_REACHABLE) {
1796				zend_jmp_optimization(b, op_array, &cfg, same_t);
1797			}
1798		}
1799
1800		/* Eliminate unreachable basic blocks */
1801		zend_cfg_remark_reachable_blocks(op_array, &cfg);
1802
1803		/* Merge Blocks */
1804		zend_merge_blocks(op_array, &cfg);
1805	}
1806
1807	zend_bitset_clear(usage, bitset_len);
1808	zend_t_usage(&cfg, op_array, usage, ctx);
1809	assemble_code_blocks(&cfg, op_array);
1810
1811	if (ctx->debug_level & ZEND_DUMP_AFTER_BLOCK_PASS) {
1812		zend_dump_op_array(op_array, ZEND_DUMP_CFG | ZEND_DUMP_HIDE_UNREACHABLE, "after block pass", &cfg);
1813	}
1814
1815	/* Destroy CFG */
1816	zend_arena_release(&ctx->arena, checkpoint);
1817}
1818