1/*
2   +----------------------------------------------------------------------+
3   | Zend OPcache                                                         |
4   +----------------------------------------------------------------------+
5   | Copyright (c) 1998-2015 The PHP Group                                |
6   +----------------------------------------------------------------------+
7   | This source file is subject to version 3.01 of the PHP license,      |
8   | that is bundled with this package in the file LICENSE, and is        |
9   | available through the world-wide-web at the following url:           |
10   | http://www.php.net/license/3_01.txt                                  |
11   | If you did not receive a copy of the PHP license and are unable to   |
12   | obtain it through the world-wide-web, please send a note to          |
13   | license@php.net so we can mail you a copy immediately.               |
14   +----------------------------------------------------------------------+
15   | Authors: Andi Gutmans <andi@zend.com>                                |
16   |          Zeev Suraski <zeev@zend.com>                                |
17   |          Stanislav Malyshev <stas@zend.com>                          |
18   |          Dmitry Stogov <dmitry@zend.com>                             |
19   +----------------------------------------------------------------------+
20*/
21
22#include "php.h"
23#include "Optimizer/zend_optimizer.h"
24#include "Optimizer/zend_optimizer_internal.h"
25#include "zend_API.h"
26#include "zend_constants.h"
27#include "zend_execute.h"
28#include "zend_vm.h"
29
30#define DEBUG_BLOCKPASS 0
31
32/* Checks if a constant (like "true") may be replaced by its value */
33int zend_optimizer_get_persistent_constant(zend_string *name, zval *result, int copy)
34{
35    zend_constant *c;
36    char *lookup_name;
37    int retval = 1;
38    ALLOCA_FLAG(use_heap);
39
40    if ((c = zend_hash_find_ptr(EG(zend_constants), name)) == NULL) {
41        lookup_name = DO_ALLOCA(name->len + 1);
42        memcpy(lookup_name, name->val, name->len + 1);
43        zend_str_tolower(lookup_name, name->len);
44
45        if ((c = zend_hash_str_find_ptr(EG(zend_constants), lookup_name, name->len)) != NULL) {
46            if (!(c->flags & CONST_CT_SUBST) || (c->flags & CONST_CS)) {
47                retval = 0;
48            }
49        } else {
50            retval = 0;
51        }
52        FREE_ALLOCA(lookup_name);
53    }
54
55    if (retval) {
56        if (c->flags & CONST_PERSISTENT) {
57            ZVAL_COPY_VALUE(result, &c->value);
58            if (copy) {
59                zval_copy_ctor(result);
60            }
61        } else {
62            retval = 0;
63        }
64    }
65
66    return retval;
67}
68
69#if DEBUG_BLOCKPASS
70# define BLOCK_REF(b) b?op_array->opcodes-b->start_opline:-1
71
72static inline void print_block(zend_code_block *block, zend_op *opcodes, char *txt)
73{
74    fprintf(stderr, "%sBlock: %d-%d (%d)", txt, block->start_opline - opcodes, block->start_opline - opcodes + block->len - 1, block->len);
75    if (!block->access) {
76        fprintf(stderr, " unused");
77    }
78    if (block->op1_to) {
79        fprintf(stderr, " 1: %d", block->op1_to->start_opline - opcodes);
80    }
81    if (block->op2_to) {
82        fprintf(stderr, " 2: %d", block->op2_to->start_opline - opcodes);
83    }
84    if (block->ext_to) {
85        fprintf(stderr, " e: %d", block->ext_to->start_opline - opcodes);
86    }
87    if (block->follow_to) {
88        fprintf(stderr, " f: %d", block->follow_to->start_opline - opcodes);
89    }
90
91    if (block->sources) {
92        zend_block_source *bs = block->sources;
93        fprintf(stderr, " s:");
94        while (bs) {
95            fprintf(stderr, " %d", bs->from->start_opline - opcodes);
96            bs = bs->next;
97        }
98    }
99
100    fprintf(stderr, "\n");
101    fflush(stderr);
102}
103#else
104#define print_block(a,b,c)
105#endif
106
107#define START_BLOCK_OP(opno) blocks[opno].start_opline = &op_array->opcodes[opno]; blocks[opno].start_opline_no = opno; blocks[opno].access = 1
108
109/* find code blocks in op_array
110   code block is a set of opcodes with single flow of control, i.e. without jmps,
111   branches, etc. */
112static int find_code_blocks(zend_op_array *op_array, zend_cfg *cfg, zend_optimizer_ctx *ctx)
113{
114    zend_op *opline;
115    zend_op *end = op_array->opcodes + op_array->last;
116    zend_code_block *blocks, *cur_block;
117    uint32_t opno = 0;
118
119    memset(cfg, 0, sizeof(zend_cfg));
120    blocks = cfg->blocks = zend_arena_calloc(&ctx->arena, op_array->last + 2, sizeof(zend_code_block));
121    opline = op_array->opcodes;
122    blocks[0].start_opline = opline;
123    blocks[0].start_opline_no = 0;
124    while (opline < end) {
125        switch((unsigned)opline->opcode) {
126            case ZEND_GOTO:
127                /* would not optimize GOTOs - we cannot really know where it jumps,
128                 * so these optimizations are too dangerous */
129                return 0;
130            case ZEND_FAST_CALL:
131                START_BLOCK_OP(ZEND_OP1(opline).opline_num);
132                if (opline->extended_value) {
133                    START_BLOCK_OP(ZEND_OP2(opline).opline_num);
134                }
135                START_BLOCK_OP(opno + 1);
136                break;
137            case ZEND_FAST_RET:
138                if (opline->extended_value) {
139                    START_BLOCK_OP(ZEND_OP2(opline).opline_num);
140                }
141                START_BLOCK_OP(opno + 1);
142                break;
143            case ZEND_JMP:
144            case ZEND_DECLARE_ANON_CLASS:
145            case ZEND_DECLARE_ANON_INHERITED_CLASS:
146                START_BLOCK_OP(ZEND_OP1(opline).opline_num);
147                /* break missing intentionally */
148            case ZEND_RETURN:
149            case ZEND_RETURN_BY_REF:
150            case ZEND_GENERATOR_RETURN:
151            case ZEND_EXIT:
152            case ZEND_THROW:
153                /* start new block from this+1 */
154                START_BLOCK_OP(opno + 1);
155                break;
156                /* TODO: if conditional jmp depends on constant,
157                         don't start block that won't be executed */
158            case ZEND_CATCH:
159                START_BLOCK_OP(opline->extended_value);
160                START_BLOCK_OP(opno + 1);
161                break;
162            case ZEND_JMPZNZ:
163                START_BLOCK_OP(opline->extended_value);
164            case ZEND_JMPZ:
165            case ZEND_JMPNZ:
166            case ZEND_JMPZ_EX:
167            case ZEND_JMPNZ_EX:
168            case ZEND_FE_RESET_R:
169            case ZEND_FE_RESET_RW:
170            case ZEND_NEW:
171            case ZEND_JMP_SET:
172            case ZEND_COALESCE:
173            case ZEND_ASSERT_CHECK:
174                START_BLOCK_OP(ZEND_OP2(opline).opline_num);
175                START_BLOCK_OP(opno + 1);
176                break;
177            case ZEND_FE_FETCH_R:
178            case ZEND_FE_FETCH_RW:
179                START_BLOCK_OP(opline->extended_value);
180                START_BLOCK_OP(opno + 1);
181                break;
182        }
183        opno++;
184        opline++;
185    }
186
187    /* first find block start points */
188    if (op_array->last_try_catch) {
189        int i;
190        cfg->try = zend_arena_calloc(&ctx->arena, op_array->last_try_catch, sizeof(zend_code_block *));
191        cfg->catch = zend_arena_calloc(&ctx->arena, op_array->last_try_catch, sizeof(zend_code_block *));
192        for (i = 0; i< op_array->last_try_catch; i++) {
193            cfg->try[i] = &blocks[op_array->try_catch_array[i].try_op];
194            cfg->catch[i] = &blocks[op_array->try_catch_array[i].catch_op];
195            START_BLOCK_OP(op_array->try_catch_array[i].try_op);
196            START_BLOCK_OP(op_array->try_catch_array[i].catch_op);
197            blocks[op_array->try_catch_array[i].try_op].protected = 1;
198        }
199    }
200    /* Currently, we don't optimize op_arrays with BRK/CONT/GOTO opcodes,
201     * but, we have to keep brk_cont_array to avoid memory leaks during
202     * exception handling */
203    if (op_array->last_brk_cont) {
204        int i, j;
205
206        j = 0;
207        for (i = 0; i< op_array->last_brk_cont; i++) {
208            if (op_array->brk_cont_array[i].start >= 0 &&
209                (op_array->opcodes[op_array->brk_cont_array[i].brk].opcode == ZEND_FREE ||
210                 op_array->opcodes[op_array->brk_cont_array[i].brk].opcode == ZEND_FE_FREE ||
211                 op_array->opcodes[op_array->brk_cont_array[i].brk].opcode == ZEND_END_SILENCE)) {
212                int parent = op_array->brk_cont_array[i].parent;
213
214                while (parent >= 0 &&
215                       op_array->brk_cont_array[parent].start < 0 &&
216                       (op_array->opcodes[op_array->brk_cont_array[parent].brk].opcode != ZEND_FREE ||
217                        op_array->opcodes[op_array->brk_cont_array[parent].brk].opcode != ZEND_FE_FREE ||
218                        op_array->opcodes[op_array->brk_cont_array[parent].brk].opcode != ZEND_END_SILENCE)) {
219                    parent = op_array->brk_cont_array[parent].parent;
220                }
221                op_array->brk_cont_array[i].parent = parent;
222                j++;
223            }
224        }
225        if (j) {
226            cfg->loop_start = zend_arena_calloc(&ctx->arena, op_array->last_brk_cont, sizeof(zend_code_block *));
227            cfg->loop_cont  = zend_arena_calloc(&ctx->arena, op_array->last_brk_cont, sizeof(zend_code_block *));
228            cfg->loop_brk   = zend_arena_calloc(&ctx->arena, op_array->last_brk_cont, sizeof(zend_code_block *));
229            j = 0;
230            for (i = 0; i< op_array->last_brk_cont; i++) {
231                if (op_array->brk_cont_array[i].start >= 0 &&
232                    (op_array->opcodes[op_array->brk_cont_array[i].brk].opcode == ZEND_FREE ||
233                     op_array->opcodes[op_array->brk_cont_array[i].brk].opcode == ZEND_FE_FREE ||
234                     op_array->opcodes[op_array->brk_cont_array[i].brk].opcode == ZEND_END_SILENCE)) {
235                    if (i != j) {
236                        op_array->brk_cont_array[j] = op_array->brk_cont_array[i];
237                    }
238                    cfg->loop_start[j] = &blocks[op_array->brk_cont_array[j].start];
239                    cfg->loop_cont[j]  = &blocks[op_array->brk_cont_array[j].cont];
240                    cfg->loop_brk[j]   = &blocks[op_array->brk_cont_array[j].brk];
241                    START_BLOCK_OP(op_array->brk_cont_array[j].start);
242                    START_BLOCK_OP(op_array->brk_cont_array[j].cont);
243                    START_BLOCK_OP(op_array->brk_cont_array[j].brk);
244                    blocks[op_array->brk_cont_array[j].start].protected = 1;
245                    blocks[op_array->brk_cont_array[j].brk].protected = 1;
246                    j++;
247                }
248            }
249            op_array->last_brk_cont = j;
250        } else {
251            efree(op_array->brk_cont_array);
252            op_array->brk_cont_array = NULL;
253            op_array->last_brk_cont = 0;
254        }
255    }
256
257    /* Build CFG (Control Flow Graph) */
258    cur_block = blocks;
259    for (opno = 1; opno < op_array->last; opno++) {
260        if (blocks[opno].start_opline) {
261            /* found new block start */
262            cur_block->len = blocks[opno].start_opline - cur_block->start_opline;
263            cur_block->next = &blocks[opno];
264            /* what is the last OP of previous block? */
265            opline = blocks[opno].start_opline - 1;
266            if (opline->opcode == ZEND_OP_DATA) {
267                opline--;
268            }
269            switch((unsigned)opline->opcode) {
270                case ZEND_RETURN:
271                case ZEND_RETURN_BY_REF:
272                case ZEND_GENERATOR_RETURN:
273                case ZEND_EXIT:
274                case ZEND_THROW:
275                    break;
276                case ZEND_FAST_CALL:
277                    if (opline->extended_value) {
278                        cur_block->op2_to = &blocks[ZEND_OP2(opline).opline_num];
279                    }
280                    cur_block->op1_to = &blocks[ZEND_OP1(opline).opline_num];
281                    break;
282                case ZEND_FAST_RET:
283                    if (opline->extended_value) {
284                        cur_block->op2_to = &blocks[ZEND_OP2(opline).opline_num];
285                    }
286                    break;
287                case ZEND_JMP:
288                    cur_block->op1_to = &blocks[ZEND_OP1(opline).opline_num];
289                    break;
290                case ZEND_DECLARE_ANON_CLASS:
291                case ZEND_DECLARE_ANON_INHERITED_CLASS:
292                    cur_block->op1_to = &blocks[ZEND_OP1(opline).opline_num];
293                    cur_block->follow_to = &blocks[opno];
294                    break;
295                case ZEND_JMPZNZ:
296                    cur_block->op2_to = &blocks[ZEND_OP2(opline).opline_num];
297                    cur_block->ext_to = &blocks[opline->extended_value];
298                    break;
299                case ZEND_CATCH:
300                    cur_block->ext_to = &blocks[opline->extended_value];
301                    cur_block->follow_to = &blocks[opno];
302                    break;
303                case ZEND_FE_FETCH_R:
304                case ZEND_FE_FETCH_RW:
305                    cur_block->ext_to = &blocks[opline->extended_value];
306                    cur_block->follow_to = &blocks[opno];
307                    break;
308                case ZEND_JMPZ:
309                case ZEND_JMPNZ:
310                case ZEND_JMPZ_EX:
311                case ZEND_JMPNZ_EX:
312                case ZEND_FE_RESET_R:
313                case ZEND_FE_RESET_RW:
314                case ZEND_NEW:
315                case ZEND_JMP_SET:
316                case ZEND_COALESCE:
317                case ZEND_ASSERT_CHECK:
318                    cur_block->op2_to = &blocks[ZEND_OP2(opline).opline_num];
319                    /* break missing intentionally */
320                default:
321                    /* next block follows this */
322                    cur_block->follow_to = &blocks[opno];
323                    break;
324            }
325            print_block(cur_block, op_array->opcodes, "");
326            cur_block = cur_block->next;
327        }
328    }
329    cur_block->len = end - cur_block->start_opline;
330    cur_block->next = &blocks[op_array->last + 1];
331    print_block(cur_block, op_array->opcodes, "");
332
333    return 1;
334}
335
336/* CFG back references management */
337
338#define ADD_SOURCE(fromb, tob) { \
339    zend_block_source *__s = tob->sources; \
340    while (__s && __s->from != fromb) __s = __s->next; \
341    if (__s == NULL) { \
342        zend_block_source *__t = zend_arena_alloc(&ctx->arena, sizeof(zend_block_source)); \
343        __t->next = tob->sources; \
344        tob->sources = __t; \
345        __t->from = fromb; \
346    } \
347}
348
349#define DEL_SOURCE(cs) do { \
350        *(cs) = (*(cs))->next; \
351    } while (0)
352
353
354static inline void replace_source(zend_block_source *list, zend_code_block *old, zend_code_block *new)
355{
356    /* replace all references to 'old' in 'list' with 'new' */
357    zend_block_source **cs;
358    int found = 0;
359
360    for (cs = &list; *cs; cs = &((*cs)->next)) {
361        if ((*cs)->from == new) {
362            if (found) {
363                DEL_SOURCE(cs);
364            } else {
365                found = 1;
366            }
367        }
368
369        if ((*cs)->from == old) {
370            if (found) {
371                DEL_SOURCE(cs);
372            } else {
373                (*cs)->from = new;
374                found = 1;
375            }
376        }
377    }
378}
379
380static inline void del_source(zend_code_block *from, zend_code_block *to)
381{
382    /* delete source 'from' from 'to'-s sources list */
383    zend_block_source **cs = &to->sources;
384
385    if (to->sources == NULL) {
386        to->access = 0;
387        return;
388    }
389
390    while (*cs) {
391        if ((*cs)->from == from) {
392            DEL_SOURCE(cs);
393            break;
394        }
395        cs = &((*cs)->next);
396    }
397
398    if (to->sources == NULL) {
399        /* 'to' has no more sources - it's unused, will be stripped */
400        to->access = 0;
401        return;
402    }
403
404    if (!to->protected && to->sources->next == NULL) {
405        /* source to only one block */
406        zend_code_block *from_block = to->sources->from;
407
408        if (from_block->access && from_block->follow_to == to &&
409            from_block->op1_to == NULL &&
410            from_block->op2_to == NULL &&
411            from_block->ext_to == NULL) {
412            /* this block follows it's only predecessor - we can join them */
413            zend_op *new_to = from_block->start_opline + from_block->len;
414            if (new_to != to->start_opline) {
415                /* move block to new location */
416                memmove(new_to, to->start_opline, sizeof(zend_op)*to->len);
417            }
418            /* join blocks' lengths */
419            from_block->len += to->len;
420            /* move 'to'`s references to 'from' */
421            to->start_opline = NULL;
422            to->access = 0;
423            to->sources = NULL;
424            from_block->follow_to = to->follow_to;
425            if (to->op1_to) {
426                from_block->op1_to = to->op1_to;
427                replace_source(to->op1_to->sources, to, from_block);
428            }
429            if (to->op2_to) {
430                from_block->op2_to = to->op2_to;
431                replace_source(to->op2_to->sources, to, from_block);
432            }
433            if (to->ext_to) {
434                from_block->ext_to = to->ext_to;
435                replace_source(to->ext_to->sources, to, from_block);
436            }
437            if (to->follow_to) {
438                replace_source(to->follow_to->sources, to, from_block);
439            }
440            /* remove "to" from list */
441        }
442    }
443}
444
445static void delete_code_block(zend_code_block *block, zend_optimizer_ctx *ctx)
446{
447    if (block->protected) {
448        return;
449    }
450    if (block->follow_to) {
451        zend_block_source *bs = block->sources;
452        while (bs) {
453            zend_code_block *from_block = bs->from;
454            zend_code_block *to = block->follow_to;
455            if (from_block->op1_to == block) {
456                from_block->op1_to = to;
457                ADD_SOURCE(from_block, to);
458            }
459            if (from_block->op2_to == block) {
460                from_block->op2_to = to;
461                ADD_SOURCE(from_block, to);
462            }
463            if (from_block->ext_to == block) {
464                from_block->ext_to = to;
465                ADD_SOURCE(from_block, to);
466            }
467            if (from_block->follow_to == block) {
468                from_block->follow_to = to;
469                ADD_SOURCE(from_block, to);
470            }
471            bs = bs->next;
472        }
473    }
474    block->access = 0;
475}
476
477static void zend_access_path(zend_code_block *block, zend_optimizer_ctx *ctx)
478{
479    if (block->access) {
480        return;
481    }
482
483    block->access = 1;
484    if (block->op1_to) {
485        zend_access_path(block->op1_to, ctx);
486        ADD_SOURCE(block, block->op1_to);
487    }
488    if (block->op2_to) {
489        zend_access_path(block->op2_to, ctx);
490        ADD_SOURCE(block, block->op2_to);
491    }
492    if (block->ext_to) {
493        zend_access_path(block->ext_to, ctx);
494        ADD_SOURCE(block, block->ext_to);
495    }
496    if (block->follow_to) {
497        zend_access_path(block->follow_to, ctx);
498        ADD_SOURCE(block, block->follow_to);
499    }
500}
501
502/* Traverse CFG, mark reachable basic blocks and build back references */
503static void zend_rebuild_access_path(zend_cfg *cfg, zend_op_array *op_array, int find_start, zend_optimizer_ctx *ctx)
504{
505    zend_code_block *blocks = cfg->blocks;
506    zend_code_block *start = find_start? NULL : blocks;
507    zend_code_block *b;
508
509    /* Mark all blocks as unaccessible and destroy back references */
510    b = blocks;
511    while (b != NULL) {
512        if (!start && b->access) {
513            start = b;
514        }
515        b->access = 0;
516        b->sources = NULL;
517        b = b->next;
518    }
519
520    /* Walk thorough all paths */
521    zend_access_path(start, ctx);
522
523    /* Add brk/cont paths */
524    if (op_array->last_brk_cont) {
525        int i;
526        for (i=0; i< op_array->last_brk_cont; i++) {
527            zend_access_path(cfg->loop_start[i], ctx);
528            zend_access_path(cfg->loop_cont[i], ctx);
529            zend_access_path(cfg->loop_brk[i], ctx);
530        }
531    }
532
533    /* Add exception paths */
534    if (op_array->last_try_catch) {
535        int i;
536        for (i=0; i< op_array->last_try_catch; i++) {
537            if (!cfg->catch[i]->access) {
538                zend_access_path(cfg->catch[i], ctx);
539            }
540        }
541    }
542}
543
544/* Data dependencies macros */
545
546#define VAR_NUM_EX(op) VAR_NUM((op).var)
547
548#define VAR_SOURCE(op) Tsource[VAR_NUM(op.var)]
549#define SET_VAR_SOURCE(opline) Tsource[VAR_NUM(opline->result.var)] = opline
550
551#define VAR_UNSET(op) do { if (op ## _type & (IS_TMP_VAR|IS_VAR)) {VAR_SOURCE(op) = NULL;}} while (0)
552
553#define convert_to_string_safe(v) \
554    if (Z_TYPE_P((v)) == IS_NULL) { \
555        ZVAL_STRINGL((v), "", 0); \
556    } else { \
557        convert_to_string((v)); \
558    }
559
560static void strip_nop(zend_code_block *block, zend_optimizer_ctx *ctx)
561{
562    zend_op *opline = block->start_opline;
563    zend_op *end, *new_end;
564
565    /* remove leading NOPs */
566    while (block->len > 0 && block->start_opline->opcode == ZEND_NOP) {
567        if (block->len == 1) {
568            /* this block is all NOPs, join with following block */
569            if (block->follow_to) {
570                delete_code_block(block, ctx);
571            }
572            return;
573        }
574        block->start_opline++;
575        block->start_opline_no++;
576        block->len--;
577    }
578
579    /* strip the inside NOPs */
580    opline = new_end = block->start_opline;
581    end = opline + block->len;
582
583    while (opline < end) {
584        zend_op *src;
585        int len = 0;
586
587        while (opline < end && opline->opcode == ZEND_NOP) {
588            opline++;
589        }
590        src = opline;
591
592        while (opline < end && opline->opcode != ZEND_NOP) {
593            opline++;
594        }
595        len = opline - src;
596
597        /* move up non-NOP opcodes */
598        memmove(new_end, src, len*sizeof(zend_op));
599
600        new_end += len;
601    }
602    block->len = new_end - block->start_opline;
603}
604
605static void zend_optimize_block(zend_code_block *block, zend_op_array *op_array, char *used_ext, zend_cfg *cfg, zend_optimizer_ctx *ctx)
606{
607    zend_op *opline = block->start_opline;
608    zend_op *end, *last_op = NULL;
609    zend_op **Tsource = cfg->Tsource;
610
611    print_block(block, op_array->opcodes, "Opt ");
612
613    /* remove leading NOPs */
614    while (block->len > 0 && block->start_opline->opcode == ZEND_NOP) {
615        if (block->len == 1) {
616            /* this block is all NOPs, join with following block */
617            if (block->follow_to) {
618                delete_code_block(block, ctx);
619            }
620            return;
621        }
622        block->start_opline++;
623        block->start_opline_no++;
624        block->len--;
625    }
626
627    /* we track data dependencies only insight a single basic block */
628    memset(Tsource, 0, (op_array->last_var + op_array->T) * sizeof(zend_op *));
629    opline = block->start_opline;
630    end = opline + block->len;
631    while ((op_array->T) && (opline < end)) {
632        /* strip X = QM_ASSIGN(const) */
633        if ((ZEND_OP1_TYPE(opline) & (IS_TMP_VAR|IS_VAR)) &&
634            VAR_SOURCE(opline->op1) &&
635            VAR_SOURCE(opline->op1)->opcode == ZEND_QM_ASSIGN &&
636            ZEND_OP1_TYPE(VAR_SOURCE(opline->op1)) == IS_CONST &&
637            opline->opcode != ZEND_CASE &&         /* CASE _always_ expects variable */
638            opline->opcode != ZEND_FETCH_LIST &&
639            (opline->opcode != ZEND_FE_RESET_R || opline->opcode != ZEND_FE_RESET_RW) &&
640            opline->opcode != ZEND_FREE
641            ) {
642            zend_op *src = VAR_SOURCE(opline->op1);
643            zval c = ZEND_OP1_LITERAL(src);
644            VAR_UNSET(opline->op1);
645            zval_copy_ctor(&c);
646            zend_optimizer_update_op1_const(op_array, opline, &c);
647            literal_dtor(&ZEND_OP1_LITERAL(src));
648            MAKE_NOP(src);
649        }
650
651        /* T = QM_ASSIGN(C), F(T) => NOP, F(C) */
652        if ((ZEND_OP2_TYPE(opline) & (IS_TMP_VAR|IS_VAR)) &&
653            VAR_SOURCE(opline->op2) &&
654            VAR_SOURCE(opline->op2)->opcode == ZEND_QM_ASSIGN &&
655            ZEND_OP1_TYPE(VAR_SOURCE(opline->op2)) == IS_CONST) {
656            zend_op *src = VAR_SOURCE(opline->op2);
657            zval c = ZEND_OP1_LITERAL(src);
658            VAR_UNSET(opline->op2);
659            zval_copy_ctor(&c);
660            zend_optimizer_update_op2_const(op_array, opline, &c);
661            literal_dtor(&ZEND_OP1_LITERAL(src));
662            MAKE_NOP(src);
663        }
664
665        /* T = CAST(X, String), ECHO(T) => NOP, ECHO(X) */
666        if (opline->opcode == ZEND_ECHO &&
667            ZEND_OP1_TYPE(opline) & (IS_TMP_VAR|IS_VAR) &&
668            VAR_SOURCE(opline->op1) &&
669            VAR_SOURCE(opline->op1)->opcode == ZEND_CAST &&
670            VAR_SOURCE(opline->op1)->extended_value == IS_STRING) {
671            zend_op *src = VAR_SOURCE(opline->op1);
672            COPY_NODE(opline->op1, src->op1);
673            MAKE_NOP(src);
674        }
675
676       /* T = BOOL(X), FREE(T) => NOP */
677        if (opline->opcode == ZEND_FREE &&
678            ZEND_OP1_TYPE(opline) == IS_TMP_VAR &&
679            VAR_SOURCE(opline->op1)) {
680            zend_op *src = VAR_SOURCE(opline->op1);
681            if (src->opcode == ZEND_BOOL) {
682                if (ZEND_OP1_TYPE(src) == IS_CONST) {
683                    literal_dtor(&ZEND_OP1_LITERAL(src));
684                }
685                MAKE_NOP(src);
686                MAKE_NOP(opline);
687            }
688        }
689
690#if 0
691        /* pre-evaluate functions:
692           constant(x)
693           defined(x)
694           function_exists(x)
695           extension_loaded(x)
696           BAD: interacts badly with Accelerator
697        */
698        if((ZEND_OP1_TYPE(opline) & IS_VAR) &&
699           VAR_SOURCE(opline->op1) && VAR_SOURCE(opline->op1)->opcode == ZEND_DO_CF_FCALL &&
700           VAR_SOURCE(opline->op1)->extended_value == 1) {
701            zend_op *fcall = VAR_SOURCE(opline->op1);
702            zend_op *sv = fcall-1;
703            if(sv >= block->start_opline && sv->opcode == ZEND_SEND_VAL &&
704               ZEND_OP1_TYPE(sv) == IS_CONST && Z_TYPE(OPLINE_OP1_LITERAL(sv)) == IS_STRING &&
705               Z_LVAL(OPLINE_OP2_LITERAL(sv)) == 1
706               ) {
707                zval *arg = &OPLINE_OP1_LITERAL(sv);
708                char *fname = FUNCTION_CACHE->funcs[Z_LVAL(ZEND_OP1_LITERAL(fcall))].function_name;
709                int flen = FUNCTION_CACHE->funcs[Z_LVAL(ZEND_OP1_LITERAL(fcall))].name_len;
710                if(flen == sizeof("defined")-1 && zend_binary_strcasecmp(fname, flen, "defined", sizeof("defined")-1) == 0) {
711                    zval c;
712                    if(zend_optimizer_get_persistent_constant(Z_STR_P(arg), &c, 0 ELS_CC) != 0) {
713                        literal_dtor(arg);
714                        MAKE_NOP(sv);
715                        MAKE_NOP(fcall);
716                        LITERAL_BOOL(opline->op1, 1);
717                        ZEND_OP1_TYPE(opline) = IS_CONST;
718                    }
719                } else if((flen == sizeof("function_exists")-1 && zend_binary_strcasecmp(fname, flen, "function_exists", sizeof("function_exists")-1) == 0) ||
720                          (flen == sizeof("is_callable")-1 && zend_binary_strcasecmp(fname, flen, "is_callable", sizeof("is_callable")-1) == 0)
721                          ) {
722                    zend_function *function;
723                    if((function = zend_hash_find_ptr(EG(function_table), Z_STR_P(arg))) != NULL) {
724                        literal_dtor(arg);
725                        MAKE_NOP(sv);
726                        MAKE_NOP(fcall);
727                        LITERAL_BOOL(opline->op1, 1);
728                        ZEND_OP1_TYPE(opline) = IS_CONST;
729                    }
730                } else if(flen == sizeof("constant")-1 && zend_binary_strcasecmp(fname, flen, "constant", sizeof("constant")-1) == 0) {
731                    zval c;
732                    if(zend_optimizer_get_persistent_constant(Z_STR_P(arg), &c, 1 ELS_CC) != 0) {
733                        literal_dtor(arg);
734                        MAKE_NOP(sv);
735                        MAKE_NOP(fcall);
736                        ZEND_OP1_LITERAL(opline) = zend_optimizer_add_literal(op_array, &c);
737                        /* no copy ctor - get already copied it */
738                        ZEND_OP1_TYPE(opline) = IS_CONST;
739                    }
740                } else if(flen == sizeof("extension_loaded")-1 && zend_binary_strcasecmp(fname, flen, "extension_loaded", sizeof("extension_loaded")-1) == 0) {
741                    if(zend_hash_exists(&module_registry, Z_STR_P(arg))) {
742                        literal_dtor(arg);
743                        MAKE_NOP(sv);
744                        MAKE_NOP(fcall);
745                        LITERAL_BOOL(opline->op1, 1);
746                        ZEND_OP1_TYPE(opline) = IS_CONST;
747                    }
748                }
749            }
750        }
751#endif
752
753        /* IS_EQ(TRUE, X)      => BOOL(X)
754         * IS_EQ(FALSE, X)     => BOOL_NOT(X)
755         * IS_NOT_EQ(TRUE, X)  => BOOL_NOT(X)
756         * IS_NOT_EQ(FALSE, X) => BOOL(X)
757         * CASE(TRUE, X)       => BOOL(X)
758         * CASE(FALSE, X)      => BOOL_NOT(X)
759         */
760        if (opline->opcode == ZEND_IS_EQUAL ||
761            opline->opcode == ZEND_IS_NOT_EQUAL ||
762            opline->opcode == ZEND_CASE) {
763            if (ZEND_OP1_TYPE(opline) == IS_CONST &&
764// TODO: Optimization of comparison with null may be not safe ???
765#if 1
766                (Z_TYPE(ZEND_OP1_LITERAL(opline)) == IS_FALSE ||
767                 Z_TYPE(ZEND_OP1_LITERAL(opline)) == IS_TRUE)) {
768#else
769                 Z_TYPE(ZEND_OP1_LITERAL(opline)) <= IS_TRUE) {
770#endif
771                opline->opcode =
772                    ((opline->opcode != ZEND_IS_NOT_EQUAL) == ((Z_TYPE(ZEND_OP1_LITERAL(opline))) == IS_TRUE)) ?
773                    ZEND_BOOL : ZEND_BOOL_NOT;
774                COPY_NODE(opline->op1, opline->op2);
775                SET_UNUSED(opline->op2);
776            } else if (ZEND_OP2_TYPE(opline) == IS_CONST &&
777// TODO: Optimization of comparison with null may be not safe ???
778#if 1
779                       (Z_TYPE(ZEND_OP2_LITERAL(opline)) == IS_FALSE ||
780                        Z_TYPE(ZEND_OP2_LITERAL(opline)) == IS_TRUE)) {
781#else
782                        Z_TYPE(ZEND_OP2_LITERAL(opline)) <= IS_TRUE) {
783#endif
784                opline->opcode =
785                    ((opline->opcode != ZEND_IS_NOT_EQUAL) == ((Z_TYPE(ZEND_OP2_LITERAL(opline))) == IS_TRUE)) ?
786                    ZEND_BOOL : ZEND_BOOL_NOT;
787                SET_UNUSED(opline->op2);
788            }
789        }
790
791        if ((opline->opcode == ZEND_BOOL ||
792            opline->opcode == ZEND_BOOL_NOT ||
793            opline->opcode == ZEND_JMPZ ||
794            opline->opcode == ZEND_JMPNZ ||
795            opline->opcode == ZEND_JMPZNZ) &&
796            ZEND_OP1_TYPE(opline) == IS_TMP_VAR &&
797            VAR_SOURCE(opline->op1) != NULL &&
798            !used_ext[VAR_NUM(ZEND_OP1(opline).var)] &&
799            VAR_SOURCE(opline->op1)->opcode == ZEND_BOOL_NOT) {
800            /* T = BOOL_NOT(X) + JMPZ(T) -> NOP, JMPNZ(X) */
801            zend_op *src = VAR_SOURCE(opline->op1);
802
803            COPY_NODE(opline->op1, src->op1);
804
805            switch (opline->opcode) {
806                case ZEND_BOOL:
807                    /* T = BOOL_NOT(X) + BOOL(T) -> NOP, BOOL_NOT(X) */
808                    opline->opcode = ZEND_BOOL_NOT;
809                    break;
810                case ZEND_BOOL_NOT:
811                    /* T = BOOL_NOT(X) + BOOL_BOOL(T) -> NOP, BOOL(X) */
812                    opline->opcode = ZEND_BOOL;
813                    break;
814                case ZEND_JMPZ:
815                    /* T = BOOL_NOT(X) + JMPZ(T,L) -> NOP, JMPNZ(X,L) */
816                    opline->opcode = ZEND_JMPNZ;
817                    break;
818                case ZEND_JMPNZ:
819                    /* T = BOOL_NOT(X) + JMPNZ(T,L) -> NOP, JMPZ(X,L) */
820                    opline->opcode = ZEND_JMPZ;
821                    break;
822                case ZEND_JMPZNZ:
823                {
824                    /* T = BOOL_NOT(X) + JMPZNZ(T,L1,L2) -> NOP, JMPZNZ(X,L2,L1) */
825                    int op_t;
826                    zend_code_block *op_b;
827
828                    op_t = opline->extended_value;
829                    opline->extended_value = ZEND_OP2(opline).opline_num;
830                    ZEND_OP2(opline).opline_num = op_t;
831
832                    op_b = block->ext_to;
833                    block->ext_to = block->op2_to;
834                    block->op2_to = op_b;
835                }
836                break;
837            }
838
839            VAR_UNSET(opline->op1);
840            MAKE_NOP(src);
841            continue;
842        } else
843#if 0
844        /* T = BOOL_NOT(X) + T = JMPZ_EX(T, X) -> T = BOOL_NOT(X), JMPNZ(X) */
845        if(0 && (opline->opcode == ZEND_JMPZ_EX ||
846            opline->opcode == ZEND_JMPNZ_EX) &&
847           ZEND_OP1_TYPE(opline) == IS_TMP_VAR &&
848           VAR_SOURCE(opline->op1) != NULL &&
849           VAR_SOURCE(opline->op1)->opcode == ZEND_BOOL_NOT &&
850           ZEND_OP1(opline).var == ZEND_RESULT(opline).var
851           ) {
852            zend_op *src = VAR_SOURCE(opline->op1);
853            if(opline->opcode == ZEND_JMPZ_EX) {
854                opline->opcode = ZEND_JMPNZ;
855            } else {
856                opline->opcode = ZEND_JMPZ;
857            }
858            COPY_NODE(opline->op1, src->op1);
859            SET_UNUSED(opline->result);
860            continue;
861        } else
862#endif
863        /* T = BOOL(X) + JMPZ(T) -> NOP, JMPZ(X) */
864        if ((opline->opcode == ZEND_BOOL ||
865            opline->opcode == ZEND_BOOL_NOT ||
866            opline->opcode == ZEND_JMPZ ||
867            opline->opcode == ZEND_JMPZ_EX ||
868            opline->opcode == ZEND_JMPNZ_EX ||
869            opline->opcode == ZEND_JMPNZ ||
870            opline->opcode == ZEND_JMPZNZ) &&
871            (ZEND_OP1_TYPE(opline) & (IS_TMP_VAR|IS_VAR)) &&
872            VAR_SOURCE(opline->op1) != NULL &&
873            (!used_ext[VAR_NUM(ZEND_OP1(opline).var)] ||
874            ((ZEND_RESULT_TYPE(opline) & (IS_TMP_VAR|IS_VAR)) &&
875             ZEND_RESULT(opline).var == ZEND_OP1(opline).var)) &&
876            (VAR_SOURCE(opline->op1)->opcode == ZEND_BOOL ||
877            VAR_SOURCE(opline->op1)->opcode == ZEND_QM_ASSIGN)) {
878            zend_op *src = VAR_SOURCE(opline->op1);
879            COPY_NODE(opline->op1, src->op1);
880
881            VAR_UNSET(opline->op1);
882            MAKE_NOP(src);
883            continue;
884        } else if (last_op && opline->opcode == ZEND_ECHO &&
885                  last_op->opcode == ZEND_ECHO &&
886                  ZEND_OP1_TYPE(opline) == IS_CONST &&
887                  Z_TYPE(ZEND_OP1_LITERAL(opline)) != IS_DOUBLE &&
888                  ZEND_OP1_TYPE(last_op) == IS_CONST &&
889                  Z_TYPE(ZEND_OP1_LITERAL(last_op)) != IS_DOUBLE) {
890            /* compress consecutive ECHO's.
891             * Float to string conversion may be affected by current
892             * locale setting.
893             */
894            int l, old_len;
895
896            if (Z_TYPE(ZEND_OP1_LITERAL(opline)) != IS_STRING) {
897                convert_to_string_safe(&ZEND_OP1_LITERAL(opline));
898            }
899            if (Z_TYPE(ZEND_OP1_LITERAL(last_op)) != IS_STRING) {
900                convert_to_string_safe(&ZEND_OP1_LITERAL(last_op));
901            }
902            old_len = Z_STRLEN(ZEND_OP1_LITERAL(last_op));
903            l = old_len + Z_STRLEN(ZEND_OP1_LITERAL(opline));
904            if (!Z_REFCOUNTED(ZEND_OP1_LITERAL(last_op))) {
905                zend_string *tmp = zend_string_alloc(l, 0);
906                memcpy(tmp->val, Z_STRVAL(ZEND_OP1_LITERAL(last_op)), old_len);
907                Z_STR(ZEND_OP1_LITERAL(last_op)) = tmp;
908            } else {
909                Z_STR(ZEND_OP1_LITERAL(last_op)) = zend_string_extend(Z_STR(ZEND_OP1_LITERAL(last_op)), l, 0);
910            }
911            Z_TYPE_INFO(ZEND_OP1_LITERAL(last_op)) = IS_STRING_EX;
912            memcpy(Z_STRVAL(ZEND_OP1_LITERAL(last_op)) + old_len, Z_STRVAL(ZEND_OP1_LITERAL(opline)), Z_STRLEN(ZEND_OP1_LITERAL(opline)));
913            Z_STRVAL(ZEND_OP1_LITERAL(last_op))[l] = '\0';
914            zval_dtor(&ZEND_OP1_LITERAL(opline));
915            Z_STR(ZEND_OP1_LITERAL(opline)) = zend_new_interned_string(Z_STR(ZEND_OP1_LITERAL(last_op)));
916            if (!Z_REFCOUNTED(ZEND_OP1_LITERAL(opline))) {
917                Z_TYPE_FLAGS(ZEND_OP1_LITERAL(opline)) &= ~ (IS_TYPE_REFCOUNTED | IS_TYPE_COPYABLE);
918            }
919            ZVAL_NULL(&ZEND_OP1_LITERAL(last_op));
920            MAKE_NOP(last_op);
921        } else if ((opline->opcode == ZEND_CONCAT) &&
922                  ZEND_OP2_TYPE(opline) == IS_CONST &&
923                  ZEND_OP1_TYPE(opline) == IS_TMP_VAR &&
924                  VAR_SOURCE(opline->op1) &&
925                  (VAR_SOURCE(opline->op1)->opcode == ZEND_CONCAT ||
926                   VAR_SOURCE(opline->op1)->opcode == ZEND_FAST_CONCAT) &&
927                  ZEND_OP2_TYPE(VAR_SOURCE(opline->op1)) == IS_CONST &&
928                  ZEND_RESULT(VAR_SOURCE(opline->op1)).var == ZEND_OP1(opline).var) {
929            /* compress consecutive CONCAT/ADD_STRING/ADD_CHARs */
930            zend_op *src = VAR_SOURCE(opline->op1);
931            int l, old_len;
932
933            if (Z_TYPE(ZEND_OP2_LITERAL(opline)) != IS_STRING) {
934                convert_to_string_safe(&ZEND_OP2_LITERAL(opline));
935            }
936            if (Z_TYPE(ZEND_OP2_LITERAL(src)) != IS_STRING) {
937                convert_to_string_safe(&ZEND_OP2_LITERAL(src));
938            }
939
940            VAR_UNSET(opline->op1);
941            COPY_NODE(opline->op1, src->op1);
942            old_len = Z_STRLEN(ZEND_OP2_LITERAL(src));
943            l = old_len + Z_STRLEN(ZEND_OP2_LITERAL(opline));
944            if (!Z_REFCOUNTED(ZEND_OP2_LITERAL(src))) {
945                zend_string *tmp = zend_string_alloc(l, 0);
946                memcpy(tmp->val, Z_STRVAL(ZEND_OP2_LITERAL(src)), old_len);
947                Z_STR(ZEND_OP2_LITERAL(last_op)) = tmp;
948            } else {
949                Z_STR(ZEND_OP2_LITERAL(src)) = zend_string_extend(Z_STR(ZEND_OP2_LITERAL(src)), l, 0);
950            }
951            Z_TYPE_INFO(ZEND_OP2_LITERAL(last_op)) = IS_STRING_EX;
952            memcpy(Z_STRVAL(ZEND_OP2_LITERAL(src)) + old_len, Z_STRVAL(ZEND_OP2_LITERAL(opline)), Z_STRLEN(ZEND_OP2_LITERAL(opline)));
953            Z_STRVAL(ZEND_OP2_LITERAL(src))[l] = '\0';
954            zend_string_release(Z_STR(ZEND_OP2_LITERAL(opline)));
955            Z_STR(ZEND_OP2_LITERAL(opline)) = zend_new_interned_string(Z_STR(ZEND_OP2_LITERAL(src)));
956            if (!Z_REFCOUNTED(ZEND_OP2_LITERAL(opline))) {
957                Z_TYPE_FLAGS(ZEND_OP2_LITERAL(opline)) &= ~ (IS_TYPE_REFCOUNTED | IS_TYPE_COPYABLE);
958            }
959            ZVAL_NULL(&ZEND_OP2_LITERAL(src));
960            MAKE_NOP(src);
961        } else if ((opline->opcode == ZEND_ADD ||
962                    opline->opcode == ZEND_SUB ||
963                    opline->opcode == ZEND_MUL ||
964                    opline->opcode == ZEND_DIV ||
965                    opline->opcode == ZEND_MOD ||
966                    opline->opcode == ZEND_SL ||
967                    opline->opcode == ZEND_SR ||
968                    opline->opcode == ZEND_CONCAT ||
969                    opline->opcode == ZEND_FAST_CONCAT ||
970                    opline->opcode == ZEND_IS_EQUAL ||
971                    opline->opcode == ZEND_IS_NOT_EQUAL ||
972                    opline->opcode == ZEND_IS_SMALLER ||
973                    opline->opcode == ZEND_IS_SMALLER_OR_EQUAL ||
974                    opline->opcode == ZEND_IS_IDENTICAL ||
975                    opline->opcode == ZEND_IS_NOT_IDENTICAL ||
976                    opline->opcode == ZEND_BOOL_XOR ||
977                    opline->opcode == ZEND_BW_OR ||
978                    opline->opcode == ZEND_BW_AND ||
979                    opline->opcode == ZEND_BW_XOR) &&
980                    ZEND_OP1_TYPE(opline)==IS_CONST &&
981                    ZEND_OP2_TYPE(opline)==IS_CONST) {
982            /* evaluate constant expressions */
983            binary_op_type binary_op = get_binary_op(opline->opcode);
984            zval result;
985            int er;
986
987            if ((opline->opcode == ZEND_DIV || opline->opcode == ZEND_MOD) &&
988                ((Z_TYPE(ZEND_OP2_LITERAL(opline)) == IS_LONG &&
989                  Z_LVAL(ZEND_OP2_LITERAL(opline)) == 0) ||
990                 (Z_TYPE(ZEND_OP2_LITERAL(opline)) == IS_DOUBLE &&
991                  Z_DVAL(ZEND_OP2_LITERAL(opline)) == 0.0))) {
992                if (RESULT_USED(opline)) {
993                    SET_VAR_SOURCE(opline);
994                }
995                opline++;
996                continue;
997            }
998            er = EG(error_reporting);
999            EG(error_reporting) = 0;
1000            if (binary_op(&result, &ZEND_OP1_LITERAL(opline), &ZEND_OP2_LITERAL(opline)) == SUCCESS) {
1001                literal_dtor(&ZEND_OP1_LITERAL(opline));
1002                literal_dtor(&ZEND_OP2_LITERAL(opline));
1003                opline->opcode = ZEND_QM_ASSIGN;
1004                SET_UNUSED(opline->op2);
1005                zend_optimizer_update_op1_const(op_array, opline, &result);
1006            }
1007            EG(error_reporting) = er;
1008        } else if ((opline->opcode == ZEND_BOOL ||
1009                    opline->opcode == ZEND_BOOL_NOT ||
1010                    opline->opcode == ZEND_BW_NOT) && ZEND_OP1_TYPE(opline) == IS_CONST) {
1011            /* evaluate constant unary ops */
1012            unary_op_type unary_op = get_unary_op(opline->opcode);
1013            zval result;
1014
1015            if (unary_op) {
1016                unary_op(&result, &ZEND_OP1_LITERAL(opline));
1017                literal_dtor(&ZEND_OP1_LITERAL(opline));
1018            } else {
1019                /* BOOL */
1020                result = ZEND_OP1_LITERAL(opline);
1021                convert_to_boolean(&result);
1022                ZVAL_NULL(&ZEND_OP1_LITERAL(opline));
1023            }
1024            opline->opcode = ZEND_QM_ASSIGN;
1025            zend_optimizer_update_op1_const(op_array, opline, &result);
1026        } else if ((opline->opcode == ZEND_RETURN || opline->opcode == ZEND_EXIT) &&
1027                    (ZEND_OP1_TYPE(opline) & (IS_TMP_VAR|IS_VAR)) &&
1028                    VAR_SOURCE(opline->op1) &&
1029                    VAR_SOURCE(opline->op1)->opcode == ZEND_QM_ASSIGN) {
1030            /* T = QM_ASSIGN(X), RETURN(T) to RETURN(X) */
1031            zend_op *src = VAR_SOURCE(opline->op1);
1032            VAR_UNSET(opline->op1);
1033            COPY_NODE(opline->op1, src->op1);
1034            MAKE_NOP(src);
1035        } else if (opline->opcode == ZEND_CONCAT || opline->opcode == ZEND_FAST_CONCAT) {
1036            if ((ZEND_OP1_TYPE(opline) & (IS_TMP_VAR|IS_VAR)) &&
1037                VAR_SOURCE(opline->op1) &&
1038                VAR_SOURCE(opline->op1)->opcode == ZEND_CAST &&
1039                VAR_SOURCE(opline->op1)->extended_value == IS_STRING) {
1040                /* convert T1 = CAST(STRING, X), T2 = CONCAT(T1, Y) to T2 = CONCAT(X,Y) */
1041                zend_op *src = VAR_SOURCE(opline->op1);
1042                VAR_UNSET(opline->op1);
1043                COPY_NODE(opline->op1, src->op1);
1044                MAKE_NOP(src);
1045            }
1046            if ((ZEND_OP2_TYPE(opline) & (IS_TMP_VAR|IS_VAR)) &&
1047                VAR_SOURCE(opline->op2) &&
1048                VAR_SOURCE(opline->op2)->opcode == ZEND_CAST &&
1049                VAR_SOURCE(opline->op2)->extended_value == IS_STRING) {
1050                /* convert T1 = CAST(STRING, X), T2 = CONCAT(Y, T1) to T2 = CONCAT(Y,X) */
1051                zend_op *src = VAR_SOURCE(opline->op2);
1052                VAR_UNSET(opline->op2);
1053                COPY_NODE(opline->op2, src->op1);
1054                MAKE_NOP(src);
1055            }
1056            if (ZEND_OP1_TYPE(opline) == IS_CONST &&
1057                Z_TYPE(ZEND_OP1_LITERAL(opline)) == IS_STRING &&
1058                Z_STRLEN(ZEND_OP1_LITERAL(opline)) == 0) {
1059                /* convert CONCAT('', X) => CAST(STRING, X) */
1060                literal_dtor(&ZEND_OP1_LITERAL(opline));
1061                opline->opcode = ZEND_CAST;
1062                opline->extended_value = IS_STRING;
1063                COPY_NODE(opline->op1, opline->op2);
1064                opline->op2_type = IS_UNUSED;
1065                opline->op2.var = 0;
1066            } else if (ZEND_OP2_TYPE(opline) == IS_CONST &&
1067                       Z_TYPE(ZEND_OP2_LITERAL(opline)) == IS_STRING &&
1068                       Z_STRLEN(ZEND_OP2_LITERAL(opline)) == 0) {
1069                /* convert CONCAT(X, '') => CAST(STRING, X) */
1070                literal_dtor(&ZEND_OP2_LITERAL(opline));
1071                opline->opcode = ZEND_CAST;
1072                opline->extended_value = IS_STRING;
1073                opline->op2_type = IS_UNUSED;
1074                opline->op2.var = 0;
1075            } else if (opline->opcode == ZEND_CONCAT &&
1076                       (opline->op1_type == IS_CONST ||
1077                        (opline->op1_type == IS_TMP_VAR &&
1078                         VAR_SOURCE(opline->op1) &&
1079                         (VAR_SOURCE(opline->op1)->opcode == ZEND_FAST_CONCAT ||
1080                          VAR_SOURCE(opline->op1)->opcode == ZEND_ROPE_END ||
1081                          VAR_SOURCE(opline->op1)->opcode == ZEND_FETCH_CONSTANT))) &&
1082                       (opline->op2_type == IS_CONST ||
1083                        (opline->op2_type == IS_TMP_VAR &&
1084                         VAR_SOURCE(opline->op2) &&
1085                         (VAR_SOURCE(opline->op2)->opcode == ZEND_FAST_CONCAT ||
1086                          VAR_SOURCE(opline->op2)->opcode == ZEND_ROPE_END ||
1087                          VAR_SOURCE(opline->op2)->opcode == ZEND_FETCH_CONSTANT)))) {
1088                opline->opcode = ZEND_FAST_CONCAT;
1089            }
1090        } else if (opline->opcode == ZEND_QM_ASSIGN &&
1091                    ZEND_OP1_TYPE(opline) == ZEND_RESULT_TYPE(opline) &&
1092                    ZEND_OP1(opline).var == ZEND_RESULT(opline).var) {
1093            /* strip T = QM_ASSIGN(T) */
1094            MAKE_NOP(opline);
1095        } else if (opline->opcode == ZEND_BOOL &&
1096                    ZEND_OP1_TYPE(opline) == IS_TMP_VAR &&
1097                    VAR_SOURCE(opline->op1) &&
1098                    (VAR_SOURCE(opline->op1)->opcode == ZEND_IS_EQUAL ||
1099                    VAR_SOURCE(opline->op1)->opcode == ZEND_IS_NOT_EQUAL ||
1100                    VAR_SOURCE(opline->op1)->opcode == ZEND_IS_SMALLER ||
1101                    VAR_SOURCE(opline->op1)->opcode == ZEND_IS_SMALLER_OR_EQUAL ||
1102                    VAR_SOURCE(opline->op1)->opcode == ZEND_BOOL ||
1103                    VAR_SOURCE(opline->op1)->opcode == ZEND_IS_IDENTICAL ||
1104                    VAR_SOURCE(opline->op1)->opcode == ZEND_IS_NOT_IDENTICAL ||
1105                    VAR_SOURCE(opline->op1)->opcode == ZEND_ISSET_ISEMPTY_VAR ||
1106                    VAR_SOURCE(opline->op1)->opcode == ZEND_ISSET_ISEMPTY_DIM_OBJ) &&
1107                    !used_ext[VAR_NUM(ZEND_OP1(opline).var)]) {
1108            /* T = IS_SMALLER(X, Y), T1 = BOOL(T) => T = IS_SMALLER(X, Y), T1 = QM_ASSIGN(T) */
1109            zend_op *src = VAR_SOURCE(opline->op1);
1110            COPY_NODE(src->result, opline->result);
1111            SET_VAR_SOURCE(src);
1112            MAKE_NOP(opline);
1113        }
1114        /* get variable source */
1115        if (RESULT_USED(opline)) {
1116            SET_VAR_SOURCE(opline);
1117        }
1118        if (opline->opcode != ZEND_NOP) {
1119            last_op = opline;
1120        }
1121        opline++;
1122    }
1123
1124    strip_nop(block, ctx);
1125}
1126
1127/* Rebuild plain (optimized) op_array from CFG */
1128static void assemble_code_blocks(zend_cfg *cfg, zend_op_array *op_array)
1129{
1130    zend_code_block *blocks = cfg->blocks;
1131    zend_op *new_opcodes = emalloc(op_array->last * sizeof(zend_op));
1132    zend_op *opline = new_opcodes;
1133    zend_code_block *cur_block = blocks;
1134
1135    /* Copy code of reachable blocks into a single buffer */
1136    while (cur_block) {
1137        if (cur_block->access) {
1138            memcpy(opline, cur_block->start_opline, cur_block->len * sizeof(zend_op));
1139            cur_block->start_opline = opline;
1140            opline += cur_block->len;
1141            if ((opline - 1)->opcode == ZEND_JMP) {
1142                zend_code_block *next;
1143                next = cur_block->next;
1144                while (next && !next->access) {
1145                    next = next->next;
1146                }
1147                if (next && next == cur_block->op1_to) {
1148                    /* JMP to the next block - strip it */
1149                    cur_block->follow_to = cur_block->op1_to;
1150                    cur_block->op1_to = NULL;
1151                    MAKE_NOP((opline - 1));
1152                    opline--;
1153                    cur_block->len--;
1154                }
1155            }
1156        } else {
1157            /* this block will not be used, delete all constants there */
1158            zend_op *_opl;
1159            zend_op *end = cur_block->start_opline + cur_block->len;
1160            for (_opl = cur_block->start_opline; _opl && _opl < end; _opl++) {
1161                if (ZEND_OP1_TYPE(_opl) == IS_CONST) {
1162                    literal_dtor(&ZEND_OP1_LITERAL(_opl));
1163                }
1164                if (ZEND_OP2_TYPE(_opl) == IS_CONST) {
1165                    literal_dtor(&ZEND_OP2_LITERAL(_opl));
1166                }
1167            }
1168        }
1169        cur_block = cur_block->next;
1170    }
1171
1172    op_array->last = opline-new_opcodes;
1173
1174    /* adjust exception jump targets */
1175    if (op_array->last_try_catch) {
1176        int i, j;
1177        for (i = 0, j = 0; i< op_array->last_try_catch; i++) {
1178            if (cfg->try[i]->access) {
1179                op_array->try_catch_array[j].try_op = cfg->try[i]->start_opline - new_opcodes;
1180                op_array->try_catch_array[j].catch_op = cfg->catch[i]->start_opline - new_opcodes;
1181                j++;
1182            }
1183        }
1184        op_array->last_try_catch = j;
1185    }
1186
1187    /* adjust loop jump targets */
1188    if (op_array->last_brk_cont) {
1189        int i;
1190        for (i = 0; i< op_array->last_brk_cont; i++) {
1191            op_array->brk_cont_array[i].start = cfg->loop_start[i]->start_opline - new_opcodes;
1192            op_array->brk_cont_array[i].cont = cfg->loop_cont[i]->start_opline - new_opcodes;
1193            op_array->brk_cont_array[i].brk = cfg->loop_brk[i]->start_opline - new_opcodes;
1194        }
1195    }
1196
1197    /* adjust jump targets */
1198    for (cur_block = blocks; cur_block; cur_block = cur_block->next) {
1199        if (!cur_block->access) {
1200            continue;
1201        }
1202        opline = cur_block->start_opline + cur_block->len - 1;
1203        if (opline->opcode == ZEND_OP_DATA) {
1204            opline--;
1205        }
1206        if (cur_block->op1_to) {
1207            ZEND_OP1(opline).opline_num = cur_block->op1_to->start_opline - new_opcodes;
1208        }
1209        if (cur_block->op2_to) {
1210            ZEND_OP2(opline).opline_num = cur_block->op2_to->start_opline - new_opcodes;
1211        }
1212        if (cur_block->ext_to) {
1213            opline->extended_value = cur_block->ext_to->start_opline - new_opcodes;
1214        }
1215        print_block(cur_block, new_opcodes, "Out ");
1216    }
1217    efree(op_array->opcodes);
1218    op_array->opcodes = erealloc(new_opcodes, op_array->last * sizeof(zend_op));
1219
1220    /* adjust early binding list */
1221    if (op_array->early_binding != (uint32_t)-1) {
1222        uint32_t *opline_num = &op_array->early_binding;
1223        zend_op *end;
1224
1225        opline = op_array->opcodes;
1226        end = opline + op_array->last;
1227        while (opline < end) {
1228            if (opline->opcode == ZEND_DECLARE_INHERITED_CLASS_DELAYED) {
1229                *opline_num = opline - op_array->opcodes;
1230                opline_num = &ZEND_RESULT(opline).opline_num;
1231            }
1232            ++opline;
1233        }
1234        *opline_num = -1;
1235    }
1236}
1237
1238static void zend_jmp_optimization(zend_code_block *block, zend_op_array *op_array, zend_code_block *blocks, zend_cfg *cfg, zend_optimizer_ctx *ctx)
1239{
1240    /* last_op is the last opcode of the current block */
1241    zend_op *last_op = (block->start_opline + block->len - 1);
1242
1243    if (!block->len) {
1244        return;
1245    }
1246    switch (last_op->opcode) {
1247        case ZEND_JMP:
1248            {
1249                zend_op *target = block->op1_to->start_opline;
1250                zend_code_block *next = block->next;
1251
1252                while (next && !next->access) {
1253                    /* find used one */
1254                    next = next->next;
1255                }
1256
1257                /* JMP(next) -> NOP */
1258                if (block->op1_to == next) {
1259                    block->follow_to = block->op1_to;
1260                    block->op1_to = NULL;
1261                    MAKE_NOP(last_op);
1262                    block->len--;
1263                    if (block->len == 0) {
1264                        /* this block is nothing but NOP now */
1265                        delete_code_block(block, ctx);
1266                    }
1267                    break;
1268                }
1269
1270                if (((target->opcode == ZEND_JMP &&
1271                    block->op1_to != block->op1_to->op1_to) ||
1272                    target->opcode == ZEND_JMPZNZ) &&
1273                    !block->op1_to->protected) {
1274                    /* JMP L, L: JMP L1 -> JMP L1 */
1275                    /* JMP L, L: JMPZNZ L1,L2 -> JMPZNZ L1,L2 */
1276                    *last_op = *target;
1277                    if (ZEND_OP1_TYPE(last_op) == IS_CONST) {
1278                        zval zv = ZEND_OP1_LITERAL(last_op);
1279                        zval_copy_ctor(&zv);
1280                        last_op->op1.constant = zend_optimizer_add_literal(op_array, &zv);
1281                    }
1282                    del_source(block, block->op1_to);
1283                    if (block->op1_to->op2_to) {
1284                        block->op2_to = block->op1_to->op2_to;
1285                        ADD_SOURCE(block, block->op2_to);
1286                    }
1287                    if (block->op1_to->ext_to) {
1288                        block->ext_to = block->op1_to->ext_to;
1289                        ADD_SOURCE(block, block->ext_to);
1290                    }
1291                    if (block->op1_to->op1_to) {
1292                        block->op1_to = block->op1_to->op1_to;
1293                        ADD_SOURCE(block, block->op1_to);
1294                    } else {
1295                        block->op1_to = NULL;
1296                    }
1297                } else if (target->opcode == ZEND_RETURN ||
1298                          target->opcode == ZEND_RETURN_BY_REF ||
1299                          target->opcode == ZEND_FAST_RET ||
1300                          target->opcode == ZEND_EXIT) {
1301                    /* JMP L, L: RETURN to immediate RETURN */
1302                    *last_op = *target;
1303                    if (ZEND_OP1_TYPE(last_op) == IS_CONST) {
1304                        zval zv = ZEND_OP1_LITERAL(last_op);
1305                        zval_copy_ctor(&zv);
1306                        last_op->op1.constant = zend_optimizer_add_literal(op_array, &zv);
1307                    }
1308                    del_source(block, block->op1_to);
1309                    block->op1_to = NULL;
1310#if 0
1311                /* Temporarily disabled - see bug #0025274 */
1312                } else if (0&& block->op1_to != block &&
1313                       block->op1_to != blocks &&
1314                           op_array->last_try_catch == 0 &&
1315                           target->opcode != ZEND_FREE) {
1316                    /* Block Reordering (saves one JMP on each "for" loop iteration)
1317                     * It is disabled for some cases (ZEND_FREE)
1318                     * which may break register allocation.
1319                     */
1320                    zend_bool can_reorder = 0;
1321                    zend_block_source *cs = block->op1_to->sources;
1322
1323                    /* the "target" block doesn't had any followed block */
1324                    while(cs) {
1325                        if (cs->from->follow_to == block->op1_to) {
1326                            can_reorder = 0;
1327                            break;
1328                        }
1329                        cs = cs->next;
1330                    }
1331                    if (can_reorder) {
1332                        next = block->op1_to;
1333                        /* the "target" block is not followed by current "block" */
1334                        while (next->follow_to != NULL) {
1335                            if (next->follow_to == block) {
1336                                can_reorder = 0;
1337                                break;
1338                            }
1339                            next = next->follow_to;
1340                        }
1341                        if (can_reorder) {
1342                            zend_code_block *prev = blocks;
1343
1344                            while (prev->next != block->op1_to) {
1345                                prev = prev->next;
1346                            }
1347                            prev->next = next->next;
1348                            next->next = block->next;
1349                            block->next = block->op1_to;
1350
1351                            block->follow_to = block->op1_to;
1352                            block->op1_to = NULL;
1353                            MAKE_NOP(last_op);
1354                            block->len--;
1355                            if(block->len == 0) {
1356                                /* this block is nothing but NOP now */
1357                                delete_code_block(block, ctx);
1358                            }
1359                            break;
1360                        }
1361                    }
1362#endif
1363                }
1364            }
1365            break;
1366
1367        case ZEND_JMPZ:
1368        case ZEND_JMPNZ:
1369            /* constant conditional JMPs */
1370            if (ZEND_OP1_TYPE(last_op) == IS_CONST) {
1371                int should_jmp = zend_is_true(&ZEND_OP1_LITERAL(last_op));
1372
1373                if (last_op->opcode == ZEND_JMPZ) {
1374                    should_jmp = !should_jmp;
1375                }
1376                literal_dtor(&ZEND_OP1_LITERAL(last_op));
1377                ZEND_OP1_TYPE(last_op) = IS_UNUSED;
1378                if (should_jmp) {
1379                    /* JMPNZ(true) -> JMP */
1380                    last_op->opcode = ZEND_JMP;
1381                    COPY_NODE(last_op->op1, last_op->op2);
1382                    block->op1_to = block->op2_to;
1383                    del_source(block, block->follow_to);
1384                    block->op2_to = NULL;
1385                    block->follow_to = NULL;
1386                } else {
1387                    /* JMPNZ(false) -> NOP */
1388                    MAKE_NOP(last_op);
1389                    del_source(block, block->op2_to);
1390                    block->op2_to = NULL;
1391                }
1392                break;
1393            }
1394
1395            if (block->op2_to) {
1396                zend_uchar same_type = ZEND_OP1_TYPE(last_op);
1397                uint32_t same_var = VAR_NUM_EX(last_op->op1);
1398                zend_op *target;
1399                zend_op *target_end;
1400                zend_code_block *target_block = block->op2_to;;
1401
1402next_target:
1403                target = target_block->start_opline;
1404                target_end = target_block->start_opline + target_block->len;
1405                while (target < target_end && target->opcode == ZEND_NOP) {
1406                    target++;
1407                }
1408
1409                /* next block is only NOP's */
1410                if (target == target_end) {
1411                    target_block = target_block->follow_to;
1412                    goto next_target;
1413                } else if (target->opcode == INV_COND(last_op->opcode) &&
1414                    /* JMPZ(X, L), L: JMPNZ(X, L2) -> JMPZ(X, L+1) */
1415                   (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1416                   same_type == ZEND_OP1_TYPE(target) &&
1417                   same_var == VAR_NUM_EX(target->op1) &&
1418                   target_block->follow_to &&
1419                   !target_block->protected
1420                   ) {
1421                    del_source(block, block->op2_to);
1422                    block->op2_to = target_block->follow_to;
1423                    ADD_SOURCE(block, block->op2_to);
1424                } else if (target->opcode == INV_COND_EX(last_op->opcode) &&
1425                            (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1426                            same_type == ZEND_OP1_TYPE(target) &&
1427                            same_var == VAR_NUM_EX(target->op1) &&
1428                            target_block->follow_to &&
1429                            !target_block->protected) {
1430                    /* JMPZ(X, L), L: X = JMPNZ_EX(X, L2) -> JMPZ(X, L+1) */
1431                    last_op->opcode += 3;
1432                    last_op->result = target->result;
1433                    del_source(block, block->op2_to);
1434                    block->op2_to = target_block->follow_to;
1435                    ADD_SOURCE(block, block->op2_to);
1436                } else if (target_block->op2_to &&
1437                           target->opcode == last_op->opcode &&
1438                           (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1439                           same_type == ZEND_OP1_TYPE(target) &&
1440                           same_var == VAR_NUM_EX(target->op1) &&
1441                           !target_block->protected) {
1442                    /* JMPZ(X, L), L: JMPZ(X, L2) -> JMPZ(X, L2) */
1443                    del_source(block, block->op2_to);
1444                    block->op2_to = target_block->op2_to;
1445                    ADD_SOURCE(block, block->op2_to);
1446                } else if (target_block->op1_to &&
1447                            target->opcode == ZEND_JMP &&
1448                            !target_block->protected) {
1449                    /* JMPZ(X, L), L: JMP(L2) -> JMPZ(X, L2) */
1450                    del_source(block, block->op2_to);
1451                    block->op2_to = target_block->op1_to;
1452                    ADD_SOURCE(block, block->op2_to);
1453                } else if (target_block->op2_to &&
1454                            target_block->ext_to &&
1455                            target->opcode == ZEND_JMPZNZ &&
1456                            (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1457                            same_type == ZEND_OP1_TYPE(target) &&
1458                            same_var == VAR_NUM_EX(target->op1) &&
1459                            !target_block->protected) {
1460                    /* JMPZ(X, L), L: JMPZNZ(X, L2, L3) -> JMPZ(X, L2) */
1461                    del_source(block, block->op2_to);
1462                    if (last_op->opcode == ZEND_JMPZ) {
1463                        block->op2_to = target_block->op2_to;
1464                    } else {
1465                        block->op2_to = target_block->ext_to;
1466                    }
1467                    ADD_SOURCE(block, block->op2_to);
1468                }
1469            }
1470
1471            if (block->follow_to &&
1472                (last_op->opcode == ZEND_JMPZ || last_op->opcode == ZEND_JMPNZ)) {
1473                zend_op *target;
1474                zend_op *target_end;
1475
1476                while (1) {
1477                    target = block->follow_to->start_opline;
1478                    target_end = block->follow_to->start_opline + block->follow_to->len;
1479                    while (target < target_end && target->opcode == ZEND_NOP) {
1480                        target++;
1481                    }
1482
1483                    /* next block is only NOP's */
1484                    if (target == target_end && ! block->follow_to->protected) {
1485                        del_source(block, block->follow_to);
1486                        block->follow_to = block->follow_to->follow_to;
1487                        ADD_SOURCE(block, block->follow_to);
1488                    } else {
1489                        break;
1490                    }
1491                }
1492                /* JMPZ(X,L1), JMP(L2) -> JMPZNZ(X,L1,L2) */
1493                if (target->opcode == ZEND_JMP &&
1494                    block->follow_to->op1_to &&
1495                    !block->follow_to->protected) {
1496                    del_source(block, block->follow_to);
1497                    if (last_op->opcode == ZEND_JMPZ) {
1498                        block->ext_to = block->follow_to->op1_to;
1499                        ADD_SOURCE(block, block->ext_to);
1500                    } else {
1501                        block->ext_to = block->op2_to;
1502                        block->op2_to = block->follow_to->op1_to;
1503                        ADD_SOURCE(block, block->op2_to);
1504                    }
1505                    block->follow_to = NULL;
1506                    last_op->opcode = ZEND_JMPZNZ;
1507                }
1508            }
1509            break;
1510
1511        case ZEND_JMPNZ_EX:
1512        case ZEND_JMPZ_EX:
1513            /* constant conditional JMPs */
1514            if (ZEND_OP1_TYPE(last_op) == IS_CONST) {
1515                int should_jmp = zend_is_true(&ZEND_OP1_LITERAL(last_op));
1516
1517                if (last_op->opcode == ZEND_JMPZ_EX) {
1518                    should_jmp = !should_jmp;
1519                }
1520                if (!should_jmp) {
1521                    /* T = JMPZ_EX(true,L)   -> T = QM_ASSIGN(true)
1522                     * T = JMPNZ_EX(false,L) -> T = QM_ASSIGN(false)
1523                     */
1524                    last_op->opcode = ZEND_QM_ASSIGN;
1525                    SET_UNUSED(last_op->op2);
1526                    del_source(block, block->op2_to);
1527                    block->op2_to = NULL;
1528                }
1529                break;
1530            }
1531
1532            if (block->op2_to) {
1533                zend_op *target, *target_end;
1534                char *same_t=NULL;
1535                zend_code_block *target_block;
1536                int var_num = op_array->last_var + op_array->T;
1537
1538                if (var_num <= 0) {
1539                    return;
1540                }
1541                same_t = cfg->same_t;
1542                memset(same_t, 0, var_num);
1543                same_t[VAR_NUM_EX(last_op->op1)] |= ZEND_OP1_TYPE(last_op);
1544                same_t[VAR_NUM_EX(last_op->result)] |= ZEND_RESULT_TYPE(last_op);
1545                target_block = block->op2_to;
1546next_target_ex:
1547                target = target_block->start_opline;
1548                target_end = target_block->start_opline + target_block->len;
1549                while (target < target_end && target->opcode == ZEND_NOP) {
1550                    target++;
1551                }
1552                /* next block is only NOP's */
1553                if (target == target_end) {
1554                    target_block = target_block->follow_to;
1555                    goto next_target_ex;
1556                } else if (target_block->op2_to &&
1557                           target->opcode == last_op->opcode-3 &&
1558                           (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1559                           (same_t[VAR_NUM_EX(target->op1)] & ZEND_OP1_TYPE(target)) != 0 &&
1560                           !target_block->protected) {
1561                    /* T = JMPZ_EX(X, L1), L1: JMPZ({X|T}, L2) -> T = JMPZ_EX(X, L2) */
1562                    del_source(block, block->op2_to);
1563                    block->op2_to = target_block->op2_to;
1564                    ADD_SOURCE(block, block->op2_to);
1565                } else if (target_block->op2_to &&
1566                           target->opcode == INV_EX_COND(last_op->opcode) &&
1567                           (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1568                           (same_t[VAR_NUM_EX(target->op1)] & ZEND_OP1_TYPE(target)) != 0 &&
1569                           !target_block->protected) {
1570                    /* T = JMPZ_EX(X, L1), L1: JMPNZ({X|T1}, L2) -> T = JMPZ_EX(X, L1+1) */
1571                    del_source(block, block->op2_to);
1572                    block->op2_to = target_block->follow_to;
1573                    ADD_SOURCE(block, block->op2_to);
1574                } else if (target_block->op2_to &&
1575                           target->opcode == INV_EX_COND_EX(last_op->opcode) &&
1576                           (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1577                           (same_t[VAR_NUM_EX(target->op1)] & ZEND_OP1_TYPE(target)) != 0 &&
1578                           (same_t[VAR_NUM_EX(target->result)] & ZEND_RESULT_TYPE(target)) != 0 &&
1579                           !target_block->protected) {
1580                    /* T = JMPZ_EX(X, L1), L1: T = JMPNZ_EX(T, L2) -> T = JMPZ_EX(X, L1+1) */
1581                    del_source(block, block->op2_to);
1582                    block->op2_to = target_block->follow_to;
1583                    ADD_SOURCE(block, block->op2_to);
1584                } else if (target_block->op2_to &&
1585                           target->opcode == last_op->opcode &&
1586                           (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1587                           (same_t[VAR_NUM_EX(target->op1)] & ZEND_OP1_TYPE(target)) != 0 &&
1588                           (same_t[VAR_NUM_EX(target->result)] & ZEND_RESULT_TYPE(target)) != 0 &&
1589                           !target_block->protected) {
1590                    /* T = JMPZ_EX(X, L1), L1: T = JMPZ({X|T}, L2) -> T = JMPZ_EX(X, L2) */
1591                    del_source(block, block->op2_to);
1592                    block->op2_to = target_block->op2_to;
1593                    ADD_SOURCE(block, block->op2_to);
1594                } else if (target_block->op1_to &&
1595                           target->opcode == ZEND_JMP &&
1596                           !target_block->protected) {
1597                    /* T = JMPZ_EX(X, L), L: JMP(L2) -> T = JMPZ(X, L2) */
1598                    del_source(block, block->op2_to);
1599                    block->op2_to = target_block->op1_to;
1600                    ADD_SOURCE(block, block->op2_to);
1601                } else if (target_block->op2_to &&
1602                           target_block->ext_to &&
1603                           target->opcode == ZEND_JMPZNZ &&
1604                           (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1605                           (same_t[VAR_NUM_EX(target->op1)] & ZEND_OP1_TYPE(target)) != 0 &&
1606                           !target_block->protected) {
1607                    /* T = JMPZ_EX(X, L), L: JMPZNZ({X|T}, L2, L3) -> T = JMPZ_EX(X, L2) */
1608                    del_source(block, block->op2_to);
1609                    if (last_op->opcode == ZEND_JMPZ_EX) {
1610                        block->op2_to = target_block->op2_to;
1611                    } else {
1612                        block->op2_to = target_block->ext_to;
1613                    }
1614                    ADD_SOURCE(block, block->op2_to);
1615                }
1616            }
1617            break;
1618
1619        case ZEND_JMPZNZ: {
1620            zend_code_block *next = block->next;
1621
1622            while (next && !next->access) {
1623                /* find first accessed one */
1624                next = next->next;
1625            }
1626
1627            if (ZEND_OP1_TYPE(last_op) == IS_CONST) {
1628                if (!zend_is_true(&ZEND_OP1_LITERAL(last_op))) {
1629                    /* JMPZNZ(false,L1,L2) -> JMP(L1) */
1630                    zend_code_block *todel;
1631
1632                    literal_dtor(&ZEND_OP1_LITERAL(last_op));
1633                    last_op->opcode = ZEND_JMP;
1634                    SET_UNUSED(last_op->op1);
1635                    SET_UNUSED(last_op->op2);
1636                    block->op1_to = block->op2_to;
1637                    todel = block->ext_to;
1638                    block->op2_to = NULL;
1639                    block->ext_to = NULL;
1640                    del_source(block, todel);
1641                } else {
1642                    /* JMPZNZ(true,L1,L2) -> JMP(L2) */
1643                    zend_code_block *todel;
1644
1645                    literal_dtor(&ZEND_OP1_LITERAL(last_op));
1646                    last_op->opcode = ZEND_JMP;
1647                    SET_UNUSED(last_op->op1);
1648                    SET_UNUSED(last_op->op2);
1649                    block->op1_to = block->ext_to;
1650                    todel =  block->op2_to;
1651                    block->op2_to = NULL;
1652                    block->ext_to = NULL;
1653                    del_source(block, todel);
1654                }
1655            } else if (block->op2_to == block->ext_to) {
1656                /* both goto the same one - it's JMP */
1657                if (!(last_op->op1_type & (IS_VAR|IS_TMP_VAR))) {
1658                    /* JMPZNZ(?,L,L) -> JMP(L) */
1659                    last_op->opcode = ZEND_JMP;
1660                    SET_UNUSED(last_op->op1);
1661                    SET_UNUSED(last_op->op2);
1662                    block->op1_to = block->op2_to;
1663                    block->op2_to = NULL;
1664                    block->ext_to = NULL;
1665                }
1666            } else if (block->op2_to == next) {
1667                /* jumping to next on Z - can follow to it and jump only on NZ */
1668                /* JMPZNZ(X,L1,L2) L1: -> JMPNZ(X,L2) */
1669                last_op->opcode = ZEND_JMPNZ;
1670                block->op2_to = block->ext_to;
1671                block->follow_to = next;
1672                block->ext_to = NULL;
1673                /* no need to add source - it's block->op2_to */
1674            } else if (block->ext_to == next) {
1675                /* jumping to next on NZ - can follow to it and jump only on Z */
1676                /* JMPZNZ(X,L1,L2) L2: -> JMPZ(X,L1) */
1677                last_op->opcode = ZEND_JMPZ;
1678                block->follow_to = next;
1679                block->ext_to = NULL;
1680                /* no need to add source - it's block->ext_to */
1681            }
1682
1683            if (last_op->opcode == ZEND_JMPZNZ && block->op2_to) {
1684                zend_uchar same_type = ZEND_OP1_TYPE(last_op);
1685                zend_uchar same_var = VAR_NUM_EX(last_op->op1);
1686                zend_op *target;
1687                zend_op *target_end;
1688                zend_code_block *target_block = block->op2_to;
1689
1690next_target_znz:
1691                target = target_block->start_opline;
1692                target_end = target_block->start_opline + target_block->len;
1693                while (target < target_end && target->opcode == ZEND_NOP) {
1694                    target++;
1695                }
1696                /* next block is only NOP's */
1697                if (target == target_end) {
1698                    target_block = target_block->follow_to;
1699                    goto next_target_znz;
1700                } else if (target_block->op2_to &&
1701                           (target->opcode == ZEND_JMPZ || target->opcode == ZEND_JMPZNZ) &&
1702                           (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1703                           same_type == ZEND_OP1_TYPE(target) &&
1704                           same_var == VAR_NUM_EX(target->op1) &&
1705                           !target_block->protected) {
1706                    /* JMPZNZ(X, L1, L2), L1: JMPZ(X, L3) -> JMPZNZ(X, L3, L2) */
1707                    del_source(block, block->op2_to);
1708                    block->op2_to = target_block->op2_to;
1709                    ADD_SOURCE(block, block->op2_to);
1710                } else if (target->opcode == ZEND_JMPNZ &&
1711                           (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1712                           same_type == ZEND_OP1_TYPE(target) &&
1713                           same_var == VAR_NUM_EX(target->op1) &&
1714                           target_block->follow_to &&
1715                           !target_block->protected) {
1716                    /* JMPZNZ(X, L1, L2), L1: X = JMPNZ(X, L3) -> JMPZNZ(X, L1+1, L2) */
1717                    del_source(block, block->op2_to);
1718                    block->op2_to = target_block->follow_to;
1719                    ADD_SOURCE(block, block->op2_to);
1720                } else if (target_block->op1_to &&
1721                           target->opcode == ZEND_JMP &&
1722                           !target_block->protected) {
1723                    /* JMPZNZ(X, L1, L2), L1: JMP(L3) -> JMPZNZ(X, L3, L2) */
1724                    del_source(block, block->op2_to);
1725                    block->op2_to = target_block->op1_to;
1726                    ADD_SOURCE(block, block->op2_to);
1727                }
1728            }
1729            break;
1730        }
1731    }
1732}
1733
1734/* Global data dependencies */
1735
1736#define T_USAGE(op) do { \
1737        if ((op ## _type & (IS_VAR | IS_TMP_VAR)) && \
1738           !defined_here[VAR_NUM(op.var)] && !used_ext[VAR_NUM(op.var)]) {  \
1739            used_ext[VAR_NUM(op.var)] = 1;                                  \
1740        } \
1741    } while (0)
1742
1743#define NEVER_USED(op) ((op ## _type & (IS_VAR | IS_TMP_VAR)) && !usage[VAR_NUM(op.var)]) /* !used_ext[op.var] && */
1744#define RES_NEVER_USED(opline) (opline->result_type == IS_UNUSED || NEVER_USED(opline->result))
1745
1746/* Find a set of variables which are used outside of the block where they are
1747 * defined. We won't apply some optimization patterns for such variables. */
1748static void zend_t_usage(zend_code_block *block, zend_op_array *op_array, char *used_ext, zend_optimizer_ctx *ctx)
1749{
1750    zend_code_block *next_block = block->next;
1751    char *usage;
1752    char *defined_here;
1753    void *checkpoint;
1754
1755    if (op_array->T == 0) {
1756        /* shortcut - if no Ts, nothing to do */
1757        return;
1758    }
1759
1760    checkpoint = zend_arena_checkpoint(ctx->arena);
1761    usage = zend_arena_alloc(&ctx->arena, op_array->last_var + op_array->T);
1762    memset(usage, 0, op_array->last_var + op_array->T);
1763    defined_here = zend_arena_alloc(&ctx->arena, op_array->last_var + op_array->T);
1764
1765    while (next_block) {
1766        zend_op *opline = next_block->start_opline;
1767        zend_op *end = opline + next_block->len;
1768
1769        if (!next_block->access) {
1770            next_block = next_block->next;
1771            continue;
1772        }
1773        memset(defined_here, 0, op_array->last_var + op_array->T);
1774
1775        while (opline<end) {
1776            T_USAGE(opline->op1);
1777            if (opline->op2_type & (IS_VAR | IS_TMP_VAR)) {
1778                if (opline->opcode == ZEND_FE_FETCH_R || opline->opcode == ZEND_FE_FETCH_RW) {
1779                    /* these opcode use the op2 as result */
1780                    defined_here[VAR_NUM(ZEND_OP2(opline).var)] = 1;
1781                } else {
1782                    T_USAGE(opline->op2);
1783                }
1784            }
1785
1786            if (RESULT_USED(opline)) {
1787                if (!defined_here[VAR_NUM(ZEND_RESULT(opline).var)] && !used_ext[VAR_NUM(ZEND_RESULT(opline).var)] &&
1788                    opline->opcode == ZEND_ADD_ARRAY_ELEMENT) {
1789                    /* these opcode use the result as argument */
1790                    used_ext[VAR_NUM(ZEND_RESULT(opline).var)] = 1;
1791                }
1792                defined_here[VAR_NUM(ZEND_RESULT(opline).var)] = 1;
1793            }
1794            opline++;
1795        }
1796        next_block = next_block->next;
1797    }
1798
1799#if DEBUG_BLOCKPASS
1800    {
1801        int i;
1802        for (i = op_array->last_var; i< op_array->T; i++) {
1803            fprintf(stderr, "T%d: %c\n", i, used_ext[i] + '0');
1804        }
1805    }
1806#endif
1807
1808    while (block) {
1809        zend_op *opline = block->start_opline + block->len - 1;
1810
1811        if (!block->access) {
1812            block = block->next;
1813            continue;
1814        }
1815
1816        memcpy(usage, used_ext, op_array->last_var + op_array->T);
1817
1818        while (opline >= block->start_opline) {
1819            /* usage checks */
1820            if (RES_NEVER_USED(opline)) {
1821                switch (opline->opcode) {
1822                    case ZEND_ASSIGN_ADD:
1823                    case ZEND_ASSIGN_SUB:
1824                    case ZEND_ASSIGN_MUL:
1825                    case ZEND_ASSIGN_DIV:
1826                    case ZEND_ASSIGN_MOD:
1827                    case ZEND_ASSIGN_SL:
1828                    case ZEND_ASSIGN_SR:
1829                    case ZEND_ASSIGN_CONCAT:
1830                    case ZEND_ASSIGN_BW_OR:
1831                    case ZEND_ASSIGN_BW_AND:
1832                    case ZEND_ASSIGN_BW_XOR:
1833                    case ZEND_PRE_INC:
1834                    case ZEND_PRE_DEC:
1835                    case ZEND_POST_INC:
1836                    case ZEND_POST_DEC:
1837                    case ZEND_ASSIGN:
1838                    case ZEND_ASSIGN_REF:
1839                    case ZEND_DO_FCALL:
1840                    case ZEND_DO_ICALL:
1841                    case ZEND_DO_UCALL:
1842                    case ZEND_DO_FCALL_BY_NAME:
1843                        if (ZEND_RESULT_TYPE(opline) == IS_VAR) {
1844                            ZEND_RESULT_TYPE(opline) |= EXT_TYPE_UNUSED;
1845                        }
1846                        break;
1847                    case ZEND_QM_ASSIGN:
1848                    case ZEND_BOOL:
1849                    case ZEND_BOOL_NOT:
1850                        if (ZEND_OP1_TYPE(opline) == IS_CONST) {
1851                            literal_dtor(&ZEND_OP1_LITERAL(opline));
1852                        }
1853                        MAKE_NOP(opline);
1854                        break;
1855                    case ZEND_JMPZ_EX:
1856                    case ZEND_JMPNZ_EX:
1857                        opline->opcode -= 3;
1858                        SET_UNUSED(opline->result);
1859                        break;
1860                }
1861            }
1862
1863            if (opline->opcode == ZEND_ADD_ARRAY_ELEMENT) {
1864                if (ZEND_OP1_TYPE(opline) == IS_VAR || ZEND_OP1_TYPE(opline) == IS_TMP_VAR) {
1865                    usage[VAR_NUM(ZEND_RESULT(opline).var)] = 1;
1866                }
1867            } else {
1868                if (RESULT_USED(opline)) {
1869                    usage[VAR_NUM(ZEND_RESULT(opline).var)] = 0;
1870                }
1871            }
1872
1873            if (ZEND_OP1_TYPE(opline) == IS_VAR || ZEND_OP1_TYPE(opline) == IS_TMP_VAR) {
1874                usage[VAR_NUM(ZEND_OP1(opline).var)] = 1;
1875            }
1876
1877            if (ZEND_OP2_TYPE(opline) == IS_VAR || ZEND_OP2_TYPE(opline) == IS_TMP_VAR) {
1878                usage[VAR_NUM(ZEND_OP2(opline).var)] = 1;
1879            }
1880
1881            if ((ZEND_RESULT_TYPE(opline) & IS_VAR) &&
1882                (ZEND_RESULT_TYPE(opline) & EXT_TYPE_UNUSED) &&
1883                usage[VAR_NUM(ZEND_RESULT(opline).var)]) {
1884                ZEND_RESULT_TYPE(opline) &= ~EXT_TYPE_UNUSED;
1885            }
1886
1887            opline--;
1888        }
1889        block = block->next;
1890    } /* end blocks */
1891
1892    zend_arena_release(&ctx->arena, checkpoint);
1893}
1894
1895#define PASSES 3
1896
1897void optimize_cfg(zend_op_array *op_array, zend_optimizer_ctx *ctx)
1898{
1899    zend_cfg cfg;
1900    zend_code_block *cur_block;
1901    int pass;
1902    char *usage;
1903    void *checkpoint;
1904
1905#if DEBUG_BLOCKPASS
1906    fprintf(stderr, "File %s func %s\n", op_array->filename, op_array->function_name? op_array->function_name : "main");
1907    fflush(stderr);
1908#endif
1909
1910    if (op_array->fn_flags & ZEND_ACC_HAS_FINALLY_BLOCK) {
1911        return;
1912    }
1913
1914    /* Build CFG */
1915    checkpoint = zend_arena_checkpoint(ctx->arena);
1916    if (!find_code_blocks(op_array, &cfg, ctx)) {
1917        zend_arena_release(&ctx->arena, checkpoint);
1918        return;
1919    }
1920
1921    zend_rebuild_access_path(&cfg, op_array, 0, ctx);
1922    /* full rebuild here to produce correct sources! */
1923    if (op_array->last_var || op_array->T) {
1924        cfg.Tsource = zend_arena_calloc(&ctx->arena, op_array->last_var + op_array->T, sizeof(zend_op *));
1925        cfg.same_t = zend_arena_alloc(&ctx->arena, op_array->last_var + op_array->T);
1926        usage = zend_arena_alloc(&ctx->arena, op_array->last_var + op_array->T);
1927    } else {
1928        cfg.Tsource = NULL;
1929        cfg.same_t = NULL;
1930        usage = NULL;
1931    }
1932    for (pass = 0; pass < PASSES; pass++) {
1933        /* Compute data dependencies */
1934        memset(usage, 0, op_array->last_var + op_array->T);
1935        zend_t_usage(cfg.blocks, op_array, usage, ctx);
1936
1937        /* optimize each basic block separately */
1938        for (cur_block = cfg.blocks; cur_block; cur_block = cur_block->next) {
1939            if (!cur_block->access) {
1940                continue;
1941            }
1942            zend_optimize_block(cur_block, op_array, usage, &cfg, ctx);
1943        }
1944
1945        /* Jump optimization for each block */
1946        for (cur_block = cfg.blocks; cur_block; cur_block = cur_block->next) {
1947            if (!cur_block->access) {
1948                continue;
1949            }
1950            zend_jmp_optimization(cur_block, op_array, cfg.blocks, &cfg, ctx);
1951        }
1952
1953        /* Eliminate unreachable basic blocks */
1954        zend_rebuild_access_path(&cfg, op_array, 1, ctx);
1955    }
1956
1957    memset(usage, 0, op_array->last_var + op_array->T);
1958    zend_t_usage(cfg.blocks, op_array, usage, ctx);
1959    assemble_code_blocks(&cfg, op_array);
1960
1961    /* Destroy CFG */
1962    zend_arena_release(&ctx->arena, checkpoint);
1963}
1964