1/*
2   +----------------------------------------------------------------------+
3   | Zend OPcache                                                         |
4   +----------------------------------------------------------------------+
5   | Copyright (c) 1998-2016 The PHP Group                                |
6   +----------------------------------------------------------------------+
7   | This source file is subject to version 3.01 of the PHP license,      |
8   | that is bundled with this package in the file LICENSE, and is        |
9   | available through the world-wide-web at the following url:           |
10   | http://www.php.net/license/3_01.txt                                  |
11   | If you did not receive a copy of the PHP license and are unable to   |
12   | obtain it through the world-wide-web, please send a note to          |
13   | license@php.net so we can mail you a copy immediately.               |
14   +----------------------------------------------------------------------+
15   | Authors: Andi Gutmans <andi@zend.com>                                |
16   |          Zeev Suraski <zeev@zend.com>                                |
17   |          Stanislav Malyshev <stas@zend.com>                          |
18   |          Dmitry Stogov <dmitry@zend.com>                             |
19   +----------------------------------------------------------------------+
20*/
21
22#include "php.h"
23#include "Optimizer/zend_optimizer.h"
24#include "Optimizer/zend_optimizer_internal.h"
25#include "zend_API.h"
26#include "zend_constants.h"
27#include "zend_execute.h"
28#include "zend_vm.h"
29#include "zend_bitset.h"
30#include "zend_cfg.h"
31#include "zend_dump.h"
32
33/* Checks if a constant (like "true") may be replaced by its value */
34int zend_optimizer_get_persistent_constant(zend_string *name, zval *result, int copy)
35{
36	zend_constant *c;
37	char *lookup_name;
38	int retval = 1;
39	ALLOCA_FLAG(use_heap);
40
41	if ((c = zend_hash_find_ptr(EG(zend_constants), name)) == NULL) {
42		lookup_name = do_alloca(ZSTR_LEN(name) + 1, use_heap);
43		memcpy(lookup_name, ZSTR_VAL(name), ZSTR_LEN(name) + 1);
44		zend_str_tolower(lookup_name, ZSTR_LEN(name));
45
46		if ((c = zend_hash_str_find_ptr(EG(zend_constants), lookup_name, ZSTR_LEN(name))) != NULL) {
47			if (!(c->flags & CONST_CT_SUBST) || (c->flags & CONST_CS)) {
48				retval = 0;
49			}
50		} else {
51			retval = 0;
52		}
53		free_alloca(lookup_name, use_heap);
54	}
55
56	if (retval) {
57		if (c->flags & CONST_PERSISTENT) {
58			ZVAL_COPY_VALUE(result, &c->value);
59			if (copy) {
60				zval_copy_ctor(result);
61			}
62		} else {
63			retval = 0;
64		}
65	}
66
67	return retval;
68}
69
70/* CFG back references management */
71
72#define DEL_SOURCE(from, to)
73#define ADD_SOURCE(from, to)
74
75/* Data dependencies macros */
76
77#define VAR_NUM_EX(op) VAR_NUM((op).var)
78
79#define VAR_SOURCE(op) Tsource[VAR_NUM(op.var)]
80#define SET_VAR_SOURCE(opline) Tsource[VAR_NUM(opline->result.var)] = opline
81
82#define convert_to_string_safe(v) \
83	if (Z_TYPE_P((v)) == IS_NULL) { \
84		ZVAL_STRINGL((v), "", 0); \
85	} else { \
86		convert_to_string((v)); \
87	}
88
89static void strip_leading_nops(zend_op_array *op_array, zend_basic_block *b)
90{
91	zend_op *opcodes = op_array->opcodes;
92
93	while (opcodes[b->start].opcode == ZEND_NOP && b->start < b->end) {
94		b->start++;
95	}
96}
97
98static void strip_nops(zend_op_array *op_array, zend_basic_block *b)
99{
100	uint32_t i, j;
101
102	strip_leading_nops(op_array, b);
103
104	/* strip the inside NOPs */
105	i = j = b->start + 1;
106	while (i <= b->end) {
107		if (op_array->opcodes[i].opcode != ZEND_NOP) {
108			if (i != j) {
109				op_array->opcodes[j] = op_array->opcodes[i];
110			}
111			j++;
112		}
113		i++;
114	}
115	b->end = j - 1;
116	while (j < i) {
117		MAKE_NOP(op_array->opcodes + j);
118		j++;
119	}
120}
121
122static void zend_optimize_block(zend_basic_block *block, zend_op_array *op_array, zend_bitset used_ext, zend_cfg *cfg, zend_op **Tsource)
123{
124	zend_op *opline, *src;
125	zend_op *end, *last_op = NULL;
126
127	/* remove leading NOPs */
128	strip_leading_nops(op_array, block);
129
130	opline = op_array->opcodes + block->start;
131	end = op_array->opcodes + block->end + 1;
132	while (opline < end) {
133
134		/* Constant Propagation: strip X = QM_ASSIGN(const) */
135		if ((opline->op1_type & (IS_TMP_VAR|IS_VAR)) &&
136		    opline->opcode != ZEND_FREE) {
137			src = VAR_SOURCE(opline->op1);
138			if (src &&
139			    src->opcode == ZEND_QM_ASSIGN &&
140			    src->op1_type == IS_CONST) {
141
142				znode_op op1 = opline->op1;
143				zval c = ZEND_OP1_LITERAL(src);
144
145				zval_copy_ctor(&c);
146				if (zend_optimizer_update_op1_const(op_array, opline, &c)) {
147					zend_optimizer_remove_live_range(op_array, op1.var);
148					VAR_SOURCE(op1) = NULL;
149					literal_dtor(&ZEND_OP1_LITERAL(src));
150					MAKE_NOP(src);
151				}
152			}
153		}
154
155		/* Constant Propagation: strip X = QM_ASSIGN(const) */
156		if (opline->op2_type & (IS_TMP_VAR|IS_VAR)) {
157			src = VAR_SOURCE(opline->op2);
158			if (src &&
159			    src->opcode == ZEND_QM_ASSIGN &&
160			    src->op1_type == IS_CONST) {
161
162				znode_op op2 = opline->op2;
163				zval c = ZEND_OP1_LITERAL(src);
164
165				zval_copy_ctor(&c);
166				if (zend_optimizer_update_op2_const(op_array, opline, &c)) {
167					zend_optimizer_remove_live_range(op_array, op2.var);
168					VAR_SOURCE(op2) = NULL;
169					literal_dtor(&ZEND_OP1_LITERAL(src));
170					MAKE_NOP(src);
171				}
172			}
173		}
174
175		if (opline->opcode == ZEND_ECHO) {
176			if (opline->op1_type & (IS_TMP_VAR|IS_VAR)) {
177				src = VAR_SOURCE(opline->op1);
178				if (src &&
179				    src->opcode == ZEND_CAST &&
180				    src->extended_value == IS_STRING) {
181					/* T = CAST(X, String), ECHO(T) => NOP, ECHO(X) */
182					VAR_SOURCE(opline->op1) = NULL;
183					COPY_NODE(opline->op1, src->op1);
184					MAKE_NOP(src);
185				}
186			}
187
188			if (opline->op1_type == IS_CONST) {
189				if (last_op && last_op->opcode == ZEND_ECHO &&
190				    last_op->op1_type == IS_CONST &&
191				    Z_TYPE(ZEND_OP1_LITERAL(opline)) != IS_DOUBLE &&
192				    Z_TYPE(ZEND_OP1_LITERAL(last_op)) != IS_DOUBLE) {
193					/* compress consecutive ECHO's.
194					 * Float to string conversion may be affected by current
195					 * locale setting.
196					 */
197					int l, old_len;
198
199					if (Z_TYPE(ZEND_OP1_LITERAL(opline)) != IS_STRING) {
200						convert_to_string_safe(&ZEND_OP1_LITERAL(opline));
201					}
202					if (Z_TYPE(ZEND_OP1_LITERAL(last_op)) != IS_STRING) {
203						convert_to_string_safe(&ZEND_OP1_LITERAL(last_op));
204					}
205					old_len = Z_STRLEN(ZEND_OP1_LITERAL(last_op));
206					l = old_len + Z_STRLEN(ZEND_OP1_LITERAL(opline));
207					if (!Z_REFCOUNTED(ZEND_OP1_LITERAL(last_op))) {
208						zend_string *tmp = zend_string_alloc(l, 0);
209						memcpy(ZSTR_VAL(tmp), Z_STRVAL(ZEND_OP1_LITERAL(last_op)), old_len);
210						Z_STR(ZEND_OP1_LITERAL(last_op)) = tmp;
211					} else {
212						Z_STR(ZEND_OP1_LITERAL(last_op)) = zend_string_extend(Z_STR(ZEND_OP1_LITERAL(last_op)), l, 0);
213					}
214					Z_TYPE_INFO(ZEND_OP1_LITERAL(last_op)) = IS_STRING_EX;
215					memcpy(Z_STRVAL(ZEND_OP1_LITERAL(last_op)) + old_len, Z_STRVAL(ZEND_OP1_LITERAL(opline)), Z_STRLEN(ZEND_OP1_LITERAL(opline)));
216					Z_STRVAL(ZEND_OP1_LITERAL(last_op))[l] = '\0';
217					zval_dtor(&ZEND_OP1_LITERAL(opline));
218					ZVAL_STR(&ZEND_OP1_LITERAL(opline), zend_new_interned_string(Z_STR(ZEND_OP1_LITERAL(last_op))));
219					ZVAL_NULL(&ZEND_OP1_LITERAL(last_op));
220					MAKE_NOP(last_op);
221				}
222				last_op = opline;
223			} else {
224				last_op = NULL;
225			}
226		} else {
227			last_op = NULL;
228		}
229
230		switch (opline->opcode) {
231
232			case ZEND_FREE:
233				if (opline->op1_type == IS_TMP_VAR) {
234					src = VAR_SOURCE(opline->op1);
235					if (src &&
236					    (src->opcode == ZEND_BOOL || src->opcode == ZEND_BOOL_NOT)) {
237						/* T = BOOL(X), FREE(T) => NOP */
238						if (ZEND_OP1_TYPE(src) == IS_CONST) {
239							literal_dtor(&ZEND_OP1_LITERAL(src));
240						}
241						VAR_SOURCE(opline->op1) = NULL;
242						MAKE_NOP(src);
243						MAKE_NOP(opline);
244					}
245				} else if (opline->op1_type == IS_VAR) {
246					src = VAR_SOURCE(opline->op1);
247					/* V = OP, FREE(V) => OP. NOP */
248					if (src &&
249					    src->opcode != ZEND_FETCH_R &&
250					    src->opcode != ZEND_FETCH_STATIC_PROP_R &&
251					    src->opcode != ZEND_FETCH_DIM_R &&
252					    src->opcode != ZEND_FETCH_OBJ_R &&
253					    src->opcode != ZEND_NEW) {
254						if (opline->extended_value & ZEND_FREE_ON_RETURN) {
255							/* mark as removed (empty live range) */
256							op_array->live_range[opline->op2.num].var = (uint32_t)-1;
257						}
258						ZEND_RESULT_TYPE(src) = IS_UNUSED;
259						MAKE_NOP(opline);
260					}
261				}
262				break;
263
264#if 0
265		/* pre-evaluate functions:
266		   constant(x)
267		   defined(x)
268		   function_exists(x)
269		   extension_loaded(x)
270		   BAD: interacts badly with Accelerator
271		*/
272		if((ZEND_OP1_TYPE(opline) & IS_VAR) &&
273		   VAR_SOURCE(opline->op1) && VAR_SOURCE(opline->op1)->opcode == ZEND_DO_CF_FCALL &&
274		   VAR_SOURCE(opline->op1)->extended_value == 1) {
275			zend_op *fcall = VAR_SOURCE(opline->op1);
276			zend_op *sv = fcall-1;
277			if(sv >= block->start_opline && sv->opcode == ZEND_SEND_VAL &&
278			   ZEND_OP1_TYPE(sv) == IS_CONST && Z_TYPE(OPLINE_OP1_LITERAL(sv)) == IS_STRING &&
279			   Z_LVAL(OPLINE_OP2_LITERAL(sv)) == 1
280			   ) {
281				zval *arg = &OPLINE_OP1_LITERAL(sv);
282				char *fname = FUNCTION_CACHE->funcs[Z_LVAL(ZEND_OP1_LITERAL(fcall))].function_name;
283				int flen = FUNCTION_CACHE->funcs[Z_LVAL(ZEND_OP1_LITERAL(fcall))].name_len;
284				if(flen == sizeof("defined")-1 && zend_binary_strcasecmp(fname, flen, "defined", sizeof("defined")-1) == 0) {
285					zval c;
286					if(zend_optimizer_get_persistent_constant(Z_STR_P(arg), &c, 0 ELS_CC) != 0) {
287						literal_dtor(arg);
288						MAKE_NOP(sv);
289						MAKE_NOP(fcall);
290						LITERAL_BOOL(opline->op1, 1);
291						ZEND_OP1_TYPE(opline) = IS_CONST;
292					}
293				} else if((flen == sizeof("function_exists")-1 && zend_binary_strcasecmp(fname, flen, "function_exists", sizeof("function_exists")-1) == 0) ||
294						  (flen == sizeof("is_callable")-1 && zend_binary_strcasecmp(fname, flen, "is_callable", sizeof("is_callable")-1) == 0)
295						  ) {
296					zend_function *function;
297					if((function = zend_hash_find_ptr(EG(function_table), Z_STR_P(arg))) != NULL) {
298						literal_dtor(arg);
299						MAKE_NOP(sv);
300						MAKE_NOP(fcall);
301						LITERAL_BOOL(opline->op1, 1);
302						ZEND_OP1_TYPE(opline) = IS_CONST;
303					}
304				} else if(flen == sizeof("constant")-1 && zend_binary_strcasecmp(fname, flen, "constant", sizeof("constant")-1) == 0) {
305					zval c;
306					if(zend_optimizer_get_persistent_constant(Z_STR_P(arg), &c, 1 ELS_CC) != 0) {
307						literal_dtor(arg);
308						MAKE_NOP(sv);
309						MAKE_NOP(fcall);
310						ZEND_OP1_LITERAL(opline) = zend_optimizer_add_literal(op_array, &c);
311						/* no copy ctor - get already copied it */
312						ZEND_OP1_TYPE(opline) = IS_CONST;
313					}
314				} else if(flen == sizeof("extension_loaded")-1 && zend_binary_strcasecmp(fname, flen, "extension_loaded", sizeof("extension_loaded")-1) == 0) {
315					if(zend_hash_exists(&module_registry, Z_STR_P(arg))) {
316						literal_dtor(arg);
317						MAKE_NOP(sv);
318						MAKE_NOP(fcall);
319						LITERAL_BOOL(opline->op1, 1);
320						ZEND_OP1_TYPE(opline) = IS_CONST;
321					}
322				}
323			}
324		}
325#endif
326
327			case ZEND_FETCH_LIST:
328				if (opline->op1_type & (IS_TMP_VAR|IS_VAR)) {
329					/* LIST variable will be deleted later by FREE */
330					Tsource[VAR_NUM(opline->op1.var)] = NULL;
331				}
332				break;
333
334			case ZEND_CASE:
335				if (opline->op1_type & (IS_TMP_VAR|IS_VAR)) {
336					/* CASE variable will be deleted later by FREE, so we can't optimize it */
337					Tsource[VAR_NUM(opline->op1.var)] = NULL;
338					break;
339				}
340				if (opline->op1_type == IS_CONST &&
341				    opline->op2_type == IS_CONST) {
342					break;
343				}
344				/* break missing intentionally */
345
346			case ZEND_IS_EQUAL:
347			case ZEND_IS_NOT_EQUAL:
348				if (opline->op1_type == IS_CONST &&
349				    opline->op2_type == IS_CONST) {
350					goto optimize_constant_binary_op;
351				}
352		        /* IS_EQ(TRUE, X)      => BOOL(X)
353		         * IS_EQ(FALSE, X)     => BOOL_NOT(X)
354		         * IS_NOT_EQ(TRUE, X)  => BOOL_NOT(X)
355		         * IS_NOT_EQ(FALSE, X) => BOOL(X)
356		         * CASE(TRUE, X)       => BOOL(X)
357		         * CASE(FALSE, X)      => BOOL_NOT(X)
358		         */
359				if (opline->op1_type == IS_CONST &&
360					(Z_TYPE(ZEND_OP1_LITERAL(opline)) == IS_FALSE ||
361					 Z_TYPE(ZEND_OP1_LITERAL(opline)) == IS_TRUE)) {
362					/* Optimization of comparison with "null" is not safe,
363					 * because ("0" == null) is not equal to !("0")
364					 */
365					opline->opcode =
366						((opline->opcode != ZEND_IS_NOT_EQUAL) == ((Z_TYPE(ZEND_OP1_LITERAL(opline))) == IS_TRUE)) ?
367						ZEND_BOOL : ZEND_BOOL_NOT;
368					COPY_NODE(opline->op1, opline->op2);
369					SET_UNUSED(opline->op2);
370					goto optimize_bool;
371				} else if (opline->op2_type == IS_CONST &&
372				           (Z_TYPE(ZEND_OP2_LITERAL(opline)) == IS_FALSE ||
373				            Z_TYPE(ZEND_OP2_LITERAL(opline)) == IS_TRUE)) {
374					/* Optimization of comparison with "null" is not safe,
375					 * because ("0" == null) is not equal to !("0")
376					 */
377					opline->opcode =
378						((opline->opcode != ZEND_IS_NOT_EQUAL) == ((Z_TYPE(ZEND_OP2_LITERAL(opline))) == IS_TRUE)) ?
379						ZEND_BOOL : ZEND_BOOL_NOT;
380					SET_UNUSED(opline->op2);
381					goto optimize_bool;
382				}
383				break;
384
385			case ZEND_BOOL:
386			case ZEND_BOOL_NOT:
387			optimize_bool:
388				if (opline->op1_type == IS_CONST) {
389					goto optimize_const_unary_op;
390				}
391				if (opline->op1_type == IS_TMP_VAR &&
392				    !zend_bitset_in(used_ext, VAR_NUM(opline->op1.var))) {
393					src = VAR_SOURCE(opline->op1);
394					if (src) {
395						switch (src->opcode) {
396							case ZEND_BOOL_NOT:
397								/* T = BOOL_NOT(X) + BOOL(T) -> NOP, BOOL_NOT(X) */
398								VAR_SOURCE(opline->op1) = NULL;
399								COPY_NODE(opline->op1, src->op1);
400								opline->opcode = (opline->opcode == ZEND_BOOL) ? ZEND_BOOL_NOT : ZEND_BOOL;
401								MAKE_NOP(src);
402								goto optimize_bool;
403							case ZEND_BOOL:
404								/* T = BOOL(X) + BOOL(T) -> NOP, BOOL(X) */
405								VAR_SOURCE(opline->op1) = NULL;
406								COPY_NODE(opline->op1, src->op1);
407								MAKE_NOP(src);
408								goto optimize_bool;
409							case ZEND_IS_EQUAL:
410								if (opline->opcode == ZEND_BOOL_NOT) {
411									src->opcode = ZEND_IS_NOT_EQUAL;
412								}
413								COPY_NODE(src->result, opline->result);
414								SET_VAR_SOURCE(src);
415								MAKE_NOP(opline);
416								break;
417							case ZEND_IS_NOT_EQUAL:
418								if (opline->opcode == ZEND_BOOL_NOT) {
419									src->opcode = ZEND_IS_EQUAL;
420								}
421								COPY_NODE(src->result, opline->result);
422								SET_VAR_SOURCE(src);
423								MAKE_NOP(opline);
424								break;
425							case ZEND_IS_IDENTICAL:
426								if (opline->opcode == ZEND_BOOL_NOT) {
427									src->opcode = ZEND_IS_NOT_IDENTICAL;
428								}
429								COPY_NODE(src->result, opline->result);
430								SET_VAR_SOURCE(src);
431								MAKE_NOP(opline);
432								break;
433							case ZEND_IS_NOT_IDENTICAL:
434								if (opline->opcode == ZEND_BOOL_NOT) {
435									src->opcode = ZEND_IS_IDENTICAL;
436								}
437								COPY_NODE(src->result, opline->result);
438								SET_VAR_SOURCE(src);
439								MAKE_NOP(opline);
440								break;
441							case ZEND_IS_SMALLER:
442								if (opline->opcode == ZEND_BOOL_NOT) {
443									zend_uchar tmp_type;
444									uint32_t tmp;
445
446									src->opcode = ZEND_IS_SMALLER_OR_EQUAL;
447									tmp_type = src->op1_type;
448									src->op1_type = src->op2_type;
449									src->op2_type = tmp_type;
450									tmp = src->op1.num;
451									src->op1.num = src->op2.num;
452									src->op2.num = tmp;
453								}
454								COPY_NODE(src->result, opline->result);
455								SET_VAR_SOURCE(src);
456								MAKE_NOP(opline);
457								break;
458							case ZEND_IS_SMALLER_OR_EQUAL:
459								if (opline->opcode == ZEND_BOOL_NOT) {
460									zend_uchar tmp_type;
461									uint32_t tmp;
462
463									src->opcode = ZEND_IS_SMALLER;
464									tmp_type = src->op1_type;
465									src->op1_type = src->op2_type;
466									src->op2_type = tmp_type;
467									tmp = src->op1.num;
468									src->op1.num = src->op2.num;
469									src->op2.num = tmp;
470								}
471								COPY_NODE(src->result, opline->result);
472								SET_VAR_SOURCE(src);
473								MAKE_NOP(opline);
474								break;
475							case ZEND_ISSET_ISEMPTY_VAR:
476							case ZEND_ISSET_ISEMPTY_DIM_OBJ:
477							case ZEND_ISSET_ISEMPTY_PROP_OBJ:
478							case ZEND_ISSET_ISEMPTY_STATIC_PROP:
479							case ZEND_INSTANCEOF:
480							case ZEND_TYPE_CHECK:
481							case ZEND_DEFINED:
482								if (opline->opcode == ZEND_BOOL_NOT) {
483									break;
484								}
485								COPY_NODE(src->result, opline->result);
486								SET_VAR_SOURCE(src);
487								MAKE_NOP(opline);
488								break;
489						}
490					}
491				}
492				break;
493
494			case ZEND_JMPZ:
495			case ZEND_JMPNZ:
496			case ZEND_JMPZ_EX:
497			case ZEND_JMPNZ_EX:
498			case ZEND_JMPZNZ:
499			optimize_jmpznz:
500				if (opline->op1_type == IS_TMP_VAR &&
501				    (!zend_bitset_in(used_ext, VAR_NUM(opline->op1.var)) ||
502				     (opline->result_type == opline->op1_type &&
503				      opline->result.var == opline->op1.var))) {
504					src = VAR_SOURCE(opline->op1);
505					if (src) {
506						if (src->opcode == ZEND_BOOL_NOT &&
507						    opline->opcode != ZEND_JMPZ_EX &&
508						    opline->opcode != ZEND_JMPNZ_EX) {
509							VAR_SOURCE(opline->op1) = NULL;
510							COPY_NODE(opline->op1, src->op1);
511							if (opline->opcode == ZEND_JMPZ) {
512								/* T = BOOL_NOT(X) + JMPZ(T) -> NOP, JMPNZ(X) */
513								opline->opcode = ZEND_JMPNZ;
514							} else if (opline->opcode == ZEND_JMPNZ) {
515								/* T = BOOL_NOT(X) + JMPNZ(T) -> NOP, JMPZ(X) */
516								opline->opcode = ZEND_JMPZ;
517#if 0
518							} else if (opline->opcode == ZEND_JMPZ_EX) {
519								/* T = BOOL_NOT(X) + JMPZ_EX(T) -> NOP, JMPNZ_EX(X) */
520								opline->opcode = ZEND_JMPNZ_EX;
521							} else if (opline->opcode == ZEND_JMPNZ_EX) {
522								/* T = BOOL_NOT(X) + JMPNZ_EX(T) -> NOP, JMPZ_EX(X) */
523								opline->opcode = ZEND_JMPZ;
524#endif
525							} else {
526								/* T = BOOL_NOT(X) + JMPZNZ(T,L1,L2) -> NOP, JMPZNZ(X,L2,L1) */
527								uint32_t tmp;
528
529								ZEND_ASSERT(opline->opcode == ZEND_JMPZNZ);
530								tmp = block->successors[0];
531								block->successors[0] = block->successors[1];
532								block->successors[1] = tmp;
533							}
534							MAKE_NOP(src);
535							goto optimize_jmpznz;
536						} else if (src->opcode == ZEND_BOOL ||
537						           src->opcode == ZEND_QM_ASSIGN) {
538							VAR_SOURCE(opline->op1) = NULL;
539							COPY_NODE(opline->op1, src->op1);
540							MAKE_NOP(src);
541							goto optimize_jmpznz;
542						}
543					}
544				}
545				break;
546
547			case ZEND_CONCAT:
548			case ZEND_FAST_CONCAT:
549				if (opline->op1_type == IS_CONST &&
550				    opline->op2_type == IS_CONST) {
551					goto optimize_constant_binary_op;
552				}
553
554				if (opline->op2_type == IS_CONST &&
555				    opline->op1_type == IS_TMP_VAR) {
556
557					src = VAR_SOURCE(opline->op1);
558				    if (src &&
559					    (src->opcode == ZEND_CONCAT ||
560					     src->opcode == ZEND_FAST_CONCAT) &&
561					    src->op2_type == IS_CONST) {
562						/* compress consecutive CONCATs */
563						int l, old_len;
564
565						if (Z_TYPE(ZEND_OP2_LITERAL(opline)) != IS_STRING) {
566							convert_to_string_safe(&ZEND_OP2_LITERAL(opline));
567						}
568						if (Z_TYPE(ZEND_OP2_LITERAL(src)) != IS_STRING) {
569							convert_to_string_safe(&ZEND_OP2_LITERAL(src));
570						}
571
572						VAR_SOURCE(opline->op1) = NULL;
573						COPY_NODE(opline->op1, src->op1);
574						old_len = Z_STRLEN(ZEND_OP2_LITERAL(src));
575						l = old_len + Z_STRLEN(ZEND_OP2_LITERAL(opline));
576						if (!Z_REFCOUNTED(ZEND_OP2_LITERAL(src))) {
577							zend_string *tmp = zend_string_alloc(l, 0);
578							memcpy(ZSTR_VAL(tmp), Z_STRVAL(ZEND_OP2_LITERAL(src)), old_len);
579							Z_STR(ZEND_OP2_LITERAL(src)) = tmp;
580						} else {
581							Z_STR(ZEND_OP2_LITERAL(src)) = zend_string_extend(Z_STR(ZEND_OP2_LITERAL(src)), l, 0);
582						}
583						Z_TYPE_INFO(ZEND_OP2_LITERAL(src)) = IS_STRING_EX;
584						memcpy(Z_STRVAL(ZEND_OP2_LITERAL(src)) + old_len, Z_STRVAL(ZEND_OP2_LITERAL(opline)), Z_STRLEN(ZEND_OP2_LITERAL(opline)));
585						Z_STRVAL(ZEND_OP2_LITERAL(src))[l] = '\0';
586						zend_string_release(Z_STR(ZEND_OP2_LITERAL(opline)));
587						ZVAL_STR(&ZEND_OP2_LITERAL(opline), zend_new_interned_string(Z_STR(ZEND_OP2_LITERAL(src))));
588						ZVAL_NULL(&ZEND_OP2_LITERAL(src));
589						MAKE_NOP(src);
590					}
591				}
592
593				if (opline->op1_type & (IS_TMP_VAR|IS_VAR)) {
594					src = VAR_SOURCE(opline->op1);
595					if (src &&
596					    src->opcode == ZEND_CAST &&
597					    src->extended_value == IS_STRING) {
598						/* convert T1 = CAST(STRING, X), T2 = CONCAT(T1, Y) to T2 = CONCAT(X,Y) */
599						VAR_SOURCE(opline->op1) = NULL;
600						COPY_NODE(opline->op1, src->op1);
601						MAKE_NOP(src);
602					}
603	            }
604				if (opline->op2_type & (IS_TMP_VAR|IS_VAR)) {
605					src = VAR_SOURCE(opline->op2);
606					if (src &&
607					    src->opcode == ZEND_CAST &&
608					    src->extended_value == IS_STRING) {
609						/* convert T1 = CAST(STRING, X), T2 = CONCAT(Y, T1) to T2 = CONCAT(Y,X) */
610						zend_op *src = VAR_SOURCE(opline->op2);
611						VAR_SOURCE(opline->op2) = NULL;
612						COPY_NODE(opline->op2, src->op1);
613						MAKE_NOP(src);
614					}
615				}
616				if (opline->op1_type == IS_CONST &&
617				    Z_TYPE(ZEND_OP1_LITERAL(opline)) == IS_STRING &&
618				    Z_STRLEN(ZEND_OP1_LITERAL(opline)) == 0) {
619					/* convert CONCAT('', X) => CAST(STRING, X) */
620					literal_dtor(&ZEND_OP1_LITERAL(opline));
621					opline->opcode = ZEND_CAST;
622					opline->extended_value = IS_STRING;
623					COPY_NODE(opline->op1, opline->op2);
624					opline->op2_type = IS_UNUSED;
625					opline->op2.var = 0;
626				} else if (opline->op2_type == IS_CONST &&
627			           Z_TYPE(ZEND_OP2_LITERAL(opline)) == IS_STRING &&
628			           Z_STRLEN(ZEND_OP2_LITERAL(opline)) == 0) {
629					/* convert CONCAT(X, '') => CAST(STRING, X) */
630					literal_dtor(&ZEND_OP2_LITERAL(opline));
631					opline->opcode = ZEND_CAST;
632					opline->extended_value = IS_STRING;
633					opline->op2_type = IS_UNUSED;
634					opline->op2.var = 0;
635				} else if (opline->opcode == ZEND_CONCAT &&
636				           (opline->op1_type == IS_CONST ||
637				            (opline->op1_type == IS_TMP_VAR &&
638				             VAR_SOURCE(opline->op1) &&
639				             (VAR_SOURCE(opline->op1)->opcode == ZEND_FAST_CONCAT ||
640				              VAR_SOURCE(opline->op1)->opcode == ZEND_ROPE_END ||
641				              VAR_SOURCE(opline->op1)->opcode == ZEND_FETCH_CONSTANT ||
642				              VAR_SOURCE(opline->op1)->opcode == ZEND_FETCH_CLASS_CONSTANT))) &&
643				           (opline->op2_type == IS_CONST ||
644				            (opline->op2_type == IS_TMP_VAR &&
645				             VAR_SOURCE(opline->op2) &&
646				             (VAR_SOURCE(opline->op2)->opcode == ZEND_FAST_CONCAT ||
647				              VAR_SOURCE(opline->op2)->opcode == ZEND_ROPE_END ||
648				              VAR_SOURCE(opline->op2)->opcode == ZEND_FETCH_CONSTANT ||
649				              VAR_SOURCE(opline->op2)->opcode == ZEND_FETCH_CLASS_CONSTANT)))) {
650					opline->opcode = ZEND_FAST_CONCAT;
651				}
652				break;
653
654			case ZEND_ADD:
655			case ZEND_SUB:
656			case ZEND_MUL:
657			case ZEND_DIV:
658			case ZEND_MOD:
659			case ZEND_SL:
660			case ZEND_SR:
661			case ZEND_IS_SMALLER:
662			case ZEND_IS_SMALLER_OR_EQUAL:
663			case ZEND_IS_IDENTICAL:
664			case ZEND_IS_NOT_IDENTICAL:
665			case ZEND_BOOL_XOR:
666			case ZEND_BW_OR:
667			case ZEND_BW_AND:
668			case ZEND_BW_XOR:
669				if (opline->op1_type == IS_CONST &&
670				    opline->op2_type == IS_CONST) {
671					/* evaluate constant expressions */
672					binary_op_type binary_op;
673					zval result;
674					int er;
675
676optimize_constant_binary_op:
677					binary_op = get_binary_op(opline->opcode);
678		            if ((opline->opcode == ZEND_DIV || opline->opcode == ZEND_MOD) &&
679		                zval_get_long(&ZEND_OP2_LITERAL(opline)) == 0) {
680						SET_VAR_SOURCE(opline);
681		                opline++;
682						continue;
683		            } else if ((opline->opcode == ZEND_SL || opline->opcode == ZEND_SR) &&
684		                zval_get_long(&ZEND_OP2_LITERAL(opline)) < 0) {
685						SET_VAR_SOURCE(opline);
686		                opline++;
687						continue;
688					} else if (zend_binary_op_produces_numeric_string_error(opline->opcode, &ZEND_OP1_LITERAL(opline), &ZEND_OP2_LITERAL(opline))) {
689						SET_VAR_SOURCE(opline);
690		                opline++;
691						continue;
692					}
693					er = EG(error_reporting);
694					EG(error_reporting) = 0;
695					if (binary_op(&result, &ZEND_OP1_LITERAL(opline), &ZEND_OP2_LITERAL(opline)) == SUCCESS) {
696						literal_dtor(&ZEND_OP1_LITERAL(opline));
697						literal_dtor(&ZEND_OP2_LITERAL(opline));
698						opline->opcode = ZEND_QM_ASSIGN;
699						SET_UNUSED(opline->op2);
700						zend_optimizer_update_op1_const(op_array, opline, &result);
701					}
702					EG(error_reporting) = er;
703				}
704				break;
705
706			case ZEND_BW_NOT:
707				if (opline->op1_type == IS_CONST) {
708					/* evaluate constant unary ops */
709					unary_op_type unary_op;
710					zval result;
711
712optimize_const_unary_op:
713					unary_op = get_unary_op(opline->opcode);
714					if (unary_op) {
715						unary_op(&result, &ZEND_OP1_LITERAL(opline));
716						literal_dtor(&ZEND_OP1_LITERAL(opline));
717					} else {
718						/* BOOL */
719						result = ZEND_OP1_LITERAL(opline);
720						convert_to_boolean(&result);
721						ZVAL_NULL(&ZEND_OP1_LITERAL(opline));
722					}
723					opline->opcode = ZEND_QM_ASSIGN;
724					zend_optimizer_update_op1_const(op_array, opline, &result);
725				}
726				break;
727
728			case ZEND_RETURN:
729			case ZEND_EXIT:
730				if (opline->op1_type & (IS_TMP_VAR|IS_VAR)) {
731					src = VAR_SOURCE(opline->op1);
732					if (src && src->opcode == ZEND_QM_ASSIGN) {
733						/* T = QM_ASSIGN(X), RETURN(T) to NOP, RETURN(X) */
734						VAR_SOURCE(opline->op1) = NULL;
735						COPY_NODE(opline->op1, src->op1);
736						MAKE_NOP(src);
737					}
738				}
739				break;
740
741			case ZEND_QM_ASSIGN:
742				if (opline->op1_type == opline->result_type &&
743				    opline->op1.var == opline->result.var) {
744					/* strip T = QM_ASSIGN(T) */
745					MAKE_NOP(opline);
746				}
747				break;
748		}
749
750		/* get variable source */
751		if (opline->result_type & (IS_VAR|IS_TMP_VAR)) {
752			SET_VAR_SOURCE(opline);
753		}
754		opline++;
755	}
756
757	strip_nops(op_array, block);
758}
759
760/* Rebuild plain (optimized) op_array from CFG */
761static void assemble_code_blocks(zend_cfg *cfg, zend_op_array *op_array)
762{
763	zend_basic_block *blocks = cfg->blocks;
764	zend_basic_block *end = blocks + cfg->blocks_count;
765	zend_basic_block *b;
766	zend_op *new_opcodes;
767	zend_op *opline;
768	uint32_t len = 0;
769	int n;
770
771	for (b = blocks; b < end; b++) {
772		if (b->flags & ZEND_BB_REACHABLE) {
773			ZEND_ASSERT(b->start <= b->end);
774			opline = op_array->opcodes + b->end;
775			if (opline->opcode == ZEND_JMP) {
776				zend_basic_block *next = b + 1;
777
778				while (next < end && (!(next->flags & ZEND_BB_REACHABLE) || next->start > next->end)) {
779					next++;
780				}
781				if (next < end && next == blocks + b->successors[0]) {
782					/* JMP to the next block - strip it */
783					MAKE_NOP(opline);
784					if (b->end == 0) {
785						b->start++;
786					} else {
787						b->end--;
788					}
789				}
790			} else if (b->start == b->end && opline->opcode == ZEND_NOP) {
791				/* skip empty block */
792				b->start++;
793			}
794			len += b->end - b->start + 1;
795		} else if (b->start <= b->end) {
796			/* this block will not be used, delete all constants there */
797			zend_op *op;
798			zend_op *end = op_array->opcodes + b->end ;
799			for (op = op_array->opcodes + b->start; op <= end; op++) {
800				if (ZEND_OP1_TYPE(op) == IS_CONST) {
801					literal_dtor(&ZEND_OP1_LITERAL(op));
802				}
803				if (ZEND_OP2_TYPE(op) == IS_CONST) {
804					literal_dtor(&ZEND_OP2_LITERAL(op));
805				}
806			}
807		}
808	}
809
810	new_opcodes = emalloc(len * sizeof(zend_op));
811	opline = new_opcodes;
812
813	/* Copy code of reachable blocks into a single buffer */
814	for (b = blocks; b < end; b++) {
815		if (b->flags & ZEND_BB_REACHABLE) {
816			if (b->start <= b->end) {
817				uint32_t n = b->end - b->start + 1;
818				memcpy(opline, op_array->opcodes + b->start, n * sizeof(zend_op));
819				b->start = opline - new_opcodes;
820				b->end = opline - new_opcodes + n - 1;
821				opline += n;
822			} else {
823				b->flags |= ZEND_BB_EMPTY;
824				b->start = b->end = opline - new_opcodes;
825			}
826		}
827	}
828
829	/* adjust jump targets */
830	efree(op_array->opcodes);
831	op_array->opcodes = new_opcodes;
832	op_array->last = len;
833
834	for (b = blocks; b < end; b++) {
835		if (!(b->flags & ZEND_BB_REACHABLE) || b->start > b->end) {
836			continue;
837		}
838		opline = op_array->opcodes + b->end;
839		switch (opline->opcode) {
840			case ZEND_FAST_CALL:
841			case ZEND_JMP:
842				ZEND_SET_OP_JMP_ADDR(opline, opline->op1, new_opcodes + blocks[b->successors[0]].start);
843				break;
844			case ZEND_JMPZNZ:
845				opline->extended_value = ZEND_OPLINE_TO_OFFSET(opline, new_opcodes + blocks[b->successors[1]].start);
846				/* break missing intentionally */
847			case ZEND_JMPZ:
848			case ZEND_JMPNZ:
849			case ZEND_JMPZ_EX:
850			case ZEND_JMPNZ_EX:
851			case ZEND_FE_RESET_R:
852			case ZEND_FE_RESET_RW:
853			case ZEND_JMP_SET:
854			case ZEND_COALESCE:
855			case ZEND_ASSERT_CHECK:
856				ZEND_SET_OP_JMP_ADDR(opline, opline->op2, new_opcodes + blocks[b->successors[0]].start);
857				break;
858			case ZEND_CATCH:
859				if (!opline->result.var) {
860					opline->extended_value = ZEND_OPLINE_TO_OFFSET(opline, new_opcodes + blocks[b->successors[0]].start);
861				}
862				break;
863			case ZEND_DECLARE_ANON_CLASS:
864			case ZEND_DECLARE_ANON_INHERITED_CLASS:
865			case ZEND_FE_FETCH_R:
866			case ZEND_FE_FETCH_RW:
867				opline->extended_value = ZEND_OPLINE_TO_OFFSET(opline, new_opcodes + blocks[b->successors[0]].start);
868				break;
869		}
870	}
871
872	/* adjust exception jump targets & remove unused try_catch_array entries */
873	if (op_array->last_try_catch) {
874		int i, j;
875		uint32_t *map;
876		ALLOCA_FLAG(use_heap);
877
878		map = (uint32_t *)do_alloca(sizeof(uint32_t) * op_array->last_try_catch, use_heap);
879		for (i = 0, j = 0; i< op_array->last_try_catch; i++) {
880			if (blocks[cfg->map[op_array->try_catch_array[i].try_op]].flags & ZEND_BB_REACHABLE) {
881				map[i] = j;
882				op_array->try_catch_array[j].try_op = blocks[cfg->map[op_array->try_catch_array[i].try_op]].start;
883				if (op_array->try_catch_array[i].catch_op) {
884					op_array->try_catch_array[j].catch_op = blocks[cfg->map[op_array->try_catch_array[i].catch_op]].start;
885				} else {
886					op_array->try_catch_array[j].catch_op =  0;
887				}
888				if (op_array->try_catch_array[i].finally_op) {
889					op_array->try_catch_array[j].finally_op = blocks[cfg->map[op_array->try_catch_array[i].finally_op]].start;
890				} else {
891					op_array->try_catch_array[j].finally_op =  0;
892				}
893				if (!op_array->try_catch_array[i].finally_end) {
894					op_array->try_catch_array[j].finally_end = 0;
895				} else {
896					op_array->try_catch_array[j].finally_end = blocks[cfg->map[op_array->try_catch_array[i].finally_end]].start;
897				}
898				j++;
899			}
900		}
901		if (i != j) {
902			op_array->last_try_catch = j;
903			if (op_array->fn_flags & ZEND_ACC_HAS_FINALLY_BLOCK) {
904				zend_op *opline = new_opcodes;
905				zend_op *end = opline + len;
906				while (opline < end) {
907					if ((opline->opcode == ZEND_FAST_CALL ||
908					     opline->opcode == ZEND_FAST_RET) &&
909					    opline->extended_value &&
910					    opline->op2.num < (uint32_t)j) {
911						opline->op2.num = map[opline->op2.num];
912					}
913					opline++;
914				}
915			}
916		}
917		free_alloca(map, use_heap);
918	}
919
920	/* adjust loop jump targets & remove unused live range entries */
921	if (op_array->last_live_range) {
922		int i, j;
923		uint32_t *map;
924		ALLOCA_FLAG(use_heap);
925
926		map = (uint32_t *)do_alloca(sizeof(uint32_t) * op_array->last_live_range, use_heap);
927
928		for (i = 0, j = 0; i < op_array->last_live_range; i++) {
929			if (op_array->live_range[i].var == (uint32_t)-1) {
930				/* this live range already removed */
931				continue;
932			}
933			if (!(blocks[cfg->map[op_array->live_range[i].start]].flags & ZEND_BB_REACHABLE)) {
934				ZEND_ASSERT(!(blocks[cfg->map[op_array->live_range[i].end]].flags & ZEND_BB_REACHABLE));
935			} else {
936				uint32_t start_op = blocks[cfg->map[op_array->live_range[i].start]].start;
937				uint32_t end_op = blocks[cfg->map[op_array->live_range[i].end]].start;
938
939				if (start_op == end_op) {
940					/* skip empty live range */
941					continue;
942				}
943				op_array->live_range[i].start = start_op;
944				op_array->live_range[i].end = end_op;
945				map[i] = j;
946				if (i != j) {
947					op_array->live_range[j]  = op_array->live_range[i];
948				}
949				j++;
950			}
951		}
952
953		if (i != j) {
954			if ((op_array->last_live_range = j)) {
955				zend_op *opline = new_opcodes;
956				zend_op *end = opline + len;
957				while (opline != end) {
958					if ((opline->opcode == ZEND_FREE || opline->opcode == ZEND_FE_FREE) &&
959							opline->extended_value == ZEND_FREE_ON_RETURN) {
960						ZEND_ASSERT(opline->op2.num < (uint32_t) i);
961						opline->op2.num = map[opline->op2.num];
962					}
963					opline++;
964				}
965			} else {
966				efree(op_array->live_range);
967				op_array->live_range = NULL;
968			}
969		}
970		free_alloca(map, use_heap);
971	}
972
973	/* adjust early binding list */
974	if (op_array->early_binding != (uint32_t)-1) {
975		uint32_t *opline_num = &op_array->early_binding;
976		zend_op *end;
977
978		opline = op_array->opcodes;
979		end = opline + op_array->last;
980		while (opline < end) {
981			if (opline->opcode == ZEND_DECLARE_INHERITED_CLASS_DELAYED) {
982				*opline_num = opline - op_array->opcodes;
983				opline_num = &ZEND_RESULT(opline).opline_num;
984			}
985			++opline;
986		}
987		*opline_num = -1;
988	}
989
990	/* rebuild map (just for printing) */
991	memset(cfg->map, -1, sizeof(int) * op_array->last);
992	for (n = 0; n < cfg->blocks_count; n++) {
993		if (cfg->blocks[n].flags & ZEND_BB_REACHABLE) {
994			cfg->map[cfg->blocks[n].start] = n;
995		}
996	}
997}
998
999static void zend_jmp_optimization(zend_basic_block *block, zend_op_array *op_array, zend_cfg *cfg, zend_uchar *same_t)
1000{
1001	/* last_op is the last opcode of the current block */
1002	zend_basic_block *blocks = cfg->blocks;
1003	zend_op *last_op;
1004
1005	ZEND_ASSERT(block->start <= block->end);
1006	last_op = op_array->opcodes + block->end;
1007	switch (last_op->opcode) {
1008		case ZEND_JMP:
1009			{
1010				zend_basic_block *target_block = blocks + block->successors[0];
1011				zend_op *target = op_array->opcodes + target_block->start;
1012				int next = (block - blocks) + 1;
1013
1014				while (next < cfg->blocks_count && !(blocks[next].flags & ZEND_BB_REACHABLE)) {
1015					/* find used one */
1016					next++;
1017				}
1018
1019				/* JMP(next) -> NOP */
1020				if (block->successors[0] == next) {
1021					MAKE_NOP(last_op);
1022					if (block->start != block->end) {
1023						block->end--;
1024					}
1025					break;
1026				}
1027
1028				if (target->opcode == ZEND_JMP &&
1029					block->successors[0] != target_block->successors[0] &&
1030					!(target_block->flags & ZEND_BB_PROTECTED)) {
1031					/* JMP L, L: JMP L1 -> JMP L1 */
1032					*last_op = *target;
1033					DEL_SOURCE(block, block->successors[0]);
1034					block->successors[0] = target_block->successors[0];
1035					ADD_SOURCE(block, block->successors[0]);
1036				} else if (target->opcode == ZEND_JMPZNZ &&
1037				           !(target_block->flags & ZEND_BB_PROTECTED)) {
1038					/* JMP L, L: JMPZNZ L1,L2 -> JMPZNZ L1,L2 */
1039					*last_op = *target;
1040					if (ZEND_OP1_TYPE(last_op) == IS_CONST) {
1041						zval zv = ZEND_OP1_LITERAL(last_op);
1042						zval_copy_ctor(&zv);
1043						last_op->op1.constant = zend_optimizer_add_literal(op_array, &zv);
1044					}
1045					DEL_SOURCE(block, block->successors[0]);
1046					block->successors[0] = target_block->successors[0];
1047					block->successors[1] = target_block->successors[1];
1048					ADD_SOURCE(block, block->successors[0]);
1049					ADD_SOURCE(block, block->successors[1]);
1050				} else if ((target->opcode == ZEND_RETURN ||
1051				            target->opcode == ZEND_RETURN_BY_REF ||
1052				            target->opcode == ZEND_EXIT) &&
1053				           !(op_array->fn_flags & ZEND_ACC_HAS_FINALLY_BLOCK)) {
1054					/* JMP L, L: RETURN to immediate RETURN */
1055					*last_op = *target;
1056					if (ZEND_OP1_TYPE(last_op) == IS_CONST) {
1057						zval zv = ZEND_OP1_LITERAL(last_op);
1058						zval_copy_ctor(&zv);
1059						last_op->op1.constant = zend_optimizer_add_literal(op_array, &zv);
1060					}
1061					DEL_SOURCE(block, block->successors[0]);
1062					block->successors[0] = -1;
1063#if 0
1064				/* Temporarily disabled - see bug #0025274 */
1065				} else if (0&& block->op1_to != block &&
1066			           block->op1_to != blocks &&
1067						   op_array->last_try_catch == 0 &&
1068				           target->opcode != ZEND_FREE) {
1069				    /* Block Reordering (saves one JMP on each "for" loop iteration)
1070				     * It is disabled for some cases (ZEND_FREE)
1071				     * which may break register allocation.
1072            	     */
1073					zend_bool can_reorder = 0;
1074					zend_block_source *cs = block->op1_to->sources;
1075
1076					/* the "target" block doesn't had any followed block */
1077					while(cs) {
1078						if (cs->from->follow_to == block->op1_to) {
1079							can_reorder = 0;
1080							break;
1081						}
1082						cs = cs->next;
1083					}
1084					if (can_reorder) {
1085						next = block->op1_to;
1086						/* the "target" block is not followed by current "block" */
1087						while (next->follow_to != NULL) {
1088							if (next->follow_to == block) {
1089								can_reorder = 0;
1090								break;
1091							}
1092							next = next->follow_to;
1093						}
1094						if (can_reorder) {
1095							zend_basic_block *prev = blocks;
1096
1097							while (prev->next != block->op1_to) {
1098								prev = prev->next;
1099							}
1100							prev->next = next->next;
1101							next->next = block->next;
1102							block->next = block->op1_to;
1103
1104							block->follow_to = block->op1_to;
1105							block->op1_to = NULL;
1106							MAKE_NOP(last_op);
1107							block->len--;
1108							if(block->len == 0) {
1109								/* this block is nothing but NOP now */
1110								delete_code_block(block, ctx);
1111							}
1112							break;
1113						}
1114					}
1115#endif
1116				}
1117			}
1118			break;
1119
1120		case ZEND_JMPZ:
1121		case ZEND_JMPNZ:
1122			/* constant conditional JMPs */
1123			if (ZEND_OP1_TYPE(last_op) == IS_CONST) {
1124				int should_jmp = zend_is_true(&ZEND_OP1_LITERAL(last_op));
1125
1126				if (last_op->opcode == ZEND_JMPZ) {
1127					should_jmp = !should_jmp;
1128				}
1129				literal_dtor(&ZEND_OP1_LITERAL(last_op));
1130				ZEND_OP1_TYPE(last_op) = IS_UNUSED;
1131				if (should_jmp) {
1132					/* JMPNZ(true) -> JMP */
1133					last_op->opcode = ZEND_JMP;
1134					DEL_SOURCE(block, block->successors[1]);
1135					block->successors[1] = -1;
1136				} else {
1137					/* JMPNZ(false) -> NOP */
1138					MAKE_NOP(last_op);
1139					DEL_SOURCE(block, block->successors[0]);
1140					block->successors[0] = block->successors[1];
1141					block->successors[1] = -1;
1142				}
1143				break;
1144			}
1145
1146			if (block->successors[0] == block->successors[1]) {
1147				/* L: JMP[N]Z(X, L+1) -> NOP or FREE(X) */
1148
1149				if (last_op->op1_type & (IS_VAR|IS_TMP_VAR)) {
1150					last_op->opcode = ZEND_FREE;
1151					last_op->op2.num = 0;
1152				} else {
1153					MAKE_NOP(last_op);
1154				}
1155				block->successors[1] = -1;
1156				break;
1157			}
1158
1159			if (1) {
1160				zend_uchar same_type = ZEND_OP1_TYPE(last_op);
1161				uint32_t same_var = VAR_NUM_EX(last_op->op1);
1162				zend_op *target;
1163				zend_op *target_end;
1164				zend_basic_block *target_block = blocks + block->successors[0];
1165
1166next_target:
1167				target = op_array->opcodes + target_block->start;
1168				target_end = op_array->opcodes + target_block->end + 1;
1169				while (target < target_end && target->opcode == ZEND_NOP) {
1170					target++;
1171				}
1172
1173				/* next block is only NOP's */
1174				if (target == target_end) {
1175					target_block = blocks + target_block->successors[0];
1176					goto next_target;
1177				} else if (target->opcode == INV_COND(last_op->opcode) &&
1178					/* JMPZ(X, L), L: JMPNZ(X, L2) -> JMPZ(X, L+1) */
1179				   (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1180				   same_type == ZEND_OP1_TYPE(target) &&
1181				   same_var == VAR_NUM_EX(target->op1) &&
1182				   !(target_block->flags & ZEND_BB_PROTECTED)
1183				   ) {
1184					DEL_SOURCE(block, block->successors[0]);
1185					block->successors[0] = target_block->successors[1];
1186					ADD_SOURCE(block, block->successors[0]);
1187				} else if (target->opcode == INV_COND_EX(last_op->opcode) &&
1188							(ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1189				    		same_type == ZEND_OP1_TYPE(target) &&
1190				    		same_var == VAR_NUM_EX(target->op1) &&
1191							!(target_block->flags & ZEND_BB_PROTECTED)) {
1192					/* JMPZ(X, L), L: T = JMPNZ_EX(X, L2) -> T = JMPZ_EX(X, L+1) */
1193					last_op->opcode += 3;
1194					COPY_NODE(last_op->result, target->result);
1195					DEL_SOURCE(block, block->successors[0]);
1196					block->successors[0] = target_block->successors[1];
1197					ADD_SOURCE(block, block->successors[0]);
1198				} else if (target->opcode == last_op->opcode &&
1199						   (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1200						   same_type == ZEND_OP1_TYPE(target) &&
1201						   same_var == VAR_NUM_EX(target->op1) &&
1202						   !(target_block->flags & ZEND_BB_PROTECTED)) {
1203					/* JMPZ(X, L), L: JMPZ(X, L2) -> JMPZ(X, L2) */
1204					DEL_SOURCE(block, block->successors[0]);
1205					block->successors[0] = target_block->successors[0];
1206					ADD_SOURCE(block, block->successors[0]);
1207				} else if (target->opcode == ZEND_JMP &&
1208				           !(target_block->flags & ZEND_BB_PROTECTED)) {
1209					/* JMPZ(X, L), L: JMP(L2) -> JMPZ(X, L2) */
1210					DEL_SOURCE(block, block->successors[0]);
1211					block->successors[0] = target_block->successors[0];
1212					ADD_SOURCE(block, block->successors[0]);
1213				} else if (target->opcode == ZEND_JMPZNZ &&
1214				           (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1215				           same_type == ZEND_OP1_TYPE(target) &&
1216				           same_var == VAR_NUM_EX(target->op1) &&
1217				           !(target_block->flags & ZEND_BB_PROTECTED)) {
1218					/* JMPZ(X, L), L: JMPZNZ(X, L2, L3) -> JMPZ(X, L2) */
1219					DEL_SOURCE(block, block->successors[0]);
1220					if (last_op->opcode == ZEND_JMPZ) {
1221						block->successors[0] = target_block->successors[0];
1222					} else {
1223						block->successors[0] = target_block->successors[1];
1224					}
1225					ADD_SOURCE(block, block->successors[0]);
1226				}
1227			}
1228
1229			if (last_op->opcode == ZEND_JMPZ || last_op->opcode == ZEND_JMPNZ) {
1230				zend_op *target;
1231				zend_op *target_end;
1232				zend_basic_block *target_block;
1233
1234				while (1) {
1235					target_block = blocks + block->successors[1];
1236					target = op_array->opcodes + target_block->start;
1237					target_end = op_array->opcodes + target_block->start + 1;
1238					while (target < target_end && target->opcode == ZEND_NOP) {
1239						target++;
1240					}
1241
1242					/* next block is only NOP's */
1243					if (target == target_end && !(target_block->flags & ZEND_BB_PROTECTED)) {
1244						DEL_SOURCE(block, block->successors[1]);
1245						block->successors[1] = target_block->successors[0];
1246						ADD_SOURCE(block, block->successors[1]);
1247					} else {
1248						break;
1249					}
1250				}
1251				/* JMPZ(X,L1), JMP(L2) -> JMPZNZ(X,L1,L2) */
1252				if (target->opcode == ZEND_JMP &&
1253					!(target_block->flags & ZEND_BB_PROTECTED)) {
1254					DEL_SOURCE(block, block->successors[1]);
1255					if (last_op->opcode == ZEND_JMPZ) {
1256						block->successors[1] = target_block->successors[0];
1257						ADD_SOURCE(block, block->successors[1]);
1258					} else {
1259						block->successors[1] = block->successors[0];
1260						block->successors[0] = target_block->successors[0];
1261						ADD_SOURCE(block, block->successors[0]);
1262					}
1263					last_op->opcode = ZEND_JMPZNZ;
1264				}
1265			}
1266			break;
1267
1268		case ZEND_JMPNZ_EX:
1269		case ZEND_JMPZ_EX:
1270			/* constant conditional JMPs */
1271			if (ZEND_OP1_TYPE(last_op) == IS_CONST) {
1272				int should_jmp = zend_is_true(&ZEND_OP1_LITERAL(last_op));
1273
1274				if (last_op->opcode == ZEND_JMPZ_EX) {
1275					should_jmp = !should_jmp;
1276				}
1277				if (!should_jmp) {
1278					/* T = JMPZ_EX(true,L)   -> T = QM_ASSIGN(true)
1279					 * T = JMPNZ_EX(false,L) -> T = QM_ASSIGN(false)
1280					 */
1281					last_op->opcode = ZEND_QM_ASSIGN;
1282					SET_UNUSED(last_op->op2);
1283					DEL_SOURCE(block, block->successors[0]);
1284					block->successors[0] = block->successors[1];
1285					block->successors[1] = -1;
1286				}
1287				break;
1288			}
1289
1290			if (1) {
1291				zend_op *target, *target_end;
1292				zend_basic_block *target_block;
1293				int var_num = op_array->last_var + op_array->T;
1294
1295				if (var_num <= 0) {
1296   					return;
1297				}
1298				memset(same_t, 0, var_num);
1299				same_t[VAR_NUM_EX(last_op->op1)] |= ZEND_OP1_TYPE(last_op);
1300				same_t[VAR_NUM_EX(last_op->result)] |= ZEND_RESULT_TYPE(last_op);
1301				target_block = blocks + block->successors[0];
1302next_target_ex:
1303				target = op_array->opcodes + target_block->start;
1304				target_end = op_array->opcodes + target_block->end + 1;
1305				while (target < target_end && target->opcode == ZEND_NOP) {
1306					target++;
1307				}
1308 				/* next block is only NOP's */
1309				if (target == target_end) {
1310					target_block = blocks + target_block->successors[0];
1311					goto next_target_ex;
1312				} else if (target->opcode == last_op->opcode-3 &&
1313						   (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1314						   (same_t[VAR_NUM_EX(target->op1)] & ZEND_OP1_TYPE(target)) != 0 &&
1315						   !(target_block->flags & ZEND_BB_PROTECTED)) {
1316					/* T = JMPZ_EX(X, L1), L1: JMPZ({X|T}, L2) -> T = JMPZ_EX(X, L2) */
1317					DEL_SOURCE(block, block->successors[0]);
1318					block->successors[0] = target_block->successors[0];
1319					ADD_SOURCE(block, block->successors[0]);
1320				} else if (target->opcode == INV_EX_COND(last_op->opcode) &&
1321					   	   (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1322						   (same_t[VAR_NUM_EX(target->op1)] & ZEND_OP1_TYPE(target)) != 0 &&
1323						   !(target_block->flags & ZEND_BB_PROTECTED)) {
1324					/* T = JMPZ_EX(X, L1), L1: JMPNZ({X|T1}, L2) -> T = JMPZ_EX(X, L1+1) */
1325					DEL_SOURCE(block, block->successors[0]);
1326					block->successors[0] = target_block->successors[1];
1327					ADD_SOURCE(block, block->successors[0]);
1328				} else if (target->opcode == INV_EX_COND_EX(last_op->opcode) &&
1329					       (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1330						   (same_t[VAR_NUM_EX(target->op1)] & ZEND_OP1_TYPE(target)) != 0 &&
1331						   (same_t[VAR_NUM_EX(target->result)] & ZEND_RESULT_TYPE(target)) != 0 &&
1332						   !(target_block->flags & ZEND_BB_PROTECTED)) {
1333					/* T = JMPZ_EX(X, L1), L1: T = JMPNZ_EX(T, L2) -> T = JMPZ_EX(X, L1+1) */
1334					DEL_SOURCE(block, block->successors[0]);
1335					block->successors[0] = target_block->successors[1];
1336					ADD_SOURCE(block, block->successors[0]);
1337				} else if (target->opcode == last_op->opcode &&
1338						   (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1339						   (same_t[VAR_NUM_EX(target->op1)] & ZEND_OP1_TYPE(target)) != 0 &&
1340						   (same_t[VAR_NUM_EX(target->result)] & ZEND_RESULT_TYPE(target)) != 0 &&
1341						   !(target_block->flags & ZEND_BB_PROTECTED)) {
1342					/* T = JMPZ_EX(X, L1), L1: T = JMPZ({X|T}, L2) -> T = JMPZ_EX(X, L2) */
1343					DEL_SOURCE(block, block->successors[0]);
1344					block->successors[0] = target_block->successors[0];
1345					ADD_SOURCE(block, block->successors[0]);
1346				} else if (target->opcode == ZEND_JMP &&
1347						   !(target_block->flags & ZEND_BB_PROTECTED)) {
1348					/* T = JMPZ_EX(X, L), L: JMP(L2) -> T = JMPZ(X, L2) */
1349					DEL_SOURCE(block, block->successors[0]);
1350					block->successors[0] = target_block->successors[0];
1351					ADD_SOURCE(block, block->successors[0]);
1352				} else if (target->opcode == ZEND_JMPZNZ &&
1353						   (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1354						   (same_t[VAR_NUM_EX(target->op1)] & ZEND_OP1_TYPE(target)) != 0 &&
1355						   !(target_block->flags & ZEND_BB_PROTECTED)) {
1356					/* T = JMPZ_EX(X, L), L: JMPZNZ({X|T}, L2, L3) -> T = JMPZ_EX(X, L2) */
1357					DEL_SOURCE(block, block->successors[0]);
1358					if (last_op->opcode == ZEND_JMPZ_EX) {
1359						block->successors[0] = target_block->successors[0];
1360					} else {
1361						block->successors[0] = target_block->successors[1];
1362					}
1363					ADD_SOURCE(block, block->successors[0]);
1364				}
1365			}
1366			break;
1367
1368		case ZEND_JMPZNZ: {
1369			int next = (block - blocks) + 1;
1370
1371			while (next < cfg->blocks_count && !(blocks[next].flags & ZEND_BB_REACHABLE)) {
1372				/* find first accessed one */
1373				next++;
1374			}
1375
1376			if (ZEND_OP1_TYPE(last_op) == IS_CONST) {
1377				if (!zend_is_true(&ZEND_OP1_LITERAL(last_op))) {
1378					/* JMPZNZ(false,L1,L2) -> JMP(L1) */
1379					literal_dtor(&ZEND_OP1_LITERAL(last_op));
1380					last_op->opcode = ZEND_JMP;
1381					SET_UNUSED(last_op->op1);
1382					SET_UNUSED(last_op->op2);
1383					DEL_SOURCE(block, block->successors[1]);
1384					block->successors[1] = -1;
1385				} else {
1386					/* JMPZNZ(true,L1,L2) -> JMP(L2) */
1387					literal_dtor(&ZEND_OP1_LITERAL(last_op));
1388					last_op->opcode = ZEND_JMP;
1389					SET_UNUSED(last_op->op1);
1390					SET_UNUSED(last_op->op2);
1391					DEL_SOURCE(block, block->successors[0]);
1392					block->successors[0] = block->successors[1];
1393					block->successors[1] = -1;
1394				}
1395			} else if (block->successors[0] == block->successors[1]) {
1396				/* both goto the same one - it's JMP */
1397				if (!(last_op->op1_type & (IS_VAR|IS_TMP_VAR))) {
1398					/* JMPZNZ(?,L,L) -> JMP(L) */
1399					last_op->opcode = ZEND_JMP;
1400					SET_UNUSED(last_op->op1);
1401					SET_UNUSED(last_op->op2);
1402					block->successors[1] = -1;
1403				}
1404			} else if (block->successors[0] == next) {
1405				/* jumping to next on Z - can follow to it and jump only on NZ */
1406				/* JMPZNZ(X,L1,L2) L1: -> JMPNZ(X,L2) */
1407				last_op->opcode = ZEND_JMPNZ;
1408				block->successors[0] = block->successors[1];
1409				block->successors[1] = next;
1410				/* no need to add source */
1411			} else if (block->successors[1] == next) {
1412				/* jumping to next on NZ - can follow to it and jump only on Z */
1413				/* JMPZNZ(X,L1,L2) L2: -> JMPZ(X,L1) */
1414				last_op->opcode = ZEND_JMPZ;
1415				/* no need to add source */
1416			}
1417
1418			if (last_op->opcode == ZEND_JMPZNZ) {
1419				zend_uchar same_type = ZEND_OP1_TYPE(last_op);
1420				zend_uchar same_var = VAR_NUM_EX(last_op->op1);
1421				zend_op *target;
1422				zend_op *target_end;
1423				zend_basic_block *target_block = blocks + block->successors[0];
1424
1425next_target_znz:
1426				target = op_array->opcodes + target_block->start;
1427				target_end = op_array->opcodes + target_block->end + 1;
1428				while (target < target_end && target->opcode == ZEND_NOP) {
1429					target++;
1430				}
1431				/* next block is only NOP's */
1432				if (target == target_end) {
1433					target_block = blocks + target_block->successors[0];
1434					goto next_target_znz;
1435				} else if ((target->opcode == ZEND_JMPZ || target->opcode == ZEND_JMPZNZ) &&
1436						   (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1437						   same_type == ZEND_OP1_TYPE(target) &&
1438						   same_var == VAR_NUM_EX(target->op1) &&
1439						   !(target_block->flags & ZEND_BB_PROTECTED)) {
1440				    /* JMPZNZ(X, L1, L2), L1: JMPZ(X, L3) -> JMPZNZ(X, L3, L2) */
1441					DEL_SOURCE(block, block->successors[0]);
1442					block->successors[0] = target_block->successors[0];
1443					ADD_SOURCE(block, block->successors[0]);
1444				} else if (target->opcode == ZEND_JMPNZ &&
1445						   (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1446						   same_type == ZEND_OP1_TYPE(target) &&
1447						   same_var == VAR_NUM_EX(target->op1) &&
1448						   !(target_block->flags & ZEND_BB_PROTECTED)) {
1449                    /* JMPZNZ(X, L1, L2), L1: X = JMPNZ(X, L3) -> JMPZNZ(X, L1+1, L2) */
1450					DEL_SOURCE(block, block->successors[0]);
1451					block->successors[0] = target_block->successors[1];
1452					ADD_SOURCE(block, block->successors[0]);
1453				} else if (target->opcode == ZEND_JMP &&
1454					       !(target_block->flags & ZEND_BB_PROTECTED)) {
1455                    /* JMPZNZ(X, L1, L2), L1: JMP(L3) -> JMPZNZ(X, L3, L2) */
1456					DEL_SOURCE(block, block->successors[0]);
1457					block->successors[0] = target_block->successors[0];
1458					ADD_SOURCE(block, block->successors[0]);
1459				}
1460			}
1461			break;
1462		}
1463	}
1464}
1465
1466/* Global data dependencies */
1467
1468/* Find a set of variables which are used outside of the block where they are
1469 * defined. We won't apply some optimization patterns for such variables. */
1470static void zend_t_usage(zend_cfg *cfg, zend_op_array *op_array, zend_bitset used_ext, zend_optimizer_ctx *ctx)
1471{
1472	int n;
1473	zend_basic_block *block, *next_block;
1474	uint32_t var_num;
1475	uint32_t bitset_len;
1476	zend_bitset usage;
1477	zend_bitset defined_here;
1478	void *checkpoint;
1479	zend_op *opline, *end;
1480
1481
1482	if (op_array->T == 0) {
1483		/* shortcut - if no Ts, nothing to do */
1484		return;
1485	}
1486
1487	checkpoint = zend_arena_checkpoint(ctx->arena);
1488	bitset_len = zend_bitset_len(op_array->last_var + op_array->T);
1489	defined_here = zend_arena_alloc(&ctx->arena, bitset_len * ZEND_BITSET_ELM_SIZE);
1490
1491	zend_bitset_clear(defined_here, bitset_len);
1492	for (n = 1; n < cfg->blocks_count; n++) {
1493		block = cfg->blocks + n;
1494
1495		if (!(block->flags & ZEND_BB_REACHABLE)) {
1496			continue;
1497		}
1498
1499		opline = op_array->opcodes + block->start;
1500		end = op_array->opcodes + block->end + 1;
1501		if (!(block->flags & ZEND_BB_FOLLOW) ||
1502		    (block->flags & ZEND_BB_TARGET)) {
1503			/* Skip continuation of "extended" BB */
1504			zend_bitset_clear(defined_here, bitset_len);
1505		}
1506
1507		while (opline<end) {
1508			if (opline->op1_type & (IS_VAR|IS_TMP_VAR)) {
1509				var_num = VAR_NUM(opline->op1.var);
1510				if (!zend_bitset_in(defined_here, var_num)) {
1511					zend_bitset_incl(used_ext, var_num);
1512				}
1513			}
1514			if (opline->op2_type == IS_VAR) {
1515				var_num = VAR_NUM(opline->op2.var);
1516				if (opline->opcode == ZEND_FE_FETCH_R ||
1517				    opline->opcode == ZEND_FE_FETCH_RW) {
1518					/* these opcode use the op2 as result */
1519					zend_bitset_incl(defined_here, var_num);
1520				} else if (!zend_bitset_in(defined_here, var_num)) {
1521					zend_bitset_incl(used_ext, var_num);
1522				}
1523			} else if (opline->op2_type == IS_TMP_VAR) {
1524				var_num = VAR_NUM(opline->op2.var);
1525				if (!zend_bitset_in(defined_here, var_num)) {
1526					zend_bitset_incl(used_ext, var_num);
1527				}
1528			}
1529
1530			if (opline->result_type == IS_VAR) {
1531				var_num = VAR_NUM(opline->result.var);
1532				zend_bitset_incl(defined_here, var_num);
1533			} else if (opline->result_type == IS_TMP_VAR) {
1534				var_num = VAR_NUM(opline->result.var);
1535				switch (opline->opcode) {
1536					case ZEND_ADD_ARRAY_ELEMENT:
1537					case ZEND_ROPE_ADD:
1538						/* these opcodes use the result as argument */
1539						if (!zend_bitset_in(defined_here, var_num)) {
1540							zend_bitset_incl(used_ext, var_num);
1541						}
1542						break;
1543					default :
1544						zend_bitset_incl(defined_here, var_num);
1545				}
1546			}
1547			opline++;
1548		}
1549	}
1550
1551	if (ctx->debug_level & ZEND_DUMP_BLOCK_PASS_VARS) {
1552		int printed = 0;
1553		uint32_t i;
1554
1555		for (i = op_array->last_var; i< op_array->T; i++) {
1556			if (zend_bitset_in(used_ext, i)) {
1557				if (!printed) {
1558					fprintf(stderr, "NON-LOCAL-VARS: %d", i);
1559					printed = 1;
1560				} else {
1561					fprintf(stderr, ", %d", i);
1562				}
1563			}
1564		}
1565		if (printed) {
1566			fprintf(stderr, "\n");
1567		}
1568	}
1569
1570	usage = defined_here;
1571	next_block = NULL;
1572	for (n = cfg->blocks_count; n > 0;) {
1573		block = cfg->blocks + (--n);
1574
1575		if (!(block->flags & ZEND_BB_REACHABLE)) {
1576			continue;
1577		}
1578
1579		opline = op_array->opcodes + block->end;
1580		end = op_array->opcodes + block->start;
1581		if (!next_block ||
1582		    !(next_block->flags & ZEND_BB_FOLLOW) ||
1583		    (next_block->flags & ZEND_BB_TARGET)) {
1584			/* Skip continuation of "extended" BB */
1585			zend_bitset_copy(usage, used_ext, bitset_len);
1586		} else if (block->successors[1] != -1) {
1587			zend_bitset_union(usage, used_ext, bitset_len);
1588		}
1589		next_block = block;
1590
1591		while (opline >= end) {
1592			/* usage checks */
1593			if (opline->result_type == IS_VAR) {
1594				if (!zend_bitset_in(usage, VAR_NUM(opline->result.var))) {
1595					switch (opline->opcode) {
1596						case ZEND_ASSIGN_ADD:
1597						case ZEND_ASSIGN_SUB:
1598						case ZEND_ASSIGN_MUL:
1599						case ZEND_ASSIGN_DIV:
1600						case ZEND_ASSIGN_POW:
1601						case ZEND_ASSIGN_MOD:
1602						case ZEND_ASSIGN_SL:
1603						case ZEND_ASSIGN_SR:
1604						case ZEND_ASSIGN_CONCAT:
1605						case ZEND_ASSIGN_BW_OR:
1606						case ZEND_ASSIGN_BW_AND:
1607						case ZEND_ASSIGN_BW_XOR:
1608						case ZEND_PRE_INC:
1609						case ZEND_PRE_DEC:
1610						case ZEND_ASSIGN:
1611						case ZEND_ASSIGN_REF:
1612						case ZEND_DO_FCALL:
1613						case ZEND_DO_ICALL:
1614						case ZEND_DO_UCALL:
1615						case ZEND_DO_FCALL_BY_NAME:
1616							opline->result_type = IS_UNUSED;
1617							break;
1618					}
1619				} else {
1620					zend_bitset_excl(usage, VAR_NUM(opline->result.var));
1621				}
1622			} else if (opline->result_type == IS_TMP_VAR) {
1623				if (!zend_bitset_in(usage, VAR_NUM(opline->result.var))) {
1624					switch (opline->opcode) {
1625						case ZEND_POST_INC:
1626						case ZEND_POST_DEC:
1627							opline->opcode -= 2;
1628							opline->result_type = IS_UNUSED;
1629							break;
1630						case ZEND_QM_ASSIGN:
1631						case ZEND_BOOL:
1632						case ZEND_BOOL_NOT:
1633							if (ZEND_OP1_TYPE(opline) == IS_CONST) {
1634								literal_dtor(&ZEND_OP1_LITERAL(opline));
1635							} else if (ZEND_OP1_TYPE(opline) == IS_TMP_VAR) {
1636								opline->opcode = ZEND_FREE;
1637							} else {
1638								MAKE_NOP(opline);
1639							}
1640							break;
1641						case ZEND_JMPZ_EX:
1642						case ZEND_JMPNZ_EX:
1643							opline->opcode -= 3;
1644							SET_UNUSED(opline->result);
1645							break;
1646						case ZEND_ADD_ARRAY_ELEMENT:
1647						case ZEND_ROPE_ADD:
1648							zend_bitset_incl(usage, VAR_NUM(opline->result.var));
1649							break;
1650					}
1651				} else {
1652					switch (opline->opcode) {
1653						case ZEND_ADD_ARRAY_ELEMENT:
1654						case ZEND_ROPE_ADD:
1655							break;
1656						default:
1657							zend_bitset_excl(usage, VAR_NUM(opline->result.var));
1658							break;
1659					}
1660				}
1661			}
1662
1663			if (opline->op2_type == IS_VAR) {
1664				switch (opline->opcode) {
1665					case ZEND_FE_FETCH_R:
1666					case ZEND_FE_FETCH_RW:
1667						zend_bitset_excl(usage, VAR_NUM(opline->op2.var));
1668						break;
1669					default:
1670						zend_bitset_incl(usage, VAR_NUM(opline->op2.var));
1671						break;
1672				}
1673			} else if (opline->op2_type == IS_TMP_VAR) {
1674				zend_bitset_incl(usage, VAR_NUM(opline->op2.var));
1675			}
1676
1677			if (opline->op1_type & (IS_VAR|IS_TMP_VAR)) {
1678				zend_bitset_incl(usage, VAR_NUM(opline->op1.var));
1679			}
1680
1681			opline--;
1682		}
1683	}
1684
1685	zend_arena_release(&ctx->arena, checkpoint);
1686}
1687
1688static void zend_merge_blocks(zend_op_array *op_array, zend_cfg *cfg)
1689{
1690	int i;
1691	zend_basic_block *b, *bb;
1692	zend_basic_block *prev = NULL;
1693
1694	for (i = 0; i < cfg->blocks_count; i++) {
1695		b = cfg->blocks + i;
1696		if (b->flags & ZEND_BB_REACHABLE) {
1697			if ((b->flags & ZEND_BB_FOLLOW) &&
1698			    !(b->flags & (ZEND_BB_TARGET | ZEND_BB_PROTECTED)) &&
1699			    prev &&
1700			    prev->successors[0] == i && prev->successors[1] == -1) {
1701
1702				if (op_array->opcodes[prev->end].opcode == ZEND_JMP) {
1703					MAKE_NOP(op_array->opcodes + prev->end);
1704				}
1705
1706				for (bb = prev + 1; bb != b; bb++) {
1707					zend_op *op = op_array->opcodes + bb->start;
1708					zend_op *end = op_array->opcodes + bb->end;
1709					while (op <= end) {
1710						if (ZEND_OP1_TYPE(op) == IS_CONST) {
1711							literal_dtor(&ZEND_OP1_LITERAL(op));
1712						}
1713						if (ZEND_OP2_TYPE(op) == IS_CONST) {
1714							literal_dtor(&ZEND_OP2_LITERAL(op));
1715						}
1716						MAKE_NOP(op);
1717						op++;
1718					}
1719					/* make block empty */
1720					bb->start = bb->end + 1;
1721				}
1722
1723				/* re-link */
1724			    prev->flags |= (b->flags & ZEND_BB_EXIT);
1725				prev->end = b->end;
1726				prev->successors[0] = b->successors[0];
1727				prev->successors[1] = b->successors[1];
1728
1729				/* unlink & make block empty and unreachable */
1730				b->flags = 0;
1731				b->start = b->end + 1;
1732				b->successors[0] = -1;
1733				b->successors[1] = -1;
1734			} else {
1735				prev = b;
1736			}
1737		}
1738	}
1739}
1740
1741#define PASSES 3
1742
1743void zend_optimize_cfg(zend_op_array *op_array, zend_optimizer_ctx *ctx)
1744{
1745	zend_cfg cfg;
1746	zend_basic_block *blocks, *end, *b;
1747	int pass;
1748	uint32_t bitset_len;
1749	zend_bitset usage;
1750	void *checkpoint;
1751	zend_op **Tsource;
1752	zend_uchar *same_t;
1753
1754    /* Build CFG */
1755	checkpoint = zend_arena_checkpoint(ctx->arena);
1756	if (zend_build_cfg(&ctx->arena, op_array, ZEND_CFG_SPLIT_AT_LIVE_RANGES, &cfg, NULL) != SUCCESS) {
1757		zend_arena_release(&ctx->arena, checkpoint);
1758		return;
1759	}
1760
1761	if (ctx->debug_level & ZEND_DUMP_BEFORE_BLOCK_PASS) {
1762		zend_dump_op_array(op_array, ZEND_DUMP_CFG, "before block pass", &cfg);
1763	}
1764
1765	if (op_array->last_var || op_array->T) {
1766		bitset_len = zend_bitset_len(op_array->last_var + op_array->T);
1767		Tsource = zend_arena_calloc(&ctx->arena, op_array->last_var + op_array->T, sizeof(zend_op *));
1768		same_t = zend_arena_alloc(&ctx->arena, op_array->last_var + op_array->T);
1769		usage = zend_arena_alloc(&ctx->arena, bitset_len * ZEND_BITSET_ELM_SIZE);
1770	} else {
1771		bitset_len = 0;
1772		Tsource = NULL;
1773		same_t = NULL;
1774		usage = NULL;
1775	}
1776	blocks = cfg.blocks;
1777	end = blocks + cfg.blocks_count;
1778	for (pass = 0; pass < PASSES; pass++) {
1779		/* Compute data dependencies */
1780		zend_bitset_clear(usage, bitset_len);
1781		zend_t_usage(&cfg, op_array, usage, ctx);
1782
1783		/* optimize each basic block separately */
1784		for (b = blocks; b < end; b++) {
1785			if (!(b->flags & ZEND_BB_REACHABLE)) {
1786				continue;
1787			}
1788			/* we track data dependencies only insight a single basic block */
1789			if (!(b->flags & ZEND_BB_FOLLOW) ||
1790			    (b->flags & ZEND_BB_TARGET)) {
1791				/* Skip continuation of "extended" BB */
1792				memset(Tsource, 0, (op_array->last_var + op_array->T) * sizeof(zend_op *));
1793			}
1794			zend_optimize_block(b, op_array, usage, &cfg, Tsource);
1795		}
1796
1797		/* Jump optimization for each block */
1798		for (b = blocks; b < end; b++) {
1799			if (b->flags & ZEND_BB_REACHABLE) {
1800				zend_jmp_optimization(b, op_array, &cfg, same_t);
1801			}
1802		}
1803
1804		/* Eliminate unreachable basic blocks */
1805		zend_cfg_remark_reachable_blocks(op_array, &cfg);
1806
1807		/* Merge Blocks */
1808		zend_merge_blocks(op_array, &cfg);
1809	}
1810
1811	zend_bitset_clear(usage, bitset_len);
1812	zend_t_usage(&cfg, op_array, usage, ctx);
1813	assemble_code_blocks(&cfg, op_array);
1814
1815	if (ctx->debug_level & ZEND_DUMP_AFTER_BLOCK_PASS) {
1816		zend_dump_op_array(op_array, ZEND_DUMP_CFG | ZEND_DUMP_HIDE_UNREACHABLE, "after block pass", &cfg);
1817	}
1818
1819	/* Destroy CFG */
1820	zend_arena_release(&ctx->arena, checkpoint);
1821}
1822