1/*
2   +----------------------------------------------------------------------+
3   | Zend OPcache                                                         |
4   +----------------------------------------------------------------------+
5   | Copyright (c) 1998-2015 The PHP Group                                |
6   +----------------------------------------------------------------------+
7   | This source file is subject to version 3.01 of the PHP license,      |
8   | that is bundled with this package in the file LICENSE, and is        |
9   | available through the world-wide-web at the following url:           |
10   | http://www.php.net/license/3_01.txt                                  |
11   | If you did not receive a copy of the PHP license and are unable to   |
12   | obtain it through the world-wide-web, please send a note to          |
13   | license@php.net so we can mail you a copy immediately.               |
14   +----------------------------------------------------------------------+
15   | Authors: Andi Gutmans <andi@zend.com>                                |
16   |          Zeev Suraski <zeev@zend.com>                                |
17   |          Stanislav Malyshev <stas@zend.com>                          |
18   |          Dmitry Stogov <dmitry@zend.com>                             |
19   +----------------------------------------------------------------------+
20*/
21
22#include "php.h"
23#include "Optimizer/zend_optimizer.h"
24#include "Optimizer/zend_optimizer_internal.h"
25#include "zend_API.h"
26#include "zend_constants.h"
27#include "zend_execute.h"
28#include "zend_vm.h"
29
30#define DEBUG_BLOCKPASS 0
31
32/* Checks if a constant (like "true") may be replaced by its value */
33int zend_optimizer_get_persistent_constant(zend_string *name, zval *result, int copy)
34{
35    zend_constant *c;
36    char *lookup_name;
37    int retval = 1;
38    ALLOCA_FLAG(use_heap);
39
40    if ((c = zend_hash_find_ptr(EG(zend_constants), name)) == NULL) {
41        lookup_name = DO_ALLOCA(name->len + 1);
42        memcpy(lookup_name, name->val, name->len + 1);
43        zend_str_tolower(lookup_name, name->len);
44
45        if ((c = zend_hash_str_find_ptr(EG(zend_constants), lookup_name, name->len)) != NULL) {
46            if (!(c->flags & CONST_CT_SUBST) || (c->flags & CONST_CS)) {
47                retval = 0;
48            }
49        } else {
50            retval = 0;
51        }
52        FREE_ALLOCA(lookup_name);
53    }
54
55    if (retval) {
56        if (c->flags & CONST_PERSISTENT) {
57            ZVAL_COPY_VALUE(result, &c->value);
58            if (copy) {
59                zval_copy_ctor(result);
60            }
61        } else {
62            retval = 0;
63        }
64    }
65
66    return retval;
67}
68
69#if DEBUG_BLOCKPASS
70# define BLOCK_REF(b) b?op_array->opcodes-b->start_opline:-1
71
72static inline void print_block(zend_code_block *block, zend_op *opcodes, char *txt)
73{
74    fprintf(stderr, "%sBlock: %d-%d (%d)", txt, block->start_opline - opcodes, block->start_opline - opcodes + block->len - 1, block->len);
75    if (!block->access) {
76        fprintf(stderr, " unused");
77    }
78    if (block->op1_to) {
79        fprintf(stderr, " 1: %d", block->op1_to->start_opline - opcodes);
80    }
81    if (block->op2_to) {
82        fprintf(stderr, " 2: %d", block->op2_to->start_opline - opcodes);
83    }
84    if (block->ext_to) {
85        fprintf(stderr, " e: %d", block->ext_to->start_opline - opcodes);
86    }
87    if (block->follow_to) {
88        fprintf(stderr, " f: %d", block->follow_to->start_opline - opcodes);
89    }
90
91    if (block->sources) {
92        zend_block_source *bs = block->sources;
93        fprintf(stderr, " s:");
94        while (bs) {
95            fprintf(stderr, " %d", bs->from->start_opline - opcodes);
96            bs = bs->next;
97        }
98    }
99
100    fprintf(stderr, "\n");
101    fflush(stderr);
102}
103#else
104#define print_block(a,b,c)
105#endif
106
107#define START_BLOCK_OP(opno) blocks[opno].start_opline = &op_array->opcodes[opno]; blocks[opno].start_opline_no = opno; blocks[opno].access = 1
108
109/* find code blocks in op_array
110   code block is a set of opcodes with single flow of control, i.e. without jmps,
111   branches, etc. */
112static int find_code_blocks(zend_op_array *op_array, zend_cfg *cfg, zend_optimizer_ctx *ctx)
113{
114    zend_op *opline;
115    zend_op *end = op_array->opcodes + op_array->last;
116    zend_code_block *blocks, *cur_block;
117    uint32_t opno = 0;
118
119    memset(cfg, 0, sizeof(zend_cfg));
120    blocks = cfg->blocks = zend_arena_calloc(&ctx->arena, op_array->last + 2, sizeof(zend_code_block));
121    opline = op_array->opcodes;
122    blocks[0].start_opline = opline;
123    blocks[0].start_opline_no = 0;
124    while (opline < end) {
125        switch((unsigned)opline->opcode) {
126            case ZEND_BRK:
127            case ZEND_CONT:
128            case ZEND_GOTO:
129                /* would not optimize non-optimized BRK/CONTs - we cannot
130                 really know where it jumps, so these optimizations are
131                too dangerous */
132                return 0;
133            case ZEND_FAST_CALL:
134                START_BLOCK_OP(ZEND_OP1(opline).opline_num);
135                if (opline->extended_value) {
136                    START_BLOCK_OP(ZEND_OP2(opline).opline_num);
137                }
138                START_BLOCK_OP(opno + 1);
139                break;
140            case ZEND_FAST_RET:
141                if (opline->extended_value) {
142                    START_BLOCK_OP(ZEND_OP2(opline).opline_num);
143                }
144                START_BLOCK_OP(opno + 1);
145                break;
146            case ZEND_JMP:
147                START_BLOCK_OP(ZEND_OP1(opline).opline_num);
148                /* break missing intentionally */
149            case ZEND_RETURN:
150            case ZEND_RETURN_BY_REF:
151            case ZEND_GENERATOR_RETURN:
152            case ZEND_EXIT:
153            case ZEND_THROW:
154                /* start new block from this+1 */
155                START_BLOCK_OP(opno + 1);
156                break;
157                /* TODO: if conditional jmp depends on constant,
158                         don't start block that won't be executed */
159            case ZEND_CATCH:
160                START_BLOCK_OP(opline->extended_value);
161                START_BLOCK_OP(opno + 1);
162                break;
163            case ZEND_JMPZNZ:
164                START_BLOCK_OP(opline->extended_value);
165            case ZEND_JMPZ:
166            case ZEND_JMPNZ:
167            case ZEND_JMPZ_EX:
168            case ZEND_JMPNZ_EX:
169            case ZEND_FE_RESET_R:
170            case ZEND_FE_RESET_RW:
171            case ZEND_NEW:
172            case ZEND_JMP_SET:
173            case ZEND_COALESCE:
174            case ZEND_ASSERT_CHECK:
175                START_BLOCK_OP(ZEND_OP2(opline).opline_num);
176                START_BLOCK_OP(opno + 1);
177                break;
178            case ZEND_FE_FETCH_R:
179            case ZEND_FE_FETCH_RW:
180                START_BLOCK_OP(ZEND_OP2(opline).opline_num);
181                START_BLOCK_OP(opno + 2);
182                break;
183        }
184        opno++;
185        opline++;
186    }
187
188    /* first find block start points */
189    if (op_array->last_try_catch) {
190        int i;
191        cfg->try = zend_arena_calloc(&ctx->arena, op_array->last_try_catch, sizeof(zend_code_block *));
192        cfg->catch = zend_arena_calloc(&ctx->arena, op_array->last_try_catch, sizeof(zend_code_block *));
193        for (i = 0; i< op_array->last_try_catch; i++) {
194            cfg->try[i] = &blocks[op_array->try_catch_array[i].try_op];
195            cfg->catch[i] = &blocks[op_array->try_catch_array[i].catch_op];
196            START_BLOCK_OP(op_array->try_catch_array[i].try_op);
197            START_BLOCK_OP(op_array->try_catch_array[i].catch_op);
198            blocks[op_array->try_catch_array[i].try_op].protected = 1;
199        }
200    }
201    /* Currently, we don't optimize op_arrays with BRK/CONT/GOTO opcodes,
202     * but, we have to keep brk_cont_array to avoid memory leaks during
203     * exception handling */
204    if (op_array->last_brk_cont) {
205        int i, j;
206
207        j = 0;
208        for (i = 0; i< op_array->last_brk_cont; i++) {
209            if (op_array->brk_cont_array[i].start >= 0 &&
210                (op_array->opcodes[op_array->brk_cont_array[i].brk].opcode == ZEND_FREE ||
211                 op_array->opcodes[op_array->brk_cont_array[i].brk].opcode == ZEND_FE_FREE ||
212                 op_array->opcodes[op_array->brk_cont_array[i].brk].opcode == ZEND_END_SILENCE)) {
213                int parent = op_array->brk_cont_array[i].parent;
214
215                while (parent >= 0 &&
216                       op_array->brk_cont_array[parent].start < 0 &&
217                       (op_array->opcodes[op_array->brk_cont_array[parent].brk].opcode != ZEND_FREE ||
218                        op_array->opcodes[op_array->brk_cont_array[parent].brk].opcode != ZEND_FE_FREE ||
219                        op_array->opcodes[op_array->brk_cont_array[parent].brk].opcode != ZEND_END_SILENCE)) {
220                    parent = op_array->brk_cont_array[parent].parent;
221                }
222                op_array->brk_cont_array[i].parent = parent;
223                j++;
224            }
225        }
226        if (j) {
227            cfg->loop_start = zend_arena_calloc(&ctx->arena, op_array->last_brk_cont, sizeof(zend_code_block *));
228            cfg->loop_cont  = zend_arena_calloc(&ctx->arena, op_array->last_brk_cont, sizeof(zend_code_block *));
229            cfg->loop_brk   = zend_arena_calloc(&ctx->arena, op_array->last_brk_cont, sizeof(zend_code_block *));
230            j = 0;
231            for (i = 0; i< op_array->last_brk_cont; i++) {
232                if (op_array->brk_cont_array[i].start >= 0 &&
233                    (op_array->opcodes[op_array->brk_cont_array[i].brk].opcode == ZEND_FREE ||
234                     op_array->opcodes[op_array->brk_cont_array[i].brk].opcode == ZEND_FE_FREE ||
235                     op_array->opcodes[op_array->brk_cont_array[i].brk].opcode == ZEND_END_SILENCE)) {
236                    if (i != j) {
237                        op_array->brk_cont_array[j] = op_array->brk_cont_array[i];
238                    }
239                    cfg->loop_start[j] = &blocks[op_array->brk_cont_array[j].start];
240                    cfg->loop_cont[j]  = &blocks[op_array->brk_cont_array[j].cont];
241                    cfg->loop_brk[j]   = &blocks[op_array->brk_cont_array[j].brk];
242                    START_BLOCK_OP(op_array->brk_cont_array[j].start);
243                    START_BLOCK_OP(op_array->brk_cont_array[j].cont);
244                    START_BLOCK_OP(op_array->brk_cont_array[j].brk);
245                    blocks[op_array->brk_cont_array[j].start].protected = 1;
246                    blocks[op_array->brk_cont_array[j].brk].protected = 1;
247                    j++;
248                }
249            }
250            op_array->last_brk_cont = j;
251        } else {
252            efree(op_array->brk_cont_array);
253            op_array->brk_cont_array = NULL;
254            op_array->last_brk_cont = 0;
255        }
256    }
257
258    /* Build CFG (Control Flow Graph) */
259    cur_block = blocks;
260    for (opno = 1; opno < op_array->last; opno++) {
261        if (blocks[opno].start_opline) {
262            /* found new block start */
263            cur_block->len = blocks[opno].start_opline - cur_block->start_opline;
264            cur_block->next = &blocks[opno];
265            /* what is the last OP of previous block? */
266            opline = blocks[opno].start_opline - 1;
267            if (opline->opcode == ZEND_OP_DATA) {
268                opline--;
269            }
270            switch((unsigned)opline->opcode) {
271                case ZEND_RETURN:
272                case ZEND_RETURN_BY_REF:
273                case ZEND_GENERATOR_RETURN:
274                case ZEND_EXIT:
275                case ZEND_THROW:
276                    break;
277                case ZEND_FAST_CALL:
278                    if (opline->extended_value) {
279                        cur_block->op2_to = &blocks[ZEND_OP2(opline).opline_num];
280                    }
281                    cur_block->op1_to = &blocks[ZEND_OP1(opline).opline_num];
282                    break;
283                case ZEND_FAST_RET:
284                    if (opline->extended_value) {
285                        cur_block->op2_to = &blocks[ZEND_OP2(opline).opline_num];
286                    }
287                    break;
288                case ZEND_JMP:
289                    cur_block->op1_to = &blocks[ZEND_OP1(opline).opline_num];
290                    break;
291                case ZEND_JMPZNZ:
292                    cur_block->op2_to = &blocks[ZEND_OP2(opline).opline_num];
293                    cur_block->ext_to = &blocks[opline->extended_value];
294                    break;
295                case ZEND_CATCH:
296                    cur_block->ext_to = &blocks[opline->extended_value];
297                    cur_block->follow_to = &blocks[opno];
298                    break;
299                case ZEND_JMPZ:
300                case ZEND_JMPNZ:
301                case ZEND_JMPZ_EX:
302                case ZEND_JMPNZ_EX:
303                case ZEND_FE_RESET_R:
304                case ZEND_FE_RESET_RW:
305                case ZEND_NEW:
306                case ZEND_JMP_SET:
307                case ZEND_COALESCE:
308                case ZEND_FE_FETCH_R:
309                case ZEND_FE_FETCH_RW:
310                case ZEND_ASSERT_CHECK:
311                    cur_block->op2_to = &blocks[ZEND_OP2(opline).opline_num];
312                    /* break missing intentionally */
313                default:
314                    /* next block follows this */
315                    cur_block->follow_to = &blocks[opno];
316                    break;
317            }
318            print_block(cur_block, op_array->opcodes, "");
319            cur_block = cur_block->next;
320        }
321    }
322    cur_block->len = end - cur_block->start_opline;
323    cur_block->next = &blocks[op_array->last + 1];
324    print_block(cur_block, op_array->opcodes, "");
325
326    return 1;
327}
328
329/* CFG back references management */
330
331#define ADD_SOURCE(fromb, tob) { \
332    zend_block_source *__s = tob->sources; \
333    while (__s && __s->from != fromb) __s = __s->next; \
334    if (__s == NULL) { \
335        zend_block_source *__t = zend_arena_alloc(&ctx->arena, sizeof(zend_block_source)); \
336        __t->next = tob->sources; \
337        tob->sources = __t; \
338        __t->from = fromb; \
339    } \
340}
341
342#define DEL_SOURCE(cs) do { \
343        *(cs) = (*(cs))->next; \
344    } while (0)
345
346
347static inline void replace_source(zend_block_source *list, zend_code_block *old, zend_code_block *new)
348{
349    /* replace all references to 'old' in 'list' with 'new' */
350    zend_block_source **cs;
351    int found = 0;
352
353    for (cs = &list; *cs; cs = &((*cs)->next)) {
354        if ((*cs)->from == new) {
355            if (found) {
356                DEL_SOURCE(cs);
357            } else {
358                found = 1;
359            }
360        }
361
362        if ((*cs)->from == old) {
363            if (found) {
364                DEL_SOURCE(cs);
365            } else {
366                (*cs)->from = new;
367                found = 1;
368            }
369        }
370    }
371}
372
373static inline void del_source(zend_code_block *from, zend_code_block *to)
374{
375    /* delete source 'from' from 'to'-s sources list */
376    zend_block_source **cs = &to->sources;
377
378    if (to->sources == NULL) {
379        to->access = 0;
380        return;
381    }
382
383    while (*cs) {
384        if ((*cs)->from == from) {
385            DEL_SOURCE(cs);
386            break;
387        }
388        cs = &((*cs)->next);
389    }
390
391    if (to->sources == NULL) {
392        /* 'to' has no more sources - it's unused, will be stripped */
393        to->access = 0;
394        return;
395    }
396
397    if (!to->protected && to->sources->next == NULL) {
398        /* source to only one block */
399        zend_code_block *from_block = to->sources->from;
400
401        if (from_block->access && from_block->follow_to == to &&
402            from_block->op1_to == NULL &&
403            from_block->op2_to == NULL &&
404            from_block->ext_to == NULL) {
405            /* this block follows it's only predecessor - we can join them */
406            zend_op *new_to = from_block->start_opline + from_block->len;
407            if (new_to != to->start_opline) {
408                /* move block to new location */
409                memmove(new_to, to->start_opline, sizeof(zend_op)*to->len);
410            }
411            /* join blocks' lengths */
412            from_block->len += to->len;
413            /* move 'to'`s references to 'from' */
414            to->start_opline = NULL;
415            to->access = 0;
416            to->sources = NULL;
417            from_block->follow_to = to->follow_to;
418            if (to->op1_to) {
419                from_block->op1_to = to->op1_to;
420                replace_source(to->op1_to->sources, to, from_block);
421            }
422            if (to->op2_to) {
423                from_block->op2_to = to->op2_to;
424                replace_source(to->op2_to->sources, to, from_block);
425            }
426            if (to->ext_to) {
427                from_block->ext_to = to->ext_to;
428                replace_source(to->ext_to->sources, to, from_block);
429            }
430            if (to->follow_to) {
431                replace_source(to->follow_to->sources, to, from_block);
432            }
433            /* remove "to" from list */
434        }
435    }
436}
437
438static void delete_code_block(zend_code_block *block, zend_optimizer_ctx *ctx)
439{
440    if (block->protected) {
441        return;
442    }
443    if (block->follow_to) {
444        zend_block_source *bs = block->sources;
445        while (bs) {
446            zend_code_block *from_block = bs->from;
447            zend_code_block *to = block->follow_to;
448            if (from_block->op1_to == block) {
449                from_block->op1_to = to;
450                ADD_SOURCE(from_block, to);
451            }
452            if (from_block->op2_to == block) {
453                from_block->op2_to = to;
454                ADD_SOURCE(from_block, to);
455            }
456            if (from_block->ext_to == block) {
457                from_block->ext_to = to;
458                ADD_SOURCE(from_block, to);
459            }
460            if (from_block->follow_to == block) {
461                from_block->follow_to = to;
462                ADD_SOURCE(from_block, to);
463            }
464            bs = bs->next;
465        }
466    }
467    block->access = 0;
468}
469
470static void zend_access_path(zend_code_block *block, zend_optimizer_ctx *ctx)
471{
472    if (block->access) {
473        return;
474    }
475
476    block->access = 1;
477    if (block->op1_to) {
478        zend_access_path(block->op1_to, ctx);
479        ADD_SOURCE(block, block->op1_to);
480    }
481    if (block->op2_to) {
482        zend_access_path(block->op2_to, ctx);
483        ADD_SOURCE(block, block->op2_to);
484    }
485    if (block->ext_to) {
486        zend_access_path(block->ext_to, ctx);
487        ADD_SOURCE(block, block->ext_to);
488    }
489    if (block->follow_to) {
490        zend_access_path(block->follow_to, ctx);
491        ADD_SOURCE(block, block->follow_to);
492    }
493}
494
495/* Traverse CFG, mark reachable basic blocks and build back references */
496static void zend_rebuild_access_path(zend_cfg *cfg, zend_op_array *op_array, int find_start, zend_optimizer_ctx *ctx)
497{
498    zend_code_block *blocks = cfg->blocks;
499    zend_code_block *start = find_start? NULL : blocks;
500    zend_code_block *b;
501
502    /* Mark all blocks as unaccessible and destroy back references */
503    b = blocks;
504    while (b != NULL) {
505        if (!start && b->access) {
506            start = b;
507        }
508        b->access = 0;
509        b->sources = NULL;
510        b = b->next;
511    }
512
513    /* Walk thorough all paths */
514    zend_access_path(start, ctx);
515
516    /* Add brk/cont paths */
517    if (op_array->last_brk_cont) {
518        int i;
519        for (i=0; i< op_array->last_brk_cont; i++) {
520            zend_access_path(cfg->loop_start[i], ctx);
521            zend_access_path(cfg->loop_cont[i], ctx);
522            zend_access_path(cfg->loop_brk[i], ctx);
523        }
524    }
525
526    /* Add exception paths */
527    if (op_array->last_try_catch) {
528        int i;
529        for (i=0; i< op_array->last_try_catch; i++) {
530            if (!cfg->catch[i]->access) {
531                zend_access_path(cfg->catch[i], ctx);
532            }
533        }
534    }
535}
536
537/* Data dependencies macros */
538
539#define VAR_NUM_EX(op) VAR_NUM((op).var)
540
541#define VAR_SOURCE(op) Tsource[VAR_NUM(op.var)]
542#define SET_VAR_SOURCE(opline) Tsource[VAR_NUM(opline->result.var)] = opline
543
544#define VAR_UNSET(op) do { if (op ## _type & (IS_TMP_VAR|IS_VAR)) {VAR_SOURCE(op) = NULL;}} while (0)
545
546#define convert_to_string_safe(v) \
547    if (Z_TYPE_P((v)) == IS_NULL) { \
548        ZVAL_STRINGL((v), "", 0); \
549    } else { \
550        convert_to_string((v)); \
551    }
552
553static void strip_nop(zend_code_block *block, zend_optimizer_ctx *ctx)
554{
555    zend_op *opline = block->start_opline;
556    zend_op *end, *new_end;
557
558    /* remove leading NOPs */
559    while (block->len > 0 && block->start_opline->opcode == ZEND_NOP) {
560        if (block->len == 1) {
561            /* this block is all NOPs, join with following block */
562            if (block->follow_to) {
563                delete_code_block(block, ctx);
564            }
565            return;
566        }
567        block->start_opline++;
568        block->start_opline_no++;
569        block->len--;
570    }
571
572    /* strip the inside NOPs */
573    opline = new_end = block->start_opline;
574    end = opline + block->len;
575
576    while (opline < end) {
577        zend_op *src;
578        int len = 0;
579
580        while (opline < end && opline->opcode == ZEND_NOP) {
581            opline++;
582        }
583        src = opline;
584
585        while (opline < end && opline->opcode != ZEND_NOP) {
586            opline++;
587        }
588        len = opline - src;
589
590        /* move up non-NOP opcodes */
591        memmove(new_end, src, len*sizeof(zend_op));
592
593        new_end += len;
594    }
595    block->len = new_end - block->start_opline;
596}
597
598static void zend_optimize_block(zend_code_block *block, zend_op_array *op_array, char *used_ext, zend_cfg *cfg, zend_optimizer_ctx *ctx)
599{
600    zend_op *opline = block->start_opline;
601    zend_op *end, *last_op = NULL;
602    zend_op **Tsource = cfg->Tsource;
603
604    print_block(block, op_array->opcodes, "Opt ");
605
606    /* remove leading NOPs */
607    while (block->len > 0 && block->start_opline->opcode == ZEND_NOP) {
608        if (block->len == 1) {
609            /* this block is all NOPs, join with following block */
610            if (block->follow_to) {
611                delete_code_block(block, ctx);
612            }
613            return;
614        }
615        block->start_opline++;
616        block->start_opline_no++;
617        block->len--;
618    }
619
620    /* we track data dependencies only insight a single basic block */
621    memset(Tsource, 0, (op_array->last_var + op_array->T) * sizeof(zend_op *));
622    opline = block->start_opline;
623    end = opline + block->len;
624    while ((op_array->T) && (opline < end)) {
625        /* strip X = QM_ASSIGN(const) */
626        if ((ZEND_OP1_TYPE(opline) & (IS_TMP_VAR|IS_VAR)) &&
627            VAR_SOURCE(opline->op1) &&
628            VAR_SOURCE(opline->op1)->opcode == ZEND_QM_ASSIGN &&
629            ZEND_OP1_TYPE(VAR_SOURCE(opline->op1)) == IS_CONST &&
630            opline->opcode != ZEND_CASE &&         /* CASE _always_ expects variable */
631            opline->opcode != ZEND_FETCH_LIST &&
632            (opline->opcode != ZEND_FE_RESET_R || opline->opcode != ZEND_FE_RESET_RW) &&
633            opline->opcode != ZEND_FREE
634            ) {
635            zend_op *src = VAR_SOURCE(opline->op1);
636            zval c = ZEND_OP1_LITERAL(src);
637            VAR_UNSET(opline->op1);
638            zval_copy_ctor(&c);
639            zend_optimizer_update_op1_const(op_array, opline, &c);
640            literal_dtor(&ZEND_OP1_LITERAL(src));
641            MAKE_NOP(src);
642        }
643
644        /* T = QM_ASSIGN(C), F(T) => NOP, F(C) */
645        if ((ZEND_OP2_TYPE(opline) & (IS_TMP_VAR|IS_VAR)) &&
646            VAR_SOURCE(opline->op2) &&
647            VAR_SOURCE(opline->op2)->opcode == ZEND_QM_ASSIGN &&
648            ZEND_OP1_TYPE(VAR_SOURCE(opline->op2)) == IS_CONST) {
649            zend_op *src = VAR_SOURCE(opline->op2);
650            zval c = ZEND_OP1_LITERAL(src);
651            VAR_UNSET(opline->op2);
652            zval_copy_ctor(&c);
653            zend_optimizer_update_op2_const(op_array, opline, &c);
654            literal_dtor(&ZEND_OP1_LITERAL(src));
655            MAKE_NOP(src);
656        }
657
658        /* T = CAST(X, String), ECHO(T) => NOP, ECHO(X) */
659        if (opline->opcode == ZEND_ECHO &&
660            ZEND_OP1_TYPE(opline) & (IS_TMP_VAR|IS_VAR) &&
661            VAR_SOURCE(opline->op1) &&
662            VAR_SOURCE(opline->op1)->opcode == ZEND_CAST &&
663            VAR_SOURCE(opline->op1)->extended_value == IS_STRING) {
664            zend_op *src = VAR_SOURCE(opline->op1);
665            COPY_NODE(opline->op1, src->op1);
666            MAKE_NOP(src);
667        }
668
669       /* T = BOOL(X), FREE(T) => NOP */
670        if (opline->opcode == ZEND_FREE &&
671            ZEND_OP1_TYPE(opline) == IS_TMP_VAR &&
672            VAR_SOURCE(opline->op1)) {
673            zend_op *src = VAR_SOURCE(opline->op1);
674            if (src->opcode == ZEND_BOOL) {
675                if (ZEND_OP1_TYPE(src) == IS_CONST) {
676                    literal_dtor(&ZEND_OP1_LITERAL(src));
677                }
678                MAKE_NOP(src);
679                MAKE_NOP(opline);
680            }
681        }
682
683#if 0
684        /* pre-evaluate functions:
685           constant(x)
686           defined(x)
687           function_exists(x)
688           extension_loaded(x)
689           BAD: interacts badly with Accelerator
690        */
691        if((ZEND_OP1_TYPE(opline) & IS_VAR) &&
692           VAR_SOURCE(opline->op1) && VAR_SOURCE(opline->op1)->opcode == ZEND_DO_CF_FCALL &&
693           VAR_SOURCE(opline->op1)->extended_value == 1) {
694            zend_op *fcall = VAR_SOURCE(opline->op1);
695            zend_op *sv = fcall-1;
696            if(sv >= block->start_opline && sv->opcode == ZEND_SEND_VAL &&
697               ZEND_OP1_TYPE(sv) == IS_CONST && Z_TYPE(OPLINE_OP1_LITERAL(sv)) == IS_STRING &&
698               Z_LVAL(OPLINE_OP2_LITERAL(sv)) == 1
699               ) {
700                zval *arg = &OPLINE_OP1_LITERAL(sv);
701                char *fname = FUNCTION_CACHE->funcs[Z_LVAL(ZEND_OP1_LITERAL(fcall))].function_name;
702                int flen = FUNCTION_CACHE->funcs[Z_LVAL(ZEND_OP1_LITERAL(fcall))].name_len;
703                if(flen == sizeof("defined")-1 && zend_binary_strcasecmp(fname, flen, "defined", sizeof("defined")-1) == 0) {
704                    zval c;
705                    if(zend_optimizer_get_persistent_constant(Z_STR_P(arg), &c, 0 ELS_CC) != 0) {
706                        literal_dtor(arg);
707                        MAKE_NOP(sv);
708                        MAKE_NOP(fcall);
709                        LITERAL_BOOL(opline->op1, 1);
710                        ZEND_OP1_TYPE(opline) = IS_CONST;
711                    }
712                } else if((flen == sizeof("function_exists")-1 && zend_binary_strcasecmp(fname, flen, "function_exists", sizeof("function_exists")-1) == 0) ||
713                          (flen == sizeof("is_callable")-1 && zend_binary_strcasecmp(fname, flen, "is_callable", sizeof("is_callable")-1) == 0)
714                          ) {
715                    zend_function *function;
716                    if((function = zend_hash_find_ptr(EG(function_table), Z_STR_P(arg))) != NULL) {
717                        literal_dtor(arg);
718                        MAKE_NOP(sv);
719                        MAKE_NOP(fcall);
720                        LITERAL_BOOL(opline->op1, 1);
721                        ZEND_OP1_TYPE(opline) = IS_CONST;
722                    }
723                } else if(flen == sizeof("constant")-1 && zend_binary_strcasecmp(fname, flen, "constant", sizeof("constant")-1) == 0) {
724                    zval c;
725                    if(zend_optimizer_get_persistent_constant(Z_STR_P(arg), &c, 1 ELS_CC) != 0) {
726                        literal_dtor(arg);
727                        MAKE_NOP(sv);
728                        MAKE_NOP(fcall);
729                        ZEND_OP1_LITERAL(opline) = zend_optimizer_add_literal(op_array, &c);
730                        /* no copy ctor - get already copied it */
731                        ZEND_OP1_TYPE(opline) = IS_CONST;
732                    }
733                } else if(flen == sizeof("extension_loaded")-1 && zend_binary_strcasecmp(fname, flen, "extension_loaded", sizeof("extension_loaded")-1) == 0) {
734                    if(zend_hash_exists(&module_registry, Z_STR_P(arg))) {
735                        literal_dtor(arg);
736                        MAKE_NOP(sv);
737                        MAKE_NOP(fcall);
738                        LITERAL_BOOL(opline->op1, 1);
739                        ZEND_OP1_TYPE(opline) = IS_CONST;
740                    }
741                }
742            }
743        }
744#endif
745
746        /* IS_EQ(TRUE, X)      => BOOL(X)
747         * IS_EQ(FALSE, X)     => BOOL_NOT(X)
748         * IS_NOT_EQ(TRUE, X)  => BOOL_NOT(X)
749         * IS_NOT_EQ(FALSE, X) => BOOL(X)
750         * CASE(TRUE, X)       => BOOL(X)
751         * CASE(FALSE, X)      => BOOL_NOT(X)
752         */
753        if (opline->opcode == ZEND_IS_EQUAL ||
754            opline->opcode == ZEND_IS_NOT_EQUAL ||
755            opline->opcode == ZEND_CASE) {
756            if (ZEND_OP1_TYPE(opline) == IS_CONST &&
757// TODO: Optimization of comparison with null may be not safe ???
758#if 1
759                (Z_TYPE(ZEND_OP1_LITERAL(opline)) == IS_FALSE ||
760                 Z_TYPE(ZEND_OP1_LITERAL(opline)) == IS_TRUE)) {
761#else
762                 Z_TYPE(ZEND_OP1_LITERAL(opline)) <= IS_TRUE) {
763#endif
764                opline->opcode =
765                    ((opline->opcode != ZEND_IS_NOT_EQUAL) == ((Z_TYPE(ZEND_OP1_LITERAL(opline))) == IS_TRUE)) ?
766                    ZEND_BOOL : ZEND_BOOL_NOT;
767                COPY_NODE(opline->op1, opline->op2);
768                SET_UNUSED(opline->op2);
769            } else if (ZEND_OP2_TYPE(opline) == IS_CONST &&
770// TODO: Optimization of comparison with null may be not safe ???
771#if 1
772                       (Z_TYPE(ZEND_OP2_LITERAL(opline)) == IS_FALSE ||
773                        Z_TYPE(ZEND_OP2_LITERAL(opline)) == IS_TRUE)) {
774#else
775                        Z_TYPE(ZEND_OP2_LITERAL(opline)) <= IS_TRUE) {
776#endif
777                opline->opcode =
778                    ((opline->opcode != ZEND_IS_NOT_EQUAL) == ((Z_TYPE(ZEND_OP2_LITERAL(opline))) == IS_TRUE)) ?
779                    ZEND_BOOL : ZEND_BOOL_NOT;
780                SET_UNUSED(opline->op2);
781            }
782        }
783
784        if ((opline->opcode == ZEND_BOOL ||
785            opline->opcode == ZEND_BOOL_NOT ||
786            opline->opcode == ZEND_JMPZ ||
787            opline->opcode == ZEND_JMPNZ ||
788            opline->opcode == ZEND_JMPZNZ) &&
789            ZEND_OP1_TYPE(opline) == IS_TMP_VAR &&
790            VAR_SOURCE(opline->op1) != NULL &&
791            !used_ext[VAR_NUM(ZEND_OP1(opline).var)] &&
792            VAR_SOURCE(opline->op1)->opcode == ZEND_BOOL_NOT) {
793            /* T = BOOL_NOT(X) + JMPZ(T) -> NOP, JMPNZ(X) */
794            zend_op *src = VAR_SOURCE(opline->op1);
795
796            COPY_NODE(opline->op1, src->op1);
797
798            switch (opline->opcode) {
799                case ZEND_BOOL:
800                    /* T = BOOL_NOT(X) + BOOL(T) -> NOP, BOOL_NOT(X) */
801                    opline->opcode = ZEND_BOOL_NOT;
802                    break;
803                case ZEND_BOOL_NOT:
804                    /* T = BOOL_NOT(X) + BOOL_BOOL(T) -> NOP, BOOL(X) */
805                    opline->opcode = ZEND_BOOL;
806                    break;
807                case ZEND_JMPZ:
808                    /* T = BOOL_NOT(X) + JMPZ(T,L) -> NOP, JMPNZ(X,L) */
809                    opline->opcode = ZEND_JMPNZ;
810                    break;
811                case ZEND_JMPNZ:
812                    /* T = BOOL_NOT(X) + JMPNZ(T,L) -> NOP, JMPZ(X,L) */
813                    opline->opcode = ZEND_JMPZ;
814                    break;
815                case ZEND_JMPZNZ:
816                {
817                    /* T = BOOL_NOT(X) + JMPZNZ(T,L1,L2) -> NOP, JMPZNZ(X,L2,L1) */
818                    int op_t;
819                    zend_code_block *op_b;
820
821                    op_t = opline->extended_value;
822                    opline->extended_value = ZEND_OP2(opline).opline_num;
823                    ZEND_OP2(opline).opline_num = op_t;
824
825                    op_b = block->ext_to;
826                    block->ext_to = block->op2_to;
827                    block->op2_to = op_b;
828                }
829                break;
830            }
831
832            VAR_UNSET(opline->op1);
833            MAKE_NOP(src);
834            continue;
835        } else
836#if 0
837        /* T = BOOL_NOT(X) + T = JMPZ_EX(T, X) -> T = BOOL_NOT(X), JMPNZ(X) */
838        if(0 && (opline->opcode == ZEND_JMPZ_EX ||
839            opline->opcode == ZEND_JMPNZ_EX) &&
840           ZEND_OP1_TYPE(opline) == IS_TMP_VAR &&
841           VAR_SOURCE(opline->op1) != NULL &&
842           VAR_SOURCE(opline->op1)->opcode == ZEND_BOOL_NOT &&
843           ZEND_OP1(opline).var == ZEND_RESULT(opline).var
844           ) {
845            zend_op *src = VAR_SOURCE(opline->op1);
846            if(opline->opcode == ZEND_JMPZ_EX) {
847                opline->opcode = ZEND_JMPNZ;
848            } else {
849                opline->opcode = ZEND_JMPZ;
850            }
851            COPY_NODE(opline->op1, src->op1);
852            SET_UNUSED(opline->result);
853            continue;
854        } else
855#endif
856        /* T = BOOL(X) + JMPZ(T) -> NOP, JMPZ(X) */
857        if ((opline->opcode == ZEND_BOOL ||
858            opline->opcode == ZEND_BOOL_NOT ||
859            opline->opcode == ZEND_JMPZ ||
860            opline->opcode == ZEND_JMPZ_EX ||
861            opline->opcode == ZEND_JMPNZ_EX ||
862            opline->opcode == ZEND_JMPNZ ||
863            opline->opcode == ZEND_JMPZNZ) &&
864            (ZEND_OP1_TYPE(opline) & (IS_TMP_VAR|IS_VAR)) &&
865            VAR_SOURCE(opline->op1) != NULL &&
866            (!used_ext[VAR_NUM(ZEND_OP1(opline).var)] ||
867            ((ZEND_RESULT_TYPE(opline) & (IS_TMP_VAR|IS_VAR)) &&
868             ZEND_RESULT(opline).var == ZEND_OP1(opline).var)) &&
869            (VAR_SOURCE(opline->op1)->opcode == ZEND_BOOL ||
870            VAR_SOURCE(opline->op1)->opcode == ZEND_QM_ASSIGN)) {
871            zend_op *src = VAR_SOURCE(opline->op1);
872            COPY_NODE(opline->op1, src->op1);
873
874            VAR_UNSET(opline->op1);
875            MAKE_NOP(src);
876            continue;
877        } else if (last_op && opline->opcode == ZEND_ECHO &&
878                  last_op->opcode == ZEND_ECHO &&
879                  ZEND_OP1_TYPE(opline) == IS_CONST &&
880                  Z_TYPE(ZEND_OP1_LITERAL(opline)) != IS_DOUBLE &&
881                  ZEND_OP1_TYPE(last_op) == IS_CONST &&
882                  Z_TYPE(ZEND_OP1_LITERAL(last_op)) != IS_DOUBLE) {
883            /* compress consecutive ECHO's.
884             * Float to string conversion may be affected by current
885             * locale setting.
886             */
887            int l, old_len;
888
889            if (Z_TYPE(ZEND_OP1_LITERAL(opline)) != IS_STRING) {
890                convert_to_string_safe(&ZEND_OP1_LITERAL(opline));
891            }
892            if (Z_TYPE(ZEND_OP1_LITERAL(last_op)) != IS_STRING) {
893                convert_to_string_safe(&ZEND_OP1_LITERAL(last_op));
894            }
895            old_len = Z_STRLEN(ZEND_OP1_LITERAL(last_op));
896            l = old_len + Z_STRLEN(ZEND_OP1_LITERAL(opline));
897            if (!Z_REFCOUNTED(ZEND_OP1_LITERAL(last_op))) {
898                zend_string *tmp = zend_string_alloc(l, 0);
899                memcpy(tmp->val, Z_STRVAL(ZEND_OP1_LITERAL(last_op)), old_len);
900                Z_STR(ZEND_OP1_LITERAL(last_op)) = tmp;
901            } else {
902                Z_STR(ZEND_OP1_LITERAL(last_op)) = zend_string_extend(Z_STR(ZEND_OP1_LITERAL(last_op)), l, 0);
903            }
904            Z_TYPE_INFO(ZEND_OP1_LITERAL(last_op)) = IS_STRING_EX;
905            memcpy(Z_STRVAL(ZEND_OP1_LITERAL(last_op)) + old_len, Z_STRVAL(ZEND_OP1_LITERAL(opline)), Z_STRLEN(ZEND_OP1_LITERAL(opline)));
906            Z_STRVAL(ZEND_OP1_LITERAL(last_op))[l] = '\0';
907            zval_dtor(&ZEND_OP1_LITERAL(opline));
908            Z_STR(ZEND_OP1_LITERAL(opline)) = zend_new_interned_string(Z_STR(ZEND_OP1_LITERAL(last_op)));
909            if (!Z_REFCOUNTED(ZEND_OP1_LITERAL(opline))) {
910                Z_TYPE_FLAGS(ZEND_OP1_LITERAL(opline)) &= ~ (IS_TYPE_REFCOUNTED | IS_TYPE_COPYABLE);
911            }
912            ZVAL_NULL(&ZEND_OP1_LITERAL(last_op));
913            MAKE_NOP(last_op);
914        } else if ((opline->opcode == ZEND_CONCAT) &&
915                  ZEND_OP2_TYPE(opline) == IS_CONST &&
916                  ZEND_OP1_TYPE(opline) == IS_TMP_VAR &&
917                  VAR_SOURCE(opline->op1) &&
918                  (VAR_SOURCE(opline->op1)->opcode == ZEND_CONCAT ||
919                   VAR_SOURCE(opline->op1)->opcode == ZEND_FAST_CONCAT) &&
920                  ZEND_OP2_TYPE(VAR_SOURCE(opline->op1)) == IS_CONST &&
921                  ZEND_RESULT(VAR_SOURCE(opline->op1)).var == ZEND_OP1(opline).var) {
922            /* compress consecutive CONCAT/ADD_STRING/ADD_CHARs */
923            zend_op *src = VAR_SOURCE(opline->op1);
924            int l, old_len;
925
926            if (Z_TYPE(ZEND_OP2_LITERAL(opline)) != IS_STRING) {
927                convert_to_string_safe(&ZEND_OP2_LITERAL(opline));
928            }
929            if (Z_TYPE(ZEND_OP2_LITERAL(src)) != IS_STRING) {
930                convert_to_string_safe(&ZEND_OP2_LITERAL(src));
931            }
932
933            VAR_UNSET(opline->op1);
934            COPY_NODE(opline->op1, src->op1);
935            old_len = Z_STRLEN(ZEND_OP2_LITERAL(src));
936            l = old_len + Z_STRLEN(ZEND_OP2_LITERAL(opline));
937            if (!Z_REFCOUNTED(ZEND_OP2_LITERAL(src))) {
938                zend_string *tmp = zend_string_alloc(l, 0);
939                memcpy(tmp->val, Z_STRVAL(ZEND_OP2_LITERAL(src)), old_len);
940                Z_STR(ZEND_OP2_LITERAL(last_op)) = tmp;
941            } else {
942                Z_STR(ZEND_OP2_LITERAL(src)) = zend_string_extend(Z_STR(ZEND_OP2_LITERAL(src)), l, 0);
943            }
944            Z_TYPE_INFO(ZEND_OP2_LITERAL(last_op)) = IS_STRING_EX;
945            memcpy(Z_STRVAL(ZEND_OP2_LITERAL(src)) + old_len, Z_STRVAL(ZEND_OP2_LITERAL(opline)), Z_STRLEN(ZEND_OP2_LITERAL(opline)));
946            Z_STRVAL(ZEND_OP2_LITERAL(src))[l] = '\0';
947            zend_string_release(Z_STR(ZEND_OP2_LITERAL(opline)));
948            Z_STR(ZEND_OP2_LITERAL(opline)) = zend_new_interned_string(Z_STR(ZEND_OP2_LITERAL(src)));
949            if (!Z_REFCOUNTED(ZEND_OP2_LITERAL(opline))) {
950                Z_TYPE_FLAGS(ZEND_OP2_LITERAL(opline)) &= ~ (IS_TYPE_REFCOUNTED | IS_TYPE_COPYABLE);
951            }
952            ZVAL_NULL(&ZEND_OP2_LITERAL(src));
953            MAKE_NOP(src);
954        } else if ((opline->opcode == ZEND_ADD ||
955                    opline->opcode == ZEND_SUB ||
956                    opline->opcode == ZEND_MUL ||
957                    opline->opcode == ZEND_DIV ||
958                    opline->opcode == ZEND_MOD ||
959                    opline->opcode == ZEND_SL ||
960                    opline->opcode == ZEND_SR ||
961                    opline->opcode == ZEND_CONCAT ||
962                    opline->opcode == ZEND_FAST_CONCAT ||
963                    opline->opcode == ZEND_IS_EQUAL ||
964                    opline->opcode == ZEND_IS_NOT_EQUAL ||
965                    opline->opcode == ZEND_IS_SMALLER ||
966                    opline->opcode == ZEND_IS_SMALLER_OR_EQUAL ||
967                    opline->opcode == ZEND_IS_IDENTICAL ||
968                    opline->opcode == ZEND_IS_NOT_IDENTICAL ||
969                    opline->opcode == ZEND_BOOL_XOR ||
970                    opline->opcode == ZEND_BW_OR ||
971                    opline->opcode == ZEND_BW_AND ||
972                    opline->opcode == ZEND_BW_XOR) &&
973                    ZEND_OP1_TYPE(opline)==IS_CONST &&
974                    ZEND_OP2_TYPE(opline)==IS_CONST) {
975            /* evaluate constant expressions */
976            binary_op_type binary_op = get_binary_op(opline->opcode);
977            zval result;
978            int er;
979
980            if ((opline->opcode == ZEND_DIV || opline->opcode == ZEND_MOD) &&
981                ((Z_TYPE(ZEND_OP2_LITERAL(opline)) == IS_LONG &&
982                  Z_LVAL(ZEND_OP2_LITERAL(opline)) == 0) ||
983                 (Z_TYPE(ZEND_OP2_LITERAL(opline)) == IS_DOUBLE &&
984                  Z_DVAL(ZEND_OP2_LITERAL(opline)) == 0.0))) {
985                if (RESULT_USED(opline)) {
986                    SET_VAR_SOURCE(opline);
987                }
988                opline++;
989                continue;
990            }
991            er = EG(error_reporting);
992            EG(error_reporting) = 0;
993            if (binary_op(&result, &ZEND_OP1_LITERAL(opline), &ZEND_OP2_LITERAL(opline)) == SUCCESS) {
994                literal_dtor(&ZEND_OP1_LITERAL(opline));
995                literal_dtor(&ZEND_OP2_LITERAL(opline));
996                opline->opcode = ZEND_QM_ASSIGN;
997                SET_UNUSED(opline->op2);
998                zend_optimizer_update_op1_const(op_array, opline, &result);
999            }
1000            EG(error_reporting) = er;
1001        } else if ((opline->opcode == ZEND_BOOL ||
1002                    opline->opcode == ZEND_BOOL_NOT ||
1003                    opline->opcode == ZEND_BW_NOT) && ZEND_OP1_TYPE(opline) == IS_CONST) {
1004            /* evaluate constant unary ops */
1005            unary_op_type unary_op = get_unary_op(opline->opcode);
1006            zval result;
1007
1008            if (unary_op) {
1009                unary_op(&result, &ZEND_OP1_LITERAL(opline));
1010                literal_dtor(&ZEND_OP1_LITERAL(opline));
1011            } else {
1012                /* BOOL */
1013                result = ZEND_OP1_LITERAL(opline);
1014                convert_to_boolean(&result);
1015                ZVAL_NULL(&ZEND_OP1_LITERAL(opline));
1016            }
1017            opline->opcode = ZEND_QM_ASSIGN;
1018            zend_optimizer_update_op1_const(op_array, opline, &result);
1019        } else if ((opline->opcode == ZEND_RETURN || opline->opcode == ZEND_EXIT) &&
1020                    (ZEND_OP1_TYPE(opline) & (IS_TMP_VAR|IS_VAR)) &&
1021                    VAR_SOURCE(opline->op1) &&
1022                    VAR_SOURCE(opline->op1)->opcode == ZEND_QM_ASSIGN) {
1023            /* T = QM_ASSIGN(X), RETURN(T) to RETURN(X) */
1024            zend_op *src = VAR_SOURCE(opline->op1);
1025            VAR_UNSET(opline->op1);
1026            COPY_NODE(opline->op1, src->op1);
1027            MAKE_NOP(src);
1028        } else if (opline->opcode == ZEND_CONCAT || opline->opcode == ZEND_FAST_CONCAT) {
1029            if ((ZEND_OP1_TYPE(opline) & (IS_TMP_VAR|IS_VAR)) &&
1030                VAR_SOURCE(opline->op1) &&
1031                VAR_SOURCE(opline->op1)->opcode == ZEND_CAST &&
1032                VAR_SOURCE(opline->op1)->extended_value == IS_STRING) {
1033                /* convert T1 = CAST(STRING, X), T2 = CONCAT(T1, Y) to T2 = CONCAT(X,Y) */
1034                zend_op *src = VAR_SOURCE(opline->op1);
1035                VAR_UNSET(opline->op1);
1036                COPY_NODE(opline->op1, src->op1);
1037                MAKE_NOP(src);
1038            }
1039            if ((ZEND_OP2_TYPE(opline) & (IS_TMP_VAR|IS_VAR)) &&
1040                VAR_SOURCE(opline->op2) &&
1041                VAR_SOURCE(opline->op2)->opcode == ZEND_CAST &&
1042                VAR_SOURCE(opline->op2)->extended_value == IS_STRING) {
1043                /* convert T1 = CAST(STRING, X), T2 = CONCAT(Y, T1) to T2 = CONCAT(Y,X) */
1044                zend_op *src = VAR_SOURCE(opline->op2);
1045                VAR_UNSET(opline->op2);
1046                COPY_NODE(opline->op2, src->op1);
1047                MAKE_NOP(src);
1048            }
1049            if (ZEND_OP1_TYPE(opline) == IS_CONST &&
1050                Z_TYPE(ZEND_OP1_LITERAL(opline)) == IS_STRING &&
1051                Z_STRLEN(ZEND_OP1_LITERAL(opline)) == 0) {
1052                /* convert CONCAT('', X) => CAST(STRING, X) */
1053                literal_dtor(&ZEND_OP1_LITERAL(opline));
1054                opline->opcode = ZEND_CAST;
1055                opline->extended_value = IS_STRING;
1056                COPY_NODE(opline->op1, opline->op2);
1057                opline->op2_type = IS_UNUSED;
1058                opline->op2.var = 0;
1059            } else if (ZEND_OP2_TYPE(opline) == IS_CONST &&
1060                       Z_TYPE(ZEND_OP2_LITERAL(opline)) == IS_STRING &&
1061                       Z_STRLEN(ZEND_OP2_LITERAL(opline)) == 0) {
1062                /* convert CONCAT(X, '') => CAST(STRING, X) */
1063                literal_dtor(&ZEND_OP2_LITERAL(opline));
1064                opline->opcode = ZEND_CAST;
1065                opline->extended_value = IS_STRING;
1066                opline->op2_type = IS_UNUSED;
1067                opline->op2.var = 0;
1068            } else if (opline->opcode == ZEND_CONCAT &&
1069                       (opline->op1_type == IS_CONST ||
1070                        (opline->op1_type == IS_TMP_VAR &&
1071                         VAR_SOURCE(opline->op1) &&
1072                         (VAR_SOURCE(opline->op1)->opcode == ZEND_FAST_CONCAT ||
1073                          VAR_SOURCE(opline->op1)->opcode == ZEND_ROPE_END ||
1074                          VAR_SOURCE(opline->op1)->opcode == ZEND_FETCH_CONSTANT))) &&
1075                       (opline->op2_type == IS_CONST ||
1076                        (opline->op2_type == IS_TMP_VAR &&
1077                         VAR_SOURCE(opline->op2) &&
1078                         (VAR_SOURCE(opline->op2)->opcode == ZEND_FAST_CONCAT ||
1079                          VAR_SOURCE(opline->op2)->opcode == ZEND_ROPE_END ||
1080                          VAR_SOURCE(opline->op2)->opcode == ZEND_FETCH_CONSTANT)))) {
1081                opline->opcode = ZEND_FAST_CONCAT;
1082            }
1083        } else if (opline->opcode == ZEND_QM_ASSIGN &&
1084                    ZEND_OP1_TYPE(opline) == ZEND_RESULT_TYPE(opline) &&
1085                    ZEND_OP1(opline).var == ZEND_RESULT(opline).var) {
1086            /* strip T = QM_ASSIGN(T) */
1087            MAKE_NOP(opline);
1088        } else if (opline->opcode == ZEND_BOOL &&
1089                    ZEND_OP1_TYPE(opline) == IS_TMP_VAR &&
1090                    VAR_SOURCE(opline->op1) &&
1091                    (VAR_SOURCE(opline->op1)->opcode == ZEND_IS_EQUAL ||
1092                    VAR_SOURCE(opline->op1)->opcode == ZEND_IS_NOT_EQUAL ||
1093                    VAR_SOURCE(opline->op1)->opcode == ZEND_IS_SMALLER ||
1094                    VAR_SOURCE(opline->op1)->opcode == ZEND_IS_SMALLER_OR_EQUAL ||
1095                    VAR_SOURCE(opline->op1)->opcode == ZEND_BOOL ||
1096                    VAR_SOURCE(opline->op1)->opcode == ZEND_IS_IDENTICAL ||
1097                    VAR_SOURCE(opline->op1)->opcode == ZEND_IS_NOT_IDENTICAL ||
1098                    VAR_SOURCE(opline->op1)->opcode == ZEND_ISSET_ISEMPTY_VAR ||
1099                    VAR_SOURCE(opline->op1)->opcode == ZEND_ISSET_ISEMPTY_DIM_OBJ) &&
1100                    !used_ext[VAR_NUM(ZEND_OP1(opline).var)]) {
1101            /* T = IS_SMALLER(X, Y), T1 = BOOL(T) => T = IS_SMALLER(X, Y), T1 = QM_ASSIGN(T) */
1102            zend_op *src = VAR_SOURCE(opline->op1);
1103            COPY_NODE(src->result, opline->result);
1104            SET_VAR_SOURCE(src);
1105            MAKE_NOP(opline);
1106        }
1107        /* get variable source */
1108        if (RESULT_USED(opline)) {
1109            SET_VAR_SOURCE(opline);
1110        }
1111        if (opline->opcode != ZEND_NOP) {
1112            last_op = opline;
1113        }
1114        opline++;
1115    }
1116
1117    strip_nop(block, ctx);
1118}
1119
1120/* Rebuild plain (optimized) op_array from CFG */
1121static void assemble_code_blocks(zend_cfg *cfg, zend_op_array *op_array)
1122{
1123    zend_code_block *blocks = cfg->blocks;
1124    zend_op *new_opcodes = emalloc(op_array->last * sizeof(zend_op));
1125    zend_op *opline = new_opcodes;
1126    zend_code_block *cur_block = blocks;
1127
1128    /* Copy code of reachable blocks into a single buffer */
1129    while (cur_block) {
1130        if (cur_block->access) {
1131            memcpy(opline, cur_block->start_opline, cur_block->len * sizeof(zend_op));
1132            cur_block->start_opline = opline;
1133            opline += cur_block->len;
1134            if ((opline - 1)->opcode == ZEND_JMP) {
1135                zend_code_block *next;
1136                next = cur_block->next;
1137                while (next && !next->access) {
1138                    next = next->next;
1139                }
1140                if (next && next == cur_block->op1_to) {
1141                    /* JMP to the next block - strip it */
1142                    cur_block->follow_to = cur_block->op1_to;
1143                    cur_block->op1_to = NULL;
1144                    MAKE_NOP((opline - 1));
1145                    opline--;
1146                    cur_block->len--;
1147                }
1148            }
1149        } else {
1150            /* this block will not be used, delete all constants there */
1151            zend_op *_opl;
1152            zend_op *end = cur_block->start_opline + cur_block->len;
1153            for (_opl = cur_block->start_opline; _opl && _opl < end; _opl++) {
1154                if (ZEND_OP1_TYPE(_opl) == IS_CONST) {
1155                    literal_dtor(&ZEND_OP1_LITERAL(_opl));
1156                }
1157                if (ZEND_OP2_TYPE(_opl) == IS_CONST) {
1158                    literal_dtor(&ZEND_OP2_LITERAL(_opl));
1159                }
1160            }
1161        }
1162        cur_block = cur_block->next;
1163    }
1164
1165    if ((opline-1)->opcode == ZEND_THROW) {
1166        /* if we finished with THROW, we need to add space between THROW and HANDLE to not confuse
1167           zend_throw_internal */
1168        MAKE_NOP(opline);
1169        opline->lineno = opline[-1].lineno;
1170        opline++;
1171    }
1172
1173    op_array->last = opline-new_opcodes;
1174
1175    /* adjust exception jump targets */
1176    if (op_array->last_try_catch) {
1177        int i, j;
1178        for (i = 0, j = 0; i< op_array->last_try_catch; i++) {
1179            if (cfg->try[i]->access) {
1180                op_array->try_catch_array[j].try_op = cfg->try[i]->start_opline - new_opcodes;
1181                op_array->try_catch_array[j].catch_op = cfg->catch[i]->start_opline - new_opcodes;
1182                j++;
1183            }
1184        }
1185        op_array->last_try_catch = j;
1186    }
1187
1188    /* adjust loop jump targets */
1189    if (op_array->last_brk_cont) {
1190        int i;
1191        for (i = 0; i< op_array->last_brk_cont; i++) {
1192            op_array->brk_cont_array[i].start = cfg->loop_start[i]->start_opline - new_opcodes;
1193            op_array->brk_cont_array[i].cont = cfg->loop_cont[i]->start_opline - new_opcodes;
1194            op_array->brk_cont_array[i].brk = cfg->loop_brk[i]->start_opline - new_opcodes;
1195        }
1196    }
1197
1198    /* adjust jump targets */
1199    for (cur_block = blocks; cur_block; cur_block = cur_block->next) {
1200        if (!cur_block->access) {
1201            continue;
1202        }
1203        opline = cur_block->start_opline + cur_block->len - 1;
1204        if (opline->opcode == ZEND_OP_DATA) {
1205            opline--;
1206        }
1207        if (cur_block->op1_to) {
1208            ZEND_OP1(opline).opline_num = cur_block->op1_to->start_opline - new_opcodes;
1209        }
1210        if (cur_block->op2_to) {
1211            ZEND_OP2(opline).opline_num = cur_block->op2_to->start_opline - new_opcodes;
1212        }
1213        if (cur_block->ext_to) {
1214            opline->extended_value = cur_block->ext_to->start_opline - new_opcodes;
1215        }
1216        print_block(cur_block, new_opcodes, "Out ");
1217    }
1218    efree(op_array->opcodes);
1219    op_array->opcodes = erealloc(new_opcodes, op_array->last * sizeof(zend_op));
1220
1221    /* adjust early binding list */
1222    if (op_array->early_binding != (uint32_t)-1) {
1223        uint32_t *opline_num = &op_array->early_binding;
1224        zend_op *end;
1225
1226        opline = op_array->opcodes;
1227        end = opline + op_array->last;
1228        while (opline < end) {
1229            if (opline->opcode == ZEND_DECLARE_INHERITED_CLASS_DELAYED) {
1230                *opline_num = opline - op_array->opcodes;
1231                opline_num = &ZEND_RESULT(opline).opline_num;
1232            }
1233            ++opline;
1234        }
1235        *opline_num = -1;
1236    }
1237}
1238
1239static void zend_jmp_optimization(zend_code_block *block, zend_op_array *op_array, zend_code_block *blocks, zend_cfg *cfg, zend_optimizer_ctx *ctx)
1240{
1241    /* last_op is the last opcode of the current block */
1242    zend_op *last_op = (block->start_opline + block->len - 1);
1243
1244    if (!block->len) {
1245        return;
1246    }
1247    switch (last_op->opcode) {
1248        case ZEND_JMP:
1249            {
1250                zend_op *target = block->op1_to->start_opline;
1251                zend_code_block *next = block->next;
1252
1253                while (next && !next->access) {
1254                    /* find used one */
1255                    next = next->next;
1256                }
1257
1258                /* JMP(next) -> NOP */
1259                if (block->op1_to == next) {
1260                    block->follow_to = block->op1_to;
1261                    block->op1_to = NULL;
1262                    MAKE_NOP(last_op);
1263                    block->len--;
1264                    if (block->len == 0) {
1265                        /* this block is nothing but NOP now */
1266                        delete_code_block(block, ctx);
1267                    }
1268                    break;
1269                }
1270
1271                if (((target->opcode == ZEND_JMP &&
1272                    block->op1_to != block->op1_to->op1_to) ||
1273                    target->opcode == ZEND_JMPZNZ) &&
1274                    !block->op1_to->protected) {
1275                    /* JMP L, L: JMP L1 -> JMP L1 */
1276                    /* JMP L, L: JMPZNZ L1,L2 -> JMPZNZ L1,L2 */
1277                    *last_op = *target;
1278                    if (ZEND_OP1_TYPE(last_op) == IS_CONST) {
1279                        zval zv = ZEND_OP1_LITERAL(last_op);
1280                        zval_copy_ctor(&zv);
1281                        last_op->op1.constant = zend_optimizer_add_literal(op_array, &zv);
1282                    }
1283                    del_source(block, block->op1_to);
1284                    if (block->op1_to->op2_to) {
1285                        block->op2_to = block->op1_to->op2_to;
1286                        ADD_SOURCE(block, block->op2_to);
1287                    }
1288                    if (block->op1_to->ext_to) {
1289                        block->ext_to = block->op1_to->ext_to;
1290                        ADD_SOURCE(block, block->ext_to);
1291                    }
1292                    if (block->op1_to->op1_to) {
1293                        block->op1_to = block->op1_to->op1_to;
1294                        ADD_SOURCE(block, block->op1_to);
1295                    } else {
1296                        block->op1_to = NULL;
1297                    }
1298                } else if (target->opcode == ZEND_RETURN ||
1299                          target->opcode == ZEND_RETURN_BY_REF ||
1300                          target->opcode == ZEND_FAST_RET ||
1301                          target->opcode == ZEND_EXIT) {
1302                    /* JMP L, L: RETURN to immediate RETURN */
1303                    *last_op = *target;
1304                    if (ZEND_OP1_TYPE(last_op) == IS_CONST) {
1305                        zval zv = ZEND_OP1_LITERAL(last_op);
1306                        zval_copy_ctor(&zv);
1307                        last_op->op1.constant = zend_optimizer_add_literal(op_array, &zv);
1308                    }
1309                    del_source(block, block->op1_to);
1310                    block->op1_to = NULL;
1311#if 0
1312                /* Temporarily disabled - see bug #0025274 */
1313                } else if (0&& block->op1_to != block &&
1314                       block->op1_to != blocks &&
1315                           op_array->last_try_catch == 0 &&
1316                           target->opcode != ZEND_FREE) {
1317                    /* Block Reordering (saves one JMP on each "for" loop iteration)
1318                     * It is disabled for some cases (ZEND_FREE)
1319                     * which may break register allocation.
1320                     */
1321                    zend_bool can_reorder = 0;
1322                    zend_block_source *cs = block->op1_to->sources;
1323
1324                    /* the "target" block doesn't had any followed block */
1325                    while(cs) {
1326                        if (cs->from->follow_to == block->op1_to) {
1327                            can_reorder = 0;
1328                            break;
1329                        }
1330                        cs = cs->next;
1331                    }
1332                    if (can_reorder) {
1333                        next = block->op1_to;
1334                        /* the "target" block is not followed by current "block" */
1335                        while (next->follow_to != NULL) {
1336                            if (next->follow_to == block) {
1337                                can_reorder = 0;
1338                                break;
1339                            }
1340                            next = next->follow_to;
1341                        }
1342                        if (can_reorder) {
1343                            zend_code_block *prev = blocks;
1344
1345                            while (prev->next != block->op1_to) {
1346                                prev = prev->next;
1347                            }
1348                            prev->next = next->next;
1349                            next->next = block->next;
1350                            block->next = block->op1_to;
1351
1352                            block->follow_to = block->op1_to;
1353                            block->op1_to = NULL;
1354                            MAKE_NOP(last_op);
1355                            block->len--;
1356                            if(block->len == 0) {
1357                                /* this block is nothing but NOP now */
1358                                delete_code_block(block, ctx);
1359                            }
1360                            break;
1361                        }
1362                    }
1363#endif
1364                }
1365            }
1366            break;
1367
1368        case ZEND_JMPZ:
1369        case ZEND_JMPNZ:
1370            /* constant conditional JMPs */
1371            if (ZEND_OP1_TYPE(last_op) == IS_CONST) {
1372                int should_jmp = zend_is_true(&ZEND_OP1_LITERAL(last_op));
1373
1374                if (last_op->opcode == ZEND_JMPZ) {
1375                    should_jmp = !should_jmp;
1376                }
1377                literal_dtor(&ZEND_OP1_LITERAL(last_op));
1378                ZEND_OP1_TYPE(last_op) = IS_UNUSED;
1379                if (should_jmp) {
1380                    /* JMPNZ(true) -> JMP */
1381                    last_op->opcode = ZEND_JMP;
1382                    COPY_NODE(last_op->op1, last_op->op2);
1383                    block->op1_to = block->op2_to;
1384                    del_source(block, block->follow_to);
1385                    block->op2_to = NULL;
1386                    block->follow_to = NULL;
1387                } else {
1388                    /* JMPNZ(false) -> NOP */
1389                    MAKE_NOP(last_op);
1390                    del_source(block, block->op2_to);
1391                    block->op2_to = NULL;
1392                }
1393                break;
1394            }
1395
1396            if (block->op2_to) {
1397                zend_uchar same_type = ZEND_OP1_TYPE(last_op);
1398                uint32_t same_var = VAR_NUM_EX(last_op->op1);
1399                zend_op *target;
1400                zend_op *target_end;
1401                zend_code_block *target_block = block->op2_to;;
1402
1403next_target:
1404                target = target_block->start_opline;
1405                target_end = target_block->start_opline + target_block->len;
1406                while (target < target_end && target->opcode == ZEND_NOP) {
1407                    target++;
1408                }
1409
1410                /* next block is only NOP's */
1411                if (target == target_end) {
1412                    target_block = target_block->follow_to;
1413                    goto next_target;
1414                } else if (target->opcode == INV_COND(last_op->opcode) &&
1415                    /* JMPZ(X, L), L: JMPNZ(X, L2) -> JMPZ(X, L+1) */
1416                   (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1417                   same_type == ZEND_OP1_TYPE(target) &&
1418                   same_var == VAR_NUM_EX(target->op1) &&
1419                   target_block->follow_to &&
1420                   !target_block->protected
1421                   ) {
1422                    del_source(block, block->op2_to);
1423                    block->op2_to = target_block->follow_to;
1424                    ADD_SOURCE(block, block->op2_to);
1425                } else if (target->opcode == INV_COND_EX(last_op->opcode) &&
1426                            (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1427                            same_type == ZEND_OP1_TYPE(target) &&
1428                            same_var == VAR_NUM_EX(target->op1) &&
1429                            target_block->follow_to &&
1430                            !target_block->protected) {
1431                    /* JMPZ(X, L), L: X = JMPNZ_EX(X, L2) -> JMPZ(X, L+1) */
1432                    last_op->opcode += 3;
1433                    last_op->result = target->result;
1434                    del_source(block, block->op2_to);
1435                    block->op2_to = target_block->follow_to;
1436                    ADD_SOURCE(block, block->op2_to);
1437                } else if (target_block->op2_to &&
1438                           target->opcode == last_op->opcode &&
1439                           (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1440                           same_type == ZEND_OP1_TYPE(target) &&
1441                           same_var == VAR_NUM_EX(target->op1) &&
1442                           !target_block->protected) {
1443                    /* JMPZ(X, L), L: JMPZ(X, L2) -> JMPZ(X, L2) */
1444                    del_source(block, block->op2_to);
1445                    block->op2_to = target_block->op2_to;
1446                    ADD_SOURCE(block, block->op2_to);
1447                } else if (target_block->op1_to &&
1448                            target->opcode == ZEND_JMP &&
1449                            !target_block->protected) {
1450                    /* JMPZ(X, L), L: JMP(L2) -> JMPZ(X, L2) */
1451                    del_source(block, block->op2_to);
1452                    block->op2_to = target_block->op1_to;
1453                    ADD_SOURCE(block, block->op2_to);
1454                } else if (target_block->op2_to &&
1455                            target_block->ext_to &&
1456                            target->opcode == ZEND_JMPZNZ &&
1457                            (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1458                            same_type == ZEND_OP1_TYPE(target) &&
1459                            same_var == VAR_NUM_EX(target->op1) &&
1460                            !target_block->protected) {
1461                    /* JMPZ(X, L), L: JMPZNZ(X, L2, L3) -> JMPZ(X, L2) */
1462                    del_source(block, block->op2_to);
1463                    if (last_op->opcode == ZEND_JMPZ) {
1464                        block->op2_to = target_block->op2_to;
1465                    } else {
1466                        block->op2_to = target_block->ext_to;
1467                    }
1468                    ADD_SOURCE(block, block->op2_to);
1469                }
1470            }
1471
1472            if (block->follow_to &&
1473                (last_op->opcode == ZEND_JMPZ || last_op->opcode == ZEND_JMPNZ)) {
1474                zend_op *target;
1475                zend_op *target_end;
1476
1477                while (1) {
1478                    target = block->follow_to->start_opline;
1479                    target_end = block->follow_to->start_opline + block->follow_to->len;
1480                    while (target < target_end && target->opcode == ZEND_NOP) {
1481                        target++;
1482                    }
1483
1484                    /* next block is only NOP's */
1485                    if (target == target_end && ! block->follow_to->protected) {
1486                        del_source(block, block->follow_to);
1487                        block->follow_to = block->follow_to->follow_to;
1488                        ADD_SOURCE(block, block->follow_to);
1489                    } else {
1490                        break;
1491                    }
1492                }
1493                /* JMPZ(X,L1), JMP(L2) -> JMPZNZ(X,L1,L2) */
1494                if (target->opcode == ZEND_JMP &&
1495                    block->follow_to->op1_to &&
1496                    !block->follow_to->protected) {
1497                    del_source(block, block->follow_to);
1498                    if (last_op->opcode == ZEND_JMPZ) {
1499                        block->ext_to = block->follow_to->op1_to;
1500                        ADD_SOURCE(block, block->ext_to);
1501                    } else {
1502                        block->ext_to = block->op2_to;
1503                        block->op2_to = block->follow_to->op1_to;
1504                        ADD_SOURCE(block, block->op2_to);
1505                    }
1506                    block->follow_to = NULL;
1507                    last_op->opcode = ZEND_JMPZNZ;
1508                }
1509            }
1510            break;
1511
1512        case ZEND_JMPNZ_EX:
1513        case ZEND_JMPZ_EX:
1514            /* constant conditional JMPs */
1515            if (ZEND_OP1_TYPE(last_op) == IS_CONST) {
1516                int should_jmp = zend_is_true(&ZEND_OP1_LITERAL(last_op));
1517
1518                if (last_op->opcode == ZEND_JMPZ_EX) {
1519                    should_jmp = !should_jmp;
1520                }
1521                if (!should_jmp) {
1522                    /* T = JMPZ_EX(true,L)   -> T = QM_ASSIGN(true)
1523                     * T = JMPNZ_EX(false,L) -> T = QM_ASSIGN(false)
1524                     */
1525                    last_op->opcode = ZEND_QM_ASSIGN;
1526                    SET_UNUSED(last_op->op2);
1527                    del_source(block, block->op2_to);
1528                    block->op2_to = NULL;
1529                }
1530                break;
1531            }
1532
1533            if (block->op2_to) {
1534                zend_op *target, *target_end;
1535                char *same_t=NULL;
1536                zend_code_block *target_block;
1537                int var_num = op_array->last_var + op_array->T;
1538
1539                if (var_num <= 0) {
1540                    return;
1541                }
1542                same_t = cfg->same_t;
1543                memset(same_t, 0, var_num);
1544                same_t[VAR_NUM_EX(last_op->op1)] |= ZEND_OP1_TYPE(last_op);
1545                same_t[VAR_NUM_EX(last_op->result)] |= ZEND_RESULT_TYPE(last_op);
1546                target_block = block->op2_to;
1547next_target_ex:
1548                target = target_block->start_opline;
1549                target_end = target_block->start_opline + target_block->len;
1550                while (target < target_end && target->opcode == ZEND_NOP) {
1551                    target++;
1552                }
1553                /* next block is only NOP's */
1554                if (target == target_end) {
1555                    target_block = target_block->follow_to;
1556                    goto next_target_ex;
1557                } else if (target_block->op2_to &&
1558                           target->opcode == last_op->opcode-3 &&
1559                           (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1560                           (same_t[VAR_NUM_EX(target->op1)] & ZEND_OP1_TYPE(target)) != 0 &&
1561                           !target_block->protected) {
1562                    /* T = JMPZ_EX(X, L1), L1: JMPZ({X|T}, L2) -> T = JMPZ_EX(X, L2) */
1563                    del_source(block, block->op2_to);
1564                    block->op2_to = target_block->op2_to;
1565                    ADD_SOURCE(block, block->op2_to);
1566                } else if (target_block->op2_to &&
1567                           target->opcode == INV_EX_COND(last_op->opcode) &&
1568                           (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1569                           (same_t[VAR_NUM_EX(target->op1)] & ZEND_OP1_TYPE(target)) != 0 &&
1570                           !target_block->protected) {
1571                    /* T = JMPZ_EX(X, L1), L1: JMPNZ({X|T1}, L2) -> T = JMPZ_EX(X, L1+1) */
1572                    del_source(block, block->op2_to);
1573                    block->op2_to = target_block->follow_to;
1574                    ADD_SOURCE(block, block->op2_to);
1575                } else if (target_block->op2_to &&
1576                           target->opcode == INV_EX_COND_EX(last_op->opcode) &&
1577                           (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1578                           (same_t[VAR_NUM_EX(target->op1)] & ZEND_OP1_TYPE(target)) != 0 &&
1579                           (same_t[VAR_NUM_EX(target->result)] & ZEND_RESULT_TYPE(target)) != 0 &&
1580                           !target_block->protected) {
1581                    /* T = JMPZ_EX(X, L1), L1: T = JMPNZ_EX(T, L2) -> T = JMPZ_EX(X, L1+1) */
1582                    del_source(block, block->op2_to);
1583                    block->op2_to = target_block->follow_to;
1584                    ADD_SOURCE(block, block->op2_to);
1585                } else if (target_block->op2_to &&
1586                           target->opcode == last_op->opcode &&
1587                           (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1588                           (same_t[VAR_NUM_EX(target->op1)] & ZEND_OP1_TYPE(target)) != 0 &&
1589                           (same_t[VAR_NUM_EX(target->result)] & ZEND_RESULT_TYPE(target)) != 0 &&
1590                           !target_block->protected) {
1591                    /* T = JMPZ_EX(X, L1), L1: T = JMPZ({X|T}, L2) -> T = JMPZ_EX(X, L2) */
1592                    del_source(block, block->op2_to);
1593                    block->op2_to = target_block->op2_to;
1594                    ADD_SOURCE(block, block->op2_to);
1595                } else if (target_block->op1_to &&
1596                           target->opcode == ZEND_JMP &&
1597                           !target_block->protected) {
1598                    /* T = JMPZ_EX(X, L), L: JMP(L2) -> T = JMPZ(X, L2) */
1599                    del_source(block, block->op2_to);
1600                    block->op2_to = target_block->op1_to;
1601                    ADD_SOURCE(block, block->op2_to);
1602                } else if (target_block->op2_to &&
1603                           target_block->ext_to &&
1604                           target->opcode == ZEND_JMPZNZ &&
1605                           (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1606                           (same_t[VAR_NUM_EX(target->op1)] & ZEND_OP1_TYPE(target)) != 0 &&
1607                           !target_block->protected) {
1608                    /* T = JMPZ_EX(X, L), L: JMPZNZ({X|T}, L2, L3) -> T = JMPZ_EX(X, L2) */
1609                    del_source(block, block->op2_to);
1610                    if (last_op->opcode == ZEND_JMPZ_EX) {
1611                        block->op2_to = target_block->op2_to;
1612                    } else {
1613                        block->op2_to = target_block->ext_to;
1614                    }
1615                    ADD_SOURCE(block, block->op2_to);
1616                }
1617            }
1618            break;
1619
1620        case ZEND_JMPZNZ: {
1621            zend_code_block *next = block->next;
1622
1623            while (next && !next->access) {
1624                /* find first accessed one */
1625                next = next->next;
1626            }
1627
1628            if (ZEND_OP1_TYPE(last_op) == IS_CONST) {
1629                if (!zend_is_true(&ZEND_OP1_LITERAL(last_op))) {
1630                    /* JMPZNZ(false,L1,L2) -> JMP(L1) */
1631                    zend_code_block *todel;
1632
1633                    literal_dtor(&ZEND_OP1_LITERAL(last_op));
1634                    last_op->opcode = ZEND_JMP;
1635                    SET_UNUSED(last_op->op1);
1636                    SET_UNUSED(last_op->op2);
1637                    block->op1_to = block->op2_to;
1638                    todel = block->ext_to;
1639                    block->op2_to = NULL;
1640                    block->ext_to = NULL;
1641                    del_source(block, todel);
1642                } else {
1643                    /* JMPZNZ(true,L1,L2) -> JMP(L2) */
1644                    zend_code_block *todel;
1645
1646                    literal_dtor(&ZEND_OP1_LITERAL(last_op));
1647                    last_op->opcode = ZEND_JMP;
1648                    SET_UNUSED(last_op->op1);
1649                    SET_UNUSED(last_op->op2);
1650                    block->op1_to = block->ext_to;
1651                    todel =  block->op2_to;
1652                    block->op2_to = NULL;
1653                    block->ext_to = NULL;
1654                    del_source(block, todel);
1655                }
1656            } else if (block->op2_to == block->ext_to) {
1657                /* both goto the same one - it's JMP */
1658                /* JMPZNZ(?,L,L) -> JMP(L) */
1659                last_op->opcode = ZEND_JMP;
1660                SET_UNUSED(last_op->op1);
1661                SET_UNUSED(last_op->op2);
1662                block->op1_to = block->op2_to;
1663                block->op2_to = NULL;
1664                block->ext_to = NULL;
1665            } else if (block->op2_to == next) {
1666                /* jumping to next on Z - can follow to it and jump only on NZ */
1667                /* JMPZNZ(X,L1,L2) L1: -> JMPNZ(X,L2) */
1668                last_op->opcode = ZEND_JMPNZ;
1669                block->op2_to = block->ext_to;
1670                block->follow_to = next;
1671                block->ext_to = NULL;
1672                /* no need to add source - it's block->op2_to */
1673            } else if (block->ext_to == next) {
1674                /* jumping to next on NZ - can follow to it and jump only on Z */
1675                /* JMPZNZ(X,L1,L2) L2: -> JMPZ(X,L1) */
1676                last_op->opcode = ZEND_JMPZ;
1677                block->follow_to = next;
1678                block->ext_to = NULL;
1679                /* no need to add source - it's block->ext_to */
1680            }
1681
1682            if (last_op->opcode == ZEND_JMPZNZ && block->op2_to) {
1683                zend_uchar same_type = ZEND_OP1_TYPE(last_op);
1684                zend_uchar same_var = VAR_NUM_EX(last_op->op1);
1685                zend_op *target;
1686                zend_op *target_end;
1687                zend_code_block *target_block = block->op2_to;
1688
1689next_target_znz:
1690                target = target_block->start_opline;
1691                target_end = target_block->start_opline + target_block->len;
1692                while (target < target_end && target->opcode == ZEND_NOP) {
1693                    target++;
1694                }
1695                /* next block is only NOP's */
1696                if (target == target_end) {
1697                    target_block = target_block->follow_to;
1698                    goto next_target_znz;
1699                } else if (target_block->op2_to &&
1700                           (target->opcode == ZEND_JMPZ || target->opcode == ZEND_JMPZNZ) &&
1701                           (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1702                           same_type == ZEND_OP1_TYPE(target) &&
1703                           same_var == VAR_NUM_EX(target->op1) &&
1704                           !target_block->protected) {
1705                    /* JMPZNZ(X, L1, L2), L1: JMPZ(X, L3) -> JMPZNZ(X, L3, L2) */
1706                    del_source(block, block->op2_to);
1707                    block->op2_to = target_block->op2_to;
1708                    ADD_SOURCE(block, block->op2_to);
1709                } else if (target->opcode == ZEND_JMPNZ &&
1710                           (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1711                           same_type == ZEND_OP1_TYPE(target) &&
1712                           same_var == VAR_NUM_EX(target->op1) &&
1713                           target_block->follow_to &&
1714                           !target_block->protected) {
1715                    /* JMPZNZ(X, L1, L2), L1: X = JMPNZ(X, L3) -> JMPZNZ(X, L1+1, L2) */
1716                    del_source(block, block->op2_to);
1717                    block->op2_to = target_block->follow_to;
1718                    ADD_SOURCE(block, block->op2_to);
1719                } else if (target_block->op1_to &&
1720                           target->opcode == ZEND_JMP &&
1721                           !target_block->protected) {
1722                    /* JMPZNZ(X, L1, L2), L1: JMP(L3) -> JMPZNZ(X, L3, L2) */
1723                    del_source(block, block->op2_to);
1724                    block->op2_to = target_block->op1_to;
1725                    ADD_SOURCE(block, block->op2_to);
1726                }
1727            }
1728            break;
1729        }
1730    }
1731}
1732
1733/* Global data dependencies */
1734
1735#define T_USAGE(op) do { \
1736        if ((op ## _type & (IS_VAR | IS_TMP_VAR)) && \
1737           !defined_here[VAR_NUM(op.var)] && !used_ext[VAR_NUM(op.var)]) {  \
1738            used_ext[VAR_NUM(op.var)] = 1;                                  \
1739        } \
1740    } while (0)
1741
1742#define NEVER_USED(op) ((op ## _type & (IS_VAR | IS_TMP_VAR)) && !usage[VAR_NUM(op.var)]) /* !used_ext[op.var] && */
1743#define RES_NEVER_USED(opline) (opline->result_type == IS_UNUSED || NEVER_USED(opline->result))
1744
1745/* Find a set of variables which are used outside of the block where they are
1746 * defined. We won't apply some optimization patterns for such variables. */
1747static void zend_t_usage(zend_code_block *block, zend_op_array *op_array, char *used_ext, zend_optimizer_ctx *ctx)
1748{
1749    zend_code_block *next_block = block->next;
1750    char *usage;
1751    char *defined_here;
1752    void *checkpoint;
1753
1754    if (op_array->T == 0) {
1755        /* shortcut - if no Ts, nothing to do */
1756        return;
1757    }
1758
1759    checkpoint = zend_arena_checkpoint(ctx->arena);
1760    usage = zend_arena_alloc(&ctx->arena, op_array->last_var + op_array->T);
1761    memset(usage, 0, op_array->last_var + op_array->T);
1762    defined_here = zend_arena_alloc(&ctx->arena, op_array->last_var + op_array->T);
1763
1764    while (next_block) {
1765        zend_op *opline = next_block->start_opline;
1766        zend_op *end = opline + next_block->len;
1767
1768        if (!next_block->access) {
1769            next_block = next_block->next;
1770            continue;
1771        }
1772        memset(defined_here, 0, op_array->last_var + op_array->T);
1773
1774        while (opline<end) {
1775            T_USAGE(opline->op1);
1776            T_USAGE(opline->op2);
1777
1778            if (RESULT_USED(opline)) {
1779                if (!defined_here[VAR_NUM(ZEND_RESULT(opline).var)] && !used_ext[VAR_NUM(ZEND_RESULT(opline).var)] &&
1780                    (opline->opcode == ZEND_RECV || opline->opcode == ZEND_RECV_INIT ||
1781                     opline->opcode == ZEND_RECV_VARIADIC ||
1782                    (opline->opcode == ZEND_OP_DATA && ZEND_RESULT_TYPE(opline) == IS_TMP_VAR) ||
1783                    opline->opcode == ZEND_ADD_ARRAY_ELEMENT)) {
1784                    /* these opcodes use the result as argument */
1785                    used_ext[VAR_NUM(ZEND_RESULT(opline).var)] = 1;
1786                }
1787                defined_here[VAR_NUM(ZEND_RESULT(opline).var)] = 1;
1788            }
1789            opline++;
1790        }
1791        next_block = next_block->next;
1792    }
1793
1794#if DEBUG_BLOCKPASS
1795    {
1796        int i;
1797        for (i = op_array->last_var; i< op_array->T; i++) {
1798            fprintf(stderr, "T%d: %c\n", i, used_ext[i] + '0');
1799        }
1800    }
1801#endif
1802
1803    while (block) {
1804        zend_op *opline = block->start_opline + block->len - 1;
1805
1806        if (!block->access) {
1807            block = block->next;
1808            continue;
1809        }
1810
1811        memcpy(usage, used_ext, op_array->last_var + op_array->T);
1812
1813        while (opline >= block->start_opline) {
1814            /* usage checks */
1815            if (RES_NEVER_USED(opline)) {
1816                switch (opline->opcode) {
1817                    case ZEND_ASSIGN_ADD:
1818                    case ZEND_ASSIGN_SUB:
1819                    case ZEND_ASSIGN_MUL:
1820                    case ZEND_ASSIGN_DIV:
1821                    case ZEND_ASSIGN_MOD:
1822                    case ZEND_ASSIGN_SL:
1823                    case ZEND_ASSIGN_SR:
1824                    case ZEND_ASSIGN_CONCAT:
1825                    case ZEND_ASSIGN_BW_OR:
1826                    case ZEND_ASSIGN_BW_AND:
1827                    case ZEND_ASSIGN_BW_XOR:
1828                    case ZEND_PRE_INC:
1829                    case ZEND_PRE_DEC:
1830                    case ZEND_POST_INC:
1831                    case ZEND_POST_DEC:
1832                    case ZEND_ASSIGN:
1833                    case ZEND_ASSIGN_REF:
1834                    case ZEND_DO_FCALL:
1835                    case ZEND_DO_ICALL:
1836                    case ZEND_DO_UCALL:
1837                    case ZEND_DO_FCALL_BY_NAME:
1838                        if (ZEND_RESULT_TYPE(opline) == IS_VAR) {
1839                            ZEND_RESULT_TYPE(opline) |= EXT_TYPE_UNUSED;
1840                        }
1841                        break;
1842                    case ZEND_QM_ASSIGN:
1843                    case ZEND_BOOL:
1844                    case ZEND_BOOL_NOT:
1845                        if (ZEND_OP1_TYPE(opline) == IS_CONST) {
1846                            literal_dtor(&ZEND_OP1_LITERAL(opline));
1847                        }
1848                        MAKE_NOP(opline);
1849                        break;
1850                    case ZEND_JMPZ_EX:
1851                    case ZEND_JMPNZ_EX:
1852                        opline->opcode -= 3;
1853                        SET_UNUSED(opline->result);
1854                        break;
1855                }
1856            }
1857
1858            if (opline->opcode == ZEND_RECV ||
1859                opline->opcode == ZEND_RECV_INIT ||
1860                opline->opcode == ZEND_RECV_VARIADIC ||
1861                opline->opcode == ZEND_ADD_ARRAY_ELEMENT) {
1862                if (ZEND_OP1_TYPE(opline) == IS_VAR || ZEND_OP1_TYPE(opline) == IS_TMP_VAR) {
1863                    usage[VAR_NUM(ZEND_RESULT(opline).var)] = 1;
1864                }
1865            } else {
1866                if (RESULT_USED(opline)) {
1867                    usage[VAR_NUM(ZEND_RESULT(opline).var)] = 0;
1868                }
1869            }
1870
1871            if (ZEND_OP1_TYPE(opline) == IS_VAR || ZEND_OP1_TYPE(opline) == IS_TMP_VAR) {
1872                usage[VAR_NUM(ZEND_OP1(opline).var)] = 1;
1873            }
1874
1875            if (ZEND_OP2_TYPE(opline) == IS_VAR || ZEND_OP2_TYPE(opline) == IS_TMP_VAR) {
1876                usage[VAR_NUM(ZEND_OP2(opline).var)] = 1;
1877            }
1878
1879            if ((ZEND_RESULT_TYPE(opline) & IS_VAR) &&
1880                (ZEND_RESULT_TYPE(opline) & EXT_TYPE_UNUSED) &&
1881                usage[VAR_NUM(ZEND_RESULT(opline).var)]) {
1882                ZEND_RESULT_TYPE(opline) &= ~EXT_TYPE_UNUSED;
1883            }
1884
1885            opline--;
1886        }
1887        block = block->next;
1888    } /* end blocks */
1889
1890    zend_arena_release(&ctx->arena, checkpoint);
1891}
1892
1893#define PASSES 3
1894
1895void optimize_cfg(zend_op_array *op_array, zend_optimizer_ctx *ctx)
1896{
1897    zend_cfg cfg;
1898    zend_code_block *cur_block;
1899    int pass;
1900    char *usage;
1901    void *checkpoint;
1902
1903#if DEBUG_BLOCKPASS
1904    fprintf(stderr, "File %s func %s\n", op_array->filename, op_array->function_name? op_array->function_name : "main");
1905    fflush(stderr);
1906#endif
1907
1908    if (op_array->fn_flags & ZEND_ACC_HAS_FINALLY_BLOCK) {
1909        return;
1910    }
1911
1912    /* Build CFG */
1913    checkpoint = zend_arena_checkpoint(ctx->arena);
1914    if (!find_code_blocks(op_array, &cfg, ctx)) {
1915        zend_arena_release(&ctx->arena, checkpoint);
1916        return;
1917    }
1918
1919    zend_rebuild_access_path(&cfg, op_array, 0, ctx);
1920    /* full rebuild here to produce correct sources! */
1921    if (op_array->last_var || op_array->T) {
1922        cfg.Tsource = zend_arena_calloc(&ctx->arena, op_array->last_var + op_array->T, sizeof(zend_op *));
1923        cfg.same_t = zend_arena_alloc(&ctx->arena, op_array->last_var + op_array->T);
1924        usage = zend_arena_alloc(&ctx->arena, op_array->last_var + op_array->T);
1925    } else {
1926        cfg.Tsource = NULL;
1927        cfg.same_t = NULL;
1928        usage = NULL;
1929    }
1930    for (pass = 0; pass < PASSES; pass++) {
1931        /* Compute data dependencies */
1932        memset(usage, 0, op_array->last_var + op_array->T);
1933        zend_t_usage(cfg.blocks, op_array, usage, ctx);
1934
1935        /* optimize each basic block separately */
1936        for (cur_block = cfg.blocks; cur_block; cur_block = cur_block->next) {
1937            if (!cur_block->access) {
1938                continue;
1939            }
1940            zend_optimize_block(cur_block, op_array, usage, &cfg, ctx);
1941        }
1942
1943        /* Jump optimization for each block */
1944        for (cur_block = cfg.blocks; cur_block; cur_block = cur_block->next) {
1945            if (!cur_block->access) {
1946                continue;
1947            }
1948            zend_jmp_optimization(cur_block, op_array, cfg.blocks, &cfg, ctx);
1949        }
1950
1951        /* Eliminate unreachable basic blocks */
1952        zend_rebuild_access_path(&cfg, op_array, 1, ctx);
1953    }
1954
1955    memset(usage, 0, op_array->last_var + op_array->T);
1956    zend_t_usage(cfg.blocks, op_array, usage, ctx);
1957    assemble_code_blocks(&cfg, op_array);
1958
1959    /* Destroy CFG */
1960    zend_arena_release(&ctx->arena, checkpoint);
1961}
1962