1/*
2   +----------------------------------------------------------------------+
3   | Zend OPcache                                                         |
4   +----------------------------------------------------------------------+
5   | Copyright (c) 1998-2016 The PHP Group                                |
6   +----------------------------------------------------------------------+
7   | This source file is subject to version 3.01 of the PHP license,      |
8   | that is bundled with this package in the file LICENSE, and is        |
9   | available through the world-wide-web at the following url:           |
10   | http://www.php.net/license/3_01.txt                                  |
11   | If you did not receive a copy of the PHP license and are unable to   |
12   | obtain it through the world-wide-web, please send a note to          |
13   | license@php.net so we can mail you a copy immediately.               |
14   +----------------------------------------------------------------------+
15   | Authors: Andi Gutmans <andi@zend.com>                                |
16   |          Zeev Suraski <zeev@zend.com>                                |
17   |          Stanislav Malyshev <stas@zend.com>                          |
18   |          Dmitry Stogov <dmitry@zend.com>                             |
19   +----------------------------------------------------------------------+
20*/
21
22#include "php.h"
23#include "Optimizer/zend_optimizer.h"
24#include "Optimizer/zend_optimizer_internal.h"
25#include "zend_API.h"
26#include "zend_constants.h"
27#include "zend_execute.h"
28#include "zend_vm.h"
29#include "zend_bitset.h"
30#include "zend_cfg.h"
31#include "zend_dump.h"
32
33/* Checks if a constant (like "true") may be replaced by its value */
34int zend_optimizer_get_persistent_constant(zend_string *name, zval *result, int copy)
35{
36	zend_constant *c;
37	char *lookup_name;
38	int retval = 1;
39	ALLOCA_FLAG(use_heap);
40
41	if ((c = zend_hash_find_ptr(EG(zend_constants), name)) == NULL) {
42		lookup_name = do_alloca(ZSTR_LEN(name) + 1, use_heap);
43		memcpy(lookup_name, ZSTR_VAL(name), ZSTR_LEN(name) + 1);
44		zend_str_tolower(lookup_name, ZSTR_LEN(name));
45
46		if ((c = zend_hash_str_find_ptr(EG(zend_constants), lookup_name, ZSTR_LEN(name))) != NULL) {
47			if (!(c->flags & CONST_CT_SUBST) || (c->flags & CONST_CS)) {
48				retval = 0;
49			}
50		} else {
51			retval = 0;
52		}
53		free_alloca(lookup_name, use_heap);
54	}
55
56	if (retval) {
57		if (c->flags & CONST_PERSISTENT) {
58			ZVAL_COPY_VALUE(result, &c->value);
59			if (copy) {
60				zval_copy_ctor(result);
61			}
62		} else {
63			retval = 0;
64		}
65	}
66
67	return retval;
68}
69
70/* CFG back references management */
71
72#define DEL_SOURCE(from, to)
73#define ADD_SOURCE(from, to)
74
75/* Data dependencies macros */
76
77#define VAR_NUM_EX(op) VAR_NUM((op).var)
78
79#define VAR_SOURCE(op) Tsource[VAR_NUM(op.var)]
80#define SET_VAR_SOURCE(opline) Tsource[VAR_NUM(opline->result.var)] = opline
81
82#define convert_to_string_safe(v) \
83	if (Z_TYPE_P((v)) == IS_NULL) { \
84		ZVAL_STRINGL((v), "", 0); \
85	} else { \
86		convert_to_string((v)); \
87	}
88
89static void strip_leading_nops(zend_op_array *op_array, zend_basic_block *b)
90{
91	zend_op *opcodes = op_array->opcodes;
92
93	while (b->len > 0 && opcodes[b->start].opcode == ZEND_NOP) {
94		b->start++;
95		b->len--;
96	}
97}
98
99static void strip_nops(zend_op_array *op_array, zend_basic_block *b)
100{
101	uint32_t i, j;
102
103	strip_leading_nops(op_array, b);
104	if (b->len == 0) {
105		return;
106	}
107
108	/* strip the inside NOPs */
109	i = j = b->start + 1;
110	while (i < b->start + b->len) {
111		if (op_array->opcodes[i].opcode != ZEND_NOP) {
112			if (i != j) {
113				op_array->opcodes[j] = op_array->opcodes[i];
114			}
115			j++;
116		}
117		i++;
118	}
119	b->len = j - b->start;
120	while (j < i) {
121		MAKE_NOP(op_array->opcodes + j);
122		j++;
123	}
124}
125
126static void zend_optimize_block(zend_basic_block *block, zend_op_array *op_array, zend_bitset used_ext, zend_cfg *cfg, zend_op **Tsource)
127{
128	zend_op *opline, *src;
129	zend_op *end, *last_op = NULL;
130
131	/* remove leading NOPs */
132	strip_leading_nops(op_array, block);
133
134	opline = op_array->opcodes + block->start;
135	end = opline + block->len;
136	while (opline < end) {
137		/* Constant Propagation: strip X = QM_ASSIGN(const) */
138		if ((opline->op1_type & (IS_TMP_VAR|IS_VAR)) &&
139		    opline->opcode != ZEND_FREE) {
140			src = VAR_SOURCE(opline->op1);
141			if (src &&
142			    src->opcode == ZEND_QM_ASSIGN &&
143			    src->op1_type == IS_CONST) {
144
145				znode_op op1 = opline->op1;
146				zval c = ZEND_OP1_LITERAL(src);
147
148				zval_copy_ctor(&c);
149				if (zend_optimizer_update_op1_const(op_array, opline, &c)) {
150					zend_optimizer_remove_live_range(op_array, op1.var);
151					VAR_SOURCE(op1) = NULL;
152					literal_dtor(&ZEND_OP1_LITERAL(src));
153					MAKE_NOP(src);
154				}
155			}
156		}
157
158		/* Constant Propagation: strip X = QM_ASSIGN(const) */
159		if (opline->op2_type & (IS_TMP_VAR|IS_VAR)) {
160			src = VAR_SOURCE(opline->op2);
161			if (src &&
162			    src->opcode == ZEND_QM_ASSIGN &&
163			    src->op1_type == IS_CONST) {
164
165				znode_op op2 = opline->op2;
166				zval c = ZEND_OP1_LITERAL(src);
167
168				zval_copy_ctor(&c);
169				if (zend_optimizer_update_op2_const(op_array, opline, &c)) {
170					zend_optimizer_remove_live_range(op_array, op2.var);
171					VAR_SOURCE(op2) = NULL;
172					literal_dtor(&ZEND_OP1_LITERAL(src));
173					MAKE_NOP(src);
174				}
175			}
176		}
177
178		if (opline->opcode == ZEND_ECHO) {
179			if (opline->op1_type & (IS_TMP_VAR|IS_VAR)) {
180				src = VAR_SOURCE(opline->op1);
181				if (src &&
182				    src->opcode == ZEND_CAST &&
183				    src->extended_value == IS_STRING) {
184					/* T = CAST(X, String), ECHO(T) => NOP, ECHO(X) */
185					VAR_SOURCE(opline->op1) = NULL;
186					COPY_NODE(opline->op1, src->op1);
187					MAKE_NOP(src);
188				}
189			}
190
191			if (opline->op1_type == IS_CONST) {
192				if (last_op && last_op->opcode == ZEND_ECHO &&
193				    last_op->op1_type == IS_CONST &&
194				    Z_TYPE(ZEND_OP1_LITERAL(opline)) != IS_DOUBLE &&
195				    Z_TYPE(ZEND_OP1_LITERAL(last_op)) != IS_DOUBLE) {
196					/* compress consecutive ECHO's.
197					 * Float to string conversion may be affected by current
198					 * locale setting.
199					 */
200					int l, old_len;
201
202					if (Z_TYPE(ZEND_OP1_LITERAL(opline)) != IS_STRING) {
203						convert_to_string_safe(&ZEND_OP1_LITERAL(opline));
204					}
205					if (Z_TYPE(ZEND_OP1_LITERAL(last_op)) != IS_STRING) {
206						convert_to_string_safe(&ZEND_OP1_LITERAL(last_op));
207					}
208					old_len = Z_STRLEN(ZEND_OP1_LITERAL(last_op));
209					l = old_len + Z_STRLEN(ZEND_OP1_LITERAL(opline));
210					if (!Z_REFCOUNTED(ZEND_OP1_LITERAL(last_op))) {
211						zend_string *tmp = zend_string_alloc(l, 0);
212						memcpy(ZSTR_VAL(tmp), Z_STRVAL(ZEND_OP1_LITERAL(last_op)), old_len);
213						Z_STR(ZEND_OP1_LITERAL(last_op)) = tmp;
214					} else {
215						Z_STR(ZEND_OP1_LITERAL(last_op)) = zend_string_extend(Z_STR(ZEND_OP1_LITERAL(last_op)), l, 0);
216					}
217					Z_TYPE_INFO(ZEND_OP1_LITERAL(last_op)) = IS_STRING_EX;
218					memcpy(Z_STRVAL(ZEND_OP1_LITERAL(last_op)) + old_len, Z_STRVAL(ZEND_OP1_LITERAL(opline)), Z_STRLEN(ZEND_OP1_LITERAL(opline)));
219					Z_STRVAL(ZEND_OP1_LITERAL(last_op))[l] = '\0';
220					zval_dtor(&ZEND_OP1_LITERAL(opline));
221					ZVAL_STR(&ZEND_OP1_LITERAL(opline), zend_new_interned_string(Z_STR(ZEND_OP1_LITERAL(last_op))));
222					ZVAL_NULL(&ZEND_OP1_LITERAL(last_op));
223					MAKE_NOP(last_op);
224				}
225				last_op = opline;
226			} else {
227				last_op = NULL;
228			}
229		} else {
230			last_op = NULL;
231		}
232
233		switch (opline->opcode) {
234
235			case ZEND_FREE:
236				if (opline->op1_type == IS_TMP_VAR) {
237					src = VAR_SOURCE(opline->op1);
238					if (src &&
239					    (src->opcode == ZEND_BOOL || src->opcode == ZEND_BOOL_NOT)) {
240						/* T = BOOL(X), FREE(T) => NOP */
241						if (ZEND_OP1_TYPE(src) == IS_CONST) {
242							literal_dtor(&ZEND_OP1_LITERAL(src));
243						}
244						VAR_SOURCE(opline->op1) = NULL;
245						MAKE_NOP(src);
246						MAKE_NOP(opline);
247					}
248				} else if (opline->op1_type == IS_VAR) {
249					src = VAR_SOURCE(opline->op1);
250					/* V = OP, FREE(V) => OP. NOP */
251					if (src &&
252					    src->opcode != ZEND_FETCH_R &&
253					    src->opcode != ZEND_FETCH_STATIC_PROP_R &&
254					    src->opcode != ZEND_FETCH_DIM_R &&
255					    src->opcode != ZEND_FETCH_OBJ_R &&
256					    src->opcode != ZEND_NEW) {
257						if (opline->extended_value & ZEND_FREE_ON_RETURN) {
258							/* mark as removed (empty live range) */
259							op_array->live_range[opline->op2.num].var = (uint32_t)-1;
260						}
261						ZEND_RESULT_TYPE(src) = IS_UNUSED;
262						MAKE_NOP(opline);
263					}
264				}
265				break;
266
267#if 0
268		/* pre-evaluate functions:
269		   constant(x)
270		   defined(x)
271		   function_exists(x)
272		   extension_loaded(x)
273		   BAD: interacts badly with Accelerator
274		*/
275		if((ZEND_OP1_TYPE(opline) & IS_VAR) &&
276		   VAR_SOURCE(opline->op1) && VAR_SOURCE(opline->op1)->opcode == ZEND_DO_CF_FCALL &&
277		   VAR_SOURCE(opline->op1)->extended_value == 1) {
278			zend_op *fcall = VAR_SOURCE(opline->op1);
279			zend_op *sv = fcall-1;
280			if(sv >= block->start_opline && sv->opcode == ZEND_SEND_VAL &&
281			   ZEND_OP1_TYPE(sv) == IS_CONST && Z_TYPE(OPLINE_OP1_LITERAL(sv)) == IS_STRING &&
282			   Z_LVAL(OPLINE_OP2_LITERAL(sv)) == 1
283			   ) {
284				zval *arg = &OPLINE_OP1_LITERAL(sv);
285				char *fname = FUNCTION_CACHE->funcs[Z_LVAL(ZEND_OP1_LITERAL(fcall))].function_name;
286				int flen = FUNCTION_CACHE->funcs[Z_LVAL(ZEND_OP1_LITERAL(fcall))].name_len;
287				if(flen == sizeof("defined")-1 && zend_binary_strcasecmp(fname, flen, "defined", sizeof("defined")-1) == 0) {
288					zval c;
289					if(zend_optimizer_get_persistent_constant(Z_STR_P(arg), &c, 0 ELS_CC) != 0) {
290						literal_dtor(arg);
291						MAKE_NOP(sv);
292						MAKE_NOP(fcall);
293						LITERAL_BOOL(opline->op1, 1);
294						ZEND_OP1_TYPE(opline) = IS_CONST;
295					}
296				} else if((flen == sizeof("function_exists")-1 && zend_binary_strcasecmp(fname, flen, "function_exists", sizeof("function_exists")-1) == 0) ||
297						  (flen == sizeof("is_callable")-1 && zend_binary_strcasecmp(fname, flen, "is_callable", sizeof("is_callable")-1) == 0)
298						  ) {
299					zend_function *function;
300					if((function = zend_hash_find_ptr(EG(function_table), Z_STR_P(arg))) != NULL) {
301						literal_dtor(arg);
302						MAKE_NOP(sv);
303						MAKE_NOP(fcall);
304						LITERAL_BOOL(opline->op1, 1);
305						ZEND_OP1_TYPE(opline) = IS_CONST;
306					}
307				} else if(flen == sizeof("constant")-1 && zend_binary_strcasecmp(fname, flen, "constant", sizeof("constant")-1) == 0) {
308					zval c;
309					if(zend_optimizer_get_persistent_constant(Z_STR_P(arg), &c, 1 ELS_CC) != 0) {
310						literal_dtor(arg);
311						MAKE_NOP(sv);
312						MAKE_NOP(fcall);
313						ZEND_OP1_LITERAL(opline) = zend_optimizer_add_literal(op_array, &c);
314						/* no copy ctor - get already copied it */
315						ZEND_OP1_TYPE(opline) = IS_CONST;
316					}
317				} else if(flen == sizeof("extension_loaded")-1 && zend_binary_strcasecmp(fname, flen, "extension_loaded", sizeof("extension_loaded")-1) == 0) {
318					if(zend_hash_exists(&module_registry, Z_STR_P(arg))) {
319						literal_dtor(arg);
320						MAKE_NOP(sv);
321						MAKE_NOP(fcall);
322						LITERAL_BOOL(opline->op1, 1);
323						ZEND_OP1_TYPE(opline) = IS_CONST;
324					}
325				}
326			}
327		}
328#endif
329
330			case ZEND_FETCH_LIST:
331				if (opline->op1_type & (IS_TMP_VAR|IS_VAR)) {
332					/* LIST variable will be deleted later by FREE */
333					Tsource[VAR_NUM(opline->op1.var)] = NULL;
334				}
335				break;
336
337			case ZEND_CASE:
338				if (opline->op1_type & (IS_TMP_VAR|IS_VAR)) {
339					/* CASE variable will be deleted later by FREE, so we can't optimize it */
340					Tsource[VAR_NUM(opline->op1.var)] = NULL;
341					break;
342				}
343				if (opline->op1_type == IS_CONST &&
344				    opline->op2_type == IS_CONST) {
345					break;
346				}
347				/* break missing intentionally */
348
349			case ZEND_IS_EQUAL:
350			case ZEND_IS_NOT_EQUAL:
351				if (opline->op1_type == IS_CONST &&
352				    opline->op2_type == IS_CONST) {
353					goto optimize_constant_binary_op;
354				}
355		        /* IS_EQ(TRUE, X)      => BOOL(X)
356		         * IS_EQ(FALSE, X)     => BOOL_NOT(X)
357		         * IS_NOT_EQ(TRUE, X)  => BOOL_NOT(X)
358		         * IS_NOT_EQ(FALSE, X) => BOOL(X)
359		         * CASE(TRUE, X)       => BOOL(X)
360		         * CASE(FALSE, X)      => BOOL_NOT(X)
361		         */
362				if (opline->op1_type == IS_CONST &&
363					(Z_TYPE(ZEND_OP1_LITERAL(opline)) == IS_FALSE ||
364					 Z_TYPE(ZEND_OP1_LITERAL(opline)) == IS_TRUE)) {
365					/* Optimization of comparison with "null" is not safe,
366					 * because ("0" == null) is not equal to !("0")
367					 */
368					opline->opcode =
369						((opline->opcode != ZEND_IS_NOT_EQUAL) == ((Z_TYPE(ZEND_OP1_LITERAL(opline))) == IS_TRUE)) ?
370						ZEND_BOOL : ZEND_BOOL_NOT;
371					COPY_NODE(opline->op1, opline->op2);
372					SET_UNUSED(opline->op2);
373					goto optimize_bool;
374				} else if (opline->op2_type == IS_CONST &&
375				           (Z_TYPE(ZEND_OP2_LITERAL(opline)) == IS_FALSE ||
376				            Z_TYPE(ZEND_OP2_LITERAL(opline)) == IS_TRUE)) {
377					/* Optimization of comparison with "null" is not safe,
378					 * because ("0" == null) is not equal to !("0")
379					 */
380					opline->opcode =
381						((opline->opcode != ZEND_IS_NOT_EQUAL) == ((Z_TYPE(ZEND_OP2_LITERAL(opline))) == IS_TRUE)) ?
382						ZEND_BOOL : ZEND_BOOL_NOT;
383					SET_UNUSED(opline->op2);
384					goto optimize_bool;
385				}
386				break;
387
388			case ZEND_BOOL:
389			case ZEND_BOOL_NOT:
390			optimize_bool:
391				if (opline->op1_type == IS_CONST) {
392					goto optimize_const_unary_op;
393				}
394				if (opline->op1_type == IS_TMP_VAR &&
395				    !zend_bitset_in(used_ext, VAR_NUM(opline->op1.var))) {
396					src = VAR_SOURCE(opline->op1);
397					if (src) {
398						switch (src->opcode) {
399							case ZEND_BOOL_NOT:
400								/* T = BOOL_NOT(X) + BOOL(T) -> NOP, BOOL_NOT(X) */
401								VAR_SOURCE(opline->op1) = NULL;
402								COPY_NODE(opline->op1, src->op1);
403								opline->opcode = (opline->opcode == ZEND_BOOL) ? ZEND_BOOL_NOT : ZEND_BOOL;
404								MAKE_NOP(src);
405								goto optimize_bool;
406							case ZEND_BOOL:
407								/* T = BOOL(X) + BOOL(T) -> NOP, BOOL(X) */
408								VAR_SOURCE(opline->op1) = NULL;
409								COPY_NODE(opline->op1, src->op1);
410								MAKE_NOP(src);
411								goto optimize_bool;
412							case ZEND_IS_EQUAL:
413								if (opline->opcode == ZEND_BOOL_NOT) {
414									src->opcode = ZEND_IS_NOT_EQUAL;
415								}
416								COPY_NODE(src->result, opline->result);
417								SET_VAR_SOURCE(src);
418								MAKE_NOP(opline);
419								break;
420							case ZEND_IS_NOT_EQUAL:
421								if (opline->opcode == ZEND_BOOL_NOT) {
422									src->opcode = ZEND_IS_EQUAL;
423								}
424								COPY_NODE(src->result, opline->result);
425								SET_VAR_SOURCE(src);
426								MAKE_NOP(opline);
427								break;
428							case ZEND_IS_IDENTICAL:
429								if (opline->opcode == ZEND_BOOL_NOT) {
430									src->opcode = ZEND_IS_NOT_IDENTICAL;
431								}
432								COPY_NODE(src->result, opline->result);
433								SET_VAR_SOURCE(src);
434								MAKE_NOP(opline);
435								break;
436							case ZEND_IS_NOT_IDENTICAL:
437								if (opline->opcode == ZEND_BOOL_NOT) {
438									src->opcode = ZEND_IS_IDENTICAL;
439								}
440								COPY_NODE(src->result, opline->result);
441								SET_VAR_SOURCE(src);
442								MAKE_NOP(opline);
443								break;
444							case ZEND_IS_SMALLER:
445								if (opline->opcode == ZEND_BOOL_NOT) {
446									zend_uchar tmp_type;
447									uint32_t tmp;
448
449									src->opcode = ZEND_IS_SMALLER_OR_EQUAL;
450									tmp_type = src->op1_type;
451									src->op1_type = src->op2_type;
452									src->op2_type = tmp_type;
453									tmp = src->op1.num;
454									src->op1.num = src->op2.num;
455									src->op2.num = tmp;
456								}
457								COPY_NODE(src->result, opline->result);
458								SET_VAR_SOURCE(src);
459								MAKE_NOP(opline);
460								break;
461							case ZEND_IS_SMALLER_OR_EQUAL:
462								if (opline->opcode == ZEND_BOOL_NOT) {
463									zend_uchar tmp_type;
464									uint32_t tmp;
465
466									src->opcode = ZEND_IS_SMALLER;
467									tmp_type = src->op1_type;
468									src->op1_type = src->op2_type;
469									src->op2_type = tmp_type;
470									tmp = src->op1.num;
471									src->op1.num = src->op2.num;
472									src->op2.num = tmp;
473								}
474								COPY_NODE(src->result, opline->result);
475								SET_VAR_SOURCE(src);
476								MAKE_NOP(opline);
477								break;
478							case ZEND_ISSET_ISEMPTY_VAR:
479							case ZEND_ISSET_ISEMPTY_DIM_OBJ:
480							case ZEND_ISSET_ISEMPTY_PROP_OBJ:
481							case ZEND_ISSET_ISEMPTY_STATIC_PROP:
482							case ZEND_INSTANCEOF:
483							case ZEND_TYPE_CHECK:
484							case ZEND_DEFINED:
485								if (opline->opcode == ZEND_BOOL_NOT) {
486									break;
487								}
488								COPY_NODE(src->result, opline->result);
489								SET_VAR_SOURCE(src);
490								MAKE_NOP(opline);
491								break;
492						}
493					}
494				}
495				break;
496
497			case ZEND_JMPZ:
498			case ZEND_JMPNZ:
499			case ZEND_JMPZ_EX:
500			case ZEND_JMPNZ_EX:
501			case ZEND_JMPZNZ:
502			optimize_jmpznz:
503				if (opline->op1_type == IS_TMP_VAR &&
504				    (!zend_bitset_in(used_ext, VAR_NUM(opline->op1.var)) ||
505				     (opline->result_type == opline->op1_type &&
506				      opline->result.var == opline->op1.var))) {
507					src = VAR_SOURCE(opline->op1);
508					if (src) {
509						if (src->opcode == ZEND_BOOL_NOT &&
510						    opline->opcode != ZEND_JMPZ_EX &&
511						    opline->opcode != ZEND_JMPNZ_EX) {
512							VAR_SOURCE(opline->op1) = NULL;
513							COPY_NODE(opline->op1, src->op1);
514							if (opline->opcode == ZEND_JMPZ) {
515								/* T = BOOL_NOT(X) + JMPZ(T) -> NOP, JMPNZ(X) */
516								opline->opcode = ZEND_JMPNZ;
517							} else if (opline->opcode == ZEND_JMPNZ) {
518								/* T = BOOL_NOT(X) + JMPNZ(T) -> NOP, JMPZ(X) */
519								opline->opcode = ZEND_JMPZ;
520#if 0
521							} else if (opline->opcode == ZEND_JMPZ_EX) {
522								/* T = BOOL_NOT(X) + JMPZ_EX(T) -> NOP, JMPNZ_EX(X) */
523								opline->opcode = ZEND_JMPNZ_EX;
524							} else if (opline->opcode == ZEND_JMPNZ_EX) {
525								/* T = BOOL_NOT(X) + JMPNZ_EX(T) -> NOP, JMPZ_EX(X) */
526								opline->opcode = ZEND_JMPZ;
527#endif
528							} else {
529								/* T = BOOL_NOT(X) + JMPZNZ(T,L1,L2) -> NOP, JMPZNZ(X,L2,L1) */
530								uint32_t tmp;
531
532								ZEND_ASSERT(opline->opcode == ZEND_JMPZNZ);
533								tmp = block->successors[0];
534								block->successors[0] = block->successors[1];
535								block->successors[1] = tmp;
536							}
537							MAKE_NOP(src);
538							goto optimize_jmpznz;
539						} else if (src->opcode == ZEND_BOOL ||
540						           src->opcode == ZEND_QM_ASSIGN) {
541							VAR_SOURCE(opline->op1) = NULL;
542							COPY_NODE(opline->op1, src->op1);
543							MAKE_NOP(src);
544							goto optimize_jmpznz;
545						}
546					}
547				}
548				break;
549
550			case ZEND_CONCAT:
551			case ZEND_FAST_CONCAT:
552				if (opline->op1_type == IS_CONST &&
553				    opline->op2_type == IS_CONST) {
554					goto optimize_constant_binary_op;
555				}
556
557				if (opline->op2_type == IS_CONST &&
558				    opline->op1_type == IS_TMP_VAR) {
559
560					src = VAR_SOURCE(opline->op1);
561				    if (src &&
562					    (src->opcode == ZEND_CONCAT ||
563					     src->opcode == ZEND_FAST_CONCAT) &&
564					    src->op2_type == IS_CONST) {
565						/* compress consecutive CONCATs */
566						int l, old_len;
567
568						if (Z_TYPE(ZEND_OP2_LITERAL(opline)) != IS_STRING) {
569							convert_to_string_safe(&ZEND_OP2_LITERAL(opline));
570						}
571						if (Z_TYPE(ZEND_OP2_LITERAL(src)) != IS_STRING) {
572							convert_to_string_safe(&ZEND_OP2_LITERAL(src));
573						}
574
575						VAR_SOURCE(opline->op1) = NULL;
576						COPY_NODE(opline->op1, src->op1);
577						old_len = Z_STRLEN(ZEND_OP2_LITERAL(src));
578						l = old_len + Z_STRLEN(ZEND_OP2_LITERAL(opline));
579						if (!Z_REFCOUNTED(ZEND_OP2_LITERAL(src))) {
580							zend_string *tmp = zend_string_alloc(l, 0);
581							memcpy(ZSTR_VAL(tmp), Z_STRVAL(ZEND_OP2_LITERAL(src)), old_len);
582							Z_STR(ZEND_OP2_LITERAL(src)) = tmp;
583						} else {
584							Z_STR(ZEND_OP2_LITERAL(src)) = zend_string_extend(Z_STR(ZEND_OP2_LITERAL(src)), l, 0);
585						}
586						Z_TYPE_INFO(ZEND_OP2_LITERAL(src)) = IS_STRING_EX;
587						memcpy(Z_STRVAL(ZEND_OP2_LITERAL(src)) + old_len, Z_STRVAL(ZEND_OP2_LITERAL(opline)), Z_STRLEN(ZEND_OP2_LITERAL(opline)));
588						Z_STRVAL(ZEND_OP2_LITERAL(src))[l] = '\0';
589						zend_string_release(Z_STR(ZEND_OP2_LITERAL(opline)));
590						ZVAL_STR(&ZEND_OP2_LITERAL(opline), zend_new_interned_string(Z_STR(ZEND_OP2_LITERAL(src))));
591						ZVAL_NULL(&ZEND_OP2_LITERAL(src));
592						MAKE_NOP(src);
593					}
594				}
595
596				if (opline->op1_type & (IS_TMP_VAR|IS_VAR)) {
597					src = VAR_SOURCE(opline->op1);
598					if (src &&
599					    src->opcode == ZEND_CAST &&
600					    src->extended_value == IS_STRING) {
601						/* convert T1 = CAST(STRING, X), T2 = CONCAT(T1, Y) to T2 = CONCAT(X,Y) */
602						VAR_SOURCE(opline->op1) = NULL;
603						COPY_NODE(opline->op1, src->op1);
604						MAKE_NOP(src);
605					}
606	            }
607				if (opline->op2_type & (IS_TMP_VAR|IS_VAR)) {
608					src = VAR_SOURCE(opline->op2);
609					if (src &&
610					    src->opcode == ZEND_CAST &&
611					    src->extended_value == IS_STRING) {
612						/* convert T1 = CAST(STRING, X), T2 = CONCAT(Y, T1) to T2 = CONCAT(Y,X) */
613						zend_op *src = VAR_SOURCE(opline->op2);
614						VAR_SOURCE(opline->op2) = NULL;
615						COPY_NODE(opline->op2, src->op1);
616						MAKE_NOP(src);
617					}
618				}
619				if (opline->op1_type == IS_CONST &&
620				    Z_TYPE(ZEND_OP1_LITERAL(opline)) == IS_STRING &&
621				    Z_STRLEN(ZEND_OP1_LITERAL(opline)) == 0) {
622					/* convert CONCAT('', X) => CAST(STRING, X) */
623					literal_dtor(&ZEND_OP1_LITERAL(opline));
624					opline->opcode = ZEND_CAST;
625					opline->extended_value = IS_STRING;
626					COPY_NODE(opline->op1, opline->op2);
627					opline->op2_type = IS_UNUSED;
628					opline->op2.var = 0;
629				} else if (opline->op2_type == IS_CONST &&
630			           Z_TYPE(ZEND_OP2_LITERAL(opline)) == IS_STRING &&
631			           Z_STRLEN(ZEND_OP2_LITERAL(opline)) == 0) {
632					/* convert CONCAT(X, '') => CAST(STRING, X) */
633					literal_dtor(&ZEND_OP2_LITERAL(opline));
634					opline->opcode = ZEND_CAST;
635					opline->extended_value = IS_STRING;
636					opline->op2_type = IS_UNUSED;
637					opline->op2.var = 0;
638				} else if (opline->opcode == ZEND_CONCAT &&
639				           (opline->op1_type == IS_CONST ||
640				            (opline->op1_type == IS_TMP_VAR &&
641				             VAR_SOURCE(opline->op1) &&
642				             (VAR_SOURCE(opline->op1)->opcode == ZEND_FAST_CONCAT ||
643				              VAR_SOURCE(opline->op1)->opcode == ZEND_ROPE_END ||
644				              VAR_SOURCE(opline->op1)->opcode == ZEND_FETCH_CONSTANT ||
645				              VAR_SOURCE(opline->op1)->opcode == ZEND_FETCH_CLASS_CONSTANT))) &&
646				           (opline->op2_type == IS_CONST ||
647				            (opline->op2_type == IS_TMP_VAR &&
648				             VAR_SOURCE(opline->op2) &&
649				             (VAR_SOURCE(opline->op2)->opcode == ZEND_FAST_CONCAT ||
650				              VAR_SOURCE(opline->op2)->opcode == ZEND_ROPE_END ||
651				              VAR_SOURCE(opline->op2)->opcode == ZEND_FETCH_CONSTANT ||
652				              VAR_SOURCE(opline->op2)->opcode == ZEND_FETCH_CLASS_CONSTANT)))) {
653					opline->opcode = ZEND_FAST_CONCAT;
654				}
655				break;
656
657			case ZEND_ADD:
658			case ZEND_SUB:
659			case ZEND_MUL:
660			case ZEND_DIV:
661			case ZEND_MOD:
662			case ZEND_SL:
663			case ZEND_SR:
664			case ZEND_IS_SMALLER:
665			case ZEND_IS_SMALLER_OR_EQUAL:
666			case ZEND_IS_IDENTICAL:
667			case ZEND_IS_NOT_IDENTICAL:
668			case ZEND_BOOL_XOR:
669			case ZEND_BW_OR:
670			case ZEND_BW_AND:
671			case ZEND_BW_XOR:
672				if (opline->op1_type == IS_CONST &&
673				    opline->op2_type == IS_CONST) {
674					/* evaluate constant expressions */
675					binary_op_type binary_op;
676					zval result;
677					int er;
678
679optimize_constant_binary_op:
680					binary_op = get_binary_op(opline->opcode);
681		            if ((opline->opcode == ZEND_DIV || opline->opcode == ZEND_MOD) &&
682		                zval_get_long(&ZEND_OP2_LITERAL(opline)) == 0) {
683						SET_VAR_SOURCE(opline);
684		                opline++;
685						continue;
686		            } else if ((opline->opcode == ZEND_SL || opline->opcode == ZEND_SR) &&
687		                zval_get_long(&ZEND_OP2_LITERAL(opline)) < 0) {
688						SET_VAR_SOURCE(opline);
689		                opline++;
690						continue;
691					} else if (zend_binary_op_produces_numeric_string_error(opline->opcode, &ZEND_OP1_LITERAL(opline), &ZEND_OP2_LITERAL(opline))) {
692						SET_VAR_SOURCE(opline);
693		                opline++;
694						continue;
695					}
696					er = EG(error_reporting);
697					EG(error_reporting) = 0;
698					if (binary_op(&result, &ZEND_OP1_LITERAL(opline), &ZEND_OP2_LITERAL(opline)) == SUCCESS) {
699						literal_dtor(&ZEND_OP1_LITERAL(opline));
700						literal_dtor(&ZEND_OP2_LITERAL(opline));
701						opline->opcode = ZEND_QM_ASSIGN;
702						SET_UNUSED(opline->op2);
703						zend_optimizer_update_op1_const(op_array, opline, &result);
704					}
705					EG(error_reporting) = er;
706				}
707				break;
708
709			case ZEND_BW_NOT:
710				if (opline->op1_type == IS_CONST) {
711					/* evaluate constant unary ops */
712					unary_op_type unary_op;
713					zval result;
714
715optimize_const_unary_op:
716					unary_op = get_unary_op(opline->opcode);
717					if (unary_op) {
718						unary_op(&result, &ZEND_OP1_LITERAL(opline));
719						literal_dtor(&ZEND_OP1_LITERAL(opline));
720					} else {
721						/* BOOL */
722						result = ZEND_OP1_LITERAL(opline);
723						convert_to_boolean(&result);
724						ZVAL_NULL(&ZEND_OP1_LITERAL(opline));
725					}
726					opline->opcode = ZEND_QM_ASSIGN;
727					zend_optimizer_update_op1_const(op_array, opline, &result);
728				}
729				break;
730
731			case ZEND_RETURN:
732			case ZEND_EXIT:
733				if (opline->op1_type & (IS_TMP_VAR|IS_VAR)) {
734					src = VAR_SOURCE(opline->op1);
735					if (src && src->opcode == ZEND_QM_ASSIGN) {
736						/* T = QM_ASSIGN(X), RETURN(T) to NOP, RETURN(X) */
737						VAR_SOURCE(opline->op1) = NULL;
738						COPY_NODE(opline->op1, src->op1);
739						MAKE_NOP(src);
740					}
741				}
742				break;
743
744			case ZEND_QM_ASSIGN:
745				if (opline->op1_type == opline->result_type &&
746				    opline->op1.var == opline->result.var) {
747					/* strip T = QM_ASSIGN(T) */
748					MAKE_NOP(opline);
749				}
750				break;
751		}
752
753		/* get variable source */
754		if (opline->result_type & (IS_VAR|IS_TMP_VAR)) {
755			SET_VAR_SOURCE(opline);
756		}
757		opline++;
758	}
759
760	strip_nops(op_array, block);
761}
762
763/* Rebuild plain (optimized) op_array from CFG */
764static void assemble_code_blocks(zend_cfg *cfg, zend_op_array *op_array)
765{
766	zend_basic_block *blocks = cfg->blocks;
767	zend_basic_block *end = blocks + cfg->blocks_count;
768	zend_basic_block *b;
769	zend_op *new_opcodes;
770	zend_op *opline;
771	uint32_t len = 0;
772	int n;
773
774	for (b = blocks; b < end; b++) {
775		if (b->len == 0) {
776			continue;
777		}
778		if (b->flags & ZEND_BB_REACHABLE) {
779			opline = op_array->opcodes + b->start + b->len - 1;
780			if (opline->opcode == ZEND_JMP) {
781				zend_basic_block *next = b + 1;
782
783				while (next < end && !(next->flags & ZEND_BB_REACHABLE)) {
784					next++;
785				}
786				if (next < end && next == blocks + b->successors[0]) {
787					/* JMP to the next block - strip it */
788					MAKE_NOP(opline);
789					b->len--;
790				}
791			} else if (b->len == 1 && opline->opcode == ZEND_NOP) {
792				/* skip empty block */
793				b->len--;
794			}
795			len += b->len;
796		} else {
797			/* this block will not be used, delete all constants there */
798			zend_op *op = op_array->opcodes + b->start;
799			zend_op *end = op + b->len;
800			for (; op < end; op++) {
801				if (ZEND_OP1_TYPE(op) == IS_CONST) {
802					literal_dtor(&ZEND_OP1_LITERAL(op));
803				}
804				if (ZEND_OP2_TYPE(op) == IS_CONST) {
805					literal_dtor(&ZEND_OP2_LITERAL(op));
806				}
807			}
808		}
809	}
810
811	new_opcodes = emalloc(len * sizeof(zend_op));
812	opline = new_opcodes;
813
814	/* Copy code of reachable blocks into a single buffer */
815	for (b = blocks; b < end; b++) {
816		if (b->flags & ZEND_BB_REACHABLE) {
817			memcpy(opline, op_array->opcodes + b->start, b->len * sizeof(zend_op));
818			b->start = opline - new_opcodes;
819			opline += b->len;
820		}
821	}
822
823	/* adjust jump targets */
824	efree(op_array->opcodes);
825	op_array->opcodes = new_opcodes;
826	op_array->last = len;
827
828	for (b = blocks; b < end; b++) {
829		if (!(b->flags & ZEND_BB_REACHABLE) || b->len == 0) {
830			continue;
831		}
832		opline = op_array->opcodes + b->start + b->len - 1;
833		switch (opline->opcode) {
834			case ZEND_FAST_CALL:
835			case ZEND_JMP:
836				ZEND_SET_OP_JMP_ADDR(opline, opline->op1, new_opcodes + blocks[b->successors[0]].start);
837				break;
838			case ZEND_JMPZNZ:
839				opline->extended_value = ZEND_OPLINE_TO_OFFSET(opline, new_opcodes + blocks[b->successors[1]].start);
840				/* break missing intentionally */
841			case ZEND_JMPZ:
842			case ZEND_JMPNZ:
843			case ZEND_JMPZ_EX:
844			case ZEND_JMPNZ_EX:
845			case ZEND_FE_RESET_R:
846			case ZEND_FE_RESET_RW:
847			case ZEND_JMP_SET:
848			case ZEND_COALESCE:
849			case ZEND_ASSERT_CHECK:
850				ZEND_SET_OP_JMP_ADDR(opline, opline->op2, new_opcodes + blocks[b->successors[0]].start);
851				break;
852			case ZEND_CATCH:
853				if (!opline->result.var) {
854					opline->extended_value = ZEND_OPLINE_TO_OFFSET(opline, new_opcodes + blocks[b->successors[0]].start);
855				}
856				break;
857			case ZEND_DECLARE_ANON_CLASS:
858			case ZEND_DECLARE_ANON_INHERITED_CLASS:
859			case ZEND_FE_FETCH_R:
860			case ZEND_FE_FETCH_RW:
861				opline->extended_value = ZEND_OPLINE_TO_OFFSET(opline, new_opcodes + blocks[b->successors[0]].start);
862				break;
863		}
864	}
865
866	/* adjust exception jump targets & remove unused try_catch_array entries */
867	if (op_array->last_try_catch) {
868		int i, j;
869		uint32_t *map;
870		ALLOCA_FLAG(use_heap);
871
872		map = (uint32_t *)do_alloca(sizeof(uint32_t) * op_array->last_try_catch, use_heap);
873		for (i = 0, j = 0; i< op_array->last_try_catch; i++) {
874			if (blocks[cfg->map[op_array->try_catch_array[i].try_op]].flags & ZEND_BB_REACHABLE) {
875				map[i] = j;
876				op_array->try_catch_array[j].try_op = blocks[cfg->map[op_array->try_catch_array[i].try_op]].start;
877				if (op_array->try_catch_array[i].catch_op) {
878					op_array->try_catch_array[j].catch_op = blocks[cfg->map[op_array->try_catch_array[i].catch_op]].start;
879				} else {
880					op_array->try_catch_array[j].catch_op =  0;
881				}
882				if (op_array->try_catch_array[i].finally_op) {
883					op_array->try_catch_array[j].finally_op = blocks[cfg->map[op_array->try_catch_array[i].finally_op]].start;
884				} else {
885					op_array->try_catch_array[j].finally_op =  0;
886				}
887				if (!op_array->try_catch_array[i].finally_end) {
888					op_array->try_catch_array[j].finally_end = 0;
889				} else {
890					op_array->try_catch_array[j].finally_end = blocks[cfg->map[op_array->try_catch_array[i].finally_end]].start;
891				}
892				j++;
893			}
894		}
895		if (i != j) {
896			op_array->last_try_catch = j;
897			if (op_array->fn_flags & ZEND_ACC_HAS_FINALLY_BLOCK) {
898				zend_op *opline = new_opcodes;
899				zend_op *end = opline + len;
900				while (opline < end) {
901					if (opline->opcode == ZEND_FAST_RET &&
902					    opline->op2.num != (uint32_t)-1 &&
903					    opline->op2.num < (uint32_t)j) {
904						opline->op2.num = map[opline->op2.num];
905					}
906					opline++;
907				}
908			}
909		}
910		free_alloca(map, use_heap);
911	}
912
913	/* adjust loop jump targets & remove unused live range entries */
914	if (op_array->last_live_range) {
915		int i, j;
916		uint32_t *map;
917		ALLOCA_FLAG(use_heap);
918
919		map = (uint32_t *)do_alloca(sizeof(uint32_t) * op_array->last_live_range, use_heap);
920
921		for (i = 0, j = 0; i < op_array->last_live_range; i++) {
922			if (op_array->live_range[i].var == (uint32_t)-1) {
923				/* this live range already removed */
924				continue;
925			}
926			if (!(blocks[cfg->map[op_array->live_range[i].start]].flags & ZEND_BB_REACHABLE)) {
927				ZEND_ASSERT(!(blocks[cfg->map[op_array->live_range[i].end]].flags & ZEND_BB_REACHABLE));
928			} else {
929				uint32_t start_op = blocks[cfg->map[op_array->live_range[i].start]].start;
930				uint32_t end_op = blocks[cfg->map[op_array->live_range[i].end]].start;
931
932				if (start_op == end_op) {
933					/* skip empty live range */
934					continue;
935				}
936				op_array->live_range[i].start = start_op;
937				op_array->live_range[i].end = end_op;
938				map[i] = j;
939				if (i != j) {
940					op_array->live_range[j]  = op_array->live_range[i];
941				}
942				j++;
943			}
944		}
945
946		if (i != j) {
947			if ((op_array->last_live_range = j)) {
948				zend_op *opline = new_opcodes;
949				zend_op *end = opline + len;
950				while (opline != end) {
951					if ((opline->opcode == ZEND_FREE || opline->opcode == ZEND_FE_FREE) &&
952							opline->extended_value == ZEND_FREE_ON_RETURN) {
953						ZEND_ASSERT(opline->op2.num < (uint32_t) i);
954						opline->op2.num = map[opline->op2.num];
955					}
956					opline++;
957				}
958			} else {
959				efree(op_array->live_range);
960				op_array->live_range = NULL;
961			}
962		}
963		free_alloca(map, use_heap);
964	}
965
966	/* adjust early binding list */
967	if (op_array->early_binding != (uint32_t)-1) {
968		uint32_t *opline_num = &op_array->early_binding;
969		zend_op *end;
970
971		opline = op_array->opcodes;
972		end = opline + op_array->last;
973		while (opline < end) {
974			if (opline->opcode == ZEND_DECLARE_INHERITED_CLASS_DELAYED) {
975				*opline_num = opline - op_array->opcodes;
976				opline_num = &ZEND_RESULT(opline).opline_num;
977			}
978			++opline;
979		}
980		*opline_num = -1;
981	}
982
983	/* rebuild map (just for printing) */
984	memset(cfg->map, -1, sizeof(int) * op_array->last);
985	for (n = 0; n < cfg->blocks_count; n++) {
986		if (cfg->blocks[n].flags & ZEND_BB_REACHABLE) {
987			cfg->map[cfg->blocks[n].start] = n;
988		}
989	}
990}
991
992static void zend_jmp_optimization(zend_basic_block *block, zend_op_array *op_array, zend_cfg *cfg, zend_uchar *same_t)
993{
994	/* last_op is the last opcode of the current block */
995	zend_basic_block *blocks = cfg->blocks;
996	zend_op *last_op;
997
998	if (block->len == 0) {
999		return;
1000	}
1001
1002	last_op = op_array->opcodes + block->start + block->len - 1;
1003	switch (last_op->opcode) {
1004		case ZEND_JMP:
1005			{
1006				zend_basic_block *target_block = blocks + block->successors[0];
1007				zend_op *target = op_array->opcodes + target_block->start;
1008				int next = (block - blocks) + 1;
1009
1010				while (next < cfg->blocks_count && !(blocks[next].flags & ZEND_BB_REACHABLE)) {
1011					/* find used one */
1012					next++;
1013				}
1014
1015				/* JMP(next) -> NOP */
1016				if (block->successors[0] == next) {
1017					MAKE_NOP(last_op);
1018					block->len--;
1019					break;
1020				}
1021
1022				if (target->opcode == ZEND_JMP &&
1023					block->successors[0] != target_block->successors[0] &&
1024					!(target_block->flags & ZEND_BB_PROTECTED)) {
1025					/* JMP L, L: JMP L1 -> JMP L1 */
1026					*last_op = *target;
1027					DEL_SOURCE(block, block->successors[0]);
1028					block->successors[0] = target_block->successors[0];
1029					ADD_SOURCE(block, block->successors[0]);
1030				} else if (target->opcode == ZEND_JMPZNZ &&
1031				           !(target_block->flags & ZEND_BB_PROTECTED)) {
1032					/* JMP L, L: JMPZNZ L1,L2 -> JMPZNZ L1,L2 */
1033					*last_op = *target;
1034					if (ZEND_OP1_TYPE(last_op) == IS_CONST) {
1035						zval zv = ZEND_OP1_LITERAL(last_op);
1036						zval_copy_ctor(&zv);
1037						last_op->op1.constant = zend_optimizer_add_literal(op_array, &zv);
1038					}
1039					DEL_SOURCE(block, block->successors[0]);
1040					block->successors[0] = target_block->successors[0];
1041					block->successors[1] = target_block->successors[1];
1042					ADD_SOURCE(block, block->successors[0]);
1043					ADD_SOURCE(block, block->successors[1]);
1044				} else if ((target->opcode == ZEND_RETURN ||
1045				            target->opcode == ZEND_RETURN_BY_REF ||
1046				            target->opcode == ZEND_EXIT) &&
1047				           !(op_array->fn_flags & ZEND_ACC_HAS_FINALLY_BLOCK)) {
1048					/* JMP L, L: RETURN to immediate RETURN */
1049					*last_op = *target;
1050					if (ZEND_OP1_TYPE(last_op) == IS_CONST) {
1051						zval zv = ZEND_OP1_LITERAL(last_op);
1052						zval_copy_ctor(&zv);
1053						last_op->op1.constant = zend_optimizer_add_literal(op_array, &zv);
1054					}
1055					DEL_SOURCE(block, block->successors[0]);
1056					block->successors[0] = -1;
1057#if 0
1058				/* Temporarily disabled - see bug #0025274 */
1059				} else if (0&& block->op1_to != block &&
1060			           block->op1_to != blocks &&
1061						   op_array->last_try_catch == 0 &&
1062				           target->opcode != ZEND_FREE) {
1063				    /* Block Reordering (saves one JMP on each "for" loop iteration)
1064				     * It is disabled for some cases (ZEND_FREE)
1065				     * which may break register allocation.
1066            	     */
1067					zend_bool can_reorder = 0;
1068					zend_block_source *cs = block->op1_to->sources;
1069
1070					/* the "target" block doesn't had any followed block */
1071					while(cs) {
1072						if (cs->from->follow_to == block->op1_to) {
1073							can_reorder = 0;
1074							break;
1075						}
1076						cs = cs->next;
1077					}
1078					if (can_reorder) {
1079						next = block->op1_to;
1080						/* the "target" block is not followed by current "block" */
1081						while (next->follow_to != NULL) {
1082							if (next->follow_to == block) {
1083								can_reorder = 0;
1084								break;
1085							}
1086							next = next->follow_to;
1087						}
1088						if (can_reorder) {
1089							zend_basic_block *prev = blocks;
1090
1091							while (prev->next != block->op1_to) {
1092								prev = prev->next;
1093							}
1094							prev->next = next->next;
1095							next->next = block->next;
1096							block->next = block->op1_to;
1097
1098							block->follow_to = block->op1_to;
1099							block->op1_to = NULL;
1100							MAKE_NOP(last_op);
1101							block->len--;
1102							if(block->len == 0) {
1103								/* this block is nothing but NOP now */
1104								delete_code_block(block, ctx);
1105							}
1106							break;
1107						}
1108					}
1109#endif
1110				}
1111			}
1112			break;
1113
1114		case ZEND_JMPZ:
1115		case ZEND_JMPNZ:
1116			/* constant conditional JMPs */
1117			if (ZEND_OP1_TYPE(last_op) == IS_CONST) {
1118				int should_jmp = zend_is_true(&ZEND_OP1_LITERAL(last_op));
1119
1120				if (last_op->opcode == ZEND_JMPZ) {
1121					should_jmp = !should_jmp;
1122				}
1123				literal_dtor(&ZEND_OP1_LITERAL(last_op));
1124				ZEND_OP1_TYPE(last_op) = IS_UNUSED;
1125				if (should_jmp) {
1126					/* JMPNZ(true) -> JMP */
1127					last_op->opcode = ZEND_JMP;
1128					DEL_SOURCE(block, block->successors[1]);
1129					block->successors[1] = -1;
1130				} else {
1131					/* JMPNZ(false) -> NOP */
1132					MAKE_NOP(last_op);
1133					DEL_SOURCE(block, block->successors[0]);
1134					block->successors[0] = block->successors[1];
1135					block->successors[1] = -1;
1136				}
1137				break;
1138			}
1139
1140			if (block->successors[0] == block->successors[1]) {
1141				/* L: JMP[N]Z(X, L+1) -> NOP or FREE(X) */
1142
1143				if (last_op->op1_type & (IS_VAR|IS_TMP_VAR)) {
1144					last_op->opcode = ZEND_FREE;
1145					last_op->op2.num = 0;
1146				} else {
1147					MAKE_NOP(last_op);
1148				}
1149				block->successors[1] = -1;
1150				break;
1151			}
1152
1153			if (1) {
1154				zend_uchar same_type = ZEND_OP1_TYPE(last_op);
1155				uint32_t same_var = VAR_NUM_EX(last_op->op1);
1156				zend_op *target;
1157				zend_op *target_end;
1158				zend_basic_block *target_block = blocks + block->successors[0];
1159
1160next_target:
1161				target = op_array->opcodes + target_block->start;
1162				target_end = target + target_block->len;
1163				while (target < target_end && target->opcode == ZEND_NOP) {
1164					target++;
1165				}
1166
1167				/* next block is only NOP's */
1168				if (target == target_end) {
1169					target_block = blocks + target_block->successors[0];
1170					goto next_target;
1171				} else if (target->opcode == INV_COND(last_op->opcode) &&
1172					/* JMPZ(X, L), L: JMPNZ(X, L2) -> JMPZ(X, L+1) */
1173				   (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1174				   same_type == ZEND_OP1_TYPE(target) &&
1175				   same_var == VAR_NUM_EX(target->op1) &&
1176				   !(target_block->flags & ZEND_BB_PROTECTED)
1177				   ) {
1178					DEL_SOURCE(block, block->successors[0]);
1179					block->successors[0] = target_block->successors[1];
1180					ADD_SOURCE(block, block->successors[0]);
1181				} else if (target->opcode == INV_COND_EX(last_op->opcode) &&
1182							(ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1183				    		same_type == ZEND_OP1_TYPE(target) &&
1184				    		same_var == VAR_NUM_EX(target->op1) &&
1185							!(target_block->flags & ZEND_BB_PROTECTED)) {
1186					/* JMPZ(X, L), L: T = JMPNZ_EX(X, L2) -> T = JMPZ_EX(X, L+1) */
1187					last_op->opcode += 3;
1188					COPY_NODE(last_op->result, target->result);
1189					DEL_SOURCE(block, block->successors[0]);
1190					block->successors[0] = target_block->successors[1];
1191					ADD_SOURCE(block, block->successors[0]);
1192				} else if (target->opcode == last_op->opcode &&
1193						   (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1194						   same_type == ZEND_OP1_TYPE(target) &&
1195						   same_var == VAR_NUM_EX(target->op1) &&
1196						   !(target_block->flags & ZEND_BB_PROTECTED)) {
1197					/* JMPZ(X, L), L: JMPZ(X, L2) -> JMPZ(X, L2) */
1198					DEL_SOURCE(block, block->successors[0]);
1199					block->successors[0] = target_block->successors[0];
1200					ADD_SOURCE(block, block->successors[0]);
1201				} else if (target->opcode == ZEND_JMP &&
1202				           !(target_block->flags & ZEND_BB_PROTECTED)) {
1203					/* JMPZ(X, L), L: JMP(L2) -> JMPZ(X, L2) */
1204					DEL_SOURCE(block, block->successors[0]);
1205					block->successors[0] = target_block->successors[0];
1206					ADD_SOURCE(block, block->successors[0]);
1207				} else if (target->opcode == ZEND_JMPZNZ &&
1208				           (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1209				           same_type == ZEND_OP1_TYPE(target) &&
1210				           same_var == VAR_NUM_EX(target->op1) &&
1211				           !(target_block->flags & ZEND_BB_PROTECTED)) {
1212					/* JMPZ(X, L), L: JMPZNZ(X, L2, L3) -> JMPZ(X, L2) */
1213					DEL_SOURCE(block, block->successors[0]);
1214					if (last_op->opcode == ZEND_JMPZ) {
1215						block->successors[0] = target_block->successors[0];
1216					} else {
1217						block->successors[0] = target_block->successors[1];
1218					}
1219					ADD_SOURCE(block, block->successors[0]);
1220				}
1221			}
1222
1223			if (last_op->opcode == ZEND_JMPZ || last_op->opcode == ZEND_JMPNZ) {
1224				zend_op *target;
1225				zend_op *target_end;
1226				zend_basic_block *target_block;
1227
1228				while (1) {
1229					target_block = blocks + block->successors[1];
1230					target = op_array->opcodes + target_block->start;
1231					target_end = op_array->opcodes + target_block->start + 1;
1232					while (target < target_end && target->opcode == ZEND_NOP) {
1233						target++;
1234					}
1235
1236					/* next block is only NOP's */
1237					if (target == target_end && !(target_block->flags & ZEND_BB_PROTECTED)) {
1238						DEL_SOURCE(block, block->successors[1]);
1239						block->successors[1] = target_block->successors[0];
1240						ADD_SOURCE(block, block->successors[1]);
1241					} else {
1242						break;
1243					}
1244				}
1245				/* JMPZ(X,L1), JMP(L2) -> JMPZNZ(X,L1,L2) */
1246				if (target->opcode == ZEND_JMP &&
1247					!(target_block->flags & ZEND_BB_PROTECTED)) {
1248					DEL_SOURCE(block, block->successors[1]);
1249					if (last_op->opcode == ZEND_JMPZ) {
1250						block->successors[1] = target_block->successors[0];
1251						ADD_SOURCE(block, block->successors[1]);
1252					} else {
1253						block->successors[1] = block->successors[0];
1254						block->successors[0] = target_block->successors[0];
1255						ADD_SOURCE(block, block->successors[0]);
1256					}
1257					last_op->opcode = ZEND_JMPZNZ;
1258				}
1259			}
1260			break;
1261
1262		case ZEND_JMPNZ_EX:
1263		case ZEND_JMPZ_EX:
1264			/* constant conditional JMPs */
1265			if (ZEND_OP1_TYPE(last_op) == IS_CONST) {
1266				int should_jmp = zend_is_true(&ZEND_OP1_LITERAL(last_op));
1267
1268				if (last_op->opcode == ZEND_JMPZ_EX) {
1269					should_jmp = !should_jmp;
1270				}
1271				if (!should_jmp) {
1272					/* T = JMPZ_EX(true,L)   -> T = QM_ASSIGN(true)
1273					 * T = JMPNZ_EX(false,L) -> T = QM_ASSIGN(false)
1274					 */
1275					last_op->opcode = ZEND_QM_ASSIGN;
1276					SET_UNUSED(last_op->op2);
1277					DEL_SOURCE(block, block->successors[0]);
1278					block->successors[0] = block->successors[1];
1279					block->successors[1] = -1;
1280				}
1281				break;
1282			}
1283
1284			if (1) {
1285				zend_op *target, *target_end;
1286				zend_basic_block *target_block;
1287				int var_num = op_array->last_var + op_array->T;
1288
1289				if (var_num <= 0) {
1290   					return;
1291				}
1292				memset(same_t, 0, var_num);
1293				same_t[VAR_NUM_EX(last_op->op1)] |= ZEND_OP1_TYPE(last_op);
1294				same_t[VAR_NUM_EX(last_op->result)] |= ZEND_RESULT_TYPE(last_op);
1295				target_block = blocks + block->successors[0];
1296next_target_ex:
1297				target = op_array->opcodes + target_block->start;
1298				target_end = target + target_block->len;
1299				while (target < target_end && target->opcode == ZEND_NOP) {
1300					target++;
1301				}
1302 				/* next block is only NOP's */
1303				if (target == target_end) {
1304					target_block = blocks + target_block->successors[0];
1305					goto next_target_ex;
1306				} else if (target->opcode == last_op->opcode-3 &&
1307						   (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1308						   (same_t[VAR_NUM_EX(target->op1)] & ZEND_OP1_TYPE(target)) != 0 &&
1309						   !(target_block->flags & ZEND_BB_PROTECTED)) {
1310					/* T = JMPZ_EX(X, L1), L1: JMPZ({X|T}, L2) -> T = JMPZ_EX(X, L2) */
1311					DEL_SOURCE(block, block->successors[0]);
1312					block->successors[0] = target_block->successors[0];
1313					ADD_SOURCE(block, block->successors[0]);
1314				} else if (target->opcode == INV_EX_COND(last_op->opcode) &&
1315					   	   (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1316						   (same_t[VAR_NUM_EX(target->op1)] & ZEND_OP1_TYPE(target)) != 0 &&
1317						   !(target_block->flags & ZEND_BB_PROTECTED)) {
1318					/* T = JMPZ_EX(X, L1), L1: JMPNZ({X|T1}, L2) -> T = JMPZ_EX(X, L1+1) */
1319					DEL_SOURCE(block, block->successors[0]);
1320					block->successors[0] = target_block->successors[1];
1321					ADD_SOURCE(block, block->successors[0]);
1322				} else if (target->opcode == INV_EX_COND_EX(last_op->opcode) &&
1323					       (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1324						   (same_t[VAR_NUM_EX(target->op1)] & ZEND_OP1_TYPE(target)) != 0 &&
1325						   (same_t[VAR_NUM_EX(target->result)] & ZEND_RESULT_TYPE(target)) != 0 &&
1326						   !(target_block->flags & ZEND_BB_PROTECTED)) {
1327					/* T = JMPZ_EX(X, L1), L1: T = JMPNZ_EX(T, L2) -> T = JMPZ_EX(X, L1+1) */
1328					DEL_SOURCE(block, block->successors[0]);
1329					block->successors[0] = target_block->successors[1];
1330					ADD_SOURCE(block, block->successors[0]);
1331				} else if (target->opcode == last_op->opcode &&
1332						   (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1333						   (same_t[VAR_NUM_EX(target->op1)] & ZEND_OP1_TYPE(target)) != 0 &&
1334						   (same_t[VAR_NUM_EX(target->result)] & ZEND_RESULT_TYPE(target)) != 0 &&
1335						   !(target_block->flags & ZEND_BB_PROTECTED)) {
1336					/* T = JMPZ_EX(X, L1), L1: T = JMPZ({X|T}, L2) -> T = JMPZ_EX(X, L2) */
1337					DEL_SOURCE(block, block->successors[0]);
1338					block->successors[0] = target_block->successors[0];
1339					ADD_SOURCE(block, block->successors[0]);
1340				} else if (target->opcode == ZEND_JMP &&
1341						   !(target_block->flags & ZEND_BB_PROTECTED)) {
1342					/* T = JMPZ_EX(X, L), L: JMP(L2) -> T = JMPZ(X, L2) */
1343					DEL_SOURCE(block, block->successors[0]);
1344					block->successors[0] = target_block->successors[0];
1345					ADD_SOURCE(block, block->successors[0]);
1346				} else if (target->opcode == ZEND_JMPZNZ &&
1347						   (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1348						   (same_t[VAR_NUM_EX(target->op1)] & ZEND_OP1_TYPE(target)) != 0 &&
1349						   !(target_block->flags & ZEND_BB_PROTECTED)) {
1350					/* T = JMPZ_EX(X, L), L: JMPZNZ({X|T}, L2, L3) -> T = JMPZ_EX(X, L2) */
1351					DEL_SOURCE(block, block->successors[0]);
1352					if (last_op->opcode == ZEND_JMPZ_EX) {
1353						block->successors[0] = target_block->successors[0];
1354					} else {
1355						block->successors[0] = target_block->successors[1];
1356					}
1357					ADD_SOURCE(block, block->successors[0]);
1358				}
1359			}
1360			break;
1361
1362		case ZEND_JMPZNZ: {
1363			int next = (block - blocks) + 1;
1364
1365			while (next < cfg->blocks_count && !(blocks[next].flags & ZEND_BB_REACHABLE)) {
1366				/* find first accessed one */
1367				next++;
1368			}
1369
1370			if (ZEND_OP1_TYPE(last_op) == IS_CONST) {
1371				if (!zend_is_true(&ZEND_OP1_LITERAL(last_op))) {
1372					/* JMPZNZ(false,L1,L2) -> JMP(L1) */
1373					literal_dtor(&ZEND_OP1_LITERAL(last_op));
1374					last_op->opcode = ZEND_JMP;
1375					SET_UNUSED(last_op->op1);
1376					SET_UNUSED(last_op->op2);
1377					DEL_SOURCE(block, block->successors[1]);
1378					block->successors[1] = -1;
1379				} else {
1380					/* JMPZNZ(true,L1,L2) -> JMP(L2) */
1381					literal_dtor(&ZEND_OP1_LITERAL(last_op));
1382					last_op->opcode = ZEND_JMP;
1383					SET_UNUSED(last_op->op1);
1384					SET_UNUSED(last_op->op2);
1385					DEL_SOURCE(block, block->successors[0]);
1386					block->successors[0] = block->successors[1];
1387					block->successors[1] = -1;
1388				}
1389			} else if (block->successors[0] == block->successors[1]) {
1390				/* both goto the same one - it's JMP */
1391				if (!(last_op->op1_type & (IS_VAR|IS_TMP_VAR))) {
1392					/* JMPZNZ(?,L,L) -> JMP(L) */
1393					last_op->opcode = ZEND_JMP;
1394					SET_UNUSED(last_op->op1);
1395					SET_UNUSED(last_op->op2);
1396					block->successors[1] = -1;
1397				}
1398			} else if (block->successors[0] == next) {
1399				/* jumping to next on Z - can follow to it and jump only on NZ */
1400				/* JMPZNZ(X,L1,L2) L1: -> JMPNZ(X,L2) */
1401				last_op->opcode = ZEND_JMPNZ;
1402				block->successors[0] = block->successors[1];
1403				block->successors[1] = next;
1404				/* no need to add source */
1405			} else if (block->successors[1] == next) {
1406				/* jumping to next on NZ - can follow to it and jump only on Z */
1407				/* JMPZNZ(X,L1,L2) L2: -> JMPZ(X,L1) */
1408				last_op->opcode = ZEND_JMPZ;
1409				/* no need to add source */
1410			}
1411
1412			if (last_op->opcode == ZEND_JMPZNZ) {
1413				zend_uchar same_type = ZEND_OP1_TYPE(last_op);
1414				zend_uchar same_var = VAR_NUM_EX(last_op->op1);
1415				zend_op *target;
1416				zend_op *target_end;
1417				zend_basic_block *target_block = blocks + block->successors[0];
1418
1419next_target_znz:
1420				target = op_array->opcodes + target_block->start;
1421				target_end = target + target_block->len;
1422				while (target < target_end && target->opcode == ZEND_NOP) {
1423					target++;
1424				}
1425				/* next block is only NOP's */
1426				if (target == target_end) {
1427					target_block = blocks + target_block->successors[0];
1428					goto next_target_znz;
1429				} else if ((target->opcode == ZEND_JMPZ || target->opcode == ZEND_JMPZNZ) &&
1430						   (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1431						   same_type == ZEND_OP1_TYPE(target) &&
1432						   same_var == VAR_NUM_EX(target->op1) &&
1433						   !(target_block->flags & ZEND_BB_PROTECTED)) {
1434				    /* JMPZNZ(X, L1, L2), L1: JMPZ(X, L3) -> JMPZNZ(X, L3, L2) */
1435					DEL_SOURCE(block, block->successors[0]);
1436					block->successors[0] = target_block->successors[0];
1437					ADD_SOURCE(block, block->successors[0]);
1438				} else if (target->opcode == ZEND_JMPNZ &&
1439						   (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1440						   same_type == ZEND_OP1_TYPE(target) &&
1441						   same_var == VAR_NUM_EX(target->op1) &&
1442						   !(target_block->flags & ZEND_BB_PROTECTED)) {
1443                    /* JMPZNZ(X, L1, L2), L1: X = JMPNZ(X, L3) -> JMPZNZ(X, L1+1, L2) */
1444					DEL_SOURCE(block, block->successors[0]);
1445					block->successors[0] = target_block->successors[1];
1446					ADD_SOURCE(block, block->successors[0]);
1447				} else if (target->opcode == ZEND_JMP &&
1448					       !(target_block->flags & ZEND_BB_PROTECTED)) {
1449                    /* JMPZNZ(X, L1, L2), L1: JMP(L3) -> JMPZNZ(X, L3, L2) */
1450					DEL_SOURCE(block, block->successors[0]);
1451					block->successors[0] = target_block->successors[0];
1452					ADD_SOURCE(block, block->successors[0]);
1453				}
1454			}
1455			break;
1456		}
1457	}
1458}
1459
1460/* Global data dependencies */
1461
1462/* Find a set of variables which are used outside of the block where they are
1463 * defined. We won't apply some optimization patterns for such variables. */
1464static void zend_t_usage(zend_cfg *cfg, zend_op_array *op_array, zend_bitset used_ext, zend_optimizer_ctx *ctx)
1465{
1466	int n;
1467	zend_basic_block *block, *next_block;
1468	uint32_t var_num;
1469	uint32_t bitset_len;
1470	zend_bitset usage;
1471	zend_bitset defined_here;
1472	void *checkpoint;
1473	zend_op *opline, *end;
1474
1475
1476	if (op_array->T == 0) {
1477		/* shortcut - if no Ts, nothing to do */
1478		return;
1479	}
1480
1481	checkpoint = zend_arena_checkpoint(ctx->arena);
1482	bitset_len = zend_bitset_len(op_array->last_var + op_array->T);
1483	defined_here = zend_arena_alloc(&ctx->arena, bitset_len * ZEND_BITSET_ELM_SIZE);
1484
1485	zend_bitset_clear(defined_here, bitset_len);
1486	for (n = 1; n < cfg->blocks_count; n++) {
1487		block = cfg->blocks + n;
1488
1489		if (!(block->flags & ZEND_BB_REACHABLE)) {
1490			continue;
1491		}
1492
1493		opline = op_array->opcodes + block->start;
1494		end = opline + block->len;
1495		if (!(block->flags & ZEND_BB_FOLLOW) ||
1496		    (block->flags & ZEND_BB_TARGET)) {
1497			/* Skip continuation of "extended" BB */
1498			zend_bitset_clear(defined_here, bitset_len);
1499		}
1500
1501		while (opline<end) {
1502			if (opline->op1_type & (IS_VAR|IS_TMP_VAR)) {
1503				var_num = VAR_NUM(opline->op1.var);
1504				if (!zend_bitset_in(defined_here, var_num)) {
1505					zend_bitset_incl(used_ext, var_num);
1506				}
1507			}
1508			if (opline->op2_type == IS_VAR) {
1509				var_num = VAR_NUM(opline->op2.var);
1510				if (opline->opcode == ZEND_FE_FETCH_R ||
1511				    opline->opcode == ZEND_FE_FETCH_RW) {
1512					/* these opcode use the op2 as result */
1513					zend_bitset_incl(defined_here, var_num);
1514				} else if (!zend_bitset_in(defined_here, var_num)) {
1515					zend_bitset_incl(used_ext, var_num);
1516				}
1517			} else if (opline->op2_type == IS_TMP_VAR) {
1518				var_num = VAR_NUM(opline->op2.var);
1519				if (!zend_bitset_in(defined_here, var_num)) {
1520					zend_bitset_incl(used_ext, var_num);
1521				}
1522			}
1523
1524			if (opline->result_type == IS_VAR) {
1525				var_num = VAR_NUM(opline->result.var);
1526				zend_bitset_incl(defined_here, var_num);
1527			} else if (opline->result_type == IS_TMP_VAR) {
1528				var_num = VAR_NUM(opline->result.var);
1529				switch (opline->opcode) {
1530					case ZEND_ADD_ARRAY_ELEMENT:
1531					case ZEND_ROPE_ADD:
1532						/* these opcodes use the result as argument */
1533						if (!zend_bitset_in(defined_here, var_num)) {
1534							zend_bitset_incl(used_ext, var_num);
1535						}
1536						break;
1537					default :
1538						zend_bitset_incl(defined_here, var_num);
1539				}
1540			}
1541			opline++;
1542		}
1543	}
1544
1545	if (ctx->debug_level & ZEND_DUMP_BLOCK_PASS_VARS) {
1546		int printed = 0;
1547		uint32_t i;
1548
1549		for (i = op_array->last_var; i< op_array->T; i++) {
1550			if (zend_bitset_in(used_ext, i)) {
1551				if (!printed) {
1552					fprintf(stderr, "NON-LOCAL-VARS: %d", i);
1553					printed = 1;
1554				} else {
1555					fprintf(stderr, ", %d", i);
1556				}
1557			}
1558		}
1559		if (printed) {
1560			fprintf(stderr, "\n");
1561		}
1562	}
1563
1564	usage = defined_here;
1565	next_block = NULL;
1566	for (n = cfg->blocks_count; n > 0;) {
1567		block = cfg->blocks + (--n);
1568
1569		if (!(block->flags & ZEND_BB_REACHABLE) || block->len == 0) {
1570			continue;
1571		}
1572
1573		end = op_array->opcodes + block->start;
1574		opline = end + block->len - 1;
1575		if (!next_block ||
1576		    !(next_block->flags & ZEND_BB_FOLLOW) ||
1577		    (next_block->flags & ZEND_BB_TARGET)) {
1578			/* Skip continuation of "extended" BB */
1579			zend_bitset_copy(usage, used_ext, bitset_len);
1580		} else if (block->successors[1] != -1) {
1581			zend_bitset_union(usage, used_ext, bitset_len);
1582		}
1583		next_block = block;
1584
1585		while (opline >= end) {
1586			/* usage checks */
1587			if (opline->result_type == IS_VAR) {
1588				if (!zend_bitset_in(usage, VAR_NUM(opline->result.var))) {
1589					switch (opline->opcode) {
1590						case ZEND_ASSIGN_ADD:
1591						case ZEND_ASSIGN_SUB:
1592						case ZEND_ASSIGN_MUL:
1593						case ZEND_ASSIGN_DIV:
1594						case ZEND_ASSIGN_POW:
1595						case ZEND_ASSIGN_MOD:
1596						case ZEND_ASSIGN_SL:
1597						case ZEND_ASSIGN_SR:
1598						case ZEND_ASSIGN_CONCAT:
1599						case ZEND_ASSIGN_BW_OR:
1600						case ZEND_ASSIGN_BW_AND:
1601						case ZEND_ASSIGN_BW_XOR:
1602						case ZEND_PRE_INC:
1603						case ZEND_PRE_DEC:
1604						case ZEND_ASSIGN:
1605						case ZEND_ASSIGN_REF:
1606						case ZEND_DO_FCALL:
1607						case ZEND_DO_ICALL:
1608						case ZEND_DO_UCALL:
1609						case ZEND_DO_FCALL_BY_NAME:
1610							opline->result_type = IS_UNUSED;
1611							break;
1612					}
1613				} else {
1614					zend_bitset_excl(usage, VAR_NUM(opline->result.var));
1615				}
1616			} else if (opline->result_type == IS_TMP_VAR) {
1617				if (!zend_bitset_in(usage, VAR_NUM(opline->result.var))) {
1618					switch (opline->opcode) {
1619						case ZEND_POST_INC:
1620						case ZEND_POST_DEC:
1621							opline->opcode -= 2;
1622							opline->result_type = IS_UNUSED;
1623							break;
1624						case ZEND_QM_ASSIGN:
1625						case ZEND_BOOL:
1626						case ZEND_BOOL_NOT:
1627							if (ZEND_OP1_TYPE(opline) == IS_CONST) {
1628								literal_dtor(&ZEND_OP1_LITERAL(opline));
1629							} else if (ZEND_OP1_TYPE(opline) == IS_TMP_VAR) {
1630								opline->opcode = ZEND_FREE;
1631							} else {
1632								MAKE_NOP(opline);
1633							}
1634							break;
1635						case ZEND_JMPZ_EX:
1636						case ZEND_JMPNZ_EX:
1637							opline->opcode -= 3;
1638							SET_UNUSED(opline->result);
1639							break;
1640						case ZEND_ADD_ARRAY_ELEMENT:
1641						case ZEND_ROPE_ADD:
1642							zend_bitset_incl(usage, VAR_NUM(opline->result.var));
1643							break;
1644					}
1645				} else {
1646					switch (opline->opcode) {
1647						case ZEND_ADD_ARRAY_ELEMENT:
1648						case ZEND_ROPE_ADD:
1649							break;
1650						default:
1651							zend_bitset_excl(usage, VAR_NUM(opline->result.var));
1652							break;
1653					}
1654				}
1655			}
1656
1657			if (opline->op2_type == IS_VAR) {
1658				switch (opline->opcode) {
1659					case ZEND_FE_FETCH_R:
1660					case ZEND_FE_FETCH_RW:
1661						zend_bitset_excl(usage, VAR_NUM(opline->op2.var));
1662						break;
1663					default:
1664						zend_bitset_incl(usage, VAR_NUM(opline->op2.var));
1665						break;
1666				}
1667			} else if (opline->op2_type == IS_TMP_VAR) {
1668				zend_bitset_incl(usage, VAR_NUM(opline->op2.var));
1669			}
1670
1671			if (opline->op1_type & (IS_VAR|IS_TMP_VAR)) {
1672				zend_bitset_incl(usage, VAR_NUM(opline->op1.var));
1673			}
1674
1675			opline--;
1676		}
1677	}
1678
1679	zend_arena_release(&ctx->arena, checkpoint);
1680}
1681
1682static void zend_merge_blocks(zend_op_array *op_array, zend_cfg *cfg)
1683{
1684	int i;
1685	zend_basic_block *b, *bb;
1686	zend_basic_block *prev = NULL;
1687
1688	for (i = 0; i < cfg->blocks_count; i++) {
1689		b = cfg->blocks + i;
1690		if (b->flags & ZEND_BB_REACHABLE) {
1691			if ((b->flags & ZEND_BB_FOLLOW) &&
1692			    !(b->flags & (ZEND_BB_TARGET | ZEND_BB_PROTECTED)) &&
1693			    prev &&
1694			    prev->successors[0] == i && prev->successors[1] == -1)
1695			{
1696				zend_op *last_op = op_array->opcodes + prev->start + prev->len - 1;
1697				if (prev->len != 0 && last_op->opcode == ZEND_JMP) {
1698					MAKE_NOP(last_op);
1699				}
1700
1701				for (bb = prev + 1; bb != b; bb++) {
1702					zend_op *op = op_array->opcodes + bb->start;
1703					zend_op *end = op + bb->len;
1704					while (op < end) {
1705						if (ZEND_OP1_TYPE(op) == IS_CONST) {
1706							literal_dtor(&ZEND_OP1_LITERAL(op));
1707						}
1708						if (ZEND_OP2_TYPE(op) == IS_CONST) {
1709							literal_dtor(&ZEND_OP2_LITERAL(op));
1710						}
1711						MAKE_NOP(op);
1712						op++;
1713					}
1714					/* make block empty */
1715					bb->len = 0;
1716				}
1717
1718				/* re-link */
1719				prev->flags |= (b->flags & ZEND_BB_EXIT);
1720				prev->len = b->start + b->len - prev->start;
1721				prev->successors[0] = b->successors[0];
1722				prev->successors[1] = b->successors[1];
1723
1724				/* unlink & make block empty and unreachable */
1725				b->flags = 0;
1726				b->len = 0;
1727				b->successors[0] = -1;
1728				b->successors[1] = -1;
1729			} else {
1730				prev = b;
1731			}
1732		}
1733	}
1734}
1735
1736#define PASSES 3
1737
1738void zend_optimize_cfg(zend_op_array *op_array, zend_optimizer_ctx *ctx)
1739{
1740	zend_cfg cfg;
1741	zend_basic_block *blocks, *end, *b;
1742	int pass;
1743	uint32_t bitset_len;
1744	zend_bitset usage;
1745	void *checkpoint;
1746	zend_op **Tsource;
1747	zend_uchar *same_t;
1748
1749    /* Build CFG */
1750	checkpoint = zend_arena_checkpoint(ctx->arena);
1751	if (zend_build_cfg(&ctx->arena, op_array, ZEND_CFG_SPLIT_AT_LIVE_RANGES, &cfg, NULL) != SUCCESS) {
1752		zend_arena_release(&ctx->arena, checkpoint);
1753		return;
1754	}
1755
1756	if (ctx->debug_level & ZEND_DUMP_BEFORE_BLOCK_PASS) {
1757		zend_dump_op_array(op_array, ZEND_DUMP_CFG, "before block pass", &cfg);
1758	}
1759
1760	if (op_array->last_var || op_array->T) {
1761		bitset_len = zend_bitset_len(op_array->last_var + op_array->T);
1762		Tsource = zend_arena_calloc(&ctx->arena, op_array->last_var + op_array->T, sizeof(zend_op *));
1763		same_t = zend_arena_alloc(&ctx->arena, op_array->last_var + op_array->T);
1764		usage = zend_arena_alloc(&ctx->arena, bitset_len * ZEND_BITSET_ELM_SIZE);
1765	} else {
1766		bitset_len = 0;
1767		Tsource = NULL;
1768		same_t = NULL;
1769		usage = NULL;
1770	}
1771	blocks = cfg.blocks;
1772	end = blocks + cfg.blocks_count;
1773	for (pass = 0; pass < PASSES; pass++) {
1774		/* Compute data dependencies */
1775		zend_bitset_clear(usage, bitset_len);
1776		zend_t_usage(&cfg, op_array, usage, ctx);
1777
1778		/* optimize each basic block separately */
1779		for (b = blocks; b < end; b++) {
1780			if (!(b->flags & ZEND_BB_REACHABLE)) {
1781				continue;
1782			}
1783			/* we track data dependencies only insight a single basic block */
1784			if (!(b->flags & ZEND_BB_FOLLOW) ||
1785			    (b->flags & ZEND_BB_TARGET)) {
1786				/* Skip continuation of "extended" BB */
1787				memset(Tsource, 0, (op_array->last_var + op_array->T) * sizeof(zend_op *));
1788			}
1789			zend_optimize_block(b, op_array, usage, &cfg, Tsource);
1790		}
1791
1792		/* Jump optimization for each block */
1793		for (b = blocks; b < end; b++) {
1794			if (b->flags & ZEND_BB_REACHABLE) {
1795				zend_jmp_optimization(b, op_array, &cfg, same_t);
1796			}
1797		}
1798
1799		/* Eliminate unreachable basic blocks */
1800		zend_cfg_remark_reachable_blocks(op_array, &cfg);
1801
1802		/* Merge Blocks */
1803		zend_merge_blocks(op_array, &cfg);
1804	}
1805
1806	zend_bitset_clear(usage, bitset_len);
1807	zend_t_usage(&cfg, op_array, usage, ctx);
1808	assemble_code_blocks(&cfg, op_array);
1809
1810	if (ctx->debug_level & ZEND_DUMP_AFTER_BLOCK_PASS) {
1811		zend_dump_op_array(op_array, ZEND_DUMP_CFG | ZEND_DUMP_HIDE_UNREACHABLE, "after block pass", &cfg);
1812	}
1813
1814	/* Destroy CFG */
1815	zend_arena_release(&ctx->arena, checkpoint);
1816}
1817