1/*
2   +----------------------------------------------------------------------+
3   | Zend OPcache                                                         |
4   +----------------------------------------------------------------------+
5   | Copyright (c) 1998-2015 The PHP Group                                |
6   +----------------------------------------------------------------------+
7   | This source file is subject to version 3.01 of the PHP license,      |
8   | that is bundled with this package in the file LICENSE, and is        |
9   | available through the world-wide-web at the following url:           |
10   | http://www.php.net/license/3_01.txt                                  |
11   | If you did not receive a copy of the PHP license and are unable to   |
12   | obtain it through the world-wide-web, please send a note to          |
13   | license@php.net so we can mail you a copy immediately.               |
14   +----------------------------------------------------------------------+
15   | Authors: Andi Gutmans <andi@zend.com>                                |
16   |          Zeev Suraski <zeev@zend.com>                                |
17   |          Stanislav Malyshev <stas@zend.com>                          |
18   |          Dmitry Stogov <dmitry@zend.com>                             |
19   +----------------------------------------------------------------------+
20*/
21
22#include "php.h"
23#include "Optimizer/zend_optimizer.h"
24#include "Optimizer/zend_optimizer_internal.h"
25#include "zend_API.h"
26#include "zend_constants.h"
27#include "zend_execute.h"
28#include "zend_vm.h"
29
30#define DEBUG_BLOCKPASS 0
31
32/* Checks if a constant (like "true") may be replaced by its value */
33int zend_optimizer_get_persistent_constant(zend_string *name, zval *result, int copy)
34{
35    zend_constant *c;
36    char *lookup_name;
37    int retval = 1;
38    ALLOCA_FLAG(use_heap);
39
40    if ((c = zend_hash_find_ptr(EG(zend_constants), name)) == NULL) {
41        lookup_name = DO_ALLOCA(ZSTR_LEN(name) + 1);
42        memcpy(lookup_name, ZSTR_VAL(name), ZSTR_LEN(name) + 1);
43        zend_str_tolower(lookup_name, ZSTR_LEN(name));
44
45        if ((c = zend_hash_str_find_ptr(EG(zend_constants), lookup_name, ZSTR_LEN(name))) != NULL) {
46            if (!(c->flags & CONST_CT_SUBST) || (c->flags & CONST_CS)) {
47                retval = 0;
48            }
49        } else {
50            retval = 0;
51        }
52        FREE_ALLOCA(lookup_name);
53    }
54
55    if (retval) {
56        if (c->flags & CONST_PERSISTENT) {
57            ZVAL_COPY_VALUE(result, &c->value);
58            if (copy) {
59                zval_copy_ctor(result);
60            }
61        } else {
62            retval = 0;
63        }
64    }
65
66    return retval;
67}
68
69#if DEBUG_BLOCKPASS
70# define BLOCK_REF(b) b?op_array->opcodes-b->start_opline:-1
71
72static inline void print_block(zend_code_block *block, zend_op *opcodes, char *txt)
73{
74    fprintf(stderr, "%sBlock: %d-%d (%d)", txt, block->start_opline - opcodes, block->start_opline - opcodes + block->len - 1, block->len);
75    if (!block->access) {
76        fprintf(stderr, " unused");
77    }
78    if (block->op1_to) {
79        fprintf(stderr, " 1: %d", block->op1_to->start_opline - opcodes);
80    }
81    if (block->op2_to) {
82        fprintf(stderr, " 2: %d", block->op2_to->start_opline - opcodes);
83    }
84    if (block->ext_to) {
85        fprintf(stderr, " e: %d", block->ext_to->start_opline - opcodes);
86    }
87    if (block->follow_to) {
88        fprintf(stderr, " f: %d", block->follow_to->start_opline - opcodes);
89    }
90
91    if (block->sources) {
92        zend_block_source *bs = block->sources;
93        fprintf(stderr, " s:");
94        while (bs) {
95            fprintf(stderr, " %d", bs->from->start_opline - opcodes);
96            bs = bs->next;
97        }
98    }
99
100    fprintf(stderr, "\n");
101    fflush(stderr);
102}
103#else
104#define print_block(a,b,c)
105#endif
106
107#define START_BLOCK_OP(opno) blocks[opno].start_opline = &op_array->opcodes[opno]; blocks[opno].start_opline_no = opno; blocks[opno].access = 1
108
109/* find code blocks in op_array
110   code block is a set of opcodes with single flow of control, i.e. without jmps,
111   branches, etc. */
112static int find_code_blocks(zend_op_array *op_array, zend_cfg *cfg, zend_optimizer_ctx *ctx)
113{
114    zend_op *opline;
115    zend_op *end = op_array->opcodes + op_array->last;
116    zend_code_block *blocks, *cur_block;
117    uint32_t opno = 0;
118
119    memset(cfg, 0, sizeof(zend_cfg));
120    blocks = cfg->blocks = zend_arena_calloc(&ctx->arena, op_array->last + 2, sizeof(zend_code_block));
121    opline = op_array->opcodes;
122    blocks[0].start_opline = opline;
123    blocks[0].start_opline_no = 0;
124    while (opline < end) {
125        switch((unsigned)opline->opcode) {
126            case ZEND_GOTO:
127                /* would not optimize GOTOs - we cannot really know where it jumps,
128                 * so these optimizations are too dangerous */
129                return 0;
130            case ZEND_FAST_CALL:
131                START_BLOCK_OP(ZEND_OP1(opline).opline_num);
132                if (opline->extended_value) {
133                    START_BLOCK_OP(ZEND_OP2(opline).opline_num);
134                }
135                START_BLOCK_OP(opno + 1);
136                break;
137            case ZEND_FAST_RET:
138                if (opline->extended_value) {
139                    START_BLOCK_OP(ZEND_OP2(opline).opline_num);
140                }
141                START_BLOCK_OP(opno + 1);
142                break;
143            case ZEND_JMP:
144            case ZEND_DECLARE_ANON_CLASS:
145            case ZEND_DECLARE_ANON_INHERITED_CLASS:
146                START_BLOCK_OP(ZEND_OP1(opline).opline_num);
147                /* break missing intentionally */
148            case ZEND_RETURN:
149            case ZEND_RETURN_BY_REF:
150            case ZEND_GENERATOR_RETURN:
151            case ZEND_EXIT:
152            case ZEND_THROW:
153                /* start new block from this+1 */
154                START_BLOCK_OP(opno + 1);
155                break;
156                /* TODO: if conditional jmp depends on constant,
157                         don't start block that won't be executed */
158            case ZEND_CATCH:
159                START_BLOCK_OP(opline->extended_value);
160                START_BLOCK_OP(opno + 1);
161                break;
162            case ZEND_JMPZNZ:
163                START_BLOCK_OP(opline->extended_value);
164            case ZEND_JMPZ:
165            case ZEND_JMPNZ:
166            case ZEND_JMPZ_EX:
167            case ZEND_JMPNZ_EX:
168            case ZEND_FE_RESET_R:
169            case ZEND_FE_RESET_RW:
170            case ZEND_NEW:
171            case ZEND_JMP_SET:
172            case ZEND_COALESCE:
173            case ZEND_ASSERT_CHECK:
174                START_BLOCK_OP(ZEND_OP2(opline).opline_num);
175                START_BLOCK_OP(opno + 1);
176                break;
177            case ZEND_FE_FETCH_R:
178            case ZEND_FE_FETCH_RW:
179                START_BLOCK_OP(opline->extended_value);
180                START_BLOCK_OP(opno + 1);
181                break;
182        }
183        opno++;
184        opline++;
185    }
186
187    /* first find block start points */
188    if (op_array->last_try_catch) {
189        int i;
190        cfg->try = zend_arena_calloc(&ctx->arena, op_array->last_try_catch, sizeof(zend_code_block *));
191        cfg->catch = zend_arena_calloc(&ctx->arena, op_array->last_try_catch, sizeof(zend_code_block *));
192        for (i = 0; i< op_array->last_try_catch; i++) {
193            cfg->try[i] = &blocks[op_array->try_catch_array[i].try_op];
194            cfg->catch[i] = &blocks[op_array->try_catch_array[i].catch_op];
195            START_BLOCK_OP(op_array->try_catch_array[i].try_op);
196            START_BLOCK_OP(op_array->try_catch_array[i].catch_op);
197            blocks[op_array->try_catch_array[i].try_op].protected = 1;
198        }
199    }
200    /* Currently, we don't optimize op_arrays with BRK/CONT/GOTO opcodes,
201     * but, we have to keep brk_cont_array to avoid memory leaks during
202     * exception handling */
203    if (op_array->last_brk_cont) {
204        int i, j;
205
206        j = 0;
207        for (i = 0; i< op_array->last_brk_cont; i++) {
208            if (op_array->brk_cont_array[i].start >= 0 &&
209                (op_array->opcodes[op_array->brk_cont_array[i].brk].opcode == ZEND_FREE ||
210                 op_array->opcodes[op_array->brk_cont_array[i].brk].opcode == ZEND_FE_FREE ||
211                 op_array->opcodes[op_array->brk_cont_array[i].brk].opcode == ZEND_ROPE_END ||
212                 op_array->opcodes[op_array->brk_cont_array[i].brk].opcode == ZEND_END_SILENCE)) {
213                int parent = op_array->brk_cont_array[i].parent;
214
215                while (parent >= 0 &&
216                       op_array->brk_cont_array[parent].start < 0 &&
217                       (op_array->opcodes[op_array->brk_cont_array[parent].brk].opcode != ZEND_FREE ||
218                        op_array->opcodes[op_array->brk_cont_array[parent].brk].opcode != ZEND_FE_FREE ||
219                         op_array->opcodes[op_array->brk_cont_array[i].brk].opcode != ZEND_ROPE_END ||
220                        op_array->opcodes[op_array->brk_cont_array[parent].brk].opcode != ZEND_END_SILENCE)) {
221                    parent = op_array->brk_cont_array[parent].parent;
222                }
223                op_array->brk_cont_array[i].parent = parent;
224                j++;
225            }
226        }
227        if (j) {
228            cfg->loop_start = zend_arena_calloc(&ctx->arena, op_array->last_brk_cont, sizeof(zend_code_block *));
229            cfg->loop_cont  = zend_arena_calloc(&ctx->arena, op_array->last_brk_cont, sizeof(zend_code_block *));
230            cfg->loop_brk   = zend_arena_calloc(&ctx->arena, op_array->last_brk_cont, sizeof(zend_code_block *));
231            j = 0;
232            for (i = 0; i< op_array->last_brk_cont; i++) {
233                if (op_array->brk_cont_array[i].start >= 0 &&
234                    (op_array->opcodes[op_array->brk_cont_array[i].brk].opcode == ZEND_FREE ||
235                     op_array->opcodes[op_array->brk_cont_array[i].brk].opcode == ZEND_FE_FREE ||
236                     op_array->opcodes[op_array->brk_cont_array[i].brk].opcode == ZEND_ROPE_END ||
237                     op_array->opcodes[op_array->brk_cont_array[i].brk].opcode == ZEND_END_SILENCE)) {
238                    if (i != j) {
239                        op_array->brk_cont_array[j] = op_array->brk_cont_array[i];
240                    }
241                    cfg->loop_start[j] = &blocks[op_array->brk_cont_array[j].start];
242                    cfg->loop_cont[j]  = &blocks[op_array->brk_cont_array[j].cont];
243                    cfg->loop_brk[j]   = &blocks[op_array->brk_cont_array[j].brk];
244                    START_BLOCK_OP(op_array->brk_cont_array[j].start);
245                    START_BLOCK_OP(op_array->brk_cont_array[j].cont);
246                    START_BLOCK_OP(op_array->brk_cont_array[j].brk);
247                    blocks[op_array->brk_cont_array[j].start].protected = 1;
248                    blocks[op_array->brk_cont_array[j].brk].protected = 1;
249                    j++;
250                }
251            }
252            op_array->last_brk_cont = j;
253        } else {
254            efree(op_array->brk_cont_array);
255            op_array->brk_cont_array = NULL;
256            op_array->last_brk_cont = 0;
257        }
258    }
259
260    /* Build CFG (Control Flow Graph) */
261    cur_block = blocks;
262    for (opno = 1; opno < op_array->last; opno++) {
263        if (blocks[opno].start_opline) {
264            /* found new block start */
265            cur_block->len = blocks[opno].start_opline - cur_block->start_opline;
266            cur_block->next = &blocks[opno];
267            /* what is the last OP of previous block? */
268            opline = blocks[opno].start_opline - 1;
269            if (opline->opcode == ZEND_OP_DATA) {
270                opline--;
271            }
272            switch((unsigned)opline->opcode) {
273                case ZEND_RETURN:
274                case ZEND_RETURN_BY_REF:
275                case ZEND_GENERATOR_RETURN:
276                case ZEND_EXIT:
277                case ZEND_THROW:
278                    break;
279                case ZEND_FAST_CALL:
280                    if (opline->extended_value) {
281                        cur_block->op2_to = &blocks[ZEND_OP2(opline).opline_num];
282                    }
283                    cur_block->op1_to = &blocks[ZEND_OP1(opline).opline_num];
284                    break;
285                case ZEND_FAST_RET:
286                    if (opline->extended_value) {
287                        cur_block->op2_to = &blocks[ZEND_OP2(opline).opline_num];
288                    }
289                    break;
290                case ZEND_JMP:
291                    cur_block->op1_to = &blocks[ZEND_OP1(opline).opline_num];
292                    break;
293                case ZEND_DECLARE_ANON_CLASS:
294                case ZEND_DECLARE_ANON_INHERITED_CLASS:
295                    cur_block->op1_to = &blocks[ZEND_OP1(opline).opline_num];
296                    cur_block->follow_to = &blocks[opno];
297                    break;
298                case ZEND_JMPZNZ:
299                    cur_block->op2_to = &blocks[ZEND_OP2(opline).opline_num];
300                    cur_block->ext_to = &blocks[opline->extended_value];
301                    break;
302                case ZEND_CATCH:
303                    cur_block->ext_to = &blocks[opline->extended_value];
304                    cur_block->follow_to = &blocks[opno];
305                    break;
306                case ZEND_FE_FETCH_R:
307                case ZEND_FE_FETCH_RW:
308                    cur_block->ext_to = &blocks[opline->extended_value];
309                    cur_block->follow_to = &blocks[opno];
310                    break;
311                case ZEND_JMPZ:
312                case ZEND_JMPNZ:
313                case ZEND_JMPZ_EX:
314                case ZEND_JMPNZ_EX:
315                case ZEND_FE_RESET_R:
316                case ZEND_FE_RESET_RW:
317                case ZEND_NEW:
318                case ZEND_JMP_SET:
319                case ZEND_COALESCE:
320                case ZEND_ASSERT_CHECK:
321                    cur_block->op2_to = &blocks[ZEND_OP2(opline).opline_num];
322                    /* break missing intentionally */
323                default:
324                    /* next block follows this */
325                    cur_block->follow_to = &blocks[opno];
326                    break;
327            }
328            print_block(cur_block, op_array->opcodes, "");
329            cur_block = cur_block->next;
330        }
331    }
332    cur_block->len = end - cur_block->start_opline;
333    cur_block->next = &blocks[op_array->last + 1];
334    print_block(cur_block, op_array->opcodes, "");
335
336    return 1;
337}
338
339/* CFG back references management */
340
341#define ADD_SOURCE(fromb, tob) { \
342    zend_block_source *__s = tob->sources; \
343    while (__s && __s->from != fromb) __s = __s->next; \
344    if (__s == NULL) { \
345        zend_block_source *__t = zend_arena_alloc(&ctx->arena, sizeof(zend_block_source)); \
346        __t->next = tob->sources; \
347        tob->sources = __t; \
348        __t->from = fromb; \
349    } \
350}
351
352#define DEL_SOURCE(cs) do { \
353        *(cs) = (*(cs))->next; \
354    } while (0)
355
356
357static inline void replace_source(zend_block_source *list, zend_code_block *old, zend_code_block *new)
358{
359    /* replace all references to 'old' in 'list' with 'new' */
360    zend_block_source **cs;
361    int found = 0;
362
363    for (cs = &list; *cs; cs = &((*cs)->next)) {
364        if ((*cs)->from == new) {
365            if (found) {
366                DEL_SOURCE(cs);
367            } else {
368                found = 1;
369            }
370        }
371
372        if ((*cs)->from == old) {
373            if (found) {
374                DEL_SOURCE(cs);
375            } else {
376                (*cs)->from = new;
377                found = 1;
378            }
379        }
380    }
381}
382
383static inline void del_source(zend_code_block *from, zend_code_block *to)
384{
385    /* delete source 'from' from 'to'-s sources list */
386    zend_block_source **cs = &to->sources;
387
388    if (to->sources == NULL) {
389        to->access = 0;
390        return;
391    }
392
393    while (*cs) {
394        if ((*cs)->from == from) {
395            DEL_SOURCE(cs);
396            break;
397        }
398        cs = &((*cs)->next);
399    }
400
401    if (to->sources == NULL) {
402        /* 'to' has no more sources - it's unused, will be stripped */
403        to->access = 0;
404        return;
405    }
406
407    if (!to->protected && to->sources->next == NULL) {
408        /* source to only one block */
409        zend_code_block *from_block = to->sources->from;
410
411        if (from_block->access && from_block->follow_to == to &&
412            from_block->op1_to == NULL &&
413            from_block->op2_to == NULL &&
414            from_block->ext_to == NULL) {
415            /* this block follows it's only predecessor - we can join them */
416            zend_op *new_to = from_block->start_opline + from_block->len;
417            if (new_to != to->start_opline) {
418                /* move block to new location */
419                memmove(new_to, to->start_opline, sizeof(zend_op)*to->len);
420            }
421            /* join blocks' lengths */
422            from_block->len += to->len;
423            /* move 'to'`s references to 'from' */
424            to->start_opline = NULL;
425            to->access = 0;
426            to->sources = NULL;
427            from_block->follow_to = to->follow_to;
428            if (to->op1_to) {
429                from_block->op1_to = to->op1_to;
430                replace_source(to->op1_to->sources, to, from_block);
431            }
432            if (to->op2_to) {
433                from_block->op2_to = to->op2_to;
434                replace_source(to->op2_to->sources, to, from_block);
435            }
436            if (to->ext_to) {
437                from_block->ext_to = to->ext_to;
438                replace_source(to->ext_to->sources, to, from_block);
439            }
440            if (to->follow_to) {
441                replace_source(to->follow_to->sources, to, from_block);
442            }
443            /* remove "to" from list */
444        }
445    }
446}
447
448static void delete_code_block(zend_code_block *block, zend_optimizer_ctx *ctx)
449{
450    if (block->protected) {
451        return;
452    }
453    if (block->follow_to) {
454        zend_block_source *bs = block->sources;
455        while (bs) {
456            zend_code_block *from_block = bs->from;
457            zend_code_block *to = block->follow_to;
458            if (from_block->op1_to == block) {
459                from_block->op1_to = to;
460                ADD_SOURCE(from_block, to);
461            }
462            if (from_block->op2_to == block) {
463                from_block->op2_to = to;
464                ADD_SOURCE(from_block, to);
465            }
466            if (from_block->ext_to == block) {
467                from_block->ext_to = to;
468                ADD_SOURCE(from_block, to);
469            }
470            if (from_block->follow_to == block) {
471                from_block->follow_to = to;
472                ADD_SOURCE(from_block, to);
473            }
474            bs = bs->next;
475        }
476    }
477    block->access = 0;
478}
479
480static void zend_access_path(zend_code_block *block, zend_optimizer_ctx *ctx)
481{
482    if (block->access) {
483        return;
484    }
485
486    block->access = 1;
487    if (block->op1_to) {
488        zend_access_path(block->op1_to, ctx);
489        ADD_SOURCE(block, block->op1_to);
490    }
491    if (block->op2_to) {
492        zend_access_path(block->op2_to, ctx);
493        ADD_SOURCE(block, block->op2_to);
494    }
495    if (block->ext_to) {
496        zend_access_path(block->ext_to, ctx);
497        ADD_SOURCE(block, block->ext_to);
498    }
499    if (block->follow_to) {
500        zend_access_path(block->follow_to, ctx);
501        ADD_SOURCE(block, block->follow_to);
502    }
503}
504
505/* Traverse CFG, mark reachable basic blocks and build back references */
506static void zend_rebuild_access_path(zend_cfg *cfg, zend_op_array *op_array, int find_start, zend_optimizer_ctx *ctx)
507{
508    zend_code_block *blocks = cfg->blocks;
509    zend_code_block *start = find_start? NULL : blocks;
510    zend_code_block *b;
511
512    /* Mark all blocks as unaccessible and destroy back references */
513    b = blocks;
514    while (b != NULL) {
515        if (!start && b->access) {
516            start = b;
517        }
518        b->access = 0;
519        b->sources = NULL;
520        b = b->next;
521    }
522
523    /* Walk thorough all paths */
524    zend_access_path(start, ctx);
525
526    /* Add brk/cont paths */
527    if (op_array->last_brk_cont) {
528        int i;
529        for (i=0; i< op_array->last_brk_cont; i++) {
530            zend_access_path(cfg->loop_start[i], ctx);
531            zend_access_path(cfg->loop_cont[i], ctx);
532            zend_access_path(cfg->loop_brk[i], ctx);
533        }
534    }
535
536    /* Add exception paths */
537    if (op_array->last_try_catch) {
538        int i;
539        for (i=0; i< op_array->last_try_catch; i++) {
540            if (!cfg->catch[i]->access) {
541                zend_access_path(cfg->catch[i], ctx);
542            }
543        }
544    }
545}
546
547/* Data dependencies macros */
548
549#define VAR_NUM_EX(op) VAR_NUM((op).var)
550
551#define VAR_SOURCE(op) Tsource[VAR_NUM(op.var)]
552#define SET_VAR_SOURCE(opline) Tsource[VAR_NUM(opline->result.var)] = opline
553
554#define VAR_UNSET(op) do { if (op ## _type & (IS_TMP_VAR|IS_VAR)) {VAR_SOURCE(op) = NULL;}} while (0)
555
556#define convert_to_string_safe(v) \
557    if (Z_TYPE_P((v)) == IS_NULL) { \
558        ZVAL_STRINGL((v), "", 0); \
559    } else { \
560        convert_to_string((v)); \
561    }
562
563static void strip_nop(zend_code_block *block, zend_optimizer_ctx *ctx)
564{
565    zend_op *opline = block->start_opline;
566    zend_op *end, *new_end;
567
568    /* remove leading NOPs */
569    while (block->len > 0 && block->start_opline->opcode == ZEND_NOP) {
570        if (block->len == 1) {
571            /* this block is all NOPs, join with following block */
572            if (block->follow_to) {
573                delete_code_block(block, ctx);
574            }
575            return;
576        }
577        block->start_opline++;
578        block->start_opline_no++;
579        block->len--;
580    }
581
582    /* strip the inside NOPs */
583    opline = new_end = block->start_opline;
584    end = opline + block->len;
585
586    while (opline < end) {
587        zend_op *src;
588        int len = 0;
589
590        while (opline < end && opline->opcode == ZEND_NOP) {
591            opline++;
592        }
593        src = opline;
594
595        while (opline < end && opline->opcode != ZEND_NOP) {
596            opline++;
597        }
598        len = opline - src;
599
600        /* move up non-NOP opcodes */
601        memmove(new_end, src, len*sizeof(zend_op));
602
603        new_end += len;
604    }
605    block->len = new_end - block->start_opline;
606}
607
608static void zend_optimize_block(zend_code_block *block, zend_op_array *op_array, char *used_ext, zend_cfg *cfg, zend_optimizer_ctx *ctx)
609{
610    zend_op *opline = block->start_opline;
611    zend_op *end, *last_op = NULL;
612    zend_op **Tsource = cfg->Tsource;
613
614    print_block(block, op_array->opcodes, "Opt ");
615
616    /* remove leading NOPs */
617    while (block->len > 0 && block->start_opline->opcode == ZEND_NOP) {
618        if (block->len == 1) {
619            /* this block is all NOPs, join with following block */
620            if (block->follow_to) {
621                delete_code_block(block, ctx);
622            }
623            return;
624        }
625        block->start_opline++;
626        block->start_opline_no++;
627        block->len--;
628    }
629
630    /* we track data dependencies only insight a single basic block */
631    memset(Tsource, 0, (op_array->last_var + op_array->T) * sizeof(zend_op *));
632    opline = block->start_opline;
633    end = opline + block->len;
634    while ((op_array->T) && (opline < end)) {
635        /* strip X = QM_ASSIGN(const) */
636        if ((ZEND_OP1_TYPE(opline) & (IS_TMP_VAR|IS_VAR)) &&
637            VAR_SOURCE(opline->op1) &&
638            VAR_SOURCE(opline->op1)->opcode == ZEND_QM_ASSIGN &&
639            ZEND_OP1_TYPE(VAR_SOURCE(opline->op1)) == IS_CONST &&
640            opline->opcode != ZEND_CASE &&         /* CASE _always_ expects variable */
641            opline->opcode != ZEND_FETCH_LIST &&
642            (opline->opcode != ZEND_FE_RESET_R || opline->opcode != ZEND_FE_RESET_RW) &&
643            opline->opcode != ZEND_FREE
644            ) {
645            zend_op *src = VAR_SOURCE(opline->op1);
646            zval c = ZEND_OP1_LITERAL(src);
647            VAR_UNSET(opline->op1);
648            zval_copy_ctor(&c);
649            zend_optimizer_update_op1_const(op_array, opline, &c);
650            literal_dtor(&ZEND_OP1_LITERAL(src));
651            MAKE_NOP(src);
652        }
653
654        /* T = QM_ASSIGN(C), F(T) => NOP, F(C) */
655        if ((ZEND_OP2_TYPE(opline) & (IS_TMP_VAR|IS_VAR)) &&
656            VAR_SOURCE(opline->op2) &&
657            VAR_SOURCE(opline->op2)->opcode == ZEND_QM_ASSIGN &&
658            ZEND_OP1_TYPE(VAR_SOURCE(opline->op2)) == IS_CONST) {
659            zend_op *src = VAR_SOURCE(opline->op2);
660            zval c = ZEND_OP1_LITERAL(src);
661            VAR_UNSET(opline->op2);
662            zval_copy_ctor(&c);
663            zend_optimizer_update_op2_const(op_array, opline, &c);
664            literal_dtor(&ZEND_OP1_LITERAL(src));
665            MAKE_NOP(src);
666        }
667
668        /* T = CAST(X, String), ECHO(T) => NOP, ECHO(X) */
669        if (opline->opcode == ZEND_ECHO &&
670            ZEND_OP1_TYPE(opline) & (IS_TMP_VAR|IS_VAR) &&
671            VAR_SOURCE(opline->op1) &&
672            VAR_SOURCE(opline->op1)->opcode == ZEND_CAST &&
673            VAR_SOURCE(opline->op1)->extended_value == IS_STRING) {
674            zend_op *src = VAR_SOURCE(opline->op1);
675            COPY_NODE(opline->op1, src->op1);
676            MAKE_NOP(src);
677        }
678
679       /* T = BOOL(X), FREE(T) => NOP */
680        if (opline->opcode == ZEND_FREE &&
681            ZEND_OP1_TYPE(opline) == IS_TMP_VAR &&
682            VAR_SOURCE(opline->op1)) {
683            zend_op *src = VAR_SOURCE(opline->op1);
684            if (src->opcode == ZEND_BOOL) {
685                if (ZEND_OP1_TYPE(src) == IS_CONST) {
686                    literal_dtor(&ZEND_OP1_LITERAL(src));
687                }
688                MAKE_NOP(src);
689                MAKE_NOP(opline);
690            }
691        }
692
693#if 0
694        /* pre-evaluate functions:
695           constant(x)
696           defined(x)
697           function_exists(x)
698           extension_loaded(x)
699           BAD: interacts badly with Accelerator
700        */
701        if((ZEND_OP1_TYPE(opline) & IS_VAR) &&
702           VAR_SOURCE(opline->op1) && VAR_SOURCE(opline->op1)->opcode == ZEND_DO_CF_FCALL &&
703           VAR_SOURCE(opline->op1)->extended_value == 1) {
704            zend_op *fcall = VAR_SOURCE(opline->op1);
705            zend_op *sv = fcall-1;
706            if(sv >= block->start_opline && sv->opcode == ZEND_SEND_VAL &&
707               ZEND_OP1_TYPE(sv) == IS_CONST && Z_TYPE(OPLINE_OP1_LITERAL(sv)) == IS_STRING &&
708               Z_LVAL(OPLINE_OP2_LITERAL(sv)) == 1
709               ) {
710                zval *arg = &OPLINE_OP1_LITERAL(sv);
711                char *fname = FUNCTION_CACHE->funcs[Z_LVAL(ZEND_OP1_LITERAL(fcall))].function_name;
712                int flen = FUNCTION_CACHE->funcs[Z_LVAL(ZEND_OP1_LITERAL(fcall))].name_len;
713                if(flen == sizeof("defined")-1 && zend_binary_strcasecmp(fname, flen, "defined", sizeof("defined")-1) == 0) {
714                    zval c;
715                    if(zend_optimizer_get_persistent_constant(Z_STR_P(arg), &c, 0 ELS_CC) != 0) {
716                        literal_dtor(arg);
717                        MAKE_NOP(sv);
718                        MAKE_NOP(fcall);
719                        LITERAL_BOOL(opline->op1, 1);
720                        ZEND_OP1_TYPE(opline) = IS_CONST;
721                    }
722                } else if((flen == sizeof("function_exists")-1 && zend_binary_strcasecmp(fname, flen, "function_exists", sizeof("function_exists")-1) == 0) ||
723                          (flen == sizeof("is_callable")-1 && zend_binary_strcasecmp(fname, flen, "is_callable", sizeof("is_callable")-1) == 0)
724                          ) {
725                    zend_function *function;
726                    if((function = zend_hash_find_ptr(EG(function_table), Z_STR_P(arg))) != NULL) {
727                        literal_dtor(arg);
728                        MAKE_NOP(sv);
729                        MAKE_NOP(fcall);
730                        LITERAL_BOOL(opline->op1, 1);
731                        ZEND_OP1_TYPE(opline) = IS_CONST;
732                    }
733                } else if(flen == sizeof("constant")-1 && zend_binary_strcasecmp(fname, flen, "constant", sizeof("constant")-1) == 0) {
734                    zval c;
735                    if(zend_optimizer_get_persistent_constant(Z_STR_P(arg), &c, 1 ELS_CC) != 0) {
736                        literal_dtor(arg);
737                        MAKE_NOP(sv);
738                        MAKE_NOP(fcall);
739                        ZEND_OP1_LITERAL(opline) = zend_optimizer_add_literal(op_array, &c);
740                        /* no copy ctor - get already copied it */
741                        ZEND_OP1_TYPE(opline) = IS_CONST;
742                    }
743                } else if(flen == sizeof("extension_loaded")-1 && zend_binary_strcasecmp(fname, flen, "extension_loaded", sizeof("extension_loaded")-1) == 0) {
744                    if(zend_hash_exists(&module_registry, Z_STR_P(arg))) {
745                        literal_dtor(arg);
746                        MAKE_NOP(sv);
747                        MAKE_NOP(fcall);
748                        LITERAL_BOOL(opline->op1, 1);
749                        ZEND_OP1_TYPE(opline) = IS_CONST;
750                    }
751                }
752            }
753        }
754#endif
755
756        /* IS_EQ(TRUE, X)      => BOOL(X)
757         * IS_EQ(FALSE, X)     => BOOL_NOT(X)
758         * IS_NOT_EQ(TRUE, X)  => BOOL_NOT(X)
759         * IS_NOT_EQ(FALSE, X) => BOOL(X)
760         * CASE(TRUE, X)       => BOOL(X)
761         * CASE(FALSE, X)      => BOOL_NOT(X)
762         */
763        if (opline->opcode == ZEND_IS_EQUAL ||
764            opline->opcode == ZEND_IS_NOT_EQUAL ||
765            opline->opcode == ZEND_CASE) {
766            if (ZEND_OP1_TYPE(opline) == IS_CONST &&
767                (Z_TYPE(ZEND_OP1_LITERAL(opline)) == IS_FALSE ||
768                 Z_TYPE(ZEND_OP1_LITERAL(opline)) == IS_TRUE)) {
769                /* T = IS_EQUAL(TRUE,  X)     => T = BOOL(X) */
770                /* T = IS_EQUAL(FALSE, X)     => T = BOOL_NOT(X) */
771                /* T = IS_NOT_EQUAL(TRUE,  X) => T = BOOL_NOT(X) */
772                /* T = IS_NOT_EQUAL(FALSE, X) => T = BOOL(X) */
773                /* Optimization of comparison with "null" is not safe,
774                 * because ("0" == null) is not equal to !("0")
775                 */
776                opline->opcode =
777                    ((opline->opcode != ZEND_IS_NOT_EQUAL) == ((Z_TYPE(ZEND_OP1_LITERAL(opline))) == IS_TRUE)) ?
778                    ZEND_BOOL : ZEND_BOOL_NOT;
779                COPY_NODE(opline->op1, opline->op2);
780                SET_UNUSED(opline->op2);
781            } else if (ZEND_OP2_TYPE(opline) == IS_CONST &&
782                       (Z_TYPE(ZEND_OP2_LITERAL(opline)) == IS_FALSE ||
783                        Z_TYPE(ZEND_OP2_LITERAL(opline)) == IS_TRUE)) {
784                /* T = IS_EQUAL(X, TRUE)      => T = BOOL(X) */
785                /* T = IS_EQUAL(X, FALSE)     => T = BOOL_NOT(X) */
786                /* T = IS_NOT_EQUAL(X, TRUE)  => T = BOOL_NOT(X) */
787                /* T = IS_NOT_EQUAL(X, FALSE) => T = BOOL(X) */
788                /* Optimization of comparison with "null" is not safe,
789                 * because ("0" == null) is not equal to !("0")
790                 */
791                opline->opcode =
792                    ((opline->opcode != ZEND_IS_NOT_EQUAL) == ((Z_TYPE(ZEND_OP2_LITERAL(opline))) == IS_TRUE)) ?
793                    ZEND_BOOL : ZEND_BOOL_NOT;
794                SET_UNUSED(opline->op2);
795            }
796        }
797
798        if ((opline->opcode == ZEND_BOOL ||
799            opline->opcode == ZEND_BOOL_NOT ||
800            opline->opcode == ZEND_JMPZ ||
801            opline->opcode == ZEND_JMPNZ ||
802            opline->opcode == ZEND_JMPZNZ) &&
803            ZEND_OP1_TYPE(opline) == IS_TMP_VAR &&
804            VAR_SOURCE(opline->op1) != NULL &&
805            !used_ext[VAR_NUM(ZEND_OP1(opline).var)] &&
806            VAR_SOURCE(opline->op1)->opcode == ZEND_BOOL_NOT) {
807            /* T = BOOL_NOT(X) + JMPZ(T) -> NOP, JMPNZ(X) */
808            zend_op *src = VAR_SOURCE(opline->op1);
809
810            COPY_NODE(opline->op1, src->op1);
811
812            switch (opline->opcode) {
813                case ZEND_BOOL:
814                    /* T = BOOL_NOT(X) + BOOL(T) -> NOP, BOOL_NOT(X) */
815                    opline->opcode = ZEND_BOOL_NOT;
816                    break;
817                case ZEND_BOOL_NOT:
818                    /* T = BOOL_NOT(X) + BOOL_BOOL(T) -> NOP, BOOL(X) */
819                    opline->opcode = ZEND_BOOL;
820                    break;
821                case ZEND_JMPZ:
822                    /* T = BOOL_NOT(X) + JMPZ(T,L) -> NOP, JMPNZ(X,L) */
823                    opline->opcode = ZEND_JMPNZ;
824                    break;
825                case ZEND_JMPNZ:
826                    /* T = BOOL_NOT(X) + JMPNZ(T,L) -> NOP, JMPZ(X,L) */
827                    opline->opcode = ZEND_JMPZ;
828                    break;
829                case ZEND_JMPZNZ:
830                {
831                    /* T = BOOL_NOT(X) + JMPZNZ(T,L1,L2) -> NOP, JMPZNZ(X,L2,L1) */
832                    int op_t;
833                    zend_code_block *op_b;
834
835                    op_t = opline->extended_value;
836                    opline->extended_value = ZEND_OP2(opline).opline_num;
837                    ZEND_OP2(opline).opline_num = op_t;
838
839                    op_b = block->ext_to;
840                    block->ext_to = block->op2_to;
841                    block->op2_to = op_b;
842                }
843                break;
844            }
845
846            VAR_UNSET(opline->op1);
847            MAKE_NOP(src);
848            continue;
849        } else
850#if 0
851        /* T = BOOL_NOT(X) + T = JMPZ_EX(T, X) -> T = BOOL_NOT(X), JMPNZ(X) */
852        if(0 && (opline->opcode == ZEND_JMPZ_EX ||
853            opline->opcode == ZEND_JMPNZ_EX) &&
854           ZEND_OP1_TYPE(opline) == IS_TMP_VAR &&
855           VAR_SOURCE(opline->op1) != NULL &&
856           VAR_SOURCE(opline->op1)->opcode == ZEND_BOOL_NOT &&
857           ZEND_OP1(opline).var == ZEND_RESULT(opline).var
858           ) {
859            zend_op *src = VAR_SOURCE(opline->op1);
860            if(opline->opcode == ZEND_JMPZ_EX) {
861                opline->opcode = ZEND_JMPNZ;
862            } else {
863                opline->opcode = ZEND_JMPZ;
864            }
865            COPY_NODE(opline->op1, src->op1);
866            SET_UNUSED(opline->result);
867            continue;
868        } else
869#endif
870        /* T = BOOL(X) + JMPZ(T) -> NOP, JMPZ(X) */
871        if ((opline->opcode == ZEND_BOOL ||
872            opline->opcode == ZEND_BOOL_NOT ||
873            opline->opcode == ZEND_JMPZ ||
874            opline->opcode == ZEND_JMPZ_EX ||
875            opline->opcode == ZEND_JMPNZ_EX ||
876            opline->opcode == ZEND_JMPNZ ||
877            opline->opcode == ZEND_JMPZNZ) &&
878            (ZEND_OP1_TYPE(opline) & (IS_TMP_VAR|IS_VAR)) &&
879            VAR_SOURCE(opline->op1) != NULL &&
880            (!used_ext[VAR_NUM(ZEND_OP1(opline).var)] ||
881            ((ZEND_RESULT_TYPE(opline) & (IS_TMP_VAR|IS_VAR)) &&
882             ZEND_RESULT(opline).var == ZEND_OP1(opline).var)) &&
883            (VAR_SOURCE(opline->op1)->opcode == ZEND_BOOL ||
884            VAR_SOURCE(opline->op1)->opcode == ZEND_QM_ASSIGN)) {
885            zend_op *src = VAR_SOURCE(opline->op1);
886            COPY_NODE(opline->op1, src->op1);
887
888            VAR_UNSET(opline->op1);
889            MAKE_NOP(src);
890            continue;
891        } else if (last_op && opline->opcode == ZEND_ECHO &&
892                  last_op->opcode == ZEND_ECHO &&
893                  ZEND_OP1_TYPE(opline) == IS_CONST &&
894                  Z_TYPE(ZEND_OP1_LITERAL(opline)) != IS_DOUBLE &&
895                  ZEND_OP1_TYPE(last_op) == IS_CONST &&
896                  Z_TYPE(ZEND_OP1_LITERAL(last_op)) != IS_DOUBLE) {
897            /* compress consecutive ECHO's.
898             * Float to string conversion may be affected by current
899             * locale setting.
900             */
901            int l, old_len;
902
903            if (Z_TYPE(ZEND_OP1_LITERAL(opline)) != IS_STRING) {
904                convert_to_string_safe(&ZEND_OP1_LITERAL(opline));
905            }
906            if (Z_TYPE(ZEND_OP1_LITERAL(last_op)) != IS_STRING) {
907                convert_to_string_safe(&ZEND_OP1_LITERAL(last_op));
908            }
909            old_len = Z_STRLEN(ZEND_OP1_LITERAL(last_op));
910            l = old_len + Z_STRLEN(ZEND_OP1_LITERAL(opline));
911            if (!Z_REFCOUNTED(ZEND_OP1_LITERAL(last_op))) {
912                zend_string *tmp = zend_string_alloc(l, 0);
913                memcpy(ZSTR_VAL(tmp), Z_STRVAL(ZEND_OP1_LITERAL(last_op)), old_len);
914                Z_STR(ZEND_OP1_LITERAL(last_op)) = tmp;
915            } else {
916                Z_STR(ZEND_OP1_LITERAL(last_op)) = zend_string_extend(Z_STR(ZEND_OP1_LITERAL(last_op)), l, 0);
917            }
918            Z_TYPE_INFO(ZEND_OP1_LITERAL(last_op)) = IS_STRING_EX;
919            memcpy(Z_STRVAL(ZEND_OP1_LITERAL(last_op)) + old_len, Z_STRVAL(ZEND_OP1_LITERAL(opline)), Z_STRLEN(ZEND_OP1_LITERAL(opline)));
920            Z_STRVAL(ZEND_OP1_LITERAL(last_op))[l] = '\0';
921            zval_dtor(&ZEND_OP1_LITERAL(opline));
922            Z_STR(ZEND_OP1_LITERAL(opline)) = zend_new_interned_string(Z_STR(ZEND_OP1_LITERAL(last_op)));
923            if (!Z_REFCOUNTED(ZEND_OP1_LITERAL(opline))) {
924                Z_TYPE_FLAGS(ZEND_OP1_LITERAL(opline)) &= ~ (IS_TYPE_REFCOUNTED | IS_TYPE_COPYABLE);
925            }
926            ZVAL_NULL(&ZEND_OP1_LITERAL(last_op));
927            MAKE_NOP(last_op);
928        } else if ((opline->opcode == ZEND_CONCAT) &&
929                  ZEND_OP2_TYPE(opline) == IS_CONST &&
930                  ZEND_OP1_TYPE(opline) == IS_TMP_VAR &&
931                  VAR_SOURCE(opline->op1) &&
932                  (VAR_SOURCE(opline->op1)->opcode == ZEND_CONCAT ||
933                   VAR_SOURCE(opline->op1)->opcode == ZEND_FAST_CONCAT) &&
934                  ZEND_OP2_TYPE(VAR_SOURCE(opline->op1)) == IS_CONST &&
935                  ZEND_RESULT(VAR_SOURCE(opline->op1)).var == ZEND_OP1(opline).var) {
936            /* compress consecutive CONCAT/ADD_STRING/ADD_CHARs */
937            zend_op *src = VAR_SOURCE(opline->op1);
938            int l, old_len;
939
940            if (Z_TYPE(ZEND_OP2_LITERAL(opline)) != IS_STRING) {
941                convert_to_string_safe(&ZEND_OP2_LITERAL(opline));
942            }
943            if (Z_TYPE(ZEND_OP2_LITERAL(src)) != IS_STRING) {
944                convert_to_string_safe(&ZEND_OP2_LITERAL(src));
945            }
946
947            VAR_UNSET(opline->op1);
948            COPY_NODE(opline->op1, src->op1);
949            old_len = Z_STRLEN(ZEND_OP2_LITERAL(src));
950            l = old_len + Z_STRLEN(ZEND_OP2_LITERAL(opline));
951            if (!Z_REFCOUNTED(ZEND_OP2_LITERAL(src))) {
952                zend_string *tmp = zend_string_alloc(l, 0);
953                memcpy(ZSTR_VAL(tmp), Z_STRVAL(ZEND_OP2_LITERAL(src)), old_len);
954                Z_STR(ZEND_OP2_LITERAL(last_op)) = tmp;
955            } else {
956                Z_STR(ZEND_OP2_LITERAL(src)) = zend_string_extend(Z_STR(ZEND_OP2_LITERAL(src)), l, 0);
957            }
958            Z_TYPE_INFO(ZEND_OP2_LITERAL(last_op)) = IS_STRING_EX;
959            memcpy(Z_STRVAL(ZEND_OP2_LITERAL(src)) + old_len, Z_STRVAL(ZEND_OP2_LITERAL(opline)), Z_STRLEN(ZEND_OP2_LITERAL(opline)));
960            Z_STRVAL(ZEND_OP2_LITERAL(src))[l] = '\0';
961            zend_string_release(Z_STR(ZEND_OP2_LITERAL(opline)));
962            Z_STR(ZEND_OP2_LITERAL(opline)) = zend_new_interned_string(Z_STR(ZEND_OP2_LITERAL(src)));
963            if (!Z_REFCOUNTED(ZEND_OP2_LITERAL(opline))) {
964                Z_TYPE_FLAGS(ZEND_OP2_LITERAL(opline)) &= ~ (IS_TYPE_REFCOUNTED | IS_TYPE_COPYABLE);
965            }
966            ZVAL_NULL(&ZEND_OP2_LITERAL(src));
967            MAKE_NOP(src);
968        } else if ((opline->opcode == ZEND_ADD ||
969                    opline->opcode == ZEND_SUB ||
970                    opline->opcode == ZEND_MUL ||
971                    opline->opcode == ZEND_DIV ||
972                    opline->opcode == ZEND_MOD ||
973                    opline->opcode == ZEND_SL ||
974                    opline->opcode == ZEND_SR ||
975                    opline->opcode == ZEND_CONCAT ||
976                    opline->opcode == ZEND_FAST_CONCAT ||
977                    opline->opcode == ZEND_IS_EQUAL ||
978                    opline->opcode == ZEND_IS_NOT_EQUAL ||
979                    opline->opcode == ZEND_IS_SMALLER ||
980                    opline->opcode == ZEND_IS_SMALLER_OR_EQUAL ||
981                    opline->opcode == ZEND_IS_IDENTICAL ||
982                    opline->opcode == ZEND_IS_NOT_IDENTICAL ||
983                    opline->opcode == ZEND_BOOL_XOR ||
984                    opline->opcode == ZEND_BW_OR ||
985                    opline->opcode == ZEND_BW_AND ||
986                    opline->opcode == ZEND_BW_XOR) &&
987                    ZEND_OP1_TYPE(opline)==IS_CONST &&
988                    ZEND_OP2_TYPE(opline)==IS_CONST) {
989            /* evaluate constant expressions */
990            binary_op_type binary_op = get_binary_op(opline->opcode);
991            zval result;
992            int er;
993
994            if ((opline->opcode == ZEND_DIV || opline->opcode == ZEND_MOD) &&
995                zval_get_long(&ZEND_OP2_LITERAL(opline)) == 0) {
996                if (RESULT_USED(opline)) {
997                    SET_VAR_SOURCE(opline);
998                }
999                opline++;
1000                continue;
1001            } else if ((opline->opcode == ZEND_SL || opline->opcode == ZEND_SR) &&
1002                zval_get_long(&ZEND_OP2_LITERAL(opline)) < 0) {
1003                if (RESULT_USED(opline)) {
1004                    SET_VAR_SOURCE(opline);
1005                }
1006                opline++;
1007                continue;
1008            }
1009            er = EG(error_reporting);
1010            EG(error_reporting) = 0;
1011            if (binary_op(&result, &ZEND_OP1_LITERAL(opline), &ZEND_OP2_LITERAL(opline)) == SUCCESS) {
1012                literal_dtor(&ZEND_OP1_LITERAL(opline));
1013                literal_dtor(&ZEND_OP2_LITERAL(opline));
1014                opline->opcode = ZEND_QM_ASSIGN;
1015                SET_UNUSED(opline->op2);
1016                zend_optimizer_update_op1_const(op_array, opline, &result);
1017            }
1018            EG(error_reporting) = er;
1019        } else if ((opline->opcode == ZEND_BOOL ||
1020                    opline->opcode == ZEND_BOOL_NOT ||
1021                    opline->opcode == ZEND_BW_NOT) && ZEND_OP1_TYPE(opline) == IS_CONST) {
1022            /* evaluate constant unary ops */
1023            unary_op_type unary_op = get_unary_op(opline->opcode);
1024            zval result;
1025
1026            if (unary_op) {
1027                unary_op(&result, &ZEND_OP1_LITERAL(opline));
1028                literal_dtor(&ZEND_OP1_LITERAL(opline));
1029            } else {
1030                /* BOOL */
1031                result = ZEND_OP1_LITERAL(opline);
1032                convert_to_boolean(&result);
1033                ZVAL_NULL(&ZEND_OP1_LITERAL(opline));
1034            }
1035            opline->opcode = ZEND_QM_ASSIGN;
1036            zend_optimizer_update_op1_const(op_array, opline, &result);
1037        } else if ((opline->opcode == ZEND_RETURN || opline->opcode == ZEND_EXIT) &&
1038                    (ZEND_OP1_TYPE(opline) & (IS_TMP_VAR|IS_VAR)) &&
1039                    VAR_SOURCE(opline->op1) &&
1040                    VAR_SOURCE(opline->op1)->opcode == ZEND_QM_ASSIGN) {
1041            /* T = QM_ASSIGN(X), RETURN(T) to RETURN(X) */
1042            zend_op *src = VAR_SOURCE(opline->op1);
1043            VAR_UNSET(opline->op1);
1044            COPY_NODE(opline->op1, src->op1);
1045            MAKE_NOP(src);
1046        } else if (opline->opcode == ZEND_CONCAT || opline->opcode == ZEND_FAST_CONCAT) {
1047            if ((ZEND_OP1_TYPE(opline) & (IS_TMP_VAR|IS_VAR)) &&
1048                VAR_SOURCE(opline->op1) &&
1049                VAR_SOURCE(opline->op1)->opcode == ZEND_CAST &&
1050                VAR_SOURCE(opline->op1)->extended_value == IS_STRING) {
1051                /* convert T1 = CAST(STRING, X), T2 = CONCAT(T1, Y) to T2 = CONCAT(X,Y) */
1052                zend_op *src = VAR_SOURCE(opline->op1);
1053                VAR_UNSET(opline->op1);
1054                COPY_NODE(opline->op1, src->op1);
1055                MAKE_NOP(src);
1056            }
1057            if ((ZEND_OP2_TYPE(opline) & (IS_TMP_VAR|IS_VAR)) &&
1058                VAR_SOURCE(opline->op2) &&
1059                VAR_SOURCE(opline->op2)->opcode == ZEND_CAST &&
1060                VAR_SOURCE(opline->op2)->extended_value == IS_STRING) {
1061                /* convert T1 = CAST(STRING, X), T2 = CONCAT(Y, T1) to T2 = CONCAT(Y,X) */
1062                zend_op *src = VAR_SOURCE(opline->op2);
1063                VAR_UNSET(opline->op2);
1064                COPY_NODE(opline->op2, src->op1);
1065                MAKE_NOP(src);
1066            }
1067            if (ZEND_OP1_TYPE(opline) == IS_CONST &&
1068                Z_TYPE(ZEND_OP1_LITERAL(opline)) == IS_STRING &&
1069                Z_STRLEN(ZEND_OP1_LITERAL(opline)) == 0) {
1070                /* convert CONCAT('', X) => CAST(STRING, X) */
1071                literal_dtor(&ZEND_OP1_LITERAL(opline));
1072                opline->opcode = ZEND_CAST;
1073                opline->extended_value = IS_STRING;
1074                COPY_NODE(opline->op1, opline->op2);
1075                opline->op2_type = IS_UNUSED;
1076                opline->op2.var = 0;
1077            } else if (ZEND_OP2_TYPE(opline) == IS_CONST &&
1078                       Z_TYPE(ZEND_OP2_LITERAL(opline)) == IS_STRING &&
1079                       Z_STRLEN(ZEND_OP2_LITERAL(opline)) == 0) {
1080                /* convert CONCAT(X, '') => CAST(STRING, X) */
1081                literal_dtor(&ZEND_OP2_LITERAL(opline));
1082                opline->opcode = ZEND_CAST;
1083                opline->extended_value = IS_STRING;
1084                opline->op2_type = IS_UNUSED;
1085                opline->op2.var = 0;
1086            } else if (opline->opcode == ZEND_CONCAT &&
1087                       (opline->op1_type == IS_CONST ||
1088                        (opline->op1_type == IS_TMP_VAR &&
1089                         VAR_SOURCE(opline->op1) &&
1090                         (VAR_SOURCE(opline->op1)->opcode == ZEND_FAST_CONCAT ||
1091                          VAR_SOURCE(opline->op1)->opcode == ZEND_ROPE_END ||
1092                          VAR_SOURCE(opline->op1)->opcode == ZEND_FETCH_CONSTANT))) &&
1093                       (opline->op2_type == IS_CONST ||
1094                        (opline->op2_type == IS_TMP_VAR &&
1095                         VAR_SOURCE(opline->op2) &&
1096                         (VAR_SOURCE(opline->op2)->opcode == ZEND_FAST_CONCAT ||
1097                          VAR_SOURCE(opline->op2)->opcode == ZEND_ROPE_END ||
1098                          VAR_SOURCE(opline->op2)->opcode == ZEND_FETCH_CONSTANT)))) {
1099                opline->opcode = ZEND_FAST_CONCAT;
1100            }
1101        } else if (opline->opcode == ZEND_QM_ASSIGN &&
1102                    ZEND_OP1_TYPE(opline) == ZEND_RESULT_TYPE(opline) &&
1103                    ZEND_OP1(opline).var == ZEND_RESULT(opline).var) {
1104            /* strip T = QM_ASSIGN(T) */
1105            MAKE_NOP(opline);
1106        } else if (opline->opcode == ZEND_BOOL &&
1107                    ZEND_OP1_TYPE(opline) == IS_TMP_VAR &&
1108                    VAR_SOURCE(opline->op1) &&
1109                    (VAR_SOURCE(opline->op1)->opcode == ZEND_IS_EQUAL ||
1110                    VAR_SOURCE(opline->op1)->opcode == ZEND_IS_NOT_EQUAL ||
1111                    VAR_SOURCE(opline->op1)->opcode == ZEND_IS_SMALLER ||
1112                    VAR_SOURCE(opline->op1)->opcode == ZEND_IS_SMALLER_OR_EQUAL ||
1113                    VAR_SOURCE(opline->op1)->opcode == ZEND_BOOL ||
1114                    VAR_SOURCE(opline->op1)->opcode == ZEND_IS_IDENTICAL ||
1115                    VAR_SOURCE(opline->op1)->opcode == ZEND_IS_NOT_IDENTICAL ||
1116                    VAR_SOURCE(opline->op1)->opcode == ZEND_ISSET_ISEMPTY_VAR ||
1117                    VAR_SOURCE(opline->op1)->opcode == ZEND_ISSET_ISEMPTY_DIM_OBJ) &&
1118                    !used_ext[VAR_NUM(ZEND_OP1(opline).var)]) {
1119            /* T = IS_SMALLER(X, Y), T1 = BOOL(T) => T = IS_SMALLER(X, Y), T1 = QM_ASSIGN(T) */
1120            zend_op *src = VAR_SOURCE(opline->op1);
1121            COPY_NODE(src->result, opline->result);
1122            SET_VAR_SOURCE(src);
1123            MAKE_NOP(opline);
1124        }
1125        /* get variable source */
1126        if (RESULT_USED(opline)) {
1127            SET_VAR_SOURCE(opline);
1128        }
1129        if (opline->opcode != ZEND_NOP) {
1130            last_op = opline;
1131        }
1132        opline++;
1133    }
1134
1135    strip_nop(block, ctx);
1136}
1137
1138/* Rebuild plain (optimized) op_array from CFG */
1139static void assemble_code_blocks(zend_cfg *cfg, zend_op_array *op_array)
1140{
1141    zend_code_block *blocks = cfg->blocks;
1142    zend_op *new_opcodes = emalloc(op_array->last * sizeof(zend_op));
1143    zend_op *opline = new_opcodes;
1144    zend_code_block *cur_block = blocks;
1145
1146    /* Copy code of reachable blocks into a single buffer */
1147    while (cur_block) {
1148        if (cur_block->access) {
1149            memcpy(opline, cur_block->start_opline, cur_block->len * sizeof(zend_op));
1150            cur_block->start_opline = opline;
1151            opline += cur_block->len;
1152            if ((opline - 1)->opcode == ZEND_JMP) {
1153                zend_code_block *next;
1154                next = cur_block->next;
1155                while (next && !next->access) {
1156                    next = next->next;
1157                }
1158                if (next && next == cur_block->op1_to) {
1159                    /* JMP to the next block - strip it */
1160                    cur_block->follow_to = cur_block->op1_to;
1161                    cur_block->op1_to = NULL;
1162                    MAKE_NOP((opline - 1));
1163                    opline--;
1164                    cur_block->len--;
1165                }
1166            }
1167        } else {
1168            /* this block will not be used, delete all constants there */
1169            zend_op *_opl;
1170            zend_op *end = cur_block->start_opline + cur_block->len;
1171            for (_opl = cur_block->start_opline; _opl && _opl < end; _opl++) {
1172                if (ZEND_OP1_TYPE(_opl) == IS_CONST) {
1173                    literal_dtor(&ZEND_OP1_LITERAL(_opl));
1174                }
1175                if (ZEND_OP2_TYPE(_opl) == IS_CONST) {
1176                    literal_dtor(&ZEND_OP2_LITERAL(_opl));
1177                }
1178            }
1179        }
1180        cur_block = cur_block->next;
1181    }
1182
1183    op_array->last = opline-new_opcodes;
1184
1185    /* adjust exception jump targets */
1186    if (op_array->last_try_catch) {
1187        int i, j;
1188        for (i = 0, j = 0; i< op_array->last_try_catch; i++) {
1189            if (cfg->try[i]->access) {
1190                op_array->try_catch_array[j].try_op = cfg->try[i]->start_opline - new_opcodes;
1191                op_array->try_catch_array[j].catch_op = cfg->catch[i]->start_opline - new_opcodes;
1192                j++;
1193            }
1194        }
1195        op_array->last_try_catch = j;
1196    }
1197
1198    /* adjust loop jump targets */
1199    if (op_array->last_brk_cont) {
1200        int i;
1201        for (i = 0; i< op_array->last_brk_cont; i++) {
1202            op_array->brk_cont_array[i].start = cfg->loop_start[i]->start_opline - new_opcodes;
1203            op_array->brk_cont_array[i].cont = cfg->loop_cont[i]->start_opline - new_opcodes;
1204            op_array->brk_cont_array[i].brk = cfg->loop_brk[i]->start_opline - new_opcodes;
1205        }
1206    }
1207
1208    /* adjust jump targets */
1209    for (cur_block = blocks; cur_block; cur_block = cur_block->next) {
1210        if (!cur_block->access) {
1211            continue;
1212        }
1213        opline = cur_block->start_opline + cur_block->len - 1;
1214        if (opline->opcode == ZEND_OP_DATA) {
1215            opline--;
1216        }
1217        if (cur_block->op1_to) {
1218            ZEND_OP1(opline).opline_num = cur_block->op1_to->start_opline - new_opcodes;
1219        }
1220        if (cur_block->op2_to) {
1221            ZEND_OP2(opline).opline_num = cur_block->op2_to->start_opline - new_opcodes;
1222        }
1223        if (cur_block->ext_to) {
1224            opline->extended_value = cur_block->ext_to->start_opline - new_opcodes;
1225        }
1226        print_block(cur_block, new_opcodes, "Out ");
1227    }
1228    efree(op_array->opcodes);
1229    op_array->opcodes = erealloc(new_opcodes, op_array->last * sizeof(zend_op));
1230
1231    /* adjust early binding list */
1232    if (op_array->early_binding != (uint32_t)-1) {
1233        uint32_t *opline_num = &op_array->early_binding;
1234        zend_op *end;
1235
1236        opline = op_array->opcodes;
1237        end = opline + op_array->last;
1238        while (opline < end) {
1239            if (opline->opcode == ZEND_DECLARE_INHERITED_CLASS_DELAYED) {
1240                *opline_num = opline - op_array->opcodes;
1241                opline_num = &ZEND_RESULT(opline).opline_num;
1242            }
1243            ++opline;
1244        }
1245        *opline_num = -1;
1246    }
1247}
1248
1249static void zend_jmp_optimization(zend_code_block *block, zend_op_array *op_array, zend_code_block *blocks, zend_cfg *cfg, zend_optimizer_ctx *ctx)
1250{
1251    /* last_op is the last opcode of the current block */
1252    zend_op *last_op = (block->start_opline + block->len - 1);
1253
1254    if (!block->len) {
1255        return;
1256    }
1257    switch (last_op->opcode) {
1258        case ZEND_JMP:
1259            {
1260                zend_op *target = block->op1_to->start_opline;
1261                zend_code_block *next = block->next;
1262
1263                while (next && !next->access) {
1264                    /* find used one */
1265                    next = next->next;
1266                }
1267
1268                /* JMP(next) -> NOP */
1269                if (block->op1_to == next) {
1270                    block->follow_to = block->op1_to;
1271                    block->op1_to = NULL;
1272                    MAKE_NOP(last_op);
1273                    block->len--;
1274                    if (block->len == 0) {
1275                        /* this block is nothing but NOP now */
1276                        delete_code_block(block, ctx);
1277                    }
1278                    break;
1279                }
1280
1281                if (((target->opcode == ZEND_JMP &&
1282                    block->op1_to != block->op1_to->op1_to) ||
1283                    target->opcode == ZEND_JMPZNZ) &&
1284                    !block->op1_to->protected) {
1285                    /* JMP L, L: JMP L1 -> JMP L1 */
1286                    /* JMP L, L: JMPZNZ L1,L2 -> JMPZNZ L1,L2 */
1287                    *last_op = *target;
1288                    if (ZEND_OP1_TYPE(last_op) == IS_CONST) {
1289                        zval zv = ZEND_OP1_LITERAL(last_op);
1290                        zval_copy_ctor(&zv);
1291                        last_op->op1.constant = zend_optimizer_add_literal(op_array, &zv);
1292                    }
1293                    del_source(block, block->op1_to);
1294                    if (block->op1_to->op2_to) {
1295                        block->op2_to = block->op1_to->op2_to;
1296                        ADD_SOURCE(block, block->op2_to);
1297                    }
1298                    if (block->op1_to->ext_to) {
1299                        block->ext_to = block->op1_to->ext_to;
1300                        ADD_SOURCE(block, block->ext_to);
1301                    }
1302                    if (block->op1_to->op1_to) {
1303                        block->op1_to = block->op1_to->op1_to;
1304                        ADD_SOURCE(block, block->op1_to);
1305                    } else {
1306                        block->op1_to = NULL;
1307                    }
1308                } else if (target->opcode == ZEND_RETURN ||
1309                          target->opcode == ZEND_RETURN_BY_REF ||
1310                          target->opcode == ZEND_FAST_RET ||
1311                          target->opcode == ZEND_EXIT) {
1312                    /* JMP L, L: RETURN to immediate RETURN */
1313                    *last_op = *target;
1314                    if (ZEND_OP1_TYPE(last_op) == IS_CONST) {
1315                        zval zv = ZEND_OP1_LITERAL(last_op);
1316                        zval_copy_ctor(&zv);
1317                        last_op->op1.constant = zend_optimizer_add_literal(op_array, &zv);
1318                    }
1319                    del_source(block, block->op1_to);
1320                    block->op1_to = NULL;
1321#if 0
1322                /* Temporarily disabled - see bug #0025274 */
1323                } else if (0&& block->op1_to != block &&
1324                       block->op1_to != blocks &&
1325                           op_array->last_try_catch == 0 &&
1326                           target->opcode != ZEND_FREE) {
1327                    /* Block Reordering (saves one JMP on each "for" loop iteration)
1328                     * It is disabled for some cases (ZEND_FREE)
1329                     * which may break register allocation.
1330                     */
1331                    zend_bool can_reorder = 0;
1332                    zend_block_source *cs = block->op1_to->sources;
1333
1334                    /* the "target" block doesn't had any followed block */
1335                    while(cs) {
1336                        if (cs->from->follow_to == block->op1_to) {
1337                            can_reorder = 0;
1338                            break;
1339                        }
1340                        cs = cs->next;
1341                    }
1342                    if (can_reorder) {
1343                        next = block->op1_to;
1344                        /* the "target" block is not followed by current "block" */
1345                        while (next->follow_to != NULL) {
1346                            if (next->follow_to == block) {
1347                                can_reorder = 0;
1348                                break;
1349                            }
1350                            next = next->follow_to;
1351                        }
1352                        if (can_reorder) {
1353                            zend_code_block *prev = blocks;
1354
1355                            while (prev->next != block->op1_to) {
1356                                prev = prev->next;
1357                            }
1358                            prev->next = next->next;
1359                            next->next = block->next;
1360                            block->next = block->op1_to;
1361
1362                            block->follow_to = block->op1_to;
1363                            block->op1_to = NULL;
1364                            MAKE_NOP(last_op);
1365                            block->len--;
1366                            if(block->len == 0) {
1367                                /* this block is nothing but NOP now */
1368                                delete_code_block(block, ctx);
1369                            }
1370                            break;
1371                        }
1372                    }
1373#endif
1374                }
1375            }
1376            break;
1377
1378        case ZEND_JMPZ:
1379        case ZEND_JMPNZ:
1380            /* constant conditional JMPs */
1381            if (ZEND_OP1_TYPE(last_op) == IS_CONST) {
1382                int should_jmp = zend_is_true(&ZEND_OP1_LITERAL(last_op));
1383
1384                if (last_op->opcode == ZEND_JMPZ) {
1385                    should_jmp = !should_jmp;
1386                }
1387                literal_dtor(&ZEND_OP1_LITERAL(last_op));
1388                ZEND_OP1_TYPE(last_op) = IS_UNUSED;
1389                if (should_jmp) {
1390                    /* JMPNZ(true) -> JMP */
1391                    last_op->opcode = ZEND_JMP;
1392                    COPY_NODE(last_op->op1, last_op->op2);
1393                    block->op1_to = block->op2_to;
1394                    del_source(block, block->follow_to);
1395                    block->op2_to = NULL;
1396                    block->follow_to = NULL;
1397                } else {
1398                    /* JMPNZ(false) -> NOP */
1399                    MAKE_NOP(last_op);
1400                    del_source(block, block->op2_to);
1401                    block->op2_to = NULL;
1402                }
1403                break;
1404            }
1405
1406            if (block->op2_to == block->follow_to) {
1407                /* L: JMPZ(X, L+1) -> NOP or FREE(X) */
1408
1409                if (last_op->op1_type == IS_VAR) {
1410                    zend_op **Tsource = cfg->Tsource;
1411                    zend_op *src = VAR_SOURCE(last_op->op1);
1412
1413                    if (src &&
1414                        src->opcode != ZEND_FETCH_R &&
1415                        src->opcode != ZEND_FETCH_DIM_R &&
1416                        src->opcode != ZEND_FETCH_OBJ_R) {
1417                        ZEND_RESULT_TYPE(src) |= EXT_TYPE_UNUSED;
1418                        MAKE_NOP(last_op);
1419                        block->op2_to = NULL;
1420                        break;
1421                    }
1422                }
1423                if (last_op->op1_type & (IS_VAR|IS_TMP_VAR)) {
1424                    last_op->opcode = ZEND_FREE;
1425                    last_op->op2.num = 0;
1426                    block->op2_to = NULL;
1427                } else {
1428                    MAKE_NOP(last_op);
1429                    block->op2_to = NULL;
1430                }
1431                break;
1432            }
1433
1434            if (block->op2_to) {
1435                zend_uchar same_type = ZEND_OP1_TYPE(last_op);
1436                uint32_t same_var = VAR_NUM_EX(last_op->op1);
1437                zend_op *target;
1438                zend_op *target_end;
1439                zend_code_block *target_block = block->op2_to;;
1440
1441next_target:
1442                target = target_block->start_opline;
1443                target_end = target_block->start_opline + target_block->len;
1444                while (target < target_end && target->opcode == ZEND_NOP) {
1445                    target++;
1446                }
1447
1448                /* next block is only NOP's */
1449                if (target == target_end) {
1450                    target_block = target_block->follow_to;
1451                    goto next_target;
1452                } else if (target->opcode == INV_COND(last_op->opcode) &&
1453                    /* JMPZ(X, L), L: JMPNZ(X, L2) -> JMPZ(X, L+1) */
1454                   (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1455                   same_type == ZEND_OP1_TYPE(target) &&
1456                   same_var == VAR_NUM_EX(target->op1) &&
1457                   target_block->follow_to &&
1458                   !target_block->protected
1459                   ) {
1460                    del_source(block, block->op2_to);
1461                    block->op2_to = target_block->follow_to;
1462                    ADD_SOURCE(block, block->op2_to);
1463                } else if (target->opcode == INV_COND_EX(last_op->opcode) &&
1464                            (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1465                            same_type == ZEND_OP1_TYPE(target) &&
1466                            same_var == VAR_NUM_EX(target->op1) &&
1467                            target_block->follow_to &&
1468                            !target_block->protected) {
1469                    /* JMPZ(X, L), L: X = JMPNZ_EX(X, L2) -> JMPZ(X, L+1) */
1470                    last_op->opcode += 3;
1471                    last_op->result = target->result;
1472                    del_source(block, block->op2_to);
1473                    block->op2_to = target_block->follow_to;
1474                    ADD_SOURCE(block, block->op2_to);
1475                } else if (target_block->op2_to &&
1476                           target->opcode == last_op->opcode &&
1477                           (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1478                           same_type == ZEND_OP1_TYPE(target) &&
1479                           same_var == VAR_NUM_EX(target->op1) &&
1480                           !target_block->protected) {
1481                    /* JMPZ(X, L), L: JMPZ(X, L2) -> JMPZ(X, L2) */
1482                    del_source(block, block->op2_to);
1483                    block->op2_to = target_block->op2_to;
1484                    ADD_SOURCE(block, block->op2_to);
1485                } else if (target_block->op1_to &&
1486                            target->opcode == ZEND_JMP &&
1487                            !target_block->protected) {
1488                    /* JMPZ(X, L), L: JMP(L2) -> JMPZ(X, L2) */
1489                    del_source(block, block->op2_to);
1490                    block->op2_to = target_block->op1_to;
1491                    ADD_SOURCE(block, block->op2_to);
1492                } else if (target_block->op2_to &&
1493                            target_block->ext_to &&
1494                            target->opcode == ZEND_JMPZNZ &&
1495                            (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1496                            same_type == ZEND_OP1_TYPE(target) &&
1497                            same_var == VAR_NUM_EX(target->op1) &&
1498                            !target_block->protected) {
1499                    /* JMPZ(X, L), L: JMPZNZ(X, L2, L3) -> JMPZ(X, L2) */
1500                    del_source(block, block->op2_to);
1501                    if (last_op->opcode == ZEND_JMPZ) {
1502                        block->op2_to = target_block->op2_to;
1503                    } else {
1504                        block->op2_to = target_block->ext_to;
1505                    }
1506                    ADD_SOURCE(block, block->op2_to);
1507                }
1508            }
1509
1510            if (block->follow_to &&
1511                (last_op->opcode == ZEND_JMPZ || last_op->opcode == ZEND_JMPNZ)) {
1512                zend_op *target;
1513                zend_op *target_end;
1514
1515                while (1) {
1516                    target = block->follow_to->start_opline;
1517                    target_end = block->follow_to->start_opline + block->follow_to->len;
1518                    while (target < target_end && target->opcode == ZEND_NOP) {
1519                        target++;
1520                    }
1521
1522                    /* next block is only NOP's */
1523                    if (target == target_end && ! block->follow_to->protected) {
1524                        del_source(block, block->follow_to);
1525                        block->follow_to = block->follow_to->follow_to;
1526                        ADD_SOURCE(block, block->follow_to);
1527                    } else {
1528                        break;
1529                    }
1530                }
1531                /* JMPZ(X,L1), JMP(L2) -> JMPZNZ(X,L1,L2) */
1532                if (target->opcode == ZEND_JMP &&
1533                    block->follow_to->op1_to &&
1534                    !block->follow_to->protected) {
1535                    del_source(block, block->follow_to);
1536                    if (last_op->opcode == ZEND_JMPZ) {
1537                        block->ext_to = block->follow_to->op1_to;
1538                        ADD_SOURCE(block, block->ext_to);
1539                    } else {
1540                        block->ext_to = block->op2_to;
1541                        block->op2_to = block->follow_to->op1_to;
1542                        ADD_SOURCE(block, block->op2_to);
1543                    }
1544                    block->follow_to = NULL;
1545                    last_op->opcode = ZEND_JMPZNZ;
1546                }
1547            }
1548            break;
1549
1550        case ZEND_JMPNZ_EX:
1551        case ZEND_JMPZ_EX:
1552            /* constant conditional JMPs */
1553            if (ZEND_OP1_TYPE(last_op) == IS_CONST) {
1554                int should_jmp = zend_is_true(&ZEND_OP1_LITERAL(last_op));
1555
1556                if (last_op->opcode == ZEND_JMPZ_EX) {
1557                    should_jmp = !should_jmp;
1558                }
1559                if (!should_jmp) {
1560                    /* T = JMPZ_EX(true,L)   -> T = QM_ASSIGN(true)
1561                     * T = JMPNZ_EX(false,L) -> T = QM_ASSIGN(false)
1562                     */
1563                    last_op->opcode = ZEND_QM_ASSIGN;
1564                    SET_UNUSED(last_op->op2);
1565                    del_source(block, block->op2_to);
1566                    block->op2_to = NULL;
1567                }
1568                break;
1569            }
1570
1571            if (block->op2_to) {
1572                zend_op *target, *target_end;
1573                char *same_t=NULL;
1574                zend_code_block *target_block;
1575                int var_num = op_array->last_var + op_array->T;
1576
1577                if (var_num <= 0) {
1578                    return;
1579                }
1580                same_t = cfg->same_t;
1581                memset(same_t, 0, var_num);
1582                same_t[VAR_NUM_EX(last_op->op1)] |= ZEND_OP1_TYPE(last_op);
1583                same_t[VAR_NUM_EX(last_op->result)] |= ZEND_RESULT_TYPE(last_op);
1584                target_block = block->op2_to;
1585next_target_ex:
1586                target = target_block->start_opline;
1587                target_end = target_block->start_opline + target_block->len;
1588                while (target < target_end && target->opcode == ZEND_NOP) {
1589                    target++;
1590                }
1591                /* next block is only NOP's */
1592                if (target == target_end) {
1593                    target_block = target_block->follow_to;
1594                    goto next_target_ex;
1595                } else if (target_block->op2_to &&
1596                           target->opcode == last_op->opcode-3 &&
1597                           (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1598                           (same_t[VAR_NUM_EX(target->op1)] & ZEND_OP1_TYPE(target)) != 0 &&
1599                           !target_block->protected) {
1600                    /* T = JMPZ_EX(X, L1), L1: JMPZ({X|T}, L2) -> T = JMPZ_EX(X, L2) */
1601                    del_source(block, block->op2_to);
1602                    block->op2_to = target_block->op2_to;
1603                    ADD_SOURCE(block, block->op2_to);
1604                } else if (target_block->op2_to &&
1605                           target->opcode == INV_EX_COND(last_op->opcode) &&
1606                           (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1607                           (same_t[VAR_NUM_EX(target->op1)] & ZEND_OP1_TYPE(target)) != 0 &&
1608                           !target_block->protected) {
1609                    /* T = JMPZ_EX(X, L1), L1: JMPNZ({X|T1}, L2) -> T = JMPZ_EX(X, L1+1) */
1610                    del_source(block, block->op2_to);
1611                    block->op2_to = target_block->follow_to;
1612                    ADD_SOURCE(block, block->op2_to);
1613                } else if (target_block->op2_to &&
1614                           target->opcode == INV_EX_COND_EX(last_op->opcode) &&
1615                           (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1616                           (same_t[VAR_NUM_EX(target->op1)] & ZEND_OP1_TYPE(target)) != 0 &&
1617                           (same_t[VAR_NUM_EX(target->result)] & ZEND_RESULT_TYPE(target)) != 0 &&
1618                           !target_block->protected) {
1619                    /* T = JMPZ_EX(X, L1), L1: T = JMPNZ_EX(T, L2) -> T = JMPZ_EX(X, L1+1) */
1620                    del_source(block, block->op2_to);
1621                    block->op2_to = target_block->follow_to;
1622                    ADD_SOURCE(block, block->op2_to);
1623                } else if (target_block->op2_to &&
1624                           target->opcode == last_op->opcode &&
1625                           (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1626                           (same_t[VAR_NUM_EX(target->op1)] & ZEND_OP1_TYPE(target)) != 0 &&
1627                           (same_t[VAR_NUM_EX(target->result)] & ZEND_RESULT_TYPE(target)) != 0 &&
1628                           !target_block->protected) {
1629                    /* T = JMPZ_EX(X, L1), L1: T = JMPZ({X|T}, L2) -> T = JMPZ_EX(X, L2) */
1630                    del_source(block, block->op2_to);
1631                    block->op2_to = target_block->op2_to;
1632                    ADD_SOURCE(block, block->op2_to);
1633                } else if (target_block->op1_to &&
1634                           target->opcode == ZEND_JMP &&
1635                           !target_block->protected) {
1636                    /* T = JMPZ_EX(X, L), L: JMP(L2) -> T = JMPZ(X, L2) */
1637                    del_source(block, block->op2_to);
1638                    block->op2_to = target_block->op1_to;
1639                    ADD_SOURCE(block, block->op2_to);
1640                } else if (target_block->op2_to &&
1641                           target_block->ext_to &&
1642                           target->opcode == ZEND_JMPZNZ &&
1643                           (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1644                           (same_t[VAR_NUM_EX(target->op1)] & ZEND_OP1_TYPE(target)) != 0 &&
1645                           !target_block->protected) {
1646                    /* T = JMPZ_EX(X, L), L: JMPZNZ({X|T}, L2, L3) -> T = JMPZ_EX(X, L2) */
1647                    del_source(block, block->op2_to);
1648                    if (last_op->opcode == ZEND_JMPZ_EX) {
1649                        block->op2_to = target_block->op2_to;
1650                    } else {
1651                        block->op2_to = target_block->ext_to;
1652                    }
1653                    ADD_SOURCE(block, block->op2_to);
1654                }
1655            }
1656            break;
1657
1658        case ZEND_JMPZNZ: {
1659            zend_code_block *next = block->next;
1660
1661            while (next && !next->access) {
1662                /* find first accessed one */
1663                next = next->next;
1664            }
1665
1666            if (ZEND_OP1_TYPE(last_op) == IS_CONST) {
1667                if (!zend_is_true(&ZEND_OP1_LITERAL(last_op))) {
1668                    /* JMPZNZ(false,L1,L2) -> JMP(L1) */
1669                    zend_code_block *todel;
1670
1671                    literal_dtor(&ZEND_OP1_LITERAL(last_op));
1672                    last_op->opcode = ZEND_JMP;
1673                    SET_UNUSED(last_op->op1);
1674                    SET_UNUSED(last_op->op2);
1675                    block->op1_to = block->op2_to;
1676                    todel = block->ext_to;
1677                    block->op2_to = NULL;
1678                    block->ext_to = NULL;
1679                    del_source(block, todel);
1680                } else {
1681                    /* JMPZNZ(true,L1,L2) -> JMP(L2) */
1682                    zend_code_block *todel;
1683
1684                    literal_dtor(&ZEND_OP1_LITERAL(last_op));
1685                    last_op->opcode = ZEND_JMP;
1686                    SET_UNUSED(last_op->op1);
1687                    SET_UNUSED(last_op->op2);
1688                    block->op1_to = block->ext_to;
1689                    todel =  block->op2_to;
1690                    block->op2_to = NULL;
1691                    block->ext_to = NULL;
1692                    del_source(block, todel);
1693                }
1694            } else if (block->op2_to == block->ext_to) {
1695                /* both goto the same one - it's JMP */
1696                if (!(last_op->op1_type & (IS_VAR|IS_TMP_VAR))) {
1697                    /* JMPZNZ(?,L,L) -> JMP(L) */
1698                    last_op->opcode = ZEND_JMP;
1699                    SET_UNUSED(last_op->op1);
1700                    SET_UNUSED(last_op->op2);
1701                    block->op1_to = block->op2_to;
1702                    block->op2_to = NULL;
1703                    block->ext_to = NULL;
1704                }
1705            } else if (block->op2_to == next) {
1706                /* jumping to next on Z - can follow to it and jump only on NZ */
1707                /* JMPZNZ(X,L1,L2) L1: -> JMPNZ(X,L2) */
1708                last_op->opcode = ZEND_JMPNZ;
1709                block->op2_to = block->ext_to;
1710                block->follow_to = next;
1711                block->ext_to = NULL;
1712                /* no need to add source - it's block->op2_to */
1713            } else if (block->ext_to == next) {
1714                /* jumping to next on NZ - can follow to it and jump only on Z */
1715                /* JMPZNZ(X,L1,L2) L2: -> JMPZ(X,L1) */
1716                last_op->opcode = ZEND_JMPZ;
1717                block->follow_to = next;
1718                block->ext_to = NULL;
1719                /* no need to add source - it's block->ext_to */
1720            }
1721
1722            if (last_op->opcode == ZEND_JMPZNZ && block->op2_to) {
1723                zend_uchar same_type = ZEND_OP1_TYPE(last_op);
1724                zend_uchar same_var = VAR_NUM_EX(last_op->op1);
1725                zend_op *target;
1726                zend_op *target_end;
1727                zend_code_block *target_block = block->op2_to;
1728
1729next_target_znz:
1730                target = target_block->start_opline;
1731                target_end = target_block->start_opline + target_block->len;
1732                while (target < target_end && target->opcode == ZEND_NOP) {
1733                    target++;
1734                }
1735                /* next block is only NOP's */
1736                if (target == target_end) {
1737                    target_block = target_block->follow_to;
1738                    goto next_target_znz;
1739                } else if (target_block->op2_to &&
1740                           (target->opcode == ZEND_JMPZ || target->opcode == ZEND_JMPZNZ) &&
1741                           (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1742                           same_type == ZEND_OP1_TYPE(target) &&
1743                           same_var == VAR_NUM_EX(target->op1) &&
1744                           !target_block->protected) {
1745                    /* JMPZNZ(X, L1, L2), L1: JMPZ(X, L3) -> JMPZNZ(X, L3, L2) */
1746                    del_source(block, block->op2_to);
1747                    block->op2_to = target_block->op2_to;
1748                    ADD_SOURCE(block, block->op2_to);
1749                } else if (target->opcode == ZEND_JMPNZ &&
1750                           (ZEND_OP1_TYPE(target) & (IS_TMP_VAR|IS_CV)) &&
1751                           same_type == ZEND_OP1_TYPE(target) &&
1752                           same_var == VAR_NUM_EX(target->op1) &&
1753                           target_block->follow_to &&
1754                           !target_block->protected) {
1755                    /* JMPZNZ(X, L1, L2), L1: X = JMPNZ(X, L3) -> JMPZNZ(X, L1+1, L2) */
1756                    del_source(block, block->op2_to);
1757                    block->op2_to = target_block->follow_to;
1758                    ADD_SOURCE(block, block->op2_to);
1759                } else if (target_block->op1_to &&
1760                           target->opcode == ZEND_JMP &&
1761                           !target_block->protected) {
1762                    /* JMPZNZ(X, L1, L2), L1: JMP(L3) -> JMPZNZ(X, L3, L2) */
1763                    del_source(block, block->op2_to);
1764                    block->op2_to = target_block->op1_to;
1765                    ADD_SOURCE(block, block->op2_to);
1766                }
1767            }
1768            break;
1769        }
1770    }
1771}
1772
1773/* Global data dependencies */
1774
1775#define T_USAGE(op) do { \
1776        if ((op ## _type & (IS_VAR | IS_TMP_VAR)) && \
1777           !defined_here[VAR_NUM(op.var)] && !used_ext[VAR_NUM(op.var)]) {  \
1778            used_ext[VAR_NUM(op.var)] = 1;                                  \
1779        } \
1780    } while (0)
1781
1782#define NEVER_USED(op) ((op ## _type & (IS_VAR | IS_TMP_VAR)) && !usage[VAR_NUM(op.var)]) /* !used_ext[op.var] && */
1783#define RES_NEVER_USED(opline) (opline->result_type == IS_UNUSED || NEVER_USED(opline->result))
1784
1785/* Find a set of variables which are used outside of the block where they are
1786 * defined. We won't apply some optimization patterns for such variables. */
1787static void zend_t_usage(zend_code_block *block, zend_op_array *op_array, char *used_ext, zend_optimizer_ctx *ctx)
1788{
1789    zend_code_block *next_block = block->next;
1790    char *usage;
1791    char *defined_here;
1792    void *checkpoint;
1793
1794    if (op_array->T == 0) {
1795        /* shortcut - if no Ts, nothing to do */
1796        return;
1797    }
1798
1799    checkpoint = zend_arena_checkpoint(ctx->arena);
1800    usage = zend_arena_alloc(&ctx->arena, op_array->last_var + op_array->T);
1801    memset(usage, 0, op_array->last_var + op_array->T);
1802    defined_here = zend_arena_alloc(&ctx->arena, op_array->last_var + op_array->T);
1803
1804    while (next_block) {
1805        zend_op *opline = next_block->start_opline;
1806        zend_op *end = opline + next_block->len;
1807
1808        if (!next_block->access) {
1809            next_block = next_block->next;
1810            continue;
1811        }
1812        memset(defined_here, 0, op_array->last_var + op_array->T);
1813
1814        while (opline<end) {
1815            T_USAGE(opline->op1);
1816            if (opline->op2_type & (IS_VAR | IS_TMP_VAR)) {
1817                if (opline->opcode == ZEND_FE_FETCH_R || opline->opcode == ZEND_FE_FETCH_RW) {
1818                    /* these opcode use the op2 as result */
1819                    defined_here[VAR_NUM(ZEND_OP2(opline).var)] = 1;
1820                } else {
1821                    T_USAGE(opline->op2);
1822                }
1823            }
1824
1825            if (RESULT_USED(opline)) {
1826                if (!defined_here[VAR_NUM(ZEND_RESULT(opline).var)] && !used_ext[VAR_NUM(ZEND_RESULT(opline).var)] &&
1827                    opline->opcode == ZEND_ADD_ARRAY_ELEMENT) {
1828                    /* these opcode use the result as argument */
1829                    used_ext[VAR_NUM(ZEND_RESULT(opline).var)] = 1;
1830                }
1831                defined_here[VAR_NUM(ZEND_RESULT(opline).var)] = 1;
1832            }
1833            opline++;
1834        }
1835        next_block = next_block->next;
1836    }
1837
1838#if DEBUG_BLOCKPASS
1839    {
1840        int i;
1841        for (i = op_array->last_var; i< op_array->T; i++) {
1842            fprintf(stderr, "T%d: %c\n", i, used_ext[i] + '0');
1843        }
1844    }
1845#endif
1846
1847    while (block) {
1848        zend_op *opline = block->start_opline + block->len - 1;
1849
1850        if (!block->access) {
1851            block = block->next;
1852            continue;
1853        }
1854
1855        memcpy(usage, used_ext, op_array->last_var + op_array->T);
1856
1857        while (opline >= block->start_opline) {
1858            /* usage checks */
1859            if (RES_NEVER_USED(opline)) {
1860                switch (opline->opcode) {
1861                    case ZEND_ASSIGN_ADD:
1862                    case ZEND_ASSIGN_SUB:
1863                    case ZEND_ASSIGN_MUL:
1864                    case ZEND_ASSIGN_DIV:
1865                    case ZEND_ASSIGN_MOD:
1866                    case ZEND_ASSIGN_SL:
1867                    case ZEND_ASSIGN_SR:
1868                    case ZEND_ASSIGN_CONCAT:
1869                    case ZEND_ASSIGN_BW_OR:
1870                    case ZEND_ASSIGN_BW_AND:
1871                    case ZEND_ASSIGN_BW_XOR:
1872                    case ZEND_PRE_INC:
1873                    case ZEND_PRE_DEC:
1874                    case ZEND_POST_INC:
1875                    case ZEND_POST_DEC:
1876                    case ZEND_ASSIGN:
1877                    case ZEND_ASSIGN_REF:
1878                    case ZEND_DO_FCALL:
1879                    case ZEND_DO_ICALL:
1880                    case ZEND_DO_UCALL:
1881                    case ZEND_DO_FCALL_BY_NAME:
1882                        if (ZEND_RESULT_TYPE(opline) == IS_VAR) {
1883                            ZEND_RESULT_TYPE(opline) |= EXT_TYPE_UNUSED;
1884                        }
1885                        break;
1886                    case ZEND_QM_ASSIGN:
1887                    case ZEND_BOOL:
1888                    case ZEND_BOOL_NOT:
1889                        if (ZEND_OP1_TYPE(opline) == IS_CONST) {
1890                            literal_dtor(&ZEND_OP1_LITERAL(opline));
1891                        }
1892                        MAKE_NOP(opline);
1893                        break;
1894                    case ZEND_JMPZ_EX:
1895                    case ZEND_JMPNZ_EX:
1896                        opline->opcode -= 3;
1897                        SET_UNUSED(opline->result);
1898                        break;
1899                }
1900            }
1901
1902            if (opline->opcode == ZEND_ADD_ARRAY_ELEMENT) {
1903                if (ZEND_OP1_TYPE(opline) == IS_VAR || ZEND_OP1_TYPE(opline) == IS_TMP_VAR) {
1904                    usage[VAR_NUM(ZEND_RESULT(opline).var)] = 1;
1905                }
1906            } else {
1907                if (RESULT_USED(opline)) {
1908                    usage[VAR_NUM(ZEND_RESULT(opline).var)] = 0;
1909                }
1910            }
1911
1912            if (ZEND_OP1_TYPE(opline) == IS_VAR || ZEND_OP1_TYPE(opline) == IS_TMP_VAR) {
1913                usage[VAR_NUM(ZEND_OP1(opline).var)] = 1;
1914            }
1915
1916            if (ZEND_OP2_TYPE(opline) == IS_VAR || ZEND_OP2_TYPE(opline) == IS_TMP_VAR) {
1917                usage[VAR_NUM(ZEND_OP2(opline).var)] = 1;
1918            }
1919
1920            if ((ZEND_RESULT_TYPE(opline) & IS_VAR) &&
1921                (ZEND_RESULT_TYPE(opline) & EXT_TYPE_UNUSED) &&
1922                usage[VAR_NUM(ZEND_RESULT(opline).var)]) {
1923                ZEND_RESULT_TYPE(opline) &= ~EXT_TYPE_UNUSED;
1924            }
1925
1926            opline--;
1927        }
1928        block = block->next;
1929    } /* end blocks */
1930
1931    zend_arena_release(&ctx->arena, checkpoint);
1932}
1933
1934#define PASSES 3
1935
1936void optimize_cfg(zend_op_array *op_array, zend_optimizer_ctx *ctx)
1937{
1938    zend_cfg cfg;
1939    zend_code_block *cur_block;
1940    int pass;
1941    char *usage;
1942    void *checkpoint;
1943
1944#if DEBUG_BLOCKPASS
1945    fprintf(stderr, "File %s func %s\n", op_array->filename, op_array->function_name? op_array->function_name : "main");
1946    fflush(stderr);
1947#endif
1948
1949    if (op_array->fn_flags & ZEND_ACC_HAS_FINALLY_BLOCK) {
1950        return;
1951    }
1952
1953    /* Build CFG */
1954    checkpoint = zend_arena_checkpoint(ctx->arena);
1955    if (!find_code_blocks(op_array, &cfg, ctx)) {
1956        zend_arena_release(&ctx->arena, checkpoint);
1957        return;
1958    }
1959
1960    zend_rebuild_access_path(&cfg, op_array, 0, ctx);
1961    /* full rebuild here to produce correct sources! */
1962    if (op_array->last_var || op_array->T) {
1963        cfg.Tsource = zend_arena_calloc(&ctx->arena, op_array->last_var + op_array->T, sizeof(zend_op *));
1964        cfg.same_t = zend_arena_alloc(&ctx->arena, op_array->last_var + op_array->T);
1965        usage = zend_arena_alloc(&ctx->arena, op_array->last_var + op_array->T);
1966    } else {
1967        cfg.Tsource = NULL;
1968        cfg.same_t = NULL;
1969        usage = NULL;
1970    }
1971    for (pass = 0; pass < PASSES; pass++) {
1972        /* Compute data dependencies */
1973        memset(usage, 0, op_array->last_var + op_array->T);
1974        zend_t_usage(cfg.blocks, op_array, usage, ctx);
1975
1976        /* optimize each basic block separately */
1977        for (cur_block = cfg.blocks; cur_block; cur_block = cur_block->next) {
1978            if (!cur_block->access) {
1979                continue;
1980            }
1981            zend_optimize_block(cur_block, op_array, usage, &cfg, ctx);
1982        }
1983
1984        /* Jump optimization for each block */
1985        for (cur_block = cfg.blocks; cur_block; cur_block = cur_block->next) {
1986            if (!cur_block->access) {
1987                continue;
1988            }
1989            zend_jmp_optimization(cur_block, op_array, cfg.blocks, &cfg, ctx);
1990        }
1991
1992        /* Eliminate unreachable basic blocks */
1993        zend_rebuild_access_path(&cfg, op_array, 1, ctx);
1994    }
1995
1996    memset(usage, 0, op_array->last_var + op_array->T);
1997    zend_t_usage(cfg.blocks, op_array, usage, ctx);
1998    assemble_code_blocks(&cfg, op_array);
1999
2000    /* Destroy CFG */
2001    zend_arena_release(&ctx->arena, checkpoint);
2002}
2003