/src/php-src/Zend/Optimizer/escape_analysis.c

Source
/*
   +----------------------------------------------------------------------+
   | Zend OPcache, Escape Analysis                                        |
   +----------------------------------------------------------------------+
   | Copyright (c) The PHP Group                                          |
   +----------------------------------------------------------------------+
   | This source file is subject to version 3.01 of the PHP license,      |
   | that is bundled with this package in the file LICENSE, and is        |
   | available through the world-wide-web at the following url:           |
   | https://www.php.net/license/3_01.txt                                 |
   | If you did not receive a copy of the PHP license and are unable to   |
   | obtain it through the world-wide-web, please send a note to          |
   | license@php.net so we can mail you a copy immediately.               |
   +----------------------------------------------------------------------+
   | Authors: Dmitry Stogov <dmitry@php.net>                              |
   +----------------------------------------------------------------------+
*/

#include "Optimizer/zend_optimizer.h"
#include "Optimizer/zend_optimizer_internal.h"
#include "zend_bitset.h"
#include "zend_cfg.h"
#include "zend_ssa.h"
#include "zend_inference.h"
#include "zend_dump.h"

/*
 * T. Kotzmann and H. Mossenbock. Escape analysis  in the context of dynamic
 * compilation and deoptimization. In Proceedings of the International
 * Conference on Virtual Execution Environments, pages 111-120, Chicago,
 * June 2005
 */

static zend_always_inline void union_find_init(int *parent, int *size, int count) /* {{{ */
{
  int i;

  for (i = 0; i < count; i++) {
    parent[i] = i;
    size[i] = 1;
  }
}
/* }}} */

static zend_always_inline int union_find_root(int *parent, int i) /* {{{ */
{
  int p = parent[i];

  while (i != p) {
    p = parent[p];
    parent[i] = p;
    i = p;
    p = parent[i];
  }
  return i;
}
/* }}} */

static zend_always_inline void union_find_unite(int *parent, int *size, int i, int j) /* {{{ */
{
  int r1 = union_find_root(parent, i);
  int r2 = union_find_root(parent, j);

  if (r1 != r2) {
    if (size[r1] < size[r2]) {
      parent[r1] = r2;
      size[r2] += size[r1];
    } else {
      parent[r2] = r1;
      size[r1] += size[r2];
    }
  }
}
/* }}} */

static zend_result zend_build_equi_escape_sets(int *parent, zend_op_array *op_array, zend_ssa *ssa) /* {{{ */
{
  zend_ssa_var *ssa_vars = ssa->vars;
  int ssa_vars_count = ssa->vars_count;
  zend_ssa_phi *p;
  int i, j;
  int *size;
  ALLOCA_FLAG(use_heap)

  size = do_alloca(sizeof(int) * ssa_vars_count, use_heap);
  if (!size) {
    return FAILURE;
  }
  union_find_init(parent, size, ssa_vars_count);

  for (i = 0; i < ssa_vars_count; i++) {
    if (ssa_vars[i].definition_phi) {
      p = ssa_vars[i].definition_phi;
      if (p->pi >= 0) {
        union_find_unite(parent, size, i, p->sources[0]);
      } else {
        for (j = 0; j < ssa->cfg.blocks[p->block].predecessors_count; j++) {
          union_find_unite(parent, size, i, p->sources[j]);
        }
      }
    } else if (ssa_vars[i].definition >= 0) {
      int def = ssa_vars[i].definition;
      zend_ssa_op *op = ssa->ops + def;
      zend_op *opline =  op_array->opcodes + def;

      if (op->op1_def >= 0) {
        if (op->op1_use >= 0) {
          if (opline->opcode != ZEND_ASSIGN) {
            union_find_unite(parent, size, op->op1_def, op->op1_use);
          }
        }
        if (opline->opcode == ZEND_ASSIGN && op->op2_use >= 0) {
          union_find_unite(parent, size, op->op1_def, op->op2_use);
        }
      }
      if (op->op2_def >= 0) {
        if (op->op2_use >= 0) {
          union_find_unite(parent, size, op->op2_def, op->op2_use);
        }
      }
      if (op->result_def >= 0) {
        if (op->result_use >= 0) {
          if (opline->opcode != ZEND_QM_ASSIGN) {
            union_find_unite(parent, size, op->result_def, op->result_use);
          }
        }
        if (opline->opcode == ZEND_QM_ASSIGN && op->op1_use >= 0) {
          union_find_unite(parent, size, op->result_def, op->op1_use);
        }
        if (opline->opcode == ZEND_ASSIGN && op->op2_use >= 0) {
          union_find_unite(parent, size, op->result_def, op->op2_use);
        }
        if (opline->opcode == ZEND_ASSIGN && op->op1_def >= 0) {
          union_find_unite(parent, size, op->result_def, op->op1_def);
        }
      }
    }
  }

  for (i = 0; i < ssa_vars_count; i++) {
    parent[i] = union_find_root(parent, i);
  }

  free_alloca(size, use_heap);

  return SUCCESS;
}
/* }}} */

static bool is_allocation_def(zend_op_array *op_array, zend_ssa *ssa, int def, int var, const zend_script *script) /* {{{ */
{
  zend_ssa_op *ssa_op = ssa->ops + def;
  zend_op *opline = op_array->opcodes + def;

  if (ssa_op->result_def == var) {
    switch (opline->opcode) {
      case ZEND_INIT_ARRAY:
        return true;
      case ZEND_NEW: {
          /* objects with destructors should escape */
        zend_class_entry *ce = zend_optimizer_get_class_entry_from_op1(
          script, op_array, opline);
        uint32_t forbidden_flags =
          /* These flags will always cause an exception */
          ZEND_ACC_IMPLICIT_ABSTRACT_CLASS | ZEND_ACC_EXPLICIT_ABSTRACT_CLASS
          | ZEND_ACC_INTERFACE | ZEND_ACC_TRAIT;
        if (ce
         && !ce->parent
         && !ce->create_object
         && ce->default_object_handlers->get_constructor == zend_std_get_constructor
         && ce->default_object_handlers->dtor_obj == zend_objects_destroy_object
         && !ce->constructor
         && !ce->destructor
         && !ce->__get
         && !ce->__set
         && !(ce->ce_flags & forbidden_flags)
         && (ce->ce_flags & ZEND_ACC_CONSTANTS_UPDATED)) {
          return true;
        }
        break;
      }
      case ZEND_QM_ASSIGN:
        if (opline->op1_type == IS_CONST
         && Z_TYPE_P(CRT_CONSTANT(opline->op1)) == IS_ARRAY) {
          return true;
        }
        if (opline->op1_type == IS_CV && (OP1_INFO() & MAY_BE_ARRAY)) {
          return true;
        }
        break;
      case ZEND_ASSIGN:
        if (opline->op1_type == IS_CV && (OP1_INFO() & MAY_BE_ARRAY)) {
          return true;
        }
        break;
    }
  } else if (ssa_op->op1_def == var) {
    switch (opline->opcode) {
      case ZEND_ASSIGN:
        if (opline->op2_type == IS_CONST
         && Z_TYPE_P(CRT_CONSTANT(opline->op2)) == IS_ARRAY) {
          return true;
        }
        if (opline->op2_type == IS_CV && (OP2_INFO() & MAY_BE_ARRAY)) {
          return true;
        }
        break;
      case ZEND_ASSIGN_DIM:
        if (OP1_INFO() & (MAY_BE_UNDEF | MAY_BE_NULL | MAY_BE_FALSE)) {
          /* implicit object/array allocation */
          return true;
        }
        break;
    }
  }

  return false;
}
/* }}} */

static bool is_local_def(zend_op_array *op_array, zend_ssa *ssa, int def, int var, const zend_script *script) /* {{{ */
{
  zend_ssa_op *op = ssa->ops + def;
  zend_op *opline = op_array->opcodes + def;

  if (op->result_def == var) {
    switch (opline->opcode) {
      case ZEND_INIT_ARRAY:
      case ZEND_ADD_ARRAY_ELEMENT:
      case ZEND_QM_ASSIGN:
      case ZEND_ASSIGN:
        return true;
      case ZEND_NEW: {
        /* objects with destructors should escape */
        zend_class_entry *ce = zend_optimizer_get_class_entry_from_op1(
          script, op_array, opline);
        if (ce
         && !ce->create_object
         && ce->default_object_handlers->get_constructor == zend_std_get_constructor
         && ce->default_object_handlers->dtor_obj == zend_objects_destroy_object
         && !ce->constructor
         && !ce->destructor
         && !ce->__get
         && !ce->__set
         && !ce->parent) {
          return true;
        }
        break;
      }
    }
  } else if (op->op1_def == var) {
    switch (opline->opcode) {
      case ZEND_ASSIGN:
      case ZEND_ASSIGN_DIM:
      case ZEND_ASSIGN_OBJ:
      case ZEND_ASSIGN_OBJ_REF:
      case ZEND_ASSIGN_DIM_OP:
      case ZEND_ASSIGN_OBJ_OP:
      case ZEND_PRE_INC_OBJ:
      case ZEND_PRE_DEC_OBJ:
      case ZEND_POST_INC_OBJ:
      case ZEND_POST_DEC_OBJ:
        return true;
    }
  }

  return false;
}
/* }}} */

static bool is_escape_use(zend_op_array *op_array, zend_ssa *ssa, int use, int var) /* {{{ */
{
  zend_ssa_op *ssa_op = ssa->ops + use;
  zend_op *opline = op_array->opcodes + use;

  if (ssa_op->op1_use == var) {
    switch (opline->opcode) {
      case ZEND_ASSIGN:
        /* no_val */
        break;
      case ZEND_QM_ASSIGN:
        if (opline->op1_type == IS_CV) {
          if (OP1_INFO() & MAY_BE_OBJECT) {
            /* object aliasing */
            return true;
          }
        }
        break;
      case ZEND_ISSET_ISEMPTY_DIM_OBJ:
      case ZEND_ISSET_ISEMPTY_PROP_OBJ:
      case ZEND_FETCH_DIM_R:
      case ZEND_FETCH_OBJ_R:
      case ZEND_FETCH_DIM_IS:
      case ZEND_FETCH_OBJ_IS:
        break;
      case ZEND_ASSIGN_OP:
        return true;
      case ZEND_ASSIGN_DIM_OP:
      case ZEND_ASSIGN_OBJ_OP:
      case ZEND_ASSIGN_STATIC_PROP_OP:
      case ZEND_ASSIGN_DIM:
      case ZEND_ASSIGN_OBJ:
      case ZEND_ASSIGN_OBJ_REF:
        break;
      case ZEND_PRE_INC_OBJ:
      case ZEND_PRE_DEC_OBJ:
      case ZEND_POST_INC_OBJ:
      case ZEND_POST_DEC_OBJ:
        break;
      case ZEND_INIT_ARRAY:
      case ZEND_ADD_ARRAY_ELEMENT:
        if (opline->extended_value & ZEND_ARRAY_ELEMENT_REF) {
          return true;
        }
        if (OP1_INFO() & MAY_BE_OBJECT) {
          /* object aliasing */
          return true;
        }
        /* reference dependencies processed separately */
        break;
      case ZEND_OP_DATA:
        if ((opline-1)->opcode != ZEND_ASSIGN_DIM
         && (opline-1)->opcode != ZEND_ASSIGN_OBJ) {
          return true;
        }
        if (OP1_INFO() & MAY_BE_OBJECT) {
          /* object aliasing */
          return true;
        }
        opline--;
        ssa_op--;
        if (opline->op1_type != IS_CV
         || (OP1_INFO() & MAY_BE_REF)
         || (ssa_op->op1_def >= 0 && ssa->vars[ssa_op->op1_def].alias)) {
          /* assignment into escaping structure */
          return true;
        }
        /* reference dependencies processed separately */
        break;
      default:
        return true;
    }
  }

  if (ssa_op->op2_use == var) {
    switch (opline->opcode) {
      case ZEND_ASSIGN:
        if (opline->op1_type != IS_CV
         || (OP1_INFO() & MAY_BE_REF)
         || (ssa_op->op1_def >= 0 && ssa->vars[ssa_op->op1_def].alias)) {
          /* assignment into escaping variable */
          return true;
        }
        if (opline->op2_type == IS_CV || opline->result_type != IS_UNUSED) {
          if (OP2_INFO() & MAY_BE_OBJECT) {
            /* object aliasing */
            return true;
          }
        }
        break;
      default:
        return true;
    }
  }

  if (ssa_op->result_use == var) {
    switch (opline->opcode) {
      case ZEND_ASSIGN:
      case ZEND_QM_ASSIGN:
      case ZEND_INIT_ARRAY:
      case ZEND_ADD_ARRAY_ELEMENT:
        break;
      default:
        return true;
    }
  }

  return false;
}
/* }}} */

zend_result zend_ssa_escape_analysis(const zend_script *script, zend_op_array *op_array, zend_ssa *ssa) /* {{{ */
{
  zend_ssa_var *ssa_vars = ssa->vars;
  int ssa_vars_count = ssa->vars_count;
  int i, root, use;
  int *ees;
  bool has_allocations;
  int num_non_escaped;
  ALLOCA_FLAG(use_heap)

  if (!ssa_vars) {
    return SUCCESS;
  }

  has_allocations = false;
  for (i = op_array->last_var; i < ssa_vars_count; i++) {
    if (ssa_vars[i].definition >= 0
      && (ssa->var_info[i].type & (MAY_BE_ARRAY|MAY_BE_OBJECT))
      && is_allocation_def(op_array, ssa, ssa_vars[i].definition, i, script)) {
      has_allocations = true;
      break;
    }
  }
  if (!has_allocations) {
    return SUCCESS;
  }


  /* 1. Build EES (Equi-Escape Sets) */
  ees = do_alloca(sizeof(int) * ssa_vars_count, use_heap);
  if (!ees) {
    return FAILURE;
  }

  if (zend_build_equi_escape_sets(ees, op_array, ssa) == FAILURE) {
    free_alloca(ees, use_heap);
    return FAILURE;
  }

  /* 2. Identify Allocations */
  num_non_escaped = 0;
  for (i = op_array->last_var; i < ssa_vars_count; i++) {
    root = ees[i];
    if (ssa_vars[root].escape_state > ESCAPE_STATE_NO_ESCAPE) {
      /* already escape. skip */
    } else if (ssa_vars[i].alias && (ssa->var_info[i].type & MAY_BE_REF)) {
      if (ssa_vars[root].escape_state == ESCAPE_STATE_NO_ESCAPE) {
        num_non_escaped--;
      }
      ssa_vars[root].escape_state = ESCAPE_STATE_GLOBAL_ESCAPE;
    } else if (ssa_vars[i].definition >= 0
       && (ssa->var_info[i].type & (MAY_BE_ARRAY|MAY_BE_OBJECT))) {
      if (!is_local_def(op_array, ssa, ssa_vars[i].definition, i, script)) {
        if (ssa_vars[root].escape_state == ESCAPE_STATE_NO_ESCAPE) {
          num_non_escaped--;
        }
        ssa_vars[root].escape_state = ESCAPE_STATE_GLOBAL_ESCAPE;
      } else if (ssa_vars[root].escape_state == ESCAPE_STATE_UNKNOWN
       && is_allocation_def(op_array, ssa, ssa_vars[i].definition, i, script)) {
        ssa_vars[root].escape_state = ESCAPE_STATE_NO_ESCAPE;
        num_non_escaped++;
      }
    }
  }

  /* 3. Mark escaped EES */
  if (num_non_escaped) {
    for (i = 0; i < ssa_vars_count; i++) {
      if (ssa_vars[i].use_chain >= 0) {
        root = ees[i];
        if (ssa_vars[root].escape_state == ESCAPE_STATE_NO_ESCAPE) {
          FOREACH_USE(ssa_vars + i, use) {
            if (is_escape_use(op_array, ssa, use, i)) {
              ssa_vars[root].escape_state = ESCAPE_STATE_GLOBAL_ESCAPE;
              num_non_escaped--;
              if (num_non_escaped == 0) {
                i = ssa_vars_count;
              }
              break;
            }
          } FOREACH_USE_END();
        }
      }
    }
  }

  /* 4. Process referential dependencies */
  if (num_non_escaped) {
    bool changed;

    do {
      changed = false;
      for (i = 0; i < ssa_vars_count; i++) {
        if (ssa_vars[i].use_chain >= 0) {
          root = ees[i];
          if (ssa_vars[root].escape_state == ESCAPE_STATE_NO_ESCAPE) {
            FOREACH_USE(ssa_vars + i, use) {
              zend_ssa_op *op = ssa->ops + use;
              zend_op *opline = op_array->opcodes + use;
              int enclosing_root;

              if (opline->opcode == ZEND_OP_DATA &&
                  ((opline-1)->opcode == ZEND_ASSIGN_DIM ||
                   (opline-1)->opcode == ZEND_ASSIGN_OBJ ||
                   (opline-1)->opcode == ZEND_ASSIGN_OBJ_REF) &&
                  op->op1_use == i &&
                  (op-1)->op1_use >= 0) {
                enclosing_root = ees[(op-1)->op1_use];
              } else if ((opline->opcode == ZEND_INIT_ARRAY ||
                   opline->opcode == ZEND_ADD_ARRAY_ELEMENT) &&
                  op->op1_use == i &&
                  op->result_def >= 0) {
                enclosing_root = ees[op->result_def];
              } else {
                continue;
              }

              if (ssa_vars[enclosing_root].escape_state == ESCAPE_STATE_UNKNOWN ||
                  ssa_vars[enclosing_root].escape_state > ssa_vars[root].escape_state) {
                  if (ssa_vars[enclosing_root].escape_state == ESCAPE_STATE_UNKNOWN) {
                  ssa_vars[root].escape_state = ESCAPE_STATE_GLOBAL_ESCAPE;
                  } else {
                  ssa_vars[root].escape_state = ssa_vars[enclosing_root].escape_state;
                }
                if (ssa_vars[root].escape_state == ESCAPE_STATE_GLOBAL_ESCAPE) {
                  num_non_escaped--;
                  if (num_non_escaped == 0) {
                    changed = false;
                  } else {
                    changed = true;
                  }
                  break;
                } else {
                  changed = true;
                }
              }
            } FOREACH_USE_END();
          }
        }
      }
    } while (changed);
  }

  /* 5. Propagate values of escape sets to variables */
  for (i = 0; i < ssa_vars_count; i++) {
    root = ees[i];
    if (i != root) {
      ssa_vars[i].escape_state = ssa_vars[root].escape_state;
    }
  }

  free_alloca(ees, use_heap);

  return SUCCESS;
}
/* }}} */

Coverage Report

Created: 2026-01-18 06:49

Line	Count	Source
1		/*
2		+----------------------------------------------------------------------+
3		\| Zend OPcache, Escape Analysis \|
4		+----------------------------------------------------------------------+
5		\| Copyright (c) The PHP Group \|
6		+----------------------------------------------------------------------+
7		\| This source file is subject to version 3.01 of the PHP license, \|
8		\| that is bundled with this package in the file LICENSE, and is \|
9		\| available through the world-wide-web at the following url: \|
10		\| https://www.php.net/license/3_01.txt \|
11		\| If you did not receive a copy of the PHP license and are unable to \|
12		\| obtain it through the world-wide-web, please send a note to \|
13		\| license@php.net so we can mail you a copy immediately. \|
14		+----------------------------------------------------------------------+
15		\| Authors: Dmitry Stogov <dmitry@php.net> \|
16		+----------------------------------------------------------------------+
17		*/
18
19		#include "Optimizer/zend_optimizer.h"
20		#include "Optimizer/zend_optimizer_internal.h"
21		#include "zend_bitset.h"
22		#include "zend_cfg.h"
23		#include "zend_ssa.h"
24		#include "zend_inference.h"
25		#include "zend_dump.h"
26
27		/*
28		* T. Kotzmann and H. Mossenbock. Escape analysis in the context of dynamic
29		* compilation and deoptimization. In Proceedings of the International
30		* Conference on Virtual Execution Environments, pages 111-120, Chicago,
31		* June 2005
32		*/
33
34		static zend_always_inline void union_find_init(int parent, int size, int count) /* {{{ */
35	20	{
36	20	int i;
37
38	16.7k	for (i = 0; i < count; i++) {
39	16.6k	parent[i] = i;
40	16.6k	size[i] = 1;
41	16.6k	}
42	20	}
43		/* }}} */
44
45		static zend_always_inline int union_find_root(int parent, int i) / {{{ */
46	34.9k	{
47	34.9k	int p = parent[i];
48
49	49.3k	while (i != p) {
50	14.4k	p = parent[p];
51	14.4k	parent[i] = p;
52	14.4k	i = p;
53	14.4k	p = parent[i];
54	14.4k	}
55	34.9k	return i;
56	34.9k	}
57		/* }}} */
58
59		static zend_always_inline void union_find_unite(int parent, int size, int i, int j) /* {{{ */
60	9.11k	{
61	9.11k	int r1 = union_find_root(parent, i);
62	9.11k	int r2 = union_find_root(parent, j);
63
64	9.11k	if (r1 != r2) {
65	7.07k	if (size[r1] < size[r2]) {
66	3.38k	parent[r1] = r2;
67	3.38k	size[r2] += size[r1];
68	3.69k	} else {
69	3.69k	parent[r2] = r1;
70	3.69k	size[r1] += size[r2];
71	3.69k	}
72	7.07k	}
73	9.11k	}
74		/* }}} */
75
76		static zend_result zend_build_equi_escape_sets(int parent, zend_op_array op_array, zend_ssa ssa) / {{{ */
77	20	{
78	20	zend_ssa_var *ssa_vars = ssa->vars;
79	20	int ssa_vars_count = ssa->vars_count;
80	20	zend_ssa_phi *p;
81	20	int i, j;
82	20	int *size;
83	20	ALLOCA_FLAG(use_heap)
84
85	20	size = do_alloca(sizeof(int) * ssa_vars_count, use_heap);
86	20	if (!size) {
87	0	return FAILURE;
88	0	}
89	20	union_find_init(parent, size, ssa_vars_count);
90
91	16.7k	for (i = 0; i < ssa_vars_count; i++) {
92	16.6k	if (ssa_vars[i].definition_phi) {
93	4.51k	p = ssa_vars[i].definition_phi;
94	4.51k	if (p->pi >= 0) {
95	1.41k	union_find_unite(parent, size, i, p->sources[0]);
96	3.10k	} else {
97	9.31k	for (j = 0; j < ssa->cfg.blocks[p->block].predecessors_count; j++) {
98	6.20k	union_find_unite(parent, size, i, p->sources[j]);
99	6.20k	}
100	3.10k	}
101	12.1k	} else if (ssa_vars[i].definition >= 0) {
102	11.7k	int def = ssa_vars[i].definition;
103	11.7k	zend_ssa_op *op = ssa->ops + def;
104	11.7k	zend_op *opline = op_array->opcodes + def;
105
106	11.7k	if (op->op1_def >= 0) {
107	964	if (op->op1_use >= 0) {
108	964	if (opline->opcode != ZEND_ASSIGN) {
109	489	union_find_unite(parent, size, op->op1_def, op->op1_use);
110	489	}
111	964	}
112	964	if (opline->opcode == ZEND_ASSIGN && op->op2_use >= 0) {
113	316	union_find_unite(parent, size, op->op1_def, op->op2_use);
114	316	}
115	964	}
116	11.7k	if (op->op2_def >= 0) {
117	42	if (op->op2_use >= 0) {
118	42	union_find_unite(parent, size, op->op2_def, op->op2_use);
119	42	}
120	42	}
121	11.7k	if (op->result_def >= 0) {
122	11.3k	if (op->result_use >= 0) {
123	194	if (opline->opcode != ZEND_QM_ASSIGN) {
124	194	union_find_unite(parent, size, op->result_def, op->result_use);
125	194	}
126	194	}
127	11.3k	if (opline->opcode == ZEND_QM_ASSIGN && op->op1_use >= 0) {
128	82	union_find_unite(parent, size, op->result_def, op->op1_use);
129	82	}
130	11.3k	if (opline->opcode == ZEND_ASSIGN && op->op2_use >= 0) {
131	152	union_find_unite(parent, size, op->result_def, op->op2_use);
132	152	}
133	11.3k	if (opline->opcode == ZEND_ASSIGN && op->op1_def >= 0) {
134	220	union_find_unite(parent, size, op->result_def, op->op1_def);
135	220	}
136	11.3k	}
137	11.7k	}
138	16.6k	}
139
140	16.7k	for (i = 0; i < ssa_vars_count; i++) {
141	16.6k	parent[i] = union_find_root(parent, i);
142	16.6k	}
143
144	20	free_alloca(size, use_heap);
145
146	20	return SUCCESS;
147	20	}
148		/* }}} */
149
150		static bool is_allocation_def(zend_op_array op_array, zend_ssa ssa, int def, int var, const zend_script script) / {{{ */
151	1.75k	{
152	1.75k	zend_ssa_op *ssa_op = ssa->ops + def;
153	1.75k	zend_op *opline = op_array->opcodes + def;
154
155	1.75k	if (ssa_op->result_def == var) {
156	1.48k	switch (opline->opcode) {
157	23	case ZEND_INIT_ARRAY:
158	23	return true;
159	130	case ZEND_NEW: {
160		/* objects with destructors should escape */
161	130	zend_class_entry *ce = zend_optimizer_get_class_entry_from_op1(
162	130	script, op_array, opline);
163	130	uint32_t forbidden_flags =
164		/* These flags will always cause an exception */
165	130	ZEND_ACC_IMPLICIT_ABSTRACT_CLASS \| ZEND_ACC_EXPLICIT_ABSTRACT_CLASS
166	130	\| ZEND_ACC_INTERFACE \| ZEND_ACC_TRAIT;
167	130	if (ce
168	129	&& !ce->parent
169	129	&& !ce->create_object
170	115	&& ce->default_object_handlers->get_constructor == zend_std_get_constructor
171	115	&& ce->default_object_handlers->dtor_obj == zend_objects_destroy_object
172	115	&& !ce->constructor
173	115	&& !ce->destructor
174	38	&& !ce->__get
175	38	&& !ce->__set
176	38	&& !(ce->ce_flags & forbidden_flags)
177	38	&& (ce->ce_flags & ZEND_ACC_CONSTANTS_UPDATED)) {
178	38	return true;
179	38	}
180	92	break;
181	130	}
182	92	case ZEND_QM_ASSIGN:
183	0	if (opline->op1_type == IS_CONST
184	0	&& Z_TYPE_P(CRT_CONSTANT(opline->op1)) == IS_ARRAY) {
185	0	return true;
186	0	}
187	0	if (opline->op1_type == IS_CV && (OP1_INFO() & MAY_BE_ARRAY)) {
188	0	return true;
189	0	}
190	0	break;
191	1	case ZEND_ASSIGN:
192	1	if (opline->op1_type == IS_CV && (OP1_INFO() & MAY_BE_ARRAY)) {
193	0	return true;
194	0	}
195	1	break;
196	1.48k	}
197	1.48k	} else if (ssa_op->op1_def == var) {
198	257	switch (opline->opcode) {
199	128	case ZEND_ASSIGN:
200	128	if (opline->op2_type == IS_CONST
201	7	&& Z_TYPE_P(CRT_CONSTANT(opline->op2)) == IS_ARRAY) {
202	0	return true;
203	0	}
204	128	if (opline->op2_type == IS_CV && (OP2_INFO() & MAY_BE_ARRAY)) {
205	1	return true;
206	1	}
207	127	break;
208	127	case ZEND_ASSIGN_DIM:
209	14	if (OP1_INFO() & (MAY_BE_UNDEF \| MAY_BE_NULL \| MAY_BE_FALSE)) {
210		/* implicit object/array allocation */
211	14	return true;
212	14	}
213	0	break;
214	257	}
215	257	}
216
217	1.67k	return false;
218	1.75k	}
219		/* }}} */
220
221		static bool is_local_def(zend_op_array op_array, zend_ssa ssa, int def, int var, const zend_script script) / {{{ */
222	1.91k	{
223	1.91k	zend_ssa_op *op = ssa->ops + def;
224	1.91k	zend_op *opline = op_array->opcodes + def;
225
226	1.91k	if (op->result_def == var) {
227	1.76k	switch (opline->opcode) {
228	16	case ZEND_INIT_ARRAY:
229	210	case ZEND_ADD_ARRAY_ELEMENT:
230	210	case ZEND_QM_ASSIGN:
231	215	case ZEND_ASSIGN:
232	215	return true;
233	36	case ZEND_NEW: {
234		/* objects with destructors should escape */
235	36	zend_class_entry *ce = zend_optimizer_get_class_entry_from_op1(
236	36	script, op_array, opline);
237	36	if (ce
238	36	&& !ce->create_object
239	30	&& ce->default_object_handlers->get_constructor == zend_std_get_constructor
240	30	&& ce->default_object_handlers->dtor_obj == zend_objects_destroy_object
241	30	&& !ce->constructor
242	30	&& !ce->destructor
243	30	&& !ce->__get
244	30	&& !ce->__set
245	30	&& !ce->parent) {
246	30	return true;
247	30	}
248	6	break;
249	36	}
250	1.76k	}
251	1.76k	} else if (op->op1_def == var) {
252	140	switch (opline->opcode) {
253	42	case ZEND_ASSIGN:
254	58	case ZEND_ASSIGN_DIM:
255	88	case ZEND_ASSIGN_OBJ:
256	88	case ZEND_ASSIGN_OBJ_REF:
257	88	case ZEND_ASSIGN_DIM_OP:
258	88	case ZEND_ASSIGN_OBJ_OP:
259	88	case ZEND_PRE_INC_OBJ:
260	88	case ZEND_PRE_DEC_OBJ:
261	88	case ZEND_POST_INC_OBJ:
262	88	case ZEND_POST_DEC_OBJ:
263	88	return true;
264	140	}
265	140	}
266
267	1.57k	return false;
268	1.91k	}
269		/* }}} */
270
271		static bool is_escape_use(zend_op_array op_array, zend_ssa ssa, int use, int var) /* {{{ */
272	84	{
273	84	zend_ssa_op *ssa_op = ssa->ops + use;
274	84	zend_op *opline = op_array->opcodes + use;
275
276	84	if (ssa_op->op1_use == var) {
277	37	switch (opline->opcode) {
278	6	case ZEND_ASSIGN:
279		/* no_val */
280	6	break;
281	0	case ZEND_QM_ASSIGN:
282	0	if (opline->op1_type == IS_CV) {
283	0	if (OP1_INFO() & MAY_BE_OBJECT) {
284		/* object aliasing */
285	0	return true;
286	0	}
287	0	}
288	0	break;
289	0	case ZEND_ISSET_ISEMPTY_DIM_OBJ:
290	0	case ZEND_ISSET_ISEMPTY_PROP_OBJ:
291	0	case ZEND_FETCH_DIM_R:
292	0	case ZEND_FETCH_OBJ_R:
293	0	case ZEND_FETCH_DIM_IS:
294	0	case ZEND_FETCH_OBJ_IS:
295	0	break;
296	0	case ZEND_ASSIGN_OP:
297	0	return true;
298	0	case ZEND_ASSIGN_DIM_OP:
299	0	case ZEND_ASSIGN_OBJ_OP:
300	0	case ZEND_ASSIGN_STATIC_PROP_OP:
301	16	case ZEND_ASSIGN_DIM:
302	22	case ZEND_ASSIGN_OBJ:
303	22	case ZEND_ASSIGN_OBJ_REF:
304	22	break;
305	0	case ZEND_PRE_INC_OBJ:
306	0	case ZEND_PRE_DEC_OBJ:
307	0	case ZEND_POST_INC_OBJ:
308	0	case ZEND_POST_DEC_OBJ:
309	0	break;
310	0	case ZEND_INIT_ARRAY:
311	0	case ZEND_ADD_ARRAY_ELEMENT:
312	0	if (opline->extended_value & ZEND_ARRAY_ELEMENT_REF) {
313	0	return true;
314	0	}
315	0	if (OP1_INFO() & MAY_BE_OBJECT) {
316		/* object aliasing */
317	0	return true;
318	0	}
319		/* reference dependencies processed separately */
320	0	break;
321	0	case ZEND_OP_DATA:
322	0	if ((opline-1)->opcode != ZEND_ASSIGN_DIM
323	0	&& (opline-1)->opcode != ZEND_ASSIGN_OBJ) {
324	0	return true;
325	0	}
326	0	if (OP1_INFO() & MAY_BE_OBJECT) {
327		/* object aliasing */
328	0	return true;
329	0	}
330	0	opline--;
331	0	ssa_op--;
332	0	if (opline->op1_type != IS_CV
333	0	\|\| (OP1_INFO() & MAY_BE_REF)
334	0	\|\| (ssa_op->op1_def >= 0 && ssa->vars[ssa_op->op1_def].alias)) {
335		/* assignment into escaping structure */
336	0	return true;
337	0	}
338		/* reference dependencies processed separately */
339	0	break;
340	9	default:
341	9	return true;
342	37	}
343	37	}
344
345	75	if (ssa_op->op2_use == var) {
346	15	switch (opline->opcode) {
347	15	case ZEND_ASSIGN:
348	15	if (opline->op1_type != IS_CV
349	15	\|\| (OP1_INFO() & MAY_BE_REF)
350	9	\|\| (ssa_op->op1_def >= 0 && ssa->vars[ssa_op->op1_def].alias)) {
351		/* assignment into escaping variable */
352	9	return true;
353	9	}
354	6	if (opline->op2_type == IS_CV \|\| opline->result_type != IS_UNUSED) {
355	0	if (OP2_INFO() & MAY_BE_OBJECT) {
356		/* object aliasing */
357	0	return true;
358	0	}
359	0	}
360	6	break;
361	6	default:
362	0	return true;
363	15	}
364	15	}
365
366	66	if (ssa_op->result_use == var) {
367	32	switch (opline->opcode) {
368	0	case ZEND_ASSIGN:
369	0	case ZEND_QM_ASSIGN:
370	0	case ZEND_INIT_ARRAY:
371	32	case ZEND_ADD_ARRAY_ELEMENT:
372	32	break;
373	0	default:
374	0	return true;
375	32	}
376	32	}
377
378	66	return false;
379	66	}
380		/* }}} */
381
382		zend_result zend_ssa_escape_analysis(const zend_script script, zend_op_array op_array, zend_ssa ssa) / {{{ */
383	191	{
384	191	zend_ssa_var *ssa_vars = ssa->vars;
385	191	int ssa_vars_count = ssa->vars_count;
386	191	int i, root, use;
387	191	int *ees;
388	191	bool has_allocations;
389	191	int num_non_escaped;
390	191	ALLOCA_FLAG(use_heap)
391
392	191	if (!ssa_vars) {
393	0	return SUCCESS;
394	0	}
395
396	191	has_allocations = false;
397	16.7k	for (i = op_array->last_var; i < ssa_vars_count; i++) {
398	16.5k	if (ssa_vars[i].definition >= 0
399	13.1k	&& (ssa->var_info[i].type & (MAY_BE_ARRAY\|MAY_BE_OBJECT))
400	1.69k	&& is_allocation_def(op_array, ssa, ssa_vars[i].definition, i, script)) {
401	20	has_allocations = true;
402	20	break;
403	20	}
404	16.5k	}
405	191	if (!has_allocations) {
406	171	return SUCCESS;
407	171	}
408
409
410		/* 1. Build EES (Equi-Escape Sets) */
411	20	ees = do_alloca(sizeof(int) * ssa_vars_count, use_heap);
412	20	if (!ees) {
413	0	return FAILURE;
414	0	}
415
416	20	if (zend_build_equi_escape_sets(ees, op_array, ssa) == FAILURE) {
417	0	free_alloca(ees, use_heap);
418	0	return FAILURE;
419	0	}
420
421		/* 2. Identify Allocations */
422	20	num_non_escaped = 0;
423	16.2k	for (i = op_array->last_var; i < ssa_vars_count; i++) {
424	16.2k	root = ees[i];
425	16.2k	if (ssa_vars[root].escape_state > ESCAPE_STATE_NO_ESCAPE) {
426		/* already escape. skip */
427	14.7k	} else if (ssa_vars[i].alias && (ssa->var_info[i].type & MAY_BE_REF)) {
428	0	if (ssa_vars[root].escape_state == ESCAPE_STATE_NO_ESCAPE) {
429	0	num_non_escaped--;
430	0	}
431	0	ssa_vars[root].escape_state = ESCAPE_STATE_GLOBAL_ESCAPE;
432	14.7k	} else if (ssa_vars[i].definition >= 0
433	11.6k	&& (ssa->var_info[i].type & (MAY_BE_ARRAY\|MAY_BE_OBJECT))) {
434	1.91k	if (!is_local_def(op_array, ssa, ssa_vars[i].definition, i, script)) {
435	1.57k	if (ssa_vars[root].escape_state == ESCAPE_STATE_NO_ESCAPE) {
436	22	num_non_escaped--;
437	22	}
438	1.57k	ssa_vars[root].escape_state = ESCAPE_STATE_GLOBAL_ESCAPE;
439	1.57k	} else if (ssa_vars[root].escape_state == ESCAPE_STATE_UNKNOWN
440	56	&& is_allocation_def(op_array, ssa, ssa_vars[i].definition, i, script)) {
441	56	ssa_vars[root].escape_state = ESCAPE_STATE_NO_ESCAPE;
442	56	num_non_escaped++;
443	56	}
444	1.91k	}
445	16.2k	}
446
447		/* 3. Mark escaped EES */
448	20	if (num_non_escaped) {
449	15.6k	for (i = 0; i < ssa_vars_count; i++) {
450	15.5k	if (ssa_vars[i].use_chain >= 0) {
451	12.3k	root = ees[i];
452	12.3k	if (ssa_vars[root].escape_state == ESCAPE_STATE_NO_ESCAPE) {
453	168	FOREACH_USE(ssa_vars + i, use) {
454	168	if (is_escape_use(op_array, ssa, use, i)) {
455	18	ssa_vars[root].escape_state = ESCAPE_STATE_GLOBAL_ESCAPE;
456	18	num_non_escaped--;
457	18	if (num_non_escaped == 0) {
458	5	i = ssa_vars_count;
459	5	}
460	18	break;
461	18	}
462	168	} FOREACH_USE_END();
463	84	}
464	12.3k	}
465	15.5k	}
466	15	}
467
468		/* 4. Process referential dependencies */
469	20	if (num_non_escaped) {
470	10	bool changed;
471
472	10	do {
473	10	changed = false;
474	1.61k	for (i = 0; i < ssa_vars_count; i++) {
475	1.60k	if (ssa_vars[i].use_chain >= 0) {
476	1.11k	root = ees[i];
477	1.11k	if (ssa_vars[root].escape_state == ESCAPE_STATE_NO_ESCAPE) {
478	68	FOREACH_USE(ssa_vars + i, use) {
479	68	zend_ssa_op *op = ssa->ops + use;
480	68	zend_op *opline = op_array->opcodes + use;
481	68	int enclosing_root;
482
483	68	if (opline->opcode == ZEND_OP_DATA &&
484	0	((opline-1)->opcode == ZEND_ASSIGN_DIM \|\|
485	0	(opline-1)->opcode == ZEND_ASSIGN_OBJ \|\|
486	0	(opline-1)->opcode == ZEND_ASSIGN_OBJ_REF) &&
487	0	op->op1_use == i &&
488	0	(op-1)->op1_use >= 0) {
489	0	enclosing_root = ees[(op-1)->op1_use];
490	34	} else if ((opline->opcode == ZEND_INIT_ARRAY \|\|
491	34	opline->opcode == ZEND_ADD_ARRAY_ELEMENT) &&
492	0	op->op1_use == i &&
493	0	op->result_def >= 0) {
494	0	enclosing_root = ees[op->result_def];
495	34	} else {
496	34	continue;
497	34	}
498
499	0	if (ssa_vars[enclosing_root].escape_state == ESCAPE_STATE_UNKNOWN \|\|
500	0	ssa_vars[enclosing_root].escape_state > ssa_vars[root].escape_state) {
501	0	if (ssa_vars[enclosing_root].escape_state == ESCAPE_STATE_UNKNOWN) {
502	0	ssa_vars[root].escape_state = ESCAPE_STATE_GLOBAL_ESCAPE;
503	0	} else {
504	0	ssa_vars[root].escape_state = ssa_vars[enclosing_root].escape_state;
505	0	}
506	0	if (ssa_vars[root].escape_state == ESCAPE_STATE_GLOBAL_ESCAPE) {
507	0	num_non_escaped--;
508	0	if (num_non_escaped == 0) {
509	0	changed = false;
510	0	} else {
511	0	changed = true;
512	0	}
513	0	break;
514	0	} else {
515	0	changed = true;
516	0	}
517	0	}
518	0	} FOREACH_USE_END();
519	34	}
520	1.11k	}
521	1.60k	}
522	10	} while (changed);
523	10	}
524
525		/* 5. Propagate values of escape sets to variables */
526	16.7k	for (i = 0; i < ssa_vars_count; i++) {
527	16.6k	root = ees[i];
528	16.6k	if (i != root) {
529	7.07k	ssa_vars[i].escape_state = ssa_vars[root].escape_state;
530	7.07k	}
531	16.6k	}
532
533	20	free_alloca(ees, use_heap);
534
535	20	return SUCCESS;
536	20	}
537		/* }}} */