Coverage Report

Created: 2026-06-13 07:01

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/php-src/Zend/Optimizer/sccp.c
Line
Count
Source
1
/*
2
   +----------------------------------------------------------------------+
3
   | Zend Engine, SCCP - Sparse Conditional Constant Propagation          |
4
   +----------------------------------------------------------------------+
5
   | Copyright © The PHP Group and Contributors.                          |
6
   +----------------------------------------------------------------------+
7
   | This source file is subject to the Modified BSD License that is      |
8
   | bundled with this package in the file LICENSE, and is available      |
9
   | through the World Wide Web at <https://www.php.net/license/>.        |
10
   |                                                                      |
11
   | SPDX-License-Identifier: BSD-3-Clause                                |
12
   +----------------------------------------------------------------------+
13
   | Authors: Nikita Popov <nikic@php.net>                                |
14
   |          Dmitry Stogov <dmitry@php.net>                              |
15
   +----------------------------------------------------------------------+
16
*/
17
18
#include "zend_API.h"
19
#include "zend_exceptions.h"
20
#include "zend_ini.h"
21
#include "zend_type_info.h"
22
#include "Optimizer/zend_optimizer_internal.h"
23
#include "Optimizer/zend_call_graph.h"
24
#include "Optimizer/zend_inference.h"
25
#include "Optimizer/scdf.h"
26
#include "Optimizer/zend_dump.h"
27
28
/* This implements sparse conditional constant propagation (SCCP) based on the SCDF framework. The
29
 * used value lattice is defined as follows:
30
 *
31
 * BOT < {constant values} < TOP
32
 *
33
 * TOP indicates an underdefined value, i.e. that we do not yet know the value of variable.
34
 * BOT indicates an overdefined value, i.e. that we know the variable to be non-constant.
35
 *
36
 * All variables are optimistically initialized to TOP, apart from the implicit variables defined
37
 * at the start of the first block. Note that variables that MAY_BE_REF are *not* initialized to
38
 * BOT. We rely on the fact that any operation resulting in a reference will produce a BOT anyway.
39
 * This is better because such operations might never be reached due to the conditional nature of
40
 * the algorithm.
41
 *
42
 * The meet operation for phi functions is defined as follows:
43
 * BOT + any = BOT
44
 * TOP + any = any
45
 * C_i + C_i = C_i (i.e. two equal constants)
46
 * C_i + C_j = BOT (i.e. two different constants)
47
 *
48
 * When evaluating instructions TOP and BOT are handled as follows:
49
 * a) If any operand is BOT, the result is BOT. The main exception to this is op1 of ASSIGN, which
50
 *    is ignored. However, if the op1 MAY_BE_REF we do have to propagate the BOT.
51
 * b) Otherwise, if the instruction can never be evaluated (either in general, or with the
52
 *    specific modifiers) the result is BOT.
53
 * c) Otherwise, if any operand is TOP, the result is TOP.
54
 * d) Otherwise (at this point all operands are known and constant), if we can compute the result
55
 *    for these specific constants (without throwing notices or similar) then that is the result.
56
 * e) Otherwise the result is BOT.
57
 *
58
 * It is sometimes possible to determine a result even if one argument is TOP / BOT, e.g. for things
59
 * like BOT*0. Right now we don't bother with this.
60
 *
61
 * Feasible successors for conditional branches are determined as follows:
62
 * a) If we don't support the branch type or branch on BOT, all successors are feasible.
63
 * b) Otherwise, if we branch on TOP none of the successors are feasible.
64
 * c) Otherwise (we branch on a constant), the feasible successors are marked based on the constant
65
 *    (usually only one successor will be feasible).
66
 *
67
 * The original SCCP algorithm is extended with ability to propagate constant array
68
 * elements and object properties. The extension is based on a variation of Array
69
 * SSA form and its application to Spare Constant Propagation, described at
70
 * "Array SSA Form" by Vivek Sarkar, Kathleen Knobe and Stephen Fink in chapter
71
 * 16 of the SSA book.
72
 */
73
74
#define SCP_DEBUG 0
75
76
typedef struct _sccp_ctx {
77
  scdf_ctx scdf;
78
  zend_call_info **call_map;
79
  zval *values;
80
  zval top;
81
  zval bot;
82
} sccp_ctx;
83
84
4.91M
#define TOP ((uint8_t)-1)
85
3.95M
#define BOT ((uint8_t)-2)
86
1.10M
#define PARTIAL_ARRAY ((uint8_t)-3)
87
1.03M
#define PARTIAL_OBJECT ((uint8_t)-4)
88
5.89M
#define IS_TOP(zv) (Z_TYPE_P(zv) == TOP)
89
6.18M
#define IS_BOT(zv) (Z_TYPE_P(zv) == BOT)
90
2.14M
#define IS_PARTIAL_ARRAY(zv) (Z_TYPE_P(zv) == PARTIAL_ARRAY)
91
1.04M
#define IS_PARTIAL_OBJECT(zv) (Z_TYPE_P(zv) == PARTIAL_OBJECT)
92
93
10.5k
#define MAKE_PARTIAL_ARRAY(zv) (Z_TYPE_INFO_P(zv) = PARTIAL_ARRAY | (IS_TYPE_REFCOUNTED << Z_TYPE_FLAGS_SHIFT))
94
493
#define MAKE_PARTIAL_OBJECT(zv) (Z_TYPE_INFO_P(zv) = PARTIAL_OBJECT | (IS_TYPE_REFCOUNTED << Z_TYPE_FLAGS_SHIFT))
95
96
1.24M
#define MAKE_TOP(zv) (Z_TYPE_INFO_P(zv) = TOP)
97
205k
#define MAKE_BOT(zv) (Z_TYPE_INFO_P(zv) = BOT)
98
99
0
static void scp_dump_value(zval *zv) {
100
0
  if (IS_TOP(zv)) {
101
0
    fprintf(stderr, " top");
102
0
  } else if (IS_BOT(zv)) {
103
0
    fprintf(stderr, " bot");
104
0
  } else if (Z_TYPE_P(zv) == IS_ARRAY || IS_PARTIAL_ARRAY(zv)) {
105
0
    fprintf(stderr, " %s[", IS_PARTIAL_ARRAY(zv) ? "partial " : "");
106
0
    zend_dump_ht(Z_ARRVAL_P(zv));
107
0
    fprintf(stderr, "]");
108
0
  } else if (IS_PARTIAL_OBJECT(zv)) {
109
0
    fprintf(stderr, " {");
110
0
    zend_dump_ht(Z_ARRVAL_P(zv));
111
0
    fprintf(stderr, "}");
112
0
  } else {
113
0
    zend_dump_const(zv);
114
0
  }
115
0
}
116
117
static void empty_partial_array(zval *zv)
118
3.97k
{
119
3.97k
  MAKE_PARTIAL_ARRAY(zv);
120
3.97k
  Z_ARR_P(zv) = zend_new_array(8);
121
3.97k
}
122
123
static void dup_partial_array(zval *dst, const zval *src)
124
585
{
125
585
  MAKE_PARTIAL_ARRAY(dst);
126
585
  Z_ARR_P(dst) = zend_array_dup(Z_ARR_P(src));
127
585
}
128
129
static void empty_partial_object(zval *zv)
130
358
{
131
358
  MAKE_PARTIAL_OBJECT(zv);
132
358
  Z_ARR_P(zv) = zend_new_array(8);
133
358
}
134
135
static void dup_partial_object(zval *dst, const zval *src)
136
135
{
137
135
  MAKE_PARTIAL_OBJECT(dst);
138
135
  Z_ARR_P(dst) = zend_array_dup(Z_ARR_P(src));
139
135
}
140
141
1.10M
static inline bool value_known(zval *zv) {
142
1.10M
  return !IS_TOP(zv) && !IS_BOT(zv);
143
1.10M
}
144
145
/* Sets new value for variable and ensures that it is lower or equal
146
 * the previous one in the constant propagation lattice. */
147
1.03M
static void set_value(scdf_ctx *scdf, sccp_ctx *ctx, int var, const zval *new) {
148
1.03M
  zval *value = &ctx->values[var];
149
1.03M
  if (IS_BOT(value) || IS_TOP(new)) {
150
3.83k
    return;
151
3.83k
  }
152
153
#if SCP_DEBUG
154
  fprintf(stderr, "Lowering #%d.", var);
155
  zend_dump_var(scdf->op_array, IS_CV, scdf->ssa->vars[var].var);
156
  fprintf(stderr, " from");
157
  scp_dump_value(value);
158
  fprintf(stderr, " to");
159
  scp_dump_value(new);
160
  fprintf(stderr, "\n");
161
#endif
162
163
1.03M
  if (IS_TOP(value) || IS_BOT(new)) {
164
1.02M
    zval_ptr_dtor_nogc(value);
165
1.02M
    ZVAL_COPY(value, new);
166
1.02M
    scdf_add_to_worklist(scdf, var);
167
1.02M
    return;
168
1.02M
  }
169
170
  /* Always replace PARTIAL_(ARRAY|OBJECT), as new maybe changed by join_partial_(arrays|object) */
171
2.22k
  if (IS_PARTIAL_ARRAY(new) || IS_PARTIAL_OBJECT(new)) {
172
528
    if (Z_TYPE_P(value) != Z_TYPE_P(new)
173
271
      || zend_hash_num_elements(Z_ARR_P(new)) != zend_hash_num_elements(Z_ARR_P(value))) {
174
271
      zval_ptr_dtor_nogc(value);
175
271
      ZVAL_COPY(value, new);
176
271
      scdf_add_to_worklist(scdf, var);
177
271
    }
178
528
    return;
179
528
  }
180
181
1.70k
#if ZEND_DEBUG
182
1.70k
  ZEND_ASSERT(zend_is_identical(value, new) ||
183
1.70k
    (Z_TYPE_P(value) == IS_DOUBLE && Z_TYPE_P(new) == IS_DOUBLE && isnan(Z_DVAL_P(value)) && isnan(Z_DVAL_P(new))));
184
1.70k
#endif
185
1.70k
}
186
187
1.53M
static zval *get_op1_value(sccp_ctx *ctx, zend_op *opline, const zend_ssa_op *ssa_op) {
188
1.53M
  if (opline->op1_type == IS_CONST) {
189
211k
    return CT_CONSTANT_EX(ctx->scdf.op_array, opline->op1.constant);
190
1.32M
  } else if (ssa_op->op1_use != -1) {
191
915k
    return &ctx->values[ssa_op->op1_use];
192
915k
  } else {
193
405k
    return NULL;
194
405k
  }
195
1.53M
}
196
197
1.46M
static zval *get_op2_value(sccp_ctx *ctx, const zend_op *opline, const zend_ssa_op *ssa_op) {
198
1.46M
  if (opline->op2_type == IS_CONST) {
199
426k
    return CT_CONSTANT_EX(ctx->scdf.op_array, opline->op2.constant);
200
1.03M
  } else if (ssa_op->op2_use != -1) {
201
255k
    return &ctx->values[ssa_op->op2_use];
202
781k
  } else {
203
781k
    return NULL;
204
781k
  }
205
1.46M
}
206
207
static bool can_replace_op1(
208
21.7k
    const zend_op_array *op_array, const zend_op *opline, const zend_ssa_op *ssa_op) {
209
21.7k
  switch (opline->opcode) {
210
80
    case ZEND_PRE_INC:
211
96
    case ZEND_PRE_DEC:
212
96
    case ZEND_PRE_INC_OBJ:
213
96
    case ZEND_PRE_DEC_OBJ:
214
100
    case ZEND_POST_INC:
215
144
    case ZEND_POST_DEC:
216
144
    case ZEND_POST_INC_OBJ:
217
144
    case ZEND_POST_DEC_OBJ:
218
1.33k
    case ZEND_ASSIGN:
219
1.48k
    case ZEND_ASSIGN_REF:
220
1.75k
    case ZEND_ASSIGN_DIM:
221
1.78k
    case ZEND_ASSIGN_OBJ:
222
1.78k
    case ZEND_ASSIGN_OBJ_REF:
223
1.82k
    case ZEND_ASSIGN_OP:
224
1.85k
    case ZEND_ASSIGN_DIM_OP:
225
1.85k
    case ZEND_ASSIGN_OBJ_OP:
226
1.85k
    case ZEND_ASSIGN_STATIC_PROP_OP:
227
1.94k
    case ZEND_FETCH_DIM_W:
228
1.94k
    case ZEND_FETCH_DIM_RW:
229
1.95k
    case ZEND_FETCH_DIM_UNSET:
230
1.96k
    case ZEND_FETCH_DIM_FUNC_ARG:
231
1.97k
    case ZEND_FETCH_OBJ_W:
232
1.97k
    case ZEND_FETCH_OBJ_RW:
233
1.97k
    case ZEND_FETCH_OBJ_UNSET:
234
1.98k
    case ZEND_FETCH_OBJ_FUNC_ARG:
235
1.98k
    case ZEND_FETCH_LIST_W:
236
2.00k
    case ZEND_UNSET_DIM:
237
2.00k
    case ZEND_UNSET_OBJ:
238
2.04k
    case ZEND_SEND_REF:
239
2.07k
    case ZEND_SEND_VAR_EX:
240
2.11k
    case ZEND_SEND_FUNC_ARG:
241
2.11k
    case ZEND_SEND_UNPACK:
242
2.11k
    case ZEND_SEND_ARRAY:
243
2.11k
    case ZEND_SEND_USER:
244
2.11k
    case ZEND_FE_RESET_RW:
245
2.11k
      return false;
246
    /* Do not accept CONST */
247
12.9k
    case ZEND_ROPE_ADD:
248
12.9k
    case ZEND_ROPE_END:
249
12.9k
    case ZEND_BIND_STATIC:
250
12.9k
    case ZEND_BIND_INIT_STATIC_OR_JMP:
251
12.9k
    case ZEND_BIND_GLOBAL:
252
12.9k
    case ZEND_MAKE_REF:
253
12.9k
    case ZEND_UNSET_CV:
254
12.9k
    case ZEND_ISSET_ISEMPTY_CV:
255
12.9k
      return false;
256
49
    case ZEND_INIT_ARRAY:
257
67
    case ZEND_ADD_ARRAY_ELEMENT:
258
67
      return !(opline->extended_value & ZEND_ARRAY_ELEMENT_REF);
259
29
    case ZEND_YIELD:
260
29
      return !(op_array->fn_flags & ZEND_ACC_RETURN_REFERENCE);
261
94
    case ZEND_VERIFY_RETURN_TYPE:
262
      // TODO: This would require a non-local change ???
263
94
      return false;
264
445
    case ZEND_OP_DATA:
265
445
      return (opline - 1)->opcode != ZEND_ASSIGN_OBJ_REF &&
266
445
        (opline - 1)->opcode != ZEND_ASSIGN_STATIC_PROP_REF;
267
6.00k
    default:
268
6.00k
      if (ssa_op->op1_def != -1) {
269
0
        ZEND_UNREACHABLE();
270
0
        return false;
271
0
      }
272
21.7k
  }
273
274
6.00k
  return true;
275
21.7k
}
276
277
static bool can_replace_op2(
278
5.41k
    const zend_op_array *op_array, zend_op *opline, zend_ssa_op *ssa_op) {
279
5.41k
  switch (opline->opcode) {
280
    /* Do not accept CONST */
281
0
    case ZEND_DECLARE_CLASS_DELAYED:
282
80
    case ZEND_BIND_LEXICAL:
283
80
    case ZEND_FE_FETCH_R:
284
80
    case ZEND_FE_FETCH_RW:
285
80
      return false;
286
5.41k
  }
287
5.33k
  return true;
288
5.41k
}
289
290
static bool try_replace_op1(
291
42.6k
    sccp_ctx *ctx, zend_op *opline, zend_ssa_op *ssa_op, int var, zval *value) {
292
42.6k
  if (ssa_op->op1_use == var && can_replace_op1(ctx->scdf.op_array, opline, ssa_op)) {
293
6.49k
    zval zv;
294
6.49k
    ZVAL_COPY(&zv, value);
295
6.49k
    if (zend_optimizer_update_op1_const(ctx->scdf.op_array, opline, &zv)) {
296
6.40k
      return true;
297
6.40k
    }
298
90
    zval_ptr_dtor_nogc(&zv);
299
90
  }
300
36.2k
  return false;
301
42.6k
}
302
303
static bool try_replace_op2(
304
42.6k
    sccp_ctx *ctx, zend_op *opline, zend_ssa_op *ssa_op, int var, zval *value) {
305
42.6k
  if (ssa_op->op2_use == var && can_replace_op2(ctx->scdf.op_array, opline, ssa_op)) {
306
5.33k
    zval zv;
307
5.33k
    ZVAL_COPY(&zv, value);
308
5.33k
    if (zend_optimizer_update_op2_const(ctx->scdf.op_array, opline, &zv)) {
309
5.21k
      return true;
310
5.21k
    }
311
122
    zval_ptr_dtor_nogc(&zv);
312
122
  }
313
37.3k
  return false;
314
42.6k
}
315
316
10.1k
static inline zend_result ct_eval_binary_op(zval *result, uint8_t binop, zval *op1, zval *op2) {
317
  /* TODO: We could implement support for evaluation of + on partial arrays. */
318
10.1k
  if (IS_PARTIAL_ARRAY(op1) || IS_PARTIAL_ARRAY(op2)) {
319
2
    return FAILURE;
320
2
  }
321
322
10.1k
  return zend_optimizer_eval_binary_op(result, binop, op1, op2);
323
10.1k
}
324
325
4.26k
static inline zend_result ct_eval_bool_cast(zval *result, zval *op) {
326
4.26k
  if (IS_PARTIAL_ARRAY(op)) {
327
0
    if (zend_hash_num_elements(Z_ARRVAL_P(op)) == 0) {
328
      /* An empty partial array may be non-empty at runtime, we don't know whether the
329
       * result will be true or false. */
330
0
      return FAILURE;
331
0
    }
332
333
0
    ZVAL_TRUE(result);
334
0
    return SUCCESS;
335
0
  }
336
  /* NAN warns when casting */
337
4.26k
  if (Z_TYPE_P(op) == IS_DOUBLE && zend_isnan(Z_DVAL_P(op))) {
338
6
    return FAILURE;
339
6
  }
340
341
4.25k
  ZVAL_BOOL(result, zend_is_true(op));
342
4.25k
  return SUCCESS;
343
4.26k
}
344
345
22
static inline zend_result zval_to_string_offset(zend_long *result, zval *op) {
346
22
  switch (Z_TYPE_P(op)) {
347
20
    case IS_LONG:
348
20
      *result = Z_LVAL_P(op);
349
20
      return SUCCESS;
350
2
    case IS_STRING:
351
2
      if (IS_LONG == is_numeric_string(
352
2
          Z_STRVAL_P(op), Z_STRLEN_P(op), result, NULL, 0)) {
353
0
        return SUCCESS;
354
0
      }
355
2
      return FAILURE;
356
0
    default:
357
0
      return FAILURE;
358
22
  }
359
22
}
360
361
709
static inline zend_result fetch_array_elem(zval **result, zval *op1, zval *op2) {
362
709
  switch (Z_TYPE_P(op2)) {
363
4
    case IS_NULL:
364
4
      return FAILURE;
365
4
    case IS_FALSE:
366
4
      *result = zend_hash_index_find(Z_ARR_P(op1), 0);
367
4
      return SUCCESS;
368
4
    case IS_TRUE:
369
4
      *result = zend_hash_index_find(Z_ARR_P(op1), 1);
370
4
      return SUCCESS;
371
593
    case IS_LONG:
372
593
      *result = zend_hash_index_find(Z_ARR_P(op1), Z_LVAL_P(op2));
373
593
      return SUCCESS;
374
18
    case IS_DOUBLE: {
375
18
      zend_long lval = zend_dval_to_lval_silent(Z_DVAL_P(op2));
376
18
      if (!zend_is_long_compatible(Z_DVAL_P(op2), lval)) {
377
12
        return FAILURE;
378
12
      }
379
6
      *result = zend_hash_index_find(Z_ARR_P(op1), lval);
380
6
      return SUCCESS;
381
18
    }
382
84
    case IS_STRING:
383
84
      *result = zend_symtable_find(Z_ARR_P(op1), Z_STR_P(op2));
384
84
      return SUCCESS;
385
2
    default:
386
2
      return FAILURE;
387
709
  }
388
709
}
389
390
691
static inline zend_result ct_eval_fetch_dim(zval *result, zval *op1, zval *op2, int support_strings) {
391
691
  if (Z_TYPE_P(op1) == IS_ARRAY || IS_PARTIAL_ARRAY(op1)) {
392
647
    zval *value;
393
647
    if (fetch_array_elem(&value, op1, op2) == SUCCESS && value && !IS_BOT(value)) {
394
473
      ZVAL_COPY(result, value);
395
473
      return SUCCESS;
396
473
    }
397
647
  } else if (support_strings && Z_TYPE_P(op1) == IS_STRING) {
398
22
    zend_long index;
399
22
    if (zval_to_string_offset(&index, op2) == FAILURE) {
400
2
      return FAILURE;
401
2
    }
402
20
    if (index >= 0 && index < Z_STRLEN_P(op1)) {
403
18
      ZVAL_CHAR(result, Z_STRVAL_P(op1)[index]);
404
18
      return SUCCESS;
405
18
    }
406
20
  }
407
198
  return FAILURE;
408
691
}
409
410
/* op1 may be NULL here to indicate an unset value */
411
56
static inline zend_result ct_eval_isset_isempty(zval *result, uint32_t extended_value, zval *op1) {
412
56
  zval zv;
413
56
  if (!(extended_value & ZEND_ISEMPTY)) {
414
56
    ZVAL_BOOL(result, op1 && Z_TYPE_P(op1) != IS_NULL);
415
56
    return SUCCESS;
416
56
  } else if (!op1) {
417
0
    ZVAL_TRUE(result);
418
0
    return SUCCESS;
419
0
  } else if (ct_eval_bool_cast(&zv, op1) == SUCCESS) {
420
0
    ZVAL_BOOL(result, Z_TYPE(zv) == IS_FALSE);
421
0
    return SUCCESS;
422
0
  } else {
423
0
    return FAILURE;
424
0
  }
425
56
}
426
427
72
static inline zend_result ct_eval_isset_dim(zval *result, uint32_t extended_value, zval *op1, zval *op2) {
428
72
  if (Z_TYPE_P(op1) == IS_ARRAY || IS_PARTIAL_ARRAY(op1)) {
429
62
    zval *value;
430
62
    if (fetch_array_elem(&value, op1, op2) == FAILURE) {
431
0
      return FAILURE;
432
0
    }
433
62
    if (IS_PARTIAL_ARRAY(op1) && (!value || IS_BOT(value))) {
434
8
      return FAILURE;
435
8
    }
436
54
    return ct_eval_isset_isempty(result, extended_value, value);
437
62
  } else if (Z_TYPE_P(op1) == IS_STRING) {
438
    // TODO
439
0
    return FAILURE;
440
10
  } else {
441
10
    ZVAL_BOOL(result, (extended_value & ZEND_ISEMPTY));
442
10
    return SUCCESS;
443
10
  }
444
72
}
445
446
678
static inline zend_result ct_eval_del_array_elem(zval *result, const zval *key) {
447
678
  ZEND_ASSERT(IS_PARTIAL_ARRAY(result));
448
449
678
  switch (Z_TYPE_P(key)) {
450
0
    case IS_NULL:
451
0
      zend_hash_del(Z_ARR_P(result), ZSTR_EMPTY_ALLOC());
452
0
      break;
453
15
    case IS_FALSE:
454
15
      zend_hash_index_del(Z_ARR_P(result), 0);
455
15
      break;
456
0
    case IS_TRUE:
457
0
      zend_hash_index_del(Z_ARR_P(result), 1);
458
0
      break;
459
60
    case IS_LONG:
460
60
      zend_hash_index_del(Z_ARR_P(result), Z_LVAL_P(key));
461
60
      break;
462
12
    case IS_DOUBLE: {
463
12
      zend_long lval = zend_dval_to_lval_silent(Z_DVAL_P(key));
464
12
      if (!zend_is_long_compatible(Z_DVAL_P(key), lval)) {
465
12
        return FAILURE;
466
12
      }
467
0
      zend_hash_index_del(Z_ARR_P(result), lval);
468
0
      break;
469
12
    }
470
587
    case IS_STRING:
471
587
      zend_symtable_del(Z_ARR_P(result), Z_STR_P(key));
472
587
      break;
473
4
    default:
474
4
      return FAILURE;
475
678
  }
476
477
662
  return SUCCESS;
478
678
}
479
480
3.70k
static inline zend_result ct_eval_add_array_elem(zval *result, zval *value, const zval *key) {
481
3.70k
  if (!key) {
482
2.66k
    SEPARATE_ARRAY(result);
483
2.66k
    if ((value = zend_hash_next_index_insert(Z_ARR_P(result), value))) {
484
2.66k
      Z_TRY_ADDREF_P(value);
485
2.66k
      return SUCCESS;
486
2.66k
    }
487
0
    return FAILURE;
488
2.66k
  }
489
490
1.03k
  switch (Z_TYPE_P(key)) {
491
0
    case IS_NULL:
492
0
      SEPARATE_ARRAY(result);
493
0
      value = zend_hash_update(Z_ARR_P(result), ZSTR_EMPTY_ALLOC(), value);
494
0
      break;
495
16
    case IS_FALSE:
496
16
      SEPARATE_ARRAY(result);
497
16
      value = zend_hash_index_update(Z_ARR_P(result), 0, value);
498
16
      break;
499
2
    case IS_TRUE:
500
2
      SEPARATE_ARRAY(result);
501
2
      value = zend_hash_index_update(Z_ARR_P(result), 1, value);
502
2
      break;
503
155
    case IS_LONG:
504
155
      SEPARATE_ARRAY(result);
505
155
      value = zend_hash_index_update(Z_ARR_P(result), Z_LVAL_P(key), value);
506
155
      break;
507
24
    case IS_DOUBLE: {
508
24
      zend_long lval = zend_dval_to_lval_silent(Z_DVAL_P(key));
509
24
      if (!zend_is_long_compatible(Z_DVAL_P(key), lval)) {
510
24
        return FAILURE;
511
24
      }
512
0
      SEPARATE_ARRAY(result);
513
0
      value = zend_hash_index_update(
514
0
        Z_ARR_P(result), lval, value);
515
0
      break;
516
24
    }
517
839
    case IS_STRING:
518
839
      SEPARATE_ARRAY(result);
519
839
      value = zend_symtable_update(Z_ARR_P(result), Z_STR_P(key), value);
520
839
      break;
521
0
    default:
522
0
      return FAILURE;
523
1.03k
  }
524
525
1.01k
  Z_TRY_ADDREF_P(value);
526
1.01k
  return SUCCESS;
527
1.03k
}
528
529
24
static inline zend_result ct_eval_add_array_unpack(zval *result, zval *array) {
530
24
  zend_string *key;
531
24
  zval *value;
532
24
  if (Z_TYPE_P(array) != IS_ARRAY) {
533
6
    return FAILURE;
534
6
  }
535
536
18
  SEPARATE_ARRAY(result);
537
98
  ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(array), key, value) {
538
98
    if (key) {
539
0
      value = zend_hash_update(Z_ARR_P(result), key, value);
540
40
    } else {
541
40
      value = zend_hash_next_index_insert(Z_ARR_P(result), value);
542
40
    }
543
98
    if (!value) {
544
0
      return FAILURE;
545
0
    }
546
40
    Z_TRY_ADDREF_P(value);
547
40
  } ZEND_HASH_FOREACH_END();
548
18
  return SUCCESS;
549
18
}
550
551
221
static inline zend_result ct_eval_assign_dim(zval *result, zval *value, const zval *key) {
552
221
  switch (Z_TYPE_P(result)) {
553
94
    case IS_NULL:
554
94
    case IS_FALSE:
555
94
      array_init(result);
556
94
      ZEND_FALLTHROUGH;
557
192
    case IS_ARRAY:
558
211
    case PARTIAL_ARRAY:
559
211
      return ct_eval_add_array_elem(result, value, key);
560
6
    case IS_STRING:
561
      // TODO Before enabling this case, make sure ARRAY_DIM result op is correct
562
#if 0
563
      zend_long index;
564
      zend_string *new_str, *value_str;
565
      if (!key || Z_TYPE_P(value) == IS_ARRAY
566
          || zval_to_string_offset(&index, key) == FAILURE || index < 0) {
567
        return FAILURE;
568
      }
569
570
      if (index >= Z_STRLEN_P(result)) {
571
        new_str = zend_string_alloc(index + 1, 0);
572
        memcpy(ZSTR_VAL(new_str), Z_STRVAL_P(result), Z_STRLEN_P(result));
573
        memset(ZSTR_VAL(new_str) + Z_STRLEN_P(result), ' ', index - Z_STRLEN_P(result));
574
        ZSTR_VAL(new_str)[index + 1] = 0;
575
      } else {
576
        new_str = zend_string_init(Z_STRVAL_P(result), Z_STRLEN_P(result), 0);
577
      }
578
579
      value_str = zval_get_string(value);
580
      ZVAL_STR(result, new_str);
581
      Z_STRVAL_P(result)[index] = ZSTR_VAL(value_str)[0];
582
      zend_string_release_ex(value_str, 0);
583
#endif
584
6
      return FAILURE;
585
4
    default:
586
4
      return FAILURE;
587
221
  }
588
221
}
589
590
56
static inline zend_result fetch_obj_prop(zval **result, zval *op1, zval *op2) {
591
56
  switch (Z_TYPE_P(op2)) {
592
44
    case IS_STRING:
593
44
      *result = zend_symtable_find(Z_ARR_P(op1), Z_STR_P(op2));
594
44
      return SUCCESS;
595
12
    default:
596
12
      return FAILURE;
597
56
  }
598
56
}
599
600
146
static inline zend_result ct_eval_fetch_obj(zval *result, zval *op1, zval *op2) {
601
146
  if (IS_PARTIAL_OBJECT(op1)) {
602
56
    zval *value;
603
56
    if (fetch_obj_prop(&value, op1, op2) == SUCCESS && value && !IS_BOT(value)) {
604
8
      ZVAL_COPY(result, value);
605
8
      return SUCCESS;
606
8
    }
607
56
  }
608
138
  return FAILURE;
609
146
}
610
611
28
static inline zend_result ct_eval_isset_obj(zval *result, uint32_t extended_value, zval *op1, zval *op2) {
612
28
  if (IS_PARTIAL_OBJECT(op1)) {
613
0
    zval *value;
614
0
    if (fetch_obj_prop(&value, op1, op2) == FAILURE) {
615
0
      return FAILURE;
616
0
    }
617
0
    if (!value || IS_BOT(value)) {
618
0
      return FAILURE;
619
0
    }
620
0
    return ct_eval_isset_isempty(result, extended_value, value);
621
28
  } else {
622
28
    ZVAL_BOOL(result, (extended_value & ZEND_ISEMPTY));
623
28
    return SUCCESS;
624
28
  }
625
28
}
626
627
65
static inline zend_result ct_eval_del_obj_prop(zval *result, const zval *key) {
628
65
  ZEND_ASSERT(IS_PARTIAL_OBJECT(result));
629
630
65
  switch (Z_TYPE_P(key)) {
631
65
    case IS_STRING:
632
65
      zend_symtable_del(Z_ARR_P(result), Z_STR_P(key));
633
65
      break;
634
0
    default:
635
0
      return FAILURE;
636
65
  }
637
638
65
  return SUCCESS;
639
65
}
640
641
70
static inline zend_result ct_eval_add_obj_prop(zval *result, zval *value, const zval *key) {
642
70
  switch (Z_TYPE_P(key)) {
643
70
    case IS_STRING:
644
70
      value = zend_symtable_update(Z_ARR_P(result), Z_STR_P(key), value);
645
70
      break;
646
0
    default:
647
0
      return FAILURE;
648
70
  }
649
650
70
  Z_TRY_ADDREF_P(value);
651
70
  return SUCCESS;
652
70
}
653
654
70
static inline zend_result ct_eval_assign_obj(zval *result, zval *value, const zval *key) {
655
70
  switch (Z_TYPE_P(result)) {
656
0
    case IS_NULL:
657
0
    case IS_FALSE:
658
0
      empty_partial_object(result);
659
0
      ZEND_FALLTHROUGH;
660
70
    case PARTIAL_OBJECT:
661
70
      return ct_eval_add_obj_prop(result, value, key);
662
0
    default:
663
0
      return FAILURE;
664
70
  }
665
70
}
666
667
2.05k
static inline zend_result ct_eval_incdec(zval *result, uint8_t opcode, zval *op1) {
668
  /* As of PHP 8.3 with the warning/deprecation notices any type other than int/double/null will emit a diagnostic
669
  if (Z_TYPE_P(op1) == IS_ARRAY || IS_PARTIAL_ARRAY(op1)) {
670
    return FAILURE;
671
  }
672
  */
673
2.05k
  if (Z_TYPE_P(op1) != IS_LONG && Z_TYPE_P(op1) != IS_DOUBLE && Z_TYPE_P(op1) != IS_NULL) {
674
44
    return FAILURE;
675
44
  }
676
677
2.00k
  ZVAL_COPY(result, op1);
678
2.00k
  if (opcode == ZEND_PRE_INC
679
538
      || opcode == ZEND_POST_INC
680
152
      || opcode == ZEND_PRE_INC_OBJ
681
1.85k
      || opcode == ZEND_POST_INC_OBJ) {
682
1.85k
    increment_function(result);
683
1.85k
  } else {
684
    /* Decrement on null emits a deprecation notice */
685
152
    if (Z_TYPE_P(op1) == IS_NULL) {
686
0
      zval_ptr_dtor(result);
687
0
      return FAILURE;
688
0
    }
689
152
    decrement_function(result);
690
152
  }
691
2.00k
  return SUCCESS;
692
2.00k
}
693
694
2
static inline void ct_eval_type_check(zval *result, uint32_t type_mask, zval *op1) {
695
2
  uint32_t type = Z_TYPE_P(op1);
696
2
  if (type == PARTIAL_ARRAY) {
697
0
    type = IS_ARRAY;
698
2
  } else if (type == PARTIAL_OBJECT) {
699
0
    type = IS_OBJECT;
700
0
  }
701
2
  ZVAL_BOOL(result, (type_mask >> type) & 1);
702
2
}
703
704
0
static inline zend_result ct_eval_in_array(zval *result, uint32_t extended_value, zval *op1, zval *op2) {
705
0
  HashTable *ht;
706
0
  bool res;
707
708
0
  if (Z_TYPE_P(op2) != IS_ARRAY) {
709
0
    return FAILURE;
710
0
  }
711
0
  ht = Z_ARRVAL_P(op2);
712
0
  if (EXPECTED(Z_TYPE_P(op1) == IS_STRING)) {
713
0
    res = zend_hash_exists(ht, Z_STR_P(op1));
714
0
  } else if (extended_value) {
715
0
    if (EXPECTED(Z_TYPE_P(op1) == IS_LONG)) {
716
0
      res = zend_hash_index_exists(ht, Z_LVAL_P(op1));
717
0
    } else {
718
0
      res = false;
719
0
    }
720
0
  } else if (Z_TYPE_P(op1) <= IS_FALSE) {
721
0
    res = zend_hash_exists(ht, ZSTR_EMPTY_ALLOC());
722
0
  } else {
723
0
    zend_string *key;
724
0
    zval key_tmp;
725
726
0
    res = false;
727
0
    ZEND_HASH_MAP_FOREACH_STR_KEY(ht, key) {
728
0
      ZVAL_STR(&key_tmp, key);
729
0
      if (zend_compare(op1, &key_tmp) == 0) {
730
0
        res = true;
731
0
        break;
732
0
      }
733
0
    } ZEND_HASH_FOREACH_END();
734
0
  }
735
0
  ZVAL_BOOL(result, res);
736
0
  return SUCCESS;
737
0
}
738
739
0
static inline zend_result ct_eval_array_key_exists(zval *result, zval *op1, zval *op2) {
740
0
  zval *value;
741
742
0
  if (Z_TYPE_P(op2) != IS_ARRAY && !IS_PARTIAL_ARRAY(op2)) {
743
0
    return FAILURE;
744
0
  }
745
0
  if (Z_TYPE_P(op1) != IS_STRING && Z_TYPE_P(op1) != IS_LONG && Z_TYPE_P(op1) != IS_NULL) {
746
0
    return FAILURE;
747
0
  }
748
0
  if (fetch_array_elem(&value, op2, op1) == FAILURE) {
749
0
    return FAILURE;
750
0
  }
751
0
  if (IS_PARTIAL_ARRAY(op2) && (!value || IS_BOT(value))) {
752
0
    return FAILURE;
753
0
  }
754
755
0
  ZVAL_BOOL(result, value != NULL);
756
0
  return SUCCESS;
757
0
}
758
759
0
static bool can_ct_eval_func_call(zend_function *func, zend_string *name, uint32_t num_args, zval **args) {
760
  /* Precondition: func->type == ZEND_INTERNAL_FUNCTION, this is a global function */
761
  /* Functions setting ZEND_ACC_COMPILE_TIME_EVAL (@compile-time-eval) must always produce the same result for the same arguments,
762
   * and have no dependence on global state (such as locales). It is okay if they throw
763
   * or warn on invalid arguments, as we detect this and will discard the evaluation result. */
764
0
  if (func->common.fn_flags & ZEND_ACC_COMPILE_TIME_EVAL) {
765
    /* This has @compile-time-eval in stub info and uses a macro such as ZEND_SUPPORTS_COMPILE_TIME_EVAL_FE */
766
0
    return true;
767
0
  }
768
0
#ifndef ZEND_WIN32
769
  /* On Windows this function may be code page dependent. */
770
0
  if (zend_string_equals_literal(name, "dirname")) {
771
0
    return true;
772
0
  }
773
0
#endif
774
775
0
  if (num_args == 2) {
776
0
    if (zend_string_equals_literal(name, "str_repeat")) {
777
      /* Avoid creating overly large strings at compile-time. */
778
0
      bool overflow;
779
0
      return Z_TYPE_P(args[0]) == IS_STRING
780
0
        && Z_TYPE_P(args[1]) == IS_LONG
781
0
        && zend_safe_address(Z_STRLEN_P(args[0]), Z_LVAL_P(args[1]), 0, &overflow) < 64 * 1024
782
0
        && !overflow;
783
0
    }
784
0
    return false;
785
0
  }
786
787
0
  return false;
788
0
}
789
790
/* The functions chosen here are simple to implement and either likely to affect a branch,
791
 * or just happened to be commonly used with constant operands in WP (need to test other
792
 * applications as well, of course). */
793
static inline zend_result ct_eval_func_call_ex(
794
0
    zend_op_array *op_array, zval *result, zend_function *func, uint32_t num_args, zval **args) {
795
0
  uint32_t i;
796
0
  zend_string *name = func->common.function_name;
797
0
  if (num_args == 1 && Z_TYPE_P(args[0]) == IS_STRING &&
798
0
      zend_optimizer_eval_special_func_call(result, name, Z_STR_P(args[0])) == SUCCESS) {
799
0
    return SUCCESS;
800
0
  }
801
802
0
  if (!can_ct_eval_func_call(func, name, num_args, args)) {
803
0
    return FAILURE;
804
0
  }
805
806
0
  zend_execute_data *prev_execute_data = EG(current_execute_data);
807
0
  zend_execute_data *execute_data, dummy_frame;
808
0
  zend_op dummy_opline;
809
810
  /* Add a dummy frame to get the correct strict_types behavior. */
811
0
  memset(&dummy_frame, 0, sizeof(zend_execute_data));
812
0
  memset(&dummy_opline, 0, sizeof(zend_op));
813
0
  dummy_frame.func = (zend_function *) op_array;
814
0
  dummy_frame.opline = &dummy_opline;
815
0
  dummy_opline.opcode = ZEND_DO_FCALL;
816
817
0
  execute_data = safe_emalloc(num_args, sizeof(zval), ZEND_CALL_FRAME_SLOT * sizeof(zval));
818
0
  memset(execute_data, 0, sizeof(zend_execute_data));
819
0
  execute_data->prev_execute_data = &dummy_frame;
820
0
  EG(current_execute_data) = execute_data;
821
822
  /* Enable suppression and counting of warnings. */
823
0
  ZEND_ASSERT(EG(capture_warnings_during_sccp) == 0);
824
0
  EG(capture_warnings_during_sccp) = 1;
825
826
0
  EX(func) = func;
827
0
  EX_NUM_ARGS() = num_args;
828
0
  for (i = 0; i < num_args; i++) {
829
0
    ZVAL_COPY(EX_VAR_NUM(i), args[i]);
830
0
  }
831
0
  ZVAL_NULL(result);
832
0
  func->internal_function.handler(execute_data, result);
833
0
  for (i = 0; i < num_args; i++) {
834
0
    zval_ptr_dtor_nogc(EX_VAR_NUM(i));
835
0
  }
836
837
0
  zend_result retval = SUCCESS;
838
0
  if (EG(exception)) {
839
0
    zval_ptr_dtor(result);
840
0
    zend_clear_exception();
841
0
    retval = FAILURE;
842
0
  } else if (EG(capture_warnings_during_sccp) > 1) {
843
0
    zval_ptr_dtor(result);
844
0
    retval = FAILURE;
845
0
  }
846
0
  EG(capture_warnings_during_sccp) = 0;
847
848
0
  efree(execute_data);
849
0
  EG(current_execute_data) = prev_execute_data;
850
0
  return retval;
851
0
}
852
853
static inline zend_result ct_eval_func_call(
854
0
    zend_op_array *op_array, zval *result, zend_string *name, uint32_t num_args, zval **args) {
855
0
  zend_function *func = zend_hash_find_ptr(CG(function_table), name);
856
0
  if (!func || func->type != ZEND_INTERNAL_FUNCTION) {
857
0
    return FAILURE;
858
0
  }
859
0
  return ct_eval_func_call_ex(op_array, result, func, num_args, args);
860
0
}
861
862
3.85M
#define SET_RESULT(op, zv) do { \
863
3.85M
  if (ssa_op->op##_def >= 0) { \
864
884k
    set_value(scdf, ctx, ssa_op->op##_def, zv); \
865
884k
  } \
866
3.85M
} while (0)
867
3.75M
#define SET_RESULT_BOT(op) SET_RESULT(op, &ctx->bot)
868
#define SET_RESULT_TOP(op) SET_RESULT(op, &ctx->top)
869
870
80.1k
#define SKIP_IF_TOP(op) if (IS_TOP(op)) return;
871
872
1.46M
static void sccp_visit_instr(scdf_ctx *scdf, zend_op *opline, zend_ssa_op *ssa_op) {
873
1.46M
  sccp_ctx *ctx = (sccp_ctx *) scdf;
874
1.46M
  zval *op1, *op2, zv; /* zv is a temporary to hold result values */
875
876
1.46M
  op1 = get_op1_value(ctx, opline, ssa_op);
877
1.46M
  op2 = get_op2_value(ctx, opline, ssa_op);
878
879
1.46M
  switch (opline->opcode) {
880
64.0k
    case ZEND_ASSIGN:
881
      /* The value of op1 is irrelevant here, because we are overwriting it
882
       * -- unless it can be a reference, in which case we propagate a BOT.
883
       * The result is also BOT in this case, because it might be a typed reference. */
884
64.0k
      if (IS_BOT(op1) && (ctx->scdf.ssa->var_info[ssa_op->op1_use].type & MAY_BE_REF)) {
885
38.8k
        SET_RESULT_BOT(op1);
886
38.8k
        SET_RESULT_BOT(result);
887
38.8k
      } else {
888
25.2k
        SET_RESULT(op1, op2);
889
25.2k
        SET_RESULT(result, op2);
890
25.2k
      }
891
64.0k
      return;
892
10.1k
    case ZEND_ASSIGN_DIM:
893
10.1k
    {
894
10.1k
      zval *data = get_op1_value(ctx, opline+1, ssa_op+1);
895
896
      /* If $a in $a[$b]=$c is UNDEF, treat it like NULL. There is no warning. */
897
10.1k
      if ((ctx->scdf.ssa->var_info[ssa_op->op1_use].type & MAY_BE_ANY) == 0) {
898
494
        op1 = &EG(uninitialized_zval);
899
494
      }
900
901
10.1k
      if (IS_BOT(op1)) {
902
8.82k
        SET_RESULT_BOT(result);
903
8.82k
        SET_RESULT_BOT(op1);
904
8.82k
        return;
905
8.82k
      }
906
907
1.33k
      SKIP_IF_TOP(op1);
908
1.33k
      SKIP_IF_TOP(data);
909
1.33k
      if (op2) {
910
473
        SKIP_IF_TOP(op2);
911
473
      }
912
913
1.33k
      if (op2 && IS_BOT(op2)) {
914
        /* Update of unknown index */
915
244
        SET_RESULT_BOT(result);
916
244
        if (ssa_op->op1_def >= 0) {
917
240
          empty_partial_array(&zv);
918
240
          SET_RESULT(op1, &zv);
919
240
          zval_ptr_dtor_nogc(&zv);
920
240
        } else {
921
4
          SET_RESULT_BOT(op1);
922
4
        }
923
244
        return;
924
244
      }
925
926
1.09k
      if (IS_BOT(data)) {
927
928
872
        SET_RESULT_BOT(result);
929
872
        if ((IS_PARTIAL_ARRAY(op1)
930
440
            || Z_TYPE_P(op1) == IS_NULL
931
156
            || Z_TYPE_P(op1) == IS_FALSE
932
130
            || Z_TYPE_P(op1) == IS_ARRAY)
933
870
          && ssa_op->op1_def >= 0) {
934
935
864
          if (Z_TYPE_P(op1) == IS_NULL || Z_TYPE_P(op1) == IS_FALSE) {
936
304
            empty_partial_array(&zv);
937
560
          } else {
938
560
            dup_partial_array(&zv, op1);
939
560
          }
940
941
864
          if (!op2) {
942
            /* We can't add NEXT element into partial array (skip it) */
943
780
            SET_RESULT(op1, &zv);
944
780
          } else if (ct_eval_del_array_elem(&zv, op2) == SUCCESS) {
945
84
            SET_RESULT(op1, &zv);
946
84
          } else {
947
0
            SET_RESULT_BOT(op1);
948
0
          }
949
950
864
          zval_ptr_dtor_nogc(&zv);
951
864
        } else {
952
8
          SET_RESULT_BOT(op1);
953
8
        }
954
955
872
      } else {
956
957
219
        if (IS_PARTIAL_ARRAY(op1)) {
958
23
          dup_partial_array(&zv, op1);
959
196
        } else {
960
196
          ZVAL_COPY(&zv, op1);
961
196
        }
962
963
219
        if (!op2 && IS_PARTIAL_ARRAY(&zv)) {
964
          /* We can't add NEXT element into partial array (skip it) */
965
4
          SET_RESULT(result, data);
966
4
          SET_RESULT(op1, &zv);
967
215
        } else if (ct_eval_assign_dim(&zv, data, op2) == SUCCESS) {
968
          /* Mark array containing partial array as partial */
969
205
          if (IS_PARTIAL_ARRAY(data) || IS_PARTIAL_OBJECT(data)) {
970
4
            MAKE_PARTIAL_ARRAY(&zv);
971
4
          }
972
205
          SET_RESULT(result, data);
973
205
          SET_RESULT(op1, &zv);
974
205
        } else {
975
10
          SET_RESULT_BOT(result);
976
10
          SET_RESULT_BOT(op1);
977
10
        }
978
979
219
        zval_ptr_dtor_nogc(&zv);
980
219
      }
981
1.09k
      return;
982
1.33k
    }
983
984
9.58k
    case ZEND_ASSIGN_OBJ:
985
9.58k
      if (ssa_op->op1_def >= 0
986
4.80k
          && ctx->scdf.ssa->vars[ssa_op->op1_def].escape_state == ESCAPE_STATE_NO_ESCAPE) {
987
252
        zval *data = get_op1_value(ctx, opline+1, ssa_op+1);
988
252
        zend_ssa_var_info *var_info = &ctx->scdf.ssa->var_info[ssa_op->op1_use];
989
990
        /* Don't try to propagate assignments to (potentially) typed properties. We would
991
         * need to deal with errors and type conversions first. */
992
        // TODO: Distinguish dynamic and declared property assignments here?
993
252
        if (!var_info->ce || (var_info->ce->ce_flags & ZEND_ACC_HAS_TYPE_HINTS) ||
994
194
            !(var_info->ce->ce_flags & ZEND_ACC_ALLOW_DYNAMIC_PROPERTIES)) {
995
95
          SET_RESULT_BOT(result);
996
95
          SET_RESULT_BOT(op1);
997
95
          return;
998
95
        }
999
1000
157
        if (IS_BOT(op1)) {
1001
4
          SET_RESULT_BOT(result);
1002
4
          SET_RESULT_BOT(op1);
1003
4
          return;
1004
4
        }
1005
1006
153
        SKIP_IF_TOP(op1);
1007
153
        SKIP_IF_TOP(data);
1008
153
        SKIP_IF_TOP(op2);
1009
1010
153
        if (IS_BOT(op2)) {
1011
          /* Update of unknown property */
1012
18
          SET_RESULT_BOT(result);
1013
18
          empty_partial_object(&zv);
1014
18
          SET_RESULT(op1, &zv);
1015
18
          zval_ptr_dtor_nogc(&zv);
1016
18
          return;
1017
18
        }
1018
1019
135
        if (IS_BOT(data)) {
1020
65
          SET_RESULT_BOT(result);
1021
65
          if (IS_PARTIAL_OBJECT(op1)
1022
0
              || Z_TYPE_P(op1) == IS_NULL
1023
65
              || Z_TYPE_P(op1) == IS_FALSE) {
1024
1025
65
            if (Z_TYPE_P(op1) == IS_NULL || Z_TYPE_P(op1) == IS_FALSE) {
1026
0
              empty_partial_object(&zv);
1027
65
            } else {
1028
65
              dup_partial_object(&zv, op1);
1029
65
            }
1030
1031
65
            if (ct_eval_del_obj_prop(&zv, op2) == SUCCESS) {
1032
65
              SET_RESULT(op1, &zv);
1033
65
            } else {
1034
0
              SET_RESULT_BOT(op1);
1035
0
            }
1036
65
            zval_ptr_dtor_nogc(&zv);
1037
65
          } else {
1038
0
            SET_RESULT_BOT(op1);
1039
0
          }
1040
1041
70
        } else {
1042
1043
70
          if (IS_PARTIAL_OBJECT(op1)) {
1044
70
            dup_partial_object(&zv, op1);
1045
70
          } else {
1046
0
            ZVAL_COPY(&zv, op1);
1047
0
          }
1048
1049
70
          if (ct_eval_assign_obj(&zv, data, op2) == SUCCESS) {
1050
70
            SET_RESULT(result, data);
1051
70
            SET_RESULT(op1, &zv);
1052
70
          } else {
1053
0
            SET_RESULT_BOT(result);
1054
0
            SET_RESULT_BOT(op1);
1055
0
          }
1056
1057
70
          zval_ptr_dtor_nogc(&zv);
1058
70
        }
1059
9.33k
      } else {
1060
9.33k
        SET_RESULT_BOT(result);
1061
9.33k
        SET_RESULT_BOT(op1);
1062
9.33k
      }
1063
9.47k
      return;
1064
1065
79.4k
    case ZEND_SEND_VAL:
1066
100k
    case ZEND_SEND_VAR:
1067
100k
    {
1068
      /* If the value of a SEND for an ICALL changes, we need to reconsider the
1069
       * ICALL result value. Otherwise we can ignore the opcode. */
1070
100k
      zend_call_info *call;
1071
100k
      if (!ctx->call_map) {
1072
2.77k
        return;
1073
2.77k
      }
1074
1075
97.3k
      call = ctx->call_map[opline - ctx->scdf.op_array->opcodes];
1076
97.3k
      if (IS_TOP(op1) || !call || !call->caller_call_opline
1077
97.3k
          || call->caller_call_opline->opcode != ZEND_DO_ICALL) {
1078
97.3k
        return;
1079
97.3k
      }
1080
1081
0
      opline = call->caller_call_opline;
1082
0
      ssa_op = &ctx->scdf.ssa->ops[opline - ctx->scdf.op_array->opcodes];
1083
0
      break;
1084
97.3k
    }
1085
3.82k
    case ZEND_INIT_ARRAY:
1086
19.6k
    case ZEND_ADD_ARRAY_ELEMENT:
1087
19.6k
    {
1088
19.6k
      zval *result = NULL;
1089
1090
19.6k
      if (opline->opcode == ZEND_ADD_ARRAY_ELEMENT) {
1091
15.8k
        result = &ctx->values[ssa_op->result_use];
1092
15.8k
        if (IS_BOT(result)) {
1093
117
          SET_RESULT_BOT(result);
1094
117
          SET_RESULT_BOT(op1);
1095
117
          return;
1096
117
        }
1097
15.7k
        SKIP_IF_TOP(result);
1098
15.7k
      }
1099
1100
19.5k
      if (op1) {
1101
19.4k
        SKIP_IF_TOP(op1);
1102
19.4k
      }
1103
1104
19.5k
      if (op2) {
1105
2.03k
        SKIP_IF_TOP(op2);
1106
2.03k
        if (Z_TYPE_P(op2) == IS_NULL) {
1107
          /* Emits deprecation at run-time. */
1108
6
          SET_RESULT_BOT(result);
1109
6
          return;
1110
6
        }
1111
2.03k
      }
1112
1113
      /* We want to avoid keeping around intermediate arrays for each SSA variable in the
1114
       * ADD_ARRAY_ELEMENT chain. We do this by only keeping the array on the last opcode
1115
       * and use a NULL value everywhere else. */
1116
19.5k
      if (result && Z_TYPE_P(result) == IS_NULL) {
1117
2
        SET_RESULT_BOT(result);
1118
2
        return;
1119
2
      }
1120
1121
19.5k
      if (op2 && IS_BOT(op2)) {
1122
        /* Update of unknown index */
1123
541
        SET_RESULT_BOT(op1);
1124
541
        if (ssa_op->result_def >= 0) {
1125
541
          empty_partial_array(&zv);
1126
541
          SET_RESULT(result, &zv);
1127
541
          zval_ptr_dtor_nogc(&zv);
1128
541
        } else {
1129
0
          SET_RESULT_BOT(result);
1130
0
        }
1131
541
        return;
1132
541
      }
1133
1134
19.0k
      if ((op1 && IS_BOT(op1))
1135
10.6k
          || (opline->extended_value & ZEND_ARRAY_ELEMENT_REF)) {
1136
1137
8.36k
        SET_RESULT_BOT(op1);
1138
8.36k
        if (ssa_op->result_def >= 0) {
1139
8.36k
          if (!result) {
1140
2.51k
            empty_partial_array(&zv);
1141
5.85k
          } else {
1142
5.85k
            MAKE_PARTIAL_ARRAY(result);
1143
5.85k
            ZVAL_COPY_VALUE(&zv, result);
1144
5.85k
            ZVAL_NULL(result);
1145
5.85k
          }
1146
8.36k
          if (!op2) {
1147
            /* We can't add NEXT element into partial array (skip it) */
1148
7.77k
            SET_RESULT(result, &zv);
1149
7.77k
          } else if (ct_eval_del_array_elem(&zv, op2) == SUCCESS) {
1150
576
            SET_RESULT(result, &zv);
1151
576
          } else {
1152
16
            SET_RESULT_BOT(result);
1153
16
          }
1154
8.36k
          zval_ptr_dtor_nogc(&zv);
1155
8.36k
        } else {
1156
          /* If any operand is BOT, mark the result as BOT right away.
1157
           * Exceptions to this rule are handled above. */
1158
0
          SET_RESULT_BOT(result);
1159
0
        }
1160
1161
10.6k
      } else {
1162
10.6k
        if (result) {
1163
9.58k
          ZVAL_COPY_VALUE(&zv, result);
1164
9.58k
          ZVAL_NULL(result);
1165
9.58k
        } else {
1166
1.06k
          array_init(&zv);
1167
1.06k
        }
1168
1169
10.6k
        if (op1) {
1170
10.5k
          if (!op2 && IS_PARTIAL_ARRAY(&zv)) {
1171
            /* We can't add NEXT element into partial array (skip it) */
1172
7.03k
            SET_RESULT(result, &zv);
1173
7.03k
          } else if (ct_eval_add_array_elem(&zv, op1, op2) == SUCCESS) {
1174
3.47k
            if (IS_PARTIAL_ARRAY(op1) || IS_PARTIAL_OBJECT(op1)) {
1175
180
              MAKE_PARTIAL_ARRAY(&zv);
1176
180
            }
1177
3.47k
            SET_RESULT(result, &zv);
1178
3.47k
          } else {
1179
24
            SET_RESULT_BOT(result);
1180
24
          }
1181
10.5k
        } else {
1182
122
          SET_RESULT(result, &zv);
1183
122
        }
1184
1185
10.6k
        zval_ptr_dtor_nogc(&zv);
1186
10.6k
      }
1187
19.0k
      return;
1188
19.5k
    }
1189
148
    case ZEND_ADD_ARRAY_UNPACK: {
1190
148
      zval *result = &ctx->values[ssa_op->result_use];
1191
148
      if (IS_BOT(result) || IS_BOT(op1)) {
1192
124
        SET_RESULT_BOT(result);
1193
124
        return;
1194
124
      }
1195
24
      SKIP_IF_TOP(result);
1196
24
      SKIP_IF_TOP(op1);
1197
1198
      /* See comment for ADD_ARRAY_ELEMENT. */
1199
24
      if (Z_TYPE_P(result) == IS_NULL) {
1200
0
        SET_RESULT_BOT(result);
1201
0
        return;
1202
0
      }
1203
24
      ZVAL_COPY_VALUE(&zv, result);
1204
24
      ZVAL_NULL(result);
1205
1206
24
      if (ct_eval_add_array_unpack(&zv, op1) == SUCCESS) {
1207
18
        SET_RESULT(result, &zv);
1208
18
      } else {
1209
6
        SET_RESULT_BOT(result);
1210
6
      }
1211
24
      zval_ptr_dtor_nogc(&zv);
1212
24
      return;
1213
24
    }
1214
21.8k
    case ZEND_NEW:
1215
21.8k
      if (ssa_op->result_def >= 0
1216
21.8k
          && ctx->scdf.ssa->vars[ssa_op->result_def].escape_state == ESCAPE_STATE_NO_ESCAPE) {
1217
340
        empty_partial_object(&zv);
1218
340
        SET_RESULT(result, &zv);
1219
340
        zval_ptr_dtor_nogc(&zv);
1220
21.4k
      } else {
1221
21.4k
        SET_RESULT_BOT(result);
1222
21.4k
      }
1223
21.8k
      return;
1224
164
    case ZEND_ASSIGN_STATIC_PROP_REF:
1225
573
    case ZEND_ASSIGN_OBJ_REF:
1226
      /* Handled here because we also need to BOT the OP_DATA operand, while the generic
1227
       * code below will not do so. */
1228
573
      SET_RESULT_BOT(result);
1229
573
      SET_RESULT_BOT(op1);
1230
573
      SET_RESULT_BOT(op2);
1231
573
      opline++;
1232
573
      ssa_op++;
1233
573
      SET_RESULT_BOT(op1);
1234
573
      break;
1235
1.46M
  }
1236
1237
1.23M
  if ((op1 && IS_BOT(op1)) || (op2 && IS_BOT(op2))) {
1238
    /* If any operand is BOT, mark the result as BOT right away.
1239
     * Exceptions to this rule are handled above. */
1240
700k
    SET_RESULT_BOT(result);
1241
700k
    SET_RESULT_BOT(op1);
1242
700k
    SET_RESULT_BOT(op2);
1243
700k
    return;
1244
700k
  }
1245
1246
536k
  switch (opline->opcode) {
1247
558
    case ZEND_ADD:
1248
1.28k
    case ZEND_SUB:
1249
2.33k
    case ZEND_MUL:
1250
3.14k
    case ZEND_DIV:
1251
4.52k
    case ZEND_MOD:
1252
4.73k
    case ZEND_POW:
1253
5.32k
    case ZEND_SL:
1254
5.65k
    case ZEND_SR:
1255
5.71k
    case ZEND_CONCAT:
1256
5.72k
    case ZEND_FAST_CONCAT:
1257
5.72k
    case ZEND_IS_EQUAL:
1258
5.88k
    case ZEND_IS_NOT_EQUAL:
1259
7.48k
    case ZEND_IS_SMALLER:
1260
8.14k
    case ZEND_IS_SMALLER_OR_EQUAL:
1261
8.15k
    case ZEND_IS_IDENTICAL:
1262
8.15k
    case ZEND_IS_NOT_IDENTICAL:
1263
8.24k
    case ZEND_BW_OR:
1264
8.35k
    case ZEND_BW_AND:
1265
9.48k
    case ZEND_BW_XOR:
1266
9.55k
    case ZEND_BOOL_XOR:
1267
9.56k
    case ZEND_CASE:
1268
9.62k
    case ZEND_CASE_STRICT:
1269
9.62k
      SKIP_IF_TOP(op1);
1270
9.62k
      SKIP_IF_TOP(op2);
1271
1272
9.62k
      if (ct_eval_binary_op(&zv, opline->opcode, op1, op2) == SUCCESS) {
1273
3.52k
        SET_RESULT(result, &zv);
1274
3.52k
        zval_ptr_dtor_nogc(&zv);
1275
3.52k
        break;
1276
3.52k
      }
1277
6.10k
      SET_RESULT_BOT(result);
1278
6.10k
      break;
1279
400
    case ZEND_ASSIGN_OP:
1280
440
    case ZEND_ASSIGN_DIM_OP:
1281
614
    case ZEND_ASSIGN_OBJ_OP:
1282
634
    case ZEND_ASSIGN_STATIC_PROP_OP:
1283
634
      if (op1) {
1284
468
        SKIP_IF_TOP(op1);
1285
468
      }
1286
634
      if (op2) {
1287
634
        SKIP_IF_TOP(op2);
1288
634
      }
1289
634
      if (opline->opcode == ZEND_ASSIGN_OP) {
1290
400
        if (ct_eval_binary_op(&zv, opline->extended_value, op1, op2) == SUCCESS) {
1291
393
          SET_RESULT(op1, &zv);
1292
393
          SET_RESULT(result, &zv);
1293
393
          zval_ptr_dtor_nogc(&zv);
1294
393
          break;
1295
393
        }
1296
400
      } else if (opline->opcode == ZEND_ASSIGN_DIM_OP) {
1297
40
        if ((IS_PARTIAL_ARRAY(op1) || Z_TYPE_P(op1) == IS_ARRAY)
1298
32
            && ssa_op->op1_def >= 0 && op2) {
1299
32
          zval tmp;
1300
32
          zval *data = get_op1_value(ctx, opline+1, ssa_op+1);
1301
1302
32
          SKIP_IF_TOP(data);
1303
1304
32
          if (ct_eval_fetch_dim(&tmp, op1, op2, 0) == SUCCESS) {
1305
10
            if (IS_BOT(data)) {
1306
2
              dup_partial_array(&zv, op1);
1307
2
              ct_eval_del_array_elem(&zv, op2);
1308
2
              SET_RESULT_BOT(result);
1309
2
              SET_RESULT(op1, &zv);
1310
2
              zval_ptr_dtor_nogc(&tmp);
1311
2
              zval_ptr_dtor_nogc(&zv);
1312
2
              break;
1313
2
            }
1314
1315
8
            if (ct_eval_binary_op(&tmp, opline->extended_value, &tmp, data) == FAILURE) {
1316
2
              SET_RESULT_BOT(result);
1317
2
              SET_RESULT_BOT(op1);
1318
2
              zval_ptr_dtor_nogc(&tmp);
1319
2
              break;
1320
2
            }
1321
1322
6
            if (IS_PARTIAL_ARRAY(op1)) {
1323
0
              dup_partial_array(&zv, op1);
1324
6
            } else {
1325
6
              ZVAL_COPY(&zv, op1);
1326
6
            }
1327
1328
6
            if (ct_eval_assign_dim(&zv, &tmp, op2) == SUCCESS) {
1329
6
              SET_RESULT(result, &tmp);
1330
6
              SET_RESULT(op1, &zv);
1331
6
              zval_ptr_dtor_nogc(&tmp);
1332
6
              zval_ptr_dtor_nogc(&zv);
1333
6
              break;
1334
6
            }
1335
1336
0
            zval_ptr_dtor_nogc(&tmp);
1337
0
            zval_ptr_dtor_nogc(&zv);
1338
0
          }
1339
32
        }
1340
194
      } else if (opline->opcode == ZEND_ASSIGN_OBJ_OP) {
1341
174
        if (op1 && IS_PARTIAL_OBJECT(op1)
1342
8
            && ssa_op->op1_def >= 0
1343
8
            && ctx->scdf.ssa->vars[ssa_op->op1_def].escape_state == ESCAPE_STATE_NO_ESCAPE) {
1344
8
          zval tmp;
1345
8
          zval *data = get_op1_value(ctx, opline+1, ssa_op+1);
1346
1347
8
          SKIP_IF_TOP(data);
1348
1349
8
          if (ct_eval_fetch_obj(&tmp, op1, op2) == SUCCESS) {
1350
0
            if (IS_BOT(data)) {
1351
0
              dup_partial_object(&zv, op1);
1352
0
              ct_eval_del_obj_prop(&zv, op2);
1353
0
              SET_RESULT_BOT(result);
1354
0
              SET_RESULT(op1, &zv);
1355
0
              zval_ptr_dtor_nogc(&tmp);
1356
0
              zval_ptr_dtor_nogc(&zv);
1357
0
              break;
1358
0
            }
1359
1360
0
            if (ct_eval_binary_op(&tmp, opline->extended_value, &tmp, data) == FAILURE) {
1361
0
              SET_RESULT_BOT(result);
1362
0
              SET_RESULT_BOT(op1);
1363
0
              zval_ptr_dtor_nogc(&tmp);
1364
0
              break;
1365
0
            }
1366
1367
0
            dup_partial_object(&zv, op1);
1368
1369
0
            if (ct_eval_assign_obj(&zv, &tmp, op2) == SUCCESS) {
1370
0
              SET_RESULT(result, &tmp);
1371
0
              SET_RESULT(op1, &zv);
1372
0
              zval_ptr_dtor_nogc(&tmp);
1373
0
              zval_ptr_dtor_nogc(&zv);
1374
0
              break;
1375
0
            }
1376
1377
0
            zval_ptr_dtor_nogc(&tmp);
1378
0
            zval_ptr_dtor_nogc(&zv);
1379
0
          }
1380
8
        }
1381
174
      }
1382
231
      SET_RESULT_BOT(result);
1383
231
      SET_RESULT_BOT(op1);
1384
231
      break;
1385
157
    case ZEND_PRE_INC_OBJ:
1386
177
    case ZEND_PRE_DEC_OBJ:
1387
207
    case ZEND_POST_INC_OBJ:
1388
215
    case ZEND_POST_DEC_OBJ:
1389
215
      if (op1) {
1390
10
        SKIP_IF_TOP(op1);
1391
10
        SKIP_IF_TOP(op2);
1392
10
        if (IS_PARTIAL_OBJECT(op1)
1393
10
            && ssa_op->op1_def >= 0
1394
10
            && ctx->scdf.ssa->vars[ssa_op->op1_def].escape_state == ESCAPE_STATE_NO_ESCAPE) {
1395
10
          zval tmp1, tmp2;
1396
1397
10
          if (ct_eval_fetch_obj(&tmp1, op1, op2) == SUCCESS) {
1398
8
            if (ct_eval_incdec(&tmp2, opline->opcode, &tmp1) == SUCCESS) {
1399
0
              dup_partial_object(&zv, op1);
1400
0
              ct_eval_assign_obj(&zv, &tmp2, op2);
1401
0
              if (opline->opcode == ZEND_PRE_INC_OBJ || opline->opcode == ZEND_PRE_DEC_OBJ) {
1402
0
                SET_RESULT(result, &tmp2);
1403
0
              } else {
1404
0
                SET_RESULT(result, &tmp1);
1405
0
              }
1406
0
              zval_ptr_dtor_nogc(&tmp1);
1407
0
              zval_ptr_dtor_nogc(&tmp2);
1408
0
              SET_RESULT(op1, &zv);
1409
0
              zval_ptr_dtor_nogc(&zv);
1410
0
              break;
1411
0
            }
1412
8
            zval_ptr_dtor_nogc(&tmp1);
1413
8
          }
1414
10
        }
1415
10
      }
1416
215
      SET_RESULT_BOT(op1);
1417
215
      SET_RESULT_BOT(result);
1418
215
      break;
1419
1.49k
    case ZEND_PRE_INC:
1420
1.56k
    case ZEND_PRE_DEC:
1421
1.56k
      SKIP_IF_TOP(op1);
1422
1.56k
      if (ct_eval_incdec(&zv, opline->opcode, op1) == SUCCESS) {
1423
1.54k
        SET_RESULT(op1, &zv);
1424
1.54k
        SET_RESULT(result, &zv);
1425
1.54k
        zval_ptr_dtor_nogc(&zv);
1426
1.54k
        break;
1427
1.54k
      }
1428
29
      SET_RESULT_BOT(op1);
1429
29
      SET_RESULT_BOT(result);
1430
29
      break;
1431
388
    case ZEND_POST_INC:
1432
475
    case ZEND_POST_DEC:
1433
475
      SKIP_IF_TOP(op1);
1434
475
      SET_RESULT(result, op1);
1435
475
      if (ct_eval_incdec(&zv, opline->opcode, op1) == SUCCESS) {
1436
468
        SET_RESULT(op1, &zv);
1437
468
        zval_ptr_dtor_nogc(&zv);
1438
468
        break;
1439
468
      }
1440
7
      SET_RESULT_BOT(op1);
1441
7
      break;
1442
188
    case ZEND_BW_NOT:
1443
458
    case ZEND_BOOL_NOT:
1444
458
      SKIP_IF_TOP(op1);
1445
458
      if (IS_PARTIAL_ARRAY(op1)) {
1446
9
        SET_RESULT_BOT(result);
1447
9
        break;
1448
9
      }
1449
449
      if (zend_optimizer_eval_unary_op(&zv, opline->opcode, op1) == SUCCESS) {
1450
250
        SET_RESULT(result, &zv);
1451
250
        zval_ptr_dtor_nogc(&zv);
1452
250
        break;
1453
250
      }
1454
199
      SET_RESULT_BOT(result);
1455
199
      break;
1456
479
    case ZEND_CAST:
1457
479
      SKIP_IF_TOP(op1);
1458
479
      if (IS_PARTIAL_ARRAY(op1)) {
1459
34
        SET_RESULT_BOT(result);
1460
34
        break;
1461
34
      }
1462
445
      if (zend_optimizer_eval_cast(&zv, opline->extended_value, op1) == SUCCESS) {
1463
13
        SET_RESULT(result, &zv);
1464
13
        zval_ptr_dtor_nogc(&zv);
1465
13
        break;
1466
13
      }
1467
432
      SET_RESULT_BOT(result);
1468
432
      break;
1469
77
    case ZEND_BOOL:
1470
334
    case ZEND_JMPZ_EX:
1471
468
    case ZEND_JMPNZ_EX:
1472
468
      SKIP_IF_TOP(op1);
1473
468
      if (ct_eval_bool_cast(&zv, op1) == SUCCESS) {
1474
462
        SET_RESULT(result, &zv);
1475
462
        zval_ptr_dtor_nogc(&zv);
1476
462
        break;
1477
462
      }
1478
6
      SET_RESULT_BOT(result);
1479
6
      break;
1480
66
    case ZEND_STRLEN:
1481
66
      SKIP_IF_TOP(op1);
1482
66
      if (zend_optimizer_eval_strlen(&zv, op1) == SUCCESS) {
1483
66
        SET_RESULT(result, &zv);
1484
66
        zval_ptr_dtor_nogc(&zv);
1485
66
        break;
1486
66
      }
1487
0
      SET_RESULT_BOT(result);
1488
0
      break;
1489
94
    case ZEND_YIELD_FROM:
1490
      // tmp = yield from [] -> tmp = null
1491
94
      SKIP_IF_TOP(op1);
1492
94
      if (Z_TYPE_P(op1) == IS_ARRAY && zend_hash_num_elements(Z_ARR_P(op1)) == 0) {
1493
14
        ZVAL_NULL(&zv);
1494
14
        SET_RESULT(result, &zv);
1495
14
        break;
1496
14
      }
1497
80
      SET_RESULT_BOT(result);
1498
80
      break;
1499
168
    case ZEND_COUNT:
1500
168
      SKIP_IF_TOP(op1);
1501
168
      if (Z_TYPE_P(op1) == IS_ARRAY) {
1502
18
        ZVAL_LONG(&zv, zend_hash_num_elements(Z_ARRVAL_P(op1)));
1503
18
        SET_RESULT(result, &zv);
1504
18
        zval_ptr_dtor_nogc(&zv);
1505
18
        break;
1506
18
      }
1507
150
      SET_RESULT_BOT(result);
1508
150
      break;
1509
0
    case ZEND_IN_ARRAY:
1510
0
      SKIP_IF_TOP(op1);
1511
0
      SKIP_IF_TOP(op2);
1512
0
      if (ct_eval_in_array(&zv, opline->extended_value, op1, op2) == SUCCESS) {
1513
0
        SET_RESULT(result, &zv);
1514
0
        zval_ptr_dtor_nogc(&zv);
1515
0
        break;
1516
0
      }
1517
0
      SET_RESULT_BOT(result);
1518
0
      break;
1519
0
    case ZEND_ARRAY_KEY_EXISTS:
1520
0
      SKIP_IF_TOP(op1);
1521
0
      SKIP_IF_TOP(op2);
1522
0
      if (ct_eval_array_key_exists(&zv, op1, op2) == SUCCESS) {
1523
0
        SET_RESULT(result, &zv);
1524
0
        zval_ptr_dtor_nogc(&zv);
1525
0
        break;
1526
0
      }
1527
0
      SET_RESULT_BOT(result);
1528
0
      break;
1529
267
    case ZEND_FETCH_DIM_R:
1530
285
    case ZEND_FETCH_DIM_IS:
1531
659
    case ZEND_FETCH_LIST_R:
1532
659
      SKIP_IF_TOP(op1);
1533
659
      SKIP_IF_TOP(op2);
1534
1535
659
      if (ct_eval_fetch_dim(&zv, op1, op2, (opline->opcode != ZEND_FETCH_LIST_R)) == SUCCESS) {
1536
481
        SET_RESULT(result, &zv);
1537
481
        zval_ptr_dtor_nogc(&zv);
1538
481
        break;
1539
481
      }
1540
178
      SET_RESULT_BOT(result);
1541
178
      break;
1542
72
    case ZEND_ISSET_ISEMPTY_DIM_OBJ:
1543
72
      SKIP_IF_TOP(op1);
1544
72
      SKIP_IF_TOP(op2);
1545
1546
72
      if (ct_eval_isset_dim(&zv, opline->extended_value, op1, op2) == SUCCESS) {
1547
64
        SET_RESULT(result, &zv);
1548
64
        zval_ptr_dtor_nogc(&zv);
1549
64
        break;
1550
64
      }
1551
8
      SET_RESULT_BOT(result);
1552
8
      break;
1553
3.11k
    case ZEND_FETCH_OBJ_R:
1554
3.48k
    case ZEND_FETCH_OBJ_IS:
1555
3.48k
      if (op1) {
1556
128
        SKIP_IF_TOP(op1);
1557
128
        SKIP_IF_TOP(op2);
1558
1559
128
        if (ct_eval_fetch_obj(&zv, op1, op2) == SUCCESS) {
1560
0
          SET_RESULT(result, &zv);
1561
0
          zval_ptr_dtor_nogc(&zv);
1562
0
          break;
1563
0
        }
1564
128
      }
1565
3.48k
      SET_RESULT_BOT(result);
1566
3.48k
      break;
1567
130
    case ZEND_ISSET_ISEMPTY_PROP_OBJ:
1568
130
      if (op1) {
1569
28
        SKIP_IF_TOP(op1);
1570
28
        SKIP_IF_TOP(op2);
1571
1572
28
        if (ct_eval_isset_obj(&zv, opline->extended_value, op1, op2) == SUCCESS) {
1573
28
          SET_RESULT(result, &zv);
1574
28
          zval_ptr_dtor_nogc(&zv);
1575
28
          break;
1576
28
        }
1577
28
      }
1578
102
      SET_RESULT_BOT(result);
1579
102
      break;
1580
4.91k
    case ZEND_QM_ASSIGN:
1581
5.25k
    case ZEND_JMP_SET:
1582
5.90k
    case ZEND_COALESCE:
1583
5.96k
    case ZEND_COPY_TMP:
1584
5.96k
      SET_RESULT(result, op1);
1585
5.96k
      break;
1586
44
    case ZEND_JMP_NULL:
1587
44
      switch (opline->extended_value & ZEND_SHORT_CIRCUITING_CHAIN_MASK) {
1588
44
        case ZEND_SHORT_CIRCUITING_CHAIN_EXPR:
1589
44
          ZVAL_NULL(&zv);
1590
44
          break;
1591
0
        case ZEND_SHORT_CIRCUITING_CHAIN_ISSET:
1592
0
          ZVAL_FALSE(&zv);
1593
0
          break;
1594
0
        case ZEND_SHORT_CIRCUITING_CHAIN_EMPTY:
1595
0
          ZVAL_TRUE(&zv);
1596
0
          break;
1597
0
        default: ZEND_UNREACHABLE();
1598
44
      }
1599
44
      SET_RESULT(result, &zv);
1600
44
      break;
1601
76
    case ZEND_FETCH_CLASS:
1602
76
      SET_RESULT(result, op2);
1603
76
      break;
1604
2
    case ZEND_ISSET_ISEMPTY_CV:
1605
2
      SKIP_IF_TOP(op1);
1606
2
      if (ct_eval_isset_isempty(&zv, opline->extended_value, op1) == SUCCESS) {
1607
2
        SET_RESULT(result, &zv);
1608
2
        zval_ptr_dtor_nogc(&zv);
1609
2
        break;
1610
2
      }
1611
0
      SET_RESULT_BOT(result);
1612
0
      break;
1613
2
    case ZEND_TYPE_CHECK:
1614
2
      SKIP_IF_TOP(op1);
1615
2
      ct_eval_type_check(&zv, opline->extended_value, op1);
1616
2
      SET_RESULT(result, &zv);
1617
2
      zval_ptr_dtor_nogc(&zv);
1618
2
      break;
1619
4
    case ZEND_INSTANCEOF:
1620
4
      SKIP_IF_TOP(op1);
1621
4
      ZVAL_FALSE(&zv);
1622
4
      SET_RESULT(result, &zv);
1623
4
      break;
1624
12.9k
    case ZEND_ROPE_INIT:
1625
12.9k
      SKIP_IF_TOP(op2);
1626
12.9k
      if (IS_PARTIAL_ARRAY(op2)) {
1627
0
        SET_RESULT_BOT(result);
1628
0
        break;
1629
0
      }
1630
12.9k
      if (zend_optimizer_eval_cast(&zv, IS_STRING, op2) == SUCCESS) {
1631
12.9k
        SET_RESULT(result, &zv);
1632
12.9k
        zval_ptr_dtor_nogc(&zv);
1633
12.9k
        break;
1634
12.9k
      }
1635
0
      SET_RESULT_BOT(result);
1636
0
      break;
1637
103
    case ZEND_ROPE_ADD:
1638
149
    case ZEND_ROPE_END:
1639
      // TODO The way this is currently implemented will result in quadratic runtime
1640
      // This is not necessary, the way the algorithm works it's okay to reuse the same
1641
      // string for all SSA vars with some extra checks
1642
149
      SKIP_IF_TOP(op1);
1643
149
      SKIP_IF_TOP(op2);
1644
149
      if (ct_eval_binary_op(&zv, ZEND_CONCAT, op1, op2) == SUCCESS) {
1645
148
        SET_RESULT(result, &zv);
1646
148
        zval_ptr_dtor_nogc(&zv);
1647
148
        break;
1648
148
      }
1649
1
      SET_RESULT_BOT(result);
1650
1
      break;
1651
0
    case ZEND_DO_ICALL:
1652
0
    {
1653
0
      zend_call_info *call;
1654
0
      zval *name, *args[3] = {NULL};
1655
1656
0
      if (!ctx->call_map) {
1657
0
        SET_RESULT_BOT(result);
1658
0
        break;
1659
0
      }
1660
1661
0
      call = ctx->call_map[opline - ctx->scdf.op_array->opcodes];
1662
0
      name = CT_CONSTANT_EX(ctx->scdf.op_array, call->caller_init_opline->op2.constant);
1663
1664
      /* We already know it can't be evaluated, don't bother checking again */
1665
0
      if (ssa_op->result_def < 0 || IS_BOT(&ctx->values[ssa_op->result_def])) {
1666
0
        break;
1667
0
      }
1668
1669
      /* We're only interested in functions with up to three arguments right now.
1670
       * Note that named arguments with the argument in declaration order will still work. */
1671
0
      if (call->num_args > 3 || call->send_unpack || call->is_prototype || call->named_args) {
1672
0
        SET_RESULT_BOT(result);
1673
0
        break;
1674
0
      }
1675
1676
0
      for (uint32_t i = 0; i < call->num_args; i++) {
1677
0
        zend_op *opline = call->arg_info[i].opline;
1678
0
        if (opline->opcode != ZEND_SEND_VAL && opline->opcode != ZEND_SEND_VAR) {
1679
0
          SET_RESULT_BOT(result);
1680
0
          return;
1681
0
        }
1682
1683
0
        args[i] = get_op1_value(ctx, opline,
1684
0
          &ctx->scdf.ssa->ops[opline - ctx->scdf.op_array->opcodes]);
1685
0
        if (args[i]) {
1686
0
          if (IS_BOT(args[i]) || IS_PARTIAL_ARRAY(args[i])) {
1687
0
            SET_RESULT_BOT(result);
1688
0
            return;
1689
0
          } else if (IS_TOP(args[i])) {
1690
0
            return;
1691
0
          }
1692
0
        }
1693
0
      }
1694
1695
      /* We didn't get a BOT argument, so value stays the same */
1696
0
      if (!IS_TOP(&ctx->values[ssa_op->result_def])) {
1697
0
        break;
1698
0
      }
1699
1700
0
      if (ct_eval_func_call(scdf->op_array, &zv, Z_STR_P(name), call->num_args, args) == SUCCESS) {
1701
0
        SET_RESULT(result, &zv);
1702
0
        zval_ptr_dtor_nogc(&zv);
1703
0
        break;
1704
0
      }
1705
1706
#if 0
1707
      /* sort out | uniq -c | sort -n */
1708
      fprintf(stderr, "%s\n", Z_STRVAL_P(name));
1709
      /*if (args[1]) {
1710
        php_printf("%s %Z %Z\n", Z_STRVAL_P(name), args[0], args[1]);
1711
      } else {
1712
        php_printf("%s %Z\n", Z_STRVAL_P(name), args[0]);
1713
      }*/
1714
#endif
1715
1716
0
      SET_RESULT_BOT(result);
1717
0
      break;
1718
0
    }
1719
0
    case ZEND_FRAMELESS_ICALL_0:
1720
0
    case ZEND_FRAMELESS_ICALL_1:
1721
0
    case ZEND_FRAMELESS_ICALL_2:
1722
0
    case ZEND_FRAMELESS_ICALL_3: {
1723
      /* We already know it can't be evaluated, don't bother checking again */
1724
0
      if (ssa_op->result_def < 0 || IS_BOT(&ctx->values[ssa_op->result_def])) {
1725
0
        break;
1726
0
      }
1727
1728
0
      zval *args[3] = {NULL};
1729
0
      zend_function *func = ZEND_FLF_FUNC(opline);
1730
0
      uint32_t num_args = ZEND_FLF_NUM_ARGS(opline->opcode);
1731
1732
0
      switch (num_args) {
1733
0
        case 3: {
1734
0
          zend_op *op_data = opline + 1;
1735
0
          args[2] = get_op1_value(ctx, op_data, &ctx->scdf.ssa->ops[op_data - ctx->scdf.op_array->opcodes]);
1736
0
          ZEND_FALLTHROUGH;
1737
0
        }
1738
0
        case 2:
1739
0
          args[1] = get_op2_value(ctx, opline, &ctx->scdf.ssa->ops[opline - ctx->scdf.op_array->opcodes]);
1740
0
          ZEND_FALLTHROUGH;
1741
0
        case 1:
1742
0
          args[0] = get_op1_value(ctx, opline, &ctx->scdf.ssa->ops[opline - ctx->scdf.op_array->opcodes]);
1743
0
          break;
1744
0
      }
1745
0
      for (uint32_t i = 0; i < num_args; i++) {
1746
0
        if (!args[i]) {
1747
0
          SET_RESULT_BOT(result);
1748
0
          return;
1749
0
        } else if (IS_BOT(args[i]) || IS_PARTIAL_ARRAY(args[i])) {
1750
0
          SET_RESULT_BOT(result);
1751
0
          return;
1752
0
        } else if (IS_TOP(args[i])) {
1753
0
          return;
1754
0
        }
1755
0
      }
1756
0
      if (ct_eval_func_call_ex(scdf->op_array, &zv, func, num_args, args) == SUCCESS) {
1757
0
        SET_RESULT(result, &zv);
1758
0
        zval_ptr_dtor_nogc(&zv);
1759
0
        break;
1760
0
      }
1761
0
      SET_RESULT_BOT(result);
1762
0
      break;
1763
0
    }
1764
499k
    default:
1765
499k
    {
1766
      /* If we have no explicit implementation return BOT */
1767
499k
      SET_RESULT_BOT(result);
1768
499k
      SET_RESULT_BOT(op1);
1769
499k
      SET_RESULT_BOT(op2);
1770
499k
      break;
1771
0
    }
1772
536k
  }
1773
536k
}
1774
1775
1.02M
static zval *value_from_type_and_range(sccp_ctx *ctx, int var_num, zval *tmp) {
1776
1.02M
  zend_ssa *ssa = ctx->scdf.ssa;
1777
1.02M
  zend_ssa_var_info *info = &ssa->var_info[var_num];
1778
1779
1.02M
  if (info->type & MAY_BE_UNDEF) {
1780
97.0k
    return NULL;
1781
97.0k
  }
1782
1783
926k
  if (!(info->type & MAY_BE_ANY)) {
1784
    /* This code must be unreachable. We could replace operands with NULL, but this doesn't
1785
     * really make things better. It would be better to later remove this code entirely. */
1786
6.71k
    return NULL;
1787
6.71k
  }
1788
1789
919k
  if (!(info->type & ((MAY_BE_ANY|MAY_BE_UNDEF)-MAY_BE_NULL))) {
1790
37.7k
    if (ssa->vars[var_num].definition >= 0
1791
35.1k
     && ctx->scdf.op_array->opcodes[ssa->vars[var_num].definition].opcode == ZEND_VERIFY_RETURN_TYPE) {
1792
48
      return NULL;
1793
48
    }
1794
37.6k
    ZVAL_NULL(tmp);
1795
37.6k
    return tmp;
1796
37.7k
  }
1797
882k
  if (!(info->type & ((MAY_BE_ANY|MAY_BE_UNDEF)-MAY_BE_FALSE))) {
1798
398
    if (ssa->vars[var_num].definition >= 0
1799
244
     && ctx->scdf.op_array->opcodes[ssa->vars[var_num].definition].opcode == ZEND_VERIFY_RETURN_TYPE) {
1800
2
      return NULL;
1801
2
    }
1802
396
    ZVAL_FALSE(tmp);
1803
396
    return tmp;
1804
398
  }
1805
881k
  if (!(info->type & ((MAY_BE_ANY|MAY_BE_UNDEF)-MAY_BE_TRUE))) {
1806
1.63k
    if (ssa->vars[var_num].definition >= 0
1807
1.38k
     && ctx->scdf.op_array->opcodes[ssa->vars[var_num].definition].opcode == ZEND_VERIFY_RETURN_TYPE) {
1808
8
      return NULL;
1809
8
    }
1810
1.63k
    ZVAL_TRUE(tmp);
1811
1.63k
    return tmp;
1812
1.63k
  }
1813
1814
879k
  if (!(info->type & ((MAY_BE_ANY|MAY_BE_UNDEF)-MAY_BE_LONG))
1815
108k
      && info->has_range
1816
107k
      && !info->range.overflow && !info->range.underflow
1817
17.8k
      && info->range.min == info->range.max) {
1818
837
    ZVAL_LONG(tmp, info->range.min);
1819
837
    return tmp;
1820
837
  }
1821
1822
879k
  return NULL;
1823
879k
}
1824
1825
1826
/* Returns whether there is a successor */
1827
static void sccp_mark_feasible_successors(
1828
    scdf_ctx *scdf,
1829
    int block_num, zend_basic_block *block,
1830
63.9k
    zend_op *opline, zend_ssa_op *ssa_op) {
1831
63.9k
  sccp_ctx *ctx = (sccp_ctx *) scdf;
1832
63.9k
  zval *op1, zv;
1833
63.9k
  uint32_t s;
1834
1835
  /* We can't determine the branch target at compile-time for these */
1836
63.9k
  switch (opline->opcode) {
1837
928
    case ZEND_ASSERT_CHECK:
1838
928
    case ZEND_CATCH:
1839
4.03k
    case ZEND_FE_FETCH_R:
1840
4.81k
    case ZEND_FE_FETCH_RW:
1841
4.98k
    case ZEND_BIND_INIT_STATIC_OR_JMP:
1842
4.98k
      scdf_mark_edge_feasible(scdf, block_num, block->successors[0]);
1843
4.98k
      scdf_mark_edge_feasible(scdf, block_num, block->successors[1]);
1844
4.98k
      return;
1845
63.9k
  }
1846
1847
58.9k
  op1 = get_op1_value(ctx, opline, ssa_op);
1848
58.9k
  if (IS_BOT(op1)) {
1849
54.2k
    ZEND_ASSERT(ssa_op->op1_use >= 0);
1850
54.2k
    op1 = value_from_type_and_range(ctx, ssa_op->op1_use, &zv);
1851
54.2k
  }
1852
1853
  /* Branch target can be either one */
1854
58.9k
  if (!op1 || IS_BOT(op1)) {
1855
162k
    for (s = 0; s < block->successors_count; s++) {
1856
108k
      scdf_mark_edge_feasible(scdf, block_num, block->successors[s]);
1857
108k
    }
1858
53.8k
    return;
1859
53.8k
  }
1860
1861
  /* Branch target not yet known */
1862
5.02k
  if (IS_TOP(op1)) {
1863
0
    return;
1864
0
  }
1865
1866
5.02k
  switch (opline->opcode) {
1867
734
    case ZEND_JMPZ:
1868
993
    case ZEND_JMPZ_EX:
1869
993
    {
1870
993
      if (ct_eval_bool_cast(&zv, op1) == FAILURE) {
1871
0
        scdf_mark_edge_feasible(scdf, block_num, block->successors[0]);
1872
0
        scdf_mark_edge_feasible(scdf, block_num, block->successors[1]);
1873
0
        return;
1874
0
      }
1875
993
      s = Z_TYPE(zv) == IS_TRUE;
1876
993
      break;
1877
993
    }
1878
2.32k
    case ZEND_JMPNZ:
1879
2.46k
    case ZEND_JMPNZ_EX:
1880
2.79k
    case ZEND_JMP_SET:
1881
2.79k
    {
1882
2.79k
      if (ct_eval_bool_cast(&zv, op1) == FAILURE) {
1883
0
        scdf_mark_edge_feasible(scdf, block_num, block->successors[0]);
1884
0
        scdf_mark_edge_feasible(scdf, block_num, block->successors[1]);
1885
0
        return;
1886
0
      }
1887
2.79k
      s = Z_TYPE(zv) == IS_FALSE;
1888
2.79k
      break;
1889
2.79k
    }
1890
780
    case ZEND_COALESCE:
1891
780
      s = (Z_TYPE_P(op1) == IS_NULL);
1892
780
      break;
1893
44
    case ZEND_JMP_NULL:
1894
44
      s = (Z_TYPE_P(op1) != IS_NULL);
1895
44
      break;
1896
370
    case ZEND_FE_RESET_R:
1897
389
    case ZEND_FE_RESET_RW:
1898
      /* A non-empty partial array is definitely non-empty, but an
1899
       * empty partial array may be non-empty at runtime. */
1900
389
      if (Z_TYPE_P(op1) != IS_ARRAY ||
1901
248
          (IS_PARTIAL_ARRAY(op1) && zend_hash_num_elements(Z_ARR_P(op1)) == 0)) {
1902
141
        scdf_mark_edge_feasible(scdf, block_num, block->successors[0]);
1903
141
        scdf_mark_edge_feasible(scdf, block_num, block->successors[1]);
1904
141
        return;
1905
141
      }
1906
248
      s = zend_hash_num_elements(Z_ARR_P(op1)) != 0;
1907
248
      break;
1908
0
    case ZEND_SWITCH_LONG:
1909
12
    case ZEND_SWITCH_STRING:
1910
24
    case ZEND_MATCH:
1911
24
    {
1912
24
      bool strict_comparison = opline->opcode == ZEND_MATCH;
1913
24
      uint8_t type = Z_TYPE_P(op1);
1914
24
      bool correct_type =
1915
24
        (opline->opcode == ZEND_SWITCH_LONG && type == IS_LONG)
1916
24
        || (opline->opcode == ZEND_SWITCH_STRING && type == IS_STRING)
1917
24
        || (opline->opcode == ZEND_MATCH && (type == IS_LONG || type == IS_STRING));
1918
1919
24
      if (correct_type) {
1920
6
        zend_op_array *op_array = scdf->op_array;
1921
6
        zend_ssa *ssa = scdf->ssa;
1922
6
        HashTable *jmptable = Z_ARRVAL_P(CT_CONSTANT_EX(op_array, opline->op2.constant));
1923
6
        zval *jmp_zv = type == IS_LONG
1924
6
          ? zend_hash_index_find(jmptable, Z_LVAL_P(op1))
1925
6
          : zend_hash_find(jmptable, Z_STR_P(op1));
1926
6
        int target;
1927
1928
6
        if (jmp_zv) {
1929
2
          target = ssa->cfg.map[ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, Z_LVAL_P(jmp_zv))];
1930
4
        } else {
1931
4
          target = ssa->cfg.map[ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, opline->extended_value)];
1932
4
        }
1933
6
        scdf_mark_edge_feasible(scdf, block_num, target);
1934
6
        return;
1935
18
      } else if (strict_comparison) {
1936
6
        zend_op_array *op_array = scdf->op_array;
1937
6
        zend_ssa *ssa = scdf->ssa;
1938
6
        int target = ssa->cfg.map[ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, opline->extended_value)];
1939
6
        scdf_mark_edge_feasible(scdf, block_num, target);
1940
6
        return;
1941
6
      }
1942
12
      s = block->successors_count - 1;
1943
12
      break;
1944
24
    }
1945
0
    default:
1946
0
      for (s = 0; s < block->successors_count; s++) {
1947
0
        scdf_mark_edge_feasible(scdf, block_num, block->successors[s]);
1948
0
      }
1949
0
      return;
1950
5.02k
  }
1951
4.87k
  scdf_mark_edge_feasible(scdf, block_num, block->successors[s]);
1952
4.87k
}
1953
1954
static void join_hash_tables(HashTable *ret, HashTable *ht1, HashTable *ht2)
1955
376
{
1956
376
  zend_ulong index;
1957
376
  zend_string *key;
1958
376
  zval *val1, *val2;
1959
1960
388
  ZEND_HASH_FOREACH_KEY_VAL(ht1, index, key, val1) {
1961
388
    if (key) {
1962
6
      val2 = zend_hash_find(ht2, key);
1963
6
    } else {
1964
0
      val2 = zend_hash_index_find(ht2, index);
1965
0
    }
1966
388
    if (val2 && zend_is_identical(val1, val2)) {
1967
0
      if (key) {
1968
0
        val1 = zend_hash_add_new(ret, key, val1);
1969
0
      } else {
1970
0
        val1 = zend_hash_index_add_new(ret, index, val1);
1971
0
      }
1972
0
      Z_TRY_ADDREF_P(val1);
1973
0
    }
1974
388
  } ZEND_HASH_FOREACH_END();
1975
376
}
1976
1977
static zend_result join_partial_arrays(zval *a, zval *b)
1978
3.88k
{
1979
3.88k
  zval ret;
1980
1981
3.88k
  if ((Z_TYPE_P(a) != IS_ARRAY && !IS_PARTIAL_ARRAY(a))
1982
3.50k
      || (Z_TYPE_P(b) != IS_ARRAY && !IS_PARTIAL_ARRAY(b))) {
1983
3.50k
    return FAILURE;
1984
3.50k
  }
1985
1986
376
  empty_partial_array(&ret);
1987
376
  join_hash_tables(Z_ARRVAL(ret), Z_ARRVAL_P(a), Z_ARRVAL_P(b));
1988
376
  zval_ptr_dtor_nogc(a);
1989
376
  ZVAL_COPY_VALUE(a, &ret);
1990
1991
376
  return SUCCESS;
1992
3.88k
}
1993
1994
static zend_result join_partial_objects(zval *a, zval *b)
1995
0
{
1996
0
  zval ret;
1997
1998
0
  if (!IS_PARTIAL_OBJECT(a) || !IS_PARTIAL_OBJECT(b)) {
1999
0
    return FAILURE;
2000
0
  }
2001
2002
0
  empty_partial_object(&ret);
2003
0
  join_hash_tables(Z_ARRVAL(ret), Z_ARRVAL_P(a), Z_ARRVAL_P(b));
2004
0
  zval_ptr_dtor_nogc(a);
2005
0
  ZVAL_COPY_VALUE(a, &ret);
2006
2007
0
  return SUCCESS;
2008
0
}
2009
2010
225k
static void join_phi_values(zval *a, zval *b, bool escape) {
2011
225k
  if (IS_BOT(a) || IS_TOP(b)) {
2012
69.7k
    return;
2013
69.7k
  }
2014
155k
  if (IS_TOP(a)) {
2015
148k
    zval_ptr_dtor_nogc(a);
2016
148k
    ZVAL_COPY(a, b);
2017
148k
    return;
2018
148k
  }
2019
7.21k
  if (IS_BOT(b)) {
2020
1.68k
    zval_ptr_dtor_nogc(a);
2021
1.68k
    MAKE_BOT(a);
2022
1.68k
    return;
2023
1.68k
  }
2024
5.52k
  if (IS_PARTIAL_ARRAY(a) || IS_PARTIAL_ARRAY(b)) {
2025
335
    if (join_partial_arrays(a, b) == FAILURE) {
2026
4
      zval_ptr_dtor_nogc(a);
2027
4
      MAKE_BOT(a);
2028
4
    }
2029
5.18k
  } else if (IS_PARTIAL_OBJECT(a) || IS_PARTIAL_OBJECT(b)) {
2030
0
    if (escape || join_partial_objects(a, b) == FAILURE) {
2031
0
      zval_ptr_dtor_nogc(a);
2032
0
      MAKE_BOT(a);
2033
0
    }
2034
5.18k
  } else if (!zend_is_identical(a, b)) {
2035
3.54k
    if (join_partial_arrays(a, b) == FAILURE) {
2036
3.50k
      zval_ptr_dtor_nogc(a);
2037
3.50k
      MAKE_BOT(a);
2038
3.50k
    }
2039
3.54k
  }
2040
5.52k
}
2041
2042
180k
static void sccp_visit_phi(scdf_ctx *scdf, const zend_ssa_phi *phi) {
2043
180k
  sccp_ctx *ctx = (sccp_ctx *) scdf;
2044
180k
  zend_ssa *ssa = scdf->ssa;
2045
180k
  ZEND_ASSERT(phi->ssa_var >= 0);
2046
180k
  if (!IS_BOT(&ctx->values[phi->ssa_var])) {
2047
149k
    zend_basic_block *block = &ssa->cfg.blocks[phi->block];
2048
149k
    int *predecessors = &ssa->cfg.predecessors[block->predecessor_offset];
2049
2050
149k
    zval result;
2051
149k
    MAKE_TOP(&result);
2052
#if SCP_DEBUG
2053
    fprintf(stderr, "Handling phi(");
2054
#endif
2055
149k
    if (phi->pi >= 0) {
2056
43.7k
      ZEND_ASSERT(phi->sources[0] >= 0);
2057
43.7k
      if (scdf_is_edge_feasible(scdf, phi->pi, phi->block)) {
2058
42.8k
        join_phi_values(&result, &ctx->values[phi->sources[0]], ssa->vars[phi->ssa_var].escape_state != ESCAPE_STATE_NO_ESCAPE);
2059
42.8k
      }
2060
105k
    } else {
2061
323k
      for (uint32_t i = 0; i < block->predecessors_count; i++) {
2062
217k
        ZEND_ASSERT(phi->sources[i] >= 0);
2063
217k
        if (scdf_is_edge_feasible(scdf, predecessors[i], phi->block)) {
2064
#if SCP_DEBUG
2065
          scp_dump_value(&ctx->values[phi->sources[i]]);
2066
          fprintf(stderr, ",");
2067
#endif
2068
182k
          join_phi_values(&result, &ctx->values[phi->sources[i]], ssa->vars[phi->ssa_var].escape_state != ESCAPE_STATE_NO_ESCAPE);
2069
182k
        } else {
2070
#if SCP_DEBUG
2071
          fprintf(stderr, " --,");
2072
#endif
2073
35.4k
        }
2074
217k
      }
2075
105k
    }
2076
#if SCP_DEBUG
2077
    fprintf(stderr, ")\n");
2078
#endif
2079
2080
149k
    set_value(scdf, ctx, phi->ssa_var, &result);
2081
149k
    zval_ptr_dtor_nogc(&result);
2082
149k
  }
2083
180k
}
2084
2085
/* Call instruction -> remove opcodes that are part of the call */
2086
static int remove_call(sccp_ctx *ctx, zend_op *opline, zend_ssa_op *ssa_op)
2087
0
{
2088
0
  zend_ssa *ssa = ctx->scdf.ssa;
2089
0
  zend_op_array *op_array = ctx->scdf.op_array;
2090
0
  zend_call_info *call;
2091
2092
0
  ZEND_ASSERT(ctx->call_map);
2093
0
  call = ctx->call_map[opline - op_array->opcodes];
2094
0
  ZEND_ASSERT(call);
2095
0
  ZEND_ASSERT(call->caller_call_opline == opline);
2096
0
  zend_ssa_remove_instr(ssa, opline, ssa_op);
2097
0
  zend_ssa_remove_instr(ssa, call->caller_init_opline,
2098
0
    &ssa->ops[call->caller_init_opline - op_array->opcodes]);
2099
2100
0
  for (uint32_t i = 0; i < call->num_args; i++) {
2101
0
    zend_ssa_remove_instr(ssa, call->arg_info[i].opline,
2102
0
      &ssa->ops[call->arg_info[i].opline - op_array->opcodes]);
2103
0
  }
2104
2105
  // TODO: remove call_info completely???
2106
0
  call->callee_func = NULL;
2107
2108
0
  return call->num_args + 2;
2109
0
}
2110
2111
/* This is a basic DCE pass we run after SCCP. It only works on those instructions those result
2112
 * value(s) were determined by SCCP. It removes dead computational instructions and converts
2113
 * CV-affecting instructions into CONST ASSIGNs. This basic DCE is performed for multiple reasons:
2114
 * a) During operand replacement we eliminate FREEs. The corresponding computational instructions
2115
 *    must be removed to avoid leaks. This way SCCP can run independently of the full DCE pass.
2116
 * b) The main DCE pass relies on type analysis to determine whether instructions have side-effects
2117
 *    and can't be DCEd. This means that it will not be able collect all instructions rendered dead
2118
 *    by SCCP, because they may have potentially side-effecting types, but the actual values are
2119
 *    not. As such doing DCE here will allow us to eliminate more dead code in combination.
2120
 * c) The ordinary DCE pass cannot collect dead calls. However SCCP can result in dead calls, which
2121
 *    we need to collect.
2122
 * d) The ordinary DCE pass cannot collect construction of dead non-escaping arrays and objects.
2123
 */
2124
static uint32_t try_remove_definition(sccp_ctx *ctx, int var_num, zend_ssa_var *var, zval *value)
2125
49.4k
{
2126
49.4k
  zend_ssa *ssa = ctx->scdf.ssa;
2127
49.4k
  zend_op_array *op_array = ctx->scdf.op_array;
2128
49.4k
  uint32_t removed_ops = 0;
2129
2130
49.4k
  if (var->definition >= 0) {
2131
46.5k
    zend_op *opline = &op_array->opcodes[var->definition];
2132
46.5k
    zend_ssa_op *ssa_op = &ssa->ops[var->definition];
2133
2134
46.5k
    if (ssa_op->result_def == var_num) {
2135
37.8k
      if (opline->opcode == ZEND_ASSIGN) {
2136
        /* We can't drop the ASSIGN, but we can remove the result. */
2137
975
        if (var->use_chain < 0 && var->phi_use_chain == NULL) {
2138
944
          opline->result_type = IS_UNUSED;
2139
944
          zend_ssa_remove_result_def(ssa, ssa_op);
2140
944
        }
2141
975
        return 0;
2142
975
      }
2143
36.9k
      if (ssa_op->op1_def >= 0 || ssa_op->op2_def >= 0) {
2144
182
        if (var->use_chain < 0 && var->phi_use_chain == NULL) {
2145
94
          switch (opline->opcode) {
2146
0
            case ZEND_ASSIGN:
2147
0
            case ZEND_ASSIGN_REF:
2148
20
            case ZEND_ASSIGN_DIM:
2149
20
            case ZEND_ASSIGN_OBJ:
2150
20
            case ZEND_ASSIGN_OBJ_REF:
2151
20
            case ZEND_ASSIGN_STATIC_PROP:
2152
20
            case ZEND_ASSIGN_STATIC_PROP_REF:
2153
61
            case ZEND_ASSIGN_OP:
2154
61
            case ZEND_ASSIGN_DIM_OP:
2155
61
            case ZEND_ASSIGN_OBJ_OP:
2156
61
            case ZEND_ASSIGN_STATIC_PROP_OP:
2157
67
            case ZEND_PRE_INC:
2158
69
            case ZEND_PRE_DEC:
2159
69
            case ZEND_PRE_INC_OBJ:
2160
69
            case ZEND_PRE_DEC_OBJ:
2161
69
            case ZEND_DO_ICALL:
2162
69
            case ZEND_DO_UCALL:
2163
69
            case ZEND_DO_FCALL_BY_NAME:
2164
69
            case ZEND_DO_FCALL:
2165
69
            case ZEND_INCLUDE_OR_EVAL:
2166
69
            case ZEND_YIELD:
2167
69
            case ZEND_YIELD_FROM:
2168
69
            case ZEND_ASSERT_CHECK:
2169
69
              opline->result_type = IS_UNUSED;
2170
69
              zend_ssa_remove_result_def(ssa, ssa_op);
2171
69
              break;
2172
25
            default:
2173
25
              break;
2174
94
          }
2175
94
        }
2176
        /* we cannot remove instruction that defines other variables */
2177
182
        return 0;
2178
36.7k
      } else if (opline->opcode == ZEND_JMPZ_EX
2179
36.4k
          || opline->opcode == ZEND_JMPNZ_EX
2180
36.3k
          || opline->opcode == ZEND_JMP_SET
2181
36.0k
          || opline->opcode == ZEND_COALESCE
2182
35.4k
          || opline->opcode == ZEND_JMP_NULL
2183
35.3k
          || opline->opcode == ZEND_FE_RESET_R
2184
35.3k
          || opline->opcode == ZEND_FE_RESET_RW
2185
35.3k
          || opline->opcode == ZEND_FE_FETCH_R
2186
35.3k
          || opline->opcode == ZEND_FE_FETCH_RW
2187
35.3k
          || opline->opcode == ZEND_NEW) {
2188
        /* we cannot simple remove jump instructions */
2189
1.35k
        return 0;
2190
35.3k
      } else if (var->use_chain >= 0
2191
32.8k
          || var->phi_use_chain != NULL) {
2192
32.8k
        if (value
2193
32.8k
            && (opline->result_type & (IS_VAR|IS_TMP_VAR))
2194
32.8k
            && opline->opcode != ZEND_QM_ASSIGN
2195
28.4k
            && opline->opcode != ZEND_FETCH_CLASS
2196
28.4k
            && opline->opcode != ZEND_ROPE_INIT
2197
15.5k
            && opline->opcode != ZEND_ROPE_ADD
2198
15.5k
            && opline->opcode != ZEND_INIT_ARRAY
2199
12.9k
            && opline->opcode != ZEND_ADD_ARRAY_ELEMENT
2200
41
            && opline->opcode != ZEND_ADD_ARRAY_UNPACK) {
2201
          /* Replace with QM_ASSIGN */
2202
41
          uint8_t old_type = opline->result_type;
2203
41
          uint32_t old_var = opline->result.var;
2204
2205
41
          ssa_op->result_def = -1;
2206
41
          if (opline->opcode == ZEND_DO_ICALL) {
2207
0
            removed_ops = remove_call(ctx, opline, ssa_op) - 1;
2208
41
          } else {
2209
41
            bool has_op_data = opline->opcode == ZEND_FRAMELESS_ICALL_3;
2210
41
            zend_ssa_remove_instr(ssa, opline, ssa_op);
2211
41
            removed_ops++;
2212
41
            if (has_op_data) {
2213
0
              zend_ssa_remove_instr(ssa, opline + 1, ssa_op + 1);
2214
0
              removed_ops++;
2215
0
            }
2216
41
          }
2217
41
          ssa_op->result_def = var_num;
2218
41
          opline->opcode = ZEND_QM_ASSIGN;
2219
41
          opline->result_type = old_type;
2220
41
          opline->result.var = old_var;
2221
41
          Z_TRY_ADDREF_P(value);
2222
41
          zend_optimizer_update_op1_const(ctx->scdf.op_array, opline, value);
2223
41
        }
2224
32.8k
        return 0;
2225
32.8k
      } else if ((opline->op2_type & (IS_VAR|IS_TMP_VAR))
2226
128
          && (!value_known(&ctx->values[ssa_op->op2_use])
2227
128
            || IS_PARTIAL_ARRAY(&ctx->values[ssa_op->op2_use])
2228
128
            || IS_PARTIAL_OBJECT(&ctx->values[ssa_op->op2_use]))) {
2229
0
        return 0;
2230
2.49k
      } else if ((opline->op1_type & (IS_VAR|IS_TMP_VAR))
2231
648
          && (!value_known(&ctx->values[ssa_op->op1_use])
2232
648
            || IS_PARTIAL_ARRAY(&ctx->values[ssa_op->op1_use])
2233
646
            || IS_PARTIAL_OBJECT(&ctx->values[ssa_op->op1_use]))) {
2234
2
        if (opline->opcode == ZEND_TYPE_CHECK
2235
2
         || opline->opcode == ZEND_BOOL) {
2236
0
          zend_ssa_remove_result_def(ssa, ssa_op);
2237
          /* For TYPE_CHECK we may compute the result value without knowing the
2238
           * operand, based on type inference information. Make sure the operand is
2239
           * freed and leave further cleanup to DCE. */
2240
0
          opline->opcode = ZEND_FREE;
2241
0
          opline->result_type = IS_UNUSED;
2242
0
          removed_ops++;
2243
2
        } else {
2244
2
          return 0;
2245
2
        }
2246
2.49k
      } else {
2247
2.49k
        zend_ssa_remove_result_def(ssa, ssa_op);
2248
2.49k
        if (opline->opcode == ZEND_DO_ICALL) {
2249
0
          removed_ops = remove_call(ctx, opline, ssa_op);
2250
2.49k
        } else {
2251
2.49k
          bool has_op_data = opline->opcode == ZEND_FRAMELESS_ICALL_3;
2252
2.49k
          zend_ssa_remove_instr(ssa, opline, ssa_op);
2253
2.49k
          removed_ops++;
2254
2.49k
          if (has_op_data) {
2255
0
            zend_ssa_remove_instr(ssa, opline + 1, ssa_op + 1);
2256
0
            removed_ops++;
2257
0
          }
2258
2.49k
        }
2259
2.49k
      }
2260
36.9k
    } else if (ssa_op->op1_def == var_num) {
2261
8.64k
      if (opline->opcode == ZEND_ASSIGN) {
2262
        /* Leave assigns to DCE (due to dtor effects) */
2263
8.01k
        return 0;
2264
8.01k
      }
2265
2266
      /* Compound assign or incdec -> convert to direct ASSIGN */
2267
2268
626
      if (!value) {
2269
        /* In some cases zend_may_throw() may be avoided */
2270
238
        switch (opline->opcode) {
2271
159
          case ZEND_ASSIGN_DIM:
2272
238
          case ZEND_ASSIGN_OBJ:
2273
238
          case ZEND_ASSIGN_OP:
2274
238
          case ZEND_ASSIGN_DIM_OP:
2275
238
          case ZEND_ASSIGN_OBJ_OP:
2276
238
          case ZEND_ASSIGN_STATIC_PROP_OP:
2277
238
            if ((ssa_op->op2_use >= 0 && !value_known(&ctx->values[ssa_op->op2_use]))
2278
196
                || ((ssa_op+1)->op1_use >= 0 &&!value_known(&ctx->values[(ssa_op+1)->op1_use]))) {
2279
196
              return 0;
2280
196
            }
2281
42
            break;
2282
42
          case ZEND_PRE_INC_OBJ:
2283
0
          case ZEND_PRE_DEC_OBJ:
2284
0
          case ZEND_POST_INC_OBJ:
2285
0
          case ZEND_POST_DEC_OBJ:
2286
0
            if (ssa_op->op2_use >= 0 && !value_known(&ctx->values[ssa_op->op2_use])) {
2287
0
              return 0;
2288
0
            }
2289
0
            break;
2290
0
          case ZEND_INIT_ARRAY:
2291
0
          case ZEND_ADD_ARRAY_ELEMENT:
2292
0
            if (opline->op2_type == IS_UNUSED) {
2293
0
              return 0;
2294
0
            }
2295
            /* break missing intentionally */
2296
0
          default:
2297
0
            if (zend_may_throw(opline, ssa_op, op_array, ssa)) {
2298
0
              return 0;
2299
0
            }
2300
0
            break;
2301
238
        }
2302
238
      }
2303
2304
      /* Mark result unused, if possible */
2305
430
      if (ssa_op->result_def >= 0) {
2306
31
        if (ssa->vars[ssa_op->result_def].use_chain < 0
2307
31
            && ssa->vars[ssa_op->result_def].phi_use_chain == NULL) {
2308
23
          zend_ssa_remove_result_def(ssa, ssa_op);
2309
23
          opline->result_type = IS_UNUSED;
2310
23
        } else if (opline->opcode != ZEND_PRE_INC &&
2311
8
            opline->opcode != ZEND_PRE_DEC) {
2312
          /* op1_def and result_def are different */
2313
8
          return removed_ops;
2314
8
        }
2315
31
      }
2316
2317
      /* Destroy previous op2 */
2318
422
      if (opline->op2_type == IS_CONST) {
2319
143
        literal_dtor(&ZEND_OP2_LITERAL(opline));
2320
279
      } else if (ssa_op->op2_use >= 0) {
2321
114
        if (ssa_op->op2_use != ssa_op->op1_use) {
2322
63
          zend_ssa_unlink_use_chain(ssa, var->definition, ssa_op->op2_use);
2323
63
        }
2324
114
        ssa_op->op2_use = -1;
2325
114
        ssa_op->op2_use_chain = -1;
2326
114
      }
2327
2328
      /* Remove OP_DATA opcode */
2329
422
      switch (opline->opcode) {
2330
166
        case ZEND_ASSIGN_DIM:
2331
192
        case ZEND_ASSIGN_OBJ:
2332
192
          removed_ops++;
2333
192
          zend_ssa_remove_instr(ssa, opline + 1, ssa_op + 1);
2334
192
          break;
2335
6
        case ZEND_ASSIGN_DIM_OP:
2336
6
        case ZEND_ASSIGN_OBJ_OP:
2337
6
        case ZEND_ASSIGN_STATIC_PROP_OP:
2338
6
          removed_ops++;
2339
6
          zend_ssa_remove_instr(ssa, opline + 1, ssa_op + 1);
2340
6
          break;
2341
224
        default:
2342
224
          break;
2343
422
      }
2344
2345
422
      if (value) {
2346
        /* Convert to ASSIGN */
2347
380
        opline->opcode = ZEND_ASSIGN;
2348
380
        opline->op2_type = IS_CONST;
2349
380
        opline->op2.constant = zend_optimizer_add_literal(op_array, value);
2350
380
        Z_TRY_ADDREF_P(value);
2351
380
      } else {
2352
        /* Remove dead array or object construction */
2353
42
        removed_ops++;
2354
42
        if (var->use_chain >= 0 || var->phi_use_chain != NULL) {
2355
20
          zend_ssa_rename_var_uses(ssa, ssa_op->op1_def, ssa_op->op1_use, 1);
2356
20
        }
2357
42
        zend_ssa_remove_op1_def(ssa, ssa_op);
2358
42
        zend_ssa_remove_instr(ssa, opline, ssa_op);
2359
42
      }
2360
422
    }
2361
46.5k
  } else if (var->definition_phi
2362
2.91k
      && var->use_chain < 0
2363
2.75k
      && var->phi_use_chain == NULL) {
2364
1.23k
    zend_ssa_remove_phi(ssa, var->definition_phi);
2365
1.23k
  }
2366
5.83k
  return removed_ops;
2367
49.4k
}
2368
2369
/* This will try to replace uses of SSA variables we have determined to be constant. Not all uses
2370
 * can be replaced, because some instructions don't accept constant operands or only accept them
2371
 * if they have a certain type. */
2372
72.4k
static uint32_t replace_constant_operands(sccp_ctx *ctx) {
2373
72.4k
  zend_ssa *ssa = ctx->scdf.ssa;
2374
72.4k
  zend_op_array *op_array = ctx->scdf.op_array;
2375
72.4k
  int i;
2376
72.4k
  zval tmp;
2377
72.4k
  uint32_t removed_ops = 0;
2378
2379
  /* We iterate the variables backwards, so we can eliminate sequences like INIT_ROPE
2380
   * and INIT_ARRAY. */
2381
1.09M
  for (i = ssa->vars_count - 1; i >= op_array->last_var; i--) {
2382
1.02M
    zend_ssa_var *var = &ssa->vars[i];
2383
1.02M
    zval *value;
2384
1.02M
    int use;
2385
2386
1.02M
    if (IS_PARTIAL_ARRAY(&ctx->values[i])
2387
1.01M
        || IS_PARTIAL_OBJECT(&ctx->values[i])) {
2388
6.14k
      if (!Z_DELREF(ctx->values[i])) {
2389
5.59k
        zend_array_destroy(Z_ARR(ctx->values[i]));
2390
5.59k
      }
2391
6.14k
      MAKE_BOT(&ctx->values[i]);
2392
6.14k
      if ((var->use_chain < 0 && var->phi_use_chain == NULL) || var->no_val) {
2393
377
        removed_ops += try_remove_definition(ctx, i, var, NULL);
2394
377
      }
2395
6.14k
      continue;
2396
1.01M
    } else if (value_known(&ctx->values[i])) {
2397
49.0k
      value = &ctx->values[i];
2398
969k
    } else {
2399
969k
      value = value_from_type_and_range(ctx, i, &tmp);
2400
969k
      if (!value) {
2401
929k
        continue;
2402
929k
      }
2403
969k
    }
2404
2405
131k
    FOREACH_USE(var, use) {
2406
131k
      zend_op *opline = &op_array->opcodes[use];
2407
131k
      zend_ssa_op *ssa_op = &ssa->ops[use];
2408
131k
      if (try_replace_op1(ctx, opline, ssa_op, i, value)) {
2409
6.40k
        if (opline->opcode == ZEND_NOP) {
2410
697
          removed_ops++;
2411
697
        }
2412
6.40k
        ZEND_ASSERT(ssa_op->op1_def == -1);
2413
6.40k
        if (ssa_op->op1_use != ssa_op->op2_use) {
2414
6.40k
          zend_ssa_unlink_use_chain(ssa, use, ssa_op->op1_use);
2415
6.40k
        } else {
2416
0
          ssa_op->op2_use_chain = ssa_op->op1_use_chain;
2417
0
        }
2418
6.40k
        ssa_op->op1_use = -1;
2419
6.40k
        ssa_op->op1_use_chain = -1;
2420
6.40k
      }
2421
131k
      if (try_replace_op2(ctx, opline, ssa_op, i, value)) {
2422
5.21k
        ZEND_ASSERT(ssa_op->op2_def == -1);
2423
5.21k
        if (ssa_op->op2_use != ssa_op->op1_use) {
2424
5.16k
          zend_ssa_unlink_use_chain(ssa, use, ssa_op->op2_use);
2425
5.16k
        }
2426
5.21k
        ssa_op->op2_use = -1;
2427
5.21k
        ssa_op->op2_use_chain = -1;
2428
5.21k
      }
2429
42.6k
    } FOREACH_USE_END();
2430
2431
89.2k
    if (value_known(&ctx->values[i])) {
2432
49.0k
      removed_ops += try_remove_definition(ctx, i, var, value);
2433
49.0k
    }
2434
89.2k
  }
2435
2436
72.4k
  return removed_ops;
2437
72.4k
}
2438
2439
static void sccp_context_init(zend_optimizer_ctx *ctx, sccp_ctx *sccp,
2440
72.4k
    zend_ssa *ssa, zend_op_array *op_array, zend_call_info **call_map) {
2441
72.4k
  int i;
2442
72.4k
  sccp->call_map = call_map;
2443
72.4k
  sccp->values = zend_arena_alloc(&ctx->arena, sizeof(zval) * ssa->vars_count);
2444
2445
72.4k
  MAKE_TOP(&sccp->top);
2446
72.4k
  MAKE_BOT(&sccp->bot);
2447
2448
72.4k
  i = 0;
2449
194k
  for (; i < op_array->last_var; ++i) {
2450
    /* These are all undefined variables, which we have to mark BOT.
2451
     * Otherwise the undefined variable warning might not be preserved. */
2452
121k
    MAKE_BOT(&sccp->values[i]);
2453
121k
  }
2454
1.09M
  for (; i < ssa->vars_count; ++i) {
2455
1.02M
    if (ssa->vars[i].alias) {
2456
0
      MAKE_BOT(&sccp->values[i]);
2457
1.02M
    } else {
2458
1.02M
      MAKE_TOP(&sccp->values[i]);
2459
1.02M
    }
2460
1.02M
  }
2461
72.4k
}
2462
2463
72.4k
static void sccp_context_free(sccp_ctx *sccp) {
2464
72.4k
  int i;
2465
1.09M
  for (i = sccp->scdf.op_array->last_var; i < sccp->scdf.ssa->vars_count; ++i) {
2466
1.02M
    zval_ptr_dtor_nogc(&sccp->values[i]);
2467
1.02M
  }
2468
72.4k
}
2469
2470
uint32_t sccp_optimize_op_array(zend_optimizer_ctx *ctx, zend_op_array *op_array, zend_ssa *ssa, zend_call_info **call_map)
2471
72.4k
{
2472
72.4k
  sccp_ctx sccp;
2473
72.4k
  uint32_t removed_ops = 0;
2474
72.4k
  void *checkpoint = zend_arena_checkpoint(ctx->arena);
2475
2476
72.4k
  sccp_context_init(ctx, &sccp, ssa, op_array, call_map);
2477
2478
72.4k
  sccp.scdf.handlers.visit_instr = sccp_visit_instr;
2479
72.4k
  sccp.scdf.handlers.visit_phi = sccp_visit_phi;
2480
72.4k
  sccp.scdf.handlers.mark_feasible_successors = sccp_mark_feasible_successors;
2481
2482
72.4k
  scdf_init(ctx, &sccp.scdf, op_array, ssa);
2483
72.4k
  scdf_solve(&sccp.scdf, "SCCP");
2484
2485
72.4k
  if (ctx->debug_level & ZEND_DUMP_SCCP) {
2486
0
    int i, first = 1;
2487
2488
0
    for (i = op_array->last_var; i < ssa->vars_count; i++) {
2489
0
      zval *zv = &sccp.values[i];
2490
2491
0
      if (IS_TOP(zv) || IS_BOT(zv)) {
2492
0
        continue;
2493
0
      }
2494
0
      if (first) {
2495
0
        first = 0;
2496
0
        fprintf(stderr, "\nSCCP Values for \"");
2497
0
        zend_dump_op_array_name(op_array);
2498
0
        fprintf(stderr, "\":\n");
2499
0
      }
2500
0
      fprintf(stderr, "    #%d.", i);
2501
0
      zend_dump_var(op_array, IS_CV, ssa->vars[i].var);
2502
0
      fprintf(stderr, " =");
2503
0
      scp_dump_value(zv);
2504
0
      fprintf(stderr, "\n");
2505
0
    }
2506
0
  }
2507
2508
72.4k
  removed_ops += scdf_remove_unreachable_blocks(&sccp.scdf);
2509
72.4k
  removed_ops += replace_constant_operands(&sccp);
2510
2511
72.4k
  sccp_context_free(&sccp);
2512
72.4k
  zend_arena_release(&ctx->arena, checkpoint);
2513
2514
72.4k
  return removed_ops;
2515
72.4k
}