Implement stackless internal function calls

Author: iluuu1994

Zend/Optimizer/dce.c

@@ -167,6 +167,10 @@ static inline bool may_have_side_effects(
 		case ZEND_DO_FCALL_BY_NAME:
 		case ZEND_DO_ICALL:
 		case ZEND_DO_UCALL:
+		case ZEND_FRAMELESS_ICALL_0:
+		case ZEND_FRAMELESS_ICALL_1:
+		case ZEND_FRAMELESS_ICALL_2:
+		case ZEND_FRAMELESS_ICALL_3:
 			/* For now assume all calls have side effects */
 			return 1;
 		case ZEND_RECV:

Zend/Optimizer/sccp.c

@@ -789,14 +789,10 @@ static bool can_ct_eval_func_call(zend_function *func, zend_string *name, uint32
 /* The functions chosen here are simple to implement and either likely to affect a branch,
  * or just happened to be commonly used with constant operands in WP (need to test other
  * applications as well, of course). */
-static inline zend_result ct_eval_func_call(
-		zend_op_array *op_array, zval *result, zend_string *name, uint32_t num_args, zval **args) {
+static inline zend_result ct_eval_func_call_ex(
+		zend_op_array *op_array, zval *result, zend_function *func, uint32_t num_args, zval **args) {
 	uint32_t i;
-	zend_function *func = zend_hash_find_ptr(CG(function_table), name);
-	if (!func || func->type != ZEND_INTERNAL_FUNCTION) {
-		return FAILURE;
-	}
-
+	zend_string *name = func->common.function_name;
 	if (num_args == 1 && Z_TYPE_P(args[0]) == IS_STRING &&
 			zend_optimizer_eval_special_func_call(result, name, Z_STR_P(args[0])) == SUCCESS) {
 		return SUCCESS;
@@ -855,6 +851,15 @@ static inline zend_result ct_eval_func_call(
 	return retval;
 }
 
+static inline zend_result ct_eval_func_call(
+		zend_op_array *op_array, zval *result, zend_string *name, uint32_t num_args, zval **args) {
+	zend_function *func = zend_hash_find_ptr(CG(function_table), name);
+	if (!func || func->type != ZEND_INTERNAL_FUNCTION) {
+		return FAILURE;
+	}
+	return ct_eval_func_call_ex(op_array, result, func, num_args, args);
+}
+
 #define SET_RESULT(op, zv) do { \
 	if (ssa_op->op##_def >= 0) { \
 		set_value(scdf, ctx, ssa_op->op##_def, zv); \
@@ -1708,6 +1713,51 @@ static void sccp_visit_instr(scdf_ctx *scdf, zend_op *opline, zend_ssa_op *ssa_o
 			SET_RESULT_BOT(result);
 			break;
 		}
+		case ZEND_FRAMELESS_ICALL_0:
+		case ZEND_FRAMELESS_ICALL_1:
+		case ZEND_FRAMELESS_ICALL_2:
+		case ZEND_FRAMELESS_ICALL_3: {
+			/* We already know it can't be evaluated, don't bother checking again */
+			if (ssa_op->result_def < 0 || IS_BOT(&ctx->values[ssa_op->result_def])) {
+				break;
+			}
+
+			zval *args[3] = {NULL};
+			zend_function *func = ZEND_FLF_FUNC(opline);
+			uint32_t num_args = ZEND_FLF_NUM_ARGS(opline->opcode);
+
+			switch (num_args) {
+	 			case 3: {
+					zend_op *op_data = opline + 1;
+					args[2] = get_op1_value(ctx, op_data, &ctx->scdf.ssa->ops[op_data - ctx->scdf.op_array->opcodes]);
+					ZEND_FALLTHROUGH;
+				}
+				case 2:
+					args[1] = get_op2_value(ctx, opline, &ctx->scdf.ssa->ops[opline - ctx->scdf.op_array->opcodes]);
+					ZEND_FALLTHROUGH;
+				case 1:
+					args[0] = get_op1_value(ctx, opline, &ctx->scdf.ssa->ops[opline - ctx->scdf.op_array->opcodes]);
+					break;
+			}
+			for (uint32_t i = 0; i < num_args; i++) {
+				if (!args[i]) {
+					SET_RESULT_BOT(result);
+					return;
+				} else if (IS_BOT(args[i]) || IS_PARTIAL_ARRAY(args[i])) {
+					SET_RESULT_BOT(result);
+					return;
+				} else if (IS_TOP(args[i])) {
+					return;
+				}
+			}
+			if (ct_eval_func_call_ex(scdf->op_array, &zv, func, num_args, args) == SUCCESS) {
+				SET_RESULT(result, &zv);
+				zval_ptr_dtor_nogc(&zv);
+				break;
+			}
+			SET_RESULT_BOT(result);
+			break;
+		}
 		default:
 		{
 			/* If we have no explicit implementation return BOT */
@@ -2155,7 +2205,13 @@ static int try_remove_definition(sccp_ctx *ctx, int var_num, zend_ssa_var *var,
 					if (opline->opcode == ZEND_DO_ICALL) {
 						removed_ops = remove_call(ctx, opline, ssa_op) - 1;
 					} else {
+						bool has_op_data = opline->opcode == ZEND_FRAMELESS_ICALL_3;
 						zend_ssa_remove_instr(ssa, opline, ssa_op);
+						removed_ops++;
+						if (has_op_data) {
+							zend_ssa_remove_instr(ssa, opline + 1, ssa_op + 1);
+							removed_ops++;
+						}
 					}
 					ssa_op->result_def = var_num;
 					opline->opcode = ZEND_QM_ASSIGN;
@@ -2191,8 +2247,13 @@ static int try_remove_definition(sccp_ctx *ctx, int var_num, zend_ssa_var *var,
 				if (opline->opcode == ZEND_DO_ICALL) {
 					removed_ops = remove_call(ctx, opline, ssa_op);
 				} else {
+					bool has_op_data = opline->opcode == ZEND_FRAMELESS_ICALL_3;
 					zend_ssa_remove_instr(ssa, opline, ssa_op);
 					removed_ops++;
+					if (has_op_data) {
+						zend_ssa_remove_instr(ssa, opline + 1, ssa_op + 1);
+						removed_ops++;
+					}
 				}
 			}
 		} else if (ssa_op->op1_def == var_num) {

Zend/Optimizer/zend_call_graph.c

@@ -73,6 +73,7 @@ ZEND_API void zend_analyze_calls(zend_arena **arena, zend_script *script, uint32
 					call_info->num_args = opline->extended_value;
 					call_info->next_callee = func_info->callee_info;
 					call_info->is_prototype = is_prototype;
+					call_info->is_frameless = false;
 					func_info->callee_info = call_info;
 
 					if (build_flags & ZEND_CALL_TREE) {
@@ -102,6 +103,24 @@ ZEND_API void zend_analyze_calls(zend_arena **arena, zend_script *script, uint32
 				call_info = NULL;
 				call++;
 				break;
+			case ZEND_FRAMELESS_ICALL_0:
+			case ZEND_FRAMELESS_ICALL_1:
+			case ZEND_FRAMELESS_ICALL_2:
+			case ZEND_FRAMELESS_ICALL_3: {
+				func = ZEND_FLF_FUNC(opline);
+				zend_call_info *call_info = zend_arena_calloc(arena, 1, sizeof(zend_call_info));
+				call_info->caller_op_array = op_array;
+				call_info->caller_init_opline = opline;
+				call_info->caller_call_opline = NULL;
+				call_info->callee_func = func;
+				call_info->num_args = ZEND_FLF_NUM_ARGS(opline->opcode);
+				call_info->next_callee = func_info->callee_info;
+				call_info->is_prototype = false;
+				call_info->is_frameless = true;
+				call_info->next_caller = NULL;
+				func_info->callee_info = call_info;
+				break;
+			}
 			case ZEND_DO_FCALL:
 			case ZEND_DO_ICALL:
 			case ZEND_DO_UCALL:
@@ -260,9 +279,11 @@ ZEND_API zend_call_info **zend_build_call_map(zend_arena **arena, zend_func_info
 		if (call->caller_call_opline) {
 			map[call->caller_call_opline - op_array->opcodes] = call;
 		}
-		for (i = 0; i < call->num_args; i++) {
-			if (call->arg_info[i].opline) {
-				map[call->arg_info[i].opline - op_array->opcodes] = call;
+		if (!call->is_frameless) {
+			for (i = 0; i < call->num_args; i++) {
+				if (call->arg_info[i].opline) {
+					map[call->arg_info[i].opline - op_array->opcodes] = call;
+				}
 			}
 		}
 	}

Zend/Optimizer/zend_call_graph.h

@@ -38,6 +38,7 @@ struct _zend_call_info {
 	bool               send_unpack;  /* Parameters passed by SEND_UNPACK or SEND_ARRAY */
 	bool               named_args;   /* Function has named arguments */
 	bool               is_prototype; /* An overridden child method may be called */
+	bool               is_frameless; /* A frameless function sends arguments through operands */
 	int                     num_args;	/* Number of arguments, excluding named and variadic arguments */
 	zend_send_arg_info      arg_info[1] ZEND_ELEMENT_COUNT(num_args);
 };

Zend/Optimizer/zend_dfg.c

@@ -122,6 +122,7 @@ static zend_always_inline void _zend_dfg_add_use_def_op(const zend_op_array *op_
 			}
 			break;
 		case ZEND_ASSIGN_STATIC_PROP_OP:
+		case ZEND_FRAMELESS_ICALL_3:
 			next = opline + 1;
 			if (next->op1_type & (IS_CV|IS_VAR|IS_TMP_VAR)) {
 				var_num = EX_VAR_TO_NUM(next->op1.var);

Zend/Optimizer/zend_dump.c

@@ -462,6 +462,11 @@ ZEND_API void zend_dump_op(const zend_op_array *op_array, const zend_basic_block
 	} else {
 		fprintf(stderr, "OP_%d", (int)opline->opcode);
 	}
+	
+	if (ZEND_OP_IS_FRAMELESS_ICALL(opline->opcode)) {
+		zend_function *func = ZEND_FLF_FUNC(opline);
+		fprintf(stderr, "(%s)", ZSTR_VAL(func->common.function_name));
+	}
 
 	if (ZEND_VM_EXT_NUM == (flags & ZEND_VM_EXT_MASK)) {
 		fprintf(stderr, " %u", opline->extended_value);

Zend/Optimizer/zend_func_info.c

@@ -51,6 +51,8 @@ typedef struct _func_info_t {
 
 static uint32_t zend_range_info(const zend_call_info *call_info, const zend_ssa *ssa)
 {
+	ZEND_ASSERT(!call_info->is_frameless);
+
 	if (!call_info->send_unpack
 	 && (call_info->num_args == 2 || call_info->num_args == 3)
 	 && ssa

Zend/Optimizer/zend_inference.c

@@ -3806,6 +3806,38 @@ static zend_always_inline zend_result _zend_update_type_info(
 				UPDATE_SSA_OBJ_TYPE(ce, 1, ssa_op->result_def);
 			}
 			break;
+		case ZEND_FRAMELESS_ICALL_1:
+		case ZEND_FRAMELESS_ICALL_2:
+		case ZEND_FRAMELESS_ICALL_3:
+			if (ssa_op->op1_def >= 0) {
+				ZEND_ASSERT(ssa_op->op1_use >= 0);
+				tmp = ssa->var_info[ssa_op->op1_use].type;
+				if (tmp & MAY_BE_RC1) {
+					tmp |= MAY_BE_RCN;
+				}
+				UPDATE_SSA_TYPE(tmp, ssa_op->op1_def);
+			}
+			if (ssa_op->op2_def >= 0) {
+				ZEND_ASSERT(ssa_op->op2_use >= 0);
+				tmp = ssa->var_info[ssa_op->op2_use].type;
+				if (tmp & MAY_BE_RC1) {
+					tmp |= MAY_BE_RCN;
+				}
+				UPDATE_SSA_TYPE(tmp, ssa_op->op2_def);
+			}
+			if (opline->opcode == ZEND_FRAMELESS_ICALL_3) {
+				zend_ssa_op *next_ssa_op = ssa_op + 1;
+				if (next_ssa_op->op1_def >= 0) {
+					ZEND_ASSERT(next_ssa_op->op1_use >= 0);
+					tmp = ssa->var_info[next_ssa_op->op1_use].type;
+					if (tmp & MAY_BE_RC1) {
+						tmp |= MAY_BE_RCN;
+					}
+					UPDATE_SSA_TYPE(tmp, next_ssa_op->op1_def);
+				}
+			}
+			ZEND_FALLTHROUGH;
+		case ZEND_FRAMELESS_ICALL_0:
 		case ZEND_DO_FCALL:
 		case ZEND_DO_ICALL:
 		case ZEND_DO_UCALL:

Zend/Optimizer/zend_ssa.c

@@ -766,6 +766,35 @@ static zend_always_inline int _zend_ssa_rename_op(const zend_op_array *op_array,
 				//NEW_SSA_VAR(opline->op1.var)
 			}
 			break;
+		case ZEND_FRAMELESS_ICALL_1:
+		case ZEND_FRAMELESS_ICALL_2:
+		case ZEND_FRAMELESS_ICALL_3: {
+			if ((build_flags & ZEND_SSA_RC_INFERENCE) && opline->op1_type == IS_CV) {
+				ssa_ops[k].op1_def = ssa_vars_count;
+				var[EX_VAR_TO_NUM(opline->op1.var)] = ssa_vars_count;
+				ssa_vars_count++;
+				//NEW_SSA_VAR(opline->op1.var)
+			}
+			if ((build_flags & ZEND_SSA_RC_INFERENCE) && opline->op2_type == IS_CV) {
+				ssa_ops[k].op2_def = ssa_vars_count;
+				var[EX_VAR_TO_NUM(opline->op2.var)] = ssa_vars_count;
+				ssa_vars_count++;
+				//NEW_SSA_VAR(opline->op2.var)
+			}
+			if (opline->opcode == ZEND_FRAMELESS_ICALL_3) {
+				next = opline + 1;
+				if (next->op1_type & (IS_CV|IS_VAR|IS_TMP_VAR)) {
+					ssa_ops[k + 1].op1_use = var[EX_VAR_TO_NUM(next->op1.var)];
+					//USE_SSA_VAR(op_array->last_var + next->op1.var);
+					if ((build_flags & ZEND_SSA_RC_INFERENCE) && next->op1_type == IS_CV) {
+						ssa_ops[k + 1].op1_def = ssa_vars_count;
+						var[EX_VAR_TO_NUM(next->op1.var)] = ssa_vars_count;
+						ssa_vars_count++;
+						//NEW_SSA_VAR(next->op1.var)
+					}
+				}
+			}
+		}
 		default:
 			break;
 	}

Zend/tests/frameless_throwing_destructor.phpt

@@ -0,0 +1,18 @@
+--TEST--
+Frameless call with throwing destructor
+--FILE--
+<?php
+class Foo {}
+class Bar {
+    public function __destruct() {
+        throw new Exception();
+    }
+}
+in_array(new Foo(), [new Bar()], true);
+?>
+--EXPECTF--
+Fatal error: Uncaught Exception in %s:%d
+Stack trace:
+#0 %s(%d): Bar->__destruct()
+#1 {main}
+  thrown in %s on line %d

Zend/tests/frameless_undefined_var.phpt

@@ -0,0 +1,18 @@
+--TEST--
+Undefined var in frameless call
+--FILE--
+<?php
+set_error_handler(function ($errno, $errstr) {
+    throw new Exception($errstr);
+});
+function test() {
+    strpos($foo, 'o');
+}
+try {
+    test();
+} catch (Exception $e) {
+    echo $e->getMessage(), "\n";
+}
+?>
+--EXPECT--
+Undefined variable $foo