Implement frameless type inference

Author: iluuu1994

Zend/Optimizer/sccp.c

@@ -1717,21 +1717,29 @@ static void sccp_visit_instr(scdf_ctx *scdf, zend_op *opline, zend_ssa_op *ssa_o
 		case ZEND_FRAMELESS_ICALL_1:
 		case ZEND_FRAMELESS_ICALL_2:
 		case ZEND_FRAMELESS_ICALL_3: {
+			if (!ctx->call_map) {
+				SET_RESULT_BOT(result);
+				break;
+			}
+
 			zval *args[3] = {NULL};
-			switch (opline->opcode) {
-	 			case ZEND_FRAMELESS_ICALL_3: {
+			zend_call_info *call = ctx->call_map[opline - ctx->scdf.op_array->opcodes];
+			zend_function *func = call->callee_func;
+			uint32_t num_args = ZEND_FLF_NUM_ARGS(opline->opcode);
+
+			switch (num_args) {
+	 			case 3: {
 					zend_op *op_data = opline + 1;
 					args[2] = get_op1_value(ctx, op_data, &ctx->scdf.ssa->ops[op_data - ctx->scdf.op_array->opcodes]);
 					ZEND_FALLTHROUGH;
 				}
-				case ZEND_FRAMELESS_ICALL_2:
+				case 2:
 					args[1] = get_op2_value(ctx, opline, &ctx->scdf.ssa->ops[opline - ctx->scdf.op_array->opcodes]);
 					ZEND_FALLTHROUGH;
-				case ZEND_FRAMELESS_ICALL_1:
+				case 1:
 					args[0] = get_op1_value(ctx, opline, &ctx->scdf.ssa->ops[opline - ctx->scdf.op_array->opcodes]);
 					break;
 			}
-			uint32_t num_args = ZEND_FLF_NUM_ARGS(opline->opcode);
 			for (uint32_t i = 0; i < num_args; i++) {
 				if (!args[i]) {
 					SET_RESULT_BOT(result);
@@ -1743,7 +1751,6 @@ static void sccp_visit_instr(scdf_ctx *scdf, zend_op *opline, zend_ssa_op *ssa_o
 					return;
 				}
 			}
-			zend_function *func = (*zend_frameless_function_0_functions_lists[num_args])[opline->extended_value];
 			if (ct_eval_func_call_ex(scdf->op_array, &zv, func, num_args, args) == SUCCESS) {
 				SET_RESULT(result, &zv);
 				zval_ptr_dtor_nogc(&zv);

Zend/Optimizer/zend_call_graph.c

@@ -73,6 +73,7 @@ ZEND_API void zend_analyze_calls(zend_arena **arena, zend_script *script, uint32
 					call_info->num_args = opline->extended_value;
 					call_info->next_callee = func_info->callee_info;
 					call_info->is_prototype = is_prototype;
+					call_info->is_frameless = false;
 					func_info->callee_info = call_info;
 
 					if (build_flags & ZEND_CALL_TREE) {
@@ -102,6 +103,24 @@ ZEND_API void zend_analyze_calls(zend_arena **arena, zend_script *script, uint32
 				call_info = NULL;
 				call++;
 				break;
+			case ZEND_FRAMELESS_ICALL_0:
+			case ZEND_FRAMELESS_ICALL_1:
+			case ZEND_FRAMELESS_ICALL_2:
+			case ZEND_FRAMELESS_ICALL_3: {
+				func = ZEND_FLF_FUNC(opline);
+				zend_call_info *call_info = zend_arena_calloc(arena, 1, sizeof(zend_call_info));
+				call_info->caller_op_array = op_array;
+				call_info->caller_init_opline = opline;
+				call_info->caller_call_opline = NULL;
+				call_info->callee_func = func;
+				call_info->num_args = ZEND_FLF_NUM_ARGS(opline->opcode);
+				call_info->next_callee = func_info->callee_info;
+				call_info->is_prototype = false;
+				call_info->is_frameless = true;
+				call_info->next_caller = NULL;
+				func_info->callee_info = call_info;
+				break;
+			}
 			case ZEND_DO_FCALL:
 			case ZEND_DO_ICALL:
 			case ZEND_DO_UCALL:
@@ -260,9 +279,11 @@ ZEND_API zend_call_info **zend_build_call_map(zend_arena **arena, zend_func_info
 		if (call->caller_call_opline) {
 			map[call->caller_call_opline - op_array->opcodes] = call;
 		}
-		for (i = 0; i < call->num_args; i++) {
-			if (call->arg_info[i].opline) {
-				map[call->arg_info[i].opline - op_array->opcodes] = call;
+		if (!call->is_frameless) {
+			for (i = 0; i < call->num_args; i++) {
+				if (call->arg_info[i].opline) {
+					map[call->arg_info[i].opline - op_array->opcodes] = call;
+				}
 			}
 		}
 	}

Zend/Optimizer/zend_call_graph.h

@@ -38,6 +38,7 @@ struct _zend_call_info {
 	bool               send_unpack;  /* Parameters passed by SEND_UNPACK or SEND_ARRAY */
 	bool               named_args;   /* Function has named arguments */
 	bool               is_prototype; /* An overridden child method may be called */
+	bool               is_frameless; /* A frameless function sends arguments through operands */
 	int                     num_args;	/* Number of arguments, excluding named and variadic arguments */
 	zend_send_arg_info      arg_info[1];
 };

Zend/Optimizer/zend_dump.c

@@ -449,6 +449,11 @@ ZEND_API void zend_dump_op(const zend_op_array *op_array, const zend_basic_block
 	} else {
 		fprintf(stderr, "OP_%d", (int)opline->opcode);
 	}
+	
+	if (ZEND_OP_IS_FRAMELESS_ICALL(opline->opcode)) {
+		zend_function *func = ZEND_FLF_FUNC(opline);
+		fprintf(stderr, "(%s)", ZSTR_VAL(func->common.function_name));
+	}
 
 	if (ZEND_VM_EXT_NUM == (flags & ZEND_VM_EXT_MASK)) {
 		fprintf(stderr, " %u", opline->extended_value);

Zend/Optimizer/zend_func_info.c

@@ -51,6 +51,8 @@ typedef struct _func_info_t {
 
 static uint32_t zend_range_info(const zend_call_info *call_info, const zend_ssa *ssa)
 {
+	ZEND_ASSERT(!call_info->is_frameless);
+
 	if (!call_info->send_unpack
 	 && (call_info->num_args == 2 || call_info->num_args == 3)
 	 && ssa

Zend/Optimizer/zend_inference.c

@@ -3793,6 +3793,10 @@ static zend_always_inline zend_result _zend_update_type_info(
 		case ZEND_DO_ICALL:
 		case ZEND_DO_UCALL:
 		case ZEND_DO_FCALL_BY_NAME:
+		case ZEND_FRAMELESS_ICALL_0:
+		case ZEND_FRAMELESS_ICALL_1:
+		case ZEND_FRAMELESS_ICALL_2:
+		case ZEND_FRAMELESS_ICALL_3:
 			if (ssa_op->result_def >= 0) {
 				zend_func_info *func_info = ZEND_FUNC_INFO(op_array);
 				zend_call_info *call_info;

Zend/zend_builtin_functions.c

@@ -1825,7 +1825,7 @@ ZEND_API void zend_fetch_debug_backtrace(zval *return_value, int skip_last, int
 			int num_args = ZEND_FLF_NUM_ARGS(opline->opcode);
 			stack_frame = zend_new_array(8);
 			zend_hash_real_init_mixed(stack_frame);
-			zend_function *func = (*zend_frameless_function_0_functions_lists[num_args])[opline->extended_value];
+			zend_function *func = ZEND_FLF_FUNC(opline);
 			zend_string *name = func->common.function_name;
 			ZVAL_STRINGL(&tmp, ZSTR_VAL(name), ZSTR_LEN(name));
 			_zend_hash_append_ex(stack_frame, ZSTR_KNOWN(ZEND_STR_FUNCTION), &tmp, 1);

Zend/zend_execute_API.c

@@ -569,8 +569,7 @@ ZEND_API zend_function *zend_active_function_ex(zend_execute_data *execute_data)
 	if (ZEND_USER_CODE(func->type)) {
 		const zend_op *op = EX(opline);
 		if (ZEND_OP_IS_FRAMELESS_ICALL(op->opcode)) {
-			uint32_t num_args = ZEND_FLF_NUM_ARGS(op->opcode);
-			func = (*zend_frameless_function_0_functions_lists[num_args])[op->extended_value];
+			func = ZEND_FLF_FUNC(op);
 		}
 	}
 

Zend/zend_frameless_function.h

@@ -28,6 +28,7 @@
 #define ZEND_FRAMELESS_FUNCTION_NAME(name, arity) zdc_##name##_##arity
 #define ZEND_OP_IS_FRAMELESS_ICALL(opcode) ((opcode) >= ZEND_FRAMELESS_ICALL_0 && (opcode) <= ZEND_FRAMELESS_ICALL_3)
 #define ZEND_FLF_NUM_ARGS(opcode) ((opcode) - ZEND_FRAMELESS_ICALL_0)
+#define ZEND_FLF_FUNC(opline) ((*zend_frameless_function_0_functions_lists[ZEND_FLF_NUM_ARGS((opline)->opcode)])[(opline)->extended_value])
 
 #define ZEND_FRAMELESS_FUNCTION(name, arity) \
 	void ZEND_FRAMELESS_FUNCTION_NAME(name, arity)(DIRECT_FUNCTION_PARAMETERS_##arity)

ext/opcache/tests/opt/inference_frameless.phpt

@@ -0,0 +1,28 @@
+--TEST--
+Type inference of frameless functions
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.optimization_level=-1
+opcache.opt_debug_level=0x20000
+--FILE--
+<?php
+function _strpos(string $str): int|false {
+    return \strpos($str, 1, 1);
+}
+?>
+--EXPECTF--
+$_main:
+     ; (lines=1, args=0, vars=0, tmps=0)
+     ; (after optimizer)
+     ; %sinference_frameless.php:1-6
+0000 RETURN int(1)
+
+_strpos:
+     ; (lines=4, args=1, vars=1, tmps=1)
+     ; (after optimizer)
+     ; %sinference_frameless.php:2-4
+0000 CV0($str) = RECV 1
+0001 T1 = FRAMELESS_ICALL_3(strpos) (SUB) CV0($str) int(1)
+0002 OP_DATA int(1)
+0003 RETURN T1