Fix incorrect sccp optimization of zend_switch with strict comparison

Author: iluuu1994

Zend/tests/match/013.phpt

@@ -52,7 +52,7 @@ test:
      ; (after optimizer)
      ; %s
 0000 CV0($char) = RECV 1
-0001 SWITCH_STRING CV0($char) "a": 0020, "b": 0021, "c": 0021, "d": 0022, "e": 0023, "f": 0023, "g": 0024, "h": 0025, "i": 0025, default: 0026
+0001 MATCH_STRING CV0($char) "a": 0020, "b": 0021, "c": 0021, "d": 0022, "e": 0023, "f": 0023, "g": 0024, "h": 0025, "i": 0025, default: 0026
 0002 T1 = IS_IDENTICAL CV0($char) string("a")
 0003 JMPNZ T1 0020
 0004 T1 = IS_IDENTICAL CV0($char) string("b")

Zend/tests/match/018.phpt

@@ -0,0 +1,57 @@
+--TEST--
+Test match jump table optimizer
+--INI--
+opcache.enable=1
+opcache.enable_cli=1
+opcache.opt_debug_level=0x20000
+--SKIPIF--
+<?php if (!extension_loaded('Zend OPcache')) die('skip Zend OPcache extension not available'); ?>
+--FILE--
+<?php
+
+function test() {
+    $x = '2';
+    match($x) {
+        1, 2, 3, 4, 5 => { throw new RuntimeException(); },
+        default => { echo "No match\n"; },
+    }
+}
+test();
+
+function test2() {
+    $x = 2;
+    match($x) {
+        '1', '2', '3', '4', '5' => { throw new RuntimeException(); },
+        default => { echo "No match\n"; },
+    }
+}
+test2();
+
+--EXPECTF--
+$_main:
+     ; (lines=5, args=0, vars=0, tmps=0)
+     ; (after optimizer)
+     ; %s
+0000 INIT_FCALL 0 %d string("test")
+0001 DO_UCALL
+0002 INIT_FCALL 0 %d string("test2")
+0003 DO_UCALL
+0004 RETURN int(1)
+
+test:
+     ; (lines=2, args=0, vars=0, tmps=0)
+     ; (after optimizer)
+     ; %s
+0000 ECHO string("No match
+")
+0001 RETURN null
+
+test2:
+     ; (lines=2, args=0, vars=0, tmps=0)
+     ; (after optimizer)
+     ; %s
+0000 ECHO string("No match
+")
+0001 RETURN null
+No match
+No match

Zend/zend_compile.c

@@ -5249,7 +5249,7 @@ void zend_compile_match(znode *result, zend_ast *ast) /* {{{ */
 		ZVAL_ARR(&jumptable_op.u.constant, jumptable);
 
 		zend_op *opline = zend_emit_op(NULL,
-			jumptable_type == IS_LONG ? ZEND_SWITCH_LONG : ZEND_SWITCH_STRING,
+			jumptable_type == IS_LONG ? ZEND_MATCH_LONG : ZEND_MATCH_STRING,
 			&expr_node, &jumptable_op);
 		if (opline->op1_type == IS_CONST) {
 			Z_TRY_ADDREF_P(CT_CONSTANT(opline->op1));

Zend/zend_opcode.c

@@ -745,11 +745,13 @@ static zend_bool keeps_op1_alive(zend_op *opline) {
 	 * it is later freed by something else. */
 	if (opline->opcode == ZEND_CASE
 	 || opline->opcode == ZEND_SWITCH_LONG
+	 || opline->opcode == ZEND_MATCH_LONG
 	 || opline->opcode == ZEND_FETCH_LIST_R
 	 || opline->opcode == ZEND_COPY_TMP) {
 		return 1;
 	}
 	ZEND_ASSERT(opline->opcode != ZEND_SWITCH_STRING
+		&& opline->opcode != ZEND_MATCH_STRING
 		&& opline->opcode != ZEND_FE_FETCH_R
 		&& opline->opcode != ZEND_FE_FETCH_RW
 		&& opline->opcode != ZEND_FETCH_LIST_W
@@ -1020,6 +1022,8 @@ ZEND_API int pass_two(zend_op_array *op_array)
 				break;
 			case ZEND_SWITCH_LONG:
 			case ZEND_SWITCH_STRING:
+			case ZEND_MATCH_LONG:
+			case ZEND_MATCH_STRING:
 			{
 				/* absolute indexes to relative offsets */
 				HashTable *jumptable = Z_ARRVAL_P(CT_CONSTANT(opline->op2));

Zend/zend_vm_def.h

@@ -8402,6 +8402,16 @@ ZEND_VM_COLD_CONSTCONST_HANDLER(188, ZEND_SWITCH_STRING, CONST|TMPVARCV, CONST,
 	}
 }
 
+ZEND_VM_COLD_CONSTCONST_HANDLER(195, ZEND_MATCH_LONG, CONST|TMPVARCV, CONST, JMP_ADDR)
+{
+	ZEND_VM_DISPATCH_TO_HANDLER(ZEND_SWITCH_LONG);
+}
+
+ZEND_VM_COLD_CONSTCONST_HANDLER(196, ZEND_MATCH_STRING, CONST|TMPVARCV, CONST, JMP_ADDR)
+{
+	ZEND_VM_DISPATCH_TO_HANDLER(ZEND_SWITCH_STRING);
+}
+
 ZEND_VM_COLD_CONSTCONST_HANDLER(189, ZEND_IN_ARRAY, CONST|TMP|VAR|CV, CONST, NUM)
 {
 	USE_OPLINE

Zend/zend_vm_execute.h

@@ -59568,6 +59568,8 @@ void zend_vm_init(void)
 		2284,
 		2285 | SPEC_RULE_OP1,
 		2290 | SPEC_RULE_OP1 | SPEC_RULE_OP2,
+		2259 | SPEC_RULE_OP1,
+		2264 | SPEC_RULE_OP1,
 		3218
 	};
 #if (ZEND_VM_KIND == ZEND_VM_KIND_HYBRID)

Zend/zend_vm_opcodes.c

@@ -22,7 +22,7 @@
 #include <zend.h>
 #include <zend_vm_opcodes.h>
 
-static const char *zend_vm_opcodes_names[195] = {
+static const char *zend_vm_opcodes_names[197] = {
 	"ZEND_NOP",
 	"ZEND_ADD",
 	"ZEND_SUB",
@@ -218,9 +218,11 @@ static const char *zend_vm_opcodes_names[195] = {
 	"ZEND_GET_CALLED_CLASS",
 	"ZEND_GET_TYPE",
 	"ZEND_ARRAY_KEY_EXISTS",
+	"ZEND_MATCH_LONG",
+	"ZEND_MATCH_STRING",
 };
 
-static uint32_t zend_vm_opcodes_flags[195] = {
+static uint32_t zend_vm_opcodes_flags[197] = {
 	0x00000000,
 	0x00000b0b,
 	0x00000b0b,
@@ -416,6 +418,8 @@ static uint32_t zend_vm_opcodes_flags[195] = {
 	0x00000101,
 	0x00000103,
 	0x00000707,
+	0x0300030b,
+	0x0300030b,
 };
 
 ZEND_API const char* ZEND_FASTCALL zend_get_opcode_name(zend_uchar opcode) {

Zend/zend_vm_opcodes.h

@@ -271,7 +271,9 @@ END_EXTERN_C()
 #define ZEND_GET_CALLED_CLASS           192
 #define ZEND_GET_TYPE                   193
 #define ZEND_ARRAY_KEY_EXISTS           194
+#define ZEND_MATCH_LONG                 195
+#define ZEND_MATCH_STRING               196
 
-#define ZEND_VM_LAST_OPCODE             194
+#define ZEND_VM_LAST_OPCODE             196
 
 #endif

ext/opcache/Optimizer/block_pass.c

@@ -111,7 +111,9 @@ static int get_const_switch_target(zend_cfg *cfg, zend_op_array *op_array, zend_
 	HashTable *jumptable = Z_ARRVAL(ZEND_OP2_LITERAL(opline));
 	zval *zv;
 	if ((opline->opcode == ZEND_SWITCH_LONG && Z_TYPE_P(val) != IS_LONG)
-			|| (opline->opcode == ZEND_SWITCH_STRING && Z_TYPE_P(val) != IS_STRING)) {
+			|| (opline->opcode == ZEND_SWITCH_STRING && Z_TYPE_P(val) != IS_STRING)
+			|| (opline->opcode == ZEND_MATCH_LONG && Z_TYPE_P(val) != IS_LONG)
+			|| (opline->opcode == ZEND_MATCH_STRING && Z_TYPE_P(val) != IS_STRING)) {
 		/* fallback to next block */
 		return block->successors[block->successors_count - 1];
 	}
@@ -369,6 +371,8 @@ static void zend_optimize_block(zend_basic_block *block, zend_op_array *op_array
 
 			case ZEND_SWITCH_LONG:
 			case ZEND_SWITCH_STRING:
+			case ZEND_MATCH_LONG:
+			case ZEND_MATCH_STRING:
 				if (opline->op1_type & (IS_TMP_VAR|IS_VAR)) {
 					/* SWITCH variable will be deleted later by FREE, so we can't optimize it */
 					Tsource[VAR_NUM(opline->op1.var)] = NULL;
@@ -1046,6 +1050,8 @@ static void assemble_code_blocks(zend_cfg *cfg, zend_op_array *op_array, zend_op
 				break;
 			case ZEND_SWITCH_LONG:
 			case ZEND_SWITCH_STRING:
+			case ZEND_MATCH_LONG:
+			case ZEND_MATCH_STRING:
 			{
 				HashTable *jumptable = Z_ARRVAL(ZEND_OP2_LITERAL(opline));
 				zval *zv;

ext/opcache/Optimizer/dfa_pass.c

@@ -642,6 +642,8 @@ static void zend_ssa_replace_control_link(zend_op_array *op_array, zend_ssa *ssa
 				break;
 			case ZEND_SWITCH_LONG:
 			case ZEND_SWITCH_STRING:
+			case ZEND_MATCH_LONG:
+			case ZEND_MATCH_STRING:
 				{
 					HashTable *jumptable = Z_ARRVAL(ZEND_OP2_LITERAL(opline));
 					zval *zv;
@@ -896,6 +898,7 @@ static int zend_dfa_optimize_jmps(zend_op_array *op_array, zend_ssa *ssa)
 					break;
 				}
 				case ZEND_SWITCH_LONG:
+				case ZEND_MATCH_LONG:
 					if (opline->op1_type == IS_CONST) {
 						zval *zv = CT_CONSTANT_EX(op_array, opline->op1.constant);
 						if (Z_TYPE_P(zv) != IS_LONG) {
@@ -925,6 +928,7 @@ static int zend_dfa_optimize_jmps(zend_op_array *op_array, zend_ssa *ssa)
 					}
 					break;
 				case ZEND_SWITCH_STRING:
+				case ZEND_MATCH_STRING:
 					if (opline->op1_type == IS_CONST) {
 						zval *zv = CT_CONSTANT_EX(op_array, opline->op1.constant);
 						if (Z_TYPE_P(zv) != IS_STRING) {

ext/opcache/Optimizer/sccp.c

@@ -304,6 +304,8 @@ static zend_bool try_replace_op1(
 				case ZEND_FETCH_LIST_R:
 				case ZEND_SWITCH_STRING:
 				case ZEND_SWITCH_LONG:
+				case ZEND_MATCH_STRING:
+				case ZEND_MATCH_LONG:
 					if (Z_TYPE(zv) == IS_STRING) {
 						zend_string_hash_val(Z_STR(zv));
 					}
@@ -1975,6 +1977,9 @@ static void sccp_mark_feasible_successors(
 			s = zend_hash_num_elements(Z_ARR_P(op1)) != 0;
 			break;
 		case ZEND_SWITCH_LONG:
+		case ZEND_MATCH_LONG:
+		{
+			zend_bool strict_comparison = opline->opcode == ZEND_MATCH_LONG;
 			if (Z_TYPE_P(op1) == IS_LONG) {
 				zend_op_array *op_array = scdf->op_array;
 				zend_ssa *ssa = scdf->ssa;
@@ -1989,10 +1994,20 @@ static void sccp_mark_feasible_successors(
 				}
 				scdf_mark_edge_feasible(scdf, block_num, target);
 				return;
+			} else if (strict_comparison) {
+				zend_op_array *op_array = scdf->op_array;
+				zend_ssa *ssa = scdf->ssa;
+				int target = ssa->cfg.map[ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, opline->extended_value)];
+				scdf_mark_edge_feasible(scdf, block_num, target);
+				return;
 			}
 			s = 0;
 			break;
+		}
 		case ZEND_SWITCH_STRING:
+		case ZEND_MATCH_STRING:
+		{
+			zend_bool strict_comparison = opline->opcode == ZEND_MATCH_STRING;
 			if (Z_TYPE_P(op1) == IS_STRING) {
 				zend_op_array *op_array = scdf->op_array;
 				zend_ssa *ssa = scdf->ssa;
@@ -2007,9 +2022,16 @@ static void sccp_mark_feasible_successors(
 				}
 				scdf_mark_edge_feasible(scdf, block_num, target);
 				return;
+			} else if (strict_comparison) {
+				zend_op_array *op_array = scdf->op_array;
+				zend_ssa *ssa = scdf->ssa;
+				int target = ssa->cfg.map[ZEND_OFFSET_TO_OPLINE_NUM(op_array, opline, opline->extended_value)];
+				scdf_mark_edge_feasible(scdf, block_num, target);
+				return;
 			}
 			s = 0;
 			break;
+		}
 		default:
 			for (s = 0; s < block->successors_count; s++) {
 				scdf_mark_edge_feasible(scdf, block_num, block->successors[s]);

ext/opcache/Optimizer/zend_cfg.c

@@ -73,7 +73,12 @@ static void zend_mark_reachable(zend_op *opcodes, zend_cfg *cfg, zend_basic_bloc
 						succ->flags |= ZEND_BB_FOLLOW;
 					}
 				} else {
-					ZEND_ASSERT(opcode == ZEND_SWITCH_LONG || opcode == ZEND_SWITCH_STRING);
+					ZEND_ASSERT(
+						opcode == ZEND_SWITCH_LONG
+						|| opcode == ZEND_SWITCH_STRING
+						|| opcode == ZEND_MATCH_LONG
+						|| opcode == ZEND_MATCH_STRING
+					);
 					if (i == b->successors_count - 1) {
 						succ->flags |= ZEND_BB_FOLLOW | ZEND_BB_TARGET;
 					} else {
@@ -385,6 +390,8 @@ int zend_build_cfg(zend_arena **arena, const zend_op_array *op_array, uint32_t b
 				break;
 			case ZEND_SWITCH_LONG:
 			case ZEND_SWITCH_STRING:
+			case ZEND_MATCH_LONG:
+			case ZEND_MATCH_STRING:
 			{
 				HashTable *jumptable = Z_ARRVAL_P(CRT_CONSTANT(opline->op2));
 				zval *zv;
@@ -551,6 +558,8 @@ int zend_build_cfg(zend_arena **arena, const zend_op_array *op_array, uint32_t b
 				break;
 			case ZEND_SWITCH_LONG:
 			case ZEND_SWITCH_STRING:
+			case ZEND_MATCH_LONG:
+			case ZEND_MATCH_STRING:
 			{
 				HashTable *jumptable = Z_ARRVAL_P(CRT_CONSTANT(opline->op2));
 				zval *zv;

ext/opcache/Optimizer/zend_dump.c

@@ -615,7 +615,12 @@ void zend_dump_op(const zend_op_array *op_array, const zend_basic_block *b, cons
 
 	if (opline->op2_type == IS_CONST) {
 		zval *op = CRT_CONSTANT(opline->op2);
-		if (opline->opcode == ZEND_SWITCH_LONG || opline->opcode == ZEND_SWITCH_STRING) {
+		if (
+			opline->opcode == ZEND_SWITCH_LONG
+			|| opline->opcode == ZEND_SWITCH_STRING
+			|| opline->opcode == ZEND_MATCH_LONG
+			|| opline->opcode == ZEND_MATCH_STRING
+		) {
 			HashTable *jumptable = Z_ARRVAL_P(op);
 			zend_string *key;
 			zend_ulong num_key;

ext/opcache/Optimizer/zend_inference.c

@@ -4337,6 +4337,8 @@ int zend_may_throw(const zend_op *opline, const zend_ssa_op *ssa_op, const zend_
 		case ZEND_COALESCE:
 		case ZEND_SWITCH_LONG:
 		case ZEND_SWITCH_STRING:
+		case ZEND_MATCH_LONG:
+		case ZEND_MATCH_STRING:
 		case ZEND_ISSET_ISEMPTY_VAR:
 		case ZEND_ISSET_ISEMPTY_CV:
 		case ZEND_FUNC_NUM_ARGS:

ext/opcache/Optimizer/zend_optimizer.c

@@ -593,13 +593,19 @@ int zend_optimizer_replace_by_const(zend_op_array *op_array,
 				}
 				case ZEND_SWITCH_LONG:
 				case ZEND_SWITCH_STRING:
+				case ZEND_MATCH_LONG:
+				case ZEND_MATCH_STRING:
 				case ZEND_CASE: {
 					zend_op *end = op_array->opcodes + op_array->last;
 					while (opline < end) {
 						if (opline->op1_type == type && opline->op1.var == var) {
-							if (opline->opcode == ZEND_CASE
-									|| opline->opcode == ZEND_SWITCH_LONG
-									|| opline->opcode == ZEND_SWITCH_STRING) {
+							if (
+								opline->opcode == ZEND_CASE
+								|| opline->opcode == ZEND_SWITCH_LONG
+								|| opline->opcode == ZEND_SWITCH_STRING
+								|| opline->opcode == ZEND_MATCH_LONG
+								|| opline->opcode == ZEND_MATCH_STRING
+							) {
 								zval v;
 
 								if (opline->opcode == ZEND_CASE) {
@@ -693,6 +699,8 @@ void zend_optimizer_migrate_jump(zend_op_array *op_array, zend_op *new_opline, z
 			break;
 		case ZEND_SWITCH_LONG:
 		case ZEND_SWITCH_STRING:
+		case ZEND_MATCH_LONG:
+		case ZEND_MATCH_STRING:
 		{
 			HashTable *jumptable = Z_ARRVAL(ZEND_OP2_LITERAL(opline));
 			zval *zv;
@@ -737,6 +745,8 @@ void zend_optimizer_shift_jump(zend_op_array *op_array, zend_op *opline, uint32_
 			break;
 		case ZEND_SWITCH_LONG:
 		case ZEND_SWITCH_STRING:
+		case ZEND_MATCH_LONG:
+		case ZEND_MATCH_STRING:
 		{
 			HashTable *jumptable = Z_ARRVAL(ZEND_OP2_LITERAL(opline));
 			zval *zv;
@@ -1111,6 +1121,8 @@ static void zend_redo_pass_two(zend_op_array *op_array)
 			case ZEND_FE_FETCH_RW:
 			case ZEND_SWITCH_LONG:
 			case ZEND_SWITCH_STRING:
+			case ZEND_MATCH_LONG:
+			case ZEND_MATCH_STRING:
 				/* relative extended_value don't have to be changed */
 				break;
 #endif
@@ -1231,6 +1243,8 @@ static void zend_redo_pass_two_ex(zend_op_array *op_array, zend_ssa *ssa)
 			case ZEND_FE_FETCH_RW:
 			case ZEND_SWITCH_LONG:
 			case ZEND_SWITCH_STRING:
+			case ZEND_MATCH_LONG:
+			case ZEND_MATCH_STRING:
 				/* relative extended_value don't have to be changed */
 				break;
 #endif