VAR|TMP overhaul

The aim of this PR is twofold:

- Reduce the number of highly similar TMP|VAR handlers
- Avoid ZVAL_DEREF in most of these cases

This is achieved by guaranteeing that all zend_compile_expr() calls, as well as
all other compile calls with BP_VAR_R, will result in a TMP variable. This
implies that the result will not contain an IS_INDIRECT or IS_REFERENCE value,
which was mostly already the case, with two exceptions:

- Calls to return-by-reference functions. Because return-by-reference functions
  are quite rare, this is solved by delegating the DEREF to the RETURN_BY_REF
  handler, which will examine the stack to check whether the caller expects a
  VAR or TMP to understand whether the DEREF is needed.

- By-reference assignments, including both $a = &$b, as well as $a = [&$b]. When
  the result of these expressions is used in a BP_VAR_R context, it will be
  passed to a new ZEND_DEREF opcode beforehand. This is exceptionally rare.

Preliminary testing shows a 1.1% wall time improvement in Symfony Demo and
roughly 0.5% in Wordpress.

Author: iluuu1994

Zend/Optimizer/block_pass.c

@@ -289,29 +289,34 @@ static void zend_optimize_block(zend_basic_block *block, zend_op_array *op_array
 								MAKE_NOP(opline);
 								++(*opt_count);
 								break;
-							case ZEND_ASSIGN:
-							case ZEND_ASSIGN_DIM:
-							case ZEND_ASSIGN_OBJ:
-							case ZEND_ASSIGN_STATIC_PROP:
-							case ZEND_ASSIGN_OP:
-							case ZEND_ASSIGN_DIM_OP:
-							case ZEND_ASSIGN_OBJ_OP:
-							case ZEND_ASSIGN_STATIC_PROP_OP:
-							case ZEND_PRE_INC:
-							case ZEND_PRE_DEC:
-							case ZEND_PRE_INC_OBJ:
-							case ZEND_PRE_DEC_OBJ:
-							case ZEND_PRE_INC_STATIC_PROP:
-							case ZEND_PRE_DEC_STATIC_PROP:
+							case ZEND_QM_ASSIGN:
 								if (src < op_array->opcodes + block->start) {
 									break;
 								}
 								src->result_type = IS_UNUSED;
 								VAR_SOURCE(opline->op1) = NULL;
 								MAKE_NOP(opline);
 								++(*opt_count);
+								if (src->op1_type & (IS_VAR|IS_TMP_VAR)) {
+									src->opcode = ZEND_FREE;
+								} else if (src->op1_type == IS_CONST) {
+									MAKE_NOP(src);
+								} else if (src->op1_type == IS_CV) {
+									src->opcode = ZEND_CHECK_VAR;
+									SET_UNUSED(src->result);
+								}
 								break;
 							default:
+								if (!zend_op_may_elide_result(src->opcode)) {
+									break;
+								}
+								if (src < op_array->opcodes + block->start) {
+									break;
+								}
+								src->result_type = IS_UNUSED;
+								VAR_SOURCE(opline->op1) = NULL;
+								MAKE_NOP(opline);
+								++(*opt_count);
 								break;
 						}
 					}
@@ -985,6 +990,8 @@ static void zend_optimize_block(zend_basic_block *block, zend_op_array *op_array
 					src = VAR_SOURCE(opline->op1);
 					if (src &&
 						src->opcode != ZEND_COPY_TMP &&
+						/* See gh20628.phpt, breaks live-range calculation. */
+						src->opcode != ZEND_NEW &&
 						src->opcode != ZEND_ADD_ARRAY_ELEMENT &&
 						src->opcode != ZEND_ADD_ARRAY_UNPACK &&
 						(src->opcode != ZEND_DECLARE_LAMBDA_FUNCTION ||

Zend/Optimizer/dce.c

@@ -162,10 +162,16 @@ static inline bool may_have_side_effects(
 		case ZEND_EXT_FCALL_END:
 		case ZEND_TICKS:
 		case ZEND_YIELD:
-		case ZEND_YIELD_FROM:
 		case ZEND_VERIFY_NEVER_TYPE:
 			/* Intrinsic side effects */
 			return true;
+		case ZEND_YIELD_FROM: {
+			uint32_t t1 = OP1_INFO();
+			if ((t1 & (MAY_BE_ANY|MAY_BE_UNDEF)) == MAY_BE_ARRAY && MAY_BE_EMPTY_ONLY(t1)) {
+				return false;
+			}
+			return true;
+		}
 		case ZEND_DO_FCALL:
 		case ZEND_DO_FCALL_BY_NAME:
 		case ZEND_DO_ICALL:

Zend/Optimizer/zend_inference.c

@@ -5336,6 +5336,13 @@ ZEND_API bool zend_may_throw_ex(const zend_op *opline, const zend_ssa_op *ssa_op
 				return 1;
 			}
 			return 0;
+		case ZEND_YIELD_FROM: {
+			uint32_t t1 = OP1_INFO();
+			if ((t1 & (MAY_BE_ANY|MAY_BE_UNDEF)) == MAY_BE_ARRAY && MAY_BE_EMPTY_ONLY(t1)) {
+				return false;
+			}
+			return true;
+		}
 		default:
 			return 1;
 	}

Zend/tests/gh20628.inc

@@ -0,0 +1,3 @@
+<?php
+
+$this->bar();

Zend/tests/gh20628.phpt

@@ -0,0 +1,22 @@
+--TEST--
+Invalid opcode for method call with FETCH_THIS
+--FILE--
+<?php
+
+class Foo {
+    public function bar() {
+        var_dump($this, __METHOD__);
+    }
+
+    public function test() {
+        require __DIR__ . '/gh20628.inc';
+    }
+}
+
+(new Foo)->test();
+
+?>
+--EXPECTF--
+object(Foo)#%d (0) {
+}
+string(8) "Foo::bar"

Zend/tests/gh20628_001.phpt

@@ -0,0 +1,12 @@
+--TEST--
+Nullsafe operator does not support BP_VAR_W
+--FILE--
+<?php
+
+function &test($foo) {
+    return $foo?->bar();
+}
+
+?>
+--EXPECTF--
+Fatal error: Cannot take reference of a nullsafe chain in %s on line %d

Zend/tests/gh20628_002.phpt

@@ -0,0 +1,22 @@
+--TEST--
+Pipes support return-by-reference
+--FILE--
+<?php
+
+function &foo($val) {
+    global $x;
+    $x = $val;
+    return $x;
+}
+
+function &bar() {
+    return 42 |> foo(...);
+}
+
+$xRef = &bar();
+$xRef++;
+var_dump($x);
+
+?>
+--EXPECT--
+int(43)

Zend/tests/gh20628_003.phpt

@@ -0,0 +1,71 @@
+--TEST--
+Missing separation for ASSIGN_DIM with ref OP_DATA
+--FILE--
+<?php
+
+function a() {
+    $a[] = $b[] = &$a;
+    var_dump($a, $b);
+}
+
+function b() {
+    $a = [];
+    $b = [];
+    $a[] = $b[] = &$a;
+    var_dump($a, $b);
+}
+
+function c() {
+    $a[] = $b = &$a;
+    var_dump($a, $b);
+}
+
+function d() {
+    $a = $b[] = &$a;
+    var_dump($a, $b);
+}
+
+a();
+b();
+c();
+d();
+
+?>
+--EXPECT--
+array(1) {
+  [0]=>
+  NULL
+}
+array(1) {
+  [0]=>
+  &array(1) {
+    [0]=>
+    NULL
+  }
+}
+array(1) {
+  [0]=>
+  array(0) {
+  }
+}
+array(1) {
+  [0]=>
+  &array(1) {
+    [0]=>
+    array(0) {
+    }
+  }
+}
+array(1) {
+  [0]=>
+  NULL
+}
+array(1) {
+  [0]=>
+  NULL
+}
+NULL
+array(1) {
+  [0]=>
+  &NULL
+}

Zend/tests/list/bug73663.phpt

@@ -1,5 +1,7 @@
 --TEST--
 Bug #73663 ("Invalid opcode 65/16/8" occurs with a variable created with list())
+--XFAIL--
+list() assign resulting in a ref only when there's a single by-ref fetch is kinda weird.
 --FILE--
 <?php
 function change(&$ref) {

Zend/tests/operator_unsupported_types.phpt

@@ -287,7 +287,7 @@ Unsupported operand types: stdClass * stdClass
 Unsupported operand types: stdClass * resource
 Unsupported operand types: stdClass * string
 Unsupported operand types: resource * array
-Unsupported operand types: stdClass * resource
+Unsupported operand types: resource * stdClass
 Unsupported operand types: resource * resource
 Unsupported operand types: resource * string
 Unsupported operand types: string * array
@@ -753,7 +753,7 @@ Unsupported operand types: stdClass & stdClass
 Unsupported operand types: stdClass & resource
 Unsupported operand types: stdClass & string
 Unsupported operand types: resource & array
-Unsupported operand types: stdClass & resource
+Unsupported operand types: resource & stdClass
 Unsupported operand types: resource & resource
 Unsupported operand types: resource & string
 Unsupported operand types: string & array
@@ -828,7 +828,7 @@ Unsupported operand types: stdClass | stdClass
 Unsupported operand types: stdClass | resource
 Unsupported operand types: stdClass | string
 Unsupported operand types: resource | array
-Unsupported operand types: stdClass | resource
+Unsupported operand types: resource | stdClass
 Unsupported operand types: resource | resource
 Unsupported operand types: resource | string
 Unsupported operand types: string | array
@@ -903,7 +903,7 @@ Unsupported operand types: stdClass ^ stdClass
 Unsupported operand types: stdClass ^ resource
 Unsupported operand types: stdClass ^ string
 Unsupported operand types: resource ^ array
-Unsupported operand types: stdClass ^ resource
+Unsupported operand types: resource ^ stdClass
 Unsupported operand types: resource ^ resource
 Unsupported operand types: resource ^ string
 Unsupported operand types: string ^ array