1 **********************************
2 * HipHop Bytecode v1 revision 18 *
3 **********************************
9 HipHop bytecode (HHBC) v1 is intended to serve as the conceptual basis for
10 encoding the semantic meaning of HipHop source code into a format that is
11 appropriate for consumption by interpreters and just-in-time compilers. By
12 using simpler constructs to encode more complex expressions and statements,
13 HHBC makes it straightforward for an interpreter or a compiler to determine
14 the order of execution for a program.
16 HHBC was designed with several competing goals in mind:
18 1) Run-time efficiency. The design of HHBC should be congruous to implementing
19 an efficient execution engine, whether it be an interpreter or a just-in-time
22 2) PHP 5.5 compatibility. It should be possible to compile valid PHP 5.5 source
23 code into HipHop bytecode in a way that preserves the semantic meaning of the
26 3) Simplicity. The design of HHBC should avoid features that could be removed
27 or simplified without compromising PHP 5.5 compatibility, run-time efficiency,
28 or design cleanliness.
34 Each HipHop source file is compiled into a separate "compilation unit", or
35 "unit" for short. Units are composed of bytecode and metadata.
37 A unit's bytecode is an array of bytes encoding a sequence of HHBC
38 instructions, where each instruction is encoded using one or more bytes. This
39 specification defines an instruction set and defines the behavior of each HHBC
40 instruction, but the exact byte values used to encode HHBC instructions is
41 currently unspecified.
43 A unit's metadata is a set of structures that provide essential information
44 that is needed at run time by the execution engine. This specification will
45 describe a unit's metadata as a set of named tables with ordered rows, but the
46 exact format of the metadata is currently unspecified.
48 Each instruction in a unit's bytecode can be referred to using a "bytecode
49 offset", which is the distance in bytes from the first byte of a unit's
50 bytecode to the first byte of the instruction.
52 A unit's bytecode is partitioned into sections called "functions". The unit's
53 metadata uses bytecode offsets to specify which instructions belong to which
56 When a unit is loaded at run time, the execution engine assigns the unit's
57 bytecode a logical range of addresses called "bytecode addresses". An
58 instruction is referred to at run time using its bytecode address.
64 HipHop bytecode models the flow of execution using a stack of frames referred
65 to as the "call stack". A "frame" is a structure that logically consists of a
66 header, a program counter (PC), a local variable store, an iterator variable
67 store, an evaluation stack, and a function parameter info (FPI) stack.
69 The frame at the top of the call stack is referred to as the "current frame".
70 The current frame represents the function that is currently executing. The
71 program counter (PC) of the current frame is referred to as the "current PC".
72 At any given time, the current PC holds the bytecode address of the current
73 instruction to execute. When the execution engine executes an instruction, the
74 current PC is updated to point to the next instruction. By default, the current
75 PC is updated to point to the byte that sequentially follows the last byte of
76 the current instruction in the bytecode. Some instructions override the default
77 behavior and explicitly update the current PC in a specific way.
79 HHBC provides special instructions to allow for calling a function and
80 returning from a function. When a function is called, a new frame is pushed
81 onto the call stack, and the PC of the new frame is initialized to the
82 appropriate entry point (typically the instruction of the function that is
83 sequentially first in the bytecode). The new frame becomes the current frame,
84 and the PC of the new frame becomes the current PC. When a function returns,
85 the current frame is popped off the call stack. The previous frame becomes the
86 current frame, and its PC becomes the current PC. The facility provided by the
87 execution engine that is responsible for handling function calls and returns is
88 called the "dispatcher".
90 Typically, a frame is removed from the call stack when its corresponding
91 function returns. However, a frame may be removed from the call stack before
92 its corresponding function returns in the course of processing an exception.
93 The facility provided by the execution engine that is responsible for
94 processing exceptions is called the "unwinder".
100 HHBC instructions may push and pop values on the current frame's evaluation
101 stack and they may read and write values to the current frame's local
102 variables. Values come in three flavors: cells, refs, and classrefs.
104 A "cell" is a structure that contains a type identifier and either data (for
105 non-refcounted types) or a pointer to data (for refcounted types). When a cell
106 containing a pointer is duplicated, the new cell will point to the same data as
107 the original cell. When a cell containing a pointer is duplicated or discarded,
108 the execution engine is responsible for honoring the data's refcount logic.
110 A "ref" is a structure that contains a pointer to a cell container. When a ref
111 is duplicated, the new ref will point to the same container as the original
112 ref. When a ref is duplicated or destroyed, the execution engine is responsible
113 for honoring the container's refcount logic. When the container is destroyed,
114 the cell it contains is also destroyed.
116 A "classref" is a structure that contains a reference to a class. When a
117 classref is pushed onto the stack or popped of the stack, no refcounting is
120 Values on the evaluation stack may be any of the three flavors listed above.
121 Values stored in local variables may only be cells or refs.
127 A unit's bytecode is organized into functions. Each function has its own
128 metadata that provides essential information about the function, such as the
129 name of the function, how many local variables it has, how many iterator
130 variables it has, how many formal parameters it has, the names of the local
131 variables, the names of the formal parameters, how each parameter should be
132 passed (pass by value vs. pass by reference), whether each parameter has a
133 default value, and an upper bound for the maximum depth the evaluation stack
134 can reach at run time.
136 Each local variable and iterator variable has an id, and HHBC instructions can
137 reference these variables using these ids. The id space for local variables is
138 distinct from the id space for iterator variables. Thus local id 1 refers to a
139 different variable than iterator id 1. Local variable ids and iterator ids are
140 signed 32-bit integer values. No function may have more than 2^31 - 1 local
141 variables, and no function may have more than 2^31 - 1 iterator variables.
143 Some local variables have names associated with them (called "named local
144 variables"), while other local variables do not have names associated with them
145 (called "unnamed local variables"). All local variables that reference formally
146 declared parameters have names associated with them. Iterator variables do not
147 have names associated with them. Variables that have a name associated with
148 them will appear in the current variable environment (if they are defined),
149 while variables that do not have a name associated with them will never appear
150 in the current variable environment.
152 Formally declared parameters are considered to be local variables. Given a
153 function with n formally declared parameters, local ids 0 through n-1 will be
154 used to reference the formally declared parameters. Formal parameters without
155 default values are called "required parameters", while formal parameters with
156 default values are called "optional parameters".
158 The bytecode for each function is partitioned into a primary function body and
159 0 or more fault funclets. The metadata for each function specifies how many
160 fault funclets the function has. For the primary function body, the metadata
161 specifies a set of non-overlapping ranges of bytecode that compose the primary
162 function body, and it specifies the main entry point and 0 or more DV entry
163 points (entry points are discussed in more detail in the "Entry points"
164 section). For each fault funclet, the metadata specifies a set of non-
165 overlapping ranges of bytecode that compose the fault funclet body, and it
166 specifies an entry point for the fault funclet. The primary function body and
167 the fault funclets may not overlap with each other, and the union of the
168 primary function body and the fault funclets must cover all of the function's
169 bytecode. Fault funclets are discussed in more detail in the "Exception handler
170 (EH) table" and "Processing exceptions" sections.
172 The total size of the bytecode for the primary function body and all the fault
173 funclets must not exceed 2^31 - 1 bytes. The bytecode for a function must be
174 one contiguous range of bytecode.
176 Each function's metadata provides a "line number table" to allow mapping
177 bytecode offsets back to source line numbers. Each row in the line number table
178 consists of a source line number and a range of bytecode. The table is sorted
179 by starting bytecode offset, lowest offset first. The bytecode offset of the
180 beginning of each instruction in the function must belong to exactly one of the
181 ranges of bytecode in the line number table.
187 Functions may be grouped into metadata for classes. Class metadata objects are
188 used to describe several PHP-level language features including traits,
189 interfaces, closures, and (of course) classes.
191 Class metadata includes information about the properties on the class, special
192 functions on the class such as constructors or internal property initialization
193 routines (86sinit, 86pinit), class constants, list of used traits, list of
194 extended classes, list of implemented interfaces, etc.
196 Classes also include a flag indicating their "hoistability". For now this isn't
197 documented much here. See class.h.
203 Closures are implemented in hhbc as subclassses of Closure, in conjunction with
204 the CreateCl opcode. It is legal hhbc to create other subclasses of Closure (to
205 represent user code that attempts to do the same), but attempting to
206 instantiate one will result in a fatal error. The documentation of the CreateCl
207 opcode below lists the requirements for a closure subclass to be usable with
214 The basic compilation strategy for continuations is to create bytecode functions
215 consisting of two parts.
217 The first part, executed when the continuation function is called, must consist
218 of a CreateCont opcode followed by a RetC, which are responsible for suspending
219 execution state into a new Continuation object (includes resume offset pointing
220 to the start of the second part of the function) and returning it back to
223 The second part is where the real user-level code of the generator should be
224 placed. ContEnter and ContRaise opcodes used in Continuation's next(), send()
225 and raise() methods resume execution and transfer control to the resume offset
226 stored in the Continuation object. The user-level code yields values using
227 ContSuspend and ContSuspendK opcodes and returns using ContRetC opcode.
233 Similarly to continuations, async functions are implemented as bytecode
234 functions consisting of two parts.
236 The first part represents "eager execution" of the async function, and the
237 second part is used when "suspended execution" is necessary (i.e. if it does
238 an await on something that is not yet available). Both parts are required to
239 'have the same effects', except the latter one works in a suspended mode.
241 The first part uses AsyncESuspend opcode to suspend execution state into a new
242 AsyncFunctionWaitHandle object. It includes the resume offset pointing to the
243 second part of the function. The second part suspends using ContSuspend opcode
244 and returns using ContRetC opcode.
246 The async function implementation is still changing and the implementation may
247 change significantly, so this spec is staying light on details for now.
253 Entry points come in four varieties: the main entry point, DV entry points,
254 fault entry points, and catch entry points.
256 Every function has exactly one main entry point. When a function is called, the
257 dispatcher will set the PC of the new frame to point to the main entry point if
258 either (1) the function does not have any optional parameters or (2) the caller
259 provides values for all of the optional parameters.
261 DV entry points are normally used to handle initializing optional parameters
262 that the caller did not provide. Generally the DV entries contain blocks that
263 initialize parameters, and then fall through directly into one another, with
264 the last block ending with a jump to the main entry point. This is not a
265 requirement, however. The dispatcher selects the appropriate DV entry point
266 based on the number of arguments passed into the function.
268 The main entry point and DV entry points are used by the dispatcher when
269 handling a function call. Each function's metadata provides an "entry point
270 table". Each row in the entry point table consists of a number of arguments and
271 the bytecode offset of the entry point that should be used by the dispatcher
272 (either the main entry point or a DV entry point).
274 Fault entry points are used by the unwinder to enter fault funclets as
275 appropriate to perform necessary cleanup when a region of code exits abnormally
276 through an exception. For a function with N fault funclets there are exactly N
277 fault entry points (one fault entry point per fault funclet). The bytecode
278 offset of a fault entry point must be inside its corresponding fault funclet.
280 Catch entry points are used by the unwinder to resume normal execution once a
281 matching "catch" block has been found and all the necessary cleanup has been
284 More details about the unwinder, fault funclets, fault entry points, catch
285 entry points can be found in the "Exception handler (EH) table" and "Processing
286 exceptions" sections.
292 Every compilation unit has a litstr table, a scalar array table, a function
293 table, and a class table.
295 The litstr table maps litstr ids to literal strings. Bytecodes that refer to
296 literal strings do so by litstr id. Litstr ids are signed 32-bit integer
297 values, which must be between 0 and 2^31 - 2 inclusive. In addition to the
298 per-unit litstr tables, a global table is built when generating an
299 "authoritative" repo (one in which all the PHP code is known at bytecode
300 generation time, and is guaranteed not to change). Global litstr ids can be
301 used in any unit, and are encoded in the range [2^30..2^31-2].
303 The scalar array table maps scalar array ids to a description of the contents
304 of a scalar array. An array is a scalar array if and only if each element of
305 the array is a null, boolean, integer, double, string, or a scalar array.
306 Furthermore, each element of a scalar array must be a cell. Finally, scalar
307 arrays may not recurse infinitely. Each scalar array id must be between 0 and
310 Each row in the function table contains a unique function id, a function name
311 specified by a litstr id, the bytecode offset for the corresponding function, a
312 flag that indicates if the function is unconditionally declared in the
313 outermost scope, and the function metadata. Note that there may be multiple
314 rows in the function table with same function name. However, there may not be
315 multiple rows that are marked as being unconditionally declared in the
316 outermost scope with the same function name. Each function id must be between 0
317 and 2^31 - 2 inclusive.
319 Each row in the class table contains a unique class id, a class name specified
320 by a litstr id, a flag that indicates if the class declaration is hoisted to
321 the prelude of pseudo-main, and the class metadata. Note that there may be
322 multiple rows in the class table with same class name. However, there may not
323 be multiple rows that are marked as being hoisted with the same class name.
324 Each class id must be between 0 and 2^31 - 2 inclusive.
327 Function parameter info (FPI) structures and the FPI stack
328 ----------------------------------------------------------
330 Every function has a function parameter info (FPI) structure associated with it
331 that can be retrieved at run time. The FPI structure contains the bytecode
332 address of the function, the number of parameters the function has, and a
333 parameter table that indicates whether each parameter is pass by value or pass
336 In addition to the evaluation stack, each frame also contains another stack
337 called the FPI stack. Each entry on the FPI stack consists of a reference to an
338 FPI structure and a bytecode address of entry point into the corresponding
339 function. The entry on the top of the FPI stack is called the "current FPI".
341 The FPush* instructions push a new entry onto the FPI stack, initializing the
342 entry with a reference to the FPI structure for a given function and the
343 bytecode address of the appropriate entry point. The FPass* instructions
344 prepare the parameters that will be passed into the callee. The FCall*
345 instructions look at the current FPI to get the bytecode address of the
346 function (the callee), transfers the parameters from the evaluation stack to
347 the callee, pops the current FPI off of the FPI stack, and then invokes the
348 dispatcher to call the function.
350 Calls to builtin functions may be optimized to avoid pushing an entry on the
351 FPI stack if it is known that the builtin function does not need access to the
352 call stack. In this case, the arguments to the builtin are pushed on stack as
353 Cells and Vars, and the builtin can be invoked with the FCallBuiltin
354 instruction. Unless otherwise noted, subsequent references to FCall*
355 instructions should be meant to refer to non-optimized FCall instructions, i.e.
356 all FCall instructions other than FCallBuiltin.
362 The caller may pass any number of parameters to the callee by executing FPass*
363 instructions zero or more times prior to executing an FCall* instruction. The
364 caller must pass the parameters in forward order, i.e. the first use of FPass*
365 passes the first parameter, the second use of FPass* passes the second
366 parameter, and so forth.
368 The FPush*/FPass*/FCall* instructions can be used to call a global function, a
369 method on an object, or a method from a class. The caller is responsible for
370 evaluating all of the parameters in forward order. When the caller executes an
371 FCall* instruction, the dispatcher creates a new frame and moves the parameters
372 prepared by the caller into the callee's variable environment. The dispatcher
373 then transfers control to the appropriate entry point of the callee (either the
374 main entry point or a DV entry point) based on the number of parameters passed.
376 When the callee executes the Ret* instruction, the dispatcher pushes the return
377 value onto the caller's evaluation stack. Then the dispatcher destroys the
378 callee's frame and transfers control back to the caller.
381 Exception handler (EH) table
382 ----------------------------
384 The metadata for each function provides an "exception handler (EH) table".
385 Each row in the EH table (called an "EH entry") consists of a kind ("fault" or
386 "catch"), a non-negative integer "region depth", a set of non-overlapping
387 ranges of bytecode that compose the "protected region", and an offset of a
388 fault funclet (if it's a "fault" EH entry) or a list of [class name, catch
389 entry point] pairs (if it's a "catch" EH entry).
391 Each range of bytecode is given by a starting offset and an ending offset,
392 where the starting offset is the bytecode offset of the first byte of the first
393 instruction in the range and the ending offset is the bytecode offset after the
394 last byte of the last instruction in the range.
396 Note that two or more EH entries may refer to the same fault funclet or the
397 same catch entry points. Regardless of whether multiple EH entries share the
398 same fault funclet or the same catch entry points, each EH entry in the EH
399 table will be considered to declare a distinct "protected region".
401 The EH entries in each EH table must honor the following rules:
403 1) If an EH entry covers one or more bytes of the primary function body, then
404 it may not cover any bytes in any fault funclets. If an EH entry covers one or
405 more bytes of a fault funclet, then it may not cover any bytes in the primary
406 function body or in other fault funclets.
408 2) If a catch EH entry covers one or more bytes of the primary function body,
409 then its catch entry points must point to instructions in the primary function
410 body. If a catch EH entry covers one or more bytes of a fault funclet F, then
411 its catch entry points must point to instructions in fault funclet F.
413 3) For each EH entry with a region depth of D and a protected region P, for all
414 other protected regions Q that overlap with P, one of the following must be
415 true: (i) Q has a region depth that is greater than D and P is a superset of
416 (or equal to) Q; or (ii) Q has a region depth that is less than D and P is a
417 subset of (or equal to) Q.
419 4) For each EH entry with a region depth of D and a protected region P, for
420 each integer I where 0 <= I < D there must be exactly one protected region Q in
421 the EH table where Q's region depth equals I and P overlaps with Q.
424 Processing exceptions
425 ---------------------
427 The unwinder maintains a stack of exception infos called the "exception stack".
428 An "exception info" is a record that contains an exception object, a reference
429 to a frame on the call stack, a program counter (PC), and a non-negative
430 integer "region depth". When a thread of execution first begins, the exception
431 stack is initially empty.
433 HHBC allows programs to throw exceptions via the Throw instruction. When a
434 Throw instruction executes, it pushes a new exception info to the top of the
435 exception stack that contains the thrown exception object, a reference to the
436 frame that threw the exception, the PC at the time the exception was thrown,
437 and a region depth of D where D equals the number of protected regions in the
438 current frame's EH table that cover PC. Then it transfers control to the
439 unwinder which starts processing the exception info at the top of the exception
440 stack by following the steps given at the end of this section starting with
441 step 1 until control is transferred elsewhere.
443 HHBC also provides an Unwind instruction to allow a fault funclet to return
444 control back to the unwinder when it has finished its work. When the Unwind
445 instruction executes, it transfers control to the unwinder and the unwinder
446 resumes processing the exception info at the top of the exception stack by
447 following the steps below starting at step 1 until control is transferred
450 Here are the steps that the unwinder follows to process the exception info at
451 the top of the stack (called the "current exception info"):
453 Step 1) Consult the EH table of the current exception info's function. Check if
454 there are any EH entries that cover the current exception info's PC and
455 have a region depth that is less than the current exception info's
456 region depth. If one or more matching EH entries are found, choose the
457 EH entry with the greatest region depth and continue on to step 2. If
458 no matching EH entries are found go to step 5.
460 Step 2) Let E be the EH entry found in step 1, and let D be the region depth of
461 E. Set the current exception info's region depth to D (overwriting the
462 previous value). Continue on to step 3.
464 Step 3) If E is a fault EH entry, transfer control to E's fault funclet's entry
465 point; eventually control will be transferred back to the unwinder,
466 either via the Unwind instruction or via another exception being thrown
467 with the Throw instruction. Otherwise continue on to step 4.
469 Step 4) E is a catch EH entry. Consult E's list of [class name, catch entry
470 point] pairs. Check if there are any pairs in the list where the
471 exception's type is compatible with the pair's class name. If one or
472 more matching pairs are found, choose the one that occurs first in E's
473 list and transfer control to that pair's catch entry point; the catch
474 entry point begins with a Catch instruction which will take care of
475 popping the current exception info off of the exception stack. If no
476 matching pair is found, go to step 1.
478 Step 5) Check if the current exception info's PC is in a fault funclet. If it's
479 not, continue to step 6. If it is, read the exception X from the
480 current exception info and then pop the current exception info off of
481 the exception stack. Then, read the new current exception info's
482 exception Y, update exception X so that it's "previous" property chains
483 to exception Y, and then update the new current exception info to point
484 to exception X instead of exception Y. Then go to step 1.
486 Step 6) The current exception info's PC is in the primary function body. Pop
487 the current frame off of the call stack and then check if the call
488 stack is empty. If the call stack is empty, read the current exception
489 info's exception X, clear the exception stack, and transfer control to
490 the unhandled exception facility passing along exception X. If the call
491 stack is not empty continue to step 7.
493 Step 7) Update the current exception info to refer to the new current frame at
494 the top of the call stack, and set the current exception info's PC to
495 point to the FCall* instruction which immediately precedes the PC of
496 the current frame. Next, set the current exception info's region depth
497 to D, where D equals the number of protected regions in the current
498 frame's EH table that cover the current exception info's PC. Then go to
505 As object properties are accessed during execution, the execution engine is
506 responsible for following certain rules to honor each property's accessibility
509 The accessibility and visibility of a property in a given class is determined
510 by that class's definition and the definitions of all of that class's
511 ancestors. When a property is declared in a class definition (a "declared
512 property") it may be specified as being "public", "protected", or "private".
513 Accessibility and visibility are two related but distinct concepts. Depending
514 on the current context, a property may be visible and accessible, visible but
515 inaccessible, or invisible and inaccessible.
517 If a property P is declared with the "public" qualifier in the definition of
518 class C, for instances of class C and descendent classes the property P will be
519 visible and accessible in all contexts. If C has an ancestor that declares a
520 public property with the same name as P, C is said to "redeclare" property P,
521 and the declaration of P in class C is considered to refer to the same property
522 as the declaration in the ancestor class.
524 If a property P is declared as "protected" in the definition of class C, for
525 instances of class C the property P will be visible in all contexts, but only
526 accessible in the context of class C, an ancestor class, or descendent class.
527 When class C is loaded at run time, a semantic check must be performed to
528 ensure that all ancestor classes of C do not declare a property as "public"
529 with the same name as P. If C has an ancestor that declares a public property
530 with the same name as P, the execution engine must throw a fatal error when
531 class C is loaded. If C has an ancestor that declares a protected property with
532 the same name as P, C is said to "redeclare" property P, and the declaration of
533 P in class C is considered to refer to the same property as the declaration in
534 the ancestor class. Note that there may exist a class D that is a descendent of
535 C and declares a property as "public" with the same name as P. In such cases
536 the new "public" declaration in D is considered to refer to the same property
537 as the original "protected" declaration in C, and the "protected" qualifier
538 from the original declaration is effectively overridden by the "public"
539 qualifier from the new declaration. Class D is said to "redeclare" property P
540 with the "public" qualifier. Thus, for instances of class D and descendent
541 classes of D, property P will be visible and accessible in all contexts.
542 Finally, if a class E that is descendent of C does not redeclare P as public
543 and does not have an ancestor class that redeclares P as public, for instances
544 of class E the property P will be visible in all contexts, but only accessible
545 in the context of class E, an ancestor class of E, or a descendent class of E.
547 If a property P is declared with the "private" qualifier in the definition of
548 class C, for instances of class C the property P will be visible in all
549 contexts, but only accessible in the context of class C. For instances of
550 descendent classes of C, the property P will be visible and accessible in the
551 context of the class C, and in all other contexts property P will be invisible
552 and inaccessible. When class C is loaded at run time, a semantic check must be
553 performed to ensure that all ancestor classes of C do not declare a property as
554 "public" or "protected" with the same as P. If C has an ancestor that declares
555 a public or protected property with the same name as P, the execution engine
556 must throw a fatal error when class C is loaded. Note that descendent classes
557 of C may declare another property with the same name as P. The declaration of
558 property P as "private" in class C is considered to define a separate property
559 that is distinct from all other properties of the same name declared in
560 ancestor classes and descendent classes of C.
562 An instruction that accesses a property specifies the property by a name N via
563 a litstr id, a local variable id, or a cell consumed from the evaluation stack.
564 As noted above, it is possible for a class to have multiple distinct properties
565 named N. In cases where there are multiple distinct properties named N, the
566 visibility rules are used to determine which property is retrieved. If there is
567 a visible private property P named N, then property P is retrieved. Otherwise,
568 if there is a visible non-private property Q named N, then property Q is
569 retrieved. If there is no visible property named N, the behavior is determined
570 by the specific instruction. The semantic checks and the visibility rules
571 ensure that for any context there cannot be more than one visible private
572 property, and there cannot be more than one visible non-private property.
574 Some instructions can create a new property at run time with a name that is
575 different than the names of all declared properties that are visible in the
576 current context. Such properties are called "non-declared properties" or
577 "dynamic properties". Dynamic properties are considered to be visible and
578 accessible in all contexts.
580 If a declared property is unset, and then re-accessed/re-created, then it is
581 treated the same way as an invisible property with the same attributes as the
582 original declared property. Specifically, if the property gets created again,
583 it must have the same access attributes as the original declared property.
586 Magic property access methods
587 -----------------------------
589 Instructions that access properties may in some cases invoke a magic property
590 access method (__get, __set, __isset, or __unset) if an object implements the
591 method and the method is considered eligible for invocation. A magic property
592 access method is considered "eligible" for a given object if there is not a
593 frame on the call stack that corresponds to an invocation of the same method on
597 Static property access
598 ----------------------
600 As a class's static properties are accessed during execution, the execution
601 engine is responsible for following certain rules to honor each static
602 property's accessibility and visibility.
604 The accessibility and visibility of a static property in a given class is
605 determined by that class's definition and the definitions of all of that
606 class's ancestors. When a static property is declared in a class definition it
607 may be specified as being "public", "protected", or "private". Depending on the
608 current context, a static property may be visible and accessible, visible but
609 inaccessible, or invisible and inaccessible.
611 Conceptually, each class has a "static store" associated with it at run time
612 that provides storage for the static properties declared in the class's
613 definition. Static properties are accessed at run time by name through the
614 scope of a class. When an instruction accesses a static property through the
615 scope of class C, it will search the static store of C and then the static
616 stores of C's ancestors (starting with C's base class and moving up the
617 inheritance chain) for the first static property with the given name that is
618 visible in the current context.
620 If a static property S is declared with the "public" qualifier in the
621 definition of class C, the static property S when accessed through the scope of
622 class C or a descendent of C will be visible and accessible in all contexts.
623 Note that descendent classes of C may declare another static property with the
624 same name as S. The declaration in class C is considered to define a separate
625 static property that is distinct from all other static properties declared in
626 descendent classes of C.
628 If a static property S is declared with the "protected" qualifier in the
629 definition of class C, the static property S when accessed through the scope of
630 class C or a descendent of C will be visible in all contexts, but only
631 accessible in the context of class C, an ancestor class of C, or descendent
632 class of C. When class C is loaded at run time, a semantic check must be
633 performed to ensure that all ancestor classes of C do not declare a static
634 property as "public" with the same name as S. If C has an ancestor that
635 declares a public static property with the same name as S, the execution engine
636 must throw a fatal error when class C is loaded. Note that descendent classes
637 of C may declare another static property with the same name as S. The
638 declaration in class C is considered to define a separate static property that
639 is distinct from all other static properties declared in descendent classes of
642 If a static property S is declared with the "private" qualifier in the
643 definition of class C, the static property S when accessed through the scope of
644 class C will be visible in all contexts, but only accessible in the context of
645 class C. The static property S when accessed through the scope of a descendent
646 of C will only be visible and accessible in the context of class C. When class
647 C is loaded at run time, a semantic check must be performed to ensure that all
648 ancestor classes of C do not declare a static property as "public" or
649 "protected" with the same name as S. If C has an ancestor that declares a
650 public or protected static property with the same name as S, the execution
651 engine must throw a fatal error when class C is loaded. Note that descendent
652 classes of C may declare another static property with the same name as S. The
653 declaration in class C is considered to define a separate static property that
654 is distinct from all other static properties declared in descendent classes of
657 Note that instructions cannot create new static properties in a class that were
658 not declared in the class definition.
664 An FPI region is a contiguous range of bytecode that constitutes a call site.
665 Each FPI region begins immediately after an FPush* instruction that pushes an
666 FPI structure onto the FPI stack and must end with the corresponding FCall*
667 instruction that pops that FPI structure off of the FPI stack. If two FPI
668 regions overlap, one of the FPI regions must be completely enclosed by the
669 other FPI region. An FPI region may not contain backward jumps, nor may it
670 contain forward jumps that jump past the end of the FPI region.
672 Each function has an "FPI region table". Each row in the FPI region table
673 consists of the starting offset of the FPI region (the bytecode offset
674 immediately following the FPush* instruction), the ending offset of the FPI
675 region (the bytecode offset of the FCall* instruction), and the number of
676 parameters being passed.
682 Any given value on the stack must either be a cell, ref, or classref at run
683 time. However, at bytecode generation time the specific flavor of a value on
684 the stack is not always known. HipHop bytecode uses symbols called "flavor
685 descriptors" to precisely describe what is known at bytecode generation about
686 the state of the evaluation stack at each instruction boundary.
688 Each instruction description specifies the flavor descriptor produced for each
689 of its outputs. Each description also specifies the flavor descriptor consumed
690 for each of the instruction's inputs.
692 Here is a description of each flavor descriptor:
694 C - cell; specifies that the value must be a cell at run time
695 V - ref; specifies that the value must be a ref at run time
696 A - classref; specifies that the value must be a classref at run time
697 R - return value; specifies that the value may be a cell or a ref at run
698 time; this flavor descriptor is used for return values from function
700 F - function argument; specifies that the value may be a cell or a ref at run
701 time; this flavor descriptor is used for parameter values that are about
702 to be passed into a function
703 U - uninit; specifies that the value must be an uninitialized null at run
704 time; this is only used for FCallBuiltin
710 Because instructions specify constraints on the flavor descriptor of each
711 input, it is important to be able to determine if a given HHBC program
712 satisfies these constraints. A program that satisfies the constraints on the
713 inputs to each instruction is said to be "flavor-safe".
715 HHBC provides a set of verification rules that can be mechanically applied to
716 verify that an HHBC program is flavor-safe. All valid HHBC programs must be
717 verifiably flavor-safe, and the execution engine may refuse to execute HHBC
718 programs that cannot be verified.
720 At bytecode generation time, what is known about the state of the evaluation
721 stack at a given instruction boundary can be precisely described using flavor
724 In addition to being flavor-safe, there are other invariants that valid HHBC
725 programs must uphold with respect to metadata and how certain instructions are
728 Below is the complete list of verifiability rules. If the bytecode to be
729 executed does not come from a trusted source, it is the responsibility of the
730 bytecode execution engine to verify that these invariants hold.
732 1) The depth of the evaluation stack at any given point in the bytecode must be
733 the same for all possible control flow paths. The flavor descriptor of any
734 given slot on the evaluation stack at any given point in the bytecode must be
735 the same for all possible control flow paths.
737 2) No instruction may consume more values from the evaluation stack than are
738 available at that given point in the bytecode. Likewise, the flavor descriptor
739 of each slot on the evaluation stack must be compatible with the instruction's
740 inputs' flavor descriptors.
742 3) The evaluation stack must be empty at any offset listed as a catch entry
745 4) If a given instruction is not the target of a forward branch and it follows
746 a Jmp, Switch, SSwitch, RetC, RetV, Unwind, Fatal, Throw, NativeImpl, or
747 ContHandle instruction, the evaluation stack before executing the given
748 instruction must be empty.
750 5) Before executing the RetC instruction, the evaluation stack must contain
751 exactly one value and the flavor descriptor of the value must be cell.
752 Likewise, before executing the RetV instruction, the evaluation stack must
753 contain exactly one value and the flavor descriptor of the value must be the
754 ref. Finally, before executing the Unwind instruction, the evaluation stack
757 6) The code for the primary function body and fault funclets must be laid out
758 in order in one contiguous block, starting with the primary function body and
759 optionally followed by one or more fault funclets. The code for primary
760 function body may not jump into the code for the funclets. Similarly, the code
761 for a funclet may not jump into the code for the primary function body or
764 7) Any bytecode instruction inside the primary function body or a fault funclet
765 that is immediately followed by an instruction not inside the same primary
766 function body or fault funclet must be one of the following instructions: Jmp,
767 Switch, SSwitch, RetC, RetV, Unwind, Fatal, Throw, NativeImpl, or ContHandle.
769 8) The primary function body may not contain the Unwind instruction, and fault
770 funclets may not contain the Ret* instructions. Also, each catch entry point
771 must point to a Catch instruction.
773 9) Each FPI region enumerated in the FPI region table must start immediately
774 after an FPush* instruction and it must end with an FCall* instruction. Each
775 use of the FPush* instruction must be the instruction immediately before
776 exactly one FPI region. Likewise, each use of the FCall* instruction must be
777 the last instruction in exactly one FPI region. Finally, FPass* instructions
778 may not be used outside an FPI region.
780 10) Each FPI region may not contain backward jumps, nor may it contain forward
781 jumps that jump outside the end of the FPI region. Also, there may not be jumps
782 anywhere in the function that transfer control from the outside of a given FPI
783 region to the inside of that region. An FPI region may not contain the Ret*,
784 Unwind, Throw, or Fatal instructions. Finally, an entry point may not point to
785 an instruction inside an FPI region.
787 11) The depth of the FPI stack at any given point in the bytecode must be the
788 same for all possible control flow paths. Also, for any given FPI region that
789 passes n parameters, all possible control flow paths from the beginning of the
790 region to the end must pass through exactly n FPass* instructions associated
791 with the region which pass the parameters in forward order.
793 12) Given an evaluation stack of depth n after an FPush* instruction, the
794 evaluation stack before the corresponding FCall* instruction must also have a
795 depth of n. Likewise, the evaluation stack after corresponding FPass*
796 instructions must have a depth of n as well. Finally, no instruction between an
797 FPush* and its corresponding FCall* may consume any of the values from the
798 evaluation stack that were pushed onto the stack before the FPush* instruction.
800 13) The initialization state of each iterator variable must be known at every
801 point in the code and must be the same for all control paths. There are four
802 possible states: (1) uninitialized, (2) "iter-initialized" (initialized via
803 IterInit*), (3) "miter-initialized" (initialized via MIterInit*), and (4)
804 "cuf-initialized" (initialized via DecodeCufIter). Every range of bytecode for
805 which an iterator variable i is initialized must be protected by a fault
806 funclet that unsets i by calling IterFree, MIterFree, or CIterFree.
808 14) The iterator variable referenced by IterInit* or MIterInit* or
809 DecodeCufIter must be in the uninitialized state when the instruction executes.
810 An iterator variable referenced by IterNext* and IterFree must be in the
811 "iter-initialized" state, an iterator variable referenced by MIterNext* or
812 MIterFree must be in the "miter-initialized" state, and an iterator variable
813 referenced by FPushCufIter or CIterFree must be in the citer-initialized state.
814 Note that IterInit* and MIterInit* conditionally initialize the iterator
815 variable, and IterNext* and MIterNext* conditionally free the iterator
818 15) Each EH table must follow all of the rules specified in the "Exception
819 handler (EH) table" section.
825 Each instruction description below consists of a mnemonic, followed by 0 or
826 more immediate operands, followed by a stack transition description of the form
827 "[xn,...,x2,x1] -> [ym,...,y2,y1]", where "[xn,...,x2,x1]" is a list of flavor
828 descriptors describing what the instruction consumes from the evaluation stack
829 and "[ym,...,y2,y1]" is the list of flavor descriptors describing what the
830 instruction pushes onto the stack. x1 and y1 represent the topmost stack
831 elements before and after execution, respectively.
833 Each element of a stack transition may also contain an optional type
834 annotation. Here is the list of the type annotations used in instruction
837 Null - denotes the null type
838 Bool - denotes the boolean type
839 Int - denotes the integer type
840 Dbl - denotes the double-precision floating-point type
841 Str - denotes the string type
842 Arr - denotes the array type
843 Obj - denotes the object type
845 Multiple type annotations may be combined together using the "|" symbol. For
846 example, the type annotation "Int|Dbl" means that a value is either integer or
849 Some instructions may contain multiple stack transition descriptions to express
850 the relationship between the types of the values consumed from the stack and
851 types of the values pushed onto the stack. Also, in some stack transition
852 descriptions, "<T>" is used as shorthand to represent any one specific type.
853 For example, a transition such as "[C:<T>] -> [C:<T>]" indicates that the type
854 of value that the instruction pushes onto the stack will match the type of
855 value that it consumed from the stack. Likewise, "<F>" is used as shorthand to
856 represent any one specific flavor descriptor.
858 $1 is used to refer to the value at the top of the evaluation stack, $2 is used
859 to refer to the value directly below $1 on the evaluation stack, $3 is used to
860 refer to the value directly below $2, and so forth. Also, %1 is used to refer
861 to the first immediate argument, and %2 is used to refer to the second
864 Note that the relative offset immediate used by a Jmp*, Iter*, MIter*, Switch,
865 SSwitch, CreateCont or AsyncESuspend instruction is relative the beginning
868 There are numerous instructions that operate on different kinds of locations.
869 Locations are specified using "location descriptors". The complete list of
870 location descriptors is given below:
872 L - local id; location is the local variable whose id is given by an
874 N - local name; location is the local variable whose name is given by the
876 G - global name; location is the global variable whose name is given by the
878 S - static property; location is the static property whose class is given by
879 a classref and whose name is given by value of a cell.
880 C - cell; location is a temporary value given by a cell.
881 R - return value; location is a temporary value given by a cell or a ref
882 H - $this; location is the $this pointer in the current frame. Must only be
883 used in a frame that is known to have a non-null $this pointer; CheckThis
884 is most commonly used to ensure this.
886 There are several groups of similarly named instructions where the name of each
887 instruction ends with a different location descriptor (for example, Set*). Each
888 instruction in the group perform similar actions but take different kinds of
889 inputs to specify the location to access.
891 The Member instructions provide functionality to operate on elements and
892 properties. These instructions incorporate an immediate argument vector which
893 specifies a location descriptor (defined above) followed by one or more member
896 EC - consume a cell from the evaluation stack as an element
897 EL:<id> - consume a local given by an immediate id as an element
898 ET:<id> - consume a litstr given by an immediate id as an element
899 EI:<int> - consume a immediate integer as an element
900 PC - consume a cell from the evaluation stack as a property
901 PL:<id> - consume a local given by an immediate id as a property
902 PT:<id> - consume a litstr given by an immediate id as a property
903 W - synthesize a new element (no corresponding local variable or
904 evaluation stack slot)
906 For example, the following correspondence exists (ignoring setup bytecode):
908 Source code: $a[3][$b][]['hi'] = 42;
909 Bytecode: SetM <L:0 EI:3 EL:1 W ET:hi>
912 Instructions that have an immediate argument vector have different stack
913 transition descriptions depending on the kind of location descriptor and member
914 descriptors contained in the immediate argument vector. Member instructions
915 denote the immediate argument vector using the notation "<loc-desc/M-vector>"
916 and "C..C" is used to indicate that the member instructions consume a variable
917 number of cells from the stack. In most cases the immediate vector arguments
918 are ordered such that the loc-desc comes first (deepest in the stack), with the
919 last M-vector element last (shallowest in the stack). However, classrefs that
920 are part of the BaseSC and BaseSL loc-desc inputs always come last (the cell
921 input to BaseSC comes first though). Instructions accepting an immediate vector
922 containing a list of iterators and iterator types use the notation
925 In addition to describing each instruction, this instruction set documentation
926 also describes several operations that encapsulate fundamental, but non-trivial
927 processes that are shared by the Member instructions.
929 The instruction set is organized into the following sections:
930 1. Basic instructions
931 2. Literal and constant instructions
932 3. Operator instructions
933 4. Control flow instructions
935 6. Isset, Empty and type querying instructions
936 7. Mutator instructions
939 10. Member instructions
940 11. Iterator instructions
941 12. Include, eval, and define instructions
942 13. Miscellaneous instructions
943 14. Continuation creation and execution
946 1. Basic instructions
947 ---------------------
951 No operation. This instruction does nothing.
958 Pop. Discards the value on the top of the stack.
960 Dup [C:<T>] -> [C:<T> C:<T>]
962 Duplicate. Duplicates the cell $1 and pushes it onto the stack.
964 Box [C:<T>] -> [V:<T>]
966 Box. Creates a new ref, sets the new ref to point at a copy of cell $1, and
967 pushes the ref onto the stack.
969 Unbox [V:<T>] -> [C:<T>]
971 Unbox. Creates a copy of the cell that ref $1 points to, and pushes the cell
974 BoxR [R:<T>] -> [V:<T>]
976 Box. If $1 is a ref at run time, this instruction does nothing.
978 If $1 is a cell at run time, this instruction creates a new ref, sets the new
979 ref to point at a copy of cell $1, and pushes the ref onto the stack.
981 BoxRNop [R:<T>] -> [C:<T>]
983 Box, no op. $1 must be statically known to be boxed.
985 UnboxR [R:<T>] -> [C:<T>]
987 Unbox. If $1 is a cell at run time, this instruction does nothing.
989 If $1 is a ref at run time, this instruction creates a copy of the cell that
990 ref $1 points to, and pushes the cell onto the stack.
992 UnboxRNop [R:<T>] -> [C:<T>]
994 UnboxR, no op. $1 must be statically known to be unboxed. This instruction
995 pushes $1 on the stack as a cell.
997 2. Literal and constant instructions
998 ------------------------------------
1002 False [] -> [C:Bool]
1004 Push constant. Null pushes null onto the stack, True pushes true onto the
1005 stack, and False pushes false onto the stack.
1007 NullUninit [] -> [U]
1009 Push an uninitialized null on the stack.
1011 Int <signed 64-bit integer value> [] -> [C:Int]
1012 Double <double value> [] -> [C:Dbl]
1013 String <litstr id> [] -> [C:Str]
1014 Array <scalar array id> [] -> [C:Arr]
1016 Push immediate. Pushes %1 onto the stack.
1018 NewArray <capacity hint> [] -> [C:Arr]
1020 New array, with a capacity hint. Creates a new array and pushes it onto the
1021 stack. The implementation may make use of the hint in %1 to pre-size the
1022 array. The hint %1 must be greater than or equal to 0.
1024 NewPackedArray <num elems> [C..C] -> [C]
1026 New array. Creates a new array from the top %1 cells on the stack, pops those
1027 cells, then pushes the new array onto the stack. Elements are pushed on the
1028 stack in array insertion order and are implicitly numbered from 0 to %1 - 1.
1029 $1 is at index %i - 1, $2 at %1-2, and so on; $(%1) is at index 0.
1031 NewStructArray <litstr id vector> [C..C] -> [C]
1033 New array. Creates a new array from the names given in %1 and values from the
1034 stack. The vector of litstr ids gives the element names, one value for each
1035 name is popped from the stack. Names are in array insertion order, and values
1036 were pushed onto the stack in insertion order, so are added to the array in
1037 reverse order (the topmost value will become the last element in the array).
1040 NewStructArray < "a" "b" > [ 1 2 ] -> [ array("a"=>1, "b"=>2) ]
1042 AddElemC [C C C] -> [C:Arr]
1044 Add element. If $3 is an array, this instruction executes $3[$2] = $1 and
1045 then pushes $3 onto the stack.
1047 If $3 is not an array, this instruction throws a fatal error.
1049 AddElemV [C C V] -> [C:Arr]
1051 Add element. If $3 is an array, this instruction executes $3[$2] = &$1 and
1052 then pushes $3 onto the stack.
1054 If $3 is not an array, this instruction throws a fatal error.
1056 AddNewElemC [C C] -> [C:Arr]
1058 Add new element. If $2 is an array, this instruction executes $2[] = $1 and
1059 then pushes $2 onto the stack.
1061 If $2 is not an array, this instruction throws a fatal error.
1063 AddNewElemV [C V] -> [C:Arr]
1065 Add new element. If $2 is an array, this instruction executes $2[] = &$1 and
1066 then pushes $2 onto the stack.
1068 If $2 is not an array, this instruction throws a fatal error.
1070 NewCol <coll type> <num elems> [] -> [C:Obj]
1072 New collection. Creates a new collection of type %1 with an initial capacity
1073 sufficient to hold the number of elements specified by %2, and pushes the
1074 collection onto the stack.
1076 ColAddElemC [C C C] -> [C:Obj]
1078 Collection add key/value pair. If $3 is a collection object, this instruction
1079 executes $3[$2] = $1 and then pushes $3 onto the stack.
1081 If $3 is not a collection object, this instruction throws a fatal error.
1083 ColAddNewElemC [C C] -> [C:Obj]
1085 Collection add value. If $2 is a collection object, this instruction executes
1086 $2[] = $1 and then pushes $2 onto the stack.
1088 If $2 is not a collection object, this instruction throws a fatal error.
1090 Cns <litstr id> [] -> [C:Null|Bool|Int|Dbl|Str]
1092 Get constant. Pushes the value of the global constant named %1 onto the stack
1093 as a cell. If there is no constant named %1, this instruction raises a notice
1094 and pushes the string %1 onto the stack as a cell.
1096 CnsE <litstr id> [] -> [C:Null|Bool|Int|Dbl|Str]
1098 Get constant. Pushes the value of the global constant named %1 onto the stack
1099 as a cell. If there is no constant named %1, throws a fatal error.
1101 CnsU <litstr id> <litstr fallback> [] -> [C:Null|Bool|Int|Dbl|Str]
1103 Get constant. Identical to Cns except returns constant named %2 if the
1104 constant named %1 is undefined.
1106 ClsCns <litstr id> [A] -> [C:Null|Bool|Int|Dbl|Static Str]
1108 Get class constant. This instruction pushes the value of the class constant
1109 named %1 from class $1 onto the stack. If there is no class constant named %1
1110 in class $1, this instruction throws a fatal error.
1112 ClsCnsD <litstr id> <litstr id> [] -> [C:Null|Bool|Int|Dbl|Static Str]
1114 Get class constant (direct). This instruction first checks if %2 matches the
1115 name of a defined class. If %2 does not match the name of a defined class,
1116 this instruction will invoke the autoload facility passing in the class name
1117 %2, and then it will again check if %2 matches the name of a defined class.
1118 If %2 still does not match the name of a defined class this instruction
1119 throws a fatal error.
1121 Next, this instruction pushes the value of the class constant named %1 from
1122 class %2 onto the stack. If there is no class constant named %1 in class %2,
1123 this instruction throws a fatal error.
1125 File [] -> [C:Static Str]
1126 Dir [] -> [C:Static Str]
1128 Push string. File pushes __FILE__ onto the stack, and Dir pushes __DIR__ onto
1131 NameA [A] -> [C:Static Str]
1133 Push the name of the class in $1 as a string.
1136 3. Operator instructions
1137 ------------------------
1139 Concat [C C] -> [C:Str]
1141 Concatenation (.). Pushes ((string)$2 . (string)$1) on the stack.
1143 Abs [C] -> [C:Int|Dbl|Bool]
1145 Absolute value. Computes the absolute value of $1 and pushes the result onto
1148 Add [C:Arr C:Arr] -> [C:Arr]
1149 [C:<T2> C:<T1>] -> [C:Dbl] (where T1 == Dbl || T2 == Dbl)
1150 [C:<T2> C:<T1>] -> [C:Int] (where T1 != Dbl && T2 != Dbl &&
1151 (T1 != Arr || T2 != Arr))
1153 Addition (+). Performs addition (or plus-merge if $1 and $2 are both arrays).
1154 Pushes ($2 + $1) onto the stack. This instruction throws a fatal error if
1155 is_array($1) xor is_array($2) is true.
1157 Sub [C:<T2> C:<T1>] -> [C:Dbl] (where T1 == Dbl || T2 == Dbl)
1158 [C:<T2> C:<T1>] -> [C:Int] (where T1 != Dbl && T2 != Dbl)
1160 Subtraction (-). Pushes ($2 - $1) onto the stack. This instruction throws a
1161 fatal error if is_array($1) || is_array($2) is true.
1163 Mul [C:<T2> C:<T1>] -> [C:Dbl] (where T1 == Dbl || T2 == Dbl)
1164 [C:<T2> C:<T1>] -> [C:Int] (where T1 != Dbl && T2 != Dbl)
1166 Multiplication (*). Pushes ($2 * $1) onto the stack. This instruction throws
1167 a fatal error if is_array($1) || is_array($2) is true.
1169 AddO [C:Arr C:Arr] -> [C:Arr]
1170 [C:<T2> C:<T1>] -> [C:Dbl] (where T1 == Dbl || T2 == Dbl)
1171 [C:<T2> C:<T1>] -> [C:Int|dbl] (where T1 != Dbl && T2 != Dbl &&
1172 (T1 != Arr || T2 != Arr))
1174 Same behavior as Add, except for when both inputs have type Int and the
1175 result would not fit in a 64-bit integer. Then this instruction will push
1176 (double)$1 + (double)$2.
1178 SubO [C:<T2> C:<T1>] -> [C:Dbl] (where T1 == Dbl || T2 == Dbl)
1179 [C:<T2> C:<T1>] -> [C:Int|Dbl] (where T1 != Dbl && T2 != Dbl)
1181 Same behavior as Sub, except for when both inputs have type Int and the
1182 result would not fit in a 64-bit integer. Then this instruction will push
1183 (double)$1 - (double)$2.
1185 MulO [C:<T2> C:<T1>] -> [C:Dbl] (where T1 == Dbl || T2 == Dbl)
1186 [C:<T2> C:<T1>] -> [C:Int|Dbl] (where T1 != Dbl && T2 != Dbl)
1188 Same behavior as Mul, except for when both inputs have type Int and the
1189 result would not fit in a 64-bit integer. Then this instruction will push
1190 (double)$1 * (double)$2.
1192 Div [C C] -> [C:Bool|Int|Dbl]
1193 [C:Dbl C:Int] -> [C:Bool|Dbl]
1194 [C:Int C:Dbl] -> [C:Bool|Dbl]
1195 [C:Dbl C:Dbl] -> [C:Bool|Dbl]
1197 Division (/). Pushes ($2 / $1) onto the stack. This instruction throws a
1198 fatal error if is_array($1) || is_array($2) is true.
1200 Mod [C C] -> [C:Bool|Int]
1202 Modulus (%). Pushes ((int)$2 % (int)$1) onto the stack. This instruction
1203 never throws a fatal error.
1205 Sqrt [C] -> [C:Null|Dbl]
1207 Square root. Computes the square root of $1 and pushes the result onto the
1208 stack. If $1 is not null, a bool, an int, a double, or a numeric string, it
1209 raises a warning and pushes null onto the stack.
1211 If $1 is a negative number, this instruction pushes a floating-point value
1212 representing NAN onto the stack.
1214 Strlen [C] -> [C:Null|Int]
1216 String length. If $1 is a string push the length of the string on the stack.
1217 If $1 is an object with a __toString method, call this method and push the
1218 length of the resulting string on the stack. If $1 is an array or resource,
1219 raise a warning and push null on the stack. Otherwise convert $1 to a string
1220 and push the length of that string on the stack.
1222 Xor [C C] -> [C:Bool]
1224 Logical xor (xor). Pushes ((bool)$2 xor (bool)$1) onto the stack.
1228 Logical not (!). Pushes (!(bool)$1) onto the stack.
1230 Same [C C] -> [C:Bool]
1232 Same (===). Pushes ($2 === $1) onto the stack.
1234 NSame [C C] -> [C:Bool]
1236 Not same (!==). Pushes ($2 !== $1) onto the stack.
1238 Eq [C C] -> [C:Bool]
1240 Equals (==). Pushes ($2 == $1) onto the stack.
1242 Neq [C C] -> [C:Bool]
1244 Not equal (!=). Pushes ($2 != $1) onto the stack.
1246 Lt [C C] -> [C:Bool]
1248 Less than (<). Pushes ($2 < $1) onto the stack.
1250 Lte [C C] -> [C:Bool]
1252 Less than or equal to (<=). Pushes ($2 <= $1) onto the stack.
1254 Gt [C C] -> [C:Bool]
1256 Greater than (>). Pushes ($2 > $1) onto the stack.
1258 Gte [C C] -> [C:Bool]
1260 Greater than or equal to (>=). Pushes ($2 >= $1) onto the stack.
1262 BitAnd [C:<T2> C:<T1>] -> [C:Int] (where T1 != Str || T2 != Str)
1263 [C:Str C:Str] -> [C:Str]
1265 Bitwise and (&). Pushes ($2 & $1) onto the stack. If either $1 or $2 is an
1266 object, this instruction throws a fatal error.
1268 BitOr [C:<T2> C:<T1>] -> [C:Int] (where T1 != Str || T2 != Str)
1269 [C:Str C:Str] -> [C:Str]
1271 Bitwise or (|). Pushes ($2 | $1) onto the stack. If either $1 or $2 is an
1272 object, this instruction throws a fatal error.
1274 BitXor [C:<T2> C:<T1>] -> [C:Int] (where T1 != Str || T2 != Str)
1275 [C:Str C:Str] -> [C:Str]
1277 Bitwise xor (^). Pushes ($2 ^ $1) onto the stack. If either $1 or $2 is an
1278 object, this instruction throws a fatal error.
1280 BitNot [C:<T>] -> [C:Int] (where T != Str)
1283 Bitwise not (~). Pushes (~$1) onto the stack. If $1 is null, a boolean, an
1284 array, or an object, this instruction throws a fatal error.
1286 Shl [C C] -> [C:Int]
1288 Shift left (<<). Pushes ((int)$2 << (int)$1) onto the stack. This instruction
1289 never throws a fatal error.
1291 Shr [C C] -> [C:Int]
1293 Shift right (>>). Pushes ((int)$2 >> (int)$1) onto the stack. This
1294 instruction never throws a fatal error.
1296 Floor [C] -> [C:Dbl]
1298 Round $1 to nearest integer value not greater than $1. Converts $1 to numeric
1299 as appropriate and then takes floor of resulting numeric value.
1303 Round $1 to nearest integer value not less than $1. Converts $1 to numeric as
1304 appropriate and then takes ceil of resulting numeric value.
1306 CastBool [C] -> [C:Bool]
1308 Cast to boolean ((bool),(boolean)). Pushes (bool)$1 onto the stack.
1310 CastInt [C] -> [C:Int]
1312 Cast to integer ((int),(integer)). Pushes (int)$1 onto the stack.
1314 CastDouble [C] -> [C:Dbl]
1316 Cast to double ((float),(double),(real)). Pushes (double)$1 onto the stack.
1318 CastString [C] -> [C:Str]
1320 Cast to string ((string),(binary)). Pushes (string)$1 onto the stack. If $1
1321 is an object that implements the __toString method, the string cast returns
1322 $1->__toString(). If $1 is an object that does not implement __toString
1323 method, the string cast throws a fatal error.
1325 CastArray [C] -> [C:Arr]
1327 Cast to array ((array)). Pushes (array)$1 onto the stack.
1329 CastObject [C] -> [C:Obj]
1331 Cast to object ((object)). Pushes (object)$1 onto the stack.
1333 InstanceOf [C C] -> [C:Bool]
1335 Instance of (instanceof). If $1 is a string and it matches the name of a
1336 defined class and $2 is an object that is an instance of $1, this instruction
1337 pushes true onto the stack. If $1 is an object and get_class($1) matches the
1338 name of a defined class and $2 is an object that is an instance of
1339 get_class($1), this instruction pushes true onto the stack. If $1 is not a
1340 string or an object, this instruction throws a fatal error.
1342 InstanceOfD <litstr id> [C] -> [C:Bool]
1344 Instance of direct (instanceof). If %1 matches the name of a defined class
1345 and $1 is an instance of the %1, this instruction pushes true onto the stack,
1346 otherwise it pushes false onto the stack.
1348 Print [C] -> [C:Int]
1350 Print (print). Outputs (string)$1 to STDOUT and pushes the integer value 1
1353 Clone [C] -> [C:Obj]
1355 Clone (clone). Clones $1 and pushes it onto the stack. If $1 is not an
1356 object, this instruction throws a fatal error.
1358 Exit [C] -> [C:Null]
1360 Exit (exit). Terminates execution of the program.
1362 If $1 is an integer, this instruction will set the exit status to $1, push
1363 null onto the stack, and then it will terminate execution.
1365 If $1 is not an integer, this instruction will output (string)$1 to STDOUT,
1366 set the exit status to 0, push null onto the stack, and then it will
1367 terminate execution.
1369 Fatal <fatal subop> [C] -> []
1371 Fatal. This instruction throws a fatal error using $1 as the error message.
1372 If $1 is not a string, this instruction throws a fatal error with an error
1373 message that indicates that the error message was not a string. Setting %1 to
1374 0 will throw a runtime fatal error with a full backtrace. Setting %1 to 1
1375 will throw a parse fatal error with a full backtrace. Setting %1 to 2 will
1376 throw a runtime fatal error with the backtrace omitting the top frame.
1379 4. Control flow instructions
1380 ----------------------------
1382 Jmp <rel offset> [] -> []
1384 Jump. Transfers control to the location specified by %1.
1386 JmpNS <rel offset> [] -> []
1388 Jump, with no surprise flag checks. This behaves identically to the Jmp
1389 instruction, except that internal VM checks for things like OOM do not need
1390 to be performed even if the offset is negative.
1392 JmpZ <rel offset> [C] -> []
1394 Jump if zero. Conditionally transfers control to the location specified by %1
1395 if (bool)$1 == (bool)0.
1397 JmpNZ <rel offset> [C] -> []
1399 Jump if not zero. Conditionally transfers control to the location specified
1400 by %1 if (bool)$1 != (bool)0.
1402 Switch <offset vector> <base> <bounded> [C] -> []
1404 Switch over integer case values. If bounded == 0, the implementation will
1405 assume that $1 is an integer in the range [0, length(vector)) and
1406 unconditionally transfer control to the location specified by vector[$1].
1407 Undefined behavior will result if $1 is not an integer inside this range. If
1408 bounded != 0, the following rules take over:
1410 For a bounded Switch, the last two elements of the offset vector are special:
1411 they represent the first non-zero case and the default case, respectively.
1412 base + length(vector) - 2 must not be greater than 2^63-1. If $1 === true,
1413 control will be transferred to the location specified by
1414 vector[length(vector) - 2]. If $1 is equal (as defined by Eq) to any integer
1415 $n in the range [base, base + length(vector) - 2), control will be
1416 transferred to the location specified by vector[$n - base]. Otherwise,
1417 control will be transferred to the location specified by
1418 vector[length(vector) - 1].
1420 SSwitch <litstr id/offset vector> [C] -> []
1422 Switch over string case values. This instruction will search the
1423 string/offset vector from the beginning until it finds a string that is equal
1424 to $1. If one is found, control will be transferred to the location specified
1425 by the offset corresponding to that string. If a matching string is not
1426 found, control is transferred to the location specified by the final element
1427 in the vector, which must have a litstr id of -1.
1432 Return. Returns $1 to the caller. This instruction may not be used inside
1433 default value funclets or fault funclets.
1437 Unwind. Transfers control back to the unwinder. This instruction may only be
1438 used inside a fault funclet.
1442 Throw. Throws the object $1. If $1 is not an object that extends the
1443 Exception class, this instruction throws a fatal error.
1449 CGetL <local variable id> [] -> [C]
1451 Get local as cell. If the local variable given by %1 is defined, this
1452 instruction gets the value of the local variable and pushes it onto the stack
1453 as a cell. If the local variable is not defined, this instruction raises a
1454 warning and pushes null onto the stack.
1456 CGetL2 <local variable id> [<F>:<T>] -> [C <F>:<T>]
1458 Get local as cell. If the local variable given by %1 is defined, this
1459 instruction gets the value of the local variable, pushes it onto the stack as
1460 a cell, and then pushes $1 onto the stack.
1462 If the local variable is not defined, this instruction raises a warning,
1463 pushes null onto the stack, and then pushes $1 onto the stack.
1465 CGetL3 <local variable id> [<F2>:<T2> <F1>:<T1>] -> [C <F2>:<T1> <F1>:<T1>]
1467 Get local as cell. If the local variable given by %1 is defined, this
1468 instruction gets the value of the local variable, pushes it onto the stack as
1469 a cell, then pushes $2 onto the stack, and then pushes $1 onto the stack.
1471 If the local variable given by %1 is not defined, this instruction raises a
1472 warning, pushes null onto the stack, then pushes $2 onto the stack, and then
1473 pushes $1 onto the stack.
1475 PushL <local variable id> [] -> [C]
1477 Teleport local value to eval stack. The local variable given by %1 must be
1478 defined and must not contain a reference. This instruction pushes the local's
1479 value on the stack, then unsets it, equivalent to the behavior of UnsetL.
1483 Get local as cell. This instruction first computes x = (string)$1. Next, this
1484 instruction reads the local variable named x pushes its value onto the stack
1487 If there is no local variable defined named x, this instruction pushes null
1488 onto the stack and raises a warning.
1492 Get global as cell. This instruction first computes x = (string)$1. Next,
1493 this instruction reads the global variable named x pushes its value onto the
1496 If there is not a global variable defined named x, this instruction pushes
1497 null onto the stack and raises a warning.
1501 Get static property as cell. This instruction first checks if class $1 has a
1502 visible and accessible static property named (string)$2. If it doesn't, this
1503 instruction throws a fatal error. Otherwise, this instruction pushes the
1504 static property onto the stack as a cell.
1506 VGetL <local variable id> [] -> [V]
1508 Get local as ref. This instruction boxes the local variable given by %1 if
1509 necessary and pushes it onto the stack as a ref. If the given local variable
1510 is not defined, this instruction defines it, sets it to null, boxes it, and
1511 pushes a the value of the local variable onto the stack as a ref.
1515 Get local as ref. This instruction first computes x = (string)$1. Next, this
1516 instruction boxes the local variable named x (if the local is a cell) and
1517 pushes its value onto the stack as a ref. If there is no local variable
1518 defined named x, this instruction defines a local variable named x, sets it
1519 to null, boxes it, and pushes the value of the local variable onto the stack
1524 Get global as ref. This instruction first computes x = (string)$1. Next, this
1525 instruction boxes the global variable named x (if the local is a cell) and
1526 pushes its value onto the stack as a ref. If there is no global variable
1527 defined named x, this instruction defines a global variable named x, sets it
1528 to null, boxes it, and pushes the value of the global variable onto the stack
1533 Get static property as ref. This instruction first checks if class $1 has a
1534 visible and accessible static property named (string)$2. If it doesn't, this
1535 instruction throws a fatal error. Otherwise, this instruction boxes the
1536 static property and pushes it onto the stack as a ref.
1539 AGetL <local variable id> [] -> [A]
1541 Fetch class. This instruction first loads a value into x as shown by the
1549 Next this instruction checks if x is a string or an object. If x is not a
1550 string or object, this instruction throws a fatal error. Otherwise, this
1551 instruction executes y = (is_object(x) ? get_class(x) : (string)x) and checks
1552 if y matches the name of a defined class. If y does not match the name of a
1553 defined class, this instruction will invoke the autoload facility passing in
1554 the class name y, and then it will again check if y matches the name of a
1555 defined class. If y still does not match the name of a defined class this
1556 instruction throws a fatal error.
1558 Next, this instruction pushes a classref that refers to the class named y.
1561 6. Isset, Empty, and type querying instructions
1562 -----------------------------------------------
1564 IssetC [C] -> [C:Bool]
1566 Isset. If $1 is null this instruction pushes false onto the stack, otherwise
1569 IssetL <local variable id> [] -> [C:Bool]
1571 Isset local. This instruction reads the local variable given by %1. If the
1572 local variable is undefined or null, this instruction pushes false onto the
1573 stack, otherwise it pushes true.
1575 IssetN [C] -> [C:Bool]
1577 Isset local. This instruction reads the local variable named (string)$1. If
1578 the local variable is undefined or null, this instruction pushes false onto
1579 the stack, otherwise it pushes true.
1581 IssetG [C] -> [C:Bool]
1583 Isset global. This instruction reads the global variable named (string)$1. If
1584 the global variable is undefined or null, this instruction pushes false onto
1585 the stack, otherwise it pushes true.
1587 IssetS [C A] -> [C:Bool]
1589 Isset static property. This instruction first computes x = (string)$2. Next
1590 it checks if class $1 has an accessible static property named x. If it
1591 doesn't, this instruction pushes false.
1593 If class $1 does have an accessible property named x, this instruction reads
1594 the static property named x. If the static property is null, this instruction
1595 pushes false onto the stack, otherwise it pushes true.
1597 EmptyL <local variable id> [] -> [C:Bool]
1599 Empty local. This instruction reads the local variable named %1 into x. If
1600 the local variable is defined this instruction pushes !(x) onto the stack,
1601 otherwise it pushes true.
1603 EmptyN [C] -> [C:Bool]
1605 Empty local. This instruction reads the local variable named (string)$1 into
1606 x. If the local variable is defined this instruction pushes !(x) onto the
1607 stack, otherwise it pushes true.
1609 EmptyG [C] -> [C:Bool]
1611 Empty global. This instruction reads the global variable named (string)$1
1612 into x. If the global variable is defined this instruction pushes !(x) onto
1613 the stack, otherwise it pushes true.
1615 EmptyS [C A] -> [C:Bool]
1617 Empty static property. This instruction first checks if class $1 has an
1618 accessible static property named (string)$2. If it doesn't, this instruction
1619 pushes true, otherwise this instruction reads the static property into x and
1620 pushes !(x) onto the stack.
1622 IsTypeC <op> [C] -> [C:Bool]
1624 Is type. This instruction first loads a type into t based on the operand op,
1625 according to the following table:
1636 Scalar | Int or Dbl or Str or Bool
1638 If $1 is of type t, this instruction pushes true onto the stack, otherwise it
1641 IsTypeL <local variable id> <op> [] -> [C:Bool]
1643 Is type. This instruction first loads a type into t and a value into x as
1644 given by the following table:
1647 -----------+----------------------------+-------
1655 Scalar | Int or Dbl or Str or Bool | false
1657 If the local variable given by %1 is defined, this pushes true onto the stack
1658 if the local variable is of type t, otherwise it pushes false. If the local
1659 is of kind reference, then the inner value is used to determine the type.
1661 If the local variable given by %1 is not defined, this instruction raises a
1662 warning and pushes x onto the stack.
1665 7. Mutator instructions
1666 -----------------------
1668 SetL <local variable id> [C] -> [C]
1670 Set local. This instruction marks the local variable given by %1 as defined,
1671 stores the value $1 into the local variable, and then pushes $1 onto the
1676 Set local. This instruction marks the local variable named (string)$2 as
1677 defined, assigns the value $1 to the local variable, and then pushes $1 onto
1682 Set global. This instruction marks the global variable named (string)$2 as
1683 defined, assigns the value $1 to the global variable, and then pushes $1 onto
1688 Set static property. First this instruction checks if class $2 has an
1689 accessible static property named (string)$3. If it doesn't, this instruction
1690 throws a fatal error. Otherwise, this instruction assigns the value $1 to the
1691 static property, and then it pushes $1 onto the stack.
1693 SetOpL <local variable id> <op> [C] -> [C]
1695 Set op local. If the local variable given %1 is not defined, this instruction
1696 marks it as defined, sets it to null, and raises a warning.
1698 Next, this instruction reads the local variable into x, then executes y = x
1699 <op> $1, assigns y into local variable %1, and then pushes y onto the stack.
1700 The immediate value must be one of the following opcodes:
1701 Add, AddO, Sub, SubO, Mul, MulO, Div, Mod, Shl, Shr, Concat, BitAnd,
1704 SetOpN <op> [C C] -> [C]
1706 Set op local. This instruction first computes x = (string)$2. If the local
1707 variable named n is not defined, this instruction marks it as defined, sets
1708 it to null, and raises a warning.
1710 Next, this instruction reads the local variable named x into y, executes z =
1711 y <op> $1, assigns z into the local variable named x, and then pushes z onto
1712 the stack as a cell. The immediate value must be one of the following
1714 Add, Sub, Mul, Div, Mod, Shl, Shr, Concat, BitAnd, BitOr, BitXor.
1716 SetOpG <op> [C C] -> [C]
1718 Set op global. This instruction first computes x = (string)$2. If the global
1719 variable named n is not defined, this instruction marks it as defined, sets
1720 it to null, and raises a warning.
1722 Next, this instruction reads the global variable named x into y, executes z =
1723 y <op> $1, assigns z into the global variable named x, and then pushes z onto
1724 the stack as a cell. The immediate value must be one of the following
1726 Add, Sub, Mul, Div, Mod, Shl, Shr, Concat, BitAnd, BitOr, BitXor.
1728 SetOpS <op> [C A C] -> [C]
1730 Set op static property. This instruction first computes x = (string)$3. Next
1731 it checks if class $2 has an accessible static property named x. If it
1732 doesn't, this instruction throws a fatal error. Otherwise, this instruction
1733 reads the static property named x into y, executes z = y <op> $1, assigns z
1734 into the static property, and then pushes z onto the stack. The immediate
1735 value must be one of the following opcodes:
1736 Add, Sub, Mul, Div, Mod, Shl, Shr, Concat, BitAnd, BitOr, BitXor.
1738 IncDecL <local variable id> <op> [] -> [C]
1740 Increment/decrement local. If the local variable given by %1 is not defined,
1741 this instruction marks it as defined, sets it to null, and raises a warning.
1743 Where x is the local given by %1, this instruction then does the following:
1745 If op is PreInc, this instruction executes ++x and then pushes x onto the
1748 If op is PostInc, this instruction pushes x onto the stack and then it
1751 If op is PreDec, this instruction executes --x and then pushes x onto the
1754 If op is PostDec, this instruction pushes x onto the stack and then it
1757 IncDecN <op> [C] -> [C]
1758 IncDecG <op> [C] -> [C]
1760 Increment/decrement. This instruction first computes x = (string)$1. Next, if
1761 the local variable (IncDecN) or global variable (IncDecG) named x is not
1762 defined, this instruction first defines it, sets it to null, and raises a
1765 Where v is the local variable or global variable named x, this instruction
1766 performs the following:
1768 If op is PreInc, this instruction executes ++v and then pushes v onto the
1771 If op is PostInc, this instruction pushes v onto the stack and then it
1774 If op is PreDec, this instruction executes --v and then pushes v onto the
1777 If op is PostDec, this instruction pushes v onto the stack and then it
1780 IncDecS <op> [C A] -> [C]
1782 Increment/decrement static property. This instruction first computes x =
1783 (string)$2. Next it checks if class $1 has an accessible static property
1784 named x. If it doesn't, this instruction throws a fatal error.
1786 Where s is the static property named x, this instruction performs the
1789 If op is PreInc, this instruction increments the ++s and then pushes s onto
1792 If op is PostInc, this instruction pushes s onto the stack and then it
1795 If op is PreDec, this instruction executes --s and then pushes s onto the
1798 If op is PostDec, this instruction pushes s onto the stack and then it
1801 BindL <local variable id> [V] -> [V]
1803 Bind local. This instruction marks the local variable given by %1 as defined,
1804 binds the local variable to $1, and pushes $1 onto the stack.
1808 Bind local. This instruction marks the local variable named (string)$2 as
1809 defined, binds the local variable to $1, and pushes $1 onto the stack.
1813 Bind global. This instruction marks the global variable named (string)$2 as
1814 defined, binds the global variable to $1, and pushes $1 onto the stack.
1816 BindS [C A V] -> [V]
1818 Bind static property. This instruction first checks if class $2 has an
1819 accessible static property named (string)$3. If it doesn't, this instruction
1820 throws a fatal error. Otherwise, this instruction binds the static property
1821 to $1, and pushes $1 onto the stack.
1823 UnsetL <local variable id> [] -> []
1825 Unset local. Breaks any bindings the local variable given by %1 may have and
1826 marks the local variable as undefined.
1830 Unset local. This instruction breaks any bindings the local variable named
1831 (string)$1 may have and marks the local variable as undefined.
1835 Unset global. This instruction breaks any bindings the global variable named
1836 (string)$1 may have and marks the global variable as undefined.
1838 CheckProp <propName> [] -> [C:Bool]
1840 Check non-scalar property initializer. This instruction checks the
1841 initializer for property named %1 in the context class, and pushes
1842 true on the stack if it is initialized, and false otherwise.
1844 InitProp <propName> <op> [C] -> []
1846 Initialize non-scalar property. If %2 is 'NonStatic', this instruction sets
1847 the initializer for the property named %1 in the context class to $1. If %2
1848 is 'Static', this instruction sets the initializer for the static property
1849 named %1 in the context class to $1.
1851 The CheckProp and InitProp opcodes should only be used in 86pinit methods.
1852 86pinit methods are HHVM-internal property initialization methods that
1853 cannot be called from user-land. After 86pinit runs, no declared properties
1854 of the class can be of type NullUninit.
1856 8. Call instructions
1857 --------------------
1859 FPushFunc <num params> [C] -> []
1860 FPushFuncD <num params> <litstr id> [] -> []
1862 FPI push function. First, these instructions load a value into x as given by
1863 the following table:
1870 If x is a string, this instruction attempts to lookup a function named x. If
1871 no function named x is defined, this instruction throws a fatal error.
1872 Otherwise this instruction pushes a new entry on the FPI stack, initializing
1873 it with the number of parameters being passed (given by %1) and a reference
1874 to the FPI structure for the function named x. With FPushFuncD the litstr in
1875 %2 must not start with a '\' character. Function names should be normalized
1876 with respect to namespace and never start with a '\'.
1878 If x is an object, this instruction checks if the object has an __invoke
1879 method. If the object does not have an __invoke method, this instruction
1880 throws a fatal error. Otherwise this instruction pushes a new entry on the
1881 FPI stack, initializing it with the number of parameters being passed (given
1882 by %1) and a reference to the FPI structure for the __invoke method from
1885 If x is not a string or object, this instruction throws a fatal error.
1887 FPushFuncU <num params> <litstr id> <litstr fallback> [] -> []
1889 FPI push function unqualified. Identical to FPushFuncD except first tries to
1890 lookup the function named %2 and if it isn't defined calls the function named
1891 %3. As for FPushFuncD the litstr in %2 and %3 must not start with a '\'
1894 FPushObjMethod <num params> [C C] -> []
1895 FPushObjMethodD <num params> <litstr id> [C] -> []
1897 FPI push object-based method. First, these instructions load values into x
1898 and y as given by the following table:
1901 -------------------+----+-----
1902 FPushObjMethod | $2 | $1
1903 FPushObjMethodD | $1 | %2
1905 If x is not an object or if y is not a string, this instruction throws a
1906 fatal error. Next, this instruction checks if object x has an accessible
1907 method named y. If it does, this instruction pushes a new entry on the FPI
1908 stack, initializing it with the number of parameters being passed (given by
1909 %1) and a reference to the FPI structure for the method named y from object
1912 If object x does not have an accessible method named y, this instruction
1913 checks if object x has a __call method. If a __call method is found, this
1914 instruction pushes a new entry on the FPI stack, initializing it with the
1915 number of parameters being passed (given by %1) and a reference to the FPI
1916 structure for the __call from object x, and stores the original name y in the
1919 If object x does not have an accessible method named y and it does not have a
1920 __call method, this instruction throws a fatal error.
1922 FPushClsMethod <num params> [C A] -> []
1923 FPushClsMethodF <num params> [C A] -> []
1924 FPushClsMethodD <num params> <litstr id> <litstr id> [] -> []
1926 FPI push class-based method. First, these instructions load values into x and
1927 y as given by the following table:
1930 -------------------+----+-----
1931 FPushClsMethod | $1 | $2
1932 FPushClsMethodF | $1 | $2
1933 FPushClsMethodD | %3 | %2
1935 When loading %3 into x, FPushClsMethodD will perform the work performed by
1936 the AGetC instruction to convert the name given by %3 into a classref.
1938 If y is not a string, this instruction throws a fatal error. Next, this
1939 instruction checks if class x has an accessible method named y. If class x
1940 has a method named y. If it does, this instruction pushes a new entry on the
1941 FPI stack, initializing it with the number of parameters being passed (given
1942 by %1) and a reference to the FPI structure for the method named y from class
1945 If class x does not have an accessible method named y, this instruction
1946 checks if the current function's $this is non-null, if the class of $this is
1947 the same or derived from class x, and if $this has a __call method. If no
1948 suitable __call method is found, this instruction will check if class x has a
1949 __callStatic method. If a suitable __call method or a __callStatic method is
1950 found, this instruction pushes a new entry on the FPI stack, initializing it
1951 with the number of parameters being passed (given by %1) and a reference to
1952 the FPI structure for the __call or __callStatic method that was found, and
1953 stores the original name y in the FPI stack entry.
1955 If class x does not have an accessible method named y, and if a suitable
1956 __call method or a __callStatic method could not be found, this instruction
1957 throws a fatal error.
1959 FPushCtor <num params> [A] -> [C]
1960 FPushCtorD <num params> <litstr id> [] -> [C]
1962 FPI push constructor. First, these instructions load a value into x as given
1963 by the following table:
1970 When loading %2 into x, FPushCtorD will perform the work performed by the
1971 AGetC instruction to convert the name given by %2 into a classref.
1973 This instruction pushes an uninitialized object onto the stack (to be
1974 initialized during FCall*) prior to entering the FPI region, then pushes a
1975 new entry on the FPI stack, initializing it with the number of parameters
1976 being passed (given by %1) and a reference to the FPI structure for the
1977 constructor for class x.
1979 DecodeCufIter <iterator id> [C] -> []
1981 This instruction looks up $1 as a callable, and writes enough information to
1982 iterator %1 for FPushCufIter to be able to push an actrec, as if it had been
1983 given the callable. If the function is not successfully decoded, sets up iter
1984 to call a function that does nothing and returns Null. No warning is raised.
1986 FPushCufIter <num params> <iterator id> [] -> []
1988 FPI push the result of a previous DecodeCufIter. No warning is raised.
1990 FPushCuf <num params> [C] -> []
1991 FPushCufF <num params> [C] -> []
1993 FPI push call user function. These instructions lookup $1 as a callable, and
1994 push a new entry onto the FPI stack. If $1 is not callable, they issue a
1995 warning, and push an entry representing a function which does nothing, takes
1996 no argument, and returns null.
1998 FPushCufSafe <num params> [C C] -> [C C:Bool]
2000 FPI push call user function. This instruction pops $1 and $2, then pushes $1
2001 back onto the stack. It then looks up $2 as a callable, and pushes a new
2002 entry onto the FPI stack. If $2 is not callable, it pushes an entry
2003 representing a function which does nothing, takes no argument, and returns
2004 null, and in addition pushes boolean false onto the evaluation stack;
2005 otherwise it pushes true onto the evaluation stack.
2007 CufSafeArray [C C R] -> [C]
2009 Pops 3 elements from the stack, and pushes array($2, $1), preserving refs.
2011 CufSafeReturn [C C R] -> [R]
2013 Pops 3 elements from the stack, and pushes $2 ? $1 : $3, preserving refs.
2015 FPassC <param id> [C] -> [F]
2016 FPassCW <param id> [C] -> [F]
2017 FPassCE <param id> [C] -> [F]
2019 FPI pass parameter. This instruction pushes $1 onto the stack as a cell
2020 regardless of whether parameter %1 is pass by value or pass by reference.
2022 If parameter %1 is pass by reference, FPassCW and FPassCE check if the
2023 function associated with the current FPI (the callee) is an extension
2024 function that can accept a cell for parameter %1. If this condition is not
2025 met, FPassCW will raise a warning while FPassCE will throw a fatal error.
2027 FPassV <param id> [V] -> [F]
2029 FPI pass parameter. If parameter %1 is pass by value, this instruction will
2030 unbox $1 and push it onto the stack as a cell. If parameter %1 is pass by
2031 reference, this instruction will push $1 onto the stack as a ref.
2033 FPassVNop <param id> [V] -> [F]
2035 FPI pass parameter, no op. Parameter %1 must be statically known to be pass
2036 by reference. This instruction pushes $1 onto the stack as a ref.
2038 FPassR <param id> [R] -> [F]
2040 FPI pass parameter. If $1 is a cell at run time, this instruction will behave
2041 like FPassC. Otherwise, this instruction will behave like FPassV.
2043 FPassL <param id> <local variable id> [] -> [F]
2045 FPI pass local as parameter. This instruction behaves as CGetL if parameter
2046 %1 is pass by value, or it behaves like VGetL if parameter %1 is pass by
2049 FPassN <param id> [C] -> [F]
2051 FPI pass local as parameter. This instruction behaves as CGetN if parameter
2052 %1 is pass by value, or it behaves like VGetN if parameter %1 is pass by
2055 FPassG <param id> [C] -> [F]
2057 FPI pass global as parameter. This instruction behaves as CGetG if parameter
2058 %1 is pass by value, or it behaves like VGetG if parameter %1 is pass by
2061 FPassS <param id> [C A] -> [F]
2063 FPI pass parameter. This instruction behaves as CGetS if parameter %1 is pass
2064 by value, or it behaves like VGetS if parameter %1 is pass by reference.
2066 FCall <num params> [F..F] -> [R]
2068 FPI call. This instruction gets the bytecode address of the function
2069 associated with the current FPI (the callee), transfers the top %1 values
2070 from the stack to the callee as parameters, pops the current FPI off of the
2071 FPI stack, and then invokes the dispatcher to call the callee. When the
2072 callee returns, it will transfer the return value onto the caller's
2073 evaluation stack using the R flavor.
2075 FCallD <num params> <class name> <func name> [F..F] -> [R]
2077 FPI call direct. This instruction has exactly the effects of FCall %1, but
2078 provides hints from static analysis to assist the region selector in
2079 determining the callee. The strings in %2 and %3 are statically known names
2080 of the class (if any) and method being called. If the call is targeting a
2081 non-method, %2 must be the empty string.
2083 FCallArray [F] -> [R]
2085 FPI call with array. This instruction gets the bytecode address of the
2086 function associated with the current FPI (the callee), transfers the elements
2087 of $1 (which must be an array) to the callee as parameters, pops the current
2088 FPI off of the FPI stack, and then invokes the dispatcher to call the callee.
2089 When the callee returns, it will transfer the return value onto the caller's
2090 evaluation stack using the R flavor.
2092 FCallBuiltin <total params> <passed params> <litstr id> [C|V|U..C|V|U] -> [R]
2094 Optimized builtin call without an ActRec. This instruction attempts to lookup
2095 a builtin function named %3. If no function named %3 is defined, this
2096 instruction throws a fatal error. Otherwise, this function gets address of
2097 the builtin function named %3, transfers the top %1 values from the stack to
2098 the callee as parameters, and then invokes the dispatcher to call the callee.
2099 %2 denotes the number of non-default parameters pushed onto stack by user
2100 level code. When the callee returns, it will transfer the return value onto
2101 the caller's evaluation stack using the R flavor.
2104 9. Member operations
2105 --------------------
2107 The following operations describe processes that are shared across the Member
2108 instructions. Operations are not considered instructions; they do not have
2109 opcodes associated with them.
2111 Operations can produce and consume intermediate values called "bases". A "base"
2112 is a structure that contains either a cell or a ref or a reference to a memory
2113 location that is occupied by a cell or a ref. Bases are never pushed onto the
2116 For operations that create a base, the operation descriptions specify whether
2117 the base created "contains" a value or "references" a location. In the former
2118 case, the base created contains a cell or a ref. In the latter case, the base
2119 created contains a reference to a memory location occupied by a cell or a ref.
2121 When a base that contains a cell is destroyed, if the cell points to data then
2122 the execution engine is responsible for honoring the data's refcount logic.
2123 Likewise when a base that contains a ref is destroyed, the execution engine is
2124 responsible for honoring the refcount logic of the cell container pointed to by
2125 the ref. When a base that contains a reference to a memory location occupied by
2126 a cell or a ref is destroyed, no refcounting is required.
2128 Some operations that take a base as input can modify that base as part of the
2129 work performed by the operation. Such operations are said to "set" the base to
2130 a new value. When a base that contains a cell or a reference to a memory
2131 location occupied by a cell is set to a new value, the new value overwrites the
2132 previous value contained in the cell (honoring the data refcount logic if the
2133 previous value was a refcounted type). When a base that contains a ref or a
2134 reference to a memory location occupied by a ref is set to the new value, the
2135 new value is written into the cell container referenced by the ref, overwriting
2136 the previous cell in that container (honoring the data refcount logic if the
2137 previous cell was a refcounted type). Note that for bases that contain a
2138 reference to a memory location, "setting" the base does not change which memory
2139 location the base references.
2141 Operations are specified as if they directly operate on the top of the
2142 evaluation stack in the name of consistency and clarity, but in fact their
2143 inputs and outputs may reside elsewhere. The symbol 'B' is used in the input
2144 descriptions and output descriptions of operations to indicate that a given
2145 operation consumes a base as input or produces a base as output.
2149 Get base from value. This operation outputs a base that contains the value
2154 Get base from return value. This operation outputs a base that contains the
2155 return value given by $1.
2157 BaseL <local variable id> [] -> [B]
2159 Get base from local. This operation outputs a base that references the local
2160 given by %1. If the local is not defined, this operation outputs a base that
2163 BaseLW <local variable id> [] -> [B]
2165 Get base from local. This operation outputs a base that references the local
2166 given by %1. If the local is not defined, this operation raises a warning and
2167 outputs a base that contains null.
2169 BaseLD <local variable id> [] -> [B]
2171 Get base from local. This operation outputs a base that references the local
2172 given by %1. If the local is not defined, this operation defines it and
2173 returns a base that references the local.
2175 BaseLWD <local variable id> [] -> [B]
2177 Get base from local. This operation outputs a base that references the local
2178 variable given by %1. If the local is not defined, this operation defines it,
2179 raises a warning, and returns a base that references the local.
2182 BaseNL <local variable id> [] -> [B]
2184 Get base from name. This operation outputs a base that references the local
2185 variable whose name is given by (string)%1 or (string)$1. If the local is not
2186 defined, this operation outputs a base that contains null.
2189 BaseNLW <local variable id> [] -> [B]
2191 Get base from name. This operation outputs a base that references the local
2192 variable whose name is given by (string)%1 or (string)$1. If the local is not
2193 defined, this operation raises a warning and outputs a base that contains
2197 BaseNLD <local variable id> [] -> [B]
2199 Get base from name. This operation outputs a base that references the local
2200 variable whose name is given by (string)%1 or (string)$1. If the local is not
2201 defined, this operation defines it and returns a base that references the
2205 BaseNLWD <local variable id> [] -> [B]
2207 Get base from name. This operation outputs a base that references the local
2208 variable whose name is given by (string)%1 or (string)$1. If the local is not
2209 defined, this operation defines it, raises a warning, and returns a base that
2210 references the local.
2213 BaseGL <local variable id> [] -> [B]
2215 Get base from global name. This operation outputs a base that references the
2216 global variable whose name is given by (string)%1 or (string)$1. If the
2217 global is not defined, this operation produces a base that contains null.
2220 BaseGLW <local variable id> [] -> [B]
2222 Get base from global name. This operation outputs a base that references the
2223 global variable whose name is given by (string)%1 or (string)$1. If the
2224 global is not defined, this operation raises a warning and outputs a base
2228 BaseGLD <local variable id> [] -> [B]
2230 Get base from global name. This operation outputs a base that references the
2231 global variable whose name is given by (string)%1 or (string)$1. If the
2232 global is not defined, this operation defines it and returns a base that
2233 references the global.
2236 BaseGLWD <local variable id> [] -> [B]
2238 Get base from global name. This operation outputs a base that references the
2239 global variable whose name is given by (string)%1 or (string)$1. If the
2240 global is not defined, this operation defines it, raises a warning, and
2241 returns a base that references the global.
2244 BaseSL <local variable id> [A] -> [B]
2246 Get base from static property. First, this operation loads a value into x as
2247 given by the following table:
2254 Next this operation computes y = (string)x. Then this instruction checks if
2255 class $1 has an accessible property named y. If it does, this operation
2256 outputs a base that references the static property. Otherwise, this operation
2257 throws a fatal error.
2261 Get base from $this. This operation assumes that the current frame contains a
2262 valid $this pointer and outputs a base containing the object in $this.
2265 ElemL <local variable id> [B] -> [B]
2267 Fetch element if it exists. First, these operations load a value into x and a
2268 base into y, as given by the following table:
2271 ----------+----+-----
2275 Then, if y is an array, this operation outputs a base that references the
2276 element at index x from array y. If there is no element at index x, this
2277 operation outputs a base that contains null.
2279 If y is an object that implements the ArrayAccess interface, this operation
2280 outputs a base that contains the result of y->offsetGet(x).
2282 If y is an object that does not implement the ArrayAccess interface, this
2283 operation throws a fatal error.
2285 If y is a string, this operation computes z = (int)x. If z >= 0 and z <
2286 strlen(z), this operation builds a new string consisting of the character at
2287 offset z from y and outputs a base that contains the new string. Otherwise,
2288 this operation outputs a base that contains the empty string.
2290 If y is not a string, array, or object, this operation will output a null
2294 ElemLW <local variable id> [B] -> [B]
2296 Fetch element; warn if it doesn't exist.
2298 First, these operations load a value into x and a base into y, as given by
2299 the following table:
2302 ----------+----+-----
2306 If y is an array, this operation outputs a base that references the element
2307 at index x from array y. If there is no element at index x, this operation
2308 outputs a base that contains null and raises a warning.
2310 If y is an object that implements the ArrayAccess interface, this operation
2311 outputs a base that contains the result of y->offsetGet(x).
2313 If y is an object that does not implement the ArrayAccess interface, this
2314 operation throws a fatal error.
2316 If y is a string, this operation continues to compute z = (int)x. If z >= 0
2317 and z < strlen(z), this operation builds a new string consisting of the
2318 character at offset z from y and outputs a base that contains the new string.
2319 Otherwise, this operation raises a warning and outputs a base that contains
2322 If y is not a string, array, or object, this operation will output a null
2326 ElemLD <local variable id> [B] -> [B]
2328 Fetch element; define it if it doesn't exist.
2330 First, these operations load a value into x and a base into y, as given by
2331 the following table:
2334 ----------+----+-----
2338 If y is an array, this operation outputs a base that references the element
2339 at index x. If there is no element at index x, this operation creates an
2340 element at index x, and outputs a base that references the element.
2342 If y is an object that implements the ArrayAccess interface, this operation
2343 outputs a base that contains the result of y->offsetGet(x).
2345 If y is non-empty string or an object that does not implement the ArrayAccess
2346 interface, this operation throws a fatal error.
2348 If y is null, the empty string, or false, this operation will set y to a new
2349 empty array, create an element at index x, and output a base that references
2352 If y is true, integer, double, this operation raises a warning and outputs a
2353 base that contains null.
2355 ElemCWD [C B] -> [B]
2356 ElemLWD <local variable id> [B] -> [B]
2358 Fetch element; warn and define it if it doesn't exist.
2360 First, these operations load a value into x and a base into y, as given by
2361 the following table:
2364 ----------+----+-----
2368 If y is an array, this operation outputs a base that references the element
2369 at index x. If there is no element at index x, this operation creates an
2370 element at index x, raises a warning, and outputs a base that references the
2373 If y is an object that implements the ArrayAccess interface, this operation
2374 outputs a base that contains the result of y->offsetGet(x).
2376 If y is non-empty string or an object that does not implement the ArrayAccess
2377 interface, this operation throws a fatal error.
2379 If y is null, the empty string, or false, this operation will set y to a new
2380 empty array, create an element at index x, and output a base that references
2383 If y is true, integer, or double, this operation raises a warning and outputs
2384 a base that contains null.
2387 ElemLU <local variable id> [B] -> [B]
2389 Fetch element for unset.
2391 First, these operations load a value into x and a base into y, as given by
2392 the following table:
2395 ----------+----+-----
2399 If y is an array, this operation outputs a base that references the element
2400 at index x from array y. If there is no element at index x, this operation
2401 outputs a base that contains null.
2403 If y is an object that implements the ArrayAccess interface, this operation
2404 outputs a base that contains the result of y->offsetGet(x).
2406 If y is an object that does not implement the ArrayAccess interface, this
2407 operation throws a fatal error.
2409 If y is a string, this operation throws a fatal error.
2411 If y is not a string, array, or object, this operation will output a null
2416 Fetch new element. If $1 is an array, this operation creates a new element
2417 with the next available numeric key in array $1 and outputs a base that
2418 references the new element.
2420 If $1 is an object that implements the ArrayAccess interface, this operation
2421 outputs a base that contains the result of $1->offsetGet(null).
2423 If $1 is a non-empty string or an object that does not implement the
2424 ArrayAccess interface, this operation throws a fatal error.
2426 If $1 is null, false, or the empty string, this operation sets $1 to a new
2427 empty array, creates a new element with the next available numeric key in
2428 array $1, and then outputs a base that references the new element.
2430 If $1 is true, integer, or double, this operation raises a warning and
2431 outputs a base that contains null.
2434 PropL <local variable id> [B] -> [B]
2436 Fetch property if it exists.
2438 First, these operations load a value into x and a base into y, as given by
2439 the following table:
2442 ----------+----+-----
2446 Next, performs one of the following actions:
2451 y has eligible __get method
2452 y->x has been unset previously
2453 ------+---------------------------------------------------------------------
2456 10X1X | push ref(y->__get(x))
2457 1100X | throw fatal error
2458 1101X | push ref(y->__get(x))
2459 111X0 | push ref(y->x)
2461 11111 | push ref(y->__get(x))
2464 PropLW <local variable id> [B] -> [B]
2466 Fetch property; warn if it doesn't exist.
2468 First, these operations load a value into x and a base into y, as given by
2469 the following table:
2472 ----------+----+-----
2476 Next, performs one of the following actions:
2481 y has eligible __get method
2482 y->x has been unset previously
2483 -----+----------------------------------------------------------------------
2484 0XXXX | raise warning; push null
2485 10X0X | raise warning; push null
2486 10X1X | push ref(y->__get(x))
2487 1100X | throw fatal error
2488 1101X | push ref(y->__get(x))
2489 111X0 | push ref(y->x)
2490 11101 | raise warning; push null
2491 11111 | push ref(y->__get(x))
2494 PropLD <local variable id> [B] -> [B]
2496 Fetch property; define it if it doesn't exist.
2498 First, these operations load a value into x and a base into y, as given by
2499 the following table:
2502 ----------+----+-----
2506 Next, performs one of the following actions:
2512 y has eligible __get method
2513 y->x has been unset previously
2514 ------+---------------------------------------------------------------------
2516 01XXXX | y = new stdclass; create property y->x; push ref(y->x)
2517 1X0X0X | create property y->x; push ref(y->x)
2518 1X0X1X | push ref(y->__get(x))
2519 1X100X | throw fatal error
2520 1X101X | push ref(y->__get(x))
2521 1X11X0 | push ref(y->x)
2522 1X1101 | re-create property y->x, push ref(y->x)
2523 1X1111 | push ref(y->__get(x))
2525 PropCWD [C B] -> [B]
2526 PropLWD <local variable id> [B] -> [B]
2528 Fetch property; warn and define it if it doesn't exist.
2530 First, these operations load a value into x and a base into y, as given by
2531 the following table:
2534 ----------+----+-----
2538 Next, performs one of the following actions:
2544 y has eligible __get method
2545 y->x has been unset previously
2546 ------+---------------------------------------------------------------------
2547 00XXXX | raise warning; push null
2548 01XXXX | raise warning; y = new stdclass; create property y->x;
2550 1X0X0X | raise warning; create property y->x; push ref(y->x)
2551 1X0X1X | push ref(y->__get(x))
2552 1X100X | throw fatal error
2553 1X101X | push ref(y->__get(x))
2554 1X11X0 | push ref(y->x)
2555 1X1101 | re-create property y->x, push ref(y->x)
2556 1X1111 | push ref(y->__get(x))
2559 PropLU <local variabld id> [B] -> [B]
2561 Fetch property for unset.
2563 First, these operations load a value into x and a base into y, as given by
2564 the following table:
2567 ----------+----+-----
2571 Next, performs one of the following actions:
2576 y has eligible __get method
2577 y->x has been unset previously
2578 -----+----------------------------------------------------------------------
2580 10XXX | create property y->x; push ref(y->x)
2581 110XX | throw fatal error
2582 111X0 | push ref(y->x)
2583 111X1 | re-create property y->x, push ref(y->x)
2585 CGetElemC [C B] -> [C]
2586 CGetElemL <local variable id> [B] -> [C]
2588 Get element as cell.
2590 These instructions first load a value into x and a base into y, as given by
2591 the following table:
2594 ------------+----+-----
2598 If y is an array, this operation retrieves the element at index x from array
2599 y and pushes it onto the stack as a cell. If there is no element at index x,
2600 this operation raises a warning and pushes null onto the stack.
2602 If y is an object that implements the ArrayAccess interface, this operation
2603 pushes x->offsetGet($2) onto the stack.
2605 If y is an object that does not implement the ArrayAccess interface, this
2606 operation throws a fatal error.
2608 If y is a string, this operation continues to compute z = (int)x. If z >= 0
2609 and z < strlen(z), this operation builds a new string consisting of the
2610 character at offset z from y and pushes it onto the stack. Otherwise, this
2611 operation raises a warning and pushes the empty string onto the stack.
2613 If y is not a string, array, or object, this operation will push null onto
2616 VGetElemC [C B] -> [V]
2617 VGetElemL <local variable id> [B] -> [V]
2621 These instructions first load a value into x and a base into y, as given by
2622 the following table:
2625 ------------+----+-----
2629 If y is an array, this operation retrieves the element at index x from array
2630 y and pushes it onto the stack as a ref. If there is no element at index x,
2631 this operation creates a new element at index x, and pushes it onto the stack
2634 If y is an object that implements the ArrayAccess interface, this operation
2635 pushes y->offsetGet(x) onto the stack as a ref.
2637 If y is a non-empty string or an object that does not implement the
2638 ArrayAccess interface, this operation throws a fatal error.
2640 If y is null, false, or the empty string, this operation sets y to a new
2641 empty array. Then this operation retrieves the element at index x from array
2642 y and pushes it onto the stack as a ref. If there is no element at index x,
2643 this operation creates a new element at index x, and pushes it onto the stack
2646 If y is true, integer, or double, this operation raises a warning and pushes
2647 null onto the stack.
2649 IssetElemC [C B] -> [C:Bool]
2650 IssetElemL <local variable id> [B] -> [C:Bool]
2654 These instructions first load a value into x and a base into y, as given by
2655 the following table:
2658 ------------+----+-----
2659 IssetElemC | $2 | $1
2660 IssetElemL | %1 | $1
2662 If y is an array, this operation pushes !is_null(y[x]) onto the stack.
2664 If y is an object that implements the ArrayAccess interface, this operation
2665 pushes y->offsetExists(x) onto the stack.
2667 If y is an object that does not implement the ArrayAccess interface, this
2668 operation throws a fatal error.
2670 If y is a string, this operation computes x = (int)x and then it pushes (x >=
2671 0 && x < strlen(y)) onto the stack.
2673 If y is a not a string, array, or object, this operation pushes false onto
2676 EmptyElemC [C B] -> [C]
2677 EmptyElemL <local variable id> [B] -> [C]
2681 These instructions first load a value into x and a base into y, as given by
2682 the following table:
2685 ------------+----+-----
2686 EmptyElemC | $2 | $1
2687 EmptyElemL | %1 | $1
2689 If y is an array, this operation pushes !(y[x]) onto the stack.
2691 If y is an object that implements the ArrayAccess interface, this operation
2692 first calls y->offsetExists(x); if that returns false this operation pushes
2693 true onto the stack, otherwise it pushes !(y->offsetGet(x)) onto the stack.
2695 If y is an object that does not implement the ArrayAccess interface, this
2696 operation throws a fatal error.
2698 If y is a string, this operation computes z = (int)x, then pushes true if (z
2699 < 0 || z >= strlen(y)), !(y[z]) otherwise.
2701 If y is, not an array, object, or string, this operation pushes true onto the
2704 SetElemC [C C B] -> [C]
2706 Set element. If $1 is an array, this operation executes $1[$3] = $2 and then
2707 pushes $2 onto the stack.
2709 If $1 is an object that implements the ArrayAccess interface, this operation
2710 executes $1->offsetSet($3, $2) and then pushes $2 onto the stack.
2712 If $1 is an object that does not implement the ArrayAccess interface, this
2713 operation throws a fatal error.
2715 If $1 is null, the empty string, or false, this operation sets $1 to a new
2716 empty array, executes $1[$3] = $2, and then pushes $2 onto the stack.
2718 If $1 is a non-empty string, this operation first computes x = (int)$3. If x
2719 is negative, this operation raises a warning and does nothing else. If x is
2720 non-negative, this operation appends spaces to the end of $1 as needed to
2721 ensure that x is in bounds, then it computes y = substr((string)$2,0,1), and
2722 then it sets the character at index x in $1 equal to y (if y is not empty) or
2723 it sets the character at index x in $1 to "\0" (if y is empty). Then this
2724 operation pushes y on to the stack.
2726 If $1 is true, integer, or double, this operation raises a warning and pushes
2727 null onto the stack as a cell.
2729 SetElemL <local variable id> [C B] -> [C]
2731 Set element. If $1 is an array, this operation executes $1[%1] = $2 and then
2732 pushes $2 onto the stack.
2734 If $1 is an object that implements the ArrayAccess interface, this operation
2735 executes $1->offsetSet(%1, $2) and then pushes $2 onto the stack.
2737 If $1 is an object that does not implement the ArrayAccess interface, this
2738 operation throws a fatal error.
2740 If $1 is null, the empty string, or false, this operation sets $1 to a new
2741 empty array, executes $1[%1] = $2, and then pushes $2 onto the stack.
2743 If $1 is a non-empty string, this operation first computes x = (int)%1. If x
2744 is negative, this operation raises a warning and does nothing else. If x is
2745 non-negative, this operation appends spaces to the end of $1 as needed to
2746 ensure that x is in bounds, then it computes y = substr((string)$2,0,1), and
2747 then it sets the character at index x in $1 equal to y (if y is not empty) or
2748 it sets the character at index x in $1 to "\0" (if y is empty). Then this
2749 operation pushes y on to the stack.
2751 If $1 is true, integer, or double, this operation raises a warning and pushes
2752 null onto the stack as a cell.
2754 SetOpElemC <op> [C C B] -> [C]
2756 Set element op. If $1 is an array, this operation first checks $1 contains an
2757 element at offset $2. If it does not, this operation creates an element at
2758 offset $2, sets it to null, and raises a warning. Next, this operation
2759 executes x = $1[$3], y = x <op> $2, and $1[$3] = y, and then it pushes y onto
2760 the stack as a cell.
2762 If $1 is null, false, or the empty string, this operation first sets $1 to a
2763 new empty array. Then it follows the rules described in the case above.
2765 If $1 is an object that implements the ArrayAccess interface, this operation
2766 executes x = $1->offsetGet($3), y = x <op> $2, and $1->offsetSet($3, y), and
2767 then it pushes y onto the stack as a cell.
2769 If $1 is a non-empty string or an object that does not implement the
2770 ArrayAccess interface, this operation throws a fatal error.
2772 If $1 is true, integer, or double, this operation raises a warning and pushes
2773 null onto the stack.
2775 SetOpElemL <op> <local variable id> [C B] -> [C]
2777 Set element op. If $1 is an array, this operation first checks $1 contains an
2778 element at offset $2. If it does not, this operation creates an element at
2779 offset $2, sets it to null, and raises a warning. Next, this operation
2780 executes x = $1[%1], y = x <op> $2, and $1[%1] = y, and then it pushes y onto
2781 the stack as a cell.
2783 If $1 is null, false, or the empty string, this operation first sets $1 to a
2784 new empty array. Then it follows the rules described in the case above.
2786 If $1 is an object that implements the ArrayAccess interface, this operation
2787 executes x = $1->offsetGet(%1), y = x <op> $2, and $1->offsetSet(%1, y), and
2788 then it pushes y onto the stack as a cell.
2790 If $1 is a non-empty string or an object that does not implement the
2791 ArrayAccess interface, this operation throws a fatal error.
2793 If $1 is true, integer, or double, this operation raises a warning and pushes
2794 null onto the stack.
2796 IncDecElemC <op> [C B] -> [C]
2798 Increment/decrement element. If $1 is an array, this operation checks if $1
2799 contains an element at offset $2. If it does not, this operation creates an
2800 element at offset $2, sets it to null, and raises a warning. Next, this
2801 operation executes x = $1[$2], y = x, and either ++y (if op is PreInc or
2802 PostInc) or --y (if op is PreDec or PostDec). Then it assigns y to $1[$2] and
2803 pushes either y (if op is PreInc or PreDec) or x (if op is PostInc or
2804 PostDec) onto the stack.
2806 If $1 is null, false, or the empty string, this operation first sets $1 to an
2807 empty array. Then it follows the rules described in the case above.
2809 If $1 is a non-empty string or an object that does not implement the
2810 ArrayAccess interface, this operation throws a fatal error.
2812 If $1 is an object that implements ArrayAccess, this operation executes x =
2813 $1->offsetGet($2), y = x, and either ++y (if op is PreInc or PostInc) or --y
2814 (if op is PreDec or PostDec). Then it pushes either y (if op is PreInc or
2815 PreDec) or x (if op is PostInc or PostDec) onto the stack.
2817 If $1 is true, integer, or double, this operation raises a warning and pushes
2818 null onto the stack.
2820 IncDecElemL <op> <local variable id> [B] -> [C]
2822 Increment/decrement element. If $1 is an array, this operation checks if $1
2823 contains an element at offset %1. If it does not, this operation creates an
2824 element at offset %1, sets it to null, and raises a warning. Next, this
2825 operation executes x = $1[%1], y = x, and either ++y (if op is PreInc or
2826 PostInc) or --y (if op is PreDec or PostDec). Then it assigns y to $1[%1] and
2827 pushes either y (if op is PreInc or PreDec) or x (if op is PostInc or
2828 PostDec) onto the stack.
2830 If $1 is null, false, or the empty string, this operation first sets $1 to an
2831 empty array. Then it follows the rules described in the case above.
2833 If $1 is a non-empty string or an object that does not implement the
2834 ArrayAccess interface, this operation throws a fatal error.
2836 If $1 is an object that implements ArrayAccess, this operation executes x =
2837 $1->offsetGet(%1), y = x, and either ++y (if op is PreInc or PostInc) or --y
2838 (if op is PreDec or PostDec). Then it pushes either y (if op is PreInc or
2839 PreDec) or x (if op is PostInc or PostDec) onto the stack.
2841 If $1 is true, integer, or double, this operation raises a warning and pushes
2842 null onto the stack.
2844 BindElemC [C V B] -> [V]
2845 BindElemL <local variable id> [V B] -> [V]
2849 This instruction first loads a value into x, from $3 or the local referred to
2852 If $1 is an array, this operation executes $1[x] =& $2 and pushes $2 onto the
2855 If $1 is an object, this operation throws a fatal error.
2857 If $1 is null, false, or the empty string, this operation sets $1 to a new
2858 empty array, executes $1[x] =& $2, and pushes $2 onto the stack as a ref.
2860 If $1 is a non-empty string, this operation throws a fatal error.
2862 If $1 is true, integer, or double, this operation raises a warning.
2864 UnsetElemC [C B] -> []
2865 UnsetElemL <local variable id> [B] -> []
2869 These instructions first load a value into x and a base into y, as given by
2870 the following table:
2873 ------------+----+-----
2874 UnsetElemL | %1 | $1
2875 UnsetElemC | $2 | $1
2877 If y is an array, this operation removes the element at index x from array y.
2879 If y is an object that implements ArrayAccess interface, this operation
2880 executes y->offsetUnset(x).
2882 If y is an object that does not implement the ArrayAccess interface, this
2883 operation throws a fatal error.
2885 If y is a string, this operation throws a fatal error.
2887 If y is not a string, array, or object, this operation does nothing.
2889 VGetNewElem [B] -> [V]
2891 Get new element as ref.
2893 If $1 is an array, this operation creates a new element with the next
2894 available numeric key in array $1 and pushes it onto the stack as a ref.
2896 If $1 is an object that implements the ArrayAccess interface, this operation
2897 pushes $1->offsetGet($2) onto the stack as a ref.
2899 If $1 is a non-empty string or an object that does not implement the
2900 ArrayAccess interface, this operation throws a fatal error.
2902 If $1 is null, false, or the empty string, this operation first sets $1 to a
2903 new empty array. Then it creates a new element with the next available
2904 numeric key in array $1 and pushes it onto the stack as a ref.
2906 If $1 is true, integer, or double, this operation raises a warning and pushes
2907 null onto the stack.
2909 SetNewElem [C B] -> [C]
2911 Set new element. If $1 is an array, this operation executes $1[] = $2 and
2912 then pushes $2 onto the stack.
2914 If $1 is null, false, or the empty string, this operation sets $1 to a new
2915 empty array, and then it executes $1[] = $2 and pushes $2 onto the stack.
2917 If $1 is a non-empty string or an object that does not implement the
2918 ArrayAccess interface, this operation throws a fatal error.
2920 If $1 is an object that implements the ArrayAccess interface, this operation
2921 executes $1->offsetSet(null, $2) and then pushes $2 onto the stack.
2923 If $1 is true, integer, or double, this operation raises a warning and pushes
2924 null onto the stack.
2926 SetOpNewElem <op> [C B] -> [C]
2928 Set op new element. If $1 is an array, this operation first determines the
2929 next available integer offset k in array $1. Next, this operation executes
2930 $1[k] = null, x = $1[k], and y = x <op> $2. Then it assigns y to $1[k] and
2931 pushes y onto the stack.
2933 If $1 is null, false, or the empty string, this operation first sets $1 to an
2934 empty array. Then it follows the rules described in the case above.
2936 If $1 is a non-empty string or an object that does not implement the
2937 ArrayAccess interface, this operation throws a fatal error.
2939 If $1 is an object that implements ArrayAccess, this operation executes x =
2940 $1->offsetGet(null), y = x <op> $2, and $1->offsetSet(null, y). Then it
2941 pushes y onto the stack.
2943 If $1 is true, integer, or double, this operation raises a warning and pushes
2944 null onto the stack.
2946 IncDecNewElem <op> [B] -> [C]
2948 Increment/decrement new element. If $1 is an array, this operation first
2949 determines the next available integer offset k in array $1. Next, this
2950 operation executes $1[k] = null, x = $1[k], y = x, and either ++y (if op is
2951 PreInc or PostInc) or --y (if op is PreDec or PostDec). Then it assigns y to
2952 $1[k] and pushes either y (if op is PreInc or PreDec) or x (if op is PostInc
2953 or PostDec) onto the stack.
2955 If $1 is null, false, or the empty string, this operation first sets $1 to an
2956 empty array. Then it follows the rules described in the case above.
2958 If $1 is a non-empty string or an object that does not implement the
2959 ArrayAccess interface, this operation throws a fatal error.
2961 If $1 is an object that implements ArrayAccess, this operation executes x =
2962 $1->offsetGet(null), y = x, and either ++y (if op is PreInc or PostInc) or
2963 --y (if op is PreDec or PostDec). Then it pushes either y (if op is PreInc or
2964 PreDec) or x (if op is PostInc or PostDec) onto the stack.
2966 If $1 is true, integer, or double, this operation raises a warning and pushes
2967 null onto the stack.
2969 BindNewElem [V B] -> [V]
2971 Bind new element. If $1 is an array, this operation executes $1[] =& $2 and
2972 then it pushes $2 onto the stack.
2974 If $1 is null, false, or empty string, this operation sets $1 to a new empty
2975 array, executes $1[] =& $2, and pushes $2 onto the stack.
2977 If $1 is a non-empty string or an object, this operation throws a fatal
2980 If $1 is true, integer, or double, this operation raises a warning and pushes
2981 null onto the stack.
2983 CGetPropC [C B] -> [C]
2984 CGetPropL <local variable id> [B] -> [C]
2986 Get property as cell.
2988 These instructions first load a value into x and a base into y, as given by
2989 the following table:
2992 ------------+----+-----
2996 If y is an object that does not have an eligible __get method, this operation
2997 first checks if y has a visible property named x. If it does not, this
2998 operation raises a warning and pushes null. Otherwise, this operation
2999 continues to check if the property named x is accessible. If the property
3000 named x is accessible this operation pushes it onto the stack as a cell,
3001 otherwise this operation throws a fatal error.
3003 If y is an object that has an eligible __get method, this operation checks if
3004 y has a visible and accessible property named x. If it does, this operation
3005 pushes the property onto the stack. Otherwise, this operation pushes
3006 y->__get(x) onto the stack.
3008 If y is not an object, this operation will raise a warning and push null onto
3011 VGetPropC [C B] -> [V]
3012 VGetPropL <local variable id> [B] -> [V]
3014 Get property as ref.
3016 These instructions first load a value into x and a base into y, as given by
3017 the following table:
3020 ------------+----+-----
3024 If y is an object that does not have an eligible __get method, this operation
3025 first checks if y has a visible property named x. If it does not, this
3026 operation will create a new property named x and push it onto the stack as a
3027 ref. Otherwise this operation continues to check if the property named x is
3028 accessible. If it the property named x is accessible this operation pushes it
3029 onto the stack as a ref, otherwise this operation throws a fatal error.
3031 If y is an object has an eligible __get method, this operation checks if y
3032 has a visible and accessible property named x. If it does, this operation
3033 pushes the property onto the stack. Otherwise, this operation pushes
3034 y->__get(x) onto the stack.
3036 If y is null, false, or the empty string, this operation will set y to a new
3037 object of type stdclass, create a new property named x, and pushes it onto
3040 If y is true, integer, double, a non-empty string, or an array, this
3041 operation raises a warning and pushes null.
3043 IssetPropC [C B] -> [C:Bool]
3044 IssetPropL <local variable id> [B] -> [C:Bool]
3048 These instructions first load a value into x and a base into y, as given by
3049 the following table:
3052 -------------+----+-----
3053 IssetPropC | $2 | $1
3054 IssetPropL | %1 | $1
3056 If y is an object that does not have an eligible __isset method, this
3057 operation checks if y has a visible accessible property named x. If it does,
3058 this operation pushes !is_null(y->x) onto the stack. Otherwise this operation
3059 pushes false onto the stack.
3061 If y is an object that has an eligible __isset method, this operation checks
3062 if y has a visible and accessible property named x. If it does, this
3063 operation pushes !is_null(y->x) onto the stack. Otherwise this operation
3064 pushes y->__isset(x) onto the stack.
3066 If y is an array, this operation pushes !is_null(y[x]) onto the stack.
3068 If y is not an object or array, this operation pushes false.
3070 EmptyPropC [C B] -> [C:Bool]
3071 EmptyPropL <local variable id> [B] -> [C:Bool]
3075 These instructions first load a value into x and a base into y, as given by
3076 the following table:
3079 -------------+----+-----
3080 EmptyPropC | $2 | $1
3081 EmptyPropL | %1 | $1
3083 If y is an object that does not have an eligible __isset method, this
3084 operation first checks if y has a visible and accessible property named x.
3085 If it does, this operation pushes !(y->x) onto the stack. Otherwise this
3086 operation pushes true onto the stack.
3088 If y is an object that has an eligible __isset method but it does not have an
3089 eligible __get method, this operation checks if y has a visible and
3090 accessible property named x. If it does, this operation pushes !(y->x) onto
3091 the stack. Otherwise this operation pushes !(y->__isset(x)) onto the stack.
3093 If y is an object that has an eligible __isset method and an eligible __get
3094 method, this operation checks if y has a visible and accessible property
3095 named x. If it does, this operation pushes !(y->x) onto the stack. Otherwise
3096 this operation continues to execute x = y->__isset(x). If x is false this
3097 operation pushes true onto the stack, otherwise this operation pushes
3098 !(y->__get(x)) onto the stack.
3100 If y is an array, this operation pushes !(y[x]) onto the stack.
3102 If y is not an object or array, this operation pushes true.
3104 SetPropC [C C B] -> [C]
3105 SetPropL <local variable id> [C B] -> [C]
3107 Set property. Perform one of the following actions:
3109 First, these operations load values into k and x, and a base into y, as given
3110 by the following table:
3113 ----------+----+----+----
3114 SetPropC | $3 | $2 | $1
3115 SetPropL | %1 | $2 | $1
3117 Next, performs one of the following actions:
3123 y has eligible __set method
3124 y->k has been unset previously
3125 ------+---------------------------------------------------------------------
3126 00XXXX | raise warning; push null
3127 01XXXX | y = new stdclass; y->k = x; push x
3128 1X0X0X | create property y->k; y->k = x; push x
3129 1X0X1X | y->__set(k, x); push x
3130 1X100X | throw fatal error
3131 1X101X | y->__set(k, x); push x
3132 1X11X0 | y->k = x; push x
3133 1X1101 | re-create property y->k; y->k = x; push x
3134 1X1111 | y->__set(k, x); push x
3136 SetOpPropC <op> [C C B] -> [C]
3138 Set op property. Perform one of the following actions:
3143 $1->$3 is accessible
3144 $1 has eligible __get method
3145 $1 has eligible __set method
3146 $1->$3 has been unset previously
3147 -------+--------------------------------------------------------------------
3148 00XXXXX | raise warning; push null
3149 01XXXXX | $1 = new stdclass; y = null <op> $2; $1->$3 = y; push y
3150 100X0XX | y = null <op> $2; $1->$3 = y; push y
3151 100X10X | x = $1->__get($3); y = x <op> $2; $1->$3 = y; push y
3152 100X11X | x = $1->__get($3); y = x <op> $2; $1->__set($3, y), push y
3153 10100XX | throw fatal error
3154 101010X | throw fatal error
3155 101011X | x = $1->__get($3); y = x <op> $2; $1->__set($3, y), push y
3156 1011XX0 | x = $1->$3; y = x <op> $2; $1->$3 = y; push y
3157 10110X1 | y = null <op> $2; re-create $1->$3; $1->$3 = y; push y
3158 1011101 | x = $1->__get($3); y = x <op> $2; re-create $1->$3; $1->$3 = y;
3160 1011111 | x = $1->__get($3); y = x <op> $2; $1->__set($3, y); push y
3162 SetOpPropL <op> <local variable id> [C B] -> [C]
3164 Set op property. Perform one of the following actions, where k is the value
3165 of the local given by %2.
3171 $1 has eligible __get method
3172 $1 has eligible __set method
3173 $1->k has been unset previously
3174 -------+--------------------------------------------------------------------
3175 00XXXXX | raise warning; push null
3176 01XXXXX | $1 = new stdclass; y = null <op> $2; $1->k = y; push y
3177 100X0XX | y = null <op> $2; $1->k = y; push y
3178 100X10X | x = $1->__get(k); y = x <op> $2; $1->k = y; push y
3179 100X11X | x = $1->__get(k); y = x <op> $2; $1->__set(k, y), push y
3180 10100XX | throw fatal error
3181 101010X | throw fatal error
3182 101011X | x = $1->__get(k); y = x <op> $2; $1->__set(k, y), push y
3183 1011XX0 | x = $1->k; y = x <op> $2; $1->k = y; push y
3184 10110X1 | y = null <op> $2; re-create $1->k; $1->k = y; push y
3185 1011101 | x = $1->__get(k); y = x <op> $2; re-create $1->k; $1->k = y;
3187 1011111 | x = $1->__get(k); y = x <op> $2; $1->__set(k, y); push y
3189 IncDecPropC <op> [C B] -> [C]
3191 Increment/decrement property. Perform one of the following actions:
3196 $1->$2 is accessible
3197 $1 has eligible __get method
3198 $1 has eligible __set method
3199 $1->$2 has been unset previously
3200 -------+--------------------------------------------------------------------
3201 00XXXXX | raise warning; push null
3202 01XXXXX | $1 = new stdclass; x = null; y = x; <op>y; $1->$2 = y;
3203 | push y (Pre*) or x (Post*)
3204 100X0XX | x = null; y = x; <op>y; $1->$2 = y; push y (Pre*) or x (Post*)
3205 100X10X | x = $1->__get($2); y = x; <op>y; $1->$2 = y;
3206 | push y (Pre*) or x (Post*)
3207 100X11X | x = $1->__get($2); y = x, <op>y; $1->__set($2, y);
3208 | push y (Pre*) or x (Post*)
3209 10100XX | throw fatal error
3210 101010X | throw fatal error
3211 101011X | x = $1->__get($2); y = x, <op>y; $1->__set($2, y);
3212 | push y (Pre*) or x (Post*)
3213 1011XX0 | x = $1->$2; y = x; <op>y; $1->$2 = y; push y (Pre*) or x (Post*)
3214 10110X1 | x = null; y = x; <op>y; re-create $1->$2; $1->$2 = y;
3215 | push y (Pre*) or x (Post*)
3216 1011101 | x = $1->__get($2); y = x; <op>y; re-create $1->$2; $1->$2 = y;
3217 | push y (Pre*) or x (Post*)
3218 1011111 | x = $1->__get($2); y = x; <op>y; $1->__set($2, y);
3219 | push y (Pre*) or x (Post*)
3221 IncDecPropL <op> <local variable id> [B] -> [C]
3223 Increment/decrement property. Perform one of the following actions, where k
3224 is the value of the local variable given by %2.
3230 $1 has eligible __get method
3231 $1 has eligible __set method
3232 $1->k has been unset previously
3233 -------+--------------------------------------------------------------------
3234 00XXXXX | raise warning; push null
3235 01XXXXX | $1 = new stdclass; x = null; y = x; <op>y; $1->k = y;
3236 | push y (Pre*) or x (Post*)
3237 100X0XX | x = null; y = x; <op>y; $1->k = y; push y (Pre*) or x (Post*)
3238 100X10X | x = $1->__get(k); y = x; <op>y; $1->k = y;
3239 | push y (Pre*) or x (Post*)
3240 100X11X | x = $1->__get(k); y = x, <op>y; $1->__set(k, y);
3241 | push y (Pre*) or x (Post*)
3242 10100XX | throw fatal error
3243 101010X | throw fatal error
3244 101011X | x = $1->__get(k); y = x, <op>y; $1->__set(k, y);
3245 | push y (Pre*) or x (Post*)
3246 1011XX0 | x = $1->k; y = x; <op>y; $1->k = y; push y (Pre*) or x (Post*)
3247 10110X1 | x = null; y = x; <op>y; re-create $1->k; $1->k = y;
3248 | push y (Pre*) or x (Post*)
3249 1011101 | x = $1->__get(k); y = x; <op>y; re-create $1->k; $1->k = y;
3250 | push y (Pre*) or x (Post*)
3251 1011111 | x = $1->__get(k); y = x; <op>y; $1->__set(k, y);
3252 | push y (Pre*) or x (Post*)
3254 BindPropC [C V B] -> [V]
3256 Bind property. If $1 is an object that does not have an eligible __set
3257 method, this operation first checks if $1 has a visible property named $3. If
3258 it does not, this operation creates a new property named $3, executes $1->$3
3259 =& $2, and pushes $2 onto the stack. Otherwise, this operation continues to
3260 check if the property named $3 is accessible. If the property named $3 is not
3261 accessible, this operation throws a fatal error. Otherwise, this operation
3262 executes $1->$3 =& $2 and pushes $2 onto the stack.
3264 If $1 is an object that has an eligible __set method, this operation checks
3265 if $1 has a visible and accessible property named $3. If it does, this
3266 operation follows the rules described in the first case given above.
3267 Otherwise this operation throws a fatal error.
3269 If $1 is null, false, or empty string, this operation sets $1 to a new object
3270 of type stdclass, executes $1->$3 =& $2, and pushes $2 onto the stack.
3272 If $1 is true, integer, double, a non-empty string, or an array, this
3273 operation raises a warning and pushes null onto the stack.
3275 BindPropL <local variable id> [V B] -> [V]
3277 Bind property. Where k is the value of the local variable given by %1:
3279 If $1 is an object that does not have an eligible __set method, this
3280 operation first checks if $1 has a visible property named k. If it does not,
3281 this operation creates a new property named k, executes $1->k =& $2, and
3282 pushes $2 onto the stack. Otherwise, this operation continues to check if the
3283 property named k is accessible. If the property named k is not accessible,
3284 this operation throws a fatal error. Otherwise, this operation executes $1->k
3285 =& $2 and pushes $2 onto the stack.
3287 If $1 is an object that has an eligible __set method, this operation checks
3288 if $1 has a visible and accessible property named k. If it does, this
3289 operation follows the rules described in the first case given above.
3290 Otherwise this operation throws a fatal error.
3292 If $1 is null, false, or empty string, this operation sets $1 to a new object
3293 of type stdclass, executes $1->k =& $2, and pushes $2 onto the stack.
3295 If $1 is true, integer, double, a non-empty string, or an array, this
3296 operation raises a warning and pushes null onto the stack.
3298 UnsetPropC [C B] -> []
3299 UnsetPropL <local variable id> [B] -> []
3303 These instructions first load a value into x and a base into y, as given by
3304 the following table:
3307 -------------+----+-----
3308 UnsetPropC | $2 | $1
3309 UnsetPropL | %1 | $1
3311 Next, performs one of the following actions:
3316 y has eligible __unset method
3317 -----+----------------------------------------------------------------------
3320 10X1 | y->__unset(x)
3321 1100 | throw fatal error
3322 1101 | y->__unset(x)
3326 10. Member instructions
3327 -----------------------
3329 Member instructions perform series of operations that are structurally
3330 identical, but each instruction utilizes a distinct set of operations. For each
3331 member instruction, first use a Base* operation depending on the kind of
3332 location code. Next perform a series of intermediate operations depending on
3333 member code to process all but the last member. Finally, perform a final
3334 operation depending on member code to process the last member. See the
3335 instruction-specific tables for details.
3337 The member codes that represent immediate literal data (ET, EI, PT) are
3338 implemented using the corresponding EC or PC intermediate operation: they
3339 behave exactly as though that literal data had been pushed on the stack as a
3340 cell, then consumed by an ElemC* or PropC* operation.
3342 CGetM <loc-desc/M-vector> [C..C] -> [C]
3346 location Base* member intermediate final
3347 descriptor operation code operation operation
3348 -----------+---------- -------+--------------+----------
3349 C | BaseC EC | ElemCW | CGetElemC
3350 R | BaseR PC | PropCW | CGetPropC
3351 L | BaseLW EL | ElemLW | CGetElemL
3352 NC | BaseNCW PL | PropLW | CGetPropL
3353 NL | BaseNLW W | N/A | N/A
3360 VGetM <loc-desc/M-vector> [C..C] -> [V]
3364 location Base* member intermediate final
3365 descriptor operation code operation operation
3366 -----------+---------- -------+--------------+------------
3367 C | BaseC EC | ElemCD | VGetElemC
3368 R | BaseR PC | PropCD | VGetPropC
3369 L | BaseLD EL | ElemLD | VGetElemL
3370 NC | BaseNCD PL | PropLD | VGetPropL
3371 NL | BaseNLD W | NewElem | VGetNewElem
3378 FPassM <param id> <loc-desc/M-vector> [C..C] -> [F]
3380 FPI pass parameter. This instruction behaves as CGetM if parameter %1 is pass
3381 by value, or it behaves like VGetM if parameter %1 is pass by reference. Then
3382 it passes the value produced to the callee.
3384 IssetM <loc-desc/M-vector> [C..C] -> [C:Bool]
3388 location Base* member intermediate final
3389 descriptor operation code operation operation
3390 -----------+---------- -------+--------------+-----------
3391 C | BaseC EC | ElemC | IssetElemC
3392 R | BaseR PC | PropC | IssetPropC
3393 L | BaseL EL | ElemL | IssetElemL
3394 NC | BaseNC PL | PropL | IssetPropL
3395 NL | BaseNL W | N/A | N/A
3402 EmptyM <loc-desc/M-vector> [C..C] -> [C:Bool]
3406 location Base* member intermediate final
3407 descriptor operation code operation operation
3408 -----------+---------- -------+--------------+-----------
3409 C | BaseC EC | ElemC | EmptyElemC
3410 R | BaseR PC | PropC | EmptyPropC
3411 L | BaseL EL | ElemL | EmptyElemL
3412 NC | BaseNC PL | PropL | EmptyPropL
3413 NL | BaseNL W | N/A | N/A
3420 SetM <loc-desc/M-vector> [C..C C] -> [C]
3424 location Base* member intermediate final
3425 descriptor operation code operation operation
3426 -----------+---------- -------+--------------+-----------
3427 C | BaseC EC | ElemCD | SetElemC
3428 R | BaseR PC | PropCD | SetPropC
3429 L | BaseLD EL | ElemLD | SetElemL
3430 NC | BaseNCD PL | PropLD | SetPropL
3431 NL | BaseNLD W | NewElem | SetNewElem
3438 SetWithRefLM <loc-desc/M-vector> <local variable id> [C..C] -> []
3440 Set member preserving the reffiness of the local.
3442 location Base* member intermediate final
3443 descriptor operation code operation operation
3444 -----------+---------- -------+--------------+-----------
3445 C | BaseC EC | ElemCD | SetWithRefElemC
3446 R | BaseR PC | PropCD | SetPropC
3447 L | BaseLD EL | ElemLD | SetWithRefElemL
3448 NC | BaseNCD PL | PropLD | SetPropL
3449 NL | BaseNLD W | NewElem | SetWithRefNewElem
3456 SetWithRefRM <loc-desc/M-vector> [C..C R] -> []
3458 Set member preserving the reffiness of the stack element.
3460 location Base* member intermediate final
3461 descriptor operation code operation operation
3462 -----------+---------- -------+--------------+-----------
3463 C | BaseC EC | ElemCD | SetWithRefElemC
3464 R | BaseR PC | PropCD | SetPropC
3465 L | BaseLD EL | ElemLD | SetWithRefElemL
3466 NC | BaseNCD PL | PropLD | SetPropL
3467 NL | BaseNLD W | NewElem | SetWithRefNewElem
3474 SetOpM <op> <loc-desc/M-vector> [C..C C] -> [C]
3478 location Base* member intermediate final
3479 descriptor operation code operation operation
3480 -----------+---------- -------+--------------+-------------
3481 C | BaseC EC | ElemCWD | SetOpElemC
3482 R | BaseR PC | PropCWD | SetOpPropC
3483 L | BaseLWD EL | ElemLWD | SetOpElemL
3484 NC | BaseNCWD PL | PropLWD | SetOpPropL
3485 NL | BaseNLWD W | NewElem | SetOpNewElem
3492 IncDecM <op> <loc-desc/M-vector> [C..C] -> [C]
3494 Increment/decrement member.
3496 location Base* member intermediate final
3497 descriptor operation code operation operation
3498 -----------+---------- -------+--------------+--------------
3499 C | BaseC EC | ElemCWD | IncDecElemC
3500 R | BaseR PC | PropCWD | IncDecPropC
3501 L | BaseLWD EL | ElemLWD | IncDecElemL
3502 NC | BaseNCWD PL | PropLWD | IncDecPropL
3503 NL | BaseNLWD W | NewElem | IncDecNewElem
3510 BindM <loc-desc/M-vector> [C..C V] -> [V]
3514 location Base* member intermediate final
3515 descriptor operation code operation operation
3516 -----------+---------- -------+--------------+------------
3517 C | BaseC EC | ElemCD | BindElemC
3518 R | BaseR PC | PropCD | BindPropC
3519 L | BaseLD EL | ElemLD | BindElemL
3520 NC | BaseNCD PL | PropLD | BindPropL
3521 NL | BaseNLD W | NewElem | BindNewElem
3528 UnsetM <loc-desc/M-vector> [C..C] -> []
3532 location Base* member intermediate final
3533 descriptor operation code operation operation
3534 -----------+---------- -------+--------------+-----------
3535 C | BaseC EC | ElemCU | UnsetElemC
3536 R | BaseR PC | PropCU | UnsetPropC
3537 L | BaseL EL | ElemLU | UnsetElemL
3538 NC | BaseNC PL | PropLU | UnsetPropL
3539 NL | BaseNL W | N/A | N/A
3547 11. Iterator instructions
3548 -------------------------
3550 IterInit <iterator id> <rel offset> <local id> [C] -> []
3551 IterInitK <iterator id> <rel offset> <local id> <local id> [C] -> []
3552 WIterInit <iterator id> <rel offset> <local id> [C] -> []
3553 WIterInitK <iterator id> <rel offset> <local id> <local id> [C] -> []
3555 Initialize iterator. If $1 is an array, these instructions create an array
3556 iterator, rewind the array iterator to point to the beginning of the array,
3557 and store the array iterator in the iterator variable %1. Then these
3558 instructions check if the iterator is at the end, and if it is, these
3559 instructions free the iterator and transfer control to the location specified
3562 If $1 is an object that is an instance of an extension class that implements
3563 the Traversable interface, these instructions create an extension class
3564 iterator and store it in the iterator variable %1. Then these instructions
3565 check if the iterator is at the end, and if it is these instructions free the
3566 iterator and transfer control the location specified by %2.
3568 If $1 is an object that implements the Iterator interface, these instructions
3569 create an user class iterator, call $1->rewind(), and store the user class
3570 iterator in the iterator variable %1. Then these instructions check if
3571 $1->valid() returns false, and if it does these instructions free the
3572 iterator and transfer control to the location specified by %2.
3574 If $1 is an object that implements the IteratorAggregate interface, these
3575 instructions call $1->getIterator() and inspect the object x that is
3576 returned. If x is an instance of IteratorAggregate, these instructions will
3577 repeatedly execute "x = x->getIterator()" until x is not an object that is an
3578 instance of IteratorAggregate. If x is an object that implements the
3579 Traversable interface, then this instruction will behave according to the
3580 appropriate case described above. Otherwise, these instructions will throw an
3581 exception of type Exception.
3583 If $1 is an object that does not match any of the three cases above, these
3584 instructions create a default class iterator, rewind the default class
3585 iterator to point to the first accessible property, and store the default
3586 class iterator in the iterator variable %1. Then these instructions check if
3587 the iterator is at the end, and if it is these instructions free the iterator
3588 and transfer control the location specified by %2.
3590 If $1 is not an array or an object, these instructions raise a warning and
3591 transfer control to the location specified by %2.
3593 The local ids in %3 (and %4, for the *K variants) represent the locals that
3594 should receive the value (in %3) and key (in %4) for the iteration, in
3595 accordance with the type of iterator initialized in %1.
3597 For the non-W* flavors of these instructions, the locals are stored to with
3598 the same semantics as SetL (non-binding assignment). The W* flavors of these
3599 instructions do a binding assignment to %3 if the rhs was a reference, or if
3600 not they unset the old value of the local and then do a non-binding
3601 assignment. The W* flavors still do a non-binding assignment to %4.
3603 The logical value is computed differently depending on the iterator type that
3604 is initialized in %1:
3606 If the iterator specified by %1 is a non-mutable array iterator or an
3607 extension class iterator, these instructions of the current value in %3.
3609 If the iterator specified by %1 is a user class iterator for object $x,
3610 these instructions store the return value of $x->current() in %3.
3612 If the iterator specified by %1 is a non-mutable default class iterator,
3613 these instructions store a copy of the current property in %3.
3615 For the *K variants, the logical key to be stored in %4 is computed
3616 differently depending on the iterator type initialized in %1:
3618 If the iterator specified by %1 is an array iterator or an extension class
3619 iterator, this instruction stores a copy of the current key in %4.
3621 If the iterator specified by %1 is a user class iterator for object $x,
3622 this instruction stores the return value of $x->key() in %4.
3624 If the iterator specified by %1 is a non-mutable default class iterator,
3625 this instruction stores a copy of the name of the current property in %4.
3627 MIterInit <iterator id> <rel offset> <local id> [V] -> []
3628 MIterInitK <iterator id> <rel offset> <local id> <local id> [V] -> []
3630 Initialize mutable iterator. If $1 is an array, these instructions create a
3631 mutable array iterator, rewind the mutable array iterator to point to the
3632 beginning of the array, and store the mutable array iterator in the iterator
3633 variable %1. Then these instructions check if the iterator is at the end, and
3634 if it is these instructions free the iterator and transfers control the
3635 location specified by %2.
3637 If $1 is an object that is an instance of an extension class that implements
3638 the Traversable interface, these instructions raise a fatal error.
3640 If $1 is an object that implements the Iterator interface, these instructions
3641 throw a fatal error.
3643 If $1 is an object that implements the IteratorAggregate interface, these
3644 instructions throw a fatal error.
3646 If $1 is an object that does not match any of the three cases above, these
3647 instructions create a mutable default class iterator, rewind it to point to
3648 the first accessible property, and store the it in the iterator variable %1.
3649 Then these instructions check if the iterator is at the end, and if it is
3650 these instructions free the iterator and transfer control to the location
3653 If $1 is not an array or an object, these instructions raise a warning and
3654 transfer control to the location specified by %2.
3656 If the iterator specified by %1 is a mutable array iterator, these
3657 instructions store the current value in %3 as a ref.
3659 If the iterator specified by %1 is a mutable default class iterator, these
3660 instructions store the current property in %3 as a ref.
3662 For the MIterInitK version, the following also happens:
3664 If the iterator specified by %1 is an array iterator, this instruction stores
3665 a copy of the current key in %4 as a cell.
3667 If the iterator specified by %1 is a mutable default class iterator, this
3668 instruction stores a copy of the name of the current property in %4 as a
3671 IterNext <iterator id> <rel offset> <local id> [] -> []
3672 IterNextK <iterator id> <rel offset> <local id> <local id> [] -> []
3673 WIterNext <iterator id> <rel offset> <local id> [] -> []
3674 WIterNextK <iterator id> <rel offset> <local id> <local id> [] -> []
3676 Iterator next. If the specified iterator is a non-mutable array iterator or
3677 an extension class iterator, advance the iterator to point to the next
3678 element. If the iterator is not at the end, these instructions transfer
3679 control to the location specified by %2.
3681 If the specified iterator is a user class iterator for object $x, this
3682 instruction executes $x->next(). Then these instructions check if $x->valid()
3683 returns true, and if it does these instructions transfer control to the
3684 location specified by %2.
3686 If the specified iterator is a non-mutable default class iterator, advance
3687 the iterator to point to the next accessible property in the object. If the
3688 iterator is not at the end, these instructions transfer control to the
3689 location specified by %2.
3691 If the specified iterator is at the end, free the iterator variable with an
3692 implicit IterFree, then fall through to the next instruction.
3694 If the specified iterator is not at the end, the local ids in %3 (and %4, for
3695 the *K variants) represent the locals that should receive the value (in
3696 %3) and key (in %4) for the iteration, in accordance with the type of
3697 iterator initialized in %1.
3699 These locals are stored to with the same semantics as SetL (non-binding
3700 assignment), except the W* flavors of these instructions do a "with
3701 reference" assignment (i.e. the local gets a binding assignment if and only
3702 if the value to be assigned is already a reference).
3704 The semantics of how to determine what the key and value are depend on %1 in
3705 an analogous way to {W,}IterInit{K,}.
3707 MIterNext <iterator id> <rel offset> <local id> [] -> []
3708 MIterNextK <iterator id> <rel offset> <local id> <local id> [] -> []
3710 Iterator next. If the specified iterator is a mutable array iterator, advance
3711 the iterator to point to the next element. If the iterator is not at the end,
3712 these instructions transfer control to the location specified by %2.
3714 If the specified iterator is a mutable default class iterator, advance the
3715 iterator to point to the next accessible property in the object. If the
3716 iterator is not at the end, these instructions transfer control to the
3717 location specified by %2.
3719 If the specified iterator is at the end, free the iterator variable with an
3720 implicit MIterFree, then fall through to the next instruction.
3722 If the specified iterator is not at the end, retrieve the key and value:
3724 If the iterator specified by %1 is a mutable array iterator, these
3725 instructions store the new current value in %3 as a ref.
3727 If the iterator specified by %1 is a mutable default class iterator, these
3728 instructions store the new current property in %3 as a ref.
3730 For the MIterNextK version, the following also happens:
3732 If the iterator specified by %1 is an array iterator, this instruction stores
3733 a copy of the new current key in %4 as a cell.
3735 If the iterator specified by %1 is a mutable default class iterator, this
3736 instruction stores a copy of the name of the new current property in %4 as a
3739 IterFree <iterator id> [] -> []
3741 Iterator free. This instruction frees the specified iterator variable.
3742 Typically an iterator gets freed by IterNext, so IterFree is only needed for
3743 guarding against exceptions and implementing break and return control flow
3744 statements inside iterator loops.
3746 MIterFree <iterator id> [] -> []
3748 Mutable iterator free. This instruction frees the specified iterator
3749 variable. Typically an iterator gets freed by MIterNext*, so MIterFree is
3750 only needed for guarding against exceptions and implementing break and return
3751 control flow statements inside iterator loops.
3753 CIterFree <iterator id> [] -> []
3755 Cuf iterator free. This instruction frees the specified iterator variable.
3757 IterBreak <iter-vec> <rel offset> [] -> []
3759 Iterator break. Frees vectors in %1 in left to right order then transfers
3760 control to the location specified by %2. Surprise checks are performed before
3761 iterators are freed so that in the event of an exception iterators are not
3762 double freed. Note that as with normal jumps surprise checks will only be
3763 performed if %2 is negative.
3766 12. Include, eval, and define instructions
3767 ------------------------------------------
3771 Include. Includes the compilation unit containing the file (string)$1. The
3772 instruction eagerly marks all functions and classes that are unconditionally
3773 declared in the outermost scope as defined. Next this instruction calls the
3774 pseudo-main function from the file (string)$1. The pseudo-main function
3775 inherits the caller's variable environment. If the execution engine cannot
3776 find a compilation unit containing the file (string)$1, this instruction
3781 Include once. Include the compilation unit containing the file (string)$1 if
3782 it hasn't been included already. This instruction eagerly marks all functions
3783 and classes that are unconditionally declared in the outermost scope as
3784 defined, and then calls the pseudo-main function from (string)$1 if it hasn't
3785 run already. The pseudo-main function inherits the caller's variable
3786 environment. If the execution engine cannot find a compilation unit
3787 containing the file (string)$1, this instruction raises a warning.
3791 Require. Includes the compilation unit containing the file (string)$1. The
3792 instruction eagerly marks all functions and classes that are unconditionally
3793 declared in the outermost scope as defined. Next this instruction calls the
3794 pseudo-main function from the file (string)$1. The pseudo-main function
3795 inherits the caller's variable environment. If the execution engine cannot
3796 find a compilation unit containing the file (string)$1, this instruction
3797 throws a fatal error.
3801 Require once. Include the compilation unit containing the file (string)$1 if
3802 it hasn't been included already. This instruction eagerly marks all functions
3803 and classes that are unconditionally declared in the outermost scope as
3804 defined, and then calls the pseudo-main function from (string)$1 if it hasn't
3805 run already. The pseudo-main function inherits the caller's variable
3806 environment. If the execution engine cannot find a compilation unit
3807 containing the file (string)$1, this instruction throws a fatal error.
3811 As ReqOnce except the string is always taken to be relative to the document
3812 root (ie SourceRoot).
3816 Eval. Executes the source code in (string)$1. This instruction eagerly marks
3817 all functions and classes that are unconditionally declared in the outermost
3818 scope as defined, and then calls the pseudo-main function from (string)$1.
3819 The pseudo-main function from (string)$1 inherits the caller's variable
3822 DefFunc <function id> [] -> []
3824 Define function. Bind the function specified by %1. If the function specified
3825 by %1 is already bound, this instruction does nothing. If another function is
3826 already bound to the name associated with %1, this instruction throws a fatal
3829 DefCls <class id> [] -> []
3831 Define class. Bind the class specified by %1. If the class specified by %1 is
3832 already bound, this instruction does nothing. If another class is already
3833 bound to the associated name, this instruction throws a fatal error.
3835 NopDefCls <class id> [] -> []
3837 For always-hoistable classes (which are automatically defined when the unit
3838 is loaded). This instruction is used as a marker for the location in a
3839 pseudo-main where a DefCls would've existed, but doesn't need to be. (It is
3840 used as a place to raise errors from if the class fails to define.)
3842 DefCns <litstr id> [C] -> [C]
3844 Define constant. If there is already a global constant named %1, raises a
3845 notice and pushes false. If $1 is an array or an object, raises a notice, and
3846 pushes false. Otherwise defines the constant named %1 to have the value $1,
3849 DefTypeAlias <litstr id> [] -> []
3851 Define type alias. Type aliases are a hhvm extension to PHP that allow
3852 declaring new names for existing types. The unit contains a table of the type
3853 aliases it was compiled with. This instruction looks up the type alias given
3854 by %1 in the table. If there is an existing class or type alias defined with
3855 the same name as %1, this function checks whether it is compatible with the
3856 type alias given by %1, and if it isn't it raises a fatal error.
3859 13. Miscellaneous instructions
3860 ------------------------------
3864 This. This instruction checks the current instance, and if it is null, this
3865 instruction throws a fatal error. Next, this instruction pushes the current
3866 instance onto the stack.
3868 BareThis <notice> [] -> [C:Obj|Null]
3870 This. This instruction pushes the current instance onto the stack. If %1 is
3871 BareThisOp::Notice, and the current instance is null, emits a notice. If %1
3872 is BareThisOp::NeverNull the current value of $this is guaranteed to be
3873 available and can be loaded with no null check.
3877 Check existence of this. This instruction checks the current instance, and if
3878 it is null, throws a fatal error.
3880 InitThisLoc <local variable id> [] -> []
3882 Initialize this local variable. This instruction checks the current instance,
3883 and if it is not null this instruction stores it to the specified local
3884 variable. If the current instance is null, or if this bytecode appears in a
3885 function body that is not a class method, this instruction does nothing.
3887 StaticLoc <local variable id> <litstr id> [] -> [C:Bool]
3889 Static variable. This instruction first checks if the static variable named
3890 %2 has been marked as initialized. If the static variable has been marked as
3891 initialized, this instruction binds the static variable to the local variable
3892 %1 and pushes true. Otherwise, this instruction binds the static variable to
3893 the local variable %1, marks the static variable as initialized, and pushes
3896 StaticLocInit <local variable id> <litstr id> [C] -> []
3898 Static variable with initializer. This instruction first checks if the static
3899 variable named %2 has been marked as initialized. If the static variable has
3900 been marked as initialized, this instruction binds the static variable to the
3901 local variable %1. Otherwise, this instruction binds the static variable to
3902 the local variable, assigns $1 to the local variable, and marks the static
3903 variable as initialized.
3905 The cell in $1 must not be a reference counted type.
3909 Catch. Retrieves the current exception object and pushes it onto the stack.
3910 The exception object must be a subclass of the builtin Exception class. This
3911 instruction may only be used at the beginning of a catch entry point.
3913 ClassExists [C C] -> [C:Bool]
3914 InterfaceExists [C C] -> [C:Bool]
3915 TraitExists [C C] -> [C:Bool]
3917 Check for class/interface/trait existence. If $1 cannot be cast to a bool or
3918 $2 cannot be cast to a string, this instruction will throw a fatal error.
3919 Otherwise, it will check for existence of the entity named by $2, invoking
3920 the autoloader if needed and if $1 is true. The result of the existence check
3921 will be pushed on the stack.
3923 VerifyParamType <parameter id> [] -> []
3925 Verify parameter type. Functions and methods can optionally specify the types
3926 of arguments they will accept. These type constraints are memoized into each
3927 function's FPI structure.
3929 VerifyParamType checks the specified parameter against the enclosing
3930 function's corresponding parameter constraints. In case of a mismatch, a
3931 recoverable error is raised.
3933 VerifyRetTypeC [C] -> [C]
3934 VerifyRetTypeV [V] -> [V]
3936 Verify return type. This instruction pops $1 off of the stack, checks if $1
3937 is compatible with the current function's return type annotation and raises
3938 a warning if there is a mismatch, and then it pushes $1 back onto the stack.
3942 Creates a classref that refers to the class in which the current function is
3943 defined. This instruction throws a fatal error if the current method is
3944 defined outside of a class, otherwise it pushes a classref on the stack.
3948 Creates a classref that refers to the parent of the class in which the
3949 current method is defined. This instruction throws a fatal error if the
3950 current method is defined outside of a class or if the class in which the
3951 current method is defined has no parent, otherwise it pushes a classref on
3954 LateBoundCls [] -> [A]
3956 Late-bound class. Creates a classref that refers to the current late-bound
3957 class and pushes it onto the stack.
3961 Native implementation. This instruction invokes the native implementation
3962 associated with current function and returns the return value to the caller
3963 of the current function.
3965 IncStat <counter id> <value> [] -> []
3967 Increment stat counter. If stats are enabled, this instruction adds <value>
3968 to the counter specified by <counter id>. The meaning of the <counter id>
3969 immediate is implementation defined
3971 AKExists [C C] -> [C:Bool]
3973 Checks if array (object) in $1 contains key (property) in $2 and pushes the
3974 resulting boolean onto the stack. If $2 is null, uses the empty string as
3975 key. Throws a fatal error if $1 is not an array or object, and raises a
3976 warning if $2 is not a string, integer, or null.
3978 CreateCl <num args> <class name> [C|V..C|V] -> [C]
3980 Creates an instance of <class name> and pushes it on the stack.
3982 The class named by %2 must be a subclass of "Closure", must have a single
3983 public method named __invoke, must be defined at the point of the CreateCl
3984 opcode, must be defined in the same unit as the CreateCl opcode, and must
3985 always be tagged as "ClosureHoistable" (see comments near
3986 PreClass---hoistability metadata is currently not covered by this spec).
3988 If there is more than one CreateCl opcode in the unit for the Closure
3989 subclass named by %2, all of the opcodes must be possible to associate with
3990 the same class (or trait), or none if the closure will not inherit a class
3991 context at runtime. This is intended to mean that CreateCl opcodes for a
3992 given closure may only occur in bytecode bodies of functions that are
3993 generated to represent a single user-visible PHP function, async function,
3994 async closure, generator, or generator closure.
3996 Moreover, for normal (non-async, non-generator) functions and methods, there
3997 must be at most a single CreateCl opcode in the unit for a given Closure
3998 subclass contained in the unit.
4002 Checks if object in $3 contains key in $2 and pushes the result onto the
4003 stack if found. Otherwise, $1 is pushed onto the stack. $3 must be an object
4004 that supports array or indexed access (e.g. arrays, collections,
4005 implementations of ArrayAccess).
4007 ArrayIdx [C C C] -> [C]
4009 Checks if array in $3 contains key in $2 and pushes the result onto the stack
4010 if found. Otherwise, $1 is pushed onto the stack. A fatal error will be
4011 thrown if $3 is not an array.
4013 AssertTL <local id> <op> [] -> []
4014 AssertTStk <stack offset> <op> [] -> []
4016 These opcodes may be used to communicate the results of ahead of time static
4017 analysis to the runtime. They indicate that the value in the specified local
4018 or stack offset must be statically known to have a particular type. The sub
4019 opcodes should be used to indicate the type, in an unspecified way.
4021 AssertObjL <local id> <class name> <op> [] -> []
4022 AssertObjStk <stack offset> <class name> <op> [] -> []
4024 These opcodes may be used to communicate the results of ahead of time static
4025 analysis to the runtime.
4027 Depending on the value of %3, they indicate that the value in the specified
4028 local or stack offset must be statically known to be an object of a
4029 particular class or interface type, or an object that is a non-strict subtype
4030 of a particular class or interface type, or either of those cases with
4033 %2 is a litstr id of a class or interface name. %3 has the following
4034 semantics regarding what it asserts about the type of the local or stack
4038 -----------------------+------------------------------------
4039 AssertObjOp::Exact | exactly the type named in %2
4040 AssertObjOp::Sub | non-strict subtype of %2
4041 AssertObjOp::OptExact | null, or exactly the type in %2
4042 AssertObjOp::OptSub | null, or non-strict subtype of %2
4045 PredictTL <local id> <op> [] -> []
4046 PredictTStk <stack offset> <op> [] -> []
4048 These opcodes may be used to provide hints about the types of values at
4049 runtime. Runtime behavior is implementation defined, although incorrect
4050 predictions should not affect program correctness.
4052 BreakTraceHint [] -> []
4054 This opcode has no effects, but is a hint that code immediately following it
4055 is probably not worth including in the same compilation unit as the code in
4056 front of it. In HHVM, this is used to tell the JIT to break a Tracelet when
4057 it sees this opcode.
4059 14. Continuation creation and execution
4060 ---------------------------------------
4062 CreateCont <rel offset> [] -> [C]
4064 Creates a Continuation object and pushes it on the stack. The Continuation
4065 will capture all local variables in the current function, and marks them
4066 uninitialized on the current frame. The continuation will also store
4067 resume offset specified by %1.
4071 This instruction may only appear in non-static methods of the Continuation
4072 class. It transfers control flow to the saved resume offset of a function
4073 associated with $this Continuation object. The $1 will remain available
4074 on the stack after the control is transferred.
4076 ContRaise [C:Obj] -> []
4078 This instruction may only appear in non-static methods of the Continuation
4079 class. It transfers control flow to the saved resume offset of a function
4080 associated with $this Continuation object. The Exception stored at $1 is
4081 raised instead of invoking code at the resume offset.
4083 ContSuspend [C] -> [C]
4085 This instruction may only appear in bodies of continuations and async
4086 functions. Stores $1 in the continuation as the result of the current
4087 iteration, sets resume offset at the next opcode and suspends execution
4088 by transferring control flow back to the ContEnter or ContRaise. Once
4089 the execution is resumed, the value sent by ContEnter becomes available
4090 on the stack, or an exception sent by ContRaise is thrown.
4092 ContSuspendK [C C] -> []
4094 This instruction may only appear in bodies of continuations. Stores $1
4095 in the continuation as the result and $2 as the key of the current
4096 iteration, sets resume offset at the next opcode and suspends execution
4097 by transferring control flow back to the ContEnter or ContRaise. Once
4098 the execution is resumed, the value sent by ContEnter becomes available
4099 on the stack, or an exception sent by ContRaise is thrown.
4103 This instruction may only appear in bodies of continuations and async
4104 functions. Stores $1 in the continuation as the result of the execution,
4105 marks the continuation as finished and returns by transferring control flow
4106 back to the ContEnter or ContRaise. Further attempts to iterate the
4107 Continuation will fail.
4109 ContCheck <check started> [] -> []
4111 Check whether continuation can be iterated. $this must be a Continuation
4112 object. If the continuation is finished, already running, or not yet started
4113 and <check started> is enabled, an exception will be thrown.
4115 ContValid [] -> [C:Bool]
4117 Check continuation validity. $this must be a Continuation object. Pushes true
4118 onto the stack if the continuation can be iterated further, false otherwise.
4122 Get continuation key. $this must be a Continuation object. Pushes the most
4123 recently yielded key from the continuation onto the stack.
4125 ContCurrent [] -> [C]
4127 Get continuation value. $this must be a Continuation object. Pushes the most
4128 recently yielded value from the continuation onto the stack.
4130 ContStopped [] -> []
4132 Mark continuation as stopped. $this must be a Continuation object.
4134 ContHandle [C] -> []
4136 Handle exception from continuation body. $this must be a Continuation object.
4137 Marks the continuation as no longer running and finished and rethrows the
4138 exception on the top of the stack.
4143 AsyncAwait [C] -> [C C:Bool]
4145 Perform an await operation on a wait handle. If $1 is not a subclass of
4146 WaitHandle, raises a fatal error. If $1 is not finished, this instruction
4147 pushes $1, and pushes False. Otherwise, if $1 succeeded, this instruction
4148 pushes the result value from the WaitHandle, and then pushes true. If $1
4149 failed, this instruction throws the exception from the WaitHandle.
4151 AsyncESuspend <rel offset> <number of iterators> [C:Obj] -> [C:Obj]
4153 Suspends an eagerly executed async function into an AsyncFunctionWaitHandle
4154 object. The AsyncFunctionWaitHandle object will capture all local variables
4155 and the first %2 iterators in the current eagerly executed async function,
4156 and mark them uninitialized on the current frame. The object will store
4157 a reference to the associated resumable async function and a resume offset
4158 %1 to be used to resume the execution once the WaitHandle object given
4161 If $1 is not a WaitHandle, or is a WaitHandle that is already finished, the
4162 behavior is undefined. This opcode must only occur in the eagerly executed
4163 part of the async function. The value this opcode pushes on the stack must
4164 be passed to a RetC opcode.
4166 AsyncResume [] -> []
4168 No operation. Used to teach hhbbc that an exception may be thrown right after
4169 unreachable ContSuspend. Must appear as the target of AsyncESuspend opcode.
4171 AsyncWrapResult [C] -> [C:Obj]
4173 Wraps $1 into a StaticResultWaitHandle object.
4176 Basic statement transformations
4177 -------------------------------
4179 To achieve HHBC's goal of making it straightforward for an interpreter or a
4180 compiler to determine order of execution, control flow statements are
4181 transformed to use the simpler constructs. Most control flow statements such as
4182 "if", "while", and "for" are implemented in a straightforward manner using the
4185 HHBC provides the Switch instruction for implementing very simple switch
4186 statements; most real switch statements are implemented naively using the Eq
4187 and JmpNZ instructions. Also, the functionality of both the echo statement and
4188 the print statement is implemented with the Print instruction.
4190 Foreach statements are implemented using iterator variables and the Iter* and
4191 MIter* instructions. Each foreach loop must be protected by a fault funclet to
4192 ensure that the iterator variable is freed when a foreach loop exits abnormally
4193 through an exception.
4195 Simple break statements and continue statements are implemented using the Jmp*,
4196 IterFree, MIterFree and CIterFree instructions. Dynamic break is implemented
4197 using an unnamed local (to store the 'break count') and a chain of basic
4198 blocks, where each block decrements the unnamed local variable and compares it
4199 with 0, and then decides where to jump next.
4202 Basic expression transformations
4203 --------------------------------
4205 To reduce the size of the instruction set, certain types of expressions are
4208 1) Unary plus and negation
4209 Unary plus and negation "+(<expression>)" gets converted to "(0 +
4210 (<expression>))", and "-(<expression>)" gets converted to "(0 -
4213 2) Assignment-by operators (+=, -=, etc)
4214 Assignment-by operators are converted to use the SetOp* instructions.
4216 3) List assignment (list)
4217 List assignments are converted to use an unnamed local variable and the SetM
4218 and VGet* instructions. If the function contains any catch funclets, then list
4219 assignment requires a fault funclet as well.
4221 4) Logical and and logical or operators (and/&&, or/||)
4222 If any of the operands side-effect, these operators are implemented using Jmp*
4223 instructions instead of using the "and" and "or" instructions to implement
4224 short-circuit semantics correctly. All Jmp* instructions used to implement
4225 "and" and "or" operators will be forward jumps.
4227 5) The new expression
4228 The new expression is implemented by using the FPushCtor*, FPass*, and FCall
4231 6) The ternary operator (?:)
4232 The functionality of the ternary operator is implemented using Jmp*
4233 instructions. All Jmp* instructions used to implement the ternary operator will
4236 7) Silence operator (@)
4237 The silence operator is implemented by using various instructions (including
4238 the Jmp* instructions), unnamed local variables, and a fault funclet. All Jmp*
4239 instructions used to implement the silence operator will be forward jumps.
4241 8) The $this expression
4242 The $this expression has different effects depending on whether or not $this is
4243 the direct base of a property expression (such as "$this->x") or a method call
4244 expression (such as "$this->foo()"). When the $this expression is the direct
4245 base of a property expression or a method call expression, the This instruction
4248 A bare $this expression within an instance method is handled one of two ways:
4249 general or BareThis-optimized (optional). The general solution accesses a local
4250 variable named "this", which is initialized at the beginning of the method
4251 using the InitThisLoc instruction. The BareThis optimization applies to bare
4252 $this access as long as $this is not passed by reference and there are no
4253 dynamic method variables. In such cases, the BareThis instruction can be used
4254 to directly access $this, and the InitThisLoc instruction is not needed.
4257 Warning and errors at parse time
4258 --------------------------------
4260 Certain syntactically correct source code may cause warnings or errors to be
4261 raised when the source file is parsed. Examples of this include using "$this"
4262 on the left hand side of the assignment, using "$this" with binding assignment,
4263 using "$a[]" in an r-value context, and doing "unset($a[])". HHBC handles these
4264 cases by generating Raise or Fatal instructions at the beginning of the body
4265 for the pseudo-main function.
4271 At the time of this writing, the HipHop bytecode specification is missing the
4274 1) Description of traits
4275 2) Description of metadata for class statements, trait statements, and method
4277 3) Description and examples for the yield generator feature
4278 4) Description of the late static binding feature
4279 5) Description of the resource type
4280 6) Definitions of operators (ex. +, -, !) and other helper functions (ex.
4281 is_null, get_class, strlen)
4282 7) High level description of how namespaces are dealt with and any relevant
4284 8) Description of async function implementation
4287 /* Local Variables: */
4288 /* fill-column: 79 */