1 **********************************
2 * HipHop Bytecode v1 revision 18 *
3 **********************************
9 HipHop bytecode (HHBC) v1 is intended to serve as the conceptual basis for
10 encoding the semantic meaning of HipHop source code into a format that is
11 appropriate for consumption by interpreters and just-in-time compilers. By
12 using simpler constructs to encode more complex expressions and statements,
13 HHBC makes it straightforward for an interpreter or a compiler to determine
14 the order of execution for a program.
16 HHBC was designed with several competing goals in mind:
18 1) Run-time efficiency. The design of HHBC should be congruous to implementing
19 an efficient execution engine, whether it be an interpreter or a just-in-time
22 2) PHP 5.5 compatibility. It should be possible to compile valid PHP 5.5 source
23 code into HipHop bytecode in a way that preserves the semantic meaning of the
26 3) Simplicity. The design of HHBC should avoid features that could be removed
27 or simplified without compromising PHP 5.5 compatibility, run-time efficiency,
28 or design cleanliness.
34 Each HipHop source file is compiled into a separate "compilation unit", or
35 "unit" for short. Units are composed of bytecode and metadata.
37 A unit's bytecode is an array of bytes encoding a sequence of HHBC
38 instructions, where each instruction is encoded using one or more bytes. This
39 specification defines an instruction set and defines the behavior of each HHBC
40 instruction, but the exact byte values used to encode HHBC instructions is
41 currently unspecified.
43 A unit's metadata is a set of structures that provide essential information
44 that is needed at run time by the execution engine. This specification will
45 describe a unit's metadata as a set of named tables with ordered rows, but the
46 exact format of the metadata is currently unspecified.
48 Each instruction in a unit's bytecode can be referred to using a "bytecode
49 offset", which is the distance in bytes from the first byte of a unit's
50 bytecode to the first byte of the instruction.
52 A unit's bytecode is partitioned into sections called "functions". The unit's
53 metadata uses bytecode offsets to specify which instructions belong to which
56 When a unit is loaded at run time, the execution engine assigns the unit's
57 bytecode a logical range of addresses called "bytecode addresses". An
58 instruction is referred to at run time using its bytecode address.
64 HipHop bytecode models the flow of execution using a stack of frames referred
65 to as the "call stack". A "frame" is a structure that logically consists of a
66 header, a program counter (PC), a local variable store, an iterator variable
67 store, an evaluation stack, and a function parameter info (FPI) stack.
69 The frame at the top of the call stack is referred to as the "current frame".
70 The current frame represents the function that is currently executing. The
71 program counter (PC) of the current frame is referred to as the "current PC".
72 At any given time, the current PC holds the bytecode address of the current
73 instruction to execute. When the execution engine executes an instruction, the
74 current PC is updated to point to the next instruction. By default, the current
75 PC is updated to point to the byte that sequentially follows the last byte of
76 the current instruction in the bytecode. Some instructions override the default
77 behavior and explicitly update the current PC in a specific way.
79 HHBC provides special instructions to allow for calling a function and
80 returning from a function. When a function is called, a new frame is pushed
81 onto the call stack, and the PC of the new frame is initialized to the
82 appropriate entry point (typically the instruction of the function that is
83 sequentially first in the bytecode). The new frame becomes the current frame,
84 and the PC of the new frame becomes the current PC. When a function returns,
85 the current frame is popped off the call stack. The previous frame becomes the
86 current frame, and its PC becomes the current PC. The facility provided by the
87 execution engine that is responsible for handling function calls and returns is
88 called the "dispatcher".
90 Typically, a frame is removed from the call stack when its corresponding
91 function returns. However, a frame may be removed from the call stack before
92 its corresponding function returns in the course of processing an exception.
93 The facility provided by the execution engine that is responsible for
94 processing exceptions is called the "unwinder".
100 HHBC instructions may push and pop values on the current frame's evaluation
101 stack and they may read and write values to the current frame's local
102 variables. Values come in three flavors: cells, refs, and classrefs.
104 A "cell" is a structure that contains a type identifier and either data (for
105 non-refcounted types) or a pointer to data (for refcounted types). When a cell
106 containing a pointer is duplicated, the new cell will point to the same data as
107 the original cell. When a cell containing a pointer is duplicated or discarded,
108 the execution engine is responsible for honoring the data's refcount logic.
110 A "ref" is a structure that contains a pointer to a cell container. When a ref
111 is duplicated, the new ref will point to the same container as the original
112 ref. When a ref is duplicated or destroyed, the execution engine is responsible
113 for honoring the container's refcount logic. When the container is destroyed,
114 the cell it contains is also destroyed.
116 A "classref" is a structure that contains a reference to a class. When a
117 classref is pushed onto the stack or popped of the stack, no refcounting is
120 Values on the evaluation stack may be any of the three flavors listed above.
121 Values stored in local variables may only be cells or refs.
127 A unit's bytecode is organized into functions. Each function has its own
128 metadata that provides essential information about the function, such as the
129 name of the function, how many local variables it has, how many iterator
130 variables it has, how many formal parameters it has, the names of the local
131 variables, the names of the formal parameters, how each parameter should be
132 passed (pass by value vs. pass by reference), whether each parameter has a
133 default value, and an upper bound for the maximum depth the evaluation stack
134 can reach at run time.
136 Each local variable and iterator variable has an id, and HHBC instructions can
137 reference these variables using these ids. The id space for local variables is
138 distinct from the id space for iterator variables. Thus local id 1 refers to a
139 different variable than iterator id 1. Local variable ids and iterator ids are
140 signed 32-bit integer values. No function may have more than 2^31 - 1 local
141 variables, and no function may have more than 2^31 - 1 iterator variables.
143 Some local variables have names associated with them (called "named local
144 variables"), while other local variables do not have names associated with them
145 (called "unnamed local variables"). All local variables that reference formally
146 declared parameters have names associated with them. Iterator variables do not
147 have names associated with them. Variables that have a name associated with
148 them will appear in the current variable environment (if they are defined),
149 while variables that do not have a name associated with them will never appear
150 in the current variable environment.
152 Formally declared parameters are considered to be local variables. Given a
153 function with n formally declared parameters, local ids 0 through n-1 will be
154 used to reference the formally declared parameters. Formal parameters without
155 default values are called "required parameters", while formal parameters with
156 default values are called "optional parameters".
158 The bytecode for each function is partitioned into a primary function body and
159 0 or more fault funclets. The metadata for each function specifies how many
160 fault funclets the function has. For the primary function body, the metadata
161 specifies a set of non-overlapping ranges of bytecode that compose the primary
162 function body, and it specifies the main entry point and 0 or more DV entry
163 points (entry points are discussed in more detail in the "Entry points"
164 section). For each fault funclet, the metadata specifies a set of non-
165 overlapping ranges of bytecode that compose the fault funclet body, and it
166 specifies an entry point for the fault funclet. The primary function body and
167 the fault funclets may not overlap with each other, and the union of the
168 primary function body and the fault funclets must cover all of the function's
169 bytecode. Fault funclets are discussed in more detail in the "Exception handler
170 (EH) table" and "Processing exceptions" sections.
172 The total size of the bytecode for the primary function body and all the fault
173 funclets must not exceed 2^31 - 1 bytes. The bytecode for a function must be
174 one contiguous range of bytecode.
176 Each function's metadata provides a "line number table" to allow mapping
177 bytecode offsets back to source line numbers. Each row in the line number table
178 consists of a source line number and a range of bytecode. The table is sorted
179 by starting bytecode offset, lowest offset first. The bytecode offset of the
180 beginning of each instruction in the function must belong to exactly one of the
181 ranges of bytecode in the line number table.
187 Functions may be grouped into metadata for classes. Class metadata objects are
188 used to describe several PHP-level language features including traits,
189 interfaces, closures, and (of course) classes.
191 Class metadata includes information about the properties on the class, special
192 functions on the class such as constructors or internal property initialization
193 routines (86sinit, 86pinit), class constants, list of used traits, list of
194 extended classes, list of implemented interfaces, etc.
196 Classes also include a flag indicating their "hoistability". For now this isn't
197 documented much here. See class.h.
203 Closures are implemented in hhbc as subclassses of Closure, in conjunction with
204 the CreateCl opcode. It is legal hhbc to create other subclasses of Closure (to
205 represent user code that attempts to do the same), but attempting to
206 instantiate one will result in a fatal error. The documentation of the CreateCl
207 opcode below lists the requirements for a closure subclass to be usable with
214 The basic compilation strategy for generators is to create bytecode functions
215 consisting of two parts.
217 The first part, executed when the generator function is called, must consist
218 of a CreateCont, which is responsible for suspending execution state into a new
219 Generator object (includes resume offset pointing to the start of the second
220 part of the function) and returning it back to the caller.
222 The second part is where the real user-level code of the generator should be
223 placed. ContEnter and ContRaise opcodes used in Generator's next(), send()
224 and raise() methods resume execution and transfer control to the resume offset
225 stored in the Generator object. The user-level code yields values using
226 Yield and YieldK opcodes and returns using RetC opcode.
232 Async functions are special type of functions representing asynchronous
233 execution. They can suspend while waiting for other asynchronous operations to
234 finish. This is achieved using Await opcode, which suspends execution into
235 an AsyncFunctionWaitHandle object. Once the given dependency is finished,
236 the scheduler resumes async function at the next opcode.
238 The async function body can be executed in 2 different modes. If the execution
239 was never suspended, we are in "eager execution" mode. The code executed after
240 the resume is executed in "resumed execution" mode.
242 The "eager execution" can end in 3 different ways. If a RetC opcode is reached,
243 the result is wrapped into a succeeded StaticWaitHandle and returned to the
244 caller. If an exception is thrown, it is wrapped into a failed StaticWaitHandle
245 and returned to the caller. Otherwise, if an Await opcode was reached and the
246 provided child WaitHandle has not finished, the current execution state is
247 suspended into an AsyncFunctionWaitHandle object and retured to the caller.
248 This mechanism allows fast execution if no blocking asynchronous operation was
251 The "resumed execution" mode is always entered from the scheduler. In this mode,
252 the async function either gets blocked on another dependency, or gets finished.
253 The scheduler is notified of these events using Await and RetC opcodes (or via
254 the unwinder if an exception was thrown) and the control is given back.
256 The async function implementation is still changing and the implementation may
257 change significantly, so this spec is staying light on details for now.
263 Entry points come in four varieties: the main entry point, DV entry points,
264 fault entry points, and catch entry points.
266 Every function has exactly one main entry point. When a function is called, the
267 dispatcher will set the PC of the new frame to point to the main entry point if
268 either (1) the function does not have any optional parameters or (2) the caller
269 provides values for all of the optional parameters.
271 DV entry points are normally used to handle initializing optional parameters
272 that the caller did not provide. Generally the DV entries contain blocks that
273 initialize parameters, and then fall through directly into one another, with
274 the last block ending with a jump to the main entry point. This is not a
275 requirement, however. The dispatcher selects the appropriate DV entry point
276 based on the number of arguments passed into the function.
278 The main entry point and DV entry points are used by the dispatcher when
279 handling a function call. Each function's metadata provides an "entry point
280 table". Each row in the entry point table consists of a number of arguments and
281 the bytecode offset of the entry point that should be used by the dispatcher
282 (either the main entry point or a DV entry point).
284 Fault entry points are used by the unwinder to enter fault funclets as
285 appropriate to perform necessary cleanup when a region of code exits abnormally
286 through an exception. For a function with N fault funclets there are exactly N
287 fault entry points (one fault entry point per fault funclet). The bytecode
288 offset of a fault entry point must be inside its corresponding fault funclet.
290 Catch entry points are used by the unwinder to resume normal execution once a
291 matching "catch" block has been found and all the necessary cleanup has been
294 More details about the unwinder, fault funclets, fault entry points, catch
295 entry points can be found in the "Exception handler (EH) table" and "Processing
296 exceptions" sections.
302 Every compilation unit has a litstr table, a scalar array table, a function
303 table, and a class table.
305 The litstr table maps litstr ids to literal strings. Bytecodes that refer to
306 literal strings do so by litstr id. Litstr ids are signed 32-bit integer
307 values, which must be between 0 and 2^31 - 2 inclusive. In addition to the
308 per-unit litstr tables, a global table is built when generating an
309 "authoritative" repo (one in which all the PHP code is known at bytecode
310 generation time, and is guaranteed not to change). Global litstr ids can be
311 used in any unit, and are encoded in the range [2^30..2^31-2].
313 The scalar array table maps scalar array ids to a description of the contents
314 of a scalar array. An array is a scalar array if and only if each element of
315 the array is a null, boolean, integer, double, string, or a scalar array.
316 Furthermore, each element of a scalar array must be a cell. Finally, scalar
317 arrays may not recurse infinitely. Each scalar array id must be between 0 and
320 Each row in the function table contains a unique function id, a function name
321 specified by a litstr id, the bytecode offset for the corresponding function, a
322 flag that indicates if the function is unconditionally declared in the
323 outermost scope, and the function metadata. Note that there may be multiple
324 rows in the function table with same function name. However, there may not be
325 multiple rows that are marked as being unconditionally declared in the
326 outermost scope with the same function name. Each function id must be between 0
327 and 2^31 - 2 inclusive.
329 Each row in the class table contains a unique class id, a class name specified
330 by a litstr id, a flag that indicates if the class declaration is hoisted to
331 the prelude of pseudo-main, and the class metadata. Note that there may be
332 multiple rows in the class table with same class name. However, there may not
333 be multiple rows that are marked as being hoisted with the same class name.
334 Each class id must be between 0 and 2^31 - 2 inclusive.
337 Function parameter info (FPI) structures and the FPI stack
338 ----------------------------------------------------------
340 Every function has a function parameter info (FPI) structure associated with it
341 that can be retrieved at run time. The FPI structure contains the bytecode
342 address of the function, the number of parameters the function has, and a
343 parameter table that indicates whether each parameter is pass by value or pass
346 In addition to the evaluation stack, each frame also contains another stack
347 called the FPI stack. Each entry on the FPI stack consists of a reference to an
348 FPI structure and a bytecode address of entry point into the corresponding
349 function. The entry on the top of the FPI stack is called the "current FPI".
351 The FPush* instructions push a new entry onto the FPI stack, initializing the
352 entry with a reference to the FPI structure for a given function and the
353 bytecode address of the appropriate entry point. The FPass* instructions
354 prepare the parameters that will be passed into the callee. The FCall*
355 instructions look at the current FPI to get the bytecode address of the
356 function (the callee), transfers the parameters from the evaluation stack to
357 the callee, pops the current FPI off of the FPI stack, and then invokes the
358 dispatcher to call the function.
360 Calls to builtin functions may be optimized to avoid pushing an entry on the
361 FPI stack if it is known that the builtin function does not need access to the
362 call stack. In this case, the arguments to the builtin are pushed on stack as
363 Cells and Vars, and the builtin can be invoked with the FCallBuiltin
364 instruction. Unless otherwise noted, subsequent references to FCall*
365 instructions should be meant to refer to non-optimized FCall instructions, i.e.
366 all FCall instructions other than FCallBuiltin.
372 The caller may pass any number of parameters to the callee by executing FPass*
373 instructions zero or more times prior to executing an FCall* instruction. The
374 caller must pass the parameters in forward order, i.e. the first use of FPass*
375 passes the first parameter, the second use of FPass* passes the second
376 parameter, and so forth.
378 The FPush*/FPass*/FCall* instructions can be used to call a global function, a
379 method on an object, or a method from a class. The caller is responsible for
380 evaluating all of the parameters in forward order. When the caller executes an
381 FCall* instruction, the dispatcher creates a new frame and moves the parameters
382 prepared by the caller into the callee's variable environment. The dispatcher
383 then transfers control to the appropriate entry point of the callee (either the
384 main entry point or a DV entry point) based on the number of parameters passed.
386 When the callee executes the Ret* instruction, the dispatcher pushes the return
387 value onto the caller's evaluation stack. Then the dispatcher destroys the
388 callee's frame and transfers control back to the caller.
391 Exception handler (EH) table
392 ----------------------------
394 The metadata for each function provides an "exception handler (EH) table".
395 Each row in the EH table (called an "EH entry") consists of a kind ("fault" or
396 "catch"), a non-negative integer "region depth", a set of non-overlapping
397 ranges of bytecode that compose the "protected region", and an offset of a
398 fault funclet (if it's a "fault" EH entry) or a list of [class name, catch
399 entry point] pairs (if it's a "catch" EH entry).
401 Each range of bytecode is given by a starting offset and an ending offset,
402 where the starting offset is the bytecode offset of the first byte of the first
403 instruction in the range and the ending offset is the bytecode offset after the
404 last byte of the last instruction in the range.
406 Note that two or more EH entries may refer to the same fault funclet or the
407 same catch entry points. Regardless of whether multiple EH entries share the
408 same fault funclet or the same catch entry points, each EH entry in the EH
409 table will be considered to declare a distinct "protected region".
411 The EH entries in each EH table must honor the following rules:
413 1) If an EH entry covers one or more bytes of the primary function body, then
414 it may not cover any bytes in any fault funclets. If an EH entry covers one or
415 more bytes of a fault funclet, then it may not cover any bytes in the primary
416 function body or in other fault funclets.
418 2) If a catch EH entry covers one or more bytes of the primary function body,
419 then its catch entry points must point to instructions in the primary function
420 body. If a catch EH entry covers one or more bytes of a fault funclet F, then
421 its catch entry points must point to instructions in fault funclet F.
423 3) For each EH entry with a region depth of D and a protected region P, for all
424 other protected regions Q that overlap with P, one of the following must be
425 true: (i) Q has a region depth that is greater than D and P is a superset of
426 (or equal to) Q; or (ii) Q has a region depth that is less than D and P is a
427 subset of (or equal to) Q.
429 4) For each EH entry with a region depth of D and a protected region P, for
430 each integer I where 0 <= I < D there must be exactly one protected region Q in
431 the EH table where Q's region depth equals I and P overlaps with Q.
434 Processing exceptions
435 ---------------------
437 The unwinder maintains a stack of exception infos called the "exception stack".
438 An "exception info" is a record that contains an exception object, a reference
439 to a frame on the call stack, a program counter (PC), and a non-negative
440 integer "region depth". When a thread of execution first begins, the exception
441 stack is initially empty.
443 HHBC allows programs to throw exceptions via the Throw instruction. When a
444 Throw instruction executes, it pushes a new exception info to the top of the
445 exception stack that contains the thrown exception object, a reference to the
446 frame that threw the exception, the PC at the time the exception was thrown,
447 and a region depth of D where D equals the number of protected regions in the
448 current frame's EH table that cover PC. Then it transfers control to the
449 unwinder which starts processing the exception info at the top of the exception
450 stack by following the steps given at the end of this section starting with
451 step 1 until control is transferred elsewhere.
453 HHBC also provides an Unwind instruction to allow a fault funclet to return
454 control back to the unwinder when it has finished its work. When the Unwind
455 instruction executes, it transfers control to the unwinder and the unwinder
456 resumes processing the exception info at the top of the exception stack by
457 following the steps below starting at step 1 until control is transferred
460 Here are the steps that the unwinder follows to process the exception info at
461 the top of the stack (called the "current exception info"):
463 Step 1) Consult the EH table of the current exception info's function. Check if
464 there are any EH entries that cover the current exception info's PC and
465 have a region depth that is less than the current exception info's
466 region depth. If one or more matching EH entries are found, choose the
467 EH entry with the greatest region depth and continue on to step 2. If
468 no matching EH entries are found go to step 5.
470 Step 2) Let E be the EH entry found in step 1, and let D be the region depth of
471 E. Set the current exception info's region depth to D (overwriting the
472 previous value). Continue on to step 3.
474 Step 3) If E is a fault EH entry, transfer control to E's fault funclet's entry
475 point; eventually control will be transferred back to the unwinder,
476 either via the Unwind instruction or via another exception being thrown
477 with the Throw instruction. Otherwise continue on to step 4.
479 Step 4) E is a catch EH entry. Consult E's list of [class name, catch entry
480 point] pairs. Check if there are any pairs in the list where the
481 exception's type is compatible with the pair's class name. If one or
482 more matching pairs are found, choose the one that occurs first in E's
483 list and transfer control to that pair's catch entry point; the catch
484 entry point begins with a Catch instruction which will take care of
485 popping the current exception info off of the exception stack. If no
486 matching pair is found, go to step 1.
488 Step 5) Check if the current exception info's PC is in a fault funclet. If it's
489 not, continue to step 6. If it is, read the exception X from the
490 current exception info and then pop the current exception info off of
491 the exception stack. Then, read the new current exception info's
492 exception Y, update exception X so that it's "previous" property chains
493 to exception Y, and then update the new current exception info to point
494 to exception X instead of exception Y. Then go to step 1.
496 Step 6) The current exception info's PC is in the primary function body. Pop
497 the current frame off of the call stack and then check if the call
498 stack is empty. If the call stack is empty, read the current exception
499 info's exception X, clear the exception stack, and transfer control to
500 the unhandled exception facility passing along exception X. If the call
501 stack is not empty continue to step 7.
503 Step 7) Update the current exception info to refer to the new current frame at
504 the top of the call stack, and set the current exception info's PC to
505 point to the FCall* instruction which immediately precedes the PC of
506 the current frame. Next, set the current exception info's region depth
507 to D, where D equals the number of protected regions in the current
508 frame's EH table that cover the current exception info's PC. Then go to
515 As object properties are accessed during execution, the execution engine is
516 responsible for following certain rules to honor each property's accessibility
519 The accessibility and visibility of a property in a given class is determined
520 by that class's definition and the definitions of all of that class's
521 ancestors. When a property is declared in a class definition (a "declared
522 property") it may be specified as being "public", "protected", or "private".
523 Accessibility and visibility are two related but distinct concepts. Depending
524 on the current context, a property may be visible and accessible, visible but
525 inaccessible, or invisible and inaccessible.
527 If a property P is declared with the "public" qualifier in the definition of
528 class C, for instances of class C and descendent classes the property P will be
529 visible and accessible in all contexts. If C has an ancestor that declares a
530 public property with the same name as P, C is said to "redeclare" property P,
531 and the declaration of P in class C is considered to refer to the same property
532 as the declaration in the ancestor class.
534 If a property P is declared as "protected" in the definition of class C, for
535 instances of class C the property P will be visible in all contexts, but only
536 accessible in the context of class C, an ancestor class, or descendent class.
537 When class C is loaded at run time, a semantic check must be performed to
538 ensure that all ancestor classes of C do not declare a property as "public"
539 with the same name as P. If C has an ancestor that declares a public property
540 with the same name as P, the execution engine must throw a fatal error when
541 class C is loaded. If C has an ancestor that declares a protected property with
542 the same name as P, C is said to "redeclare" property P, and the declaration of
543 P in class C is considered to refer to the same property as the declaration in
544 the ancestor class. Note that there may exist a class D that is a descendent of
545 C and declares a property as "public" with the same name as P. In such cases
546 the new "public" declaration in D is considered to refer to the same property
547 as the original "protected" declaration in C, and the "protected" qualifier
548 from the original declaration is effectively overridden by the "public"
549 qualifier from the new declaration. Class D is said to "redeclare" property P
550 with the "public" qualifier. Thus, for instances of class D and descendent
551 classes of D, property P will be visible and accessible in all contexts.
552 Finally, if a class E that is descendent of C does not redeclare P as public
553 and does not have an ancestor class that redeclares P as public, for instances
554 of class E the property P will be visible in all contexts, but only accessible
555 in the context of class E, an ancestor class of E, or a descendent class of E.
557 If a property P is declared with the "private" qualifier in the definition of
558 class C, for instances of class C the property P will be visible in all
559 contexts, but only accessible in the context of class C. For instances of
560 descendent classes of C, the property P will be visible and accessible in the
561 context of the class C, and in all other contexts property P will be invisible
562 and inaccessible. When class C is loaded at run time, a semantic check must be
563 performed to ensure that all ancestor classes of C do not declare a property as
564 "public" or "protected" with the same as P. If C has an ancestor that declares
565 a public or protected property with the same name as P, the execution engine
566 must throw a fatal error when class C is loaded. Note that descendent classes
567 of C may declare another property with the same name as P. The declaration of
568 property P as "private" in class C is considered to define a separate property
569 that is distinct from all other properties of the same name declared in
570 ancestor classes and descendent classes of C.
572 An instruction that accesses a property specifies the property by a name N via
573 a litstr id, a local variable id, or a cell consumed from the evaluation stack.
574 As noted above, it is possible for a class to have multiple distinct properties
575 named N. In cases where there are multiple distinct properties named N, the
576 visibility rules are used to determine which property is retrieved. If there is
577 a visible private property P named N, then property P is retrieved. Otherwise,
578 if there is a visible non-private property Q named N, then property Q is
579 retrieved. If there is no visible property named N, the behavior is determined
580 by the specific instruction. The semantic checks and the visibility rules
581 ensure that for any context there cannot be more than one visible private
582 property, and there cannot be more than one visible non-private property.
584 Some instructions can create a new property at run time with a name that is
585 different than the names of all declared properties that are visible in the
586 current context. Such properties are called "non-declared properties" or
587 "dynamic properties". Dynamic properties are considered to be visible and
588 accessible in all contexts.
590 If a declared property is unset, and then re-accessed/re-created, then it is
591 treated the same way as an invisible property with the same attributes as the
592 original declared property. Specifically, if the property gets created again,
593 it must have the same access attributes as the original declared property.
596 Magic property access methods
597 -----------------------------
599 Instructions that access properties may in some cases invoke a magic property
600 access method (__get, __set, __isset, or __unset) if an object implements the
601 method and the method is considered eligible for invocation. A magic property
602 access method is considered "eligible" for a given object if there is not a
603 frame on the call stack that corresponds to an invocation of the same method on
607 Static property access
608 ----------------------
610 As a class's static properties are accessed during execution, the execution
611 engine is responsible for following certain rules to honor each static
612 property's accessibility and visibility.
614 The accessibility and visibility of a static property in a given class is
615 determined by that class's definition and the definitions of all of that
616 class's ancestors. When a static property is declared in a class definition it
617 may be specified as being "public", "protected", or "private". Depending on the
618 current context, a static property may be visible and accessible, visible but
619 inaccessible, or invisible and inaccessible.
621 Conceptually, each class has a "static store" associated with it at run time
622 that provides storage for the static properties declared in the class's
623 definition. Static properties are accessed at run time by name through the
624 scope of a class. When an instruction accesses a static property through the
625 scope of class C, it will search the static store of C and then the static
626 stores of C's ancestors (starting with C's base class and moving up the
627 inheritance chain) for the first static property with the given name that is
628 visible in the current context.
630 If a static property S is declared with the "public" qualifier in the
631 definition of class C, the static property S when accessed through the scope of
632 class C or a descendent of C will be visible and accessible in all contexts.
633 Note that descendent classes of C may declare another static property with the
634 same name as S. The declaration in class C is considered to define a separate
635 static property that is distinct from all other static properties declared in
636 descendent classes of C.
638 If a static property S is declared with the "protected" qualifier in the
639 definition of class C, the static property S when accessed through the scope of
640 class C or a descendent of C will be visible in all contexts, but only
641 accessible in the context of class C, an ancestor class of C, or descendent
642 class of C. When class C is loaded at run time, a semantic check must be
643 performed to ensure that all ancestor classes of C do not declare a static
644 property as "public" with the same name as S. If C has an ancestor that
645 declares a public static property with the same name as S, the execution engine
646 must throw a fatal error when class C is loaded. Note that descendent classes
647 of C may declare another static property with the same name as S. The
648 declaration in class C is considered to define a separate static property that
649 is distinct from all other static properties declared in descendent classes of
652 If a static property S is declared with the "private" qualifier in the
653 definition of class C, the static property S when accessed through the scope of
654 class C will be visible in all contexts, but only accessible in the context of
655 class C. The static property S when accessed through the scope of a descendent
656 of C will only be visible and accessible in the context of class C. When class
657 C is loaded at run time, a semantic check must be performed to ensure that all
658 ancestor classes of C do not declare a static property as "public" or
659 "protected" with the same name as S. If C has an ancestor that declares a
660 public or protected static property with the same name as S, the execution
661 engine must throw a fatal error when class C is loaded. Note that descendent
662 classes of C may declare another static property with the same name as S. The
663 declaration in class C is considered to define a separate static property that
664 is distinct from all other static properties declared in descendent classes of
667 Note that instructions cannot create new static properties in a class that were
668 not declared in the class definition.
674 An FPI region is a contiguous range of bytecode that constitutes a call site.
675 Each FPI region begins immediately after an FPush* instruction that pushes an
676 FPI structure onto the FPI stack and must end with the corresponding FCall*
677 instruction that pops that FPI structure off of the FPI stack. If two FPI
678 regions overlap, one of the FPI regions must be completely enclosed by the
679 other FPI region. An FPI region may not contain backward jumps, nor may it
680 contain forward jumps that jump past the end of the FPI region.
682 Each function has an "FPI region table". Each row in the FPI region table
683 consists of the starting offset of the FPI region (the bytecode offset
684 immediately following the FPush* instruction), the ending offset of the FPI
685 region (the bytecode offset of the FCall* instruction), and the number of
686 parameters being passed.
692 Any given value on the stack must either be a cell, ref, or classref at run
693 time. However, at bytecode generation time the specific flavor of a value on
694 the stack is not always known. HipHop bytecode uses symbols called "flavor
695 descriptors" to precisely describe what is known at bytecode generation about
696 the state of the evaluation stack at each instruction boundary.
698 Each instruction description specifies the flavor descriptor produced for each
699 of its outputs. Each description also specifies the flavor descriptor consumed
700 for each of the instruction's inputs.
702 Here is a description of each flavor descriptor:
704 C - cell; specifies that the value must be a cell at run time
705 V - ref; specifies that the value must be a ref at run time
706 A - classref; specifies that the value must be a classref at run time
707 R - return value; specifies that the value may be a cell or a ref at run
708 time; this flavor descriptor is used for return values from function
710 F - function argument; specifies that the value may be a cell or a ref at run
711 time; this flavor descriptor is used for parameter values that are about
712 to be passed into a function
713 U - uninit; specifies that the value must be an uninitialized null at run
714 time; this is only used for FCallBuiltin, CreateCl, and CUGetL.
720 Because instructions specify constraints on the flavor descriptor of each
721 input, it is important to be able to determine if a given HHBC program
722 satisfies these constraints. A program that satisfies the constraints on the
723 inputs to each instruction is said to be "flavor-safe".
725 HHBC provides a set of verification rules that can be mechanically applied to
726 verify that an HHBC program is flavor-safe. All valid HHBC programs must be
727 verifiably flavor-safe, and the execution engine may refuse to execute HHBC
728 programs that cannot be verified.
730 At bytecode generation time, what is known about the state of the evaluation
731 stack at a given instruction boundary can be precisely described using flavor
734 In addition to being flavor-safe, there are other invariants that valid HHBC
735 programs must uphold with respect to metadata and how certain instructions are
738 Below is the complete list of verifiability rules. If the bytecode to be
739 executed does not come from a trusted source, it is the responsibility of the
740 bytecode execution engine to verify that these invariants hold.
742 1) The depth of the evaluation stack at any given point in the bytecode must be
743 the same for all possible control flow paths. The flavor descriptor of any
744 given slot on the evaluation stack at any given point in the bytecode must be
745 the same for all possible control flow paths.
747 2) No instruction may consume more values from the evaluation stack than are
748 available at that given point in the bytecode. Likewise, the flavor descriptor
749 of each slot on the evaluation stack must be compatible with the instruction's
750 inputs' flavor descriptors.
752 3) The evaluation stack must be empty at any offset listed as a catch entry
755 4) If a given instruction is not the target of a forward branch and it follows
756 a Jmp, Switch, SSwitch, RetC, RetV, Unwind, Fatal, Throw, or NativeImpl
757 instruction, the evaluation stack before executing the given instruction
760 5) Before executing the RetC instruction, the evaluation stack must contain
761 exactly one value and the flavor descriptor of the value must be cell.
762 Likewise, before executing the RetV instruction, the evaluation stack must
763 contain exactly one value and the flavor descriptor of the value must be the
764 ref. Finally, before executing the Unwind or NativeImpl instructions, the
765 evaluation stack must be empty.
767 6) The code for the primary function body and fault funclets must be laid out
768 in order in one contiguous block, starting with the primary function body and
769 optionally followed by one or more fault funclets. The code for primary
770 function body may not jump into the code for the funclets. Similarly, the code
771 for a funclet may not jump into the code for the primary function body or
774 7) Any bytecode instruction inside the primary function body or a fault funclet
775 that is immediately followed by an instruction not inside the same primary
776 function body or fault funclet must be one of the following instructions: Jmp,
777 Switch, SSwitch, RetC, RetV, Unwind, Fatal, Throw, or NativeImpl.
779 8) The primary function body may not contain the Unwind instruction, and fault
780 funclets may not contain the Ret* instructions. Also, each catch entry point
781 must point to a Catch instruction.
783 9) Each FPI region enumerated in the FPI region table must start immediately
784 after an FPush* instruction and it must end with an FCall* instruction. Each
785 use of the FPush* instruction must be the instruction immediately before
786 exactly one FPI region. Likewise, each use of the FCall* instruction must be
787 the last instruction in exactly one FPI region. Finally, FPass* instructions
788 may not be used outside an FPI region.
790 10) Each FPI region may not contain backward jumps, nor may it contain forward
791 jumps that jump outside the end of the FPI region. Also, there may not be jumps
792 anywhere in the function that transfer control from the outside of a given FPI
793 region to the inside of that region. An FPI region may not contain the Ret*,
794 Unwind, Throw, or Fatal instructions. Finally, an entry point may not point to
795 an instruction inside an FPI region.
797 11) The depth of the FPI stack at any given point in the bytecode must be the
798 same for all possible control flow paths. Also, for any given FPI region that
799 passes n parameters, all possible control flow paths from the beginning of the
800 region to the end must pass through exactly n FPass* instructions associated
801 with the region which pass the parameters in forward order.
803 12) Given an evaluation stack of depth n after an FPush* instruction, the
804 evaluation stack before the corresponding FCall* instruction must also have a
805 depth of n. Likewise, the evaluation stack after corresponding FPass*
806 instructions must have a depth of n as well. Finally, no instruction between an
807 FPush* and its corresponding FCall* may consume any of the values from the
808 evaluation stack that were pushed onto the stack before the FPush* instruction.
810 13) The initialization state of each iterator variable must be known at every
811 point in the code and must be the same for all control paths. There are four
812 possible states: (1) uninitialized, (2) "iter-initialized" (initialized via
813 IterInit*), (3) "miter-initialized" (initialized via MIterInit*), and (4)
814 "cuf-initialized" (initialized via DecodeCufIter). Every range of bytecode for
815 which an iterator variable i is initialized must be protected by a fault
816 funclet that unsets i by calling IterFree, MIterFree, or CIterFree.
818 14) The iterator variable referenced by IterInit* or MIterInit* or
819 DecodeCufIter must be in the uninitialized state when the instruction executes.
820 An iterator variable referenced by IterNext* and IterFree must be in the
821 "iter-initialized" state, an iterator variable referenced by MIterNext* or
822 MIterFree must be in the "miter-initialized" state, and an iterator variable
823 referenced by FPushCufIter or CIterFree must be in the citer-initialized state.
824 Note that IterInit* and MIterInit* conditionally initialize the iterator
825 variable, and IterNext* and MIterNext* conditionally free the iterator
828 15) Each EH table must follow all of the rules specified in the "Exception
829 handler (EH) table" section.
835 Each instruction description below consists of a mnemonic, followed by 0 or
836 more immediate operands, followed by a stack transition description of the form
837 "[xn,...,x2,x1] -> [ym,...,y2,y1]", where "[xn,...,x2,x1]" is a list of flavor
838 descriptors describing what the instruction consumes from the evaluation stack
839 and "[ym,...,y2,y1]" is the list of flavor descriptors describing what the
840 instruction pushes onto the stack. x1 and y1 represent the topmost stack
841 elements before and after execution, respectively.
843 Each element of a stack transition may also contain an optional type
844 annotation. Here is the list of the type annotations used in instruction
847 Null - denotes the null type
848 Bool - denotes the boolean type
849 Int - denotes the integer type
850 Dbl - denotes the double-precision floating-point type
851 Str - denotes the string type
852 Arr - denotes the array type
853 Obj - denotes the object type
855 Multiple type annotations may be combined together using the "|" symbol. For
856 example, the type annotation "Int|Dbl" means that a value is either integer or
859 Some instructions may contain multiple stack transition descriptions to express
860 the relationship between the types of the values consumed from the stack and
861 types of the values pushed onto the stack. Also, in some stack transition
862 descriptions, "<T>" is used as shorthand to represent any one specific type.
863 For example, a transition such as "[C:<T>] -> [C:<T>]" indicates that the type
864 of value that the instruction pushes onto the stack will match the type of
865 value that it consumed from the stack. Likewise, "<F>" is used as shorthand to
866 represent any one specific flavor descriptor.
868 $1 is used to refer to the value at the top of the evaluation stack, $2 is used
869 to refer to the value directly below $1 on the evaluation stack, $3 is used to
870 refer to the value directly below $2, and so forth. Also, %1 is used to refer
871 to the first immediate argument, and %2 is used to refer to the second
874 Note that the relative offset immediate used by a Jmp*, Iter*, MIter*, Switch,
875 or SSwitch instruction is relative to the beginning of the instruction.
877 There are numerous instructions that operate on different kinds of locations.
878 Locations are specified using "location descriptors". The complete list of
879 location descriptors is given below:
881 L - local id; location is the local variable whose id is given by an
883 N - local name; location is the local variable whose name is given by the
885 G - global name; location is the global variable whose name is given by the
887 S - static property; location is the static property whose class is given by
888 a classref and whose name is given by value of a cell.
889 C - cell; location is a temporary value given by a cell.
890 R - return value; location is a temporary value given by a cell or a ref
891 H - $this; location is the $this pointer in the current frame. Must only be
892 used in a frame that is known to have a non-null $this pointer; CheckThis
893 is most commonly used to ensure this.
895 There are several groups of similarly named instructions where the name of each
896 instruction ends with a different location descriptor (for example, Set*). Each
897 instruction in the group perform similar actions but take different kinds of
898 inputs to specify the location to access.
900 The Member instructions provide functionality to operate on elements and
901 properties. These instructions incorporate an immediate argument vector which
902 specifies a location descriptor (defined above) followed by one or more member
905 EC - consume a cell from the evaluation stack as an element
906 EL:<id> - consume a local given by an immediate id as an element
907 ET:<id> - consume a litstr given by an immediate id as an element
908 EI:<int> - consume a immediate integer as an element
909 PC - consume a cell from the evaluation stack as a property
910 PL:<id> - consume a local given by an immediate id as a property
911 PT:<id> - consume a litstr given by an immediate id as a property
912 QT:<id> - a nullsafe version of PT:<id>. The null-base doesn't issue
913 a warning, and no stdClass promotion in write context for the
914 base happens. Consume a litstr given by an immediate id
916 W - synthesize a new element (no corresponding local variable or
917 evaluation stack slot)
919 For example, the following correspondence exists (ignoring setup bytecode):
921 Source code: $a[3][$b][]['hi'] = 42;
922 Bytecode: SetM <L:0 EI:3 EL:1 W ET:hi>
925 Instructions that have an immediate argument vector have different stack
926 transition descriptions depending on the kind of location descriptor and member
927 descriptors contained in the immediate argument vector. Member instructions
928 denote the immediate argument vector using the notation "<loc-desc/M-vector>"
929 and "C..C" is used to indicate that the member instructions consume a variable
930 number of cells from the stack. In most cases the immediate vector arguments
931 are ordered such that the loc-desc comes first (deepest in the stack), with the
932 last M-vector element last (shallowest in the stack). However, classrefs that
933 are part of the BaseSC and BaseSL loc-desc inputs always come last (the cell
934 input to BaseSC comes first though). Instructions accepting an immediate vector
935 containing a list of iterators and iterator types use the notation
938 In addition to describing each instruction, this instruction set documentation
939 also describes several operations that encapsulate fundamental, but non-trivial
940 processes that are shared by the Member instructions.
942 The instruction set is organized into the following sections:
943 1. Basic instructions
944 2. Literal and constant instructions
945 3. Operator instructions
946 4. Control flow instructions
948 6. Isset, Empty and type querying instructions
949 7. Mutator instructions
952 10. Member instructions
953 11. Iterator instructions
954 12. Include, eval, and define instructions
955 13. Miscellaneous instructions
956 14. Generator creation and execution
960 1. Basic instructions
961 ---------------------
965 No operation. This instruction does nothing.
972 Pop. Discards the value on the top of the stack.
974 Dup [C:<T>] -> [C:<T> C:<T>]
976 Duplicate. Duplicates the cell $1 and pushes it onto the stack.
978 Box [C:<T>] -> [V:<T>]
980 Box. Creates a new ref, sets the new ref to point at a copy of cell $1, and
981 pushes the ref onto the stack.
983 Unbox [V:<T>] -> [C:<T>]
985 Unbox. Creates a copy of the cell that ref $1 points to, and pushes the cell
988 BoxR [R:<T>] -> [V:<T>]
990 Box. If $1 is a ref at run time, this instruction does nothing.
992 If $1 is a cell at run time, this instruction creates a new ref, sets the new
993 ref to point at a copy of cell $1, and pushes the ref onto the stack.
995 BoxRNop [R:<T>] -> [V:<T>]
997 Box, no op. $1 must be statically known to be boxed.
999 UnboxR [R:<T>] -> [C:<T>]
1001 Unbox. If $1 is a cell at run time, this instruction does nothing.
1003 If $1 is a ref at run time, this instruction creates a copy of the cell that
1004 ref $1 points to, and pushes the cell onto the stack.
1006 UnboxRNop [R:<T>] -> [C:<T>]
1008 UnboxR, no op. $1 must be statically known to be unboxed. This instruction
1009 pushes $1 on the stack as a cell.
1011 RGetCNop [C:<T>] -> [R:<T>]
1013 Convert a cell to an R, no op. This is a flavor-safety only opcode.
1016 2. Literal and constant instructions
1017 ------------------------------------
1021 False [] -> [C:Bool]
1023 Push constant. Null pushes null onto the stack, True pushes true onto the
1024 stack, and False pushes false onto the stack.
1026 NullUninit [] -> [U]
1028 Push an uninitialized null on the stack.
1030 Int <signed 64-bit integer value> [] -> [C:Int]
1031 Double <double value> [] -> [C:Dbl]
1032 String <litstr id> [] -> [C:Str]
1033 Array <scalar array id> [] -> [C:Arr]
1035 Push immediate. Pushes %1 onto the stack.
1037 NewArray <capacity hint> [] -> [C:Arr]
1039 New array, with a capacity hint. Creates a new array and pushes it onto the
1040 stack. The implementation may make use of the hint in %1 to pre-size the
1041 array. The hint %1 must be greater than or equal to 0.
1043 NewMixedArray <capacity hint> [] -> [C:Arr]
1045 New array in mixed mode, with a capacity hint. Creates a new array and pushes
1046 it onto the stack. The implementation may make use of the hint in %1 to
1047 pre-size the array. The hint %1 must be greater than or equal to 0.
1049 NewMIArray <capacity hint> [] -> [C:Arr]
1051 New array in int map mode, with a capacity hint. Creates a new array and
1052 pushes it onto the stack. The implementation may make use of the hint in %1 to
1053 pre-size the array. The hint %1 must be greater than or equal to 0.
1055 NewMSArray <capacity hint> [] -> [C:Arr]
1057 New array in string map mode, with a capacity hint. Creates a new array and
1058 pushes it onto the stack. The implementation may make use of the hint in %1 to
1059 pre-size the array. The hint %1 must be greater than or equal to 0.
1061 NewLikeArrayL <local variable id> <capacity hint> [] -> [C:Arr]
1063 New array with the same kind as the array stored in the local variable %1.
1064 If %1 is not an array, returns an array in mixed mode. The implementation
1065 may make use of the hint in %2 to pre-size the array. If %2 == 0, the
1066 implementation may instead use the size of %1 as the hint.
1068 NewPackedArray <num elems> [C..C] -> [C]
1070 New array. Creates a new array from the top %1 cells on the stack, pops those
1071 cells, then pushes the new array onto the stack. Elements are pushed on the
1072 stack in array insertion order and are implicitly numbered from 0 to %1 - 1.
1073 $1 is at index %i - 1, $2 at %1-2, and so on; $(%1) is at index 0.
1075 NewStructArray <litstr id vector> [C..C] -> [C]
1077 New array. Creates a new array from the names given in %1 and values from the
1078 stack. The vector of litstr ids gives the element names, one value for each
1079 name is popped from the stack. Names are in array insertion order, and values
1080 were pushed onto the stack in insertion order, so are added to the array in
1081 reverse order (the topmost value will become the last element in the array).
1084 NewStructArray < "a" "b" > [ 1 2 ] -> [ array("a"=>1, "b"=>2) ]
1086 AddElemC [C C C] -> [C:Arr]
1088 Add element. If $3 is an array, this instruction executes $3[$2] = $1 and
1089 then pushes $3 onto the stack.
1091 If $3 is not an array, this instruction throws a fatal error.
1093 AddElemV [C C V] -> [C:Arr]
1095 Add element. If $3 is an array, this instruction executes $3[$2] = &$1 and
1096 then pushes $3 onto the stack.
1098 If $3 is not an array, this instruction throws a fatal error.
1100 AddNewElemC [C C] -> [C:Arr]
1102 Add new element. If $2 is an array, this instruction executes $2[] = $1 and
1103 then pushes $2 onto the stack.
1105 If $2 is not an array, this instruction throws a fatal error.
1107 AddNewElemV [C V] -> [C:Arr]
1109 Add new element. If $2 is an array, this instruction executes $2[] = &$1 and
1110 then pushes $2 onto the stack.
1112 If $2 is not an array, this instruction throws a fatal error.
1114 NewCol <coll type> <num elems> [] -> [C:Obj]
1116 New collection. Creates a new collection of type %1 with an initial capacity
1117 sufficient to hold the number of elements specified by %2, and pushes the
1118 collection onto the stack.
1120 ColFromArray <coll type> [C:Arr] -> [C:Obj]
1122 Create a collection of type %1 from array $1, and pushes the collection onto
1123 the stack. %1 cannot be Pair. The array will be used to implement the
1124 collection without conversion or duplication, thus it should not to contain
1125 references. $1 must be in packed mode if %1 is Vector or ImmVector, and must
1126 be in mixed mode otherwise.
1128 Note that integer-like string keys are converted to integers in array, but
1129 not in collections; thus not all collections can be created using this
1132 MapAddElemC [C C C] -> [C:Obj]
1134 Collection add key/value pair. $3 must be an instance of HH\Map or
1135 HH\ImmMap. This instruction executes $3[$2] = $1 and then pushes $3 onto the
1138 ColAddNewElemC [C C] -> [C:Obj]
1140 Collection add value. $2 must be an instance of HH\Pair, HH\Set, or
1141 HH\Vector. This instruction executes $2[] = $1 and then pushes $2 onto the
1144 Cns <litstr id> [] -> [C:Null|Bool|Int|Dbl|Str|Resource]
1146 Get constant. Pushes the value of the global constant named %1 onto the stack
1147 as a cell. If there is no constant named %1, this instruction raises a notice
1148 and pushes the string %1 onto the stack as a cell.
1150 CnsE <litstr id> [] -> [C:Null|Bool|Int|Dbl|Str|Resource]
1152 Get constant. Pushes the value of the global constant named %1 onto the stack
1153 as a cell. If there is no constant named %1, throws a fatal error.
1155 CnsU <litstr id> <litstr fallback> [] -> [C:Null|Bool|Int|Dbl|Str|Resource]
1157 Get constant. Identical to Cns except returns constant named %2 if the
1158 constant named %1 is undefined.
1160 ClsCns <litstr id> [A] -> [C:Null|Bool|Int|Dbl|Str|Resource]
1162 Get class constant. This instruction pushes the value of the class constant
1163 named %1 from class $1 onto the stack. If there is no class constant named %1
1164 in class $1, this instruction throws a fatal error.
1166 ClsCnsD <litstr id> <litstr id> [] -> [C:Null|Bool|Int|Dbl|Str|Resource]
1168 Get class constant (direct). This instruction first checks if %2 matches the
1169 name of a defined class. If %2 does not match the name of a defined class,
1170 this instruction will invoke the autoload facility passing in the class name
1171 %2, and then it will again check if %2 matches the name of a defined class.
1172 If %2 still does not match the name of a defined class this instruction
1173 throws a fatal error.
1175 Next, this instruction pushes the value of the class constant named %1 from
1176 class %2 onto the stack. If there is no class constant named %1 in class %2,
1177 this instruction throws a fatal error.
1179 File [] -> [C:Static Str]
1180 Dir [] -> [C:Static Str]
1182 Push string. File pushes __FILE__ onto the stack, and Dir pushes __DIR__ onto
1185 NameA [A] -> [C:Static Str]
1187 Push the name of the class in $1 as a string.
1190 3. Operator instructions
1191 ------------------------
1193 Concat [C C] -> [C:Str]
1195 Concatenation (.). Pushes ((string)$2 . (string)$1) on the stack.
1197 ConcatN <n> [C..C] -> [C:Str]
1199 Concatenation (.). Pushes ((string)$n . ... . (string)$1) on the stack.
1201 Abs [C] -> [C:Int|Dbl|Bool]
1203 Absolute value. Computes the absolute value of $1 and pushes the result onto
1206 Add [C:Arr C:Arr] -> [C:Arr]
1207 [C:<T2> C:<T1>] -> [C:Dbl] (where T1 == Dbl || T2 == Dbl)
1208 [C:<T2> C:<T1>] -> [C:Int] (where T1 != Dbl && T2 != Dbl &&
1209 (T1 != Arr || T2 != Arr))
1211 Addition (+). Performs addition (or plus-merge if $1 and $2 are both arrays).
1212 Pushes ($2 + $1) onto the stack. This instruction throws a fatal error if
1213 is_array($1) xor is_array($2) is true.
1215 Sub [C:<T2> C:<T1>] -> [C:Dbl] (where T1 == Dbl || T2 == Dbl)
1216 [C:<T2> C:<T1>] -> [C:Int] (where T1 != Dbl && T2 != Dbl)
1218 Subtraction (-). Pushes ($2 - $1) onto the stack. This instruction throws a
1219 fatal error if is_array($1) || is_array($2) is true.
1221 Mul [C:<T2> C:<T1>] -> [C:Dbl] (where T1 == Dbl || T2 == Dbl)
1222 [C:<T2> C:<T1>] -> [C:Int] (where T1 != Dbl && T2 != Dbl)
1224 Multiplication (*). Pushes ($2 * $1) onto the stack. This instruction throws
1225 a fatal error if is_array($1) || is_array($2) is true.
1227 AddO [C:Arr C:Arr] -> [C:Arr]
1228 [C:<T2> C:<T1>] -> [C:Dbl] (where T1 == Dbl || T2 == Dbl)
1229 [C:<T2> C:<T1>] -> [C:Int|dbl] (where T1 != Dbl && T2 != Dbl &&
1230 (T1 != Arr || T2 != Arr))
1232 Same behavior as Add, except for when both inputs have type Int and the
1233 result would not fit in a 64-bit integer. Then this instruction will push
1234 (double)$1 + (double)$2.
1236 SubO [C:<T2> C:<T1>] -> [C:Dbl] (where T1 == Dbl || T2 == Dbl)
1237 [C:<T2> C:<T1>] -> [C:Int|Dbl] (where T1 != Dbl && T2 != Dbl)
1239 Same behavior as Sub, except for when both inputs have type Int and the
1240 result would not fit in a 64-bit integer. Then this instruction will push
1241 (double)$2 - (double)$1.
1243 MulO [C:<T2> C:<T1>] -> [C:Dbl] (where T1 == Dbl || T2 == Dbl)
1244 [C:<T2> C:<T1>] -> [C:Int|Dbl] (where T1 != Dbl && T2 != Dbl)
1246 Same behavior as Mul, except for when both inputs have type Int and the
1247 result would not fit in a 64-bit integer. Then this instruction will push
1248 (double)$1 * (double)$2.
1250 Div [C C] -> [C:Bool|Int|Dbl]
1251 [C:Dbl C:Int] -> [C:Bool|Dbl]
1252 [C:Int C:Dbl] -> [C:Bool|Dbl]
1253 [C:Dbl C:Dbl] -> [C:Bool|Dbl]
1255 Division (/). Pushes ($2 / $1) onto the stack. This instruction throws a
1256 fatal error if is_array($1) || is_array($2) is true.
1258 Mod [C C] -> [C:Bool|Int]
1260 Modulus (%). Pushes ((int)$2 % (int)$1) onto the stack. This instruction
1261 never throws a fatal error.
1263 Pow [C C] -> [C:Int|Dbl]
1265 Power. Pushes $2 raised to the power of $1 onto the stack. This instruction
1266 never throws a fatal error.
1268 Sqrt [C] -> [C:Null|Dbl]
1270 Square root. Computes the square root of $1 and pushes the result onto the
1271 stack. If $1 is not null, a bool, an int, a double, or a numeric string, it
1272 raises a warning and pushes null onto the stack.
1274 If $1 is a negative number, this instruction pushes a floating-point value
1275 representing NAN onto the stack.
1277 Strlen [C] -> [C:Null|Int]
1279 String length. If $1 is a string push the length of the string on the stack.
1280 If $1 is an object with a __toString method, call this method and push the
1281 length of the resulting string on the stack. If $1 is an array or resource,
1282 raise a warning and push null on the stack. Otherwise convert $1 to a string
1283 and push the length of that string on the stack.
1285 Xor [C C] -> [C:Bool]
1287 Logical xor (xor). Pushes ((bool)$2 xor (bool)$1) onto the stack.
1291 Logical not (!). Pushes (!(bool)$1) onto the stack.
1293 Same [C C] -> [C:Bool]
1295 Same (===). Pushes ($2 === $1) onto the stack.
1297 NSame [C C] -> [C:Bool]
1299 Not same (!==). Pushes ($2 !== $1) onto the stack.
1301 Eq [C C] -> [C:Bool]
1303 Equals (==). Pushes ($2 == $1) onto the stack.
1305 Neq [C C] -> [C:Bool]
1307 Not equal (!=). Pushes ($2 != $1) onto the stack.
1309 Lt [C C] -> [C:Bool]
1311 Less than (<). Pushes ($2 < $1) onto the stack.
1313 Lte [C C] -> [C:Bool]
1315 Less than or equal to (<=). Pushes ($2 <= $1) onto the stack.
1317 Gt [C C] -> [C:Bool]
1319 Greater than (>). Pushes ($2 > $1) onto the stack.
1321 Gte [C C] -> [C:Bool]
1323 Greater than or equal to (>=). Pushes ($2 >= $1) onto the stack.
1325 BitAnd [C:<T2> C:<T1>] -> [C:Int] (where T1 != Str || T2 != Str)
1326 [C:Str C:Str] -> [C:Str]
1328 Bitwise and (&). Pushes ($2 & $1) onto the stack. If either $1 or $2 is an
1329 object, this instruction throws a fatal error.
1331 BitOr [C:<T2> C:<T1>] -> [C:Int] (where T1 != Str || T2 != Str)
1332 [C:Str C:Str] -> [C:Str]
1334 Bitwise or (|). Pushes ($2 | $1) onto the stack. If either $1 or $2 is an
1335 object, this instruction throws a fatal error.
1337 BitXor [C:<T2> C:<T1>] -> [C:Int] (where T1 != Str || T2 != Str)
1338 [C:Str C:Str] -> [C:Str]
1340 Bitwise xor (^). Pushes ($2 ^ $1) onto the stack. If either $1 or $2 is an
1341 object, this instruction throws a fatal error.
1343 BitNot [C:<T>] -> [C:Int] (where T != Str)
1346 Bitwise not (~). Pushes (~$1) onto the stack. If $1 is null, a boolean, an
1347 array, or an object, this instruction throws a fatal error.
1349 Shl [C C] -> [C:Int]
1351 Shift left (<<). Pushes ((int)$2 << (int)$1) onto the stack. This instruction
1352 never throws a fatal error.
1354 Shr [C C] -> [C:Int]
1356 Shift right (>>). Pushes ((int)$2 >> (int)$1) onto the stack. This
1357 instruction never throws a fatal error.
1359 Floor [C] -> [C:Dbl]
1361 Round $1 to nearest integer value not greater than $1. Converts $1 to numeric
1362 as appropriate and then takes floor of resulting numeric value.
1366 Round $1 to nearest integer value not less than $1. Converts $1 to numeric as
1367 appropriate and then takes ceil of resulting numeric value.
1369 CastBool [C] -> [C:Bool]
1371 Cast to boolean ((bool),(boolean)). Pushes (bool)$1 onto the stack.
1373 CastInt [C] -> [C:Int]
1375 Cast to integer ((int),(integer)). Pushes (int)$1 onto the stack.
1377 CastDouble [C] -> [C:Dbl]
1379 Cast to double ((float),(double),(real)). Pushes (double)$1 onto the stack.
1381 CastString [C] -> [C:Str]
1383 Cast to string ((string),(binary)). Pushes (string)$1 onto the stack. If $1
1384 is an object that implements the __toString method, the string cast returns
1385 $1->__toString(). If $1 is an object that does not implement __toString
1386 method, the string cast throws a fatal error.
1388 CastArray [C] -> [C:Arr]
1390 Cast to array ((array)). Pushes (array)$1 onto the stack.
1392 CastObject [C] -> [C:Obj]
1394 Cast to object ((object)). Pushes (object)$1 onto the stack.
1396 InstanceOf [C C] -> [C:Bool]
1398 Instance of (instanceof). If $1 is a string and it matches the name of a
1399 defined class and $2 is an object that is an instance of $1, this instruction
1400 pushes true onto the stack. If $1 is an object and get_class($1) matches the
1401 name of a defined class and $2 is an object that is an instance of
1402 get_class($1), this instruction pushes true onto the stack. If $1 is not a
1403 string or an object, this instruction throws a fatal error.
1405 InstanceOfD <litstr id> [C] -> [C:Bool]
1407 Instance of direct (instanceof). If %1 matches the name of a defined class
1408 and $1 is an instance of the %1, this instruction pushes true onto the stack,
1409 otherwise it pushes false onto the stack.
1411 Print [C] -> [C:Int]
1413 Print (print). Outputs (string)$1 to STDOUT and pushes the integer value 1
1416 Clone [C] -> [C:Obj]
1418 Clone (clone). Clones $1 and pushes it onto the stack. If $1 is not an
1419 object, this instruction throws a fatal error.
1421 Exit [C] -> [C:Null]
1423 Exit (exit). Terminates execution of the program.
1425 If $1 is an integer, this instruction will set the exit status to $1, push
1426 null onto the stack, and then it will terminate execution.
1428 If $1 is not an integer, this instruction will output (string)$1 to STDOUT,
1429 set the exit status to 0, push null onto the stack, and then it will
1430 terminate execution.
1432 Fatal <fatal subop> [C] -> []
1434 Fatal. This instruction throws a fatal error using $1 as the error message.
1435 If $1 is not a string, this instruction throws a fatal error with an error
1436 message that indicates that the error message was not a string. Setting %1 to
1437 0 will throw a runtime fatal error with a full backtrace. Setting %1 to 1
1438 will throw a parse fatal error with a full backtrace. Setting %1 to 2 will
1439 throw a runtime fatal error with the backtrace omitting the top frame.
1442 4. Control flow instructions
1443 ----------------------------
1445 Jmp <rel offset> [] -> []
1447 Jump. Transfers control to the location specified by %1.
1449 JmpNS <rel offset> [] -> []
1451 Jump, with no surprise flag checks (NS means "no surprise"). This behaves
1452 identically to the Jmp instruction, except that internal VM checks for things
1453 like OOM and timeouts do not need to be performed even if the offset is
1454 negative. This instruction cannot have a zero offset (i.e. it cannot jump to
1457 JmpZ <rel offset> [C] -> []
1459 Jump if zero. Conditionally transfers control to the location specified by %1
1460 if (bool)$1 == (bool)0.
1462 JmpNZ <rel offset> [C] -> []
1464 Jump if not zero. Conditionally transfers control to the location specified
1465 by %1 if (bool)$1 != (bool)0.
1467 Switch <offset vector> <base> <bounded> [C] -> []
1469 Switch over integer case values. If bounded == SwitchKind::Unbounded, the
1470 implementation will assume that $1 is an integer in the range [0,
1471 length(vector)) and unconditionally transfer control to the location
1472 specified by vector[$1]. Undefined behavior will result if $1 is not an
1473 integer inside this range. If bounded == SwitchKind::Bounded, the following
1476 For a bounded Switch, the last two elements of the offset vector are special:
1477 they represent the first non-zero case and the default case, respectively.
1478 base + length(vector) - 2 must not be greater than 2^63-1. If $1 === true,
1479 control will be transferred to the location specified by
1480 vector[length(vector) - 2]. If $1 is equal (as defined by Eq) to any integer
1481 $n in the range [base, base + length(vector) - 2), control will be
1482 transferred to the location specified by vector[$n - base]. Otherwise,
1483 control will be transferred to the location specified by
1484 vector[length(vector) - 1].
1486 SSwitch <litstr id/offset vector> [C] -> []
1488 Switch over string case values. This instruction will search the
1489 string/offset vector from the beginning until it finds a string that is equal
1490 to $1. If one is found, control will be transferred to the location specified
1491 by the offset corresponding to that string. If a matching string is not
1492 found, control is transferred to the location specified by the final element
1493 in the vector, which must have a litstr id of -1.
1497 Return a cell. Returns $1 to the caller. This instruction may not be used
1498 inside fault funclets.
1500 If this instruction is used inside an async function executed in an "eager
1501 execution" mode, the $1 is wrapped into a StaticResultWaitHandle prior to
1502 return. In a "resumed execution" mode, the control is given back to the
1503 scheduler and it is informed that the async function has finished.
1505 If used in a generator, the Generator object is marked as finished and
1506 the control is given back to the next instruction after ContEnter or
1507 ContRaise instruction in a previous frame. The $1 must be Null.
1511 Return a ref. Returns $1 to the caller. This instruction may not be used
1512 inside fault funclets, async functions and generators.
1516 Unwind. Transfers control back to the unwinder. This instruction may only be
1517 used inside a fault funclet.
1521 Throw. Throws the object $1. If $1 is not an object that extends the
1522 Exception class, this instruction throws a fatal error.
1528 CGetL <local variable id> [] -> [C]
1530 Get local as cell. If the local variable given by %1 is defined, this
1531 instruction gets the value of the local variable and pushes it onto the stack
1532 as a cell. If the local variable is not defined, this instruction raises a
1533 warning and pushes null onto the stack.
1535 CGetL2 <local variable id> [<F>:<T>] -> [C <F>:<T>]
1537 Get local as cell. If the local variable given by %1 is defined, this
1538 instruction gets the value of the local variable, pushes it onto the stack as
1539 a cell, and then pushes $1 onto the stack.
1541 If the local variable is not defined, this instruction raises a warning,
1542 pushes null onto the stack, and then pushes $1 onto the stack.
1544 CGetL3 <local variable id> [<F2>:<T2> <F1>:<T1>] -> [C <F2>:<T1> <F1>:<T1>]
1546 Get local as cell. If the local variable given by %1 is defined, this
1547 instruction gets the value of the local variable, pushes it onto the stack as
1548 a cell, then pushes $2 onto the stack, and then pushes $1 onto the stack.
1550 CUGetL <local variable id> [] -> [C|U]
1552 Get local as cell or uninit. If the local variable given by %1 is defined,
1553 this instruction gets the value of the local variable and pushes it onto the
1554 stack as a cell. If the local variable is not defined, this instruction pushes
1555 uninit onto the stack.
1557 If the local variable given by %1 is not defined, this instruction raises a
1558 warning, pushes null onto the stack, then pushes $2 onto the stack, and then
1559 pushes $1 onto the stack.
1561 PushL <local variable id> [] -> [C]
1563 Teleport local value to eval stack. The local variable given by %1 must be
1564 defined and must not contain a reference. This instruction pushes the local's
1565 value on the stack, then unsets it, equivalent to the behavior of UnsetL.
1569 Get local as cell. This instruction first computes x = (string)$1. Next, this
1570 instruction reads the local variable named x pushes its value onto the stack
1573 If there is no local variable defined named x, this instruction pushes null
1574 onto the stack and raises a warning.
1578 Get global as cell. This instruction first computes x = (string)$1. Next,
1579 this instruction reads the global variable named x pushes its value onto the
1582 If there is not a global variable defined named x, this instruction pushes
1583 null onto the stack and raises a warning.
1587 Get static property as cell. This instruction first checks if class $1 has a
1588 visible and accessible static property named (string)$2. If it doesn't, this
1589 instruction throws a fatal error. Otherwise, this instruction pushes the
1590 static property onto the stack as a cell.
1592 VGetL <local variable id> [] -> [V]
1594 Get local as ref. This instruction boxes the local variable given by %1 if
1595 necessary and pushes it onto the stack as a ref. If the given local variable
1596 is not defined, this instruction defines it, sets it to null, boxes it, and
1597 pushes a the value of the local variable onto the stack as a ref.
1601 Get local as ref. This instruction first computes x = (string)$1. Next, this
1602 instruction boxes the local variable named x (if the local is a cell) and
1603 pushes its value onto the stack as a ref. If there is no local variable
1604 defined named x, this instruction defines a local variable named x, sets it
1605 to null, boxes it, and pushes the value of the local variable onto the stack
1610 Get global as ref. This instruction first computes x = (string)$1. Next, this
1611 instruction boxes the global variable named x (if the local is a cell) and
1612 pushes its value onto the stack as a ref. If there is no global variable
1613 defined named x, this instruction defines a global variable named x, sets it
1614 to null, boxes it, and pushes the value of the global variable onto the stack
1619 Get static property as ref. This instruction first checks if class $1 has a
1620 visible and accessible static property named (string)$2. If it doesn't, this
1621 instruction throws a fatal error. Otherwise, this instruction boxes the
1622 static property and pushes it onto the stack as a ref.
1625 AGetL <local variable id> [] -> [A]
1627 Fetch class. This instruction first loads a value into x as shown by the
1635 Next this instruction checks if x is a string or an object. If x is not a
1636 string or object, this instruction throws a fatal error. Otherwise, this
1637 instruction executes y = (is_object(x) ? get_class(x) : (string)x) and checks
1638 if y matches the name of a defined class. If y does not match the name of a
1639 defined class, this instruction will invoke the autoload facility passing in
1640 the class name y, and then it will again check if y matches the name of a
1641 defined class. If y still does not match the name of a defined class this
1642 instruction throws a fatal error.
1644 Next, this instruction pushes a classref that refers to the class named y.
1647 6. Isset, Empty, and type querying instructions
1648 -----------------------------------------------
1650 IssetC [C] -> [C:Bool]
1652 Isset. If $1 is null this instruction pushes false onto the stack, otherwise
1655 IssetL <local variable id> [] -> [C:Bool]
1657 Isset local. This instruction reads the local variable given by %1. If the
1658 local variable is undefined or null, this instruction pushes false onto the
1659 stack, otherwise it pushes true.
1661 IssetN [C] -> [C:Bool]
1663 Isset local. This instruction reads the local variable named (string)$1. If
1664 the local variable is undefined or null, this instruction pushes false onto
1665 the stack, otherwise it pushes true.
1667 IssetG [C] -> [C:Bool]
1669 Isset global. This instruction reads the global variable named (string)$1. If
1670 the global variable is undefined or null, this instruction pushes false onto
1671 the stack, otherwise it pushes true.
1673 IssetS [C A] -> [C:Bool]
1675 Isset static property. This instruction first computes x = (string)$2. Next
1676 it checks if class $1 has an accessible static property named x. If it
1677 doesn't, this instruction pushes false.
1679 If class $1 does have an accessible property named x, this instruction reads
1680 the static property named x. If the static property is null, this instruction
1681 pushes false onto the stack, otherwise it pushes true.
1683 EmptyL <local variable id> [] -> [C:Bool]
1685 Empty local. This instruction reads the local variable named %1 into x. If
1686 the local variable is defined this instruction pushes !(x) onto the stack,
1687 otherwise it pushes true.
1689 EmptyN [C] -> [C:Bool]
1691 Empty local. This instruction reads the local variable named (string)$1 into
1692 x. If the local variable is defined this instruction pushes !(x) onto the
1693 stack, otherwise it pushes true.
1695 EmptyG [C] -> [C:Bool]
1697 Empty global. This instruction reads the global variable named (string)$1
1698 into x. If the global variable is defined this instruction pushes !(x) onto
1699 the stack, otherwise it pushes true.
1701 EmptyS [C A] -> [C:Bool]
1703 Empty static property. This instruction first checks if class $1 has an
1704 accessible static property named (string)$2. If it doesn't, this instruction
1705 pushes true, otherwise this instruction reads the static property into x and
1706 pushes !(x) onto the stack.
1708 IsTypeC <op> [C] -> [C:Bool]
1710 Is type. This instruction first loads a type into t based on the operand op,
1711 according to the following table:
1722 Scalar | Int or Dbl or Str or Bool
1724 If t is Obj, this instruction checks if the operand in an object.
1725 Instances of a special class __PHP_Incomplete_Class are not considered
1727 Instances of descendants of __PHP_Incomplete_Class are considered objects.
1728 Otherwise, the result is true if $1 is of type t and false otherwise.
1729 The result is pushed on the stack.
1731 IsTypeL <local variable id> <op> [] -> [C:Bool]
1733 Is type. This instruction first loads a type into t and a value into x as
1734 given by the following table:
1737 -----------+----------------------------+-------
1745 Scalar | Int or Dbl or Str or Bool | false
1747 If the local variable given by %1 is defined, the logic is the same as for
1748 IsTypeC (see above).
1749 If the local is of kind reference, then the inner value is used to determine
1751 If the local variable given by %1 is not defined, this instruction raises a
1752 warning and pushes x onto the stack.
1755 7. Mutator instructions
1756 -----------------------
1758 SetL <local variable id> [C] -> [C]
1760 Set local. This instruction marks the local variable given by %1 as defined,
1761 stores the value $1 into the local variable, and then pushes $1 onto the
1766 Set local. This instruction marks the local variable named (string)$2 as
1767 defined, assigns the value $1 to the local variable, and then pushes $1 onto
1772 Set global. This instruction marks the global variable named (string)$2 as
1773 defined, assigns the value $1 to the global variable, and then pushes $1 onto
1778 Set static property. First this instruction checks if class $2 has an
1779 accessible static property named (string)$3. If it doesn't, this instruction
1780 throws a fatal error. Otherwise, this instruction assigns the value $1 to the
1781 static property, and then it pushes $1 onto the stack.
1783 SetOpL <local variable id> <op> [C] -> [C]
1785 Set op local. If the local variable given %1 is not defined, this instruction
1786 marks it as defined, sets it to null, and raises a warning.
1788 Next, this instruction reads the local variable into x, then executes y = x
1789 <op> $1, assigns y into local variable %1, and then pushes y onto the stack.
1790 The immediate value must be one of the following opcodes:
1791 Add, AddO, Sub, SubO, Mul, MulO, Div, Mod, Shl, Shr, Concat, BitAnd,
1794 SetOpN <op> [C C] -> [C]
1796 Set op local. This instruction first computes x = (string)$2. If the local
1797 variable named n is not defined, this instruction marks it as defined, sets
1798 it to null, and raises a warning.
1800 Next, this instruction reads the local variable named x into y, executes z =
1801 y <op> $1, assigns z into the local variable named x, and then pushes z onto
1802 the stack as a cell. The immediate value must be one of the following
1804 Add, Sub, Mul, Div, Mod, Shl, Shr, Concat, BitAnd, BitOr, BitXor.
1806 SetOpG <op> [C C] -> [C]
1808 Set op global. This instruction first computes x = (string)$2. If the global
1809 variable named n is not defined, this instruction marks it as defined, sets
1810 it to null, and raises a warning.
1812 Next, this instruction reads the global variable named x into y, executes z =
1813 y <op> $1, assigns z into the global variable named x, and then pushes z onto
1814 the stack as a cell. The immediate value must be one of the following
1816 Add, Sub, Mul, Div, Mod, Shl, Shr, Concat, BitAnd, BitOr, BitXor.
1818 SetOpS <op> [C A C] -> [C]
1820 Set op static property. This instruction first computes x = (string)$3. Next
1821 it checks if class $2 has an accessible static property named x. If it
1822 doesn't, this instruction throws a fatal error. Otherwise, this instruction
1823 reads the static property named x into y, executes z = y <op> $1, assigns z
1824 into the static property, and then pushes z onto the stack. The immediate
1825 value must be one of the following opcodes:
1826 Add, Sub, Mul, Div, Mod, Shl, Shr, Concat, BitAnd, BitOr, BitXor.
1828 IncDecL <local variable id> <op> [] -> [C]
1830 Increment/decrement local. If the local variable given by %1 is not defined,
1831 this instruction marks it as defined, sets it to null, and raises a warning.
1833 Where x is the local given by %1, this instruction then does the following:
1835 If op is PreInc, this instruction executes ++x and then pushes x onto the
1838 If op is PostInc, this instruction pushes x onto the stack and then it
1841 If op is PreDec, this instruction executes --x and then pushes x onto the
1844 If op is PostDec, this instruction pushes x onto the stack and then it
1847 IncDecN <op> [C] -> [C]
1848 IncDecG <op> [C] -> [C]
1850 Increment/decrement. This instruction first computes x = (string)$1. Next, if
1851 the local variable (IncDecN) or global variable (IncDecG) named x is not
1852 defined, this instruction first defines it, sets it to null, and raises a
1855 Where v is the local variable or global variable named x, this instruction
1856 performs the following:
1858 If op is PreInc, this instruction executes ++v and then pushes v onto the
1861 If op is PostInc, this instruction pushes v onto the stack and then it
1864 If op is PreDec, this instruction executes --v and then pushes v onto the
1867 If op is PostDec, this instruction pushes v onto the stack and then it
1870 IncDecS <op> [C A] -> [C]
1872 Increment/decrement static property. This instruction first computes x =
1873 (string)$2. Next it checks if class $1 has an accessible static property
1874 named x. If it doesn't, this instruction throws a fatal error.
1876 Where s is the static property named x, this instruction performs the
1879 If op is PreInc, this instruction increments the ++s and then pushes s onto
1882 If op is PostInc, this instruction pushes s onto the stack and then it
1885 If op is PreDec, this instruction executes --s and then pushes s onto the
1888 If op is PostDec, this instruction pushes s onto the stack and then it
1891 BindL <local variable id> [V] -> [V]
1893 Bind local. This instruction marks the local variable given by %1 as defined,
1894 binds the local variable to $1, and pushes $1 onto the stack.
1898 Bind local. This instruction marks the local variable named (string)$2 as
1899 defined, binds the local variable to $1, and pushes $1 onto the stack.
1903 Bind global. This instruction marks the global variable named (string)$2 as
1904 defined, binds the global variable to $1, and pushes $1 onto the stack.
1906 BindS [C A V] -> [V]
1908 Bind static property. This instruction first checks if class $2 has an
1909 accessible static property named (string)$3. If it doesn't, this instruction
1910 throws a fatal error. Otherwise, this instruction binds the static property
1911 to $1, and pushes $1 onto the stack.
1913 UnsetL <local variable id> [] -> []
1915 Unset local. Breaks any bindings the local variable given by %1 may have and
1916 marks the local variable as undefined.
1920 Unset local. This instruction breaks any bindings the local variable named
1921 (string)$1 may have and marks the local variable as undefined.
1925 Unset global. This instruction breaks any bindings the global variable named
1926 (string)$1 may have and marks the global variable as undefined.
1928 CheckProp <propName> [] -> [C:Bool]
1930 Check non-scalar property initializer. This instruction checks the
1931 initializer for property named %1 in the context class, and pushes
1932 true on the stack if it is initialized, and false otherwise.
1934 InitProp <propName> <op> [C] -> []
1936 Initialize non-scalar property. If %2 is 'NonStatic', this instruction sets
1937 the initializer for the property named %1 in the context class to $1. If %2
1938 is 'Static', this instruction sets the initializer for the static property
1939 named %1 in the context class to $1.
1941 The CheckProp and InitProp opcodes should only be used in 86pinit methods.
1942 86pinit methods are HHVM-internal property initialization methods that
1943 cannot be called from user-land. After 86pinit runs, no declared properties
1944 of the class can be of type NullUninit.
1946 8. Call instructions
1947 --------------------
1949 FPushFunc <num params> [C] -> []
1950 FPushFuncD <num params> <litstr id> [] -> []
1952 FPI push function. First, these instructions load a value into x as given by
1953 the following table:
1960 If x is a string, this instruction attempts to lookup a function named x. If
1961 no function named x is defined, this instruction throws a fatal error.
1962 Otherwise this instruction pushes a new entry on the FPI stack, initializing
1963 it with the number of parameters being passed (given by %1) and a reference
1964 to the FPI structure for the function named x. With FPushFuncD the litstr in
1965 %2 must not start with a '\' character. Function names should be normalized
1966 with respect to namespace and never start with a '\'.
1968 If x is an object, this instruction checks if the object has an __invoke
1969 method. If the object does not have an __invoke method, this instruction
1970 throws a fatal error. Otherwise this instruction pushes a new entry on the
1971 FPI stack, initializing it with the number of parameters being passed (given
1972 by %1) and a reference to the FPI structure for the __invoke method from
1975 If x is not a string or object, this instruction throws a fatal error.
1977 FPushFuncU <num params> <litstr id> <litstr fallback> [] -> []
1979 FPI push function unqualified. Identical to FPushFuncD except first tries to
1980 lookup the function named %2 and if it isn't defined calls the function named
1981 %3. As for FPushFuncD the litstr in %2 and %3 must not start with a '\'
1984 FPushObjMethod <num params> [C C] -> []
1985 FPushObjMethodD <num params> <litstr id> [C] -> []
1987 FPI push object-based method. First, these instructions load values into x
1988 and y as given by the following table:
1991 -------------------+----+-----
1992 FPushObjMethod | $2 | $1
1993 FPushObjMethodD | $1 | %2
1995 If x is not an object or if y is not a string, this instruction throws a
1996 fatal error. Next, this instruction checks if object x has an accessible
1997 method named y. If it does, this instruction pushes a new entry on the FPI
1998 stack, initializing it with the number of parameters being passed (given by
1999 %1) and a reference to the FPI structure for the method named y from object
2002 If object x does not have an accessible method named y, this instruction
2003 checks if object x has a __call method. If a __call method is found, this
2004 instruction pushes a new entry on the FPI stack, initializing it with the
2005 number of parameters being passed (given by %1) and a reference to the FPI
2006 structure for the __call from object x, and stores the original name y in the
2009 If object x does not have an accessible method named y and it does not have a
2010 __call method, this instruction throws a fatal error.
2012 FPushClsMethod <num params> [C A] -> []
2013 FPushClsMethodF <num params> [C A] -> []
2014 FPushClsMethodD <num params> <litstr id> <litstr id> [] -> []
2016 FPI push class-based method. First, these instructions load values into x and
2017 y as given by the following table:
2020 -------------------+----+-----
2021 FPushClsMethod | $1 | $2
2022 FPushClsMethodF | $1 | $2
2023 FPushClsMethodD | %3 | %2
2025 When loading %3 into x, FPushClsMethodD will perform the work performed by
2026 the AGetC instruction to convert the name given by %3 into a classref.
2028 If y is not a string, this instruction throws a fatal error. Next, this
2029 instruction checks if class x has an accessible method named y. If it does,
2030 this instruction pushes a new entry on the FPI stack, initializing it with
2031 the number of parameters being passed (given by %1) and a reference to the
2032 FPI structure for the method named y from class x.
2034 If class x does not have an accessible method named y, this instruction
2035 checks if the current function's $this is non-null, if the class of $this is
2036 the same or derived from class x, and if $this has a __call method. If no
2037 suitable __call method is found, this instruction will check if class x has a
2038 __callStatic method. If a suitable __call method or a __callStatic method is
2039 found, this instruction pushes a new entry on the FPI stack, initializing it
2040 with the number of parameters being passed (given by %1) and a reference to
2041 the FPI structure for the __call or __callStatic method that was found, and
2042 stores the original name y in the FPI stack entry.
2044 If class x does not have an accessible method named y, and if a suitable
2045 __call method or a __callStatic method could not be found, this instruction
2046 throws a fatal error.
2048 FPushCtor <num params> [A] -> [C]
2049 FPushCtorD <num params> <litstr id> [] -> [C]
2051 FPI push constructor. First, these instructions load a value into x as given
2052 by the following table:
2059 When loading %2 into x, FPushCtorD will perform the work performed by the
2060 AGetC instruction to convert the name given by %2 into a classref.
2062 This instruction pushes an uninitialized object onto the stack (to be
2063 initialized during FCall*) prior to entering the FPI region, then pushes a
2064 new entry on the FPI stack, initializing it with the number of parameters
2065 being passed (given by %1) and a reference to the FPI structure for the
2066 constructor for class x.
2068 DecodeCufIter <iterator id> <rel offset> [C] -> []
2070 This instruction looks up $1 as a callable, and writes enough information to
2071 iterator %1 for FPushCufIter to be able to push an actrec, as if it had been
2072 given the callable. If the function is not successfully decoded, branches to
2073 the given offset without raising a warning. No surprise check is performed.
2075 FPushCufIter <num params> <iterator id> [] -> []
2077 FPI push the result of a previous DecodeCufIter. No warning is raised.
2079 FPushCuf <num params> [C] -> []
2080 FPushCufF <num params> [C] -> []
2082 FPI push call user function. These instructions lookup $1 as a callable, and
2083 push a new entry onto the FPI stack. If $1 is not callable, they issue a
2084 warning, and push an entry representing a function which does nothing, takes
2085 no argument, and returns null.
2087 FPushCufSafe <num params> [C C] -> [C C:Bool]
2089 FPI push call user function. This instruction pops $1 and $2, then pushes $1
2090 back onto the stack. It then looks up $2 as a callable, and pushes a new
2091 entry onto the FPI stack. If $2 is not callable, it pushes an entry
2092 representing a function which does nothing, takes no argument, and returns
2093 null, and in addition pushes boolean false onto the evaluation stack;
2094 otherwise it pushes true onto the evaluation stack.
2096 CufSafeArray [C C R] -> [C]
2098 Pops 3 elements from the stack, and pushes array($2, $1), preserving refs.
2100 CufSafeReturn [C C R] -> [R]
2102 Pops 3 elements from the stack, and pushes $2 ? $1 : $3, preserving refs.
2104 FPassC <param id> [C] -> [F]
2105 FPassCW <param id> [C] -> [F]
2106 FPassCE <param id> [C] -> [F]
2108 FPI pass parameter. This instruction pushes $1 onto the stack as a cell
2109 regardless of whether parameter %1 is pass by value or pass by reference.
2111 If parameter %1 is pass by reference, FPassCW and FPassCE check if the
2112 function associated with the current FPI (the callee) is an extension
2113 function that can accept a cell for parameter %1. If this condition is not
2114 met, FPassCW will raise a warning while FPassCE will throw a fatal error.
2116 FPassV <param id> [V] -> [F]
2118 FPI pass parameter. If parameter %1 is pass by value, this instruction will
2119 unbox $1 and push it onto the stack as a cell. If parameter %1 is pass by
2120 reference, this instruction will push $1 onto the stack as a ref.
2122 FPassVNop <param id> [V] -> [F]
2124 FPI pass parameter, no op. Parameter %1 must be statically known to be pass
2125 by reference. This instruction pushes $1 onto the stack as a ref.
2127 FPassR <param id> [R] -> [F]
2129 FPI pass parameter. If $1 is a cell at run time, this instruction will behave
2130 like FPassC. Otherwise, this instruction will behave like FPassV.
2132 FPassL <param id> <local variable id> [] -> [F]
2134 FPI pass local as parameter. This instruction behaves as CGetL if parameter
2135 %1 is pass by value, or it behaves like VGetL if parameter %1 is pass by
2138 FPassN <param id> [C] -> [F]
2140 FPI pass local as parameter. This instruction behaves as CGetN if parameter
2141 %1 is pass by value, or it behaves like VGetN if parameter %1 is pass by
2144 FPassG <param id> [C] -> [F]
2146 FPI pass global as parameter. This instruction behaves as CGetG if parameter
2147 %1 is pass by value, or it behaves like VGetG if parameter %1 is pass by
2150 FPassS <param id> [C A] -> [F]
2152 FPI pass parameter. This instruction behaves as CGetS if parameter %1 is pass
2153 by value, or it behaves like VGetS if parameter %1 is pass by reference.
2155 FCall <num params> [F..F] -> [R]
2157 FPI call. This instruction gets the bytecode address of the function
2158 associated with the current FPI (the callee), transfers the top %1 values
2159 from the stack to the callee as parameters, pops the current FPI off of the
2160 FPI stack, and then invokes the dispatcher to call the callee. When the
2161 callee returns, it will transfer the return value onto the caller's
2162 evaluation stack using the R flavor.
2164 FCallD <num params> <class name> <func name> [F..F] -> [R]
2166 FPI call direct. This instruction has exactly the effects of FCall %1, but
2167 provides hints from static analysis to assist the region selector in
2168 determining the callee. The strings in %2 and %3 are statically known names
2169 of the class (if any) and method being called. If the call is targeting a
2170 non-method, %2 must be the empty string.
2172 FCallArray [F] -> [R]
2174 FPI call with array. This instruction gets the bytecode address of the
2175 function associated with the current FPI (the callee), transfers the elements
2176 of $1 (which must be an array) to the callee as parameters, pops the current
2177 FPI off of the FPI stack, and then invokes the dispatcher to call the callee.
2179 When the callee returns, it will transfer the return value onto the caller's
2180 evaluation stack using the R flavor.
2182 FCallUnpack <num params> [F..F] -> [R]
2184 FPI call with params and array. This instruction gets the bytecode address of
2185 the function associated with the current FPI (the callee), transfers the top
2186 %1 - 1 values from the stack to the callee as parameters, transfers the
2187 elements of the last value on the stack (which must be an array) to the
2188 callee as parameters, pops the current FPI off of the FPI stack, and then
2189 invokes the dispatcher to call the callee.
2191 When the callee returns, it will transfer the return value onto the caller's
2192 evaluation stack using the R flavor.
2194 FCallBuiltin <total params> <passed params> <litstr id> [C|V|U..C|V|U] -> [R]
2196 Optimized builtin call without an ActRec. This instruction attempts to lookup
2197 a builtin function named %3. If no function named %3 is defined, this
2198 instruction throws a fatal error. Otherwise, this function gets address of
2199 the builtin function named %3, transfers the top %1 values from the stack to
2200 the callee as parameters, and then invokes the dispatcher to call the callee.
2201 %2 denotes the number of non-default parameters pushed onto stack by user
2202 level code. When the callee returns, it will transfer the return value onto
2203 the caller's evaluation stack using the R flavor.
2206 9. Member operations
2207 --------------------
2209 The following operations describe processes that are shared across the Member
2210 instructions. Operations are not considered instructions; they do not have
2211 opcodes associated with them.
2213 Operations can produce and consume intermediate values called "bases". A "base"
2214 is a structure that contains either a cell or a ref or a reference to a memory
2215 location that is occupied by a cell or a ref. Bases are never pushed onto the
2218 For operations that create a base, the operation descriptions specify whether
2219 the base created "contains" a value or "references" a location. In the former
2220 case, the base created contains a cell or a ref. In the latter case, the base
2221 created contains a reference to a memory location occupied by a cell or a ref.
2223 When a base that contains a cell is destroyed, if the cell points to data then
2224 the execution engine is responsible for honoring the data's refcount logic.
2225 Likewise when a base that contains a ref is destroyed, the execution engine is
2226 responsible for honoring the refcount logic of the cell container pointed to by
2227 the ref. When a base that contains a reference to a memory location occupied by
2228 a cell or a ref is destroyed, no refcounting is required.
2230 Some operations that take a base as input can modify that base as part of the
2231 work performed by the operation. Such operations are said to "set" the base to
2232 a new value. When a base that contains a cell or a reference to a memory
2233 location occupied by a cell is set to a new value, the new value overwrites the
2234 previous value contained in the cell (honoring the data refcount logic if the
2235 previous value was a refcounted type). When a base that contains a ref or a
2236 reference to a memory location occupied by a ref is set to the new value, the
2237 new value is written into the cell container referenced by the ref, overwriting
2238 the previous cell in that container (honoring the data refcount logic if the
2239 previous cell was a refcounted type). Note that for bases that contain a
2240 reference to a memory location, "setting" the base does not change which memory
2241 location the base references.
2243 Operations are specified as if they directly operate on the top of the
2244 evaluation stack in the name of consistency and clarity, but in fact their
2245 inputs and outputs may reside elsewhere. The symbol 'B' is used in the input
2246 descriptions and output descriptions of operations to indicate that a given
2247 operation consumes a base as input or produces a base as output.
2251 Get base from value. This operation outputs a base that contains the value
2256 Get base from return value. This operation outputs a base that contains the
2257 return value given by $1.
2259 BaseL <local variable id> [] -> [B]
2261 Get base from local. This operation outputs a base that references the local
2262 given by %1. If the local is not defined, this operation outputs a base that
2265 BaseLW <local variable id> [] -> [B]
2267 Get base from local. This operation outputs a base that references the local
2268 given by %1. If the local is not defined, this operation raises a warning and
2269 outputs a base that contains null.
2271 BaseLD <local variable id> [] -> [B]
2273 Get base from local. This operation outputs a base that references the local
2274 given by %1. If the local is not defined, this operation defines it and
2275 returns a base that references the local.
2277 BaseLWD <local variable id> [] -> [B]
2279 Get base from local. This operation outputs a base that references the local
2280 variable given by %1. If the local is not defined, this operation defines it,
2281 raises a warning, and returns a base that references the local.
2284 BaseNL <local variable id> [] -> [B]
2286 Get base from name. This operation outputs a base that references the local
2287 variable whose name is given by (string)%1 or (string)$1. If the local is not
2288 defined, this operation outputs a base that contains null.
2291 BaseNLW <local variable id> [] -> [B]
2293 Get base from name. This operation outputs a base that references the local
2294 variable whose name is given by (string)%1 or (string)$1. If the local is not
2295 defined, this operation raises a warning and outputs a base that contains
2299 BaseNLD <local variable id> [] -> [B]
2301 Get base from name. This operation outputs a base that references the local
2302 variable whose name is given by (string)%1 or (string)$1. If the local is not
2303 defined, this operation defines it and returns a base that references the
2307 BaseNLWD <local variable id> [] -> [B]
2309 Get base from name. This operation outputs a base that references the local
2310 variable whose name is given by (string)%1 or (string)$1. If the local is not
2311 defined, this operation defines it, raises a warning, and returns a base that
2312 references the local.
2315 BaseGL <local variable id> [] -> [B]
2317 Get base from global name. This operation outputs a base that references the
2318 global variable whose name is given by (string)%1 or (string)$1. If the
2319 global is not defined, this operation produces a base that contains null.
2322 BaseGLW <local variable id> [] -> [B]
2324 Get base from global name. This operation outputs a base that references the
2325 global variable whose name is given by (string)%1 or (string)$1. If the
2326 global is not defined, this operation raises a warning and outputs a base
2330 BaseGLD <local variable id> [] -> [B]
2332 Get base from global name. This operation outputs a base that references the
2333 global variable whose name is given by (string)%1 or (string)$1. If the
2334 global is not defined, this operation defines it and returns a base that
2335 references the global.
2338 BaseGLWD <local variable id> [] -> [B]
2340 Get base from global name. This operation outputs a base that references the
2341 global variable whose name is given by (string)%1 or (string)$1. If the
2342 global is not defined, this operation defines it, raises a warning, and
2343 returns a base that references the global.
2346 BaseSL <local variable id> [A] -> [B]
2348 Get base from static property. First, this operation loads a value into x as
2349 given by the following table:
2356 Next this operation computes y = (string)x. Then this instruction checks if
2357 class $1 has an accessible property named y. If it does, this operation
2358 outputs a base that references the static property. Otherwise, this operation
2359 throws a fatal error.
2363 Get base from $this. This operation assumes that the current frame contains a
2364 valid $this pointer and outputs a base containing the object in $this.
2367 ElemL <local variable id> [B] -> [B]
2369 Fetch element if it exists. First, these operations load a value into x and a
2370 base into y, as given by the following table:
2373 ----------+----+-----
2377 Then, if y is an array, this operation outputs a base that references the
2378 element at index x from array y. If there is no element at index x, this
2379 operation outputs a base that contains null.
2381 If y is an object that implements the ArrayAccess interface, this operation
2382 outputs a base that contains the result of y->offsetGet(x).
2384 If y is an object that does not implement the ArrayAccess interface, this
2385 operation throws a fatal error.
2387 If y is a string, this operation computes z = (int)x. If z >= 0 and z <
2388 strlen(z), this operation builds a new string consisting of the character at
2389 offset z from y and outputs a base that contains the new string. Otherwise,
2390 this operation outputs a base that contains the empty string.
2392 If y is not a string, array, or object, this operation will output a null
2396 ElemLW <local variable id> [B] -> [B]
2398 Fetch element; warn if it doesn't exist.
2400 First, these operations load a value into x and a base into y, as given by
2401 the following table:
2404 ----------+----+-----
2408 If y is an array, this operation outputs a base that references the element
2409 at index x from array y. If there is no element at index x, this operation
2410 outputs a base that contains null and raises a warning.
2412 If y is an object that implements the ArrayAccess interface, this operation
2413 outputs a base that contains the result of y->offsetGet(x).
2415 If y is an object that does not implement the ArrayAccess interface, this
2416 operation throws a fatal error.
2418 If y is a string, this operation continues to compute z = (int)x. If z >= 0
2419 and z < strlen(z), this operation builds a new string consisting of the
2420 character at offset z from y and outputs a base that contains the new string.
2421 Otherwise, this operation raises a warning and outputs a base that contains
2424 If y is not a string, array, or object, this operation will output a null
2428 ElemLD <local variable id> [B] -> [B]
2430 Fetch element; define it if it doesn't exist.
2432 First, these operations load a value into x and a base into y, as given by
2433 the following table:
2436 ----------+----+-----
2440 If y is an array, this operation outputs a base that references the element
2441 at index x. If there is no element at index x, this operation creates an
2442 element at index x, and outputs a base that references the element.
2444 If y is an object that implements the ArrayAccess interface, this operation
2445 outputs a base that contains the result of y->offsetGet(x).
2447 If y is non-empty string or an object that does not implement the ArrayAccess
2448 interface, this operation throws a fatal error.
2450 If y is null, the empty string, or false, this operation will set y to a new
2451 empty array, create an element at index x, and output a base that references
2454 If y is true, integer, double, this operation raises a warning and outputs a
2455 base that contains null.
2457 ElemCWD [C B] -> [B]
2458 ElemLWD <local variable id> [B] -> [B]
2460 Fetch element; warn and define it if it doesn't exist.
2462 First, these operations load a value into x and a base into y, as given by
2463 the following table:
2466 ----------+----+-----
2470 If y is an array, this operation outputs a base that references the element
2471 at index x. If there is no element at index x, this operation creates an
2472 element at index x, raises a warning, and outputs a base that references the
2475 If y is an object that implements the ArrayAccess interface, this operation
2476 outputs a base that contains the result of y->offsetGet(x).
2478 If y is non-empty string or an object that does not implement the ArrayAccess
2479 interface, this operation throws a fatal error.
2481 If y is null, the empty string, or false, this operation will set y to a new
2482 empty array, create an element at index x, and output a base that references
2485 If y is true, integer, or double, this operation raises a warning and outputs
2486 a base that contains null.
2489 ElemLU <local variable id> [B] -> [B]
2491 Fetch element for unset.
2493 First, these operations load a value into x and a base into y, as given by
2494 the following table:
2497 ----------+----+-----
2501 If y is an array, this operation outputs a base that references the element
2502 at index x from array y. If there is no element at index x, this operation
2503 outputs a base that contains null.
2505 If y is an object that implements the ArrayAccess interface, this operation
2506 outputs a base that contains the result of y->offsetGet(x).
2508 If y is an object that does not implement the ArrayAccess interface, this
2509 operation throws a fatal error.
2511 If y is a string, this operation throws a fatal error.
2513 If y is not a string, array, or object, this operation will output a null
2518 Fetch new element. If $1 is an array, this operation creates a new element
2519 with the next available numeric key in array $1 and outputs a base that
2520 references the new element.
2522 If $1 is an object that implements the ArrayAccess interface, this operation
2523 outputs a base that contains the result of $1->offsetGet(null).
2525 If $1 is a non-empty string or an object that does not implement the
2526 ArrayAccess interface, this operation throws a fatal error.
2528 If $1 is null, false, or the empty string, this operation sets $1 to a new
2529 empty array, creates a new element with the next available numeric key in
2530 array $1, and then outputs a base that references the new element.
2532 If $1 is true, integer, or double, this operation raises a warning and
2533 outputs a base that contains null.
2536 PropL <local variable id> [B] -> [B]
2538 Fetch property if it exists.
2540 First, these operations load a value into x and a base into y, as given by
2541 the following table:
2544 ----------+----+-----
2548 Next, performs one of the following actions:
2553 y has eligible __get method
2554 y->x has been unset previously
2555 ------+---------------------------------------------------------------------
2558 10X1X | push ref(y->__get(x))
2559 1100X | throw fatal error
2560 1101X | push ref(y->__get(x))
2561 111X0 | push ref(y->x)
2563 11111 | push ref(y->__get(x))
2566 PropLW <local variable id> [B] -> [B]
2568 Fetch property; warn if it doesn't exist.
2570 First, these operations load a value into x and a base into y, as given by
2571 the following table:
2574 ----------+----+-----
2578 Next, performs one of the following actions:
2583 y has eligible __get method
2584 y->x has been unset previously
2585 -----+----------------------------------------------------------------------
2586 0XXXX | raise warning; push null
2587 10X0X | raise warning; push null
2588 10X1X | push ref(y->__get(x))
2589 1100X | throw fatal error
2590 1101X | push ref(y->__get(x))
2591 111X0 | push ref(y->x)
2592 11101 | raise warning; push null
2593 11111 | push ref(y->__get(x))
2596 PropLD <local variable id> [B] -> [B]
2598 Fetch property; define it if it doesn't exist.
2600 First, these operations load a value into x and a base into y, as given by
2601 the following table:
2604 ----------+----+-----
2608 Next, performs one of the following actions:
2614 y has eligible __get method
2615 y->x has been unset previously
2616 ------+---------------------------------------------------------------------
2618 01XXXX | y = new stdclass; create property y->x; push ref(y->x)
2619 1X0X0X | create property y->x; push ref(y->x)
2620 1X0X1X | push ref(y->__get(x))
2621 1X100X | throw fatal error
2622 1X101X | push ref(y->__get(x))
2623 1X11X0 | push ref(y->x)
2624 1X1101 | re-create property y->x, push ref(y->x)
2625 1X1111 | push ref(y->__get(x))
2627 PropCWD [C B] -> [B]
2628 PropLWD <local variable id> [B] -> [B]
2630 Fetch property; warn and define it if it doesn't exist.
2632 First, these operations load a value into x and a base into y, as given by
2633 the following table:
2636 ----------+----+-----
2640 Next, performs one of the following actions:
2646 y has eligible __get method
2647 y->x has been unset previously
2648 ------+---------------------------------------------------------------------
2649 00XXXX | raise warning; push null
2650 01XXXX | raise warning; y = new stdclass; create property y->x;
2652 1X0X0X | raise warning; create property y->x; push ref(y->x)
2653 1X0X1X | push ref(y->__get(x))
2654 1X100X | throw fatal error
2655 1X101X | push ref(y->__get(x))
2656 1X11X0 | push ref(y->x)
2657 1X1101 | re-create property y->x, push ref(y->x)
2658 1X1111 | push ref(y->__get(x))
2661 PropLU <local variabld id> [B] -> [B]
2663 Fetch property for unset.
2665 First, these operations load a value into x and a base into y, as given by
2666 the following table:
2669 ----------+----+-----
2673 Next, performs one of the following actions:
2678 y has eligible __get method
2679 y->x has been unset previously
2680 -----+----------------------------------------------------------------------
2682 10XXX | create property y->x; push ref(y->x)
2683 110XX | throw fatal error
2684 111X0 | push ref(y->x)
2685 111X1 | re-create property y->x, push ref(y->x)
2687 CGetElemC [C B] -> [C]
2688 CGetElemL <local variable id> [B] -> [C]
2690 Get element as cell.
2692 These instructions first load a value into x and a base into y, as given by
2693 the following table:
2696 ------------+----+-----
2700 If y is an array, this operation retrieves the element at index x from array
2701 y and pushes it onto the stack as a cell. If there is no element at index x,
2702 this operation raises a warning and pushes null onto the stack.
2704 If y is an object that implements the ArrayAccess interface, this operation
2705 pushes x->offsetGet($2) onto the stack.
2707 If y is an object that does not implement the ArrayAccess interface, this
2708 operation throws a fatal error.
2710 If y is a string, this operation continues to compute z = (int)x. If z >= 0
2711 and z < strlen(z), this operation builds a new string consisting of the
2712 character at offset z from y and pushes it onto the stack. Otherwise, this
2713 operation raises a warning and pushes the empty string onto the stack.
2715 If y is not a string, array, or object, this operation will push null onto
2718 VGetElemC [C B] -> [V]
2719 VGetElemL <local variable id> [B] -> [V]
2723 These instructions first load a value into x and a base into y, as given by
2724 the following table:
2727 ------------+----+-----
2731 If y is an array, this operation retrieves the element at index x from array
2732 y and pushes it onto the stack as a ref. If there is no element at index x,
2733 this operation creates a new element at index x, and pushes it onto the stack
2736 If y is an object that implements the ArrayAccess interface, this operation
2737 pushes y->offsetGet(x) onto the stack as a ref.
2739 If y is a non-empty string or an object that does not implement the
2740 ArrayAccess interface, this operation throws a fatal error.
2742 If y is null, false, or the empty string, this operation sets y to a new
2743 empty array. Then this operation retrieves the element at index x from array
2744 y and pushes it onto the stack as a ref. If there is no element at index x,
2745 this operation creates a new element at index x, and pushes it onto the stack
2748 If y is true, integer, or double, this operation raises a warning and pushes
2749 null onto the stack.
2751 IssetElemC [C B] -> [C:Bool]
2752 IssetElemL <local variable id> [B] -> [C:Bool]
2756 These instructions first load a value into x and a base into y, as given by
2757 the following table:
2760 ------------+----+-----
2761 IssetElemC | $2 | $1
2762 IssetElemL | %1 | $1
2764 If y is an array, this operation pushes !is_null(y[x]) onto the stack.
2766 If y is an object that implements the ArrayAccess interface, this operation
2767 pushes y->offsetExists(x) onto the stack.
2769 If y is an object that does not implement the ArrayAccess interface, this
2770 operation throws a fatal error.
2772 If y is a string, this operation computes z = (int)x and then it pushes (z >=
2773 0 && z < strlen(y)) onto the stack.
2775 If y is a not a string, array, or object, this operation pushes false onto
2778 EmptyElemC [C B] -> [C]
2779 EmptyElemL <local variable id> [B] -> [C]
2783 These instructions first load a value into x and a base into y, as given by
2784 the following table:
2787 ------------+----+-----
2788 EmptyElemC | $2 | $1
2789 EmptyElemL | %1 | $1
2791 If y is an array, this operation pushes !(y[x]) onto the stack.
2793 If y is an object that implements the ArrayAccess interface, this operation
2794 first calls y->offsetExists(x); if that returns false this operation pushes
2795 true onto the stack, otherwise it pushes !(y->offsetGet(x)) onto the stack.
2797 If y is an object that does not implement the ArrayAccess interface, this
2798 operation throws a fatal error.
2800 If y is a string, this operation computes z = (int)x, then pushes true if (z
2801 < 0 || z >= strlen(y)), !(y[z]) otherwise.
2803 If y is, not an array, object, or string, this operation pushes true onto the
2806 SetElemC [C C B] -> [C]
2808 Set element. If $1 is an array, this operation executes $1[$3] = $2 and then
2809 pushes $2 onto the stack.
2811 If $1 is an object that implements the ArrayAccess interface, this operation
2812 executes $1->offsetSet($3, $2) and then pushes $2 onto the stack.
2814 If $1 is an object that does not implement the ArrayAccess interface, this
2815 operation throws a fatal error.
2817 If $1 is null, the empty string, or false, this operation sets $1 to a new
2818 empty array, executes $1[$3] = $2, and then pushes $2 onto the stack.
2820 If $1 is a non-empty string, this operation first computes x = (int)$3. If x
2821 is negative, this operation raises a warning and does nothing else. If x is
2822 non-negative, this operation appends spaces to the end of $1 as needed to
2823 ensure that x is in bounds, then it computes y = substr((string)$2,0,1), and
2824 then it sets the character at index x in $1 equal to y (if y is not empty) or
2825 it sets the character at index x in $1 to "\0" (if y is empty). Then this
2826 operation pushes y on to the stack.
2828 If $1 is true, integer, or double, this operation raises a warning and pushes
2829 null onto the stack as a cell.
2831 SetElemL <local variable id> [C B] -> [C]
2833 Set element. If $1 is an array, this operation executes $1[%1] = $2 and then
2834 pushes $2 onto the stack.
2836 If $1 is an object that implements the ArrayAccess interface, this operation
2837 executes $1->offsetSet(%1, $2) and then pushes $2 onto the stack.
2839 If $1 is an object that does not implement the ArrayAccess interface, this
2840 operation throws a fatal error.
2842 If $1 is null, the empty string, or false, this operation sets $1 to a new
2843 empty array, executes $1[%1] = $2, and then pushes $2 onto the stack.
2845 If $1 is a non-empty string, this operation first computes x = (int)%1. If x
2846 is negative, this operation raises a warning and does nothing else. If x is
2847 non-negative, this operation appends spaces to the end of $1 as needed to
2848 ensure that x is in bounds, then it computes y = substr((string)$2,0,1), and
2849 then it sets the character at index x in $1 equal to y (if y is not empty) or
2850 it sets the character at index x in $1 to "\0" (if y is empty). Then this
2851 operation pushes y on to the stack.
2853 If $1 is true, integer, or double, this operation raises a warning and pushes
2854 null onto the stack as a cell.
2856 SetOpElemC <op> [C C B] -> [C]
2858 Set element op. If $1 is an array, this operation first checks $1 contains an
2859 element at offset $2. If it does not, this operation creates an element at
2860 offset $2, sets it to null, and raises a warning. Next, this operation
2861 executes x = $1[$3], y = x <op> $2, and $1[$3] = y, and then it pushes y onto
2862 the stack as a cell.
2864 If $1 is null, false, or the empty string, this operation first sets $1 to a
2865 new empty array. Then it follows the rules described in the case above.
2867 If $1 is an object that implements the ArrayAccess interface, this operation
2868 executes x = $1->offsetGet($3), y = x <op> $2, and $1->offsetSet($3, y), and
2869 then it pushes y onto the stack as a cell.
2871 If $1 is a non-empty string or an object that does not implement the
2872 ArrayAccess interface, this operation throws a fatal error.
2874 If $1 is true, integer, or double, this operation raises a warning and pushes
2875 null onto the stack.
2877 SetOpElemL <op> <local variable id> [C B] -> [C]
2879 Set element op. If $1 is an array, this operation first checks $1 contains an
2880 element at offset $2. If it does not, this operation creates an element at
2881 offset $2, sets it to null, and raises a warning. Next, this operation
2882 executes x = $1[%1], y = x <op> $2, and $1[%1] = y, and then it pushes y onto
2883 the stack as a cell.
2885 If $1 is null, false, or the empty string, this operation first sets $1 to a
2886 new empty array. Then it follows the rules described in the case above.
2888 If $1 is an object that implements the ArrayAccess interface, this operation
2889 executes x = $1->offsetGet(%1), y = x <op> $2, and $1->offsetSet(%1, y), and
2890 then it pushes y onto the stack as a cell.
2892 If $1 is a non-empty string or an object that does not implement the
2893 ArrayAccess interface, this operation throws a fatal error.
2895 If $1 is true, integer, or double, this operation raises a warning and pushes
2896 null onto the stack.
2898 IncDecElemC <op> [C B] -> [C]
2900 Increment/decrement element. If $1 is an array, this operation checks if $1
2901 contains an element at offset $2. If it does not, this operation creates an
2902 element at offset $2, sets it to null, and raises a warning. Next, this
2903 operation executes x = $1[$2], y = x, and either ++y (if op is PreInc or
2904 PostInc) or --y (if op is PreDec or PostDec). Then it assigns y to $1[$2] and
2905 pushes either y (if op is PreInc or PreDec) or x (if op is PostInc or
2906 PostDec) onto the stack.
2908 If $1 is null, false, or the empty string, this operation first sets $1 to an
2909 empty array. Then it follows the rules described in the case above.
2911 If $1 is a non-empty string or an object that does not implement the
2912 ArrayAccess interface, this operation throws a fatal error.
2914 If $1 is an object that implements ArrayAccess, this operation executes x =
2915 $1->offsetGet($2), y = x, and either ++y (if op is PreInc or PostInc) or --y
2916 (if op is PreDec or PostDec). Then it pushes either y (if op is PreInc or
2917 PreDec) or x (if op is PostInc or PostDec) onto the stack.
2919 If $1 is true, integer, or double, this operation raises a warning and pushes
2920 null onto the stack.
2922 IncDecElemL <op> <local variable id> [B] -> [C]
2924 Increment/decrement element. If $1 is an array, this operation checks if $1
2925 contains an element at offset %1. If it does not, this operation creates an
2926 element at offset %1, sets it to null, and raises a warning. Next, this
2927 operation executes x = $1[%1], y = x, and either ++y (if op is PreInc or
2928 PostInc) or --y (if op is PreDec or PostDec). Then it assigns y to $1[%1] and
2929 pushes either y (if op is PreInc or PreDec) or x (if op is PostInc or
2930 PostDec) onto the stack.
2932 If $1 is null, false, or the empty string, this operation first sets $1 to an
2933 empty array. Then it follows the rules described in the case above.
2935 If $1 is a non-empty string or an object that does not implement the
2936 ArrayAccess interface, this operation throws a fatal error.
2938 If $1 is an object that implements ArrayAccess, this operation executes x =
2939 $1->offsetGet(%1), y = x, and either ++y (if op is PreInc or PostInc) or --y
2940 (if op is PreDec or PostDec). Then it pushes either y (if op is PreInc or
2941 PreDec) or x (if op is PostInc or PostDec) onto the stack.
2943 If $1 is true, integer, or double, this operation raises a warning and pushes
2944 null onto the stack.
2946 BindElemC [C V B] -> [V]
2947 BindElemL <local variable id> [V B] -> [V]
2951 This instruction first loads a value into x, from $3 or the local referred to
2954 If $1 is an array, this operation executes $1[x] =& $2 and pushes $2 onto the
2957 If $1 is an object, this operation throws a fatal error.
2959 If $1 is null, false, or the empty string, this operation sets $1 to a new
2960 empty array, executes $1[x] =& $2, and pushes $2 onto the stack as a ref.
2962 If $1 is a non-empty string, this operation throws a fatal error.
2964 If $1 is true, integer, or double, this operation raises a warning.
2966 UnsetElemC [C B] -> []
2967 UnsetElemL <local variable id> [B] -> []
2971 These instructions first load a value into x and a base into y, as given by
2972 the following table:
2975 ------------+----+-----
2976 UnsetElemL | %1 | $1
2977 UnsetElemC | $2 | $1
2979 If y is an array, this operation removes the element at index x from array y.
2981 If y is an object that implements ArrayAccess interface, this operation
2982 executes y->offsetUnset(x).
2984 If y is an object that does not implement the ArrayAccess interface, this
2985 operation throws a fatal error.
2987 If y is a string, this operation throws a fatal error.
2989 If y is not a string, array, or object, this operation does nothing.
2991 VGetNewElem [B] -> [V]
2993 Get new element as ref.
2995 If $1 is an array, this operation creates a new element with the next
2996 available numeric key in array $1 and pushes it onto the stack as a ref.
2998 If $1 is an object that implements the ArrayAccess interface, this operation
2999 pushes $1->offsetGet($2) onto the stack as a ref.
3001 If $1 is a non-empty string or an object that does not implement the
3002 ArrayAccess interface, this operation throws a fatal error.
3004 If $1 is null, false, or the empty string, this operation first sets $1 to a
3005 new empty array. Then it creates a new element with the next available
3006 numeric key in array $1 and pushes it onto the stack as a ref.
3008 If $1 is true, integer, or double, this operation raises a warning and pushes
3009 null onto the stack.
3011 SetNewElem [C B] -> [C]
3013 Set new element. If $1 is an array, this operation executes $1[] = $2 and
3014 then pushes $2 onto the stack.
3016 If $1 is null, false, or the empty string, this operation sets $1 to a new
3017 empty array, and then it executes $1[] = $2 and pushes $2 onto the stack.
3019 If $1 is a non-empty string or an object that does not implement the
3020 ArrayAccess interface, this operation throws a fatal error.
3022 If $1 is an object that implements the ArrayAccess interface, this operation
3023 executes $1->offsetSet(null, $2) and then pushes $2 onto the stack.
3025 If $1 is true, integer, or double, this operation raises a warning and pushes
3026 null onto the stack.
3028 SetOpNewElem <op> [C B] -> [C]
3030 Set op new element. If $1 is an array, this operation first determines the
3031 next available integer offset k in array $1. Next, this operation executes
3032 $1[k] = null, x = $1[k], and y = x <op> $2. Then it assigns y to $1[k] and
3033 pushes y onto the stack.
3035 If $1 is null, false, or the empty string, this operation first sets $1 to an
3036 empty array. Then it follows the rules described in the case above.
3038 If $1 is a non-empty string or an object that does not implement the
3039 ArrayAccess interface, this operation throws a fatal error.
3041 If $1 is an object that implements ArrayAccess, this operation executes x =
3042 $1->offsetGet(null), y = x <op> $2, and $1->offsetSet(null, y). Then it
3043 pushes y onto the stack.
3045 If $1 is true, integer, or double, this operation raises a warning and pushes
3046 null onto the stack.
3048 IncDecNewElem <op> [B] -> [C]
3050 Increment/decrement new element. If $1 is an array, this operation first
3051 determines the next available integer offset k in array $1. Next, this
3052 operation executes $1[k] = null, x = $1[k], y = x, and either ++y (if op is
3053 PreInc or PostInc) or --y (if op is PreDec or PostDec). Then it assigns y to
3054 $1[k] and pushes either y (if op is PreInc or PreDec) or x (if op is PostInc
3055 or PostDec) onto the stack.
3057 If $1 is null, false, or the empty string, this operation first sets $1 to an
3058 empty array. Then it follows the rules described in the case above.
3060 If $1 is a non-empty string or an object that does not implement the
3061 ArrayAccess interface, this operation throws a fatal error.
3063 If $1 is an object that implements ArrayAccess, this operation executes x =
3064 $1->offsetGet(null), y = x, and either ++y (if op is PreInc or PostInc) or
3065 --y (if op is PreDec or PostDec). Then it pushes either y (if op is PreInc or
3066 PreDec) or x (if op is PostInc or PostDec) onto the stack.
3068 If $1 is true, integer, or double, this operation raises a warning and pushes
3069 null onto the stack.
3071 BindNewElem [V B] -> [V]
3073 Bind new element. If $1 is an array, this operation executes $1[] =& $2 and
3074 then it pushes $2 onto the stack.
3076 If $1 is null, false, or empty string, this operation sets $1 to a new empty
3077 array, executes $1[] =& $2, and pushes $2 onto the stack.
3079 If $1 is a non-empty string or an object, this operation throws a fatal
3082 If $1 is true, integer, or double, this operation raises a warning and pushes
3083 null onto the stack.
3085 CGetPropC [C B] -> [C]
3086 CGetPropL <local variable id> [B] -> [C]
3088 Get property as cell.
3090 These instructions first load a value into x and a base into y, as given by
3091 the following table:
3094 ------------+----+-----
3098 If y is an object that does not have an eligible __get method, this operation
3099 first checks if y has a visible property named x. If it does not, this
3100 operation raises a warning and pushes null. Otherwise, this operation
3101 continues to check if the property named x is accessible. If the property
3102 named x is accessible this operation pushes it onto the stack as a cell,
3103 otherwise this operation throws a fatal error.
3105 If y is an object that has an eligible __get method, this operation checks if
3106 y has a visible and accessible property named x. If it does, this operation
3107 pushes the property onto the stack. Otherwise, this operation pushes
3108 y->__get(x) onto the stack.
3110 If y is not an object, this operation will raise a warning and push null onto
3113 VGetPropC [C B] -> [V]
3114 VGetPropL <local variable id> [B] -> [V]
3116 Get property as ref.
3118 These instructions first load a value into x and a base into y, as given by
3119 the following table:
3122 ------------+----+-----
3126 If y is an object that does not have an eligible __get method, this operation
3127 first checks if y has a visible property named x. If it does not, this
3128 operation will create a new property named x and push it onto the stack as a
3129 ref. Otherwise this operation continues to check if the property named x is
3130 accessible. If it the property named x is accessible this operation pushes it
3131 onto the stack as a ref, otherwise this operation throws a fatal error.
3133 If y is an object has an eligible __get method, this operation checks if y
3134 has a visible and accessible property named x. If it does, this operation
3135 pushes the property onto the stack. Otherwise, this operation pushes
3136 y->__get(x) onto the stack.
3138 If y is null, false, or the empty string, this operation will set y to a new
3139 object of type stdclass, create a new property named x, and pushes it onto
3142 If y is true, integer, double, a non-empty string, or an array, this
3143 operation raises a warning and pushes null.
3145 IssetPropC [C B] -> [C:Bool]
3146 IssetPropL <local variable id> [B] -> [C:Bool]
3150 These instructions first load a value into x and a base into y, as given by
3151 the following table:
3154 -------------+----+-----
3155 IssetPropC | $2 | $1
3156 IssetPropL | %1 | $1
3158 If y is an object that does not have an eligible __isset method, this
3159 operation checks if y has a visible accessible property named x. If it does,
3160 this operation pushes !is_null(y->x) onto the stack. Otherwise this operation
3161 pushes false onto the stack.
3163 If y is an object that has an eligible __isset method, this operation checks
3164 if y has a visible and accessible property named x. If it does, this
3165 operation pushes !is_null(y->x) onto the stack. Otherwise this operation
3166 pushes y->__isset(x) onto the stack.
3168 If y is an array, this operation pushes !is_null(y[x]) onto the stack.
3170 If y is not an object or array, this operation pushes false.
3172 EmptyPropC [C B] -> [C:Bool]
3173 EmptyPropL <local variable id> [B] -> [C:Bool]
3177 These instructions first load a value into x and a base into y, as given by
3178 the following table:
3181 -------------+----+-----
3182 EmptyPropC | $2 | $1
3183 EmptyPropL | %1 | $1
3185 If y is an object that does not have an eligible __isset method, this
3186 operation first checks if y has a visible and accessible property named x.
3187 If it does, this operation pushes !(y->x) onto the stack. Otherwise this
3188 operation pushes true onto the stack.
3190 If y is an object that has an eligible __isset method but it does not have an
3191 eligible __get method, this operation checks if y has a visible and
3192 accessible property named x. If it does, this operation pushes !(y->x) onto
3193 the stack. Otherwise this operation pushes !(y->__isset(x)) onto the stack.
3195 If y is an object that has an eligible __isset method and an eligible __get
3196 method, this operation checks if y has a visible and accessible property
3197 named x. If it does, this operation pushes !(y->x) onto the stack. Otherwise
3198 this operation continues to execute x = y->__isset(x). If x is false this
3199 operation pushes true onto the stack, otherwise this operation pushes
3200 !(y->__get(x)) onto the stack.
3202 If y is an array, this operation pushes !(y[x]) onto the stack.
3204 If y is not an object or array, this operation pushes true.
3206 SetPropC [C C B] -> [C]
3207 SetPropL <local variable id> [C B] -> [C]
3209 Set property. Perform one of the following actions:
3211 First, these operations load values into k and x, and a base into y, as given
3212 by the following table:
3215 ----------+----+----+----
3216 SetPropC | $3 | $2 | $1
3217 SetPropL | %1 | $2 | $1
3219 Next, performs one of the following actions:
3225 y has eligible __set method
3226 y->k has been unset previously
3227 ------+---------------------------------------------------------------------
3228 00XXXX | raise warning; push null
3229 01XXXX | y = new stdclass; y->k = x; push x
3230 1X0X0X | create property y->k; y->k = x; push x
3231 1X0X1X | y->__set(k, x); push x
3232 1X100X | throw fatal error
3233 1X101X | y->__set(k, x); push x
3234 1X11X0 | y->k = x; push x
3235 1X1101 | re-create property y->k; y->k = x; push x
3236 1X1111 | y->__set(k, x); push x
3238 SetOpPropC <op> [C C B] -> [C]
3240 Set op property. Perform one of the following actions:
3245 $1->$3 is accessible
3246 $1 has eligible __get method
3247 $1 has eligible __set method
3248 $1->$3 has been unset previously
3249 -------+--------------------------------------------------------------------
3250 00XXXXX | raise warning; push null
3251 01XXXXX | $1 = new stdclass; y = null <op> $2; $1->$3 = y; push y
3252 100X0XX | y = null <op> $2; $1->$3 = y; push y
3253 100X10X | x = $1->__get($3); y = x <op> $2; $1->$3 = y; push y
3254 100X11X | x = $1->__get($3); y = x <op> $2; $1->__set($3, y), push y
3255 10100XX | throw fatal error
3256 101010X | throw fatal error
3257 101011X | x = $1->__get($3); y = x <op> $2; $1->__set($3, y), push y
3258 1011XX0 | x = $1->$3; y = x <op> $2; $1->$3 = y; push y
3259 10110X1 | y = null <op> $2; re-create $1->$3; $1->$3 = y; push y
3260 1011101 | x = $1->__get($3); y = x <op> $2; re-create $1->$3; $1->$3 = y;
3262 1011111 | x = $1->__get($3); y = x <op> $2; $1->__set($3, y); push y
3264 SetOpPropL <op> <local variable id> [C B] -> [C]
3266 Set op property. Perform one of the following actions, where k is the value
3267 of the local given by %2.
3273 $1 has eligible __get method
3274 $1 has eligible __set method
3275 $1->k has been unset previously
3276 -------+--------------------------------------------------------------------
3277 00XXXXX | raise warning; push null
3278 01XXXXX | $1 = new stdclass; y = null <op> $2; $1->k = y; push y
3279 100X0XX | y = null <op> $2; $1->k = y; push y
3280 100X10X | x = $1->__get(k); y = x <op> $2; $1->k = y; push y
3281 100X11X | x = $1->__get(k); y = x <op> $2; $1->__set(k, y), push y
3282 10100XX | throw fatal error
3283 101010X | throw fatal error
3284 101011X | x = $1->__get(k); y = x <op> $2; $1->__set(k, y), push y
3285 1011XX0 | x = $1->k; y = x <op> $2; $1->k = y; push y
3286 10110X1 | y = null <op> $2; re-create $1->k; $1->k = y; push y
3287 1011101 | x = $1->__get(k); y = x <op> $2; re-create $1->k; $1->k = y;
3289 1011111 | x = $1->__get(k); y = x <op> $2; $1->__set(k, y); push y
3291 IncDecPropC <op> [C B] -> [C]
3293 Increment/decrement property. Perform one of the following actions:
3298 $1->$2 is accessible
3299 $1 has eligible __get method
3300 $1 has eligible __set method
3301 $1->$2 has been unset previously
3302 -------+--------------------------------------------------------------------
3303 00XXXXX | raise warning; push null
3304 01XXXXX | $1 = new stdclass; x = null; y = x; <op>y; $1->$2 = y;
3305 | push y (Pre*) or x (Post*)
3306 100X0XX | x = null; y = x; <op>y; $1->$2 = y; push y (Pre*) or x (Post*)
3307 100X10X | x = $1->__get($2); y = x; <op>y; $1->$2 = y;
3308 | push y (Pre*) or x (Post*)
3309 100X11X | x = $1->__get($2); y = x, <op>y; $1->__set($2, y);
3310 | push y (Pre*) or x (Post*)
3311 10100XX | throw fatal error
3312 101010X | throw fatal error
3313 101011X | x = $1->__get($2); y = x, <op>y; $1->__set($2, y);
3314 | push y (Pre*) or x (Post*)
3315 1011XX0 | x = $1->$2; y = x; <op>y; $1->$2 = y; push y (Pre*) or x (Post*)
3316 10110X1 | x = null; y = x; <op>y; re-create $1->$2; $1->$2 = y;
3317 | push y (Pre*) or x (Post*)
3318 1011101 | x = $1->__get($2); y = x; <op>y; re-create $1->$2; $1->$2 = y;
3319 | push y (Pre*) or x (Post*)
3320 1011111 | x = $1->__get($2); y = x; <op>y; $1->__set($2, y);
3321 | push y (Pre*) or x (Post*)
3323 IncDecPropL <op> <local variable id> [B] -> [C]
3325 Increment/decrement property. Perform one of the following actions, where k
3326 is the value of the local variable given by %2.
3332 $1 has eligible __get method
3333 $1 has eligible __set method
3334 $1->k has been unset previously
3335 -------+--------------------------------------------------------------------
3336 00XXXXX | raise warning; push null
3337 01XXXXX | $1 = new stdclass; x = null; y = x; <op>y; $1->k = y;
3338 | push y (Pre*) or x (Post*)
3339 100X0XX | x = null; y = x; <op>y; $1->k = y; push y (Pre*) or x (Post*)
3340 100X10X | x = $1->__get(k); y = x; <op>y; $1->k = y;
3341 | push y (Pre*) or x (Post*)
3342 100X11X | x = $1->__get(k); y = x, <op>y; $1->__set(k, y);
3343 | push y (Pre*) or x (Post*)
3344 10100XX | throw fatal error
3345 101010X | throw fatal error
3346 101011X | x = $1->__get(k); y = x, <op>y; $1->__set(k, y);
3347 | push y (Pre*) or x (Post*)
3348 1011XX0 | x = $1->k; y = x; <op>y; $1->k = y; push y (Pre*) or x (Post*)
3349 10110X1 | x = null; y = x; <op>y; re-create $1->k; $1->k = y;
3350 | push y (Pre*) or x (Post*)
3351 1011101 | x = $1->__get(k); y = x; <op>y; re-create $1->k; $1->k = y;
3352 | push y (Pre*) or x (Post*)
3353 1011111 | x = $1->__get(k); y = x; <op>y; $1->__set(k, y);
3354 | push y (Pre*) or x (Post*)
3356 BindPropC [C V B] -> [V]
3358 Bind property. If $1 is an object that does not have an eligible __set
3359 method, this operation first checks if $1 has a visible property named $3. If
3360 it does not, this operation creates a new property named $3, executes $1->$3
3361 =& $2, and pushes $2 onto the stack. Otherwise, this operation continues to
3362 check if the property named $3 is accessible. If the property named $3 is not
3363 accessible, this operation throws a fatal error. Otherwise, this operation
3364 executes $1->$3 =& $2 and pushes $2 onto the stack.
3366 If $1 is an object that has an eligible __set method, this operation checks
3367 if $1 has a visible and accessible property named $3. If it does, this
3368 operation follows the rules described in the first case given above.
3369 Otherwise this operation throws a fatal error.
3371 If $1 is null, false, or empty string, this operation sets $1 to a new object
3372 of type stdclass, executes $1->$3 =& $2, and pushes $2 onto the stack.
3374 If $1 is true, integer, double, a non-empty string, or an array, this
3375 operation raises a warning and pushes null onto the stack.
3377 BindPropL <local variable id> [V B] -> [V]
3379 Bind property. Where k is the value of the local variable given by %1:
3381 If $1 is an object that does not have an eligible __set method, this
3382 operation first checks if $1 has a visible property named k. If it does not,
3383 this operation creates a new property named k, executes $1->k =& $2, and
3384 pushes $2 onto the stack. Otherwise, this operation continues to check if the
3385 property named k is accessible. If the property named k is not accessible,
3386 this operation throws a fatal error. Otherwise, this operation executes $1->k
3387 =& $2 and pushes $2 onto the stack.
3389 If $1 is an object that has an eligible __set method, this operation checks
3390 if $1 has a visible and accessible property named k. If it does, this
3391 operation follows the rules described in the first case given above.
3392 Otherwise this operation throws a fatal error.
3394 If $1 is null, false, or empty string, this operation sets $1 to a new object
3395 of type stdclass, executes $1->k =& $2, and pushes $2 onto the stack.
3397 If $1 is true, integer, double, a non-empty string, or an array, this
3398 operation raises a warning and pushes null onto the stack.
3400 UnsetPropC [C B] -> []
3401 UnsetPropL <local variable id> [B] -> []
3405 These instructions first load a value into x and a base into y, as given by
3406 the following table:
3409 -------------+----+-----
3410 UnsetPropC | $2 | $1
3411 UnsetPropL | %1 | $1
3413 Next, performs one of the following actions:
3418 y has eligible __unset method
3419 -----+----------------------------------------------------------------------
3422 10X1 | y->__unset(x)
3423 1100 | throw fatal error
3424 1101 | y->__unset(x)
3428 10. Member instructions
3429 -----------------------
3431 Member instructions perform series of operations that are structurally
3432 identical, but each instruction utilizes a distinct set of operations. For each
3433 member instruction, first use a Base* operation depending on the kind of
3434 location code. Next perform a series of intermediate operations depending on
3435 member code to process all but the last member. Finally, perform a final
3436 operation depending on member code to process the last member. See the
3437 instruction-specific tables for details.
3439 The member codes that represent immediate literal data (ET, EI, PT) are
3440 implemented using the corresponding EC or PC intermediate operation: they
3441 behave exactly as though that literal data had been pushed on the stack as a
3442 cell, then consumed by an ElemC* or PropC* operation.
3444 CGetM <loc-desc/M-vector> [C..C] -> [C]
3448 location Base* member intermediate final
3449 descriptor operation code operation operation
3450 -----------+---------- -------+--------------+----------
3451 C | BaseC EC | ElemCW | CGetElemC
3452 R | BaseR PC | PropCW | CGetPropC
3453 L | BaseLW EL | ElemLW | CGetElemL
3454 NC | BaseNCW PL | PropLW | CGetPropL
3455 NL | BaseNLW W | N/A | N/A
3462 VGetM <loc-desc/M-vector> [C..C] -> [V]
3466 location Base* member intermediate final
3467 descriptor operation code operation operation
3468 -----------+---------- -------+--------------+------------
3469 C | BaseC EC | ElemCD | VGetElemC
3470 R | BaseR PC | PropCD | VGetPropC
3471 L | BaseLD EL | ElemLD | VGetElemL
3472 NC | BaseNCD PL | PropLD | VGetPropL
3473 NL | BaseNLD W | NewElem | VGetNewElem
3480 FPassM <param id> <loc-desc/M-vector> [C..C] -> [F]
3482 FPI pass parameter. This instruction behaves as CGetM if parameter %1 is pass
3483 by value, or it behaves like VGetM if parameter %1 is pass by reference. Then
3484 it passes the value produced to the callee.
3486 IssetM <loc-desc/M-vector> [C..C] -> [C:Bool]
3490 location Base* member intermediate final
3491 descriptor operation code operation operation
3492 -----------+---------- -------+--------------+-----------
3493 C | BaseC EC | ElemC | IssetElemC
3494 R | BaseR PC | PropC | IssetPropC
3495 L | BaseL EL | ElemL | IssetElemL
3496 NC | BaseNC PL | PropL | IssetPropL
3497 NL | BaseNL W | N/A | N/A
3504 EmptyM <loc-desc/M-vector> [C..C] -> [C:Bool]
3508 location Base* member intermediate final
3509 descriptor operation code operation operation
3510 -----------+---------- -------+--------------+-----------
3511 C | BaseC EC | ElemC | EmptyElemC
3512 R | BaseR PC | PropC | EmptyPropC
3513 L | BaseL EL | ElemL | EmptyElemL
3514 NC | BaseNC PL | PropL | EmptyPropL
3515 NL | BaseNL W | N/A | N/A
3522 SetM <loc-desc/M-vector> [C..C C] -> [C]
3526 location Base* member intermediate final
3527 descriptor operation code operation operation
3528 -----------+---------- -------+--------------+-----------
3529 C | BaseC EC | ElemCD | SetElemC
3530 R | BaseR PC | PropCD | SetPropC
3531 L | BaseLD EL | ElemLD | SetElemL
3532 NC | BaseNCD PL | PropLD | SetPropL
3533 NL | BaseNLD W | NewElem | SetNewElem
3540 SetWithRefLM <loc-desc/M-vector> <local variable id> [C..C] -> []
3542 Set member preserving the reffiness of the local.
3544 location Base* member intermediate final
3545 descriptor operation code operation operation
3546 -----------+---------- -------+--------------+-----------
3547 C | BaseC EC | ElemCD | SetWithRefElemC
3548 R | BaseR PC | PropCD | SetPropC
3549 L | BaseLD EL | ElemLD | SetWithRefElemL
3550 NC | BaseNCD PL | PropLD | SetPropL
3551 NL | BaseNLD W | NewElem | SetWithRefNewElem
3558 SetWithRefRM <loc-desc/M-vector> [C..C R] -> []
3560 Set member preserving the reffiness of the stack element.
3562 location Base* member intermediate final
3563 descriptor operation code operation operation
3564 -----------+---------- -------+--------------+-----------
3565 C | BaseC EC | ElemCD | SetWithRefElemC
3566 R | BaseR PC | PropCD | SetPropC
3567 L | BaseLD EL | ElemLD | SetWithRefElemL
3568 NC | BaseNCD PL | PropLD | SetPropL
3569 NL | BaseNLD W | NewElem | SetWithRefNewElem
3576 SetOpM <op> <loc-desc/M-vector> [C..C C] -> [C]
3580 location Base* member intermediate final
3581 descriptor operation code operation operation
3582 -----------+---------- -------+--------------+-------------
3583 C | BaseC EC | ElemCWD | SetOpElemC
3584 R | BaseR PC | PropCWD | SetOpPropC
3585 L | BaseLWD EL | ElemLWD | SetOpElemL
3586 NC | BaseNCWD PL | PropLWD | SetOpPropL
3587 NL | BaseNLWD W | NewElem | SetOpNewElem
3594 IncDecM <op> <loc-desc/M-vector> [C..C] -> [C]
3596 Increment/decrement member.
3598 location Base* member intermediate final
3599 descriptor operation code operation operation
3600 -----------+---------- -------+--------------+--------------
3601 C | BaseC EC | ElemCWD | IncDecElemC
3602 R | BaseR PC | PropCWD | IncDecPropC
3603 L | BaseLWD EL | ElemLWD | IncDecElemL
3604 NC | BaseNCWD PL | PropLWD | IncDecPropL
3605 NL | BaseNLWD W | NewElem | IncDecNewElem
3612 BindM <loc-desc/M-vector> [C..C V] -> [V]
3616 location Base* member intermediate final
3617 descriptor operation code operation operation
3618 -----------+---------- -------+--------------+------------
3619 C | BaseC EC | ElemCD | BindElemC
3620 R | BaseR PC | PropCD | BindPropC
3621 L | BaseLD EL | ElemLD | BindElemL
3622 NC | BaseNCD PL | PropLD | BindPropL
3623 NL | BaseNLD W | NewElem | BindNewElem
3630 UnsetM <loc-desc/M-vector> [C..C] -> []
3634 location Base* member intermediate final
3635 descriptor operation code operation operation
3636 -----------+---------- -------+--------------+-----------
3637 C | BaseC EC | ElemCU | UnsetElemC
3638 R | BaseR PC | PropCU | UnsetPropC
3639 L | BaseL EL | ElemLU | UnsetElemL
3640 NC | BaseNC PL | PropLU | UnsetPropL
3641 NL | BaseNL W | N/A | N/A
3649 11. Iterator instructions
3650 -------------------------
3652 IterInit <iterator id> <rel offset> <local id> [C] -> []
3653 IterInitK <iterator id> <rel offset> <local id> <local id> [C] -> []
3654 WIterInit <iterator id> <rel offset> <local id> [C] -> []
3655 WIterInitK <iterator id> <rel offset> <local id> <local id> [C] -> []
3657 Initialize iterator. If $1 is an array, these instructions create an array
3658 iterator, rewind the array iterator to point to the beginning of the array,
3659 and store the array iterator in the iterator variable %1. Then these
3660 instructions check if the iterator is at the end, and if it is, these
3661 instructions free the iterator and transfer control to the location specified
3664 If $1 is an object that is an instance of an extension class that implements
3665 the Traversable interface, these instructions create an extension class
3666 iterator and store it in the iterator variable %1. Then these instructions
3667 check if the iterator is at the end, and if it is these instructions free the
3668 iterator and transfer control the location specified by %2.
3670 If $1 is an object that implements the Iterator interface, these instructions
3671 create an user class iterator, call $1->rewind(), and store the user class
3672 iterator in the iterator variable %1. Then these instructions check if
3673 $1->valid() returns false, and if it does these instructions free the
3674 iterator and transfer control to the location specified by %2.
3676 If $1 is an object that implements the IteratorAggregate interface, these
3677 instructions call $1->getIterator() and inspect the object x that is
3678 returned. If x is an instance of IteratorAggregate, these instructions will
3679 repeatedly execute "x = x->getIterator()" until x is not an object that is an
3680 instance of IteratorAggregate. If x is an object that implements the
3681 Traversable interface, then this instruction will behave according to the
3682 appropriate case described above. Otherwise, these instructions will throw an
3683 exception of type Exception.
3685 If $1 is an object that does not match any of the three cases above, these
3686 instructions create a default class iterator, rewind the default class
3687 iterator to point to the first accessible property, and store the default
3688 class iterator in the iterator variable %1. Then these instructions check if
3689 the iterator is at the end, and if it is these instructions free the iterator
3690 and transfer control the location specified by %2.
3692 If $1 is not an array or an object, these instructions raise a warning and
3693 transfer control to the location specified by %2.
3695 The local ids in %3 (and %4, for the *K variants) represent the locals that
3696 should receive the value (in %3) and key (in %4) for the iteration, in
3697 accordance with the type of iterator initialized in %1.
3699 For the non-W* flavors of these instructions, the locals are stored to with
3700 the same semantics as SetL (non-binding assignment). The W* flavors of these
3701 instructions do a binding assignment to %3 if the rhs was a reference, or if
3702 not they unset the old value of the local and then do a non-binding
3703 assignment. The W* flavors still do a non-binding assignment to %4.
3705 The logical value is computed differently depending on the iterator type that
3706 is initialized in %1:
3708 If the iterator specified by %1 is a non-mutable array iterator or an
3709 extension class iterator, these instructions store a copy of the current
3712 If the iterator specified by %1 is a user class iterator for object $x,
3713 these instructions store the return value of $x->current() in %3.
3715 If the iterator specified by %1 is a non-mutable default class iterator,
3716 these instructions store a copy of the current property in %3.
3718 For the *K variants, the logical key to be stored in %4 is computed
3719 differently depending on the iterator type initialized in %1:
3721 If the iterator specified by %1 is an array iterator or an extension class
3722 iterator, this instruction stores a copy of the current key in %4.
3724 If the iterator specified by %1 is a user class iterator for object $x,
3725 this instruction stores the return value of $x->key() in %4.
3727 If the iterator specified by %1 is a non-mutable default class iterator,
3728 this instruction stores a copy of the name of the current property in %4.
3730 MIterInit <iterator id> <rel offset> <local id> [V] -> []
3731 MIterInitK <iterator id> <rel offset> <local id> <local id> [V] -> []
3733 Initialize mutable iterator. If $1 is an array, these instructions create a
3734 mutable array iterator, rewind the mutable array iterator to point to the
3735 beginning of the array, and store the mutable array iterator in the iterator
3736 variable %1. Then these instructions check if the iterator is at the end, and
3737 if it is these instructions free the iterator and transfers control the
3738 location specified by %2.
3740 If $1 is an object that is an instance of an extension class that implements
3741 the Traversable interface, these instructions raise a fatal error.
3743 If $1 is an object that implements the Iterator interface, these instructions
3744 throw a fatal error.
3746 If $1 is an object that implements the IteratorAggregate interface, these
3747 instructions throw a fatal error.
3749 If $1 is an object that does not match any of the three cases above, these
3750 instructions create a mutable default class iterator, rewind it to point to
3751 the first accessible property, and store it in the iterator variable %1.
3752 Then these instructions check if the iterator is at the end, and if it is
3753 these instructions free the iterator and transfer control to the location
3756 If $1 is not an array or an object, these instructions raise a warning and
3757 transfer control to the location specified by %2.
3759 If the iterator specified by %1 is a mutable array iterator, these
3760 instructions store the current value in %3 as a ref.
3762 If the iterator specified by %1 is a mutable default class iterator, these
3763 instructions store the current property in %3 as a ref.
3765 For the MIterInitK version, the following also happens:
3767 If the iterator specified by %1 is an array iterator, this instruction stores
3768 a copy of the current key in %4 as a cell.
3770 If the iterator specified by %1 is a mutable default class iterator, this
3771 instruction stores a copy of the name of the current property in %4 as a
3774 IterNext <iterator id> <rel offset> <local id> [] -> []
3775 IterNextK <iterator id> <rel offset> <local id> <local id> [] -> []
3776 WIterNext <iterator id> <rel offset> <local id> [] -> []
3777 WIterNextK <iterator id> <rel offset> <local id> <local id> [] -> []
3779 Iterator next. If the specified iterator is a non-mutable array iterator or
3780 an extension class iterator, advance the iterator to point to the next
3781 element. If the iterator is not at the end, these instructions transfer
3782 control to the location specified by %2.
3784 If the specified iterator is a user class iterator for object $x, this
3785 instruction executes $x->next(). Then these instructions check if $x->valid()
3786 returns true, and if it does these instructions transfer control to the
3787 location specified by %2.
3789 If the specified iterator is a non-mutable default class iterator, advance
3790 the iterator to point to the next accessible property in the object. If the
3791 iterator is not at the end, these instructions transfer control to the
3792 location specified by %2.
3794 If the specified iterator is at the end, free the iterator variable with an
3795 implicit IterFree, then fall through to the next instruction.
3797 If the specified iterator is not at the end, the local ids in %3 (and %4, for
3798 the *K variants) represent the locals that should receive the value (in
3799 %3) and key (in %4) for the iteration, in accordance with the type of
3800 iterator initialized in %1.
3802 These locals are stored to with the same semantics as SetL (non-binding
3803 assignment), except the W* flavors of these instructions do a "with
3804 reference" assignment (i.e. the local gets a binding assignment if and only
3805 if the value to be assigned is already a reference).
3807 The semantics of how to determine what the key and value are depend on %1 in
3808 an analogous way to {W,}IterInit{K,}.
3810 MIterNext <iterator id> <rel offset> <local id> [] -> []
3811 MIterNextK <iterator id> <rel offset> <local id> <local id> [] -> []
3813 Iterator next. If the specified iterator is a mutable array iterator, advance
3814 the iterator to point to the next element. If the iterator is not at the end,
3815 these instructions transfer control to the location specified by %2.
3817 If the specified iterator is a mutable default class iterator, advance the
3818 iterator to point to the next accessible property in the object. If the
3819 iterator is not at the end, these instructions transfer control to the
3820 location specified by %2.
3822 If the specified iterator is at the end, free the iterator variable with an
3823 implicit MIterFree, then fall through to the next instruction.
3825 If the specified iterator is not at the end, retrieve the key and value:
3827 If the iterator specified by %1 is a mutable array iterator, these
3828 instructions store the new current value in %3 as a ref.
3830 If the iterator specified by %1 is a mutable default class iterator, these
3831 instructions store the new current property in %3 as a ref.
3833 For the MIterNextK version, the following also happens:
3835 If the iterator specified by %1 is an array iterator, this instruction stores
3836 a copy of the new current key in %4 as a cell.
3838 If the iterator specified by %1 is a mutable default class iterator, this
3839 instruction stores a copy of the name of the new current property in %4 as a
3842 IterFree <iterator id> [] -> []
3844 Iterator free. This instruction frees the specified iterator variable.
3845 Typically an iterator gets freed by IterNext, so IterFree is only needed for
3846 guarding against exceptions and implementing break and return control flow
3847 statements inside iterator loops.
3849 MIterFree <iterator id> [] -> []
3851 Mutable iterator free. This instruction frees the specified iterator
3852 variable. Typically an iterator gets freed by MIterNext*, so MIterFree is
3853 only needed for guarding against exceptions and implementing break and return
3854 control flow statements inside iterator loops.
3856 CIterFree <iterator id> [] -> []
3858 Cuf iterator free. This instruction frees the specified iterator variable.
3860 IterBreak <iter-vec> <rel offset> [] -> []
3862 Iterator break. Frees vectors in %1 in left to right order then transfers
3863 control to the location specified by %2. Surprise checks are performed before
3864 iterators are freed so that in the event of an exception iterators are not
3865 double freed. Note that as with normal jumps surprise checks will only be
3866 performed if %2 is non-positive.
3869 12. Include, eval, and define instructions
3870 ------------------------------------------
3874 Include. Includes the compilation unit containing the file (string)$1. The
3875 instruction eagerly marks all functions and classes that are unconditionally
3876 declared in the outermost scope as defined. Next this instruction calls the
3877 pseudo-main function from the file (string)$1. The pseudo-main function
3878 inherits the caller's variable environment. If the execution engine cannot
3879 find a compilation unit containing the file (string)$1, this instruction
3884 Include once. Include the compilation unit containing the file (string)$1 if
3885 it hasn't been included already. This instruction eagerly marks all functions
3886 and classes that are unconditionally declared in the outermost scope as
3887 defined, and then calls the pseudo-main function from (string)$1 if it hasn't
3888 run already. The pseudo-main function inherits the caller's variable
3889 environment. If the execution engine cannot find a compilation unit
3890 containing the file (string)$1, this instruction raises a warning.
3894 Require. Includes the compilation unit containing the file (string)$1. The
3895 instruction eagerly marks all functions and classes that are unconditionally
3896 declared in the outermost scope as defined. Next this instruction calls the
3897 pseudo-main function from the file (string)$1. The pseudo-main function
3898 inherits the caller's variable environment. If the execution engine cannot
3899 find a compilation unit containing the file (string)$1, this instruction
3900 throws a fatal error.
3904 Require once. Include the compilation unit containing the file (string)$1 if
3905 it hasn't been included already. This instruction eagerly marks all functions
3906 and classes that are unconditionally declared in the outermost scope as
3907 defined, and then calls the pseudo-main function from (string)$1 if it hasn't
3908 run already. The pseudo-main function inherits the caller's variable
3909 environment. If the execution engine cannot find a compilation unit
3910 containing the file (string)$1, this instruction throws a fatal error.
3914 As ReqOnce except the string is always taken to be relative to the document
3915 root (ie SourceRoot).
3919 Eval. Executes the source code in (string)$1. This instruction eagerly marks
3920 all functions and classes that are unconditionally declared in the outermost
3921 scope as defined, and then calls the pseudo-main function from (string)$1.
3922 The pseudo-main function from (string)$1 inherits the caller's variable
3925 DefFunc <function id> [] -> []
3927 Define function. Bind the function specified by %1. If the function specified
3928 by %1 is already bound, this instruction does nothing. If another function is
3929 already bound to the name associated with %1, this instruction throws a fatal
3932 DefCls <class id> [] -> []
3934 Define class. Bind the class specified by %1. If the class specified by %1 is
3935 already bound, this instruction does nothing. If another class is already
3936 bound to the associated name, this instruction throws a fatal error.
3938 DefClsNop <class id> [] -> []
3940 For always-hoistable classes (which are automatically defined when the unit
3941 is loaded). This instruction is used as a marker for the location in a
3942 pseudo-main where a DefCls would've existed, but doesn't need to be. (It is
3943 used as a place to raise errors from if the class fails to define.)
3945 DefCns <litstr id> [C] -> [C]
3947 Define constant. If there is already a global constant named %1, raises a
3948 notice and pushes false. If $1 is an array or an object, raises a notice, and
3949 pushes false. Otherwise defines the constant named %1 to have the value $1,
3952 DefTypeAlias <litstr id> [] -> []
3954 Define type alias. Type aliases are a hhvm extension to PHP that allow
3955 declaring new names for existing types. The unit contains a table of the type
3956 aliases it was compiled with. This instruction looks up the type alias given
3957 by %1 in the table. If there is an existing class or type alias defined with
3958 the same name as %1, this function checks whether it is compatible with the
3959 type alias given by %1, and if it isn't it raises a fatal error.
3962 13. Miscellaneous instructions
3963 ------------------------------
3967 This. This instruction checks the current instance, and if it is null, this
3968 instruction throws a fatal error. Next, this instruction pushes the current
3969 instance onto the stack.
3971 BareThis <notice> [] -> [C:Obj|Null]
3973 This. This instruction pushes the current instance onto the stack. If %1 is
3974 BareThisOp::Notice, and the current instance is null, emits a notice. If %1
3975 is BareThisOp::NeverNull the current value of $this is guaranteed to be
3976 available and can be loaded with no null check.
3980 Check existence of this. This instruction checks the current instance, and if
3981 it is null, throws a fatal error.
3983 InitThisLoc <local variable id> [] -> []
3985 Initialize this local variable. This instruction checks the current instance,
3986 and if it is not null this instruction stores it to the specified local
3987 variable. If the current instance is null, or if this bytecode appears in a
3988 function body that is not a class method, this instruction does nothing.
3990 StaticLoc <local variable id> <litstr id> [] -> [C:Bool]
3992 Static variable. This instruction first checks if the static variable named
3993 %2 has been marked as initialized. If the static variable has been marked as
3994 initialized, this instruction binds the static variable to the local variable
3995 %1 and pushes true. Otherwise, this instruction binds the static variable to
3996 the local variable %1, marks the static variable as initialized, and pushes
3999 StaticLocInit <local variable id> <litstr id> [C] -> []
4001 Static variable with initializer. This instruction first checks if the static
4002 variable named %2 has been marked as initialized. If the static variable has
4003 been marked as initialized, this instruction binds the static variable to the
4004 local variable %1. Otherwise, this instruction binds the static variable to
4005 the local variable, assigns $1 to the local variable, and marks the static
4006 variable as initialized.
4008 The cell in $1 must not be a reference counted type.
4012 Catch. Retrieves the current exception object and pushes it onto the stack.
4013 The exception object must be a subclass of the builtin Exception class. This
4014 instruction may only be used at the beginning of a catch entry point.
4016 OODeclExists <Class|Interface|Trait> [C C] -> [C:Bool]
4018 Check for class/interface/trait existence. If $1 cannot be cast to a bool or
4019 $2 cannot be cast to a string, this instruction will throw a fatal error.
4020 Otherwise, it will check for existence of the entity named by $2, invoking
4021 the autoloader if needed and if $1 is true. The result of the existence check
4022 will be pushed on the stack.
4024 VerifyParamType <parameter id> [] -> []
4026 Verify parameter type. Functions and methods can optionally specify the types
4027 of arguments they will accept. These type constraints are memoized into each
4028 function's FPI structure.
4030 VerifyParamType checks the specified parameter against the enclosing
4031 function's corresponding parameter constraints. In case of a mismatch, a
4032 recoverable error is raised.
4034 VerifyRetTypeC [C] -> [C]
4035 VerifyRetTypeV [V] -> [V]
4037 Verify return type. This instruction pops $1 off of the stack, checks if $1
4038 is compatible with the current function's return type annotation and raises
4039 a warning if there is a mismatch, and then it pushes $1 back onto the stack.
4043 Creates a classref that refers to the class in which the current function is
4044 defined. This instruction throws a fatal error if the current method is
4045 defined outside of a class, otherwise it pushes a classref on the stack.
4049 Creates a classref that refers to the parent of the class in which the
4050 current method is defined. This instruction throws a fatal error if the
4051 current method is defined outside of a class or if the class in which the
4052 current method is defined has no parent, otherwise it pushes a classref on
4055 LateBoundCls [] -> [A]
4057 Late-bound class. Creates a classref that refers to the current late-bound
4058 class and pushes it onto the stack.
4062 Native implementation. This instruction invokes the native implementation
4063 associated with current function and returns the return value to the caller
4064 of the current function.
4066 IncStat <counter id> <value> [] -> []
4068 Increment stat counter. If stats are enabled, this instruction adds <value>
4069 to the counter specified by <counter id>. The meaning of the <counter id>
4070 immediate is implementation defined
4072 AKExists [C C] -> [C:Bool]
4074 Checks if array (object) in $1 contains key (property) in $2 and pushes the
4075 resulting boolean onto the stack. If $2 is null, uses the empty string as
4076 key. Throws a fatal error if $1 is not an array or object, and raises a
4077 warning if $2 is not a string, integer, or null.
4079 CreateCl <num args> <class name> [C|V|U..C|V|U] -> [C]
4081 Creates an instance of <class name> and pushes it on the stack.
4083 The class named by %2 must be a subclass of "Closure", must have a single
4084 public method named __invoke, must be defined at the point of the CreateCl
4085 opcode, must be defined in the same unit as the CreateCl opcode, and must
4086 always be tagged as "ClosureHoistable" (see comments near
4087 PreClass---hoistability metadata is currently not covered by this spec).
4089 If there is more than one CreateCl opcode in the unit for the Closure
4090 subclass named by %2, all of the opcodes must be possible to associate with
4091 the same class (or trait), or none if the closure will not inherit a class
4092 context at runtime. This is intended to mean that CreateCl opcodes for a
4093 given closure may only occur in bytecode bodies of functions that are
4094 generated to represent a single user-visible PHP function, async function,
4095 async closure, generator, or generator closure.
4097 Moreover, for normal (non-async, non-generator) functions and methods, there
4098 must be at most a single CreateCl opcode in the unit for a given Closure
4099 subclass contained in the unit.
4103 Checks if object in $3 contains key in $2 and pushes the result onto the
4104 stack if found. Otherwise, $1 is pushed onto the stack. $3 must be an object
4105 that supports array or indexed access (e.g. arrays, collections,
4106 implementations of ArrayAccess).
4108 ArrayIdx [C C C] -> [C]
4110 Checks if array in $3 contains key in $2 and pushes the result onto the stack
4111 if found. Otherwise, $1 is pushed onto the stack. A fatal error will be
4112 thrown if $3 is not an array.
4114 AssertRATL <local id> <repo auth type> [] -> []
4115 AssertRATStk <stack offset> <repo auth type> [] -> []
4117 Assert known "repo authoritative type", for locals or stack offsets.
4119 These opcodes may be used to communicate the results of ahead of time static
4120 analysis (hhbbc) to the runtime. They indicate that the value in the
4121 specified local or stack offset is statically known to have a particular
4122 type. The "repo auth type" immediate is an encoded RepoAuthType struct (for
4123 details see runtime/base/repo-auth-type.h).
4125 As suggested by the name, these opcodes are generally for use with
4126 RepoAuthoritative mode. They may appear in non-RepoAuthoritative mode with
4127 one restriction: "specialized" array type information may not be asserted,
4128 because the global array type table may only be present in RepoAuthoritative
4131 BreakTraceHint [] -> []
4133 This opcode has no effects, but is a hint that code immediately following it
4134 is probably not worth including in the same compilation unit as the code in
4135 front of it. In HHVM, this is used to tell the JIT to break a Tracelet when
4136 it sees this opcode.
4138 Silence <local id> <Start|End> [] -> []
4140 With %2 = Start, sets the error reporting level to 0 and stores the previous
4141 one in the local variable %1. The local variable will be overwritten without
4144 With %2 = End, if the error reporting level is 0, restores the error
4145 reporting level to the previous value (stored in local variable %1); if the
4146 error reporting level is not 0, does nothing.
4148 GetMemoKey [C] -> [C]
4150 Given a cell, produces a cell that can be used as a cache key. Valid values
4151 for the input include all basic types, arrays and collections, and objects
4152 that implement IMemozieParam. Any other type will cause GetMemoKey to throw.
4154 14. Generator creation and execution
4155 ---------------------------------------
4157 CreateCont [] -> [C:Null]
4159 This instruction may only appear in bodies of generators. Creates a new
4160 Generator object, moves all local variables from the current frame into
4161 the object, sets resume offset at the next opcode and suspends execution by
4162 transferring control flow back to the caller, returning the Generator
4163 object. Once the execution is resumed, the Null value sent by ContEnter
4164 becomes available on the stack. It is illegal to resume newly constructed
4165 Generator using ContEnter with a non-null value or ContRaise opcodes.
4167 ContEnter [C] -> [C]
4169 This instruction may only appear in non-static methods of the Generator
4170 class. It transfers control flow to the saved resume offset of a function
4171 associated with $this Generator object. The $1 will remain available
4172 on the stack after the control is transferred. Once the control is
4173 transferred back, a value determined by suspending opcode (Await, Yield,
4174 YieldK or RetC) will be pushed on the stack. This value corresponds to
4175 the next()/send() return value -- null for non-async generators, and
4176 WaitHandle or null for async generators.
4178 ContRaise [C:Obj] -> [C]
4180 This instruction may only appear in non-static methods of the Generator
4181 class. It transfers control flow to the saved resume offset of a function
4182 associated with $this Generator object. The Exception stored at $1 is
4183 raised instead of invoking code at the resume offset. Once the control is
4184 transferred back, a value determined by suspending opcode (Await, Yield,
4185 YieldK or RetC) will be pushed on the stack. This value corresponds to
4186 the raise() return value -- null for non-async generators, and WaitHandle
4187 or null for async generators.
4191 This instruction may only appear in bodies of generators. Stores $1
4192 in the generator as the result of the current iteration, sets resume
4193 offset at the next opcode and suspends execution by transferring control
4194 flow back to the ContEnter or ContRaise. Once the execution is resumed,
4195 the value sent by ContEnter becomes available on the stack, or
4196 an exception sent by ContRaise is thrown.
4200 This instruction may only appear in bodies of generators. Stores $1
4201 in the generator as the result and $2 as the key of the current
4202 iteration, sets resume offset at the next opcode and suspends execution
4203 by transferring control flow back to the ContEnter or ContRaise. Once
4204 the execution is resumed, the value sent by ContEnter becomes available
4205 on the stack, or an exception sent by ContRaise is thrown.
4207 ContCheck <check started> [] -> []
4209 Check whether generator can be iterated. $this must be a Generator
4210 object. If the generator is finished, already running, or not yet started
4211 and <check started> is enabled, an exception will be thrown.
4213 ContValid [] -> [C:Bool]
4215 Check generator validity. $this must be a Generator object. Pushes true
4216 onto the stack if the generator can be iterated further, false otherwise.
4220 Get generator key. $this must be a Generator object. Pushes the most
4221 recently yielded key from the generator onto the stack.
4223 ContCurrent [] -> [C]
4225 Get generator value. $this must be a Generator object. Pushes the most
4226 recently yielded value from the generator onto the stack.
4231 Await <number of iterators> [C] -> [C]
4233 This instruction may only appear in bodies of async functions. Awaits
4234 a WaitHandle provided by $1, suspending the execution if the WaitHandle
4237 If $1 is not a subclass of WaitHandle, raises a fatal error. If $1 succeeded,
4238 this instruction pushes the result value from the WaitHandle. If $1 failed,
4239 this instruction throws the exception from the WaitHandle. Otherwise the
4240 execution needs to be suspended:
4242 If the async function is executed eagerly, creates an AsyncFunctionWaitHandle
4243 object, moves all local variables and first %1 iterators from the current
4244 frame into the object, sets resume offset at the next opcode, marks the
4245 AsyncFunctionWaitHandle as blocked on the WaitHandle provided by $1 and
4246 suspends execution by transferring control flow back to the caller,
4247 returning the AsyncFunctionWaitHandle object.
4249 If the async function is executed in resumed mode, sets resume offset at
4250 the next opcode, marks the AsyncFunctionWaitHandle as blocked on the
4251 WaitHandle provided by $1 and suspends execution by transferring control
4252 flow back to the scheduler.
4254 Once the execution is resumed, the result of the WaitHandle provided by $1
4255 becomes available on the stack.
4258 Basic statement transformations
4259 -------------------------------
4261 To achieve HHBC's goal of making it straightforward for an interpreter or a
4262 compiler to determine order of execution, control flow statements are
4263 transformed to use the simpler constructs. Most control flow statements such as
4264 "if", "while", and "for" are implemented in a straightforward manner using the
4267 HHBC provides the Switch instruction for implementing very simple switch
4268 statements; most real switch statements are implemented naively using the Eq
4269 and JmpNZ instructions. Also, the functionality of both the echo statement and
4270 the print statement is implemented with the Print instruction.
4272 Foreach statements are implemented using iterator variables and the Iter* and
4273 MIter* instructions. Each foreach loop must be protected by a fault funclet to
4274 ensure that the iterator variable is freed when a foreach loop exits abnormally
4275 through an exception.
4277 Simple break statements and continue statements are implemented using the Jmp*,
4278 IterFree, MIterFree and CIterFree instructions. Dynamic break is implemented
4279 using an unnamed local (to store the 'break count') and a chain of basic
4280 blocks, where each block decrements the unnamed local variable and compares it
4281 with 0, and then decides where to jump next.
4284 Basic expression transformations
4285 --------------------------------
4287 To reduce the size of the instruction set, certain types of expressions are
4290 1) Unary plus and negation
4291 Unary plus and negation "+(<expression>)" gets converted to "(0 +
4292 (<expression>))", and "-(<expression>)" gets converted to "(0 -
4295 2) Assignment-by operators (+=, -=, etc)
4296 Assignment-by operators are converted to use the SetOp* instructions.
4298 3) List assignment (list)
4299 List assignments are converted to use an unnamed local variable and the SetM
4300 and VGet* instructions. If the function contains any catch funclets, then list
4301 assignment requires a fault funclet as well.
4303 4) Logical and and logical or operators (and/&&, or/||)
4304 If any of the operands side-effect, these operators are implemented using Jmp*
4305 instructions instead of using the "and" and "or" instructions to implement
4306 short-circuit semantics correctly. All Jmp* instructions used to implement
4307 "and" and "or" operators will be forward jumps.
4309 5) The new expression
4310 The new expression is implemented by using the FPushCtor*, FPass*, and FCall
4313 6) The ternary operator (?:)
4314 The functionality of the ternary operator is implemented using Jmp*
4315 instructions. All Jmp* instructions used to implement the ternary operator will
4318 7) Silence operator (@)
4319 The silence operator is implemented by using various instructions (including
4320 the Jmp* instructions), unnamed local variables, and a fault funclet. All Jmp*
4321 instructions used to implement the silence operator will be forward jumps.
4323 8) The $this expression
4324 The $this expression has different effects depending on whether or not $this is
4325 the direct base of a property expression (such as "$this->x") or a method call
4326 expression (such as "$this->foo()"). When the $this expression is the direct
4327 base of a property expression or a method call expression, the This instruction
4330 A bare $this expression within an instance method is handled one of two ways:
4331 general or BareThis-optimized (optional). The general solution accesses a local
4332 variable named "this", which is initialized at the beginning of the method
4333 using the InitThisLoc instruction. The BareThis optimization applies to bare
4334 $this access as long as $this is not passed by reference and there are no
4335 dynamic method variables. In such cases, the BareThis instruction can be used
4336 to directly access $this, and the InitThisLoc instruction is not needed.
4339 Warning and errors at parse time
4340 --------------------------------
4342 Certain syntactically correct source code may cause warnings or errors to be
4343 raised when the source file is parsed. Examples of this include using "$this"
4344 on the left hand side of the assignment, using "$this" with binding assignment,
4345 using "$a[]" in an r-value context, and doing "unset($a[])". HHBC handles these
4346 cases by generating Raise or Fatal instructions at the beginning of the body
4347 for the pseudo-main function.
4353 At the time of this writing, the HipHop bytecode specification is missing the
4356 1) Description of traits
4357 2) Description of metadata for class statements, trait statements, and method
4359 3) Description and examples for the yield generator feature
4360 4) Description of the late static binding feature
4361 5) Description of the resource type
4362 6) Definitions of operators (ex. +, -, !) and other helper functions (ex.
4363 is_null, get_class, strlen)
4364 7) High level description of how namespaces are dealt with and any relevant
4366 8) Description of async function implementation
4369 /* Local Variables: */
4370 /* fill-column: 79 */