mirror of
https://github.com/capstone-engine/llvm-capstone.git
synced 2025-01-18 22:26:16 +00:00
d2c8970a9a
llvm-svn: 52208
624 lines
30 KiB
HTML
624 lines
30 KiB
HTML
<html>
|
|
<head>
|
|
<title>"clang" CFE Internals Manual</title>
|
|
<link type="text/css" rel="stylesheet" href="../menu.css" />
|
|
<link type="text/css" rel="stylesheet" href="../content.css" />
|
|
</head>
|
|
<body>
|
|
|
|
<!--#include virtual="../menu.html.incl"-->
|
|
|
|
<div id="content">
|
|
|
|
<h1>"clang" CFE Internals Manual</h1>
|
|
|
|
<ul>
|
|
<li><a href="#intro">Introduction</a></li>
|
|
<li><a href="#libsystem">LLVM System and Support Libraries</a></li>
|
|
<li><a href="#libbasic">The clang 'Basic' Library</a>
|
|
<ul>
|
|
<li><a href="#SourceLocation">The SourceLocation and SourceManager
|
|
classes</a></li>
|
|
</ul>
|
|
</li>
|
|
<li><a href="#liblex">The Lexer and Preprocessor Library</a>
|
|
<ul>
|
|
<li><a href="#Token">The Token class</a></li>
|
|
<li><a href="#Lexer">The Lexer class</a></li>
|
|
<li><a href="#TokenLexer">The TokenLexer class</a></li>
|
|
<li><a href="#MultipleIncludeOpt">The MultipleIncludeOpt class</a></li>
|
|
</ul>
|
|
</li>
|
|
<li><a href="#libparse">The Parser Library</a>
|
|
<ul>
|
|
</ul>
|
|
</li>
|
|
<li><a href="#libast">The AST Library</a>
|
|
<ul>
|
|
<li><a href="#Type">The Type class and its subclasses</a></li>
|
|
<li><a href="#QualType">The QualType class</a></li>
|
|
<li><a href="#CFG">The CFG class</a></li>
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
|
|
|
|
<!-- ======================================================================= -->
|
|
<h2 id="intro">Introduction</h2>
|
|
<!-- ======================================================================= -->
|
|
|
|
<p>This document describes some of the more important APIs and internal design
|
|
decisions made in the clang C front-end. The purpose of this document is to
|
|
both capture some of this high level information and also describe some of the
|
|
design decisions behind it. This is meant for people interested in hacking on
|
|
clang, not for end-users. The description below is categorized by
|
|
libraries, and does not describe any of the clients of the libraries.</p>
|
|
|
|
<!-- ======================================================================= -->
|
|
<h2 id="libsystem">LLVM System and Support Libraries</h2>
|
|
<!-- ======================================================================= -->
|
|
|
|
<p>The LLVM libsystem library provides the basic clang system abstraction layer,
|
|
which is used for file system access. The LLVM libsupport library provides many
|
|
underlying libraries and <a
|
|
href="http://llvm.org/docs/ProgrammersManual.html">data-structures</a>,
|
|
including command line option
|
|
processing and various containers.</p>
|
|
|
|
<!-- ======================================================================= -->
|
|
<h2 id="libbasic">The clang 'Basic' Library</h2>
|
|
<!-- ======================================================================= -->
|
|
|
|
<p>This library certainly needs a better name. The 'basic' library contains a
|
|
number of low-level utilities for tracking and manipulating source buffers,
|
|
locations within the source buffers, diagnostics, tokens, target abstraction,
|
|
and information about the subset of the language being compiled for.</p>
|
|
|
|
<p>Part of this infrastructure is specific to C (such as the TargetInfo class),
|
|
other parts could be reused for other non-C-based languages (SourceLocation,
|
|
SourceManager, Diagnostics, FileManager). When and if there is future demand
|
|
we can figure out if it makes sense to introduce a new library, move the general
|
|
classes somewhere else, or introduce some other solution.</p>
|
|
|
|
<p>We describe the roles of these classes in order of their dependencies.</p>
|
|
|
|
<!-- ======================================================================= -->
|
|
<h3 id="SourceLocation">The SourceLocation and SourceManager classes</h3>
|
|
<!-- ======================================================================= -->
|
|
|
|
<p>Strangely enough, the SourceLocation class represents a location within the
|
|
source code of the program. Important design points include:</p>
|
|
|
|
<ol>
|
|
<li>sizeof(SourceLocation) must be extremely small, as these are embedded into
|
|
many AST nodes and are passed around often. Currently it is 32 bits.</li>
|
|
<li>SourceLocation must be a simple value object that can be efficiently
|
|
copied.</li>
|
|
<li>We should be able to represent a source location for any byte of any input
|
|
file. This includes in the middle of tokens, in whitespace, in trigraphs,
|
|
etc.</li>
|
|
<li>A SourceLocation must encode the current #include stack that was active when
|
|
the location was processed. For example, if the location corresponds to a
|
|
token, it should contain the set of #includes active when the token was
|
|
lexed. This allows us to print the #include stack for a diagnostic.</li>
|
|
<li>SourceLocation must be able to describe macro expansions, capturing both
|
|
the ultimate instantiation point and the source of the original character
|
|
data.</li>
|
|
</ol>
|
|
|
|
<p>In practice, the SourceLocation works together with the SourceManager class
|
|
to encode two pieces of information about a location: it's physical location
|
|
and it's virtual location. For most tokens, these will be the same. However,
|
|
for a macro expansion (or tokens that came from a _Pragma directive) these will
|
|
describe the location of the characters corresponding to the token and the
|
|
location where the token was used (i.e. the macro instantiation point or the
|
|
location of the _Pragma itself).</p>
|
|
|
|
<p>For efficiency, we only track one level of macro instantions: if a token was
|
|
produced by multiple instantiations, we only track the source and ultimate
|
|
destination. Though we could track the intermediate instantiation points, this
|
|
would require extra bookkeeping and no known client would benefit substantially
|
|
from this.</p>
|
|
|
|
<p>The clang front-end inherently depends on the location of a token being
|
|
tracked correctly. If it is ever incorrect, the front-end may get confused and
|
|
die. The reason for this is that the notion of the 'spelling' of a Token in
|
|
clang depends on being able to find the original input characters for the token.
|
|
This concept maps directly to the "physical" location for the token.</p>
|
|
|
|
<!-- ======================================================================= -->
|
|
<h2 id="liblex">The Lexer and Preprocessor Library</h2>
|
|
<!-- ======================================================================= -->
|
|
|
|
<p>The Lexer library contains several tightly-connected classes that are involved
|
|
with the nasty process of lexing and preprocessing C source code. The main
|
|
interface to this library for outside clients is the large <a
|
|
href="#Preprocessor">Preprocessor</a> class.
|
|
It contains the various pieces of state that are required to coherently read
|
|
tokens out of a translation unit.</p>
|
|
|
|
<p>The core interface to the Preprocessor object (once it is set up) is the
|
|
Preprocessor::Lex method, which returns the next <a href="#Token">Token</a> from
|
|
the preprocessor stream. There are two types of token providers that the
|
|
preprocessor is capable of reading from: a buffer lexer (provided by the <a
|
|
href="#Lexer">Lexer</a> class) and a buffered token stream (provided by the <a
|
|
href="#TokenLexer">TokenLexer</a> class).
|
|
|
|
|
|
<!-- ======================================================================= -->
|
|
<h3 id="Token">The Token class</h3>
|
|
<!-- ======================================================================= -->
|
|
|
|
<p>The Token class is used to represent a single lexed token. Tokens are
|
|
intended to be used by the lexer/preprocess and parser libraries, but are not
|
|
intended to live beyond them (for example, they should not live in the ASTs).<p>
|
|
|
|
<p>Tokens most often live on the stack (or some other location that is efficient
|
|
to access) as the parser is running, but occasionally do get buffered up. For
|
|
example, macro definitions are stored as a series of tokens, and the C++
|
|
front-end will eventually need to buffer tokens up for tentative parsing and
|
|
various pieces of look-ahead. As such, the size of a Token matter. On a 32-bit
|
|
system, sizeof(Token) is currently 16 bytes.</p>
|
|
|
|
<p>Tokens contain the following information:</p>
|
|
|
|
<ul>
|
|
<li><b>A SourceLocation</b> - This indicates the location of the start of the
|
|
token.</li>
|
|
|
|
<li><b>A length</b> - This stores the length of the token as stored in the
|
|
SourceBuffer. For tokens that include them, this length includes trigraphs and
|
|
escaped newlines which are ignored by later phases of the compiler. By pointing
|
|
into the original source buffer, it is always possible to get the original
|
|
spelling of a token completely accurately.</li>
|
|
|
|
<li><b>IdentifierInfo</b> - If a token takes the form of an identifier, and if
|
|
identifier lookup was enabled when the token was lexed (e.g. the lexer was not
|
|
reading in 'raw' mode) this contains a pointer to the unique hash value for the
|
|
identifier. Because the lookup happens before keyword identification, this
|
|
field is set even for language keywords like 'for'.</li>
|
|
|
|
<li><b>TokenKind</b> - This indicates the kind of token as classified by the
|
|
lexer. This includes things like <tt>tok::starequal</tt> (for the "*="
|
|
operator), <tt>tok::ampamp</tt> for the "&&" token, and keyword values
|
|
(e.g. <tt>tok::kw_for</tt>) for identifiers that correspond to keywords. Note
|
|
that some tokens can be spelled multiple ways. For example, C++ supports
|
|
"operator keywords", where things like "and" are treated exactly like the
|
|
"&&" operator. In these cases, the kind value is set to
|
|
<tt>tok::ampamp</tt>, which is good for the parser, which doesn't have to
|
|
consider both forms. For something that cares about which form is used (e.g.
|
|
the preprocessor 'stringize' operator) the spelling indicates the original
|
|
form.</li>
|
|
|
|
<li><b>Flags</b> - There are currently four flags tracked by the
|
|
lexer/preprocessor system on a per-token basis:
|
|
|
|
<ol>
|
|
<li><b>StartOfLine</b> - This was the first token that occurred on its input
|
|
source line.</li>
|
|
<li><b>LeadingSpace</b> - There was a space character either immediately
|
|
before the token or transitively before the token as it was expanded
|
|
through a macro. The definition of this flag is very closely defined by
|
|
the stringizing requirements of the preprocessor.</li>
|
|
<li><b>DisableExpand</b> - This flag is used internally to the preprocessor to
|
|
represent identifier tokens which have macro expansion disabled. This
|
|
prevents them from being considered as candidates for macro expansion ever
|
|
in the future.</li>
|
|
<li><b>NeedsCleaning</b> - This flag is set if the original spelling for the
|
|
token includes a trigraph or escaped newline. Since this is uncommon,
|
|
many pieces of code can fast-path on tokens that did not need cleaning.
|
|
</p>
|
|
</ol>
|
|
</li>
|
|
</ul>
|
|
|
|
<p>One interesting (and somewhat unusual) aspect of tokens is that they don't
|
|
contain any semantic information about the lexed value. For example, if the
|
|
token was a pp-number token, we do not represent the value of the number that
|
|
was lexed (this is left for later pieces of code to decide). Additionally, the
|
|
lexer library has no notion of typedef names vs variable names: both are
|
|
returned as identifiers, and the parser is left to decide whether a specific
|
|
identifier is a typedef or a variable (tracking this requires scope information
|
|
among other things).</p>
|
|
|
|
<!-- ======================================================================= -->
|
|
<h3 id="Lexer">The Lexer class</h3>
|
|
<!-- ======================================================================= -->
|
|
|
|
<p>The Lexer class provides the mechanics of lexing tokens out of a source
|
|
buffer and deciding what they mean. The Lexer is complicated by the fact that
|
|
it operates on raw buffers that have not had spelling eliminated (this is a
|
|
necessity to get decent performance), but this is countered with careful coding
|
|
as well as standard performance techniques (for example, the comment handling
|
|
code is vectorized on X86 and PowerPC hosts).</p>
|
|
|
|
<p>The lexer has a couple of interesting modal features:</p>
|
|
|
|
<ul>
|
|
<li>The lexer can operate in 'raw' mode. This mode has several features that
|
|
make it possible to quickly lex the file (e.g. it stops identifier lookup,
|
|
doesn't specially handle preprocessor tokens, handles EOF differently, etc).
|
|
This mode is used for lexing within an "<tt>#if 0</tt>" block, for
|
|
example.</li>
|
|
<li>The lexer can capture and return comments as tokens. This is required to
|
|
support the -C preprocessor mode, which passes comments through, and is
|
|
used by the diagnostic checker to identifier expect-error annotations.</li>
|
|
<li>The lexer can be in ParsingFilename mode, which happens when preprocessing
|
|
after reading a #include directive. This mode changes the parsing of '<'
|
|
to return an "angled string" instead of a bunch of tokens for each thing
|
|
within the filename.</li>
|
|
<li>When parsing a preprocessor directive (after "<tt>#</tt>") the
|
|
ParsingPreprocessorDirective mode is entered. This changes the parser to
|
|
return EOM at a newline.</li>
|
|
<li>The Lexer uses a LangOptions object to know whether trigraphs are enabled,
|
|
whether C++ or ObjC keywords are recognized, etc.</li>
|
|
</ul>
|
|
|
|
<p>In addition to these modes, the lexer keeps track of a couple of other
|
|
features that are local to a lexed buffer, which change as the buffer is
|
|
lexed:</p>
|
|
|
|
<ul>
|
|
<li>The Lexer uses BufferPtr to keep track of the current character being
|
|
lexed.</li>
|
|
<li>The Lexer uses IsAtStartOfLine to keep track of whether the next lexed token
|
|
will start with its "start of line" bit set.</li>
|
|
<li>The Lexer keeps track of the current #if directives that are active (which
|
|
can be nested).</li>
|
|
<li>The Lexer keeps track of an <a href="#MultipleIncludeOpt">
|
|
MultipleIncludeOpt</a> object, which is used to
|
|
detect whether the buffer uses the standard "<tt>#ifndef XX</tt> /
|
|
<tt>#define XX</tt>" idiom to prevent multiple inclusion. If a buffer does,
|
|
subsequent includes can be ignored if the XX macro is defined.</li>
|
|
</ul>
|
|
|
|
<!-- ======================================================================= -->
|
|
<h3 id="TokenLexer">The TokenLexer class</h3>
|
|
<!-- ======================================================================= -->
|
|
|
|
<p>The TokenLexer class is a token provider that returns tokens from a list
|
|
of tokens that came from somewhere else. It typically used for two things: 1)
|
|
returning tokens from a macro definition as it is being expanded 2) returning
|
|
tokens from an arbitrary buffer of tokens. The later use is used by _Pragma and
|
|
will most likely be used to handle unbounded look-ahead for the C++ parser.</p>
|
|
|
|
<!-- ======================================================================= -->
|
|
<h3 id="MultipleIncludeOpt">The MultipleIncludeOpt class</h3>
|
|
<!-- ======================================================================= -->
|
|
|
|
<p>The MultipleIncludeOpt class implements a really simple little state machine
|
|
that is used to detect the standard "<tt>#ifndef XX</tt> / <tt>#define XX</tt>"
|
|
idiom that people typically use to prevent multiple inclusion of headers. If a
|
|
buffer uses this idiom and is subsequently #include'd, the preprocessor can
|
|
simply check to see whether the guarding condition is defined or not. If so,
|
|
the preprocessor can completely ignore the include of the header.</p>
|
|
|
|
|
|
|
|
<!-- ======================================================================= -->
|
|
<h2 id="libparse">The Parser Library</h2>
|
|
<!-- ======================================================================= -->
|
|
|
|
<!-- ======================================================================= -->
|
|
<h2 id="libast">The AST Library</h2>
|
|
<!-- ======================================================================= -->
|
|
|
|
<!-- ======================================================================= -->
|
|
<h3 id="Type">The Type class and its subclasses</h3>
|
|
<!-- ======================================================================= -->
|
|
|
|
<p>The Type class (and its subclasses) are an important part of the AST. Types
|
|
are accessed through the ASTContext class, which implicitly creates and uniques
|
|
them as they are needed. Types have a couple of non-obvious features: 1) they
|
|
do not capture type qualifiers like const or volatile (See
|
|
<a href="#QualType">QualType</a>), and 2) they implicitly capture typedef
|
|
information. Once created, types are immutable (unlike decls).</p>
|
|
|
|
<p>Typedefs in C make semantic analysis a bit more complex than it would
|
|
be without them. The issue is that we want to capture typedef information
|
|
and represent it in the AST perfectly, but the semantics of operations need to
|
|
"see through" typedefs. For example, consider this code:</p>
|
|
|
|
<code>
|
|
void func() {<br>
|
|
typedef int foo;<br>
|
|
foo X, *Y;<br>
|
|
typedef foo* bar;<br>
|
|
bar Z;<br>
|
|
*X; <i>// error</i><br>
|
|
**Y; <i>// error</i><br>
|
|
**Z; <i>// error</i><br>
|
|
}<br>
|
|
</code>
|
|
|
|
<p>The code above is illegal, and thus we expect there to be diagnostics emitted
|
|
on the annotated lines. In this example, we expect to get:</p>
|
|
|
|
<pre>
|
|
<b>test.c:6:1: error: indirection requires pointer operand ('foo' invalid)</b>
|
|
*X; // error
|
|
<font color="blue">^~</font>
|
|
<b>test.c:7:1: error: indirection requires pointer operand ('foo' invalid)</b>
|
|
**Y; // error
|
|
<font color="blue">^~~</font>
|
|
<b>test.c:8:1: error: indirection requires pointer operand ('foo' invalid)</b>
|
|
**Z; // error
|
|
<font color="blue">^~~</font>
|
|
</pre>
|
|
|
|
<p>While this example is somewhat silly, it illustrates the point: we want to
|
|
retain typedef information where possible, so that we can emit errors about
|
|
"<tt>std::string</tt>" instead of "<tt>std::basic_string<char, std:...</tt>".
|
|
Doing this requires properly keeping typedef information (for example, the type
|
|
of "X" is "foo", not "int"), and requires properly propagating it through the
|
|
various operators (for example, the type of *Y is "foo", not "int"). In order
|
|
to retain this information, the type of these expressions is an instance of the
|
|
TypedefType class, which indicates that the type of these expressions is a
|
|
typedef for foo.
|
|
</p>
|
|
|
|
<p>Representing types like this is great for diagnostics, because the
|
|
user-specified type is always immediately available. There are two problems
|
|
with this: first, various semantic checks need to make judgements about the
|
|
<em>actual structure</em> of a type, ignoring typdefs. Second, we need an
|
|
efficient way to query whether two types are structurally identical to each
|
|
other, ignoring typedefs. The solution to both of these problems is the idea of
|
|
canonical types.</p>
|
|
|
|
<h4>Canonical Types</h4>
|
|
|
|
<p>Every instance of the Type class contains a canonical type pointer. For
|
|
simple types with no typedefs involved (e.g. "<tt>int</tt>", "<tt>int*</tt>",
|
|
"<tt>int**</tt>"), the type just points to itself. For types that have a
|
|
typedef somewhere in their structure (e.g. "<tt>foo</tt>", "<tt>foo*</tt>",
|
|
"<tt>foo**</tt>", "<tt>bar</tt>"), the canonical type pointer points to their
|
|
structurally equivalent type without any typedefs (e.g. "<tt>int</tt>",
|
|
"<tt>int*</tt>", "<tt>int**</tt>", and "<tt>int*</tt>" respectively).</p>
|
|
|
|
<p>This design provides a constant time operation (dereferencing the canonical
|
|
type pointer) that gives us access to the structure of types. For example,
|
|
we can trivially tell that "bar" and "foo*" are the same type by dereferencing
|
|
their canonical type pointers and doing a pointer comparison (they both point
|
|
to the single "<tt>int*</tt>" type).</p>
|
|
|
|
<p>Canonical types and typedef types bring up some complexities that must be
|
|
carefully managed. Specifically, the "isa/cast/dyncast" operators generally
|
|
shouldn't be used in code that is inspecting the AST. For example, when type
|
|
checking the indirection operator (unary '*' on a pointer), the type checker
|
|
must verify that the operand has a pointer type. It would not be correct to
|
|
check that with "<tt>isa<PointerType>(SubExpr->getType())</tt>",
|
|
because this predicate would fail if the subexpression had a typedef type.</p>
|
|
|
|
<p>The solution to this problem are a set of helper methods on Type, used to
|
|
check their properties. In this case, it would be correct to use
|
|
"<tt>SubExpr->getType()->isPointerType()</tt>" to do the check. This
|
|
predicate will return true if the <em>canonical type is a pointer</em>, which is
|
|
true any time the type is structurally a pointer type. The only hard part here
|
|
is remembering not to use the <tt>isa/cast/dyncast</tt> operations.</p>
|
|
|
|
<p>The second problem we face is how to get access to the pointer type once we
|
|
know it exists. To continue the example, the result type of the indirection
|
|
operator is the pointee type of the subexpression. In order to determine the
|
|
type, we need to get the instance of PointerType that best captures the typedef
|
|
information in the program. If the type of the expression is literally a
|
|
PointerType, we can return that, otherwise we have to dig through the
|
|
typedefs to find the pointer type. For example, if the subexpression had type
|
|
"<tt>foo*</tt>", we could return that type as the result. If the subexpression
|
|
had type "<tt>bar</tt>", we want to return "<tt>foo*</tt>" (note that we do
|
|
<em>not</em> want "<tt>int*</tt>"). In order to provide all of this, Type has
|
|
a getAsPointerType() method that checks whether the type is structurally a
|
|
PointerType and, if so, returns the best one. If not, it returns a null
|
|
pointer.</p>
|
|
|
|
<p>This structure is somewhat mystical, but after meditating on it, it will
|
|
make sense to you :).</p>
|
|
|
|
<!-- ======================================================================= -->
|
|
<h3 id="QualType">The QualType class</h3>
|
|
<!-- ======================================================================= -->
|
|
|
|
<p>The QualType class is designed as a trivial value class that is small,
|
|
passed by-value and is efficient to query. The idea of QualType is that it
|
|
stores the type qualifiers (const, volatile, restrict) separately from the types
|
|
themselves: QualType is conceptually a pair of "Type*" and bits for the type
|
|
qualifiers.</p>
|
|
|
|
<p>By storing the type qualifiers as bits in the conceptual pair, it is
|
|
extremely efficient to get the set of qualifiers on a QualType (just return the
|
|
field of the pair), add a type qualifier (which is a trivial constant-time
|
|
operation that sets a bit), and remove one or more type qualifiers (just return
|
|
a QualType with the bitfield set to empty).</p>
|
|
|
|
<p>Further, because the bits are stored outside of the type itself, we do not
|
|
need to create duplicates of types with different sets of qualifiers (i.e. there
|
|
is only a single heap allocated "int" type: "const int" and "volatile const int"
|
|
both point to the same heap allocated "int" type). This reduces the heap size
|
|
used to represent bits and also means we do not have to consider qualifiers when
|
|
uniquing types (<a href="#Type">Type</a> does not even contain qualifiers).</p>
|
|
|
|
<p>In practice, on hosts where it is safe, the 3 type qualifiers are stored in
|
|
the low bit of the pointer to the Type object. This means that QualType is
|
|
exactly the same size as a pointer, and this works fine on any system where
|
|
malloc'd objects are at least 8 byte aligned.</p>
|
|
|
|
<!-- ======================================================================= -->
|
|
<h3 id="CFG">The <tt>CFG</tt> class</h3>
|
|
<!-- ======================================================================= -->
|
|
|
|
<p>The <tt>CFG</tt> class is designed to represent a source-level
|
|
control-flow graph for a single statement (<tt>Stmt*</tt>). Typically
|
|
instances of <tt>CFG</tt> are constructed for function bodies (usually
|
|
an instance of <tt>CompoundStmt</tt>), but can also be instantiated to
|
|
represent the control-flow of any class that subclasses <tt>Stmt</tt>,
|
|
which includes simple expressions. Control-flow graphs are especially
|
|
useful for performing
|
|
<a href="http://en.wikipedia.org/wiki/Data_flow_analysis#Sensitivities">flow-
|
|
or path-sensitive</a> program analyses on a given function.</p>
|
|
|
|
<h4>Basic Blocks</h4>
|
|
|
|
<p>Concretely, an instance of <tt>CFG</tt> is a collection of basic
|
|
blocks. Each basic block is an instance of <tt>CFGBlock</tt>, which
|
|
simply contains an ordered sequence of <tt>Stmt*</tt> (each referring
|
|
to statements in the AST). The ordering of statements within a block
|
|
indicates unconditional flow of control from one statement to the
|
|
next. <a href="#ConditionalControlFlow">Conditional control-flow</a>
|
|
is represented using edges between basic blocks. The statements
|
|
within a given <tt>CFGBlock</tt> can be traversed using
|
|
the <tt>CFGBlock::*iterator</tt> interface.</p>
|
|
|
|
<p>
|
|
A <tt>CFG</tt> object owns the instances of <tt>CFGBlock</tt> within
|
|
the control-flow graph it represents. Each <tt>CFGBlock</tt> within a
|
|
CFG is also uniquely numbered (accessible
|
|
via <tt>CFGBlock::getBlockID()</tt>). Currently the number is
|
|
based on the ordering the blocks were created, but no assumptions
|
|
should be made on how <tt>CFGBlock</tt>s are numbered other than their
|
|
numbers are unique and that they are numbered from 0..N-1 (where N is
|
|
the number of basic blocks in the CFG).</p>
|
|
|
|
<h4>Entry and Exit Blocks</h4>
|
|
|
|
Each instance of <tt>CFG</tt> contains two special blocks:
|
|
an <i>entry</i> block (accessible via <tt>CFG::getEntry()</tt>), which
|
|
has no incoming edges, and an <i>exit</i> block (accessible
|
|
via <tt>CFG::getExit()</tt>), which has no outgoing edges. Neither
|
|
block contains any statements, and they serve the role of providing a
|
|
clear entrance and exit for a body of code such as a function body.
|
|
The presence of these empty blocks greatly simplifies the
|
|
implementation of many analyses built on top of CFGs.
|
|
|
|
<h4 id ="ConditionalControlFlow">Conditional Control-Flow</h4>
|
|
|
|
<p>Conditional control-flow (such as those induced by if-statements
|
|
and loops) is represented as edges between <tt>CFGBlock</tt>s.
|
|
Because different C language constructs can induce control-flow,
|
|
each <tt>CFGBlock</tt> also records an extra <tt>Stmt*</tt> that
|
|
represents the <i>terminator</i> of the block. A terminator is simply
|
|
the statement that caused the control-flow, and is used to identify
|
|
the nature of the conditional control-flow between blocks. For
|
|
example, in the case of an if-statement, the terminator refers to
|
|
the <tt>IfStmt</tt> object in the AST that represented the given
|
|
branch.</p>
|
|
|
|
<p>To illustrate, consider the following code example:</p>
|
|
|
|
<code>
|
|
int foo(int x) {<br>
|
|
x = x + 1;<br>
|
|
<br>
|
|
if (x > 2) x++;<br>
|
|
else {<br>
|
|
x += 2;<br>
|
|
x *= 2;<br>
|
|
}<br>
|
|
<br>
|
|
return x;<br>
|
|
}
|
|
</code>
|
|
|
|
<p>After invoking the parser+semantic analyzer on this code fragment,
|
|
the AST of the body of <tt>foo</tt> is referenced by a
|
|
single <tt>Stmt*</tt>. We can then construct an instance
|
|
of <tt>CFG</tt> representing the control-flow graph of this function
|
|
body by single call to a static class method:</p>
|
|
|
|
<code>
|
|
Stmt* FooBody = ...<br>
|
|
CFG* FooCFG = <b>CFG::buildCFG</b>(FooBody);
|
|
</code>
|
|
|
|
<p>It is the responsibility of the caller of <tt>CFG::buildCFG</tt>
|
|
to <tt>delete</tt> the returned <tt>CFG*</tt> when the CFG is no
|
|
longer needed.</p>
|
|
|
|
<p>Along with providing an interface to iterate over
|
|
its <tt>CFGBlock</tt>s, the <tt>CFG</tt> class also provides methods
|
|
that are useful for debugging and visualizing CFGs. For example, the
|
|
method
|
|
<tt>CFG::dump()</tt> dumps a pretty-printed version of the CFG to
|
|
standard error. This is especially useful when one is using a
|
|
debugger such as gdb. For example, here is the output
|
|
of <tt>FooCFG->dump()</tt>:</p>
|
|
|
|
<code>
|
|
[ B5 (ENTRY) ]<br>
|
|
Predecessors (0):<br>
|
|
Successors (1): B4<br>
|
|
<br>
|
|
[ B4 ]<br>
|
|
1: x = x + 1<br>
|
|
2: (x > 2)<br>
|
|
<b>T: if [B4.2]</b><br>
|
|
Predecessors (1): B5<br>
|
|
Successors (2): B3 B2<br>
|
|
<br>
|
|
[ B3 ]<br>
|
|
1: x++<br>
|
|
Predecessors (1): B4<br>
|
|
Successors (1): B1<br>
|
|
<br>
|
|
[ B2 ]<br>
|
|
1: x += 2<br>
|
|
2: x *= 2<br>
|
|
Predecessors (1): B4<br>
|
|
Successors (1): B1<br>
|
|
<br>
|
|
[ B1 ]<br>
|
|
1: return x;<br>
|
|
Predecessors (2): B2 B3<br>
|
|
Successors (1): B0<br>
|
|
<br>
|
|
[ B0 (EXIT) ]<br>
|
|
Predecessors (1): B1<br>
|
|
Successors (0):
|
|
</code>
|
|
|
|
<p>For each block, the pretty-printed output displays for each block
|
|
the number of <i>predecessor</i> blocks (blocks that have outgoing
|
|
control-flow to the given block) and <i>successor</i> blocks (blocks
|
|
that have control-flow that have incoming control-flow from the given
|
|
block). We can also clearly see the special entry and exit blocks at
|
|
the beginning and end of the pretty-printed output. For the entry
|
|
block (block B5), the number of predecessor blocks is 0, while for the
|
|
exit block (block B0) the number of successor blocks is 0.</p>
|
|
|
|
<p>The most interesting block here is B4, whose outgoing control-flow
|
|
represents the branching caused by the sole if-statement
|
|
in <tt>foo</tt>. Of particular interest is the second statement in
|
|
the block, <b><tt>(x > 2)</tt></b>, and the terminator, printed
|
|
as <b><tt>if [B4.2]</tt></b>. The second statement represents the
|
|
evaluation of the condition of the if-statement, which occurs before
|
|
the actual branching of control-flow. Within the <tt>CFGBlock</tt>
|
|
for B4, the <tt>Stmt*</tt> for the second statement refers to the
|
|
actual expression in the AST for <b><tt>(x > 2)</tt></b>. Thus
|
|
pointers to subclasses of <tt>Expr</tt> can appear in the list of
|
|
statements in a block, and not just subclasses of <tt>Stmt</tt> that
|
|
refer to proper C statements.</p>
|
|
|
|
<p>The terminator of block B4 is a pointer to the <tt>IfStmt</tt>
|
|
object in the AST. The pretty-printer outputs <b><tt>if
|
|
[B4.2]</tt></b> because the condition expression of the if-statement
|
|
has an actual place in the basic block, and thus the terminator is
|
|
essentially
|
|
<i>referring</i> to the expression that is the second statement of
|
|
block B4 (i.e., B4.2). In this manner, conditions for control-flow
|
|
(which also includes conditions for loops and switch statements) are
|
|
hoisted into the actual basic block.</p>
|
|
|
|
<!--
|
|
<h4>Implicit Control-Flow</h4>
|
|
-->
|
|
|
|
<!--
|
|
<p>A key design principle of the <tt>CFG</tt> class was to not require
|
|
any transformations to the AST in order to represent control-flow.
|
|
Thus the <tt>CFG</tt> does not perform any "lowering" of the
|
|
statements in an AST: loops are not transformed into guarded gotos,
|
|
short-circuit operations are not converted to a set of if-statements,
|
|
and so on.</p>
|
|
-->
|
|
|
|
</div>
|
|
</body>
|
|
</html> |