blob: 78fb9b1d9ce2a1581def76f7d3f97acceba03ba1 [file] [log] [blame]
Chris Lattner86920d32007-07-31 05:42:17 +00001<title>"clang" CFE Internals Manual</title>
2
3<h1>"clang" CFE Internals Manual</h1>
4
5<ul>
6<li><a href="#intro">Introduction</a></li>
7<li><a href="#libsystem">LLVM System and Support Libraries</a></li>
8<li><a href="#libbasic">The clang 'Basic' Library</a>
9 <ul>
10 <li><a href="#SourceLocation">The SourceLocation and SourceManager
11 classes</a></li>
12 </ul>
13</li>
14<li><a href="#liblex">The Lexer and Preprocessor Library</a>
15 <ul>
16 <li><a href="#Token">The Token class</a></li>
17 <li><a href="#Lexer">The Lexer class</a></li>
Chris Lattner79281252008-03-09 02:27:26 +000018 <li><a href="#TokenLexer">The TokenLexer class</a></li>
Chris Lattner86920d32007-07-31 05:42:17 +000019 <li><a href="#MultipleIncludeOpt">The MultipleIncludeOpt class</a></li>
20 </ul>
21</li>
22<li><a href="#libparse">The Parser Library</a>
23 <ul>
24 </ul>
25</li>
26<li><a href="#libast">The AST Library</a>
27 <ul>
28 <li><a href="#Type">The Type class and its subclasses</a></li>
29 <li><a href="#QualType">The QualType class</a></li>
Ted Kremenek8bc05712007-10-10 23:01:43 +000030 <li><a href="#CFG">The CFG class</a></li>
Chris Lattner86920d32007-07-31 05:42:17 +000031 </ul>
32</li>
33</ul>
34
35
36<!-- ======================================================================= -->
37<h2 id="intro">Introduction</h2>
38<!-- ======================================================================= -->
39
40<p>This document describes some of the more important APIs and internal design
41decisions made in the clang C front-end. The purpose of this document is to
42both capture some of this high level information and also describe some of the
43design decisions behind it. This is meant for people interested in hacking on
44clang, not for end-users. The description below is categorized by
45libraries, and does not describe any of the clients of the libraries.</p>
46
47<!-- ======================================================================= -->
48<h2 id="libsystem">LLVM System and Support Libraries</h2>
49<!-- ======================================================================= -->
50
51<p>The LLVM libsystem library provides the basic clang system abstraction layer,
52which is used for file system access. The LLVM libsupport library provides many
53underlying libraries and <a
54href="http://llvm.org/docs/ProgrammersManual.html">data-structures</a>,
55 including command line option
56processing and various containers.</p>
57
58<!-- ======================================================================= -->
59<h2 id="libbasic">The clang 'Basic' Library</h2>
60<!-- ======================================================================= -->
61
62<p>This library certainly needs a better name. The 'basic' library contains a
63number of low-level utilities for tracking and manipulating source buffers,
64locations within the source buffers, diagnostics, tokens, target abstraction,
65and information about the subset of the language being compiled for.</p>
66
67<p>Part of this infrastructure is specific to C (such as the TargetInfo class),
68other parts could be reused for other non-C-based languages (SourceLocation,
69SourceManager, Diagnostics, FileManager). When and if there is future demand
70we can figure out if it makes sense to introduce a new library, move the general
71classes somewhere else, or introduce some other solution.</p>
72
73<p>We describe the roles of these classes in order of their dependencies.</p>
74
75<!-- ======================================================================= -->
76<h3 id="SourceLocation">The SourceLocation and SourceManager classes</h3>
77<!-- ======================================================================= -->
78
79<p>Strangely enough, the SourceLocation class represents a location within the
80source code of the program. Important design points include:</p>
81
82<ol>
83<li>sizeof(SourceLocation) must be extremely small, as these are embedded into
84 many AST nodes and are passed around often. Currently it is 32 bits.</li>
85<li>SourceLocation must be a simple value object that can be efficiently
86 copied.</li>
87<li>We should be able to represent a source location for any byte of any input
88 file. This includes in the middle of tokens, in whitespace, in trigraphs,
89 etc.</li>
90<li>A SourceLocation must encode the current #include stack that was active when
91 the location was processed. For example, if the location corresponds to a
92 token, it should contain the set of #includes active when the token was
93 lexed. This allows us to print the #include stack for a diagnostic.</li>
94<li>SourceLocation must be able to describe macro expansions, capturing both
95 the ultimate instantiation point and the source of the original character
96 data.</li>
97</ol>
98
99<p>In practice, the SourceLocation works together with the SourceManager class
100to encode two pieces of information about a location: it's physical location
101and it's virtual location. For most tokens, these will be the same. However,
102for a macro expansion (or tokens that came from a _Pragma directive) these will
103describe the location of the characters corresponding to the token and the
104location where the token was used (i.e. the macro instantiation point or the
105location of the _Pragma itself).</p>
106
107<p>For efficiency, we only track one level of macro instantions: if a token was
108produced by multiple instantiations, we only track the source and ultimate
109destination. Though we could track the intermediate instantiation points, this
110would require extra bookkeeping and no known client would benefit substantially
111from this.</p>
112
113<p>The clang front-end inherently depends on the location of a token being
114tracked correctly. If it is ever incorrect, the front-end may get confused and
115die. The reason for this is that the notion of the 'spelling' of a Token in
116clang depends on being able to find the original input characters for the token.
117This concept maps directly to the "physical" location for the token.</p>
118
119<!-- ======================================================================= -->
120<h2 id="liblex">The Lexer and Preprocessor Library</h2>
121<!-- ======================================================================= -->
122
123<p>The Lexer library contains several tightly-connected classes that are involved
124with the nasty process of lexing and preprocessing C source code. The main
125interface to this library for outside clients is the large <a
126href="#Preprocessor">Preprocessor</a> class.
127It contains the various pieces of state that are required to coherently read
128tokens out of a translation unit.</p>
129
130<p>The core interface to the Preprocessor object (once it is set up) is the
131Preprocessor::Lex method, which returns the next <a href="#Token">Token</a> from
132the preprocessor stream. There are two types of token providers that the
133preprocessor is capable of reading from: a buffer lexer (provided by the <a
134href="#Lexer">Lexer</a> class) and a buffered token stream (provided by the <a
Chris Lattner79281252008-03-09 02:27:26 +0000135href="#TokenLexer">TokenLexer</a> class).
Chris Lattner86920d32007-07-31 05:42:17 +0000136
137
138<!-- ======================================================================= -->
139<h3 id="Token">The Token class</h3>
140<!-- ======================================================================= -->
141
142<p>The Token class is used to represent a single lexed token. Tokens are
143intended to be used by the lexer/preprocess and parser libraries, but are not
144intended to live beyond them (for example, they should not live in the ASTs).<p>
145
146<p>Tokens most often live on the stack (or some other location that is efficient
147to access) as the parser is running, but occasionally do get buffered up. For
148example, macro definitions are stored as a series of tokens, and the C++
149front-end will eventually need to buffer tokens up for tentative parsing and
150various pieces of look-ahead. As such, the size of a Token matter. On a 32-bit
151system, sizeof(Token) is currently 16 bytes.</p>
152
153<p>Tokens contain the following information:</p>
154
155<ul>
156<li><b>A SourceLocation</b> - This indicates the location of the start of the
157token.</li>
158
159<li><b>A length</b> - This stores the length of the token as stored in the
160SourceBuffer. For tokens that include them, this length includes trigraphs and
161escaped newlines which are ignored by later phases of the compiler. By pointing
162into the original source buffer, it is always possible to get the original
163spelling of a token completely accurately.</li>
164
165<li><b>IdentifierInfo</b> - If a token takes the form of an identifier, and if
166identifier lookup was enabled when the token was lexed (e.g. the lexer was not
167reading in 'raw' mode) this contains a pointer to the unique hash value for the
168identifier. Because the lookup happens before keyword identification, this
169field is set even for language keywords like 'for'.</li>
170
171<li><b>TokenKind</b> - This indicates the kind of token as classified by the
172lexer. This includes things like <tt>tok::starequal</tt> (for the "*="
173operator), <tt>tok::ampamp</tt> for the "&amp;&amp;" token, and keyword values
174(e.g. <tt>tok::kw_for</tt>) for identifiers that correspond to keywords. Note
175that some tokens can be spelled multiple ways. For example, C++ supports
176"operator keywords", where things like "and" are treated exactly like the
177"&amp;&amp;" operator. In these cases, the kind value is set to
178<tt>tok::ampamp</tt>, which is good for the parser, which doesn't have to
179consider both forms. For something that cares about which form is used (e.g.
180the preprocessor 'stringize' operator) the spelling indicates the original
181form.</li>
182
183<li><b>Flags</b> - There are currently four flags tracked by the
184lexer/preprocessor system on a per-token basis:
185
186 <ol>
187 <li><b>StartOfLine</b> - This was the first token that occurred on its input
188 source line.</li>
189 <li><b>LeadingSpace</b> - There was a space character either immediately
190 before the token or transitively before the token as it was expanded
191 through a macro. The definition of this flag is very closely defined by
192 the stringizing requirements of the preprocessor.</li>
193 <li><b>DisableExpand</b> - This flag is used internally to the preprocessor to
194 represent identifier tokens which have macro expansion disabled. This
195 prevents them from being considered as candidates for macro expansion ever
196 in the future.</li>
197 <li><b>NeedsCleaning</b> - This flag is set if the original spelling for the
198 token includes a trigraph or escaped newline. Since this is uncommon,
199 many pieces of code can fast-path on tokens that did not need cleaning.
200 </p>
201 </ol>
202</li>
203</ul>
204
205<p>One interesting (and somewhat unusual) aspect of tokens is that they don't
206contain any semantic information about the lexed value. For example, if the
207token was a pp-number token, we do not represent the value of the number that
208was lexed (this is left for later pieces of code to decide). Additionally, the
209lexer library has no notion of typedef names vs variable names: both are
210returned as identifiers, and the parser is left to decide whether a specific
211identifier is a typedef or a variable (tracking this requires scope information
212among other things).</p>
213
214<!-- ======================================================================= -->
215<h3 id="Lexer">The Lexer class</h3>
216<!-- ======================================================================= -->
217
218<p>The Lexer class provides the mechanics of lexing tokens out of a source
219buffer and deciding what they mean. The Lexer is complicated by the fact that
220it operates on raw buffers that have not had spelling eliminated (this is a
221necessity to get decent performance), but this is countered with careful coding
222as well as standard performance techniques (for example, the comment handling
223code is vectorized on X86 and PowerPC hosts).</p>
224
225<p>The lexer has a couple of interesting modal features:</p>
226
227<ul>
228<li>The lexer can operate in 'raw' mode. This mode has several features that
229 make it possible to quickly lex the file (e.g. it stops identifier lookup,
230 doesn't specially handle preprocessor tokens, handles EOF differently, etc).
231 This mode is used for lexing within an "<tt>#if 0</tt>" block, for
232 example.</li>
233<li>The lexer can capture and return comments as tokens. This is required to
234 support the -C preprocessor mode, which passes comments through, and is
235 used by the diagnostic checker to identifier expect-error annotations.</li>
236<li>The lexer can be in ParsingFilename mode, which happens when preprocessing
Chris Lattner84386242007-09-16 19:25:23 +0000237 after reading a #include directive. This mode changes the parsing of '&lt;'
Chris Lattner86920d32007-07-31 05:42:17 +0000238 to return an "angled string" instead of a bunch of tokens for each thing
239 within the filename.</li>
240<li>When parsing a preprocessor directive (after "<tt>#</tt>") the
241 ParsingPreprocessorDirective mode is entered. This changes the parser to
242 return EOM at a newline.</li>
243<li>The Lexer uses a LangOptions object to know whether trigraphs are enabled,
244 whether C++ or ObjC keywords are recognized, etc.</li>
245</ul>
246
247<p>In addition to these modes, the lexer keeps track of a couple of other
248 features that are local to a lexed buffer, which change as the buffer is
249 lexed:</p>
250
251<ul>
252<li>The Lexer uses BufferPtr to keep track of the current character being
253 lexed.</li>
254<li>The Lexer uses IsAtStartOfLine to keep track of whether the next lexed token
255 will start with its "start of line" bit set.</li>
256<li>The Lexer keeps track of the current #if directives that are active (which
257 can be nested).</li>
258<li>The Lexer keeps track of an <a href="#MultipleIncludeOpt">
259 MultipleIncludeOpt</a> object, which is used to
260 detect whether the buffer uses the standard "<tt>#ifndef XX</tt> /
261 <tt>#define XX</tt>" idiom to prevent multiple inclusion. If a buffer does,
262 subsequent includes can be ignored if the XX macro is defined.</li>
263</ul>
264
265<!-- ======================================================================= -->
Chris Lattner79281252008-03-09 02:27:26 +0000266<h3 id="TokenLexer">The TokenLexer class</h3>
Chris Lattner86920d32007-07-31 05:42:17 +0000267<!-- ======================================================================= -->
268
Chris Lattner79281252008-03-09 02:27:26 +0000269<p>The TokenLexer class is a token provider that returns tokens from a list
Chris Lattner86920d32007-07-31 05:42:17 +0000270of tokens that came from somewhere else. It typically used for two things: 1)
271returning tokens from a macro definition as it is being expanded 2) returning
272tokens from an arbitrary buffer of tokens. The later use is used by _Pragma and
273will most likely be used to handle unbounded look-ahead for the C++ parser.</p>
274
275<!-- ======================================================================= -->
276<h3 id="MultipleIncludeOpt">The MultipleIncludeOpt class</h3>
277<!-- ======================================================================= -->
278
279<p>The MultipleIncludeOpt class implements a really simple little state machine
280that is used to detect the standard "<tt>#ifndef XX</tt> / <tt>#define XX</tt>"
281idiom that people typically use to prevent multiple inclusion of headers. If a
282buffer uses this idiom and is subsequently #include'd, the preprocessor can
283simply check to see whether the guarding condition is defined or not. If so,
284the preprocessor can completely ignore the include of the header.</p>
285
286
287
288<!-- ======================================================================= -->
289<h2 id="libparse">The Parser Library</h2>
290<!-- ======================================================================= -->
291
292<!-- ======================================================================= -->
293<h2 id="libast">The AST Library</h2>
294<!-- ======================================================================= -->
295
296<!-- ======================================================================= -->
297<h3 id="Type">The Type class and its subclasses</h3>
298<!-- ======================================================================= -->
299
300<p>The Type class (and its subclasses) are an important part of the AST. Types
301are accessed through the ASTContext class, which implicitly creates and uniques
302them as they are needed. Types have a couple of non-obvious features: 1) they
303do not capture type qualifiers like const or volatile (See
304<a href="#QualType">QualType</a>), and 2) they implicitly capture typedef
Chris Lattner8a2bc622007-07-31 06:37:39 +0000305information. Once created, types are immutable (unlike decls).</p>
Chris Lattner86920d32007-07-31 05:42:17 +0000306
307<p>Typedefs in C make semantic analysis a bit more complex than it would
308be without them. The issue is that we want to capture typedef information
309and represent it in the AST perfectly, but the semantics of operations need to
310"see through" typedefs. For example, consider this code:</p>
311
312<code>
313void func() {<br>
Bill Wendling30d17752007-10-06 01:56:01 +0000314&nbsp;&nbsp;typedef int foo;<br>
315&nbsp;&nbsp;foo X, *Y;<br>
316&nbsp;&nbsp;typedef foo* bar;<br>
317&nbsp;&nbsp;bar Z;<br>
318&nbsp;&nbsp;*X; <i>// error</i><br>
319&nbsp;&nbsp;**Y; <i>// error</i><br>
320&nbsp;&nbsp;**Z; <i>// error</i><br>
Chris Lattner86920d32007-07-31 05:42:17 +0000321}<br>
322</code>
323
324<p>The code above is illegal, and thus we expect there to be diagnostics emitted
325on the annotated lines. In this example, we expect to get:</p>
326
327<pre>
Chris Lattner8a2bc622007-07-31 06:37:39 +0000328<b>test.c:6:1: error: indirection requires pointer operand ('foo' invalid)</b>
Chris Lattner86920d32007-07-31 05:42:17 +0000329*X; // error
330<font color="blue">^~</font>
Chris Lattner8a2bc622007-07-31 06:37:39 +0000331<b>test.c:7:1: error: indirection requires pointer operand ('foo' invalid)</b>
Chris Lattner86920d32007-07-31 05:42:17 +0000332**Y; // error
333<font color="blue">^~~</font>
Chris Lattner8a2bc622007-07-31 06:37:39 +0000334<b>test.c:8:1: error: indirection requires pointer operand ('foo' invalid)</b>
335**Z; // error
336<font color="blue">^~~</font>
Chris Lattner86920d32007-07-31 05:42:17 +0000337</pre>
338
339<p>While this example is somewhat silly, it illustrates the point: we want to
340retain typedef information where possible, so that we can emit errors about
341"<tt>std::string</tt>" instead of "<tt>std::basic_string&lt;char, std:...</tt>".
342Doing this requires properly keeping typedef information (for example, the type
343of "X" is "foo", not "int"), and requires properly propagating it through the
Chris Lattner8a2bc622007-07-31 06:37:39 +0000344various operators (for example, the type of *Y is "foo", not "int"). In order
345to retain this information, the type of these expressions is an instance of the
346TypedefType class, which indicates that the type of these expressions is a
347typedef for foo.
348</p>
Chris Lattner86920d32007-07-31 05:42:17 +0000349
Chris Lattner8a2bc622007-07-31 06:37:39 +0000350<p>Representing types like this is great for diagnostics, because the
351user-specified type is always immediately available. There are two problems
352with this: first, various semantic checks need to make judgements about the
Chris Lattner33fc68a2007-07-31 18:54:50 +0000353<em>actual structure</em> of a type, ignoring typdefs. Second, we need an
354efficient way to query whether two types are structurally identical to each
355other, ignoring typedefs. The solution to both of these problems is the idea of
Chris Lattner8a2bc622007-07-31 06:37:39 +0000356canonical types.</p>
Chris Lattner86920d32007-07-31 05:42:17 +0000357
Chris Lattner8a2bc622007-07-31 06:37:39 +0000358<h4>Canonical Types</h4>
Chris Lattner86920d32007-07-31 05:42:17 +0000359
Chris Lattner8a2bc622007-07-31 06:37:39 +0000360<p>Every instance of the Type class contains a canonical type pointer. For
361simple types with no typedefs involved (e.g. "<tt>int</tt>", "<tt>int*</tt>",
362"<tt>int**</tt>"), the type just points to itself. For types that have a
363typedef somewhere in their structure (e.g. "<tt>foo</tt>", "<tt>foo*</tt>",
364"<tt>foo**</tt>", "<tt>bar</tt>"), the canonical type pointer points to their
365structurally equivalent type without any typedefs (e.g. "<tt>int</tt>",
366"<tt>int*</tt>", "<tt>int**</tt>", and "<tt>int*</tt>" respectively).</p>
Chris Lattner86920d32007-07-31 05:42:17 +0000367
Chris Lattner8a2bc622007-07-31 06:37:39 +0000368<p>This design provides a constant time operation (dereferencing the canonical
369type pointer) that gives us access to the structure of types. For example,
370we can trivially tell that "bar" and "foo*" are the same type by dereferencing
371their canonical type pointers and doing a pointer comparison (they both point
372to the single "<tt>int*</tt>" type).</p>
373
374<p>Canonical types and typedef types bring up some complexities that must be
375carefully managed. Specifically, the "isa/cast/dyncast" operators generally
376shouldn't be used in code that is inspecting the AST. For example, when type
377checking the indirection operator (unary '*' on a pointer), the type checker
378must verify that the operand has a pointer type. It would not be correct to
379check that with "<tt>isa&lt;PointerType&gt;(SubExpr-&gt;getType())</tt>",
380because this predicate would fail if the subexpression had a typedef type.</p>
381
382<p>The solution to this problem are a set of helper methods on Type, used to
383check their properties. In this case, it would be correct to use
384"<tt>SubExpr-&gt;getType()-&gt;isPointerType()</tt>" to do the check. This
385predicate will return true if the <em>canonical type is a pointer</em>, which is
386true any time the type is structurally a pointer type. The only hard part here
387is remembering not to use the <tt>isa/cast/dyncast</tt> operations.</p>
388
389<p>The second problem we face is how to get access to the pointer type once we
390know it exists. To continue the example, the result type of the indirection
391operator is the pointee type of the subexpression. In order to determine the
392type, we need to get the instance of PointerType that best captures the typedef
393information in the program. If the type of the expression is literally a
394PointerType, we can return that, otherwise we have to dig through the
395typedefs to find the pointer type. For example, if the subexpression had type
396"<tt>foo*</tt>", we could return that type as the result. If the subexpression
397had type "<tt>bar</tt>", we want to return "<tt>foo*</tt>" (note that we do
398<em>not</em> want "<tt>int*</tt>"). In order to provide all of this, Type has
Chris Lattner11406c12007-07-31 16:50:51 +0000399a getAsPointerType() method that checks whether the type is structurally a
Chris Lattner8a2bc622007-07-31 06:37:39 +0000400PointerType and, if so, returns the best one. If not, it returns a null
401pointer.</p>
402
403<p>This structure is somewhat mystical, but after meditating on it, it will
404make sense to you :).</p>
Chris Lattner86920d32007-07-31 05:42:17 +0000405
406<!-- ======================================================================= -->
407<h3 id="QualType">The QualType class</h3>
408<!-- ======================================================================= -->
409
410<p>The QualType class is designed as a trivial value class that is small,
411passed by-value and is efficient to query. The idea of QualType is that it
412stores the type qualifiers (const, volatile, restrict) separately from the types
413themselves: QualType is conceptually a pair of "Type*" and bits for the type
414qualifiers.</p>
415
416<p>By storing the type qualifiers as bits in the conceptual pair, it is
417extremely efficient to get the set of qualifiers on a QualType (just return the
418field of the pair), add a type qualifier (which is a trivial constant-time
419operation that sets a bit), and remove one or more type qualifiers (just return
420a QualType with the bitfield set to empty).</p>
421
422<p>Further, because the bits are stored outside of the type itself, we do not
423need to create duplicates of types with different sets of qualifiers (i.e. there
424is only a single heap allocated "int" type: "const int" and "volatile const int"
425both point to the same heap allocated "int" type). This reduces the heap size
426used to represent bits and also means we do not have to consider qualifiers when
427uniquing types (<a href="#Type">Type</a> does not even contain qualifiers).</p>
428
429<p>In practice, on hosts where it is safe, the 3 type qualifiers are stored in
430the low bit of the pointer to the Type object. This means that QualType is
431exactly the same size as a pointer, and this works fine on any system where
432malloc'd objects are at least 8 byte aligned.</p>
Ted Kremenek8bc05712007-10-10 23:01:43 +0000433
434<!-- ======================================================================= -->
435<h3 id="CFG">The <tt>CFG</tt> class</h3>
436<!-- ======================================================================= -->
437
438<p>The <tt>CFG</tt> class is designed to represent a source-level
439control-flow graph for a single statement (<tt>Stmt*</tt>). Typically
440instances of <tt>CFG</tt> are constructed for function bodies (usually
441an instance of <tt>CompoundStmt</tt>), but can also be instantiated to
442represent the control-flow of any class that subclasses <tt>Stmt</tt>,
443which includes simple expressions. Control-flow graphs are especially
444useful for performing
445<a href="http://en.wikipedia.org/wiki/Data_flow_analysis#Sensitivities">flow-
446or path-sensitive</a> program analyses on a given function.</p>
447
448<h4>Basic Blocks</h4>
449
450<p>Concretely, an instance of <tt>CFG</tt> is a collection of basic
451blocks. Each basic block is an instance of <tt>CFGBlock</tt>, which
452simply contains an ordered sequence of <tt>Stmt*</tt> (each referring
453to statements in the AST). The ordering of statements within a block
454indicates unconditional flow of control from one statement to the
455next. <a href="#ConditionalControlFlow">Conditional control-flow</a>
456is represented using edges between basic blocks. The statements
457within a given <tt>CFGBlock</tt> can be traversed using
458the <tt>CFGBlock::*iterator</tt> interface.</p>
459
460<p>
Ted Kremenek18e17e72007-10-18 22:50:52 +0000461A <tt>CFG</tt> object owns the instances of <tt>CFGBlock</tt> within
Ted Kremenek8bc05712007-10-10 23:01:43 +0000462the control-flow graph it represents. Each <tt>CFGBlock</tt> within a
463CFG is also uniquely numbered (accessible
464via <tt>CFGBlock::getBlockID()</tt>). Currently the number is
465based on the ordering the blocks were created, but no assumptions
466should be made on how <tt>CFGBlock</tt>s are numbered other than their
467numbers are unique and that they are numbered from 0..N-1 (where N is
468the number of basic blocks in the CFG).</p>
469
470<h4>Entry and Exit Blocks</h4>
471
472Each instance of <tt>CFG</tt> contains two special blocks:
473an <i>entry</i> block (accessible via <tt>CFG::getEntry()</tt>), which
474has no incoming edges, and an <i>exit</i> block (accessible
475via <tt>CFG::getExit()</tt>), which has no outgoing edges. Neither
476block contains any statements, and they serve the role of providing a
477clear entrance and exit for a body of code such as a function body.
478The presence of these empty blocks greatly simplifies the
479implementation of many analyses built on top of CFGs.
480
481<h4 id ="ConditionalControlFlow">Conditional Control-Flow</h4>
482
483<p>Conditional control-flow (such as those induced by if-statements
484and loops) is represented as edges between <tt>CFGBlock</tt>s.
485Because different C language constructs can induce control-flow,
486each <tt>CFGBlock</tt> also records an extra <tt>Stmt*</tt> that
487represents the <i>terminator</i> of the block. A terminator is simply
488the statement that caused the control-flow, and is used to identify
489the nature of the conditional control-flow between blocks. For
490example, in the case of an if-statement, the terminator refers to
491the <tt>IfStmt</tt> object in the AST that represented the given
492branch.</p>
493
494<p>To illustrate, consider the following code example:</p>
495
496<code>
497int foo(int x) {<br>
498&nbsp;&nbsp;x = x + 1;<br>
499<br>
500&nbsp;&nbsp;if (x > 2) x++;<br>
501&nbsp;&nbsp;else {<br>
502&nbsp;&nbsp;&nbsp;&nbsp;x += 2;<br>
503&nbsp;&nbsp;&nbsp;&nbsp;x *= 2;<br>
504&nbsp;&nbsp;}<br>
505<br>
506&nbsp;&nbsp;return x;<br>
507}
508</code>
509
510<p>After invoking the parser+semantic analyzer on this code fragment,
511the AST of the body of <tt>foo</tt> is referenced by a
512single <tt>Stmt*</tt>. We can then construct an instance
513of <tt>CFG</tt> representing the control-flow graph of this function
514body by single call to a static class method:</p>
515
516<code>
517&nbsp;&nbsp;Stmt* FooBody = ...<br>
518&nbsp;&nbsp;CFG* FooCFG = <b>CFG::buildCFG</b>(FooBody);
519</code>
520
521<p>It is the responsibility of the caller of <tt>CFG::buildCFG</tt>
522to <tt>delete</tt> the returned <tt>CFG*</tt> when the CFG is no
523longer needed.</p>
524
525<p>Along with providing an interface to iterate over
526its <tt>CFGBlock</tt>s, the <tt>CFG</tt> class also provides methods
527that are useful for debugging and visualizing CFGs. For example, the
528method
529<tt>CFG::dump()</tt> dumps a pretty-printed version of the CFG to
530standard error. This is especially useful when one is using a
531debugger such as gdb. For example, here is the output
532of <tt>FooCFG->dump()</tt>:</p>
533
534<code>
535&nbsp;[ B5 (ENTRY) ]<br>
536&nbsp;&nbsp;&nbsp;&nbsp;Predecessors (0):<br>
537&nbsp;&nbsp;&nbsp;&nbsp;Successors (1): B4<br>
538<br>
539&nbsp;[ B4 ]<br>
540&nbsp;&nbsp;&nbsp;&nbsp;1: x = x + 1<br>
541&nbsp;&nbsp;&nbsp;&nbsp;2: (x > 2)<br>
542&nbsp;&nbsp;&nbsp;&nbsp;<b>T: if [B4.2]</b><br>
543&nbsp;&nbsp;&nbsp;&nbsp;Predecessors (1): B5<br>
544&nbsp;&nbsp;&nbsp;&nbsp;Successors (2): B3 B2<br>
545<br>
546&nbsp;[ B3 ]<br>
547&nbsp;&nbsp;&nbsp;&nbsp;1: x++<br>
548&nbsp;&nbsp;&nbsp;&nbsp;Predecessors (1): B4<br>
549&nbsp;&nbsp;&nbsp;&nbsp;Successors (1): B1<br>
550<br>
551&nbsp;[ B2 ]<br>
552&nbsp;&nbsp;&nbsp;&nbsp;1: x += 2<br>
553&nbsp;&nbsp;&nbsp;&nbsp;2: x *= 2<br>
554&nbsp;&nbsp;&nbsp;&nbsp;Predecessors (1): B4<br>
555&nbsp;&nbsp;&nbsp;&nbsp;Successors (1): B1<br>
556<br>
557&nbsp;[ B1 ]<br>
558&nbsp;&nbsp;&nbsp;&nbsp;1: return x;<br>
559&nbsp;&nbsp;&nbsp;&nbsp;Predecessors (2): B2 B3<br>
560&nbsp;&nbsp;&nbsp;&nbsp;Successors (1): B0<br>
561<br>
562&nbsp;[ B0 (EXIT) ]<br>
563&nbsp;&nbsp;&nbsp;&nbsp;Predecessors (1): B1<br>
564&nbsp;&nbsp;&nbsp;&nbsp;Successors (0):
565</code>
566
567<p>For each block, the pretty-printed output displays for each block
568the number of <i>predecessor</i> blocks (blocks that have outgoing
569control-flow to the given block) and <i>successor</i> blocks (blocks
570that have control-flow that have incoming control-flow from the given
571block). We can also clearly see the special entry and exit blocks at
572the beginning and end of the pretty-printed output. For the entry
573block (block B5), the number of predecessor blocks is 0, while for the
574exit block (block B0) the number of successor blocks is 0.</p>
575
576<p>The most interesting block here is B4, whose outgoing control-flow
577represents the branching caused by the sole if-statement
578in <tt>foo</tt>. Of particular interest is the second statement in
579the block, <b><tt>(x > 2)</tt></b>, and the terminator, printed
580as <b><tt>if [B4.2]</tt></b>. The second statement represents the
581evaluation of the condition of the if-statement, which occurs before
582the actual branching of control-flow. Within the <tt>CFGBlock</tt>
583for B4, the <tt>Stmt*</tt> for the second statement refers to the
584actual expression in the AST for <b><tt>(x > 2)</tt></b>. Thus
585pointers to subclasses of <tt>Expr</tt> can appear in the list of
586statements in a block, and not just subclasses of <tt>Stmt</tt> that
587refer to proper C statements.</p>
588
589<p>The terminator of block B4 is a pointer to the <tt>IfStmt</tt>
590object in the AST. The pretty-printer outputs <b><tt>if
591[B4.2]</tt></b> because the condition expression of the if-statement
592has an actual place in the basic block, and thus the terminator is
593essentially
594<i>referring</i> to the expression that is the second statement of
595block B4 (i.e., B4.2). In this manner, conditions for control-flow
596(which also includes conditions for loops and switch statements) are
597hoisted into the actual basic block.</p>
598
Ted Kremenek98f19b62007-10-10 23:22:00 +0000599<!--
Ted Kremenek8bc05712007-10-10 23:01:43 +0000600<h4>Implicit Control-Flow</h4>
Ted Kremenek98f19b62007-10-10 23:22:00 +0000601-->
Ted Kremenek8bc05712007-10-10 23:01:43 +0000602
603<!--
604<p>A key design principle of the <tt>CFG</tt> class was to not require
605any transformations to the AST in order to represent control-flow.
606Thus the <tt>CFG</tt> does not perform any "lowering" of the
607statements in an AST: loops are not transformed into guarded gotos,
608short-circuit operations are not converted to a set of if-statements,
609and so on.</p>
610-->