1% SPDX-FileCopyrightText: 2015-2024 Quentin Carbonneaux <quentin@c9x.me>2% SPDX-FileCopyrightText: 2025 Sören Tempel <soeren+git@soeren-tempel.net>3%4% SPDX-License-Identifier: MIT AND GPL-3.0-only56\documentclass{article}7%include polycode.fmt89%subst blankline = "\\[5mm]"1011% See https://github.com/kosmikus/lhs2tex/issues/5812%format <$> = "\mathbin{\langle\$\rangle}"13%format <&> = "\mathbin{\langle\&\rangle}"14%format <|> = "\mathbin{\langle\:\vline\:\rangle}"15%format <?> = "\mathbin{\langle?\rangle}"16%format <*> = "\mathbin{\langle*\rangle}"17%format <* = "\mathbin{\langle*}"18%format *> = "\mathbin{*\rangle}"1920\long\def\ignore#1{}2122\usepackage{hyperref}23\hypersetup{24 colorlinks = true,25}2627\begin{document}2829\title{QBE Intermediate Language\vspace{-2em}}30\date{}31\maketitle32\frenchspacing3334\ignore{35\begin{code}36module Language.QBE.Parser (dataDef, typeDef, funcDef) where3738import Data.Functor ((<&>))39import Data.List (singleton)40import Data.Map qualified as Map41import qualified Language.QBE.Types as Q42import Language.QBE.Util (bind, decNumber, float)43import Text.ParserCombinators.Parsec44 ( Parser,45 alphaNum,46 anyChar,47 between,48 char,49 choice,50 letter,51 many,52 many1,53 manyTill,54 newline,55 noneOf,56 oneOf,57 optionMaybe,58 sepBy,59 sepBy1,60 skipMany,61 skipMany1,62 string,63 try,64 (<?>),65 (<|>),66 )67\end{code}68}6970This an executable description of the71\href{https://c9x.me/compile/doc/il-v1.2.html}{QBE intermediate language},72specified through \href{https://hackage.haskell.org/package/parsec}{Parsec}73parser combinators and generated from a literate Haskell file. The description74is derived from the original QBE IL documentation, licensed under MIT.75Presently, this implementation targets version 1.2 of the QBE intermediate76language and aims to be equivalent with the original specification.7778\section{Basic Concepts}7980The intermediate language (IL) is a higher-level language than the81machine's assembly language. It smoothes most of the82irregularities of the underlying hardware and allows an infinite number83of temporaries to be used. This higher abstraction level lets frontend84programmers focus on language design issues.8586\subsection{Input Files}8788The intermediate language is provided to QBE as text. Usually, one file89is generated per each compilation unit from the frontend input language.90An IL file is a sequence of \nameref{sec:definitions} for91data, functions, and types. Once processed by QBE, the resulting file92can be assembled and linked using a standard toolchain (e.g., GNU93binutils).9495\begin{code}96comment :: Parser ()97comment = skipMany blankNL >> comment' >> skipMany blankNL98 where99 comment' = char '#' >> manyTill anyChar newline100\end{code}101102\ignore{103\begin{code}104skipNoCode :: Parser () -> Parser ()105skipNoCode blankP = try (skipMany1 comment <?> "comments") <|> blankP106\end{code}107}108109Here is a complete "Hello World" IL file which defines a function that110prints to the screen. Since the string is not a first class object (only111the pointer is) it is defined outside the function\textquotesingle s112body. Comments start with a \# character and finish with the end of the113line.114115\begin{verbatim}116data $str = { b "hello world", b 0 }117118export function w $main() {119@start120 # Call the puts function with $str as argument.121 %r =w call $puts(l $str)122 ret 0123}124\end{verbatim}125126If you have read the LLVM language reference, you might recognize the127example above. In comparison, QBE makes a much lighter use of types and128the syntax is terser.129130\subsection{Parser Combinators}131132\ignore{133\begin{code}134bracesNL :: Parser a -> Parser a135bracesNL = between (wsNL $ char '{') (wsNL $ char '}')136137quoted :: Parser a -> Parser a138quoted = let q = char '"' in between q q139140parenLst :: Parser a -> Parser [a]141parenLst p = between (ws $ char '(') (char ')') inner142 where143 inner = sepBy (ws p) (ws $ char ',')144145binaryInstr :: (Q.Value -> Q.Value -> Q.Instr) -> String -> Parser Q.Instr146binaryInstr conc keyword = do147 _ <- ws (string keyword)148 vfst <- ws val <* ws (char ',')149 conc vfst <$> ws val150151-- Can only appear in data and type definitions and hence allows newlines.152alignSpec :: Parser Q.AllocSize153alignSpec = (ws1 (string "align")) >> wsNL allocSize154\end{code}155}156157The original QBE specification defines the syntax using a BNF grammar. In158contrast, this document defines it using Parsec parser combinators. As such,159this specification is less formal but more accurate as the parsing code is160actually executable. Consequently, this specification also captures constructs161omitted in the original specification (e.g., \nameref{sec:identifiers},162\nameref{sec:statements}, or \nameref{sec:strlit}). Nonetheless, the formal163language recognized by these combinators aims to be equivalent to the one of164the BNF grammar.165166\subsection{Identifiers}167\label{sec:identifiers}168169% Ident is not documented in the original QBE specification.170% See https://c9x.me/git/qbe.git/tree/parse.c?h=v1.2#n304171172\begin{code}173ident :: Parser String174ident = do175 start <- letter <|> oneOf "._"176 rest <- many (alphaNum <|> oneOf "$._")177 return $ start : rest178\end{code}179180Identifiers for data, types, and functions can start with any ASCII letter or181the special characters \texttt{.} and \texttt{\_}. This initial character can182be followed by a sequence of zero or more alphanumeric characters and the183special characters \texttt{\$}, \texttt{.}, and \texttt{\_}.184185\subsection{Sigils}186187\begin{code}188userDef :: Parser Q.UserIdent189userDef = Q.UserIdent <$> (char ':' >> ident)190191global :: Parser Q.GlobalIdent192global = Q.GlobalIdent <$> (char '$' >> ident)193194local :: Parser Q.LocalIdent195local = Q.LocalIdent <$> (char '%' >> ident)196197label :: Parser Q.BlockIdent198label = Q.BlockIdent <$> (char '@' >> ident)199\end{code}200201The intermediate language makes heavy use of sigils, all user-defined202names are prefixed with a sigil. This is to avoid keyword conflicts, and203also to quickly spot the scope and nature of identifiers.204205\begin{itemize}206 \item \texttt{:} is for user-defined \nameref{sec:aggregate-types}207 \item \texttt{\$} is for globals (represented by a pointer)208 \item \texttt{\%} is for function-scope temporaries209 \item \texttt{@@} is for block labels210\end{itemize}211212\subsection{Spacing}213214\begin{code}215blank :: Parser Char216blank = oneOf "\t " <?> "blank"217218blankNL :: Parser Char219blankNL = oneOf "\n\t " <?> "blank or newline"220\end{code}221222Individual tokens in IL files must be separated by one or more spacing223characters. Both spaces and tabs are recognized as spacing characters.224In data and type definitions, newlines may also be used as spaces to225prevent overly long lines. When exactly one of two consecutive tokens is226a symbol (for example \texttt{,} or \texttt{=} or \texttt{\{}), spacing may be omitted.227228\ignore{229\begin{code}230ws :: Parser a -> Parser a231ws p = p <* skipMany blank232233ws1 :: Parser a -> Parser a234ws1 p = p <* skipMany1 blank235236wsNL :: Parser a -> Parser a237wsNL p = p <* skipNoCode (skipMany blankNL)238239wsNL1 :: Parser a -> Parser a240wsNL1 p = p <* skipNoCode (skipMany1 blankNL)241\end{code}242}243244\subsection{String Literals}245\label{sec:strlit}246247% The string literal is not documented in the original QBE specification.248% See https://c9x.me/git/qbe.git/tree/parse.c?h=v1.2#n287249250\begin{code}251strLit :: Parser String252strLit = concat <$> quoted (many strChr)253 where254 strChr :: Parser [Char]255 strChr = (singleton <$> noneOf "\"\\") <|> escSeq256257 escSeq :: Parser [Char]258 escSeq = try $ do259 esc <- char '\\'260 chr <- anyChar261 return $ [esc, chr]262\end{code}263264Strings are enclosed by double quotes and are, for example, used to specify a265section name as part of the \nameref{sec:linkage} information. Within a string,266a double quote can be escaped using a \texttt{\textbackslash} character. All267escape sequences, including double quote escaping, are passed through as-is to268the generated assembly file.269270\section{Types}271272\subsection{Simple Types}273274The IL makes minimal use of types. By design, the types used are275restricted to what is necessary for unambiguous compilation to machine276code and C interfacing. Unlike LLVM, QBE is not using types as a means277to safety; they are only here for semantic purposes.278279\begin{code}280baseType :: Parser Q.BaseType281baseType = choice282 [ bind "w" Q.Word283 , bind "l" Q.Long284 , bind "s" Q.Single285 , bind "d" Q.Double ]286\end{code}287288The four base types are \texttt{w} (word), \texttt{l} (long), \texttt{s} (single), and \texttt{d}289(double), they stand respectively for 32-bit and 64-bit integers, and29032-bit and 64-bit floating-point numbers. There are no pointer types291available; pointers are typed by an integer type sufficiently wide to292represent all memory addresses (e.g., \texttt{l} on 64-bit architectures).293Temporaries in the IL can only have a base type.294295\begin{code}296extType :: Parser Q.ExtType297extType = (Q.Base <$> baseType)298 <|> bind "b" Q.Byte299 <|> bind "h" Q.HalfWord300\end{code}301302Extended types contain base types plus \texttt{b} (byte) and \texttt{h} (half word),303respectively for 8-bit and 16-bit integers. They are used in \nameref{sec:aggregate-types}304and \nameref{sec:data} definitions.305306For C interfacing, the IL also provides user-defined aggregate types as307well as signed and unsigned variants of the sub-word extended types.308Read more about these types in the \nameref{sec:aggregate-types}309and \nameref{sec:functions} sections.310311\subsection{Subtyping}312313The IL has a minimal subtyping feature, for integer types only. Any314value of type \texttt{l} can be used in a \texttt{w} context. In that case, only the31532 least significant bits of the word value are used.316317Make note that it is the opposite of the usual subtyping on integers (in318C, we can safely use an \texttt{int} where a \texttt{long} is expected). A long value319cannot be used in word context. The rationale is that a word can be320signed or unsigned, so extending it to a long could be done in two ways,321either by zero-extension, or by sign-extension.322323\subsection{Constants and Vals}324\label{sec:constants-and-vals}325326\begin{code}327dynConst :: Parser Q.DynConst328dynConst =329 (Q.Const <$> constant)330 <|> (Q.Thread <$> global)331 <?> "dynconst"332\end{code}333334Constants come in two kinds: compile-time constants and dynamic335constants. Dynamic constants include compile-time constants and other336symbol variants that are only known at program-load time or execution337time. Consequently, dynamic constants can only occur in function bodies.338339The representation of integers is two's complement.340Floating-point numbers are represented using the single-precision and341double-precision formats of the IEEE 754 standard.342343\begin{code}344constant :: Parser Q.Const345constant =346 (Q.Number <$> decNumber)347 <|> (Q.SFP <$> sfp)348 <|> (Q.DFP <$> dfp)349 <|> (Q.Global <$> global)350 <?> "const"351 where352 sfp = string "s_" >> float353 dfp = string "d_" >> float354\end{code}355356Constants specify a sequence of bits and are untyped. They are always357parsed as 64-bit blobs. Depending on the context surrounding a constant,358only some of its bits are used. For example, in the program below, the359two variables defined have the same value since the first operand of the360subtraction is a word (32-bit) context.361362\begin{verbatim}363%x =w sub -1, 0 %y =w sub 4294967295, 0364\end{verbatim}365366Because specifying floating-point constants by their bits makes the code367less readable, syntactic sugar is provided to express them. Standard368scientific notation is prefixed with \texttt{s\_} and \texttt{d\_} for single and369double precision numbers respectively. Once again, the following example370defines twice the same double-precision constant.371372\begin{verbatim}373%x =d add d_0, d_-1374%y =d add d_0, -4616189618054758400375\end{verbatim}376377Global symbols can also be used directly as constants; they will be378resolved and turned into actual numeric constants by the linker.379380When the \texttt{thread} keyword prefixes a symbol name, the381symbol\textquotesingle s numeric value is resolved at runtime in the382thread-local storage.383384\begin{code}385val :: Parser Q.Value386val =387 (Q.VConst <$> dynConst)388 <|> (Q.VLocal <$> local)389 <?> "val"390\end{code}391392Vals are used as arguments in regular, phi, and jump instructions within393function definitions. They are either constants or function-scope394temporaries.395396\subsection{Linkage}397\label{sec:linkage}398399\begin{code}400linkage :: Parser Q.Linkage401linkage =402 wsNL (bind "export" Q.LExport)403 <|> wsNL (bind "thread" Q.LThread)404 <|> do405 _ <- ws1 $ string "section"406 (try secWithFlags) <|> sec407 where408 sec :: Parser Q.Linkage409 sec = wsNL strLit <&> (`Q.LSection` Nothing)410411 secWithFlags :: Parser Q.Linkage412 secWithFlags = do413 n <- ws1 strLit414 wsNL strLit <&> Q.LSection n . Just415\end{code}416417Function and data definitions (see below) can specify linkage418information to be passed to the assembler and eventually to the linker.419420The \texttt{export} linkage flag marks the defined item as visible outside the421current file\textquotesingle s scope. If absent, the symbol can only be422referred to locally. Functions compiled by QBE and called from C need to423be exported.424425The \texttt{thread} linkage flag can only qualify data definitions. It mandates426that the object defined is stored in thread-local storage. Each time a427runtime thread starts, the supporting platform runtime is in charge of428making a new copy of the object for the fresh thread. Objects in429thread-local storage must be accessed using the \texttt{thread \$IDENT} syntax,430as specified in the \nameref{sec:constants-and-vals} section.431432A \texttt{section} flag can be specified to tell the linker to put the defined433item in a certain section. The use of the section flag is platform434dependent and we refer the user to the documentation of their assembler435and linker for relevant information.436437\begin{verbatim}438section ".init_array" data $.init.f = { l $f }439\end{verbatim}440441The section flag can be used to add function pointers to a global442initialization list, as depicted above. Note that some platforms provide443a BSS section that can be used to minimize the footprint of uniformly444zeroed data. When this section is available, QBE will automatically make445use of it and no section flag is required.446447The section and export linkage flags should each appear at most once in448a definition. If multiple occurrences are present, QBE is free to use449any.450451\subsection{Definitions}452\label{sec:definitions}453454Definitions are the essential components of an IL file. They can define455three types of objects: aggregate types, data, and functions. Aggregate456types are never exported and do not compile to any code. Data and457function definitions have file scope and are mutually recursive (even458across IL files). Their visibility can be controlled using linkage459flags.460461\subsubsection{Aggregate Types}462\label{sec:aggregate-types}463464\begin{code}465typeDef :: Parser Q.TypeDef466typeDef = do467 _ <- wsNL1 (string "type")468 i <- wsNL1 userDef469 _ <- wsNL1 (char '=')470 a <- optionMaybe alignSpec471 bracesNL (opaqueType <|> unionType <|> regularType) <&> Q.TypeDef i a472\end{code}473474Aggregate type definitions start with the \texttt{type} keyword. They have file475scope, but types must be defined before being referenced. The inner476structure of a type is expressed by a comma-separated list of fields.477478\begin{code}479subType :: Parser Q.SubType480subType =481 (Q.SExtType <$> extType)482 <|> (Q.SUserDef <$> userDef)483484field :: Parser Q.Field485field = do486 -- TODO: newline is required if there is a number argument487 f <- wsNL subType488 s <- ws $ optionMaybe decNumber489 pure (f, s)490491-- TODO: "For ease of IL generation, a trailing comma is tolerated by the parser".492fields :: Bool -> Parser [Q.Field]493fields allowEmpty =494 (if allowEmpty then sepBy else sepBy1) field (wsNL $ char ',')495\end{code}496497A field consists of a subtype, either an extended type or a user-defined type,498and an optional number expressing the value of this field. In case many items499of the same type are sequenced (like in a C array), the shorter array syntax500can be used.501502\begin{code}503regularType :: Parser Q.AggType504regularType = Q.ARegular <$> fields True505\end{code}506507Three different kinds of aggregate types are presentl ysupported: regular508types, union types and opaque types. The fields of regular types will be509packed. By default, the alignment of an aggregate type is the maximum alignment510of its members. The alignment can be explicitly specified by the programmer.511512\begin{code}513unionType :: Parser Q.AggType514unionType = Q.AUnion <$> many1 (wsNL unionType')515 where516 unionType' :: Parser [Q.Field]517 unionType' = bracesNL $ fields False518\end{code}519520Union types allow the same chunk of memory to be used with different layouts. They are defined by enclosing multiple regular aggregate type bodies in a pair of curly braces. Size and alignment of union types are set to the maximum size and alignment of each variation or, in the case of alignment, can be explicitly specified.521522\begin{code}523opaqueType :: Parser Q.AggType524opaqueType = Q.AOpaque <$> wsNL decNumber525\end{code}526527Opaque types are used when the inner structure of an aggregate cannot be specified; the alignment for opaque types is mandatory. They are defined simply by enclosing their size between curly braces.528529\subsubsection{Data}530\label{sec:data}531532\begin{code}533dataDef :: Parser Q.DataDef534dataDef = do535 link <- many linkage536 name <- wsNL1 (string "data") >> wsNL global537 _ <- wsNL (char '=')538 alignment <- optionMaybe alignSpec539 bracesNL dataObjs <&> Q.DataDef link name alignment540 where541 dataObjs = sepBy dataObj (wsNL $ char ',')542\end{code}543544Data definitions express objects that will be emitted in the compiled545file. Their visibility and location in the compiled artifact are546controlled with linkage flags described in the \nameref{sec:linkage}547section.548549They define a global identifier (starting with the sigil \texttt{\$}), that550will contain a pointer to the object specified by the definition.551552\begin{code}553dataObj :: Parser Q.DataObj554dataObj =555 (Q.OZeroFill <$> (wsNL1 (char 'z') >> wsNL decNumber))556 <|> do557 t <- wsNL1 extType558 i <- many1 (wsNL dataItem)559 return $ Q.OItem t i560\end{code}561562Objects are described by a sequence of fields that start with a type563letter. This letter can either be an extended type, or the \texttt{z} letter.564If the letter used is an extended type, the data item following565specifies the bits to be stored in the field.566567\begin{code}568dataItem :: Parser Q.DataItem569dataItem =570 (Q.DString <$> strLit)571 <|> (Q.DConst <$> constant)572 <|> do573 i <- global574 off <- optionMaybe (char '+' >> decNumber)575 return $ Q.DSymbol i off576\end{code}577578Within each object, several items can be defined. When several data items579follow a letter, they initialize multiple fields of the same size.580581\begin{code}582allocSize :: Parser Q.AllocSize583allocSize =584 choice585 [ bind "4" Q.AlignWord,586 bind "8" Q.AlignLong,587 bind "16" Q.AlignLongLong588 ]589\end{code}590591The members of a struct will be packed. This means that padding has to592be emitted by the frontend when necessary. Alignment of the whole data593objects can be manually specified, and when no alignment is provided,594the maximum alignment from the platform is used.595596When the \texttt{z} letter is used the number following indicates the size of597the field; the contents of the field are zero initialized. It can be598used to add padding between fields or zero-initialize big arrays.599600\subsubsection{Functions}601\label{sec:functions}602603\begin{code}604funcDef :: Parser Q.FuncDef605funcDef = do606 link <- many linkage607 _ <- ws1 (string "function")608 retTy <- optionMaybe (ws1 abity)609 name <- ws global610 args <- wsNL params611 body <- between (wsNL1 $ char '{') (wsNL $ char '}') $ many1 block612613 case (Q.insertJumps body) of614 Nothing -> fail $ "invalid fallthrough in " ++ show name615 Just bl -> return $ Q.FuncDef link name retTy args bl616\end{code}617618Function definitions contain the actual code to emit in the compiled619file. They define a global symbol that contains a pointer to the620function code. This pointer can be used in \texttt{call} instructions or stored621in memory.622623\begin{code}624subWordType :: Parser Q.SubWordType625subWordType = choice626 [ try $ bind "sb" Q.SignedByte627 , try $ bind "ub" Q.UnsignedByte628 , bind "sh" Q.SignedHalf629 , bind "uh" Q.UnsignedHalf ]630631abity :: Parser Q.Abity632abity = try (Q.ASubWordType <$> subWordType)633 <|> (Q.ABase <$> baseType)634 <|> (Q.AUserDef <$> userDef)635\end{code}636637The type given right before the function name is the return type of the638function. All return values of this function must have this return type.639If the return type is missing, the function must not return any value.640641\begin{code}642param :: Parser Q.FuncParam643param = (Q.Env <$> (ws1 (string "env") >> local))644 <|> (string "..." >> pure Q.Variadic)645 <|> do646 ty <- ws1 abity647 Q.Regular ty <$> local648649params :: Parser [Q.FuncParam]650params = parenLst param651\end{code}652653The parameter list is a comma separated list of temporary names prefixed654by types. The types are used to correctly implement C compatibility.655When an argument has an aggregate type, a pointer to the aggregate is656passed by thea caller. In the example below, we have to use a load657instruction to get the value of the first (and only) member of the658struct.659660\begin{verbatim}661type :one = { w }662663function w $getone(:one %p) {664@start665 %val =w loadw %p666 ret %val667}668\end{verbatim}669670If a function accepts or returns values that are smaller than a word,671such as \texttt{signed char} or \texttt{unsigned short} in C, one of the sub-word type672must be used. The sub-word types \texttt{sb}, \texttt{ub}, \texttt{sh}, and \texttt{uh} stand,673respectively, for signed and unsigned 8-bit values, and signed and674unsigned 16-bit values. Parameters associated with a sub-word type of675bit width N only have their N least significant bits set and have base676type \texttt{w}. For example, the function677678\begin{verbatim}679function w $addbyte(w %a, sb %b) {680@start681 %bw =w extsb %b682 %val =w add %a, %bw683 ret %val684}685\end{verbatim}686687needs to sign-extend its second argument before the addition. Dually,688return values with sub-word types do not need to be sign or zero689extended.690691If the parameter list ends with \texttt{...}, the function is a variadic692function: it can accept a variable number of arguments. To access the693extra arguments provided by the caller, use the \texttt{vastart} and \texttt{vaarg}694instructions described in the \nameref{sec:variadic} section.695696Optionally, the parameter list can start with an environment parameter697\texttt{env \%e}. This special parameter is a 64-bit integer temporary (i.e.,698of type \texttt{l}). If the function does not use its environment parameter,699callers can safely omit it. This parameter is invisible to a C caller:700for example, the function701702\begin{verbatim}703export function w $add(env %e, w %a, w %b) {704@start705 %c =w add %a, %b706 ret %c707}708\end{verbatim}709710must be given the C prototype \texttt{int add(int, int)}. The intended use of711this feature is to pass the environment pointer of closures while712retaining a very good compatibility with C. The \nameref{sec:call}713section explains how to pass an environment parameter.714715Since global symbols are defined mutually recursive, there is no need716for function declarations: a function can be referenced before its717definition. Similarly, functions from other modules can be used without718previous declaration. All the type information necessary to compile a719call is in the instruction itself.720721The syntax and semantics for the body of functions are described in the722\nameref{sec:control} section.723724\section{Control}725\label{sec:control}726727The IL represents programs as textual transcriptions of control flow728graphs. The control flow is serialized as a sequence of blocks of729straight-line code which are connected using jump instructions.730731\subsection{Blocks}732\label{sec:blocks}733734\begin{code}735block :: Parser Q.Block'736block = do737 l <- wsNL1 label738 p <- many (wsNL1 $ try phiInstr)739 s <- many (wsNL1 statement)740 Q.Block' l p s <$> (optionMaybe $ wsNL1 jumpInstr)741\end{code}742743All blocks have a name that is specified by a label at their beginning.744Then follows a sequence of instructions that have "fall-through" flow.745Finally one jump terminates the block. The jump can either transfer746control to another block of the same function or return; jumps are747described further below.748749The first block in a function must not be the target of any jump in the750program. If a jump to the function start is needed, the frontend must751insert an empty prelude block at the beginning of the function.752753When one block jumps to the next block in the IL file, it is not754necessary to write the jump instruction, it will be automatically added755by the parser. For example the start block in the example below jumps756directly to the loop block.757758\subsection{Jumps}759760\begin{code}761jumpInstr :: Parser Q.JumpInstr762jumpInstr = (string "hlt" >> pure Q.Halt)763 -- TODO: Return requires a space if there is an optionMaybe764 <|> Q.Return <$> ((ws $ string "ret") >> optionMaybe val)765 <|> try (Q.Jump <$> ((ws1 $ string "jmp") >> label))766 <|> do767 _ <- ws1 $ string "jnz"768 v <- ws val <* ws (char ',')769 l1 <- ws label <* ws (char ',')770 l2 <- ws label771 return $ Q.Jnz v l1 l2772\end{code}773774A jump instruction ends every block and transfers the control to another775program location. The target of a jump must never be the first block in776a function. The three kinds of jumps available are described in the777following list.778779\begin{enumerate}780 \item \textbf{Unconditional jump.} Jumps to another block of the same function.781 \item \textbf{Conditional jump.} When its word argument is non-zero, it jumps to its first label argument; otherwise it jumps to the other label. The argument must be of word type; because of subtyping a long argument can be passed, but only its least significant 32 bits will be compared to 0.782 \item \textbf{Function return.} Terminates the execution of the current function, optionally returning a value to the caller. The value returned must be of the type given in the function prototype. If the function prototype does not specify a return type, no return value can be used.783 \item \textbf{Program termination.} Terminates the execution of the program with a target-dependent error. This instruction can be used when it is expected that the execution never reaches the end of the block it closes; for example, after having called a function such as \texttt{exit()}.784\end{enumerate}785786\section{Instructions}787\label{sec:instructions}788789\begin{code}790instr :: Parser Q.Instr791instr =792 choice793 [ try $ binaryInstr Q.Add "add",794 try $ binaryInstr Q.Sub "sub",795 try $ binaryInstr Q.Mul "mul",796 try $ binaryInstr Q.URem "urem",797 try $ binaryInstr Q.Rem "rem",798 try $ binaryInstr Q.UDiv "udiv",799 try $ binaryInstr Q.Or "or",800 try $ binaryInstr Q.Xor "xor",801 try $ binaryInstr Q.And "and",802 try $ loadInstr,803 try $ allocInstr,804 try $ compareInstr,805 try $ extInstr806 ]807\end{code}808809Instructions are the smallest piece of code in the IL, they form the body of810\nameref{sec:blocks}. This specification distinguishes instructions and811volatile instructions, the latter do not return a value. For the former, the IL812uses a three-address code, which means that one instruction computes an813operation between two operands and assigns the result to a third one.814815\begin{code}816assign :: Parser Q.Statement817assign = do818 n <- ws local819 t <- ws (char '=') >> ws1 baseType820 Q.Assign n t <$> instr821822volatileInstr :: Parser Q.Statement823volatileInstr = Q.Volatile <$> (storeInstr <|> blitInstr)824825-- TODO: Not documented in the QBE BNF.826statement :: Parser Q.Statement827statement = (try callInstr) <|> assign <|> volatileInstr828\end{code}829830An instruction has both a name and a return type, this return type is a base831type that defines the size of the instruction's result. The type of the832arguments can be unambiguously inferred using the instruction name and the833return type. For example, for all arithmetic instructions, the type of the834arguments is the same as the return type. The two additions below are valid if835\texttt{\%y} is a word or a long (because of \nameref{sec:subtyping}).836837\begin{verbatim}838%x =w add 0, %y839%z =w add %x, %x840\end{verbatim}841842Some instructions, like comparisons and memory loads have operand types843that differ from their return types. For instance, two floating points844can be compared to give a word result (0 if the comparison succeeds, 1845if it fails).846847\begin{verbatim}848%c =w cgts %a, %b849\end{verbatim}850851In the example above, both operands have to have single type. This is852made explicit by the instruction suffix.853854\subsection{Arithmetic and Bits}855856To-Do.857858\subsection{Memory}859\label{sec:memory}860861To-Do.862863\subsubsection{Store instructions}864865\begin{code}866storeInstr :: Parser Q.VolatileInstr867storeInstr = do868 t <- string "store" >> ws1 extType869 v <- ws val870 _ <- ws $ char ','871 ws val <&> Q.Store t v872\end{code}873874Store instructions exist to store a value of any base type and any extended875type. Since halfwords and bytes are not first class in the IL, \texttt{storeh}876and \texttt{storeb} take a word as argument. Only the first 16 or 8 bits of877this word will be stored in memory at the address specified in the second878argument.879880\subsubsection{Load instructions}881882\begin{code}883loadInstr :: Parser Q.Instr884loadInstr = do885 _ <- string "load"886 t <- ws1 $ choice887 [ try $ bind "sw" (Q.LBase Q.Word),888 try $ bind "uw" (Q.LBase Q.Word),889 try $ Q.LSubWord <$> subWordType,890 Q.LBase <$> baseType891 ]892 ws val <&> Q.Load t893\end{code}894895For types smaller than long, two variants of the load instruction are896available: one will sign extend the loaded value, while the other will zero897extend it. Note that all loads smaller than long can load to either a long or a898word.899900The two instructions \texttt{loadsw} and \texttt{loaduw} have the same effect901when they are used to define a word temporary. A \texttt{loadw} instruction is902provided as syntactic sugar for \texttt{loadsw} to make explicit that the903extension mechanism used is irrelevant.904905\subsubsection{Blits}906907\begin{code}908blitInstr :: Parser Q.VolatileInstr909blitInstr = do910 v1 <- (ws1 $ string "blit") >> ws val <* (ws $ char ',')911 v2 <- ws val <* (ws $ char ',')912 nb <- decNumber913 return $ Q.Blit v1 v2 nb914\end{code}915916The blit instruction copies in-memory data from its first address argument to917its second address argument. The third argument is the number of bytes to copy.918The source and destination spans are required to be either non-overlapping, or919fully overlapping (source address identical to the destination address). The920byte count argument must be a nonnegative numeric constant; it cannot be a921temporary.922923One blit instruction may generate a number of instructions proportional to its924byte count argument, consequently, it is recommended to keep this argument925relatively small. If large copies are necessary, it is preferable that926frontends generate calls to a supporting \texttt{memcpy} function.927928\subsubsection{Stack Allocation}929930\begin{code}931allocInstr :: Parser Q.Instr932allocInstr = do933 siz <- (ws $ string "alloc") >> (ws1 allocSize)934 val <&> Q.Alloc siz935\end{code}936937These instructions allocate a chunk of memory on the stack. The number ending938the instruction name is the alignment required for the allocated slot. QBE will939make sure that the returned address is a multiple of that alignment value.940941Stack allocation instructions are used, for example, when compiling the C local942variables, because their address can be taken. When compiling Fortran,943temporaries can be used directly instead, because it is illegal to take the944address of a variable.945946\subsection{Comparisons}947948Comparison instructions return an integer value (either a word or a long), and949compare values of arbitrary types. The returned value is 1 if the two operands950satisfy the comparison relation, or 0 otherwise. The names of comparisons951respect a standard naming scheme in three parts.952953\begin{code}954compareInstr :: Parser Q.Instr955compareInstr = do956 _ <- char 'c'957 op <- compareOp958 ty <- ws1 baseType959 lhs <- ws val <* ws (char ',')960 rhs <- ws val961 pure $ Q.Compare ty op lhs rhs962\end{code}963964\begin{code}965compareOp :: Parser Q.CmpOp966compareOp = choice967 [ bind "eq" Q.CEq968 , bind "ne" Q.CNe969 , try $ bind "sle" Q.CSle970 , try $ bind "slt" Q.CSlt971 , try $ bind "sge" Q.CSge972 , try $ bind "sgt" Q.CSgt973 , try $ bind "ule" Q.CUle974 , try $ bind "ult" Q.CUlt975 , try $ bind "uge" Q.CUge976 , try $ bind "ugt" Q.CUgt ]977\end{code}978979For example, \texttt{cod} (\texttt{I(dd,dd)}) compares two double-precision floating point numbers and returns 1 if the two floating points are not NaNs, or 0 otherwise. The \texttt{csltw} (\texttt{I(ww,ww)}) instruction compares two words representing signed numbers and returns 1 when the first argument is smaller than the second one.980981\subsection{Conversions}982983\begin{code}984subLongType :: Parser Q.SubLongType985subLongType = try (Q.SLSubWord <$> subWordType)986 <|> bind "sw" Q.SLSignedWord987 <|> bind "uw" Q.SLUnsignedWord988989extInstr :: Parser Q.Instr990extInstr = do991 _ <- string "ext"992 ty <- ws1 subLongType993 ws val <&> Q.Ext ty994\end{code}995996Conversion operations change the representation of a value, possibly modifying997it if the target type cannot hold the value of the source type. Conversions can998extend the precision of a temporary (e.g., from signed 8-bit to 32-bit), or999convert a floating point into an integer and vice versa.10001001\subsection{Cast and Copy}10021003To-Do.10041005\subsection{Call}1006\label{sec:call}10071008\begin{code}1009-- TODO: Code duplication with 'param'.1010callArg :: Parser Q.FuncArg1011callArg = (Q.ArgEnv <$> (ws1 (string "env") >> val))1012 <|> (string "..." >> pure Q.ArgVar)1013 <|> do1014 ty <- ws1 abity1015 Q.ArgReg ty <$> val10161017callArgs :: Parser [Q.FuncArg]1018callArgs = parenLst callArg10191020callInstr :: Parser Q.Statement1021callInstr = do1022 retValue <- optionMaybe $ do1023 i <- ws local <* ws (char '=')1024 a <- ws1 abity1025 return (i, a)1026 toCall <- ws1 (string "call") >> ws val1027 fnArgs <- callArgs1028 return $ Q.Call retValue toCall fnArgs1029\end{code}10301031The call instruction is special in several ways. It is not a three-address1032instruction and requires the type of all its arguments to be given. Also, the1033return type can be either a base type or an aggregate type. These specifics are1034required to compile calls with C compatibility (i.e., to respect the ABI).10351036When an aggregate type is used as argument type or return type, the value1037respectively passed or returned needs to be a pointer to a memory location1038holding the value. This is because aggregate types are not first-class1039citizens of the IL.10401041Sub-word types are used for arguments and return values of width less than a1042word. Details on these types are presented in the <@ Functions > section.1043Arguments with sub-word types need not be sign or zero extended according to1044their type. Calls with a sub-word return type define a temporary of base type1045\texttt{w} with its most significant bits unspecified.10461047Unless the called function does not return a value, a return temporary must be1048specified, even if it is never used afterwards.10491050An environment parameter can be passed as first argument using the \texttt{env}1051keyword. The passed value must be a 64-bit integer. If the called function does1052not expect an environment parameter, it will be safely discarded. See the1053\nameref{sec:functions} section for more information about environment1054parameters.10551056When the called function is variadic, there must be a \texttt{...} marker1057separating the named and variadic arguments.10581059\subsection{Variadic}1060\label{sec:variadic}10611062To-Do.10631064\subsection{Phi}10651066\begin{code}1067phiBranch :: Parser (Q.BlockIdent, Q.Value)1068phiBranch = do1069 n <- ws1 label1070 v <- val1071 pure (n, v)10721073phiInstr :: Parser Q.Phi1074phiInstr = do1075 -- TODO: code duplication with 'assign'1076 n <- ws local1077 t <- ws (char '=') >> ws1 baseType10781079 _ <- ws1 (string "phi")1080 -- TODO: combinator for sepBy1081 p <- Map.fromList <$> sepBy1 (ws phiBranch) (ws $ char ',')1082 return $ Q.Phi n t p1083\end{code}10841085First and foremost, phi instructions are NOT necessary when writing a frontend1086to QBE. One solution to avoid having to deal with SSA form is to use stack1087allocated variables for all source program variables and perform assignments1088and lookups using \nameref{sec:memory} operations. This is what LLVM users1089typically do.10901091Another solution is to simply emit code that is not in SSA form! Contrary to1092LLVM, QBE is able to fixup programs not in SSA form without requiring the1093boilerplate of loading and storing in memory. For example, the following1094program will be correctly compiled by QBE.10951096\begin{verbatim}1097@start1098 %x =w copy 1001099 %s =w copy 01100@loop1101 %s =w add %s, %x1102 %x =w sub %x, 11103 jnz %x, @loop, @end1104@end1105 ret %s1106\end{verbatim}11071108Now, if you want to know what phi instructions are and how to use them in QBE,1109you can read the following.11101111Phi instructions are specific to SSA form. In SSA form values can only be1112assigned once, without phi instructions, this requirement is too strong to1113represent many programs. For example consider the following C program.11141115\begin{verbatim}1116int f(int x) {1117 int y;1118 if (x)1119 y = 1;1120 else1121 y = 2;1122 return y;1123}1124\end{verbatim}11251126The variable \texttt{y} is assigned twice, the solution to translate it in SSA1127form is to insert a phi instruction.11281129\begin{verbatim}1130@ifstmt1131 jnz %x, @ift, @iff1132@ift1133 jmp @retstmt1134@iff1135 jmp @retstmt1136@retstmt1137 %y =w phi @ift 1, @iff 21138 ret %y1139\end{verbatim}11401141Phi instructions return one of their arguments depending on where the control1142came from. In the example, \texttt{%y} is set to 1 if the \texttt{@ift} branch1143is taken, or it is set to 2 otherwise.11441145An important remark about phi instructions is that QBE assumes that if a1146variable is defined by a phi it respects all the SSA invariants. So it is1147critical to not use phi instructions unless you know exactly what you are1148doing.1149\end{document}