Introduction to llvm

Introduction to LLVM
on Program Analysis
Tao He
elfinhe@gmail.com
Department of Computer Science, Sun Yat-Sen University
Department of Computer Science and Engineering, HKUST
Group Discussion
June 2012
HKUST, Hong Kong, China
1/34

Outline
 Objectives
 A quick scenario
 LLVM IR
 ‘opt’ command
 Installation of LLVM
2/34

Objectives -
What do we want to do?
3/34

Objectives
 To implement a symbolic execution engine.
 A expression-based engine [BH07]
different from
most existing implementations (path-based
engines).
 Program analysis on C programs.
 To generate static single assignment (SSA)
representation of C first.
4/34
[BH07] Domagoj Babić and Alan J. Hu. Structural Abstraction of Software Verification Conditions. In Proceedings
of the 19th international conference on Computer aided verification (CAV'07), Lecture Notes in Computer Science,
2007, Volume 4590/2007, 366-378

A Quick Scenario -
What can LLVM do?
5/34

!A Quick Scenario
6/34
 Given a C program:
 #include <stdio.h>
 int branch(int n){
 if (n>0) printf("Positiven");
 else if (n==0) printf("Zeron");
 else if (n<0) printf("Negativen");
 return 0;
 }
 int main() {
 branch(-4); branch(0); branch(6);
 return 0;
 }

!A Quick Scenario
7/34
 Generate immediate representation (IR) of
LLVM – the SSA representation in LLVM
 clang -O3 -emit-llvm hello.c -S -o hello.ll
 define i32 @main() nounwind uwtable {
 %1 = alloca i32, align 4
 store i32 0, i32* %1
 %2 = call i32 @branch(i32 -4)
 %3 = call i32 @branch(i32 0)
 %4 = call i32 @branch(i32 6)
 ret i32 0
 }
 ...
[SH] Reid Spencer and Gordon Henriksen. LLVM's Analysis and Transform Passes.
URL: http://llvm.org/docs/Passes.html.

!A Quick Scenario
8/34
 Print call graph
 opt method_para_int_branch.ll -S -dot-
callgraph 2>output_file >/dev/null
 dot -Tsvg in.dot -o out.svg

!A Quick Scenario
9/34
 Print control flow graph (CFG)
 opt method_para_int_branch.ll -S -dot-cfg
2>output_file >/dev/null

# A Quick Scenario
10/34
 More:
 Dead Global Elimination
 Interprocedural Constant Propagation
 Dead Argument Elimination
 Inlining
 Reassociation
 Loop Invariant Code Motion
 Loop Opts
 Memory Promotion
 Dead Store Elimination
 Aggressive Dead Code Elimination
[LA04] Chris Lattner and Vikram Adve. The LLVM Compiler Framework and Infrastructure Tutorial. Mini
Workshop on Compiler Research Infrastructures (LCPC'04), West Lafayette, Indiana, Sep. 2004.

What is the SSA representation in LLVM?
- LLVM IR
11/34

LLVM IR
12/34
 “A Static Single Assignment (SSA) based
representation that provides type safety, low-
level operations, flexibility, and the capability
of representing 'all' high-level languages
cleanly.”
[Lat] Chris Lattner. LLVM Language Reference Manual. URL: http://llvm.org/docs/LangRef.html

LLVM IR
13/34
 Three address code
 SSA-based
 Three different forms
 An in-memory compiler IR
 An on-disk bitcode representation (suitable for
fast loading by a Just-In-Time compiler)
 A human readable assembly language
representation

LLVM IR
14/34
 An example
 To multiply the integer variable '%X' by 8
 Syntax:
 <result> = mul <ty> <op1>, <op2>
 IR code:
 %result = mul i32 %X, 8
 More
 For floating point, use fmul

LLVM IR
15/34
 Another example
 Instruction jump – to change control flow
 Branches or loops
 Syntax:
 br i1 <cond>, label <iftrue>, label <iffalse>
 br label <dest> ; Unconditional branch

LLVM IR
16/34
 IR code:
 Test:
 %cond = icmp eq i32 %a, %b
 br i1 %cond, label %IfEqual, label %IfUnequal
 IfEqual:
 ret i32 1
 IfUnequal:

LLVM IR
17/34
 3rd
example
 Function call
 A simplified syntax:
 <result> = call <ty> <fnptrval>(<function args>)
 IR code:
 call i32 (i8*, ...)* @printf(i8* %msg, i32 12, i8 42)

LLVM IR
18/34
 4th
example
 Function definition
 A simplified syntax:
 define <ResultType> @<FunctionName> ([argument list]) { ... }
 IR code:
 define i32 @main() { … }
 define i32 @test(i32 %X, ...) { … }

LLVM IR
19/34
 The majority of instructions in C programs:
 Operations (binary/bitwise)
 Jumps
 Function calls
 Function definitions
 Many keywords in LLVM IR will not be
used for C programs. (e.g., invoke)

How to analyze programs
by using LLVM?
- ‘opt’ command
20/34

‘opt’ command
 Compiler is organized as a series of ‘passes’:
 Each pass is one analysis or transformation
21/34

!‘opt’ command
 An example
 -dot-callgraph
22/34

!‘opt’ command
23/34
An example
Print call graph: -dot-callgraph
 opt method_para_int_branch.ll -S -dot-
callgraph 2>output_file >/dev/null
 dot -Tsvg in.dot -o out.svg

How to write your own pass?
24/34

 Four types of pass:
 ModulePass: general interprocedural pass
 CallGraphSCCPass: bottom-up on the call graph
 FunctionPass: process a function at a time
 BasicBlockPass: process a basic block at a time
25/34

 Two important classes
 User: http://llvm.org/docs/doxygen/html/classllvm_1_1User.html
 This class defines the interface that one who uses a
Value must implement.
 Instructions
 Constants
 Operators
 Value: http://llvm.org/docs/doxygen/html/classllvm_1_1Value.html
 It is the base class of all values computed by a
program that may be used as operands to other
values.
 e.g., instruction and function.
26/34

 An example – print function names
27/34

 An example – print function names
 First generate bytecode:
 clang -emit-llvm hello.c -o hello.bc
 Then
28/34

 Another example – print def-use chain
29/34

How to install LLVM?
 To compile programs faster and use built-in
transformation and analysis
 Install both ‘llvm’ and ‘clang’ from package
management software
 E.g., Synaptic, yum, apt.
 To write your own pass
 Build from source code and add your own pass
 http://llvm.org/docs/GettingStarted.html#quickstart
 http://llvm.org/docs/WritingAnLLVMPass.html
31/34

LLVM IR
32/34
 The majority of instructions in C programs:
 Operation (binary/bitwise)
 Jump
 Function call
 Function definition

Thank you!
Contact me via elfinhe@gmail.com
34/34

Introduction to llvm

More Related Content

What's hot (20)

Similar to Introduction to llvm (20)

More from Tao He (18)

Recently uploaded (20)

Introduction to llvm