1

A basic block is defined as a sequence of (non-jump) instructions ending with a jump (direct or indirect) instruction. The jump target address should be the start of another basic block. Consider I have the following assembly code :

106ac:       ba00000f        blt     106f0 <main+0xb8>
106b0:       e3099410        movw    r9, #37904      ; 0x9410
106b4:       e3409001        movt    r9, #1
106b8:       e79f9009        ldr     r9, [pc, r9]
106bc:       e3a06000        mov     r6, #0
106c0:       e1a0a008        mov     sl, r8
106c4:       e30993fc        movw    r9, #37884      ; 0x93fc
106c8:       e3409001        movt    r9, #1
106cc:       e79f9009        ldr     r9, [pc, r9]
106d0:       e5894000        str     r4, [r9]
106d4:       e7941105        ldr     r1, [r4, r5, lsl #2]
106d8:       e1a00007        mov     r0, r7
106dc:       e12fff31        blx     r1
106e0:       e0806006        add     r6, r0, r6
106e4:       e25aa001        subs    sl, sl, #1
106e8:       e287700d        add     r7, r7, #13
106ec:       1afffff4        bne     106c4 <main+0x8c>
106f0:       e30993d0        movw    r9, #37840      ; 0x93d0
106f4:       e3409001        movt    r9, #1

bb1

106a4:       ...
106ac:       ba00000f        blt     106f0 <main+0xb8>

The first basic block bb1 has a target address which is the start of bb4.

bb2

106b0:       e3099410        movw    r9, #37904      ; 0x9410
....        All other instructions
106c4:       e30993fc        movw    r9, #37884      ; 0x93fc
....        All other instructions
106d8:       e1a00007        mov     r0, r7
106dc:       e12fff31        blx     r1

The second basic block bb2 has an indirect branch so the target address is known only at runtime.

bb3

106e0:       e0806006        add     r6, r0, r6
106e4:       e25aa001        subs    sl, sl, #1
106e8:       e287700d        add     r7, r7, #13
106ec:       1afffff4        bne     106c4 <main+0x8c>

The third basic block has a target address which is not the start of another basic block but it is in the middle of bb2. According to the definition of a basic block, it is not possible. But, in practice, I am seeing this behavior (jumps in the middle of basic blocks) in multiple places. How to explain this behavior ? Is it possible to force a compiler (LLVM) to generate code that does not jump anywhere else except at the beginning of a basic block ?

bb4

106f0:       e30993d0        movw    r9, #37840      ; 0x93d0
106f4:       e3409001        movt    r9, #1
....
Ends with a branch (direct or indirect)

I am generating basic blocks using a tool (SPEDI) and the compiler used is LLVM (CLANG front end) and the targeted architecture is ARM V7 Cortex-A9.

abpar
  • 61
  • 9

2 Answers2

3

Basic blocks are the nodes in the control flow graph, which means that once control enters the block, it can't do anything else apart from running through the whole block and exiting it. It doesn't mean that they have to start or end with a jump instruction. For better understanding refer to this excerpt from Wikipedia:

Because of its construction procedure, in a CFG, every edge A→B has the property that:

outdegree(A) > 1 or indegree(B) > 1 (or both).

The CFG can thus be obtained, at least conceptually, by starting from the program's (full) flow graph—i.e. the graph in which every node represents an individual instruction—and performing an edge contraction for every edge that falsifies the predicate above, i.e. contracting every edge whose source has a single exit and whose destination has a single entry.

According to this definition I would analyze code between 106b0 and 106ec differently: one block B1 from 106b0 to 106c0, and one block B2 from 106c4 to 106ec. This code is a loop, B1 is the setup part of the loop and B2 is the body.

In ARM a bl instruction such as the one at 106dc is a function call, meaning that control will be passed to the called function but then returned to the instruction right after the bl. So if we're only constructing the CFG for the calling function I wouldn't consider this instruction as a block boundary. If we're doing the CFG for the whole program there should be an edge towards the called function here and then another edge back from the called function to the next instruction.

Samuel Peter
  • 4,136
  • 2
  • 34
  • 42
  • Thank you so much for your explanation. Do you know of a tool that allows to recover the basic blocks in the way that the starting address of the basic block matches with a target address of a basic block? Such that there will be no jumps in the middle of a basic block. – abpar Apr 03 '18 at 08:33
  • 2
    @abpar: Agner Fog's `objconv` x86 disassembler puts labels on branch targets, making it easy to see basic blocks. http://agner.org/optimize/. (A basic block contains no branches/jumps, and no branch targets) – Peter Cordes Apr 05 '18 at 08:03
  • Thank yoiu so much @PeterCordes. I am looking for a similar thing for ARM elf binaries. – abpar Apr 05 '18 at 09:12
0

A basic block doesn't contain branch targets, as Samuel's answer explains. The branch targets into blocks of instructions are also boundaries between basic blocks.

You're generating this code with a compiler, so use clang -O3 -S foo.c to get the compiler's asm output with labels on branch targets.

Compiling all the way to an object file and then disassembling that means you'd need a disassembler to put labels back onto the targets of all the branches it finds when disassembling. Agner Fog's x86 disassembler, objconv does this. Maybe there's something similar for ARM, but I don't think GNU binutils objdump -d has an option for that.

I don't have ARM clang installed, but the output is probably very similar to x86. For example, a very simple function that will compile with a branch:

int sa, sb;
void foo(int a, int b) {
    if (a>b) {
        sb = b;
    }
    sa = a;
}

Compiled for x86 on the Godbolt compiler explorer with clang5.0 -O3. (Godbolt has ARM-gcc installed, but not ARM-clang)

foo(int, int):                               # @foo(int, int)
        cmp     edi, esi
        jle     .LBB0_2
        mov     dword ptr [rip + sb], esi
.LBB0_2:
        mov     dword ptr [rip + sa], edi
        ret

There are 3 basic blocks here: cmp/jle, the first mov, and the 2nd mov+ret. The 2nd block has no label, because it starts after the fall-through of a conditional branch.

The .LBB0_2 label name is auto-generated. The .L means its a "local" label (no symbol in the symbol-table of the object file; it's for internal use while assembling this file only). The BB stands for Basic Block. I think BB0_2 means it's basic block #2 (counting from 0) in the first function. (Duplicating the function with a different name gives us a .LBB1_2 label.) Within a function, different labels have a different last number.

Clang even labels all the basic blocks in comments:

On Godbolt, click the // button to disable hiding comment lines. Then you get:

foo(int, int):                               # @foo(int, int)
# BB#0:
        #DEBUG_VALUE: foo:a <- %EDI
        #DEBUG_VALUE: foo:b <- %ESI
        cmp     edi, esi
        jle     .LBB0_2
# BB#1:
        #DEBUG_VALUE: foo:b <- %ESI
        #DEBUG_VALUE: foo:a <- %EDI
        mov     dword ptr [rip + sb], esi
.LBB0_2:
        #DEBUG_VALUE: foo:b <- %ESI
        #DEBUG_VALUE: foo:a <- %EDI
        mov     dword ptr [rip + sa], edi
        ret

i.e. basic blocks that aren't branch targets get a comment to delimit + number them, instead of a .L local label. It also shows you which C variables are in which registers on entry to the BB.

Peter Cordes
  • 328,167
  • 45
  • 605
  • 847