Interpreter, Compiler, JIT from scratch

Interpreter, Compiler, JIT
from scratch
Jim Huang <jserv.tw@gmail.com>

● Brainf*ck: Turing complete programming language
● Interpreter
● Compiler
● JIT Compiler
Agenda

Brainf*ck Machine
● Assume we have unlimited length of buffer
Address 0 1 2 3 4 …
Value 0 0 0 0 0 …
Source: http://jonfwilkins.blogspot.tw/2011/06/happy-99th-birthday-alan-turing.html

Brainf*ck instructions
Increment the byte value at the data pointer.
Decrement the data pointer to point to the previous cell.
Increment the data pointer to point to the next cell.
Decrement the byte value at the data pointer.
Output the byte value at the data pointer.
Input one byte and store its value at the data pointer.
If the byte value at the data pointer is zero, jump to the
instruction following the matching ] bracket. Otherwise,
continue execution.
Unconditionally jump back to the matching [ bracket.

Turing Complete
● Brianfuck has 6 opcode + Input/Output commands
● gray area for I/O (implementation dependent)
– EOF
– tape length
– cell type
– newlines
● That is enough to program!
● Extension: self-modifying Brainfuck
https://soulsphere.org/hacks/smbf/

Brainf*ck
Address 0 1 2 3 4 …
Value 0 0 0 0 0 …
+ > + < -

Brainf*ck
Address 0 1 2 3 4 …
Value 1 0 0 0 0 …
+ > + < -

Brainf*ck
Address 0 1 2 3 4 …
Value 1 1 0 0 0 …
+ > + < -

Brainf*ck
Address 0 1 2 3 4 …
Value 0 1 0 0 0 …
+ > + < -

Brainf*ck
Address 0 1 2 3 4 …
Value 64 0 0 0 0 …
. [ > , ]
Input Output
'A' 'B' '0'

Brainf*ck
Address 0 1 2 3 4 …
Value 64 0 0 0 0 …
. [ > , ]
'A' 'B' '0' '@'
Input Output

Brainf*ck
Address 0 1 2 3 4 …
Value 64 65 0 0 0 …
. [ > , ]
'A' 'B' '0' '@'
Input Output

Brainf*ck
Address 0 1 2 3 4 …
Value 64 65 66 0 0 …
. [ > , ]
'A' 'B' '0' '@'
Input Output

Initialization
● A Brainfuck program operates on a 30,000 element byte
array initialized to all zeros. It starts off with an instruction
pointer, that initially points to the first element in the data
array or “tape.”
// Initialize the tape with 30,000 zeroes.
uint8_t tape [30000] = { 0 };
// Set the pointer to the left most cell of the tape.
uint8_t* ptr = tape;

Data Pointer
● Operators, > and < increment and decrement the data
pointer.
case '>': ++ptr; break;
case '<': --ptr; break;
● One thing that could be bad is that because the interpreter is
written in C and we’re representing the tape as an array but
we’re not validating our inputs, there’s potential for stack
buffer overrun since we’re not performing bounds checks.
Again, punting and assuming well formed input to keep the
code and the point more precise.

Cells pointed to Data Pointer
● + and – operators are used for incrementing and
decrementing the cell pointed to by the data pointer by
one.
case '+': ++(*ptr); break;
case '-': --(*ptr); break;

Input and Output
● The operators . and , provide Brainfuck’s only means of
input or output, by writing the value pointed to by the
instruction pointer to stdout as an ASCII value, or reading
one byte from stdin as an ASCII value and writing it to the
cell pointed to by the instruction pointer.
case '.': putchar(*ptr); break;
case ',': *ptr = getchar(); break;

Loop
●
Looping constructs, [ and ].
– [: if the byte at the data pointer is zero, then instead of
moving the instruction pointer forward to the next
command, jump it forward to the command after the
matching ] command
– ]: if the byte at the data pointer is nonzero, then
instead of moving the instruction pointer forward to the
next command, jump it back to the command after the
matching [ command.

Loop
case '[':
if (!(*ptr)) {
int loop = 1;
while (loop > 0) {
uint8_t current_char =
input[++i];
if (current_char == ']') {
--loop;
} else if (current_char == '[') {
++loop;
}
}
}
break;
case ']':
if (*ptr) {
int loop = 1;
while (loop > 0) {
uint8_t current_char =
input[--i];
if (current_char == '[') {
--loop;
} else if (current_char == ']') {
++loop;
}
}
}
break;

Verify the simple interpreter
● Fetch and build
$ git clone https://github.com/embedded2015/jit-construct.git
$ cd jit-construct
$ make
$ ./interpreter progs/hello.bf
Hello World!
● Check interpreter.c which reads a byte and immediately performs
an action based on the operator.
● Benchmark on GNU/Linux for x86_64
$ time ./interpreter progs/mandelbrot.b
real 2m1.297s
user 2m1.368s
sys 0m0.004s

Brainf*ck Compiler
[x86_64/x64 backend]

Generate machine code
● How about if we want to compile the Brainfuck source
code to native machine code?
– Instruction Set Architecture (ISA)
– Application Binary Interface (ABI)
● Iterate over every character in the source file again,
switching on the recognized operator.
– print assembly instructions to stdout.
– Doing so requires running the compiler on an input file,
redirecting stdout to a file, then running the system
assembler and linker on that file.

Prologue for compiled x86_64
const char *const prologue =
".textn"
".globl _mainn"
"main:n"
" pushq %rbpn"
" movq %rsp, %rbpn"
" pushq %r12n" // store callee saved register
" subq $30008, %rspn" // allocate 30,008 B on stack, and realign
" leaq (%rsp), %rdin" // address of beginning of tape
" movl $0, %esin" // fill with 0's
" movq $30000, %rdxn" // length 30,000 B
" call memsetn" // memset
" movq %rsp, %r12";

Epilogue for compiled x86_64
const char *const epilogue =
" addq $30008, %rspn" // clean up tape from stack.
" popq %r12n" // restore callee saved register
" popq %rbpn"
" retn";
● During the linking phase, we ensure linking in libc so we can call
memset. What we do is backing up callee saved registers we’ll
be using, stack allocating the tape, realigning the stack, copying
the address of the only item on the stack into a register for our
first argument, setting the second argument to the constant 0,
the third arg to 30000, then calling memset.
● Finally, we use the callee saved register %r12 as our instruction
pointer, which is the address into a value on the stack.

Alignment
● We can expect the call to memset to result in a segfault if
simply subtract just 30000B, and not realign for the 2 registers
(64 b each, 8 B each) we pushed on the stack.
● The first pushed register aligns the stack on a 16 B boundary,
the second misaligns it; that’s why we allocate an additional 8
B on the stack.
Reference:
System V Application Binary Interface
AMD64 Architecture Processor Supplement
Draft Version 0.99.6

Data Pointers are straightforward
● Moving the instruction pointer (>, <) and modifying the
pointed to value (+, -)
case '>':
puts(" inc %r12");
break;
case '<':
puts(" dec %r12");
break;
case '+':
puts(" incb (%r12)");
break;
case '-':
puts(" decb (%r12)");
break;

Output
● Have to copy the pointed to byte into the register for the
first argument to putchar.
● We explicitly zero out the register before calling putchar,
since it takes an int (32 b), but we’re only copying a char (8
b) (C’s type promotion rules).
– x86-64 has an instruction that does both, movzXX, Where the first X is the
source size (b, w) and the second is the destination size (w, l, q).
– movzbl moves a byte (8 b) into a double word (32 b). %rdi and %edi are the
same register, but %rdi is the full 64 b register, while %edi is the lowest (or
least significant) 32 b.
case '.':
puts(" movzbl (%r12), %edi");
puts(" call putchar");
break;

Input
● Easily call getchar, move the resulting lowest byte into
the cell pointed to by the instruction pointer.
– %al is the lowest 8 b of the 64 b %rax register
case ',':
puts(" call getchar");
puts(" movb %al, (%r12)");
break;

Loop constructs [
● Have to match up jumps to matching labels
– labels must be unique.
● Instead, whenever we encounter an opening brace, push a
monotonically increasing number that represents the numbers of
opening brackets we’ve seen so far onto a stack like data structure.
– compare and jump to what will be the label that should be produced by the matching
close label.
– insert our starting label, and finally increment the number of brackets seen.
case '[':
stack_push(&stack, num_brackets);
puts (" cmpb $0, (%r12)");
printf(" je bracket_%d_endn", num_brackets);
printf("bracket_%d_start:n", num_brackets++);
break;

Loop constructs ]
● pop the number of brackets seen (or rather, number of pending open
brackets which we have yet to see a matching close bracket) off of the
stack, do our comparison, jump to the matching start label, and finally
place our end label.
case ']':
stack_pop(&stack, &matching_bracket);
puts(" cmpb $0, (%r12)");
printf(" jne bracket_%d_startn", matching_bracket);
printf("bracket_%d_end:n", matching_bracket);
break;

Code generation of Nested Loop
[ [ ] ]
cmpb $0, (%r12)
je bracket_0_end
bracket_0_start:
cmpb $0, (%r12)
je bracket_1_end
bracket_1_start:
cmpb $0, (%r12)
jne bracket_1_start
bracket_1_end:
cmpb $0, (%r12)
jne bracket_0_start
bracket_0_end:

Verify x86_64 compiler
● build
$ make && ./compiler-x64 progs/hello.b > hello.s
$ gcc -o hello-x64 hello.s && ./hello-x64
Hello World!
● Check interpreter.c which reads a byte and immediately
performs an action based on the operator.
$ ./compiler-x64 progs/mandelbrot.b > mandelbrot.s
$ gcc -o mandelbrot mandelbrot.s && time ./mandelbrot
real 0m9.366s

Brainf*ck Compiler
[ARM backend]

Prologue/Epilogue for ARM
const char *const prologue =
".globl mainn"
"main:n"
"LDR R4 ,= _arrayn"
"push {lr}n";
const char *const epilogue =
" pop {pc}n"
".datan"
".align 4n"
"_char: .asciz "%c"n"
"_array: .space 30000n";

Data Pointers
● Moving the instruction pointer (>, <) and modifying the
pointed to value (+, -)
case '>':
puts("ADD R4, R4, #1");
break;
case '<':
puts("SUB R4, R4, #1");
break;
case '+':
puts("LDRB R5, [R4]");
puts("ADD R5, R5, #1");
puts("STRB R5, [R4]");
break;
case '-':
puts("SUB R5, R5, #1");
break;

Input/Output
case ',':
puts("BL getchar");
break;
case '.':
puts("LDR R0 ,= _char ");
puts("BL printf");
break;
NOTE:in epilogue
"_char: .asciz "%c"n"

Loop constructs [
case '[':
stack_push(&stack, num_brackets);
printf("_in_%d:n", num_brackets);
puts ("LDRB R5, [R4]");
puts ("CMP R5, #0");
printf("BEQ _out_%dn", num_brackets);
num_brackets++;
break;

Loop constructs ]
case ']':
stack_pop(&stack, &matching_bracket);
printf("_out_%d:n", matching_bracket);
puts ("LDRB R5, [R4]");
puts ("CMP R5, #0");
printf("BNE _in_%dn", matching_bracket);
break;

Brainf*ck JIT Compiler
[x86_64 backend]

Minimal JIT
#include <sys/mman.h>
int main(int argc, char *argv[]) {
unsigned char code[] = {0xb8, 0x00, 0x00, 0x00, 0x00, 0xc3};
int num = atoi(argv[1]);
memcpy(&code[1], &num, 4);
void *mem = mmap(NULL, sizeof(code), PROT_WRITE | PROT_EXEC,
MAP_ANON | MAP_PRIVATE, -1, 0);
memcpy(mem, code, sizeof(code));
int (*func)() = mem;
return func();
}
Machine code for:
● mov eax, 0
● ret
Overwrite immediate value "0"
in the instruction with the user's
value. This will make our code:
● mov eax, <user's value>
● ret
Allocate writable/executable memory.
● Note: real programs should not map
memory both writable and executable
because it is a security risk

Minimal JIT: Evaluate
$ make test
$ ./jit0-x64 42 ; echo $?
42
● use mmap() to allocate the memory instead of malloc(),
the normal way of getting memory from the heap.
– This is necessary because we need the memory to be
executable so we can jump to it without crashing the
program.
● On most systems the stack and heap are configured not
to allow execution because if you're jumping to the stack
or heap it means something has gone very wrong.

DynASM
● is a part of the most impressive LuaJIT project, but is totally
independent of the LuaJIT code and can be used separately.
● consists of two parts
– a preprocessor that converts a mixed C/assembly file
(*.dasc) to straight C
– A tiny runtime that links against the C to do the work that
must be deferred until runtime.

DynASM
|.arch x64
|.actionlist actions
#define Dst &state
int num = atoi(argv[1]);
dasm_State *state;
initjit(&state, actions);
| mov eax, num
| ret
int (*fptr)() = jitcode(&state);
int ret = fptr();
free_jitcode(fptr);
return ret;
}

JIT using DynASM(2)
#define Dst &state
#define MAX_NESTING 256
dasm_State *state;
initjit(&state, actions);
unsigned int maxpc = 0;
int pcstack[MAX_NESTING];
int *top = pcstack, *limit = pcstack + MAX_NESTING;
// Function prologue.
| push PTR
| mov PTR, rdi

JIT using DynASM(3)
for (char *p = argv[1]; *p; p++) {
switch (*p) {
case '>':
| inc PTR
break;
case '<':
| dec PTR
break;
case '+':
| inc byte [PTR]
break;
case '-':
| dec byte [PTR]
break;
case '.':
| movzx edi, byte [PTR]
| callp putchar
break;
case ',':
| callp getchar
| mov byte [PTR], al
break;

JIT using DynASM(4)
case '[':
if (top == limit)
err("Nesting too deep.");
// Each loop gets two pclabels: at the beginning and end.
// We store pclabel offsets in a stack to link the loop
// begin and end together.
maxpc += 2;
*top++ = maxpc;
dasm_growpc(&state, maxpc);
| cmp byte [PTR], 0
| je =>(maxpc-2)
|=>(maxpc-1):
break;
case ']':
if (top == pcstack)
err("Unmatched ']'");
top--;
| cmp byte [PTR], 0
| jne =>(*top-1)
|=>(*top-2):
break;
}
}

JIT using DynASM(5)
// Function epilogue.
| pop PTR
| ret
void (*fptr)(char*) = jitcode(&state);
char *mem = calloc(30000, 1);
fptr(mem);
free(mem);
free_jitcode(fptr);
return 0;
}

Verify JIT compiler
$ time ./jit-x64 progs/mandelbrot.b
real 0m3.614s
user 0m3.612s
sys 0m0.004s

● Interpreter, Compiler, JIT
https://nickdesaulniers.github.io/blog/2015/05/25/interpreter-compiler-jit/
● 実用 Brainf*ck プログラミ
● The Unofficial DynASM Documentation
https://corsix.github.io/dynasm-doc/
● Hello, JIT World: The Joy of Simple JITs
http://blog.reverberate.org/2012/12/hello-jit-world-joy-of-simple-jits.html
Reference

Interpreter, Compiler, JIT from scratch

More Related Content

What's hot (20)

Similar to Interpreter, Compiler, JIT from scratch (20)

More from National Cheng Kung University (20)

Recently uploaded (20)

Interpreter, Compiler, JIT from scratch