gcc如何传递C/C++函数的聚合类参数

intro

通常C/C++中函数一般不会直接传递一个结构，更多处于性能考虑都会传递一个const类型的结构引用/指针。但是既然语言本身支持这种语法功能，编译器必定就要有对应的实现/规范/标准：否则不同编译器(例如gcc和llvm)生成的二进制文件(lib库)之间就没有办法兼容。特别是聚合类对象(struct/array)更加复杂，所以就更需要有清晰明确的标准。

ABI

以最常见的X86系统为例，函数参数传递相关内容在System V Application Binary Interface的3.2.3 Parameter Passing一节中。

其中相关信息如下所示，看起来很详细，但是也有些困惑。其中多次提到了8字节(eightbyte)。例如其中的

3. If the size of the aggregate exceeds a single eightbyte, each is classified separately. Each eightbyte gets initialized to class NO_CLASS.

并且看起来是不考虑类型，只考虑内存大小。那么如果一个结构在pack之后跨越两个不同的8bytes会如何处理？如果是一个数组，并且数组类型是char类型会怎么处理？

Classification The size of each argument gets rounded up to eightbytes.
...
The classification of aggregate (structures and arrays) and union types works as follows:

1. If the size of an object is larger than four eightbytes, or it contains unaligned fields, it has class MEMORY

2. If a C++ object has either a non-trivial copy constructor or a non-trivial destructor 11, it is passed by invisible reference (the object is replaced in the parameter list by a pointer that has class INTEGER) .

3. If the size of the aggregate exceeds a single eightbyte, each is classified separately. Each eightbyte gets initialized to class NO_CLASS.

4. Each field of an object is classified recursively so that always two fields are considered. The resulting class is calculated according to the classes of the fields in the eightbyte:
   (a) If both classes are equal, this is the resulting class.
   (b) If one of the classes is NO_CLASS, the resulting class is the other
   class.
   (c) If one of the classes is MEMORY, the result is the MEMORY class.
   (d) If one of the classes is INTEGER, the result is the INTEGER.
   (e) If one of the classes is X87, X87UP, COMPLEX_X87 class, MEMORY is used as class.
   (f) Otherwise class SSE is used.

5. Then a post merger cleanup is done:
   (a) If one of the classes is MEMORY, the whole argument is passed in memory.
   (b) If X87UP is not preceded by X87, the whole argument is passed in memory.
   (c) If the size of the aggregate exceeds two eightbytes and the first eightbyte isn’t SSE or any other eightbyte isn’t SSEUP, the whole argument is passed in memory.

主体代码

由于文档说明可能有些模糊，如果结合代码来看，文档的描述会清晰很多。

函数最开始就是以8字节为单位向上取整，获得eightbytes的数量(对应words变量)。的确是把每个word都初始化为X86_64_NO_CLASS。如果总大小大于64个字节就一定通过堆栈来传递参数。

这里的8bytes是单单从存储大小角度考虑的，根本原因是因为64bits系统中，一个寄存器最多只能存储8个字节。在这个时候，已经触碰到编译器的一个核心功能了：把程序中的类型转换为内存/寄存器。

///@file: gcc\config\i386\i386.cc
/* Classify the argument of type TYPE and mode MODE.CLASSES will be filled by the register class used to pass each wordof the operand.  The number of words is returned.  In case the parametershould be passed in memory, 0 is returned. As a special case for zerosized containers, classes[0] will be NO_CLASS and 1 is returned.BIT_OFFSET is used internally for handling records and specifies offsetof the offset in bits modulo 512 to avoid overflow cases.See the x86-64 PS ABI for details.
*/static int
classify_argument (machine_mode mode, const_tree type,enum x86_64_reg_class classes[MAX_CLASSES], int bit_offset,int &zero_width_bitfields)
{HOST_WIDE_INT bytes= mode == BLKmode ? int_size_in_bytes (type) : (int) GET_MODE_SIZE (mode);int words = CEIL (bytes + (bit_offset % 64) / 8, UNITS_PER_WORD);/* Variable sized entities are always passed/returned in memory.  */if (bytes < 0)return 0;if (mode != VOIDmode){/* The value of "named" doesn't matter.  */function_arg_info arg (const_cast<tree> (type), mode, /*named=*/true);if (targetm.calls.must_pass_in_stack (arg))return 0;}if (type && (AGGREGATE_TYPE_P (type)|| (TREE_CODE (type) == BITINT_TYPE && words > 1))){int i;tree field;enum x86_64_reg_class subclasses[MAX_CLASSES];/* On x86-64 we pass structures larger than 64 bytes on the stack.  */if (bytes > 64)return 0;for (i = 0; i < words; i++)classes[i] = X86_64_NO_CLASS;/* Zero sized arrays or structures are NO_CLASS.  We return 0 tosignalize memory class, so handle it as special case.  */if (!words){classes[0] = X86_64_NO_CLASS;return 1;}

struct

结构是按照结构的每个filed来遍历的，在处理每个field的时候进行了递归调用classify_argument函数。将classify_argument计算成的class和所在struct进行合并(merge_classes (subclasses[i], classes[i + pos]))。

其中还有一个重要细节：只要任何一个字段不能放在寄存器中，整个结构都不能放在寄存器中：

		      if (!num)return 0;

完整代码如下：

static int
classify_argument (machine_mode mode, const_tree type,enum x86_64_reg_class classes[MAX_CLASSES], int bit_offset,int &zero_width_bitfields)
{
///.../* Classify each field of record and merge classes.  */switch (TREE_CODE (type)){case RECORD_TYPE:/* And now merge the fields of structure.  */for (field = TYPE_FIELDS (type); field; field = DECL_CHAIN (field)){if (TREE_CODE (field) == FIELD_DECL){int num;if (TREE_TYPE (field) == error_mark_node)continue;/* Bitfields are always classified as integer.  Handle themearly, since later code would consider them to bemisaligned integers.  */if (DECL_BIT_FIELD (field)){if (integer_zerop (DECL_SIZE (field))){if (DECL_FIELD_CXX_ZERO_WIDTH_BIT_FIELD (field))continue;if (zero_width_bitfields != 2){zero_width_bitfields = 1;continue;}}for (i = (int_bit_position (field)+ (bit_offset % 64)) / 8 / 8;i < ((int_bit_position (field) + (bit_offset % 64))+ tree_to_shwi (DECL_SIZE (field))+ 63) / 8 / 8; i++)classes[i]= merge_classes (X86_64_INTEGER_CLASS, classes[i]);}else{int pos;type = TREE_TYPE (field);/* Flexible array member is ignored.  */if (TYPE_MODE (type) == BLKmode&& TREE_CODE (type) == ARRAY_TYPE&& TYPE_SIZE (type) == NULL_TREE&& TYPE_DOMAIN (type) != NULL_TREE&& (TYPE_MAX_VALUE (TYPE_DOMAIN (type))== NULL_TREE)){static bool warned;if (!warned && warn_psabi){warned = true;inform (input_location,"the ABI of passing struct with"" a flexible array member has"" changed in GCC 4.4");}continue;}num = classify_argument (TYPE_MODE (type), type,subclasses,(int_bit_position (field)+ bit_offset) % 512,zero_width_bitfields);if (!num)return 0;pos = (int_bit_position (field)+ (bit_offset % 64)) / 8 / 8;for (i = 0; i < num && (i + pos) < words; i++)classes[i + pos]= merge_classes (subclasses[i], classes[i + pos]);}}}break;

array

数组的处理相对比较简单：对数组类型调用classify_argument函数，然后以每个类型的结构为pattern来对整个数组占用的内存循环施加pattern效果。如果数组类型可以放入到一个8bytes中，那么每个classes元素都是数组类型的class(subclasses)。

这里或许是假设了如果数组类型不大于8个bytes，那么整个类型的所有内存都是相同的存储class。

	    for (i = 0; i < words; i++)classes[i] = subclasses[i % num];

相对完整代码如下

static int
classify_argument (machine_mode mode, const_tree type,enum x86_64_reg_class classes[MAX_CLASSES], int bit_offset,int &zero_width_bitfields)
{
///...case ARRAY_TYPE:/* Arrays are handled as small records.  */{int num;num = classify_argument (TYPE_MODE (TREE_TYPE (type)),TREE_TYPE (type), subclasses, bit_offset,zero_width_bitfields);if (!num)return 0;/* The partial classes are now full classes.  */if (subclasses[0] == X86_64_SSESF_CLASS && bytes != 4)subclasses[0] = X86_64_SSE_CLASS;if (subclasses[0] == X86_64_SSEHF_CLASS && bytes != 2)subclasses[0] = X86_64_SSE_CLASS;if (subclasses[0] == X86_64_INTEGERSI_CLASS&& !((bit_offset % 64) == 0 && bytes == 4))subclasses[0] = X86_64_INTEGER_CLASS;for (i = 0; i < words; i++)classes[i] = subclasses[i % num];break;}

未对齐字段

没有自然对齐的字段不能通过寄存器传递(Misaligned fields are always returned in memory)。

static int
classify_argument (machine_mode mode, const_tree type,enum x86_64_reg_class classes[MAX_CLASSES], int bit_offset,int &zero_width_bitfields)
{
///.../* Compute alignment needed.  We align all types to natural boundaries withexception of XFmode that is aligned to 64bits.  */if (mode != VOIDmode && mode != BLKmode){int mode_alignment = GET_MODE_BITSIZE (mode);if (mode == XFmode)mode_alignment = 128;else if (mode == XCmode)mode_alignment = 256;if (COMPLEX_MODE_P (mode))mode_alignment /= 2;/* Misaligned fields are always returned in memory.  */if (bit_offset % mode_alignment)return 0;}

结构大于2个8bytes不能使用寄存器

非SSE类型，如果总长度超过两个8字节，一定通过内存传递。

      if (words > 2){/* When size > 16 bytes, if the first one isn'tX86_64_SSE_CLASS or any other ones aren'tX86_64_SSEUP_CLASS, everything should be passed inmemory.  */if (classes[0] != X86_64_SSE_CLASS)return 0;for (i = 1; i < words; i++)if (classes[i] != X86_64_SSEUP_CLASS)return 0;}

一些情况分类

1. 结构/数组中有未对齐字段

代码中可以看到直接返回0，也就是只能放在堆栈中。

2. 结构中多个字段在同一个8字节范围内

此时num为1，而多个field在classed数组中的下标可能都是相同的(pos值相同：classes每个元素对于结构的8个bytes，所以在同一个8字节空间内的filed就在同一个classes数组元素中)。

		      pos = (int_bit_position (field)+ (bit_offset % 64)) / 8 / 8;for (i = 0; i < num && (i + pos) < words; i++)classes[i + pos]= merge_classes (subclasses[i], classes[i + pos]);

test

结构B为两个8字节，作为函数参数时整个结构都通过寄存器传递；结构C在B的基础上加一个字节(因为超过了两个8字节)，就需要通过堆栈传递。

tsecer@harry: cat func_struct_param.cpp
struct A
{int i;float f;
};struct B
{A aa[2];
};struct C
{B b;char c;
};int foo(B b)
{return b.aa[0].i + b.aa[1].f;
}int bar(C c)
{return c.c + c.b.aa[0].i;
}tsecer@harry: gcc -S func_struct_param.cpp
tsecer@harry: cat func_struct_param.s.file   "func_struct_param.cpp".text.globl  _Z3foo1B.type   _Z3foo1B, @function
_Z3foo1B:
.LFB0:.cfi_startprocendbr64pushq   %rbp.cfi_def_cfa_offset 16.cfi_offset 6, -16movq    %rsp, %rbp.cfi_def_cfa_register 6movq    %rdi, %raxmovq    %rsi, %rcxmovq    %rcx, %rdxmovq    %rax, -16(%rbp)movq    %rdx, -8(%rbp)movl    -16(%rbp), %eaxpxor    %xmm1, %xmm1cvtsi2ssl       %eax, %xmm1movss   -4(%rbp), %xmm0addss   %xmm1, %xmm0cvttss2sil      %xmm0, %eaxpopq    %rbp.cfi_def_cfa 7, 8ret.cfi_endproc
.LFE0:.size   _Z3foo1B, .-_Z3foo1B.globl  _Z3bar1C.type   _Z3bar1C, @function
_Z3bar1C:
.LFB1:.cfi_startprocendbr64pushq   %rbp.cfi_def_cfa_offset 16.cfi_offset 6, -16movq    %rsp, %rbp.cfi_def_cfa_register 6movzbl  32(%rbp), %eaxmovsbl  %al, %edxmovl    16(%rbp), %eaxaddl    %edx, %eaxpopq    %rbp.cfi_def_cfa 7, 8ret.cfi_endproc
.LFE1:.size   _Z3bar1C, .-_Z3bar1C.ident  "GCC: (Ubuntu 13.3.0-6ubuntu2~24.04) 13.3.0".section        .note.GNU-stack,"",@progbits.section        .note.gnu.property,"a".align 8.long   1f - 0f.long   4f - 1f.long   5
0:.string "GNU"
1:.align 8.long   0xc0000002.long   3f - 2f
2:.long   0x3
3:.align 8
4:
tsecer@harry:

outro

这里并没有详细分析流程的所有细节，只是想说明，在分析汇编代码的时候要注意：

C/C++的函数参数传递并不是结构/数组就一定通过堆栈传递；反过来说，通过(分散的)寄存器传递的函数参数也可能是(同一个)结构的成员。