source: Papers/sttt/problem.tex @ 3470

\section{Introduction}

The problem of branch displacement optimisation, also known as jump encoding, is
a well-known problem in assembler design~\cite{Hyde2006}. Its origin lies in the
fact that in many architecture sets, the encoding (and therefore size) of some
instructions depends on the distance to their operand (the instruction 'span').
The branch displacement optimisation problem consists of encoding these
span-dependent instructions in such a way that the resulting program is as
small as possible.

This problem is the subject of the present paper. After introducing the problem
in more detail, we will discuss the solutions used by other compilers, present 
the algorithm we use in the CerCo assembler, and discuss its verification,
that is the proofs of termination and correctness using the Matita proof
assistant~\cite{Asperti2007}.

Formulating the final statement of correctness and finding the loop invariants
have been non-trivial tasks and are, indeed, the main contribution of this
paper. It has required considerable care and fine-tuning to formulate not
only the minimal statement required for the ulterior proof of correctness of
the assembler, but also the minimal set of invariants needed for the proof
of correctness of the algorithm.

The research presented in this paper has been executed within the CerCo project
which aims at formally verifying a C compiler with cost annotations. The
target architecture for this project is the MCS-51, whose instruction set
contains span-dependent instructions. Furthermore, its maximum addressable
memory size is very small (64 Kb), which makes it important to generate
programs that are as small as possible. With this optimisation, however, comes increased complexity and hence increased possibility for error. We must make sure that the branch instructions are encoded correctly, otherwise the assembled program will behave unpredictably.

All Matita files related to this development can be found on the CerCo
website, \url{http://cerco.cs.unibo.it}. The specific part that contains the
branch displacement algorithm is in the {\tt ASM} subdirectory, in the files
{\tt PolicyFront.ma}, {\tt PolicyStep.ma} and {\tt Policy.ma}.

\section{The branch displacement optimisation problem}

In most modern instruction sets that have them, the only span-dependent
instructions are branch instructions. Taking the ubiquitous x86-64 instruction
set as an example, we find that it contains eleven different forms of the
unconditional branch instruction, all with different ranges, instruction sizes
and semantics (only six are valid in 64-bit mode, for example). Some examples
are shown in Figure~\ref{f:x86jumps} (see also~\cite{IntelDev}).

\begin{figure}[h]
\begin{center}
\begin{tabular}{|l|l|l|}
\hline
Instruction & Size (bytes) & Displacement range \\
\hline
Short jump & 2 & -128 to 127 bytes \\
Relative near jump & 5 & $-2^{32}$ to $2^{32}-1$ bytes \\
Absolute near jump & 6 & one segment (64-bit address) \\
Far jump & 8 & entire memory (indirect jump) \\
\hline
\end{tabular}
\end{center}
\caption{List of x86 branch instructions}
\label{f:x86jumps}
\end{figure}

The chosen target architecture of the CerCo project is the Intel MCS-51, which
features three types of branch instructions (or jump instructions; the two terms
are used interchangeably), as shown in Figure~\ref{f:mcs51jumps}.

\begin{figure}[h]
\begin{center}
\begin{tabular}{|l|l|l|l|}
\hline
Instruction & Size    & Execution time & Displacement range \\
            & (bytes) & (cycles) & \\
\hline
SJMP (`short jump') & 2 & 2 & -128 to 127 bytes \\
AJMP (`absolute jump') & 2 & 2 & one segment (11-bit address) \\
LJMP (`long jump') & 3 & 3 & entire memory \\
\hline
\end{tabular}
\end{center}
\caption{List of MCS-51 branch instructions}
\label{f:mcs51jumps}
\end{figure}

Conditional branch instructions are only available in short form, which
means that a conditional branch outside the short address range has to be
encoded using three branch instructions (for instructions whose logical
negation is available, it can be done with two branch instructions, but for
some instructions this is not the case). The call instruction is
only available in absolute and long forms.

Note that even though the MCS-51 architecture is much less advanced and much
simpler than the x86-64 architecture, the basic types of branch instruction
remain the same: a short jump with a limited range, an intra-segment jump and a
jump that can reach the entire available memory.
 
Generally, in code fed to the assembler as input, the only
difference between branch instructions is semantics, not span. This
means that a distinction is made between an unconditional branch and the
several kinds of conditional branch, but not between their short, absolute or
long variants.

The algorithm used by the assembler to encode these branch instructions into
the different machine instructions is known as the {\em branch displacement
algorithm}. The optimisation problem consists of finding as small an encoding as
possible, thus minimising program length and execution time.

Similar problems, e.g. the branch displacement optimisation problem for other
architectures, are known to be NP-complete~\cite{Robertson1979,Szymanski1978},
which could make finding an optimal solution very time-consuming. 

The canonical solution, as shown by Szymanski~\cite{Szymanski1978} or more
recently by Dickson~\cite{Dickson2008} for the x86 instruction set, is to use a
fixed point algorithm that starts with the shortest possible encoding (all
branch instruction encoded as short jumps, which is likely not a correct
solution) and then iterates over the source to re-encode those branch
instructions whose target is outside their range.

\subsection*{Adding absolute jumps}

In both papers mentioned above, the encoding of a jump is only dependent on the
distance between the jump and its target: below a certain value a short jump
can be used; above this value the jump must be encoded as a long jump.

Here, termination of the smallest fixed point algorithm is easy to prove. All
branch instructions start out encoded as short jumps, which means that the
distance between any branch instruction and its target is as short as possible
(all the intervening jumps are short).
If, in this situation, there is a branch instruction $b$ whose span is not
within the range for a short jump, we can be sure that we can never reach a
situation where the span of $j$ is so small that it can be encoded as a short
jump. This argument continues to hold throughout the subsequent iterations of
the algorithm: short jumps can change into long jumps, but not \emph{vice versa},
as spans only increase. Hence, the algorithm either terminates early when a fixed
point is reached or when all short jumps have been changed into long jumps.

Also, we can be certain that we have reached an optimal solution: a short jump
is only changed into a long jump if it is absolutely necessary.

However, neither of these claims (termination nor optimality) hold when we add
the absolute jump. With absolute jumps, the encoding of a branch
instruction no longer depends only on the distance between the branch
instruction and its target. An absolute jump is possible when instruction and
target are in the same segment (for the MCS-51, this means that the first 5
bytes of their addresses have to be equal). It is therefore entirely possible
for two branch instructions with the same span to be encoded in different ways
(absolute if the branch instruction and its target are in the same segment,
long if this is not the case).

\begin{figure}[t]
\begin{subfigure}[b]{.45\linewidth}
\small
\begin{alltt}
    jmp X
    \ldots
L\(\sb{0}\): \ldots
% Start of new segment if
% jmp X is encoded as short
    \ldots
    jmp L\(\sb{0}\)
\end{alltt}
\caption{Example of a program where a long jump becomes absolute}
\label{f:term_example}
\end{subfigure}
\hfill
\begin{subfigure}[b]{.45\linewidth}
\small
\begin{alltt}
L\(\sb{0}\): jmp X
X:  \ldots
    \ldots
L\(\sb{1}\): \ldots
% Start of new segment if
% jmp X is encoded as short
    \ldots
    jmp L\(\sb{1}\)
    \ldots
    jmp L\(\sb{1}\)
    \ldots
    jmp L\(\sb{1}\) 
    \ldots
\end{alltt}
\caption{Example of a program where the fixed-point algorithm is not optimal}
\label{f:opt_example}
\end{subfigure}
\end{figure}

This invalidates our earlier termination argument: a branch instruction, once encoded
as a long jump, can be re-encoded during a later iteration as an absolute jump.
Consider the program shown in Figure~\ref{f:term_example}. At the start of the
first iteration, both the branch to {\tt X} and the branch to $\mathtt{L}_{0}$
are encoded as small jumps. Let us assume that in this case, the placement of
$\mathtt{L}_{0}$ and the branch to it are such that $\mathtt{L}_{0}$ is just
outside the segment that contains this branch. Let us also assume that the
distance between $\mathtt{L}_{0}$ and the branch to it is too large for the
branch instruction to be encoded as a short jump.

All this means that in the second iteration, the branch to $\mathtt{L}_{0}$ will
be encoded as a long jump. If we assume that the branch to {\tt X} is encoded as
a long jump as well, the size of the branch instruction will increase and
$\mathtt{L}_{0}$ will be `propelled' into the same segment as its branch
instruction, because every subsequent instruction will move one byte forward.
Hence, in the third iteration, the branch to $\mathtt{L}_{0}$ can be encoded as
an absolute jump. At first glance, there is nothing that prevents us from
constructing a configuration where two branch instructions interact in such a
way as to iterate indefinitely between long and absolute encodings.

This situation mirrors the explanation by Szymanski~\cite{Szymanski1978} of why
the branch displacement optimisation problem is NP-complete. In this explanation,
a condition for NP-completeness is the fact that programs be allowed to contain
{\em pathological} jumps. These are branch instructions that can normally not be
encoded as a short(er) jump, but gain this property when some other branch
instructions are encoded as a long(er) jump. This is exactly what happens in
Figure~\ref{f:term_example}. By encoding the first branch instruction as a long
jump, another branch instruction switches from long to absolute (which is
shorter).

In addition, our previous optimality argument no longer holds. Consider the
program shown in Figure~\ref{f:opt_example}. Suppose that the distance between
$\mathtt{L}_{0}$ and $\mathtt{L}_{1}$ is such that if {\tt jmp X} is encoded
as a short jump, there is a segment border just after $\mathtt{L}_{1}$. Let
us also assume that all three branches to $\mathtt{L}_{1}$ are in the same
segment, but far enough away from $\mathtt{L}_{1}$ that they cannot be encoded
as short jumps.

Then, if {\tt jmp X} were to be encoded as a short jump, which is clearly
possible, all of the branches to $\mathtt{L}_{1}$ would have to be encoded as
long jumps. However, if {\tt jmp X} were to be encoded as a long jump, and
therefore increase in size, $\mathtt{L}_{1}$ would be `propelled' across the
segment border, so that the three branches to $\mathtt{L}_{1}$ could be encoded
as absolute jumps. Depending on the relative sizes of long and absolute jumps,
this solution might actually be smaller than the one reached by the smallest
fixed point algorithm.