GCC's switch table code generation

[Edd Barrett <vext01@gmail.com>]

Hi there,

I am new here, so I wish to take a second to introduce myself and what
I am working on, then ultimately why I am posting on this list. Also I
will apologise if this is the wrong place to post this query. If this
is so, perhaps you could point me in the right direction.

I have just started a PhD on reverse engineering executable code at
the University of Kent in England. I arrived at this position after
taking an keen interest in operating systems and programming languages
during my undergraduate degree, where I eventually wrote an
experimental compiler. So basically I am quite new to compiler
technology, but not completely clueless.

One of the first things that became apparent when reviewing literature
on reverse engineering executable code, was that computer scientists
consider the code generated by switch statements to be awkward to draw
CFG's for. Following on from this, I have started to disassemble some
simple mock up programs. I have discovered:

 * GCC will sometimes just use simple conditional jumps, notably with -O0.
 * at -O1 and greater, depending upon the size of the case table, GCC
sometimes embeds a indirect jump table in the data segment of the
binary and uses arithmetic to lookup the address to jump to.

Next i scripted the creation of a sparse switch statement with little
clusters of cases next to each other, but with nothing in-between. The
exact test case was a switch statement (comparing an integer) with a
(differing) printf and break statement on each arm at positions:

0-9
300-319
9000-9040


What I expected was one indirect jump table for each of the 3 clusters
and some form of conditional as to which table to look in. What I got
was very different. In-fact no indirect jump tables were used at-all.
A series of conditional jumps were used. What I am confused about was
the selection of comparisons used to construct the switch. I started
to draw a tree for these findings, but obviously the tree is huge, so
I only did a bit (I need to make a tool to draw these trees really):

http://students.dec.bournemouth.ac.uk/ebarrett/files/switch-tree.png

I would be really interested to know how GCC:
 * Decides whether or not to embed tables in the data segment of the binary.
 * Selects the comparisons in the above tree.

Perhaps someone knows of a good paper/book on this topic which could
be of use, or a relevant section of code in the GCC sources (at the
moment I am overwhelmed by the source tree).

For the record, all of my tests have switched on a variable which can
not be known at compile time (argv[1]). This was to stop the optimiser
being clever and removing the switch table altogether.

My environment:
OpenBSD-4.6-current/i386
GCC-4.2.4

Sorry for the huge email.

-- 
Best Regards
Edd Barrett

http://students.dec.bournemouth.ac.uk/ebarrett