refactor(ast2ir): 提取模块访问函数并优化类型大小计算

- 添加 scc_ast2ir_mir_module 内联函数统一访问模块 - 替换所有直接访问 ctx->builder.cprog->module 的地方 - 移除重复的 scc_hir_type_size 函数实现 - 添加 scc_hir_module_type_size 函数到模块接口 - 更新所有类型大小计算调用使用新函数 feat(hir): 增强构建器安全性和全局变量处理 - 为 scc_hir_builder_integer 添加空指针检查断言 - 修复 scc_hir_builder_global_alloca 中全局变量类型设置 - 改进 scc_hir_builder_get_elem_ptr 处理空指针索引情况 - 重构字符串常量生成使用 get_elem_ptr 构建器函数 refactor(lir): 简化地址表达式表示并增强内置函数支持 - 移除复杂地址结构体 scc_lir_addr_t - 简化 scc_lir_instr 结构体中的地址表示 - 移除 STORE_ADDR 操作码 - 添加 memcpy 和 memset 内置函数操作码 - 在符号元数据中使用联合体替代嵌套结构体 feat(hir2lir): 完善 HIR 到 LIR 转换中的内置函数处理 - 添加 ensure_vreg 辅助函数确保虚拟寄存器操作数 - 正确处理全局变量地址符号引用 - 优化 GET_ELEM_PTR 转换使用类型大小计算 - 完整实现所有内置函数(BUILTIN)的 LIR 转换 - 包括 memcpy、memset、va_start、va_arg、va_end、va_copy 等
2026-05-22 15:15:18 +08:00
parent 41d060d7e7
commit d78b91894e
27 changed files with 1272 additions and 563 deletions
--- a/libs/ast2ir/include/scc_ast2ir.h
+++ b/libs/ast2ir/include/scc_ast2ir.h
@@ -19,6 +19,10 @@ typedef struct {
    scc_ast_ctx_t *ast_ctx;
 } scc_ast2ir_ctx_t;
 static inline scc_hir_module_t *scc_ast2ir_mir_module(scc_ast2ir_ctx_t *ctx) {
    return &ctx->builder.cprog->module;
 }
 void scc_ast2ir_ctx_init(scc_ast2ir_ctx_t *ctx, const scc_abi_type_calc_t *abi,
                         scc_ast_ctx_t *ast_ctx, scc_hir_cprog_t *cprog);
 void scc_ast2ir_ctx_drop(scc_ast2ir_ctx_t *ctx);
--- a/libs/ast2ir/src/scc_ast2ir.c
+++ b/libs/ast2ir/src/scc_ast2ir.c
@@ -55,7 +55,7 @@ static void emit_array_initialization(scc_ast2ir_ctx_t *ctx,
    Assert(array_type->tag == SCC_HIR_TYPE_ARRAY);
    scc_hir_type_ref_t elem_type_ref = array_type->data.array.base;
    const scc_hir_type_t *elem_type =
-        scc_hir_module_get_type(&ctx->builder.cprog->module, elem_type_ref);
+        scc_hir_module_get_type(scc_ast2ir_mir_module(ctx), elem_type_ref);
    usize array_len = array_type->data.array.len;
    // 字符串字面量初始化：直接 memcpy
@@ -124,8 +124,8 @@ static void emit_aggregate_initialization(scc_ast2ir_ctx_t *ctx,
            scc_vec_at(init_expr->compound.rhs_exprs, i);
        scc_hir_type_ref_t field_type_ref =
            scc_vec_at(type->data.aggregate.fields, idx);
-        const scc_hir_type_t *field_type = scc_hir_module_get_type(
+        const scc_hir_type_t *field_type =
-            &ctx->builder.cprog->module, field_type_ref);
+            scc_hir_module_get_type(scc_ast2ir_mir_module(ctx), field_type_ref);
        scc_ap_t idx_ap;
        scc_ap_set_int(&idx_ap, idx);
@@ -149,68 +149,6 @@ static void emit_aggregate_initialization(scc_ast2ir_ctx_t *ctx,
 }
 // static inline void parse_struct_union_layout(scc_ast_qual_type_t *type) {}
 usize scc_hir_type_size(scc_ast2ir_ctx_t *ctx, const scc_hir_type_t *type) {
    switch (type->tag) {
    case SCC_HIR_TYPE_void:
        return 0;
    case SCC_HIR_TYPE_i8:
        return 1;
    case SCC_HIR_TYPE_i16:
        return 2;
    case SCC_HIR_TYPE_i32:
        return 4;
    case SCC_HIR_TYPE_i64:
        return 8;
    case SCC_HIR_TYPE_i128:
        return 16;
    case SCC_HIR_TYPE_u8:
        return 1;
    case SCC_HIR_TYPE_u16:
        return 2;
    case SCC_HIR_TYPE_u32:
        return 4;
    case SCC_HIR_TYPE_u64:
        return 8;
    case SCC_HIR_TYPE_u128:
        return 16;
    case SCC_HIR_TYPE_f16:
        return 2;
    case SCC_HIR_TYPE_f32:
        return 4;
    case SCC_HIR_TYPE_f64:
        return 8;
    case SCC_HIR_TYPE_f128:
        return 16;
    case SCC_HIR_TYPE_PTR: {
        // 目标指针大小，可以定义为 8（64位）或从 ABI 获取
        // 假设你的目标架构是 64 位
        return 8;
    }
    case SCC_HIR_TYPE_ARRAY: {
        usize elem_size = scc_hir_type_size(
            ctx, scc_hir_module_get_type(&ctx->builder.cprog->module,
                                         type->data.array.base));
        return elem_size * type->data.array.len;
    }
    case SCC_HIR_TYPE_FUNC:
        // 函数类型大小一般是指针大小
        return 8;
    case SCC_HIR_TYPE_STRUCT:
    case SCC_HIR_TYPE_UNION:
        // 暂时无法计算，保守返回 0 或报错
        LOG_ERROR("Cannot compute size of struct/union without layout info");
        return 0;
    default:
        LOG_ERROR("Unknown type tag %d", type->tag);
        return 0;
    }
 }
 // 辅助函数：计算数组实际长度（如果原长度为0）
 static void resolve_array_length(scc_ast2ir_ctx_t *ctx,
                                 const scc_hir_type_t *orig_array_type,
@@ -334,7 +272,7 @@ scc_hir_type_ref_t scc_ast2ir_type(scc_ast2ir_ctx_t *ctx,
        // === 3. 直接添加到模块，不经过 builder 的 uniquing ===
        //     因为此时我们不需要类型去重，只需要一个确定不移的引用
        scc_hir_type_ref_t place_ref =
-            scc_hir_module_add_type(&ctx->builder.cprog->module, &placeholder);
+            scc_hir_module_add_type(scc_ast2ir_mir_module(ctx), &placeholder);
        // === 4. 将映射写入缓存（关键！必须在递归前） ===
        scc_hashtable_set(&ctx->type_cache, canon, (void *)(usize)place_ref);
@@ -357,7 +295,7 @@ scc_hir_type_ref_t scc_ast2ir_type(scc_ast2ir_ctx_t *ctx,
        // === 6. 将字段填入占位类型 ===
        scc_hir_type_t *place_type =
-            scc_hir_module_get_type(&ctx->builder.cprog->module, place_ref);
+            scc_hir_module_get_type(scc_ast2ir_mir_module(ctx), place_ref);
        // 注意：scc_hir_type_init 已经为 struct/union 初始化了 fields 空向量
        // 这里直接 push 即可（也可以先 scc_vec_free 再 init，看需要）
        scc_vec_foreach(fields, i) {
@@ -895,13 +833,15 @@ scc_hir_value_ref_t scc_ast2ir_expr(scc_ast2ir_ctx_t *ctx,
        // 3. 确定转换模式（SEXT / ZEXT / TRUNC）
        // 这里用简单的启发式：根据大小变化决定
        scc_hir_type_t *src_type = scc_hir_module_get_type_by_value(
-            &ctx->builder.cprog->module, operand);
+            scc_ast2ir_mir_module(ctx), operand);
        scc_hir_type_t *dst_type =
-            scc_hir_module_get_type(&ctx->builder.cprog->module, target_type);
+            scc_hir_module_get_type(scc_ast2ir_mir_module(ctx), target_type);
-        usize src_size =
+        usize src_size = scc_hir_module_type_size(
-            scc_hir_type_size(ctx, src_type); // 你可能有这个函数，否则自行计算
+            scc_ast2ir_mir_module(ctx),
-        usize dst_size = scc_hir_type_size(ctx, dst_type);
+            src_type); // 你可能有这个函数，否则自行计算
        usize dst_size =
            scc_hir_module_type_size(scc_ast2ir_mir_module(ctx), dst_type);
        int conv_kind;
        if (dst_size > src_size) {
@@ -923,8 +863,7 @@ scc_hir_value_ref_t scc_ast2ir_expr(scc_ast2ir_ctx_t *ctx,
            .data.conv.target_type = target_type,
            .data.conv.conv_type = conv_kind,
        };
-        return scc_hir_module_add_value(&ctx->builder.cprog->module,
+        return scc_hir_module_add_value(scc_ast2ir_mir_module(ctx), &conv_node);
                                        &conv_node);
    }
    case SCC_AST_EXPR_SIZE_OF: {
        // 1. 将 sizeof 的操作数（类型或表达式）转换为 IR 类型
@@ -939,7 +878,7 @@ scc_hir_value_ref_t scc_ast2ir_expr(scc_ast2ir_ctx_t *ctx,
            scc_hir_value_ref_t dummy =
                scc_ast2ir_expr(ctx, expr->attr_of.expr, false);
            hir_type =
-                scc_hir_module_get_value(&ctx->builder.cprog->module, dummy)
+                scc_hir_module_get_value(scc_ast2ir_mir_module(ctx), dummy)
                    ->type;
        } else {
            scc_ap_t val;
@@ -951,8 +890,9 @@ scc_hir_value_ref_t scc_ast2ir_expr(scc_ast2ir_ctx_t *ctx,
        // 2. 计算大小
        const scc_hir_type_t *type =
-            scc_hir_module_get_type(&ctx->builder.cprog->module, hir_type);
+            scc_hir_module_get_type(scc_ast2ir_mir_module(ctx), hir_type);
-        usize dst_size = scc_hir_type_size(ctx, type);
+        usize dst_size =
            scc_hir_module_type_size(scc_ast2ir_mir_module(ctx), type);
        scc_ap_t val;
        val.data.digit = dst_size;
@@ -971,7 +911,7 @@ scc_hir_value_ref_t scc_ast2ir_expr(scc_ast2ir_ctx_t *ctx,
        scc_ast_qual_type_t *ast_type = expr->compound.base->lvalue.type;
        scc_hir_type_ref_t type_ref = scc_ast2ir_type(ctx, ast_type);
        const scc_hir_type_t *type =
-            scc_hir_module_get_type(&ctx->builder.cprog->module, type_ref);
+            scc_hir_module_get_type(scc_ast2ir_mir_module(ctx), type_ref);
        // 2. 分配栈上临时存储
        scc_hir_value_ref_t storage =
@@ -1073,10 +1013,10 @@ scc_hir_value_ref_t scc_ast2ir_expr(scc_ast2ir_ctx_t *ctx,
        } else {
            // 右值：如果是数组类型，退化为指针（返回地址）
            scc_hir_type_t *ir_type = scc_hir_module_get_type_by_value(
-                &ctx->builder.cprog->module, in);
+                scc_ast2ir_mir_module(ctx), in);
            if (ir_type->tag == SCC_HIR_TYPE_PTR) {
                scc_hir_type_t *target_type = scc_hir_module_get_type(
-                    &ctx->builder.cprog->module, ir_type->data.pointer.base);
+                    scc_ast2ir_mir_module(ctx), ir_type->data.pointer.base);
                if (target_type->tag == SCC_HIR_TYPE_ARRAY) {
                    // 生成 getptr 获取数组首地址
                    return scc_hir_builder_get_elem_ptr(&ctx->builder, in,
@@ -1344,8 +1284,7 @@ void scc_ast2ir_decl(scc_ast2ir_ctx_t *ctx, const scc_ast_decl_t *decl,
        const scc_hir_type_t *orig_type;
        SCC_HIR_BUILDER_BEGIN_BORROW(
            &ctx->builder, orig_type,
-            scc_hir_module_get_type(&ctx->builder.cprog->module,
+            scc_hir_module_get_type(scc_ast2ir_mir_module(ctx), orig_type_ref));
                                    orig_type_ref));
        scc_hir_type_t final_type_desc = *orig_type;
        SCC_HIR_BUILDER_END_BORROW(&ctx->builder);
@@ -1384,7 +1323,7 @@ void scc_ast2ir_decl(scc_ast2ir_ctx_t *ctx, const scc_ast_decl_t *decl,
            const scc_hir_type_t *final_type;
            SCC_HIR_BUILDER_BEGIN_BORROW(
                &ctx->builder, final_type,
-                scc_hir_module_get_type(&ctx->builder.cprog->module,
+                scc_hir_module_get_type(scc_ast2ir_mir_module(ctx),
                                        final_type_ref));
            scc_hir_type_t type = *final_type;
            SCC_HIR_BUILDER_END_BORROW(&ctx->builder);
--- a/libs/ir/hir/include/scc_hir_builder.h
+++ b/libs/ir/hir/include/scc_hir_builder.h
@@ -131,6 +131,7 @@ scc_hir_value_ref_t scc_hir_builder_builtin_memcpy(scc_hir_builder_t *builder,
 static inline scc_hir_value_ref_t
 scc_hir_builder_integer(scc_hir_builder_t *builder, scc_hir_type_ref_t type,
                        scc_ap_t *val) {
    Assert(builder != nullptr && val != nullptr);
    scc_hir_value_t value;
    scc_hir_value_init(&value, nullptr, SCC_HIR_VALUE_TAG_INTEGER);
    // FIXME assign
--- a/libs/ir/hir/include/scc_hir_module.h
+++ b/libs/ir/hir/include/scc_hir_module.h
@@ -38,6 +38,7 @@ scc_hir_bblock_t *scc_hir_module_get_bblock(scc_hir_module_t *ctx,
                                            scc_hir_bblock_ref_t ref);
 scc_hir_func_t *scc_hir_module_get_func(scc_hir_module_t *ctx,
                                        scc_hir_func_ref_t ref);
 usize scc_hir_module_type_size(scc_hir_module_t *ctx, scc_hir_type_t *type);
 static inline scc_hir_type_t *
 scc_hir_module_get_type_by_value(scc_hir_module_t *ctx,
--- a/libs/ir/hir/src/scc_hir_builder.c
+++ b/libs/ir/hir/src/scc_hir_builder.c
@@ -287,14 +287,8 @@ scc_hir_value_ref_t scc_hir_builder_const_string(scc_hir_builder_t *builder,
        scc_hir_builder_global_alloca(builder, array_type_ref, const_array_ref);
    // scc_hashtable_insert(builder);
-    scc_hir_value_ref_t pointer_to_global_value = scc_hir_module_add_value(
+    scc_hir_value_ref_t pointer_to_global_value = scc_hir_builder_get_elem_ptr(
-        GET_MODULE(builder),
+        builder, global_value_ref, SCC_HIR_VALUE_TAG_NULLPTR);
        &(scc_hir_value_t){
            .tag = SCC_HIR_VALUE_TAG_GET_ELEM_PTR,
            .data.get_elem_ptr.src_addr = global_value_ref,
            .data.get_elem_ptr.index = SCC_HIR_VALUE_TAG_NULLPTR,
        });
    scc_hir_builder_add_instr(builder, pointer_to_global_value);
    return pointer_to_global_value;
 }
@@ -406,12 +400,18 @@ scc_hir_value_ref_t scc_hir_builder_global_alloca(scc_hir_builder_t *builder,
                                                  scc_hir_type_ref_t type,
                                                  scc_hir_value_ref_t value) {
    SCC_HIR_BUILDER_CHECK_NO_BORROW(builder);
    // 全局变量的实际类型是指向 type 的指针
    scc_hir_type_t ptr_type = {.tag = SCC_HIR_TYPE_PTR,
                               .data.pointer.base = type};
    scc_hir_type_ref_t ptr_type_ref = scc_hir_builder_type(builder, &ptr_type);
    // FIXME
    char *name = scc_malloc(32);
    scc_hir_value_ref_t global_value_ref = scc_hir_module_add_value(
        GET_MODULE(builder), &(scc_hir_value_t){
                                 .name = name,
                                 .tag = SCC_HIR_VALUE_TAG_GLOBAL_ALLOC,
-                                 .type = type,
+                                 .type = ptr_type_ref, // 类型是指针
                                 .data.global_alloc.value = value,
                             });
    scc_snprintf(name, 32, "$G%u", global_value_ref);
@@ -506,6 +506,12 @@ scc_hir_value_ref_t scc_hir_builder_get_elem_ptr(scc_hir_builder_t *builder,
    scc_hir_value_t get_ptr_node = {0};
    get_ptr_node.tag = SCC_HIR_VALUE_TAG_GET_ELEM_PTR;
    get_ptr_node.data.get_elem_ptr.src_addr = target;
    if (index == SCC_HIR_REF_nullptr) {
        scc_ap_t ap = {.capacity = -1, .len = 0, .data.digit = 0};
        index = scc_hir_builder_integer(builder,
                                        scc_hir_builder_type_u8(builder), &ap);
    }
    Assert(target != SCC_HIR_REF_nullptr && index != SCC_HIR_REF_nullptr);
    get_ptr_node.data.get_elem_ptr.index = index;
    // 借用类型信息
--- a/libs/ir/hir/src/scc_hir_module.c
+++ b/libs/ir/hir/src/scc_hir_module.c
@@ -126,3 +126,46 @@ scc_hir_func_t *scc_hir_module_get_func(scc_hir_module_t *ctx,
                                        scc_hir_func_ref_t ref) {
    return scc_cfg_module_unsafe_get_func(&ctx->cfg_module, ref);
 }
 usize scc_hir_module_type_size(scc_hir_module_t *ctx, scc_hir_type_t *type) {
    Assert(type != nullptr);
    switch (type->tag) {
    case SCC_HIR_TYPE_unknown:
    case SCC_HIR_TYPE_void:
        return 0;
    case SCC_HIR_TYPE_i8:
    case SCC_HIR_TYPE_u8:
        return 1;
    case SCC_HIR_TYPE_i16:
    case SCC_HIR_TYPE_u16:
        return 2;
    case SCC_HIR_TYPE_f32:
    case SCC_HIR_TYPE_i32:
    case SCC_HIR_TYPE_u32:
        return 4;
    case SCC_HIR_TYPE_f64:
    case SCC_HIR_TYPE_i64:
    case SCC_HIR_TYPE_u64:
        return 8;
    case SCC_HIR_TYPE_FUNC:
    case SCC_HIR_TYPE_PTR: {
        // TODO
        // 目标指针大小，可以定义为 8（64位）或从 ABI 获取
        // 假设你的目标架构是 64 位
        return 8;
    }
    case SCC_HIR_TYPE_ARRAY: {
        usize elem_size = scc_hir_module_type_size(
            ctx, scc_hir_module_get_type(ctx, type->data.array.base));
        return elem_size * type->data.array.len;
    }
    case SCC_HIR_TYPE_STRUCT:
    case SCC_HIR_TYPE_UNION:
        // 暂时无法计算，保守返回 0 或报错
        LOG_ERROR("Cannot compute size of struct/union without layout info");
        return 0;
    default:
        LOG_ERROR("Unknown type tag %d", type->tag);
        return 0;
    }
 }
--- a/libs/ir/lir/include/scc_lir.h
+++ b/libs/ir/lir/include/scc_lir.h
@@ -41,17 +41,6 @@ typedef enum {
    SCC_LIR_INSTR_KIND_MEM,    // 复杂地址表达式 (base + index*scale + offset)
 } scc_lir_instr_kind_t;
 /**
 * @brief 复杂地址表达式
 * base + index * scale + offset
 */
 typedef struct scc_lir_addr {
    int base;   // 基址寄存器，-1 表示无
    int index;  // 索引寄存器，-1 表示无
    int scale;  // 比例因子 (1, 2, 4, 8)
    i64 offset; // 常量偏移
 } scc_lir_addr_t;
 typedef struct scc_lir_instr {
    scc_lir_instr_kind_t kind;
    union {
@@ -60,7 +49,6 @@ typedef struct scc_lir_instr {
        scc_ap_t imm;       // 整型立即数
        f64 fimm;           // 浮点立即数
        const char *symbol; // 符号名 (生命周期由前端管理)
        scc_lir_addr_t addr; // 复杂地址
    } data;
 } scc_lir_val_t;
@@ -74,8 +62,6 @@ typedef struct scc_lir_instr {
    ((scc_lir_val_t){.kind = SCC_LIR_INSTR_KIND_FIMM, .data.fimm = (v)})
 #define SCC_LIR_SYMBOL(s)                                                      \
    ((scc_lir_val_t){.kind = SCC_LIR_INSTR_KIND_SYMBOL, .data.symbol = (s)})
 #define SCC_LIR_ADDR(b, i, s, o)                                               \
    ((scc_lir_val_t){.kind = SCC_LIR_INSTR_KIND_MEM, .data.addr = {b, i, s, o}})
 #define SCC_LIR_ARG(n)                                                         \
    ((scc_lir_val_t){.kind = SCC_LIR_INSTR_KIND_ARG, .data.arg = (n)})
@@ -97,7 +83,6 @@ typedef enum {
    SCC_LIR_LOAD,
    SCC_LIR_LOAD_ADDR,
    SCC_LIR_STORE,
    SCC_LIR_STORE_ADDR,
    /* 整数算术 */
    SCC_LIR_ADD,
@@ -143,6 +128,9 @@ typedef enum {
    SCC_LIR_VA_ARG,
    SCC_LIR_VA_END,
    SCC_LIR_VA_COPY,
    /* 内置方法 */
    SCC_LIR_MEMCPY,
    SCC_LIR_MEMSET,
    /* 栈管理 */
    SCC_LIR_ALLOCA,
@@ -183,6 +171,12 @@ typedef struct scc_lir_ins {
    union {
        scc_lir_cond_t cond;
        // base + index * scale + offset
        struct scc_lir_addr {
            int scale;  // 比例因子 (1, 2, 4, 8)
            i64 offset; // 常量偏移
        } addr;
        struct scc_lir_br {
            scc_lir_bblock_id_t true_target;
            scc_lir_bblock_id_t false_target;
@@ -240,6 +234,18 @@ typedef struct scc_lir_ins {
            scc_lir_val_t dest;
            scc_lir_val_t src;
        } va_copy;
        struct {
            scc_lir_val_t dest;
            scc_lir_val_t src;
            scc_lir_val_t size;
        } memcpy;
        struct {
            scc_lir_val_t dest;
            scc_lir_val_t value;
            scc_lir_val_t size;
        } memset;
    } metadata;
 } scc_lir_instr_t;
@@ -259,8 +265,7 @@ typedef struct scc_lir_func_meta {
 typedef scc_cfg_symbol_id_t scc_lir_symbol_id_t;
 typedef scc_cfg_symbol_t scc_lir_symbol_t;
-typedef struct scc_lir_symbol_meta {
+typedef union scc_lir_symbol_meta {
    union {
    struct {
        scc_lir_func_t *func; // 指向函数体（若为定义）
    } func;
@@ -269,7 +274,6 @@ typedef struct scc_lir_symbol_meta {
        usize size;    // 数据大小（字节）
        int align;     // 对齐要求
    } data;
    };
 } scc_lir_symbol_meta_t;
 #define SCC_LIR_SYMBOL_META(symbol) ((scc_lir_symbol_meta_t *)(symbol)->meta)
--- a/libs/ir/lir/src/scc_hir2lir.c
+++ b/libs/ir/lir/src/scc_hir2lir.c
@@ -79,6 +79,7 @@ static void ir_type_to_lir_size_ext(scc_hir_type_t *type, u8 *out_size,
        *out_size = SCC_LIR_SIZE_64;
        *out_ext = SCC_LIR_EXT_FLOAT;
        break;
    case SCC_HIR_TYPE_ARRAY:
    case SCC_HIR_TYPE_PTR:
        *out_size = SCC_LIR_SIZE_64;
        *out_ext = SCC_LIR_EXT_NONE;
@@ -126,9 +127,7 @@ static scc_lir_val_t ir_value_to_lir_operand(ir2lir_ctx_t *ctx,
    }
    case SCC_HIR_VALUE_TAG_GLOBAL_ALLOC: {
        // 全局变量地址作为符号
-        scc_hir_value_t *global_val = scc_hir_module_get_value(
+        return SCC_LIR_SYMBOL(val->name);
            ctx->hir_module, val->data.global_alloc.value);
        return SCC_LIR_SYMBOL(global_val->name);
    }
    case SCC_HIR_VALUE_TAG_FUNC_ARG_REF: {
        // 函数参数：预先已分配 vreg
@@ -240,6 +239,24 @@ static scc_lir_op_t map_binop(scc_hir_op_type_t op, cbool is_float) {
    return SCC_LIR_NOP;
 }
 // 确保操作数是一个虚拟寄存器，如果不是则生成 MOV 并返回新 VREG 编号
 static int ensure_vreg(ir2lir_ctx_t *ctx, scc_lir_val_t *val) {
    if (val->kind == SCC_LIR_INSTR_KIND_VREG) {
        return val->data.reg;
    }
    // 分配新的虚拟寄存器
    int new_vreg = ++(SCC_LIR_FUNC_META(ctx->current_func)->vregs_count);
    scc_lir_instr_t mov = {.op = SCC_LIR_MOV,
                           .size = SCC_LIR_SIZE_64, // 地址宽度
                           .to = SCC_LIR_VREG(new_vreg),
                           .arg0 = *val};
    scc_lir_builder_add_instr(ctx, &mov);
    // 将原操作数替换为 VREG，避免重复转换
    val->kind = SCC_LIR_INSTR_KIND_VREG;
    val->data.reg = new_vreg;
    return new_vreg;
 }
 static void translate_hir_value(ir2lir_ctx_t *ctx, scc_hir_value_t *value,
                                scc_hir_value_ref_t value_ref) {
    // 防止重复翻译
@@ -254,8 +271,7 @@ static void translate_hir_value(ir2lir_ctx_t *ctx, scc_hir_value_t *value,
    }
    bool is_float = (ext == SCC_LIR_EXT_FLOAT);
-    // 为当前指令分配目标虚拟寄存器
+    int dst_vreg = get_vreg_for_value(ctx, value_ref);
    unsigned int dst_vreg = get_vreg_for_value(ctx, value_ref);
    switch (value->tag) {
    case SCC_HIR_VALUE_TAG_OP: {
@@ -291,70 +307,60 @@ static void translate_hir_value(ir2lir_ctx_t *ctx, scc_hir_value_t *value,
            ir_value_to_lir_operand(ctx, value->data.store.value);
        scc_lir_val_t addr =
            ir_value_to_lir_operand(ctx, value->data.store.target);
-        scc_lir_instr_t instr = {
+        ty = scc_hir_module_get_type_by_value(ctx->hir_module,
-            .op = SCC_LIR_STORE, .size = size, .arg0 = data, .arg1 = addr};
+                                              value->data.store.value);
        ir_type_to_lir_size_ext(ty, &size, &ext);
        scc_lir_instr_t instr = {.op = SCC_LIR_STORE,
                                 .ext = ext,
                                 .size = size,
                                 .arg0 = data,
                                 .arg1 = addr};
        scc_lir_builder_add_instr(ctx, &instr);
    } break;
    case SCC_HIR_VALUE_TAG_GET_ELEM_PTR: {
-        // 将指针运算转换为 LEA
+        // 1. 获取基址和索引的 LIR 操作数
        scc_lir_val_t base =
            ir_value_to_lir_operand(ctx, value->data.get_elem_ptr.src_addr);
-        scc_lir_val_t index = SCC_LIR_IMM(0);
+        scc_lir_val_t index =
        if (value->data.get_elem_ptr.index)
            ir_value_to_lir_operand(ctx, value->data.get_elem_ptr.index);
-        // 计算元素大小
+        // 2. 获取元素类型和大小
-        scc_hir_type_t *ptr_ty = scc_hir_module_get_type_by_value(
+        scc_hir_type_t *ptr_type =
-            ctx->hir_module, value->data.get_elem_ptr.src_addr);
+            scc_hir_module_get_type(ctx->hir_module, value->type);
-        scc_hir_type_t *elem_ty = nullptr;
+        scc_hir_type_t *pointee = NULL;
-        if (ptr_ty->tag == SCC_HIR_TYPE_PTR) {
+        if (ptr_type->tag == SCC_HIR_TYPE_PTR) {
-            elem_ty = scc_hir_module_get_type(ctx->hir_module,
+            pointee = scc_hir_module_get_type(ctx->hir_module,
-                                              ptr_ty->data.pointer.base);
+                                              ptr_type->data.pointer.base);
-        } else if (ptr_ty->tag == SCC_HIR_TYPE_ARRAY) {
+        } else if (ptr_type->tag == SCC_HIR_TYPE_ARRAY) {
-            elem_ty = scc_hir_module_get_type(ctx->hir_module,
+            // 数组名退化为指针，元素类型为数组的元素类型
-                                              ptr_ty->data.array.base);
+            pointee = scc_hir_module_get_type(ctx->hir_module,
                                              ptr_type->data.array.base);
        } else {
            Panic("GET_ELEM_PTR on non-pointer/array type");
        }
-        Assert(elem_ty != nullptr);
+        int elem_size = scc_hir_module_type_size(ctx->hir_module, pointee);
        int elem_size = 0;
        // 简化：仅处理基本类型
        if (elem_ty->tag == SCC_HIR_TYPE_i32 ||
            elem_ty->tag == SCC_HIR_TYPE_u32)
            elem_size = 4;
        else if (elem_ty->tag == SCC_HIR_TYPE_i64 ||
                 elem_ty->tag == SCC_HIR_TYPE_u64)
            elem_size = 8;
        else if (elem_ty->tag == SCC_HIR_TYPE_i8 ||
                 elem_ty->tag == SCC_HIR_TYPE_u8)
            elem_size = 1;
        else if (elem_ty->tag == SCC_HIR_TYPE_ARRAY)
            elem_size = 8; // FIXME ptr size
        else
            Panic("unsupported element type for getelemptr");
-        // 构造地址表达式：base + index * elem_size
+        int dst_vreg = get_vreg_for_value(ctx, value_ref);
-        scc_lir_val_t addr =
+        scc_lir_instr_t instr = {
-            SCC_LIR_ADDR(dst_vreg, -1, index.data.reg, elem_size);
+            .op = SCC_LIR_LOAD_ADDR,
        // 更简单的做法：使用 LEA 指令，参数为 base 和 index，由后端展开
        scc_lir_instr_t instr = {.op = SCC_LIR_LOAD_ADDR,
            .size = SCC_LIR_SIZE_64,
            .to = SCC_LIR_VREG(dst_vreg),
            .arg0 = base,
-                                 .arg1 = index};
+            .arg1 = index,
-        // 实际需要将 index * elem_size 的信息编码，这里简化，假设后端处理
+            .metadata.addr.scale = elem_size,
            .metadata.addr.offset = 0,
        };
        scc_lir_builder_add_instr(ctx, &instr);
    } break;
    case SCC_HIR_VALUE_TAG_ALLOC: {
-        // alloca 指令：分配栈空间
+        Assert(ty != nullptr);
        scc_hir_type_t *alloc_ty =
            scc_hir_module_get_type(ctx->hir_module, ty->data.pointer.base);
-        // 计算大小和对齐（简化）
+        int alloc_size = scc_hir_module_type_size(ctx->hir_module, alloc_ty);
        int alloc_size = 8; // 默认
        if (alloc_ty->tag == SCC_HIR_TYPE_i32)
            alloc_size = 4;
        scc_lir_instr_t instr = {.op = SCC_LIR_ALLOCA,
-                                 .size = SCC_LIR_SIZE_64,
+                                 .size = alloc_size,
                                 .to = SCC_LIR_VREG(dst_vreg),
-                                 .metadata.alloca = {alloc_size, alloc_size}};
+                                 .metadata.alloca = {alloc_size, 1}};
        scc_lir_builder_add_instr(ctx, &instr);
    } break;
    case SCC_HIR_VALUE_TAG_CALL: {
@@ -426,8 +432,90 @@ static void translate_hir_value(ir2lir_ctx_t *ctx, scc_hir_value_t *value,
                                 .arg0 = src};
        scc_lir_builder_add_instr(ctx, &instr);
    } break;
    case SCC_HIR_VALUE_TAG_BUILTIN: {
        scc_hir_builtin_t *b = &value->data.builtin;
        switch (b->tag) {
        case SCC_HIR_BUILTIN_TAG_MEMCPY: {
            scc_lir_val_t dest =
                ir_value_to_lir_operand(ctx, b->func.memcpy.dest);
            scc_lir_val_t src =
                ir_value_to_lir_operand(ctx, b->func.memcpy.src);
            scc_lir_val_t len =
                ir_value_to_lir_operand(ctx, b->func.memcpy.size);
            scc_lir_instr_t instr = {.op = SCC_LIR_MEMCPY,
                                     .metadata.memcpy = {dest, src, len}};
            scc_lir_builder_add_instr(ctx, &instr);
            break;
        }
        case SCC_HIR_BUILTIN_TAG_MEMSET: {
            scc_lir_val_t dest =
                ir_value_to_lir_operand(ctx, b->func.memset.dest);
            scc_lir_val_t val =
                ir_value_to_lir_operand(ctx, b->func.memset.value);
            scc_lir_val_t len =
                ir_value_to_lir_operand(ctx, b->func.memset.size);
            scc_lir_instr_t instr = {.op = SCC_LIR_MEMSET,
                                     .metadata.memset = {dest, val, len}};
            scc_lir_builder_add_instr(ctx, &instr);
            break;
        }
        case SCC_HIR_BUILTIN_TAG_VA_START: {
            scc_lir_val_t ap =
                ir_value_to_lir_operand(ctx, b->func.va_start.ap);
            scc_lir_val_t last =
                ir_value_to_lir_operand(ctx, b->func.va_start.last);
            scc_lir_instr_t instr = {.op = SCC_LIR_VA_START,
                                     .metadata.va_start = {ap, last}};
            scc_lir_builder_add_instr(ctx, &instr);
            break;
        }
        case SCC_HIR_BUILTIN_TAG_VA_ARG: {
            // 需要从类型中获取大小和对齐以及是否为浮点
            scc_hir_type_t *ty =
                scc_hir_module_get_type(ctx->hir_module, b->func.va_arg.type);
            u8 size = 0;
            scc_lir_ext_t ext = SCC_LIR_EXT_NONE;
            ir_type_to_lir_size_ext(ty, &size, &ext);
            bool is_float = (ext == SCC_LIR_EXT_FLOAT);
            scc_lir_val_t ap = ir_value_to_lir_operand(ctx, b->func.va_arg.ap);
            scc_lir_instr_t instr = {
                .op = SCC_LIR_VA_ARG,
                .to = SCC_LIR_VREG(dst_vreg),
                .metadata.va_arg = {.ap = ap,
                                    .type_size = size,
                                    .type_align =
                                        size, // 简化，实际应查询 ABI 对齐
                                    .is_float = is_float,
                                    .to = SCC_LIR_VREG(dst_vreg)}};
            scc_lir_builder_add_instr(ctx, &instr);
            break;
        }
        case SCC_HIR_BUILTIN_TAG_VA_END: {
            scc_lir_val_t ap = ir_value_to_lir_operand(ctx, b->func.va_end.ap);
            scc_lir_instr_t instr = {.op = SCC_LIR_VA_END,
                                     .metadata.va_end = {ap}};
            scc_lir_builder_add_instr(ctx, &instr);
            break;
        }
        case SCC_HIR_BUILTIN_TAG_VA_COPY: {
            scc_lir_val_t dest =
                ir_value_to_lir_operand(ctx, b->func.va_copy.dest);
            scc_lir_val_t src =
                ir_value_to_lir_operand(ctx, b->func.va_copy.src);
            scc_lir_instr_t instr = {.op = SCC_LIR_VA_COPY,
                                     .metadata.va_copy = {dest, src}};
            scc_lir_builder_add_instr(ctx, &instr);
            break;
        }
        default:
-        // 不生成指令的节点（如 CONST_INT, FUNC_ARG_REF）不会调用本函数
+            TODO();
        }
    } break;
    case SCC_HIR_VALUE_TAG_FUNC_ARG_REF:
    case SCC_HIR_VALUE_TAG_BLOCK_ARG_REF:
        break;
    default:
        Panic("unsupported opcode %d", value->tag);
        break;
    }
 }
--- a/libs/ir/lir/src/scc_lir_dump.c
+++ b/libs/ir/lir/src/scc_lir_dump.c
@@ -16,8 +16,8 @@ static const char *op_to_string(scc_lir_op_t op) {
        return "load.addr";
    case SCC_LIR_STORE:
        return "store";
-    case SCC_LIR_STORE_ADDR:
+    // case SCC_LIR_STORE_ADDR:
-        return "store.addr";
+    //     return "store.addr";
    case SCC_LIR_ADD:
        return "add";
    case SCC_LIR_SUB:
@@ -86,6 +86,11 @@ static const char *op_to_string(scc_lir_op_t op) {
        return "va_copy";
    case SCC_LIR_ALLOCA:
        return "alloca";
    case SCC_LIR_MEMCPY:
        return "memcpy";
    case SCC_LIR_MEMSET:
        return "memset";
    case SCC_LIR_NOP:
        return "nop";
    default:
@@ -160,29 +165,6 @@ static void dump_operand(scc_lir_dump_ctx_t *ctx, const scc_lir_val_t *op) {
        scc_tree_dump_append_fmt(td, "@%s",
                                 op->data.symbol ? op->data.symbol : "<null>");
        break;
    case SCC_LIR_INSTR_KIND_MEM: {
        const scc_lir_addr_t *addr = &op->data.addr;
        scc_tree_dump_append(td, "[");
        if (addr->base != -1) {
            scc_tree_dump_append_fmt(td, "%%%d", addr->base);
        }
        if (addr->index != -1) {
            scc_tree_dump_append_fmt(td, " + %%%d * %d", addr->index,
                                     addr->scale);
        }
        if (addr->offset != 0) {
            if (addr->offset > 0)
                scc_tree_dump_append_fmt(td, " + %lld",
                                         (long long)addr->offset);
            else
                scc_tree_dump_append_fmt(td, " - %lld",
                                         -(long long)addr->offset);
        }
        if (addr->base == -1 && addr->index == -1 && addr->offset == 0)
            scc_tree_dump_append(td, "0");
        scc_tree_dump_append(td, "]");
        break;
    }
    default:
        scc_tree_dump_append(td, "<?>");
    }
@@ -199,6 +181,8 @@ static void dump_size_ext(scc_lir_dump_ctx_t *ctx, u8 size, scc_lir_ext_t ext) {
        size_str = "32";
    else if (size == SCC_LIR_SIZE_64)
        size_str = "64";
    else
        size_str = "sz(?)";
    const char *ext_str = "";
    if (ext == SCC_LIR_EXT_SEXT)
@@ -229,31 +213,40 @@ void scc_lir_dump_ins(scc_lir_dump_ctx_t *ctx, const scc_lir_instr_t *ins) {
    switch (ins->op) {
    case SCC_LIR_MOV:
    case SCC_LIR_LOAD:
    case SCC_LIR_LOAD_ADDR:
        dump_operand(ctx, &ins->to);
        scc_tree_dump_append(td, " <- ");
        dump_operand(ctx, &ins->arg0);
        break;
    case SCC_LIR_LOAD_ADDR:
        // base + index * scale + offset
        dump_operand(ctx, &ins->to);
        scc_tree_dump_append(td, " <- (");
        dump_operand(ctx, &ins->arg0); // base
        scc_tree_dump_append(td, " + ");
        dump_operand(ctx, &ins->arg1); // index
        scc_tree_dump_append_fmt(td, " * %d + %lld)", ins->metadata.addr.scale,
                                 ins->metadata.addr.offset);
        break;
    case SCC_LIR_NEG:
    case SCC_LIR_NOT:
    case SCC_LIR_FNEG:
    case SCC_LIR_FCVT:
    case SCC_LIR_ALLOCA:
        dump_operand(ctx, &ins->to);
        if (ins->op != SCC_LIR_ALLOCA) {
        scc_tree_dump_append(td, ", ");
        dump_operand(ctx, &ins->arg0);
            // alloca 额外信息在 metadata 中，但通常只关注 to
        }
        break;
-
+    case SCC_LIR_ALLOCA:
        scc_tree_dump_append_fmt(td, "(sz=%zd,al=%zd) => ",
                                 ins->metadata.alloca.size_bytes,
                                 ins->metadata.alloca.align_bytes);
        dump_operand(ctx, &ins->to);
        break;
    // case SCC_LIR_STORE_ADDR:
    case SCC_LIR_STORE:
    case SCC_LIR_STORE_ADDR:
        dump_operand(ctx, &ins->arg0);
        scc_tree_dump_append(td, " -> ");
        dump_operand(ctx, &ins->arg1);
        break;
    case SCC_LIR_ADD:
    case SCC_LIR_SUB:
    case SCC_LIR_MUL:
@@ -277,7 +270,6 @@ void scc_lir_dump_ins(scc_lir_dump_ctx_t *ctx, const scc_lir_instr_t *ins) {
        scc_tree_dump_append(td, ", ");
        dump_operand(ctx, &ins->arg1);
        break;
    case SCC_LIR_CMP:
        dump_operand(ctx, &ins->to);
        scc_tree_dump_append_fmt(td, ", %s, ",
@@ -286,22 +278,18 @@ void scc_lir_dump_ins(scc_lir_dump_ctx_t *ctx, const scc_lir_instr_t *ins) {
        scc_tree_dump_append(td, ", ");
        dump_operand(ctx, &ins->arg1);
        break;
    case SCC_LIR_BR:
        dump_operand(ctx, &ins->arg0);
        scc_tree_dump_append_fmt(td, ", BB#%zu, BB#%zu",
                                 ins->metadata.br.true_target,
                                 ins->metadata.br.false_target);
        break;
    case SCC_LIR_JMP:
        scc_tree_dump_append_fmt(td, "#BB%d", ins->metadata.jmp_target);
        break;
    case SCC_LIR_JMP_INDIRECT:
        dump_operand(ctx, &ins->arg0);
        break;
    case SCC_LIR_CALL: {
        const struct scc_lir_call *c = &ins->metadata.call;
        if (c->ret_vreg.kind != SCC_LIR_INSTR_KIND_NONE) {
@@ -317,9 +305,7 @@ void scc_lir_dump_ins(scc_lir_dump_ctx_t *ctx, const scc_lir_instr_t *ins) {
        }
        scc_tree_dump_append_fmt(td, ") clobber=0x%llx",
                                 (unsigned long long)c->clobber_mask);
-        break;
+    } break;
    }
    case SCC_LIR_CALL_INDIRECT: {
        const struct scc_lir_call_indirect *c = &ins->metadata.call_indirect;
        if (c->ret_vreg.kind != SCC_LIR_INSTR_KIND_NONE) {
@@ -336,15 +322,12 @@ void scc_lir_dump_ins(scc_lir_dump_ctx_t *ctx, const scc_lir_instr_t *ins) {
        }
        scc_tree_dump_append_fmt(td, ") clobber=0x%llx",
                                 (unsigned long long)c->clobber_mask);
-        break;
+    } break;
    }
    case SCC_LIR_RET:
        if (ins->metadata.ret_val.kind != SCC_LIR_INSTR_KIND_NONE) {
            dump_operand(ctx, &ins->metadata.ret_val);
        }
        break;
    case SCC_LIR_PARALLEL_COPY: {
        const struct scc_lir_parallel_copy *pc = &ins->metadata.parallel_copy;
        scc_tree_dump_append(td, "[");
@@ -358,13 +341,11 @@ void scc_lir_dump_ins(scc_lir_dump_ctx_t *ctx, const scc_lir_instr_t *ins) {
        scc_tree_dump_append(td, "]");
        break;
    }
    case SCC_LIR_VA_START:
        dump_operand(ctx, &ins->metadata.va_start.ap);
        scc_tree_dump_append(td, ", ");
        dump_operand(ctx, &ins->metadata.va_start.last);
        break;
    case SCC_LIR_VA_ARG:
        dump_operand(ctx, &ins->metadata.va_arg.to);
        scc_tree_dump_append(td, " = va_arg ");
@@ -373,17 +354,28 @@ void scc_lir_dump_ins(scc_lir_dump_ctx_t *ctx, const scc_lir_instr_t *ins) {
            td, ", size=%u, align=%u, float=%d", ins->metadata.va_arg.type_size,
            ins->metadata.va_arg.type_align, ins->metadata.va_arg.is_float);
        break;
    case SCC_LIR_VA_END:
        dump_operand(ctx, &ins->metadata.va_end.ap);
        break;
    case SCC_LIR_VA_COPY:
        dump_operand(ctx, &ins->metadata.va_copy.dest);
        scc_tree_dump_append(td, ", ");
        dump_operand(ctx, &ins->metadata.va_copy.src);
        break;
-
+    case SCC_LIR_MEMCPY:
        dump_operand(ctx, &ins->metadata.memcpy.dest);
        scc_tree_dump_append(td, ", ");
        dump_operand(ctx, &ins->metadata.memcpy.src);
        scc_tree_dump_append(td, ", ");
        dump_operand(ctx, &ins->metadata.memcpy.size);
        break;
    case SCC_LIR_MEMSET:
        dump_operand(ctx, &ins->metadata.memset.dest);
        scc_tree_dump_append(td, ", ");
        dump_operand(ctx, &ins->metadata.memset.value);
        scc_tree_dump_append(td, ", ");
        dump_operand(ctx, &ins->metadata.memset.size);
        break;
    case SCC_LIR_NOP:
        break;
    }
@@ -451,7 +443,12 @@ void scc_lir_dump_module(scc_lir_dump_ctx_t *ctx) {
            &scc_vec_at(ctx->lir_module->cfg_module.symbols, i);
        scc_tree_dump_begin_line(ctx->dump_ctx);
        scc_tree_dump_node(ctx->dump_ctx, "symbol");
        scc_lir_symbol_meta_t *meta = SCC_LIR_SYMBOL_META(sym);
        scc_tree_dump_append_fmt(ctx->dump_ctx, " %s", sym->name);
        if (sym->kind == SCC_CFG_SYMBOL_KIND_DATA) {
            scc_tree_dump_append_fmt(ctx->dump_ctx, "(size=%zu)",
                                     meta->data.size);
        }
    }
    scc_vec_foreach(ctx->lir_module->cfg_module.funcs, i) {
        if (i == 0)
--- a/libs/ir/mir/include/arch/scc_x86_isel.h
+++ b/libs/ir/mir/include/arch/scc_x86_isel.h
@@ -19,7 +19,11 @@ void scc_isel_x86_64(scc_mir_module_t *mir_module,
                     scc_x86_64_isel_t *isel);
 // Utils
-void scc_x86_emit_move(scc_x86_64_isel_t *isel, scc_x86_operand_value_t dst,
+void scc_x86_emit_move(scc_x86_64_isel_t *isel, scc_x86_operand_value_t dst_reg,
                       scc_x86_operand_value_t src, u8 size);
 void scc_x86_emit_load(scc_x86_64_isel_t *isel, scc_x86_operand_value_t dst,
                       scc_x86_operand_value_t src, u8 size);
 void scc_x86_emit_store(scc_x86_64_isel_t *isel, scc_x86_operand_value_t dst,
                        scc_x86_operand_value_t src, u8 size);
 scc_x86_operand_value_t scc_x86_lir_val_to_mir_op(scc_x86_64_isel_t *isel,
                                                  const scc_lir_val_t *val);
@@ -52,16 +56,18 @@ static inline void emit_ret(scc_x86_64_isel_t *isel) {
        scc_vec_push((isel)->instrs, instr);                                   \
    } while (0)
-#define add_instr_1(isel, iform, arg1)                                         \
+#define add_instr_1(isel, iform, arg1, _size)                                  \
    do {                                                                       \
        scc_mir_x86_instr_t instr;                                             \
        (arg1).size = (_size);                                                 \
        scc_mir_x86_instr_1(&instr, (iform), (arg1), (isel)->pos);             \
        scc_vec_push((isel)->instrs, instr);                                   \
    } while (0)
-#define add_instr_2(isel, iform, arg1, arg2)                                   \
+#define add_instr_2(isel, iform, arg1, arg2, _size)                            \
    do {                                                                       \
        scc_mir_x86_instr_t instr;                                             \
        (arg1).size = (_size);                                                 \
        scc_mir_x86_instr_2(&instr, (iform), (arg1), (arg2), (isel)->pos);     \
        scc_vec_push((isel)->instrs, instr);                                   \
    } while (0)
--- a/libs/ir/mir/include/arch/scc_x86_mir.h
+++ b/libs/ir/mir/include/arch/scc_x86_mir.h
@@ -9,8 +9,11 @@
 #include <x86/scc_x86_reg.h>
 typedef struct {
    union {
        int opcode;
-    uint8_t num_operands;
+        scc_x86_iform_t iform;
    };
    u8 num_operands;
    scc_x86_operand_value_t operands[6];
    scc_pos_t src_loc;
 } scc_x86_instr_t;
@@ -29,13 +32,17 @@ typedef SCC_VEC(scc_mir_x86_instr_t) scc_mir_x86_instr_vec_t;
 #define SCC_MIR_X86_BBLOCK_INSTRS_C(bb)                                        \
    ((const scc_mir_x86_instr_vec_t *)&bb->values)
-// ── vreg 编码 ──────────────────────────────────────────────────────────
+static inline cbool scc_x86_reg_is_vreg(scc_x86_reg_t reg) {
-static inline bool scc_x86_op_is_vreg(const scc_x86_operand_value_t *op) {
+    return reg >= SCC_X86_REG_COUNT;
-    return op->kind == SCC_X86_OPR_REG &&
+}
-           (int)op->reg >= (int)SCC_X86_REG_COUNT;
+static inline cbool scc_x86_op_is_vreg(const scc_x86_operand_value_t *op) {
    return op->kind == SCC_X86_OPR_REG && scc_x86_reg_is_vreg(op->reg);
 }
 static inline int scc_x86_reg_get_vreg(scc_x86_reg_t reg) {
    return (int)reg - (int)SCC_X86_REG_COUNT;
 }
 static inline int scc_x86_op_get_vreg(const scc_x86_operand_value_t *op) {
-    return (int)op->reg - (int)SCC_X86_REG_COUNT;
+    return scc_x86_reg_get_vreg(op->reg);
 }
 static inline void scc_x86_op_set_preg(scc_x86_operand_value_t *op,
                                       scc_x86_reg_t preg) {
@@ -53,6 +60,7 @@ static inline scc_x86_operand_value_t scc_x86_op_slot(int slot_id) {
    o.mem.disp.displacement_bits = 0;
    return o;
 }
 static inline bool scc_x86_op_is_slot(const scc_x86_operand_value_t *op) {
    return op->kind == SCC_X86_OPR_MEM && op->mem.base == SCC_X86_REG_INVALID;
 }
--- a/libs/ir/mir/include/core_pass/scc_reg_alloc.h
+++ b/libs/ir/mir/include/core_pass/scc_reg_alloc.h
@@ -9,6 +9,12 @@ typedef enum {
    SCC_REG_ALLOC_OP_ACCESS_READWRITE = 2,
 } scc_reg_op_access_t;
 typedef struct {
    const scc_mir_instr_t *instr;
    int op_idx;
    int op_sub_idx;
 } scc_reg_alloc_iter_t;
 // 后端回调表 —— 框架通过回调获取/修改指令，不感知具体布局
 typedef struct scc_reg_alloc_op {
    // ── 寄存器池 ──
@@ -18,25 +24,21 @@ typedef struct scc_reg_alloc_op {
    void (*clean_mark_regs)(void *ctx);
    // ── 指令信息 ──
-    int (*instr_opcode)(const void *instr);
+    scc_reg_alloc_iter_t iter;
-    int (*instr_num_operands)(const void *instr);
+    void (*alloc_iter_begin)(scc_reg_alloc_iter_t *iter);
-    bool (*op_is_vreg)(const void *instr, int idx);
+    cbool (*alloc_iter_next)(scc_reg_alloc_iter_t *iter, int *out_vreg,
-    int (*op_get_vreg)(const void *instr, int idx);
+                             int *out_size, scc_reg_op_access_t *out_access);
-    void (*op_set_preg)(void *instr, int idx, int preg);
+    void (*alloc_iter_replace_preg)(scc_reg_alloc_iter_t *iter, int preg);
-    void (*op_set_slot)(void *instr, int idx, int slot);
+    void (*alloc_iter_replace_slot)(scc_reg_alloc_iter_t *iter, int slot);
    void (*alloc_iter_end)(scc_reg_alloc_iter_t *iter);
    // 读写属性与隐式寄存器
    scc_reg_op_access_t (*get_operand_access)(void *ctx, int opcode,
                                              int op_idx);
    void (*get_implicit_regs)(void *ctx, int opcode, const int **out_uses,
                              const int **out_defs);
    // ── 伪指令处理 ──
    bool (*is_pseudo)(const void *instr);
    void (*handle_pseudo)(scc_mir_func_t *func, void *instr, void *out);
    // ── 溢出/重载（写入 out 向量） ──
-    void (*emit_spill)(void *out, int preg, int slot);
+    void (*emit_spill)(void *out, int preg, int slot, int size);
-    void (*emit_reload)(void *out, int preg, int slot);
+    void (*emit_reload)(void *out, int preg, int slot, int size);
    void (*emit_copy)(void *out, int dst_preg, int src_preg, int size);
 } scc_reg_alloc_op_t;
--- a/libs/ir/mir/include/scc_mir_module.h
+++ b/libs/ir/mir/include/scc_mir_module.h
@@ -5,10 +5,8 @@
 #include <scc_lir_module.h>
 typedef SCC_VEC(char) scc_mir_instr_vec_t;
-
+typedef scc_lir_symbol_meta_t scc_mir_symbol_meta_t;
-typedef struct {
+#define SCC_MIR_SYMBOL_META(symbol) ((scc_mir_symbol_meta_t *)(symbol)->meta)
 } scc_mir_symbol_t;
 typedef scc_lir_symbol_meta_vec_t scc_mir_symbol_meta_vec_t;
 typedef SCC_VEC(scc_mir_func_meta_t *) scc_mir_func_meta_vec_t;
--- a/libs/ir/mir/src/arch/scc_x86_isel.c
+++ b/libs/ir/mir/src/arch/scc_x86_isel.c
@@ -9,7 +9,16 @@ static const char *preg_name(int preg_id) {
    return scc_x86_reg_table[preg_id].display_str;
 }
-void scc_x86_instr_dump(scc_tree_dump_t *td, const scc_mir_x86_instr_t *instr) {
+static inline void scc_x86_dump_reg(scc_tree_dump_t *td,
                                    const scc_x86_reg_t reg) {
    if (scc_x86_reg_is_vreg(reg))
        scc_tree_dump_append_fmt(td, "%%%d", scc_x86_reg_get_vreg(reg));
    else
        scc_tree_dump_append_fmt(td, "$%s", preg_name(reg));
 }
 void scc_x86_instr_dump(scc_tree_dump_t *td, const scc_mir_func_t *func,
                        const scc_mir_x86_instr_t *instr) {
    if (instr->x86_instr.opcode >= SCC_X86_IFORM_COUNT ||
        instr->x86_instr.opcode < 0) {
        scc_tree_dump_append_fmt(td, "  ???");
@@ -26,24 +35,43 @@ void scc_x86_instr_dump(scc_tree_dump_t *td, const scc_mir_x86_instr_t *instr) {
        const scc_x86_operand_value_t *op = &instr->x86_instr.operands[i];
        switch (op->kind) {
        case SCC_X86_OPR_REG:
-            if (scc_x86_op_is_vreg(op))
+            scc_x86_dump_reg(td, op->reg);
                scc_tree_dump_append_fmt(td, "%%%d", scc_x86_op_get_vreg(op));
            else
                scc_tree_dump_append_fmt(td, "$%s", preg_name(op->reg));
            break;
        case SCC_X86_OPR_IMM:
            scc_tree_dump_append_fmt(td, "%ld", op->imm0);
            break;
        case SCC_X86_OPR_MEM:
-            if (scc_x86_op_is_slot(op))
+            if (scc_x86_op_is_slot(op)) {
-                scc_tree_dump_append_fmt(td, "[slot:%d]",
+                int slot_id = scc_x86_op_slot_id(op);
-                                         scc_x86_op_slot_id(op));
+                scc_mir_stack_slot_t *slot = scc_mir_unsafe_slot(func, slot_id);
-            else
+                if (slot == nullptr) {
                    scc_tree_dump_append_fmt(td, "[slot:%d<null>]", slot_id);
                } else {
                    scc_tree_dump_append_fmt(td, "[slot:%d(of=%d,sz=%d,al=%d)]",
                                             slot_id, slot->offset, slot->size,
                                             slot->alignment);
                }
            } else {
                scc_tree_dump_append(td, "(");
                scc_x86_dump_reg(td, op->mem.base);
                if (op->mem.index != SCC_X86_REG_INVALID) {
                    scc_tree_dump_append(td, "[");
                    scc_x86_dump_reg(td, op->mem.index);
                    scc_tree_dump_append(td, "]");
                }
                if (op->mem.scale != 1) {
                    scc_tree_dump_append_fmt(td, "(x%d)", op->mem.scale);
                }
                if (op->mem.disp.displacement != 0) {
                    scc_tree_dump_append_fmt(
-                    td, "[sp %c %llu]",
+                        td, " %c %llu",
                        op->mem.disp.displacement >= 0 ? '+' : '-',
-                    op->mem.disp.displacement < 0 ? -op->mem.disp.displacement
+                        op->mem.disp.displacement < 0
                            ? -op->mem.disp.displacement
                            : op->mem.disp.displacement);
                }
                scc_tree_dump_append(td, ")");
            }
            break;
        case SCC_X86_OPR_RELBR:
            scc_tree_dump_append(td, "<relbr>");
@@ -62,8 +90,10 @@ void scc_x86_instr_dump(scc_tree_dump_t *td, const scc_mir_x86_instr_t *instr) {
            }
            break;
        default:
            scc_tree_dump_append(td, "<?>");
            break;
        }
        scc_tree_dump_append_fmt(td, "(%zu)", op->size);
    }
 }
@@ -92,79 +122,54 @@ scc_x86_operand_value_t scc_x86_lir_val_to_mir_op(scc_x86_64_isel_t *isel,
        op = scc_x86_op_imm(*(i64 *)&val->data.fimm);
        break;
    case SCC_LIR_INSTR_KIND_SYMBOL:
-        // 默认作为绝对地址立即数（后续可优化为 RIP 相对）
+        op = scc_x86_op_reloc_global_relrip(val->data.symbol, 0);
        op = scc_x86_op_reloc_global_imm(val->data.symbol, 0);
        break;
    case SCC_LIR_INSTR_KIND_ARG:
        Assert(isel->abi_lowering.lower_param);
        isel->abi_lowering.lower_param(isel, val, &op);
        break;
    default:
-        UNREACHABLE();
+        Panic("unsupported lir instr kind %d", val->kind);
        break;
    }
    return op;
 }
 static scc_x86_operand_value_t build_mem_op(scc_x86_64_isel_t *isel,
                                            scc_x86_operand_value_t base,
                                            scc_x86_operand_value_t index,
                                            int scale, i64 offset) {
    (void)isel;
    scc_x86_operand_value_t mem_op;
    mem_op.kind = SCC_X86_OPR_MEM;
    // base 必须为寄存器
    Assert(base.kind == SCC_X86_OPR_REG);
    mem_op.mem.base = base.reg;
    // index 可选
    if (index.kind == SCC_X86_OPR_REG) {
        mem_op.mem.index = index.reg;
        mem_op.mem.scale = scale;
    } else {
        mem_op.mem.index = SCC_X86_REG_INVALID;
        mem_op.mem.scale = 1;
    }
    mem_op.mem.disp.displacement = offset;
    mem_op.mem.disp.displacement_bits = 0;
    return mem_op;
 }
 // 虚拟临时寄存器分配（简单递增）
 static scc_x86_operand_value_t new_vreg_temp(scc_x86_64_isel_t *isel) {
    return scc_x86_op_vreg(scc_mir_alloc_vreg(isel->func));
 }
 void scc_x86_emit_move(scc_x86_64_isel_t *isel, scc_x86_operand_value_t dst,
                       scc_x86_operand_value_t src, u8 size) {
    scc_x86_operand_kind_t dst_kind = dst.kind;
    if (dst_kind == SCC_X86_OPR_RELOC) {
        dst_kind = dst.reloc.kind;
    }
    scc_x86_operand_kind_t src_kind = src.kind;
    if (src_kind == SCC_X86_OPR_RELOC) {
        src_kind = src.reloc.kind;
    }
    if (dst_kind == SCC_X86_OPR_REG) {
        if (src_kind == SCC_X86_OPR_REG) {
            add_instr_2(isel, SCC_X86_IFORM_MOV_GPRV_GPRV_8B, dst, src);
        } else if (src_kind == SCC_X86_OPR_IMM) {
            add_instr_2(isel,
                        (size == 8) ? SCC_X86_IFORM_MOV_GPRV_IMMZ
                                    : SCC_X86_IFORM_MOV_GPRV_IMMV,
                        dst, src);
        } else if (src_kind == SCC_X86_OPR_IMM && src.imm0 == 0) {
            // 特殊：符号作为立即数地址
            add_instr_2(isel, SCC_X86_IFORM_MOV_GPRV_IMMZ, dst, src);
        } else if (src_kind == SCC_X86_OPR_MEM) {
            add_instr_2(isel, SCC_X86_IFORM_MOV_GPRV_MEMV, dst, src);
        } else {
            UNREACHABLE();
        }
    } else if (dst_kind == SCC_X86_OPR_MEM) {
        if (src_kind == SCC_X86_OPR_REG) {
            add_instr_2(isel, SCC_X86_IFORM_MOV_MEMV_GPRV, dst, src);
        } else if (src_kind == SCC_X86_OPR_IMM) {
            add_instr_2(isel, SCC_X86_IFORM_MOV_MEMV_IMMZ, dst, src);
        } else if (src_kind == SCC_X86_OPR_IMM) {
            scc_x86_operand_value_t temp = new_vreg_temp(isel);
            add_instr_2(isel, SCC_X86_IFORM_MOV_GPRV_IMMZ, temp, src);
            add_instr_2(isel, SCC_X86_IFORM_MOV_MEMV_GPRV, dst, temp);
        } else if (src_kind == SCC_X86_OPR_MEM) {
            scc_x86_operand_value_t temp = new_vreg_temp(isel);
            scc_x86_emit_move(isel, temp, src, size);
            scc_x86_emit_move(isel, dst, temp, size);
        } else {
            UNREACHABLE();
        }
    } else {
        UNREACHABLE();
    }
 }
 static void emit_compare(scc_x86_64_isel_t *isel, scc_x86_operand_value_t op0,
                         scc_x86_operand_value_t op1, u8 size) {
    (void)size;
    if (scc_x86_op_is_vreg(&op0) && op1.kind == SCC_X86_OPR_IMM) {
-        add_instr_2(isel, SCC_X86_IFORM_CMP_GPRV_IMMZ, op0, op1);
+        add_instr_2(isel, SCC_X86_IFORM_CMP_GPRV_IMMZ, op0, op1, size);
    } else if (scc_x86_op_is_vreg(&op0) && scc_x86_op_is_vreg(&op1)) {
-        add_instr_2(isel, SCC_X86_IFORM_CMP_GPRV_GPRV_3B, op0, op1);
+        add_instr_2(isel, SCC_X86_IFORM_CMP_GPRV_GPRV_3B, op0, op1, size);
    } else {
        UNREACHABLE();
    }
@@ -213,6 +218,9 @@ static void emit_binary_op(scc_x86_64_isel_t *isel, scc_lir_op_t op,
                           scc_x86_operand_value_t src1, u8 size) {
    (void)size;
    emit_copy_if_needed(isel, dst, src0, size);
    dst.size = size;
    src0.size = size;
    src1.size = size;
    bool is_imm = (src1.kind == SCC_X86_OPR_IMM);
    scc_x86_iform_t iform;
@@ -240,7 +248,155 @@ static void emit_binary_op(scc_x86_64_isel_t *isel, scc_lir_op_t op,
    default:
        UNREACHABLE();
    }
-    add_instr_2(isel, iform, dst, src1);
+    add_instr_2(isel, iform, dst, src1, size);
 }
 void scc_x86_emit_move(scc_x86_64_isel_t *isel, scc_x86_operand_value_t dst_reg,
                       scc_x86_operand_value_t src, u8 size) {
    if (size == 0) {
        size = dst_reg.size;
    }
    if (dst_reg.size != src.size) {
        LOG_WARN("Mismatched register sizes for move %d != %d", dst_reg.size,
                 src.size);
    }
    Assert(dst_reg.kind == SCC_X86_OPR_REG);
    if (src.kind == SCC_X86_OPR_REG) {
        add_instr_2(isel, SCC_X86_IFORM_MOV_GPRV_GPRV_8B, dst_reg, src, size);
    } else if (src.kind == SCC_X86_OPR_IMM) {
        add_instr_2(isel, SCC_X86_IFORM_MOV_GPRV_IMMV, dst_reg, src, size);
    } else if (src.kind == SCC_X86_OPR_MEM ||
               (src.kind == SCC_X86_OPR_RELOC &&
                src.reloc.target == SCC_X86_RELOC_TARGET_SYMBOL)) {
        add_instr_2(isel, SCC_X86_IFORM_LEA_GPRV_AGEN, dst_reg, src, size);
    } else {
        Panic("emit_move: unsupported src kind %d", src.kind);
    }
 }
 void scc_x86_emit_load(scc_x86_64_isel_t *isel, scc_x86_operand_value_t dst,
                       scc_x86_operand_value_t src, u8 size) {
    if (size == 0) {
        size = dst.size;
    }
    if (dst.size != src.size) {
        LOG_WARN("Mismatched register sizes for store %d != %d", dst.size,
                 src.size);
    }
    if (dst.kind != SCC_X86_OPR_REG) {
        scc_x86_operand_value_t tmp_reg = new_vreg_temp(isel);
        scc_x86_emit_move(isel, tmp_reg, dst, size);
        dst = tmp_reg;
    }
    scc_x86_operand_value_t mem_op;
    if (src.kind == SCC_X86_OPR_REG) {
        // 地址在寄存器中 -> 构造 [reg]
        mem_op = (scc_x86_operand_value_t){
            .kind = SCC_X86_OPR_MEM,
            .mem = {.base = src.reg,
                    .index = SCC_X86_REG_INVALID,
                    .scale = 1,
                    .disp = {.displacement = 0, .displacement_bits = size * 8}},
        };
    } else if (src.kind == SCC_X86_OPR_MEM) {
        mem_op = src;
    } else {
        Panic("emit_load: src must be REG or MEM");
    }
    add_instr_2(isel, SCC_X86_IFORM_MOV_GPRV_MEMV, dst, mem_op, size);
 }
 void scc_x86_emit_store(scc_x86_64_isel_t *isel, scc_x86_operand_value_t dst,
                        scc_x86_operand_value_t src, u8 size) {
    if (size == 0) {
        size = dst.size;
    }
    if (dst.size != src.size) {
        LOG_WARN("Mismatched register sizes for store %d != %d", dst.size,
                 src.size);
    }
    if (src.kind != SCC_X86_OPR_REG) {
        scc_x86_operand_value_t tmp_reg = new_vreg_temp(isel);
        scc_x86_emit_move(isel, tmp_reg, src, size);
        src = tmp_reg;
    }
    scc_x86_operand_value_t mem_op;
    if (dst.kind == SCC_X86_OPR_REG) {
        mem_op = (scc_x86_operand_value_t){
            .kind = SCC_X86_OPR_MEM,
            .mem = {.base = dst.reg,
                    .index = SCC_X86_REG_INVALID,
                    .scale = 1,
                    .disp = {.displacement = 0, .displacement_bits = 0}}};
    } else if (dst.kind == SCC_X86_OPR_MEM) {
        mem_op = dst;
    } else {
        Panic("emit_store: dst_addr must be REG or MEM");
    }
    mem_op.size = size;
    src.size = size;
    add_instr_2(isel, SCC_X86_IFORM_MOV_MEMV_GPRV, mem_op, src, size);
 }
 static void emit_load_addr(scc_x86_64_isel_t *isel, scc_x86_operand_value_t dst,
                           scc_x86_operand_value_t base,
                           scc_x86_operand_value_t index, int scale,
                           i64 offset) {
    usize size = dst.size;
    // 前置断言：dst 必须是寄存器
    Assert(dst.kind == SCC_X86_OPR_REG);
    // scale 必须是 1,2,4,8 之一
    Assert(scale == 1 || scale == 2 || scale == 4 || scale == 8);
    // ---- 处理 base ----
    scc_x86_operand_value_t base_reg = base;
    if (base.kind != SCC_X86_OPR_REG) {
        base_reg = new_vreg_temp(isel);
        scc_x86_emit_move(isel, base_reg, base, 8);
    }
    // ---- 处理 index * scale ----
    scc_x86_operand_value_t scaled_index = index;
    Assert(index.kind != SCC_X86_OPR_NONE);
    // 确保 index 在寄存器中
    if (index.kind != SCC_X86_OPR_REG) {
        scc_x86_operand_value_t index_tmp = new_vreg_temp(isel);
        scc_x86_emit_move(isel, index_tmp, index, 8);
        index = index_tmp;
    }
    // ---- 计算 base + scaled_index ----
    scc_x86_operand_value_t sum = base_reg;
    if (base_reg.kind == SCC_X86_OPR_REG &&
        scaled_index.kind == SCC_X86_OPR_REG) {
        if (dst.reg != base_reg.reg) {
            scc_x86_emit_move(isel, dst, base_reg, 8);
            sum = dst;
        }
        add_instr_2(isel, SCC_X86_IFORM_ADD_GPRV_GPRV_03, sum, scaled_index,
                    size);
    } else if (base_reg.kind == SCC_X86_OPR_REG) {
        if (dst.reg != base_reg.reg)
            scc_x86_emit_move(isel, dst, base_reg, 8);
        sum = dst;
    } else if (scaled_index.kind == SCC_X86_OPR_REG) {
        scc_x86_emit_move(isel, dst, scaled_index, 8);
        sum = dst;
    } else {
        // base 和 index 都无效 => 结果为 0
        scc_x86_emit_move(isel, dst, scc_x86_op_imm(0), 8);
        return;
    }
    // ---- 加上 offset ----
    if (offset != 0) {
        scc_x86_operand_value_t mem_op = build_mem_op(
            isel, sum, (scc_x86_operand_value_t){.kind = SCC_X86_OPR_NONE}, 1,
            offset);
        scc_x86_emit_move(isel, dst, mem_op, 8);
    } else if (sum.reg != dst.reg) {
        scc_x86_emit_move(isel, dst, sum, 8);
    }
 }
 static void sel_mir(scc_x86_64_isel_t *isel, const scc_lir_instr_t *instr) {
@@ -253,32 +409,30 @@ static void sel_mir(scc_x86_64_isel_t *isel, const scc_lir_instr_t *instr) {
    switch (instr->op) {
        /* ---- 数据移动 ---- */
    case SCC_LIR_MOV:
        scc_x86_emit_move(isel, dst, src0, size);
        break;
    case SCC_LIR_LOAD:
-        // TODO check valid
+        // src0 是地址（可能是寄存器或内存操作数），dst 是寄存器
-        scc_x86_emit_move(isel, dst, src0, size);
+        scc_x86_emit_load(isel, dst, src0, size);
        break;
    case SCC_LIR_STORE:
-        // TODO check valid
+        // src0 是要存储的值（寄存器），src1 是目标地址
-        scc_x86_emit_move(isel, src1, src0, size);
+        scc_x86_emit_store(isel, src1, src0, size);
        break;
-    case SCC_LIR_STORE_ADDR:
+    case SCC_LIR_MOV:
-        TODO();
+        // 纯粹的寄存器/立即数复制
        scc_x86_emit_move(isel, dst, src0, size);
        break;
    case SCC_LIR_LOAD_ADDR:
-        add_instr_2(isel, SCC_X86_IFORM_LEA_GPRV_AGEN, dst, src0);
+        // 计算地址，结果放入 dst（寄存器）
        emit_load_addr(isel, dst, src0, src1, instr->metadata.addr.scale,
                       instr->metadata.addr.offset);
        break;
    /* ---- 一元运算 ---- */
    case SCC_LIR_NEG:
-        add_instr_1(isel, SCC_X86_IFORM_NEG_GPRV, dst);
+        add_instr_1(isel, SCC_X86_IFORM_NEG_GPRV, dst, size);
        break;
    case SCC_LIR_NOT:
-        add_instr_1(isel, SCC_X86_IFORM_NOT_GPRV, dst);
+        add_instr_1(isel, SCC_X86_IFORM_NOT_GPRV, dst, size);
        break;
    /* ---- 算术/逻辑二元运算 ---- */
    case SCC_LIR_ADD:
    case SCC_LIR_SUB:
@@ -295,7 +449,7 @@ static void sel_mir(scc_x86_64_isel_t *isel, const scc_lir_instr_t *instr) {
            scc_x86_emit_move(isel, op, src1, size);
            src1 = op;
        }
-        add_instr_2(isel, SCC_X86_IFORM_IMUL_GPRV_GPRV, dst, src1);
+        add_instr_2(isel, SCC_X86_IFORM_IMUL_GPRV_GPRV, dst, src1, size);
        break;
    case SCC_LIR_SHL:
@@ -318,7 +472,7 @@ static void sel_mir(scc_x86_64_isel_t *isel, const scc_lir_instr_t *instr) {
            default:
                UNREACHABLE();
            }
-            add_instr_2(isel, iform, dst, src1);
+            add_instr_2(isel, iform, dst, src1, size);
        } else {
            scc_x86_operand_value_t cl = scc_x86_op_preg(SCC_X86_REG_CL);
            scc_x86_emit_move(isel, cl, src1, 1);
@@ -336,7 +490,7 @@ static void sel_mir(scc_x86_64_isel_t *isel, const scc_lir_instr_t *instr) {
            default:
                UNREACHABLE();
            }
-            add_instr_2(isel, iform, dst, cl);
+            add_instr_2(isel, iform, dst, cl, size);
        }
    } break;
@@ -361,7 +515,7 @@ static void sel_mir(scc_x86_64_isel_t *isel, const scc_lir_instr_t *instr) {
            (instr->op == SCC_LIR_DIV_S || instr->op == SCC_LIR_REM_S)
                ? SCC_X86_IFORM_IDIV_GPRV
                : SCC_X86_IFORM_DIV_GPRV;
-        add_instr_1(isel, div_if, src1);
+        add_instr_1(isel, div_if, src1, size);
        if (instr->op == SCC_LIR_REM_S || instr->op == SCC_LIR_REM_U)
            scc_x86_emit_move(isel, dst, rdx, size);
@@ -372,17 +526,17 @@ static void sel_mir(scc_x86_64_isel_t *isel, const scc_lir_instr_t *instr) {
    /* ---- 比较指令 ---- */
    case SCC_LIR_CMP: {
        if (scc_x86_op_is_vreg(&src0) && src1.kind == SCC_X86_OPR_IMM)
-            add_instr_2(isel, SCC_X86_IFORM_CMP_GPRV_IMMZ, src0, src1);
+            add_instr_2(isel, SCC_X86_IFORM_CMP_GPRV_IMMZ, src0, src1, size);
        else if (scc_x86_op_is_vreg(&src0) && scc_x86_op_is_vreg(&src1))
-            add_instr_2(isel, SCC_X86_IFORM_CMP_GPRV_GPRV_3B, src0, src1);
+            add_instr_2(isel, SCC_X86_IFORM_CMP_GPRV_GPRV_3B, src0, src1, size);
        else
            UNREACHABLE();
        scc_x86_iform_t setcc = cond_to_setcc(instr->metadata.cond);
-        add_instr_1(isel, setcc, dst);
+        add_instr_1(isel, setcc, dst, size);
        if (size > 1) {
            scc_x86_operand_value_t one = scc_x86_op_imm(1);
-            add_instr_2(isel, SCC_X86_IFORM_AND_GPRV_IMMZ, dst, one);
+            add_instr_2(isel, SCC_X86_IFORM_AND_GPRV_IMMZ, dst, one, size);
        }
    } break;
@@ -393,15 +547,15 @@ static void sel_mir(scc_x86_64_isel_t *isel, const scc_lir_instr_t *instr) {
        scc_x86_operand_value_t false_bb =
            scc_x86_op_reloc_block(instr->metadata.br.false_target, 0);
-        add_instr_2(isel, SCC_X86_IFORM_TEST_GPRV_GPRV, src0, src0);
+        add_instr_2(isel, SCC_X86_IFORM_TEST_GPRV_GPRV, src0, src0, size);
-        add_instr_1(isel, SCC_X86_IFORM_JNZ_RELBRZ, true_bb);
+        add_instr_1(isel, SCC_X86_IFORM_JNZ_RELBRZ, true_bb, size);
-        add_instr_1(isel, SCC_X86_IFORM_JMP_RELBRZ, false_bb);
+        add_instr_1(isel, SCC_X86_IFORM_JMP_RELBRZ, false_bb, size);
    } break;
    case SCC_LIR_JMP: {
        scc_x86_operand_value_t jmp_bb =
            scc_x86_op_reloc_block(instr->metadata.jmp_target, 0);
-        add_instr_1(isel, SCC_X86_IFORM_JMP_RELBRZ, jmp_bb);
+        add_instr_1(isel, SCC_X86_IFORM_JMP_RELBRZ, jmp_bb, size);
    } break;
    /* ---- 栈分配 ---- */
@@ -412,10 +566,14 @@ static void sel_mir(scc_x86_64_isel_t *isel, const scc_lir_instr_t *instr) {
        x86instr.instr.opcode = SCC_MIR_PSEUDO_ALLOCA;
        Assert(op.kind == SCC_X86_OPR_REG);
        x86instr.instr.data.alloc.vreg = op.reg;
-        x86instr.instr.data.alloc.size = instr->size;
+        x86instr.instr.data.alloc.size = instr->metadata.alloca.size_bytes;
-        x86instr.instr.data.alloc.align = 0;
+        x86instr.instr.data.alloc.align = instr->metadata.alloca.align_bytes;
        scc_vec_push(isel->instrs, x86instr);
-        scc_mir_vreg_map2slot(isel->func, instr->to.data.reg, instr->size, 0);
+        scc_mir_vreg_map2slot(isel->func, instr->to.data.reg,
                              instr->metadata.alloca.size_bytes,
                              instr->metadata.alloca.align_bytes
                                  ? instr->metadata.alloca.align_bytes
                                  : 8);
        break;
    }
@@ -429,12 +587,43 @@ static void sel_mir(scc_x86_64_isel_t *isel, const scc_lir_instr_t *instr) {
        Assert(isel->abi_lowering.lower_call);
        isel->abi_lowering.lower_call(isel, instr);
    } break;
    case SCC_LIR_CALL_INDIRECT: {
        TODO();
        // 假设函数指针的 LIR 值在某个 vreg 中
        // scc_x86_operand_value_t func_ptr_op =
        //     scc_x86_lir_val_to_mir_op(isel, &func_ptr_val);
        // scc_x86_operand_value_t temp_reg = new_vreg_temp(isel);
        // scc_x86_emit_lea(isel, temp_reg, func_ptr_op); // 确保得到地址
        // emit_indirect_call(isel, temp_reg);
    } break;
    case SCC_LIR_RET: {
        Assert(isel->abi_lowering.lower_ret);
        isel->abi_lowering.lower_ret(isel, instr);
    } break;
    case SCC_LIR_MEMCPY: {
        scc_lir_val_t dest_val = instr->metadata.memcpy.dest;
        scc_lir_val_t src_val = instr->metadata.memcpy.src;
        // 将 dest 的地址放入 RDI
        scc_x86_operand_value_t dest_op =
            scc_x86_lir_val_to_mir_op(isel, &dest_val);
        scc_x86_emit_move(isel, scc_x86_op_preg(SCC_X86_REG_RDI), dest_op, 8);
        // 将 src 的地址放入 RSI
        scc_x86_operand_value_t src_op =
            scc_x86_lir_val_to_mir_op(isel, &src_val);
        scc_x86_emit_move(isel, scc_x86_op_preg(SCC_X86_REG_RSI), src_op, 8);
        // 长度处理保持不变...
        scc_x86_operand_value_t len_op =
            scc_x86_lir_val_to_mir_op(isel, &instr->metadata.memcpy.size);
        scc_x86_emit_move(isel, scc_x86_op_preg(SCC_X86_REG_RCX), len_op, 8);
        add_instr_0(isel, SCC_X86_IFORM_REP_MOVSB);
    } break;
    default: {
-        UNREACHABLE();
+        Panic("unsupported instruction %d", instr->op);
    } break;
    }
 }
--- a/libs/ir/mir/src/arch/scc_x86_peephole.c
+++ b/libs/ir/mir/src/arch/scc_x86_peephole.c
@@ -0,0 +1,161 @@
 #include <arch/scc_x86_mir.h>
 #include <scc_mir_module.h>
 static bool same_x86_operand(const scc_x86_operand_value_t *a,
                             const scc_x86_operand_value_t *b) {
    if (a->kind != b->kind)
        return false;
    switch (a->kind) {
    case SCC_X86_OPR_REG:
        return a->reg == b->reg;
    case SCC_X86_OPR_MEM:
        return a->mem.base == b->mem.base && a->mem.index == b->mem.index &&
               a->mem.scale == b->mem.scale &&
               a->mem.disp.displacement == b->mem.disp.displacement;
    case SCC_X86_OPR_IMM:
        return a->imm0 == b->imm0;
    default:
        return false;
    }
 }
 static bool is_store_to_mem(const scc_mir_x86_instr_t *ins) {
    int op = ins->x86_instr.opcode;
    return op == SCC_X86_IFORM_MOV_MEMV_GPRV ||
           op == SCC_X86_IFORM_MOV_MEMV_IMMZ;
 }
 static bool is_load_from_mem(const scc_mir_x86_instr_t *ins) {
    int op = ins->x86_instr.opcode;
    return op == SCC_X86_IFORM_MOV_GPRV_MEMV;
 }
 static bool is_reg_reg_move(const scc_mir_x86_instr_t *ins) {
    int op = ins->x86_instr.opcode;
    return op == SCC_X86_IFORM_MOV_GPRV_GPRV_8B;
 }
 void scc_x86_peephole_optimize(scc_mir_module_t *module) {
    Assert(module != nullptr);
    usize instr_size = module->instr_size;
    // 遍历函数
    scc_vec_foreach(module->cfg_module.funcs, i) {
        if (i == 0)
            continue;
        scc_mir_func_t *func = &scc_vec_at(module->cfg_module.funcs, i);
        // 遍历基本块
        scc_vec_foreach(func->bblocks, j) {
            scc_cfg_bblock_id_t bb_id = scc_vec_at(func->bblocks, j);
            scc_cfg_bblock_t *bb =
                scc_cfg_module_unsafe_get_bblock(&module->cfg_module, bb_id);
            Assert(bb != nullptr);
            scc_mir_instr_vec_t *old_vec = SCC_MIR_BBLOCK_VALUES_PTR(bb);
            if (scc_vec_size(*old_vec) == 0)
                continue;
            size_t old_count = scc_vec_size(*old_vec);
            // 构建新向量
            scc_mir_instr_vec_t new_vec;
            scc_vec_init(new_vec);
            for (size_t k = 0; k < old_count;) {
                if (k + 1 >= old_count) {
                    // 剩余不足2条，直接复制
                    void *ins_ptr =
                        scc_vec_sized_at_ptr(*old_vec, instr_size, k);
                    scc_vec_sized_push(new_vec, instr_size, ins_ptr,
                                       instr_size);
                    k++;
                    continue;
                }
                scc_mir_x86_instr_t *i0 =
                    (scc_mir_x86_instr_t *)scc_vec_sized_at_ptr(*old_vec,
                                                                instr_size, k);
                scc_mir_x86_instr_t *i1 =
                    (scc_mir_x86_instr_t *)scc_vec_sized_at_ptr(
                        *old_vec, instr_size, k + 1);
                int op0 = i0->x86_instr.opcode;
                int op1 = i1->x86_instr.opcode;
                // 模式 A: store reg, mem 后紧跟 load mem, reg (同一 reg 和 mem)
                if (is_store_to_mem(i0) && is_load_from_mem(i1) &&
                    i0->x86_instr.num_operands >= 2 &&
                    i1->x86_instr.num_operands >= 2) {
                    scc_x86_operand_value_t *store_dst =
                        &i0->x86_instr.operands[0]; // mem
                    scc_x86_operand_value_t *store_src =
                        &i0->x86_instr.operands[1]; // reg/imm
                    scc_x86_operand_value_t *load_dst =
                        &i1->x86_instr.operands[0]; // reg
                    scc_x86_operand_value_t *load_src =
                        &i1->x86_instr.operands[1]; // mem
                    if (store_src->kind == SCC_X86_OPR_REG &&
                        load_dst->kind == SCC_X86_OPR_REG &&
                        same_x86_operand(store_dst, load_src) &&
                        store_src->reg == load_dst->reg) {
                        // 两条指令相互抵消，都跳过
                        k += 2;
                        continue;
                    }
                }
                // 模式 B: load mem, reg 后紧跟 store reg, mem (同一 reg 和 mem)
                if (is_load_from_mem(i0) && is_store_to_mem(i1) &&
                    i0->x86_instr.num_operands >= 2 &&
                    i1->x86_instr.num_operands >= 2) {
                    scc_x86_operand_value_t *load_dst =
                        &i0->x86_instr.operands[0]; // reg
                    scc_x86_operand_value_t *load_src =
                        &i0->x86_instr.operands[1]; // mem
                    scc_x86_operand_value_t *store_dst =
                        &i1->x86_instr.operands[0]; // mem
                    scc_x86_operand_value_t *store_src =
                        &i1->x86_instr.operands[1]; // reg
                    if (store_src->kind == SCC_X86_OPR_REG &&
                        load_dst->kind == SCC_X86_OPR_REG &&
                        same_x86_operand(load_src, store_dst) &&
                        load_dst->reg == store_src->reg) {
                        k += 2;
                        continue;
                    }
                }
                // 模式 C: mov r1, r2 后跟 mov r2, r1
                if (is_reg_reg_move(i0) && is_reg_reg_move(i1) &&
                    i0->x86_instr.num_operands >= 2 &&
                    i1->x86_instr.num_operands >= 2) {
                    scc_x86_operand_value_t *dst0 = &i0->x86_instr.operands[0];
                    scc_x86_operand_value_t *src0 = &i0->x86_instr.operands[1];
                    scc_x86_operand_value_t *dst1 = &i1->x86_instr.operands[0];
                    scc_x86_operand_value_t *src1 = &i1->x86_instr.operands[1];
                    if (dst0->kind == SCC_X86_OPR_REG &&
                        src0->kind == SCC_X86_OPR_REG &&
                        dst1->kind == SCC_X86_OPR_REG &&
                        src1->kind == SCC_X86_OPR_REG &&
                        dst0->reg == src1->reg && src0->reg == dst1->reg) {
                        // 保留第一条，删除第二条
                        scc_vec_sized_push(new_vec, instr_size, i0, instr_size);
                        k += 2;
                        continue;
                    }
                }
                // 未匹配，保留当前指令
                scc_vec_sized_push(new_vec, instr_size, i0, instr_size);
                k++;
            }
            // 替换基本块的指令向量
            scc_vec_free(*old_vec);
            *old_vec = new_vec;
        }
    }
 }
--- a/libs/ir/mir/src/arch/scc_x86_reg_alloc.c
+++ b/libs/ir/mir/src/arch/scc_x86_reg_alloc.c
@@ -4,71 +4,29 @@
 #include <x86/scc_x86_iform.h>
 #include <x86/scc_x86_reg.h>
-/* ========== 指令访问回调 ========== */
+static void emit_spill(void *out, int preg, int slot, int size) {
 static int instr_opcode(const void *instr) {
    return ((const scc_mir_x86_instr_t *)instr)->x86_instr.opcode;
 }
 static int instr_num_operands(const void *instr) {
    return ((const scc_mir_x86_instr_t *)instr)->x86_instr.num_operands;
 }
 static bool op_is_vreg(const void *instr, int idx) {
    return scc_x86_op_is_vreg(
        &((const scc_mir_x86_instr_t *)instr)->x86_instr.operands[idx]);
 }
 static int op_get_vreg(const void *instr, int idx) {
    return scc_x86_op_get_vreg(
        &((const scc_mir_x86_instr_t *)instr)->x86_instr.operands[idx]);
 }
 static void op_set_preg(void *instr, int idx, int preg) {
    scc_x86_op_set_preg(
        &((scc_mir_x86_instr_t *)instr)->x86_instr.operands[idx],
        (scc_x86_reg_t)preg);
 }
 static void op_set_slot(void *instr, int idx, int slot) {
    ((scc_mir_x86_instr_t *)instr)->x86_instr.operands[idx] =
        scc_x86_op_slot(slot);
 }
 /* ========== 伪指令处理 ========== */
 static bool is_pseudo(const void *instr) {
    return ((const scc_mir_x86_instr_t *)instr)->x86_instr.opcode < 0;
 }
 static void handle_pseudo(scc_mir_func_t *func, void *instr, void *out) {
    scc_mir_x86_instr_t *ins = instr;
    scc_mir_x86_instr_vec_t *out_vec = out;
    if (ins->x86_instr.opcode == SCC_MIR_PSEUDO_ALLOCA) {
        // // 指令选择时已分配 slot，直接替换为 slot 操作数
        // if (scc_x86_op_is_vreg(&ins->x86_instr.operands[0])) {
        //     int vreg = scc_x86_op_get_vreg(&ins->x86_instr.operands[0]);
        //     int slot = scc_mir_vreg_map2slot(func, vreg, 8, 8);
        //     ins->x86_instr.operands[0] = scc_x86_op_slot(slot);
        // }
        // scc_vec_push(*out_vec, *ins);
    } else {
        scc_vec_push(*out_vec, *ins);
    }
 }
 /* ========== Spill / Reload / Copy ========== */
 static void emit_spill(void *out, int preg, int slot) {
    scc_mir_x86_instr_vec_t *vec = out;
    scc_x86_operand_value_t val_slot = scc_x86_op_slot(slot);
    scc_x86_operand_value_t val_preg = scc_x86_op_preg(preg);
    val_slot.size = size;
    val_preg.size = size;
    scc_mir_x86_instr_t ins = {
        .x86_instr.opcode = SCC_X86_IFORM_MOV_MEMV_GPRV,
        .x86_instr.num_operands = 2,
-        .x86_instr.operands = {scc_x86_op_slot(slot), scc_x86_op_preg(preg)}};
+        .x86_instr.operands = {val_slot, val_preg},
    };
    scc_vec_push(*vec, ins);
 }
-static void emit_reload(void *out, int preg, int slot) {
+static void emit_reload(void *out, int preg, int slot, int size) {
    scc_x86_operand_value_t val_slot = scc_x86_op_slot(slot);
    scc_x86_operand_value_t val_preg = scc_x86_op_preg(preg);
    val_slot.size = size;
    val_preg.size = size;
    scc_mir_x86_instr_vec_t *vec = out;
-    scc_mir_x86_instr_t ins = {
+    scc_mir_x86_instr_t ins = {.x86_instr.opcode = SCC_X86_IFORM_MOV_GPRV_MEMV,
        .x86_instr.opcode = SCC_X86_IFORM_MOV_GPRV_MEMV,
                               .x86_instr.num_operands = 2,
-        .x86_instr.operands = {scc_x86_op_preg(preg), scc_x86_op_slot(slot)}};
+                               .x86_instr.operands = {val_preg, val_slot}};
    scc_vec_push(*vec, ins);
 }
@@ -83,11 +41,7 @@ static void emit_copy(void *out, int dst_preg, int src_preg, int size) {
    scc_vec_push(*vec, ins);
 }
-/* ========== 操作数读写属性 ========== */
+static scc_reg_op_access_t get_operand_access(int opcode, int op_idx) {
 static scc_reg_op_access_t get_operand_access(void *ctx, int opcode,
                                              int op_idx) {
    (void)ctx;
    if (opcode >= 0 && opcode < SCC_X86_IFORM_COUNT) {
        const scc_x86_iform_info_t *info = &scc_x86_iform_table[opcode];
        if (op_idx >= info->num_ops || op_idx < 0)
@@ -174,7 +128,111 @@ static void clean_mark_regs(void *ctx) {
    reg_mask = 0;
 }
-/* ========== 注册全部 x86 回调 ========== */
+static void x86_alloc_iter_begin(scc_reg_alloc_iter_t *iter) {
    iter->op_idx = 0;
    iter->op_sub_idx = 0;
 }
 static cbool x86_alloc_iter_next(scc_reg_alloc_iter_t *iter, int *out_vreg,
                                 int *out_size,
                                 scc_reg_op_access_t *out_access) {
    const scc_mir_x86_instr_t *ins = (const scc_mir_x86_instr_t *)iter->instr;
    int opcode = ins->x86_instr.opcode;
    int num_ops = ins->x86_instr.num_operands;
    while (iter->op_idx < num_ops) {
        const scc_x86_operand_value_t *op =
            &ins->x86_instr.operands[iter->op_idx];
        scc_reg_op_access_t base_access =
            get_operand_access(opcode, iter->op_idx);
        *out_size = op->size;
        if (op->kind == SCC_X86_OPR_REG) {
            if (iter->op_sub_idx == 0 && scc_x86_op_is_vreg(op)) {
                *out_vreg = scc_x86_op_get_vreg(op);
                *out_access = base_access;
                iter->op_sub_idx++;
                return true;
            }
            iter->op_idx++;
            iter->op_sub_idx = 0;
            continue;
        } else if (op->kind == SCC_X86_OPR_MEM) {
            const scc_x86_mem_t *mem = &op->mem;
            // 子索引 0: 基址寄存器
            if (iter->op_sub_idx == 0) {
                if (mem->base != SCC_X86_REG_INVALID &&
                    scc_x86_reg_is_vreg(mem->base)) {
                    *out_vreg = scc_x86_reg_get_vreg(mem->base);
                    *out_access =
                        SCC_REG_ALLOC_OP_ACCESS_READ; // 地址寄存器只读
                    iter->op_sub_idx++;
                    return true;
                }
                iter->op_sub_idx++;
            }
            // 子索引 1: 索引寄存器
            if (iter->op_sub_idx == 1) {
                if (mem->index != SCC_X86_REG_INVALID &&
                    scc_x86_reg_is_vreg(mem->index)) {
                    *out_vreg = scc_x86_reg_get_vreg(mem->index);
                    *out_access = SCC_REG_ALLOC_OP_ACCESS_READ;
                    iter->op_sub_idx++;
                    return true;
                }
                iter->op_sub_idx++;
            }
            // 没有更多子部分
            iter->op_idx++;
            iter->op_sub_idx = 0;
            continue;
        }
        // 其他操作数类型（立即数、slot 等）直接跳过
        iter->op_idx++;
        iter->op_sub_idx = 0;
    }
    return false;
 }
 static void x86_alloc_iter_replace_preg(scc_reg_alloc_iter_t *iter, int preg) {
    scc_mir_x86_instr_t *ins = (scc_mir_x86_instr_t *)iter->instr;
    int op_idx = iter->op_idx;
    int sub_idx = iter->op_sub_idx;
    if (op_idx >= ins->x86_instr.num_operands)
        return;
    scc_x86_operand_value_t *op = &ins->x86_instr.operands[op_idx];
    if (op->kind == SCC_X86_OPR_REG) {
        // 普通寄存器操作数
        scc_x86_op_set_preg(op, (scc_x86_reg_t)preg);
    } else if (op->kind == SCC_X86_OPR_MEM) {
        scc_x86_mem_t *mem = &op->mem;
        if (sub_idx == 1) {
            // 基址寄存器
            mem->base = (scc_x86_reg_t)preg;
        } else if (sub_idx == 2) {
            // 索引寄存器
            mem->index = (scc_x86_reg_t)preg;
        }
    }
 }
 static void x86_alloc_iter_replace_slot(scc_reg_alloc_iter_t *iter, int slot) {
    scc_mir_x86_instr_t *ins = (scc_mir_x86_instr_t *)iter->instr;
    int op_idx = iter->op_idx;
    if (op_idx < ins->x86_instr.num_operands && iter->op_sub_idx == 0) {
        ins->x86_instr.operands[op_idx] = scc_x86_op_slot(slot);
    } else {
        Panic("x86_alloc_iter_replace_slot: invalid op_idx");
    }
 }
 static void x86_alloc_iter_end(scc_reg_alloc_iter_t *iter) {
    (void)iter; // 无需清理
 }
 void scc_reg_alloc_fill_arch_x86(scc_reg_alloc_op_t *ops) {
    ops->acquire_reg = acquire_reg;
@@ -182,19 +240,13 @@ void scc_reg_alloc_fill_arch_x86(scc_reg_alloc_op_t *ops) {
    ops->mark_reg_used = mark_reg_used;
    ops->clean_mark_regs = clean_mark_regs;
-    ops->instr_opcode = instr_opcode;
+    ops->alloc_iter_begin = x86_alloc_iter_begin;
-    ops->instr_num_operands = instr_num_operands;
+    ops->alloc_iter_next = x86_alloc_iter_next;
-    ops->op_is_vreg = op_is_vreg;
+    ops->alloc_iter_replace_preg = x86_alloc_iter_replace_preg;
-    ops->op_get_vreg = op_get_vreg;
+    ops->alloc_iter_replace_slot = x86_alloc_iter_replace_slot;
-    ops->op_set_preg = op_set_preg;
+    ops->alloc_iter_end = x86_alloc_iter_end;
    ops->op_set_slot = op_set_slot;
    ops->get_operand_access = get_operand_access;
    ops->get_implicit_regs = get_implicit_regs;
    ops->is_pseudo = is_pseudo;
    ops->handle_pseudo = handle_pseudo;
    ops->emit_spill = emit_spill;
    ops->emit_reload = emit_reload;
    ops->emit_copy = emit_copy;
--- a/libs/ir/mir/src/reg_alloc/reg_alloc.c
+++ b/libs/ir/mir/src/reg_alloc/reg_alloc.c
@@ -6,8 +6,11 @@ static void alloc_instr(scc_reg_alloc_ctx_t *ctx,
                        scc_mir_instr_t *instr) {
    const scc_reg_alloc_op_t *ops = &ctx->ops;
    usize instr_size = ctx->module->instr_size;
-    if (ops->is_pseudo(instr)) {
+
-        ops->handle_pseudo(ctx->func, (void *)instr, instr_vec);
+    if (instr->opcode < 0) {
        if (instr->opcode != SCC_MIR_PSEUDO_ALLOCA) {
            scc_vec_sized_push(*instr_vec, instr_size, instr, instr_size);
        }
        return;
    }
@@ -17,69 +20,69 @@ static void alloc_instr(scc_reg_alloc_ctx_t *ctx,
    SCC_VEC(int) allocated;
    scc_vec_init(allocated);
-    int opcode = ops->instr_opcode(instr);
+    // 获取隐式寄存器
    // 标记隐式寄存器
    const int *implicit_uses, *implicit_defs;
-    ops->get_implicit_regs(ctx, opcode, &implicit_uses, &implicit_defs);
+    ops->get_implicit_regs(ctx, instr->opcode, &implicit_uses, &implicit_defs);
    for (const int *p = implicit_uses; *p != -1; p++)
        ops->mark_reg_used(ctx, *p);
    for (const int *p = implicit_defs; *p != -1; p++)
        ops->mark_reg_used(ctx, *p);
-    int num_ops = ops->instr_num_operands(instr);
+    // 初始化迭代器
-    for (int op_i = 0; op_i < num_ops; op_i++) {
+    scc_reg_alloc_iter_t iter;
-        if (!ops->op_is_vreg(instr, op_i))
+    iter.instr = instr;
-            continue;
+    ops->alloc_iter_begin(&iter);
-        int vreg = ops->op_get_vreg(instr, op_i);
+    int vreg;
    int size;
    scc_reg_op_access_t access;
    while (ops->alloc_iter_next(&iter, &vreg, &size, &access)) {
        int id = 0;
        int mapping = scc_mir_vreg_lookup(ctx->func, vreg, &id);
        int preg = id, slot = id;
        if (mapping == 1) {
            // 已预着色
            ops->mark_reg_used(ctx, preg);
-            ops->op_set_preg(instr, op_i, preg);
+            ops->alloc_iter_replace_preg(&iter, preg);
            continue;
        }
        if (mapping == 0)
-            slot = scc_mir_vreg_map2slot(ctx->func, vreg, 8, 8);
+            slot = scc_mir_vreg_map2slot(ctx->func, vreg, size, 8);
        preg = ops->acquire_reg(ctx);
        scc_vec_push(allocated, preg);
-        scc_reg_op_access_t acc = ops->get_operand_access(ctx, opcode, op_i);
+        if (access == SCC_REG_ALLOC_OP_ACCESS_READ ||
-        if (acc == SCC_REG_ALLOC_OP_ACCESS_READ ||
+            access == SCC_REG_ALLOC_OP_ACCESS_READWRITE)
-            acc == SCC_REG_ALLOC_OP_ACCESS_READWRITE)
+            ops->emit_reload(&before, preg, slot, size);
-            ops->emit_reload(&before, preg, slot);
+        if (access == SCC_REG_ALLOC_OP_ACCESS_WRITE ||
-        if (acc == SCC_REG_ALLOC_OP_ACCESS_WRITE ||
+            access == SCC_REG_ALLOC_OP_ACCESS_READWRITE)
-            acc == SCC_REG_ALLOC_OP_ACCESS_READWRITE)
+            ops->emit_spill(&after, preg, slot, size);
            ops->emit_spill(&after, preg, slot);
-        ops->op_set_preg(instr, op_i, preg);
+        ops->alloc_iter_replace_preg(&iter, preg);
    }
    ops->alloc_iter_end(&iter);
    // 合并 before / instr / after
    for (size_t i = 0; i < scc_vec_size(before); i++) {
        void *p = scc_vec_sized_at_ptr(before, instr_size, i);
        scc_vec_sized_push(*instr_vec, instr_size, p, instr_size);
    }
    scc_vec_sized_push(*instr_vec, instr_size, instr, instr_size);
    for (size_t i = 0; i < scc_vec_size(after); i++) {
        void *p = scc_vec_sized_at_ptr(after, instr_size, i);
        scc_vec_sized_push(*instr_vec, instr_size, p, instr_size);
    }
-    // 合并指令流
+    // 释放隐式寄存器
    scc_vec_foreach(before, i) scc_vec_sized_push(
        *instr_vec, instr_size, scc_vec_sized_at_ptr(before, instr_size, i),
        instr_size);
    scc_vec_sized_push(*instr_vec, instr_size, instr, instr_size);
    scc_vec_foreach(after, i) scc_vec_sized_push(
        *instr_vec, instr_size, scc_vec_sized_at_ptr(after, instr_size, i),
        instr_size);
    // 清理隐式寄存器
    for (const int *p = implicit_defs; *p != -1; p++)
-        ops->mark_reg_used(ctx, *p);
+        ops->release_reg(ctx, *p);
    for (const int *p = implicit_uses; *p != -1; p++)
        ops->release_reg(ctx, *p);
    scc_vec_free(before);
    scc_vec_free(after);
-    scc_vec_foreach(allocated, l)
+    for (size_t i = 0; i < scc_vec_size(allocated); i++)
-        ops->release_reg(ctx, scc_vec_at(allocated, l));
+        ops->release_reg(ctx, scc_vec_at(allocated, i));
    scc_vec_free(allocated);
 }
@@ -99,7 +102,6 @@ void scc_reg_alloc(scc_reg_alloc_ctx_t *ctx, scc_mir_module_t *module) {
            scc_cfg_bblock_id_t bb_id = scc_vec_at(func->bblocks, j);
            scc_cfg_bblock_t *bb =
                scc_cfg_module_unsafe_get_bblock(&module->cfg_module, bb_id);
            scc_mir_instr_vec_t *old_instrs = SCC_MIR_BBLOCK_VALUES_PTR(bb);
            scc_mir_instr_vec_t new_instrs;
            scc_vec_init(new_instrs);
--- a/libs/ir/mir/src/scc_mir_dump.c
+++ b/libs/ir/mir/src/scc_mir_dump.c
@@ -1,8 +1,10 @@
 #include <arch/scc_x86_mir.h>
 #include <scc_mir_dump.h>
-void scc_x86_instr_dump(scc_tree_dump_t *td, const scc_mir_x86_instr_t *instr);
+void scc_x86_instr_dump(scc_tree_dump_t *td, const scc_mir_func_t *func,
-void scc_mir_dump_bblock(scc_mir_dump_ctx_t *ctx, const scc_mir_bblock_t *bb) {
+                        const scc_mir_x86_instr_t *instr);
 void scc_mir_dump_bblock(scc_mir_dump_ctx_t *ctx, const scc_mir_func_t *func,
                         const scc_mir_bblock_t *bb) {
    Assert(ctx != nullptr && bb != nullptr);
    scc_tree_dump_t *td = ctx->dump_ctx;
@@ -27,7 +29,7 @@ void scc_mir_dump_bblock(scc_mir_dump_ctx_t *ctx, const scc_mir_bblock_t *bb) {
                break;
            }
        } else {
-            scc_x86_instr_dump(td, (void *)instr);
+            scc_x86_instr_dump(td, func, (void *)instr);
        }
    }
 }
@@ -44,7 +46,7 @@ void scc_mir_dump_func(scc_mir_dump_ctx_t *ctx, const scc_mir_func_t *func) {
        scc_cfg_bblock_id_t id = scc_vec_at(func->bblocks, i);
        const scc_cfg_bblock_t *bb =
            scc_cfg_module_unsafe_get_bblock(&ctx->mir_module->cfg_module, id);
-        scc_mir_dump_bblock(ctx, bb);
+        scc_mir_dump_bblock(ctx, func, bb);
    }
 }
--- a/libs/ir/mir/src/scc_mir_pass.c
+++ b/libs/ir/mir/src/scc_mir_pass.c
@@ -65,6 +65,9 @@ void scc_mir_pass(scc_mir_module_t *mir_module, scc_mir_pass_stage_t stage) {
        return;
    }
    void scc_x86_peephole_optimize(scc_mir_module_t * module);
    // scc_x86_peephole_optimize(mir_module);
    scc_frame_layout_t frame_layout_ctx = {0};
    scc_win_pc_x64_frame_alloc_init(&frame_layout_ctx);
    scc_frame_layout(&frame_layout_ctx, mir_module);
--- a/libs/ir/mir/src/target/win64_abi.c
+++ b/libs/ir/mir/src/target/win64_abi.c
@@ -155,7 +155,7 @@ static void lower_call(void *userdata, const scc_lir_instr_t *instr) {
            add_instr_1(isel,
                        op.kind == SCC_X86_OPR_REG ? SCC_X86_IFORM_PUSH_GPRV_50
                                                   : SCC_X86_IFORM_PUSH_IMMZ,
-                        op);
+                        op, 8);
            break;
        }
    }
--- a/libs/ir2mcode/src/scc_ir2mcode.c
+++ b/libs/ir2mcode/src/scc_ir2mcode.c
@@ -8,6 +8,20 @@
 #include <x86/scc_x86_patch.h>
 #include <x86/scc_x86_reg.h>
 scc_x86_reg_t mir_x86_trans_gpr(scc_x86_reg_t reg, u8 size) {
    size *= 8;
    if (size == 0) {
        return reg;
    }
    for (scc_x86_reg_t i = 0; i < SCC_X86_REG_COUNT; i += 1) {
        if (scc_x86_reg_table[i].max_enclosing == reg &&
            scc_x86_reg_table[i].width == size) {
            return i;
        }
    }
    return reg;
 }
 void mir_x86_to_mcode(scc_mcode_t *mcode, scc_reloc_vec_t *relocs,
                      const scc_mir_x86_instr_t *_ins) {
    Assert(mcode != nullptr && _ins != nullptr);
@@ -24,15 +38,21 @@ void mir_x86_to_mcode(scc_mcode_t *mcode, scc_reloc_vec_t *relocs,
            Panic("can't convert vreg to mcode");
        if (scc_x86_op_is_slot(op_ptr))
            Panic("can't convert unresolved slot to mcode");
        ops[i] = *op_ptr;
        if (op_ptr->kind == SCC_X86_OPR_RELOC) {
            ops[i].kind = op_ptr->reloc.kind;
            switch (op_ptr->reloc.kind) {
            case SCC_X86_OPR_RELBR:
-                ops[i].imm0 = 0;
+                ops[i].brdisp = 0;
                break;
            case SCC_X86_OPR_MEM:
                ops[i].mem.base = SCC_X86_REG_RIP;
                ops[i].mem.index = SCC_X86_REG_INVALID;
                ops[i].mem.scale = 1;
                ops[i].mem.disp.displacement = 0;
                ops[i].mem.disp.displacement_bits = 32;
                break;
            default:
-                TODO();
+                Panic("unsupported reloc type %d", op_ptr->reloc.kind);
                break;
            }
            if (skip_reloc) {
@@ -55,8 +75,14 @@ void mir_x86_to_mcode(scc_mcode_t *mcode, scc_reloc_vec_t *relocs,
            } else {
                TODO();
            }
        } else if (op_ptr->kind == SCC_X86_OPR_REG) {
            ops[i].kind = SCC_X86_OPR_REG;
            ops[i].reg = mir_x86_trans_gpr(op_ptr->reg, op_ptr->size);
        } else {
            ops[i] = *op_ptr;
        }
    }
    scc_x86_encode_inst(mcode, ins->opcode, ops);
    if (!skip_reloc && reloc.target_kind != SCC_RELOC_TARGET_NONE) {
        reloc.offset = scc_mcode_size(mcode);
--- a/libs/ir2mcode/src/scc_ir2sccf.c
+++ b/libs/ir2mcode/src/scc_ir2sccf.c
@@ -31,10 +31,18 @@ static inline void scc_ir_sym_to_sccf_sym(const scc_cfg_symbol_t *symbol,
 static inline void scc_ir_symbol_to_sect_data(const scc_cfg_symbol_t *symbol,
                                              sccf_sect_data_t *sect_data) {
-    // scc_vec_foreach(value->data.const_array.fields, j) {
+    if (symbol->kind != SCC_CFG_SYMBOL_KIND_DATA) {
-    //     scc_vec_push(ctx->sect_data,
+        return;
-    //                  scc_vec_at(value->data.const_array.fields, j));
+    }
-    // }
+    scc_mir_symbol_meta_t *meta = SCC_MIR_SYMBOL_META(symbol);
    for (usize i = 0; i < meta->data.size; i += 1) {
        scc_vec_push(*sect_data, meta->data.init_data[i]);
    }
    // struct {
    //     u8 *init_data; // 初始化数据（若为 NULL 则零初始化）
    //     usize size;    // 数据大小（字节）
    //     int align;     // 对齐要求
    // } data;
 }
 static void emit_mir_module(sccf_builder_t *builder, scc_mcode_t *mcode,
@@ -122,14 +130,16 @@ void scc_ir2sccf(sccf_builder_t *builder, scc_mir_module_t *mir_module) {
            continue;
        }
-        sccf_sym_t sym = (sccf_sym_t){
+        sccf_sym_t sym = {0};
            .sccf_sect_offset = scc_vec_size(sect_data),
            .sccf_sym_size =
                4, // FIXME on windows using rel32, on linux using ?
        };
        scc_ir_sym_to_sccf_sym(symbol, &sym);
        // FIXME 区分只读
        if (sym.sccf_sect_type == SCCF_SECT_DATA ||
            sym.sccf_sect_type == SCCF_SECT_RODATA) {
            sym.sccf_sect_offset = scc_vec_size(sect_data);
            scc_ir_symbol_to_sect_data(symbol, &sect_data);
            sym.sccf_sym_size = scc_vec_size(sect_data) - sym.sccf_sect_offset;
        }
        usize sym_idx = sccf_builder_add_symbol(builder, symbol->name, &sym);
        Assert(sym_idx != 0);
--- a/libs/mcode/include/scc_mcode.h
+++ b/libs/mcode/include/scc_mcode.h
@@ -12,76 +12,76 @@ typedef SCC_VEC(u8) scc_mcode_buff_t;
 typedef struct {
    cbool is_littel_endian;
    scc_mcode_arch_t arch;
-    scc_mcode_buff_t mcode;
+    scc_mcode_buff_t code;
 } scc_mcode_t;
 static inline void scc_mcode_init(scc_mcode_t *mcode, scc_mcode_arch_t arch) {
-    scc_vec_init(mcode->mcode);
+    scc_vec_init(mcode->code);
    mcode->arch = arch;
    mcode->is_littel_endian = true;
 }
 static inline char *scc_mcode_unsafe_data(scc_mcode_t *mcode) {
-    return (char *)scc_vec_unsafe_get_data(mcode->mcode);
+    return (char *)scc_vec_unsafe_get_data(mcode->code);
 }
 static inline usize scc_mcode_size(scc_mcode_t *mcode) {
-    return scc_vec_size(mcode->mcode);
+    return scc_vec_size(mcode->code);
 }
 static inline void scc_mcode_drop(scc_mcode_t *mcode) {
-    scc_vec_free(mcode->mcode);
+    scc_vec_free(mcode->code);
    mcode->arch = SCC_MCODE_ARCH_NONE;
    mcode->is_littel_endian = true;
 }
 static inline void scc_mcode_add_u8(scc_mcode_t *mcode, u8 data) {
-    scc_vec_push(mcode->mcode, data);
+    scc_vec_push(mcode->code, data);
 }
 static inline void scc_mcode_add_u16(scc_mcode_t *mcode, u16 data) {
    if (mcode->is_littel_endian) {
-        scc_vec_push(mcode->mcode, (u8)(data & 0xFF));
+        scc_vec_push(mcode->code, (u8)(data & 0xFF));
-        scc_vec_push(mcode->mcode, (u8)(data >> 8));
+        scc_vec_push(mcode->code, (u8)(data >> 8));
    } else {
-        scc_vec_push(mcode->mcode, (u8)(data >> 8));
+        scc_vec_push(mcode->code, (u8)(data >> 8));
-        scc_vec_push(mcode->mcode, (u8)(data & 0xFF));
+        scc_vec_push(mcode->code, (u8)(data & 0xFF));
    }
 }
 static inline void scc_mcode_add_u32(scc_mcode_t *mcode, u32 data) {
    if (mcode->is_littel_endian) {
-        scc_vec_push(mcode->mcode, (u8)(data & 0xFF));
+        scc_vec_push(mcode->code, (u8)(data & 0xFF));
-        scc_vec_push(mcode->mcode, (u8)(data >> 8));
+        scc_vec_push(mcode->code, (u8)(data >> 8));
-        scc_vec_push(mcode->mcode, (u8)(data >> 16));
+        scc_vec_push(mcode->code, (u8)(data >> 16));
-        scc_vec_push(mcode->mcode, (u8)(data >> 24));
+        scc_vec_push(mcode->code, (u8)(data >> 24));
    } else {
-        scc_vec_push(mcode->mcode, (u8)(data >> 24));
+        scc_vec_push(mcode->code, (u8)(data >> 24));
-        scc_vec_push(mcode->mcode, (u8)(data >> 16));
+        scc_vec_push(mcode->code, (u8)(data >> 16));
-        scc_vec_push(mcode->mcode, (u8)(data >> 8));
+        scc_vec_push(mcode->code, (u8)(data >> 8));
-        scc_vec_push(mcode->mcode, (u8)(data & 0xFF));
+        scc_vec_push(mcode->code, (u8)(data & 0xFF));
    }
 }
 static inline void scc_mcode_add_u64(scc_mcode_t *mcode, uint64_t data) {
    if (mcode->is_littel_endian) {
-        scc_vec_push(mcode->mcode, (u8)(data & 0xFF));
+        scc_vec_push(mcode->code, (u8)(data & 0xFF));
-        scc_vec_push(mcode->mcode, (u8)(data >> 8));
+        scc_vec_push(mcode->code, (u8)(data >> 8));
-        scc_vec_push(mcode->mcode, (u8)(data >> 16));
+        scc_vec_push(mcode->code, (u8)(data >> 16));
-        scc_vec_push(mcode->mcode, (u8)(data >> 24));
+        scc_vec_push(mcode->code, (u8)(data >> 24));
-        scc_vec_push(mcode->mcode, (u8)(data >> 32));
+        scc_vec_push(mcode->code, (u8)(data >> 32));
-        scc_vec_push(mcode->mcode, (u8)(data >> 40));
+        scc_vec_push(mcode->code, (u8)(data >> 40));
-        scc_vec_push(mcode->mcode, (u8)(data >> 48));
+        scc_vec_push(mcode->code, (u8)(data >> 48));
-        scc_vec_push(mcode->mcode, (u8)(data >> 56));
+        scc_vec_push(mcode->code, (u8)(data >> 56));
    } else {
-        scc_vec_push(mcode->mcode, (u8)(data >> 56));
+        scc_vec_push(mcode->code, (u8)(data >> 56));
-        scc_vec_push(mcode->mcode, (u8)(data >> 48));
+        scc_vec_push(mcode->code, (u8)(data >> 48));
-        scc_vec_push(mcode->mcode, (u8)(data >> 40));
+        scc_vec_push(mcode->code, (u8)(data >> 40));
-        scc_vec_push(mcode->mcode, (u8)(data >> 32));
+        scc_vec_push(mcode->code, (u8)(data >> 32));
-        scc_vec_push(mcode->mcode, (u8)(data >> 24));
+        scc_vec_push(mcode->code, (u8)(data >> 24));
-        scc_vec_push(mcode->mcode, (u8)(data >> 16));
+        scc_vec_push(mcode->code, (u8)(data >> 16));
-        scc_vec_push(mcode->mcode, (u8)(data >> 8));
+        scc_vec_push(mcode->code, (u8)(data >> 8));
-        scc_vec_push(mcode->mcode, (u8)(data & 0xFF));
+        scc_vec_push(mcode->code, (u8)(data & 0xFF));
    }
 }
--- a/libs/mcode/include/x86/scc_x86_encode.h
+++ b/libs/mcode/include/x86/scc_x86_encode.h
@@ -45,16 +45,21 @@ typedef struct {
        scc_x86_mem_t mem;
        scc_x86_reloc_op_t reloc;
    };
    usize size;
 } scc_x86_operand_value_t;
 static inline scc_x86_operand_value_t scc_x86_op_preg(scc_x86_reg_t reg) {
    scc_x86_operand_value_t o = {.kind = SCC_X86_OPR_REG, .reg = reg};
    return o;
 }
 static inline scc_x86_reg_t scc_x86_op_vreg_reg(int vreg) {
    return (int)SCC_X86_REG_COUNT + vreg;
 }
 static inline scc_x86_operand_value_t scc_x86_op_vreg(int vreg) {
    scc_x86_operand_value_t o = {
        .kind = SCC_X86_OPR_REG,
-        .reg = (scc_x86_reg_t)((int)SCC_X86_REG_COUNT + vreg)};
+        .reg = scc_x86_op_vreg_reg(vreg),
    };
    return o;
 }
 static inline scc_x86_operand_value_t scc_x86_op_relbr(i32 rel) {
@@ -81,6 +86,16 @@ scc_x86_op_reloc_global_imm(const char *sym, i64 addend) {
    return op;
 }
 static inline scc_x86_operand_value_t
 scc_x86_op_reloc_global_relrip(const char *sym, i64 addend) {
    scc_x86_operand_value_t op = {.kind = SCC_X86_OPR_RELOC};
    op.reloc.kind = SCC_X86_OPR_MEM;
    op.reloc.target = SCC_X86_RELOC_TARGET_SYMBOL;
    op.reloc.global_name = sym;
    op.reloc.addend = addend;
    return op;
 }
 // 2. 全局符号重定位（相对跳转/调用：CALL/JMP rel32）
 static inline scc_x86_operand_value_t
 scc_x86_op_reloc_global_relbr(const char *sym, i64 addend) {
--- a/libs/mcode/include/x86/scc_x86_patch.h
+++ b/libs/mcode/include/x86/scc_x86_patch.h
@@ -23,8 +23,6 @@ static inline void patch_bytes(scc_mcode_t *mcode, usize offset,
    scc_memcpy(buf + offset, data, size);
 }
 /* ---------- 实现补丁接口 ---------- */
 static inline int scc_x86_patch_disp(scc_mcode_t *mcode, usize offset,
                                     scc_x86_disp_t disp) {
    if (!mcode || disp.displacement_bits == 0)
--- a/libs/mcode/src/scc_x86_encode.c
+++ b/libs/mcode/src/scc_x86_encode.c
@@ -37,11 +37,19 @@ static inline int scc_reg_ordinal(scc_x86_reg_t reg) {
 static int reg_low3(scc_x86_reg_t reg) {
    if (reg == SCC_X86_REG_INVALID)
        return 0;
    // RIP/EIP/IP 必须返回 5，否则无法编码 RIP 相对寻址
    if (reg == SCC_X86_REG_RIP || reg == SCC_X86_REG_EIP ||
        reg == SCC_X86_REG_IP)
        return 5;
    return scc_reg_ordinal(reg) & 7;
 }
 static int reg_rex_bit(scc_x86_reg_t reg) {
    if (reg == SCC_X86_REG_INVALID)
        return 0;
    // RIP 不需要 REX 扩展
    if (reg == SCC_X86_REG_RIP || reg == SCC_X86_REG_EIP ||
        reg == SCC_X86_REG_IP)
        return 0;
    if (reg >= SCC_X86_REG_AH && reg <= SCC_X86_REG_DH)
        return 0;
    return (scc_reg_ordinal(reg) >= 8) ? 1 : 0;
@@ -138,9 +146,11 @@ static void emit_legacy_prefixes(scc_mcode_t *m, const scc_x86_encoding_t *enc,
 static void emit_rex(scc_mcode_t *m, const scc_x86_encoding_t *enc,
                     scc_x86_reg_t reg_op, scc_x86_reg_t rm_op,
-                     scc_x86_reg_t base, scc_x86_reg_t idx) {
+                     scc_x86_reg_t base, scc_x86_reg_t idx,
                     int op_width) { // 新增 op_width 参数
    int rex = 0x40;
-    if (need_rexw(enc, reg_op, rm_op, base, idx))
+    // 仅当 op_width == 64 时才考虑 REX.W
    if (op_width == 64 && need_rexw(enc, reg_op, rm_op, base, idx))
        rex |= 8;
    if (reg_op != SCC_X86_REG_INVALID && reg_rex_bit(reg_op))
        rex |= 4;
@@ -154,7 +164,6 @@ static void emit_rex(scc_mcode_t *m, const scc_x86_encoding_t *enc,
        emit_u8(m, (uint8_t)rex);
    }
 }
 static void emit_escape_map(scc_mcode_t *m, const scc_x86_encoding_t *enc) {
    if (enc->map == 1) {
        emit_u8(m, 0x0F);
@@ -196,15 +205,17 @@ static int scale_to_enc(uint8_t scale) {
    }
 }
 /* 修正：位移大小只由数值范围决定，与基址寄存器无关 */
 static int disp_size(int32_t disp, scc_x86_reg_t base) {
-    if (disp == 0 && base != SCC_X86_REG_RBP && base != SCC_X86_REG_R13)
+    (void)base;
    if (disp == 0)
        return 0;
    if (disp >= -128 && disp <= 127)
        return 8;
    return 32;
 }
-/* ---------- 立即数发射（独立函数） ---------- */
+/* ---------- 立即数发射 ---------- */
 static void emit_immediate(scc_mcode_t *m, const scc_x86_encoding_t *enc,
                           const scc_x86_operand_t *tmpl, int imm_idx,
                           int64_t imm_val, int op_width) {
@@ -285,17 +296,58 @@ static void emit_modrm_sib_disp(scc_mcode_t *m,
             scc_reg_ordinal(reg_r), reg_b, scc_reg_ordinal(reg_b));
    uint8_t modrm = 0;
    if (has_mem) {
        // ========== RIP 相对寻址特殊处理 ==========
        if (memdesc.base == SCC_X86_REG_RIP &&
            memdesc.index == SCC_X86_REG_INVALID) {
            // RIP 相对：mod=00, r/m=101，位移固定 32 位
            if (reg_r != SCC_X86_REG_INVALID)
                modrm |= (reg_low3(reg_r) & 7) << 3;
            else if (enc->modrm_reg_fix >= 0)
                modrm |= (enc->modrm_reg_fix & 7) << 3;
            modrm |= 0x05; // r/m = 101
            emit_u8(m, modrm);
            // 写入 32 位位移（小端）
            int32_t disp32 = (int32_t)memdesc.disp.displacement;
            emit_u32(m, (uint32_t)disp32);
            // 处理立即数（如果有）
            if (imm_idx >= 0) {
                emit_immediate(m, enc, tmpl, imm_idx, imm_val, op_width);
            }
            return; // 已处理完，跳过后续 SIB/位移逻辑
        }
        // ==========================================
        if (reg_r != SCC_X86_REG_INVALID)
            modrm |= (reg_low3(reg_r) & 7) << 3;
        else if (enc->modrm_reg_fix >= 0)
            modrm |= (enc->modrm_reg_fix & 7) << 3;
        int32_t disp = memdesc.disp.displacement;
-        int dsize = disp_size(disp, memdesc.base);
+        // 优先使用用户指定的 displacement_bits，转换为字节数
-        modrm |= (dsize == 0) ? 0 : (dsize == 8) ? 0x40 : 0x80;
+        int dsize = 0;
        if (memdesc.disp.displacement_bits != 0) {
            dsize = memdesc.disp.displacement_bits / 8;
            if (dsize != 1 && dsize != 2 && dsize != 4 && dsize != 8)
                dsize = 0; // 无效则回退
        }
        if (dsize == 0) {
            // 使用自动计算：disp_size 返回位数，除以 8 得字节数
            int bits = disp_size(disp, memdesc.base);
            dsize = bits / 8;
        }
        // 设置 ModRM 的 mod 字段
        if (dsize == 0)
            modrm |= 0x00;
        else if (dsize == 1)
            modrm |= 0x40;
        else if (dsize == 2 || dsize == 4 || dsize == 8)
            modrm |= 0x80; // 2/4/8 字节位移均使用 mod=10b
        if (memdesc.index != SCC_X86_REG_INVALID) {
            // SIB 寻址
            modrm |= 4;
            int idx_ord = scc_reg_ordinal(memdesc.index);
            int base_ord = scc_reg_ordinal(memdesc.base);
@@ -306,45 +358,57 @@ static void emit_modrm_sib_disp(scc_mcode_t *m,
                                    (base_ord & 7));
            emit_u8(m, modrm);
            emit_u8(m, sib);
-            if (dsize == 8)
+            if (dsize == 1)
                emit_u8(m, (uint8_t)disp);
-            else if (dsize == 32)
+            else if (dsize == 2)
                emit_u16(m, (uint16_t)disp);
            else if (dsize == 4)
                emit_u32(m, (uint32_t)disp);
            else if (dsize == 8)
                emit_u64(m, (uint64_t)disp);
        } else if (memdesc.base == SCC_X86_REG_INVALID) {
            // 绝对地址：mod=00, r/m=101，位移 32 位
            modrm |= 5;
            emit_u8(m, modrm);
            emit_u32(m, (uint32_t)disp);
        } else {
            // 一般基址寻址
            int base_ord = scc_reg_ordinal(memdesc.base);
            if (memdesc.base == SCC_X86_REG_RSP ||
                memdesc.base == SCC_X86_REG_R12) {
                // 需要 SIB（基址为 RSP/R12 时强制）
                modrm |= 4;
                uint8_t sib = (uint8_t)((base_ord & 7) | (4 << 3));
                emit_u8(m, modrm);
                emit_u8(m, sib);
-                if (dsize == 8)
+                if (dsize == 1)
                    emit_u8(m, (uint8_t)disp);
-                else if (dsize == 32)
+                else if (dsize == 2)
                    emit_u16(m, (uint16_t)disp);
                else if (dsize == 4)
                    emit_u32(m, (uint32_t)disp);
                else if (dsize == 8)
                    emit_u64(m, (uint64_t)disp);
            } else {
                modrm |= (base_ord & 7);
                emit_u8(m, modrm);
-                if (dsize == 8)
+                if (dsize == 1)
                    emit_u8(m, (uint8_t)disp);
-                else if (dsize == 32)
+                else if (dsize == 2)
                    emit_u16(m, (uint16_t)disp);
                else if (dsize == 4)
                    emit_u32(m, (uint32_t)disp);
                else if (dsize == 8)
                    emit_u64(m, (uint64_t)disp);
            }
        }
    } else {
-        // 特殊情况：只有一个显式寄存器操作数，且 reg_fix/rm_fix 均未指定，且
+        // 没有内存操作数：寄存器-寄存器或单个寄存器
        // mod_fix == 3 此时操作数应放在 rm 字段，reg 字段固定为 0（例如 SETZ
        // 指令）
        int is_single_reg_op =
            (info->num_explicit_ops == 1 && enc->modrm_reg_fix == -1 &&
             enc->modrm_rm_fix == -1 && enc->mod_fix == 3);
        if (is_single_reg_op && reg_r != SCC_X86_REG_INVALID &&
            reg_b == SCC_X86_REG_INVALID) {
            // 操作数作为 rm，reg 部分为 0
            modrm = 0xC0 | (reg_low3(reg_r) & 7);
            emit_u8(m, modrm);
            LOG_INFO("[MODRM] single reg operand treated as rm, emit 0x%02x",
@@ -369,28 +433,126 @@ static void emit_modrm_sib_disp(scc_mcode_t *m,
            emit_u8(m, modrm);
        }
    }
    LOG_INFO("[MODRM] emit byte 0x%02x", modrm);
-    /* 立即数在 ModRM 后发射 */
+    // 立即数在 ModRM 后发射
    if (imm_idx >= 0) {
        emit_immediate(m, enc, tmpl, imm_idx, imm_val, op_width);
    }
 }
 static scc_x86_iform_t adapt_iform_to_8bit(scc_x86_iform_t iform,
                                           const scc_x86_operand_value_t *ops,
                                           int num_ops) {
    // 只处理第一个操作数是 8
    // 位寄存器的情况（大多数指令的目标或源是第一个寄存器）
    if (num_ops > 0 && ops[0].kind == SCC_X86_OPR_REG &&
        scc_reg_width(ops[0].reg) == 8) {
        switch (iform) {
        // ---- MOV 类 ----
        case SCC_X86_IFORM_MOV_GPRV_IMMV:
        case SCC_X86_IFORM_MOV_GPRV_IMMZ:
            return SCC_X86_IFORM_MOV_GPR8_IMMB_B0;
        case SCC_X86_IFORM_MOV_GPRV_GPRV_89: // mov r/m, r
            return SCC_X86_IFORM_MOV_GPR8_GPR8_88;
        case SCC_X86_IFORM_MOV_GPRV_GPRV_8B: // mov r, r/m
            return SCC_X86_IFORM_MOV_GPR8_GPR8_8A;
        case SCC_X86_IFORM_MOV_GPRV_MEMV: // mov r, mem
            return SCC_X86_IFORM_MOV_GPR8_MEMB;
        case SCC_X86_IFORM_MOV_MEMV_GPRV: // mov mem, r
            return SCC_X86_IFORM_MOV_MEMB_GPR8;
        // ---- ADD ----
        case SCC_X86_IFORM_ADD_GPRV_IMMB:
        case SCC_X86_IFORM_ADD_GPRV_IMMZ:
            return SCC_X86_IFORM_ADD_GPR8_IMMB_80R0;
        case SCC_X86_IFORM_ADD_GPRV_GPRV_01: // add r/m, r
            return SCC_X86_IFORM_ADD_GPR8_GPR8_00;
        case SCC_X86_IFORM_ADD_GPRV_GPRV_03: // add r, r/m
            return SCC_X86_IFORM_ADD_GPR8_GPR8_02;
        // ---- SUB ----
        case SCC_X86_IFORM_SUB_GPRV_IMMB:
        case SCC_X86_IFORM_SUB_GPRV_IMMZ:
            return SCC_X86_IFORM_SUB_GPR8_IMMB_80R5;
        case SCC_X86_IFORM_SUB_GPRV_GPRV_29:
            return SCC_X86_IFORM_SUB_GPR8_GPR8_28;
        case SCC_X86_IFORM_SUB_GPRV_GPRV_2B:
            return SCC_X86_IFORM_SUB_GPR8_GPR8_2A;
        // ---- CMP ----
        case SCC_X86_IFORM_CMP_GPRV_IMMB:
        case SCC_X86_IFORM_CMP_GPRV_IMMZ:
            return SCC_X86_IFORM_CMP_GPR8_IMMB_80R7;
        case SCC_X86_IFORM_CMP_GPRV_GPRV_39:
            return SCC_X86_IFORM_CMP_GPR8_GPR8_38;
        case SCC_X86_IFORM_CMP_GPRV_GPRV_3B:
            return SCC_X86_IFORM_CMP_GPR8_GPR8_3A;
        // ---- AND ----
        case SCC_X86_IFORM_AND_GPRV_IMMB:
        case SCC_X86_IFORM_AND_GPRV_IMMZ:
            return SCC_X86_IFORM_AND_GPR8_IMMB_80R4;
        case SCC_X86_IFORM_AND_GPRV_GPRV_21:
            return SCC_X86_IFORM_AND_GPR8_GPR8_20;
        // ---- OR ----
        case SCC_X86_IFORM_OR_GPRV_IMMB:
        case SCC_X86_IFORM_OR_GPRV_IMMZ:
            return SCC_X86_IFORM_OR_GPR8_IMMB_80R1;
        case SCC_X86_IFORM_OR_GPRV_GPRV_09:
            return SCC_X86_IFORM_OR_GPR8_GPR8_08;
        // ---- XOR ----
        case SCC_X86_IFORM_XOR_GPRV_IMMB:
        case SCC_X86_IFORM_XOR_GPRV_IMMZ:
            return SCC_X86_IFORM_XOR_GPR8_IMMB_80R6;
        case SCC_X86_IFORM_XOR_GPRV_GPRV_31:
            return SCC_X86_IFORM_XOR_GPR8_GPR8_30;
        // ---- TEST ----
        case SCC_X86_IFORM_TEST_GPRV_GPRV:
            return SCC_X86_IFORM_TEST_GPR8_GPR8;
        case SCC_X86_IFORM_TEST_GPRV_IMMZ_F7R0:
            return SCC_X86_IFORM_TEST_GPR8_IMMB_F6R0;
        // ---- INC/DEC ----
        case SCC_X86_IFORM_INC_GPRV_40:
        case SCC_X86_IFORM_INC_GPRV_FFR0:
            return SCC_X86_IFORM_INC_GPR8;
        case SCC_X86_IFORM_DEC_GPRV_48:
        case SCC_X86_IFORM_DEC_GPRV_FFR1:
            return SCC_X86_IFORM_DEC_GPR8;
        // ---- NEG/NOT ----
        case SCC_X86_IFORM_NEG_GPRV:
            return SCC_X86_IFORM_NEG_GPR8;
        case SCC_X86_IFORM_NOT_GPRV:
            return SCC_X86_IFORM_NOT_GPR8;
        // ---- 移位操作 ----
        case SCC_X86_IFORM_SHL_GPRV_ONE_D1R4:
            return SCC_X86_IFORM_SHL_GPR8_ONE_D0R4;
        case SCC_X86_IFORM_SHR_GPRV_ONE:
            return SCC_X86_IFORM_SHR_GPR8_ONE;
        case SCC_X86_IFORM_SAR_GPRV_ONE:
            return SCC_X86_IFORM_SAR_GPR8_ONE;
        // ---- 其他（根据需求继续添加）----
        default:
            break;
        }
    }
    return iform;
 }
 /* ---------- 主编码入口 ---------- */
 int scc_x86_encode_inst(scc_mcode_t *mcode, scc_x86_iform_t iform,
                        const scc_x86_operand_value_t *ops) {
    if (!mcode || !ops)
        return -1;
-
+    if (iform >= SCC_X86_IFORM_COUNT)
    if (iform >= SCC_X86_IFORM_COUNT || iform < 0)
        Panic("invalid iform %d", iform);
    const scc_x86_iform_info_t *info = &scc_x86_iform_table[iform];
    int num_ops = info->num_explicit_ops;
    // FIXME 自动适配 8 位操作数
    iform = adapt_iform_to_8bit(iform, ops, num_ops);
    // FIXME 重新获取 info 因为 iform 可能变了
    info = &scc_x86_iform_table[iform];
    const scc_x86_encoding_t *enc = &info->encode;
    const scc_x86_operand_t *tmpl = info->ops;
    int num_ops = info->num_explicit_ops;
    LOG_INFO("[IFORM] %s, explicit_ops=%d (total=%d)", info->iform_name,
             num_ops, info->num_ops);
@@ -399,7 +561,6 @@ int scc_x86_encode_inst(scc_mcode_t *mcode, scc_x86_iform_t iform,
    scc_x86_reg_t base_reg = SCC_X86_REG_INVALID;
    scc_x86_reg_t idx_reg = SCC_X86_REG_INVALID;
    /* ---------- 收集立即数信息（用于无 ModRM 指令） ---------- */
    int64_t imm_val = 0;
    int imm_idx = -1;
    for (int i = 0; i < num_ops; i++) {
@@ -407,16 +568,15 @@ int scc_x86_encode_inst(scc_mcode_t *mcode, scc_x86_iform_t iform,
        if (ops[i].kind == SCC_X86_OPR_REG) {
            if (scc_strcmp(tname, "REG0") == 0) {
                if (enc->modrm_reg_fix >= 0)
-                    rm_field = ops[i].reg; // reg固定 → REG0为rm
+                    rm_field = ops[i].reg;
                else
-                    reg_field = ops[i].reg; // 否则为reg
+                    reg_field = ops[i].reg;
            } else if (scc_strcmp(tname, "REG1") == 0) {
                if (enc->modrm_rm_fix >= 0)
-                    reg_field = ops[i].reg; // rm固定 → REG1为reg
+                    reg_field = ops[i].reg;
                else
-                    rm_field = ops[i].reg; // 否则为rm
+                    rm_field = ops[i].reg;
            } else {
                // 未命名的寄存器，按先 reg 后 rm 填充
                if (reg_field == SCC_X86_REG_INVALID)
                    reg_field = ops[i].reg;
                else if (rm_field == SCC_X86_REG_INVALID)
@@ -432,38 +592,33 @@ int scc_x86_encode_inst(scc_mcode_t *mcode, scc_x86_iform_t iform,
        }
    }
-    // ===== 新增：特殊处理 SETZ 类指令（只有一个寄存器操作数，mod_fix=3 且
+    // 特殊处理 SETZ 等单寄存器指令
    // reg_fix/rm_fix 未指定）=====
    if (enc->has_modrm && info->num_explicit_ops == 1 &&
        enc->modrm_reg_fix == -1 && enc->modrm_rm_fix == -1 &&
        enc->mod_fix == 3) {
        if (reg_field != SCC_X86_REG_INVALID &&
            rm_field == SCC_X86_REG_INVALID) {
            // 将操作数从 reg_field 移到 rm_field
            rm_field = reg_field;
            reg_field = SCC_X86_REG_INVALID;
        }
    }
    // ========================================================================
    int op_width = infer_operand_width(info, ops);
    LOG_INFO("[OPWIDTH] %d bits", op_width);
    // +++ 新增：无 ModRM 时，寄存器用 REX.B 扩展 +++
    if (!enc->has_modrm) {
        rm_field = reg_field;
        reg_field = SCC_X86_REG_INVALID;
    }
    emit_legacy_prefixes(mcode, enc, reg_field, rm_field, base_reg, idx_reg);
-    emit_rex(mcode, enc, reg_field, rm_field, base_reg, idx_reg);
+    emit_rex(mcode, enc, reg_field, rm_field, base_reg, idx_reg, op_width);
    emit_escape_map(mcode, enc);
    if (enc->has_modrm) {
        emit_opcode(mcode, enc, rm_field, base_reg);
        emit_modrm_sib_disp(mcode, info, ops, op_width);
    } else {
        // 无 ModRM：opcode 中的寄存器来自 rm_field
        emit_opcode(mcode, enc, rm_field, base_reg);
        if (imm_idx >= 0) {
            emit_immediate(mcode, enc, tmpl, imm_idx, imm_val, op_width);
--- a/libs/target/sccf2target/src/sccf2pe.c
+++ b/libs/target/sccf2target/src/sccf2pe.c
@@ -230,9 +230,8 @@ void sccf2pe(scc_pe_builder_t *builder, const sccf_t *sccf) {
        // if (reloc->reloc_type == SCCF_RELOC_TYPE_ABS) {
        //     TODO();
        // }
-        scc_x86_patch(&mcode, SCC_X86_PATCH_PC32,
+        scc_x86_patch(&mcode, SCC_X86_PATCH_PC32, reloc->offset + reloc->addend,
-                      code_range.virual_address + reloc->offset + reloc->addend,
+                      (i64)rva - (i64)code_range.virual_address);
                      rva);
    }
    *(scc_mcode_buff_t *)code_data = mcode.code;