CS 2150
Program and Data Representation
Mark Floryan (mrf8t@virginia.edu)
Aaron Bloomfield (aaron@virginia.edu)
@github | ↑ | 
32 bit x86 (assembly language)
CS 2150 Roadmap
Data Representation | Program Representation | |||||
| string int x[3] char x 0x9cd0f0ad 01101011 |
 |
Objects Arrays Primitive types Addresses bits |
Java code C++ code C code x86 code IBCM hexadecimal |
 |
High-level language Low-level language Assembly language Machine code |
|
Contents
Introduction to x86
x86 Instruction Set
Calling Conventions
Callee Rules
Caller Rules
Activation Records
x86 Examples
Introduction to x86
History of x86
|
|
IBCM vs. x86: Registers
IBCM vs. x86: Fetch Execute Cycle (same)
while(power is on) {
IR := mem[PC]
PC := PC + 1 (word) // 32-bits in x86
execute instruction in IR
}- PC = program counter
- IR = instruction register
Declaring Variables in x86
|
Directives
|
|
mov command
mov <dest>, <src>- Where dest and src can be:
- A register
- A constant
- Variable name
- Pointer: [ebx]
- (but with a few exceptions we'll see shortly)
Addressing Memory
|
Incorrect: (why?) |
|
Memory:
| |||||||||||||||||||||||||||||||||||||||||||
mov eax, [4*esi-edx]
- Valid
- Invalid
- Not sure
mov eax, [4*esi+4]
- Valid
- Invalid
- Not sure
mov eax, [4*esi+edx+8]
- Valid
- Invalid
- Not sure
mov eax, [esi+4*edx]
- Valid
- Invalid
- Not sure
mov eax+4, [esi]
- Valid
- Invalid
- Not sure
Memory addressing restrictions
- The destination cannot be a constant (duh!)
- You cannot access memory twice in one instruction
- As the CPU does not have enough time to do so at that clock speed
- So the following instructions are invalid:
mov [eax], [var] mov [eax+4], [ebx] mov 20, [eax]
x86 Instruction Set
x86 Instruction Set
- Data movement instructions
- Arithmetic instructions
- Logical instructions
- Control instructions
Data Movement Instructions, part 1
mov- We've seen this in detail already
push- First decrements ESP (stack pointer) by 4 (stack grows down)
- push (mov) operand onto stack (4 bytes)
push eax push [var]
Data Movement Instructions, part 2
pop- Pop top element of stack to memory or register, then increment stack pointer (ESP) by 4
- Value is written to the parameter
pop eax pop [var]
lea- Load effective address
- Place address of second parameter into the first parameter
lea eax, [var] lea edi, [ebx+4*esi]
Arithmetic Instructions, part 1
add,subadd <reg>, <reg> add <reg>, <mem> add <mem>, <reg> add <reg>, <constant> add <mem>, <constant>- Adds (or subtracts), storing result in first operand
- Similar restrictions as with data movement instructions:
- Destination cannot be a constant
- Memory cannot be accessed twice
Arithmetic Instructions, part 2
inc,dec(increment and decrement by one)inc <reg> inc <mem>- Specific examples:
dec eax inc [var]
- Specific examples:
imulimul <reg32>, <reg32> (or <mem>) imul <reg32>, <reg32> (or <mem>), <con>idiv- Divide 64-bit integer in EDX:EAX by operand
idiv ebx
- Divide 64-bit integer in EDX:EAX by operand
Logical Instructions
and,or,xorand <reg>, <reg> and <reg>, <mem> and <mem>, <reg>- Specific examples:
and eax, 0fH xor ecx, ecx
Control Instructions, part 1
jmp <label>- go to instruction address specified by label
cmp- This must be done prior to an conditional jump
- cmp operand1, operand2
- Operand1 can be a register or memory (variable)
- Operand2 can be a register, memory (variable), or a constant
- Recall that you can't access memory twice!
- Sets the machine status word
Control Instructions, part 2
- Conditional jumps: jcondition
- Uses the machine status word, which was set via
cmp- Which holds info about the results of the last instruction
- There are many 'condition's to determine whether to jump
- Example:
je <label>- Jump when condition code equal is set
- Others:
jne,jz,jg,jge,jl,jle,js, etc.
- Uses the machine status word, which was set via
Control Instructions, part 3
call <label>- Subroutine call
- Pushes address of the next instruction onto the stack, then unconditionally jumps to the label
ret- Subroutine return
- Pops the return address from the stack, then jumps to that address
A code block in both C/C++ and Assembly
C/C++ code: |
Assembly code: |
Calling Conventions
Calling of a subroutine
int max(int x, int y) {
int theMax = (x > y) ? x : y;
return theMax;
}
int main() {
int a = 5, b = 6;
int maxVal = max(a,b);
cout << "Max value: " << maxVal << endl;
return 0;
}Calling Conventions
- What is a calling convention?
- A set of rules/expectations between functions
- How (and where) are parameters passed?
- Which registers does the calling function expect to be preserved?
- Where should local variables be stored?
- How/where should results be returned from functions?
- A set of rules/expectations between functions
- Why?
- Separate programmers can:
- Share code more easily
- Develop libraries
- Separate programmers can:
C Calling Convention
- Why C's calling convention?
- It's important
- Is used with both C and C++ code
- Can enable calling C library functions from assembly code
- Or other languages, too
C Calling Convention
- Uses hardware stack (memory)
- Stack grows down, toward the lower memory addresses
- x86 instructions used for calling convention
poppushcallret
- Using a stack for calling convention is implemented on most processors. Why?
- Recursion
C Calling Convention Overview
- Answers to questions
- Parameters: passed on the stack
- Registers: saved on the stack
- Local variables: placed in memory on the stack
- Return value: eax register
Calling Convention Overview
- Two sets of rules
- Caller: the function which calls another function
- Callee: the function which is called by another function
Caller vs. Callee
void foo() {
// some function code ...
}
int main() {
foo();
return 0;
}main()is the callerfoo()is the callee
Register usage
- One register is used for the return value: eax
- Three registers may be modified by the callee: eax, ecx, edx
- If the caller wants to keep those values, they need to be saved by pushing them onto the stack
- And note eax is where the return value goes
- Three registers may not be modified by a subroutine call: ebx, edi, esi
- If the subroutine wants to modify them, it needs to back them up first (onto the stack) and restore them before returning
- Two registers should almost never be modified directly: ebp, esp
- There is an exception: ebp is modified in one case by the callee
Varying number of parameters
- Three ways to have a variable number of parameters:
- Method overloading
Foo::bar(int)andFoo::bar(int, float)
- Default parameters
Foo::bar (int x = 3)
- Variable arguments
- As seen next...
- Method overloading
Variable number of arguments in C/C++
This code adapted from here
#include <cstdarg>
#include <iostream>
using namespace std;
double average (int num, ...) {
va_list arguments;
double sum = 0;
va_start (arguments, num);
for ( int x = 0; x < num; x++ )
sum += va_arg (arguments, double);
va_end (arguments);
return sum / num;
}
int main() {
cout << average(3, 12.2, 22.3, 4.5) << endl;
cout << average(5, 3.3, 2.2, 1.1, 5.5, 3.3) << endl;
}Dissection of the average() function
- Create a data structure to hold the list of arguments:
va_list arguments; - Initialize the arguments to store all values after num:
va_start ( arguments, num ); - Loop until all numbers are added:
for ( int x = 0; x < num; x++ ) - Adds the next value in argument list to sum:
sum += va_arg ( arguments, double ); - Clean up the list:
va_end ( arguments ); - Return the average:
return sum / num;
Example: Output in C
The C equivalent of cout is a function called printf
printf ("A %s, a %s, a %s: %s!\n", "man",
"plan", "canal", "Panama");
printf ("A percent sign: %%\n");
printf ("An int: %d\n", i);
printf ("A float with 2 decimal digits: %.2f\n",
float_value);Output:
A man, a plan, a canal: Panama!
A percent sign: %
An int: 3
A float with 2 decimal digits: 3.14Caller Rules
Caller Summary
- Prologue
- Tasks to take care of BEFORE calling a subroutine
- Call the subroutine with the
callopcode - Epilogue
- Tasks to complete AFTER subroutine call returns
- (It is not really called this, but I use this to parallel the equivalent components in the callee convention)
Callee Summary
- Prologue
- Tasks to perform BEFORE executing the function body
- Function body
- Epilogue
- Tasks to perform AFTER executing function body, but BEFORE leaving function
Caller Rules/Responsibilities
- Before calling the function (the prologue)
- Save registers that might be needed after the call (eax, ecx, edx)
- Push parameters on the stack
- Call the function
callinstruction places return address in stack
- After the called function returns (the epilogue)
- Remove parameters from stack
- Restore saved registers
Caller Rules ("Prologue")
- Caller-saved registers
- Registers which the calling function (caller) must save (push onto the stack) ONLY if it wants the values preserved.
- eax, ecx, edx
- Parameters
- Pushed in reverse order (last parameter first) onto stack
- Call the subroutine
- Use the
callinstruction- pushes the return address onto the stack and branches to the subroutine
Caller Rules ("Epilogue")
- Remove parameters
- Parameters pushed onto stack must be removed
- Restore stack to the state before the call
- What is done with the parameters?
- Parameters pushed onto stack must be removed
- Return value
- If any, held in eax
- Restore caller-saved registers
- eax, ecx, edx
popthem off the stack (Caller can assume no other registers were modified)
Caller Rules Example
We'll see this code in the following slides:
int myFunc(int a, int b, int c) {
int result;
// some code
return result;
}
int main() {
int x = 1, z = 3;
int retVal = myFunc(x, 123, z);
//...
return 0;
}Caller Rules Example
push edx ; caller wants edx to be preserved
; int retVal = myFunc(x, 123, z);
push [z] ; Push last param first
push 123 ; push constant 123
push eax ; push first param last
call myFunc ; call the function
add esp, 12 ; clean up stack
pop edx ; restore saved edx value
; return value of myFunc is now available in eax
; (if there is any return value)Stack Memory Visualization for myFunc
This is just before the call opcode is invoked.
| ↑ | value of edx | |||
| To higher addresses | copy of var z | |||
| (to 0xffffffff) | 123 | |||
| value of eax (var x) | ← esp | |||
| To lower addresses | ||||
| (to 0x00000000) | ||||
| ↓ |
Stack Memory Visualization for myFunc
This is just after the call opcode is invoked.
| ↑ | value of edx | |||
| To higher addresses | copy of var z | |||
| (to 0xffffffff) | 123 | |||
| value of eax (var x) | ||||
| return address | ← esp | |||
| To lower addresses | ||||
| (to 0x00000000) | ||||
| ↓ |
Callee Rules
Callee Summary (again)
- Prologue
- Tasks to perform BEFORE executing the function body
- Function body
- Epilogue
- Tasks to perform AFTER executing function body, but BEFORE leaving function
Caller Rules Example
We'll see this code in the following slides:
int myFunc(int a, int b, int c) {
int result;
// some code
return result;
}
int main() {
int x = 1, z = 3;
int retVal = myFunc(x, 123, z);
//...
return 0;
}Callee Rules (Prologue)
Before the body of the function:
- Push ebp and copy esp into ebp
push ebp mov ebp, esp
- ebp: snapshot of esp when subroutine starts
- Parameters and local variables are known distances/offsets from this pointer value
- Allocate local variables
- Make space on stack (decrement stack pointer)
sub esp, 4
- Make space on stack (decrement stack pointer)
Callee Rules (Prologue)
- Save callee-save registers
- ebx, edi, esi (push them onto stack)
- only need to do this if callee intends to use them, otherwise, no need to save their contents
THEN, perform body of the function
Callee Rules (Epilogue)
- Return value saved to eax
- Restore callee-saved registers
popfrom stack (in reverse order from which pushed)
- Deallocate local variables
mov esp, ebp - Restore base pointer
pop ebp - Return
ret
Callee Rules Example
With a bit more code in the myFunc() body:
int myFunc(int a, int b, int c) {
int result;
result = c;
result += b;
return result;
}
int main() {
int x = 1, z = 3;
int retVal = myFunc(x, 123, z);
//...
return 0;
}Callee Rules Example (1)
section .text
myFunc:
; prologue
push ebp ; save old base pointer
mov ebp, esp ; set new base pointer
sub esp, 4 ; save room for 1 local var (result)
push ebx ; save callee-save registers
push esi ; both will be used by myFuncCallee Rules Example (2)
; subroutine body
mov eax, [ebp+8] ; param 1 to eax
mov esi, [ebp+12] ; param 2 to esi
mov ebx, [ebp+16] ; param 3 to ebx
mov [ebp-4], ebx ; put ebx into local var
add [ebp-4], esi ; add esi into local var
mov eax, [ebp-4] ; mov contents of local var to eax
; (return value/final result)Callee Rules Example (3)
; subroutine epilogue
pop esi ; recover callee save registers
pop ebx ; REVERSE of when pushed
mov esp, ebp ; deallocate local var(s)
pop ebp ; restore caller's base pointer
ret ; pop top value from stack, jump thereStack Memory Visualization for myFunc
This is just after the caller invokes the call opcode.
| ↑ | value of edx | ↖ ebp | ||
| To higher addresses | copy of var z | |||
| (to 0xffffffff) | 123 | |||
| value of eax (var x) | ||||
| return address | ← esp | |||
| To lower addresses | ||||
| (to 0x00000000) | ||||
| ↓ |
Stack Memory Visualization for myFunc
This is just after the callee invokes the push ebp opcode.
| ↑ | value of edx | ↖ ebp | ||
| To higher addresses | copy of var z | |||
| (to 0xffffffff) | 123 | |||
| value of eax (var x) | ||||
| return address | ||||
| ebp backup | ← esp | |||
| To lower addresses | ||||
| (to 0x00000000) | ||||
| ↓ |
Stack Memory Visualization for myFunc
This is after the myFunc() prologue is completed.
| ↑ | value of edx | |||
| To higher addresses | copy of var z | [ebp+16] | ||
| (to 0xffffffff) | 123 | [ebp+12] | ||
| value of eax (var x) | [ebp+8] | |||
| return address | ||||
| ebp backup | ← ebp | |||
| To lower addresses | local variable | [ebp-4] | ||
| (to 0x00000000) | saved value of ebx | |||
| ↓ | saved value of esi | ← esp |
|
|
||||||||||||||||||||||||||||||||||||||||||||||
Activation Records
Activation Records
|
|
Memory management
- The binary program takes up a fixed amount of space
- The size of the file (say, 10k, as an example)
- There are two types of memory that need to be handled:
- Dynamic memory (via
new,malloc(), etc.)- This is stored on the heap
- Static memory (on the stack)
- This is where the activation records are kept
- Dynamic memory (via
Memory management
- The binary program starts at the beginning of the 232 = 4 Gb of memory
- The heap starts right after this
- Say, at address 10,000 or so if you have a 10 kb binary file
- The stack starts at the end of this 4 Gb of memory, and grows backward
- They could have chosen the heap to grow backwards, but they didn't
- As a program progresses, they both grow toward the middle
- And never the two shall meet
Consider this subroutine
void security_hole() {
char buffer[12];
scanf ("%s", buffer); // how C handles input
}The stack looks like (with sizes in parenthesis):
| esi (4) | edi (4) | buffer (12) | ebp (4) | ret addr (4) |
- Addresses increase to the right (the stack grows to the left)
- What happens if the value stored into buffer is 13 bytes long?
- What happens if the value stored into buffer is 16 bytes long?
- What if it is exactly 20 bytes long?
- We overwrite the return address!
Buffer overflow attack
- When you read in a string (etc.) that goes beyond the size of the buffer
- Hence 'buffer overflow'
- You can then overwrite the return address
- And set it to your own code
- For example, code that is included later on in the string
- We may see an example of this, if there is time in the course...
x86 Examples
A note about x86 compatibility
- We are using nasm as our assembler for the x86 labs
- The x86 code samples in this slide set are either:
- "Generic" x86 examples that could work in nasm if put into a proper program
- In the same way that you have seen C++ code snippets
- Or the output from "clang++ -S" or "g++ -S" (and probably some other flags)
- This code will NOT work with nasm, but will work with clang++/g++ (which we aren't really using to compile our assembly anyway)
- "Generic" x86 examples that could work in nasm if put into a proper program
x86 Examples
All examples are in the slides/code/08-x86/ directory in the github repo
Code we'll see:
- int absolute_value(int x)
- int max(int x, int y)
- bool compare_string(const char *theStr1, const char *theStr2)
- int fib(unsigned int n)
clang++ creates some odd assembly...
- We'll see why later, but clang++ creates some odd-looking assembly
- Which does not appear to follow the calling convention
- So you can use g++ to view the assembly
- The flags are different:
g++ -S -m32 -masm=intel - g++ was installed on your VirtualBox image specifically for this reason
- The flags are different:
- The assembly shown in this slide set was generated using g++, not clang++
int absolute_value(int x)
(see next slide for the source code link)
int absolute_value(int x) {
if ( x < 0 ) // if x is negative
x = -x; // negate x
return x; // return x
}test_abs.cpp
Source code: test_abs.cpp (src)
#include <iostream>
using namespace std;
extern "C" int absolute_value(int x);
int absolute_value(int x) {
if (x<0) // if x is negative
x = -x; // negate x
return x; // return x
}
int main() {
int theValue=0;
cout << "Enter a value: " << endl;
cin >> theValue;
int theResult = absolute_value(theValue);
cout << "The result is: " << theResult << endl;
return 0;
}x86 Assembly for absolute_value
No external source code; this is how we might write it ourselves.
; Standard prologue
push ebp
mov ebp, esp
; procedure body
mov eax, [ebp + 8] ; eax <- x
cmp eax, 0 ; x == 0 ?
jge end_of_proc ; if pos goto end
neg eax ; negate x
end_of_proc:
; Standard epilogue
mov esp, ebp
pop ebp
retGenerating assembly with clang++ or g++
- Using the -S flag, we can generate assembly from C/C++ code
- Note that the format is a bit different
- Register specification, dest/source order, etc.
- So we need to use the following command:
clang++ -m32 -S test_abs.cpp -o test_abs-non-intel.s- You'll see why it has 'non-intel' in the name shortly...
- If you want to use g++ (which we do), you use:
g++ -m32 -S test_abs.cpp -o test_abs-non-intel.s - The formatting is still slightly different from nasm, but the idea is the same
g++'s assembly for absolute_value
Note the source / destination order is reversed! And lots of other differences...
Source code: test_abs-non-intel.s (src)
absolute_value:
pushl %eax
movl 8(%esp), %eax
movl %eax, (%esp)
cmpl $0, (%esp)
jge .LBB1_2
movl $0, %eax
subl (%esp), %eax
movl %eax, (%esp)
.LBB1_2:
movl (%esp), %eax
popl %edx
retAssembly differences
- There are a lot of differences between the assembly we've seen and what
g++ -Sproducesmovl,pushl,cmpl,subl,popl, etc.- the 'l' part means 'long' (i.e. 32 bits, so the assembler doesn't have to guess)
$0is the constant 0- Register names begin with a percent sign
8(%ebp)is [ebp+8]- i.e. where the parameters are
Assembly syntax "flavors"
- There are two primary syntax "flavors" of x86 assmembly
- The difference is solely in the formatting; all assembly commands can be written in either format
- You can see more details about the differences here
- Flavors:
- Intel syntax: what we will use, and what nasm uses
- AT&T syntax: what
g++ -Suses by default
- To make clang++ use the Intel syntax, you need to add the
-mllvm --x86-asm-syntax=intelflagsclang++ -m32 -mllvm --x86-asm-syntax=intel -S \ test_abs.cpp -o test_abs.s - For g++, use the
-masm=intelflags:g++ -m32 -masm=intel -S test_abs.cpp -o test_abs.s
g++'s assembly for absolute_value
This is with the -masm=intel flags
Source code: test_abs.s (src)
absolute_value:
push ebp
mov ebp, esp
cmp DWORD PTR [ebp+8], 0
jns .L2
neg DWORD PTR [ebp+8]
.L2:
mov eax, DWORD PTR [ebp+8]
pop ebp
retjns means jump if not signed (i.e. if positive)
clang++'s assembly output on Macs
- With g++ (what we used last year), Darwin (i.e., Mac OS X) did not support the
-masm=intelflag- And clang++ may not support the
-mllvm --x86-asm-syntax=intelflags
- And clang++ may not support the
- But I don't know what clang++ will do...
- Can anybody test this?
- So you may be stuck using the "other" format
- With the source / destination order reversed
- You can compile it on a the Linux VirtualBox image, if you want the 'correct' order
- We recommned this for the x86 labs!
test_abs_c.c
Source code: test_abs_c.c (src)
#include <stdio.h>
int absolute_value(int x) {
if ( x < 0 ) // if x is negative
x = -x; // negate x
return x; // return x
}
int main() {
int theValue=0;
printf ("Enter a value: \n");
scanf ("%d", &theValue);
int theResult = absolute_value(theValue);
printf ("The result is: %d\n", theResult);
return 0;
}C++ assembly vs. C assembly
- Notice how much cleaner C translates into assembly versus C++
- Compare the absolute value code in both C and C++:
- C++: test_abs.s (src)
- C: test_abs_c.s (src)
int max(int x, int y)
(see next slide for the source code link)
int max(int x, int y) {
int theMax;
if (x > y) // if x > y then x is max
theMax = x;
else // else y is the max
theMax = y;
return theMax; // return the max
}test_max.cpp
Source code: test_max.cpp (src)
#include <iostream>
using namespace std;
extern "C" int max(int x, int y);
// the max function from the previous slide
int main() {
int theValue1=0, theValue2=0;
cout << "Enter value 1: " << endl;
cin >> theValue1;
cout << "Enter value 2: " << endl;
cin >> theValue2;
int theResult = max(theValue1, theValue2);
cout << "The result is: " << theResult << endl;
return 0;
}x86 code for max()
Using: g++ -S -m32 -masm=intel
Source code: test_max.s (src)
max:
push ebp
mov ebp, esp
sub esp, 16
mov eax, DWORD PTR [ebp+8]
cmp eax, DWORD PTR [ebp+12]
jle .L2
mov eax, DWORD PTR [ebp+8]
mov DWORD PTR [ebp-4], eax
jmp .L3
.L2:
mov eax, DWORD PTR [ebp+12]
mov DWORD PTR [ebp-4], eax
.L3:
mov eax, DWORD PTR [ebp-4]
leave
retx86 code for max() using -O2
Using: g++ -S -m32 -masm=intel and -O2
Source code: test_max-O2.s (src)
max:
mov eax, DWORD PTR [esp+4]
mov edx, DWORD PTR [esp+8]
cmp edx, eax
cmovge eax, edx
retThe cmovg opcode (conditional move if greater than) will move the greater value into the first parameter; cmovge does the move greater than or equal to value
x86 code for max() without 'extern "C"'
Using: g++ -S -m32 -masm=intel
Source code: test_max-noextern.s (src)
_Z3maxii:
push ebp
mov ebp, esp
sub esp, 16
mov eax, DWORD PTR [ebp+8]
cmp eax, DWORD PTR [ebp+12]
jle .L2
mov eax, DWORD PTR [ebp+8]
mov DWORD PTR [ebp-4], eax
jmp .L3
.L2:
mov eax, DWORD PTR [ebp+12]
mov DWORD PTR [ebp-4], eax
.L3:
mov eax, DWORD PTR [ebp-4]
leave
retC-string Comparison
(see next slide for the source code link)
bool compare_string (const char *theStr1,
const char *theStr2) {
// while *theStr1 is not NULL terminator
// and the current corresponding bytes are equal
while( (*theStr1 != NULL)
&& (*theStr1 == *theStr2) ) {
theStr1++; // increment the pointers to
theStr2++; // the next char / byte
}
return (*theStr1==*theStr2);
}test_string_compare.cpp
Source code: test_string_compare.cpp (src)
#include <iostream>
#include <string>
using namespace std;
extern "C" bool compare_string(const char* theStr1,
const char* theStr2);
// code for compare_string here
int main() {
string theValue1, theValue2;
cout << "Enter string 1: " << endl;
cin >> theValue1;
cout << "Enter string 2: " << endl;
cin >> theValue2;
bool theResult = compare_string(theValue1.c_str(),
theValue2.c_str());
cout << "The result is: " << theResult << endl;
return 0;
}x86 assembly for compare_string(), 1/3
Using: g++ -S -m32 -masm=intel
Source code: test_string_compare.s (src)
compare_string:
push ebp
mov ebp, esp
jmp .L2
.L5:
add DWORD PTR [ebp+8], 1
add DWORD PTR [ebp+12], 1x86 assembly for compare_string(), 2/3
Using: g++ -S -m32 -masm=intel
Source code: test_string_compare.s (src)
.L2:
mov eax, DWORD PTR [ebp+8]
movzx eax, BYTE PTR [eax]
test al, al
je .L3
mov eax, DWORD PTR [ebp+8]
movzx edx, BYTE PTR [eax]
mov eax, DWORD PTR [ebp+12]
movzx eax, BYTE PTR [eax]
cmp dl, al
jne .L3
mov eax, 1
jmp .L4x86 assembly for compare_string(), 3/3
Using: g++ -S -m32 -masm=intel
Source code: test_string_compare.s (src)
.L3:
mov eax, 0
.L4:
test al, al
jne .L5
mov eax, DWORD PTR [ebp+8]
movzx edx, BYTE PTR [eax]
mov eax, DWORD PTR [ebp+12]
movzx eax, BYTE PTR [eax]
cmp dl, al
sete al
pop ebp
retint fib
(see next slide for the source code link)
int fib(unsigned int n) {
if ((n==0) || (n==1))
return 1;
return fib(n-1) + fib(n-2);
}test_fib.cpp
Source code: test_fib.cpp (src)
#include <iostream>
using namespace std;
extern "C" int fib(unsigned int n);
int fib(unsigned int n) {
if ((n==0) || (n==1))
return 1;
return fib(n-1) + fib(n-2);
}
int main() {
int theValue = 0;
cout << "Enter value for fib(): " << endl;
cin >> theValue;
int theResult = fib(theValue);
cout << "The result is: " << theResult << endl;
return 0;
}x86 assembly for fib(), 1/2
Using: g++ -S -m32 -masm=intel
Source code: test_fib.s (src)
fib:
push ebp
mov ebp, esp
push ebx
sub esp, 20
cmp DWORD PTR [ebp+8], 0
je .L2
cmp DWORD PTR [ebp+8], 1
jne .L3
.L2:
mov eax, 1
jmp .L4x86 assembly for fib(), 2/2
Using: g++ -S -m32 -masm=intel
Source code: test_fib.s (src)
.L3:
mov eax, DWORD PTR [ebp+8]
sub eax, 1
mov DWORD PTR [esp], eax
call fib
mov ebx, eax
mov eax, DWORD PTR [ebp+8]
sub eax, 2
mov DWORD PTR [esp], eax
call fib
add eax, ebx
.L4:
add esp, 20
pop ebx
pop ebp
retDidn't that violate the convention?
- Not really!
- The convention states what the stack must look like when a subroutine is invoked
- The steps given in this slide set are to help learn the convention
- So as the stack was set up correctly, the convention was followed
Do we need to even use ebp?
| |
But clang breaks the calling convention!
- Again, not really
- clang will optimize much of the calling convention away
- For example, it will offset many things from esp (rather than ebp), and not bother to back up the caller's ebp
- And if the subroutine invocation is solely within clang's code...
- ... meaning that there is no call to an external library, or this is not code that will go into a library...
- ... then parameters may be passed in the registers
An aside: An advantage of little-Endian
- Consider the 32-bit big-Endian word 0x680abcde in memory starting address 1000:
- In big-Endian:
- Byte '68' is the most significant; is at address 1000
- Byte 'de' is the least significant; is at address 1003
- In little-Endian:
- Byte 'de' is the most significant; is at address 1000
- Byte '68' is the least significant; is at address 1003
- In big-Endian:
- Note that, in little-Endian, the entire 32-bit word and the 8-bit least significant byte have the same address!
More on little-Endian
- In little-Endian, the entire 32-bit word and the 8-bit least significant byte have the same address
- Consider a
movb,movw, ormovl- Moving a 8, 16, and 32 bit quantity, respecitively
- If you called
movb, that instruction moves the least significant 8 bits of the 32-bit quantity
- Thus, if you are doing one of those moves, the address is the same, which makes the CPU addressing routines simpler
- This means integer casts are a essentially a no-op
- To cast an
intto ashort, you just tke lowest 16 bits, which means you use amovwinstead of amovl
- To cast an
RISC versus CISC
- RISC
- Reduced instruction set computer
- Fewer and simpler instructions (maybe 50 or so)
- Less chip complexity means they can run fast
- CISC
- Complex instruction set computer
- More and more complex instructions (300-400 or so)
- More chip complexity means harder to make run fast
CS 2150 Program and Data Representation Mark Floryan (mrf8t@virginia.edu) Aaron Bloomfield (aaron@virginia.edu) @github | ↑ | 32 bit x86 (assembly language)