Transcript 7.ppt

Heterogeneous Data Structures &
Alignment
* heterogeneous: 不同种类的
1
Outline
• Struct
• Union
• Alignment
– Chap 3.9, 3.10
2
Structures P191
• Group objects into a single object
• Each object is referenced by name
• Memory layout
– All the components are stored in a contiguous
region of memory
– A pointer to a structure is the address of its first
byte
• References to structure elements
– Using offsets as displacements
3
Structure P192
struct rect {
int llx;
lower-left corner
int lly;
lower-left corner
int color;
int width;
int height;
};
/*
*/
/*
*/
/*
/*
/*
X coordinate of
Y coordinate of
Coding of color */
Width (in pixels) */
Height (in pixels) */
4
Structure P192
struct rect r;
r.llx = r.lly = 0;
r.color = 0xFF00FF;
r.width = 10;
r.height = 20;
5
Structure P192
int area (struct rect *rp)
{
return (*rp).width * (*rp).height;
}
void rotate_left (struct rect *rp)
{
/* Exchange width and height */
int t = rp->height;
rp->height = rp->width;
rp->width = t;
}
6
Structure
struct rec {
int i;
int j;
int a[3];
int *p;
} *r;
7
Structure P193
• Copy element r->i to element r->j:
• r is in register %edx.
1
2
movl (%edx), %eax
movl %eax,
4(%edx)
Get r->i
Store in r-
>j
8
Structure P193
• Generate the pointer &(r->a[1])
– r in %eax,
– i in %edx
1 leal
8(%eax,%edx,4),%ecx
%ecx = &r->a[i]
9
Structure
• r->p = &r->a[r->i + r->j];
– r in register %edx:
1 movl
4(%edx), %eax
2 addl
(%edx),
%eax
3 leal
8(%edx,%eax,4),
>a[r->i + r->j]
4 movl
%eax,
20(%edx)
Get r->j
Add r->i
%eax
Compute &rStore in r->p
10
Unions
P194
• A single object can be referenced by using
different data types
• The syntax of a union declaration is identical
to that for structures, but its semantics are
very different
• Rather than having the different fields
reference different blocks of memory, they
all reference the same block
*syntax: 语法
*semantic: 语义
11
Unions
struct S3 {
char c;
int i[2];
double v;
};
union U3 {
char c;
int i[2];
double v;
};
12
Unions
P195
• The offsets of the fields, as well as the total size of
data types S3 and U3, are:
Type
S3
c
0
i
4
v
12
size
20
U3
0
0
0
8
13
Unions
P195
struct NODE {
struct NODE *left;
struct NODE *right;
double data;
};
union NODE {
struct {
union NODE *left;
union NODE *right;
} internal;
double data;
};
14
Unions (additional tag field)
struct NODE {
int is_leaf;
union {
struct {
struct NODE *left;
struct NODE *right;
} internal;
double data;
} info;
};
15
Unions
P196
1 unsigned float2bit(float f)
2 {
3
union {
4
float f;
5
unsigned u;
6
} temp;
7
temp.f = f;
8
return temp.u;
9 };
1
movl 8(%ebp),
%eax
16
Unions
1 unsigned float2bit(float f)
2 {
3
union {
4
float f;
5
unsigned u;
6
} temp;
7
temp.f = f;
8
return temp.u;
9 };
1 movl
8(%ebp),
%eax
17
Unions (Code generated identical to the
procedure)
1 unsigned copy (unsigned u)
2 {
3
return u;
4 }
1
movl 8(%ebp),
%eax
18
Alignment
P198
• Alignment restrictions
– The address for some type of object must be a
multiple of some value k (typically 2, 4, or 8)
– Simplify the hardware design of the interface
between the processor and the memory system
19
Alignment
• In IA32
– hardware will work correctly regardless of the
alignment of data
– Aligned data can improve memory system
performance
20
Alignment
• Linux alignment restriction
– 1-byte data types are able to have any address
– 2-byte data types must have an address that is
multiple of 2
– Any larger data types must have an address that
is multiple of 4
21
Alignment
• Alignment is enforced by
– Making sure that every data type is organized and
allocated in such a way that every object within
the type satisfies its alignment restrictions.
• malloc()
– Returns a generic pointer that is void *
– Its alignment requirement is 4
22
Alignment
• Structure data type
– may need to insert gaps in the field allocation
– may need to add padding to the end of the
structure
* padding: 填充
23
Alignment
P199
struct S1 {
int i;
char c;
int j;
};
24
Alignment
P200
struct S2 {
int i;
int j;
char c;
} d[4];
xd, xd+9, xd+18, xd+27
xd, xd+12, xd+24, xd+36
25
Putting it Together
26
Outline
• Pointer
– Declaration
– referencing, deferencing
– memory allocation, memory free
• Buffer overflow
• Suggested reading
– Chap 3.11, 3.13
27
Example
1
2
3
4
5
6
7
8
9
10
11
12
P202 Figure 3.26
struct str { /* Example Structure */
int t;
char v;
};
union uni { /* Example Union */
int t;
char v;
} u;
int g = 15;
28
Example P202 Figure 3.26
13 void fun(int* xp)
14 {
15
void (*f)(int*) = fun; /* f is a function
pointer */
16
17
/* Allocate structure on stack */
18
struct str s = {1,’a’}; /* Initialize
structure */
19
20
/* Allocate union from heap */
21
union uni *up = (union uni *)
malloc(sizeof(union uni));
22
23
/* Locally declared array */
24
int *ip[2] = {xp, &g};
29
Example
26
27
28
29
30
31
32
33
up->v = s.v+1;
printf("ip = %p, *ip = %p, **ip = %d\n",
ip,
*ip,
**ip);
printf("ip+1 = %p, ip[1] = %p, *ip[1] = %d\n",
ip+1,
ip[1],
*ip[1]);
printf ("&s.v = %p, s.v = ’%c’\n", &s.v, s.v);
printf ("&up->v = %p, up->v = ’%c’\n", &up->v,
up->v);
34
printf ("f = %p\n", f);
35
if (--(*xp) > 0)
36
f(xp); /* Recursive call of fun */
37 }
30
Example
P202 Figure 3.26
38
39 int test()
40 {
41
int x = 2;
42
fun(&x);
43
return x;
44 }
31
Every pointer has a type
P201
• If the object has type T
– A pointer to this object has type T *
• Special void * type
– Represents a generic pointer
• malloc returns a generic pointer
Pointer Type
Object Type
Pointers
int *
int
xp, ip[0], ip[1]
union uni *
union uni
up
32
Every pointer has a value
xp
&x
ip[0]
&x
ip[1]
&g
up
Address in heap
33
Pointers are created with the & operator
• Applied to lvalue expression
– Lvalue expression can appear on the left side of
assignment
– &g, &s.v, &u->v, &x
34
Pointers are dereferenced with the operator *
• The result is a value having the type
associated with the pointer
• *ip, **ip, *ip[1], *xp
• up->v
35
Arrays and pointers are closed related
• The name of array can be viewed as a pointer
constant
• ip[0] is equivalent to *ip
36
Pointers can point to functions
•
•
•
•
•
void (*f)(int *)
f is a pointer to function
The function taken int * as argument
The return type of the function is void
Assignment makes f point to func
– f = func
void: 空的
37
The precedence of the operators
• void *f(int *) declares f is a function
– (void *)
f(int *)
38
Example
P203
1 ip = 0xbfffefa8, *ip = 0xbfffefe4, **ip = 2
ip[0] = xp. *xp = x = 2
2 ip+1 = 0xbfffefac, ip[1] = 0x804965c, *ip[1] = 15
ip[1] = &g. g = 15
3 &s.v = 0xbfffefb4, s.v = ’a’
s in stack
frame
4 &up->v = 0x8049760, up->v = ’b’
up points to area
in heap
5 f = 0x8048414
f points to code
for fun
6 ip = 0xbfffef68, *ip = 0xbfffefe4, **ip = 1
ip
in new frame, x = 1
7 ip+1 = 0xbfffef6c, ip[1] = 0x804965c, *ip[1] = 15
39
Pointer Declaration
•
•
•
•
char
int
int
char
**argv ;
(*daytab)[13]
(*comp)()
(*(*x())[])()
– Function returning pointer to array[ ] of pointer
to function returning char
• char
(*(*x[3])())[5]
– Array[3] of pointer to function returning pointer
to array[5] of char
40
Pointer Arithmetic
• Addition and subtraction
– p+i , p-i (result is a pointer)
– p-q (result is a int)
• Referencing & dereferencing
– *p, &E
• Subscription
– A[i], *(A+i)
41
C operators
Operators
Associativity
()
!
*
+
<<
<
==
&
^
|
&&
||
?:
=
,
left to right
right to left
left to right
left to right
left to right
left to right
left to right
left to right
left to right
left to right
left to right
left to right
right to left
right to left
left to right
[] ->
~ ++
/ %
>>
<= >
!=
+=
-=
. ++ --- + - *
&
(type)
sizeof
>=
*=
/=
%=
&=
^=
!=
<<=
>>=
Note: Unary +, -, and * have higher precedence than binary forms
42
Parameter Passing
• Call by value
– f(xp)
• Call by reference
– f(&xp)
43
3.13
Out-of-Bounds Memory References
P206
1 /* Implementation of library function gets() */
2 char *gets(char *s)
3 {
4
int c;
5
char *dest = s;
6
while ((c = getchar()) != ’\n’ && c != EOF)
7
*dest++ = c;
8
*dest++ = ’\0’;
/* Terminate String */
9
if (c == EOF)
10
return NULL;
11
return s;
12 }
44
Out-of-Bounds Memory References
13
14
15
16
17
18
19
20
/* Read input line and write it back */
void echo()
{
char buf[4];
/* Way too small ! */
gets(buf);
puts(buf);
}
45
Out-of-Bounds Memory References
Stack frame
for caller
Return address
Saved %ebp
%ebp
[3] [2] [1] [0]
buf
Stack frame
for echo
46
Out-of-Bounds Memory References
Stack frame
for caller
Return address
[7] [6] [5] [4]
%ebp
[3] [2] [1] [0]
buf
Stack frame
for echo
47
Out-of-Bounds Memory References
Stack frame
for caller
[11] [10]
[9] [8]
[7] [6] [5] [4]
%ebp
[3] [2] [1] [0]
buf
Stack frame
for echo
48
Buffer Overflow
P208 Figure 3.29
1 /* This is very low quality code.
2 It is intended to illustrate bad programming practices
3 See Practice Problem 3.24. */
4 char *getline()
5{
6
char buf[8];
7
char *result;
8
gets(buf);
9
result = malloc(strlen(buf));
10
strcpy(result, buf);
11
return(result);
12 }
49
Buffer Overflow
P208 Figure 3.29
1 08048524 <getline>:
2 8048524:
55
push %ebp
3 8048525:
89 e5
mov %esp,%ebp
4 8048527:
83 ec 10
sub $0x10,%esp
5 804852a:
56
push %esi
6 804852b:
53
push %ebx
Diagram stack at this point
7 804852c:
83 c4 f4
add $0xfffffff4,%esp
8 804852f:
8d 5d f8
lea 0xfffffff8(%ebp),%ebx
9 8048532:
53
push %ebx
10 8048533:
e8 74 fe ff ff
call 80483ac <_init+0x50> gets
50
Buffer Overflow
P208 Practice Problem 3.24
Stack frame
for caller
08 04 86 43 Return Address
51
Buffer Overflow
Stack frame
for caller
08 04 86 43
bf ff fc 94
[7] [6] [5] [4]
[3] [2] [1] [0]
%ebp
buf
00 00 00 01
Saved %esi
00 00 00 02
Saved %ebx
52
Buffer Overflow
Stack frame
for caller
012345678901 08 04 86 00
31 30 39 38
37 36 35 34
33 32 31 30
%ebp
buf
00 00 00 01
Saved %esi
00 00 00 02
Saved %ebx
53
Malicious Use of Buffer Overflow
return
address
A
Stack
after call to gets()
void foo(){
bar();
...
}
void bar() {
char buf[64];
gets(buf);
...
}
foo stack frame
data
written
by
gets()
B
B
pad
exploit
code
bar stack frame
Malicious:怀恶意的
54
Malicious Use of Buffer Overflow
• Input string contains byte representation of
executable code
• Overwrite return address with address of
buffer
• When bar() executes ret, will jump to exploit
code
55
Floating Point
56
Outline
•
•
•
•
•
•
Stack evaluation
Data movement
Set special data
Arithmetic operation
Comparison
Suggested reading: 3.14
57
IA32 Floating Point
• History
– 8086: first computer to implement IEEE FP
• separate 8087 FPU (floating point unit)
– 486: merged FPU and Integer Unit onto one chip
58
IA32 Floating Point
• Floating Point Formats
– single precision (C float): 32 bits
– double precision (C double): 64 bits
– extended precision (C long double): 80 bits
59
IA32 Floating Point
• Summary
– Hardware to add, multiply, and divide
– Floating point data registers
– Various control & status registers
60
IA32 Floating Point
Instruction
decoder and
sequencer
Integer
Unit
FPU
Memory
61
FPU Data Register Stack
• FPU register format (extended precision)
79 78
s
0
64 63
exp
frac
62
FPU Data Register Stack
• FPU registers
–
–
–
–
8 registers
Logically forms shallow stack
Top called %st(0)
When push too many, bottom values disappear
%st(3)
%st(2)
%st(1)
“Top”
%st(0)
stack grows down
63
FPU instructions
• Large number of floating point instructions
and formats
– ~50 basic instruction types
– load, store, add, multiply
– sin, cos, tan, arctan, and log!
• Sample instructions:
64
FPU instructions
P213 Figure 3.30,
P216 Figure 3.31
Instruction
Effect
Description
fldz
push 0.0
Load zero
flds Addr
push M[Addr]
Load single precision real
fmuls Addr
%st(0) <- %st(0)*M[Addr]
Multiply
faddp
%st(1) <- %st(0)+%st(1);
Add and pop
pop
65
IA32 Floating Point
float ipf (float x[], float y[], int n)
{
int i;
float result = 0.0;
for (i = 0; i < n; i++) {
result += x[i] * y[i];
}
return result;
}
66
pushl %ebp
movl %esp,%ebp
pushl %ebx
movl 8(%ebp),%ebx
movl 12(%ebp),%ecx
movl 16(%ebp),%edx
fldz
xorl %eax,%eax
cmpl %edx,%eax
jge .L3
.L5:
flds (%ebx,%eax,4)
fmuls (%ecx,%eax,4)
faddp
incl %eax
cmpl %edx,%eax
jl .L5
.L3:
movl -4(%ebp),%ebx
movl %ebp, %esp
popl %ebp
ret
# setup
#
#
#
#
#
#
%ebx=&x
%ecx=&y
%edx=n
push +0.0
i=0
if i>=n done
#
#
#
#
#
push x[i]
st(0)*=y[i]
st(1)+=st(0); pop
i++
if i<n repeat
# finish
# st(0) = result
67
Inner Product Stack Trace
Initialization
1. fldz
0.0
%st(0)
Iteration 0
Iteration 1
2. flds (%ebx,%eax,4)
0.0
x[0]
5. flds (%ebx,%eax,4)
%st(1)
%st(0)
3. fmuls (%ecx,%eax,4)
0.0
x[0]*y[0]
%st(1)
%st(0)
4. faddp
0.0+x[0]*y[0]
x[0]*y[0]
x[1]
%st(1)
%st(0)
6. fmuls (%ecx,%eax,4)
x[0]*y[0]
x[1]*y[1]
%st(1)
%st(0)
7. faddp
%st(0)
%st(0)
x[0]*y[0]+x[1]*y[1]
68
Load Instructions
P216 Figure 3.31
Instruction
Source format
Source location
flds Addr
Single
Mem4[Addr]
fldl Addr
Double
Mem8[Addr]
fldt Addr
Extended
Mem10[Addr]
fildl Addr
Integer
Mem4[Addr]
fld
extended
%st(i)
%st(i)
69
Store Instructions
Instruction
fsts
P216 Figure 3.32
Pop(Y/N) destination format destination location
Addr N
Single
Mem4[Addr]
fstps Addr Y
Single
Mem4[Addr]
fstl
Double
Mem8[Addr]
Addr N
fstpl Addr
Y
Double
Mem8[Addr]
fstt
N
Extended
Mem10[Addr]
fstpt Addr Y
Extended
Mem10[Addr]
fistl
Addr N
Integer
Mem4[Addr]
fistpl Addr Y
Integer
Mem4[Addr]
fst
%st(i) N
extended
%st(i)
fstp %st(i) Y
extended
%st(i)
Addr
70
Arithmetic Instructions
P218
Figure 3.33
71
Arithmetic Instructions
P218 Figure 3.34
72
Comparison Instructions
P222
Figure 3.35
73
Comparison Instructions
P222 Figure 3.36
fnstsw %ax
andb $69, %ah
69=0X45
74
Arithmetic Instructions
P223
1 int less (double x, double y)
2 {
3
return x < y;
4 }
75
Arithmetic Instructions
P223
1 fldl
16(%ebp)
Push y
2 fcompl
8(%ebp)
Compare y:x
3 fnstsw
%ax
Store floating point status word in %ax
4 andb
$69, %ah
Mask all but bits 0, 2, and 6
5 sete
%al
Test for comparison outcome of 0 (>)
6 movzbl
%al, %eax
Copy low order byte to result,
and set rest to 0
76
77
78
79
80
81