chapter3.pptx
Download
Report
Transcript chapter3.pptx
Chapter 3 Machine-Level
Representation of Programs
Guobao Jiang
[email protected]
Problem 3.1 (P138)
• Assume the following values are stored
at the indicated memory addresses and
registers:
Address
Value
Register
Value
0x100
0xFF
%eax
0x100
0x104
0xAB
%ecx
0x1
0x108
0x13
%edx
0x3
0x10C
0x11
• Fill in the following table showing the
values for the indicated operands:
2016/8/6
2
Address
Value
0x100
0xFF
0x104
0xAB
0x108
0x13
0x10C
0x11
Operand
2016/8/6
Register
Value
%eax
0x100
%ecx
0x1
%edx
0x3
Value
%eax Imm(Eb, Ei, S)
M[Imm + R[Eb] + R[Ei]*S]
0x104
0x100
Register
0xAB
Absolute address
$0x108
0x108
Immediate
(%eax)
0xFF
Address 0x100
4(%eax)
0xAB
Address 0x104
9(%eax, %edx)
0x11
Address 0x10C
260(%ecx, %edx)
0x13
Address 0x108
0xFC(, %ecx, 4)
0xFF
Address 0x100
(%eax, %edx, 4)
0x11
Address 0x10C
3
Problem 3.2 (P142)
• You are given the following information. A
function with prototype
void decode1(int *xp, int *yp, int *zp)
is compiled into assembly code. The body
of the code is as follows:
…
• Parameters xp, yp and zp are stored at
memory locations with offsets 8, 12, and
16, respectively, relative to the address in
register %ebp
2016/8/6
4
Problem 3.2+
1 movl 8(%ebp), %edi
int x = *xp;
2 movl 12(%ebp), %ebx
int y = *yp;
3 movl 16(%ebp), %esi
int z = *zp;
*yp = x;
4 movl (%edi), %eax
*zp = y;
5 movl (%ebx), %edx
*xp = z;
6 movl (%esi), %ecx
7 movl %eax, (%ebx)
8 movl %edx, (%esi)
9 movl %ecx, (%edi)
• Write C code for decode1 that will have an
effect equivalent to the assembly code above.
2016/8/6
5
Problem 3.3 (143)
• Suppose register %eax holds values x
and %ecx holds value y. Fill the table …
Expression
2016/8/6
Result
leal 6(%eax), %edx
6+x
leal (%eax, %ecx), %edx
x+y
leal (%eax, %ecx, 4), %edx
x + 4y
leal 7(%eax, %eax ,8), %edx
7 + 9x
leal 0xA (, %ecx, 4), %edx
10 + 4y
leal 9(%eax, %ecx, 2), %edx
9 + x + 2y
6
Problem 3.4 (P145)
• Assume the following values are stored
at the indicated memory addresses and
registers:
Address
Value
Register
Value
0x100
0xFF
%eax
0x100
0x104
0xAB
%ecx
0x1
0x108
0x13
%edx
0x3
0x10C
0x11
• Fill in the following table showing the
effects of the following instructions …
2016/8/6
7
Address
Value
0x100
0xFF
0x104
0xAB
0x108
0x13
0x10C
0x11
Register
Value
%eax
0x100
%ecx
0x1
%edx
0x3
Instruction
Destination
Value
0x11 %ecx,
* 16(dec)=
addl
(%eax)
0x100
0x100
0x104
0xA8
imull $16, (%eax, %edx, 4)
0x10C
0x110
incl 8(%eax)
0x108
0x14
decl %ecx
%ecx
0x0
subl %edx, %eax
%eax
0xFD
(16+1) * 16 = 256 +
16 = %edx,
0x 110 4(%eax)
subl
2016/8/6
8
Problem 3.5 (P145)
• Suppose we want to generate assembly
code for the following C Function:
int shift_left2_rightn(int x, int n)
{
x <<= 2;
x >>= n;
return x;
}
2016/8/6
9
Problem 3.5+
• Parameters x and n are stored at memory
locations with offsets 8 and 12,
respectively, relative to the address in
register %ebp.
1 movl 12(%ebp), %ecx
Get n
%ecx ? Shifts
2 movl 8(%ebp),
%eax
Get x
amounts between
0
and 31 are allowed
sall
$2,
%eax
3 ______________
x <<= 2
subl %cl, %eax
4 ______________
x >>= n
• Note: the right shift should be performed
arithmetically.
2016/8/6
10
Problem 3.6 (P147)
In the compilation of the loop
for (i = 0; i < n; i++)
v += i;
set register
%edx code
to 0, line:
we find theTo
following
assembly
exploiting the program
xorl %edx, %edx
that x^x =0 for any x. It
Explain why this instruction would be there,
corresponds to the C
even though there are no EXCLUSIVE-OR
i = 0.
operators in ourstatement
C code. What
operation in
the C program does this instruction
implement ?
2016/8/6
11
Problem 3.7 (P151)
• In the following C code, we have replaced some
of the comparison operators with “__” and
omitted the data types in the casts.
cmpl %ecx, %esi
char ctest(in a,
int
c) %ecx, %esi
setl
%alb, int cmpl
{
setb -1(%ebp)
cmpw %cx, 16(%ebp)
< b;
char t1 = a ___
setge -2(%ebp)
char t2 = b ___(
< unsigned ) a;movb %cl, %dl
>= ( short)a;
char t3 = ( short ) c __
!= ( char )c;
char t4 = ( char ) a __
>
char t5 =
c ____
b;
>
char t6 = a _____
0;
return t1 + t2 + t3 + t4 + t5 + t6 ;
}
2016/8/6
12
Problem 3.8 (P155)
• In the following excerpts from a
disassembled binary, some of the
8048dle
information has been
replaced by x’s.
+da
Answer the following
questions:
8048df8
• A. What is the target of the jbe
instruction below?
8048d1c: 76 da
jbe xxxxxxx
8048d1e: eb 24
jmp 8048d44
2016/8/6
13
Problem 3.8+
• B. What is the address of the mov instruction ?
xxxxxxx: eb 54 jmp 8048d44
8048CF0
xxxxxxx:
c7 45 f8 10 00 mov $0x10,
0xfffffff8 (%ebp)
• C. In the code that
follows, the jump target is
8048907
encoded in PC-relative
+cb form as a 4-byte, two’s
complement number.
The bytes are listed from
80489d2
least significant to most, reflecting the littleendian byte ordering of IA32. What is the
address of the jump target ?
8048902: e9 cb 00 00 00 jmp xxxxxxx
80489D2
8048907: 90
nop
2016/8/6
14
Problem 3.8++
• D. Explain the relation between the
annotation on the right and the byte
coding on the left. Both lines are part of
the encoding of the jmp instruction.
80483f0: ff 25 e0 a2 04 jmp *0x804a2e0
80483f5: 08
Answer: An indirect jump is denoted by instruction code ff 25. The
address from which the jump target is to be read is encoded
explicitly by the following 4 bytes. Since the machine is little endian,
these are given in reverse order as e0 a2 04 08
2016/8/6
15
Problem 3.9 (P157)
• When given the C code
void cond(int a, int *p)
{
if (p && a > 0)
*p += a;
}
• GCC generates the following assembly
code:
2016/8/6
16
1 movl 8(%ebp), %edx
void cond (int a, int *p){
2 movl 12(%ebp), %eax
if (p == 0)
3 testl %eax, %eax
goto done;
if (a <= 0)
4 je .L3
goto done;
5 testl %edx, %edx
*p += a;
done:
6 jle .L3
}
7 addl %edx, (%eax)
8 .L3:
• A. Write a goto vision in C that …
• B. Explain why the assembly code contains
two conditional branches, even though the
C code has only one if statement.
The first conditional branch is part of the implementation of
the || expression. If the test for p being nonnull fails, the code
will skip the test of a > 0
2016/8/6
17
Problem 3.10 (P160)
• For the C code
int dw_loop(int x, int y, int n)
{
do {
x += n;
y *= n;
n--;
} while ((n > 0) & (y < n));
return x;
}
• GCC generates the following assembly code:
2016/8/6
18
put x in %esi
1
movl 8(%ebp), %esi
put y in %ebx
2
movl 12(%ebp), %ebx
put n in %ecx
3
movl 16 (%ebp), %ecx
4
.p2align 4, ,7
5 .L6
loop:
y *=n
6
imull %ecx, %ebx
Register
usage
x
+
=
n
7
addl %ecx, %esi
Registern-Variable
Initially
8
decl %ecx
%esi
x
x
9
testl %ecx, %ecx %ebx test n y
y
n>0
10 setg %al
%ecx
n
n
compare y:n
11 cmpl %ecx, %ebx
y<n
12 setl %dl
(n > 0) & (y < n)z
13 andl %edx, %eax
14 testb $1, %al
test least significant bit
15 jne .L6
if !=0, goto loop
2016/8/6
19
Problem 3.11 (P163)
• For the following C code:
int loop_while (int a, int b)
{
int i = 0;
int result = a;
while (i < 256){
result += a;
a -= b;
i += b;
}
return result;
}
• GCC generates the following assembly code:
2016/8/6
20
a in %eaxa, int b){
int put
loop_while_goto(int
movl 8(%ebp), %eax
int i=0;
put
b in=a;%ebx
movl 12(%ebp), %ebx
int result
loop:
i=
0
xorl %ecx, %ecx
result += a;
a -= b;
result
=a
movl %eax, %edx
i + =b;
if (i <= 255)
.p2align 4, , 7
goto loop:
return result
.L5:
loop:
}
result += a
addl %eax, %edx
a -= b
subl %ebx, %eax
Register usage
i
b
addl %ebx, %ecx Register +=Variable
Initially
compare i:255
cmpl $255, %ecx %eax
a
a
%ebx
b goto loop
b
if <=
jle .L5
%ecx
i
0
%edx
2016/8/6
result
a
21
Problem 3.12 (P165)
• Consider the following assembly code:
movl 8(%ebp), %ebx
movl 16(%ebp), %edx
xorl %eax, %eax
decl %edx
js .L4
movl %ebx, %ecx
imull 12(%ebp), %ecx
.p2align 4, ,4
.L6:
addl %ecx, %eax
subl %ebx, %edx
jns .L6
.L4:
2016/8/6
22
int loop(int x, int y, int n){
int result = 0;
int i;
n-1 i___;
>= 0 i = ___){
i-x
for (i = ___;
result += ___;
y*x
}
return result;
%eax
%edx
}
A. Which registers hold program values result and i ?
B. What is the initial value of i ?
n-1
C. What is the test condition on i ? i to be nonnegative
D. How does i get updated?
instruction 4: decl %edx
E. The C expression describing how to increment
result in the loop body does not change value from
one iteration of the loop to the next. The compiler
detected this and moved its computation to
before the loop. What
is thex*y
expression?
1,6,7 cause
to be stored
in register %ecx
2016/8/6
23
Problem 3.13 (P169)
• In the C code, the case labels did not span
a contiguous range, and some cases had
multiple labels.
int switch2(int x){
int result =0;
switch (x){
/*Body of switch statement omitted*/
}
return result;
}
2016/8/6
24
Jump table for switch2
1 .L11:
2 .long .L4
setting up jump table access 3 .long .L10
1 movl 8(%ebp), %eax
4 .long .L5
2 addl $2, %eax
5 .long .L6
3 cmpl $6, %eax
6 .long .L8
4 ja .L10
7 .long .L8
5 jmp *.L11 (, %eax, 4)
8 .long .L9
Use the foregoing information-2to
answer the
01234
following questions:
A. What were the values of the case labels in the
switch statement body ?
B. What cases had multiple labels in the C code ?
2016/8/6
In jump table line 6 and 7 have the save destination.
These correspond to case labels 2 and 3.
25
Problem 3.14 (P172)
• The following code fragment occurs often
in the compiled vision of library routines:
is set
to the
Not true
all, since
the
1
call
nextsubroutine%eax
address
of the
popl
control
flows
the
same
ordering
as
2 next:
the instructions
andinstruction.
the way
return
This
is
the
only
in
3
popl
%eax
address is
popped
from
stack.
IA32
to get
thethe
value
of
A. To what value
does register %eax get set?
the program counter into
B. Explain whyanthere
no matching ret
integerisregister.
instruction to this call.
C. What useful purpose does this code
fragment serve?
2016/8/6
26
Problem 3.15 (P174)
Registers %edi, %esi, and
%ebx are callee save. The
pushl %edi
procedure must save them on
pushl %esi
the stack before altering their
pushl %ebx
values and restore them
before returning. The other
movl 24(%ebp), %eax
three registers are caller save.
imull 16(%ebp), %eax
They can be altered with out
movl 24(%ebp), %ebx
affecting the behavior of the
caller
leal 0(,%eax,4), %ecx
1
2
3
4
5
6
7
8 addl 8(%ebp), %ecx
9 Movl %ebx, %edx
Explain this apparent inconsistency in the saving
and restoring of register states ?
2016/8/6
27
Problem 3.16 (P177)
• Given the C function
1 int proc(void)
2 {
3
int x, y;
4
scanf(“%x %x”, &y, &x);
5
return x - y;
6 }
GCC generates the following assembly code:
2016/8/6
28
1
proc:
2
push1 %ebp
3
movl %esp, %ebp
4
subl $24, %esp
5
addl $-4, %esp
6
leal
-4(%ebp), %eax
7
pushl %eax
8
leal -8(%ebp), %eax
9
pushl %eax
10
pushl $.LC0 pointer to string “%x %x”
11
call scanf
12
movl -8(%ebp), %eax
13
movl -4(%ebp), %edx
14
subl %eax, %edx
Register
Value
15
movl %edx, %eax
16
movl %ebp, %esp
%esp
0x800040
17
popl %ebp
%ebp
0x800060
18
ret
Assume that procedure proc starts executing with the
following register values:
2016/8/6
29
• Suppose proc calls scanf (line 11), and that
scanf reads values 0x46 and 0x53 from the
standard input. Assume that the string “%x %x”
is stored at memory location 0x300070
• A. What value does %ebp get set to on line 3 ?
• B. At what addresses are local variables x and y?
• C. What is the value of %esp after line 10 ?
• D. Draw a diagram of the stack frame for proc
right after scanf returns. Include as much
information as you can about the addresses and
the contents of the stack frame elements.
• E. Indicate the regions of the stack frame that
are not used by proc (these wasted areas are
allocated to improve the cache performance).
2016/8/6
30
A. What value does %ebp get
1
proc:
set to on line 3 ? 0x800040
2
push1 %ebp
3
movl %esp, %ebp
4
subl $24, %esp
5
addl $-4, %esp
6
leal
-4(%ebp), %eax
C. What is the value of %esp
7
pushl %eax
8
leal -8(%ebp), %eax after line 10 ? 0x800014
9
pushl %eax
B. At what addresses are local
10
pushl $.LC0 pointer
to string
%x” ?
variables
x and“%x
y stored
11
call scanf
12
movl -8(%ebp), %eax
X :0x800038 %edx
13
movl -4(%ebp), %edx
Y : 0x800034 %eax
14
subl %eax, %edx
Register
Value
15
movl %edx, %eax
16
movl %ebp, %esp
%esp
0x800040
17
popl %ebp
%ebp
0x800060
18
ret
Assume that procedure proc starts executing with the
following register values:
2016/8/6
31
2016/8/6
32
Q&A ?
Thank you!
2016/8/6
33