Chapter 3 MachineLevel Representation of Programs Guobao Jiang

Chapter 3 Machine-Level Representation of Programs Guobao Jiang 11210240049@fudan. edu. cn

Problem 3. 1 (P 138) • Assume the following values are stored at the indicated memory addresses and registers: Address Value Register Value 0 x 100 0 x. FF %eax 0 x 100 0 x 104 0 x. AB %ecx 0 x 108 0 x 13 %edx 0 x 3 0 x 10 C 0 x 11 • Fill in the following table showing the values for the indicated operands: 2020/12/4 2

Address Value 0 x 100 0 x. FF 0 x 104 0 x. AB 0 x 108 0 x 13 0 x 10 C 0 x 11 Operand 2020/12/4 Register Value %eax 0 x 100 %ecx 0 x 1 %edx 0 x 3 Value %eax Imm(Eb, Ei, S) M[Imm + R[Eb] + R[Ei]*S] 0 x 104 0 x 100 Register 0 x. AB Absolute address $0 x 108 Immediate (%eax) 0 x. FF Address 0 x 100 4(%eax) 0 x. AB Address 0 x 104 9(%eax, %edx) 0 x 11 Address 0 x 10 C 260(%ecx, %edx) 0 x 13 Address 0 x 108 0 x. FC(, %ecx, 4) 0 x. FF Address 0 x 100 (%eax, %edx, 4) 0 x 11 Address 0 x 10 C 3

Problem 3. 2 (P 142) • You are given the following information. A function with prototype void decode 1(int *xp, int *yp, int *zp) is compiled into assembly code. The body of the code is as follows: … • Parameters xp, yp and zp are stored at memory locations with offsets 8, 12, and 16, respectively, relative to the address in register %ebp 2020/12/4 4

Problem 3. 2+ 1 movl 8(%ebp), %edi int x = *xp; 2 movl 12(%ebp), %ebx int y = *yp; 3 movl 16(%ebp), %esi int z = *zp; *yp = x; 4 movl (%edi), %eax *zp = y; 5 movl (%ebx), %edx *xp = z; 6 movl (%esi), %ecx 7 movl %eax, (%ebx) 8 movl %edx, (%esi) 9 movl %ecx, (%edi) • Write C code for decode 1 that will have an effect equivalent to the assembly code above. 2020/12/4 5

Problem 3. 3 (143) • Suppose register %eax holds values x and %ecx holds value y. Fill the table … Expression 2020/12/4 Result leal 6(%eax), %edx 6+x leal (%eax, %ecx), %edx x+y leal (%eax, %ecx, 4), %edx x + 4 y leal 7(%eax, %eax , 8), %edx 7 + 9 x leal 0 x. A (, %ecx, 4), %edx 10 + 4 y leal 9(%eax, %ecx, 2), %edx 9 + x + 2 y 6

Problem 3. 4 (P 145) • Assume the following values are stored at the indicated memory addresses and registers: Address Value Register Value 0 x 100 0 x. FF %eax 0 x 100 0 x 104 0 x. AB %ecx 0 x 108 0 x 13 %edx 0 x 3 0 x 10 C 0 x 11 • Fill in the following table showing the effects of the following instructions … 2020/12/4 7

Address Value 0 x 100 0 x. FF 0 x 104 0 x. AB 0 x 108 0 x 13 0 x 10 C 0 x 11 Register Value %eax 0 x 100 %ecx 0 x 1 %edx 0 x 3 Instruction Destination Value 0 x 11 %ecx, * 16(dec)= addl (%eax) 0 x 100 0 x 104 0 x. A 8 imull $16, (%eax, %edx, 4) 0 x 10 C 0 x 110 incl 8(%eax) 0 x 108 0 x 14 decl %ecx 0 x 0 subl %edx, %eax 0 x. FD (16+1) * 16 = 256 + 16 = %edx, 0 x 110 4(%eax) subl 2020/12/4 8

Problem 3. 5 (P 145) • Suppose we want to generate assembly code for the following C Function: int shift_left 2_rightn(int x, int n) { x <<= 2; x >>= n; return x; } 2020/12/4 9

Problem 3. 5+ • Parameters x and n are stored at memory locations with offsets 8 and 12, respectively, relative to the address in register %ebp. 1 movl 12(%ebp), %ecx Get n %ecx ? Shifts 2 movl 8(%ebp), %eax Get x amounts between 0 and 31 are allowed sall $2, %eax 3 _______ x <<= 2 subl %cl, %eax 4 _______ x >>= n • Note: the right shift should be performed arithmetically. 2020/12/4 10

Problem 3. 6 (P 147) In the compilation of the loop for (i = 0; i < n; i++) v += i; set register %edx code to 0, line: we find the. To following assembly the program that xorl %edx, exploiting %edx x^x =0 for any x. It Explain why this instruction would be there, corresponds to the C even though there are no EXCLUSIVE-OR statement i = 0. operators in our C code. What operation in the C program does this instruction implement ? 2020/12/4 11

Problem 3. 7 (P 151) • In the following C code, we have replaced some of the comparison operators with “__” and omitted the data types in the casts. cmpl %ecx, %esi char ctest(in a, int c) %ecx, %esi setl %alb, int cmpl setb -1(%ebp) { cmpw %cx, 16(%ebp) < b; char t 1 = a ___ setge -2(%ebp) char t 2 = b ___( < unsigned ) a; movb %cl, %dl >= ( short)a; char t 3 = ( short ) c __ != ( char )c; char t 4 = ( char ) a __ > char t 5 = c ____ b; > char t 6 = a _____ 0; return t 1 + t 2 + t 3 + t 4 + t 5 + t 6 ; } 2020/12/4 12

Problem 3. 8 (P 155) • In the following excerpts from a disassembled binary, some of the 8048 dle information has been replaced by x’s. +da Answer the following questions: 8048 df 8 • A. What is the target of the jbe instruction below? 8048 d 1 c: 76 da jbe xxxxxxx 8048 d 1 e: eb 24 jmp 8048 d 44 2020/12/4 13

Problem 3. 8+ • B. What is the address of the mov instruction ? xxxxxxx: eb 54 jmp 8048 d 44 8048 CF 0 xxxxxxx: c 7 45 f 8 10 00 mov $0 x 10, 0 xfffffff 8 (%ebp) • C. In the code that follows, the jump target is 8048907 encoded in PC-relative +cb form as a 4 -byte, two’s complement number. The bytes are listed from 80489 d 2 least significant to most, reflecting the littleendian byte ordering of IA 32. What is the address of the jump target ? 8048902: e 9 cb 00 00 00 jmp xxxxxxx 80489 D 2 8048907: 90 nop 2020/12/4 14

Problem 3. 8++ • D. Explain the relation between the annotation on the right and the byte coding on the left. Both lines are part of the encoding of the jmp instruction. 80483 f 0: ff 25 e 0 a 2 04 jmp *0 x 804 a 2 e 0 80483 f 5: 08 Answer: An indirect jump is denoted by instruction code ff 25. The address from which the jump target is to be read is encoded explicitly by the following 4 bytes. Since the machine is little endian, these are given in reverse order as e 0 a 2 04 08 2020/12/4 15

Problem 3. 9 (P 157) • When given the C code void cond(int a, int *p) { if (p && a > 0) *p += a; } • GCC generates the following assembly code: 2020/12/4 16

1 movl 8(%ebp), %edx void cond (int a, int *p){ 2 movl 12(%ebp), %eax if (p == 0) goto done; 3 testl %eax, %eax if (a <= 0) 4 je. L 3 goto done; *p += a; 5 testl %edx, %edx done: 6 jle. L 3 } 7 addl %edx, (%eax) 8. L 3: • A. Write a goto vision in C that … • B. Explain why the assembly code contains two conditional branches, even though the C code has only one if statement. The first conditional branch is part of the implementation of the || expression. If the test for p being nonnull fails, the code will skip the test of a > 0 2020/12/4 17

Problem 3. 10 (P 160) • For the C code int dw_loop(int x, int y, int n) { do { x += n; y *= n; n--; } while ((n > 0) & (y < n)); return x; } • GCC generates the following assembly code: 2020/12/4 18

put x in %esi 1 movl 8(%ebp), %esi put y in %ebx 2 movl 12(%ebp), %ebx put n in %ecx 3 movl 16 (%ebp), %ecx 4. p 2 align 4, , 7 5. L 6 loop: y *=n 6 imull %ecx, %ebx Register usage x + = n 7 addl %ecx, %esi Registern-Variable Initially 8 decl %ecx %esi x x 9 testl %ecx, %ecx %ebx test n y y n>0 10 setg %al %ecx n n compare y: n 11 cmpl %ecx, %ebx y<n 12 setl %dl (n > 0) & (y < n)z 13 andl %edx, %eax test least significant bit 14 testb $1, %al 15 jne. L 6 if !=0, goto loop 2020/12/4 19

Problem 3. 11 (P 163) • For the following C code: int loop_while (int a, int b) { int i = 0; int result = a; while (i < 256){ result += a; a -= b; i += b; } return result; } • GCC generates the following assembly code: 2020/12/4 20

$a in %eaxa, int b){ int put loop_while_goto(int movl 8(%ebp), %eax int i=0; put$

a in %eaxa, int b){ int put loop_while_goto(int movl 8(%ebp), %eax int i=0; put b in=a; %ebx movl 12(%ebp), %ebx int result loop: i= 0 xorl %ecx, %ecx result += a; a -= b; result =a movl %eax, %edx i + =b; if (i <= 255). p 2 align 4, , 7 goto loop: return result. L 5: loop: } result += a addl %eax, %edx a -= b subl %ebx, %eax Register usage i b addl %ebx, %ecx Register +=Variable Initially compare i: 255 cmpl $255, %ecx %eax a a %ebx b goto loop b if <= jle. L 5 %ecx i 0 %edx 2020/12/4 result a 21

Problem 3. 12 (P 165) • Consider the following assembly code: movl 8(%ebp), %ebx movl 16(%ebp), %edx xorl %eax, %eax decl %edx js. L 4 movl %ebx, %ecx imull 12(%ebp), %ecx. p 2 align 4, , 4. L 6: addl %ecx, %eax subl %ebx, %edx jns. L 6. L 4: 2020/12/4 22

int loop(int x, int y, int n){ int result = 0; int i; n-1 i___; >= 0 i = ___){ i-x for (i = ___; y*x result += ___; } return result; %eax %edx } A. Which registers hold program values result and i ? n-1 B. What is the initial value of i ? C. What is the test condition on i ? i to be nonnegative D. How does i get updated? instruction 4: decl %edx E. The C expression describing how to increment result in the loop body does not change value from one iteration of the loop to the next. The compiler detected this and moved its computation to 1, 6, 7 cause to be stored before the loop. What is thex*y expression? in register %ecx 2020/12/4 23

Problem 3. 13 (P 169) • In the C code, the case labels did not span a contiguous range, and some cases had multiple labels. int switch 2(int x){ int result =0; switch (x){ /*Body of switch statement omitted*/ } return result; } 2020/12/4 24

Jump table for switch 2 1. L 11: 2. long. L 4 setting up jump table access 3. long. L 10 1 movl 8(%ebp), %eax 4. long. L 5 2 addl $2, %eax 5. long. L 6 3 cmpl $6, %eax 6. long. L 8 4 ja. L 10 7. long. L 8 5 jmp *. L 11 (, %eax, 4) 8. long. L 9 Use the foregoing information-2 to answer the 01234 following questions: A. What were the values of the case labels in the switch statement body ? B. What cases had multiple labels in the C code ? 2020/12/4 In jump table line 6 and 7 have the save destination. These correspond to case labels 2 and 3. 25

Problem 3. 14 (P 172) • The following code fragment occurs often in the compiled vision of library routines: is set to the Not true all, since the 1 call nextsubroutine%eax address of the control flows the same ordering as popl 2 next: the instructions andinstruction. the way return This is the only in 3 popl %eax address is popped from stack. IA 32 to get thethe value of A. To what value does register %eax get the program counter into set? an integer register. B. Explain why there is no matching ret instruction to this call. C. What useful purpose does this code fragment serve? 2020/12/4 26

Problem 3. 15 (P 174) Registers %edi, %esi, and %ebx are callee save. The pushl %edi procedure must save them on pushl %esi the stack before altering their pushl %ebx values and restore them before returning. The other movl 24(%ebp), %eax three registers are caller save. imull 16(%ebp), %eax They can be altered with out movl 24(%ebp), %ebx affecting the behavior of the caller leal 0(, %eax, 4), %ecx 1 2 3 4 5 6 7 8 addl 8(%ebp), %ecx 9 Movl %ebx, %edx Explain this apparent inconsistency in the saving and restoring of register states ? 2020/12/4 27

Problem 3. 16 (P 177) • Given the C function 1 int proc(void) 2 { 3 int x, y; 4 scanf(“%x %x”, &y, &x); 5 return x - y; 6 } GCC generates the following assembly code: 2020/12/4 28

1 proc: 2 push 1 %ebp 3 movl %esp, %ebp 4 subl $24, %esp 5 addl $-4, %esp 6 leal -4(%ebp), %eax 7 pushl %eax 8 leal -8(%ebp), %eax 9 pushl %eax 10 pushl $. LC 0 pointer to string “%x %x” 11 call scanf 12 movl -8(%ebp), %eax 13 movl -4(%ebp), %edx 14 subl %eax, %edx Register Value 15 movl %edx, %eax 16 movl %ebp, %esp 0 x 800040 17 popl %ebp 0 x 800060 18 ret Assume that procedure proc starts executing with the following register values: 2020/12/4 29

• Suppose proc calls scanf (line 11), and that scanf reads values 0 x 46 and 0 x 53 from the standard input. Assume that the string “%x %x” is stored at memory location 0 x 300070 • A. What value does %ebp get set to on line 3 ? • B. At what addresses are local variables x and y? • C. What is the value of %esp after line 10 ? • D. Draw a diagram of the stack frame for proc right after scanf returns. Include as much information as you can about the addresses and the contents of the stack frame elements. • E. Indicate the regions of the stack frame that are not used by proc (these wasted areas are allocated to improve the cache performance). 2020/12/4 30

A. What value does %ebp get 1 proc: set to on line 3 ? 0 x 800040 2 push 1 %ebp 3 movl %esp, %ebp 4 subl $24, %esp 5 addl $-4, %esp 6 leal -4(%ebp), %eax C. What is the value of %esp 7 pushl %eax 8 leal -8(%ebp), %eax after line 10 ? 0 x 800014 9 pushl %eax B. At what addresses are local 10 pushl $. LC 0 pointer to string %x” ? variables x and“%x y stored 11 call scanf 12 movl -8(%ebp), %eax X : 0 x 800038 %edx 13 movl -4(%ebp), %edx Y : 0 x 800034 %eax 14 subl %eax, %edx Register Value 15 movl %edx, %eax 16 movl %ebp, %esp 0 x 800040 17 popl %ebp 0 x 800060 18 ret Assume that procedure proc starts executing with the following register values: 2020/12/4 31

0 x 80003 C 0 x 800038 0 x 800034 0 x 800030 0 x 80002 C 0 x 800028 0 x 800024 0 x 800020 0 x 80001 C 0 x 800018 0 x 800014 2020/12/4 0 x 800060 0 x 53 x 0 x 46 y 0 x 800038 0 x 800034 0 x 300070 %ebp %esp 32

Q&A ? Thank you! 2020/12/4 33