Machine-Level Programming I: Introduction

Topics
- Assembly Programmer's Execution Model
- Accessing Information
  - Registers
  - Memory
- Arithmetic operations
Assembly Programmer's View

[Figure: CPU (EIP, registers, condition codes) exchanging addresses, data and instructions with memory (object code, program data, OS data, stack).]

Programmer-Visible State
- EIP (Program Counter)
  - Address of next instruction
- Register File
  - Heavily used program data
- Condition Codes
  - Store status information about most recent arithmetic operation
  - Used for conditional branching
- Memory
  - Byte addressable array
  - Code, user data, (some) OS data
  - Includes stack used to support procedures
Turning C into Object Code

- Code in files p1.c p2.c
- Compile with command: gcc -O p1.c p2.c -o p
  - Use optimizations (-O)
  - Put resulting binary in file p

    C program (p1.c p2.c)            [text]
      | Compiler (gcc -S)
    Asm program (p1.s p2.s)          [text]
      | Assembler (gcc or as)
    Object program (p1.o p2.o)       [binary]
      | Linker (gcc or ld)  <- Static libraries (.a)
    Executable program (p)           [binary]
Compiling Into Assembly

C Code:

    int sum(int x, int y)
    {
      int t = x+y;
      return t;
    }

Obtain with command gcc -O -S code.c; produces file code.s

Generated Assembly:

    _sum:
      pushl %ebp
      movl %esp,%ebp
      movl 12(%ebp),%eax
      addl 8(%ebp),%eax
      movl %ebp,%esp
      popl %ebp
      ret
Assembly Characteristics

Minimal Data Types
- "Integer" data of 1, 2, or 4 bytes
  - Data values
  - Addresses (untyped pointers)
- Floating point data of 4, 8, or 10 bytes
- No aggregate types such as arrays or structures
  - Just contiguously allocated bytes in memory

Primitive Operations
- Perform arithmetic function on register or memory data
- Transfer data between memory and register
  - Load data from memory into register
  - Store register data into memory
- Transfer control
  - Unconditional jumps to/from procedures
  - Conditional branches
Object Code for sum

    0x401040 <sum>:
      0x55
      0x89
      0xe5
      0x8b
      0x45
      0x0c
      0x03
      0x45
      0x08
      0x89
      0xec
      0x5d
      0xc3

- Total of 13 bytes
- Each instruction 1, 2, or 3 bytes
- Starts at address 0x401040

Assembler
- Translates .s into .o
- Binary encoding of each instruction
- Nearly-complete image of executable code
- Missing linkages between code in different files
- Look at output with xxd

Linker
- Resolves references between files
- Combines with static run-time libraries
  - E.g., code for malloc, printf
- Some libraries are dynamically linked
  - Linking occurs when program begins execution
Machine Instruction Example

C Code: int t = x+y;
- Add two signed integers

Assembly: addl 8(%ebp),%eax
- Add 2 4-byte integers
  - "Long" words in GCC parlance
  - Same instruction whether signed or unsigned
- Operands:
  - x: Register %eax
  - y: Memory M[%ebp+8]
  - t: Register %eax (return function value in %eax)
- Similar to expression x += y

Object Code: 0x401046: 03 45 08
- 3-byte instruction
- Stored at address 0x401046
Disassembling Object Code

Disassembled:

    00401040 <_sum>:
    0:  55          push %ebp
    1:  89 e5       mov  %esp,%ebp
    3:  8b 45 0c    mov  0xc(%ebp),%eax
    6:  03 45 08    add  0x8(%ebp),%eax
    9:  89 ec       mov  %ebp,%esp
    b:  5d          pop  %ebp
    c:  c3          ret
    d:  8d 76 00    lea  0x0(%esi),%esi

Disassembler: objdump -d p (otool -tv p on Mac)
- Useful tool for examining object code
- Analyzes bit pattern of series of instructions
- Produces approximate rendition of assembly code
- Can be run on either a.out (complete executable) or .o file
Alternate Disassembly

Object bytes at 0x401040: 0x55 0x89 0xe5 0x8b 0x45 0x0c 0x03 0x45 0x08 0x89 0xec 0x5d 0xc3

Disassembled:

    0x401040 <sum>:      push %ebp
    0x401041 <sum+1>:    mov  %esp,%ebp
    0x401043 <sum+3>:    mov  0xc(%ebp),%eax
    0x401046 <sum+6>:    add  0x8(%ebp),%eax
    0x401049 <sum+9>:    mov  %ebp,%esp
    0x40104b <sum+11>:   pop  %ebp
    0x40104c <sum+12>:   ret
    0x40104d <sum+13>:   lea  0x0(%esi),%esi

Within gdb Debugger:
- gdb p
- disassemble sum
  - Disassemble procedure
- x/13b sum
  - Examine the 13 bytes starting at sum
What Can be Disassembled?

    % objdump -d WINWORD.EXE

    WINWORD.EXE:     file format pei-i386

    No symbols in "WINWORD.EXE".
    Disassembly of section .text:

    30001000 <.text>:
    30001000: 55               push %ebp
    30001001: 8b ec            mov  %esp,%ebp
    30001003: 6a ff            push $0xffffffff
    30001005: 68 90 10 00 30   push $0x30001090
    3000100a: 68 91 dc 4c 30   push $0x304cdc91

- Anything that can be interpreted as executable code
- Disassembler examines bytes and reconstructs assembly source
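The three disassembly slides above say that a disassembler "analyzes the bit pattern of a series of instructions" and produces an "approximate rendition". The following added example (not part of the original slides) is a minimal linear-sweep decoder for just the opcodes that occur in the object code of sum. It reproduces the objdump listing from the 13 bytes plus the 3-byte lea padding, and it also shows the approximation: starting the sweep at a byte that is not an instruction boundary yields different (or no) instructions. The opcode table, ModRM handling and output format are this example's own; only the byte sequence comes from the slides.

```c
/* Added example (not from the original slides): linear-sweep decoding of
 * the IA32 opcodes found in sum's object code into AT&T-syntax text.
 * Only the opcode/ModRM forms those bytes use are handled; anything else
 * stops the sweep. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const char *REG32[8] = {"%eax", "%ecx", "%edx", "%ebx",
                               "%esp", "%ebp", "%esi", "%edi"};

/* The 13 bytes of sum from the slide, plus the 3-byte lea that objdump
 * shows as padding after ret. */
const uint8_t SUM_CODE[] = {0x55, 0x89, 0xe5, 0x8b, 0x45, 0x0c, 0x03, 0x45,
                            0x08, 0x89, 0xec, 0x5d, 0xc3, 0x8d, 0x76, 0x00};
const size_t SUM_CODE_LEN = sizeof SUM_CODE;

/* Decode a ModRM byte (and any disp8/disp32 after it) into an AT&T operand.
 * Returns bytes consumed, or 0 for forms not handled here (SIB byte, i.e.
 * rm == 4, and the mod == 0 / rm == 5 absolute form). */
static size_t decode_rm(const uint8_t *p, size_t n, int *reg, char *out, size_t cap)
{
    if (n < 1) return 0;
    int mod = p[0] >> 6, rm = p[0] & 7;
    *reg = (p[0] >> 3) & 7;
    if (mod == 3) { snprintf(out, cap, "%s", REG32[rm]); return 1; }
    if (rm == 4 || (mod == 0 && rm == 5)) return 0;
    if (mod == 0) { snprintf(out, cap, "(%s)", REG32[rm]); return 1; }
    if (mod == 1) {                                   /* disp8, sign-extended */
        if (n < 2) return 0;
        int d = (int8_t)p[1];
        if (d < 0) snprintf(out, cap, "-0x%x(%s)", (unsigned)-d, REG32[rm]);
        else       snprintf(out, cap, "0x%x(%s)", (unsigned)d, REG32[rm]);
        return 2;
    }
    if (n < 5) return 0;                              /* mod == 2: disp32 */
    uint32_t d32 = p[1] | (p[2] << 8) | (p[3] << 16) | ((uint32_t)p[4] << 24);
    snprintf(out, cap, "0x%x(%s)", d32, REG32[rm]);
    return 5;
}

/* Decode one instruction into AT&T text; returns its length in bytes, or 0
 * if the opcode is outside this small table. */
size_t decode_insn(const uint8_t *p, size_t n, char *out, size_t cap)
{
    if (n == 0) return 0;
    uint8_t op = p[0];
    int reg; char rm[32]; size_t used;
    if (op >= 0x50 && op <= 0x57) { snprintf(out, cap, "push %s", REG32[op - 0x50]); return 1; }
    if (op >= 0x58 && op <= 0x5f) { snprintf(out, cap, "pop %s", REG32[op - 0x58]); return 1; }
    if (op == 0xc3) { snprintf(out, cap, "ret"); return 1; }
    if (op != 0x89 && op != 0x8b && op != 0x03 && op != 0x8d) return 0;
    used = decode_rm(p + 1, n - 1, &reg, rm, sizeof rm);
    if (used == 0) return 0;
    if (op == 0x89)      snprintf(out, cap, "mov %s,%s", REG32[reg], rm); /* mov r/m32,r32: reg field is the source */
    else if (op == 0x8b) snprintf(out, cap, "mov %s,%s", rm, REG32[reg]); /* mov r32,r/m32 */
    else if (op == 0x03) snprintf(out, cap, "add %s,%s", rm, REG32[reg]); /* add r32,r/m32 */
    else                 snprintf(out, cap, "lea %s,%s", rm, REG32[reg]); /* lea r32,m */
    return 1 + used;
}

static char lines[32][48];

/* Linear sweep from offset 0, like objdump -d: stores "offset: text" lines
 * and returns how many instructions were decoded before an unknown byte. */
size_t disassemble(const uint8_t *code, size_t n)
{
    size_t off = 0, count = 0;
    while (off < n && count < 32) {
        char text[40];
        size_t len = decode_insn(code + off, n - off, text, sizeof text);
        if (len == 0) break;
        snprintf(lines[count], sizeof lines[count], "%zx: %s", off, text);
        off += len;
        count++;
    }
    return count;
}

const char *disasm_line(size_t i) { return lines[i]; }

int main(void)
{
    size_t n = disassemble(SUM_CODE, SUM_CODE_LEN);
    for (size_t i = 0; i < n; i++) puts(disasm_line(i));
    return 0;
}
```

Running it prints the same eight lines as the objdump listing. Calling disassemble on the bytes starting at offset 2 (the 0xe5 ModRM byte of the second instruction) decodes nothing, which is the concrete form of the slide's warning that the output is only an approximate rendition of the bytes, not ground truth about what will execute.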
Moving Data

Integer registers: %eax %edx %ecx %ebx %esi %edi %esp %ebp

movl Source,Dest:
- Move 4-byte ("long") word
- Lots of these in typical code

Operand Types
- Immediate: Constant integer data
  - Like C constant, but prefixed with '$'
  - E.g., $0x400, $-533
  - Encoded with 1, 2, or 4 bytes
- Register: One of 8 integer registers
  - But %esp and %ebp reserved for special use
  - Others have special uses for particular instructions
- Memory: 4 consecutive bytes of memory
  - Various "address modes"
movl Operand Combinations

    Source  Dest  Instruction          C Analog
    Imm     Reg   movl $0x4,%eax       temp = 0x4;
    Imm     Mem   movl $-147,(%eax)    *p = -147;
    Reg     Reg   movl %eax,%edx       temp2 = temp1;
    Reg     Mem   movl %eax,(%edx)     *p = temp;
    Mem     Reg   movl (%eax),%edx     temp = *p;

- Cannot do memory-memory transfers with single instruction
Simple Addressing Modes

Normal: (R)  Mem[Reg[R]]
- Register R specifies memory address
- Example: movl (%ecx),%eax

Displacement: D(R)  Mem[Reg[R]+D]
- Register R specifies start of memory region
- Constant displacement D specifies offset
- Example: movl 8(%ebp),%edx
Using Simple Addressing Modes

    void swap(int *xp, int *yp)
    {
      int t0 = *xp;
      int t1 = *yp;
      *xp = t1;
      *yp = t0;
    }

    swap:
      pushl %ebp            # Set Up
      movl %esp,%ebp
      pushl %ebx
      movl 12(%ebp),%ecx    # Body
      movl 8(%ebp),%edx
      movl (%ecx),%eax
      movl (%edx),%ebx
      movl %eax,(%edx)
      movl %ebx,(%ecx)
      movl -4(%ebp),%ebx    # Finish
      movl %ebp,%esp
      popl %ebp
      ret
Understanding Swap

    void swap(int *xp, int *yp)
    {
      int t0 = *xp;
      int t1 = *yp;
      *xp = t1;
      *yp = t0;
    }

Stack (offset from %ebp):

    Offset  Contents
    12      yp
     8      xp
     4      Rtn adr
     0      Old %ebp   <- %ebp
    -4      Old %ebx

    Register  Variable
    %ecx      yp
    %edx      xp
    %eax      t1
    %ebx      t0

    movl 12(%ebp),%ecx   # ecx = yp
    movl 8(%ebp),%edx    # edx = xp
    movl (%ecx),%eax     # eax = *yp (t1)
    movl (%edx),%ebx     # ebx = *xp (t0)
    movl %eax,(%edx)     # *xp = eax
    movl %ebx,(%ecx)     # *yp = ebx
Understanding Swap (step by step)

Memory image used on the slides (constructed values): the two ints live at 0x124 and 0x120.

    Data memory:   M[0x124] = 123 (*xp)    M[0x120] = 456 (*yp)

    Stack frame (offset from %ebp):
      12   yp = 0x120
       8   xp = 0x124
       4   Rtn adr
       0   Old %ebp   <- %ebp
      -4   Old %ebx   <- %esp

Executing the body one instruction at a time:

    Instruction            Effect            State after
    movl 12(%ebp),%ecx     ecx = yp          %ecx = 0x120
    movl 8(%ebp),%edx      edx = xp          %edx = 0x124
    movl (%ecx),%eax       eax = *yp (t1)    %eax = 456
    movl (%edx),%ebx       ebx = *xp (t0)    %ebx = 123
    movl %eax,(%edx)       *xp = eax         M[0x124] = 456
    movl %ebx,(%ecx)       *yp = ebx         M[0x120] = 123

After the last store both words have been exchanged: M[0x124] = 456 and M[0x120] = 123.
Indexed Addressing Modes

Most General Form: D(Rb,Ri,S)  Mem[Reg[Rb]+S*Reg[Ri]+D]
- D: Constant "displacement" 1, 2, or 4 bytes
- Rb: Base register: Any of 8 integer registers
- Ri: Index register: Any, except for %esp
  - Unlikely you'd use %ebp, either
- S: Scale: 1, 2, 4, or 8

Special Cases
    (Rb,Ri)     Mem[Reg[Rb]+Reg[Ri]]
    D(Rb,Ri)    Mem[Reg[Rb]+Reg[Ri]+D]
    (Rb,Ri,S)   Mem[Reg[Rb]+S*Reg[Ri]]
Address Computation Examples

Register values: %edx = 0xf000, %ecx = 0x100

    Expression        Computation          Address
    0x8(%edx)         0xf000 + 0x8         0xf008
    (%edx,%ecx)       0xf000 + 0x100       0xf100
    (%edx,%ecx,4)     0xf000 + 4*0x100     0xf400
    0x80(,%edx,2)     2*0xf000 + 0x80      0x1e080
Address Computation Instruction

leal Src,Dest
- Src is address mode expression
- Set Dest to address denoted by expression

Uses
- Computing address without doing memory reference
  - E.g., translation of p = &x[i];
- Computing arithmetic expressions of the form x + k*y
  - k = 1, 2, 4, or 8
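The addressing-mode slides (simple and indexed forms, the address-computation table, and the step-by-step swap trace) all reduce to one rule: the operand names the location Reg[Rb] + S*Reg[Ri] + D, and leal is that rule with the memory access left out. The added example below (not part of the original slides) models that rule over a small byte-addressable memory, reproduces the four rows of the address-computation table with %edx = 0xf000 and %ecx = 0x100, and then replays the six-instruction body of swap against the slides' memory image (M[0x124] = 123, M[0x120] = 456). The register enum, the memory window 0x100..0x12f, and the frame base %ebp = 0x108 are this example's own assumptions.

```c
/* Added example (not from the original slides): a model of the IA32
 * operand form D(Rb,Ri,S) and a replay of swap's body through it.
 * %ebp = 0x108 and the memory window are assumptions made here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI, NREGS, NONE = -1 };
typedef struct { uint32_t r[NREGS]; } Cpu;

/* Reg[Rb] + S*Reg[Ri] + D. Pass NONE for an absent base or index, as in
 * 0x80(,%edx,2). This value is exactly what leal stores in its destination. */
uint32_t effective_addr(const Cpu *c, int rb, int ri, uint32_t s, int32_t d)
{
    uint32_t a = (uint32_t)d;
    if (rb != NONE) a += c->r[rb];
    if (ri != NONE) a += s * c->r[ri];
    return a;
}

/* Simulated memory covering 0x100..0x12f as little-endian 4-byte words. */
#define MEM_BASE 0x100u
static uint8_t mem[0x30];

uint32_t load32(uint32_t addr)
{
    uint32_t i = addr - MEM_BASE, v = 0;
    for (int k = 3; k >= 0; k--) v = (v << 8) | mem[i + k];
    return v;
}

void store32(uint32_t addr, uint32_t v)
{
    uint32_t i = addr - MEM_BASE;
    for (int k = 0; k < 4; k++) mem[i + k] = (uint8_t)(v >> (8 * k));
}

/* The body of swap, each movl written as a load or store through
 * effective_addr with the same operands as the assembly. */
void swap_body(Cpu *c)
{
    c->r[ECX] = load32(effective_addr(c, EBP, NONE, 0, 12)); /* movl 12(%ebp),%ecx  ecx = yp */
    c->r[EDX] = load32(effective_addr(c, EBP, NONE, 0, 8));  /* movl 8(%ebp),%edx   edx = xp */
    c->r[EAX] = load32(effective_addr(c, ECX, NONE, 0, 0));  /* movl (%ecx),%eax    eax = *yp (t1) */
    c->r[EBX] = load32(effective_addr(c, EDX, NONE, 0, 0));  /* movl (%edx),%ebx    ebx = *xp (t0) */
    store32(effective_addr(c, EDX, NONE, 0, 0), c->r[EAX]);  /* movl %eax,(%edx)    *xp = eax */
    store32(effective_addr(c, ECX, NONE, 0, 0), c->r[EBX]);  /* movl %ebx,(%ecx)    *yp = ebx */
}

/* Build the frame drawn on the slide, run the body, and report whether the
 * two words were exchanged. The final register state is left in *c. */
int run_swap_example(Cpu *c)
{
    memset(mem, 0, sizeof mem);
    memset(c, 0, sizeof *c);
    c->r[EBP] = 0x108;                 /* assumed frame base */
    c->r[ESP] = c->r[EBP] - 4;         /* %esp after pushl %ebx */
    store32(0x124, 123);               /* *xp */
    store32(0x120, 456);               /* *yp */
    store32(c->r[EBP] + 8, 0x124);     /* xp at 8(%ebp) */
    store32(c->r[EBP] + 12, 0x120);    /* yp at 12(%ebp) */
    swap_body(c);
    return load32(0x124) == 456 && load32(0x120) == 123;
}

int main(void)
{
    Cpu c = {{0}};
    c.r[EDX] = 0xf000; c.r[ECX] = 0x100;
    printf("0x8(%%edx)     = 0x%x\n", effective_addr(&c, EDX, NONE, 0, 8));
    printf("(%%edx,%%ecx)   = 0x%x\n", effective_addr(&c, EDX, ECX, 1, 0));
    printf("(%%edx,%%ecx,4) = 0x%x\n", effective_addr(&c, EDX, ECX, 4, 0));
    printf("0x80(,%%edx,2) = 0x%x\n", effective_addr(&c, NONE, EDX, 2, 0x80));
    printf("swap exchanged words: %d\n", run_swap_example(&c));
    return 0;
}
```

The four printed addresses match the table (0xf008, 0xf100, 0xf400, 0x1e080), and after run_swap_example the registers hold the values from the trace: %ecx = 0x120, %edx = 0x124, %eax = 456, %ebx = 123. Note that effective_addr does no bounds check, just as the hardware does none: a wrong displacement or index simply names a different address, which is why the offsets 8 and 12 in swap have to match the caller's frame layout exactly.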
Some Arithmetic Operations

Two Operand Instructions

    Format            Computation
    addl Src,Dest     Dest = Dest + Src
    subl Src,Dest     Dest = Dest - Src
    imull Src,Dest    Dest = Dest * Src
    sall Src,Dest     Dest = Dest << Src    Also called shll
    sarl Src,Dest     Dest = Dest >> Src    Arithmetic
    shrl Src,Dest     Dest = Dest >> Src    Logical
    xorl Src,Dest     Dest = Dest ^ Src
    andl Src,Dest     Dest = Dest & Src
    orl Src,Dest      Dest = Dest | Src
Some Arithmetic Operations

One Operand Instructions

    Format       Computation
    incl Dest    Dest = Dest + 1
    decl Dest    Dest = Dest - 1
    negl Dest    Dest = -Dest
    notl Dest    Dest = ~Dest
Using leal for Arithmetic Expressions

    int arith(int x, int y, int z)
    {
      int t1 = x+y;
      int t2 = z+t1;
      int t3 = x+4;
      int t4 = y * 48;
      int t5 = t3 + t4;
      int rval = t2 * t5;
      return rval;
    }

    arith:
      pushl %ebp                 # Set Up
      movl %esp,%ebp
      movl 8(%ebp),%eax          # Body
      movl 12(%ebp),%edx
      leal (%edx,%eax),%ecx
      leal (%edx,%edx,2),%edx
      sall $4,%edx
      addl 16(%ebp),%ecx
      leal 4(%edx,%eax),%eax
      imull %ecx,%eax
      movl %ebp,%esp             # Finish
      popl %ebp
      ret
Understanding arith

    int arith(int x, int y, int z)
    {
      int t1 = x+y;
      int t2 = z+t1;
      int t3 = x+4;
      int t4 = y * 48;
      int t5 = t3 + t4;
      int rval = t2 * t5;
      return rval;
    }

Stack (offset from %ebp):

    Offset  Contents
    16      z
    12      y
     8      x
     4      Rtn adr
     0      Old %ebp   <- %ebp

    movl 8(%ebp),%eax         # eax = x
    movl 12(%ebp),%edx        # edx = y
    leal (%edx,%eax),%ecx     # ecx = x+y (t1)
    leal (%edx,%edx,2),%edx   # edx = 3*y
    sall $4,%edx              # edx = 48*y (t4)
    addl 16(%ebp),%ecx        # ecx = z+t1 (t2)
    leal 4(%edx,%eax),%eax    # eax = 4+t4+x (t5)
    imull %ecx,%eax           # eax = t5*t2 (rval)
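The annotated listing above shows the compiler turning y * 48 into a leal that computes 3*y followed by a 4-bit shift, and using leal again for 4+t4+x. The added example below (not from the original slides) puts the slide's C arith next to an instruction-by-instruction replay of the compiled body so the two can be compared on concrete inputs. Register names are plain variables here, the three arguments stand in for 8(%ebp), 12(%ebp) and 16(%ebp), and all arithmetic is 32-bit modular, matching the slide's point that the same addl/imull serve signed and unsigned operands.

```c
/* Added example (not from the original slides): the slide's arith beside
 * a replay of its compiled body, instruction by instruction. */
#include <stdint.h>
#include <stdio.h>

int arith(int x, int y, int z)
{
    int t1 = x + y;
    int t2 = z + t1;
    int t3 = x + 4;
    int t4 = y * 48;
    int t5 = t3 + t4;
    int rval = t2 * t5;
    return rval;
}

/* %edx after "leal (%edx,%edx,2),%edx; sall $4,%edx": (3*y) << 4 = 48*y.
 * Kept as its own function so the trick can be checked on its own. */
uint32_t times48(uint32_t y)
{
    uint32_t edx = y;
    edx = edx + 2 * edx;   /* leal (%edx,%edx,2),%edx   edx = 3*y */
    edx <<= 4;             /* sall $4,%edx             edx = 48*y */
    return edx;
}

/* One line per emitted instruction, in the compiler's order. */
uint32_t arith_asm(uint32_t x, uint32_t y, uint32_t z)
{
    uint32_t eax = x;             /* movl 8(%ebp),%eax */
    uint32_t edx = y;             /* movl 12(%ebp),%edx */
    uint32_t ecx = edx + eax;     /* leal (%edx,%eax),%ecx   ecx = x+y (t1) */
    edx = times48(edx);           /* leal + sall             edx = 48*y (t4) */
    ecx += z;                     /* addl 16(%ebp),%ecx      ecx = z+t1 (t2) */
    eax = 4 + edx + eax;          /* leal 4(%edx,%eax),%eax  eax = 4+t4+x (t5) */
    eax *= ecx;                   /* imull %ecx,%eax         eax = t5*t2 (rval), low 32 bits */
    return eax;
}

int main(void)
{
    printf("arith(1,2,3)     = %d\n", arith(1, 2, 3));
    printf("arith_asm(1,2,3) = %u\n", arith_asm(1, 2, 3));
    printf("arith(2,-3,5)    = %d\n", arith(2, -3, 5));
    printf("arith_asm(2,-3,5) as int = %d\n", (int)arith_asm(2, -3, 5));
    return 0;
}
```

For (1, 2, 3) both paths give 606; for (2, -3, 5) the C version returns -552 and the replay returns the same bit pattern, 0xfffffdd8, because the 32-bit wraparound in the unsigned replay is exactly the two's-complement result the hardware produces.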
Summary: Abstract Machines

Machine Models
- C: memory + processor
- Assembly: memory (including the stack) + registers, ALU, condition codes

Data
- C: 1) char 2) int, float 3) double 4) struct, array 5) pointer
- Assembly: 1) byte 2) 2-byte word 3) 4-byte long word 4) contiguous byte allocation 5) address of initial byte

Control
- C: 1) loops 2) conditionals 3) switch 4) Proc. call 5) Proc. return
- Assembly: 3) branch/jump 4) call 5) ret
x86 Assembly Properties

Instruction can reference different operand types
- Immediate, register, memory

Arithmetic operations can read/write memory

Memory reference can involve complex computation
- Rb + S*Ri + D
- Useful for arithmetic expressions, too

Instructions can have varying lengths
- IA32 instructions can range from 1 to 15 bytes
Pentium Pro (P6)

History
- Announced in Feb. '95
- Basis for Pentium II, Pentium III, and Celeron processors
- Pentium 4 similar idea, but different details

Features
- Dynamically translates instructions to more regular format
  - Very wide, but simple instructions
- Executes operations in parallel
  - Up to 5 at once
- Very deep pipeline
  - 12-18 cycle latency
PentiumPro Operation

Translates instructions dynamically into "Uops"
- 118 bits wide
- Holds operation, two sources, and destination

Executes Uops with "Out of Order" engine
- Uop executed when
  - Operands available
  - Functional unit available
- Execution controlled by "Reservation Stations"
  - Keeps track of data dependencies between uops
  - Allocates resources

Consequences
- Indirect relationship between IA32 code and what actually gets executed
- Tricky to predict / optimize performance at assembly level
PentiumPro Block Diagram

[Figure: PentiumPro block diagram, from Microprocessor Report, 2/16/95.]
Whose Assembler?

    Intel/Microsoft Format            GAS/Gnu Format
    lea eax,[ecx+ecx*2]               leal (%ecx,%ecx,2),%eax
    sub esp,8                         subl $8,%esp
    cmp dword ptr [ebp-8],0           cmpl $0,-8(%ebp)
    mov eax,dword ptr [eax*4+100h]    movl 0x100(,%eax,4),%eax

Intel/Microsoft Differs from GAS
- Operands listed in opposite order
  - mov Dest, Src  vs.  movl Src, Dest
- Constants not preceded by '$'; denote hex with 'h' at end
  - 100h  vs.  $0x100
- Operand size indicated by operands rather than operator suffix
  - sub  vs.  subl
- Addressing format shows effective address computation
  - [eax*4+100h]  vs.  0x100(,%eax,4)