Credits and Disclaimers

Transcription

1 Credits and Disclaimers 1 The examples and discussion in the following slides have been adapted from a variety of sources, including: Chapter 3 of Computer Systems 2 nd Edition by Bryant and O'Hallaron /GAS Syntax on WikiBooks ( Using Assembly Language in Linux by Phillip?? ( The C code was compiled to assembly with gcc version on Ubuntu Linux. Unless noted otherwise, the assembly code was generated using the following command line: gcc S m32 O0 file.c AT&T assembly syntax is used, rather than Intel syntax, since that is what the gcc tools use.

2 Shift Instructions Shifting the representation of an integer sall rightop, leftop leftop = leftop << rightop 2 sarl rightop, leftop leftop = leftop >> rightop (preserves sign) shll rightop, leftop leftop = leftop << rightop (same as sall) shrl rightop, leftop leftop = leftop >> rightop (hi bits set to 0)

3 Left Shifts and Multiplication 3 Shifting an integer operand to the left by k bits is equivalent to multiplying the operand's value by 2 k : sall 1, %eax sall 3, %edx # eax = 2*eax # edx = 8*edx For example: edx edx Since general multiplication is much more expensive (in time) than shifting bits, we should prefer using a shift-left instruction when multiplying by a power of 2.

4 Right Shifts, Unsigned Operands, and Division 4 Shifting an integer operand to the right by k bits might be expected to divide the operand's value by 2 k : shrl 1, %eax # eax = eax / 2? Recall that shrl shifts in 0's on the left; so this will indeed perform integer division by 2, provided the value in eax is interpreted as an unsigned integer. For example, if we have an 8-bit unsigned representation of , the instruction above would perform the following transformation: So it would yield , which is correct for integer division.

5 Right Shifts, Unsigned Operands, and Division 5 But, the following will not yield the correct result for an unsigned integer: sarl 1, %eax # eax!= eax / 2 For example, if we consider an 8-bit representation of , the instruction above would produce this transformation: So it would yield , which is incorrect.

6 Right Shifts, Signed Operands, and Division 6 Shifting a non-negative (signed) integer operand to the right by k bits will divide the operand's value by 2 k : shrl 1, %eax # eax = eax / 2 sarl 1, %eax # eax = eax / 2 If eax holds a non-negative signed integer, the left-most bit will 0, and so both of these instructions will yield the same result. But, if the signed operand is negative, then the high bit will be 1. Clearly, shrl cannot yield the correct quotient in this case. Why?

7 Right Shifts, Signed Operands, and Division 7 What about the following instruction, if eax holds a negative signed value? sarl 1, %eax # eax = eax / 2 sarl replicates the sign bit, so this will yield a negative result But, suppose we have an 8-bit representation of -7: Then applying an arithmetic right shift of 1 position yields: That represents the value -4 is that correct? Mathematics says yes by the Division Algorithm: -7 = -4 * Remainders must be >= 0! C says no: -7 = -3 * % 2 must equal -(7 % 2)

8 Logical Instructions There are the usual logical operations, applied bitwise: andl rightop, leftop leftop = leftop & rightop orl rightop, leftop leftop = leftop righttop xorl rightop, leftop leftop = leftop ^ rightop notl op op = ~op 8

9 Arithmetic/Logic Example int arith(int x, int y, int z) { 9 } int t1 = x + y; int t2 = z*48; int t3 = t1 & 0xFFFF; int t4 = t2 * t3; return t4; ebp + 16 ebp + 12 ebp + 8 ebp + 4 ebp ebp 4 ebp 8 ebp - 12 ebp - 16 the Stack z y x return address old value of ebp t1 t2 t3 t4 fn parameters fn autos

10 Arithmetic/Logic Example int arith(int x, int y, int z) { } int t1 = x + y; int t2 = z*48; int t3 = t1 & 0xFFFF; int t4 = t2 * t3; return t4; Mapping: address x ebp + 8 y ebp + 12 t1 ebp leal 12(%ebp), %eax # eax = y 8(%ebp), %edx # edx = x (%edx,%eax), %eax # eax = x + y %eax, -4(%ebp) # t1 = x + y

11 Arithmetic/Logic Example int arith(int x, int y, int z) { } int t1 = x + y; int t2 = z*48; int t3 = t1 & 0xFFFF; int t4 = t2 * t3; return t4; Mapping: address z ebp + 16 t2 ebp addl addl sall 16(%ebp), %edx # edx = z %edx, %eax # eax = z %eax, %eax # eax = z + z = 2z %edx, %eax # eax = 2z + z = 3z $4, %eax # eax = (3z) << 4 = 3z*16 = 48z %eax, -8(%ebp) # t2 = 48z

12 Aside: Optimization 12 You noticed something interesting about the way the compiler translated the C statement: int t2 = z * 48; The resulting assembly code did not use imull: leal sall 16(%ebp), %eax # eax = z (%eax,%eax,2), %edx # edx = eax + 2*eax $4, %edx # edx = 16*edx The original C code is equivalent to: int t2 = (z + z << 1) << 4; Recall that shifting is equivalent to multiplying by a power of 2. It is also faster to shift (and add) than to multiply, so the translation above saves some time.

13 Aside: leal You also noticed another use of the leal instruction: 13 leal (%eax,%eax,2), %edx # edx = eax + 2*eax The particular form of the instruction used here is: leal Imm1(src1, src2, Imm2), dst dst = Imm2*src2 + src1 + Imm1 The execution of the instruction offers some additional performance advantages.

14 Arithmetic/Logic Example int arith(int x, int y, int z) { } int t1 = x + y; int t2 = z*48; int t3 = t1 & 0xFFFF; int t4 = t2 * t3; return t4; Mapping: address t1 ebp - 4 t3 ebp andl -4(%ebp), %eax # eax = t1 $65535, %eax # eax = t1 & 0xFFFF %eax, -12(%ebp) # t3 = t1 & 0xFFFF

15 Arithmetic/Logic Example int arith(int x, int y, int z) { } int t1 = x + y; int t2 = z*48; int t3 = t1 & 0xFFFF; int t4 = t2 * t3; return t4; Mapping: address t2 ebp - 8 t3 ebp - 12 t4 ebp imull -8(%ebp), %eax # eax = t2-12(%ebp), %eax # eax = t2 * t3 %eax, -16(%ebp) # t4 = t2 * t3

16 Assembled Code 16.file "arith.c".text gcc O0 -S -Wall -m32 arith.c.globl arith.type arith: pushl %ebp # save old frame pointer %esp, %ebp # move frame pointer to top subl $16, %esp # make room on stack for locals # see following slides for body -16(%ebp), %eax # set return value in eax leave # esp = ebp; pop to ebp ret # return to caller.size arith,.-arith.ident "GCC: (Ubuntu/Linaro int arith(int ubuntu4) x, int y, 4.5.2" int z) {.section.note.gnu-stack,"",@progbits } int t4 = t2 * t3; return t4;

17 Assembled Code 17 int.. arith(int. x, int y, int z) { 12(%ebp), %eax # eax = y int 8(%ebp), t1 = x + %edx y; # edx = x leal int (%edx,%eax), t2 = z*48; %eax # eax = x + y int %eax, t3 = t1-4(%ebp) & 0xFFFF; # t1 = x + y int t4 = t2 * t3; return 16(%ebp), t4; %edx # edx = z } %edx, %eax # eax = z addl %eax, %eax # eax = z + z = 2z addl %edx, %eax # eax = 2z + z = 3z sall $4, %eax # eax = (3z) << 4 = 3z*16 = 48z %eax, -8(%ebp) # t2 = 48z int arith(int x, int y, int z) { } int t1 = x + y; int t2 = z*48;

18 Assembled Code 18 int.. arith(int. x, int y, int z) { -4(%ebp), %eax # eax = t1 andl int $65535, t1 = x + %eax y; # eax = t1 & 0xFFFF int %eax, t2 = z*48; -12(%ebp) # t3 = t1 & 0xFFFF int t3 = t1 & 0xFFFF; int -8(%ebp), t4 = t2 * %eax t3; # eax = t2 imull return -12(%ebp), t4; %eax # eax = t2 * t3 } %eax, -16(%ebp) # t4 = t2 * t3 int arith(int x, int y, int z) { } int t3 = t1 & 0xFFFF; int t4 = t2 * t3; return t4;

19 Comparing Operands 19 The compare instruction facilitates the comparison of operands: cmpl rightop, leftop The instruction performs a subtraction of its operands, discarding the result. The instruction sets flags in the machine status word register (EFLAGS) that record the results of the comparison: CF carry flag; indicates overflow for unsigned operations OF overflow flag; indicates operation caused 2's complement overflow SF sign flag; indicates operation resulted in a negative value ZF zero flag; indicates operation resulted in zero For our purposes, we will most commonly check these codes by using the various jump instructions.

20 Conditional Jump Instructions 20 The conditional jump instructions check the relevant EFLAGS flags and jump to the instruction that corresponds to the label if the flag is set: # make jump if last result was: je label # zero jne label # nonzero js label # negative jns label # nonnegative jg label # positive (signed >) jge label # nonnegative (signed >=) jl label # negative (signed <) jle label # nonnegative (signed <=) ja label # above (unsigned >) jae label # above or equal (unsigned >=) jb label # below (unsigned <) jbe label # below or equal (unsigned <=).

21 C to Assembly: if int y = 5; 21 $5, -4(%ebp) # y = 5 cmpl $0, 8(%ebp) # compare x to 0 if ( x >= 0 ) { y++; }.L2: js addl.l2 # goto.l2 if negative $1, -4(%ebp) # y++ gcc -S -m32 O0 if.c

22 C to Assembly: if else int y = 5; 22.L2:.L3: if ( x >= 0 ) y++; else y--; $5, -4(%ebp) # y = 5 cmpl $0, 8(%ebp) # compare x to 0 js.l2 # goto.l2 if negative addl $1, -4(%ebp) # y++ jmp.l3 # goto.l3 after y++ subl $1, -4(%ebp) # y-- gcc -S -m32 O0 ifelse.c

23 C to Assembly: do while int y = 0; 23.L2: $0, -4(%ebp) # y = 0 addl $1, -4(%ebp) # y++ subl $1, 8(%ebp) # x-- do { y++; x--; } while ( x > 0); cmpl $0, 8(%ebp) # compare x to 0 jg.l2 # goto.l2 if positive gcc -S -m32 O0 dowhile.c

24 C to Assembly: while Note that the compiler translated the C while loop to a logically-equivalent do-while loop. int y = 0; 24.L3:.L2: while ( x > 0 ) { $0, -4(%ebp) # y = 0 y++; x--; jmp.l2 # goto compare x to } 0 # entry test addl subl $1, -4(%ebp) # y++ $1, 8(%ebp) # x-- cmpl $0, 8(%ebp) # compare x to 0 jg.l3 # goto loop entry if positive gcc -S -m32 O0 while.c

25 Reverse Engineering: Assembly to C 25 Let's consider a short assembly function: f:.l3:.l2: pushl %ebp %esp, %ebp subl $16, %esp $1, -4(%ebp) $2, -8(%ebp) jmp.l2 imull addl -4(%ebp), %eax -8(%ebp), %eax %eax, -4(%ebp) $1, -8(%ebp) -8(%ebp), %eax cmpl 8(%ebp), %eax jle.l3-4(%ebp), %eax leave ret This is stack setup code; the compiler creates this; it is not represented in C. We're going to reconstruct an equivalent function in C. The first step will be to identify the things that do not translate to C This is cleanup and return code; it corresponds to a return statement in C.

26 Reverse Engineering: Assembly to C The next step will be to identify variables 26 f:.l3:.l2: $1, -4(%ebp) $2, -8(%ebp) jmp.l2 imull addl -4(%ebp), %eax -8(%ebp), %eax %eax, -4(%ebp) $1, -8(%ebp) -8(%ebp), %eax cmpl 8(%ebp), %eax jle.l3-4(%ebp), %eax We're going to reconstruct an equivalent function in C. The next step will be to identify variables

27 Reverse Engineering: Assembly to C Variables will be indicated by memory accesses. 27 Filtering out repeat accesses yields these assembly statements: f: cmpl $1, -4(%ebp) $2, -8(%ebp) 8(%ebp), %eax There's an access to a variable on the stack at ebp-4; this must be a local (auto) variable. Let's call it A. There's another access to a variable on the stack at ebp-8; this must also be a local (auto) variable. Let's call it B. There's an access to a variable on the stack at ebp+8; this must be a parameter passed to the function. Let's call it C.

28 Reverse Engineering: Assembly to C 28 Now we'll assume the variables are all C ints, and considering that the first two accesses are initialization statements, so far we can say the function in question looks like: f(int C) { } int A = 1; int B = 2; And another clue is the statement that stores the value of the variable we're calling A into the register eax right before the function returns. That indicates what's returned and the return type: int f(int C) { } int A = 1; int B = 2; return A;

29 Reverse Engineering: Assembly to C 29 Now, there are two jump statements, a comparison statement, and two labels, all of which indicate the presence of a loop f:.l3:.l2: jmp.l2-8(%ebp), %eax cmpl 8(%ebp), %eax jle.l3 The first jump is unconditional that looks like a C goto. So, this skips the loop body the first time through The comparison is using the parameter we're calling C (first argument) and we see that the register eax is holding the value of the variable we're calling A (second argument). Moreover, the conditional jump statement that follows the comparison causes a jump back to the label at the top of the loop, if A <= C.

30 Reverse Engineering: Assembly to C What we've just discovered is that there is a while loop: 30 f:.l3:.l2: jmp.l2-8(%ebp), %eax cmpl 8(%ebp), %eax jle.l3 int f(int C) { } int A = 1; int B = 2; while (A <= C) { } return A; The final step is to construct the body of the loop, and make sure we haven't missed anything else

31 Reverse Engineering: Assembly to C Here's what's left, including the loop boundaries for clarity: 31 f:.l3:.l2: jmp.l2 imull addl -4(%ebp), %eax -8(%ebp), %eax %eax, -4(%ebp) $1, -8(%ebp) -8(%ebp), %eax cmpl 8(%ebp), %eax jle.l3 eax = A eax = A * B A = eax = A * B B = B + 1 And that will do it

32 Reverse Engineering: Assembly to C Here's our function: int f(int C) { int A = 1; int B = 2; while (A <= C) { A = A * B; B++; } 32 } return A; So, what is it really?