Machine-level Representation of Programs Jin-Soo Kim (jinsookim@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu
Program? 짬뽕라면 준비시간 :10 분, 조리시간 :10 분 재료라면 1개, 스프 1봉지, 오징어 1/4마리, 호박 1/4개, 양파 1/2개, 양배추 1장, 당근 1/4개, 물 3컵 (600cc) Data 만드는법 1. 오징어는껍질을벗기고깨끗하게씻어칼집으로모양을낸다. 2. 호박, 양파, 양배추는모두채썬다. 3. 냄비에물 3컵을붓고끓인다. 4. 물이끓으면스프를넣고오징어와야채를넣어충분히맛이우러나도록 5분정도끓여준다. 5. 끓으면면을넣어익힌다. Instructions Source: http://user.chol.com/~yugenie/yo/jjambong.html 2
Introduction (1) Computer system CPU Processing unit Address Data Instruction Memory Storage unit Data movement Arithmetic & logical ops Control transfer Byte addressable array Program code + data OS code + data,... 3
Introduction (2) CPU (Central Processing Unit) PC (Program Counter) Address of next instruction Called EIP (IA-32) or RIP (x86-64) Register File Heavily used program data Condition codes Store status information about most recent arithmetic operation Used for conditional branching Cond. Codes PC ALU Register File 4
Introduction (3) Instruction Set Architecture (ISA) An important part of Architecture Above: how to program machine Processors execute instructions in sequence Below: what needs to be built Use variety of tricks to make it run fast Instruction set Processor registers Memory addressing modes Data types and representations... Application Program Compiler ISA OS CPU Design Circuit Design Chip Layout 5
Turning C into Object code gcc O p1.c p2.c o p Use optimizations (-O) Put resulting binary in file p text C program (p1.c p2.c) Compiler (gcc -S) text Asm program (p1.s p2.s) Assembler (gcc or as) binary binary Object program (p1.o p2.o) Linker (gcc or ld) Executable program (p) Static libraries (.a) 6
Compiling into Assembly gcc O S sum.c sum.c int sum(int x, int y) { int t = x + y; return t; } Some compilers use single instruction leave sum.s _sum: pushl %ebp movl %esp,%ebp movl 12(%ebp),%eax addl 8(%ebp),%eax movl %ebp,%esp popl %ebp ret 0x401040 <sum>: 0x55 0x89 0xe5 0x8b 0x45 0x0c 0x03 0x45 0x08 0x89 0xec 0x5d 0xc3 7
Object Code Assembler Translates.s into.o Binary encoding of each instruction Nearly-complete image of executable code Missing linkages between code in different files Linker Resolves references between files Combines with static run-time libraries e.g., code for malloc(), printf(), etc. Some libraries are dynamically linked Linking occurs when program begins execution. 0x401040 <sum>: 0x55 0x89 0xe5 0x8b 0x45 0x0c 0x03 0x45 0x08 0x89 0xec 0x5d 0xc3 - Total of 13 bytes - Each instruction 1, 2, or 3 bytes - Starts at address 0x401040 8
Machine Code Example C code Add two signed integers Assembly Add two 4-byte integers Long words in GCC parlance Same instruction whether signed or unsigned Operands x: Register %eax y: Memory M[%ebp+8] t: Register %eax Object code 3-byte instruction Stored at address 0x401046 int t = x + y; addl 8(%ebp),%eax 0x401046: 03 45 08 9
Disassembling (1) Disassembler: objdump d sum Useful tool for examining object code Analyzes bit pattern of series of instructions Produces approximate rendition of assembly code Can be run on either a.out (complete executable) or.o (object code) file. 00401040 <_sum>: 0: 55 push %ebp 1: 89 e5 mov %esp,%ebp 3: 8b 45 0c mov 0xc(%ebp),%eax 6: 03 45 08 add 0x8(%ebp),%eax 9: 89 ec mov %ebp,%esp b: 5d pop %ebp c: c3 ret 10
Disassembling (2) Using gdb (GNU debugger) $ gdb sum (gdb) disassemble sum Dump of assembler code for function sum: 0x401040 <sum>: push %ebp 0x401041 <sum+1>: mov %esp,%ebp 0x401043 <sum+3>: mov 0xc(%ebp),%eax 0x401046 <sum+6>: add 0x8(%ebp),%eax 0x401049 <sum+9>: mov %ebp,%esp 0x40104b <sum+11>: pop %ebp 0x40104c <sum+12>: ret $ gdb sum (gdb) x/13b sum 0x401040: 0x55 0x89 0xe5 0x8b 0x45 0x0c 0x03 0x45 0x08 0x89 0xec 0x5d 0xc3 Disassemble procedure, sum Examine 13 bytes starting at sum 11
Introduction to IA-32
IA-32 Processors Evolutionary design Starting in 1978 with 8086 Added more features as time goes on Still support old features, although obsolete Totally dominate computer market Complex Instruction Set Computer (CISC) Many different instructions with many different formats Hard to match performance of Reduced Instruction Set Computers (RISC) But, Intel has done just that! 13
IA-32 History Evolution with backward compatibility 1978 8086 x86 is born 1980 8087 x87 is born 1985 80386 IA-32 1995 Pentium Pro PAE 1997 Pentium MMX MMX 1999 Pentium III SSE 2000 Pentium 4 SSE2 2004 Pentium 4 Prescott SSE3, Intel 64 2005 Pentium 4 662 Intel VT 2006 Core 2 SSSE3 2008 Core 2 Penryn SSE4.1 2008 Core i7 SSE4.2 14
Basic Execution Environment Application Programming Registers General-purpose registers 31 0 EAX AH AL EBX BH BL ECX CH CL EDX DH DL EBP ESI EDI ESP BP SI DI SP Segment registers 15 0 CS DS SS ES FS GS seg. selector seg. selector seg. selector seg. selector seg. selector seg. selector 31 CR0 CR1 CR2 CR3 CR4 Control registers 0 31 EIP 0 GDTR 47 System Table Registers 16 15 linear base address table limit 0 System Segment Registers 15 0 TR seg. selector EFLAGS IDTR linear base address table limit LDTR seg. selector 15
General-Purpose Registers EAX, EBX, ECX, EDX, ESI, EDI, ESP, EBP Some instructions assume that pointers in certain registers are relative to specific segments. Many instructions assign specific registers to hold operands EAX: Accumulator for operands and results data EBX: Pointer to data in the DS segment ECX: Counter for string and loop operations EDX: I/O pointer ESI: Pointer to data in the segment pointed to by the DS register; Source pointer for string operations EDI: Pointer to data in the segment pointed to by the ES register; Destination pointer for string operations ESP: Stack pointer (in the SS segment) EBP: Pointer to data on the stack (in the SS segment) 16
EFLAGS Register (1) 17
EFLAGS Register (2) Status flags CF (Carry): set if an arithmetic operation generates a carry or a borrow; indicates an overflow condition for unsigned-integer arithmetic. PF (Parity): set if the least-significant byte of the result contains an even number of 1 bits AF (Adjust): set if an arithmetic operation generates a carry or a borrow out of bit 3 of the result; used in binary-coded decimal (BCD) arithmetic ZF (Zero): set if the result is zero SF (Sign): set equal to the most-significant bit of the result OF (Overflow): set if the integer result is too large a positive number or too small a negative number to fit in the destination operand; indicates an overflow condition for signed-integer arithmetic. DF (Direction): setting the DF causes the string instructions to autodecrement; set and cleared by STD/CLD instructions 18
Instruction Pointer EIP Register Contains the offset in the current code segment for the next instruction to be executed. Advanced from one instruction boundary to the next in straightline code, or Moved ahead or backwards by instructions such as JMP, Jcc, CALL, RET, and IRET. Cannot be accessed directly by software EIP is controlled implicitly by control transfer instructions, interrupts, and exceptions Because of instruction prefetching, an instruction address read from the bus does not match the value in the EIP register. 19
Assembly Characteristics (1) Minimal data types Integer data of 1, 2, 4, or 8 bytes Data values Addresses (untyped pointers) Floating point data of 4, 8, or 10 bytes No aggregate types such as arrays or structures Just contiguously allocated bytes in memory (cf.) In IA-32, a word means 16-bit data 20
Assembly Characteristics (2) Primitive operations Perform an arithmetic/logical function on register or memory data Transfer data between memory and register Load data from memory into register Store register data into memory Transfer control Unconditional jumps Conditional branches Procedure calls and returns 21
IA-32 Reference Intel 64 and IA-32 Architectures Software Developer s Manual Volume 1: Basic Architecture Volume 2A, 2B: Instruction Set Reference Volume 3A, 3B: System Programming Guide Available online: http://www.intel.com/products/processor/manuals/ index.htm 22