Chapter 3 Machine-Level Representation of Programs Guobao Jiang 11210240049@fudan.edu.cn
Problem 3.1 (P138) Assume the following values are stored at the indicated memory addresses and registers: Fill in the following table showing the values for the indicated operands: Address Value 0x100 0xFF 0x104 0xAB 0x108 0x13 0x10C 0x11 Register Value %eax 0x100 %ecx 0x1 %edx 0x3 2018/9/18
M[Imm + R[Eb] + R[Ei]*S] Address Value 0x100 0xFF 0x104 0xAB 0x108 0x13 0x10C 0x11 Register Value %eax 0x100 %ecx 0x1 %edx 0x3 Imm(Eb, Ei, S) M[Imm + R[Eb] + R[Ei]*S] Operand Value %eax 0x104 $0x108 (%eax) 4(%eax) 9(%eax, %edx) 260(%ecx, %edx) 0xFC(, %ecx, 4) (%eax, %edx, 4) 0x100 Register 0xAB Absolute address 0x108 Immediate 0xFF Address 0x100 0xAB Address 0x104 0x11 Address 0x10C 0x13 Address 0x108 0xFF Address 0x100 0x11 Address 0x10C 2018/9/18
Problem 3.2 (P142) You are given the following information. A function with prototype void decode1(int *xp, int *yp, int *zp) is compiled into assembly code. The body of the code is as follows: … Parameters xp, yp and zp are stored at memory locations with offsets 8, 12, and 16, respectively, relative to the address in register %ebp 2018/9/18
Problem 3.2+ 1 movl 8(%ebp), %edi 2 movl 12(%ebp), %ebx int x = *xp; int y = *yp; int z = *zp; *yp = x; *zp = y; *xp = z; 1 movl 8(%ebp), %edi 2 movl 12(%ebp), %ebx 3 movl 16(%ebp), %esi 4 movl (%edi), %eax 5 movl (%ebx), %edx 6 movl (%esi), %ecx 7 movl %eax, (%ebx) 8 movl %edx, (%esi) 9 movl %ecx, (%edi) Write C code for decode1 that will have an effect equivalent to the assembly code above. 2018/9/18
Problem 3.3 (143) Suppose register %eax holds values x and %ecx holds value y. Fill the table … Expression Result leal 6(%eax), %edx leal (%eax, %ecx), %edx leal (%eax, %ecx, 4), %edx leal 7(%eax, %eax ,8), %edx leal 0xA (, %ecx, 4), %edx leal 9(%eax, %ecx, 2), %edx 6 + x x + y x + 4y 7 + 9x 10 + 4y 9 + x + 2y 2018/9/18
Problem 3.4 (P145) Assume the following values are stored at the indicated memory addresses and registers: Fill in the following table showing the effects of the following instructions … Address Value 0x100 0xFF 0x104 0xAB 0x108 0x13 0x10C 0x11 Register Value %eax 0x100 %ecx 0x1 %edx 0x3 2018/9/18
Instruction Destination Value addl %ecx, (%eax) subl %edx, 4(%eax) Address Value 0x100 0xFF 0x104 0xAB 0x108 0x13 0x10C 0x11 Register Value %eax 0x100 %ecx 0x1 %edx 0x3 Instruction Destination Value addl %ecx, (%eax) subl %edx, 4(%eax) imull $16, (%eax, %edx, 4) incl 8(%eax) decl %ecx subl %edx, %eax 0x11 * 16(dec)= (16+1) * 16 = 256 + 16 = 0x 110 0x100 0x100 0x104 0xA8 0x10C 0x110 0x108 0x14 %ecx 0x0 %eax 0xFD 2018/9/18
Problem 3.5 (P145) Suppose we want to generate assembly code for the following C Function: int shift_left2_rightn(int x, int n) { x <<= 2; x >>= n; return x; } 2018/9/18
Problem 3.5+ Parameters x and n are stored at memory locations with offsets 8 and 12, respectively, relative to the address in register %ebp. 1 movl 12(%ebp), %ecx Get n 2 movl 8(%ebp), %eax Get x 3 ______________ x <<= 2 4 ______________ x >>= n Note: the right shift should be performed arithmetically. %ecx ? Shifts amounts between 0 and 31 are allowed sall $2, %eax subl %cl, %eax 2018/9/18
Problem 3.6 (P147) In the compilation of the loop for (i = 0; i < n; i++) v += i; we find the following assembly code line: xorl %edx, %edx Explain why this instruction would be there, even though there are no EXCLUSIVE-OR operators in our C code. What operation in the C program does this instruction implement ? To set register %edx to 0, exploiting the program that x^x =0 for any x. It corresponds to the C statement i = 0. 2018/9/18
Problem 3.7 (P151) < < unsigned short >= short char != char In the following C code, we have replaced some of the comparison operators with “__” and omitted the data types in the casts. char ctest(in a, int b, int c) { char t1 = a ___ b; char t2 = b ___( ) a; char t3 = ( ) c __ ( )a; char t4 = ( ) a __ ( )c; char t5 = c ____ b; char t6 = a _____ 0; return t1 + t2 + t3 + t4 + t5 + t6 ; } cmpl %ecx, %esi setl %al cmpl %ecx, %esi setb -1(%ebp) cmpw %cx, 16(%ebp) setge -2(%ebp) movb %cl, %dl < < unsigned short >= short char != char > > 2018/9/18
Problem 3.8 (P155) In the following excerpts from a disassembled binary, some of the information has been replaced by x’s. Answer the following questions: A. What is the target of the jbe instruction below? 8048d1c: 76 da jbe xxxxxxx 8048d1e: eb 24 jmp 8048d44 8048dle +da 8048df8 2018/9/18
Problem 3.8+ 80489D2 B. What is the address of the mov instruction ? xxxxxxx: eb 54 jmp 8048d44 xxxxxxx: c7 45 f8 10 00 mov $0x10, 0xfffffff8 (%ebp) C. In the code that follows, the jump target is encoded in PC-relative form as a 4-byte, two’s complement number. The bytes are listed from least significant to most, reflecting the little-endian byte ordering of IA32. What is the address of the jump target ? 8048902: e9 cb 00 00 00 jmp xxxxxxx 8048907: 90 nop 8048CF0 8048907 +cb 80489d2 80489D2 2018/9/18
Problem 3.8++ D. Explain the relation between the annotation on the right and the byte coding on the left. Both lines are part of the encoding of the jmp instruction. 80483f0: ff 25 e0 a2 04 jmp *0x804a2e0 80483f5: 08 Answer: An indirect jump is denoted by instruction code ff 25. The address from which the jump target is to be read is encoded explicitly by the following 4 bytes. Since the machine is little endian, these are given in reverse order as e0 a2 04 08 2018/9/18
Problem 3.9 (P157) When given the C code void cond(int a, int *p) { if (p && a > 0) *p += a; } GCC generates the following assembly code: 2018/9/18
A. Write a goto vision in C that … 1 movl 8(%ebp), %edx 2 movl 12(%ebp), %eax 3 testl %eax, %eax 4 je .L3 5 testl %edx, %edx 6 jle .L3 7 addl %edx, (%eax) 8 .L3: A. Write a goto vision in C that … B. Explain why the assembly code contains two conditional branches, even though the C code has only one if statement. void cond (int a, int *p){ if (p == 0) goto done; if (a <= 0) *p += a; done: } The first conditional branch is part of the implementation of the || expression. If the test for p being nonnull fails, the code will skip the test of a > 0 2018/9/18
Problem 3.10 (P160) For the C code int dw_loop(int x, int y, int n) { do { x += n; y *= n; n--; } while ((n > 0) & (y < n)); return x; } GCC generates the following assembly code: 2018/9/18
1 movl 8(%ebp), %esi 2 movl 12(%ebp), %ebx 3 movl 16 (%ebp), %ecx put x in %esi 1 movl 8(%ebp), %esi 2 movl 12(%ebp), %ebx 3 movl 16 (%ebp), %ecx 4 .p2align 4, ,7 5 .L6 loop: 6 imull %ecx, %ebx 7 addl %ecx, %esi 8 decl %ecx 9 testl %ecx, %ecx 10 setg %al 11 cmpl %ecx, %ebx 12 setl %dl 13 andl %edx, %eax 14 testb $1, %al 15 jne .L6 put y in %ebx put n in %ecx y * = n Register usage Register Variable Initially %esi %ebx %ecx x y n x + = n n-- test n n > 0 compare y:n y < n (n > 0) & (y < n)z test least significant bit if !=0, goto loop 2018/9/18
Problem 3.11 (P163) For the following C code: int loop_while (int a, int b) { int i = 0; int result = a; while (i < 256){ result += a; a -= b; i += b; } return result; GCC generates the following assembly code: 2018/9/18
int loop_while_goto(int a, int b){ int i=0; int result =a; loop: result += a; a -= b; i + =b; if (i <= 255) goto loop: return result } put a in %eax movl 8(%ebp), %eax movl 12(%ebp), %ebx xorl %ecx, %ecx movl %eax, %edx .p2align 4, , 7 .L5: loop: addl %eax, %edx subl %ebx, %eax addl %ebx, %ecx cmpl $255, %ecx jle .L5 put b in %ebx i= 0 result = a result += a a -= b Register usage Register Variable Initially %eax %ebx %ecx %edx a b i result i += b compare i:255 if <= goto loop 2018/9/18
Problem 3.12 (P165) Consider the following assembly code: movl 8(%ebp), %ebx movl 16(%ebp), %edx xorl %eax, %eax decl %edx js .L4 movl %ebx, %ecx imull 12(%ebp), %ecx .p2align 4, ,4 .L6: addl %ecx, %eax subl %ebx, %edx jns .L6 .L4: 2018/9/18
int loop(int x, int y, int n){ int result = 0; int i; for (i = ___; i___; i = ___){ result += ___; } return result; Which registers hold program values result and i ? What is the initial value of i ? What is the test condition on i ? How does i get updated? The C expression describing how to increment result in the loop body does not change value from one iteration of the loop to the next. The compiler detected this and moved its computation to before the loop. What is the expression? n-1 >= 0 i - x y * x %eax %edx n-1 i to be nonnegative instruction 4: decl %edx 1,6,7 cause x*y to be stored in register %ecx 2018/9/18
Problem 3.13 (P169) In the C code, the case labels did not span a contiguous range, and some cases had multiple labels. int switch2(int x){ int result =0; switch (x){ /*Body of switch statement omitted*/ } return result; 2018/9/18
setting up jump table access 3 .long .L10 Jump table for switch2 1 .L11: 2 .long .L4 setting up jump table access 3 .long .L10 1 movl 8(%ebp), %eax 4 .long .L5 2 addl $2, %eax 5 .long .L6 3 cmpl $6, %eax 6 .long .L8 4 ja .L10 7 .long .L8 5 jmp *.L11 (, %eax, 4) 8 .long .L9 Use the foregoing information to answer the following questions: What were the values of the case labels in the switch statement body ? What cases had multiple labels in the C code ? -2 0 1 2 3 4 In jump table line 6 and 7 have the save destination. These correspond to case labels 2 and 3. 2018/9/18
Problem 3.14 (P172) The following code fragment occurs often in the compiled vision of library routines: 1 call next 2 next: 3 popl %eax To what value does register %eax get set? Explain why there is no matching ret instruction to this call. What useful purpose does this code fragment serve? %eax is set to the address of the popl instruction. Not true subroutine all, since the control flows the same ordering as the instructions and the return address is popped from the stack. This is the only way in IA32 to get the value of the program counter into an integer register. 2018/9/18
Problem 3.15 (P174) Registers %edi, %esi, and %ebx are callee save. The procedure must save them on the stack before altering their values and restore them before returning. The other three registers are caller save. They can be altered with out affecting the behavior of the caller 1 pushl %edi 2 pushl %esi 3 pushl %ebx 4 movl 24(%ebp), %eax 5 imull 16(%ebp), %eax 6 movl 24(%ebp), %ebx 7 leal 0(,%eax,4), %ecx 8 addl 8(%ebp), %ecx 9 Movl %ebx, %edx Explain this apparent inconsistency in the saving and restoring of register states ? 2018/9/18
Problem 3.16 (P177) Given the C function 1 int proc(void) 2 { 2 { 3 int x, y; 4 scanf(“%x %x”, &y, &x); 5 return x - y; 6 } GCC generates the following assembly code: 2018/9/18
Register Value %esp %ebp 0x800040 0x800060 proc: push1 %ebp movl %esp, %ebp subl $24, %esp addl $-4, %esp leal -4(%ebp), %eax pushl %eax leal -8(%ebp), %eax pushl $.LC0 pointer to string “%x %x” call scanf movl -8(%ebp), %eax movl -4(%ebp), %edx subl %eax, %edx movl %edx, %eax movl %ebp, %esp popl %ebp ret Assume that procedure proc starts executing with the following register values: Register Value %esp %ebp 0x800040 0x800060 2018/9/18
A. What value does %ebp get set to on line 3 ? Suppose proc calls scanf (line 11), and that scanf reads values 0x46 and 0x53 from the standard input. Assume that the string “%x %x” is stored at memory location 0x300070 A. What value does %ebp get set to on line 3 ? B. At what addresses are local variables x and y? C. What is the value of %esp after line 10 ? D. Draw a diagram of the stack frame for proc right after scanf returns. Include as much information as you can about the addresses and the contents of the stack frame elements. E. Indicate the regions of the stack frame that are not used by proc (these wasted areas are allocated to improve the cache performance). 2018/9/18
Register Value %esp %ebp 0x800040 0x800060 A. What value does %ebp get set to on line 3 ? proc: push1 %ebp movl %esp, %ebp subl $24, %esp addl $-4, %esp leal -4(%ebp), %eax pushl %eax leal -8(%ebp), %eax pushl $.LC0 pointer to string “%x %x” call scanf movl -8(%ebp), %eax movl -4(%ebp), %edx subl %eax, %edx movl %edx, %eax movl %ebp, %esp popl %ebp ret Assume that procedure proc starts executing with the following register values: 0x800040 C. What is the value of %esp after line 10 ? 0x800014 B. At what addresses are local variables x and y stored ? X :0x800038 %edx Y : 0x800034 %eax Register Value %esp %ebp 0x800040 0x800060 2018/9/18
0x80003C 0x800038 0x800034 0x800030 0x80002C 0x800028 0x800024 0x800020 0x80001C 0x800018 0x800014 0x800060 0x53 0x46 0x800038 0x800034 0x300070 %ebp x y %esp 2018/9/18
Q&A ? Thank you! 2018/9/18