1. Heterogeneous Data Structures & Alignment * heterogeneous: 不同种类的

2. Outline
Struct
Union
Alignment
Chap 3.9, 3.10

3. Group objects into a single object Each object is referenced by name
Structures P191
Group objects into a single object
Each object is referenced by name
Memory layout
All the components are stored in a contiguous region of memory
A pointer to a structure is the address of its first byte
References to structure elements
Using offsets as displacements

4. Structure P192 struct rect {
int llx; /* X coordinate of lower-left corner */
int lly; /* Y coordinate of lower-left corner */
int color; /* Coding of color */
int width; /* Width (in pixels) */
int height; /* Height (in pixels) */ };

5. Structure P192 struct rect r; r.llx = r.lly = 0; r.color = 0xFF00FF;
r.width = 10;
r.height = 20;

6. Structure P192 int area (struct rect *rp) {
return (*rp).width * (*rp).height; }
void rotate_left (struct rect *rp)
/* Exchange width and height */
int t = rp->height;
rp->height = rp->width;
rp->width = t;

7. Structure
struct rec {
int i;
int j;
int a[3];
int *p;
} *r;

8. Structure P193 Copy element r->i to element r->j:
r is in register %edx.
1 movl (%edx), %eax Get r->i
2 movl %eax, 4(%edx) Store in r->j

9. Generate the pointer &(r->a[1])
Structure P193
Generate the pointer &(r->a[1])
r in %eax,
i in %edx
1 leal 8(%eax,%edx,4),%ecx %ecx = &r->a[i]

10. r->p = &r->a[r->i + r->j];
Structure
r->p = &r->a[r->i + r->j];
r in register %edx:
1 movl 4(%edx), %eax Get r->j
2 addl (%edx), %eax Add r->i
3 leal (%edx,%eax,4), %eax Compute &r->a[r->i + r->j]
4 movl %eax, (%edx) Store in r->p

11. A single object can be referenced by using different data types
Unions P194
A single object can be referenced by using different data types
The syntax of a union declaration is identical to that for structures, but its semantics are very different
Rather than having the different fields reference different blocks of memory, they all reference the same block
*syntax: 语法
*semantic: 语义

12. Unions
struct S3 {
char c;
int i[2];
double v; };
union U3 {

13. Unions P195
The offsets of the fields, as well as the total size of data types S3 and U3, are:
Type c i v
size S3 4 12 20 U3 8

14. Unions P195 struct NODE { struct NODE *left; struct NODE *right;
double data; };
union NODE {
struct {
union NODE *left;
union NODE *right;
} internal;

15. Unions (additional tag field)
struct NODE {
int is_leaf;
union {
struct {
struct NODE *left;
struct NODE *right;
} internal;
double data;
} info; };

16. Unions P196 1 movl 8(%ebp), %eax 1 unsigned float2bit(float f) 2 {
5 unsigned u;
6 } temp;
7 temp.f = f;
8 return temp.u;
9 };
1 movl 8(%ebp), %eax

17. Unions 1 unsigned float2bit(float f) 2 { 3 union { 4 float f;
5 unsigned u;
6 } temp;
7 temp.f = f;
8 return temp.u;
9 };
1 movl 8(%ebp), %eax

18. Unions (Code generated identical to the procedure)
1 unsigned copy (unsigned u)
2 {
3 return u;
4 }
1 movl 8(%ebp), %eax

19. Alignment restrictions
Alignment P198
Alignment restrictions
The address for some type of object must be a multiple of some value k (typically 2, 4, or 8)
Simplify the hardware design of the interface between the processor and the memory system

20. Alignment
In IA32
hardware will work correctly regardless of the alignment of data
Aligned data can improve memory system performance

21. Linux alignment restriction
1-byte data types are able to have any address
2-byte data types must have an address that is multiple of 2
Any larger data types must have an address that is multiple of 4

22. Alignment is enforced by
Making sure that every data type is organized and allocated in such a way that every object within the type satisfies its alignment restrictions.
malloc()
Returns a generic pointer that is void *
Its alignment requirement is 4

23. Alignment Structure data type
may need to insert gaps in the field allocation
may need to add padding to the end of the structure
* padding: 填充

24. Alignment P199
struct S1 {
int i;
char c;
int j; };

25. Alignment P200 struct S2 { int i; int j; char c; } d[4];
xd, xd+9, xd+18, xd+27
xd, xd+12, xd+24, xd+36

26. Putting it Together

27. Outline Pointer Buffer overflow Suggested reading Declaration
referencing, deferencing
memory allocation, memory free
Buffer overflow
Suggested reading
Chap 3.11, 3.13

28. Example P202 Figure 3.26 1 struct str { /* Example Structure */
2 int t;
3 char v;
4 }; 5
6 union uni { /* Example Union */
7 int t;
8 char v;
9 } u; 10
11 int g = 15; 12

29. Example P202 Figure 3.26 13 void fun(int* xp) 14 {
15 void (*f)(int*) = fun; /* f is a function pointer */ 16
17 /* Allocate structure on stack */
18 struct str s = {1,’a’}; /* Initialize structure */ 19
20 /* Allocate union from heap */
21 union uni *up = (union uni *) malloc(sizeof(union uni)); 22
23 /* Locally declared array */
24 int *ip[2] = {xp, &g};

30. Example 26 up->v = s.v+1; 27
28 printf("ip = %p, *ip = %p, **ip = %d\n",
ip, *ip, **ip);
30 printf("ip+1 = %p, ip[1] = %p, *ip[1] = %d\n",
31 ip+1, ip[1], *ip[1]);
32 printf ("&s.v = %p, s.v = ’%c’\n", &s.v, s.v);
33 printf ("&up->v = %p, up->v = ’%c’\n", &up->v, up->v);
34 printf ("f = %p\n", f);
35 if (--(*xp) > 0)
36 f(xp); /* Recursive call of fun */
37 }

31. Example P202 Figure 3.26 38 39 int test()
40 { 41 int x = 2; 42 fun(&x); 43 return x; 44 }

32. Every pointer has a type P201
If the object has type T
A pointer to this object has type T *
Special void * type
Represents a generic pointer
malloc returns a generic pointer
Pointer Type
Object Type
Pointers
int *
int
xp, ip[0], ip[1]
union uni *
union uni up

33. Every pointer has a valuexp
ip[0]
ip[1] up
&x
&g
Address in heap

34. Pointers are created with the & operator
Applied to lvalue expression
Lvalue expression can appear on the left side of assignment
&g, &s.v, &u->v, &x

35. Pointers are dereferenced with the operator *
The result is a value having the type associated with the pointer
*ip, **ip, *ip[1], *xp
up->v

36. Arrays and pointers are closed related
The name of array can be viewed as a pointer constant
ip[0] is equivalent to *ip

37. Pointers can point to functions
void (*f)(int *)
f is a pointer to function
The function taken int * as argument
The return type of the function is void
Assignment makes f point to func
f = func
void: 空的

38. The precedence of the operators
void *f(int *) declares f is a function
(void *) f(int *)

39. Example P203
1 ip = 0xbfffefa8, *ip = 0xbfffefe4, **ip = 2 ip[0] = xp. *xp = x = 2
2 ip+1 = 0xbfffefac, ip[1] = 0x804965c, *ip[1] = 15 ip[1] = &g. g = 15
3 &s.v = 0xbfffefb4, s.v = ’a’ s in stack frame
4 &up->v = 0x , up->v = ’b’ up points to area in heap
5 f = 0x f points to code for fun
6 ip = 0xbfffef68, *ip = 0xbfffefe4, **ip = 1 ip in new frame, x = 1
7 ip+1 = 0xbfffef6c, ip[1] = 0x804965c, *ip[1] = 15 ip[1] same as before
8 &s.v = 0xbfffef74, s.v = ’a’ s in new frame
9 &up->v = 0x , up->v = ’b’ up points to new area in heap
10 f = 0x f points to code for fun

40. Pointer Declaration char **argv ; int (*daytab)[13] int (*comp)()
char (*(*x())[])()
Function returning pointer to array[ ] of pointer to function returning char
char (*(*x[3])())[5]
Array[3] of pointer to function returning pointer to array[5] of char

41. Addition and subtraction
Pointer Arithmetic
Addition and subtraction
p+i , p-i (result is a pointer)
p-q (result is a int)
Referencing & dereferencing
*p, &E
Subscription
A[i], *(A+i)

42. C operators Operators Associativity () [] -> . ++ -- left to right
! ~ * & (type) sizeof right to left
* / % left to right
left to right
<< >> left to right
< <= > >= left to right
== != left to right
& left to right
^ left to right
| left to right
&& left to right
|| left to right
?: right to left
= += -= *= /= %= &= ^= != <<= >>= right to left
, left to right
Note: Unary +, -, and * have higher precedence than binary forms

43. Parameter Passing
Call by value
f(xp)
Call by reference
f(&xp)

44. 3.13 Out-of-Bounds Memory References P206
1 /* Implementation of library function gets() */
2 char *gets(char *s)
3 {
4 int c;
5 char *dest = s;
6 while ((c = getchar()) != ’\n’ && c != EOF)
7 *dest++ = c;
8 *dest++ = ’\0’; /* Terminate String */
9 if (c == EOF)
10 return NULL;
11 return s;
12 }

45. Out-of-Bounds Memory References13
14 /* Read input line and write it back */
15 void echo()
16 {
17 char buf[4]; /* Way too small ! */
18 gets(buf);
19 puts(buf);
20 }

46. Out-of-Bounds Memory References
Stack frame
for caller
Return address
Saved %ebp
[3]
[2]
[1]
[0]
for echo
%ebp
buf

47. Out-of-Bounds Memory References
Stack frame
for caller
Return address
[7]
[6]
[5]
[4]
[3]
[2]
[1]
[0]
for echo
%ebp
buf

48. Out-of-Bounds Memory References
Stack frame
for caller
[11]
[10]
[9]
[8]
[7]
[6]
[5]
[4]
[3]
[2]
[1]
[0]
for echo
%ebp
buf

49. Buffer Overflow P208 Figure 3.29
1 /* This is very low quality code. 2 It is intended to illustrate bad programming practices 3 See Practice Problem */ 4 char *getline() 5 { 6 char buf[8]; 7 char *result; 8 gets(buf); 9 result = malloc(strlen(buf)); 10 strcpy(result, buf); 11 return(result); 12 }

50. Buffer Overflow P208 Figure 3.29
<getline>:
: push %ebp
: 89 e5 mov %esp,%ebp
: 83 ec 10 sub $0x10,%esp
a: push %esi
b: push %ebx
Diagram stack at this point
c: 83 c4 f4 add $0xfffffff4,%esp
f: 8d 5d f8 lea 0xfffffff8(%ebp),%ebx
: push %ebx
: e8 74 fe ff ff call 80483ac <_init+0x50> gets

51. Buffer Overflow P208 Practice Problem 3.24
Stack frame
for caller 08 04 86 43
Return Address

52. Buffer Overflow Stack frame for caller 08 04 86 43 bf ff fc 94 [7] [6]
[5]
[4]
[3]
[2]
[1]
[0]
%ebp
buf
Saved %esi
Saved %ebx

53. Buffer Overflow Stack frame for caller 08 04 86 00 31 30 39 38 37 3635 34 33 32
%ebp
buf
Saved %esi
Saved %ebx

54. Malicious Use of Buffer Overflow
Stack
after call to gets() B
foo stack frame
bar stack frame
exploit
code
pad
data
written by
gets()
void bar() {
char buf[64];
gets(buf);
... }
void foo(){
bar();
return
address A
Malicious:怀恶意的

55. Malicious Use of Buffer Overflow
Input string contains byte representation of executable code
Overwrite return address with address of buffer
When bar() executes ret, will jump to exploit code

56. Floating Point

57. Outline
Stack evaluation
Data movement
Set special data
Arithmetic operation
Comparison
Suggested reading: 3.14

58. IA32 Floating Point History 8086: first computer to implement IEEE FP
separate 8087 FPU (floating point unit)
486: merged FPU and Integer Unit onto one chip

59. Floating Point Formats
IA32 Floating Point
Floating Point Formats
single precision (C float): 32 bits
double precision (C double): 64 bits
extended precision (C long double): 80 bits

60. IA32 Floating Point Summary Hardware to add, multiply, and divide
Floating point data registers
Various control & status registers

61. IA32 Floating Point Instruction decoder and sequencer Integer FPU Unit
Memory

62. FPU Data Register Stack
FPU register format (extended precision) 79 78 64 63 s
exp
frac

63. FPU Data Register Stack
FPU registers
8 registers
Logically forms shallow stack
Top called %st(0)
When push too many, bottom values disappear
%st(3)
%st(2)
%st(1)
“Top”
%st(0)
stack grows down

64. Large number of floating point instructions and formats
FPU instructions
Large number of floating point instructions and formats
~50 basic instruction types
load, store, add, multiply
sin, cos, tan, arctan, and log!
Sample instructions:

65. FPU instructions P213 Figure 3.30, P216 Figure 3.31
Instruction Effect Description
fldz push Load zero
flds Addr push M[Addr] Load single precision real
fmuls Addr %st(0) <- %st(0)*M[Addr] Multiply
faddp %st(1) <- %st(0)+%st(1); Add and pop
pop

66. IA32 Floating Point float ipf (float x[], float y[], int n) { int i;
float result = 0.0;
for (i = 0; i < n; i++) {
result += x[i] * y[i]; }
return result;

67. pushl %ebp # setup
movl %esp,%ebp
pushl %ebx
movl 8(%ebp),%ebx # %ebx=&x
movl 12(%ebp),%ecx # %ecx=&y
movl 16(%ebp),%edx # %edx=n
fldz # push +0.0
xorl %eax,%eax # i=0
cmpl %edx,%eax # if i>=n done
jge .L3
.L5:
flds (%ebx,%eax,4) # push x[i]
fmuls (%ecx,%eax,4) # st(0)*=y[i]
faddp # st(1)+=st(0); pop
incl %eax # i++
cmpl %edx,%eax # if i<n repeat
jl .L5
.L3:
movl -4(%ebp),%ebx # finish
movl %ebp, %esp
popl %ebp
ret # st(0) = result

68. Inner Product Stack Trace
1. fldz
0.0
%st(0)
2. flds (%ebx,%eax,4)
%st(1)
x[0]
3. fmuls (%ecx,%eax,4)
x[0]*y[0]
4. faddp
0.0+x[0]*y[0]
5. flds (%ebx,%eax,4)
x[1]
6. fmuls (%ecx,%eax,4)
x[1]*y[1]
7. faddp
x[0]*y[0]+x[1]*y[1]
Initialization
Iteration 0
Iteration 1

69. Load Instructions P216 Figure 3.31
Source format
Source location
flds Addr
Single
Mem4[Addr]
fldl Addr
Double
Mem8[Addr]
fldt Addr
Extended
Mem10[Addr]
fildl Addr
Integer
fld %st(i)
extended
%st(i)

70. Store Instructions P216 Figure 3.32
Pop(Y/N)
destination format
destination location
fsts Addr N
Single
Mem4[Addr]
fstps Addr Y
fstl Addr
Double
Mem8[Addr]
fstpl Addr
fstt Addr
Extended
Mem10[Addr]
fstpt Addr
fistl Addr
Integer
fistpl Addr
fst %st(i)
extended
%st(i)
fstp %st(i)

71. Arithmetic Instructions P218 Figure 3.33

72. Arithmetic Instructions P218 Figure 3.34

73. Comparison Instructions P222 Figure 3.35

74. Comparison Instructions P222 Figure 3.36
fnstsw %ax
andb $69, %ah
69=0X45

75. Arithmetic Instructions P223
1 int less (double x, double y)
2 {
3 return x < y;
4 }

76. Arithmetic Instructions P223
1 fldl 16(%ebp) Push y
2 fcompl 8(%ebp) Compare y:x
3 fnstsw %ax Store floating point status word in %ax
4 andb $69, %ah Mask all but bits 0, 2, and 6
5 sete %al Test for comparison outcome of 0 (>)
6 movzbl %al, %eax Copy low order byte to result,
and set rest to 0