Post on 23-Jun-2015
CSE 2421Autumn 2013
S. Preston
2
Y86 programmer-visible state
• The Y86 has: • 8 32-bit registers with the same names as the IA32 32-bit
registers • 3 condition codes: ZF, SF, OF
• no carry flag - interpret integers as signed• a program counter (PC)
• Holds the address of the instruction currently being executed• a program status byte: AOK, HLT, ADR, INS
• State of program execution• memory: up to 4 GB to hold program and data (4096 = 2^12)
%eax
%ecx
%edx
%ebx
%esi
%edi
%esp
%ebp
RF: Program registers
ZF SF OF
CC: Condition codes
PCDMEM: Memory
Stat: Program Status
Condition Codes
• 3 condition codes in y86• ZF – Set if the result of the last arithmetic
operation is 0• SF – Set if the result of the last arithmetic
operation resulted in the sign bit being set• OF – Set if the result of the last arithmetic
operation resulted in an overflow
Conditions
• FLAGS: Zero, Sign, Overflow• Less or Equal
• Z = 1, S = 1, O = X• Less
• Z = 0, S = 1, O = X• Equal
• Z = 1, S = 0, O = X• Not Equal
• Z = 0, S = X, O = X• Greater or Equal
• Z = 1, S = 0, O = X• Greater
• Z = 0, S = 0, O = X
5
Simple Addressing Modes• Normal = (R) = Mem[Reg[R]]
• Register Reg specifies memory address • denoted by a register in ( )• Example
ecx = 0x00000120
movl (%ecx),%eax
move the value that is at the address in ecx into eaxMoves 0x11223344 into eax
addr value
0x120
0x11
0x121
0x22
0x122
0x33
0x123
0x44
6
Simple Addressing Modes
• Displacement = D(R) = Mem[Reg[R]+D]• Register R specifies start of memory address• Constant displacement D specifies offset
• In bytes•Denoted by displacement(register)ebp = 0x120 movl 2(%ebp),%edxmove the value at ebp (0x120) + 2 into edx
loads 0x33445566 into edx
addr value
0x120
0x11
0x121
0x22
0x122
0x33
0x123
0x44
0x124
0x55
0x125
0x66
7
Y86 example program w/ loop
# y86loop.ys.pos 0x0 irmovl $0,%eax # sum = 0 irmovl $1,%ecx # num = 1Loop: addl %ecx,%eax # sum += num irmovl $1,%edx # tmp = 1 addl %edx,%ecx # num++ irmovl $1000,%edx # lim = 1000 subl %ecx,%edx # if lim - num >= 0 jge Loop # loop again halt
CONVERT TO Csum=0;num = 1;do { sum += num; num++;}while (1000 – num >= 0)
8
Y86 example program w/ loop
# y86loop.ys.pos 0x0 irmovl $0,%eax # sum = 0 irmovl $1,%ecx # num = 1Loop: addl %ecx,%eax # sum += num irmovl $1,%edx # tmp = 1 addl %edx,%ecx # num++ irmovl $1000,%edx # lim = 1000 subl %ecx,%edx # if lim - num >= 0 jge Loop # loop again halt
Why don’t we just do addl $1, %edx??
Cant! not allowed, only register to register
CONVERT TO Csum=0;num = 1;do { sum += num; num++;}while (1000 – num >= 0)
Y86 Stack
• Stack top address always held in esp
• Stack grows towards lower addresses
%esp
•
•
•
IncreasingAddresses
Stack “Bottom”
Stack “Top”
Y86 Stack - Push
• Pushing• Decrement the stack register by
4 then store new data
//(1)esp = 0x120movl 0xFECA8712, %eaxpush %eax//(1)esp = 0x11C
addr value
0x11B
0x11C
0x11D
0x11E
0x11F
0x120
0x11
0x121
0x22
0x122
0x33
(1) (2)
addr value
0x11B
0x11C
0x12
0x11D
0x87
0x11E
0xCA
0x11F
0xFE
0x120
0x11
0x121
0x22
0x122
0x33
Y86 Stack - Pop
• Pushing• Save new data on stack,
Increment the stack register by 4
//(1) esp = 0x11Cpop eax//(2) esp = 0x120//eax = 0xFECA8712
addr value
0x11B
0x11C
0x12
0x11D
0x87
0x11E
0xCA
0x11F
0xFE
0x120
0x11
0x121
0x22
0x122
0x33
(1) (2)
addr value
0x11B
0x11C
0x11D
0x11E
0x11F
0x120
0x11
0x121
0x22
0x122
0x33
Stack Example 2
==PUSH==subl $4, %espmovl %ebp, (%esp)
==POP===movl (%esp), %eaxaddl $4, %esp
13
Y86 Instruction Set
Fetch Cycle
16
Executing rmmovl
• Fetch• Read 6 bytes
• Decode• Read operand
registers• Execute
• Compute effective address
• Memory• Write to memory
• Write back• Do nothing
• PC Update• Increment PC by 6
17
Executing Arithmetic/Logical Ops
• Fetch• Read 2 bytes
• Decode• Read operand registers
• Execute• Perform operation• Set condition codes
• Memory• Do nothing
• Write back• Update register
• PC Update• Increment PC by 2
18
Executing popl
• Fetch• Read 2 bytes
• Decode• Read stack pointer
• Execute• Increment stack
pointer by 4• Memory
• Read from old stack pointer
• Write back• Update stack pointer• Write result to
register• PC Update
• Increment PC by 2
19
Jumps
• Fetch• Read 5 bytes• Increment PC by 5
• Decode• Do nothing
• Execute• Determine whether to take
branch based on jump condition and condition codes
• Memory• Do nothing
• Write back• Do nothing
• PC Update• Set PC to Dest if branch
taken or to incremented PC if not branch
20
Executing Call
• Fetch• Read 5 bytes• Increment PC by 5
• Decode• Read stack pointer
• Execute• Decrement stack pointer
by 4• Memory
• Write incremented PC to new value of stack pointer
• Write back• Update stack pointer
• PC Update• Set PC to Dest
21
Executing ret
• Fetch• Read 1 bytes• Increment PC by 1
• Decode• Read stack pointer
• Execute• Decrement stack pointer
by 4• Memory
• Write incremented PC to new value of stack pointer
• Write back• Update stack pointer
• PC Update• Set PC to Dest
23
Instruction encoding practice
• Determine the byte encoding of the following Y86 instruction sequence given “.pos 0x100” specifies the starting address of the object code to be 0x100 (practice problem 4.1)
.pos 0x100 # start code at address 0x100 irmovl $15, %ebx #load 15 into %ebx rrmovl %ebx, %ecx #copy 15 to %ecxloop:
rmmovl %ecx, -3(%ebx)#save %ecx at addr 15-3=12
addl %ebx, %ecx #increment %ecx by 15 jmp loop # goto loop
Instruction encoding practice
0x100: 30f30f000000 //irmovl $15, %ebxrrmovl %ebx, %ecxrmmovl %ecx, -3(%ebx)loop:addl %ebx, %ecxjmp loop
Instruction encoding practice
0x100: 30f30f000000 //irmovl $15, %ebx0x106: 2031 //rrmovl %ebx, %ecxloop:rmmovl %ecx, -3(%ebx)addl %ebx, %ecxjmp loop
Instruction encoding practice
0x100: 30f30f000000 //irmovl $15, %ebx0x106: 2031 //rrmovl %ebx, %ecxloop:0x108: 4013fdffffff //rmmovl %ecx, -3(%ebx)addl %ebx, %ecxjmp loop
Instruction encoding practice
0x100: 30f30f000000 //irmovl $15, %ebx0x106: 2031 //rrmovl %ebx, %ecxloop:0x108: 4013fdffffff //rmmovl %ecx, -3(%ebx)0x10e: 6031 //addl %ebx, %ecxjmp loop
Instruction encoding practice
0x100: 30f30f000000 //irmovl $15, %ebx0x106: 2031 //rrmovl %ebx, %ecxloop:0x108: 4013fdffffff //rmmovl %ecx, -3(%ebx)0x10e: 6031 //addl %ebx, %ecx0x110: 708010000 //jmp loop
29
Instruction encoding practice (cont)
What about disassembling?
0x200: a06f80080200000030f30a000000900x400: 6113730004000000
30
Instruction encoding practice (cont)
What about disassembling?
0x200: a06f push %esi0x202: 80080200000030f30a000000900x400: 6113730004000000
31
Instruction encoding practice (cont)
What about disassembling?
0x200: a06f pop %esi0x202: 8008020000 call 0x2080x208: 30f30a000000900x400: 6113730004000000
32
Instruction encoding practice (cont)
What about disassembling?
0x200: a06f pop %esi0x202: 800802000000 call 0x2080x208: 30f30a000000 irmovl $a0, %ebx0x20F: 900x400: 6113730004000000
33
Instruction encoding practice (cont)
What about disassembling?
0x200: a06f pop %esi0x202: 800802000000 call 0x2080x208: 30f30a000000 irmovl $a0, %ebx0x20F: 90 ret0x400: 6113730004000000
34
Instruction encoding practice (cont)
What about disassembling?
0x200: a06f pop %esi0x202: 800802000000 call 0x2080x208: 30f30a000000 irmovl $a0, %ebx0x20F: 90 ret0x400: 6113 subl %ecx, %ebx0x402: 730004000000
35
Instruction encoding practice (cont)
What about disassembling?
0x200: a06f pop %esi0x202: 800802000000 call 0x2080x208: 30f30a000000 irmovl $a0, %ebx0x20F: 90 ret0x400: 6113 subl %ecx, %ebx0x402: 73004000000 je 0x400
36
Y86
int Sum(int *Start, int Count){ int sum = 0; while (Count) {
sum += *Start;Start++;Count--;
}}
x86
• 8 32 bit registers• General Purpose Registers
• eax• ebx• ecx• edx• esi• edi
• Stack Register• esp
• Base Register• ebp
x86 - Registers
x86 Registers
• eax, ebx, ecx, edx• Registers can be accessed in parts• Rrx – Referes to the 64 bit register• erx – Refers to 32 bit register• rx – Referes to the lower 16 bits of erx• rh – Refers to the top 8 bits of the rx bit
register• rl – Refers to the lower 8 bits of the rx
register
Condition Flags
• CF – Carry – Last arithmetic resulted in a carry
• PF – Parity – Last arithmetic/logical operation results in even parity (even number of 1’s)
• ZF – Zero – Last arithmetic/logical operation resulted in a zero
• SF – Sign – Last arithmetic operation resulted in the sign bit being set
• OF – Overflow – Last arithmetic resulted in an overflow
Condition Flags
• AF – Adjust – Last arithmetic results in a carry out of the lowest 4 bits (Used for BCD arithmetic)
• TF – Trap – Enables CPU single step mode – Used for debugging
• IF – Interrupt Enable – Enables cpu to handle system interrupts
• DF – Direction – Sets the direction of string processing from R->L
Verbiage
• Opcode operand1, operand2
• operand1 and/or operand2 are not always required, depending on the opcode
• mov eax, ebx• Opcode – mov• operand1 – eax• operand2 - ebx
43
Operand Specifiers
• Source operand• Constants, registers, or memory
• Destination operand• Registers or memory
• Cannot do Memory-Memory transfer with a single instruction
• 3 types of operands• Immediate• Register • Memory
44
IA32 – Intel Architecture
• 32-bit address bus• normal physical address space of 4 GBytes (232
bytes)• addresses ranging continuously from 0 to
0xFFFFFFFF• Data formats
• Primitive data types of C• Single letter suffix
• denotes size of operand• No aggregate types
• Arrays, structures
C Declaration Suffix Size
char B 8 bits
short W or S 16 bits
int L 32 bits
* (pointer) L 32 bits
float S 32 bits
45
Addressing Modes
• An addressing mode is a mechanism for specifying an address.
• Immediate • Register• Memory
• Absolute• specify the address of the data
• Indirect• use register to calculate address
• Base + displacement• use register plus absolute address to calculate address
• Indexed• Indexed
• Add contents of an index register• Scaled index
• Add contents of an index register scaled by a constant
46
Operand addressing exampleOperand ValueComment
%eax0x100 Register
0x104 0xAB Absolute Address - memory
$0x1080x108 Immediate
(%eax) 0xFF Address 0x100 - indirect
4(%eax) 0XAB
Address 0x104 - base+displacement(4+register)
9(%eax,%edx) 0X11Address 0x10C – indexed(9 + eax+edx)
0x104(%ecx,%edx) 0X13
Address 0x108 – indexed(0x104+ecx+edx)
0xFC(,%ecx,4) 0XFFAddress 0x100 - scaled index(0xfc+0+ecx*4)
(%eax,%edx,4) 0X11Address 0x10C - scaled index(eax+edx*4)*scaled index multiplies the 2nd argument by the scaled value (the 3rd argument)
which must be a value of 1, 2, 4 or 8 (sizes of the primitive data types)
Address
Value
0x100 0xFF
0x104 0xAB
0x108 0x13
0x10C 0x11
Register
Value
ax 0x100
cx 0x01
dx 0x03
47
Operand Combinations example
Source Dest Src,Dest* C analog
Immediate Register movl $0x4, %eax temp = 0x4;
Immediate Memory movl $-147, (%eax) *p = -147;
Register Register movl %eax, %edx temp2 = temp1;
Register Memory movl %eax, (%edx) *p = temp;
Memory Register movl (%eax), %edx temp = *p;
• Each statement should be viewed separately.• REMINDER: cannot do memory-memory transfer with a single instruction.• The parentheses around the register tell the assembler to use the register
as a pointer.
Size Directive
• Typically you can infer the size being operated on by which variation of the register is in use
• mov (ebx), %eax• Destination EAX, implies moving 4 bytes
• mov (ebx), %ax• Destination AX implies moving only 2 bytes
• mov (ebx), %ah• Destination ah implies moving only 1 bytes
Size Directive
• Sometimes it is unclear though. • mov $2, (%ebx)• How many bytes do you move into memory
@ address ebx. 2? 4? 8?• Have to explicitly specify size when
dealing with immediate values• movw $2, (%ebx)
• Explicitly move 2 bytes• movl $2, (%ebx)
• Explicitly move 4 bytes
C Declaration Suffix Size
char b 8 bits
short w or s 16 bits
int l 32 bits
* (pointer) l 32 bits
float s 32 bits
long q 64 bits
x86 Instructions
• Three categories• Data Movement• Arithmetic/Logic• Control-Flow
• We will not cover ALL x86 instructions, there are numerous obscure ones
• We will cover all of the common instructions• For full list of operands see Intel’s
instruction set reference
x86 Instructions
<reg32> Any 32-bit register (EAX, EBX, ECX, EDX, ESI, EDI, ESP, or
EBP) <reg16> Any 16-bit register (AX, BX, CX, or
DX) <reg8> Any 8-bit register (AH, BH, CH, DH,
AL, BL, CL, or DL) <reg> Any register <mem> A memory address (e.g., [eax], [var +
4], or dword ptr [eax+ebx]) <con32> Any 32-bit constant <con16> Any 16-bit constant <con8> Any 8-bit constant <con> Any 8-, 16-, or 32-bit constant
Data Movement
• mov source, destination• Move data from source to destination• Syntax
mov <reg>,<reg>mov <reg>,<mem>mov <mem>,<reg>mov <const>, <reg>mov <const>, <mem>
• Examplesmov %eax, %ebx — copy the value in eax into ebx
Data Movement
• push• add 4 bytes on top of the stack• Syntax
push <reg32>push <mem>push <con32>
• Examplespush %eax — push eax on the stack
Data Movement
• pop• remove top 4 byte value from stack• Syntax
pop <reg32>pop <mem>
• Examplespop %eax — pop off stack into eax
Data Movement
• lea – Load Effective Address• loads the address of the source into the
registers in the second operand• Syntax
lea <mem>, <reg32>• Exampleslea (var), %eax — address of var is placed into eax
Arithmetic and Logic• add• adds together the two operands and stores result
in the second operand• Syntax
add <reg>,<reg>add <reg>,<mem>add <mem>,<reg>add <imm>,<reg>add <imm>,<mem>Examplesadd $10, %eax — add 10 to the current value in eax, and store result in eax
Arithmetic and Logic• sub• subtracts the two operands and stores result in the
second operand• Syntax
sub <reg>,<reg>sub <reg>,<mem>sub <mem>,<reg>sub <imm>,<reg>sub <imm>,<mem>Examplessub $10, %eax — subtracts 10 from the current value in eax, and store result in eax