Machine-level Programming (2)

Condition Codes
 Single Bit Registers
CF Carry Flag SF Sign Flag
ZF Zero Flag OF Overflow Flag
 Implicitly Set By Arithmetic Operations
addl Src,Dest
C analog: t = a + b
– CF set if carry out from most significant bit
• Used to detect unsigned overflow
• CF = C
– ZF set if t == 0
– SF set if t < 0
– OF set if two’s complement overflow
(a>0 && b>0 && t<0) || (a<0 && b<0 && t>=0)
 Not Set by leal instruction
2
 [註|例] 상태표시 코드
명령이 플래그에 미치는 영향 명령 ZF SF CF OF
and √ √ 0 0

명령 ZF SF CF OF or √ √ 0 0

add √ √ √ √ xor √ √ 0 0

adc √ √ √ √ not
sub √ √ √ √ test √ √ 0 0

sbb √ √ √ √ bt √

neg √ √ √ √ btc/btr/bts √

inc √ √ √ shl (sal) √ √ √ √

dec √ √ √ rcl √ √

cmp √ √ √ √ rol √ √

mul ? ? √ √ shr √ √ √ √

imul ? ? √ √ sar √ √ √ √

div ? ? ? ? rcr √ √

idv ? ? ? ? ror √ √

주: “√”는 플래그를 결과에 따라 수정함. “0”은 0으로 설정함.

“?”는 정의되지 않음. 빈칸은 영향을 주지 않음.
3
 Carry Flag (in 8-bit operation)
 1) CF: (C8 in addition, ~C8 in subtraction)
– Carry out of MSB (i.e., C8) in addition: logically means overflow for
“unsigned” addition
– Complement of carry out of MSB (i.e., ~C8) in subtraction: logically
means borrow for “unsigned” subtraction

A $FF 1111 1111 255

B $FF 1111 1111 +255
A 1 1111 1110 510
• 510 is big to represent in 8 bits of A
• overflow
• C=1 indicates this
– How about “signed” numbers
A $FF 1111 1111 -1
B $FF 1111 1111 -1
A 1 1111 1110 -2
• ABA still adds the same
• C can’t give us overflow indication for
signed 2’s complement numbers 4
 Overflow Flag (in 8-bit operation)
 2) OF – overflow bit for working with 2’s complement numbers
– OF = C8  C7 (XOR of Carry In and Carry Out of MSB)

A $7F 0111 1111 127

B $01 0000 0001 + 1
A 0 1000 0000 128
• C=0 but overflow
• V=1  0=1 indicates overflow

A $80 1000 0000 -128

B $80 1000 0000 -128
A 1 0000 0000 -256
• V=0  1=1 overflow!

5
 Zero Flag and Sign Flag (in 8-bit operation)
 3) ZF – set if answer is $00
 4) SF – MSB of result; sign bit (valid only for signed numbers)

unsigned 2’s complement

A $01 0000 0001 1 1
B $FF 1111 1111 +255 -1
A 1 0000 0000 256 0
SF=0 ZF=1OF=0CF=1
 Interpretation of the Flag bits
addl Src,Dest
C analog: t = a + b
– CF set if carry out from most significant bit
• Used to detect unsigned overflow
• CF = C
– ZF set if t == 0
– SF set if t < 0
– OF set if two’s complement overflow
(a>0 && b>0 && t<0) || (a<0 && b<0 && t>=0) 6
 Setting Condition Codes (cont.)
 Explicit Setting by Compare Instruction
cmpl Src2,Src1
– cmpl b,a like computing a-b without setting destination
– CF set if “borrow” (i.e., unsigned a < unsigned b)
• Used for unsigned comparisons
– ZF set if a == b
– SF set if “MSB of(a-b) is 1” (a<b when OF=0, a>b
when OF=1)
– OF set if two’s complement overflow
(a>0 && b<0 && (a-b)<0) || (a<0 && b>0 && (a-b)>0)

7
 Setting Condition Codes (cont.)
 Explicit Setting by Test instruction
testl Src2,Src1
– Sets condition codes based on value of Src1 & Src2
• Useful to have one of the operands be a mask
– testl b,a like computing a&b without setting destination
– ZF set when a&b == 0
– SF set when a&b < 0

8
 Reading Condition Codes
 SetX Instructions (setX D: D  ConditionCodes)
– Set single byte based on combinations of condition codes

SetX Condition Description

sete ZF Equal / Zero
setne ~ZF Not Equal / Not Zero
sets SF Negative
setns ~SF Nonnegative
setg ~(SF^OF)&~ZF Greater (Signed)
setge ~(SF^OF) Greater or Equal (Signed)
setl (SF^OF) Less (Signed)
setle (SF^OF)|ZF Less or Equal (Signed)
seta ~CF&~ZF Above (unsigned)
setb CF Below (unsigned)
9
 Reading Condition Codes (Cont.)
 SetX Instructions
– Set single byte based on combinations
of condition codes %eax %ah %al
– One of 8 addressable byte registers %edx %dh %dl
• Embedded within first 4 integer registers
%ecx %ch %cl
• Does not alter remaining 3 bytes
• Typically use movzbl to finish job %ebx %bh %bl

%esi
int gt (int x, int y)
{ %edi
return x > y;
%esp
}
Body %ebp
movl 12(%ebp),%eax # eax = y
cmpl %eax,8(%ebp) # Compare x : y Note
setg %al # al = x > y inverted
movzbl %al,%eax # Zero rest of %eax ordering!

10
 Jumping
 jX Instructions (jX Label or jX *Operand)
– Jump to different part of code depending on condition codes
jX Condition Description
jmp 1 Unconditional
je ZF Equal / Zero
jne ~ZF Not Equal / Not Zero
js SF Negative
jns ~SF Nonnegative
jg ~(SF^OF)&~ZF Greater (Signed)
jge ~(SF^OF) Greater or Equal (Signed)
jl (SF^OF) Less (Signed)
jle (SF^OF)|ZF Less or Equal (Signed)
ja ~CF&~ZF Above (unsigned)
jb CF Below (unsigned)
11
 Direct and Indirect Jump
 Direct jump (give the  Indirect jump examples
jump target directly in (should refer the value
the operand) of register or memory to
get the jump target)
xorl %eax, %eax jmp *%eax
jmp .L1
movl (%eax), %edx
.L1: jmp *(%eax)
popl %edx

Conditional jumps
can only be direct

12
 Conditional Branch Example

_max:
pushl %ebp
Set
movl %esp,%ebp
Up
int max(int x, int y)
{ movl 8(%ebp),%edx
if (x > y) movl 12(%ebp),%eax
return x; cmpl %eax,%edx Body
else jle L9
return y; movl %edx,%eax
} L9:

movl %ebp,%esp
popl %ebp Finish
ret

13
 “Do-While” Loop Example

C Code Goto Version

int fact_do int fact_goto(int x)
(int x) {
{ int result = 1;
int result = 1; loop:
do { result *= x;
result *= x; x = x-1;
x = x-1; if (x > 1)
} while (x > 1); goto loop;
return result; return result;
} }

– Use backward branch to continue looping

– Only take branch when “while” condition holds

14
 “Do-While” Loop Compilation

Goto Version Assembly

int fact_goto _fact_goto:
(int x) pushl %ebp # Setup
{ movl %esp,%ebp # Setup
int result = 1; movl $1,%eax # eax = 1
loop: movl 8(%ebp),%edx # edx = x
result *= x;
x = x-1; L11:
if (x > 1) imull %edx,%eax # result *= x
goto loop; decl %edx # x--
return result; cmpl $1,%edx # Compare x : 1
} jg L11 # if > goto loop

 Registers movl %ebp,%esp # Finish

popl %ebp # Finish
%edx x
ret # Finish
%eax result

15
 General “Do-While” Translation
C Code Goto Version
do loop:
Body Body
while (Test); if (Test)
goto loop

– Body can be any C statement

• Typically compound statement:
{
Statement1;
Statement2;
…
Statementn;
}

– Test is expression returning integer

= 0 interpreted as false 0 interpreted as true
16
 “While” Loop Example #1
C Code First Goto Version
int fact_while int fact_while_goto
(int x) (int x)
{ {
int result = 1; int result = 1;
while (x > 1) { loop:
result *= x; if (!(x > 1))
x = x-1; goto done;
}; result *= x;
return result; x = x-1;
} goto loop;
done:
return result;
}

– Is this code equivalent to the do-while version?

– Must jump out of loop if test fails

17
 Actual “While” Loop Translation

C Code Second Goto Version

int fact_while(int x) int fact_while_goto2
{ (int x)
int result = 1; {
while (x > 1) { int result = 1;
result *= x; if (!(x > 1))
x = x-1; goto done;
}; loop:
return result; result *= x;
} x = x-1;
if (x > 1)
goto loop;
– Uses same inner loop done:
as do-while version return result;
– Guards loop entry with }
extra test

18
 General “While” Translation
C Code
while (Test)
Body

Do-While Version Goto Version

if (!Test)
if (!Test)
goto done;
goto done;
loop:
do
Body
Body
if (Test)
while(Test);
goto loop;
done:
done:

19
 “For” Loop Example
/* Compute x raised to nonnegative power p */
int ipwr_for(int x, unsigned p) {
int result;
for (result = 1; p != 0; p = p>>1) {
if (p & 0x1)
result *= x;
x = x*x;
}
return result;
}

 Algorithm
– Exploit property that p = p0 + 2p1 + 4p2 + … 2n–1pn–1
– Gives: xp = z0 ·z1 2 ·(z2 2) 2 ·… ·(…((zn –12) 2 )…) 2
zi = 1 when pi = 0
zi = x when pi = 1 Example
n–1 times
– Complexity O(log p) 310 = 32 * 38
= 32 * ((32) 2) 2
20
 ipwr Computation
/* Compute x raised to nonnegative power p */
int ipwr_for(int x, unsigned p) {
int result;
for (result = 1; p != 0; p = p>>1) {
if (p & 0x1)
result *= x;
x = x*x;
}
return result;
}

result x p
1 3 10
1 9 5
9 81 2
9 6561 1
531441 43046721 0

21
 “For” Loop Example
General Form
int result;
for (result = 1; for (Init; Test; Update )
p != 0;
p = p>>1) { Body
if (p & 0x1)
result *= x;
x = x*x;
}

Init Test Update

result = 1 p != 0 p = p >> 1

{
Body if (p & 0x1)
result *= x;
x = x*x;
}
22
 “For” “While”
For Version While Version
for (Init; Test; Update ) Init;
while (Test ) {
Body
Body
Update ;
}
Do-While Version
Init; Goto Version
if (!Test)
goto done; Init;
do { if (!Test)
Body goto done;
Update ; loop:
} while (Test) Body
done: Update ;
if (Test)
goto loop;
done:
23
 “For” Loop Compilation

Goto Version result = 1;

Init; if (p == 0)
if (!Test) goto done;
goto done; loop:
loop: if (p & 0x1)
Body result *= x;
Update ; x = x*x;
if (Test) p = p >> 1;
goto loop; if (p != 0)
done: goto loop;
done:
Init Test
result = 1 p != 0
Body
{
if (p & 0x1)
Update result *= x;
p = p >> 1 x = x*x;
}
24
typedef enum
{ADD, MULT, MINUS, DIV, MOD, BAD} Switch Statements
op_type;

char unparse_symbol(op_type op)

 Implementation Options
{ – Series of conditionals
switch (op) { • Good if few cases
case ADD : • Slow if many
return '+';
case MULT:
– Jump Table
return '*'; • Lookup branch target
case MINUS: • Avoids conditionals
return '-'; • Possible when cases are
case DIV: small integer constants
return '/';
– GCC
case MOD:
return '%'; • Picks one based on case
case BAD: structure
return '?'; – Bug in example code (?)
} • No default given
}

25
 Jump Table Structure
Switch Form Jump Table Jump Targets
switch(op) { jtab: Targ0 Targ0:
Code Block
case val_0: 0
Targ1
Block 0
case val_1: Targ2
Targ1:
Block 1 • Code Block
• • • • 1
case val_n-1: •
Block n–1 Targ2:
Targn-1 Code Block
} 2

•
Approx. Translation •
target = JTab[op]; •
goto *target;
Targn-1:
Code Block
n–1

26
 Switch Statement Example
 Branching Possibilities Enumerated Values
typedef enum ADD 0
{ADD, MULT, MINUS, DIV, MOD, BAD} MULT 1
op_type; MINUS 2
DIV 3
char unparse_symbol(op_type op) MOD 4
{ BAD 5
switch (op) {
• • •
}
}

unparse_symbol:
pushl %ebp # Setup
movl %esp,%ebp # Setup
movl 8(%ebp),%eax # eax = op
Setup: cmpl $5,%eax # Compare op : 5
ja .L49 # If > goto done
jmp *.L57(,%eax,4) # goto Table[op]
27
 Jump Table
Table Contents Targets & Completion
.section .rodata .L51:
.align 4 movl $43,%eax # ’+’
.L57: jmp .L49
.long .L51 #Op = 0 .L52:
.long .L52 #Op = 1 movl $42,%eax # ’*’
.long .L53 #Op = 2 jmp .L49
.long .L54 #Op = 3 .L53:
.long .L55 #Op = 4 movl $45,%eax # ’-’
.long .L56 #Op = 5 jmp .L49
.L54:
Enumerated Values movl $47,%eax # ’/’
ADD 0 jmp .L49
MULT 1 .L55:
MINUS 2 movl $37,%eax # ’%’
DIV 3 jmp .L49
MOD 4 .L56:
BAD 5 movl $63,%eax # ’?’
# Fall Through to .L49
28
 Assembly Setup Explanation
 Symbolic Labels
– Labels of form .LXX translated into addresses by assembler
 Table Structure
– Each target requires 4 bytes
– Base address at .L57
 Jumping
jmp .L49
– Jump target is denoted by label .L49
jmp *.L57(,%eax,4)
– Start of jump table denoted by label .L57
– Register %eax holds op
– Must scale by factor of 4 to get offset into table
– Fetch target from effective Address .L57 + op*4

29
 Switch Statement Completion
.L49: # Done:
movl %ebp,%esp # Finish
popl %ebp # Finish
ret # Finish

 Puzzle
– What value returned when op is invalid?

 Answer
– Register %eax set to op at beginning of procedure
– This becomes the returned value

 Advantage of Jump Table

– Can do k-way branch in O(1) operations

30
 Object Code
 Setup
– Label .L49 becomes address 0x804875c
– Label .L57 becomes address 0x8048bc0
08048718 <unparse_symbol>:
8048718: 55 pushl %ebp
8048719: 89 e5 movl %esp,%ebp
804871b: 8b 45 08 movl 0x8(%ebp),%eax
804871e: 83 f8 05 cmpl $0x5,%eax
8048721: 77 39 ja 804875c <unparse_symbol+0x44>
8048723: ff 24 85 c0 8b jmp *0x8048bc0(,%eax,4)

31
 Object Code (cont.)
 Jump Table
– Doesn’t show up in disassembled code
– Can inspect using GDB
gdb code-examples
(gdb) x/6xw 0x8048bc0
• Examine 6 hexadecimal format “words” (4-bytes each)
• Use command “help x” to get format documentation

0x8048bc0 <_fini+32>:
0x08048730
0x08048737
0x08048740
0x08048747
0x08048750
0x08048757
32
 Extracting Jump Table from Binary
 Jump Table Stored in Read Only Data Segment (.rodat
a)
– Various fixed values needed by your code
 Can examine with objdump
objdump code-examples –s –-section=.rodata
– Show everything in indicated segment.
 Hard to read
– Jump table entries shown with reversed byte ordering
Contents of section .rodata:
8048bc0 30870408 37870408 40870408 47870408 [email protected]...
8048bd0 50870408 57870408 46616374 28256429 P...W...Fact(%d)
8048be0 203d2025 6c640a00 43686172 203d2025 = %ld..Char = %
…

– E.g., 30870408 really means 0x08048730

33
 Disassembled Targets

8048730: b8 2b 00 00 00 movl $0x2b,%eax

8048735: eb 25 jmp 804875c <unparse_symbol+0x44>
8048737: b8 2a 00 00 00 movl $0x2a,%eax
804873c: eb 1e jmp 804875c <unparse_symbol+0x44>
804873e: 89 f6 movl %esi,%esi
8048740: b8 2d 00 00 00 movl $0x2d,%eax
8048745: eb 15 jmp 804875c <unparse_symbol+0x44>
8048747: b8 2f 00 00 00 movl $0x2f,%eax
804874c: eb 0e jmp 804875c <unparse_symbol+0x44>
804874e: 89 f6 movl %esi,%esi
8048750: b8 25 00 00 00 movl $0x25,%eax
8048755: eb 05 jmp 804875c <unparse_symbol+0x44>
8048757: b8 3f 00 00 00 movl $0x3f,%eax

– movl %esi,%esi does nothing

– Inserted to align instructions for better cache performance

34
 Matching Disassembled Targets

8048730: b8 2b 00 00 00 movl
8048735: eb 25 jmp
Entry 8048737: b8 2a 00 00 00 movl
0x08048730 804873c: eb 1e jmp
804873e: 89 f6 movl
0x08048737 8048740: b8 2d 00 00 00 movl
0x08048740 8048745: eb 15 jmp
0x08048747 8048747: b8 2f 00 00 00 movl
0x08048750 804874c: eb 0e jmp
804874e: 89 f6 movl
0x08048757
8048750: b8 25 00 00 00 movl
8048755: eb 05 jmp
8048757: b8 3f 00 00 00 movl

35
 Summarizing
 C Control
– if-then-else
– do-while
– while
– switch
 Assembler Control
– jump
– Conditional jump
 Compiler
– Must generate assembly code to implement more complex control
 Standard Techniques
– All loops converted to do-while form
– Large switch statements use jump tables

36