EE209: Programming Structures for

Electrical Engineering
EE209: Programming Structures for Electrical Engineering

Lecture 13: Assembly Language - IA-32

Instructions
Variable Sizes in High-Level Language

• C data types vary in size

• character: 1 byte
• short, int, and long: varies, depending on the computer
• float and double: varies, depending on the computer
• pointers: typically 4 bytes (32bit) or 8 bytes (64bit)

• Programmer-created types
• struct: arbitrary size, depending on the fields

• arrays
• Multiple consecutive elements of some fixed size
• Where each element could be a struct

3
Supporting Different Sizes in IA-32

• Three main data sizes

• Byte (b): 1 byte
• Word (w): 2 bytes
• Long (l): 4 bytes

• Separate assembly-language instructions

• e.g., addb, addw, addl,addq

• Separate ways to access (parts of) a register

• e.g., %ah or %al, %ax, and %eax

• Larger sizes (e.g., struct)

• Manipulated in smaller byte, word, or long units

4
 Byte Order in Multi-Byte Entities
• Intel is a little endian architecture
• Least significant byte of multi-byte entity is stored at
lowest memory address
• “Little end goes first” 1000 00000101
1001 00000000
The int 5 at address 1000: 1002 00000000
1003 00000000
• Some other systems use big endian
• Most significant byte of multi-byte entity is stored at
lowest memory address
• “Big end goes first”
1000 00000000
1001 00000000
The int 5 at address 1000: 1002 00000000
1003 00000101

5
Little Endian Example

int main(void) {
int i=0x003377ff, j;
unsigned char *p = (unsigned char *) &i;

for (j=0; j<4; j++)

printf("Byte %d: %x\n", j, p[j]);
}

Byte 0: ff
Output on a little-endian
Byte 1: 77
machine Byte 2: 33
Byte 3: 0

7
IA-32 General Purpose Registers

AX/BX/CX/DX

31 15 8 7 0 16-bit 32-bit
AH AL AX EAX
BH BL BX EBX
CH CL CX ECX
DH DL DX EDX
SI ESI
DI EDI

General-purpose registers

8
9
C Example: One-Byte Data

Global char variable i is in %al, the lower byte of the “A” register.

cmpb $5, %al

char i; jle else
…
if (i > 5){ incb %al
i++; jmp endif
}
else:
else {
i--; decb %al
} endif:

10
C Example: Four-Byte Data

Global int variable i is in %eax, the full 32 bits of the “A” register.

cmpl $5, %eax

int i;
… jle else
if (i > 5) { incl %eax
i++; jmp endif
}
else { else:
i--; decl %eax
} endif:

11
Loading and Storing Data

• Processors have many ways to access data

• Known as “addressing modes”
• Two simple ways seen in previous examples

• Immediate addressing
• Example: movl $0, %ecx
• Data (e.g., number “0”) embedded in the instruction
• Initialize register ECX with zero

• Register addressing
• Example: movl %edx, %ecx
• Choice of register(s) embedded in the instruction
• Copy value in register EDX into register ECX

12
Accessing Memory

• Variables are stored in memory

TEXT
• Global and static local variables in Data or BSS section
RODATA
• Dynamically allocated variables in the heap
DATA
• Function parameters and local variables on the stack BSS
• Need to be able to load from and store to memory HEAP
• To manipulate the data directly in memory
• Or copy the data between main memory and registers

• IA-32 has many different addressing modes STACK

• Corresponding to common programming constructs

• e.g., accessing a global variable, dereferencing a pointer, accessing a field in a
struct, or indexing an array

13
(1) Direct Addressing

• Load or store from a particular memory location

• Memory address is embedded in the instruction
• Instruction reads from or writes to that address

• IA-32 example:

movl 2000, %ecx

• Four-byte variable located at address 2000

• Read four bytes starting at address 2000
• Load the value into the ECX register

• Useful when the address is known in advance

• Global variables in the Data or BSS sections

• Can use a label for (human) readability

• e.g., “i” to allow “movl i, %eax”

14
(2) Indirect Addressing

• Load or store from a previously-computed address

• Register with the address is embedded in the instruction
• Instruction reads from or writes to that address

• IA-32 example:

movl (%eax), %ecx

• EAX register stores a 32-bit address (e.g., 2000)

• Read long-word variable stored at that address
• Load the value into the ECX register

• Useful when address is not known in advance

• Dynamically allocated data referenced by a pointer
• The “(%eax)” essentially dereferences a pointer

15
(3) Base Pointer Addressing
• Load or store with an offset from a base address
• Register storing the base address
• Fixed offset also embedded in the instruction
• Instruction computes the address and does access

• IA-32 example:

movl 8(%eax), %ecx

• EAX register stores a 32-bit base address (e.g., 2000)

• Offset of 8 is added to compute address (e.g., 2008)
• Read long-word variable stored at that address
• Load the value into the ECX register

• Useful when accessing part of a larger variable

• Specific field within a “struct”
• e.g., if “age” starts at the 8th byte of “student” record

16
(4) Indexed Addressing
• Load or store with an offset and multiplier
• Fixed based address embedded in the instruction
• Offset computed by multiplying register with constant
• Instruction computes the address and does access

• IA-32 example:

movl 2000(,%eax,4), %ecx

• Index register EAX (say, with value of 10)

• Multiplied by a multiplier of 1, 2, 4, or 8 (say, 4)
• Added to a fixed base of 2000 (say, to get 2040)

• Useful to iterate through an array (e.g., a[i])

• Base is the start of the array (i.e., “a”)
• Register is the index (i.e., “i”)
• Multiplier is the size of the element (e.g., 4 for “int”)

17
 Indexed Addressing Example

int a[20]; global variable

…
int i, sum=0;
for (i=0; i<20; i++)
sum += a[i];

movl $0, %eax

movl $0, %ebx
sumloop:
movl a(,%eax,4), %ecx
EAX: i addl %ecx, %ebx
EBX: sum incl %eax
ECX: temporary
cmpl $19, %eax
jle sumloop

18
 Effective Address: More Generally

eax eax
ebx ebx None
ecx ecx 1
edx edx 2 8-bit
Offset = esp + esp * +
ebp 4 16-bit
ebp
esi esi 8 32-bit
edi edi

Base Index scale displacement

• Displacement movl foo, %ebx

• Base movl (%eax), %ebx
• Base + displacement movl foo(%eax), %ebx
movl 1(%eax), %ebx
• (Index * scale) + displacement movl (,%eax,4), %ebx
• Base + (index * scale) + displacement movl foo(%edx,%eax,4),%ebx

19
 Effective Address (source)

movl var, %eax

Move the contents of memory location var into number register %eax
movl %cs:var, %eax
Move the contents of memory location var in the code segment (register %cs) into number register %eax
movl $var, %eax
Move the address of var into number register %eax

movl array_base(%esi), %eax

Add the address of memory location array_base to the contents of number register %esi to determine an
address in memory. Move the contents of this address into number register %eax

movl (%ebx,%esi, 4), %eax

Multiply the contents of number register %esi by 4 and add the result to the contents of number register %ebx to
produce a memory reference. Move the contents of this memory location into number register %eax

movl struct_base(%ebx,%esi, 4),%eax

Multiply the contents of number register %esi by 4, add the result to the contents of number register %ebx, and add
the result to the address of struct_base to produce an address. Move the contents of this address into number register
%eax

20
Review with Examples (source – page 2)

Assembly C pseudocode
movl %eax,%edx edx = eax;

movl $0x123, %edx edx = 0x123;

movl 0x124, %edx edx = *((int32 t*) 0x124);

movl (%ebx), %edx edx = *((int32 t*) ebx);

movl 4(%ebx), %edx edx = *((int32 t*) (ebx+4));

21
 Data Access Methods: Summary

• Immediate addressing: data stored in the instruction itself

• movl $10, %ecx

• Register addressing: data stored in a register

• movl %eax, %ecx

• Direct addressing: address stored in instruction

• movl foo, %ecx

• Indirect addressing: address stored in a register

• movl (%eax), %ecx

• Base pointer addressing: includes an offset as well

• movl 4(%eax), %ecx

• Indexed addressing: instruction contains base address, and specifies an index register and a multiplier (1, 2, 4, or 8)
• movl 2000(,%eax,1), %ecx

22
Goals of this Lecture

• Help you learn how to:

• Manipulate data of various sizes
• Leverage more sophisticated addressing modes
• Use condition codes and jumps to change control flow
• … and thereby …
• Write more efficient assembly-language programs
• Understand the relationship to data types and common programming
constructs in high-level languages

• Focus is on the assembly-language code

• Rather than the layout of memory for storing data

23
Control Flow

• Common case
• Execute code sequentially
• One instruction after another

• Sometimes need to change control flow

• If-then-else
cmpl $5, %eax
jle else
• Loops
incl %eax
• Switch jmp endif
else:
• Two key ingredients decl %eax
endif:
• Testing a condition
• Selecting what to run next based on result

24
Condition Codes

• 1-bit registers set by arithmetic & logic instructions

• ZF: Zero Flag
• SF: Sign Flag
• CF: Carry Flag
• OF: Overflow Flag

• Example: “addl src, dest” (“t = a + b”)

• ZF: set if t == 0
• SF: set if t < 0
• CF: set if carry out from most significant bit
• Unsigned overflow

• OF: set if two’s complement overflow

• (a>0 && b>0 && t<0) || (a<0 && b<0 && t>=0)

25
Condition Codes (continued)

• Example: “cmpl src2, src1” (compare b, a)

• Like computing a-b without setting destination
• ZF: set if a == b
• SF: set if (a-b) < 0
• CF: set if carry out from most significant bit or borrow into the MSB
• Used for unsigned comparisons

• OF: set if two’s complement overflow

• (a>0 && b<0 && (a-b)<0) || (a<0 && b>0 && (a-b)>0)
positive overflow negative overflow

• Flags are not set by lea, inc, or dec instructions

load effective address

26
Carry Flag
• The rules for turning on the carry flag in binary/integer math are two:

1. The carry flag is set if the addition of two numbers causes a carry out of the most significant (leftmost) bits
added.
- 1111 + 0001 = 0000 (carry flag is turned on)

2. The carry (borrow) flag is also set if the subtraction of two numbers requires a borrow into the most significant
(leftmost) bits subtracted.
- 0000 - 0001 = 1111 (carry flag is turned on)

Otherwise, the carry flag is turned off (zero).

* 0111 + 0001 = 1000 (carry flag is turned off [zero])

* 1000 - 0001 = 0111 (carry flag is turned off [zero])

In unsigned arithmetic, watch the carry flag to detect errors. In signed arithmetic, the carry flag tells you nothing
interesting.

27
Overflow Flag

• The rules for turning on the overflow flag in binary/integer math are two:

1. If the sum of two numbers with the sign bits off yields a result number with the sign bit on, the "overflow" flag is
turned on.
• 0100 + 0100 = 1000 (overflow flag is turned on)

2. If the sum of two numbers with the sign bits on yields a result number with the sign bit off, the "overflow" flag is
turned on.
• 1000 + 1000 = 0000 (overflow flag is turned on)

Otherwise, the overflow flag is turned off. * 0100 + 0001 = 0101 (overflow flag is turned off)
• 0110 + 1001 = 1111 (overflow flag is turned off)
• 1000 + 0001 = 1001 (overflow flag is turned off)
• 1100 + 1100 = 1000 (overflow flag is turned off)

28
Overflow Flag

• Note that you only need to look at the sign bits (leftmost) of the three numbers to decide if the overflow flag is
turned on or off.

• If you are doing two's complement (signed) arithmetic, overflow flag on means the answer is wrong - you added
two positive numbers and got a negative, or you added two negative numbers and got a positive.

• If you are doing unsigned arithmetic, the overflow flag means nothing and should be ignored.

29
 Example Five-Bit Comparisons
• Comparison: cmp $6, $12
• Not zero: ZF=0 (diff is not 00000) 01100 01100
• Positive: SF=0 (first bit is 0) - 00110 + 11010
?? 00110
• No carry: CF=0 (unsigned diff is correct)
• No overflow: OF=0 (signed diff is correct)
• Comparison: cmp $12, $6
• Not zero: ZF=0 (diff is not 00000) 00110 00110
- 01100 + 10100
• Negative: SF=1 (first bit is 1) 11010
??
• Carry: CF=1 (unsigned diff is wrong)
• No overflow: OF=0 (signed diff is correct)
10100 10100
• Comparison: cmp $-6, $-12 - 11010 + 00110
?? 11010
• Not zero: ZF=0 (diff is not 00000)
• Negative: SF=1 (first bit is 1)
• Carry: CF=1 (unsigned diff of 20 and 26 is wrong)
• No overflow: OF=0 (signed diff is correct)

30
Jumps after Comparison (cmpl)
• Equality
• Equal: je (ZF)
• Not equal: jne (~ZF)

• Below/above (e.g., unsigned arithmetic)

• Below: jb (CF)
• Above or equal: jae (~CF)
• Below or equal: jbe (CF | ZF)
• Above: ja (~(CF | ZF))

• Less/greater (e.g., signed arithmetic)

• Less: jl (SF ^ OF)
• Greater or equal: jge (~(SF ^ OF))
• Less or equal: jle ((SF ^ OF) | ZF)
• Greater: jg (~((SF ^ OF) | ZF))

31
Branch Instructions

• Conditional jump
• j{l,g,e,ne,...} target if (condition) {eip = target}
Comparison Signed Unsigned
= e e “equal”
≠ ne ne “not equal”
> g a “greater,above”
≥ ge ae “...-or-equal”
< l b “less,below”
≤ le be “...-or-equal”
overflow/carry o c
no ovf/carry no nc

• Unconditional jump
• jmp target
• jmp *register (e.g., jmp *%eax) # jump to the address that
%eax holds
• jmp *(register) (e.g., jmp *(%eax)) # %eax is a pointer to
the target.

32
Jumping

• Simple model of a “goto” statement

• Go to a particular place in the code
• Based on whether a condition is true or false
• Can represent if-then-else, switch, loops, etc.

• Pseudocode example: If-Then-Else

if (!Test) goto Else;

if (Test) {
then-body;
then-body;
goto Done;
} else {
Else:
else-body;
else-body;
}
Done:

33
Jumping (continued)

• Pseudocode example: do-while loop

do { loop:
Body; Body;
} while (Test); if (Test) then goto loop;

• Pseudocode example: while loop

goto middle;
loop:
while (Test) Body;
Body; middle:
if (Test) then goto loop;

34
Jumping (continued)

• Pseudocode example: For loop

for (Init; Test; Update)

Body

Init;
if (!Test) goto done;
loop:
Body;
Update;
if (Test) goto loop;
done:

35
Arithmetic Instructions
• Simple instructions
• add{b,w,l,q} source, dest dest = source + dest
• sub{b,w,l,q} source, dest dest = dest – source
• inc{b,w,l,q} dest dest = dest + 1
• dec{b,w,l,q} dest dest = dest – 1
• neg{b,w,l,q} dest dest = ~dest + 1 # 2’s complement
• cmp{b,w,l,q} source1, source2 source2 – source1
• Multiply
• mul (unsigned) or imul (signed)
mull %ebx # edx, eax = eax * ebx
• Divide
• div (unsigned) or idiv (signed)
idivl %ebx # edx:eax / ebx
# quotient: eax remainder: edx
• Many more in Intel manual (volume 2)
• adc (add with carry), sbb (integer subtraction with borrow), decimal
arithmetic instructions
36
Arithmetic Instructions

• Example: multiply instruction

mulb src

src X AL AX

mulw src

src X AX DX AX

mull src

src X EAX EDX EAX

37
Bitwise Logic Instructions
• Simple instructions
and{b,w,l,q} source, dest dest = source & dest

or{b,w,l,q} source, dest dest = source | dest

xor{b,w,l,q} source, dest dest = source ^ dest

not{b,w,l,q} dest dest = ~dest

sal{b,w,l,q} source, dest (arithmetic) dest = dest << source

sar{b,w,l,q} source, dest (arithmetic) dest = dest >> source

• Many more in Intel Manual (volume 2)

• Logic shift

• Rotation shift

• Bit scan

• Bit test
• Byte set on conditions

38
Data Transfer Instructions

• mov{b,w,l,q} source, dest

• General move instruction
• push{w,l,q} source
pushl %ebx # equivalent instructions
subl $4, %esp

movl %ebx, (%esp)

• pop{w,l,q} dest
popl %ebx # equivalent instructions
movl (%esp), %ebx
addl $4, %esp

• Many more in Intel manual (volume 2)

• Type conversion, conditional move, exchange, compare and exchange,
I/O port, string move, etc.

39
 Data Transfer Instructions
• mov{b,w,l,q} source, dest

• General move instruction

• push{w,l,q} source
pushl %ebx # equivalent instructions
subl $4, %esp
esp
movl %ebx, (%esp)

• pop{w,l,q} dest
popl %ebx # equivalent instructions
movl (%esp), %ebx
addl $4, %esp

• Many more in Intel manual (volume 2)

• Type conversion, conditional move, exchange, compare and exchange, I/O

port, string move, etc.
40
Data Transfer Instructions
• mov{b,w,l,q} source, dest

• General move instruction

• push{w,l,q} source
pushl %ebx # equivalent instructions
esp
subl $4, %esp

movl %ebx, (%esp)

• pop{w,l,q} dest
popl %ebx # equivalent instructions
movl (%esp), %ebx
addl $4, %esp

• Many more in Intel manual (volume 2)

• Type conversion, conditional move, exchange, compare and

exchange, I/O port, string move, etc.
41
Data Transfer Instructions
• mov{b,w,l,q} source, dest

• General move instruction

• push{w,l,q} source
pushl %ebx # equivalent instructions
subl $4, %esp

movl %ebx, (%esp)

• pop{w,l,q} dest
popl %ebx # equivalent instructions
movl (%esp), %ebx
addl $4, %esp

• Many more in Intel manual (volume 2)

• Type conversion, conditional move, exchange, compare and

exchange, I/O port, string move, etc.

42
Data Transfer Instructions
• mov{b,w,l,q} source, dest

• General move instruction

• push{w,l,q} source
pushl %ebx # equivalent instructions
subl $4, %esp

movl %ebx, (%esp)

• pop{w,l,q} dest
popl %ebx # equivalent instructions
movl (%esp), %ebx
esp
addl $4, %esp

• Many more in Intel manual (volume 2)

• Type conversion, conditional move, exchange, compare and

exchange, I/O port, string move, etc.

43
Data Transfer Instructions
• mov{b,w,l,q} source, dest

• General move instruction

• push{w,l,q} source
pushl %ebx # equivalent instructions
subl $4, %esp

movl %ebx, (%esp)

• pop{w,l,q} dest
popl %ebx # equivalent instructions
movl (%esp), %ebx
addl $4, %esp esp
• Many more in Intel manual (volume 2)

• Type conversion, conditional move, exchange, compare and

exchange, I/O port, string move, etc.

44
Conclusions

• Accessing data
• Byte, word, and long-word data types
• Wide variety of addressing modes

• Control flow
• Common C control-flow constructs
• Condition codes and jump instructions

• Manipulating data
• Arithmetic and logic operations

• Next time
• Calling functions, using the stack

45
46