{"id":1215,"date":"2021-08-27T23:55:57","date_gmt":"2021-08-27T15:55:57","guid":{"rendered":"https:\/\/markjohntaylor.com\/blog\/wordpress\/?p=1215"},"modified":"2023-07-16T14:49:20","modified_gmt":"2023-07-16T06:49:20","slug":"a-running-example","status":"publish","type":"post","link":"https:\/\/markjohntaylor.com\/blog\/wordpress\/index.php\/2021\/08\/27\/a-running-example\/","title":{"rendered":"A Running Example"},"content":{"rendered":"\n
#include <stdio.h>\n  \nint add(int a, int b)\n{\n    int c = a+b;\n    printf(\"@add(): &a=%p, &b=%p\\n\", &a, &b);\n    return c;\n}\n\nint main()\n{\n    int i = 3;\n    int j = 4;\n    int k = add(i,j);\n    printf(\"@main(): &i=%p, &j=%p, &k=%p\\n\", &i, &j, &k);\n    return k;\n}<\/pre>\n\n\n\n
I made a test in Dev-C++ (version 5.7.1, with MinGW GCC 4.8.1 32-bit), and in debug mode, via the CPU Window it produced the following instructions:<\/span><\/p>\n\n\n\n
procedure main<\/em>:<\/p>\n\n\n\n
   0x004016e0 <+0>:\tpush   %ebp\n   0x004016e1 <+1>:\tmov    %esp,%ebp\n   0x004016e3 <+3>:\tand    $0xfffffff0,%esp\n   0x004016e6 <+6>:\tsub    $0x20,%esp\n   0x004016e9 <+9>:\tcall   0x401cc0 <__main>\n=> 0x004016ee <+14>:\tmovl   $0x3,0x1c(%esp)\n   0x004016f6 <+22>:\tmovl   $0x4,0x18(%esp)\n   0x004016fe <+30>:\tmov    0x18(%esp),%edx\n   0x00401702 <+34>:\tmov    0x1c(%esp),%eax\n   0x00401706 <+38>:\tmov    %edx,0x4(%esp)\n   0x0040170a <+42>:\tmov    %eax,(%esp)\n   0x0040170d <+45>:\tcall   0x4016b0 <add>\n   0x00401712 <+50>:\tmov    %eax,0x14(%esp)\n   0x00401716 <+54>:\tlea    0x14(%esp),%eax\n   0x0040171a <+58>:\tmov    %eax,0xc(%esp)\n   0x0040171e <+62>:\tlea    0x18(%esp),%eax\n   0x00401722 <+66>:\tmov    %eax,0x8(%esp)\n   0x00401726 <+70>:\tlea    0x1c(%esp),%eax\n   0x0040172a <+74>:\tmov    %eax,0x4(%esp)\n   0x0040172e <+78>:\tmovl   $0x40507a,(%esp)\n   0x00401735 <+85>:\tcall   0x4036c8 <printf>\n   0x0040173a <+90>:\tmov    0x14(%esp),%eax\n   0x0040173e <+94>:\tleave  \n   0x0040173f <+95>:\tret    <\/pre>\n\n\n\n
subroutine add<\/em>:<\/p>\n\n\n\n
   0x004016b0 <+0>:\tpush   %ebp\n   0x004016b1 <+1>:\tmov    %esp,%ebp\n   0x004016b3 <+3>:\tsub    $0x28,%esp\n   0x004016b6 <+6>:\tmov    0x8(%ebp),%edx\n   0x004016b9 <+9>:\tmov    0xc(%ebp),%eax\n   0x004016bc <+12>:\tadd    %edx,%eax\n   0x004016be <+14>:\tmov    %eax,-0xc(%ebp)\n   0x004016c1 <+17>:\tlea    0xc(%ebp),%eax\n   0x004016c4 <+20>:\tmov    %eax,0x8(%esp)\n   0x004016c8 <+24>:\tlea    0x8(%ebp),%eax\n   0x004016cb <+27>:\tmov    %eax,0x4(%esp)\n   0x004016cf <+31>:\tmovl   $0x405064,(%esp)\n   0x004016d6 <+38>:\tcall   0x4036c8 <printf>\n   0x004016db <+43>:\tmov    -0xc(%ebp),%eax\n   0x004016de <+46>:\tleave  \n   0x004016df <+47>:\tret    <\/pre>\n\n\n\n
Following these instructions, I drew a simple diagram (partial, incomplete):<\/p>\n\n\n\n
\n
\"\"
The Running Stack<\/figcaption><\/figure>\n<\/figure>\n\n\n\n
The arguments for printf<\/code> were left out in this diagram for simplicity, but it is not difficult to imagine the whole running process with the aid of the above instructions. The calling convention<\/a>, however, can be different from another compiler. For example, on my Ubuntu 20.04.1 LTS server with GCC 9.3.0, it yields something like<\/p>\n\n\n\n
@add(): &a=0x7ffdf0f69a3c, &b=0x7ffdf0f69a38\n@main(): &i=0x7ffdf0f69a6c, &j=0x7ffdf0f69a70, &k=0x7ffdf0f69a74<\/pre>\n\n\n\n
which is completely the opposite of the above diagram: the passed arguments were arranged in decreasing addresses, and the local vars were placed in increasing addresses.  For local variables,  the compiler knows in advance how much space should be allocated in the stack by looking at its symbol table. Then it allocates enough space by subtracting some value from the RSP register. Thus, it looks like the compiler can place the local vars wherever it likes, it just needs to perform some arithmetics based on the RSP or RBP register. A good explanation for the locations of the passed arguments is, as opposed to storing them on the caller stack, it first copies those arguments to registers (if possible) in reverse order and then saves them to the callee stack <\/span>near the beginning<\/span><\/s> in argument order (RDI, RSI, RDX, RCX, R8, R9)<\/span>. In this way, the value in the EDI register (1st argument) is first placed into the callee stack and hence it has a higher address. Aha! Now it makes perfect sense! Next, let’s check it out by looking at the disassembly by running gdb a.out -batch -ex 'disassemble\/s main'<\/code> (or add<\/code>).<\/p>\n\n\n\n
Dump of assembler code for function main:\nadd.c:\n11\t{\n   0x00000000000011a7 <+0>:\tendbr64 \n   0x00000000000011ab <+4>:\tpush   %rbp\n   0x00000000000011ac <+5>:\tmov    %rsp,%rbp\n   0x00000000000011af <+8>:\tsub    $0x20,%rsp\n   0x00000000000011b3 <+12>:\tmov    %fs:0x28,%rax\n   0x00000000000011bc <+21>:\tmov    %rax,-0x8(%rbp)\n   0x00000000000011c0 <+25>:\txor    %eax,%eax\n\n12\t    int i = 3;\n   0x00000000000011c2 <+27>:\tmovl   $0x3,-0x14(%rbp)\n\n13\t    int j = 4;\n   0x00000000000011c9 <+34>:\tmovl   $0x4,-0x10(%rbp)\n\n14\t    int k = add(i,j);\n   0x00000000000011d0 <+41>:\tmov    -0x10(%rbp),%edx\n   0x00000000000011d3 <+44>:\tmov    -0x14(%rbp),%eax\n   0x00000000000011d6 <+47>:\tmov    %edx,%esi\n   0x00000000000011d8 <+49>:\tmov    %eax,%edi\n   0x00000000000011da <+51>:\tcallq  0x1169 <add>\n   0x00000000000011df <+56>:\tmov    %eax,-0xc(%rbp)\n\n15\t    printf(\"@main(): &i=%p, &j=%p, &k=%p\\n\", &i, &j, &k);\n   0x00000000000011e2 <+59>:\tlea    -0xc(%rbp),%rcx\n   0x00000000000011e6 <+63>:\tlea    -0x10(%rbp),%rdx\n   0x00000000000011ea <+67>:\tlea    -0x14(%rbp),%rax\n   0x00000000000011ee <+71>:\tmov    %rax,%rsi\n   0x00000000000011f1 <+74>:\tlea    0xe22(%rip),%rdi        # 0x201a\n   0x00000000000011f8 <+81>:\tmov    $0x0,%eax\n   0x00000000000011fd <+86>:\tcallq  0x1070 <printf@plt>\n\n16\t    return k;\n   0x0000000000001202 <+91>:\tmov    -0xc(%rbp),%eax\n\n17\t}\n   0x0000000000001205 <+94>:\tmov    -0x8(%rbp),%rsi\n   0x0000000000001209 <+98>:\txor    %fs:0x28,%rsi\n   0x0000000000001212 <+107>:\tje     0x1219 <main+114>\n   0x0000000000001214 <+109>:\tcallq  0x1060 <__stack_chk_fail@plt>\n   0x0000000000001219 <+114>:\tleaveq \n   0x000000000000121a <+115>:\tretq   \nEnd of assembler dump.<\/pre>\n\n\n\n
Dump of assembler code for function add:\nadd.c:\n4\t{\n   0x0000000000001169 <+0>:\tendbr64 \n   0x000000000000116d <+4>:\tpush   %rbp\n   0x000000000000116e <+5>:\tmov    %rsp,%rbp\n   0x0000000000001171 <+8>:\tsub    $0x20,%rsp\n   0x0000000000001175 <+12>:\tmov    %edi,-0x14(%rbp)\n   0x0000000000001178 <+15>:\tmov    %esi,-0x18(%rbp)\n\n5\t    int c = a+b;\n   0x000000000000117b <+18>:\tmov    -0x14(%rbp),%edx\n   0x000000000000117e <+21>:\tmov    -0x18(%rbp),%eax\n   0x0000000000001181 <+24>:\tadd    %edx,%eax\n   0x0000000000001183 <+26>:\tmov    %eax,-0x4(%rbp)\n\n6\t    printf(\"@add(): &a=%p, &b=%p\\n\", &a, &b);\n   0x0000000000001186 <+29>:\tlea    -0x18(%rbp),%rdx\n   0x000000000000118a <+33>:\tlea    -0x14(%rbp),%rax\n   0x000000000000118e <+37>:\tmov    %rax,%rsi\n   0x0000000000001191 <+40>:\tlea    0xe6c(%rip),%rdi        # 0x2004\n   0x0000000000001198 <+47>:\tmov    $0x0,%eax\n   0x000000000000119d <+52>:\tcallq  0x1070 <printf@plt>\n\n7\t    return c;\n   0x00000000000011a2 <+57>:\tmov    -0x4(%rbp),%eax\n\n8\t}\n   0x00000000000011a5 <+60>:\tleaveq \n   0x00000000000011a6 <+61>:\tretq   \nEnd of assembler dump.<\/pre>\n\n\n\n
The above assembler code agrees with our speculation. Note, however, the location of the local variable c<\/code> here. It is above the two arguments in the stack (just one position below the RBP register). If we rewrite the  main<\/code> function as int main(int argc, char** argv)<\/code>, then we can get something like<\/p>\n\n\n\n
   0x00000000000011a7 <+0>:\tendbr64 \n   0x00000000000011ab <+4>:\tpush   %rbp\n   0x00000000000011ac <+5>:\tmov    %rsp,%rbp\n   0x00000000000011af <+8>:\tsub    $0x30,%rsp\n   0x00000000000011b3 <+12>:\tmov    %edi,-0x24(%rbp)\n   0x00000000000011b6 <+15>:\tmov    %rsi,-0x30(%rbp)\n   0x00000000000011ba <+19>:\tmov    %fs:0x28,%rax\n   0x00000000000011c3 <+28>:\tmov    %rax,-0x8(%rbp)\n   0x00000000000011c7 <+32>:\txor    %eax,%eax<\/pre>\n\n\n\n
in the setup of the stack of main<\/code>. We can see that the two passed arguments argc<\/code> and argv<\/code> are stored at the stack top via the EDI and RSI registers, respectively.<\/p>\n\n\n\n
(Jul 15, 2023)<\/p>\n\n\n\n
Effective implementations of some x86 instructions (slides from here<\/a>):<\/p>\n\n\n\n
\n
\"\"<\/figure>\n<\/figure>\n","protected":false},"excerpt":{"rendered":"
I made a test in Dev-C++ (version 5.7.1, with MinGW GCC 4.8.1 32-bit), and in debug mode, via the CPU Window it produced the following instructions: procedure main: subroutine add: Following these instructions, I drew a simple diagram (partial, incomplete): The arguments for printf were left out in this diagram for simplicity, but it is … <\/p>\n
Continue reading “A Running Example”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[15],"tags":[],"_links":{"self":[{"href":"https:\/\/markjohntaylor.com\/blog\/wordpress\/index.php\/wp-json\/wp\/v2\/posts\/1215"}],"collection":[{"href":"https:\/\/markjohntaylor.com\/blog\/wordpress\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/markjohntaylor.com\/blog\/wordpress\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/markjohntaylor.com\/blog\/wordpress\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/markjohntaylor.com\/blog\/wordpress\/index.php\/wp-json\/wp\/v2\/comments?post=1215"}],"version-history":[{"count":32,"href":"https:\/\/markjohntaylor.com\/blog\/wordpress\/index.php\/wp-json\/wp\/v2\/posts\/1215\/revisions"}],"predecessor-version":[{"id":1758,"href":"https:\/\/markjohntaylor.com\/blog\/wordpress\/index.php\/wp-json\/wp\/v2\/posts\/1215\/revisions\/1758"}],"wp:attachment":[{"href":"https:\/\/markjohntaylor.com\/blog\/wordpress\/index.php\/wp-json\/wp\/v2\/media?parent=1215"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/markjohntaylor.com\/blog\/wordpress\/index.php\/wp-json\/wp\/v2\/categories?post=1215"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/markjohntaylor.com\/blog\/wordpress\/index.php\/wp-json\/wp\/v2\/tags?post=1215"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}