当前位置: 文江博客 话题详情

cltq 在汇编中做什么?

发布于 2024-11-18 01:19:21 字数 3534 浏览 2 评论 0 原文 

0x0000000000400553 <main+59>:   mov    -0x4(%rbp),%eax
0x0000000000400556 <main+62>:   cltq   
0x0000000000400558 <main+64>:   shl    $0x3,%rax
0x000000000040055c <main+68>:   mov    %rax,%rdx

事实上,我的程序很简单:

5   int main(int argc, char *argv[]) { 
6     int i = 0;
7     while(environ[i]) {
8       printf("%s\n", environ[i++]);
9     }
10    return 0;

但是汇编输出很长:

Dump of assembler code for function main:
0x0000000000400518 <main+0>:    push   %rbp
0x0000000000400519 <main+1>:    mov    %rsp,%rbp
0x000000000040051c <main+4>:    sub    $0x20,%rsp
0x0000000000400520 <main+8>:    mov    %edi,-0x14(%rbp)
0x0000000000400523 <main+11>:   mov    %rsi,-0x20(%rbp)
0x0000000000400527 <main+15>:   movl   $0x0,-0x4(%rbp)
0x000000000040052e <main+22>:   jmp    0x400553 <main+59>
0x0000000000400530 <main+24>:   mov    -0x4(%rbp),%eax
0x0000000000400533 <main+27>:   cltq   
0x0000000000400535 <main+29>:   shl    $0x3,%rax
0x0000000000400539 <main+33>:   mov    %rax,%rdx
0x000000000040053c <main+36>:   mov    0x2003e5(%rip),%rax        # 0x600928 <environ@@GLIBC_2.2.5>
0x0000000000400543 <main+43>:   lea    (%rdx,%rax,1),%rax
0x0000000000400547 <main+47>:   mov    (%rax),%rdi
0x000000000040054a <main+50>:   addl   $0x1,-0x4(%rbp)
0x000000000040054e <main+54>:   callq  0x400418 <puts@plt>
0x0000000000400553 <main+59>:   mov    -0x4(%rbp),%eax
0x0000000000400556 <main+62>:   cltq   
0x0000000000400558 <main+64>:   shl    $0x3,%rax
0x000000000040055c <main+68>:   mov    %rax,%rdx
0x000000000040055f <main+71>:   mov    0x2003c2(%rip),%rax        # 0x600928 <environ@@GLIBC_2.2.5>
0x0000000000400566 <main+78>:   lea    (%rdx,%rax,1),%rax
0x000000000040056a <main+82>:   mov    (%rax),%rax
0x000000000040056d <main+85>:   test   %rax,%rax
0x0000000000400570 <main+88>:   jne    0x400530 <main+24>
0x0000000000400572 <main+90>:   mov    $0x0,%eax
0x0000000000400577 <main+95>:   leaveq 
0x0000000000400578 <main+96>:   retq   
End of assembler dump.

我不明白的是这个块:

0x000000000040052e <main+22>:   jmp    0x400553 <main+59>
0x0000000000400530 <main+24>:   mov    -0x4(%rbp),%eax
0x0000000000400533 <main+27>:   cltq   
0x0000000000400535 <main+29>:   shl    $0x3,%rax
0x0000000000400539 <main+33>:   mov    %rax,%rdx
0x000000000040053c <main+36>:   mov    0x2003e5(%rip),%rax        # 0x600928 <environ@@GLIBC_2.2.5>
0x0000000000400543 <main+43>:   lea    (%rdx,%rax,1),%rax
0x0000000000400547 <main+47>:   mov    (%rax),%rdi
0x000000000040054a <main+50>:   addl   $0x1,-0x4(%rbp)
0x000000000040054e <main+54>:   callq  0x400418 <puts@plt>
0x0000000000400553 <main+59>:   mov    -0x4(%rbp),%eax
0x0000000000400556 <main+62>:   cltq   
0x0000000000400558 <main+64>:   shl    $0x3,%rax
0x000000000040055c <main+68>:   mov    %rax,%rdx
0x000000000040055f <main+71>:   mov    0x2003c2(%rip),%rax        # 0x600928 <environ@@GLIBC_2.2.5>
0x0000000000400566 <main+78>:   lea    (%rdx,%rax,1),%rax
0x000000000040056a <main+82>:   mov    (%rax),%rax
0x000000000040056d <main+85>:   test   %rax,%rax
0x0000000000400570 <main+88>:   jne    0x400530 <main+24>
原文 
0x0000000000400553 <main+59>:   mov    -0x4(%rbp),%eax
0x0000000000400556 <main+62>:   cltq   
0x0000000000400558 <main+64>:   shl    $0x3,%rax
0x000000000040055c <main+68>:   mov    %rax,%rdx

In fact my programe is as simple as :

5   int main(int argc, char *argv[]) { 
6     int i = 0;
7     while(environ[i]) {
8       printf("%s\n", environ[i++]);
9     }
10    return 0;

But the assembly output is pretty long:

Dump of assembler code for function main:
0x0000000000400518 <main+0>:    push   %rbp
0x0000000000400519 <main+1>:    mov    %rsp,%rbp
0x000000000040051c <main+4>:    sub    $0x20,%rsp
0x0000000000400520 <main+8>:    mov    %edi,-0x14(%rbp)
0x0000000000400523 <main+11>:   mov    %rsi,-0x20(%rbp)
0x0000000000400527 <main+15>:   movl   $0x0,-0x4(%rbp)
0x000000000040052e <main+22>:   jmp    0x400553 <main+59>
0x0000000000400530 <main+24>:   mov    -0x4(%rbp),%eax
0x0000000000400533 <main+27>:   cltq   
0x0000000000400535 <main+29>:   shl    $0x3,%rax
0x0000000000400539 <main+33>:   mov    %rax,%rdx
0x000000000040053c <main+36>:   mov    0x2003e5(%rip),%rax        # 0x600928 <environ@@GLIBC_2.2.5>
0x0000000000400543 <main+43>:   lea    (%rdx,%rax,1),%rax
0x0000000000400547 <main+47>:   mov    (%rax),%rdi
0x000000000040054a <main+50>:   addl   $0x1,-0x4(%rbp)
0x000000000040054e <main+54>:   callq  0x400418 <puts@plt>
0x0000000000400553 <main+59>:   mov    -0x4(%rbp),%eax
0x0000000000400556 <main+62>:   cltq   
0x0000000000400558 <main+64>:   shl    $0x3,%rax
0x000000000040055c <main+68>:   mov    %rax,%rdx
0x000000000040055f <main+71>:   mov    0x2003c2(%rip),%rax        # 0x600928 <environ@@GLIBC_2.2.5>
0x0000000000400566 <main+78>:   lea    (%rdx,%rax,1),%rax
0x000000000040056a <main+82>:   mov    (%rax),%rax
0x000000000040056d <main+85>:   test   %rax,%rax
0x0000000000400570 <main+88>:   jne    0x400530 <main+24>
0x0000000000400572 <main+90>:   mov    $0x0,%eax
0x0000000000400577 <main+95>:   leaveq 
0x0000000000400578 <main+96>:   retq   
End of assembler dump.

What I don't understand is this block:

0x000000000040052e <main+22>:   jmp    0x400553 <main+59>
0x0000000000400530 <main+24>:   mov    -0x4(%rbp),%eax
0x0000000000400533 <main+27>:   cltq   
0x0000000000400535 <main+29>:   shl    $0x3,%rax
0x0000000000400539 <main+33>:   mov    %rax,%rdx
0x000000000040053c <main+36>:   mov    0x2003e5(%rip),%rax        # 0x600928 <environ@@GLIBC_2.2.5>
0x0000000000400543 <main+43>:   lea    (%rdx,%rax,1),%rax
0x0000000000400547 <main+47>:   mov    (%rax),%rdi
0x000000000040054a <main+50>:   addl   $0x1,-0x4(%rbp)
0x000000000040054e <main+54>:   callq  0x400418 <puts@plt>
0x0000000000400553 <main+59>:   mov    -0x4(%rbp),%eax
0x0000000000400556 <main+62>:   cltq   
0x0000000000400558 <main+64>:   shl    $0x3,%rax
0x000000000040055c <main+68>:   mov    %rax,%rdx
0x000000000040055f <main+71>:   mov    0x2003c2(%rip),%rax        # 0x600928 <environ@@GLIBC_2.2.5>
0x0000000000400566 <main+78>:   lea    (%rdx,%rax,1),%rax
0x000000000040056a <main+82>:   mov    (%rax),%rax
0x000000000040056d <main+85>:   test   %rax,%rax
0x0000000000400570 <main+88>:   jne    0x400530 <main+24>

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

赤濁 2024-11-25 01:19:21

助记符

cltq 是 Intel 的 cdqegas 助记符,记录如下:https://sourceware.org/binutils/docs/as/i386_002dMnemonics.html

助记符为:

  • Convert Long To Quad (cltq): AT&T-style
  • Convert Double至四边扩展 (cdqe):Intel

术语:

  • 四元组(又名四字)== 8 字节
  • 长 (AT&T) == 双字 (Intel) == 4 字节

这是 GAS 名称与 Intel 版本有很大不同的少数指令之一。 as 接受助记符,但像 NASM 这样的 Intel 语法汇编程序可能只接受 Intel 名称。

作用

它的符号将4个字节扩展到8个字节,在2的补码中意味着对于:

  • 负数,高4字节的位必须设置为1,
  • 正数,它们必须设置为0

在C中,通常表示从有符号 intlong 的转换。

示例:

mov $0x0123456700000001, %rax  # eax=1, high bytes of rax=garbage
cltq
# %rax == $0000 0000 0000 0001

mov $-1, %eax   # %rax = 0000 0000 FFFF FFFF
cltq
# %rax == $FFFF FFFF FFFF FFFF == qword $-1

该指令仅适用于 64 位。

另请考虑以下说明:

  • CWDE (AT&T CWTL)、CBW (AT&T CBTW): CDQE 的较小版本,也出现在 32 位
  • CQO 系列中,该符号将 RAX 扩展为 RDX:RAX
  • MOVSX 系列,它们都进行符号扩展和移动:movsbl 指令做什么?

GitHub 上带断言的最小可运行示例:

C 示例

GCC 4.9.3 发出it:

#include <stdio.h>
#include <stdlib.h>

int main(int argc, char **argv) {
    int i = strtol(argv[1], (char **)NULL, 16);;
    long int l = i;
    printf("%lx\n", l);
}

编译和反汇编:

gcc -ggdb3 -std=c99 -O0 a.c
objdump -S a.out

包含:

    int main(int argc, char **argv) {
  ...
    long int l2 = i;
  400545:       8b 45 fc                mov    -0x4(%rbp),%eax
  400548:       48 98                   cltq   
  40054a:       48 89 45 f0             mov    %rax,-0x10(%rbp)

并且行为是:

$ ./a.out 0x80000000
ffffffff80000000
$ ./a.out 0x40000000
40000000

Mnemonic

cltq is the gas mnemonic for Intel's cdqe as documented at: https://sourceware.org/binutils/docs/as/i386_002dMnemonics.html

The mnemonics are:

  • Convert Long To Quad (cltq): AT&T-style
  • Convert Double to Quad Extend (cdqe): Intel

Terminology:

  • quad (aka quad-word) == 8 bytes
  • long (AT&T) == double-word (Intel) == 4 bytes

This is one of the few instructions whose GAS name is very different from the Intel version. as accepts either mnemonic, but Intel-syntax assemblers like NASM may only accept the Intel names.

Effect

It sign extends 4 bytes into 8 bytes, which in 2's complement means that for:

  • negative numbers, the bits of the upper 4 bytes must set to 1
  • positive numbers, they must be set to 0

In C, that usually represents a cast from signed int to long.

Example:

mov $0x0123456700000001, %rax  # eax=1, high bytes of rax=garbage
cltq
# %rax == $0000 0000 0000 0001

mov $-1, %eax   # %rax = 0000 0000 FFFF FFFF
cltq
# %rax == $FFFF FFFF FFFF FFFF == qword $-1

This instruction is only available on 64-bits.

Also consider the following instructions:

  • CWDE (AT&T CWTL), CBW (AT&T CBTW): smaller versions of CDQE, also present in 32-bit
  • CQO family, which sign extends RAX into RDX:RAX
  • MOVSX family, which both sign extends and moves: what does movsbl instruction do?

Minimal runnable examples on GitHub with assertions:

C example

GCC 4.9.3 emits it:

#include <stdio.h>
#include <stdlib.h>

int main(int argc, char **argv) {
    int i = strtol(argv[1], (char **)NULL, 16);;
    long int l = i;
    printf("%lx\n", l);
}

Compile and disassemble:

gcc -ggdb3 -std=c99 -O0 a.c
objdump -S a.out

contains:

    int main(int argc, char **argv) {
  ...
    long int l2 = i;
  400545:       8b 45 fc                mov    -0x4(%rbp),%eax
  400548:       48 98                   cltq   
  40054a:       48 89 45 f0             mov    %rax,-0x10(%rbp)

and the behavior is:

$ ./a.out 0x80000000
ffffffff80000000
$ ./a.out 0x40000000
40000000
回复 原文
挽袖吟 2024-11-25 01:19:21

cltq 将 int 提升为 int64。 shl 3, %rax 对 64 位指针进行偏移(将 rax 中的内容乘以 8)。该代码正在做的是循环遍历指向环境变量的指针列表。当它找到零值时,即结束,并退出循环。

下面是 Linux 如何将环境变量存储在堆栈上方 RAM 中的示意图。您将看到从 0xbffff75c 开始的指针;指向 0xbffff893,“TERM=rxvt”。

jcomeau@intrepid:/tmp$ gdb test
GNU gdb (GDB) 7.2-debian
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /tmp/test...(no debugging symbols found)...done.
(gdb) break main
Breakpoint 1 at 0x80483e7
(gdb) run
Starting program: /tmp/test 

Breakpoint 1, 0x080483e7 in main ()
(gdb) info reg
eax            0xbffff754   -1073744044
ecx            0xe88ed1c    243854620
edx            0x1  1
ebx            0xb7fc5ff4   -1208197132
esp            0xbffff6a8   0xbffff6a8
ebp            0xbffff6a8   0xbffff6a8
esi            0x0  0
edi            0x0  0
eip            0x80483e7    0x80483e7 <main+3>
eflags         0x200246 [ PF ZF IF ID ]
cs             0x73 115
ss             0x7b 123
ds             0x7b 123
es             0x7b 123
fs             0x0  0
gs             0x33 51
(gdb) x/160x 0xbffff6a8
0xbffff6a8: 0xbffff728  0xb7e86e46  0x00000001  0xbffff754
0xbffff6b8: 0xbffff75c  0xb7fe2940  0xb7ff7351  0xffffffff
0xbffff6c8: 0xb7ffeff4  0x08048254  0x00000001  0xbffff710
0xbffff6d8: 0xb7ff0976  0xb7fffac0  0xb7fe2c38  0xb7fc5ff4
0xbffff6e8: 0x00000000  0x00000000  0xbffff728  0x21b99b0c
0xbffff6f8: 0x0e88ed1c  0x00000000  0x00000000  0x00000000
0xbffff708: 0x00000001  0x08048330  0x00000000  0xb7ff64f0
0xbffff718: 0xb7e86d6b  0xb7ffeff4  0x00000001  0x08048330
0xbffff728: 0x00000000  0x08048351  0x080483e4  0x00000001
0xbffff738: 0xbffff754  0x08048440  0x08048430  0xb7ff12f0
0xbffff748: 0xbffff74c  0xb7fff908  0x00000001  0xbffff889
0xbffff758: 0x00000000  0xbffff893  0xbffff89d  0xbffff8ad
0xbffff768: 0xbffff8fd  0xbffff90c  0xbffff91c  0xbffff92d
0xbffff778: 0xbffff93a  0xbffff94d  0xbffff97a  0xbffffe6a
0xbffff788: 0xbffffe75  0xbffffef7  0xbfffff0e  0xbfffff1d
0xbffff798: 0xbfffff26  0xbfffff30  0xbfffff41  0xbfffff6a
0xbffff7a8: 0xbfffff73  0xbfffff8a  0xbfffff9d  0xbfffffa5
0xbffff7b8: 0xbfffffbc  0xbfffffcc  0xbfffffdf  0x00000000
0xbffff7c8: 0x00000020  0xffffe420  0x00000021  0xffffe000
0xbffff7d8: 0x00000010  0x078bfbff  0x00000006  0x00001000
0xbffff7e8: 0x00000011  0x00000064  0x00000003  0x08048034
0xbffff7f8: 0x00000004  0x00000020  0x00000005  0x00000008
0xbffff808: 0x00000007  0xb7fe3000  0x00000008  0x00000000
---Type <return> to continue, or q <return> to quit---
0xbffff818: 0x00000009  0x08048330  0x0000000b  0x000003e8
0xbffff828: 0x0000000c  0x000003e8  0x0000000d  0x000003e8
0xbffff838: 0x0000000e  0x000003e8  0x00000017  0x00000000
0xbffff848: 0x00000019  0xbffff86b  0x0000001f  0xbffffff2
0xbffff858: 0x0000000f  0xbffff87b  0x00000000  0x00000000
0xbffff868: 0x50000000  0x7d410985  0x1539ef2a  0x7a3f5e9a
0xbffff878: 0x6964fe17  0x00363836  0x00000000  0x00000000
0xbffff888: 0x6d742f00  0x65742f70  0x54007473  0x3d4d5245
0xbffff898: 0x74767872  0x45485300  0x2f3d4c4c  0x2f6e6962
0xbffff8a8: 0x68736162  0x47445800  0x5345535f  0x4e4f4953
0xbffff8b8: 0x4f4f435f  0x3d45494b  0x37303534  0x66656135
0xbffff8c8: 0x32353131  0x63346334  0x30393436  0x35386331
0xbffff8d8: 0x39346134  0x37316135  0x3033312d  0x31383339
0xbffff8e8: 0x2e303736  0x31303832  0x382d3033  0x33323731
0xbffff8f8: 0x39373936  0x53494800  0x5a495354  0x30313d45
0xbffff908: 0x00303030  0x48535548  0x49474f4c  0x41463d4e
0xbffff918: 0x0045534c  0x444e4957  0x4449574f  0x3833383d
(gdb) x/20s 0xbffff888
0xbffff888:  ""
0xbffff889:  "/tmp/test"
0xbffff893:  "TERM=rxvt"
0xbffff89d:  "SHELL=/bin/bash"
0xbffff8ad:  "XDG_SESSION_COOKIE=45075aef11524c4c64901c854a495a17-1309381670.280130-817236979"
0xbffff8fd:  "HISTSIZE=10000"
0xbffff90c:  "HUSHLOGIN=FALSE"
0xbffff91c:  "WINDOWID=8388614"
0xbffff92d:  "USER=jcomeau"
0xbffff93a:  "HISTFILESIZE=10000"
0xbffff94d:  "LD_LIBRARY_PATH=/usr/src/jet/lib/x86/shared:"
0xbffff97a:  "LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31"...
0xbffffa42:  ":*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.d"...
0xbffffb0a:  "eb=01;31:*.rpm=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35"...
0xbffffbd2:  ":*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=---Type <return> to continue, or q <return> to quit---
01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4"...
0xbffffc9a:  "v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*."...
0xbffffd62:  "yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;3"...
0xbffffe2a:  "6:*.wav=00;36:*.axa=00;36:*.oga=00;36:*.spx=00;36:*.xspf=00;36:"
0xbffffe6a:  "COLUMNS=80"
0xbffffe75:  "PATH=/usr/src/jet/bin:/usr/local/bin:/usr/bin:/bin:/usr/games:/home/jcomeau:/home/jcomeau/bin:/home/jcomeau/src:/sbin:/usr/sbin:."
(gdb) quit
A debugging session is active.

    Inferior 1 [process 10880] will be killed.

Quit anyway? (y or n) y

您的编译器显然足够聪明,可以将简单格式的 printf 优化为 puts。环境字符串的获取和 i 的后增量都在代码中。如果你不自己弄清楚其中的一些内容,你永远不会真正理解它。只需“成为”计算机,并使用我通过 gdb 为您转储的数据单步执行循环,您就会明白一切。

cltq promotes an int to an int64. shl 3, %rax makes an offset to a 64-bit pointer (multiplies whatever is in rax by 8). what the code is doing is looping through a list of pointers to environment variables. when it finds a value of zero, that's the end, and it drops out of the loop.

Here is a visual on how Linux stores the environment variables in RAM, above the stack. You'll see the pointers starting at 0xbffff75c; that points to 0xbffff893, "TERM=rxvt".

jcomeau@intrepid:/tmp$ gdb test
GNU gdb (GDB) 7.2-debian
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /tmp/test...(no debugging symbols found)...done.
(gdb) break main
Breakpoint 1 at 0x80483e7
(gdb) run
Starting program: /tmp/test 

Breakpoint 1, 0x080483e7 in main ()
(gdb) info reg
eax            0xbffff754   -1073744044
ecx            0xe88ed1c    243854620
edx            0x1  1
ebx            0xb7fc5ff4   -1208197132
esp            0xbffff6a8   0xbffff6a8
ebp            0xbffff6a8   0xbffff6a8
esi            0x0  0
edi            0x0  0
eip            0x80483e7    0x80483e7 <main+3>
eflags         0x200246 [ PF ZF IF ID ]
cs             0x73 115
ss             0x7b 123
ds             0x7b 123
es             0x7b 123
fs             0x0  0
gs             0x33 51
(gdb) x/160x 0xbffff6a8
0xbffff6a8: 0xbffff728  0xb7e86e46  0x00000001  0xbffff754
0xbffff6b8: 0xbffff75c  0xb7fe2940  0xb7ff7351  0xffffffff
0xbffff6c8: 0xb7ffeff4  0x08048254  0x00000001  0xbffff710
0xbffff6d8: 0xb7ff0976  0xb7fffac0  0xb7fe2c38  0xb7fc5ff4
0xbffff6e8: 0x00000000  0x00000000  0xbffff728  0x21b99b0c
0xbffff6f8: 0x0e88ed1c  0x00000000  0x00000000  0x00000000
0xbffff708: 0x00000001  0x08048330  0x00000000  0xb7ff64f0
0xbffff718: 0xb7e86d6b  0xb7ffeff4  0x00000001  0x08048330
0xbffff728: 0x00000000  0x08048351  0x080483e4  0x00000001
0xbffff738: 0xbffff754  0x08048440  0x08048430  0xb7ff12f0
0xbffff748: 0xbffff74c  0xb7fff908  0x00000001  0xbffff889
0xbffff758: 0x00000000  0xbffff893  0xbffff89d  0xbffff8ad
0xbffff768: 0xbffff8fd  0xbffff90c  0xbffff91c  0xbffff92d
0xbffff778: 0xbffff93a  0xbffff94d  0xbffff97a  0xbffffe6a
0xbffff788: 0xbffffe75  0xbffffef7  0xbfffff0e  0xbfffff1d
0xbffff798: 0xbfffff26  0xbfffff30  0xbfffff41  0xbfffff6a
0xbffff7a8: 0xbfffff73  0xbfffff8a  0xbfffff9d  0xbfffffa5
0xbffff7b8: 0xbfffffbc  0xbfffffcc  0xbfffffdf  0x00000000
0xbffff7c8: 0x00000020  0xffffe420  0x00000021  0xffffe000
0xbffff7d8: 0x00000010  0x078bfbff  0x00000006  0x00001000
0xbffff7e8: 0x00000011  0x00000064  0x00000003  0x08048034
0xbffff7f8: 0x00000004  0x00000020  0x00000005  0x00000008
0xbffff808: 0x00000007  0xb7fe3000  0x00000008  0x00000000
---Type <return> to continue, or q <return> to quit---
0xbffff818: 0x00000009  0x08048330  0x0000000b  0x000003e8
0xbffff828: 0x0000000c  0x000003e8  0x0000000d  0x000003e8
0xbffff838: 0x0000000e  0x000003e8  0x00000017  0x00000000
0xbffff848: 0x00000019  0xbffff86b  0x0000001f  0xbffffff2
0xbffff858: 0x0000000f  0xbffff87b  0x00000000  0x00000000
0xbffff868: 0x50000000  0x7d410985  0x1539ef2a  0x7a3f5e9a
0xbffff878: 0x6964fe17  0x00363836  0x00000000  0x00000000
0xbffff888: 0x6d742f00  0x65742f70  0x54007473  0x3d4d5245
0xbffff898: 0x74767872  0x45485300  0x2f3d4c4c  0x2f6e6962
0xbffff8a8: 0x68736162  0x47445800  0x5345535f  0x4e4f4953
0xbffff8b8: 0x4f4f435f  0x3d45494b  0x37303534  0x66656135
0xbffff8c8: 0x32353131  0x63346334  0x30393436  0x35386331
0xbffff8d8: 0x39346134  0x37316135  0x3033312d  0x31383339
0xbffff8e8: 0x2e303736  0x31303832  0x382d3033  0x33323731
0xbffff8f8: 0x39373936  0x53494800  0x5a495354  0x30313d45
0xbffff908: 0x00303030  0x48535548  0x49474f4c  0x41463d4e
0xbffff918: 0x0045534c  0x444e4957  0x4449574f  0x3833383d
(gdb) x/20s 0xbffff888
0xbffff888:  ""
0xbffff889:  "/tmp/test"
0xbffff893:  "TERM=rxvt"
0xbffff89d:  "SHELL=/bin/bash"
0xbffff8ad:  "XDG_SESSION_COOKIE=45075aef11524c4c64901c854a495a17-1309381670.280130-817236979"
0xbffff8fd:  "HISTSIZE=10000"
0xbffff90c:  "HUSHLOGIN=FALSE"
0xbffff91c:  "WINDOWID=8388614"
0xbffff92d:  "USER=jcomeau"
0xbffff93a:  "HISTFILESIZE=10000"
0xbffff94d:  "LD_LIBRARY_PATH=/usr/src/jet/lib/x86/shared:"
0xbffff97a:  "LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31"...
0xbffffa42:  ":*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.d"...
0xbffffb0a:  "eb=01;31:*.rpm=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35"...
0xbffffbd2:  ":*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=---Type <return> to continue, or q <return> to quit---
01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4"...
0xbffffc9a:  "v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*."...
0xbffffd62:  "yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;3"...
0xbffffe2a:  "6:*.wav=00;36:*.axa=00;36:*.oga=00;36:*.spx=00;36:*.xspf=00;36:"
0xbffffe6a:  "COLUMNS=80"
0xbffffe75:  "PATH=/usr/src/jet/bin:/usr/local/bin:/usr/bin:/bin:/usr/games:/home/jcomeau:/home/jcomeau/bin:/home/jcomeau/src:/sbin:/usr/sbin:."
(gdb) quit
A debugging session is active.

    Inferior 1 [process 10880] will be killed.

Quit anyway? (y or n) y

Your compiler is apparently smart enough to optimize the simply-formatted printf to a puts. the fetching of the environment string, and the postincrement of i, are right there in the code. If you don't figure some of this out on your own you'll never really understand it. Just "be" the computer, and step through the loop, using the data I dumped out for you with gdb, and it should all become clear to you.

回复 原文
演出会有结束 2024-11-25 01:19:21

cltqCDQE 的 AT&T 助记符,它将 EAX 符号扩展为 RAX。它是 movslq %eax, %rax 的缩写形式,节省代码字节。它的存在是因为 x86-64 从 8086 到 386 再到 AMD64 的演变。

它将 EAX 的符号位复制到更宽寄存器的所有高位,因为这就是 2 的补码的工作原理。该助记符是 Convert Long to Quad 的缩写。

AT&T 语法(由 GNU as / objdump 使用)对于某些指令使用与 Intel 不同的助记符(请参阅 官方文档)。您可以使用 objdump -drwC -Mintel 或 gcc -masm=intel -S 使用 Intel 和 AMD 在其指令参考手册中记录的助记符来获取 Intel 语法(请参阅 x86 标签 wiki(有趣的事实:作为输入,gas 在任一模式下都接受任一助记符)。

machine    mnemonics:                MOVSX equivalent
code         AT&T    Intel           AT&T               Intel

 66 98       cbtw    cbw             movsbw %al,%ax     movsx  ax,al
 98          cwtl    cwde            movswl %ax,%eax    movsx  eax,ax
 48 98       cltq    cdqe            movslq %eax,%rax   movsxd rax,eax

title="show questions tagged 'x86'" rel= " .com/x86/CBW:CWDE:CDQE.html" rel="nofollow noreferrer">这 3 个 insn 的英特尔 insn 参考手册条目。

cltq/cdqe 显然仅在 64 位模式下可用,但其他两个在所有模式下均可用。 x86/MOVSX:MOVSXD.html" rel="nofollow noreferrer">movsxmovzx 仅在 386 中引入,使其变得简单/高效对 al/ax 以外的寄存器进行符号/零扩展,或者在加载时动态进行符号/零扩展。

cltq/cdqe 视为 movslq %eax,%rax 的特殊情况较短编码。它运行得同样快。但唯一的好处是节省了几个字节的代码,因此不值得牺牲任何其他东西来使用它来代替 movsxd / movzx

相关指令组将 [e/r]ax 的符号位复制到 [e/r]dx 的所有位中。 eax 符号扩展为 edx:eaxidiv 之前或在返回宽整数之前很有用一对寄存器。

             AT&T   /  Intel  mnemonic                 effect
 66 99       cwtd      cwd     word->doubleword        dx = signbit(ax)
 99          cltd      cdq     doubleword->quadword   edx = signbit(eax)
 48 99       cqto      cqo     quadword->octword      rdx = signbit(rax)

这些没有等效的单指令,但您可以用两条指令来完成它们:
例如 mov %eax, %edx / sar $31, %edx

记住助记符

用于在 rax 除原始的 8086 cbw 外,均以 e 结尾。您可以记住这种情况,因为即使 8086 也可以在单个寄存器中处理 16 位整数,因此无需将 dl 设置为 al 的符号位。 div r8idiv r8ax 读取被除数,而不是从 dl:al 读取。因此,cbwal 符号扩展为 ax

AT&T 助记符没有明显的提示来帮助您记住哪个是哪个。一些写入 *dx 的内容以 d 结尾(代表 dx?),而不是通常的 l 代表 long. cqto 打破了这种模式,但八字是 128b,因此必须是 rdx:rax 的串联。

IMO 英特尔助记符更容易记住,英特尔语法一般更容易阅读。 (我首先学习了 AT&T 语法,但后来习惯了 Intel,因为阅读 Intel/AMD 手册很有用!)

请注意,对于零扩展,mov %edi,%edi%edi 零扩展为 %rdi,因为 任何写入 32-位寄存器将高 32 位清零

(实际上,尝试 mov 到不同的寄存器(例如 mov %eax, %ecx),因为 same,same 击败英特尔中的 mov-elimination CPU。您经常会看到编译器为具有 32 位无符号参数的函数生成的 asm 使用 mov 进行零扩展,不幸的是通常使用与 src 和目标相同的寄存器。)

对于 8 或 16 到 32(隐含的 64),和 $0xff, %eax 可以工作,但效率低于 movzbl %al, %eax$0xff 不适合 8 位符号扩展立即数,因此它需要完整的 4 字节 0x000000ff 立即数。 (或者更好的是,movzbl %al, %ecx,这样 mov-elimination 可以使其在 Intel CPU 上实现零延迟,其中 mov-elimination 适用于 movzx 8->32。) 。

cltq is the AT&T mnemonic for CDQE, which sign-extends EAX into RAX. It's a short-form of movslq %eax, %rax, saving code bytes. It exists because of how x86-64 evolved from 8086 to 386 to AMD64.

It copies the sign bit of EAX to all the upper bits of the wider register, because that's how 2's complement works. The mnemonic is short for Convert Long to Quad.

AT&T syntax (used by GNU as / objdump) uses different mnemonics than Intel for some instructions (see the official docs). You can use objdump -drwC -Mintel or gcc -masm=intel -S to get Intel syntax using the mnemonics that Intel and AMD document in their instruction reference manuals (see links in the tag wiki. (Fun fact: as input, gas accepts either mnemonic in either mode).

machine    mnemonics:                MOVSX equivalent
code         AT&T    Intel           AT&T               Intel

 66 98       cbtw    cbw             movsbw %al,%ax     movsx  ax,al
 98          cwtl    cwde            movswl %ax,%eax    movsx  eax,ax
 48 98       cltq    cdqe            movslq %eax,%rax   movsxd rax,eax

Intel insn ref manual entry for these 3 insns.

cltq/cdqe is obviously only available in 64-bit mode, but the other two are available in all modes. movsx and movzx were only introduced with 386, making it easy/efficient to sign/zero extend registers other than al/ax, or to sign/zero extend on the fly while loading.

Think of cltq/cdqe as a special-case shorter encoding of movslq %eax,%rax. It runs just as fast. But the only benefit is saving a couple bytes of code, so it's not worth sacrificing anything else to use it instead of movsxd / movzx.

A related group of instructions copies the sign-bit of [e/r]ax into all bits of [e/r]dx. Sign-extending eax into edx:eax is useful before idiv, or simply before returning a wide integer in a pair of registers.

             AT&T   /  Intel  mnemonic                 effect
 66 99       cwtd      cwd     word->doubleword        dx = signbit(ax)
 99          cltd      cdq     doubleword->quadword   edx = signbit(eax)
 48 99       cqto      cqo     quadword->octword      rdx = signbit(rax)

These have no single-instruction equivalent, but you can do them in two instructions:
e.g. mov %eax, %edx / sar $31, %edx

Remembering the mnemonics

The Intel mnemonics for Extending within rax all end with e, except for the original 8086 cbw. You can remember that case because even 8086 handled 16-bit integers in a single register, so there'd be no need to set dl to the sign bit of al. div r8 and idiv r8 read the dividend from ax, not from dl:al. So cbw sign-extends al into ax.

The AT&T mnemonics don't have an obvious hint to help you remember which one is which. Some of the ones that write to *dx end with d (for dx?) instead of the usual l for long. cqto breaks that pattern, but an octword is 128b and thus has to be the concatenation of rdx:rax.

IMO the Intel mnemonics are easier to remember, and Intel-syntax is easier to read in general. (I learned AT&T syntax first, but got used to Intel because reading Intel/AMD manuals is useful!)

Note that for zero-extension, mov %edi,%edi zero-extends %edi into %rdi, because any write to a 32-bit register zeros the upper 32 bits.

(In practice, try to mov to a different register (e.g. mov %eax, %ecx) because same,same defeats mov-elimination in Intel CPUs. You will often see compiler-generated asm for functions with 32-bit unsigned args use a mov to zero-extend, and unfortunately often with the same register as src and destination.)

For 8 or 16 out to 32 (and implicitly 64), and $0xff, %eax works but is less efficient than movzbl %al, %eax. $0xff doesn't fit in an 8-bit sign-extended immediate so it needs a full 4-byte 0x000000ff immediate. (Or better, movzbl %al, %ecx so mov-elimination can make it zero latency on Intel CPUs where mov-elimination works for movzx 8->32.).

回复 原文
阳光下慵懒的猫 2024-11-25 01:19:21

如果你的操作系统是64位,如果你没有声明一个函数驻留在另一个文件中,但你想在这个文件中使用它。 GCC会默认认为这个函数是32位的。所以cltq只会使用RAX(返回值)的低32位,高32位将填充1或0。
希望这个网站能帮助你
http://www.mystone7.com/2012/05/23/cltq/

If your OS is 64bit, If you do not declare a function reside in another file, but you want to use it in this file. GCC will default to think this function to be 32bit. So cltq will only use low 32 bit of RAX(return value) , the high 32bit will be fill in 1 or 0.
hope this web will help you
http://www.mystone7.com/2012/05/23/cltq/

回复 原文
~没有更多了~

关于作者

寄意

暂无简介

0 文章
0 评论
24 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

Gabu-gabumon

文章 0 评论 0

qq_CgiN62

文章 0 评论 0

荔枝明

文章 0 评论 0

赏烟花じ飞满天

文章 0 评论 0

独守阴晴ぅ圆缺

文章 0 评论 0

¤→小豸慧

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文