# CS 261 Fall 2017



0x100000f7a

Mike Lam, Professor

#### Machine and Assembly Code

00000010000f68

Data Movement and Arithmetic

# Topics

- Architecture/assembly intro
- Data formats
- Data movement
- Arithmetic and logical operations

## **Computer systems**



## **Computer systems**



# Let's focus for now on the single-CPU components

## von Neumann architecture



## von Neumann architecture



## Machine code

#### Machine code

- Variable-length binary encoding of **opcodes** and *operands*
- Program is stored in memory along with data
- Specific to a particular CPU architecture (e.g., x86-64)
- Looks very different than the original C code!

```
int add (int num1, int num2)
{
    return num1 + num2;
}
000000000400606 <add>:
                 55
  400606:
                48 89 e5
  400607:
  40060a:
                89 7d fc
                89 75 f8
  40060d:
                8b 55 fc
  400610:
                8b 45 f8
  400613:
                01 d0
  400616:
  400618:
                 5d
                 c3
  400619:
```

# Machine code

- Machine instructions are specified by an instruction set architecture (ISA)
  - x86-64 (x64) is the current dominant workstation/server architecture
    - ARM is used in embedded and mobile markets
    - **POWER** is used in high-performance market
  - x86-64 has an **enormous**, complex instruction set
    - Lots of legacy features and support for previous ISAs
    - We'll learn a bit of it now, then later focus on a simplified form called Y86

| 00000000004006 | 06 <add>:</add> |  |
|----------------|-----------------|--|
| 400606:        | 55              |  |
| 400607:        | <b>48</b> 89 e5 |  |
| 40060a:        | <b>89</b> 7d fc |  |
| 40060d:        | <b>89</b> 75 f8 |  |
| 400610:        | <b>8b</b> 55 fc |  |
| 400613:        | <b>8b</b> 45 f8 |  |
| 400616:        | <b>01</b> d0    |  |
| 400618:        | 5d              |  |
| 400619:        | C3              |  |
|                |                 |  |

## Assembly code

- Assembly code: human-readable form of machine code
  - Each indented line of text represents a single machine code instruction
    - Two main x86-64 formats: Intel and ATT (we'll use the latter)
    - Use "#" to denote comments (extends to end of line)
  - Generated from C code by compiler (not a simple process!)
  - Disassemblers like objdump can extract assembly from an executable
  - Understanding assembly helps you to debug, optimize, and secure your programs

|               |                 | opcode | operands        |
|---------------|-----------------|--------|-----------------|
| 0000000000400 |                 |        |                 |
| 400606:       | 55              | push   | %rbp            |
| 400607:       | <b>48</b> 89 e5 | mov    | %rsp,%rbp       |
| 40060a:       | <b>89</b> 7d fc | mov    | %edi,-0x4(%rbp) |
| 40060d:       | <b>89</b> 75 f8 | mov    | %esi,-0x8(%rbp) |
| 400610:       | <b>8b</b> 55 fc | mov    | -0x4(%rbp),%edx |
| 400613:       | <b>8b</b> 45 f8 | mov    | -0x8(%rbp),%eax |
| 400616:       | <b>01</b> d0    | add    | %edx,%eax       |
| 400618:       | 5d              | рор    | %rbp            |
| 400619:       | <b>c3</b>       | retq   |                 |

## Assembly code

- Assembly provides low-level access to machine
  - Program counter (PC) tracks current instruction
    - Like a bookmark; also referred to as the instruction pointer (IP)
  - Arithmetic logic unit (ALU) executes opcode of instructions
    - Today, we'll focus on data movement and arithmetic opcodes
  - Register file & main memory store operands
    - Registers are faster but main memory is larger



# Registers

- General-purpose
  - AX: accumulator
  - BX: base
  - CX: counter
  - DX: address
  - SI: source index
  - DI: dest index
- Special
  - **BP**: base pointer
  - SP: stack pointer
  - FLAGS: status info
    - "Condition codes" in CS:APP
  - IP: instruction pointer
    - This is the PC on x86-64

exx = lower 32-bits (e.g., eax) rxx = full 64 bits (e.g., rax)

| -                    | not modified for<br>not modified for 16-bit |    | nds     | 1            |         |                               |           |
|----------------------|---------------------------------------------|----|---------|--------------|---------|-------------------------------|-----------|
| register<br>encoding | zero-extended<br>for 32-bit operands        | 1  |         | low<br>8-bit | 16-bit  | 32-bit                        | 64-bi     |
| 0                    |                                             |    | AH*     | AL           | AX      | EAX                           | RAX       |
| 3                    |                                             |    | BH*     | BL           | BX      | EBX                           | RBX       |
| 1                    |                                             |    | CH*     | CL           | сх      | ECX                           | RCX       |
| 2                    |                                             |    | DH*     | DL           | DX      | EDX                           | RDX       |
| 6                    |                                             |    |         | SIL**        | SI      | ESI                           | RSI       |
| 7                    |                                             |    |         | DIL**        | DI      | EDI                           | RDI       |
| 5                    |                                             |    |         | BPL**        | BP      | EBP                           | RBP       |
| 4                    |                                             |    |         | SPL**        | SP      | ESP                           | RSP       |
| 8                    |                                             |    |         | R8B          | R8W     | R8D                           | R8        |
| 9                    |                                             |    |         | R9B          | R9W     | R9D                           | R9        |
| 10                   |                                             |    |         | R10B         | R10W    | RIOD                          | R10       |
| 11                   |                                             |    |         | R11B         | R11W    | R11D                          | R11       |
| 12                   |                                             |    |         | R12B         | R12W    | R12D                          | R12       |
| 13                   |                                             |    |         | R13B         | R13W    | R13D                          | R13       |
| 14                   |                                             |    |         | R14B         | R14W    | R14D                          | R14       |
| 15                   |                                             |    |         | R15B         | R15W    | R15D                          | R15       |
| 63                   | 32                                          | 31 | 16 15 8 | 7 0          |         |                               |           |
|                      | 0                                           |    |         |              | RFLAG   | S 50                          | 3-309.eps |
|                      |                                             |    |         |              | RIP     |                               |           |
| 63                   | 32                                          | 31 |         | 0            |         | addressable<br>X prefix is us |           |
|                      |                                             |    |         |              | ** Only | addressable<br>X prefix is us | e when    |

# **Operand types**

- Immediate
  - Operand embedded in instruction itself
  - Extends the size of the instruction by the width of the value
  - Written in assembly using "\$" prefix (e.g., \$42 or \$0x1234)
- Register
  - Operand stored in register file
  - Accessed by register number
  - Written in assembly using name and "%" prefix (e.g., %eax or %rsp)
- Memory
  - Operand stored in main memory
  - Accessed by effective address calculated from instruction components
  - Written in assembly using a variety of addressing modes

## Memory addressing modes

- Absolute: addr
  - Effective address: addr
- Indirect: (reg)
  - Effective address: **R**[*reg*]
- Base + displacement: offset(reg)
  - Effective address: offset + R[reg]
- Indexed: offset(reg<sub>base</sub>, reg<sub>index</sub>)
  - Effective address: offset + R[reg<sub>base</sub>] + R[reg<sub>index</sub>]
- Scaled indexed: offset(reg<sub>base</sub>, reg<sub>index</sub>, s)
  - Effective address: offset + R[reg<sub>base</sub>] + R[reg<sub>index</sub>] · s
  - Scale (s) must be 1, 2, 4, or 8

**R**[**reg**] = value of register **reg** 





- Given the following machine status, what is the value of the following assembly operands? (assume 32-bit memory locations)
  - \$42
  - \$0x10
  - %rax
  - 0x104
  - (%rax)
  - 4(%rax)
  - 2(%rax, %rdx)
  - (%rax, %rdx, 4)

#### Registers

| <u>Name</u> | <u>Value</u> |
|-------------|--------------|
| %rax        | 0x100        |
| %rdx        | 0x2          |

#### Memory

| <u>Address</u> | <u>Value</u> |
|----------------|--------------|
| 0x100          | 0xFF         |
| 0x104          | 0xAB         |
| 0x108          | 0x13         |

- Given the following machine status, what is the value of the following assembly operands? (assume 32-bit memory locations)
  - \$42 <mark>42</mark>
  - \$0x10 **1**6

  - (%rax) 0xFF
  - 4(%rax) 0xAB
  - 2(%rax, %rdx) OxAB
  - (%rax, %rdx, 4) 0x13

#### Registers

| <u>Name</u> | <u>Value</u> |
|-------------|--------------|
| %rax        | 0x100        |
| %rdx        | 0x2          |

#### Memory

| <u>Address</u> | <u>Value</u> |  |  |
|----------------|--------------|--|--|
| 0x100          | 0xFF         |  |  |
| 0x104          | 0xAB         |  |  |
| 0x108          | 0x13         |  |  |

## Data sizes

- Historical artifact: "word" in x86 is 16 bits
  - 1 byte (8 bits) = "byte" (b suffix)
  - 2 bytes (16 bits) = "word" (w suffix)
  - 4 bytes (32 bits) = "double word" (1 suffix)
  - 8 bytes (64 bits) = "quad word" (q suffix)
- Often, a "class" of instructions will perform similar jobs, but on different sizes of data
  - There are no "types" in assembly code
  - Thus, instruction suffixes and operand sizes must match!
  - E.g., movg \$1, %rax is valid but movg \$1, %eax is not

## Data movement

- Primary data movement instruction: "mov"
  - Copies data from first operand to second operand
    - E.g., movq \$1, %rax will set the value of RAX to 1
  - movb, movw, movl, movq, movabsq
- Zero-extension variant: "movz"
  - movzbw, movzbl, movzwl, movzbq, movzwq
  - Note lack of movzlq; just use movl, which sets higher 32-bits to zero
- Sign-extension variant: "movs"

## x86-64 addresses

- Addresses in x86-64 are always 64 bits
  - Thus, the registers used to calculate the effective address of a memory operand must be 64 bits
    - E.g., movw %ax, (%rbp) is valid
    - E.g., **movw** %ax, %rbp is **not valid**!
  - This does NOT mean that the instruction will load or store 64 bits from/to memory
    - The size of data moved is determined by the instruction suffix
    - Memory locations have no "type" in assembly/machine code

# Stack management

- The system stack holds 8-byte (quadword) slots, growing downward from high addresses to low addresses
  - Stack Pointer (SP) register stores address of "top" of stack
    - i.e., a pointer to the last value pushed (lowest address)
    - On x86-64, it is %rsp b/c addresses are 64 bits
  - pushq <reg> instruction
    - Subtract 8 from stack pointer
    - Store value of <reg> at stack top
  - popq <reg> instruction
    - Retrieve value at current stack top (%rsp)
      - Save value in the given register
    - Increment stack pointer by 8



- Given the following register state, what will the values of the registers be after the following instruction sequence?
  - pushq %rax
  - pushq %rcx
  - pushq %rbx
  - pushq %rdx
  - popq %rax
  - popq %rbx
  - popq %rcx
  - popq %rdx

#### Registers

| <u>Name</u> | <u>Value</u> |
|-------------|--------------|
| %rax        | 0xAA         |
| %rbx        | 0xBB         |
| %rcx        | 0xCC         |
| %rdx        | 0xDD         |

- Given the following register state, what will the values of the registers be after the following instruction sequence?
  - pushq %rax
  - pushq %rcx
  - pushq %rbx
  - pushq %rdx
  - popq %rax %rax = 0xDD
  - popq %rbx %rbx
  - popq %rcx
  - popq %rdx

| %rax | = | ⊎xdd |
|------|---|------|
| %rbx | = | 0xBB |
| %rcx | = | 0xCC |
| %rdx | = | 0xAA |

| Registers   |              |  |  |
|-------------|--------------|--|--|
| <u>Name</u> | <u>Value</u> |  |  |
| %rax        | 0xAA         |  |  |
| %rbx        | 0xBB         |  |  |
| %rcx        | 0xCC         |  |  |
| %rdx        | 0xDD         |  |  |

# **Arithmetic operations**

| Instru | ction               | Effect                             | Description              |
|--------|---------------------|------------------------------------|--------------------------|
| leaq   | <i>S</i> , <i>D</i> | $D \leftarrow \&S$                 | Load effective address   |
| INC    | D                   | $D \leftarrow D+1$                 | Increment                |
| DEC    | D                   | $D \leftarrow D-1$                 | Decrement                |
| NEG    | D                   | $D \leftarrow -D$                  | Negate                   |
| NOT    | D                   | $D \leftarrow \neg D$              | Complement               |
| ADD    | <i>S</i> , <i>D</i> | $D \leftarrow D + S$               | Add                      |
| SUB    | S, D                | $D \leftarrow D - S$               | Subtract                 |
| IMUL   | S, D                | $D \leftarrow D * S$               | Multiply                 |
| XOR    | <i>S</i> , <i>D</i> | $D \leftarrow D^{s}$               | Exclusive-or             |
| OR     | <i>S</i> , <i>D</i> | $D \leftarrow D \mid S$            | Or                       |
| AND    | S, D                | $D \leftarrow D \& S$              | And                      |
| SAL    | k, D                | $D \leftarrow D << k$              | Left shift               |
| SHL    | k, D                | $D \leftarrow D << k$              | Left shift (same as SAL) |
| SAR    | k, D                | $D \leftarrow D >>_{A} k$          | Arithmetic right shift   |
| SHR    | k, D                | $D \leftarrow D >>_{\mathrm{L}} k$ | Logical right shift      |

Figure 3.10 Integer arithmetic operations. The load effective address (leaq) instruction is commonly used to perform simple arithmetic. The remaining ones are more standard unary or binary operations. We use the notation  $>>_A$  and  $>>_L$  to denote arithmetic and logical right shift, respectively. Note the nonintuitive ordering of the operands with ATT-format assembly code.

| Instruction<br>leaq S, A<br>INC D<br>DEC D<br>NEG D<br>NOT D | D D        | fect<br>← | &S                              | Description<br>Load effective address                            |                       | Re                           | gisters                                       |
|--------------------------------------------------------------|------------|-----------|---------------------------------|------------------------------------------------------------------|-----------------------|------------------------------|-----------------------------------------------|
| INC D<br>DEC D<br>NEG D                                      |            | ~         | &S                              | Load effective address                                           |                       |                              | -                                             |
| DEC D<br>NEG D                                               | D          |           |                                 | Load effective address                                           |                       | <u>Name</u>                  | <u>Value</u>                                  |
|                                                              | D          | ↓<br>↓    | D+1<br>D−1<br>−D<br>~D          | Increment<br>Decrement<br>Negate<br>Complement                   |                       | %rax<br>%rbx<br>%rcx<br>%rdx | 0x12<br>0x56<br>0x02<br>0xF0                  |
| ADD S, I<br>SUB S, I<br>IMUL S, I<br>XOR S, I                | D D<br>D D | ←<br>←    | $D + S$ $D - S$ $D * S$ $D ^ S$ | Add<br>Subtract<br>Multiply<br>Exclusive-or                      |                       |                              | values of all registers<br>wing instructions? |
| OR S, I<br>AND S, I                                          | D D        | ~         | D   S<br>D & S                  | Or<br>And                                                        | addq<br>subq          | %rax,<br>%rax,               | %rbx                                          |
| SAL k, I<br>SHL k, I<br>SAR k, I<br>SHR k, I                 | D D        | ~         | $D << k$ $D << k$ $D >>_A k$    | Left shift<br>Left shift (same as SAL)<br>Arithmetic right shift | imulq<br>andq<br>shrq | %rcx,<br>%rbx,<br>\$4,       |                                               |

**Figure 3.10 Integer arithmetic operations.** The load effective address (leaq) instruction is commonly used to perform simple arithmetic. The remaining ones are more standard unary or binary operations. We use the notation  $>>_A$  and  $>>_L$  to denote arithmetic and logical right shift, respectively. Note the nonintuitive ordering of the operands with ATT-format assembly code.

| Instruction Effect Description |                     |                               |                          |                                        |
|--------------------------------|---------------------|-------------------------------|--------------------------|----------------------------------------|
|                                | ction               | Effect                        | Description              | Registers                              |
| leaq                           | S, D                | $D \leftarrow \&S$            | Load effective address   | <u>Name</u> <u>Value</u>               |
| INC                            | D                   | $D \leftarrow D+1$            | Increment                | %rax 0x12                              |
| DEC                            | D                   | $D \leftarrow D-1$            | Decrement                | %rbx 0x56                              |
| NEG                            | D                   | $D \leftarrow -D$             | Negate                   | %rcx 0x02                              |
| NOT                            | D                   | $D \leftarrow \sim D$         | Complement               | %rdx 0xF0                              |
| ADD                            | S, D                | $D \leftarrow D + S$          | Add                      |                                        |
| SUB                            | S, D                | $D \leftarrow D - S$          | Subtract                 | What are the values of all registers   |
| IMUL                           | S, D                | $D \leftarrow D * S$          | Multiply                 | after the following instructions?      |
| XOR                            | <i>S</i> , <i>D</i> | $D \leftarrow D^{s}$          | Exclusive-or             |                                        |
| OR                             | S, D                | $D \leftarrow D \mid S$       | Or                       | addq %rax, %rax <mark>%rax:0x24</mark> |
| AND                            | S, D                | $D \leftarrow D \& S$         | And                      | subq %rax, %rbx %rbx:0x32              |
| SAL                            | k, D                | $D \leftarrow D << k$         | Left shift               | <pre>imulq %rcx, %rax %rax:0x48</pre>  |
| SHL                            | k, D                | $D \leftarrow D << k$         | Left shift (same as SAL) | andq %rbx, %rdx %rdx:0x30              |
| SAR                            | k, D                | $D \leftarrow D >>_A k$       | Arithmetic right shift   | shrq \$4, %rdx %rdx:0x03               |
| SHR                            | k, D                | $D \leftarrow D >>_{\rm L} k$ | Logical right shift      |                                        |

**Figure 3.10 Integer arithmetic operations.** The load effective address (leaq) instruction is commonly used to perform simple arithmetic. The remaining ones are more standard unary or binary operations. We use the notation  $>>_A$  and  $>>_L$  to denote arithmetic and logical right shift, respectively. Note the nonintuitive ordering of the operands with ATT-format assembly code.

%rax = 0x48 %rbx = 0x32 %rcx = 0x02 %rdx = 0x03

| Instruction |                     | Effect                             | Description              |                                                               |
|-------------|---------------------|------------------------------------|--------------------------|---------------------------------------------------------------|
| leaq        | S, D                | $D \leftarrow \&S$                 | Load effective address   |                                                               |
| INC         | D                   | $D \leftarrow D+1$                 | Increment                |                                                               |
| DEC         | D                   | $D \leftarrow D-1$                 | Decrement                |                                                               |
| NEG         | D                   | $D \leftarrow -D$                  | Negate                   |                                                               |
| NOT         | D                   | $D \leftarrow \neg D$              | Complement               |                                                               |
| ADD         | <i>S</i> , <i>D</i> | $D \leftarrow D + S$               | Add                      | What does the following instruction do if $\%$ rax = $0x100?$ |
| SUB         | S, D                | $D \leftarrow D - S$               | Subtract                 |                                                               |
| IMUL        | S, D                | $D \leftarrow D * S$               | Multiply                 | leaq (%rax, %rax, 2), %rax                                    |
| XOR         | <i>S</i> , <i>D</i> | $D \leftarrow D^{-}S$              | Exclusive-or             |                                                               |
| OR          | <i>S</i> , <i>D</i> | $D \leftarrow D \mid S$            | Or                       |                                                               |
| AND         | S, D                | $D \leftarrow D \& S$              | And                      |                                                               |
| SAL         | k, D                | $D \leftarrow D << k$              | Left shift               |                                                               |
| SHL         | k, D                | $D \leftarrow D << k$              | Left shift (same as SAL) |                                                               |
| SAR         | k, D                | $D \leftarrow D >>_A k$            | Arithmetic right shift   |                                                               |
| SHR         | k, D                | $D \leftarrow D >>_{\mathrm{L}} k$ | Logical right shift      |                                                               |

**Figure 3.10 Integer arithmetic operations.** The load effective address (leaq) instruction is commonly used to perform simple arithmetic. The remaining ones are more standard unary or binary operations. We use the notation  $>>_A$  and  $>>_L$  to denote arithmetic and logical right shift, respectively. Note the nonintuitive ordering of the operands with ATT-format assembly code.

| Instruction |                     | Effect                        | Description              |                                                               |
|-------------|---------------------|-------------------------------|--------------------------|---------------------------------------------------------------|
| leaq        | S, D                | $D \leftarrow \&S$            | Load effective address   |                                                               |
| INC         | D                   | $D \leftarrow D+1$            | Increment                |                                                               |
| DEC         | D                   | $D \leftarrow D-1$            | Decrement                |                                                               |
| NEG         | D                   | $D \leftarrow -D$             | Negate                   |                                                               |
| NOT         | D                   | $D \leftarrow \sim D$         | Complement               |                                                               |
| ADD         | <i>S</i> , <i>D</i> | $D \leftarrow D + S$          | Add                      | What does the following instruction do if $\%$ rax = $0x100?$ |
| SUB         | S, D                | $D \leftarrow D - S$          | Subtract                 |                                                               |
| IMUL        | S, D                | $D \leftarrow D * S$          | Multiply                 | leaq (%rax, %rax, 2), %rax                                    |
| XOR         | <i>S</i> , <i>D</i> | $D \leftarrow D^{s}$          | Exclusive-or             |                                                               |
| OR          | S, D                | $D \leftarrow D \mid S$       | Or                       |                                                               |
| AND         | S, D                | $D \leftarrow D \& S$         | And                      | %rax = 0x300                                                  |
| SAL         | k, D                | $D \leftarrow D << k$         | Left shift               | (multiply by three)                                           |
| SHL         | k, D                | $D \leftarrow D << k$         | Left shift (same as SAL) | Note: leaq does not actually read/write memory!               |
| SAR         | k, D                | $D \leftarrow D >>_A k$       | Arithmetic right shift   |                                                               |
| SHR         | k, D                | $D \leftarrow D >>_{\rm L} k$ | Logical right shift      |                                                               |

**Figure 3.10 Integer arithmetic operations.** The load effective address (leaq) instruction is commonly used to perform simple arithmetic. The remaining ones are more standard unary or binary operations. We use the notation  $>>_A$  and  $>>_L$  to denote arithmetic and logical right shift, respectively. Note the nonintuitive ordering of the operands with ATT-format assembly code.

# Hand-writing assembly

• Minimal template (returns 0; known to work on stu):

```
.globl main
main:
movq $0, %rax # your code goes here
ret
```

- Save in .s file and build with gcc as usual (don't use "-c" flag)
  - Run program and view return value in bash with "echo \$?"
- Use gdb to trace execution
  - start: begin execution and pause at main
  - disas: print disassembly of current function
  - ni: next instruction (step over function calls)
  - si: step instruction (step into function calls)
  - p/x \$rax: print value of RAX (note "\$" instead of "%")
  - info registers: print values of all registers