Επεξεργασία

Κοινή χρήση μέσω


x86 Architecture

The Intel x86 processor uses complex instruction set computer (CISC) architecture, which means there is a modest number of special-purpose registers instead of large quantities of general-purpose registers. It also means that complex special-purpose instructions will predominate.

The x86 processor traces its heritage at least as far back as the 8-bit Intel 8080 processor. Many peculiarities in the x86 instruction set are due to the backward compatibility with that processor (and with its Zilog Z-80 variant).

Microsoft Win32 uses the x86 processor in 32-bit flat mode. This documentation will focus only on the flat mode.

Registers

The x86 architecture consists of the following unprivileged integer registers.

eax

Accumulator

ebx

Base register

ecx

Counter register

edx

Data register - can be used for I/O port access and arithmetic functions

esi

Source index register

edi

Destination index register

ebp

Base pointer register

esp

Stack pointer

All integer registers are 32 bit. However, many of them have 16-bit or 8-bit subregisters.

ax

Low 16 bits of eax

bx

Low 16 bits of ebx

cx

Low 16 bits of ecx

dx

Low 16 bits of edx

si

Low 16 bits of esi

di

Low 16 bits of edi

bp

Low 16 bits of ebp

sp

Low 16 bits of esp

al

Low 8 bits of eax

ah

High 8 bits of ax

bl

Low 8 bits of ebx

bh

High 8 bits of bx

cl

Low 8 bits of ecx

ch

High 8 bits of cx

dl

Low 8 bits of edx

dh

High 8 bits of dx

Operating on a subregister affects only the subregister and none of the parts outside the subregister. For example, storing to the ax register leaves the high 16 bits of the eax register unchanged.

When using the ? (Evaluate Expression) command, registers should be prefixed with an "at" sign ( @ ). For example, you should use ? @ax rather than ? ax. This ensures that the debugger recognizes ax as a register rather than a symbol.

However, the (@) is not required in the r (Registers) command. For instance, r ax=5 will always be interpreted correctly.

Two other registers are important for the processor's current state.

eip

instruction pointer

flags

flags

The instruction pointer is the address of the instruction being executed.

The flags register is a collection of single-bit flags. Many instructions alter the flags to describe the result of the instruction. These flags can then be tested by conditional jump instructions. See x86 Flags for details.

Calling Conventions

The x86 architecture has several different calling conventions. Fortunately, they all follow the same register preservation and function return rules:

  • Functions must preserve all registers, except for eax, ecx, and edx, which can be changed across a function call, and esp, which must be updated according to the calling convention.

  • The eax register receives function return values if the result is 32 bits or smaller. If the result is 64 bits, then the result is stored in the edx:eax pair.

The following is a list of calling conventions used on the x86 architecture:

  • Win32 (__stdcall)

    Function parameters are passed on the stack, pushed right to left, and the callee cleans the stack.

  • Native C++ method call (also known as thiscall)

    Function parameters are passed on the stack, pushed right to left, the "this" pointer is passed in the ecx register, and the callee cleans the stack.

  • COM (__stdcall for C++ method calls)

    Function parameters are passed on the stack, pushed right to left, then the "this" pointer is pushed on the stack, and then the function is called. The callee cleans the stack.

  • __fastcall

    The first two DWORD-or-smaller arguments are passed in the ecx and edx registers. The remaining parameters are passed on the stack, pushed right to left. The callee cleans the stack.

  • __cdecl

    Function parameters are passed on the stack, pushed right to left, and the caller cleans the stack. The __cdecl calling convention is used for all functions with variable-length parameters.

Debugger Display of Registers and Flags

Here is a sample debugger register display:

eax=00000000 ebx=008b6f00 ecx=01010101 edx=ffffffff esi=00000000 edi=00465000
eip=77f9d022 esp=05cffc48 ebp=05cffc54 iopl=0         nv up ei ng nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000286

In user-mode debugging, you can ignore the iopl and the entire last line of the debugger display.

x86 Flags

In the preceding example, the two-letter codes at the end of the second line are flags. These are single-bit registers and have a variety of uses.

The following table lists the x86 flags:

Flag Code Flag Name Value Flag Status Description
of Overflow Flag 0 1 nvov No overflow - Overflow
df Direction Flag 0 1 updn Direction up - Direction down
if Interrupt Flag 0 1 diei Interrupts disabled - Interrupts enabled
sf Sign Flag 0 1 plng Positive (or zero) - Negative
zf Zero Flag 0 1 nzzr Nonzero - Zero
af Auxiliary Carry Flag 0 1 naac No auxiliary carry - Auxiliary carry
pf Parity Flag 0 1 pepo Parity odd - Parity even
cf Carry Flag 0 1 nccy No carry - Carry
tf Trap Flag If tf equals 1, the processor will raise a STATUS_SINGLE_STEP exception after the execution of one instruction. This flag is used by a debugger to implement single-step tracing. It should not be used by other applications.
iopl I/O Privilege Level I/O Privilege Level This is a two-bit integer, with values between zero and 3. It is used by the operating system to control access to hardware. It should not be used by applications.

When registers are displayed as a result of some command in the Debugger Command window, it is the flag status that is displayed. However, if you want to change a flag using the r (Registers) command, you should refer to it by the flag code.

In the Registers window of WinDbg, the flag code is used to view or alter flags. The flag status is not supported.

Here is an example. In the preceding register display, the flag status ng appears. This means that the sign flag is currently set to 1. To change this, use the following command:

r sf=0

This sets the sign flag to zero. If you do another register display, the ng status code will not appear. Instead, the pl status code will be displayed.

The Sign Flag, Zero Flag, and Carry Flag are the most commonly-used flags.

Conditions

A condition describes the state of one or more flags. All conditional operations on the x86 are expressed in terms of conditions.

The assembler uses a one or two letter abbreviation to represent a condition. A condition can be represented by multiple abbreviations. For example, AE ("above or equal") is the same condition as NB ("not below"). The following table lists some common conditions and their meaning.

Condition Name Flags Meaning

Z

ZF=1

Result of last operation was zero.

NZ

ZF=0

Result of last operation was not zero.

C

CF=1

Last operation required a carry or borrow. (For unsigned integers, this indicates overflow.)

NC

CF=0

Last operation did not require a carry or borrow. (For unsigned integers, this indicates overflow.)

S

SF=1

Result of last operation has its high bit set.

NS

SF=0

Result of last operation has its high bit clear.

O

OF=1

When treated as a signed integer operation, the last operation caused an overflow or underflow.

NO

OF=0

When treated as signed integer operation, the last operation did not cause an overflow or underflow.

Conditions can also be used to compare two values. The cmp instruction compares its two operands, and then sets flags as if subtracted one operand from the other. The following conditions can be used to check the result of cmp value1, value2.

Condition Name Flags Meaning after a CMP operation.

E

ZF=1

value1 == value2.

NE

ZF=0

value1 != value2.

GE NL

SF=OF

value1 >= value2. Values are treated as signed integers.

LE NG

ZF=1 or SF!=OF

value1 <= value2. Values are treated as signed integers.

G NLE

ZF=0 and SF=OF

value1 > value2. Values are treated as signed integers.

L NGE

SF!=OF

value1 < value2. Values are treated as signed integers.

AE NB

CF=0

value1 >= value2. Values are treated as unsigned integers.

BE NA

CF=1 or ZF=1

value1 <= value2. Values are treated as unsigned integers.

A NBE

CF=0 and ZF=0

value1 > value2. Values are treated as unsigned integers.

B NAE

CF=1

value1 < value2. Values are treated as unsigned integers.

Conditions are typically used to act on the result of a cmp or test instruction. For example,

cmp eax, 5
jz equal

compares the eax register against the number 5 by computing the expression (eax - 5) and setting flags according to the result. If the result of the subtraction is zero, then the zr flag will be set, and the jz condition will be true so the jump will be taken.

Data Types

  • byte: 8 bits

  • word: 16 bits

  • dword: 32 bits

  • qword: 64 bits (includes floating-point doubles)

  • tword: 80 bits (includes floating-point extended doubles)

  • oword: 128 bits

Notation

The following table indicates the notation used to describe assembly language instructions.

Notation Meaning

r, r1, r2...

Registers

m

Memory address (see the succeeding Addressing Modes section for more information.)

#n

Immediate constant

r/m

Register or memory

r/#n

Register or immediate constant

r/m/#n

Register, memory, or immediate constant

cc

A condition code listed in the preceding Conditions section.

T

"B", "W", or "D" (byte, word or dword)

accT

Size T accumulator: al if T = "B", ax if T = "W", or eax if T = "D"

Addressing Modes

There are several different addressing modes, but they all take the form T ptr [expr], where T is some data type (see the preceding Data Types section) and expr is some expression involving constants and registers.

The notation for most modes can be deduced without much difficulty. For example, BYTE PTR [esi+edx*8+3] means "take the value of the esi register, add to it eight times the value of the edx register, add three, then access the byte at the resulting address."

Pipelining

The Pentium is dual-issue, which means that it can perform up to two actions in one clock tick. However, the rules on when it is capable of doing two actions at once (known as pairing) are very complicated.

Because x86 is a CISC processor, you do not have to worry about jump delay slots.

Synchronized Memory Access

Load, modify, and store instructions can receive a lock prefix, which modifies the instruction as follows:

  1. Before issuing the instruction, the CPU will flush all pending memory operations to ensure coherency. All data prefetches are abandoned.

  2. While issuing the instruction, the CPU will have exclusive access to the bus. This ensures the atomicity of the load/modify/store operation.

The xchg instruction automatically obeys the previous rules whenever it exchanges a value with memory.

All other instructions default to nonlocking.

Jump Prediction

Unconditional jumps are predicted to be taken.

Conditional jumps are predicted to be taken or not taken, depending on whether they were taken the last time they were executed. The cache for recording jump history is limited in size.

If the CPU does not have a record of whether the conditional jump was taken or not taken the last time it was executed, it predicts backward conditional jumps as taken and forward conditional jumps as not taken.

Alignment

The x86 processor will automatically correct unaligned memory access, at a performance penalty. No exception is raised.

A memory access is considered aligned if the address is an integer multiple of the object size. For example, all BYTE accesses are aligned (everything is an integer multiple of 1), WORD accesses to even addresses are aligned, and DWORD addresses must be a multiple of 4 in order to be aligned.

The lock prefix should not be used for unaligned memory accesses.