1

Heterogeneous Data Structures & Alignment

* heterogeneous: 不同种类的

2

Outline

• Struct• Union• Alignment

– Chap 3.9, 3.10

3

Structures P191

• Group objects into a single object• Each object is referenced by name• Memory layout

– All the components are stored in a contiguous region of memory

– A pointer to a structure is the address of its first byte

• References to structure elements– Using offsets as displacements

4

Structure P192

struct rect {int llx; /* X coordinate of lower-left corner */int lly; /* Y coordinate of lower-left corner */int color; /* Coding of color */int width; /* Width (in pixels) */int height; /* Height (in pixels) */

};

5

Structure P192

struct rect r;

r.llx = r.lly = 0;r.color = 0xFF00FF;r.width = 10;r.height = 20;

6

Structure P192

int area (struct rect *rp){return (*rp).width * (*rp).height;

}

void rotate_left (struct rect *rp){/* Exchange width and height */int t = rp->height;rp->height = rp->width;rp->width = t;

}

7

Structure

struct rec {

int i;

int j;

int a[3];

int *p;

} *r;

8

Structure P193

• Copy element r->i to element r->j:• r is in register %edx.

1 movl (%edx), %eax Get r->i2 movl %eax, 4(%edx) Store in

r->j

9

Structure P193

• Generate the pointer &(r->a[1])– r in %eax, – i in %edx

1 leal 8(%eax,%edx,4),%ecx %ecx = &r->a[i]

10

Structure

• r->p = &r->a[r->i + r->j];– r in register %edx:

1 movl 4(%edx), %eax Get r->j2 addl (%edx), %eax Add r->i3 leal 8(%edx,%eax,4), %eax Compute &r-

>a[r->i + r->j]4 movl %eax, 20(%edx) Store in r->p

11

Unions P194

• A single object can be referenced by using different data types

• The syntax of a union declaration is identical to that for structures, but its semantics are very different

• Rather than having the different fields reference different blocks of memory, they all reference the same block

*syntax: 语法*semantic: 语义

12

Unions

struct S3 {

char c;

int i[2];

double v;

};

union U3 {

char c;

int i[2];

double v;

};

13

Unions P195

• The offsets of the fields, as well as the total size of data types S3 and U3, are:

Type c i v size

S3 0 4 12 20U3 0 0 0 8

14

Unions P195

struct NODE {struct NODE *left;struct NODE *right;double data;

};union NODE {struct {

union NODE *left;union NODE *right;

} internal;double data;

};

15

Unions (additional tag field)

struct NODE {

int is_leaf;

union {

struct {

struct NODE *left;

struct NODE *right;

} internal;

double data;

} info;

};

16

Unions P196

1 unsigned float2bit(float f)

2 {

3 union {

4 float f;

5 unsigned u;

6 } temp;

7 temp.f = f;

8 return temp.u;

9 };

1 movl 8(%ebp), %eax

17

Unions

1 unsigned float2bit(float f)

2 {

3 union {

4 float f;

5 unsigned u;

6 } temp;

7 temp.f = f;

8 return temp.u;

9 };

1 movl 8(%ebp), %eax

18

Unions (Code generated identical to the procedure)

1 unsigned copy (unsigned u)

2 {

3 return u;

4 }

1 movl 8(%ebp), %eax

19

Alignment P198

• Alignment restrictions

– The address for some type of object must be a

multiple of some value k (typically 2, 4, or 8)

– Simplify the hardware design of the interface

between the processor and the memory

system

20

Alignment

• In IA32

– hardware will work correctly regardless of the

alignment of data

– Aligned data can improve memory system

performance

21

Alignment

• Linux alignment restriction

– 1-byte data types are able to have any

address

– 2-byte data types must have an address that

is multiple of 2

– Any larger data types must have an address

that is multiple of 4

22

Alignment

• Alignment is enforced by– Making sure that every data type is organized

and allocated in such a way that every object within the type satisfies its alignment restrictions.

• malloc()– Returns a generic pointer that is void *– Its alignment requirement is 4

23

Alignment

• Structure data type– may need to insert gaps in the field allocation– may need to add padding to the end of the

structure

* padding: 填充

24

Alignment P199

struct S1 {

int i;

char c;

int j;

};

25

Alignment P200

struct S2 {

int i;

int j;

char c;

} d[4];

xd, xd+9, xd+18, xd+27

xd, xd+12, xd+24, xd+36

26

Putting it Together

27

Outline

• Pointer– Declaration

– referencing, deferencing

– memory allocation, memory free

• Buffer overflow

• Suggested reading– Chap 3.11, 3.13

28

Example P202 Figure 3.26

1 struct str { /* Example Structure */2 int t;3 char v;4 };56 union uni { /* Example Union */7 int t;8 char v;9 } u;1011 int g = 15;12

29

Example P202 Figure 3.26

13 void fun(int* xp)14 {15 void (*f)(int*) = fun; /* f is a function

pointer */1617 /* Allocate structure on stack */18 struct str s = {1,’a’}; /* Initialize structure

*/1920 /* Allocate union from heap */21 union uni *up = (union uni *)

malloc(sizeof(union uni));2223 /* Locally declared array */24 int *ip[2] = {xp, &g};

30

Example

26 up->v = s.v+1;2728 printf("ip = %p, *ip = %p, **ip = %d\n",29 ip, *ip, **ip);30 printf("ip+1 = %p, ip[1] = %p, *ip[1] = %d\n",31 ip+1, ip[1], *ip[1]);32 printf ("&s.v = %p, s.v = ’%c’\n", &s.v, s.v);33 printf ("&up->v = %p, up->v = ’%c’\n", &up->v,

up->v);34 printf ("f = %p\n", f);35 if (--(*xp) > 0)36 f(xp); /* Recursive call of fun */37 }

31

Example P202 Figure 3.26

38

39 int test()

40 {41 int x = 2;42 fun(&x);43 return x;44 }

32

Every pointer has a type P201

• If the object has type T– A pointer to this object has type T *

• Special void * type– Represents a generic pointer

• malloc returns a generic pointer

Pointer Type

Object Type

Pointers

int * int xp, ip[0], ip[1]

union uni * union uni up

33

Every pointer has a value

xp ip[0] ip[1] up

&x &x &g Address in heap

34

Pointers are created with the & operator

• Applied to lvalue expression– Lvalue expression can appear on the left side of

assignment– &g, &s.v, &u->v, &x

35

Pointers are dereferenced with the operator *

• The result is a value having the type associated with the pointer

• *ip, **ip, *ip[1], *xp• up->v

36

Arrays and pointers are closed related

• The name of array can be viewed as a pointer constant

• ip[0] is equivalent to *ip

37

Pointers can point to functions

• void (*f)(int *)• f is a pointer to function• The function taken int * as argument• The return type of the function is void• Assignment makes f point to func

– f = func

void: 空的

38

The precedence of the operators

• void *f(int *) declares f is a function– (void *) f(int *)

39

Example P203

1 ip = 0xbfffefa8, *ip = 0xbfffefe4, **ip = 2 ip[0] = xp. *xp = x

= 2

2 ip+1 = 0xbfffefac, ip[1] = 0x804965c, *ip[1] = 15 ip[1] = &g. g = 15

3 &s.v = 0xbfffefb4, s.v = ’a’ s in stack frame

4 &up->v = 0x8049760, up->v = ’b’ up points to area in heap

5 f = 0x8048414 f points to code for fun

6 ip = 0xbfffef68, *ip = 0xbfffefe4, **ip = 1 ip in new frame, x =

1

7 ip+1 = 0xbfffef6c, ip[1] = 0x804965c, *ip[1] = 15 ip[1] same as before

8 &s.v = 0xbfffef74, s.v = ’a’ s in new frame

9 &up->v = 0x8049770, up->v = ’b’ up points to new area in heap

10 f = 0x8048414 f points to code for fun

40

Pointer Declaration

• char **argv ;• int (*daytab)[13]• int (*comp)()• char (*(*x())[])()

– Function returning pointer to array[ ] of pointer to function returning char

• char(*(*x[3])())[5]– Array[3] of pointer to function returning

pointer to array[5] of char

41

Pointer Arithmetic

• Addition and subtraction– p+i , p-i (result is a pointer)

– p-q (result is a int)

• Referencing & dereferencing– *p, &E

• Subscription– A[i], *(A+i)

42

C operators

Operators Associativity() [] -> . ++ -- left to right! ~ ++ -- + - * & (type) sizeof right to left* / % left to right+ - left to right<< >> left to right< <= > >= left to right== != left to right& left to right^ left to right| left to right&& left to right|| left to right?: right to left= += -= *= /= %= &= ^= != <<= >>= right to left, left to right

Note: Unary +, -, and * have higher precedence than binary forms

43

Parameter Passing

• Call by value

– f(xp)

• Call by reference

– f(&xp)

44

3.13 Out-of-Bounds Memory References P206

1 /* Implementation of library function gets() */2 char *gets(char *s)3 {4 int c;5 char *dest = s;6 while ((c = getchar()) != ’\n’ && c != EOF)7 *dest++ = c;8 *dest++ = ’\0’; /* Terminate String

*/9 if (c == EOF)10 return NULL;11 return s;12 }

45

Out-of-Bounds Memory References

1314 /* Read input line and write it back */15 void echo()16 {17 char buf[4]; /* Way too small ! */18 gets(buf);19 puts(buf);20 }

46

Out-of-Bounds Memory References

Stack frame for caller

Return address

Saved %ebp

[3] [2] [1] [0]Stack frame

for echo

%ebp

buf

47

Out-of-Bounds Memory References

Stack frame for caller

Return address

[7]

[6]

[5]

[4]

[3] [2] [1] [0]Stack frame

for echo

%ebp

buf

48

Out-of-Bounds Memory References

Stack frame for caller

[11]

[10]

[9]

[8]

[7]

[6]

[5]

[4]

[3] [2] [1] [0]Stack frame

for echo

%ebp

buf

49

Buffer Overflow P208 Figure 3.29

1 /* This is very low quality code.2 It is intended to illustrate bad programming practices3 See Practice Problem 3.24. */4 char *getline()5 {6 char buf[8];7 char *result;8 gets(buf);9 result = malloc(strlen(buf));10 strcpy(result, buf);11 return(result);12 }

50

Buffer Overflow P208 Figure 3.29

1 08048524 <getline>:

2 8048524: 55 push %ebp

3 8048525: 89 e5 mov %esp,%ebp

4 8048527: 83 ec 10 sub $0x10,%esp

5 804852a: 56 push %esi

6 804852b: 53 push %ebx

Diagram stack at this point

7 804852c: 83 c4 f4 add $0xfffffff4,%esp

8 804852f: 8d 5d f8 lea 0xfffffff8(%ebp),%ebx

9 8048532: 53 push %ebx

10 8048533: e8 74 fe ff ff call 80483ac <_init+0x50> gets

51

Buffer Overflow P208 Practice Problem 3.24

Stack frame for caller

08 04 86 43Return Address

52

Buffer Overflow

Stack frame for caller

08 04 86 43bf ff fc 94[7] [6] [5] [4][3] [2] [1] [0]

00 00 00 01

00 00 00 02

%ebp

buf

Saved %esi

Saved %ebx

53

Buffer Overflow

Stack frame for caller

08 04 86 0031 30 39 3837 36 35 3433 32 31 30

00 00 00 01

00 00 00 02

%ebp

buf

Saved %esi

Saved %ebx

012345678901

54

Malicious Use of Buffer Overflow

void bar() { char buf[64]; gets(buf); ... }

void foo(){ bar(); ...}

returnaddress

A

Stack after call to gets()

B

foo stack frame

bar stack frame

B

exploitcode

pad

data written

bygets()

Malicious:怀恶意的

55

Malicious Use of Buffer Overflow

• Input string contains byte representation

of executable code

• Overwrite return address with address of

buffer

• When bar() executes ret, will jump to

exploit code

56

Floating Point

57

Outline

• Stack evaluation• Data movement• Set special data• Arithmetic operation• Comparison • Suggested reading: 3.14

58

IA32 Floating Point

• History

– 8086: first computer to implement IEEE FP

• separate 8087 FPU (floating point unit)

– 486: merged FPU and Integer Unit onto one

chip

59

IA32 Floating Point

• Floating Point Formats

– single precision (C float): 32 bits

– double precision (C double): 64 bits

– extended precision (C long double): 80 bits

60

IA32 Floating Point

• Summary

– Hardware to add, multiply, and divide

– Floating point data registers

– Various control & status registers

61

IA32 Floating Point

Instructiondecoder andsequencer

FPUInteger

Unit

Memory

62

FPU Data Register Stack

• FPU register format (extended precision)

s exp frac

063647879

63

FPU Data Register Stack

• FPU registers– 8 registers– Logically forms shallow stack– Top called %st(0)– When push too many, bottom values disappear

“ Top”

stack grows down

%st(0)

%st(1)

%st(2)

%st(3)

64

FPU instructions

• Large number of floating point instructions and formats– ~50 basic instruction types– load, store, add, multiply– sin, cos, tan, arctan, and log!

• Sample instructions:

65

FPU instructions P213 Figure 3.30, P216 Figure 3.31

Instruction Effect Description

fldz push 0.0 Load zero

flds Addr push M[Addr] Load single precision real

fmuls Addr %st(0) <- %st(0)*M[Addr] Multiply

faddp %st(1) <- %st(0)+%st(1); Add and pop

pop

66

IA32 Floating Point

float ipf (float x[], float y[], int n){ int i; float result = 0.0; for (i = 0; i < n; i++) { result += x[i] * y[i]; } return result;}

67

pushl %ebp # setup movl %esp,%ebp pushl %ebx movl 8(%ebp),%ebx # %ebx=&x movl 12(%ebp),%ecx # %ecx=&y movl 16(%ebp),%edx # %edx=n fldz # push +0.0 xorl %eax,%eax # i=0 cmpl %edx,%eax # if i>=n done jge .L3 .L5: flds (%ebx,%eax,4) # push x[i] fmuls (%ecx,%eax,4) # st(0)*=y[i] faddp # st(1)+=st(0); pop incl %eax # i++ cmpl %edx,%eax # if i<n repeat jl .L5 .L3: movl -4(%ebp),%ebx # finish movl %ebp, %esp popl %ebp ret # st(0) = result

68

Inner Product Stack Trace

1. fldz 0.0 %st(0)

2. flds (%ebx,%eax,4) 0.0 %st(1)

x[0] %st(0)

3. fmuls (%ecx,%eax,4) 0.0 %st(1)

x[0]*y[0] %st(0)

4. faddp 0.0+x[0]*y[0] %st(0)

5. flds (%ebx,%eax,4) x[0]*y[0] %st(1)

x[1] %st(0)

6. fmuls (%ecx,%eax,4) x[0]*y[0] %st(1)x[1]*y[1] %st(0)

7. faddp %st(0)

x[0]*y[0]+x[1]*y[1]

Initialization

Iteration 0 Iteration 1

69

Load Instructions P216 Figure 3.31

Instruction Source format Source location

flds Addr Single Mem4[Addr]

fldl Addr Double Mem8[Addr]

fldt Addr Extended Mem10[Addr]

fildl Addr Integer Mem4[Addr]

fld %st(i) extended %st(i)

70

Store Instructions P216 Figure 3.32

Instruction Pop(Y/N)

destination format

destination location

fsts Addr N Single Mem4[Addr]

fstps Addr Y Single Mem4[Addr]

fstl Addr N Double Mem8[Addr]

fstpl Addr Y Double Mem8[Addr]

fstt Addr N Extended Mem10[Addr]

fstpt Addr Y Extended Mem10[Addr]

fistl Addr N Integer Mem4[Addr]

fistpl Addr Y Integer Mem4[Addr]

fst %st(i) N extended %st(i)

fstp %st(i) Y extended %st(i)

71

Arithmetic Instructions P218 Figure 3.33

72

Arithmetic Instructions P218 Figure 3.34

73

Comparison Instructions P222 Figure 3.35

74

Comparison Instructions P222 Figure 3.36

fnstsw %axandb $69, %ah

69=0X45

75

Arithmetic Instructions P223

1 int less (double x, double y)

2 {

3 return x < y;

4 }

76

Arithmetic Instructions P223

1 fldl 16(%ebp) Push y

2 fcompl 8(%ebp) Compare y:x

3 fnstsw %ax Store floating point status word in %ax

4 andb $69, %ah Mask all but bits 0, 2, and 6

5 sete %al Test for comparison outcome of 0

(>)

6 movzbl %al, %eax Copy low order byte to result,

and set rest to 0

77

78

79

80

81