1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
|
<!DOCTYPE HTML>
<html lang="en" class="light sidebar-visible" dir="ltr">
<head>
<!-- Book generated using mdBook -->
<meta charset="UTF-8">
<title>x86_64 - Notes</title>
<!-- Custom HTML head -->
<meta name="description" content="">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="theme-color" content="#ffffff">
<link rel="icon" href="../favicon.svg">
<link rel="shortcut icon" href="../favicon.png">
<link rel="stylesheet" href="../css/variables.css">
<link rel="stylesheet" href="../css/general.css">
<link rel="stylesheet" href="../css/chrome.css">
<link rel="stylesheet" href="../css/print.css" media="print">
<!-- Fonts -->
<link rel="stylesheet" href="../FontAwesome/css/font-awesome.css">
<link rel="stylesheet" href="../fonts/fonts.css">
<!-- Highlight.js Stylesheets -->
<link rel="stylesheet" id="highlight-css" href="../highlight.css">
<link rel="stylesheet" id="tomorrow-night-css" href="../tomorrow-night.css">
<link rel="stylesheet" id="ayu-highlight-css" href="../ayu-highlight.css">
<!-- Custom theme stylesheets -->
<!-- Provide site root to javascript -->
<script>
var path_to_root = "../";
var default_theme = window.matchMedia("(prefers-color-scheme: dark)").matches ? "navy" : "light";
</script>
<!-- Start loading toc.js asap -->
<script src="../toc.js"></script>
</head>
<body>
<div id="body-container">
<!-- Work around some values being stored in localStorage wrapped in quotes -->
<script>
try {
var theme = localStorage.getItem('mdbook-theme');
var sidebar = localStorage.getItem('mdbook-sidebar');
if (theme.startsWith('"') && theme.endsWith('"')) {
localStorage.setItem('mdbook-theme', theme.slice(1, theme.length - 1));
}
if (sidebar.startsWith('"') && sidebar.endsWith('"')) {
localStorage.setItem('mdbook-sidebar', sidebar.slice(1, sidebar.length - 1));
}
} catch (e) { }
</script>
<!-- Set the theme before any content is loaded, prevents flash -->
<script>
var theme;
try { theme = localStorage.getItem('mdbook-theme'); } catch(e) { }
if (theme === null || theme === undefined) { theme = default_theme; }
const html = document.documentElement;
html.classList.remove('light')
html.classList.add(theme);
html.classList.add("js");
</script>
<input type="checkbox" id="sidebar-toggle-anchor" class="hidden">
<!-- Hide / unhide sidebar before it is displayed -->
<script>
var sidebar = null;
var sidebar_toggle = document.getElementById("sidebar-toggle-anchor");
if (document.body.clientWidth >= 1080) {
try { sidebar = localStorage.getItem('mdbook-sidebar'); } catch(e) { }
sidebar = sidebar || 'visible';
} else {
sidebar = 'hidden';
}
sidebar_toggle.checked = sidebar === 'visible';
html.classList.remove('sidebar-visible');
html.classList.add("sidebar-" + sidebar);
</script>
<nav id="sidebar" class="sidebar" aria-label="Table of contents">
<!-- populated by js -->
<mdbook-sidebar-scrollbox class="sidebar-scrollbox"></mdbook-sidebar-scrollbox>
<noscript>
<iframe class="sidebar-iframe-outer" src="../toc.html"></iframe>
</noscript>
<div id="sidebar-resize-handle" class="sidebar-resize-handle">
<div class="sidebar-resize-indicator"></div>
</div>
</nav>
<div id="page-wrapper" class="page-wrapper">
<div class="page">
<div id="menu-bar-hover-placeholder"></div>
<div id="menu-bar" class="menu-bar sticky">
<div class="left-buttons">
<label id="sidebar-toggle" class="icon-button" for="sidebar-toggle-anchor" title="Toggle Table of Contents" aria-label="Toggle Table of Contents" aria-controls="sidebar">
<i class="fa fa-bars"></i>
</label>
<button id="theme-toggle" class="icon-button" type="button" title="Change theme" aria-label="Change theme" aria-haspopup="true" aria-expanded="false" aria-controls="theme-list">
<i class="fa fa-paint-brush"></i>
</button>
<ul id="theme-list" class="theme-popup" aria-label="Themes" role="menu">
<li role="none"><button role="menuitem" class="theme" id="light">Light</button></li>
<li role="none"><button role="menuitem" class="theme" id="rust">Rust</button></li>
<li role="none"><button role="menuitem" class="theme" id="coal">Coal</button></li>
<li role="none"><button role="menuitem" class="theme" id="navy">Navy</button></li>
<li role="none"><button role="menuitem" class="theme" id="ayu">Ayu</button></li>
</ul>
<button id="search-toggle" class="icon-button" type="button" title="Search. (Shortkey: s)" aria-label="Toggle Searchbar" aria-expanded="false" aria-keyshortcuts="S" aria-controls="searchbar">
<i class="fa fa-search"></i>
</button>
</div>
<h1 class="menu-title">Notes</h1>
<div class="right-buttons">
<a href="../print.html" title="Print this book" aria-label="Print this book">
<i id="print-button" class="fa fa-print"></i>
</a>
<a href="https://github.com/johannst/notes" title="Git repository" aria-label="Git repository">
<i id="git-repository-button" class="fa fa-github"></i>
</a>
</div>
</div>
<div id="search-wrapper" class="hidden">
<form id="searchbar-outer" class="searchbar-outer">
<input type="search" id="searchbar" name="searchbar" placeholder="Search this book ..." aria-controls="searchresults-outer" aria-describedby="searchresults-header">
</form>
<div id="searchresults-outer" class="searchresults-outer hidden">
<div id="searchresults-header" class="searchresults-header"></div>
<ul id="searchresults">
</ul>
</div>
</div>
<!-- Apply ARIA attributes after the sidebar and the sidebar toggle button are added to the DOM -->
<script>
document.getElementById('sidebar-toggle').setAttribute('aria-expanded', sidebar === 'visible');
document.getElementById('sidebar').setAttribute('aria-hidden', sidebar !== 'visible');
Array.from(document.querySelectorAll('#sidebar a')).forEach(function(link) {
link.setAttribute('tabIndex', sidebar === 'visible' ? 0 : -1);
});
</script>
<div id="content" class="content">
<main>
<h1 id="x86_64"><a class="header" href="#x86_64">x86_64</a></h1>
<p>keywords: x86_64, x86, abi</p>
<ul>
<li>64bit synonyms: <code>x86_64</code>, <code>x64</code>, <code>amd64</code>, <code>intel 64</code></li>
<li>32bit synonyms: <code>x86</code>, <code>ia32</code>, <code>i386</code></li>
<li>ISA type: <code>CISC</code></li>
<li>Endianness: <code>little</code></li>
</ul>
<h2 id="registers"><a class="header" href="#registers">Registers</a></h2>
<h3 id="general-purpose-register"><a class="header" href="#general-purpose-register">General purpose register</a></h3>
<pre><code class="language-markdown">bytes
[7:0] [3:0] [1:0] [1] [0] desc
----------------------------------------------------------
rax eax ax ah al accumulator
rbx ebx bx bh bl base register
rcx ecx cx ch cl counter
rdx edx dx dh dl data register
rsi esi si - sil source index
rdi edi di - dil destination index
rbp ebp bp - bpl base pointer
rsp esp sp - spl stack pointer
r8-15 rNd rNw - rNb
</code></pre>
<h3 id="special-register"><a class="header" href="#special-register">Special register</a></h3>
<pre><code class="language-markdown">bytes
[7:0] [3:0] [1:0] desc
---------------------------------------------------
rflags eflags flags flags register
rip eip ip instruction pointer
</code></pre>
<h3 id="flags-register"><a class="header" href="#flags-register">FLAGS register</a></h3>
<pre><code class="language-markdown">rflags
bits desc instr comment
--------------------------------------------------------------------------------------------------------------
[21] ID identification ability to set/clear -> indicates support for CPUID instr
[18] AC alignment check alignment exception for PL 3 (user), requires CR0.AM
[13:12] IOPL io privilege level
[11] OF overflow flag
[10] DF direction flag cld/std increment (0) or decrement (1) registers in string operations
[9] IF interrupt enable cli/sti
[7] SF sign flag
[6] ZF zero flag
[4] AF auxiliary carry flag
[2] PF parity flag
[0] CF carry flag
</code></pre>
<p>Change flag bits with <code>pushf</code> / <code>popf</code> instructions:</p>
<pre><code class="language-x86asm">pushfd // push flags (4bytes) onto stack
or dword ptr [esp], (1 << 18) // enable AC flag
popfd // pop flags (4byte) from stack
</code></pre>
<blockquote>
<p>There is also <code>pushfq</code> / <code>popfq</code> to push and pop all 8 bytes of <code>rflags</code>.</p>
</blockquote>
<h3 id="model-specific-register-msr"><a class="header" href="#model-specific-register-msr">Model Specific Register (MSR)</a></h3>
<pre><code class="language-x86asm">rdmsr // Read MSR register, effectively does EDX:EAX <- MSR[ECX]
wrmsr // Write MSR register, effectively does MSR[ECX] <- EDX:EAX
</code></pre>
<blockquote>
<p>See <a href="https://github.com/johannst/mini-kvm-rs/blob/main/guest/guest64-msr.S">guest64-msr.S</a> as an example.</p>
</blockquote>
<h4 id="some-interesting-msrs"><a class="header" href="#some-interesting-msrs">Some interesting MSRs</a></h4>
<ul>
<li><code>C000_0082: IA32_LSTAR</code> target address for <a href="https://www.felixcloutier.com/x86/syscall"><code>syscall</code></a> instruction
in <strong>IA-32e</strong> (64 bit) mode.</li>
<li><code>C000_0100: IA32_FS_BASE</code> storage for <strong>%fs</strong> segment base address.</li>
<li><code>C000_0101: IA32_GS_BASE</code> storage for <strong>%gs</strong> segment base address.</li>
<li><code>C000_0102: IA32_KERNEL_GS_BASE</code> additional register, <a href="https://www.felixcloutier.com/x86/swapgs"><code>swapgs</code></a>
swaps <strong>GS_BASE</strong> and <strong>KERNEL_GS_BASE</strong>, without altering any register state.
Can be used to swap in a pointer to a kernel data structure on syscall entry,
as for example in <a href="https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/entry/entry_64.S?h=v6.13#n87"><code>entry_SYSCALL_64</code></a>.</li>
</ul>
<h2 id="current-privilege-level"><a class="header" href="#current-privilege-level">Current privilege level</a></h2>
<p>The current privilege level can be found at any time in the last two bits of the
code segment selector <code>cs</code>. The following shows an example debugging an entry
and exit of a syscall in x86_64-linux.</p>
<pre><code>Breakpoint 1, entry_SYSCALL_64 () at arch/x86/entry/entry_64.S:90
90 swapgs
(gdb) info r rax rcx cs
rax 0x0 0 ; syscall nr
rcx 0x7feb16399e56 140647666916950 ; ret addr
cs 0x10 16 ; cs & 0x3 -> 0 (ring0,kernel)
(gdb) c
Breakpoint 2, entry_SYSCALL_64 () at arch/x86/entry/entry_64.S:217
217 sysretq
(gdb) info r rcx cs
rcx 0x7feb16399e56 140647666916950 ; ret addr
cs 0x10 16 ; cs & 0x3 -> 0 (ring0,kernel)
(gdb) b *$rcx
(gdb) s
Breakpoint 3, 0x00007feb16399e56 in ?? ()
(gdb) info r cs
cs 0x33 51 ; cs & 0x3 -> 3 (ring3,user)
</code></pre>
<h2 id="size-directives"><a class="header" href="#size-directives">Size directives</a></h2>
<p>Explicitly specify size of the operation.</p>
<pre><code class="language-x86asm">mov byte ptr [rax], 0xff // save 1 byte(s) at [rax]
mov word ptr [rax], 0xff // save 2 byte(s) at [rax]
mov dword ptr [rax], 0xff // save 4 byte(s) at [rax]
mov qword ptr [rax], 0xff // save 8 byte(s) at [rax]
</code></pre>
<h2 id="addressing"><a class="header" href="#addressing">Addressing</a></h2>
<pre><code class="language-x86asm">mov qword ptr [rax], rbx // save val in rbx at [rax]
mov qword ptr [imm], rbx // save val in rbx at [imm]
mov rax, qword ptr [rbx+4*rcx] // load val at [rbx+4*rcx] into rax
</code></pre>
<p><code>rip</code> relative addressing:</p>
<pre><code class="language-x86asm">lea rax, [rip+.my_str] // load addr of .my_str into rax
...
.my_str:
.asciz "Foo"
</code></pre>
<p>Load effective address:</p>
<pre><code class="language-x86asm">mov rax, 2
lea r11, [rax + 3] // r11 <- 5
</code></pre>
<h2 id="string-instructions"><a class="header" href="#string-instructions">String instructions</a></h2>
<p>The operand size of a string instruction is defined by the instruction suffix
<code>b | w | d | q</code>.</p>
<p>Source and destination registers are modified according to the <code>direction flag (DF)</code> in the <code>flags</code> register</p>
<ul>
<li><code>DF=0</code> increment src/dest registers</li>
<li><code>DF=1</code> decrement src/dest registers</li>
</ul>
<p>Following explanation assumes <code>byte</code> operands with <code>DF=0</code>:</p>
<pre><code class="language-x86asm">movsb // move data from string to string
// ES:[DI] <- DS:[SI]
// DI <- DI + 1
// SI <- SI + 1
lodsb // load string
// AL <- DS:[SI]
// SI <- SI + 1
stosb // store string
// ES:[DI] <- AL
// DI <- DI + 1
cmpsb // compare string operands
// DS:[SI] - ES:[DI] ; set status flag (eg ZF)
// SI <- SI + 1
// DI <- DI + 1
scasb // scan string
// AL - ES:[DI] ; set status flag (eg ZF)
// DI <- DI + 1
</code></pre>
<p>String operations can be repeated:</p>
<pre><code class="language-x86asm">rep // repeat until rcx = 0
repz // repeat until rcx = 0 or while ZF = 0
repnz // repeat until rcx = 0 or while ZF = 1
</code></pre>
<h3 id="example-simple-memset"><a class="header" href="#example-simple-memset">Example: Simple <code>memset</code></a></h3>
<pre><code class="language-x86asm">// memset (dest, 0xaa /* char */, 0x10 /* len */)
lea di, [dest]
mov al, 0xaa
mov cx, 0x10
rep stosb
</code></pre>
<h2 id="att-syntax-for-intel-syntax-users"><a class="header" href="#att-syntax-for-intel-syntax-users">AT&T syntax for intel syntax users</a></h2>
<pre><code class="language-x86asm">mov %rax, %rbx // mov rbx, rax
mov $12, %rax // mov rax, 12
mov (%rsp), %rax // mov rax, [rsp]
mov 8(%rsp), %rax // mov rax, [rsp + 8]
mov (%rsp,%rcx,4), %rax // mov rax, [rsp + 8 * rcx]
mov 0x100, %rax // mov rax, [0x100]
mov (0x100), %rax // mov rax, [0x100]
mov %gs:8, %rax // mov rax, gs:8
</code></pre>
<h2 id="time-stamp-counter---rdtsc"><a class="header" href="#time-stamp-counter---rdtsc">Time stamp counter - <code>rdtsc</code></a></h2>
<pre><code class="language-c">static inline uint64_t rdtsc() {
uint32_t eax, edx;
asm volatile("rdtsc" : "=d"(edx), "=a"(eax)::);
return (uint64_t)edx << 32 | eax;
}
</code></pre>
<blockquote>
<p>Constant TSC behavior ensures that the duration of each clock tick is uniform
and supports the use of the TSC as a wall clock timer even if the processor
core changes frequency. This is the architectural behavior moving forward.</p>
<ul>
<li>18.17 TIME-STAMP COUNTER - <a href="https://software.intel.com/content/www/us/en/develop/download/intel-64-and-ia-32-architectures-sdm-combined-volumes-3a-3b-3c-and-3d-system-programming-guide.html">intel64-vol3</a></li>
</ul>
</blockquote>
<p>On linux one can check the <code>constant_tsc</code> cpu flag, to validate if the
implemented TSC ticks with a constant frequency.</p>
<pre><code class="language-sh">grep constant_tsc /proc/cpuinfo
</code></pre>
<h2 id="cpu--hw-features---cpuid"><a class="header" href="#cpu--hw-features---cpuid">Cpu & hw features - <code>cpuid</code></a></h2>
<pre><code class="language-x86asm">cpuid // in: eax leaf; ecx sub-leaf
// out: eax, ebx, ecx, edx (interpreting depends on leaf)
</code></pre>
<p>This instruction is used to query for availability of certain
instructions or hardware details like cache sizes and son on.</p>
<p>An example how to read cpuid leafs is show in <a href="x86/cpuid/cpuid.c">cpuid.c</a>.</p>
<h2 id="sysv-x86_64-abi"><a class="header" href="#sysv-x86_64-abi"><a href="https://gitlab.com/x86-psABIs/x86-64-ABI">SysV x86_64 ABI</a></a></h2>
<h3 id="passing-arguments-to-functions"><a class="header" href="#passing-arguments-to-functions">Passing arguments to functions</a></h3>
<ul>
<li>Integer/Pointer arguments
<pre><code class="language-markdown">reg arg
-----------
rdi 1
rsi 2
rdx 3
rcx 4
r8 5
r9 6
</code></pre>
</li>
<li>Floating point arguments
<pre><code class="language-markdown">reg arg
-----------
xmm0 1
.. ..
xmm7 8
</code></pre>
</li>
<li>Additional arguments are passed on the stack. Arguments are pushed
right-to-left (RTL), meaning next arguments are closer to current <code>rsp</code>.</li>
</ul>
<h3 id="return-values-from-functions"><a class="header" href="#return-values-from-functions">Return values from functions</a></h3>
<ul>
<li>Integer/Pointer return values
<pre><code class="language-markdown">reg size
-----------------
rax 64 bit
rax+rdx 128 bit
</code></pre>
</li>
<li>Floating point return values
<pre><code class="language-markdown">reg size
-------------------
xmm0 64 bit
xmm0+xmm1 128 bit
</code></pre>
</li>
</ul>
<h3 id="caller-saved-registers"><a class="header" href="#caller-saved-registers">Caller saved registers</a></h3>
<p>Caller must save these registers if they should be preserved across function
calls.</p>
<ul>
<li><code>rax</code></li>
<li><code>rcx</code></li>
<li><code>rdx</code></li>
<li><code>rsi</code></li>
<li><code>rdi</code></li>
<li><code>rsp</code></li>
<li><code>r8</code> - <code>r11</code></li>
</ul>
<h3 id="callee-saved-registers"><a class="header" href="#callee-saved-registers">Callee saved registers</a></h3>
<p>Caller can expect these registers to be preserved across function calls. Callee
must must save these registers in case they are used.</p>
<ul>
<li><code>rbx</code></li>
<li><code>rbp</code></li>
<li><code>r12</code> – <code>r15</code></li>
</ul>
<h3 id="stack"><a class="header" href="#stack">Stack</a></h3>
<ul>
<li>grows downwards</li>
<li>frames aligned on 16 byte boundary
<pre><code class="language-text">Hi ADDR
| +------------+
| | prev frame |
| +------------+ <--- 16 byte aligned (X & ~0xf)
| [rbp+8] | saved RIP |
| [rbp] | saved RBP |
| [rbp-8] | func stack |
| | ... |
v +------------+
Lo ADDR
</code></pre>
</li>
</ul>
<h3 id="function-prologue--epilogue"><a class="header" href="#function-prologue--epilogue">Function prologue & epilogue</a></h3>
<ul>
<li>prologue
<pre><code class="language-x86asm">push rbp // save caller base pointer
mov rbp, rsp // save caller stack pointer
</code></pre>
</li>
<li>epilogue
<pre><code class="language-x86asm">mov rsp, rbp // restore caller stack pointer
pop rbp // restore caller base pointer
</code></pre>
<blockquote>
<p>Equivalent to <code>leave</code> instruction.</p>
</blockquote>
</li>
</ul>
<h2 id="windows-x64-abi"><a class="header" href="#windows-x64-abi"><a href="https://learn.microsoft.com/en-us/cpp/build/x64-software-conventions">Windows x64 ABI</a></a></h2>
<h3 id="passing-arguments-to-functions-ref"><a class="header" href="#passing-arguments-to-functions-ref">Passing arguments to functions (<a href="https://learn.microsoft.com/en-us/cpp/build/x64-calling-convention">ref</a>)</a></h3>
<blockquote>
<p>A single argument is never spread across multiple registers.</p>
</blockquote>
<ul>
<li>Integer/Pointer arguments
<pre><code class="language-markdown">reg arg
-----------
rcx 1
rdx 2
r8 3
r9 4
</code></pre>
</li>
<li>Floating point arguments
<pre><code class="language-markdown">reg arg
-----------
xmm0 1
.. ..
xmm3 4
</code></pre>
</li>
<li>Additional arguments are passed on the stack. Arguments are pushed
right-to-left (RTL), meaning next arguments are closer to current <code>rsp</code>.
<a href="https://godbolt.org/z/oT5Tjdf7Y">See example</a>.</li>
</ul>
<h3 id="return-values-from-functions-1"><a class="header" href="#return-values-from-functions-1">Return values from functions</a></h3>
<ul>
<li>Integer/Pointer return values
<pre><code class="language-markdown">reg size
-----------------
rax 64 bit
</code></pre>
</li>
<li>Floating point return values
<pre><code class="language-markdown">reg size
-------------------
xmm0 64 bit
</code></pre>
</li>
</ul>
<h3 id="caller-saved-registers-1"><a class="header" href="#caller-saved-registers-1">Caller saved registers</a></h3>
<p>Caller must save these registers if they should be preserved across function
calls.</p>
<ul>
<li><code>rax</code></li>
<li><code>rcx</code></li>
<li><code>rdx</code></li>
<li><code>r8</code> - <code>r11</code></li>
<li><code>xmm0</code> - <code>xmm5</code></li>
</ul>
<h3 id="callee-saved-registers-1"><a class="header" href="#callee-saved-registers-1">Callee saved registers</a></h3>
<p>Caller can expect these registers to be preserved across function calls. Callee
must must save these registers in case they are used.</p>
<ul>
<li><code>rbx</code></li>
<li><code>rbp</code></li>
<li><code>rdi</code></li>
<li><code>rsi</code></li>
<li><code>rsp</code></li>
<li><code>r12</code> - <code>r15</code></li>
<li><code>xmm6</code> - <code>xmm15</code></li>
</ul>
<h2 id="asm-skeleton---linux-userspace"><a class="header" href="#asm-skeleton---linux-userspace">ASM skeleton - linux userspace</a></h2>
<p>Small assembler skeleton, ready to use with following properties:</p>
<ul>
<li>use raw Linux syscalls (<code>man 2 syscall</code> for ABI)</li>
<li>no <code>C runtime (crt)</code></li>
<li>gnu assembler <a href="https://sourceware.org/binutils/docs/as"><code>gas</code></a></li>
<li>intel syntax</li>
</ul>
<pre><code class="language-x86asm">// file: greet.S
#include <asm/unistd.h>
.intel_syntax noprefix
.section .text, "ax", @progbits
.global _start
_start:
mov rdi, 1 # fd (stdout)
lea rsi, [rip + greeting] # buf
mov rdx, [rip + greeting_len] # count
mov rax, __NR_write # write(2) syscall nr
syscall
mov rdi, __NR_exit # exit code
mov rax, 60 # exit(2) syscall nr
syscall
.section .rdonly, "a", @progbits
greeting:
.ascii "Hi ASM-World!\n"
greeting_len:
.int .-greeting
</code></pre>
<blockquote>
<p>Files with <code>.S</code> suffix are pre-processed, while files with <code>.s</code> suffix are not.</p>
</blockquote>
<p>To compile and run:</p>
<pre><code class="language-bash">> gcc -o greet greet.S -nostartfiles -nostdlib && ./greet
Hi ASM-World!
</code></pre>
<h2 id="mbr-boot-sectors-example"><a class="header" href="#mbr-boot-sectors-example">MBR boot sectors example</a></h2>
<p>The following shows a non-minimal <a href="https://en.wikipedia.org/wiki/Master_boot_record">MBR</a> boot sector, which transitions from
16-bit <em>real mode</em> to 32-bit <em>protected mode</em> by setting up a small <em>global
descriptor table (GDT)</em>. A string is printed in each mode.</p>
<pre><code class="language-x86asm">.code16
.intel_syntax noprefix
.section .boot, "ax", @progbits
// Disable interrupts.
cli
// Clear segment selectors.
xor ax, ax
mov ds, ax
mov es, ax
mov ss, ax
mov fs, ax
mov gs, ax
// Set cs to 0x0000, as some BIOSes load the MBR to either 07c0:0000 or 0000:7c000.
jmp 0x0000:entry_rm16
entry_rm16:
// Set video mode 3h, see [1].
// * 80x25 text mode
// * 640x200 pixel resolution (8x8 pixel per char)
// * 16 colors (4bit)
// * 4 pages
// * 0xB8000 screen address
//
// [1] http://www.ctyme.com/intr/rb-0069.htm
mov ax, 0x3
int 0x10
// Move cursor to second row.
// http://www.ctyme.com/intr/rb-0087.htm
mov ah, 0x02
mov bh, 0 // page
mov dh, 1 // row
mov dl, 0 // col
int 0x10
// Clear direction flag for lodsb below.
cld
// Load pointer to msg_rm string (null terminated).
lea si, [msg_rm]
// Teletype output char at current cursor position.
// http://www.ctyme.com/intr/rb-0106.htm
mov ah, 0x0e
1:
lodsb // al <- ds:si ; si+=1 ; (al char to write)
test al,al // test for null terminator
jz 2f
int 0x10
jmp 1b
2:
// Enable A20 address line.
in al, 0x92
or al, 2
out 0x92, al
// Load GDT descriptor.
lgdt [gdt_desc]
// Enable protected mode (set CR0.PE bit).
mov eax, cr0
or eax, (1 << 0)
mov cr0, eax
// Far jump which loads segment selector (0x0008) into cs.
// 0x0008 -> RPL=0, TI=0(GDT), I=1
jmp 0x0008:entry_pm32
.code32
entry_pm32:
// Select data segment selector (0x0010) for ds.
mov ax, gdt_data - gdt
mov ds, ax
// Write through VGA interface (video memory).
// Each character is represented by 2 bytes.
// 4 bit bg | 4 bit fg | 8 bit ascii char
//
// Start writing at third line.
mov edi, 0xb8000 + (80 * 2 * 2)
lea esi, [msg_pm]
1:
lodsb // al <- ds:esi ; esi+=1
test al, al // test for null terminator
jz 2f
or eax, 0x1f00 // blue bg, white fg
stosw // ds:[edi] <- ax; edi+=2
jmp 1b
2:
hlt
jmp 2b
// For simplicity keep data used by boot sector in the same section.
.balign 8
msg_rm:
.asciz "Hello from Real Mode!"
msg_pm:
.asciz "Hello from Protected Mode!"
.balign 8
gdt:
.8byte 0x0000000000000000 // 0x00 | null descriptor
.8byte 0x00cf9a000000ffff // 0x08 | 32 bit, code (rx), present, dpl=0, g=4K, base=0, limit=fffff
gdt_data:
.8byte 0x00cf92000000ffff // 0x10 | 32 bit, data (rw), present, dpl=0, g=4K, base=0, limit=fffff
gdt_desc:
.2byte .-gdt-1 // size
.4byte gdt // address
// Write MBR boot magic value.
.fill 510 - (. - .boot), 1, 0x00
.2byte 0xaa55
</code></pre>
<p>The linker script.</p>
<pre><code class="language-x86asm">OUTPUT_FORMAT(elf32-i386)
OUTPUT_ARCH(i386)
SECTIONS {
. = 0x7c00;
.boot : { *(.boot) }
_boot_end = .;
/DISCARD/ : { *(.*) }
ASSERT(_boot_end - 0x7c00 == 512, "boot sector must be exact 512 bytes")
}
</code></pre>
<p>The build instructions.</p>
<pre><code class="language-make">mbr: mbr.ld mbr.o
ld -o $@.elf -nostdlib -T $^
objcopy -O binary $@.elf $@
mbr.o: mbr.S
gcc -c -o $@ -m32 -ffreestanding $^
</code></pre>
<p>One can boot into the bootsector from legacy BIOS, either with qemu or by
writing the mbr boot sector as first sector onto a usb stick.</p>
<pre><code class="language-sh">qemu-system-i386 -hda mbr
</code></pre>
<p>The following gives some more detailed description for the <em>segment selector</em>
registers, the <em>segment descriptors</em> in the GDT, and the <em>GDT descriptor</em>
itself.</p>
<pre><code># Segment Selector (cs, ds, es, ss, fs, gs).
[15:3] I Descriptor Index
[2] TI Table Indicator (0=GTD | 1=LDT)
[1:0] RPL Requested Privilege Level
# Segment Descriptor (2 x 4 byte words).
0x4 [31:24] Base[31:24]
0x4 [23] G Granularity, scaling of limit (0=1B | 1=4K)
0x4 [22] D/B (0=16bit | 1=32bit)
0x4 [21] L (0=compatibility mode | 1=64bit code) if 1 -> D/B = 0
0x4 [20] AVL Free use for system sw
0x4 [19:16] Limit[19:16]
0x4 [15] P Present
0x4 [14:13] DPL Descriptor privilege level
0x4 [12] S (0=system segment | 1=code/data)
0x4 [11:0] Type Code or data and access information.
0x4 [7:0] Base[23:16]
0x0 [31:16] Base[15:0]
0x0 [15:0] Limit[15:0]
# GDT descriptor (32bit mode)
[47:16] Base address of GDT table.
[15:0] Length of GDT table.
</code></pre>
<blockquote>
<p>In 64-bit mode the <code>{cs, ds, es, ss}</code> segment register have no
effect, segmentation is effectively disabled. The <code>{gs, fs}</code> segment
register however can still be used for segmented memory access in
64-bit with paging enabled. Segmentation takes place before VA -> PA
address translation.</p>
<p>The example in <a href="x86/seg/seg.c">seg.c</a> shows how to set the <code>gs</code> base
address and to relative accesses.</p>
</blockquote>
<h2 id="references"><a class="header" href="#references">References</a></h2>
<ul>
<li><a href="https://gitlab.com/x86-psABIs/x86-64-ABI">SystemV AMD64 ABI</a></li>
<li><a href="https://www.amd.com/system/files/TechDocs/24592.pdf">AMD64 Vol1: Application Programming</a></li>
<li><a href="https://www.amd.com/system/files/TechDocs/24593.pdf">AMD64 Vol2: System Programming</a></li>
<li><a href="https://www.amd.com/system/files/TechDocs/24594.pdf">AMD64 Vol3: General-Purpose & System Instructions</a></li>
<li><a href="https://cs.brown.edu/courses/cs033/docs/guides/x64_cheatsheet.pdf">X86_64 Cheat-Sheet</a></li>
<li><a href="https://software.intel.com/content/www/us/en/develop/download/intel-64-and-ia-32-architectures-software-developers-manual-volume-1-basic-architecture.html">Intel 64 Vol1: Basic Architecture</a></li>
<li><a href="https://software.intel.com/content/www/us/en/develop/download/intel-64-and-ia-32-architectures-sdm-combined-volumes-2a-2b-2c-and-2d-instruction-set-reference-a-z.html">Intel 64 Vol2: Instruction Set Reference</a></li>
<li><a href="https://software.intel.com/content/www/us/en/develop/download/intel-64-and-ia-32-architectures-sdm-combined-volumes-3a-3b-3c-and-3d-system-programming-guide.html">Intel 64 Vol3: System Programming Guide</a></li>
<li><a href="https://sourceware.org/binutils/docs/as">GNU Assembler</a></li>
<li><a href="https://sourceware.org/binutils/docs/as/Pseudo-Ops.html#Pseudo-Ops">GNU Assembler Directives</a></li>
<li><a href="https://sourceware.org/binutils/docs/as/i386_002dDependent.html">GNU Assembler <code>x86_64</code> dependent features</a></li>
<li><a href="https://github.com/johannst/juicebox-asm"><code>juicebox-asm</code> an <code>x86_64</code> jit assembler playground</a></li>
</ul>
</main>
<nav class="nav-wrapper" aria-label="Page navigation">
<!-- Mobile navigation buttons -->
<a rel="prev" href="../arch/cache.html" class="mobile-nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
<i class="fa fa-angle-left"></i>
</a>
<a rel="next prefetch" href="../arch/armv8.html" class="mobile-nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
<i class="fa fa-angle-right"></i>
</a>
<div style="clear: both"></div>
</nav>
</div>
</div>
<nav class="nav-wide-wrapper" aria-label="Page navigation">
<a rel="prev" href="../arch/cache.html" class="nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
<i class="fa fa-angle-left"></i>
</a>
<a rel="next prefetch" href="../arch/armv8.html" class="nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
<i class="fa fa-angle-right"></i>
</a>
</nav>
</div>
<script>
window.playground_copyable = true;
</script>
<script src="../elasticlunr.min.js"></script>
<script src="../mark.min.js"></script>
<script src="../searcher.js"></script>
<script src="../clipboard.min.js"></script>
<script src="../highlight.js"></script>
<script src="../book.js"></script>
<!-- Custom JS scripts -->
</div>
</body>
</html>
|
