It has been a while since I started working with SSE/AVX intrinsic functions. I recently began writing a header for matrix transposition. I used a lot of if constexpr branches so that the compiler always selects the optimal instruction set depending on some template parameters. Now I wanted to check if everything works as expected by looking into the local disassembly with objdump. When using Clang, I get a clear output which basically contains only the assembly instructions corresponding to the utilized intrinsic functions. However, if I use GCC, the disassembly is quite bloated with extra instructions. A quick check on Godbolt shows me that those extra instructions in the GCC disassembly shouldn't be there.
Here is a small example:
#include <x86intrin.h>
#include <array>
std::array<__m256, 1> Test(std::array<__m256, 1> a)
{
std::array<__m256, 1> b;
b[0] = _mm256_unpacklo_ps(a[0], a[0]);
return b;
}
I compile with -march=native -Wall -Wextra -Wpedantic -pthread -O3 -DNDEBUG -std=gnu++1z. Then I use objdump -S -Mintel libassembly.a > libassembly.dump on the object file. For Clang (6.0.0), the result is:
In archive libassembly.a:
libAssembly.cpp.o: file format elf64-x86-64
Disassembly of section .text:
0000000000000000 <_Z4TestSt5arrayIDv8_fLm1EE>:
0: c4 e3 7d 04 c0 50 vpermilps ymm0,ymm0,0x50
6: c3 ret
which is the same as Godbolt returns: Godbolt - Clang 6.0.0
For GCC (7.4) the output is
In archive libassembly.a:
libAssembly.cpp.o: file format elf64-x86-64
Disassembly of section .text:
0000000000000000 <_Z4TestSt5arrayIDv8_fLm1EE>:
0: 4c 8d 54 24 08 lea r10,[rsp+0x8]
5: 48 83 e4 e0 and rsp,0xffffffffffffffe0
9: c5 fc 14 c0 vunpcklps ymm0,ymm0,ymm0
d: 41 ff 72 f8 push QWORD PTR [r10-0x8]
11: 55 push rbp
12: 48 89 e5 mov rbp,rsp
15: 41 52 push r10
17: 48 83 ec 28 sub rsp,0x28
1b: 64 48 8b 04 25 28 00 mov rax,QWORD PTR fs:0x28
22: 00 00
24: 48 89 45 e8 mov QWORD PTR [rbp-0x18],rax
28: 31 c0 xor eax,eax
2a: 48 8b 45 e8 mov rax,QWORD PTR [rbp-0x18]
2e: 64 48 33 04 25 28 00 xor rax,QWORD PTR fs:0x28
35: 00 00
37: 75 0c jne 45 <_Z4TestSt5arrayIDv8_fLm1EE+0x45>
39: 48 83 c4 28 add rsp,0x28
3d: 41 5a pop r10
3f: 5d pop rbp
40: 49 8d 62 f8 lea rsp,[r10-0x8]
44: c3 ret
45: c5 f8 77 vzeroupper
48: e8 00 00 00 00 call 4d <_Z4TestSt5arrayIDv8_fLm1EE+0x4d>
As you can see, there are a lot of additional instructions. In contrast to that, Godbolt does not include all these extra instructions: Godbolt - GCC 7.4
So what is going on here? I have just started learning assembly, so maybe it is totally clear to someone with assembly experience, but I am a little bit confused why GCC creates those extra instructions on my machine.
Greetings and thank you in advance.
EDIT
To avoid further confusions, I just compiled using:
gcc-7 -I/usr/local/include -O3 -march=native -Wall -Wextra -Wpedantic -pthread -std=gnu++1z -o test.o -c /<PathToFolder>/libAssembly.cpp
Output remains the same. I am not sure if this is relevant, but it generates the warning:
warning: ignoring attributes on template argument ‘__m256 {aka __vector(8) float}’ [-Wignored-attributes]
Usually I surpress this warning and it shouldn't be an issue:
Implication of GCC warning: ignoring attributes on template argument (-Wignored-attributes)
Processor is Intel(R) Core(TM) i7-6700K CPU # 4.00GHz
Here is the gcc -v:
gcc-7 -v
Using built-in specs.
COLLECT_GCC=gcc-7
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Ubuntu 7.4.0-1ubuntu1~18.04.1' --with-bugurl=file:///usr/share/doc/gcc-7/README.Bugs --enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++ --prefix=/usr --with-gcc-major-version-only --program-suffix=-7 --program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-libmpx --enable-plugin --enable-default-pie --with-system-zlib --with-target-system-zlib --enable-objc-gc=auto --enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-offload-targets=nvptx-none --without-cuda-driver --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1)
Use -fno-stack-protector
Your local GCC defaults to -fstack-protector-strong but Godbolt's GCC install doesn't.
mov rax,QWORD PTR fs:0x28 is the telltale clue; Thread-local storage at fs:40 aka fs:0x28 is where GCC keeps its stack cookie constant. The call after the ret is call __stack_chk_fail (but you disassembled a .o without using objdump -dr to show relocations, so the placeholder +0 offset just looked like still a target within this function).
Since you have arrays (or a class containing an array), stack-protector-strong kicks in even though their sizes are compile-time constants. So you get the code to store the stack cookie, then check it and branch on stack overflow. (Even the array of size 1 in this MVCE is enough to trigger that.)
Making arrays on the stack with 32-byte alignment (for __m256) requires 32-byte alignment, and your GCC is older than GCC8 so you get the ridiculously clunky stack-alignment code that builds a full copy of the stack frame including a return address. Generated assembly for extended alignment of stack variables (To be clear, GCC8 still does align the stack here, just wasting fewer instructions on it.)
This is pretty much a missed optimization; gcc never actually spills or reloads to those arrays so it could have just optimized them away, along with the stack alignment, like it did without stack-protector.
More recent GCC is better at optimizing away stack alignment after optimizing away the memory for aligned locals in more cases, but this has been a persistent missed optimization in AVX code. Fortunately the cost is pretty negligible in a function that loops; as long as small helper functions inline.
Compiling on Godbolt with -fstack-protector-strong reproduces your output. Newer GCC, including current trunk pre-10, still has both missed optimizations, but stack alignment costs fewer instructions because it just uses RBP as a frame pointer and aligns RSP, then references locals relative to aligned RSP. It still checks the stack cookie (with no instructions between storing it and checking it).
On your desktop, compiling with -fno-stack-protector should make good asm.
Related
I start with a binary executable and I want to see the source code, not just the assembly code. Is this possible? The documentation at "https://sourceware.org/gdb/onlinedocs/gdb/Machine-Code.html" seems to generate the source code.
If it is possible, why is the source code not showing. I have set no breakpoints, the code is not striped. I have used the gdb command "disas /s main". A screen shot starting with some information about my configuration follow.
──(root㉿kali)-[/home/kali/Downloads]
└─# uname -a
Linux kali 5.15.0-kali3-amd64 #1 SMP Debian 5.15.15-2kali1 (2022-01-31) x86_64 GNU/Linux
┌──(root㉿kali)-[/home/kali/Downloads]
└─# gdb -v
GNU gdb (Debian 10.1-2) 10.1.90.20210103-git
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
┌──(root㉿kali)-[/home/kali/Downloads]
└─# file RE1_64bit
RE1_64bit: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=8616e4f2a4a3c325c2a1f32b8ebb8366694f7a03, not stripped
┌──(root㉿kali)-[/home/kali/Downloads]
└─# gdb RE1_64bit
GNU gdb (Debian 10.1-2) 10.1.90.20210103-git
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from RE1_64bit...
(No debugging symbols found in RE1_64bit)
(gdb) disas /s main
Dump of assembler code for function main:
0x000000000040084e <+0>: push %rbp
0x000000000040084f <+1>: mov %rsp,%rbp
0x0000000000400852 <+4>: sub $0x40,%rsp
0x0000000000400856 <+8>: mov %edi,-0x34(%rbp)
0x0000000000400859 <+11>: mov %rsi,-0x40(%rbp)
0x000000000040085d <+15>: cmpl $0x2,-0x34(%rbp)
0x0000000000400861 <+19>: je 0x400886 <main+56>
0x0000000000400863 <+21>: mov -0x40(%rbp),%rax
0x0000000000400867 <+25>: mov (%rax),%rax
0x000000000040086a <+28>: mov %rax,%rsi
0x000000000040086d <+31>: mov $0x4009a2,%edi
0x0000000000400872 <+36>: mov $0x0,%eax
0x0000000000400877 <+41>: call 0x400580 <printf#plt>
0x000000000040087c <+46>: mov $0x1,%edi
0x0000000000400881 <+51>: call 0x4005e0 <exit#plt>
0x0000000000400886 <+56>: mov -0x40(%rbp),%rax
0x000000000040088a <+60>: add $0x8,%rax
0x000000000040088e <+64>: mov (%rax),%rax
0x0000000000400891 <+67>: mov %rax,%rdi
0x0000000000400894 <+70>: call 0x400570 <strlen#plt>
0x0000000000400899 <+75>: cmp $0x4,%rax
0x000000000040089d <+79>: je 0x4008c2 <main+116>
0x000000000040089f <+81>: mov -0x40(%rbp),%rax
0x00000000004008a3 <+85>: mov (%rax),%rax
0x00000000004008a6 <+88>: mov %rax,%rsi
0x00000000004008a9 <+91>: mov $0x4009a2,%edi
0x00000000004008ae <+96>: mov $0x0,%eax
0x00000000004008b3 <+101>: call 0x400580 <printf#plt>
0x00000000004008b8 <+106>: mov $0x1,%edi
0x00000000004008bd <+111>: call 0x4005e0 <exit#plt>
0x00000000004008c2 <+116>: movl $0x0,-0x4(%rbp)
0x00000000004008c9 <+123>: mov $0x4009b3,%edi
0x00000000004008ce <+128>: mov $0x0,%eax
0x00000000004008d3 <+133>: call 0x400580 <printf#plt>
0x00000000004008d8 <+138>: lea -0x30(%rbp),%rax
0x00000000004008dc <+142>: mov %rax,%rdi
0x00000000004008df <+145>: call 0x4005d0 <gets#plt>
0x00000000004008e4 <+150>: cmpl $0x0,-0x4(%rbp)
0x00000000004008e8 <+154>: je 0x4008f8 <main+170>
0x00000000004008ea <+156>: mov -0x40(%rbp),%rax
0x00000000004008ee <+160>: mov %rax,%rdi
0x00000000004008f1 <+163>: call 0x4006dd <fg>
0x00000000004008f6 <+168>: jmp 0x400902 <main+180>
0x00000000004008f8 <+170>: mov $0x4009cd,%edi
0x00000000004008fd <+175>: call 0x400560 <puts#plt>
0x0000000000400902 <+180>: mov $0x0,%eax
0x0000000000400907 <+185>: leave
0x0000000000400908 <+186>: ret
End of assembler dump.
As has been said in the comments, this line:
(No debugging symbols found in RE1_64bit)
indicates that the binary does not include any debug information, so you're not going to be able to match assembler code to source lines.
If the binary did include debug information then it would only contain a table mapping addresses in the binary to file names and line numbers. You would still need to have the actual source files in order to view the source lines, and, of course, the source files need to be the exact versions that were compiled into that specific binary, otherwise the line numbers in the debug information will not match up correctly.
I used gdb to attach a program, and then set a breakpoint in function engine::monAppendSystemInfo. When the breakpoint was hit, the gdb coredump(actually, it's my program crashed in engine::monAppendSystemInfo).This is not an inevitable problem. It has only appeared twice and cannot be reproduced.
Here is the compared assembly code of engine::monAppendSystemInfo.
The code below is disassembled from the coredump file:
Dump of assembler code for function engine::monAppendSystemInfo(bson::BSONObjBuilder&, unsigned int):
0x00000000011188f1 <+0>: push %rbp
0x00000000011188f2 <+1>: mov %rsp,%rbp
0x00000000011188f5 <+4>: push %r12
0x00000000011188f7 <+6>: push %rbx
0x00000000011188f8 <+7>: sub $0xb20,%rsp
0x00000000011188ff <+14>: mov %rdi,-0xa98(%rbp)
0x0000000001118906 <+21>: mov %esi,-0xa9c(%rbp)
0x000000000111890c <+27>: int3 // strange point
=> 0x000000000111890d <+28>: mov 0x28,%rax // crash for accessing 0x28
0x0000000001118915 <+36>: mov %rax,-0x18(%rbp)
The code below is disassembled from normal gdb, and the program can continue to run:
Dump of assembler code for function engine::monAppendSystemInfo(bson::BSONObjBuilder&, unsigned int):
0x00000000011188f1 <+0>: push %rbp
0x00000000011188f2 <+1>: mov %rsp,%rbp
0x00000000011188f5 <+4>: push %r12
0x00000000011188f7 <+6>: push %rbx
0x00000000011188f8 <+7>: sub $0xb20,%rsp
0x00000000011188ff <+14>: mov %rdi,-0xa98(%rbp)
0x0000000001118906 <+21>: mov %esi,-0xa9c(%rbp)
=> 0x000000000111890c <+27>: mov %fs:0x28,%rax // "%fs:0x28" was changed to "0x28" in above
0x0000000001118915 <+36>: mov %rax,-0x18(%rbp)
My linux is: ubuntu16.04.4 LTS, and the enviroment is as below:
root#lyysdbserver1:~# g++ --version
g++ (Ubuntu 5.4.0-6ubuntu1~16.04.9) 5.4.0 20160609
Copyright (C) 2015 Free Software Foundation, Inc.
root#lyysdbserver1:~# gdb --version
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
Why "%fs:0x28" was changed to "0x28"? Is this a gdb bug ?
Presumably you're looking of a coredump of your program when GDB had already set a breakpoint. int 3 is how GDB sets a breakpoint. When you resume, the int 3 instruction should be replaced by the original byte.
Look how the machine code compares for these two instruction sequences:
mov %fs:0x28,%rax; 64 48 8b 04 25 28 00 00 00
int 3; mov 0x28,%rax; cc 48 8b 04 25 28 00 00 00
I am using valgrind 3.16 to debug my program, and it reports illegal instruction in std::string::swap. The program is compiled on Ubuntu 18.04 with g++ 7.5.0.
vex amd64->IR: unhandled instruction bytes: 0x62 0xF1 0xFE 0x8 0x6F 0x47 0x1 0xC5 0xF8 0x11
vex amd64->IR: REX=0 REX.W=0 REX.R=0 REX.X=0 REX.B=0
vex amd64->IR: VEX=0 VEX.L=0 VEX.nVVVV=0x0 ESC=NONE
vex amd64->IR: PFX.66=0 PFX.F2=0 PFX.F3=0
==392550== valgrind: Unrecognised instruction at address 0x3fef89.
==392550== at 0x3FEF89: std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::swap(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&) (in /tmp/tmp.BnUAMaceSS/cmake-build-release-parallel-chameleon/release/lqf-tpch-query-dev)
==392550== by 0x4F4CD0C: std::__cxx11::basic_stringbuf<char, std::char_traits<char>, std::allocator<char> >::overflow(int) (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.25)
I have two questions:
Is there a website I can query instructions using the given OP code? I tried this website but cannot find anything corresponding to 0x62 0xF1 0xFE ...
Why would valgrind reports SIGILL in std library?
The code works well by itself. I also applied undefined,thread,leak and address sanitizer, and stack-check. They report no error. So I think the problem is from valgrind.
I really appreciate #TedLyngmo's comments of applying sanitizers. Although the sanitizer itself does not give any error, after applying sanitizer the error location changes. Now it is pointing to some of my code base which uses AVX 512 instructions. When I replace those instructions Valgrind can run.
Although I am still not sure why applying sanitizer will have such effect, I would like to share this experience with those who may encounter similar errors in the future.
Question 1: convert opcode to assembly
This website can disassemble opcode to assembly online for x86 or x64. For the opcode in your question, insert 62 F1 FE 08 6F 47 01 C5 F8 11 (note that use 08 for 0x8) to the text box under disassemble, then it outputs
Disassembly:
0: 62 f1 fe 08 6f 47 01 vmovdqu64 xmm0,XMMWORD PTR [rdi+0x10]
7: c5 .byte 0xc5
8: f8 clc
9: 11 .byte 0x11
So the instruction is vmovdqu64which is an AVX512 instruction.
Or you it can be hacked as following
$ cat instruct.c
#include <stdio.h>
int main(void)
{
asm(".byte 0x62, 0xF1, 0xFE, 0x8, 0x6F, 0x47, 0x1, 0xC5, 0xF8, 0x11");
return 0;
}
$ gcc -c instruct.c
$ objdump -drwC -Mintel instruct.o
instruct.o: file format elf64-x86-64
Disassembly of section .text:
0000000000000000 <main>:
0: f3 0f 1e fa endbr64
4: 55 push rbp
5: 48 89 e5 mov rbp,rsp
8: 62 f1 fe 08 6f 47 01 vmovdqu64 xmm0,XMMWORD PTR [rdi+0x10]
f: c5 f8 11 b8 00 00 00 00 vmovups XMMWORD PTR [rax+0x0],xmm7
17: 5d pop rbp
18: c3 ret
In order for valgrind to run a program with AVX512 instructions, one can compile the program with gcc flag -mno-avx512f as documented here which points out that extension instructions can be enabled with flag (e.g. -mavx512f) and disabled with a corresponding -mno- option.
Another way to use valgrind on a program with AVX512 instructions is to build Valgind from source and apply patches from here. Following are steps for it:
Clone valgrind source code
$ git clone https://sourceware.org/git/valgrind.git
$ cd valgrind
Download patches from here
Copy the patches to local files (e.g. patch512-part1.patch inside
folder
valgrind). Currently there are
four patches, and they look quite messy due to the fact that the author
keeps
updating it (which is good) and obsoleting old ones. One should also apply the
patches on top of right commit since new commits from valgrind master branch after the patches may break the
build system. For example, up to now patches from comment 58, 73, 60 and 74 and
on top of commit b77dbefe72e4a5c7bcf1576a02c909010bd56991 can be compiled
successfully.
$ git reset --hard b77dbefe72e4a5c7bcf1576a02c909010bd56991
Apply patches
$ patch -p1 < patch512-part1.patch
$ patch -p1 < patch512-part2.patch
$ patch -p1 < patch512-part3.patch
$ patch -p1 < patch512-part4.patch
Compile valgrind
$ ./autogen.sh
$ ./configure --prefix=<install-path>
$ make
$ make install
I have a .cpp file with various methods defined:
// test.cpp
// foo() is not inlined
void foo() {
...
}
I compile it:
g++ test.cpp -o test.o -S
And now I want to determine, from examination of test.o, how many bytes of memory the instruction foo() takes up. How can I do this?
I ask because I have, through careful profiling and experimentation, determined that I am incurring instruction cache misses leading to significant slowdowns on certain critical paths. I'd therefore like to get a sense of how many bytes are occupied by various methods, to guide my efforts in shrinking my instruction set size.
I wouldn't recommend the -S flag for that, unless you're in love with your ISA's manual and hand-calculating instruction sizes. Instead, just build and disassemble, presto - out comes the answer:
$ cc -c example.c
$ objdump -d example.o
example.o: file format elf64-x86-64
Disassembly of section .text:
0000000000000000 <f>:
0: 55 push %rbp
1: 48 89 e5 mov %rsp,%rbp
4: 89 7d fc mov %edi,-0x4(%rbp)
7: 8b 45 fc mov -0x4(%rbp),%eax
a: 83 c0 03 add $0x3,%eax
d: 5d pop %rbp
e: c3 retq
As you can see, this function is 15 bytes long.
Build with map file generation, parse the map file. There might be some padding in the end, but it'll give you an idea.
In g++, the option goes:
-Xlinker -Map=MyProject.txt
I'm working on the buffer bomb lab and I'm stuck on one thing. I've written my exploit code to solve level 2 (firecracker) but I'm not sure how I can convert this to its raw form using gcc -c.
I've never written a compile-able assembly file but I have written instructions themselves and traced already written ones.. So I know how they work but I'm not sure how to syntactically write the code file itself.
Here are the current contents of the file I'm trying to convert to its raw form:
movl $0x1a4bb386, 0x804d200
push $0x0804915f
ret
What do I need to add to this so that it will compile using gcc -c or objdump -d?
I need to figure out how many bytes these instructions take up and how to insert them into the buffer so that I can write my buffer overflow exploit.
Thanks.
Compiled with gcc -m32 -c code.s
Output was a file code.o
I used objdump -d code.o > code.asm to obtain the raw assembly and bytes needed.
Output:
code.o: file format elf32-i386
Disassembly of section .text:
00000000 <.text>:
0: c7 05 00 d2 04 08 86 movl $0x1a4bb386,0x804d200
7: b3 4b 1a
a: 68 5f 91 04 08 push $0x804915f
f: c3 ret
I'm curious what the instruction does at VA 0x7 ... Is that just the rest of the instruction movl?