MACHINE-LEVEL PROGRAMMING III: SWITCH STATEMENTS AND IA32 PROCEDURES

University of Texas at Austin

Today

- Switch statements
- IA 32 Procedures
  - Stack Structure
  - Calling Conventions
  - Illustrations of Recursion & Pointers

Switch Statement Example

    long switch_eg(long x, long y, long z)
    {
        long w = 1;
        switch (x) {
        case 1:
            w = y*z;
            break;
        case 2:
            w = y/z;
            /* Fall Through */
        case 3:
            w += z;
            break;
        case 5:
        case 6:
            w -= z;
            break;
        default:
            w = 2;
        }
        return w;
    }

- Multiple case labels. Here: 5 & 6
- Fall through cases. Here: 2
- Missing cases. Here: 4

Jump Table Structure

Switch Form:

    switch (x) {
      case val_0:
        Block 0
      case val_1:
        Block 1
        . . .
      case val_n-1:
        Block n-1
    }

Jump Table:

    jtab:  Targ0
           Targ1
           Targ2
           . . .
           Targn-1

Jump Targets:

    Targ0:    Code Block 0
    Targ1:    Code Block 1
    Targ2:    Code Block 2
              . . .
    Targn-1:  Code Block n-1

Approximate Translation:

    target = JTab[x];
    goto *target;

Switch Statement Example (IA32)

    long switch_eg(long x, long y, long z)
    {
        long w = 1;
        switch (x) {
            . . .
        }
        return w;
    }

What range of values takes default?

Setup:

    switch_eg:
        pushl %ebp              # Setup
        movl  %esp, %ebp        # Setup
        movl  8(%ebp), %eax     # %eax = x
        cmpl  $6, %eax          # Compare x:6
        ja    .L2               # If unsigned > goto default
        jmp   *.L7(,%eax,4)     # Goto *JTab[x]

Note that w not initialized here.

Switch Statement Example (IA32)

Same C code and setup as above. The final instruction, jmp *.L7(,%eax,4), is the indirect jump.

Jump table:

    .section .rodata
        .align 4
    .L7:
        .long .L2    # x = 0
        .long .L3    # x = 1
        .long .L4    # x = 2
        .long .L5    # x = 3
        .long .L2    # x = 4
        .long .L6    # x = 5
        .long .L6    # x = 6

Assembly Setup Explanation

- Table Structure
  - Each target requires 4 bytes
  - Base address at .L7
- Jumping
  - Direct: jmp .L2
    - Jump target is denoted by label .L2
  - Indirect: jmp *.L7(,%eax,4)
    - Start of jump table: .L7
    - Must scale by factor of 4 (labels have 32 bits = 4 bytes on IA32)
    - Fetch target from effective address .L7 + eax*4
    - Only for 0 ≤ x ≤ 6

Jump Table

The jump table entries (.L7, above) correspond to the case labels as follows:

    switch (x) {
    case 1:         // .L3
        w = y*z;
        break;
    case 2:         // .L4
        w = y/z;
        /* Fall Through */
    case 3:         // .L5
        w += z;
        break;
    case 5:
    case 6:         // .L6
        w -= z;
        break;
    default:        // .L2
        w = 2;
    }

Handling Fall Through

    long w = 1;
        . . .
    switch (x) {
        . . .
    case 2:
        w = y/z;
        /* Fall Through */
    case 3:
        w += z;
        break;
        . . .
    }

becomes

    case 3:
        w = 1;
        goto merge;
    case 2:
        w = y/z;
    merge:
        w += z;

Code Blocks (Partial)

    switch (x) {
    case 1:         // .L3
        w = y*z;
        break;
        . . .
    case 3:         // .L5
        w += z;
        break;
        . . .
    default:        // .L2
        w = 2;
    }

    .L2:                        # Default
        movl  $2, %eax          # w = 2
        jmp   .L8               # Goto done
    .L5:                        # x == 3
        movl  $1, %eax          # w = 1
        jmp   .L9               # Goto merge
    .L3:                        # x == 1
        movl  16(%ebp), %eax    # z
        imull 12(%ebp), %eax    # w = y*z
        jmp   .L8               # Goto done

Code Blocks (Rest)

    switch (x) {
        . . .
    case 2:         // .L4
        w = y/z;
        /* Fall Through */
    merge:          // .L9
        w += z;
        break;
    case 5:
    case 6:         // .L6
        w -= z;
        break;
    }

    .L4:                        # x == 2
        movl  12(%ebp), %edx
        movl  %edx, %eax
        sarl  $31, %edx
        idivl 16(%ebp)          # w = y/z
    .L9:                        # merge:
        addl  16(%ebp), %eax    # w += z
        jmp   .L8               # goto done
    .L6:                        # x == 5, 6
        movl  $1, %eax          # w = 1
        subl  16(%ebp), %eax    # w = 1-z

x86-64 Switch Implementation

- Same general idea, adapted to 64-bit code
- Table entries 64 bits (pointers)
- Cases use revised code

    switch (x) {
    case 1:         // .L3
        w = y*z;
        break;
        . . .
    }

    .L3:
        movq  %rdx, %rax
        imulq %rsi, %rax
        ret

Jump Table:

    .section .rodata
        .align 8
    .L7:
        .quad .L2    # x = 0
        .quad .L3    # x = 1
        .quad .L4    # x = 2
        .quad .L5    # x = 3
        .quad .L2    # x = 4
        .quad .L6    # x = 5
        .quad .L6    # x = 6

IA32 Object Code

Setup:

- Label .L2 becomes address 0x8048422
- Label .L7 becomes address 0x8048660

Assembly Code:

    switch_eg:
        . . .
        ja    .L2               # If unsigned > goto default
        jmp   *.L7(,%eax,4)     # Goto *JTab[x]

Disassembled Object Code:

    08048410 <switch_eg>:
     . . .
     8048419:  77 07                  ja   8048422 <switch_eg+0x12>
     804841b:  ff 24 85 60 86 04 08   jmp  *0x8048660(,%eax,4)

IA32 Object Code (cont.)

Jump Table:

- Doesn't show up in disassembled code
- Can inspect using GDB:

      gdb switch
      (gdb) x/7xw 0x8048660

  - Examine 7 hexadecimal format "words" (4 bytes each)
  - Use command "help x" to get format documentation

    0x8048660:  0x08048422  0x08048432  0x0804843b  0x08048429
    0x8048670:  0x08048422  0x0804844b  0x0804844b

IA32 Object Code (cont.)

Deciphering Jump Table:

    0x8048660:  0x08048422  0x08048432  0x0804843b  0x08048429
    0x8048670:  0x08048422  0x0804844b  0x0804844b

    Address      Value       x
    0x8048660    0x8048422   0
    0x8048664    0x8048432   1
    0x8048668    0x804843b   2
    0x804866c    0x8048429   3
    0x8048670    0x8048422   4
    0x8048674    0x804844b   5
    0x8048678    0x804844b   6

Disassembled Targets

    8048422:  b8 02 00 00 00   mov    $0x2,%eax
    8048427:  eb 2a            jmp    8048453 <switch_eg+0x43>
    8048429:  b8 01 00 00 00   mov    $0x1,%eax
    804842e:  66 90            xchg   %ax,%ax          # noop
    8048430:  eb 14            jmp    8048446 <switch_eg+0x36>
    8048432:  8b 45 10         mov    0x10(%ebp),%eax
    8048435:  0f af 45 0c      imul   0xc(%ebp),%eax
    8048439:  eb 18            jmp    8048453 <switch_eg+0x43>
    804843b:  8b 55 0c         mov    0xc(%ebp),%edx
    804843e:  89 d0            mov    %edx,%eax
    8048440:  c1 fa 1f         sar    $0x1f,%edx
    8048443:  f7 7d 10         idivl  0x10(%ebp)
    8048446:  03 45 10         add    0x10(%ebp),%eax
    8048449:  eb 08            jmp    8048453 <switch_eg+0x43>
    804844b:  b8 01 00 00 00   mov    $0x1,%eax
    8048450:  2b 45 10         sub    0x10(%ebp),%eax
    8048453:  5d               pop    %ebp
    8048454:  c3               ret

Matching Disassembled Targets

    Value
    0x8048422
    0x8048432
    0x804843b
    0x8048429
    0x8048422
    0x804844b
    0x804844b

    8048422:  mov    $0x2,%eax
    8048427:  jmp    8048453 <switch_eg+0x43>
    8048429:  mov    $0x1,%eax
    804842e:  xchg   %ax,%ax
    8048430:  jmp    8048446 <switch_eg+0x36>
    8048432:  mov    0x10(%ebp),%eax
    8048435:  imul   0xc(%ebp),%eax
    8048439:  jmp    8048453 <switch_eg+0x43>
    804843b:  mov    0xc(%ebp),%edx
    804843e:  mov    %edx,%eax
    8048440:  sar    $0x1f,%edx
    8048443:  idivl  0x10(%ebp)
    8048446:  add    0x10(%ebp),%eax
    8048449:  jmp    8048453 <switch_eg+0x43>
    804844b:  mov    $0x1,%eax
    8048450:  sub    0x10(%ebp),%eax
    8048453:  pop    %ebp
    8048454:  ret

Summarizing

- C Control: if-then-else, do-while, while, …
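The jump-table translation (target = JTab[x]; goto *target) and the unsigned bounds check (cmpl $6 / ja) from the slides, written out as an added example that is not part of the original lecture material. It relies on the GCC/Clang labels-as-values extension, and all function names are illustrative; the two small helpers show why the check must be unsigned, since a signed upper-bound test alone would accept a negative x and index memory before the table.

```c
#include <stdio.h>

/* Added example (names are illustrative, not from the slides).
 * Two candidate bounds checks for a 7-entry jump table indexed by x. */
int index_ok_unsigned(long x)          /* what cmpl $6 / ja implements */
{
    return (unsigned long)x <= 6;      /* negative x wraps to a huge value */
}

int index_ok_signed_upper_only(long x) /* a signed upper-bound test alone */
{
    return x <= 6;                     /* admits x = -1: index before table */
}

/* switch_eg as explicit jump-table dispatch, using the GCC/Clang
 * "labels as values" extension (&&label, goto *ptr). */
long switch_eg_jtab(long x, long y, long z)
{
    /* Same layout as .L7: missing cases 0 and 4 point at default (L2). */
    static void *const jtab[7] = {
        &&L2, &&L3, &&L4, &&L5, &&L2, &&L6, &&L6
    };
    long w = 1;

    if (!index_ok_unsigned(x))         /* one compare covers x < 0 and x > 6 */
        goto L2;
    goto *jtab[x];                     /* target = JTab[x]; goto *target; */

L3: w = y * z;  goto done;             /* case 1 */
L4: w = y / z;                         /* case 2: falls through into case 3 */
L5: w += z;     goto done;             /* case 3 */
L6: w -= z;     goto done;             /* case 5 and case 6 */
L2: w = 2;                             /* default, also x = 0 and x = 4 */
done:
    return w;
}

int main(void)
{
    for (long x = -1; x <= 7; x++)
        printf("x=%ld -> %ld\n", x, switch_eg_jtab(x, 12, 3));
    return 0;
}
```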