Scribd
Upload
2 views

Lecture10

Uploaded by

minulo
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
2 views

Lecture10

Uploaded by

minulo
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 112

CSC 252/452: Computer Organization

Fall 2024: Lecture 10

Instructor: Yanan Guo

Department of Computer Science


University of Rochester
Carnegie Mellon

Announcement
• Programming Assignment 1 grade is out
• You got a “0” if dlc could not compile your code
• Mainly due to the “parse error”
• Talk to a TA about this (within two weeks)

2
Carnegie Mellon

Announcement
• Programming Assignment 2
• Details: https://www.cs.rochester.edu/courses/252/fall2024/
labs/assignment2.html
• Due on Oct. 2nd (Wednesday), 11:59 PM (extended two
days)
• You (may still) have 3 slip days

• Programming Assignment 3 will be released Wednesday instead

3
Carnegie Mellon

Announcement
• Midterm on Oct. 9th, Wednesday
• Open-book; e-book allowed.
• No cheat sheet.
• Exams for CSC 252 and CSC 452 will be slightly different
• More problems
• Covers everything until today’s lecture (Sep. 30th)

• Review Lecture (Oct. 7th, Monday)


• Instructor traveling from Oct. 7th to Oct. 11th.
• Lecture Recorded

• Taking a look at previous exams would help


• On course website

4
Carnegie Mellon

Vulnerable Buffer Code


/* Echo Line */
void echo()
{
char buf[4]; /* Way too small! */
gets(buf);
puts(buf);
}

void call_echo() {
echo();
}

5
Carnegie Mellon

Vulnerable Buffer Code


/* Echo Line */
void echo()
{
char buf[4]; /* Way too small! */
gets(buf);
puts(buf);
}

void call_echo() {
echo();
}

unix>./bufdemo-nsp
Type a string:012345678901234567890123
012345678901234567890123

5
Carnegie Mellon

Vulnerable Buffer Code


/* Echo Line */
void echo()
{
char buf[4]; /* Way too small! */
gets(buf);
puts(buf);
}

void call_echo() {
echo();
}

unix>./bufdemo-nsp
Type a string:012345678901234567890123
012345678901234567890123

unix>./bufdemo-nsp
Type a string:0123456789012345678901234
Segmentation Fault

5
Carnegie Mellon

Buffer Overflow Stack Example


After call to gets
Stack Frame register_tm_clones:
for call_echo
. . .
400600: mov %rsp,%rbp
400603: mov %rax,%rdx
00Return
00 Address
00 00 400606: shr $0x3f,%rdx
00 (840bytes)
06 00 40060a: add %rdx,%rax
40060d: sar %rax
33 32 31 30
400610: jne 400614
39 38 37 36 400612: pop %rbp
35 34 unused
20 bytes 33 32 400613: retq
31 30 39 38
37 36 35 34
33 32 31 30 buf %rsp

“Returns” to unrelated code


Could be code controlled by attackers!

6
Carnegie Mellon

What to do about buffer overflow attacks


• Avoid overflow vulnerabilities
• Have compiler use “stack canaries”
• Employ system-level protections

7
Carnegie Mellon

1. Avoid Overflow Vulnerabilities in Code (!)


/* Echo Line */
void echo()
{
char buf[4]; /* Way too small! */
fgets(buf, 4, stdin);
puts(buf);
}

• For example, use library routines that limit string lengths


• fgets instead of gets
• strncpy instead of strcpy

8
Carnegie Mellon

2. Stack Canaries can help


• Idea
• Place special value (“canary”) on stack just beyond buffer
• Check for corruption before exiting function
Stack Frame
• GCC Implementation for call_echo
• -fstack-protector
• Now the default (disabled earlier)
Return Address
Return Address
(8 bytes)
Saved %ebp
Saved %ebx
20 bytes unused
Canary
(8Canary
bytes)
00 [3]
[2]
36 [1]35 [0]
34
33 32 31 30 buf %rsp

9
Carnegie Mellon

2. Stack Canaries can help


• Idea
• Place special value (“canary”) on stack just beyond buffer
• Check for corruption before exiting function
Stack Frame
• GCC Implementation for call_echo
• -fstack-protector
• Now the default (disabled earlier)
Return Address
Return Address
(8 bytes)
Saved %ebp
unix>./bufdemo-sp
Type a string:0123456
Saved %ebx
0123456 20 bytes unused
Canary
(8Canary
bytes)
unix>./bufdemo-sp
Type a string:01234567 00 [3]
[2]
36 [1]35 [0]
34
*** stack smashing detected ***
33 32 31 30 buf %rsp

9
Carnegie Mellon

3. System-Level Protections can help


Stack after call to gets()
• Nonexecutable code
segments
P stack frame
• In traditional x86, can mark
region of memory as either
“read-only” or “writeable”
B
• Can execute anything readable
• X86-64 added explicit data written pad
“execute” permission by gets()
• Stack marked as non- exploit Q stack frame
executable code
B

Any attempt to execute


this code will fail
10
Carnegie Mellon

Buffer Overflow Stack Example


After call to gets
Stack Frame register_tm_clones:
for call_echo
. . .
400600: mov %rsp,%rbp
400603: mov %rax,%rdx
00Return
00 Address
00 00 400606: shr $0x3f,%rdx
00 (840bytes)
06 00 40060a: add %rdx,%rax
40060d: sar %rax
33 32 31 30
400610: jne 400614
39 38 37 36 400612: pop %rbp
35 34 unused
20 bytes 33 32 400613: retq
31 30 39 38
37 36 35 34
33 32 31 30 buf %rsp

“Returns” to unrelated code


Could be code controlled by attackers!

11
Carnegie Mellon

3. System-Level Protections can help


Stack after call to gets()
• Nonexecutable code
segments
P stack frame
• In traditional x86, can mark
region of memory as either
“read-only” or “writeable”
B
• Can execute anything readable
• X86-64 added explicit data written pad
“execute” permission by gets()
• Stack marked as non- exploit Q stack frame
executable code
B

Any attempt to execute


this code will fail
12
Carnegie Mellon

So far in 252…
C Program

Assembly
Program

Instruction Set Architecture

Processor
Microarchitecture

Circuits
13
Carnegie Mellon

So far in 252…
C Program

Assembly
Program

ret, call
Instruction Set Architecture movq, addq
jmp, jne

Processor
Microarchitecture

Circuits
13
Carnegie Mellon

So far in 252…
C Program

movq %rsi, %rax


Assembly imulq %rdx, %rax
Program jmp .done

ret, call
Instruction Set Architecture movq, addq
jmp, jne

Processor
Microarchitecture

Circuits
13
Carnegie Mellon

So far in 252…
int, float
C Program if, else
+, -, >>

movq %rsi, %rax


Assembly imulq %rdx, %rax
Program jmp .done

ret, call
Instruction Set Architecture movq, addq
jmp, jne

Processor
Microarchitecture

Circuits
13
Carnegie Mellon

So far in 252…
int, float
C Program if, else
+, -, >>

movq %rsi, %rax


Assembly imulq %rdx, %rax
Program jmp .done

ret, call
Instruction Set Architecture movq, addq
jmp, jne

Processor Logic gates


Microarchitecture

Circuits
13
Carnegie Mellon

So far in 252…
int, float
C Program if, else
+, -, >>

movq %rsi, %rax


Assembly imulq %rdx, %rax
Program jmp .done

ret, call
Instruction Set Architecture movq, addq
jmp, jne

Processor Logic gates


Microarchitecture

Circuits Transistors
13
Carnegie Mellon

So far in 252…
C Program • ISA is the interface between
assembly programs and
microarchitecture
Assembly
Program

Instruction Set Architecture

Processor
Microarchitecture

Circuits
14
Carnegie Mellon

So far in 252…
C Program • ISA is the interface between
assembly programs and
microarchitecture
Assembly • Assembly view:
Program

Instruction Set Architecture

Processor
Microarchitecture

Circuits
14
Carnegie Mellon

So far in 252…
C Program • ISA is the interface between
assembly programs and
microarchitecture
Assembly • Assembly view:
Program • How to program the machine,
based on instructions and
processor states (registers,
Instruction Set Architecture memory, condition codes, etc.)?

Processor
Microarchitecture

Circuits
14
Carnegie Mellon

So far in 252…
C Program • ISA is the interface between
assembly programs and
microarchitecture
Assembly • Assembly view:
Program • How to program the machine,
based on instructions and
processor states (registers,
Instruction Set Architecture memory, condition codes, etc.)?
• Instructions are executed
sequentially.
Processor
Microarchitecture

Circuits
14
Carnegie Mellon

So far in 252…
C Program • ISA is the interface between
assembly programs and
microarchitecture
Assembly • Assembly view:
Program • How to program the machine,
based on instructions and
processor states (registers,
Instruction Set Architecture memory, condition codes, etc.)?
• Instructions are executed
sequentially.
Processor • Microarchitecture view:
Microarchitecture

Circuits
14
Carnegie Mellon

So far in 252…
C Program • ISA is the interface between
assembly programs and
microarchitecture
Assembly • Assembly view:
Program • How to program the machine,
based on instructions and
processor states (registers,
Instruction Set Architecture memory, condition codes, etc.)?
• Instructions are executed
sequentially.
Processor • Microarchitecture view:
Microarchitecture • What hardware needs to be built to
run assembly programs?

Circuits
14
Carnegie Mellon

So far in 252…
C Program • ISA is the interface between
assembly programs and
microarchitecture
Assembly • Assembly view:
Program • How to program the machine,
based on instructions and
processor states (registers,
Instruction Set Architecture memory, condition codes, etc.)?
• Instructions are executed
sequentially.
Processor • Microarchitecture view:
Microarchitecture • What hardware needs to be built to
run assembly programs?
• How to run programs as fast
Circuits (energy-efficient) as possible?
14
Carnegie Mellon

(Simplified) x86 Processor State


RF: Program CC: Stat: Program status
registers Condition
codes
%rax %rsp %r8 %r12
%rcx %rbp %r9 %r13 ZF SF OF DMEM: Memory
%rdx %rsi %r10 %r14 PC
%rbx %rdi %r11

• Processor state is what’s visible to assembly programs. Also known as


architecture state.

15
Carnegie Mellon

(Simplified) x86 Processor State


RF: Program CC: Stat: Program status
registers Condition
codes
%rax %rsp %r8 %r12
%rcx %rbp %r9 %r13 ZF SF OF DMEM: Memory
%rdx %rsi %r10 %r14 PC
%rbx %rdi %r11

• Processor state is what’s visible to assembly programs. Also known as


architecture state.
• Program Registers: 15 registers.

15
Carnegie Mellon

(Simplified) x86 Processor State


RF: Program CC: Stat: Program status
registers Condition
codes
%rax %rsp %r8 %r12
%rcx %rbp %r9 %r13 ZF SF OF DMEM: Memory
%rdx %rsi %r10 %r14 PC
%rbx %rdi %r11

• Processor state is what’s visible to assembly programs. Also known as


architecture state.
• Program Registers: 15 registers.
• Condition Codes: Single-bit flags set by arithmetic or logical instructions
(ZF, SF, OF)

15
Carnegie Mellon

(Simplified) x86 Processor State


RF: Program CC: Stat: Program status
registers Condition
codes
%rax %rsp %r8 %r12
%rcx %rbp %r9 %r13 ZF SF OF DMEM: Memory
%rdx %rsi %r10 %r14 PC
%rbx %rdi %r11

• Processor state is what’s visible to assembly programs. Also known as


architecture state.
• Program Registers: 15 registers.
• Condition Codes: Single-bit flags set by arithmetic or logical instructions
(ZF, SF, OF)
• Program Counter: Indicates address of next instruction

15
Carnegie Mellon

(Simplified) x86 Processor State


RF: Program CC: Stat: Program status
registers Condition
codes
%rax %rsp %r8 %r12
%rcx %rbp %r9 %r13 ZF SF OF DMEM: Memory
%rdx %rsi %r10 %r14 PC
%rbx %rdi %r11

• Processor state is what’s visible to assembly programs. Also known as


architecture state.
• Program Registers: 15 registers.
• Condition Codes: Single-bit flags set by arithmetic or logical instructions
(ZF, SF, OF)
• Program Counter: Indicates address of next instruction
• Program Status: Indicates either normal operation or error condition

15
Carnegie Mellon

(Simplified) x86 Processor State


RF: Program CC: Stat: Program status
registers Condition
codes
%rax %rsp %r8 %r12
%rcx %rbp %r9 %r13 ZF SF OF DMEM: Memory
%rdx %rsi %r10 %r14 PC
%rbx %rdi %r11

• Processor state is what’s visible to assembly programs. Also known as


architecture state.
• Program Registers: 15 registers.
• Condition Codes: Single-bit flags set by arithmetic or logical instructions
(ZF, SF, OF)
• Program Counter: Indicates address of next instruction
• Program Status: Indicates either normal operation or error condition
• Memory
• Byte-addressable storage array
• Words stored in little-endian byte order
15
Carnegie Mellon

Why Have Instructions?


• Why do we need an ISA? Can we directly program the hardware?

16
Carnegie Mellon

Why Have Instructions?


• Why do we need an ISA? Can we directly program the hardware?
• Simplifies interface
• Software knows what is available
• Hardware knows what needs to be implemented

16
Carnegie Mellon

Why Have Instructions?


• Why do we need an ISA? Can we directly program the hardware?
• Simplifies interface
• Software knows what is available
• Hardware knows what needs to be implemented
• Abstraction protects software and hardware
• Software can run on new machines
• Hardware can run old software

16
Carnegie Mellon

Why Have Instructions?


• Why do we need an ISA? Can we directly program the hardware?
• Simplifies interface
• Software knows what is available
• Hardware knows what needs to be implemented
• Abstraction protects software and hardware
• Software can run on new machines
• Hardware can run old software
• Alternatives: Application-Specific Integrated Circuits (ASIC)
• No instructions, (largely) not programmable, fixed-functioned, so
no instruction fetch, decoding, etc.
• So could be implemented extremely efficiently.
• Examples: video/audio codec, (conventional) image signal
processors, (conventional) IP packet router
16
Carnegie Mellon

Today: Instruction Encoding


• How to translate assembly instructions to binary
• Essentially how an assembler works
• Using the Y86-64 ISA: Simplified version of x86-64

17
Carnegie Mellon

How are Instructions Encoded in Binary?


• Remember that instructions are stored in memory as bits (just
like data)
• Each instruction is fetched (according to the address specified
in the PC), decoded, and executed by the CPU
• The ISA defines the format of an instruction (syntax) and its
meaning (semantics)
• Idea: encode the two major fields, opcode and operand,
separately in bits.
• The OPCODE field says what the instruction does (e.g. ADD)
• The OPERAND field(s) say where to find inputs and outputs

18
Carnegie Mellon

Y86-64 Instructions
halt

nop

cmovXX rA, rB

irmovq V, rB

rmmovq rA, D(rB)

mrmovq D(rB), rA

OPq rA, rB

jXX Dest

call Dest

ret

pushq rA

popq rA
19
Carnegie Mellon

Y86-64 Instructions
halt

nop

cmovXX rA, rB

irmovq V, rB

rmmovq rA, D(rB)


jmp
mrmovq D(rB), rA
jle
OPq rA, rB
jl
jXX Dest
je
call Dest
jne
ret
jge
pushq rA
jg
popq rA
19
Carnegie Mellon

Y86-64 Instructions
halt

nop

cmovXX rA, rB

irmovq V, rB addq

rmmovq rA, D(rB) subq


jmp
mrmovq D(rB), rA andq
jle
OPq rA, rB xorq
jl
jXX Dest
je
call Dest
jne
ret
jge
pushq rA
jg
popq rA
19
Carnegie Mellon

rrmovq
Y86-64 Instructions cmovle

cmovl
halt

cmove
nop

cmovne
cmovXX rA, rB
cmovge
irmovq V, rB addq
cmovg
rmmovq rA, D(rB) subq
jmp
mrmovq D(rB), rA andq
jle
OPq rA, rB xorq
jl
jXX Dest
je
call Dest
jne
ret
jge
pushq rA
jg
popq rA
19
Carnegie Mellon

rrmovq
Y86-64 Instructions cmovle

halt How to encode them in bits? cmovl

cmove
nop

cmovne
cmovXX rA, rB
cmovge
irmovq V, rB addq
cmovg
rmmovq rA, D(rB) subq
jmp
mrmovq D(rB), rA andq
jle
OPq rA, rB xorq
jl
jXX Dest
je
call Dest
jne
ret
jge
pushq rA
jg
popq rA
19
Carnegie Mellon

Encoding Opcodes
halt addq • 27 Instructions, so need 5 bits
nop subq
for encoding the operand
rrmovq
cmovXX rA, rB andq
cmovle
irmovq V, rB xorq
cmovl
rmmovq rA, D(rB)
jmp
cmove
mrmovq D(rB), rA
jle
cmovne
OPq rA, rB
jl
cmovge
jXX Dest
je
cmovg
call Dest
jne
ret
jge
pushq rA
jg
popq rA
20
Carnegie Mellon

Encoding Opcodes
halt addq • 27 Instructions, so need 5 bits
nop subq
for encoding the operand

cmovXX rA, rB andq


rrmovq • Or: group similar instructions,
use one opcode for them, and
cmovle
irmovq V, rB xorq then use more bits to indicate
rmmovq rA, D(rB)
cmovl specific instructions within a
jmp
cmove group.
mrmovq D(rB), rA
jle
cmovne
OPq rA, rB
jl
cmovge
jXX Dest
je
cmovg
call Dest
jne
ret
jge
pushq rA
jg
popq rA
20
Carnegie Mellon

Encoding Opcodes
halt addq • 27 Instructions, so need 5 bits
nop subq
for encoding the operand

cmovXX rA, rB andq


rrmovq • Or: group similar instructions,
use one opcode for them, and
cmovle
irmovq V, rB xorq then use more bits to indicate
rmmovq rA, D(rB)
cmovl specific instructions within a
jmp
cmove group.
mrmovq D(rB), rA

OPq rA, rB
jle
cmovne • E.g., 12 categories, so 4 bits
jl
cmovge
jXX Dest
je
cmovg
call Dest
jne
ret
jge
pushq rA
jg
popq rA
20
Carnegie Mellon

Encoding Opcodes
halt addq • 27 Instructions, so need 5 bits
nop subq
for encoding the operand

cmovXX rA, rB andq


rrmovq • Or: group similar instructions,
use one opcode for them, and
cmovle
irmovq V, rB xorq then use more bits to indicate
rmmovq rA, D(rB)
cmovl specific instructions within a
jmp
cmove group.
mrmovq D(rB), rA

OPq rA, rB
jle
cmovne • E.g., 12 categories, so 4 bits
jl
cmovge
• There are four instructions within
jXX Dest
je
the OPq category, so additional
cmovg
call Dest 2 bits. Similarly, 3 more bits for
jne
ret
jXX and cmovXX, respectively.
jge
pushq rA
jg
popq rA
20
Carnegie Mellon

Encoding Opcodes
halt addq • 27 Instructions, so need 5 bits
nop subq
for encoding the operand

cmovXX rA, rB andq


rrmovq • Or: group similar instructions,
use one opcode for them, and
cmovle
irmovq V, rB xorq then use more bits to indicate
rmmovq rA, D(rB)
cmovl specific instructions within a
jmp
cmove group.
mrmovq D(rB), rA

OPq rA, rB
jle
cmovne • E.g., 12 categories, so 4 bits
jl
cmovge
• There are four instructions within
jXX Dest
je
the OPq category, so additional
cmovg
call Dest 2 bits. Similarly, 3 more bits for
jne
ret
jXX and cmovXX, respectively.

pushq rA
jge
• Which one is better???
jg
popq rA
20
Carnegie Mellon

Encoding Opcodes
Byte 0 1 2 3 4 5 6 7 8 9

halt 0 0

nop 1 0
• Design decision chosen by the textbook
cmovXX rA, rB 2 fn authors (don’t have to be this way!)
irmovq V, rB 3 0 • Use 4 bits to encode the instruction
category
rmmovq rA, D(rB) 4 0
• Another 4 bits to encode the specific
5 0
mrmovq D(rB), rA
instructions within a category
OPq rA, rB 6 fn • So 1 bytes for encoding opcode
jXX Dest 7 fn • Is this better than the alternative of using

call Dest 8 0 5 bits without classifying instructions?


• Trade-offs.
ret 9 0

pushq rA A 0

popq rA B 0
21
Carnegie Mellon

Encoding Registers
Each register has 4-bit ID
• Same encoding as in x86-64
• Register ID 15 (0xF) indicates “no register”

%rax 0 %r8 8
%rcx 1 %r9 9
%rdx 2 %r10 A
%rbx 3 %r11 B
%rsp 4 %r12 C
%rbp 5 %r13 D
%rsi 6 %r14 E
%rdi 7 No Register F

22
Carnegie Mellon

Encoding Registers
Byte 0 1 2 3 4 5 6 7 8 9

halt 0 0

nop 1 0

cmovXX rA, rB 2 fn rA rB

irmovq V, rB 3 0 F rB

rmmovq rA, D(rB) 4 0 rA rB

mrmovq D(rB), rA 5 0 rA rB

OPq rA, rB 6 fn rA rB

jXX Dest 7 fn

call Dest 8 0

ret 9 0

pushq rA A 0 rA F

popq rA B 0 rA F
23
Carnegie Mellon

Instruction Example
Addition Instruction

addq rA, rB 6 0 rA rB

• Add value in register rA to that in register rB


• Store result in register rB
• Set condition codes based on result
• e.g., addq %rax,%rsi Encoding: 60 06
• Two-byte encoding
• First indicates instruction type
• Second gives source and destination registers

24
Carnegie Mellon

Instruction Example
Addition Instruction
Assembly Form

addq rA, rB 6 0 rA rB

• Add value in register rA to that in register rB


• Store result in register rB
• Set condition codes based on result
• e.g., addq %rax,%rsi Encoding: 60 06
• Two-byte encoding
• First indicates instruction type
• Second gives source and destination registers

24
Carnegie Mellon

Instruction Example
Addition Instruction
Assembly Form

Encoded Representation

addq rA, rB 6 0 rA rB

• Add value in register rA to that in register rB


• Store result in register rB
• Set condition codes based on result
• e.g., addq %rax,%rsi Encoding: 60 06
• Two-byte encoding
• First indicates instruction type
• Second gives source and destination registers

24
Carnegie Mellon

Arithmetic and Logical Operations


Add • Refer to generically as “OPq”
addq rA, rB 6 0 rA rB • Encodings differ only by “function
code”
Subtract (rA from rB) • Low-order 4 bits in first instruction
byte
subq rA, rB 6 1 rA rB
• Set condition codes as side effect
And

andq rA, rB 6 2 rA rB

Exclusive-Or

xorq rA, rB 6 3 rA rB

25
Carnegie Mellon

Move Instructions
Byte 0 1 2 3 4 5 6 7 8 9

halt 0 0

nop 1 0

cmovXX rA, rB 2 fn rA rB

irmovq V, rB 3 0 F rB

rmmovq rA, D(rB) 4 0 rA rB

mrmovq D(rB), rA 5 0 rA rB

OPq rA, rB 6 fn rA rB

jXX Dest 7 fn

call Dest 8 0

ret 9 0

pushq rA A 0 rA F

popq rA B 0 rA F
26
Carnegie Mellon

Move Instructions
Byte 0 1 2 3 4 5 6 7 8 9

halt 0 0

nop 1 0

cmovXX rA, rB 2 fn rA rB

irmovq V, rB 3 0 F rB irmovq $0xabcd, %rdx

rmmovq rA, D(rB) 4 0 rA rB

mrmovq D(rB), rA 5 0 rA rB

OPq rA, rB 6 fn rA rB

jXX Dest 7 fn

call Dest 8 0

ret 9 0

pushq rA A 0 rA F

popq rA B 0 rA F
26
Carnegie Mellon

Move Instructions
Byte 0 1 2 3 4 5 6 7 8 9

halt 0 0

nop 1 0

cmovXX rA, rB 2 fn rA rB

irmovq V, rB 3 0 F rB V

rmmovq rA, D(rB) 4 0 rA rB

mrmovq D(rB), rA 5 0 rA rB

OPq rA, rB 6 fn rA rB

jXX Dest 7 fn

call Dest 8 0

ret 9 0

pushq rA A 0 rA F

popq rA B 0 rA F
26
Carnegie Mellon

Move Instructions
Byte 0 1 2 3 4 5 6 7 8 9

halt 0 0

nop 1 0

cmovXX rA, rB 2 fn rA rB

irmovq V, rB 3 0 F rB V

rmmovq rA, D(rB) 4 0 rA rB rmmovq %rsi,0x41c(%rsp)

mrmovq D(rB), rA 5 0 rA rB

OPq rA, rB 6 fn rA rB

jXX Dest 7 fn

call Dest 8 0

ret 9 0

pushq rA A 0 rA F

popq rA B 0 rA F
26
Carnegie Mellon

Move Instructions
Byte 0 1 2 3 4 5 6 7 8 9

halt 0 0

nop 1 0

cmovXX rA, rB 2 fn rA rB

irmovq V, rB 3 0 F rB V

rmmovq rA, D(rB) 4 0 rA rB D

mrmovq D(rB), rA 5 0 rA rB

OPq rA, rB 6 fn rA rB

jXX Dest 7 fn

call Dest 8 0

ret 9 0

pushq rA A 0 rA F

popq rA B 0 rA F
26
Carnegie Mellon

Move Instructions
Byte 0 1 2 3 4 5 6 7 8 9

halt 0 0

nop 1 0

cmovXX rA, rB 2 fn rA rB

irmovq V, rB 3 0 F rB V

rmmovq rA, D(rB) 4 0 rA rB D

mrmovq D(rB), rA 5 0 rA rB mrmovq -12(%rbp),%rcx

OPq rA, rB 6 fn rA rB

jXX Dest 7 fn

call Dest 8 0

ret 9 0

pushq rA A 0 rA F

popq rA B 0 rA F
26
Carnegie Mellon

Move Instructions
Byte 0 1 2 3 4 5 6 7 8 9

halt 0 0

nop 1 0

cmovXX rA, rB 2 fn rA rB

irmovq V, rB 3 0 F rB V

rmmovq rA, D(rB) 4 0 rA rB D

mrmovq D(rB), rA 5 0 rA rB D

OPq rA, rB 6 fn rA rB

jXX Dest 7 fn

call Dest 8 0

ret 9 0

pushq rA A 0 rA F

popq rA B 0 rA F
26
Carnegie Mellon

Move Instructions
Byte 0 1 2 3 4 5 6 7 8 9

halt 0 0

nop 1 0
The instruction length limits the
immediate value and displacement.
cmovXX rA, rB 2 fn rA rB

irmovq V, rB 3 0 F rB V

rmmovq rA, D(rB) 4 0 rA rB D

mrmovq D(rB), rA 5 0 rA rB D

OPq rA, rB 6 fn rA rB

jXX Dest 7 fn

call Dest 8 0

ret 9 0

pushq rA A 0 rA F

popq rA B 0 rA F
26
Carnegie Mellon

Move Instruction Examples


Y86-64
irmovq $0xabcd, %rdx

Encoding: 30 f2 cd ab 00 00 00 00 00 00

rrmovq %rsp, %rbx

Encoding: 20 43

mrmovq -12(%rbp),%rcx

Encoding: 50 15 f4 ff ff ff ff ff ff ff

rmmovq %rsi,0x41c(%rsp)

Encoding: 40 64 1c 04 00 00 00 00 00 00

27
Carnegie Mellon

Jump/Call Instructions
Byte 0 1 2 3 4 5 6 7 8 9

halt 0 0

nop 1 0

cmovXX rA, rB 2 fn rA rB

irmovq V, rB 3 0 F rB V

rmmovq rA, D(rB) 4 0 rA rB D

mrmovq D(rB), rA 5 0 rA rB D

OPq rA, rB 6 fn rA rB

jXX Dest 7 fn

call Dest 8 0

ret 9 0

pushq rA A 0 rA F

popq rA B 0 rA F
28
Carnegie Mellon

Jump/Call Instructions
Byte 0 1 2 3 4 5 6 7 8 9

halt 0 0

nop 1 0

cmovXX rA, rB 2 fn rA rB

irmovq V, rB 3 0 F rB V

rmmovq rA, D(rB) 4 0 rA rB D

mrmovq D(rB), rA 5 0 rA rB D

OPq rA, rB 6 fn rA rB

jXX Dest 7 fn jle .L4

call Dest 8 0

ret 9 0

pushq rA A 0 rA F

popq rA B 0 rA F
28
Carnegie Mellon

Jump/Call Instructions
Byte 0 1 2 3 4 5 6 7 8 9

halt 0 0
The assembler would assume a start
nop 1 0 address of the program, and then calculates
2 fn rA rB
the address of each instruction.
cmovXX rA, rB

irmovq V, rB 3 0 F rB V

rmmovq rA, D(rB) 4 0 rA rB D

mrmovq D(rB), rA 5 0 rA rB D

OPq rA, rB 6 fn rA rB

jXX Dest 7 fn jle .L4

call Dest 8 0

ret 9 0

pushq rA A 0 rA F

popq rA B 0 rA F
28
Carnegie Mellon

Jump/Call Instructions
Byte 0 1 2 3 4 5 6 7 8 9

halt 0 0
The assembler would assume a start
nop 1 0 address of the program, and then calculates
2 fn rA rB
the address of each instruction.
cmovXX rA, rB

irmovq V, rB 3 0 F rB V

rmmovq rA, D(rB) 4 0 rA rB D

mrmovq D(rB), rA 5 0 rA rB D

OPq rA, rB 6 fn rA rB

jXX Dest 7 fn Dest (essentially the target address)

call Dest 8 0

ret 9 0

pushq rA A 0 rA F

popq rA B 0 rA F
28
Carnegie Mellon

Jump/Call Instructions
Byte 0 1 2 3 4 5 6 7 8 9

halt 0 0
The assembler would assume a start
nop 1 0 address of the program, and then calculates
2 fn rA rB
the address of each instruction.
cmovXX rA, rB

irmovq V, rB 3 0 F rB V

rmmovq rA, D(rB) 4 0 rA rB D

mrmovq D(rB), rA 5 0 rA rB D

OPq rA, rB 6 fn rA rB

jXX Dest 7 fn Dest (essentially the target address)

call Dest 8 0 call foo

ret 9 0

pushq rA A 0 rA F

popq rA B 0 rA F
28
Carnegie Mellon

Jump/Call Instructions
Byte 0 1 2 3 4 5 6 7 8 9

halt 0 0
The assembler would assume a start
nop 1 0 address of the program, and then calculates
2 fn rA rB
the address of each instruction.
cmovXX rA, rB

irmovq V, rB 3 0 F rB V

rmmovq rA, D(rB) 4 0 rA rB D

mrmovq D(rB), rA 5 0 rA rB D

OPq rA, rB 6 fn rA rB

jXX Dest 7 fn Dest (essentially the target address)

call Dest 8 0 Dest (essentially the start address of the callee)

ret 9 0

pushq rA A 0 rA F

popq rA B 0 rA F
28
Carnegie Mellon

How Does An Assembler Work?


rmmovq rA, D(rB) 4 0 rA rB D

OPq rA, rB 6 fn rA rB

jXX Dest 7 fn Dest

call Dest 8 0 Dest

29
Carnegie Mellon

How Does An Assembler Work?


rmmovq rA, D(rB) 4 0 rA rB D

OPq rA, rB 6 fn rA rB

jXX Dest 7 fn Dest

call Dest 8 0 Dest

0x100 <foo> rmmovq %rsi,0x41c(%rsp)


… …
ret

addq %rax,%rsi

call <foo>

jmp .L0
… …
.L0 irmovq $0xabcd, %rdx

29
Carnegie Mellon

How Does An Assembler Work?


rmmovq rA, D(rB) 4 0 rA rB D

OPq rA, rB 6 fn rA rB

jXX Dest 7 fn Dest

call Dest 8 0 Dest

0x100 <foo> rmmovq %rsi,0x41c(%rsp) 40 64 1c 04 00 00 00 00 00 00


… …
ret

addq %rax,%rsi

call <foo>

jmp .L0
… …
.L0 irmovq $0xabcd, %rdx

29
Carnegie Mellon

How Does An Assembler Work?


rmmovq rA, D(rB) 4 0 rA rB D

OPq rA, rB 6 fn rA rB

jXX Dest 7 fn Dest

call Dest 8 0 Dest

0x100 <foo> rmmovq %rsi,0x41c(%rsp) 40 64 1c 04 00 00 00 00 00 00


… …
ret 90

addq %rax,%rsi

call <foo>

jmp .L0
… …
.L0 irmovq $0xabcd, %rdx

29
Carnegie Mellon

How Does An Assembler Work?


rmmovq rA, D(rB) 4 0 rA rB D

OPq rA, rB 6 fn rA rB

jXX Dest 7 fn Dest

call Dest 8 0 Dest

0x100 <foo> rmmovq %rsi,0x41c(%rsp) 40 64 1c 04 00 00 00 00 00 00


… …
ret 90

addq %rax,%rsi 60 06

call <foo>

jmp .L0
… …
.L0 irmovq $0xabcd, %rdx

29
Carnegie Mellon

How Does An Assembler Work?


rmmovq rA, D(rB) 4 0 rA rB D

OPq rA, rB 6 fn rA rB

jXX Dest 7 fn Dest

call Dest 8 0 Dest

0x100 <foo> rmmovq %rsi,0x41c(%rsp) 40 64 1c 04 00 00 00 00 00 00


… …
ret 90

addq %rax,%rsi 60 06

call <foo> 80 00 01 00 00 00 00 00 00

jmp .L0
… …
.L0 irmovq $0xabcd, %rdx

29
Carnegie Mellon

How Does An Assembler Work?


rmmovq rA, D(rB) 4 0 rA rB D

OPq rA, rB 6 fn rA rB

jXX Dest 7 fn Dest

call Dest 8 0 Dest

0x100 <foo> rmmovq %rsi,0x41c(%rsp) 40 64 1c 04 00 00 00 00 00 00


… …
ret 90

addq %rax,%rsi 60 06

call <foo> 80 00 01 00 00 00 00 00 00

jmp .L0 70 ????????


… …
.L0 irmovq $0xabcd, %rdx

29
Carnegie Mellon

How Does An Assembler Work?


rmmovq rA, D(rB) 4 0 rA rB D

OPq rA, rB 6 fn rA rB

jXX Dest 7 fn Dest

call Dest 8 0 Dest

0x100 <foo> rmmovq %rsi,0x41c(%rsp) 40 64 1c 04 00 00 00 00 00 00


… …
ret 90

addq %rax,%rsi 60 06

call <foo> 80 00 01 00 00 00 00 00 00

jmp .L0 70 ????????


… …
.L0 irmovq $0xabcd, %rdx 30 f2 cd ab 00 00 00 00 00 00

29
Carnegie Mellon

How Does An Assembler Work?


rmmovq rA, D(rB) 4 0 rA rB D

OPq rA, rB 6 fn rA rB

jXX Dest 7 fn Dest

call Dest 8 0 Dest

0x100 <foo> rmmovq %rsi,0x41c(%rsp) 40 64 1c 04 00 00 00 00 00 00


… …
ret 90
0x100 + the
lengths of all addq %rax,%rsi 60 06
instructions
in-between call <foo> 80 00 01 00 00 00 00 00 00

jmp .L0 70 ????????


… …
.L0 irmovq $0xabcd, %rdx 30 f2 cd ab 00 00 00 00 00 00

29
Carnegie Mellon

How Does An Assembler Work?


rmmovq rA, D(rB) 4 0 rA rB D

OPq rA, rB 6 fn rA rB

jXX Dest 7 fn Dest

call Dest 8 0 Dest

0x100 <foo> rmmovq %rsi,0x41c(%rsp) 40 64 1c 04 00 00 00 00 00 00


… …
ret 90
0x100 + the
lengths of all addq %rax,%rsi 60 06
instructions
in-between call <foo> 80 00 01 00 00 00 00 00 00

jmp .L0 70 ????????


… …
0x200 .L0 irmovq $0xabcd, %rdx 30 f2 cd ab 00 00 00 00 00 00

29
Carnegie Mellon

How Does An Assembler Work?


rmmovq rA, D(rB) 4 0 rA rB D

OPq rA, rB 6 fn rA rB

jXX Dest 7 fn Dest

call Dest 8 0 Dest

0x100 <foo> rmmovq %rsi,0x41c(%rsp) 40 64 1c 04 00 00 00 00 00 00


… …
ret 90
0x100 + the
lengths of all addq %rax,%rsi 60 06
instructions
in-between call <foo> 80 00 01 00 00 00 00 00 00

jmp .L0 70 00
????????
02 00 00 00 00 00 00
… …
0x200 .L0 irmovq $0xabcd, %rdx 30 f2 cd ab 00 00 00 00 00 00

29
Carnegie Mellon

How Does An Assembler Work?


• The assembler is a program that translates assembly code to binary code
• The OS tells the assembler the start address of the code (sort of…)
• Translate the assembly program line by line
• Need to build a “label map” that maps each label to its address
0x100 <foo> rmmovq %rsi,0x41c(%rsp) 40 64 1c 04 00 00 00 00 00 00
… …
ret 90
0x100 + the
lengths of all addq %rax,%rsi 60 06
instructions
in-between call <foo> 80 00 01 00 00 00 00 00 00

jmp .L0 70 00
????????
02 00 00 00 00 00 00
… …
0x200 .L0 irmovq $0xabcd, %rdx 30 f2 cd ab 00 00 00 00 00 00

30
Carnegie Mellon

Jump Instructions
Jump Unconditionally
jmp Dest 7 0 Dest

Jump When Less or Equal


jle Dest 7 1 Dest

Jump When Less


jl Dest 7 2 Dest

Jump When Equal


je Dest 7 3 Dest

Jump When Not Equal


jne Dest 7 4 Dest

Jump When Greater or Equal


jge Dest 7 5 Dest

Jump When Greater


jg Dest 7 6 Dest

31
Carnegie Mellon

Subroutine Call and Return


call Dest 8 0 Dest

• Push address of next instruction onto stack


• Start executing instructions at Dest
• Like x86-64

ret 9 0

• Pop value from stack


• Use as address for next instruction
• Like x86-64

32
Carnegie Mellon

One More Complication…


Byte 0 1 2 3 4 5 6 7 8 9

jXX Dest 7 fn Dest (essentially the target address) jle .L4

call Dest 8 0 Dest (essentially the start address of the callee) call foo

33
Carnegie Mellon

One More Complication…


Byte 0 1 2 3 4 5 6 7 8 9

jXX Dest 7 fn Dest (essentially the target address) jle .L4

call Dest 8 0 Dest (essentially the start address of the callee) call foo

• The instruction length limits how far you can jump/call functions. What
if the jump target has a very long address that can’t fit in 8 bytes?

33
Carnegie Mellon

One More Complication…


Byte 0 1 2 3 4 5 6 7 8 9

jXX Dest 7 fn Dest (essentially the target address) jle .L4

call Dest 8 0 Dest (essentially the start address of the callee) call foo

• The instruction length limits how far you can jump/call functions. What
if the jump target has a very long address that can’t fit in 8 bytes?
• One alternative: use a super long instruction encoding format.
• Simple to encode, but space inefficient (waste bits for jumps to short
addr.)

33
Carnegie Mellon

One More Complication…


Byte 0 1 2 3 4 5 6 7 8 9

jXX Dest 7 fn Dest (essentially the target address) jle .L4

call Dest 8 0 Dest (essentially the start address of the callee) call foo

• The instruction length limits how far you can jump/call functions. What
if the jump target has a very long address that can’t fit in 8 bytes?
• One alternative: use a super long instruction encoding format.
• Simple to encode, but space inefficient (waste bits for jumps to short
addr.)
• Another alternative: encode the relative address, not the absolute
address
• E.g., encode (.L4 - current address) in Dest

33
Carnegie Mellon

Using Relative Addresses for Jumps


• What if the ISA encoding uses relative address for jump and call?

0x100 <foo> rmmovq %rsi,0x41c(%rsp) 40 64 1c 04 00 00 00 00 00 00


… …
ret 90

addq %rax,%rsi 60 06

0x180 call <foo> 80 06 00 01 00 00 00 00 00 00

0x185 jmp .L0 70 00 02 00 00 00 00 00 00


… …
0x200 .L0 irmovq $0xabcd, %rdx 30 f2 cd ab 00 00 00 00 00 00

34
Carnegie Mellon

Using Relative Addresses for Jumps


• What if the ISA encoding uses relative address for jump and call?

0x100 <foo> rmmovq %rsi,0x41c(%rsp) 40 64 1c 04 00 00 00 00 00 00


… …
relative addr: ret 90
-0x80
addq %rax,%rsi 60 06

0x180 call <foo> 80 06 00 01 00 00 00 00 00 00

0x185 jmp .L0 70 00 02 00 00 00 00 00 00


… …
0x200 .L0 irmovq $0xabcd, %rdx 30 f2 cd ab 00 00 00 00 00 00

34
Carnegie Mellon

Using Relative Addresses for Jumps


• What if the ISA encoding uses relative address for jump and call?

0x100 <foo> rmmovq %rsi,0x41c(%rsp) 40 64 1c 04 00 00 00 00 00 00


… …
relative addr: ret 90
-0x80
addq %rax,%rsi 60 06

0x180 call <foo> 80 00


06 00 00
01 11
00 11
00 11
00 11
00 11
00 00

0x185 jmp .L0 70 00 02 00 00 00 00 00 00


… …
0x200 .L0 irmovq $0xabcd, %rdx 30 f2 cd ab 00 00 00 00 00 00

34
Carnegie Mellon

Using Relative Addresses for Jumps


• What if the ISA encoding uses relative address for jump and call?

0x100 <foo> rmmovq %rsi,0x41c(%rsp) 40 64 1c 04 00 00 00 00 00 00


… …
relative addr: ret 90
-0x80
addq %rax,%rsi 60 06

0x180 call <foo> 80 00


06 00 00
01 11
00 11
00 11
00 11
00 11
00 00

0x185 jmp .L0 70 00 02 00 00 00 00 00 00


0x7B … …
0x200 .L0 irmovq $0xabcd, %rdx 30 f2 cd ab 00 00 00 00 00 00

34
Carnegie Mellon

Using Relative Addresses for Jumps


• What if the ISA encoding uses relative address for jump and call?

0x100 <foo> rmmovq %rsi,0x41c(%rsp) 40 64 1c 04 00 00 00 00 00 00


… …
relative addr: ret 90
-0x80
addq %rax,%rsi 60 06

0x180 call <foo> 80 00


06 00 00
01 11
00 11
00 11
00 11
00 11
00 00

0x185 jmp .L0 70 00


7B 02
00 00 00 00 00 00 00
0x7B … …
0x200 .L0 irmovq $0xabcd, %rdx 30 f2 cd ab 00 00 00 00 00 00

34
Carnegie Mellon

Using Relative Addresses for Jumps


• What if the ISA encoding uses relative address for jump and call?
• If we use relative address, the exact start address of the code
doesn’t matter. Why?

0x100 <foo> rmmovq %rsi,0x41c(%rsp) 40 64 1c 04 00 00 00 00 00 00


… …
relative addr: ret 90
-0x80
addq %rax,%rsi 60 06

0x180 call <foo> 80 00


06 00 00
01 11
00 11
00 11
00 11
00 11
00 00

0x185 jmp .L0 70 00


7B 02
00 00 00 00 00 00 00
0x7B … …
0x200 .L0 irmovq $0xabcd, %rdx 30 f2 cd ab 00 00 00 00 00 00

34
Carnegie Mellon

Using Relative Addresses for Jumps


• What if the ISA encoding uses relative address for jump and call?
• If we use relative address, the exact start address of the code
doesn’t matter. Why?
• This code is called Position-Independent Code (PIC)
0x100 <foo> rmmovq %rsi,0x41c(%rsp) 40 64 1c 04 00 00 00 00 00 00
… …
relative addr: ret 90
-0x80
addq %rax,%rsi 60 06

0x180 call <foo> 80 00


06 00 00
01 11
00 11
00 11
00 11
00 11
00 00

0x185 jmp .L0 70 00


7B 02
00 00 00 00 00 00 00
0x7B … …
0x200 .L0 irmovq $0xabcd, %rdx 30 f2 cd ab 00 00 00 00 00 00

34
Carnegie Mellon

One More Complication…


Byte 0 1 2 3 4 5 6 7 8 9

jXX Dest 7 fn Dest (essentially the target address) jle .L4

call Dest 8 0 Dest (essentially the start address of the callee) call foo

35
Carnegie Mellon

One More Complication…


Byte 0 1 2 3 4 5 6 7 8 9

jXX Dest 7 fn Dest (essentially the target address) jle .L4

call Dest 8 0 Dest (essentially the start address of the callee) call foo

• What if you want to jump really far away from the current instruction?
• indirect jump, use a combination of absolute + relative addresses
(“Far jumps” in x86). Elegant design.

35
Carnegie Mellon

Stack Operations
pushq rA A 0 rA F

• Decrement %rsp by 8
• Store word from rA to memory at %rsp
• Like x86-64

popq rA B 0 rA F

• Read word from memory at %rsp


• Save in rA
• Increment %rsp by 8
• Like x86-64

36
Carnegie Mellon

Miscellaneous Instructions
nop 1 0

• Don’t do anything

halt 0 0

• Stop executing instructions


• Usually can’t be executed in the user mode, only by the OS
• Encoding ensures that program hitting memory initialized to zero will halt

37
Carnegie Mellon

Variable Length Instructions

38
Carnegie Mellon

Variable Length Instructions

• X86 (and Y86) is a variable length ISA (1 to 15 bytes), where


different instructions have different lengths.

38
Carnegie Mellon

Variable Length Instructions

• X86 (and Y86) is a variable length ISA (1 to 15 bytes), where


different instructions have different lengths.
• There are fixed length ISAs: all instructions have the same length

38
Carnegie Mellon

Variable Length Instructions

• X86 (and Y86) is a variable length ISA (1 to 15 bytes), where


different instructions have different lengths.
• There are fixed length ISAs: all instructions have the same length
• ARM’s ISA for micro-controllers have a 4-bit ISA. Very Long Instruction Word
(VLIW) ISAs have instructions that are hundreds of bytes long.

38
Carnegie Mellon

Variable Length Instructions

• X86 (and Y86) is a variable length ISA (1 to 15 bytes), where


different instructions have different lengths.
• There are fixed length ISAs: all instructions have the same length
• ARM’s ISA for micro-controllers have a 4-bit ISA. Very Long Instruction Word
(VLIW) ISAs have instructions that are hundreds of bytes long.
• Or you can have a combination of both: e.g., 16-bit ISA with 32-bit extensions
(e..g, ARM Thumb-extension).

38
Carnegie Mellon

Variable Length Instructions

• X86 (and Y86) is a variable length ISA (1 to 15 bytes), where


different instructions have different lengths.
• There are fixed length ISAs: all instructions have the same length
• ARM’s ISA for micro-controllers have a 4-bit ISA. Very Long Instruction Word
(VLIW) ISAs have instructions that are hundreds of bytes long.
• Or you can have a combination of both: e.g., 16-bit ISA with 32-bit extensions
(e..g, ARM Thumb-extension).
• Advantages of variable length ISAs

38
Carnegie Mellon

Variable Length Instructions

• X86 (and Y86) is a variable length ISA (1 to 15 bytes), where


different instructions have different lengths.
• There are fixed length ISAs: all instructions have the same length
• ARM’s ISA for micro-controllers have a 4-bit ISA. Very Long Instruction Word
(VLIW) ISAs have instructions that are hundreds of bytes long.
• Or you can have a combination of both: e.g., 16-bit ISA with 32-bit extensions
(e..g, ARM Thumb-extension).
• Advantages of variable length ISAs
• More compact. Some instructions do not need that many bits. (Actually what’s
the optimal way of encoding instructions in a variable length ISA?)

38
Carnegie Mellon

Variable Length Instructions

• X86 (and Y86) is a variable length ISA (1 to 15 bytes), where


different instructions have different lengths.
• There are fixed length ISAs: all instructions have the same length
• ARM’s ISA for micro-controllers have a 4-bit ISA. Very Long Instruction Word
(VLIW) ISAs have instructions that are hundreds of bytes long.
• Or you can have a combination of both: e.g., 16-bit ISA with 32-bit extensions
(e..g, ARM Thumb-extension).
• Advantages of variable length ISAs
• More compact. Some instructions do not need that many bits. (Actually what’s
the optimal way of encoding instructions in a variable length ISA?)
• Can have arbitrary number of instructions: easy to add new inst.

38
Carnegie Mellon

Variable Length Instructions

• X86 (and Y86) is a variable length ISA (1 to 15 bytes), where


different instructions have different lengths.
• There are fixed length ISAs: all instructions have the same length
• ARM’s ISA for micro-controllers have a 4-bit ISA. Very Long Instruction Word
(VLIW) ISAs have instructions that are hundreds of bytes long.
• Or you can have a combination of both: e.g., 16-bit ISA with 32-bit extensions
(e..g, ARM Thumb-extension).
• Advantages of variable length ISAs
• More compact. Some instructions do not need that many bits. (Actually what’s
the optimal way of encoding instructions in a variable length ISA?)
• Can have arbitrary number of instructions: easy to add new inst.
• What is the down side?

38
Carnegie Mellon

Variable Length Instructions

• X86 (and Y86) is a variable length ISA (1 to 15 bytes), where


different instructions have different lengths.
• There are fixed length ISAs: all instructions have the same length
• ARM’s ISA for micro-controllers have a 4-bit ISA. Very Long Instruction Word
(VLIW) ISAs have instructions that are hundreds of bytes long.
• Or you can have a combination of both: e.g., 16-bit ISA with 32-bit extensions
(e..g, ARM Thumb-extension).
• Advantages of variable length ISAs
• More compact. Some instructions do not need that many bits. (Actually what’s
the optimal way of encoding instructions in a variable length ISA?)
• Can have arbitrary number of instructions: easy to add new inst.
• What is the down side?
• Fetch and decode are harder to implement. More on this later.

38
Carnegie Mellon

Variable Length Instructions

• X86 (and Y86) is a variable length ISA (1 to 15 bytes), where


different instructions have different lengths.
• There are fixed length ISAs: all instructions have the same length
• ARM’s ISA for micro-controllers have a 4-bit ISA. Very Long Instruction Word
(VLIW) ISAs have instructions that are hundreds of bytes long.
• Or you can have a combination of both: e.g., 16-bit ISA with 32-bit extensions
(e..g, ARM Thumb-extension).
• Advantages of variable length ISAs
• More compact. Some instructions do not need that many bits. (Actually what’s
the optimal way of encoding instructions in a variable length ISA?)
• Can have arbitrary number of instructions: easy to add new inst.
• What is the down side?
• Fetch and decode are harder to implement. More on this later.
• A good writeup showing some of the complexity involved:
http://www.c-jump.com/CIS77/CPU/x86/lecture.html
38

You might also like