Tag: Assembly

Assembly Primer Part 4 — Hello World — PPC

These are my notes for where I can see PPC varying from ia32, as presented in the video Part 4 — Hello World. Let me know if I’ve missed something important, obvious or got something wrong.

http://www.ibm.com/developerworks/library/l-ppc/ gives a good starting overview of PPC asm, including syscalls. The syscall number goes into gpr0 and the args in gpr3 and following, so JustExit.s becomes:

.text
.globl _start

_start:
    li 0,1 # load 1 into reg 0
    li 3,0 # load 0 into reg 3
    sc     # system call

Simple enough.

Modifying the provided HelloWorldProgram.s example (and using the example from the above link) yields

.data

HelloWorldString:
    .ascii "Hello World\n"

.text

.globl _start

_start:
    # Load all the arguments for write ()

    li   0, 4  # syscall number of 4 (write)
    li   3, 1  # filenumber 1 (stdout)
    lis  4, HelloWorldString@ha   # load upper 16 bits of addr
    addi 4, 4, HelloWorldString@l # add lower 16 bits of addr
    li   5, 12 # length of string
    sc

    # exit the program
    li 0,1
    li 3,0
    sc

There’s some subtlety in the @ha and @l high and low parts of addresses that I don’t yet have my head around fully, but I’ll be coming back to this in a later part.

Previous assembly primer notes…

Part 1 — System Organization — PPC — SPU
Part 2 — Memory Organisation — SPU
Part 3 — GDB Usage Primer — PPC & SPU

Assembly Primer Part 3 — GDB Usage Primer

These are my notes for where I can see both PPC and SPU varying from ia32, as presented in the video Part 3 — GDB Usage Primer. The usage of gdb is effectively the same for all three architectures — I’ve noted here some of the differences in the program being debugged.

In the ia32 disassembly of SimpleDemo.c, the call instruction is generated for function calls.

When compiled for PPC, I see bl — branch to address offset from bl instruction, placing the address of the following instruction in the link register (lr).

When compiled for SPU, I see brsl — branch to address offset from brsl instruction, placing the address of the following instruction into the specified register (typically r0, used as link register).

Neither PPC nor SPU pass args on the stack (at least not for two scalar args as for the add function in SimpleDemo.c). Those values can still be seen as being present on the stack when examining it in gdb. The reason appears to be that when compiled with no optimisation, a number of registers are pushed to the stack that are not needed. Compiling at -O1 eliminates the superfluous pushes, so the args are no longer visible there, being present in the appropriate registers when the function is called.

(This document on calling conventions from Intel seems to say that args get passed to functions in regs where possible on ia32 as well… I can see it happening for amd64, not ia32)

As noted above, PPC and SPU store the function return address in the link register (lr or r0), not on the stack.

All three architectures appear to put the return value in a register (eax or r3).

Previous assembly primer notes…

Part 1 — System Organization — PPC — SPU
Part 2 — Memory Organisation — SPU

Assembly Primer Part 2 — Memory Organisation — SPU

These are my notes for where I can see SPU varying from ia32, as presented in the video Part 2 — Virtual Memory Organization.

(I didn’t notice see any significant differences between the presented information for ia32 and PPC — apart from what was noted from the first presentation — so there’s no separate post for that arch).

To compile SimpleDemo.c to examine on the SPU, you’ll need to add the -mstdmain option to spu-gcc (or spu-elf-gcc) so that the program will correctly receive the command line options.

If you examine the /proc/$PID/maps file when running a standalone SPU program, you’ll see something like this:

00100000-00120000 r-xp 00000000 00:00 0       [vdso]
0fd70000-0fd90000 r-xp 00000000 fe:02 1590608 /lib/libgcc_s.so.1
0fd90000-0fda0000 rw-p 00010000 fe:02 1590608 /lib/libgcc_s.so.1
0fdb0000-0fdd0000 r-xp 00000000 fe:02 292441  /lib/libpthread-2.11.2.so
0fdd0000-0fde0000 rw-p 00010000 fe:02 292441  /lib/libpthread-2.11.2.so
0fdf0000-0fe00000 r-xp 00000000 fe:02 292418  /lib/librt-2.11.2.so
0fe00000-0fe10000 rw-p 00000000 fe:02 292418  /lib/librt-2.11.2.so
0fe20000-0ff90000 r-xp 00000000 fe:02 292437  /lib/libc-2.11.2.so
0ff90000-0ffa0000 rw-p 00160000 fe:02 292437  /lib/libc-2.11.2.so
0ffa0000-0ffb0000 rw-p 00000000 00:00 0
0ffc0000-0ffe0000 r-xp 00000000 fe:02 1590211 /usr/lib/libspe2.so.2.2.80
0ffe0000-0fff0000 rw-p 00010000 fe:02 1590211 /usr/lib/libspe2.so.2.2.80
10000000-10010000 r-xp 00000000 fe:02 1821445 /usr/bin/elfspe
10010000-10020000 rw-p 00000000 fe:02 1821445 /usr/bin/elfspe
10020000-10050000 rwxp 00000000 00:00 0       [heap]
f7f60000-f7f70000 rw-p 00000000 00:00 0
f7f70000-f7fb0000 rw-s 00000000 00:13 9086
                                       /spu/spethread-2971-268566640/mem
f7fb0000-f7fc0000 rw-p 00000000 fe:02 1463963
                     /home/jonathan/AssemblyLanguagePrimer/SimpleDemoSPU
f7fc0000-f7fe0000 r-xp 00000000 fe:02 292430  /lib/ld-2.11.2.so
f7fe0000-f7ff0000 rw-p 00020000 fe:02 292430  /lib/ld-2.11.2.so
ffea0000-ffff0000 rw-p 00000000 00:00 0       [stack]

This is the information for the elfspe loader for the SPU program.

(The SPU’s local store is mapped into elfspe’s address space at 0xf7f7000. This is with randomize_va_space set to zero, so it should always be in that location. This is possibly useful…)

There is no equivalent of this for the SPU program itself as there is no virtual memory mapping required (or possible) within the local store. The state of the SPU’s memory state may be examined externally through the spufs interface provided (in this case, the file /spu/spethread-2971-268566640/mem from the above listing may be used to access the current SPU LS state). Or, of course, using gdb.

Previous assembly primer notes…

Part 1 — System Organization — PPC — SPU

Assembly Primer Part 1 — System Organization — SPU

The platform I’m using is Debian Sid on a PS3 (3.15 OtherOS) with the spu-gcc toolchain.

These are my notes for where I can see the SPU varying from the ia32, as presented in the video Part 1 — System Organization. Let me know if I’ve missed something important, obvious or got something wrong.

For reference, I’m using the SPU ABI and ISA docs.

General Purpose Registers

128 128bit registers, treated as different data types depending on the instruction used.
- r0 (LR) — Return Address / Link Register
- r1 (SP) — Stack pointer information.
  - Word 0 — current stack pointer (always 16-byte aligned, grows down)
  - Word 1 — bytes of available stack space
- r2 — Environment pointer (for languages that use one)
- r3–r74 — First 72 qwords of a function’s argument list and its return value
- r75–r79 — Scratch registers
- r80–r127 — Local variable registers. Preserved across function calls.
FPSCR — Floating-Point Status and Control Register
Channels — Used for various DMA operations, access to the decrementer, mailboxes and signalling.
SRR0 — Used to store the address of next instruction upon interrupt
LSLR — Local Store Limit Register. 0x0003ffff == 2¹⁸-1 == 262143

Memory model

.text at address 0
Bottom of stack at 0x3ffff, effectively earlier if using -mstdmain. (at least, afaict — could look more closely at how -mstdmain actually works…)

Assembly Primer Part 1 — System Organization — PPC

I found the videos introducing assembly language here to be of interest as my own understanding and experience with assembly is quite limited. The videos are focussed on the ia32 architecture and reverse engineering, particularly for security exploits, and while these aspects don’t really excite me, the videos are well made and clear and the “Assembly Primer for Hackers” videos cover general assembly programming and details of machine architecture that are more broadly applicable.

I thought it would be interesting to work from these videos and make some notes on applying the concepts to the Cell BE’s PPU and SPU.

The platform I’m using is Debian Sid on a PS3 (3.15 OtherOS) with the standard system toolchain.

These are my notes for where I can see the PPU varying from the ia32, as presented in the video Part 1 — System Organization. Let me know if I’ve missed something important, obvious or got something wrong.

For reference, I’m using the PPC Architecture Books (also found in the Cell SDK) and documentation for the PPC64 ABI.

Registers

Branch Processor

CR Condition Register — 32-bit. Provides a mechanism for testing (and branching). Eight 4-bit fields.
- CR0–CR1 — Volatile condition code register fields
- CR2–CR4 — Nonvolatile condition code register fields
- CR5–CR7 — Volatile condition code register fields
LR Link Register (volatile) — 64-bit. Can be used to provide branch target address for Branch Conditional to Link Register instruction
CTR Count Register (volatile) — 64-bit. Can be used to hold a loop count that can be decremented during execution of Branch instructions containing appropriately coded BO field. Also can be used to provide branch target address for the Branch Conditional to Count Register instruction.

Fixed-Pt Processing

GPR0–GPR31 — 64-bit General Purpose registers. Byte, halfword, word or doubleword, depending on instruction flags. Supports byte, halfword, word, doubleword operand fetches and stores to storage.
- r0 — Volatile register used in function prologs
- r1 — Stack frame pointer
- r2 — TOC pointer
- r3 — Volatile parameter and return value register
- r4–r10 — Volatile registers used for function parameters
- r11 — Volatile register used in calls by pointer and as an environment pointer for languages which require one
- r12 — Volatile register used for exception handling and glink code
- r13 — Reserved for use as system thread ID
- r14–r31 — Nonvolatile registers used for local variables
XER Fixed-Point Exception Register (volatile) — 64-bit. Book I, p 32 has the details on this one.
MSR Machine State Register — 64-bit. Defines the state of the processor. See Book III, p 10.

Float-Pt Processing

FPR0–FPR31 Floating-Point Registers — 64-bit. Single or double precision, depending on instruction flags. Supports word and doubleword operand fetches and stores to storage.
- f0 — Volatile scratch register
- f1–f4 — Volatile floating point parameter and return value registers
- f5–f13 — Volatile floating point parameter registers
- f14–f31 — Nonvolatile registers
FPSCR Floading-Point Status and Control Register (volatile) — 32-bit. Status and control bits. See Book1, pp 87–89.

VMX

v0–v1 — Volatile scratch registers
v2–v13 — Volatile vector parameters registers
v14–v19 — Volatile scratch registers
v20–v31 — Non-volatile registers
vrsave — Non-volatile 32-bit register

Privileged

SRR0 & SRR1 Machine Status Save/Restore registers — 64-bit. Used to store machine state when an interrupt occurs.
DAR Data Address Register — 64-bit. Set by various interrupts to effective address associated with interrupt.
DSISR Data Storage Interrupt Status Register — 32-bit. Set to indicate the cause of various interrupts.
SPRG0–SPRG3 Software-use SPRs — 64-bit. For use by privileged software.
CTRL Control Register — 32-bit. Controls an external I/O pin.
PVR Processor Version Register — 32-bit. Read-only.
PIR Processor Identification Register — 32-bit.

(there’s some hypervisor regs not listed here, and probably others…)

Virtual Memory Model

Default/standard location for .text appears to be 0x1000000
stack starts at 0xffffffff