0
Dump of assembler code for function read@plt:
0x0000000000402458 <read@plt+0>:    jmpq   *0x2b4f72(%rip)        # 0x6b73d0 <_GLOBAL_OFFSET_TABLE_+232>
0x000000000040245e <read@plt+6>:    pushq  $0x1a
0x0000000000402463 <read@plt+11>:   jmpq   0x4022a8

Anyone knows?

BTW,how does read knows he comes to the end of file?

Paul R
  • 208,748
  • 37
  • 389
  • 560
cpuer
  • 7,413
  • 14
  • 35
  • 39

3 Answers3

2

No, it's a immediate value. pushq pushes a value onto the stack, which may be a register, but you'll find they're denoted by operands like %rbx.

The $0x1a is an immediate value - you can tell this also by the length of that instruction (five bytes, from x+6 to x+10). The pushq instruction is capable of pushing a register, a memory content (64 bits) or a 32-bit immediate value (sign extended to 64 bits).

In this case, the five bytes are the opcode 0x68 along with the 32-bit value to push. If you were to examine the memory, it would probably look like 0x68 0x1a 0x00 0x00 0x00.

And don't be fooled by that code, it's not the "real" read call at all. It's a stub used to fix up references at runtime where code sections may be shared amongst processors, even at different base addresses.

The PLT is a small-footprint per-process stub which jumps to the real shared code the first time, fixing itself up in the process, so as to jump directly there in future. See here for an explanation of this process.

Community
  • 1
  • 1
paxdiablo
  • 854,327
  • 234
  • 1,573
  • 1,953
  • So `$0x1a` is indeed a register, `%rbx` to be specific? – cpuer Jun 10 '11 at 07:11
  • 1
    No, `$0x1a` is not a register, it's an immediate value of hexadecimal `1a` (decimal 26) the end-of-file indicator for Windows and its predecessors. – paxdiablo Jun 10 '11 at 07:13
  • So I can imagine there're other similar calls whether finally goes to the same syscall,but with a different parameter as `$0x1a`? – cpuer Jun 10 '11 at 07:18
  • Don't mistake the `read` _function_ as a syscall. A syscall is the interface to the _kernel_ using either int80 or the newer sysenter (or perhaps another method depending on architecture). `read()` is simply another userland thing to kernel programmers (`sys_read` is the syscall it eventually gets to). As to other calls, they would have their own place in the PLT. – paxdiablo Jun 10 '11 at 07:30
  • Isn't EOF defined as `-1` in stdio.h? – cpuer Jun 10 '11 at 07:38
  • @cpuer, that's a C thing. `read` is not a C thing, it operates at a different level of abstraction. The UNIX `read` call will return the number of bytes read, or zero on end of file. -1 represents an error. – paxdiablo Jun 10 '11 at 07:46
  • `The $0x1a is an immediate value - you can tell this also by the length of that instruction (five bytes, from x+6 to x+10).` I don't see how can I tell `$0x1a` is immediate from the length of the instruction:( – cpuer Jun 10 '11 at 08:04
  • @cpuer, an instruction to push a register would be very short because (1) it would be done a lot; and (2) you don't need many bits to specify one of the registers (there are only 16 64-bit registers so you only need 4 bits to specify which one). – paxdiablo Jun 10 '11 at 08:13
  • @paxdiablo,can you explain how are variables in shared libraries referenced by loader? http://stackoverflow.com/questions/6306908/how-are-variables-in-shared-libraries-referenced-by-loader – compile-fan Jun 10 '11 at 14:03
0

Registers do not (ordinarily) have a memory location, they are a CPU register.

Arafangion
  • 11,517
  • 1
  • 40
  • 72
  • When we say register,we never mean anything other than CPU register,right? – cpuer Jun 10 '11 at 07:27
  • No, a "register" can mean other things depending on context, but if the context is low level assembly, then yes, it is almost always a CPU register. – Arafangion Jun 10 '11 at 07:53
0

Not mentioned yet, but the leading $ sign denotes a constant. Simple as that when looking at assembly dumps.

One easy pitfall: when looking a dumps of unlinked binaries, don't be fooled by 0x00000000 all over the place. Without the leading $, those are linker relocations, not constant 0 values.

srking
  • 4,512
  • 1
  • 30
  • 46