flat assembler
Message board for the users of flat assembler.

Sequence of calls (Windows forum)

macomics 01 May 2025, 20:12
I came across this sequence of calls in the Windows code.
Code:
    call @last

  @0:
    add rsp, 8
    call @end

  @1:
    add rsp, 8
    call @0

  @2:
    add rsp, 8
    call @1

  @3:
    add rsp, 8
    call @2

; ...

  @last:
    add rsp, 8
    call @last-1

  @end:
...
It became interesting to understand the meaning of this construction, which eludes me.

By the way, this sequence is also present in the user code, not just in the kernel. For example, at the end of the FindWindow function.


Attachment: isr.txt (17.55 KB)

bitRAKE 01 May 2025, 21:21
The specific sequence appears to be a delay - note the following LFENCE. Overall the code appears to be speculative execution prevention with processor specific feature paths.

macomics 01 May 2025, 21:25
Delays? Then why is it in FindWindow when Microsoft is chasing speed?

One more question. Why then are the calls executed towards smaller addresses rather than just sequentially?

ADD: If you're interested, DeepSeek says it's left for debugging. But he's just lying because he doesn't know.


Attachment: fw.txt (12.08 KB)

bitRAKE 01 May 2025, 21:48
I too have more questions.

Perhaps it is related to CET, or some processor errata?

The ordering could be to prevent optimization by the processor - a more consistent delay.

macomics wrote:
when Microsoft is chasing speed?
News to me!

macomics 01 May 2025, 22:00
bitRAKE wrote:
News to me!
Then why, starting with Windows 8, did they start mentioning system boot time in presentations?
I'm not very good with YouTube here, but I'll try to find you a video of their ads with these mentions.

ADD: In my discussion here, they express the opinion that this may be Indirect Branch Prediction Barrier (IBPB).

bitRAKE 01 May 2025, 22:07
(GPT-o3) It's “RSB stuffing”, part of the Spectre v2 / Spectre-RSB mitigation.
GPT-o3 wrote:
Independent mitigations are toggled a few lines earlier (IA32_SPEC_CTRL, IA32_PRED_CMD IBPB, etc.). These cover indirect-branch prediction; the RSB stuffing specifically protects ret prediction.


... also affects AMD.

revolution 02 May 2025, 02:08
macomics wrote:
One more question. Why then are the calls executed towards smaller addresses rather than just sequentially?
Probably because C requires declarations first before instantiation. So the C-trained programmer just did it automatically without much thought about it.

Plus, it really doesn't matter. The purpose (whatever it is) was achieved, no need to waste time massaging it further for no benefit. And the programmer had to move on to placing ever more telemetry into Windows to make the line go up.

AsmGuru62 02 May 2025, 03:57
Maybe it is a stack alignment.
Any CALL opcode will cause misalignment by 8 bytes.
So, they align before the next call.
Just want to make any CALL when stack is aligned.
However, to align stack, PUSH RAX is shorter than ADD RSP,8.

revolution 02 May 2025, 04:04
AsmGuru62 wrote:
Maybe it is a stack alignment.
Any CALL opcode will cause misalignment by 8 bytes.
So, they align before the next call.
Just want to make any CALL when stack is aligned.
However, to align stack, PUSH RAX is shorter than ADD RSP,8.
For internal calls the alignment doesn't matter.

Note: "push reg" and "add rsp,8" adjust the stack in opposite directions! You would need to use "pop reg" but that corrupts a register.

revolution 02 May 2025, 04:23
So the whole thing can be reduced to two lines in fasm?
Code:
rept 6 { call $+5 }
add rsp, 8 * 6
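
A toy model of what the two sequences in this thread (the Windows ladder from the first post and revolution's rept form) do to the architectural stack versus the processor's return stack buffer, added here as an example that is not from the thread or from fasm: call pushes the return address into both, add rsp, 8 pops only the stack, so the RSB ends up full of entries pointing into the stuffing code while RSP is unchanged, and later returns predict into that code until the RSB underflows. The 16-entry RSB depth, the instruction sizes and the final add rsp, 8 after @end (which the post elides) are assumptions.

```python
from collections import deque

CALL_LEN, ADD_LEN = 5, 4   # sizes of "call rel32" and "add rsp, imm8" in bytes

class Core:   # toy model: architectural stack versus the return stack buffer (RSB)
    def __init__(self, depth=16):                     # 16-entry RSB is an assumed size
        self.rsp0 = self.rsp = 0x7FFF_0000            # RSP before the sequence runs
        self.stack, self.rsb = {}, deque(maxlen=depth)   # newest prediction on the right

    def run(self, program, rip):
        while rip in program:
            op, arg = program[rip]
            if op == "call":                  # return address goes to BOTH structures
                self.rsp -= 8
                self.stack[self.rsp] = rip + CALL_LEN
                self.rsb.append(rip + CALL_LEN)
                rip = arg
            else:                             # "add_rsp": pops the stack only, RSB untouched
                self.rsp += arg
                rip += ADD_LEN
        return self

def windows_ladder(base, n):
    """call @last / @i: add rsp,8; call @(i-1) / @0: ...; call @end / @end: add rsp,8"""
    label = lambda i: base + CALL_LEN + (ADD_LEN + CALL_LEN) * i   # address of @i
    end = label(n)
    prog = {base: ("call", label(n - 1))}
    for i in range(n):
        prog[label(i)] = ("add_rsp", 8)
        prog[label(i) + ADD_LEN] = ("call", label(i - 1) if i else end)
    prog[end] = ("add_rsp", 8)        # assumed: the post elides what follows @end
    return prog

def fasm_rept(base, n):
    """rept n { call $+5 } / add rsp, 8*n  (revolution's reduction)"""
    prog = {base + CALL_LEN * i: ("call", base + CALL_LEN * (i + 1)) for i in range(n)}
    prog[base + CALL_LEN * n] = ("add_rsp", 8 * n)
    return prog

def stuff(builder, n, base=0x1000):
    """Run a stuffing sequence; return (RSP delta, RSB entries, all entries benign?)."""
    prog = builder(base, n)
    core = Core().run(prog, base)
    benign = all(a in prog for a in core.rsb)   # every predicted target is stuffing code
    return core.rsp - core.rsp0, len(core.rsb), benign

def predictions(builder, n, rets, base=0x1000):
    """Targets the RSB offers for the next `rets` RETs (None = underflow)."""
    core = Core().run(builder(base, n), base)
    return [core.rsb.pop() if core.rsb else None for _ in range(rets)]
```

With n blocks the ladder fills n+1 RSB entries (the initial call plus one per block) and the rept form fills n, and in both cases RSP is back where it started.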

bitRAKE 02 May 2025, 09:04
The most thorough documentation I've found is:
https://blogs.oracle.com/linux/post/understanding-spectre-v2-mitigations-on-x86

In the references we can find how Linux handles it a little differently. Also, relevant links to Intel/AMD related documentation and recommendations.

If the code comments are to be believed, some testing was performed at Google which reduced the implementation used by Linux to an effective minimal instruction sequence. Of course, this differs from the recommendations of Intel and AMD - which differ from each other.

revolution 02 May 2025, 09:07
bitRAKE wrote:
The most thorough documentation I've found is:
https://blogs.oracle.com/linux/post/understanding-spectre-v2-mitigations-on-x86

In the references we can find how Linux handles it a little differently. Also, relevant links to Intel/AMD related documentation and recommendations.
Sadly both links "require" JS.

If only there was some simpler way to design websites that didn't use JS ...
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.