flat assembler
Message board for the users of flat assembler.

Index > Main > ia32e conditional jumps

a115433
JCC jumps are broken under ia32e.
Under ia32 they covered the full 32-bit address space; now they do not work.

They didn't expand them to cover the 64-bit address space. What will I do now?
I can't use conditional jumps unless I'm sure that the destination is within 31 bits on both sides. And I can't make this assumption if I want my code to work under all conditions.

What do you think about it?
Intel should at least make some replacement, and throw away Jcc jumps.
I can jmp rax; they could make new Jcc's only on rax, or on all GPRs (rax-r15).

Now I can't make a simple loop.
Post 13 Mar 2010, 19:00
Goplat
If your program's code is smaller than 2GB, then any Jcc you make in it is guaranteed to be within range. If your program's code is larger than 2GB, you need to ask yourself "What the hell am I doing?"
Post 13 Mar 2010, 19:32
a115433
The virtual address space is 64-bit (48-bit in canonical form, but it can be expanded to 64 in the future).

I, for example, allocate memory from the heap, so the system can give me any address from 0 to 0x7FFFFFFFFFFFFFFF.
That's 63 bits of space; I can access only 31 with Jcc.

Why do you assume my program can't be > 2 GB? Today's games use 1GB++ of RAM just to store objects (AC2 recommended RAM is 2GB).

Is there something I don't know?
Post 13 Mar 2010, 20:45
Fanael
Most of these data are... um, well... data. I have yet to see two gigabytes of code.
Post 13 Mar 2010, 21:50
a115433
While you are waiting to see a 2 giga app, I am waiting for an explanation and, more importantly, a SOLUTION to this problem, if any exists.
Post 13 Mar 2010, 21:52
LocoDelAssembly
Quote:

I, for example, allocate memory from the heap, so the system can give me any address from 0 to 0x7FFFFFFFFFFFFFFF.
That's 63 bits of space; I can access only 31 with Jcc.

Run-time generated code? The range of memory you say is right, but still, if the block of generated code is below 2GB in size you could still use jcc without problems (and the limit is actually 4 GB, but only a jcc in the middle of the block has that broad range).
Post 13 Mar 2010, 22:31
a115433
No, the range is 4 GB.
The limit is 2 GB on each side; you won't reach a byte beyond.

Quote:
but still if the block of generated code is below 2GB

So in order to do a simple jcc jump, I must check whether the requested memory is within range?

I would prefer not to worry about it, just calculate the jump and execute it.
Now I have to subtract the address of the next instruction from the jump's destination, check if the highest 32 bits are an extension of bit 31, and if they are, jump. If they are not, throw an error and not jump. Don't forget that in order to do this check, I must use a conditional jump, which is unacceptable. Why would I assume that the next few instructions are within the 2 giga range? It's pathetic, at least in my opinion. I can't JCC in ia32e mode.

Oh well, good that they didn't screw up the cmovcc instruction.
I can load r* and jump anyway. The value loaded would depend on the condition. If met - handler.
I think they did it to force us to use cmovcc's.

Code:
use64
call qword [something]    ; called routine returns a status in rax (0 = error)
test rax,rax              ; ZF=1 if rax is 0
mov rax,default_code      ; mov does not touch the flags...
mov rbx,error_handler
cmovz rax,rbx             ; ...so cmovz still sees the result of the test
jmp rax                   ; absolute indirect jump: no rel32 range limit

default_code:
        ret

error_handler:
        ret

something dq stub         ; placeholder pointer so the call assembles
stub:
        xor eax,eax       ; returns 0, which takes the error_handler path
        ret

welcome to ia32e world!
Post 13 Mar 2010, 22:56
LocoDelAssembly
You quoted me wrong; finish it with "in size" as I wrote in my post.

Quote:

No, the range is 4 GB.
The limit is 2 GB on each side; you won't reach a byte beyond.

So, if RIP is 0x1000000000000000, where is the problem in accessing from 0x0FFFFFFF80000000 to 0x1000000080000000?
Post 13 Mar 2010, 23:02
a115433
Yes, you can access it.
Actually it's off by 5 bytes, because if RIP is 0x1000000000000000 and the jcc specifies a 4-byte jump, the start address is 0x1000000000000005 (next instruction).

So you can jump from RIP = 0x1000000000000000 to:

0x0FFFFFFF80000005 <> 0x1000000080000004

because:
0x1000000000000005 + 0x000000007FFFFFFF = 0x1000000080000004
0x1000000000000005 - 0x0000000080000000 = 0x0FFFFFFF80000005

But if a 48-bit address bus is used, only 48-bit sign-extended addresses can be accessed.
If the jump reaches beyond that, I guess general protection will fire,
or a page fault; my guess is GPF.
Post 13 Mar 2010, 23:13
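The range arithmetic in the post above, worked out in code as an added example that is not part of the thread: the displacement of a Jcc is relative to the next instruction, a near Jcc (0F 8x rel32) is 6 bytes and a short Jcc (7x rel8) is 2 bytes, so the reachable window is centred on RIP+6 (or RIP+2), and a jump to a non-canonical 48-bit address faults. The helper names, the condition-code table and all addresses below are my own constructed values.

```python
# Added example: reachability and encoding of RIP-relative Jcc in 64-bit mode.
# Constructed for this thread; not code from any poster or from fasm.

MASK64 = (1 << 64) - 1

# Condition codes (low nibble of the opcode); a few common ones.
CC = {"o": 0x0, "b": 0x2, "e": 0x4, "z": 0x4, "ne": 0x5, "nz": 0x5,
      "be": 0x6, "s": 0x8, "l": 0xC, "ge": 0xD, "le": 0xE, "g": 0xF}

# (opcode bytes before the cc nibble is OR-ed in, instruction length, disp bits)
JCC_REL8 = (bytes([0x70]), 2, 8)          # 7x ib
JCC_REL32 = (bytes([0x0F, 0x80]), 6, 32)  # 0F 8x id


def is_canonical(addr, bits=48):
    """True if addr is the sign extension of its low `bits` bits."""
    top = (addr & MASK64) >> (bits - 1)
    return top == 0 or top == (1 << (64 - bits + 1)) - 1


def jcc_reach(addr, form=JCC_REL32):
    """Lowest and highest target a Jcc placed at addr can reach.
    The displacement is added to RIP, which already points past the Jcc,
    so the window is shifted by the instruction length (6 for rel32)."""
    _, length, bits = form
    nxt = addr + length
    half = 1 << (bits - 1)
    return (nxt - half) & MASK64, (nxt + half - 1) & MASK64


def encode_jcc(cc, addr, target):
    """Encode Jcc cc located at addr jumping to target. Uses the 2-byte short
    form when the displacement fits in rel8, otherwise the 6-byte near form.
    Raises ValueError when target is outside rel32 range or not canonical
    (the CPU would raise #GP(0) for a non-canonical RIP)."""
    if not is_canonical(target):
        raise ValueError(f"target {target:#x} is not a canonical address")
    code = CC[cc]
    for opcode, length, bits in (JCC_REL8, JCC_REL32):
        rel = target - (addr + length)           # relative to next instruction
        half = 1 << (bits - 1)
        if -half <= rel < half:
            op = opcode[:-1] + bytes([opcode[-1] | code])
            return op + (rel & ((1 << bits) - 1)).to_bytes(bits // 8, "little")
    raise ValueError(f"target {target:#x} out of rel32 range of Jcc at {addr:#x}")
```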
LocoDelAssembly
RIP != $ (RIP is documented as the address of the next instruction)

I still can't see the problem. For me, no matter where your 2 GB block is allocated, Jcc will always cover it all (except in the case it is placed in the last 6 bytes of the block; in that case you can jump backwards to block offset 6 maximum).
Post 13 Mar 2010, 23:59
a115433
It doesn't matter where my 2 GB of code is, but rather whether my code exceeds 2 GB.
Or whether the system will allocate memory for me within a range of 2 GB (no rule says it cannot; I have 63 bits of virtual address in userland, and even this is not a rule. Windows, for example, allows 3:1 in ia32 mode). And don't forget about systems where I use only ring0; I want to access all pieces of code, no matter where I am!

I will go with cmovcc; it doesn't have this flaw.

And also the displacement is STILL 32 bits.
If I have a pointer in a register, I can only displace it by 32 bits, so the instruction:
mov rax,[rcx+DISP32] will still have a range of 32 bits.


Last edited by a115433 on 14 Mar 2010, 00:27; edited 1 time in total
Post 14 Mar 2010, 00:22
baldr
a115433,

cmovcc can jump somewhere?
Post 14 Mar 2010, 00:27
a115433
baldr wrote:
a115433,

cmovcc can jump somewhere?



Not directly; I gave an example.


Code:
use64
call qword [something]
test rax,rax          ; check if it's 0, or use any other condition-setting instruction
mov rax,default_code  ; default code
mov rbx,error_handler ; handler of error
cmove rax,rbx         ; if rax was 0 (mov doesn't touch flags), the default handler (in rax) is replaced with the error handler (in rbx)
jmp rax               ; jump to the handler, or to the default code

default_code:
        ret

error_handler:
        ret

something dq stub     ; placeholder pointer so the call assembles
stub:
        xor eax,eax   ; returns 0, which takes the error_handler path
        ret
Post 14 Mar 2010, 00:30
baldr
a115433,
Code:
        test    rax, rax
        jnz     @f
        mov     rax, error_handler
        jmp     rax
@@:    
Indirect jmp can be used too.

2+ GiB of code? Hmmm…
Post 14 Mar 2010, 00:40
revolution
a115433: You are arguing in the wrong place. Talk to AMD or Intel and get them to fix the problem. None of us here can help you, the assembler cannot fix the CPU limitations.

And I seriously doubt you have 2GB+ of code. Nobody has that much code (not even asmcoder has that much code). It is a non-issue. Unless you do something stupid like this:
Code:
use64
backwards:
  mov rax,...
  cmp rbx,rcx
  je A_long_WAY_forward
  jmp backwards
  rb 3 shl 30 ;3GB of data?
A_long_WAY_forward:
  mul r14
  ;...


Last edited by revolution on 14 Mar 2010, 03:15; edited 1 time in total
Post 14 Mar 2010, 01:40
godomega
If you're not jumping across different pages, I don't see how you could get into any trouble.

Anyway, for whatever practical purposes absolute jumps may have, I use this for detouring API:
PUSH <Absolute Address>
RET
as I can't guarantee that other applications are within my 2 GB boundary.
Post 14 Mar 2010, 03:03
revolution
godomega wrote:
If you're not jumping across different pages, I don't see how you could get into any trouble.

Anyway, for whatever practical purposes absolute jumps may have, I use this for detouring API:
PUSH <Absolute Address>
RET
as I can't guarantee that other applications are within my 2 GB boundary.
Except that push const is also limited to signed 32-bit values.

You would need this instead:
Code:
mov rax,<Absolute Address>
push rax
ret    
In which case the push rax and ret can just be substituted with jmp rax.
Post 14 Mar 2010, 03:19
godomega
Quote:
Except that push const is also limited to signed 32-bit values.
Oh right! I thought I was being smart here by leaving the registers in place. :p
Post 14 Mar 2010, 12:43
a115433
Code:
        test    rax, rax
        jnz     @f
        mov     rax, error_handler
        jmp     rax
@@:

Quote:
Indirect jmp can be used too.

Why do you assume that the range between jnz and @@ is < 2 GB? I can patch this code, and it will crash. A simple address fix won't solve this problem, and I will have to use another solution.

Quote:
Talk to AMD or Intel and get them to fix the problem.

The hardware is already released, too late.
Quote:
Nobody has that much code (not even asmcoder has that much code).

yeah, and 640 kilo RAM is enough for everyone!

Quote:
In which case the push rax and ret can just be substituted with jmp rax.

In my opinion, using the stack to solve those issues is just lame. And in ia32e mode, when you have a NULL SS upon each interrupt, it's really great to use the stack, even if your code doesn't need it, just to jump.
Post 14 Mar 2010, 12:44
revolution
a115433 wrote:
Quote:
Nobody has that much code (not even asmcoder has that much code).

yeah, and 640 kilo RAM is enough for everyone!
Well, when your code gets to be bigger than 1GB then it will be time to worry. So what is the biggest proggy code you have now?

But hey, why not complain about the lame 64-bit address limitation; those noobs at Intel and AMD don't know what they are doing, lozerz.
Post 14 Mar 2010, 12:48
Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.