I want to allocate some nodes for a linked list. I have an alloc_pair function which seems to work. I included comments to explain the intent of each line in regards to linked lists. My code is giving me a segmentation fault somewhere, but I can't figure out where. GDB is unhelpful as seen here:
Thread 2 hit Breakpoint 1, 0x0000000100003f63 in main ()
(gdb) c
Continuing.
Thread 2 hit Breakpoint 2, 0x0000000100003f4e in alloc_pair ()
(gdb) ni
0x0000000100003f55 in alloc_pair ()
(gdb) ni
0x0000000100003f59 in alloc_pair ()
(gdb) disassemble
Dump of assembler code for function alloc_pair:
0x0000000100003f4e <+0>: mov rdi,0x10
0x0000000100003f55 <+7>: sub rsp,0x8
=> 0x0000000100003f59 <+11>: call 0x100003f96
0x0000000100003f5e <+16>: add rsp,0x8
0x0000000100003f62 <+20>: ret
End of assembler dump.
(gdb) c
Continuing.
Thread 2 received signal SIGSEGV, Segmentation fault.
0x00007fff731d970a in ?? ()
(gdb) bt
#0 0x00007fff731d970a in ?? ()
#1 0x00007ffeefbff828 in ?? ()
#2 0x0000000100008008 in ?? ()
#3 0x0000000000000000 in ?? ()
(gdb)
If you know the mistake that I am making, please let me know.
.global _main
.text
alloc_pair:
push rbp
mov rbp, rsp
mov rdi, 16
sub rsp, 8
call _malloc
add rsp, 8
mov rsp, rbp
pop rbp
ret
_main:
call alloc_pair
mov r13, rax # r13 stores the initial pair allocated
mov qword ptr [rax], 29 # the node 1 head contains 29
mov r12, [rax + 8] # r12 stores the memory location of the node 1 tail
call alloc_pair
mov qword ptr [rax], 7 # the node 2 head contains 7
mov qword ptr [r12], rax # the node 1 tail points to the node 2 head
mov rdi, 0
mov rax, 0x2000001
syscall
This line:
mov r12, [rax + 8] # r12 stores the memory location of the node 1 tail
doesn't do what your comment says it does. This instruction moves the 64-bit contents of memory at [rax+8] to R12. It doesn't move the address of [rax+8] to R12. What you want is to Load Effective Address (LEA) to get the address of [rax+8] into R12. The instruction would look like:
lea r12, [rax + 8] # r12 stores the memory location of the node 1 tail
Related
I am trying to print an array, reverse it, and then print it again. I manage to print it once. I can also make 2 consecutive calls to _printy and it works. But the code breaks with the _reverse function. It does not segfault, it exits with code 24 (I looked online but this seems to mean that the maximum number of file descriptors has been exceeded, and I cannot get what this means in this context). I stepped with a debugger and the loop logic seems to make sense.
I am not passing the array in RDI, because _printy restores the content of that register when it exits. I also tried to load it directly into RDI before calling _reverse but that does not solve the problem.
I cannot figure out what the problem is. Any idea?
BITS 64
DEFAULT REL
; -------------------------------------
; -------------------------------------
; PRINT LIST
; -------------------------------------
; -------------------------------------
%define SYS_WRITE 0x02000004
%define SYS_EXIT 0x02000001
%define SYS_OPEN 0x02000005
%define SYS_CLOSE 0x02000006
%define SYS_READ 0x02000003
%define EXIT_SUCCESS 0
%define STDOUT 1
%define LF 10
%define INT_OFFSET 48
section .text
extern _printf
extern _puts
extern _exit
global _main
_main:
push rbp
lea rdi, [rel array]
call _printy
call _reverse
call _printy
pop rbp
call _exit
_reverse:
push rbp
lea rsi, [rdi + 4 * (length - 1) ]
.LOOP2:
cmp rdi, rsi
jge .DONE2
mov r8, [rdi]
mov r9, [rsi]
mov [rdi], r9
mov [rsi], r8
add rdi,4
sub rsi,4
jmp .LOOP2
.DONE2:
xor rax, rax
lea rdi, [rel array]
pop rbp
ret
_printy:
push rbp
xor rcx, rcx
mov r8, rdi
.loop:
cmp rcx, length
jge .done
push rcx
push r8
lea rdi, [rel msg]
mov rsi, [r8 + rcx * 4]
xor rax, rax
call _printf
pop r8
pop rcx
add rcx, 1
jmp .loop
.done:
xor rax, rax
lea rdi, [rel array]
pop rbp
ret
section .data
array: dd 78, 2, 3, 4, 5, 6
length: equ ($ - array) / 4
msg: db "%d => ", 0
Edit with some info from the debugger
Stepping into the _printy function gives the following msg, once reaching the call to _printf.
* thread #1, queue = 'com.apple.main-thread', stop reason = step over failed (Could not create return address breakpoint.)
frame #0: 0x0000000100003f8e a.out`printf
a.out`printf:
-> 0x100003f8e <+0>: jmp qword ptr [rip + 0x4074] ; (void *)0x00007ff80258ef0b: printf
0x100003f94: lea r11, [rip + 0x4075] ; _dyld_private
0x100003f9b: push r11
0x100003f9d: jmp qword ptr [rip + 0x5d] ; (void *)0x00007ff843eeb520: dyld_stub_binder
I am not an expert, but a quick research online led to the following
During the 'thread step-out' command, check that the memory we are about to place a breakpoint in is executable. Previously, if the current function had a nonstandard stack layout/ABI, and had a valid data pointer in the location where the return address is usually located, data corruption would occur when the breakpoint was written. This could lead to an incorrectly reported crash or silent corruption of the program's state. Now, if the above check fails, the command safely aborts.
So after all this might not be a problem (I am also able to track the execution of the printf call). But this is really the only understandable piece of information I am able to extract from the debugger. Deep in some quite obscure (to me) function calls I reach this
* thread #1, queue = 'com.apple.main-thread', stop reason = instruction step into
frame #0: 0x00007ff80256db7f libsystem_c.dylib`flockfile + 10
libsystem_c.dylib`flockfile:
-> 0x7ff80256db7f <+10>: call 0x7ff8025dd480 ; symbol stub for: __error
0x7ff80256db84 <+15>: mov r14d, dword ptr [rax]
0x7ff80256db87 <+18>: mov rdi, qword ptr [rbx + 0x68]
0x7ff80256db8b <+22>: add rdi, 0x8
Target 0: (a.out) stopped.
(lldb)
Process 61913 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = instruction step into
frame #0: 0x00007ff8025dd480 libsystem_c.dylib`__error
This is one of the function calls happening in _printf.
Ask further questions if there is something more I can do.
Your array consists of int32 numbers aka dd in nasm terminology, but your swap operates on 64 bit numbers:
mov r8, [rdi]
mov r9, [rsi]
mov [rdi], r9
mov [rsi], r8
Assuming you were not after some crazy optimizations where you swap a pair of elements simultaneously you want this to remain in 32 bits:
mov r8d, [rdi]
mov r9d, [rsi]
mov [rdi], r9d
mov [rsi], r8d
I'm currently writing a compiler and I have created some tests and only one of them fails with Segmentation fault (core dumped) as error message.
This is the code that gets compiled
function main(): int {
var f: int = 10;
return func(f) - func(f / 2);
}
function func(a: int): int {
return a;
}
And this is the generated assembly code (it's not really optimized as you can see)
section .text
global _start
_start:
call function_main
mov rdi, rax
mov rax, 60
syscall
global function_main
function_main:
push rbp
mov rbp, rsp
sub rsp, 4
mov rax, 10
mov DWORD[rbp-0], eax
mov eax, DWORD[rbp-0]
mov rdi, rax
call function_func
push rax
mov eax, DWORD[rbp-0]
mov rbx, 2
idiv rbx
mov rdi, rax
call function_func
mov rbx, rax
pop rax
sub rax, rbx
mov rsp, rbp
pop rbp
ret
global function_func
function_func:
push rbp
mov rbp, rsp
sub rsp, 4
mov DWORD[rbp-0], edi
mov eax, DWORD[rbp-0]
mov rsp, rbp
pop rbp
ret
The assembly file is compiled with nasm -f elf64 ./test9.lv.asm -o ./test9.lv.asm.o and ld -g ./test9.lv.asm.o a.out
I've used gdb to debug the binary file and it seems like the program receives the SIGSEGV signal right after func(f) returns the first time.
But now I don't know why this is happening in this case.
I am trying to make the Lisp function cons in x86_84 assembly on MacOS. Below I am trying to make a pair of 2 and 3, but it is not working; I am getting a segmentation fault.
.global _main
.extern _malloc
.text
.macro make_node register
mov rdi, 8 # 64-bit number
call _malloc # failed on malloc
mov [rax], \register # contents of register in address of rax
mov \register, [rax]
.endm
cons:
push rbp
mov rbp, rsp
mov r8, [rbp + 16]
make_node r8
mov r9, [rbp + 24]
make_node r9
mov rsp, rbp
pop rbp
ret
_main:
push 3
push 2
call cons
add rsp, 16
# I should now be able to do whatever I want with r8 (2) and r9 (3)
mov rdi, 0
mov rax, 0x2000001
syscall
I stepped through it with GDB and I see that it failed on calling malloc, but to me, there doesn't seem to be a problem since malloc only takes one argument (the number of bytes to allocate) in the rdi register.
Dump of assembler code for function cons:
0x0000000100003f48 <+0>: push %rbp
0x0000000100003f49 <+1>: mov %rsp,%rbp
0x0000000100003f4c <+4>: mov 0x10(%rbp),%r8
0x0000000100003f50 <+8>: mov $0x8,%rdi
=> 0x0000000100003f57 <+15>: callq 0x100003f96
0x0000000100003f5c <+20>: mov %r8,(%rax)
0x0000000100003f5f <+23>: mov (%rax),%r8
0x0000000100003f62 <+26>: mov 0x18(%rbp),%r9
0x0000000100003f66 <+30>: mov $0x8,%rdi
0x0000000100003f6d <+37>: callq 0x100003f96
0x0000000100003f72 <+42>: mov %r9,(%rax)
0x0000000100003f75 <+45>: mov (%rax),%r9
0x0000000100003f78 <+48>: mov %rbp,%rsp
0x0000000100003f7b <+51>: pop %rbp
0x0000000100003f7c <+52>: retq
End of assembler dump.
(gdb) ni
Thread 2 received signal SIGSEGV, Segmentation fault.
I am assembling on a Mac like this: clang -masm=intel cell.asm.
Does anyone familiar with x86 assembly know the source of my error?
(Also, in case anyone asks, I know that it's important to call free after malloc but this code is the only code necessary to demonstrate my problem.)
How to include debug symbols in NASM code for debugging using GDB on Windows?
Having coded some NASM assembly, I want to debug it using GDB.
I assemble and link using the following commands:
nasm -f win32 insertion_sort.asm
ld insertion_sort.obj
However, starting GDB (gdb a) yields:
Reading symbols from C:\Users\nze\Desktop\asm\sorting\insertion_sort\a.exe...(no debugging symbols found)...done.
In the code below I cannot reference _array like:
(gdb) x/4xw _array
No symbol table is loaded. Use the "file" command.
(gdb) x/4xw array
0x1: Cannot access memory at address 0x1
Also, setting breakpoint at _exit:
(gdb) break exit
Breakpoint 1 at 0x401464
(gdb) run
Starting program: C:\Users\nze\Desktop\asm\sorting\insertion_sort/insertion_sort.exe
[New Thread 5488.0x1c7c]
[New Thread 5488.0xc54]
[Inferior 1 (process 5488) exited with code 01]
causes GDB to just run the program to completion when run...
What is wrong?
The assembly code is:
BITS 32
section .data
_array: dd 4, 2, 8, 6, 1
_len: equ ($ - _array) / 4
section .text
global _start
_start:
push ebp
mov ebp, esp
xor ecx, ecx
_outer:
inc ecx
cmp ecx, _len
jge _exit
mov ebx, ecx
dec ebx
lea esi, [_array + ecx * 4]
lea edi, [_array + ebx * 4]
_inner:
cmp ebx, 0
jl _outer
mov eax, [edi]
cmp eax, [esi]
jle _outer
xchg eax, dword [esi] ; swap [esi] and [edi]
mov dword [edi], eax
sub esi, 4
sub edi, 4
dec ebx
jmp _inner
_exit:
mov esp, ebp
pop ebp
ret
have you tried include the debug information available for Windows (Codeview 8)?
$ nasm -gcv8 -f win32 -o insertion_sort.o insertion_sort.asm
$ gcc -m32 -o insertion_sort.exe insertion_sort.o
I'm trying to access memory I have malloced in assembly but I keep just repeatedly getting segfault errors. What am I doing wrong in the following code, I'm sure it's simple but I just can't see it!
EDIT: I am using 64 bit NASM assembly
; Allocate room for 8 integers
mov r8, 8
mov rdi, r8
imul rdi, 8 ; Multiply by 8 (8 bytes per entry in 64bit)
xor rax, rax
call malloc
add rsp, 8
test rax, rax
jz malloc_failure
mov r8, rsp
; r8 now = base of array
; Set the first element to be 100
mov r9, 0
add r9, r8
mov qword [r9], 100
malloc_failure:
deallocate_start:
dealloc_1:
mov rdi, r8
xor rax, rax
call free
add rsp, 8
deallocate_end:
call os_return ; return to operating system
And the segfault (Not very interesting...)
matrix05% ./arr5
Segmentation fault
mov r8, 8
mov rdi, r8
imul rdi, 8
xor rax, rax
call malloc
add rsp, 8 ;; here we _add_ 8 bytes to the stack pointer
;; this is equivalent to _popping_ off the stack
;; remember, the x86 stack grows down!
test rax, rax ;; rax is indeed where the return value is..... but:
jz malloc_failure
mov r8, rsp ;; we overwrite r8 with the stack pointer (why??)
; r8 now = base of array ;; no it's not
mov r9, 0
add r9, r8 ;; r9 = r8 = stack pointer
mov qword [r9], 100 ;; we now write 100 to the current stack pointer.
;; The stack pointer initially (on entry to the function)
;; pointed to a return address; where exactly are you overwriting?
malloc_failure:
deallocate_start:
dealloc_1:
mov rdi, r8
xor rax, rax
call free
add rsp, 8 ;; we pop from the stack pointer _again_. I do hope there's a sub rsp, 16 at the top...
deallocate_end:
call os_return ; return to operating system (and probably crash because our stack is FUBAR'd)