Introduction to Computer Systems
Recitation 2
Yao Guo
Administrivia
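• Homework submission deadline
– Saturday night at 12:00 (0:00 Sunday)
• Small-class Q&A session
– Friday afternoon, 3-5 pm
• Course content review
– This week: 高嗣淳
– Next week: 李晨旸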
Today
• Homework review
• Review of this week’s material
• Integer arithmetic
– Negation
• TMin in C
• Code security example
• Floating point
Arithmetic: Basic Rules
• Unsigned ints, 2’s complement ints are isomorphic rings: isomorphism = casting
• Left shift
– Unsigned/signed: multiplication by 2^k
– Always logical shift
• Right shift
– Unsigned: logical shift, div (division + round to zero) by 2^k
– Signed: arithmetic shift
  • Positive numbers: div (division + round to zero) by 2^k
  • Negative numbers: div (division + round away from zero) by 2^k; use biasing to fix
Compiled Multiplication Code
• C compiler automatically generates shift/add code when multiplying by constant
C Function
    int mul12(int x)
    {
        return x*12;
    }
Compiled Arithmetic Operations
    leal (%eax,%eax,2), %eax
    sall $2, %eax
Explanation
    t <- x+x*2
    return t << 2;
Compiled Unsigned Division Code
• Uses logical shift for unsigned
• For Java users
– Logical shift written as >>>
C Function
    unsigned udiv8(unsigned x)
    {
        return x/8;
    }
Compiled Arithmetic Operations
    shrl $3, %eax
Explanation
    # Logical shift
    return x >> 3;
Compiled Signed Division Code
• Uses arithmetic shift for int
• For Java users
– Arith. shift written as >>
C Function
    int idiv8(int x)
    {
        return x/8;
    }
Compiled Arithmetic Operations
        testl %eax, %eax
        js L4
    L3:
        sarl $3, %eax
        ret
    L4:
        addl $7, %eax
        jmp L3
Explanation
    if x < 0
        x += 7;
    # Arithmetic shift
    return x >> 3;
Two’s Complement Negation
• Claim: the following holds for 2’s complement
    -x = ~x + 1
• Complement
– Observation: ~x + x == 1111…111 == -1

       x    1 0 0 1 0 1 1 1
    + ~x    0 1 1 0 1 0 0 0
      -1    1 1 1 1 1 1 1 1

• Is it always correct? Can you prove it?
• The answer is NO!
– Consider x = 1000…000₂
– ~x = 0111…111₂, ~x+1 = 1000…000₂ = x
Negation: Practice #1
• You are given the task of writing a function with the following prototype:
    /*
     * Generate mask indicating rightmost 1 in x.
     * For example 0xFF00 -> 0x0100, and 0x6600 --> 0x0200.
     * If x = 0, then return 0.
     */
    int rightmost_one(unsigned x);
– If argument x equals 0, this function returns 0. Otherwise, it returns a mask consisting of a single one in the same position as the least significant bit with value 1 in x.
• Solution:
    return (x & -x);
TMin in C
• In the C header file limits.h
    /* Minimum and maximum values a 'signed int' can hold. */
    #define INT_MAX 2147483647
    #define INT_MIN (-INT_MAX - 1)
• Why DON’T we write INT_MIN as -2147483648?
Data type of TMin in C
• Consider the data type search order:
• We have:
TMin: Practice #1
• Consider the following code:
    int dtmin = -2147483648;
    int dcomp2 = (dtmin < 0);
    int htmin = 0x80000000;
    int hcomp2 = (htmin < 0);
• What are the results of dcomp2 and hcomp2 for 32-bit and 64-bit machines?
• WHY?
– The values of both constants are cast to type “int”.
TMin: Practice #2
• Write TMin_w
– where w is the number of bits in data type long
• An example
    /* Shift 1 over by 8*sizeof(long) - 1 */
    1L << sizeof(long)<<3 - 1
• What’s the value generated? Is it correct?
– For 32 and 64-bit machines?
• No. Correct answer:
    1L << (sizeof(long)<<3) - 1
Code Security Example
• Similar to code found in FreeBSD’s implementation of getpeername
• There are legions of smart people trying to find vulnerabilities in programs
    #include <string.h>  /* memcpy */

    /* Kernel memory region holding user-accessible data */
    #define KSIZE 1024
    char kbuf[KSIZE];

    /* Copy at most maxlen bytes from kernel region to user buffer */
    int copy_from_kernel(void *user_dest, int maxlen) {
        /* Byte count len is minimum of buffer size and maxlen */
        int len = KSIZE < maxlen ? KSIZE : maxlen;
        memcpy(user_dest, kbuf, len);
        return len;
    }
Typical Usage
    #include <stdio.h>  /* printf */

    #define MSIZE 528

    void getstuff() {
        char mybuf[MSIZE];
        copy_from_kernel(mybuf, MSIZE);
        printf("%s\n", mybuf);
    }
Malicious Usage
    #define MSIZE 528

    void getstuff() {
        char mybuf[MSIZE];
        copy_from_kernel(mybuf, -MSIZE);
        . . .
    }

    /* Declaration of library function memcpy */
    void *memcpy(void *dest, void *src, size_t n);
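The following added example (not part of the original slides) traces why the negative argument gets past the length check and shows one hardened variant. The helper names slide_len, memcpy_count and copy_from_kernel_checked are hypothetical; the oversized memcpy itself is never executed, only the byte count it would receive is computed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KSIZE 1024
static char kbuf[KSIZE];

/* Length choice exactly as in the slide: the comparison is signed, so any
 * negative maxlen is "smaller" than KSIZE and is selected as len. */
static int slide_len(int maxlen) {
    return KSIZE < maxlen ? KSIZE : maxlen;
}

/* Byte count memcpy would receive: its parameter is size_t, so the signed
 * int is converted to a huge unsigned value. */
static size_t memcpy_count(int len) {
    return (size_t)len;
}

/* Hardened variant (hypothetical name): reject negative lengths, then clamp
 * using an unsigned comparison. Returns bytes copied, or -1 on bad input. */
static int copy_from_kernel_checked(void *user_dest, int maxlen) {
    if (user_dest == NULL || maxlen < 0)
        return -1;
    size_t want = (size_t)maxlen;
    size_t len = want < (size_t)KSIZE ? want : (size_t)KSIZE;
    memcpy(user_dest, kbuf, len);
    return (int)len;
}

int main(void) {
    char mybuf[528];
    int len = slide_len(-528);
    printf("slide check: len = %d, memcpy would copy %zu bytes\n",
           len, memcpy_count(len));
    printf("checked(-528) = %d\n", copy_from_kernel_checked(mybuf, -528));
    printf("checked(528)  = %d\n", copy_from_kernel_checked(mybuf, 528));
    return 0;
}
```

Declaring maxlen and len as size_t removes the signed comparison as well, but the caller's negative value then becomes a large count that is clamped to KSIZE rather than rejected.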
Floating Point Representation
• Basic format of bit representation (single precision):
More on IEEE-754: http://babbage.cs.qc.cuny.edu/IEEE-754/
Interpreting the Bits
Example: Practice 2.46
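• US Patriot missile system
– The clock advances by 0.1 seconds on each tick
– 0.1₁₀ = 0.000110011[0011] . . .₂
– Truncated to 23 bits: x = 0.00011001100110011001100
• Questions
– What is the binary representation of 0.1-x?
– What is the decimal representation of 0.1-x?
– After 100 hours, what is the time error?
– Assuming a missile speed of 3000 m/s, what is the distance error?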
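The computation these questions ask for, carried through as an added example (not part of the original slides), using the slide's 23-bit truncation, 0.1 s tick and 3000 m/s speed. The function names are hypothetical.

```c
#include <stdio.h>

#define FRAC_BITS 23           /* bits kept after the binary point (slide) */
#define TICKS_PER_HOUR 36000L  /* one tick every 0.1 s */

/* x: 0.1 truncated (not rounded) to FRAC_BITS fractional bits. */
static double truncated_tenth(void) {
    double scale = (double)(1L << FRAC_BITS);
    long kept = (long)(0.1 * scale);   /* the cast discards the fraction */
    return (double)kept / scale;
}

/* Per-tick error 0.1 - x. Analytically this is 0.1 * 2^-20: the dropped
 * tail of the repeating pattern is 0.1 again, shifted right by 20 bits. */
static double tick_error(void) {
    return 0.1 - truncated_tenth();
}

/* Accumulated clock error in seconds after the given uptime. */
static double clock_drift(long hours) {
    return (double)(hours * TICKS_PER_HOUR) * tick_error();
}

/* Position error in metres for a target moving at speed_mps. */
static double range_error(long hours, double speed_mps) {
    return clock_drift(hours) * speed_mps;
}

int main(void) {
    printf("x             = %.10f\n", truncated_tenth());
    printf("0.1 - x       = %.4e s per tick\n", tick_error());
    printf("drift (100 h) = %.4f s\n", clock_drift(100));
    printf("range error   = %.1f m at 3000 m/s\n", range_error(100, 3000.0));
    return 0;
}
```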
Ariane 5 Rocket
• Launch failed in 1996
• Cause:
– A 64-bit float was converted to a 16-bit int
– Worked perfectly on Ariane 4
– Ariane 5’s speed is 5 times that of Ariane 4
– Overflow!!
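The narrowing conversion described above, as an added example (not part of the original slides and not the flight software): an unchecked cast beside a range-checked one. The function names and the sample values are constructed for illustration.

```c
#include <math.h>      /* NAN macro only, no libm calls */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked narrowing: in C, converting a double whose truncated value
 * does not fit in the target integer type is undefined behaviour. */
static int16_t narrow_unchecked(double v) {
    return (int16_t)v;
}

/* Checked narrowing: succeed only if the value, truncated toward zero,
 * fits in int16_t. The negated comparison also rejects NaN. */
static bool narrow_checked(double v, int16_t *out) {
    if (!(v > -32769.0 && v < 32768.0))
        return false;
    *out = (int16_t)v;
    return true;
}

int main(void) {
    double old_reading = 8000.0;            /* constructed: fits in 16 bits */
    double new_reading = 5.0 * old_reading; /* 5x larger: 40000 does not fit */
    int16_t r = 0;

    printf("unchecked(%.0f) = %d\n", old_reading, narrow_unchecked(old_reading));
    if (narrow_checked(old_reading, &r))
        printf("checked(%.0f) = %d\n", old_reading, r);
    if (!narrow_checked(new_reading, &r))
        printf("checked(%.0f) rejected: outside int16_t range\n", new_reading);
    return 0;
}
```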
Questions?