Help with inline assembly x86_64

korke · May 24, 2025, 10:55pm

I am fairly new to this llvm/gcc style inline assembly. I am mainly focused on x86_64 for now…

so the thing I am trying to do is jmp to a global variable’s value.

var jmp_back: usize = 0;
export fn DoSomething() callconv(.naked) noreturn {
    @setRuntimeSafety(false);

    asm volatile (
        \\ jmp *%[jmp_back]
        :
        : [jmp_back] "m" (jmp_back),
        : "memory", "cc"
    );
}

which generates kind of not expected assembly, it moves the value of the variable to rsp + 08, then stores the pointer to rsp + 08 to rsp, then tries to jmp [rsp], so it would be jumping to the address of rsp + 08 Compiler Explorer

and I don’t want to use “r” input constraint i would like to avoid using any general purpose registers.

Zen · May 25, 2025, 2:17am

No, it jump to the address stored in rsp+08.

korke · May 25, 2025, 2:26am

I don’t get it lea rax, [rsp + 8] supposed to store the address of rsp+8 to rax right? then this rax gets stored to [rsp] so when jmp [rsp] happens its going to read the address of rsp+8, at least that’s what’s my debugger is showing what’s happening

LucasSantos91 · May 25, 2025, 4:24am

github.com/ziglang/zig

Inline assembly input memory operand has extra level of indirection

opened 09:45PM - 19 Oct 24 UTC

arctic-marmoset

bug

### Zig Version 0.14.0-dev.1860+2e2927735 ### Steps to Reproduce and Obser…ved Behavior [Godbolt link](https://godbolt.org/z/baEqfK9on) This code: ```zig export fn _start() noreturn { const gdtr: GDTR = .{ .limit = (5 * 8) - 1, .base_address = 0xFFFFFFFF80001000, }; asm volatile ("lgdt %[gdtr]" : : [gdtr] "m" (gdtr), ); while (true) {} } pub const GDTR = extern struct { limit: u16, base_address: u64 align(1), }; ``` Compiles to: ```nasm _start: push rbp mov rbp, rsp push rax mov qword ptr [rbp - 8], offset .L__unnamed_1 ; Extra level of indirection lgdt [rbp - 8] .LBB0_1: jmp .LBB0_1 .L__unnamed_1: .short 39 .quad -2147479552 ``` Which is as if I additionally took the address of `gdtr`. ### Expected Behavior There should not be an extra level of indirection. The operand should simply resolve to something like: ```nasm _start: ... lgdt [.L__unnamed_1] ``` The equivalent C code compiles as expected ([Godbolt link](https://godbolt.org/z/PMTGhP8zh)): ```c #include <stdint.h> struct GDTR { uint16_t limit; uint64_t base_address; } __attribute__((packed)); __attribute__((noreturn)) void _start(void) { const struct GDTR gdtr = { .limit = (5 * 8) - 1, .base_address = 0xFFFFFFFF80001000ULL, }; asm volatile ("lgdt %[gdtr]" : : [gdtr] "m" (gdtr) ); for (;;) {} } ``` ```nasm _start: push rbp mov rbp, rsp sub rsp, 16 movabs rax, -140737219919833 mov qword ptr [rbp - 16], rax mov word ptr [rbp - 8], -1 lgdt [rbp - 16] .LBB0_1: jmp .LBB0_1 ```

For those who didn’t get the problem:

Start
rax: undefined 
[rsp]: undefined
[rsp + 8]: undefined

mov     rax, qword ptr [example.do_something_trampoline]
rax: value of do_something_trampoline
[rsp]: undefined
[rsp + 8]: undefined

mov     qword ptr [rsp + 8], rax
rax: value of do_something_trampoline
[rsp]: undefined
[rsp + 8]: value of do_something_trampoline

lea     rax, [rsp + 8]
rax: address of rsp + 8
[rsp]: undefined
[rsp + 8]: value of do_something_trampoline

mov     qword ptr [rsp], rax
rax: address of rsp + 8
[rsp]: address of rsp + 8
[rsp + 8]: value of do_something_trampoline

jmp     qword ptr [rsp]
This will jump to address of rsp + 8,
but we should be jumping to do_something_trampoline

dimdin · May 25, 2025, 8:37am

No, [] means indirect. It stores in rax the value that is loaded from rsp+8 address.
In zig notation it is: rax = (rsp + 8).*

EDIT: I was wrong, load effective address (lea) loads the address and not the value.

korke · May 25, 2025, 8:42am

then the whole thing doesn’t make sense, it’s loading the value to rax from the variable address, then storing it to rsp + 8 then again reloading it to rax, lea rax,[rsp+8]

then storing rax to rsp then jmp rsp…

some c volatile keyword shenanigans?

dimdin · May 25, 2025, 11:18am

EDIT: I hope that both examples are correct now

var do_something_trampoline: usize = 0;

export fn DoSomething() callconv(.naked) noreturn {
    @setRuntimeSafety(false);
    asm volatile (
        \\mov do_something_trampoline,%rax
        \\jmp *%rax
        ::: "rax"
    );
}

The above code produces:

DoSomething:
        mov     rax, qword ptr [do_something_trampoline]
        jmp     rax

Another possibility is:

var do_something_trampoline: usize = 0;

export fn DoSomething() callconv(.naked) noreturn {
    @setRuntimeSafety(false);
    asm volatile (
        \\lea (do_something_trampoline),%rax
        \\jmp *(%rax)
        ::: "rax"
    );
}

producing:

DoSomething:
        lea     rax, [do_something_trampoline]
        jmp     qword ptr [rax]

ericlang · May 25, 2025, 12:51pm

Probably completely off topic, sorry sorry.
In the far past I did quite some assembly in Delphi.
When I see the asm syntax we need in Zig I am kinda confused.
Why these superweird stuff and not just some asm block with real statements?

\\jmp *(%rax)
::: "rax"
 // omg...

LucasSantos91 · May 25, 2025, 3:30pm

Assembly is a block box for the compiler, so it would have to disable all optimizations when it finds one. Constraints are a way to recover some optimizations. You tell the compiler what you’re reading and writing, and it ensures that the assembly block is properly ordered according to the statements around it. Without that, the compiler could reorder the statements in such a way that you could be reading a value that wasn’t computed yet, or your write could be overwritten.
Constraints are not optional, reading or writing values without setting the proper constraints is undefined behavior.

korke · May 25, 2025, 5:52pm

I was wondering why not some way to do a direct jmp [do_something_trampoline]

why these type of indirection is needed like loading to rsp… rax

I think x86_64 supports jmp [rip + offset] something like that?

Edit: actually works Compiler Explorer

LucasSantos91 · May 25, 2025, 6:19pm

You still need to set the proper constraints:

var do_something_trampoline: usize = 0;

export fn DoSomething() callconv(.naked) noreturn {
    @setRuntimeSafety(false);
    asm volatile (
        \\jmp *do_something_trampoline
        :: [dummy] "rmx" (do_something_trampoline): "memory"
    );
}

With optimizations enabled, this generates the desired assembly: godbolt.

korke · May 25, 2025, 6:21pm

can you explain a little bit more about “rmx”?

korke · May 25, 2025, 6:34pm

Interestingly

test.zig:

const std = @import("std");

var do_something_trampoline: usize = 0;

export fn DoSomething() callconv(.naked) noreturn {
    @setRuntimeSafety(false);
    asm volatile (
        \\jmp *do_something_trampoline
        :
        : [dummy] "rmx" (do_something_trampoline),
        : "memory"
    );
}

pub fn main() void {}

zig build-exe test.zig

gives error: lld-link: undefined symbol: do_something_trampoline

zig version: 0.15.0-dev.631+9a3540d61

needs export var do_something_trampoline: usize = 0; for it to compile kinda weird? is it fixed in some newer version? or whatever https://godbolt.org/ is using?

LucasSantos91 · May 25, 2025, 8:32pm

That’s intended. My bad, I forgot about export.
Godbolt only runs the compilation phase, it doesn’t do linking, which is way it didn’t error.
You can avoid the export by doing this:

    asm volatile (
-        \\jmp *do_something_trampoline
+        \\jmp *dummy
        :: [dummy] "rmx" (do_something_trampoline): "memory"

The body of an inline assembly is a separate compilation unit, so it can only access things that are exported, or that explicitly provided to it in the constraints.
"rmx" is explained here.
Concatenating constraints by juxtaposition like this means an alternative. r is register, m is memory, and x is supposed to be “anything”. The compiler can choose to pass the value of do_something_trampoline to the body of the inline assembly in any of these places. You’d imagine that x would make everything else redundant, but, for some reason, it doesn’t.
I tried each individual constraint and neither one generated the desired assembly, only when I provided all the alternatives.

korke · May 25, 2025, 10:46pm

is it kind of like a workaround zig’s unstable inline assembly or that’s how this “rmx” suppose to work?

btw

this is also giving me undefined symbol error

LucasSantos91 · May 26, 2025, 12:58pm

I don’t know. Inline assembly is kind of an afterthought in LLVM, and is poorly documented.

Ops, I always forget the syntax of inline assembly. The correct way is

\\jmp *%[dummy]

korke · May 26, 2025, 2:59pm

The debug version moves the value to rax, then to [rsp] then jmp [rsp] :") not trying to be annoying but it’s not consistent which is kinda weird…