Details about implementation of CALL/RET instruction in QEMU (x86_64)

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
1
down vote

favorite
1












In file target/i386/translate.c the CALL instruction (opcode 0xe8) has this implementation:



 case 0xe8: /* call im */
 
 if (dflag != MO_16) 
 tval = (int32_t)insn_get(env, s, MO_32);
 else 
 tval = (int16_t)insn_get(env, s, MO_16);
 
 next_eip = s->pc - s->cs_base;
 tval += next_eip;
 if (dflag == MO_16) 
 tval &= 0xffff;
 else if (!CODE64(s)) 
 tval &= 0xffffffff;
 
 tcg_gen_movi_tl(cpu_T0, next_eip);
 gen_push_v(s, cpu_T0);
 gen_bnd_jmp(s);
 gen_jmp(s, tval);
 
 break;


The value in next_eip is saved by the following calls:



 tcg_gen_movi_tl(cpu_T0, next_eip);
 gen_push_v(s, cpu_T0);


But I can not find how this value (next_eip) is used in the RET implementation:



 case 0xc3: /* ret */
 ot = gen_pop_T0(s);
 gen_pop_update(s, ot);
 /* Note that gen_pop_T0 uses a zero-extending load. */
 gen_op_jmp_v(cpu_T0);
 gen_bnd_jmp(s);
 gen_jr(s, cpu_T0);
 break;


While i trace CALL implementation i see code where return adress is used:



void tcg_gen_op2(TCGOpcode opc, TCGArg a1, TCGArg a2)

TCGOp *op = tcg_emit_op(opc); // INDEX_op_movi_i64
op->args[0] = a1; // address of register
op->args[1] = a2; // **REAL RETURN ADDRESS**



But i can not find REAL RETURN ADDRESS while tracing RET implementation.



Can anyone tell me where exactly the RET instruction implementation uses the value in next_eip.




qemu




share|improve this question

























    up vote
    1
    down vote

    favorite
    1












    In file target/i386/translate.c the CALL instruction (opcode 0xe8) has this implementation:



     case 0xe8: /* call im */
     
     if (dflag != MO_16) 
     tval = (int32_t)insn_get(env, s, MO_32);
     else 
     tval = (int16_t)insn_get(env, s, MO_16);
     
     next_eip = s->pc - s->cs_base;
     tval += next_eip;
     if (dflag == MO_16) 
     tval &= 0xffff;
     else if (!CODE64(s)) 
     tval &= 0xffffffff;
     
     tcg_gen_movi_tl(cpu_T0, next_eip);
     gen_push_v(s, cpu_T0);
     gen_bnd_jmp(s);
     gen_jmp(s, tval);
     
     break;


    The value in next_eip is saved by the following calls:



     tcg_gen_movi_tl(cpu_T0, next_eip);
     gen_push_v(s, cpu_T0);


    But I can not find how this value (next_eip) is used in the RET implementation:



     case 0xc3: /* ret */
     ot = gen_pop_T0(s);
     gen_pop_update(s, ot);
     /* Note that gen_pop_T0 uses a zero-extending load. */
     gen_op_jmp_v(cpu_T0);
     gen_bnd_jmp(s);
     gen_jr(s, cpu_T0);
     break;


    While i trace CALL implementation i see code where return adress is used:



    void tcg_gen_op2(TCGOpcode opc, TCGArg a1, TCGArg a2)

    TCGOp *op = tcg_emit_op(opc); // INDEX_op_movi_i64
    op->args[0] = a1; // address of register
    op->args[1] = a2; // **REAL RETURN ADDRESS**



    But i can not find REAL RETURN ADDRESS while tracing RET implementation.



    Can anyone tell me where exactly the RET instruction implementation uses the value in next_eip.




    qemu




    share|improve this question























      up vote
      1
      down vote

      favorite
      1









      up vote
      1
      down vote

      favorite
      1






      1





      In file target/i386/translate.c the CALL instruction (opcode 0xe8) has this implementation:



       case 0xe8: /* call im */
       
       if (dflag != MO_16) 
       tval = (int32_t)insn_get(env, s, MO_32);
       else 
       tval = (int16_t)insn_get(env, s, MO_16);
       
       next_eip = s->pc - s->cs_base;
       tval += next_eip;
       if (dflag == MO_16) 
       tval &= 0xffff;
       else if (!CODE64(s)) 
       tval &= 0xffffffff;
       
       tcg_gen_movi_tl(cpu_T0, next_eip);
       gen_push_v(s, cpu_T0);
       gen_bnd_jmp(s);
       gen_jmp(s, tval);
       
       break;


      The value in next_eip is saved by the following calls:



       tcg_gen_movi_tl(cpu_T0, next_eip);
       gen_push_v(s, cpu_T0);


      But I can not find how this value (next_eip) is used in the RET implementation:



       case 0xc3: /* ret */
       ot = gen_pop_T0(s);
       gen_pop_update(s, ot);
       /* Note that gen_pop_T0 uses a zero-extending load. */
       gen_op_jmp_v(cpu_T0);
       gen_bnd_jmp(s);
       gen_jr(s, cpu_T0);
       break;


      While i trace CALL implementation i see code where return adress is used:



      void tcg_gen_op2(TCGOpcode opc, TCGArg a1, TCGArg a2)

      TCGOp *op = tcg_emit_op(opc); // INDEX_op_movi_i64
      op->args[0] = a1; // address of register
      op->args[1] = a2; // **REAL RETURN ADDRESS**



      But i can not find REAL RETURN ADDRESS while tracing RET implementation.



      Can anyone tell me where exactly the RET instruction implementation uses the value in next_eip.




      qemu




      share|improve this question













      In file target/i386/translate.c the CALL instruction (opcode 0xe8) has this implementation:



       case 0xe8: /* call im */
       
       if (dflag != MO_16) 
       tval = (int32_t)insn_get(env, s, MO_32);
       else 
       tval = (int16_t)insn_get(env, s, MO_16);
       
       next_eip = s->pc - s->cs_base;
       tval += next_eip;
       if (dflag == MO_16) 
       tval &= 0xffff;
       else if (!CODE64(s)) 
       tval &= 0xffffffff;
       
       tcg_gen_movi_tl(cpu_T0, next_eip);
       gen_push_v(s, cpu_T0);
       gen_bnd_jmp(s);
       gen_jmp(s, tval);
       
       break;


      The value in next_eip is saved by the following calls:



       tcg_gen_movi_tl(cpu_T0, next_eip);
       gen_push_v(s, cpu_T0);


      But I can not find how this value (next_eip) is used in the RET implementation:



       case 0xc3: /* ret */
       ot = gen_pop_T0(s);
       gen_pop_update(s, ot);
       /* Note that gen_pop_T0 uses a zero-extending load. */
       gen_op_jmp_v(cpu_T0);
       gen_bnd_jmp(s);
       gen_jr(s, cpu_T0);
       break;


      While i trace CALL implementation i see code where return adress is used:



      void tcg_gen_op2(TCGOpcode opc, TCGArg a1, TCGArg a2)

      TCGOp *op = tcg_emit_op(opc); // INDEX_op_movi_i64
      op->args[0] = a1; // address of register
      op->args[1] = a2; // **REAL RETURN ADDRESS**



      But i can not find REAL RETURN ADDRESS while tracing RET implementation.



      Can anyone tell me where exactly the RET instruction implementation uses the value in next_eip.





      qemu





      share|improve this question












      share|improve this question




      share|improve this question








      edited Jun 28 at 9:20
























      asked Jun 28 at 7:12









      puzzlestorage

      63




      63




















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          0
          down vote













          The value in next_eip is popped from the stack:



          ot = gen_pop_T0(s);


          As a side-effect, this updates cpu_T0 which is then used for the jump; see the implementation of gen_pop_T0:



          TCGMemOp d_ot = mo_pushpop(s, s->dflag);

          gen_lea_v_seg(s, mo_stacksize(s), cpu_regs[R_ESP], R_SS, -1);
          gen_op_ld_v(s, d_ot, cpu_T0, cpu_A0);

          return d_ot;


          This is how RET retrieves the value which was pushed by CALL:



          tcg_gen_movi_tl(cpu_T0, next_eip);
          gen_push_v(s, cpu_T0);


          When interpreting a RET instruction, the emulator can’t rely on internal knowledge: it has to behave exactly as the RET instruction does, retrieving its return address from the stack. (In real-world code, there are many cases of RETs following a JMP with a manually-set-up stack rather than a CALL, or a CALL never resulting in a RET, or code changing the return address for the RET by changing the value on the stack.) This is what QEMU’s RET implementation does: it pops the return address from the stack (gen_pop_T0) and processes that.






          share|improve this answer























          • Thanks for the quick response. As I understand it, gen_pop_T0 pops element of TCGTemp type. If I'm wrong, then please correct me. I can not find where in the structure of type TCGTemp the value of the return address is stored (next_eip).
            – puzzlestorage
            Jun 28 at 7:32










          • See my updated answer.
            – Stephen Kitt
            Jun 28 at 7:44










          Your Answer







          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "106"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: false,
          noModals: false,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );








           

          draft saved


          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f452365%2fdetails-about-implementation-of-call-ret-instruction-in-qemu-x86-64%23new-answer', 'question_page');

          );

          Post as a guest

















          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          0
          down vote













          The value in next_eip is popped from the stack:



          ot = gen_pop_T0(s);


          As a side-effect, this updates cpu_T0 which is then used for the jump; see the implementation of gen_pop_T0:



          TCGMemOp d_ot = mo_pushpop(s, s->dflag);

          gen_lea_v_seg(s, mo_stacksize(s), cpu_regs[R_ESP], R_SS, -1);
          gen_op_ld_v(s, d_ot, cpu_T0, cpu_A0);

          return d_ot;


          This is how RET retrieves the value which was pushed by CALL:



          tcg_gen_movi_tl(cpu_T0, next_eip);
          gen_push_v(s, cpu_T0);


          When interpreting a RET instruction, the emulator can’t rely on internal knowledge: it has to behave exactly as the RET instruction does, retrieving its return address from the stack. (In real-world code, there are many cases of RETs following a JMP with a manually-set-up stack rather than a CALL, or a CALL never resulting in a RET, or code changing the return address for the RET by changing the value on the stack.) This is what QEMU’s RET implementation does: it pops the return address from the stack (gen_pop_T0) and processes that.






          share|improve this answer























          • Thanks for the quick response. As I understand it, gen_pop_T0 pops element of TCGTemp type. If I'm wrong, then please correct me. I can not find where in the structure of type TCGTemp the value of the return address is stored (next_eip).
            – puzzlestorage
            Jun 28 at 7:32










          • See my updated answer.
            – Stephen Kitt
            Jun 28 at 7:44














          up vote
          0
          down vote













          The value in next_eip is popped from the stack:



          ot = gen_pop_T0(s);


          As a side-effect, this updates cpu_T0 which is then used for the jump; see the implementation of gen_pop_T0:



          TCGMemOp d_ot = mo_pushpop(s, s->dflag);

          gen_lea_v_seg(s, mo_stacksize(s), cpu_regs[R_ESP], R_SS, -1);
          gen_op_ld_v(s, d_ot, cpu_T0, cpu_A0);

          return d_ot;


          This is how RET retrieves the value which was pushed by CALL:



          tcg_gen_movi_tl(cpu_T0, next_eip);
          gen_push_v(s, cpu_T0);


          When interpreting a RET instruction, the emulator can’t rely on internal knowledge: it has to behave exactly as the RET instruction does, retrieving its return address from the stack. (In real-world code, there are many cases of RETs following a JMP with a manually-set-up stack rather than a CALL, or a CALL never resulting in a RET, or code changing the return address for the RET by changing the value on the stack.) This is what QEMU’s RET implementation does: it pops the return address from the stack (gen_pop_T0) and processes that.






          share|improve this answer























          • Thanks for the quick response. As I understand it, gen_pop_T0 pops element of TCGTemp type. If I'm wrong, then please correct me. I can not find where in the structure of type TCGTemp the value of the return address is stored (next_eip).
            – puzzlestorage
            Jun 28 at 7:32










          • See my updated answer.
            – Stephen Kitt
            Jun 28 at 7:44












          up vote
          0
          down vote










          up vote
          0
          down vote









          The value in next_eip is popped from the stack:



          ot = gen_pop_T0(s);


          As a side-effect, this updates cpu_T0 which is then used for the jump; see the implementation of gen_pop_T0:



          TCGMemOp d_ot = mo_pushpop(s, s->dflag);

          gen_lea_v_seg(s, mo_stacksize(s), cpu_regs[R_ESP], R_SS, -1);
          gen_op_ld_v(s, d_ot, cpu_T0, cpu_A0);

          return d_ot;


          This is how RET retrieves the value which was pushed by CALL:



          tcg_gen_movi_tl(cpu_T0, next_eip);
          gen_push_v(s, cpu_T0);


          When interpreting a RET instruction, the emulator can’t rely on internal knowledge: it has to behave exactly as the RET instruction does, retrieving its return address from the stack. (In real-world code, there are many cases of RETs following a JMP with a manually-set-up stack rather than a CALL, or a CALL never resulting in a RET, or code changing the return address for the RET by changing the value on the stack.) This is what QEMU’s RET implementation does: it pops the return address from the stack (gen_pop_T0) and processes that.






          share|improve this answer















          The value in next_eip is popped from the stack:



          ot = gen_pop_T0(s);


          As a side-effect, this updates cpu_T0 which is then used for the jump; see the implementation of gen_pop_T0:



          TCGMemOp d_ot = mo_pushpop(s, s->dflag);

          gen_lea_v_seg(s, mo_stacksize(s), cpu_regs[R_ESP], R_SS, -1);
          gen_op_ld_v(s, d_ot, cpu_T0, cpu_A0);

          return d_ot;


          This is how RET retrieves the value which was pushed by CALL:



          tcg_gen_movi_tl(cpu_T0, next_eip);
          gen_push_v(s, cpu_T0);


          When interpreting a RET instruction, the emulator can’t rely on internal knowledge: it has to behave exactly as the RET instruction does, retrieving its return address from the stack. (In real-world code, there are many cases of RETs following a JMP with a manually-set-up stack rather than a CALL, or a CALL never resulting in a RET, or code changing the return address for the RET by changing the value on the stack.) This is what QEMU’s RET implementation does: it pops the return address from the stack (gen_pop_T0) and processes that.







          share|improve this answer















          share|improve this answer



          share|improve this answer








          edited Jun 28 at 7:43


























          answered Jun 28 at 7:20









          Stephen Kitt

          139k22299361




          139k22299361











          • Thanks for the quick response. As I understand it, gen_pop_T0 pops element of TCGTemp type. If I'm wrong, then please correct me. I can not find where in the structure of type TCGTemp the value of the return address is stored (next_eip).
            – puzzlestorage
            Jun 28 at 7:32










          • See my updated answer.
            – Stephen Kitt
            Jun 28 at 7:44
















          • Thanks for the quick response. As I understand it, gen_pop_T0 pops element of TCGTemp type. If I'm wrong, then please correct me. I can not find where in the structure of type TCGTemp the value of the return address is stored (next_eip).
            – puzzlestorage
            Jun 28 at 7:32










          • See my updated answer.
            – Stephen Kitt
            Jun 28 at 7:44















          Thanks for the quick response. As I understand it, gen_pop_T0 pops element of TCGTemp type. If I'm wrong, then please correct me. I can not find where in the structure of type TCGTemp the value of the return address is stored (next_eip).
          – puzzlestorage
          Jun 28 at 7:32




          Thanks for the quick response. As I understand it, gen_pop_T0 pops element of TCGTemp type. If I'm wrong, then please correct me. I can not find where in the structure of type TCGTemp the value of the return address is stored (next_eip).
          – puzzlestorage
          Jun 28 at 7:32












          See my updated answer.
          – Stephen Kitt
          Jun 28 at 7:44




          See my updated answer.
          – Stephen Kitt
          Jun 28 at 7:44












           

          draft saved


          draft discarded


























           


          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f452365%2fdetails-about-implementation-of-call-ret-instruction-in-qemu-x86-64%23new-answer', 'question_page');

          );

          Post as a guest
































































          -

          Popular posts from this blog

          Peggy Mitchell

          Image
          EastEnders character This article is about the soap opera character. For the British tennis player, see Peggy Michell. For the author, see Margaret Mitchell. Peggy Mitchell Barbara Windsor as Peggy Mitchell (2008) EastEnders character Portrayed by Jo Warne (1991) Barbara Windsor (1994–2016) Duration 1991, 1994–2010, 2013–2016 First appearance Episode 650 30 April 1991  ( 1991-04-30 ) Last appearance Episode 5286 17 May 2016  ( 2016-05-17 ) (appearance) Episode 5287 19 May 2016 (voiceover) Introduced by Michael Ferguson (1991) Barbara Emile (1994) Louise Berridge (2004) Kate Harwood (2005) Lorraine Newman (2013) Dominic Treadwell-Collins (2014) Spin-off appearances The Mitchells - Naked Truths (1998) Classification Former; regular Profile Other names Peggy Butcher Occupation Barmaid Businesswoman Pub landlady Jo Warne as Peggy Mitchell (1991) Family Family Mitchell Father Jack Martin Mother Lily Martin Sisters Aunt ...
          Read more

          Palaiologos

          Image
          Palaiologos Παλαιολόγος Palaeologus, Palaeologue Imperial Family Double-headed eagle with the family cypher Country Byzantine Empire, Duchy of Montferrat (remaining lineage after Empire annexed by Ottomans) Founded 11th century  ( 11th century ) Founder Nikephoros Palaiologos (first known) Final ruler Constantine XI Palaiologos (Byzantine Empire) Margaret Paleologa (Montferrat) Titles Byzantine Emperor Marquess of Montferrat Style(s) "Augustus" "Basileus" "Autokrator" Traditions Greek Orthodoxy (predominantly) Roman Catholicism (remaining lineage in Montferrat) Dissolution 1533  ( 1533 ) Cadet branches Claimants: House of Kastrioti (defunct) House of Rurik (defunct) Palaiologan dynasty Chronology Michael VIII 1259–1282 with Andronikos II as co-emperor, 1261–1282 Andronikos II 1282–1328 with Michael IX (1294–1320) and Andronikos III (1321–1328) as co-emperors Andronikos III 1328–1341 John...
          Read more

          The Forum (Inglewood, California)

          Image
          The Forum "LA Forum" Prairie Ave. façade of The Forum in 2014 Full name The Forum, presented by Chase Former names The Forum (1967–1988) Great Western Forum (1988–2003) Address 3900 W. Manchester Blvd Location Inglewood, California Coordinates Coordinates: 33°57′29″N 118°20′31″W  /  33.95806°N 118.34194°W  / 33.95806; -118.34194 Public transit     Downtown Inglewood station Owner The Madison Square Garden Company Operator MSG Entertainment Seating type Reserved Capacity 17,500 Half-bowl: 8,000 Construction Broke ground July 1, 1966  ( 1966-07-01 ) Opened December 30, 1967  ( 1967-12-30 ) Renovated 1988, 2012–2014 Construction cost $16 million Renovation: 2014: $76.5 million Architect Charles Luckman Associates (original) Brisbin Brook Beynon (renovation) Structural engineer Johnson & Nielsen Associates (original) Severud Associates (renovation) Genera...
          Read more