More on %gs:0x0
Petr Baudis
pasky@suse.cz
Tue Aug 25 15:00:00 GMT 2009
On Mon, Aug 24, 2009 at 03:39:34PM -0400, Amittai Aviram wrote:
> On Mon, 2009-08-24 at 19:25 +0100, Mark Seaborn wrote:
> > Amittai Aviram <amittai.aviram@yale.edu> wrote:
> >
> > > Here is a follow-up to my previous query. My question remains this:
> > > how do values get into %gs:0x0?
> >
> > > The final step will show me zillions of instances of moving data from
> > > location %gs:0x0 to a general purpose register, but not a single
> > > instance of moving data _into_ location %gs:0x0. How does anything
> > > except 0 ever get into %gs:0x0?
> >
> > I'd suggest reading Ulrich Drepper's document about the TLS ABIs -
> > http://people.redhat.com/drepper/tls.pdf - and also read about how
> > segment registers work on i386.
> [...]
>
> Thanks! I also find it puzzling why glibc's ___printf_fp would fetch a
> value from an address that is 32 _below_ the start of the TLB:
>
> 805bfff: 65 8b 1d 00 00 00 00 mov %gs:0x0,%ebx
> 805c006: b8 e0 ff ff ff mov $0xffffffe0,%eax
> 805c00b: 89 9d f8 fe ff ff mov %ebx,-0x108(%ebp)
> 805c011: 8b 04 03 mov (%ebx,%eax,1),%eax
> 805c014: 8b 00 mov (%eax),%eax
>
> The first line above fetches the TLB start address (let's call it
> tlb_start). The next instruction loads -32 into eax. In the fourth
> instruction, the value found at the location tlb_start - 32 is loaded
> into eax. Why would the library refer to an address with a negative
> offset (or index, in this case) from tlb_start? Thanks.
It's actually explained in detail in the tls.pdf Mark Seaborn pointed
you at - x86* places TLS blocks _below_ the TCB in memory (since TCB
size is unknown on x86* for historical reasons).
--
Petr "Pasky" Baudis
A lot of people have my books on their bookshelves.
That's the problem, they need to read them. -- Don Knuth
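An added example, not part of the thread and not glibc's code, that makes the layout Petr describes visible on a running system. It assumes Linux on x86 (i386 or x86-64, where the thread pointer lives in %gs or %fs respectively) with a glibc-style "variant II" TLS layout; `tls_counter` and the constant values are constructed sample data, and `tcb_self_pointer`, `tls_offset_from_tcb`, `read_via_tcb_offset` and `tcb_differs_but_offset_same` are names chosen here. It reads the TCB self-pointer exactly as the compiled listing does, shows that a `__thread` variable sits at a negative, link-time-constant offset below that address, reads it back through "base + negative index" like the `mov (%ebx,%eax,1),%eax` in the listing, and shows that a second thread gets a different TCB but the same offset.

```c
/* Added example (not from the thread or glibc): the TCB self-pointer and
 * thread-local data on x86 Linux.
 *
 * On i386 the kernel installs a segment for each thread (set_thread_area)
 * and libc loads %gs with its selector; on x86-64 the base of %fs is set
 * instead.  The first word of the TCB is written by libc to hold the TCB's
 * own address, which is why code reads %gs:0x0 to find thread-local data.
 * Static TLS blocks are placed *below* the TCB ("variant II"), so a
 * thread-local variable is reached as tcb_address + negative_offset.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <pthread.h>

static __thread int tls_counter = 0x1234;   /* constructed sample TLS variable */

/* Read the thread pointer the same way compiled code does. */
static void *tcb_self_pointer(void)
{
    void *tcb;
#if defined(__x86_64__)
    __asm__ volatile ("movq %%fs:0, %0" : "=r"(tcb));
#elif defined(__i386__)
    __asm__ volatile ("movl %%gs:0, %0" : "=r"(tcb));
#else
    tcb = __builtin_thread_pointer();   /* other targets: compiler builtin */
#endif
    return tcb;
}

/* Signed distance of tls_counter from the TCB; negative on x86 (variant II).
 * It is the same in every thread, which is why the compiler can hard-code
 * it as an immediate such as $0xffffffe0 (-32). */
static ptrdiff_t tls_offset_from_tcb(void)
{
    return (ptrdiff_t)((uintptr_t)&tls_counter - (uintptr_t)tcb_self_pointer());
}

/* Read tls_counter through "tcb + offset", mirroring the indexed load. */
static int read_via_tcb_offset(void)
{
    uintptr_t tcb = (uintptr_t)tcb_self_pointer();
    return *(int *)(tcb + (uintptr_t)tls_offset_from_tcb());
}

struct probe { void *tcb; ptrdiff_t off; int value; };

static void *probe_thread(void *arg)
{
    struct probe *p = arg;
    tls_counter = 0x5678;            /* changes only this thread's copy */
    p->tcb = tcb_self_pointer();
    p->off = tls_offset_from_tcb();
    p->value = read_via_tcb_offset();
    return NULL;
}

/* Returns 1 if a second thread has its own TCB but the same TLS offset,
 * sees its own value through that offset, and leaves the main thread's
 * copy of tls_counter untouched. */
static int tcb_differs_but_offset_same(void)
{
    struct probe p = {0};
    pthread_t t;
    if (pthread_create(&t, NULL, probe_thread, &p) != 0)
        return 0;
    pthread_join(t, NULL);
    return p.tcb != tcb_self_pointer()
        && p.off == tls_offset_from_tcb()
        && p.value == 0x5678
        && tls_counter == 0x1234;
}

int main(void)
{
    printf("tcb = %p, &tls_counter = %p, offset = %td\n",
           tcb_self_pointer(), (void *)&tls_counter, tls_offset_from_tcb());
    printf("read via tcb+offset: 0x%x, second thread consistent: %d\n",
           read_via_tcb_offset(), tcb_differs_but_offset_same());
    return 0;
}
```

Run it once and compare the printed offset with the disassembly of the same binary: the compiler emits that constant (here relative to %fs or %gs) as an immediate, so nothing ever has to store "into" %gs:0x0 at the access site; the only write to that word happens when libc sets up the thread's TCB.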