More on %gs:0x0

Petr Baudis pasky@suse.cz
Tue Aug 25 15:00:00 GMT 2009


On Mon, Aug 24, 2009 at 03:39:34PM -0400, Amittai Aviram wrote:
> On Mon, 2009-08-24 at 19:25 +0100, Mark Seaborn wrote:
> > Amittai Aviram <amittai.aviram@yale.edu> wrote:
> > 
> > > Here is a follow-up to my previous query.  My question remains this:   
> > > how do values get into %gs:0x0?
> > 
> > > The final step will show me zillions of instances of moving data from  
> > > location %gs:0x0 to a general purpose register, but not a single  
> > > instance of moving data _into_ location %gs:0x0.  How does anything  
> > > except 0 ever get into %gs:0x0?
> > 
> > I'd suggest reading Ulrich Drepper's document about the TLS ABIs -
> > http://people.redhat.com/drepper/tls.pdf - and also read about how
> > segment registers work on i386.
> [...]
> 
> Thanks!  I also find it puzzling why glibc's ___printf_fp would fetch a
> value from an address that is 32 _below_ the start of the TLB:
> 
> 805bfff:       65 8b 1d 00 00 00 00    mov    %gs:0x0,%ebx
> 805c006:       b8 e0 ff ff ff          mov    $0xffffffe0,%eax
> 805c00b:       89 9d f8 fe ff ff       mov    %ebx,-0x108(%ebp)
> 805c011:       8b 04 03                mov    (%ebx,%eax,1),%eax
> 805c014:       8b 00                   mov    (%eax),%eax
> 
> The first line above fetches the TLB start address (let's call it
> tlb_start).  The next instruction loads -32 into eax.  In the fourth
> instruction, the value found at the location tlb_start - 32 is loaded
> into eax.  Why would the library refer to an address with a negative
> offset (or index, in this case) from tlb_start?  Thanks.

It's actually explained in detail in the tls.pdf Mark Seaborn pointed
you at - x86* places TLS blocks _below_ the TCB in memory (since TCB
size is unknown on x86* for historical reasons).

-- 
				Petr "Pasky" Baudis
A lot of people have my books on their bookshelves.
That's the problem, they need to read them. -- Don Knuth
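An added example (not from the thread) that checks the layout Petr describes on a running x86 Linux system: the word at %gs:0x0 (on i386; the x86-64 ABI uses %fs:0x0) is the TCB's own address, and a `__thread` variable sits at a negative offset from it. It assumes glibc's x86 TLS layout; the variable `counter` and the helper names are mine.

```c
#include <stdio.h>
#include <stddef.h>

/* One TLS variable in the executable's own TLS block (constructed for the demo). */
static __thread int counter = 42;

/* Read the thread pointer the way the disassembly above does
   (mov %gs:0x0,%ebx on i386; the x86-64 ABI uses %fs instead). */
static void *read_tcb_pointer(void)
{
    void *tcb = NULL;
#if defined(__i386__)
    __asm__ volatile("movl %%gs:0, %0" : "=r"(tcb));
#elif defined(__x86_64__)
    __asm__ volatile("movq %%fs:0, %0" : "=r"(tcb));
#endif
    /* Stays NULL on other architectures, whose thread-pointer convention differs. */
    return tcb;
}

/* The word at %gs:0x0 is the first field of glibc's tcbhead_t, which points
   back at the TCB itself.  glibc stores that address when it initialises the
   thread, so ordinary code (like ___printf_fp) only ever loads it. */
static int tcb_is_self_pointer(void)
{
    void **tcb = read_tcb_pointer();
    return tcb != NULL && *tcb == (void *)tcb;
}

/* Distance from the TCB to the TLS variable: negative on x86, because
   tls.pdf's "variant II" places the TLS blocks below the TCB. */
static ptrdiff_t tls_offset_from_tcb(void)
{
    char *tcb = read_tcb_pointer();
    return tcb ? (char *)&counter - tcb : 0;
}

int main(void)
{
    printf("tcb=%p  &counter=%p  offset=%td  self-pointer=%s\n",
           read_tcb_pointer(), (void *)&counter, tls_offset_from_tcb(),
           tcb_is_self_pointer() ? "yes" : "no");
    return 0;
}
```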
