diff options
Diffstat (limited to 'source/notes/mono_jit/mono_jit.md')
-rw-r--r-- | source/notes/mono_jit/mono_jit.md | 267 |
1 files changed, 267 insertions, 0 deletions
diff --git a/source/notes/mono_jit/mono_jit.md b/source/notes/mono_jit/mono_jit.md new file mode 100644 index 0000000..1f6c073 --- /dev/null +++ b/source/notes/mono_jit/mono_jit.md @@ -0,0 +1,267 @@ +``` +(gdb) info address System_Console_ReadLine +Symbol "System_Console_ReadLine" is a function at address 0x7f9a3ce60f50. +``` + +ok, time to look for something close to `0x7f9a3ce60f50` on the stack as a return address. + +<div class="codebox"><pre> +(gdb) x/300xg $rsp +0x7ffd84d06930: 0x0000000000000000 0x0000000000603f21 +0x7ffd84d06940: 0x0000000002106908 0x32bfbbdd7b4d2300 +0x7ffd84d06950: 0x0000000000000004 0x0000000000000000 +0x7ffd84d06960: 0x00007f9a3ec0a150 0x0000000000000400 +0x7ffd84d06970: 0x00007ffd84d06a80 0x00000000005d7c20 +0x7ffd84d06980: 0x000000003cd61c3d 0x32bfbbdd7b4d2300 +0x7ffd84d06990: 0x0000000000000000 0x00007ffd84d06a60 +0x7ffd84d069a0: 0x00007f9a3ec0a150 0x0000000000000000 +0x7ffd84d069b0: 0x0000000000000400 0x0000000041951b2a +0x7ffd84d069c0: 0x0000000000000000 0x00007f9a3ec09ff8 +0x7ffd84d069d0: 0x00007f9a3ec0a150 0x0000000000000000 +0x7ffd84d069e0: 0x0000000000000400 0x00000000020b49b0 +0x7ffd84d069f0: 0x00007f9a3ec0a150 0x00007ffd84d06a60 +0x7ffd84d06a00: 0x00007ffd84d069c0 0x00007f9a3cd61b91 +0x7ffd84d06a10: 0x00007ffd84d06a80 0x0000000000000400 +0x7ffd84d06a20: 0x0000000000000000 0x00007f9a3ec0a150 +0x7ffd84d06a30: 0x00007f9a3ec0a068 0x00007f9a3ec0a118 +0x7ffd84d06a40: 0x00007f9a3ec0a170 0x0000000000000007 +0x7ffd84d06a50: 0x00007f9a3ec0a501 0x0000000000000400 +0x7ffd84d06a60: 0x0000000000000400 0x00007f9a3cd60348 +0x7ffd84d06a70: 0x0000000000000000 0x0000000000000400 +0x7ffd84d06a80: 0x00007f9a00000000 0x00007f9a3ec09ff8 +0x7ffd84d06a90: 0x00007f9a3ec0a068 0x00007f9a3ec0a150 +0x7ffd84d06aa0: 0x0000000000000400 0x00007f9a3cd5e517 +0x7ffd84d06ab0: 0x0000000000000400 0x00007ffd84d06d00 +0x7ffd84d06ac0: 0x00007f9a3ec09ff8 0x00007f9a3ec0a150 +0x7ffd84d06ad0: 0x0000000000000000 0x0000000000000400 +0x7ffd84d06ae0: 0x0000000000000400 0x00007f9a3cd5e382 +0x7ffd84d06af0: 0x00000000020f1e30 0x0000000000000000 +0x7ffd84d06b00: 0x00007f9a3ec00628 0x00007ffd84d06c38 +0x7ffd84d06b10: 0x00007f9a3ec0a0b0 0x0000000000000000 +0x7ffd84d06b20: 0x00007f9a3ec00628 0x00007f9a3cbcddc5 +0x7ffd84d06b30: 0x00000000020f1e30 0x00007ffd84d06d00 +0x7ffd84d06b40: 0x0000000000000000 0x00007f9a3ec00628 +0x7ffd84d06b50: 0x00007ffd84d06c38 0x00007f9a3ec0a0b0 +0x7ffd84d06b60: 0x00000000020f1e30 0x00007f9a3cbccc44 +0x7ffd84d06b70: 0x00000000020f1e30 0x0000000000000000 +0x7ffd84d06b80: 0x00007f9a3ec00628 0x00007f9a3ec00628 +0x7ffd84d06b90: 0x00007ffd84d06c38 0x00007f9a00000000 +0x7ffd84d06ba0: 0x00007ffd84d06b60 0x00007f9a3ce78294 +0x7ffd84d06bb0: 0x0000000000000000 0x0000000000000004 +0x7ffd84d06bc0: 0x00007f9a3ec272f8 0x00007ffd84d06c28 +0x7ffd84d06bd0: 0x00007f9a3ec08328 0x00007f9a3cc6f872 +0x7ffd84d06be0: 0x00007f9a3ec272f8 0x00007f9a3ce78a12 +0x7ffd84d06bf0: 0x00000000020f1e30 0x00007ffd84d06fe0 +0x7ffd84d06c00: 0x0000000000000000 0x00007f9a3ec08328 +0x7ffd84d06c10: 0x00007f9a3ec08328 0x0000000041952328 +0x7ffd84d06c20: 0x0000000041952315 0x0000000000000000 +0x7ffd84d06c30: 0x00007f9a00000000 0x00007f9a3ec07800 +0x7ffd84d06c40: 0x00007f9a3ec272f8 0x00007f9a3ce628c4 +<b>0x7ffd84d06c50: 0x00007f9a3ec08328 0x00007f9a3ce61027 <--- this is our winner</b> +0x7ffd84d06c60: 0x000000004194fe50 0x00007ffd84d06fe0 +0x7ffd84d06c70: 0x0000000000000005 0x000000004194fdca +0x7ffd84d06c80: 0x000000004194fd50 0x000000004194fd50 +0x7ffd84d06c90: 0x000000004194fd50 0x000000004194ff19 +0x7ffd84d06ca0: 0x000000000000001f 0x0000000000000000 +0x7ffd84d06cb0: 0x31c01d4184d06f90 0x0000000000000000 +0x7ffd84d06cc0: 0x0000000000000000 0x32bfbbdd7b4d2300 +0x7ffd84d06cd0: 0x00000000020908b0 0x00000000020f1e30 +0x7ffd84d06ce0: 0x00007ffd84d06f90 0x000000004194fe50 +0x7ffd84d06cf0: 0x0000000002091d30 0x0000000000000000 +0x7ffd84d06d00: 0x00007ffd84d06f90 0x00000000004266b8 +0x7ffd84d06d10: 0x00000000020ed240 0x000000000208df90 +0x7ffd84d06d20: 0x0000000000000000 0x00000000020f9c00 +0x7ffd84d06d30: 0x0000000000000025 0x0000000000000000 +0x7ffd84d06d40: 0x0000000000000000 0x0000000000000000 +0x7ffd84d06d50: 0x000000000209bfa8 0x00007f9a00000000 +0x7ffd84d06d60: 0x0000000000000000 0x00007f9a3f733b20 +0x7ffd84d06d70: 0x0000000000000026 0x0000000000000025 +0x7ffd84d06d80: 0x00007ffd84d06df4 0x00007f9a3f749c89 +0x7ffd84d06d90: 0x0000000000000000 0x00000000006366fe +0x7ffd84d06da0: 0x00007f9a401b4130 0x00000000020f1d80 +0x7ffd84d06db0: 0x00007ffd84d071f0 0x00007f9a3f3f398c +0x7ffd84d06dc0: 0x00007ffd84d071f0 0x00007f9a3f3f35d4 +0x7ffd84d06dd0: 0x00000000020af860 0x0000000000632060 +0x7ffd84d06de0: 0x00000000020f1d80 0x0000000000000000 +0x7ffd84d06df0: 0x0000000000000000 0x000000000208df90 +0x7ffd84d06e00: 0x00000000020f1d80 0x00000000020f1d80 +0x7ffd84d06e10: 0x00007f9a401b4130 0x00000000020f1d80 +0x7ffd84d06e20: 0x00007ffd84d071f0 0x00007f9a3f3f398c +0x7ffd84d06e30: 0x0000000000000000 0x32bfbbdd7b4d2300 +0x7ffd84d06e40: 0x00007ffd84d06eb0 0x000000000054537c +0x7ffd84d06e50: 0x00000000020f1d80 0x000000000208df90 +0x7ffd84d06e60: 0x00000000020f1d80 0x00000000020f1d80 +0x7ffd84d06e70: 0x00007f9a401b4130 0x32bfbbdd7b4d2300 +0x7ffd84d06e80: 0x0000000000000000 0x0000000002091d30 +0x7ffd84d06e90: 0x0000000002091d30 0x0000000000000000 +0x7ffd84d06ea0: 0x00007f9a401b4130 0x00000000020f1d80 +0x7ffd84d06eb0: 0x00007ffd84d071f0 0x00000000005452d9 +0x7ffd84d06ec0: 0x0000000000000000 0x0000000002091d30 +0x7ffd84d06ed0: 0x00000000020911c0 0x0000000002091350 +0x7ffd84d06ee0: 0x0000000000000040 0x00000000020f1d80 +0x7ffd84d06ef0: 0x00007ffd84d071f0 0x000000000055fec6 +0x7ffd84d06f00: 0x0000000000000040 0x0000000002091350 +0x7ffd84d06f10: 0x00007f9a3ec00388 0x32bfbbdd7b4d2300 +0x7ffd84d06f20: 0x00007f9a401b4130 0x0000000002091d30 +0x7ffd84d06f30: 0x00000000020911c0 0x0000000000000000 +0x7ffd84d06f40: 0x00007f9a401b4130 0x00000000005b910a +0x7ffd84d06f50: 0x000000000208df90 0x32bfbbdd7b4d2300 +0x7ffd84d06f60: 0x00007f9a401b4130 0x0000000002091d30 +0x7ffd84d06f70: 0x00007ffd84d06fe0 0x0000000000000000 +0x7ffd84d06f80: 0x00000000020f1d80 0x00007ffd84d071f0 +0x7ffd84d06f90: 0x0000000000000000 0x00000000005ac68d +0x7ffd84d06fa0: 0x000000000208df90 0x0000000002091d30 +0x7ffd84d06fb0: 0x0000000000000000 0x0000000000000000 +0x7ffd84d06fc0: 0x00007f9a401b4130 0x00000000005ae9cc +0x7ffd84d06fd0: 0x000000000208df90 0x0000000000000000 +0x7ffd84d06fe0: 0x00007f9a3ec00328 0x32bfbbdd7b4d2300 +0x7ffd84d06ff0: 0x00007ffd84d07484 0x000000000208df90 +0x7ffd84d07000: 0x0000000000000001 0x00000000020ed390 +0x7ffd84d07010: 0x0000000000000000 0x0000000000476967 +0x7ffd84d07020: 0x0000000000000000 0x00000000161169ff +0x7ffd84d07030: 0x0000000000000000 0x0000000000000000 +0x7ffd84d07040: 0x0000000000000000 0x0000000000000000 +0x7ffd84d07050: 0x0000000000000004 0x0000000000000000 +0x7ffd84d07060: 0x0000000000000000 0x0000000000000000 +0x7ffd84d07070: 0x0000000000000000 0x0000000000000000 +0x7ffd84d07080: 0x0000000000000002 0x0000000100000001 +0x7ffd84d07090: 0x0000000000639710 0x000000000208df90 +0x7ffd84d070a0: 0x00007ffd84d071e0 0x0000000000000002 +0x7ffd84d070b0: 0x0000000000000000 0x0000000000422c0e +0x7ffd84d070c0: 0x0000000000000001 0x32bfbbdd7b4d2300 +0x7ffd84d070d0: 0x0000000000000000 0x0000000000000000 +0x7ffd84d070e0: 0x0000000000639710 0x0000000000422e50 +0x7ffd84d070f0: 0x00007ffd84d071e0 0x0000000000000000 +0x7ffd84d07100: 0x0000000000000000 0x00007f9a3f390830 +0x7ffd84d07110: 0x0000000000000000 0x00007ffd84d071e8 +0x7ffd84d07120: 0x0000000240290ca0 0x0000000000422be0 +0x7ffd84d07130: 0x0000000000000000 0x42f8e52f22cfd5b5 +0x7ffd84d07140: 0x0000000000422e50 0x00007ffd84d071e0 +0x7ffd84d07150: 0x0000000000000000 0x0000000000000000 +0x7ffd84d07160: 0xbd03ec48eecfd5b5 0xbdcc9b9a033fd5b5 +0x7ffd84d07170: 0x00007ffd00000000 0x0000000000000000 +0x7ffd84d07180: 0x0000000000000000 0x0000000000639780 +0x7ffd84d07190: 0x00007f9a4007b8e0 0x00007f9a4007b5fb +0x7ffd84d071a0: 0x0000000000000000 0x0000000000000000 +0x7ffd84d071b0: 0x0000000000422e50 0x00007ffd84d071e0 +0x7ffd84d071c0: 0x0000000000000000 0x0000000000422e79 +0x7ffd84d071d0: 0x00007ffd84d071d8 0x000000000000001c +0x7ffd84d071e0: 0x0000000000000002 0x00007ffd84d0747f +0x7ffd84d071f0: 0x00007ffd84d07484 0x0000000000000000 +0x7ffd84d07200: 0x00007ffd84d0748e 0x00007ffd84d07499 +0x7ffd84d07210: 0x00007ffd84d074aa 0x00007ffd84d074bd +0x7ffd84d07220: 0x00007ffd84d074da 0x00007ffd84d074eb +0x7ffd84d07230: 0x00007ffd84d074fb 0x00007ffd84d07507 +0x7ffd84d07240: 0x00007ffd84d07519 0x00007ffd84d07529 +0x7ffd84d07250: 0x00007ffd84d07536 0x00007ffd84d07565 +0x7ffd84d07260: 0x00007ffd84d07aed 0x00007ffd84d07b1c +0x7ffd84d07270: 0x00007ffd84d07b33 0x00007ffd84d07e50 +0x7ffd84d07280: 0x00007ffd84d07e71 0x00007ffd84d07e81 +</pre></div> + +0x7ffd84d06c58: 0x00007f9a3ce61027 <-- this is a return address to the native code Console.ReadLine() + +which means slightly further up the stack: + +0x7ffd84d06c78: 0x000000004194fdca <-- this is a return address to the caller of Console.ReadLine() (this is main) + +Main(), for comparison: +<div class="codebox"> +```cs +#include main.cs +``` +</div> + +<div class="codebox"><pre> +(gdb) x/10i 0x000000004194fdca + 0x4194fdca: nop + 0x4194fdcb: callq 0x41953b10 <-- so this is the last statement in main - mangler() + 0x4194fdd0: inc %r15d <-- this is i++ in the loop on line 4 of main + 0x4194fdd3: cmp $0x3c,%r15d + 0x4194fdd7: jl 0x4194fd78 + 0x4194fdd9: xchg %ax,%ax + 0x4194fddb: callq 0x4194fe26 + 0x4194fde0: movabs $0x7f9a401a4158,%rdi + 0x4194fdea: movabs $0x4194fe1c,%r11 + 0x4194fdf4: callq *%r11 +</pre></div> + +this makes sense as a return address because we see the first thing after ReadLine(), which is mangler()! + +stepping back a little: + +<div class="codebox"><pre> +(gdb) x/30i 0x000000004194fdb0 + 0x4194fdb0: movabs $0x7f9a3ce609d0,%r11 <- pointer to native code System_Console_ReadLine() + 0x4194fdba: callq *%r11 + 0x4194fdbd: movabs $0x7f9a3ce60f50,%r11 <- pointer to native code System_Console_WriteLine() + 0x4194fdc7: callq *%r11 + 0x4194fdca: nop + 0x4194fdcb: callq 0x41953b10 <- mangler() + 0x4194fdd0: inc %r15d + 0x4194fdd3: cmp $0x3c,%r15d + 0x4194fdd7: jl 0x4194fd78 <- loop end + 0x4194fdd9: xchg %ax,%ax + 0x4194fddb: callq 0x4194fe26 <- also mangler()?? + 0x4194fde0: movabs $0x7f9a401a4158,%rdi <- ??? + 0x4194fdea: movabs $0x4194fe1c,%r11 <- ??? + 0x4194fdf4: callq *%r11 <- ??? + 0x4194fdf7: callq 0x4194fe26 + 0x4194fdfc: movabs $0x7f9a401a4180,%rdi + 0x4194fe06: movabs $0x4194fe1c,%r11 + 0x4194fe10: callq *%r11 + 0x4194fe13: mov (%rsp),%r15 + 0x4194fe17: add $0x18,%rsp + 0x4194fe1b: retq <- main's end, whew +</pre></div> + +looking at the weird mangler() call: +<div class="codebox"><pre> +(gdb) x/10i 0x4194fe26 + 0x4194fe26: callq 0x40ee3000 + 0x4194fe2b: add $0xf0,%al + 0x4194fe2d: lahf + 0x4194fe2e: lar %ax,%ebp + 0x4194fe31: lret + 0x4194fe32: xor %ebx,-0x1(%rcx) + 0x4194fe35: add $0xf0,%al + 0x4194fe37: cmp %cl,(%rdi) + 0x4194fe39: add %al,%ch + 0x4194fe3b: (bad) +</pre></div> + +the only part of this that makes sense is the callq 0x40ee3000 - the rest is... nonsense-y. long return, really??? maybe at the call site we'll see something useful... + +<div class="codebox"><pre> +(gdb) x/70i 0x40ee3000 + 0x40ee3000: mov %r11,-0xd0(%rsp) + 0x40ee3008: pop %r11 <------------ WHAT + 0x40ee300a: push %rbp + 0x40ee300b: mov %rsp,%rbp + 0x40ee300e: sub $0x160,%rsp + 0x40ee3015: sub $0x5,%r11 + 0x40ee3019: mov %r11,-0x10(%rbp) + 0x40ee301d: mov %rax,-0x128(%rbp) + 0x40ee3024: mov %rcx,-0x120(%rbp) + 0x40ee302b: mov %rdx,-0x118(%rbp) + 0x40ee3032: mov %rbx,-0x110(%rbp) + 0x40ee3039: mov %rsp,%r11 + 0x40ee303c: add $0x170,%r11 + 0x40ee3043: mov %r11,-0x108(%rbp) + 0x40ee304a: mov 0x0(%rbp),%rax + 0x40ee304e: mov %rax,-0x100(%rbp) + 0x40ee3055: mov %rsi,-0xf8(%rbp) + 0x40ee305c: mov %rdi,-0xf0(%rbp) + 0x40ee3063: mov %r8,-0xe8(%rbp) + 0x40ee306a: mov %r9,-0xe0(%rbp) + 0x40ee3071: mov %r10,-0xd8(%rbp) + 0x40ee3078: mov %r12,-0xc8(%rbp) + 0x40ee307f: mov %r13,-0xc0(%rbp) + 0x40ee3086: mov %r14,-0xb8(%rbp) + 0x40ee308d: mov %r15,-0xb0(%rbp) + 0x40ee3094: mov 0x8(%rbp),%r11 + 0x40ee3098: mov %r11,-0xa8(%rbp) + 0x40ee309f: movsd %xmm0,-0xa0(%rbp) +</pre></div> + +that pop pops the return address of this function, 0x4194fe2b, into r11, meaning we actually return to the *caller* of 0x4194fe26, back into main. so this method must use that pointer as information and probably is a 'patch-and-invoke' mechanism. the `sub $0x5, %r11` at 0x40ee3015 seals the deal, because that moves r11 back 5 bytes to point to the call here. |