path: root/source/notes/mono_jit/mono_jit.md
```
(gdb) info address System_Console_ReadLine
Symbol "System_Console_ReadLine" is a function at address 0x7f9a3ce60f50.
```

ok, time to look for something close to `0x7f9a3ce60f50` on the stack as a return address.

<div class="codebox"><pre>
(gdb) x/300xg $rsp
0x7ffd84d06930: 0x0000000000000000      0x0000000000603f21
0x7ffd84d06940: 0x0000000002106908      0x32bfbbdd7b4d2300
0x7ffd84d06950: 0x0000000000000004      0x0000000000000000
0x7ffd84d06960: 0x00007f9a3ec0a150      0x0000000000000400
0x7ffd84d06970: 0x00007ffd84d06a80      0x00000000005d7c20
0x7ffd84d06980: 0x000000003cd61c3d      0x32bfbbdd7b4d2300
0x7ffd84d06990: 0x0000000000000000      0x00007ffd84d06a60
0x7ffd84d069a0: 0x00007f9a3ec0a150      0x0000000000000000
0x7ffd84d069b0: 0x0000000000000400      0x0000000041951b2a
0x7ffd84d069c0: 0x0000000000000000      0x00007f9a3ec09ff8
0x7ffd84d069d0: 0x00007f9a3ec0a150      0x0000000000000000
0x7ffd84d069e0: 0x0000000000000400      0x00000000020b49b0
0x7ffd84d069f0: 0x00007f9a3ec0a150      0x00007ffd84d06a60
0x7ffd84d06a00: 0x00007ffd84d069c0      0x00007f9a3cd61b91
0x7ffd84d06a10: 0x00007ffd84d06a80      0x0000000000000400
0x7ffd84d06a20: 0x0000000000000000      0x00007f9a3ec0a150
0x7ffd84d06a30: 0x00007f9a3ec0a068      0x00007f9a3ec0a118
0x7ffd84d06a40: 0x00007f9a3ec0a170      0x0000000000000007
0x7ffd84d06a50: 0x00007f9a3ec0a501      0x0000000000000400
0x7ffd84d06a60: 0x0000000000000400      0x00007f9a3cd60348
0x7ffd84d06a70: 0x0000000000000000      0x0000000000000400
0x7ffd84d06a80: 0x00007f9a00000000      0x00007f9a3ec09ff8
0x7ffd84d06a90: 0x00007f9a3ec0a068      0x00007f9a3ec0a150
0x7ffd84d06aa0: 0x0000000000000400      0x00007f9a3cd5e517
0x7ffd84d06ab0: 0x0000000000000400      0x00007ffd84d06d00
0x7ffd84d06ac0: 0x00007f9a3ec09ff8      0x00007f9a3ec0a150
0x7ffd84d06ad0: 0x0000000000000000      0x0000000000000400
0x7ffd84d06ae0: 0x0000000000000400      0x00007f9a3cd5e382
0x7ffd84d06af0: 0x00000000020f1e30      0x0000000000000000
0x7ffd84d06b00: 0x00007f9a3ec00628      0x00007ffd84d06c38
0x7ffd84d06b10: 0x00007f9a3ec0a0b0      0x0000000000000000
0x7ffd84d06b20: 0x00007f9a3ec00628      0x00007f9a3cbcddc5
0x7ffd84d06b30: 0x00000000020f1e30      0x00007ffd84d06d00
0x7ffd84d06b40: 0x0000000000000000      0x00007f9a3ec00628
0x7ffd84d06b50: 0x00007ffd84d06c38      0x00007f9a3ec0a0b0
0x7ffd84d06b60: 0x00000000020f1e30      0x00007f9a3cbccc44
0x7ffd84d06b70: 0x00000000020f1e30      0x0000000000000000
0x7ffd84d06b80: 0x00007f9a3ec00628      0x00007f9a3ec00628
0x7ffd84d06b90: 0x00007ffd84d06c38      0x00007f9a00000000
0x7ffd84d06ba0: 0x00007ffd84d06b60      0x00007f9a3ce78294
0x7ffd84d06bb0: 0x0000000000000000      0x0000000000000004
0x7ffd84d06bc0: 0x00007f9a3ec272f8      0x00007ffd84d06c28
0x7ffd84d06bd0: 0x00007f9a3ec08328      0x00007f9a3cc6f872
0x7ffd84d06be0: 0x00007f9a3ec272f8      0x00007f9a3ce78a12
0x7ffd84d06bf0: 0x00000000020f1e30      0x00007ffd84d06fe0
0x7ffd84d06c00: 0x0000000000000000      0x00007f9a3ec08328
0x7ffd84d06c10: 0x00007f9a3ec08328      0x0000000041952328
0x7ffd84d06c20: 0x0000000041952315      0x0000000000000000
0x7ffd84d06c30: 0x00007f9a00000000      0x00007f9a3ec07800
0x7ffd84d06c40: 0x00007f9a3ec272f8      0x00007f9a3ce628c4
<b>0x7ffd84d06c50: 0x00007f9a3ec08328      0x00007f9a3ce61027 &lt;--- this is our winner</b>
0x7ffd84d06c60: 0x000000004194fe50      0x00007ffd84d06fe0
0x7ffd84d06c70: 0x0000000000000005      0x000000004194fdca
0x7ffd84d06c80: 0x000000004194fd50      0x000000004194fd50
0x7ffd84d06c90: 0x000000004194fd50      0x000000004194ff19
0x7ffd84d06ca0: 0x000000000000001f      0x0000000000000000
0x7ffd84d06cb0: 0x31c01d4184d06f90      0x0000000000000000
0x7ffd84d06cc0: 0x0000000000000000      0x32bfbbdd7b4d2300
0x7ffd84d06cd0: 0x00000000020908b0      0x00000000020f1e30
0x7ffd84d06ce0: 0x00007ffd84d06f90      0x000000004194fe50
0x7ffd84d06cf0: 0x0000000002091d30      0x0000000000000000
0x7ffd84d06d00: 0x00007ffd84d06f90      0x00000000004266b8
0x7ffd84d06d10: 0x00000000020ed240      0x000000000208df90
0x7ffd84d06d20: 0x0000000000000000      0x00000000020f9c00
0x7ffd84d06d30: 0x0000000000000025      0x0000000000000000
0x7ffd84d06d40: 0x0000000000000000      0x0000000000000000
0x7ffd84d06d50: 0x000000000209bfa8      0x00007f9a00000000
0x7ffd84d06d60: 0x0000000000000000      0x00007f9a3f733b20
0x7ffd84d06d70: 0x0000000000000026      0x0000000000000025
0x7ffd84d06d80: 0x00007ffd84d06df4      0x00007f9a3f749c89
0x7ffd84d06d90: 0x0000000000000000      0x00000000006366fe
0x7ffd84d06da0: 0x00007f9a401b4130      0x00000000020f1d80
0x7ffd84d06db0: 0x00007ffd84d071f0      0x00007f9a3f3f398c
0x7ffd84d06dc0: 0x00007ffd84d071f0      0x00007f9a3f3f35d4
0x7ffd84d06dd0: 0x00000000020af860      0x0000000000632060
0x7ffd84d06de0: 0x00000000020f1d80      0x0000000000000000
0x7ffd84d06df0: 0x0000000000000000      0x000000000208df90
0x7ffd84d06e00: 0x00000000020f1d80      0x00000000020f1d80
0x7ffd84d06e10: 0x00007f9a401b4130      0x00000000020f1d80
0x7ffd84d06e20: 0x00007ffd84d071f0      0x00007f9a3f3f398c
0x7ffd84d06e30: 0x0000000000000000      0x32bfbbdd7b4d2300
0x7ffd84d06e40: 0x00007ffd84d06eb0      0x000000000054537c
0x7ffd84d06e50: 0x00000000020f1d80      0x000000000208df90
0x7ffd84d06e60: 0x00000000020f1d80      0x00000000020f1d80
0x7ffd84d06e70: 0x00007f9a401b4130      0x32bfbbdd7b4d2300
0x7ffd84d06e80: 0x0000000000000000      0x0000000002091d30
0x7ffd84d06e90: 0x0000000002091d30      0x0000000000000000
0x7ffd84d06ea0: 0x00007f9a401b4130      0x00000000020f1d80
0x7ffd84d06eb0: 0x00007ffd84d071f0      0x00000000005452d9
0x7ffd84d06ec0: 0x0000000000000000      0x0000000002091d30
0x7ffd84d06ed0: 0x00000000020911c0      0x0000000002091350
0x7ffd84d06ee0: 0x0000000000000040      0x00000000020f1d80
0x7ffd84d06ef0: 0x00007ffd84d071f0      0x000000000055fec6
0x7ffd84d06f00: 0x0000000000000040      0x0000000002091350
0x7ffd84d06f10: 0x00007f9a3ec00388      0x32bfbbdd7b4d2300
0x7ffd84d06f20: 0x00007f9a401b4130      0x0000000002091d30
0x7ffd84d06f30: 0x00000000020911c0      0x0000000000000000
0x7ffd84d06f40: 0x00007f9a401b4130      0x00000000005b910a
0x7ffd84d06f50: 0x000000000208df90      0x32bfbbdd7b4d2300
0x7ffd84d06f60: 0x00007f9a401b4130      0x0000000002091d30
0x7ffd84d06f70: 0x00007ffd84d06fe0      0x0000000000000000
0x7ffd84d06f80: 0x00000000020f1d80      0x00007ffd84d071f0
0x7ffd84d06f90: 0x0000000000000000      0x00000000005ac68d
0x7ffd84d06fa0: 0x000000000208df90      0x0000000002091d30
0x7ffd84d06fb0: 0x0000000000000000      0x0000000000000000
0x7ffd84d06fc0: 0x00007f9a401b4130      0x00000000005ae9cc
0x7ffd84d06fd0: 0x000000000208df90      0x0000000000000000
0x7ffd84d06fe0: 0x00007f9a3ec00328      0x32bfbbdd7b4d2300
0x7ffd84d06ff0: 0x00007ffd84d07484      0x000000000208df90
0x7ffd84d07000: 0x0000000000000001      0x00000000020ed390
0x7ffd84d07010: 0x0000000000000000      0x0000000000476967
0x7ffd84d07020: 0x0000000000000000      0x00000000161169ff
0x7ffd84d07030: 0x0000000000000000      0x0000000000000000
0x7ffd84d07040: 0x0000000000000000      0x0000000000000000
0x7ffd84d07050: 0x0000000000000004      0x0000000000000000
0x7ffd84d07060: 0x0000000000000000      0x0000000000000000
0x7ffd84d07070: 0x0000000000000000      0x0000000000000000
0x7ffd84d07080: 0x0000000000000002      0x0000000100000001
0x7ffd84d07090: 0x0000000000639710      0x000000000208df90
0x7ffd84d070a0: 0x00007ffd84d071e0      0x0000000000000002
0x7ffd84d070b0: 0x0000000000000000      0x0000000000422c0e
0x7ffd84d070c0: 0x0000000000000001      0x32bfbbdd7b4d2300
0x7ffd84d070d0: 0x0000000000000000      0x0000000000000000
0x7ffd84d070e0: 0x0000000000639710      0x0000000000422e50
0x7ffd84d070f0: 0x00007ffd84d071e0      0x0000000000000000
0x7ffd84d07100: 0x0000000000000000      0x00007f9a3f390830
0x7ffd84d07110: 0x0000000000000000      0x00007ffd84d071e8
0x7ffd84d07120: 0x0000000240290ca0      0x0000000000422be0
0x7ffd84d07130: 0x0000000000000000      0x42f8e52f22cfd5b5
0x7ffd84d07140: 0x0000000000422e50      0x00007ffd84d071e0
0x7ffd84d07150: 0x0000000000000000      0x0000000000000000
0x7ffd84d07160: 0xbd03ec48eecfd5b5      0xbdcc9b9a033fd5b5
0x7ffd84d07170: 0x00007ffd00000000      0x0000000000000000
0x7ffd84d07180: 0x0000000000000000      0x0000000000639780
0x7ffd84d07190: 0x00007f9a4007b8e0      0x00007f9a4007b5fb
0x7ffd84d071a0: 0x0000000000000000      0x0000000000000000
0x7ffd84d071b0: 0x0000000000422e50      0x00007ffd84d071e0
0x7ffd84d071c0: 0x0000000000000000      0x0000000000422e79
0x7ffd84d071d0: 0x00007ffd84d071d8      0x000000000000001c
0x7ffd84d071e0: 0x0000000000000002      0x00007ffd84d0747f
0x7ffd84d071f0: 0x00007ffd84d07484      0x0000000000000000
0x7ffd84d07200: 0x00007ffd84d0748e      0x00007ffd84d07499
0x7ffd84d07210: 0x00007ffd84d074aa      0x00007ffd84d074bd
0x7ffd84d07220: 0x00007ffd84d074da      0x00007ffd84d074eb
0x7ffd84d07230: 0x00007ffd84d074fb      0x00007ffd84d07507
0x7ffd84d07240: 0x00007ffd84d07519      0x00007ffd84d07529
0x7ffd84d07250: 0x00007ffd84d07536      0x00007ffd84d07565
0x7ffd84d07260: 0x00007ffd84d07aed      0x00007ffd84d07b1c
0x7ffd84d07270: 0x00007ffd84d07b33      0x00007ffd84d07e50
0x7ffd84d07280: 0x00007ffd84d07e71      0x00007ffd84d07e81
</pre></div>

0x7ffd84d06c58: 0x00007f9a3ce61027 <-- this is a return address to the native code Console.ReadLine()

which means slightly further up the stack:

0x7ffd84d06c78: 0x000000004194fdca <-- this is a return address to the caller of Console.ReadLine() (this is main)

Main(), for comparison:
<div class="codebox">
```cs
#include main.cs
```
</div>

<div class="codebox"><pre>
(gdb) x/10i 0x000000004194fdca
   0x4194fdca:  nop
   0x4194fdcb:  callq  0x41953b10  <-- so this is the last statement in main - mangler()
   0x4194fdd0:  inc    %r15d       <-- this is i++ in the loop on line 4 of main
   0x4194fdd3:  cmp    $0x3c,%r15d
   0x4194fdd7:  jl     0x4194fd78
   0x4194fdd9:  xchg   %ax,%ax
   0x4194fddb:  callq  0x4194fe26
   0x4194fde0:  movabs $0x7f9a401a4158,%rdi
   0x4194fdea:  movabs $0x4194fe1c,%r11
   0x4194fdf4:  callq  *%r11
</pre></div>

this makes sense as a return address because we see the first thing after ReadLine(), which is mangler()!

stepping back a little:

<div class="codebox"><pre>
(gdb) x/30i 0x000000004194fdb0
   0x4194fdb0:  movabs $0x7f9a3ce609d0,%r11 <- pointer to native code System_Console_ReadLine()
   0x4194fdba:  callq  *%r11
   0x4194fdbd:  movabs $0x7f9a3ce60f50,%r11 <- pointer to native code System_Console_WriteLine()
   0x4194fdc7:  callq  *%r11
   0x4194fdca:  nop
   0x4194fdcb:  callq  0x41953b10           <- mangler()
   0x4194fdd0:  inc    %r15d
   0x4194fdd3:  cmp    $0x3c,%r15d
   0x4194fdd7:  jl     0x4194fd78           <- loop end
   0x4194fdd9:  xchg   %ax,%ax
   0x4194fddb:  callq  0x4194fe26           <- also mangler()??
   0x4194fde0:  movabs $0x7f9a401a4158,%rdi <- ???
   0x4194fdea:  movabs $0x4194fe1c,%r11     <- ???
   0x4194fdf4:  callq  *%r11                <- ???
   0x4194fdf7:  callq  0x4194fe26
   0x4194fdfc:  movabs $0x7f9a401a4180,%rdi
   0x4194fe06:  movabs $0x4194fe1c,%r11
   0x4194fe10:  callq  *%r11
   0x4194fe13:  mov    (%rsp),%r15
   0x4194fe17:  add    $0x18,%rsp
   0x4194fe1b:  retq                        <- main's end, whew
</pre></div>

looking at the weird mangler() call:
<div class="codebox"><pre>
(gdb) x/10i 0x4194fe26
   0x4194fe26:  callq  0x40ee3000
   0x4194fe2b:  add    $0xf0,%al
   0x4194fe2d:  lahf   
   0x4194fe2e:  lar    %ax,%ebp
   0x4194fe31:  lret   
   0x4194fe32:  xor    %ebx,-0x1(%rcx)
   0x4194fe35:  add    $0xf0,%al
   0x4194fe37:  cmp    %cl,(%rdi)
   0x4194fe39:  add    %al,%ch
   0x4194fe3b:  (bad) 
</pre></div>

the only part of this that makes sense is the callq 0x40ee3000 - the rest is... nonsense-y. long return, really??? maybe at the call site we'll see something useful...

<div class="codebox"><pre>
(gdb) x/70i 0x40ee3000
   0x40ee3000:  mov    %r11,-0xd0(%rsp)
   0x40ee3008:  pop    %r11 <------------ WHAT
   0x40ee300a:  push   %rbp
   0x40ee300b:  mov    %rsp,%rbp
   0x40ee300e:  sub    $0x160,%rsp
   0x40ee3015:  sub    $0x5,%r11
   0x40ee3019:  mov    %r11,-0x10(%rbp)
   0x40ee301d:  mov    %rax,-0x128(%rbp)
   0x40ee3024:  mov    %rcx,-0x120(%rbp)
   0x40ee302b:  mov    %rdx,-0x118(%rbp)
   0x40ee3032:  mov    %rbx,-0x110(%rbp)
   0x40ee3039:  mov    %rsp,%r11
   0x40ee303c:  add    $0x170,%r11
   0x40ee3043:  mov    %r11,-0x108(%rbp)
   0x40ee304a:  mov    0x0(%rbp),%rax
   0x40ee304e:  mov    %rax,-0x100(%rbp)
   0x40ee3055:  mov    %rsi,-0xf8(%rbp)
   0x40ee305c:  mov    %rdi,-0xf0(%rbp)
   0x40ee3063:  mov    %r8,-0xe8(%rbp)
   0x40ee306a:  mov    %r9,-0xe0(%rbp)
   0x40ee3071:  mov    %r10,-0xd8(%rbp)
   0x40ee3078:  mov    %r12,-0xc8(%rbp)
   0x40ee307f:  mov    %r13,-0xc0(%rbp)
   0x40ee3086:  mov    %r14,-0xb8(%rbp)
   0x40ee308d:  mov    %r15,-0xb0(%rbp)
   0x40ee3094:  mov    0x8(%rbp),%r11
   0x40ee3098:  mov    %r11,-0xa8(%rbp)
   0x40ee309f:  movsd  %xmm0,-0xa0(%rbp)
</pre></div>

that pop pops the return address of this function, 0x4194fe2b, into r11, meaning we actually return to the *caller* of 0x4194fe26, back into main. so this method must use that pointer as information and probably is a 'patch-and-invoke' mechanism. the `sub $0x5, %r11` at 0x40ee3015 seals the deal: a `callq` with a rel32 target is 5 bytes long, so moving r11 back 5 bytes makes it point at the call instruction itself (0x4194fe26), which is exactly what you'd need if you intended to rewrite that call site.