Lab: Traps

RISC-V assembly (easy)

  1. 哪个寄存器存放了函数的参数?例如 main 函数对 printf 中的参数 13 存放在哪个寄存器中?
  2. main 函数中对函数 f 的调用位于汇编代码中的何处?对函数 g 的调用呢?(提示:编译器可能会将函数进行内联。)
  3. 函数 printf 的地址位于哪里?
  4. main 执行 jalrprintf 中后,寄存器 ra 的值是多少?
  5. 运行下面的代码: unsigned int i = 0x00646c72; printf("H%x Wo%s", 57616, &i); 代码的输出是什么?查询 ASCII 表以将字节映射到字符。
  6. 在下面的代码中,“y=”之后会输出什么?(提示:答案不是一个确定的数值。)为什么会这样?
1. Which registers contain arguments to functions? For example, which register holds 13 in main's call to printf?
   a0-a7, a2.
2. Where is the call to function f in the assembly code for main? Where is the call to g? (Hint: the compiler may inline functions.)
   26:  45b1                    li  a1,12 (The call to function f already inlined into x + 3.)
   14:  250d                    addiw   a0,a0,3 (The call to function g also inlined into x + 3.)
3. At what address is the function printf located?
   0x640, can be seen in the comment "# 640 <printf>" or in the header of printf function "0000000000000640 <printf>:"
4. What value is in the register ra just after the jalr to printf in main?
   What jalr does here at 0x34 is jump into the value stored in ra added by 1552 and then write pc + 4 into ra, so the value in the ra after the jalr is pc + 4, which is 0x34 + 0x4 = 0x38.
5. Run the following code. What is the output? If the RISC-V were instead big-endian what would you set i to in order to yield the same output? Would you need to change 57616 to a different value?
   The output is "He110, World". If RISC-V is big-endian instead, then i should be 0x726c6400, however, the value 57616 doesn't need to be changed.
6. In the following code, what is going to be printed after 'y='? (note: the answer is not a specific value.) Why does this happen?
   The value to be printed is the value stored in a2, that's because the function read the second argument from register a2.

Backtrace (moderate)

阅读题目,可以得知题目的要求是实现一个将程序当前的调用栈以地址的形式输出的程序。要做到这一点,需要对 xv6 中 stack frame 的结构有所了解,从下图中(来源:课程笔记第五页)可以看到 xv6 中栈和栈帧的具体结构。

Untitled

从上图中可以得到以下重要信息:

  1. 栈顶的元素位于较低的地址,栈底的元素位于较高的地址。

  2. 栈帧中存放了我们输出时所需要的函数地址(实际上是函数中执行跳转的指令的地址),此外还有指向上一个栈帧开头的地址。

    这里需要额外存一个指针指向上一个栈帧的原因是因为函数的本地变量存放于该函数的栈帧中,因此栈中每个元素的大小不是固定的,无法直接推算。

最后通过题目的提示中给出的 r_fp 获取进程当前正在执行的函数的栈帧的指针,便可以以类似链表的方式逐一访问栈空间内的所有栈帧了。同时由于 xv6 内核分配栈页面时是按页对齐的,要得到栈顶或栈底的地址,可以通过 PGROUNDDOWN(fp)PGROUNDUP(fp) 指令做到。1

然而还有一个问题,我们得到的都是“指向栈帧的指针(frame pointer)”,从笔记中可以看到这个指针是指向栈帧的最高处,那么我们在访问栈帧内的项目时又应该如何处理这个地址呢?

实际上提示中直接给出了访问的方法,“Return Address” 的地址位于 fp- 8"To Prev. Frame(fp)" 的地址位于 fp - 16

Note that the return address lives at a fixed offset (-8) from the frame pointer of a stackframe, and that the saved frame pointer lives at fixed offset (-16) from the frame pointer.