AL<\/code><\/td>\n| always<\/td>\n | always true<\/td>\n | unconditional<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n The conditions come in pairs (aside from AL<\/code>), and toggling the bottom bit negates the condition. For 16-bit conditional branch encoding, this maps to the bottom bit of the first byte of the instruction. For 32-bit conditional branch encoding, you toggle 0x40<\/code> in the second byte of the instruction.<\/p>\nThe conditions are named after the behavior that is expected if they come directly after a CMP<\/code> instruction. For example, a BEQ<\/code> instruction that comes directly after a CMP<\/code> is a conditional branch that is taken if the comparison was between two equal values.<\/p>\nFour bits of instruction encoding space are lost to encode the condition, so it can reach only 1\/16th as far as the unconditional branch: About \u00b1254 bytes for the 16-bit encoding and about \u00b11MB for the 32-bit encoding.<\/p>\n There are special conditional branch instructions for testing whether a register is zero.<\/p>\n cbz Rn, label ; branch if Rn == 0\r\n cbnz Rn, label ; branch if Rn != 0\r\n<\/pre>\nThese are 16-bit instructions which are available only for low registers, and they are capable only of branching forward<\/i> by up to 126 bytes.\u00b9<\/p>\n Subroutine calls are performed by branching to the first instruction of the subroutine and putting the return address in the lr<\/var> register. This should feel familiar, for all of the other non-x86 processors we’ve reviewed perform subroutine linkage the same way.<\/p>\n ; branch and link, stay in Thumb-2\r\n bl label ; lr = next instruction + 1\r\n ; execution resumes at label\r\n\r\n ; branch and link with exchange, switch to classic ARM\r\n blx label ; lr = next instruction + 1\r\n ; execution resumes at label\r\n<\/pre>\nThese instructions have a reach of approximately \u00b116MB.<\/p>\n Windows uses Thumb-2 exclusively, so you won’t see the blx<\/code> instruction used in this way. The X<\/code> stands for “exchange”, which means that it swaps between Thumb-2 and classic ARM modes.\u00b2<\/p>\nThe return address is stored in lr<\/var>, but with the bottom bit set. There’s a reason for this.<\/p>\nThumb-2 instructions must be halfword-aligned, and classic ARM instructions must be word-aligned. Therefore, the bottom bit of any code address is known to be zero, so the processor uses it to encode the target instruction set: If the bottom bit is clear, then execution resumes in classic ARM; if the bottom bit is set, then execution resumes in Thumb-2. Switching dynamically between classic ARM and Thumb-2 instruction sets is known as interworking<\/i>.<\/p>\n Windows uses Thumb-2 exclusively, and the convention is that the bottom bit of function pointers is always set. When you look at function pointers in the debugger, they will always be one larger<\/i> than the address itself.<\/p>\n ; branch with exchange\r\n bx Rn ; switch to classic ARM if Rn is even\r\n ; execution resumes at Rn & ~1\r\n\r\n ; branch and link with exchange\r\n blx Rn ; lr = next instruction + 1\r\n ; switch to classic ARM if Rn is even\r\n ; execution resumes at Rn & ~1\r\n<\/pre>\nEven though the X<\/code> instructions can switch to classic ARM, that switching feature is never used in Windows. Function pointers always have the bottom bit set, so the destination of the BLX<\/code> is always Thumb-2.<\/p>\nThe last branch instruction is the table-based branch:<\/p>\n ; table branch byte\r\n tbb [Rn, Rm] ; jump to pc + 2 * (byte at Rn + Rm)\r\n\r\n ; table branch halfword\r\n tbh [Rn, Rm, lsl #1] ; jump to pc + 2 * (halfword at Rn + Rm * 2)\r\n<\/pre>\nThe base register points to the start of a jump table, and the second register is a byte or word index into the table. The value read from the table is then treated as a forward relative branch offset in units of halfwords.<\/p>\n Remember that pc<\/var> has moved ahead four bytes when the instruction executes, so the forward branch is relative to the next instruction, not to the TBB<\/code> or TBH<\/code> instruction.<\/p>\nSince the offsets are stored in an unsigned byte or halfword, the reach of TBB<\/code> instruction is 514 bytes, and the reach of of the TBH<\/code> instruction is around 128KB.<\/p>\nOne thing you might notice is that, if you assume that the bottom bit of the register is set, these two instructions are equivalent:<\/p>\n bx Rn ; jump to Rn\r\n mov pc, Rn ; jump to Rn\r\n<\/pre>\nThe second version takes advantage of the fact that storing a value into the pc<\/var> register acts as a control transfer. In practice, you won’t see the MOV<\/code> version because it takes a 32-bit encoding, whereas BX<\/code> uses a 16-bit encoding.<\/p>\nNevertheless, other variations of loading a value into pc<\/var> are still useful:<\/p>\n mov pc, [r0,#4] ; jump to address\r\n pop {pc} ; pop return address and jump there\r\n<\/pre>\nPopping a value into the instruction pointer is a common pattern. On entry to a function, you push the registers you need to preserve across the call, and on exit you pop them off. The two sets of registers line up, so that everything pops back to the original source register, except<\/i> that you pop the old lr<\/var> into pc<\/var>, so that the pop<\/code> instruction is a combination “pop registers from the stack” and “return to caller” instruction.<\/p>\n ; save a bunch of registers, and the return address\r\n push {r3-r6,r11,lr}\r\n\r\n ...\r\n\r\n ; restore the registers, except that the return\r\n ; address goes into pc, thereby jumping there\r\n pop {r3-r6,r11,pc}\r\n<\/pre>\nNext time, we’ll look at conditional execution.<\/p>\n \u00b9 The inability to branch backward with CBNZ<\/code> explains why the sample atomic sequence we used last time uses a two-instruction sequence of cmp r3, #0<\/code> followd by bne<\/code>: It can’t use cbnz<\/code> because it wants to branch backward to retry the operation.<\/p>\n\u00b2 This instruction was clearly named back when there were only two modes<\/a>. Nowadays, naming the instruction “exchange” would be ambiguous about which of the many modes it is switching to.<\/p>\n","protected":false},"excerpt":{"rendered":"Let’s go places.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[2],"class_list":["post-105311","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-history"],"acf":[],"blog_post_summary":" Let’s go places.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/105311","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=105311"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/105311\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=105311"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=105311"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=105311"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}} |