Understanding the un-optimized asm for C that dereferences an uninitialized pointer, causing a segmentation fault

Question

I set a experiment to see whether it works or not

int *p;
p[0] = 3;

My idea is that the compiler gives a random value to p and I can consider it as a array.

But it turns out segmentation fault and I don't understand the assembly code.

   0x0000000000401530 <+0>: push   %rbp
   0x0000000000401531 <+1>: mov    %rsp,%rbp
   0x0000000000401534 <+4>: sub    $0x30,%rsp
   0x0000000000401538 <+8>: mov    %ecx,0x10(%rbp)
   0x000000000040153b <+11>:    mov    %rdx,0x18(%rbp)
   0x000000000040153f <+15>:    callq  0x402170 <__main>
   0x0000000000401544 <+20>:    mov    -0x8(%rbp),%rax
=> 0x0000000000401548 <+24>:    movl   $0x3,(%rax)
   0x000000000040154e <+30>:    mov    $0x0,%eax
   0x0000000000401553 <+35>:    add    $0x30,%rsp
   0x0000000000401557 <+39>:    pop    %rbp
   0x0000000000401558 <+40>:    retq    

I searched on google, mov is Intel style and movl is AT&T style. How come these two style come together?

At this line:

mov    -0x8(%rbp),%rax

It seems like move the value of address rbp-0x8 to register rax, right? Is this "-0x8(%rbp)" a random value goes to p?

I think %rax is not p, because at next line CPU give $0x3 to %rax. It seems the %rax is the first memory of the array.

How do I interpret this assembly code? Thank you.

Answer 1

I'm not an expert at assembly, but the code looks quite clear so I'll give it an attempt to explain it.

---

   0x0000000000401530 <+0>: push   %rbp
   0x0000000000401531 <+1>: mov    %rsp,%rbp

(Above) This is some "procedural" code that the compiler generates when optimization is not turned on. It saves the state of RSP (64-bit stack pointer).

   0x0000000000401534 <+4>: sub    $0x30,%rsp

This reserves extra space on the stack for local variables.

   0x0000000000401538 <+8>: mov    %ecx,0x10(%rbp)
   0x000000000040153b <+11>:    mov    %rdx,0x18(%rbp)

This saves argc and argv onto the stack, because you made a debug build so all variables have to be in memory. (The space it's using is above the return address, where main's caller reserved space. This is called shadow space, and is a feature of the Windows x64 calling convention.)

   0x000000000040153f <+15>:    callq  0x402170 <__main>

This calls some kind of early init function. It might use argc and argv (still in registers), or it might not; we can't tell from the code.

   0x0000000000401544 <+20>:    mov    -0x8(%rbp),%rax

This loads uninitialized stack memory as the value of int *p. Automatic variables are placed on stack. You read p without having written it first, and the compiler just reads whatever garbage or zeros were already in the stack slot it chose for int *p;

=> 0x0000000000401548 <+24>:    movl   $0x3,(%rax)

This line sets the address that rax points to to immediate value 3.

The value of p is in rax, so this is your p[0] = 3;, dereferencing whatever garbage p holds. You crash because it's doesn't happen to point to writeable memory. (Overwriting some random dword in memory would hardly be better, but at least your code wouldn't crash here, just maybe at some point later, if the garbage value of p happened to be a valid pointer.)

   0x000000000040154e <+30>:    mov    $0x0,%eax

This sets the register eax to zero, and effectively setting rax to zero, too. Windows x64 (like every standard calling convention) uses RAX for return values, so this is implementing the implicit return 0; at the bottom of main.

   0x0000000000401553 <+35>:    add    $0x30,%rsp
   0x0000000000401557 <+39>:    pop    %rbp
   0x0000000000401558 <+40>:    retq

Restores the pointer states to before the function call.