assembly - How to perform a x86 jmp far without using a 64 bit register?

Collectives™ on Stack Overflow

Find centralized, trusted content and collaborate around the technologies you use most.

Learn more about Collectives

Teams

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

Learn more about Teams Handling calls to (potentially) far away ahead-of-time compiled functions from JITed code (1 answer) Fail to change CS register value from kernel mode. invalid opcode: 0000 (2 answers)

Closed 5 months ago .

@ElderBug: That's guaranteed to mispredict, and will cause future mispredicts on other

ret

s, so


    push


    mov dword [rsp+4], imm32

ret

is not ideal. Using space in the red-zone below RSP for a


    jmp qword [rsp-8]

would work, assuming x86-64 System V; space below RSP isn't safe to use on Windows x64, but there is shadow space that you can use equivalently. Or there's the trick of using RIP-relative addressing and putting the target address in the next 8 bytes after the

jmp

, although it's usually better to put the pointer in with other data. – Peter Cordes Dec 22, 2022 at 3:33 When you say a jmp far, do you actually mean

far

as in setting a new CS as well as RIP? Or do you just mean to a new CS value that's farther than +-2 GiB away? There are no encodings of


    jmp far

that take a new CS:RIP from a register anyway, only memory. felixcloutier.com/x86/jmp . Do you want to do something equivalent to


    mov r11, 0x123456789a


    jmp r11

, or do you want something like


    retf


    jmp far [rsp-10]

with a 10-byte m16:64 memory operand? – Peter Cordes Dec 22, 2022 at 3:36 @PeterCordes True the push/ret is probably the "worse" solution, but it would be the easiest and most portable. Be it on Windows or linux, locating the shadow space could be tricky with inline assembly. You also have no guarantee the compiler didn't use it. Same for the red zone. Otherwise I totally agree this is probably optimal in perf. – ElderBug Dec 22, 2022 at 3:43 @ElderBug: Yes,


    .quad

works inside an asm statement. But more normally you'd let the compiler put a constant in


    .rodata

and invent an addressing mode for you, like


    static const uint64_t addr = 0xdeadbeef11;

(or


    void*

if you want) ;


    asm("jmp *%0" :: "r,m"(addr));

;


    __builtin_unreachable(); // let the compiler know execution doesn't come out the other side of the asm()

. godbolt.org/z/xqcqPPvnj shows that, including without the

"r"

option so it has to pick memory. Directives are filtered, there's a


    .section .rodata

before the constant. – Peter Cordes Dec 22, 2022 at 3:57