
When I disassemble code, I often see something like this:

mov BYTE PTR [ebp-0x1], 0xff

Here, "BYTE PTR" indicates the size of the write.

How is the size of reads/writes to/from memory determined by a disassembler or by the CPU?

Fee
  • Do you mean in the machine code? Like, how does the disassembler figure out what operand-size to print? byte operand size has a separate opcode, and word/dword is selected by the operand-size prefix or lack thereof. qword operand-size is selected by a REX prefix (64bit mode only, of course). – Peter Cordes Jul 11 '16 at 18:07
  • Yes, how the disassembler or later the CPU figures out the size of the read/write to/from memory. This would be a good answer. – Fee Jul 11 '16 at 18:24
  • The "size" of a memory-affecting x86 machine-instruction *(that is to say, "the number of bytes affected by it")* is not simply determined by "the opcode of the instruction," e.g. `MOV`. *(That would result in a rather-unmanageable number of opcode-names ...)* Instead, the specifications attached to the "destination" operand are used. The *binary* format of the different instructions may vary accordingly. – Mike Robinson Jul 11 '16 at 18:25
  • @MikeRobinson: `mov` is the mnemonic. Opcodes are the machine-code byte(s). x86 opcodes range from one byte for the most common instructions (that existed in 8086) up to three bytes IIRC. Some immediate-operand encodings borrow the `/r` field from the mod/rm byte as extra opcode bits. (like http://www.felixcloutier.com/x86/ADD.html) – Peter Cordes Jul 11 '16 at 18:31
  • @user2600312: thanks for clarifying. I think it's still a duplicate of the question I linked it to. That was the first search hit that seemed to fit. There may be other questions with even better answers. If you find a potential duplicate-target that's even better, let me know and I'll change the duplicate-target to the better one. – Peter Cordes Jul 11 '16 at 18:33
  • You can tell it's the byte version because the byte version has a special opcode. The other sizes are more complicated. – harold Jul 11 '16 at 19:17
  • @PeterCordes, clearly, "that answer" clearly answers "this question," but the "slant," if you will, of the two questions is (I think ...) complementary: one starts with bytes, the other with assembly language. I think that the question you selected is a very fine adjunct to what is being (in a slightly different way ...) asked here. I think that you made an excellent choice. I'd like to see "this question" continue to *exist,* but I think that it requires no further "Answer." – Mike Robinson Jul 11 '16 at 22:55
  • @MikeRobinson: you should upvote this one if you think it's valuable. I forget if negative score questions eventually get auto-deleted (by the "roomba") when they're closed as duplicates. – Peter Cordes Jul 12 '16 at 00:08
  • Done. I'm of the opinion that posts *(in general)* are useful "for posterity," as "future search-keys," maybe years later. – Mike Robinson Jul 12 '16 at 00:11
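Added example, not from the question or any of the comments above: a small Python decoder for the `MOV r/m, imm` family (opcodes `C6 /0` and `C7 /0`) that applies exactly the rules Peter Cordes and harold describe. The byte string for the instruction in the question, `C6 45 FF FF`, is constructed here from the standard Intel encoding (mod=01, reg=000, rm=101 is `[ebp+disp8]`), and the list of legacy prefix bytes is the standard one.

```python
# Constructed example: how a disassembler derives the operand size of
# MOV r/m, imm from the encoding alone (byte opcode vs. 0x66 prefix vs. REX.W).
LEGACY_PREFIXES = {0x26, 0x2E, 0x36, 0x3E, 0x64, 0x65,  # segment overrides
                   0x66, 0x67,                           # operand-/address-size
                   0xF0, 0xF2, 0xF3}                     # LOCK, REPNE, REP
OPSIZE_PREFIX = 0x66
REX_W = 0x08


def mov_rm_imm_size(code: bytes, mode: int = 32) -> tuple:
    """Return (operand size in bits, size keyword) for the MOV r/m,imm at code[0].

    Rules: opcode C6 is the byte form (size fixed by the opcode itself);
    C7 is the full-size form, 32-bit by default, 16-bit with a 0x66 prefix,
    and 64-bit in 64-bit mode when a REX prefix has W set (REX.W wins over 0x66).
    """
    i, has_66, rex_w = 0, False, False
    while code[i] in LEGACY_PREFIXES:          # skip legacy prefixes, noting 0x66
        has_66 |= code[i] == OPSIZE_PREFIX
        i += 1
    # 0x40-0x4F is a REX prefix only in 64-bit mode; in 32-bit mode it is INC/DEC reg.
    if mode == 64 and 0x40 <= code[i] <= 0x4F:
        rex_w = bool(code[i] & REX_W)
        i += 1
    opcode = code[i]
    if opcode not in (0xC6, 0xC7):
        raise ValueError(f"not a MOV r/m,imm opcode: {opcode:#04x}")
    modrm = code[i + 1]
    if (modrm >> 3) & 7 != 0:                  # /0: reg field is an opcode extension
        raise ValueError("reg field must be 0 for MOV r/m,imm")
    if opcode == 0xC6:
        return 8, "BYTE PTR"
    if rex_w:
        return 64, "QWORD PTR"                 # immediate is still imm32, sign-extended
    if has_66:
        return 16, "WORD PTR"
    return 32, "DWORD PTR"


if __name__ == "__main__":
    # The instruction from the question, plus the same store at the other sizes.
    samples = [("C645FFFF", 32), ("66C745FFFFFF", 32),
               ("C745FFFFFFFFFF", 32), ("48C745FFFFFFFFFF", 64)]
    for hexbytes, mode in samples:
        bits, kw = mov_rm_imm_size(bytes.fromhex(hexbytes), mode)
        print(f"{hexbytes:<18} ({mode}-bit mode) -> mov {kw} [...], imm  ({bits} bits)")
```

Feeding the 64-bit encoding to the decoder in 32-bit mode raises an error, because there `0x48` is `dec eax` rather than a REX prefix: the same bytes mean different sizes depending on the mode the disassembler assumes.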

0 Answers