22

What does the "SHORT" mean in this code?

JE SHORT 00013FB8
Peter Cordes
  • 328,167
  • 45
  • 605
  • 847
Domshooter
  • 233
  • 1
  • 2
  • 4
  • 2
    Forces the rel8 encoding instead of allowing the assembler to choose rel8 or rel32. (Or rel16 in 16-bit mode.) http://felixcloutier.com/x86/Jcc.html – Peter Cordes Oct 24 '17 at 03:08
  • Some assemblers didn't optimize branch displacements, and assemblers *still* can't always solve it optimally, so forcing a `short` jmp encoding can be useful. – Peter Cordes Jan 05 '19 at 07:26
  • Related: my answer on [What is the difference, if any, between LONG and FAR jumps in Assembly?](https://stackoverflow.com/a/71977317) covers `jmp short foo` / `jmp near foo` / `jmp far 123:foo` – Peter Cordes Jun 18 '22 at 03:04

4 Answers4

24

Short jumps (and near calls) are jumps whose target is in the same module (i.e. they are intramodular, however it is possible to get intermodular variants from certain hacks). They are most commonly up to 127 bytes of relative displacement (they change the flow of execution forward or backward from the address of the instruction), however there are 16bit variants offering 32k bytes.

You don't really need to worry about it much, its really superfluous information, but the intel developer manuals (volumes 2a and 2b, specifically 2a) will cover the gory details.

Olivia Stork
  • 4,660
  • 5
  • 27
  • 40
Necrolis
  • 25,836
  • 3
  • 63
  • 101
  • 4
    "short" jmp specifically means the `rel8` 2-byte encoding for near jumps. You're conflating that with "near" jumps/calls in general, which change IP/EIP/RIP but not CS. i.e. normal jumps, the only kind you'll ever use in a flat memory model. A short jmp is the compact encoding version of a near jmp. The Description section in Intel's manual (https://www.felixcloutier.com/x86/jmp) explains that terminology. – Peter Cordes Jan 05 '19 at 07:24
  • @PeterCordes I suggest you check that link... and secondly my explanation isn't incorrect, rel8 = 0-127 bytes of displacement forward or backward. – Necrolis Jan 07 '19 at 10:46
  • 1
    It's 2's complement, so it's actually -128 .. +127, but that's not what I was trying to comment on. What I mean is that nowhere does your answer specifically say that `jmp short` forces the assembler to use the `rel8` encoding, and that's the whole point of the keyword. Some early assemblers had weak (or nonexistent?) branch displacement optimization, and there are still cases where [the normal algorithm won't find the optimal solution.](https://stackoverflow.com/a/34940237). Your answer isn't *wrong*, but it's less useful than it could be. I didn't downvote, but I like @typedeaf's better. – Peter Cordes Jan 07 '19 at 11:19
  • @PeterCordes fair enough, I implied in my answer thats its two bytes, but IMO an edit might have been a better option. Also your links are coming up as a Namecheap WHOIS verification pending page... – Necrolis Jan 07 '19 at 20:14
  • Felix Cloutier's site had been working for years, but broke recently, like a day or two after I commented :( https://github.com/HJLebbink/asm-dude/wiki/JMP is another HTML extract of Intel's vol.2 manual entry, with maybe different tweaks to the same script. – Peter Cordes Jan 08 '19 at 12:47
9

A short jump can be achieved using a relative offset from the current assembly instruction. For x86/32-bit, this is a 2 byte instruction, where the first byte is always EB, for short jump, and the second byte is the number of bytes before or after the current instruction to jump. The second byte is a signed 8-bit number, so the the furthest short jump on x86 is +/-127 bytes away. Anything past +/-127 bytes away is a long jump, E9, and must use the full 32-bit address; resulting in a 5 byte instruction.

This is important to keep in mind if you are inline patching assembly code.

ex. EB 0 would jump to the opcode following the short jump, not the line of code itself.

ex. EB 7F is the furthest jump down.

typedeaf
  • 1,511
  • 13
  • 8
  • 2
    `EB rel8` / `jmp short` is *always* a 2-byte instruction in any mode. https://www.felixcloutier.com/x86/jmp. Only rel16/rel32 near jmp has a different default operand-size depending on 16-bit mode or not. – Peter Cordes Jan 05 '19 at 07:21
  • 2
    The rel8 range is -128 .. +127, not exactly +/-127. It's a signed 2's complement relative displacement, relative to the end of the instruction. "long jump" isn't an technical term used in the manuals; `jmp rel32` is a "near" jump (doesn't change CS) that can't use the rel8 encoding. (It's still a relative address, so it's not "the full 32-bit address". Even in 64-bit mode, it's still call/jmp rel32 at most. To use 64-bit absolute addresses, you typically mov reg,imm64 / jmp reg.) – Peter Cordes Mar 12 '21 at 01:58
2

It means that it isn't jumping very far. Depending on the disassembler, the number after that will either be the address that it jumps to or a relative offset which tells you how many bytes are between the next instruction and the target of the jump.

ughoavgfhw
  • 39,734
  • 6
  • 101
  • 123
-5

short jump is in PC's boot, that means that 2-byte long assembly instruction tells processor to jump address 100h in BIOS to start booting.

somewhereintime
  • 1