For studying purposes I am trying to find out the memory address of a variable after JIT compilation by IonMonkey (IonMonkey is part of SpiderMonkey, the JavaScript engine of Mozilla).
Until now I have followed these instructions: https://developer.mozilla.org/en-US/docs/SpiderMonkey/Hacking_Tips#Printing_the_generated_assembly_code_(from_gdb)
I use GDB and I run the same procedure with 2 different test files.
```javascript
function f(a, b) { return a + b; }
var shell = "AAAA";
for (var i = 0; i < 1000000; i++){ f( shell[0], shell[1] ); }
```
and this one:
```javascript
function f(a, b) { return a + b; }
var shell = "AAAA";
for (var i = 0; i < 1000000; i++){ f( shell[1], shell[1] ); }
```
I believed that this way I would spot the difference between the generated code and find out where the "shell" variable is located. The problem is that the generated code is exactly the same. I also tried different versions of simple functions, such as minus or print, but the generated code is totally different.
Can anyone suggest any way so I can get the memory address of the variable?
The generated assembly code is:
```asm
0x7ffff7ff3ac8: mov 0x20(%rsp),%r10
0x7ffff7ff3acd: shr $0x2f,%r10
0x7ffff7ff3ad1: cmp $0x1fff2,%r10d
0x7ffff7ff3ad8: je 0x7ffff7ff3ae3
0x7ffff7ff3ade: jmpq 0x7ffff7ff3b85
0x7ffff7ff3ae3: mov 0x28(%rsp),%r10
0x7ffff7ff3ae8: shr $0x2f,%r10
0x7ffff7ff3aec: cmp $0x1fff5,%r10d
0x7ffff7ff3af3: je 0x7ffff7ff3afe
0x7ffff7ff3af9: jmpq 0x7ffff7ff3b85
0x7ffff7ff3afe: mov 0x30(%rsp),%r10
0x7ffff7ff3b03: shr $0x2f,%r10
0x7ffff7ff3b07: cmp $0x1fff5,%r10d
0x7ffff7ff3b0e: je 0x7ffff7ff3b19
0x7ffff7ff3b14: jmpq 0x7ffff7ff3b85
0x7ffff7ff3b19: mov 0x28(%rsp),%r8
0x7ffff7ff3b1e: movabs $0x7fffffffffff,%rax
0x7ffff7ff3b28: and %r8,%rax
0x7ffff7ff3b2b: mov 0x30(%rsp),%r9
0x7ffff7ff3b30: movabs $0x7fffffffffff,%rdi
0x7ffff7ff3b3a: and %r9,%rdi
0x7ffff7ff3b3d: mov $0x1670b78,%r11d
0x7ffff7ff3b43: mov (%r11),%rcx
0x7ffff7ff3b46: cmp %rcx,%rsp
0x7ffff7ff3b49: jbe 0x7ffff7ff3b8f
0x7ffff7ff3b4f: callq 0x7ffff7ff39a0
0x7ffff7ff3b54: test %rbp,%rbp
0x7ffff7ff3b57: je 0x7ffff7ff3bd6
0x7ffff7ff3b5d: movabs $0xfffa800000000000,%rcx
0x7ffff7ff3b67: or %rbp,%rcx
0x7ffff7ff3b6a: retq
0x7ffff7ff3b6b: nop
...
0x7ffff7ff3b72: nop
0x7ffff7ff3b73: movabs $0xffffffffffffffff,%r11
0x7ffff7ff3b7d: push %r11
0x7ffff7ff3b7f: callq 0x7ffff7fe9400
0x7ffff7ff3b84: int3
0x7ffff7ff3b85: pushq $0x0
0x7ffff7ff3b8a: jmpq 0x7ffff7ff3c40
0x7ffff7ff3b8f: sub $0x28,%rsp
0x7ffff7ff3b93: mov %r9,0x20(%rsp)
0x7ffff7ff3b98: mov %r8,0x18(%rsp)
0x7ffff7ff3b9d: mov %rdi,0x10(%rsp)
0x7ffff7ff3ba2: mov %rcx,0x8(%rsp)
0x7ffff7ff3ba7: mov %rax,(%rsp)
0x7ffff7ff3bab: pushq $0x280
0x7ffff7ff3bb0: callq 0x7ffff7fee880
0x7ffff7ff3bb5: mov 0x20(%rsp),%r9
0x7ffff7ff3bba: mov 0x18(%rsp),%r8
0x7ffff7ff3bbf: mov 0x10(%rsp),%rdi
0x7ffff7ff3bc4: mov 0x8(%rsp),%rcx
0x7ffff7ff3bc9: mov (%rsp),%rax
0x7ffff7ff3bcd: add $0x28,%rsp
0x7ffff7ff3bd1: jmpq 0x7ffff7ff3b4f
0x7ffff7ff3bd6: sub $0x40,%rsp
0x7ffff7ff3bda: mov %r9,0x38(%rsp)
0x7ffff7ff3bdf: mov %r8,0x30(%rsp)
0x7ffff7ff3be4: mov %rdi,0x28(%rsp)
0x7ffff7ff3be9: mov %rsi,0x20(%rsp)
0x7ffff7ff3bee: mov %rbx,0x18(%rsp)
0x7ffff7ff3bf3: mov %rdx,0x10(%rsp)
0x7ffff7ff3bf8: mov %rcx,0x8(%rsp)
0x7ffff7ff3bfd: mov %rax,(%rsp)
0x7ffff7ff3c01: push %rdi
0x7ffff7ff3c02: push %rax
0x7ffff7ff3c03: pushq $0x500
0x7ffff7ff3c08: callq 0x7ffff7fec370
0x7ffff7ff3c0d: mov %rax,%rbp
0x7ffff7ff3c10: mov 0x38(%rsp),%r9
0x7ffff7ff3c15: mov 0x30(%rsp),%r8
0x7ffff7ff3c1a: mov 0x28(%rsp),%rdi
0x7ffff7ff3c1f: mov 0x20(%rsp),%rsi
0x7ffff7ff3c24: mov 0x18(%rsp),%rbx
0x7ffff7ff3c29: mov 0x10(%rsp),%rdx
0x7ffff7ff3c2e: mov 0x8(%rsp),%rcx
0x7ffff7ff3c33: mov (%rsp),%rax
0x7ffff7ff3c37: add $0x40,%rsp
0x7ffff7ff3c3b: jmpq 0x7ffff7ff3b5d
0x7ffff7ff3c40: pushq $0x0
0x7ffff7ff3c45: jmpq 0x7ffff7fe9008
0x7ffff7ff3c4a: hlt
```
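An added example, not part of the question or the answer, that decodes the boxed JS::Value layout those guards test: on x86-64 SpiderMonkey keeps a 17-bit type tag above a 47-bit payload, which is what the `shr $0x2f`, the `cmp` against a tag immediate and the `movabs $0x7fffffffffff` mask are doing, and it also explains why the two test files produce identical code: the arguments are read from the stack at run time, so the string's address is never embedded in the generated code. The tag values (0x1fff2 undefined, 0x1fff5 string) and the reading of the first guarded slot as the `this` value are assumptions based on the jsval.h of this engine era; check them against the Value.h in your tree.

```python
import re
import struct

# Constants as the dump uses them: `shr $0x2f` and `movabs $0x7fffffffffff`.
TAG_SHIFT = 47
PAYLOAD_MASK = 0x7FFFFFFFFFFF
TAG_MAX_DOUBLE = 0x1FFF0          # any tag at or below this is an unboxed double
# Assumed tag values (jsval.h of this engine era); check Value.h in your tree.
TAG_NAMES = {0x1FFF1: "int32", 0x1FFF2: "undefined", 0x1FFF5: "string"}

def decode_value(raw):
    """Split a 64-bit JS::Value into (type name, payload)."""
    if not 0 <= raw <= 0xFFFFFFFFFFFFFFFF:
        raise ValueError("raw must be an unsigned 64-bit integer")
    tag = raw >> TAG_SHIFT
    if tag <= TAG_MAX_DOUBLE:
        # Doubles are stored unboxed: the 64 bits are the IEEE-754 pattern itself.
        return ("double", struct.unpack("<d", struct.pack("<Q", raw))[0])
    return (TAG_NAMES.get(tag, "unknown-tag-0x%x" % tag), raw & PAYLOAD_MASK)

def box(tag, payload):
    """Inverse of decode_value; the `or %rbp,%rcx` before retq does exactly this."""
    if payload & ~PAYLOAD_MASK:
        raise ValueError("payload does not fit in 47 bits")
    return (tag << TAG_SHIFT) | payload

# A type guard compares the shifted tag against an immediate.
GUARD_RE = re.compile(r"cmp\s+\$0x([0-9a-f]+),%r10d")

def annotate_guards(dump):
    """Return [(address, type name)] for every tag guard in a gdb disassembly."""
    found = []
    for line in dump.splitlines():
        m = GUARD_RE.search(line)
        if m:
            addr = line.split(":", 1)[0].strip()
            found.append((addr, TAG_NAMES.get(int(m.group(1), 16), "unknown")))
    return found

# Constructed sample: the three guards from the dump above (assumed: this, arg0, arg1).
SAMPLE_DUMP = """\
0x7ffff7ff3ad1: cmp $0x1fff2,%r10d
0x7ffff7ff3aec: cmp $0x1fff5,%r10d
0x7ffff7ff3b07: cmp $0x1fff5,%r10d
"""

if __name__ == "__main__":
    print(annotate_guards(SAMPLE_DUMP))
    print(hex(box(0x1FFF5, 0)))      # 0xfffa800000000000, the constant before retq
```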
Easiest way is to build the engine with debugging enabled, then use the IONFLAGS env var: per the spew handling code you can enable spew channels like codegen.