Linux i386 clone(): %ebx 'frobbing' ?

Linux i386 clone(): %ebx 'frobbing' ?

[Ahmed S. Darwish]

Hi all,

In the clone(int (*fn)(void *arg), void *child_stack, ..., void *arg, ...)
Glibc library function defind in sysdeps/unix/sysv/linux/i386/:

`fn' is saved in 8(child_stack), and `arg' is stored in 12(child_stack):

	movl	STACK(%esp),%ecx
	movl	ARG(%esp),%eax		/* no negative argument counts */
	movl	%eax,12(%ecx)		<---

	/* Save the function pointer as the zeroth argument.
	   It will be popped off in the child in the ebx frobbing below.  */
	movl	FUNC(%esp),%eax
	movl	%eax,8(%ecx)		<---

But after the exectuion of `sys_clone' system call, `fn' is 
called in the child thread by the statement 'call *%ebx' as follows:

	int	$0x80
	[...]

	test	%eax,%eax
	jz	L(thread_start)

/* Parent */
L(pseudo_end):
	ret

/* Child */
L(thread_start):
	/* Note: %esi is zero.  */
	movl	%esi,%ebp	/* terminate the stack frame */
	call	*%ebx

I don't understand how the `fn' argument reached the child thread
in the %ebx register. It's said in the comment that `fn' will be
popped to child 'in the ebx frobbing below'. But what does that mean ?

Thanks in advance

-- 
Ahmed S. Darwish
Homepage: http://darwish.07.googlepages.com
Blog: http://darwish-07.blogspot.com

Re: Linux i386 clone(): %ebx 'frobbing' ?

[Andreas Schwab]

"Ahmed S. Darwish" <darwish.07@gmail.com> writes:

> I don't understand how the `fn' argument reached the child thread
> in the %ebx register. It's said in the comment that `fn' will be
> popped to child 'in the ebx frobbing below'. But what does that mean ?

See "popl %ebx" after "int $0x80".

Andreas.

-- 
Andreas Schwab, SuSE Labs, schwab@suse.de
SuSE Linux Products GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
PGP key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."

Re: Linux i386 clone(): %ebx 'frobbing' ?

[Ahmed S. Darwish]

Hi Andreas,

On Fri, Feb 15, 2008, Andreas Schwab wrote:
> "Ahmed S. Darwish" <darwish.07@gmail.com> writes:
> 
> > I don't understand how the `fn' argument reached the child thread
> > in the %ebx register. It's said in the comment that `fn' will be
> > popped to child 'in the ebx frobbing below'. But what does that mean ?
> 
> See "popl %ebx" after "int $0x80".
> 

I hope I'm not misreading something obvious, but I can't find
the code where FUNC(%esp) is stored in %ebx before %ebx value
got pushed in the stack (and restored in above 'popl' statement).

Thanks a lot for help.

-- 
Ahmed S. Darwish
Homepage: http://darwish.07.googlepages.com
Blog: http://darwish-07.blogspot.com

Re: Linux i386 clone(): %ebx 'frobbing' ?

[Andreas Schwab]

"Ahmed S. Darwish" <darwish.07@gmail.com> writes:

> Hi Andreas,
>
> On Fri, Feb 15, 2008, Andreas Schwab wrote:
>> "Ahmed S. Darwish" <darwish.07@gmail.com> writes:
>> 
>> > I don't understand how the `fn' argument reached the child thread
>> > in the %ebx register. It's said in the comment that `fn' will be
>> > popped to child 'in the ebx frobbing below'. But what does that mean ?
>> 
>> See "popl %ebx" after "int $0x80".
>> 
>
> I hope I'm not misreading something obvious, but I can't find
> the code where FUNC(%esp) is stored in %ebx before %ebx value
> got pushed in the stack (and restored in above 'popl' statement).

It is stored in the new stack for the child, as explained in the
comment.  The parent has a different stack.

Andreas.

-- 
Andreas Schwab, SuSE Labs, schwab@suse.de
SuSE Linux Products GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
PGP key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."

Re: Linux i386 clone(): %ebx 'frobbing' ?

[Ahmed S. Darwish]

On Sat, Feb 16, 2008 at 12:28:11AM +0100, Andreas Schwab wrote:
> "Ahmed S. Darwish" <darwish.07@gmail.com> writes:
> 
> > Hi Andreas,
> >
> > On Fri, Feb 15, 2008, Andreas Schwab wrote:
> >> "Ahmed S. Darwish" <darwish.07@gmail.com> writes:
> >> 
> >> > I don't understand how the `fn' argument reached the child thread
> >> > in the %ebx register. It's said in the comment that `fn' will be
> >> > popped to child 'in the ebx frobbing below'. But what does that mean ?
> >> 
> >> See "popl %ebx" after "int $0x80".
> >> 
> >
> > I hope I'm not misreading something obvious, but I can't find
> > the code where FUNC(%esp) is stored in %ebx before %ebx value
> > got pushed in the stack (and restored in above 'popl' statement).
> 
> It is stored in the new stack for the child, as explained in the
> comment.  The parent has a different stack.
> 

Ooh great, I got it. Sorry, my mind didn't connect the dots though 
I read the comment several times. Thanks a lot for bearing with me :).

Regards,

-- 
Ahmed S. Darwish
Homepage: http://darwish.07.googlepages.com
Blog: http://darwish-07.blogspot.com