Bugtraq mailing list archives

Re: Bounds checking - historical aside


From: aleph1 () DFW NET (Aleph One)
Date: Wed, 22 Jul 1998 12:00:12 -0500


The x86 may implement the BOUND instruction but since everyone has decided
not to use it Intel has done little to speed it up. From the Art of
Assembly Language Programming:

http://webster.ucr.edu/Page_asm/ArtofAssembly/CH06/CH06-5.html#HEADING5-171

The fourth software interrupt, provided by 80286 and later processors, is
the bound instruction. This instruction takes the form

                bound   reg, mem

and executes the following algorithm:

        if (reg < [mem]) or (reg > [mem+sizeof(reg)]) then int 5

[mem] denotes the contents of the memory location mem and sizeof(reg) is
two or four depending on whether the register is 16 or 32 bits wide. The
memory operand must be twice the size of the register operand. The bound
instruction compares the values using a signed integer comparison.

Intel's designers added the bound instruction to allow a quick check of
the range of a value in a register. This is useful in Pascal, for example,
when checking array bounds validity and when checking to see if a
subrange integer is within an allowable range. There are two problems with
this instruction, however. On 80486 and Pentium/586 processors, the bound
instruction is generally slower than the sequence of instructions it would
replace:

                cmp     reg, LowerBound
                jl      OutOfBounds
                cmp     reg, UpperBound
                jg      OutOfBounds

On the 80486 and Pentium/586 chips, the sequence above only requires four
clock cycles assuming you can use the immediate addressing mode and the
branches are not taken; the bound instruction requires 7-8 clock cycles
under similar circumstances and also assuming the memory operands are in
the cache.

A second problem with the bound instruction is that it executes an int 5
if the specified register is out of range. IBM, in their infinite wisdom,
decided to use the int 5 interrupt handler routine to print the screen.
Therefore, if you execute a bound instruction and the value is out of
range, the system will, by default, print a copy of the screen to the
printer. If you replace the default int 5 handler with one of your own,
pressing the PrtSc key will transfer control to your bound instruction
handler. Although there are ways around this problem, most people don't
bother since the bound instruction is so slow.

Aleph One / aleph1 () dfw net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01
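As an added illustration (not part of Aleph One's message or of the Art of Assembly text it quotes), the C program below models the BOUND check exactly as described above: a two-element signed bounds descriptor in memory, inclusive lower and upper bounds, signed comparison, and a trap (int 5) when the register is outside the range. It also implements the cmp/jl/cmp/jg sequence from the post and, as an assumption of mine rather than anything in the post, the single unsigned compare that compilers commonly emit in place of either, then sweeps edge values to confirm all three agree. The probe values and ranges are constructed test data. BOUND itself is not available in 64-bit mode, so the check is simulated rather than executed with inline assembly.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Memory operand of BOUND: two adjacent signed values, lower bound first,
 * each the width of the register. Both bounds are inclusive. */
typedef struct { int16_t lower; int16_t upper; } bounds16;
typedef struct { int32_t lower; int32_t upper; } bounds32;

/* True when BOUND would raise int 5: reg < [mem] or reg > [mem+sizeof(reg)],
 * evaluated as a signed comparison, as the quoted description states. */
bool bound16_traps(int16_t reg, const bounds16 *mem)
{
    return reg < mem->lower || reg > mem->upper;
}

bool bound32_traps(int32_t reg, const bounds32 *mem)
{
    return reg < mem->lower || reg > mem->upper;
}

/* The cmp/jl/cmp/jg sequence from the post as a function: two signed
 * compares against immediate bounds, taking OutOfBounds on either failure. */
bool cmp_jl_jg_out_of_bounds(int32_t reg, int32_t lower, int32_t upper)
{
    if (reg < lower)            /* cmp reg, LowerBound ; jl OutOfBounds */
        return true;
    if (reg > upper)            /* cmp reg, UpperBound ; jg OutOfBounds */
        return true;
    return false;
}

/* Added alternative, not from the post: one unsigned compare. Subtracting
 * lower modulo 2^32 maps [lower, upper] onto [0, upper-lower]; every value
 * outside the range wraps to something larger. Assumes lower <= upper. */
bool single_compare_out_of_bounds(int32_t reg, int32_t lower, int32_t upper)
{
    return (uint32_t)reg - (uint32_t)lower > (uint32_t)upper - (uint32_t)lower;
}

/* Sweep constructed edge values against several ranges and report whether
 * the three formulations agree on every (reg, range) pair. */
bool all_forms_agree(void)
{
    static const int32_t probes[] = {
        INT32_MIN, INT32_MIN + 1, -2, -1, 0, 1, 4, 5, 6, 9, 10, 11,
        99, 100, 101, INT32_MAX - 1, INT32_MAX
    };
    static const bounds32 ranges[] = {
        { 0, 9 }, { -1, 1 }, { 10, 100 }, { 5, 5 },
        { INT32_MIN, INT32_MAX }, { INT32_MIN, -1 }
    };
    for (size_t r = 0; r < sizeof ranges / sizeof ranges[0]; r++) {
        for (size_t p = 0; p < sizeof probes / sizeof probes[0]; p++) {
            int32_t reg = probes[p];
            bool a = bound32_traps(reg, &ranges[r]);
            bool b = cmp_jl_jg_out_of_bounds(reg, ranges[r].lower, ranges[r].upper);
            bool c = single_compare_out_of_bounds(reg, ranges[r].lower, ranges[r].upper);
            if (a != b || a != c)
                return false;
        }
    }
    return true;
}

int main(void)
{
    /* An index arriving as 0xFFFFFFFF is -1 under BOUND's signed comparison,
     * so it is rejected against [0, 9] just as 10 would be. */
    bounds32 idx = { 0, 9 };
    int32_t wrapped = (int32_t)0xFFFFFFFFu;
    printf("bound 0xFFFFFFFF vs [0,9]: %s\n", bound32_traps(wrapped, &idx) ? "int 5" : "ok");
    printf("bound 9 vs [0,9]:          %s\n", bound32_traps(9, &idx) ? "int 5" : "ok");
    printf("all three forms agree:     %s\n", all_forms_agree() ? "yes" : "no");
    return 0;
}
```

The single-compare form is why the four-cycle compare/branch sequence in the post is itself rarely what a modern compiler emits: one subtraction and one unsigned compare cover both ends of the range, so BOUND's two-bound descriptor buys nothing over a register check.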
