What is callq instruction?

by

It’s just call. Use Intel-syntax disassembly if you want to be able to look up instructions in the Intel/AMD manuals. (objdump -drwC -Mintel, GBD set disassembly-flavor intel, GCC -masm=intel)

The q operand-size suffix does technically apply (it pushes a 64-bit return address and treats RIP as a 64-bit register), but there’s no way to override it with instruction prefixes. i.e. calll and callw aren’t encodeable in 64-bit mode according to Intel’s manual, so it’s just annoying that some AT&T syntax tools show it as callq instead of call. This of course applies to retq as well.

Different tools are different in 32 vs. 64-bit mode. (Godbolt)

  • gcc -S: always call/ret. Nice.

  • clang -S: callq/retq and calll/retl. At least it’s consistently annoying.

  • objdump -d: callq/retq (explicit 64-bit) and call/ret (implicit for 32-bit). Inconsistent and kinda dumb because 64-bit has no choice of operand-size, but 32-bit does. (Not a useful choice, though: callw truncates EIP to 16 bits.)

    Although on the other hand, the default operand size (without a REX.W prefix) for most instructions in 64-bit mode is still 32. But add $1, (%rdi) needs an operand-size suffix; the assembler won’t pick 32-bit for you if nothing implies one. OTOH, push is implicitly pushq, even though pushw $1 and pushq $1 are both encodeable (and usable in practice) in 64-bit mode.

GAS in 64-bit mode will assemble callw foo / foo: to 66 e8 00 00, but my Skylake CPU single-steps it as a 6-byte instruction, consuming 2 bytes of 00 after it. And changing RSP by 8. So it decodes it as callq with a rel32=0, ignoring the 66 operand-size prefix. So even though there’s no choice of operand-size, GNU Binutils thinks there is. (Tested with GAS 2.38). So it’s still odd that it uses suffixes in 64-bit mode but not 32, since it thinks the situation is the same in both modes.

Clang and llvm-objdump -d have the same bug, assembling / disassembling callw in 64-bit mode.

AMD’s manual says 64-bit mode can’t use 32-bit operand-size, but does not mention any limitation on using 16-bit operand-size. So perhaps GAS and LLVM are correct for AMD CPUs, and there is still the same choice of 66 prefix or not, as in 32-bit mode. (You could test by seeing if RIP = 0x1004 after single-stepping callw foo / foo: in a static executable, instead of 0x401006, with the .text section starting at 0x401000.)

NASM’s ndisasm -b64 assumes that a 66 prefix will be ignored in 64-bit mode, disassembling 66E800000000 as call qword 0x18c (it doesn’t understand ELF metadata, so I just padded with nops and found it in disassembly of a .o as if it were a flat binary, hence the unusual address.)

From Intel’s instruction-set ref manual (linked above):

For a near call absolute, an absolute offset is specified indirectly in a general-purpose register or a memory location (r/m16, r/m32, or r/m64).
The operand-size attribute determines the size of the target operand (16, 32 or 64 bits). When in 64-bit mode, the operand size for near call (and all near branches) is forced to 64-bits.

for rel32 … As with absolute offsets, the operand-size attribute determines the size of the target operand (16, 32, or 64 bits). In 64-bit mode the target operand will always be 64-bits because the operand size is forced to 64-bits for near branches.

In 32-bit mode, you can encode a 16-bit call rel16 that truncates EIP to 16 bits, or a call r/m16 that uses an absolute 16-bit address. But as the manual says, the operand-size is fixed in 64-bit mode.

This is unlike the situation with push, where it defaults to 64-bit in 64-bit mode, but can be overridden to 16 with an operand-size prefix. (But not to 32 with a REX.W=0). So pushq and pushw are both available, but only callq.

More Related Contents:

  1. Why do x86-64 instructions on 32-bit registers zero the upper part of the full 64-bit register?
  2. What’s the purpose of the LEA instruction?
  3. Why doesn’t GCC use partial registers?
  4. Difference between movq and movabsq in x86-64
  5. A couple of questions about [base + index*scale + disp] and AT&T disp(base, index, scale)
  6. rbp not allowed as SIB base?
  7. Why are signed and unsigned multiplication different instructions on x86(-64)?
  8. What does cltq do in assembly?
  9. What do the E and R prefixes stand for in the names of Intel 32-bit and 64-bit registers?
  10. Why is (or isn’t?) SFENCE + LFENCE equivalent to MFENCE?
  11. Why is imul used for multiplying unsigned numbers?
  12. What is the meaning of MOV (%r11,%r12,1), %edx?
  13. x64 instruction encoding and the ModRM byte
  14. What was the original reason for the design of AT&T assembly syntax?
  15. Does it make any sense to use the LFENCE instruction on x86/x86_64 processors?
  16. Why not store function parameters in XMM vector registers?
  17. How to interpret objdump disassembly output columns?
  18. What does the bracket in `movl (%eax), %eax` mean?
  19. Questions about AT&T x86 Syntax design
  20. How to determine if the registers are loaded right to left or vice versa
  21. What does the MOVZBL instruction do in IA-32 AT&T syntax?
  22. What does “rep; nop;” mean in x86 assembly? Is it the same as the “pause” instruction?
  23. What does an asterisk * before an address mean in x86-64 AT&T assembly?
  24. When should I use size directives in x86?
  25. Using 8-bit registers in x86-64 indexed addressing modes
  26. Why can I access lower dword/word/byte in a register but not higher?
  27. Arithmetic identities and EFLAGS
  28. What is the compatible subset of Intel’s and AMD’s x86-64 implementations?
  29. How to know if an assembly code has particular syntax (emu8086, NASM, TASM, …)?
  30. What’s difference between number with $ or without $ symbol in at&t assembly syntax?

Leave a Comment