How to obtain a pointer out of a C++ vtable?
Posted
by
Josh Haberman
on Stack Overflow
See other posts from Stack Overflow
or by Josh Haberman
Published on 2011-02-24T03:12:42Z
Indexed on
2012/06/26
21:16 UTC
Read the original article
Hit count: 283
Say you have a C++ class like:
class Foo {
public:
virtual ~Foo() {}
virtual DoSomething() = 0;
};
The C++ compiler translates a call into a vtable lookup:
Foo* foo;
// Translated by C++ to:
// foo->vtable->DoSomething(foo);
foo->DoSomething();
Suppose I was writing a JIT compiler and I wanted to obtain the address of the DoSomething() function for a particular instance of class Foo, so I can generate code that jumps to it directly instead of doing a table lookup and an indirect branch.
My questions are:
Is there any standard C++ way to do this (I'm almost sure the answer is no, but wanted to ask for the sake of completeness).
Is there any remotely compiler-independent way of doing this, like a library someone has implemented that provides an API for accessing a vtable?
I'm open to completely hacks, if they will work. For example, if I created my own derived class and could determine the address of its DoSomething method, I could assume that the vtable is the first (hidden) member of Foo and search through its vtable until I find my pointer value. However, I don't know a way of getting this address: if I write &DerivedFoo::DoSomething
I get a pointer-to-member, which is something totally different.
Maybe I could turn the pointer-to-member into the vtable offset. When I compile the following:
class Foo {
public:
virtual ~Foo() {}
virtual void DoSomething() = 0;
};
void foo(Foo *f, void (Foo::*member)()) {
(f->*member)();
}
On GCC/x86-64, I get this assembly output:
Disassembly of section .text:
0000000000000000 <_Z3fooP3FooMS_FvvE>:
0: 40 f6 c6 01 test sil,0x1
4: 48 89 74 24 e8 mov QWORD PTR [rsp-0x18],rsi
9: 48 89 54 24 f0 mov QWORD PTR [rsp-0x10],rdx
e: 74 10 je 20 <_Z3fooP3FooMS_FvvE+0x20>
10: 48 01 d7 add rdi,rdx
13: 48 8b 07 mov rax,QWORD PTR [rdi]
16: 48 8b 74 30 ff mov rsi,QWORD PTR [rax+rsi*1-0x1]
1b: ff e6 jmp rsi
1d: 0f 1f 00 nop DWORD PTR [rax]
20: 48 01 d7 add rdi,rdx
23: ff e6 jmp rsi
I don't fully understand what's going on here, but if I could reverse-engineer this or use an ABI spec I could generate a fragment like the above for each separate platform, as a way of obtaining a pointer out of a vtable.
© Stack Overflow or respective owner