在不是地址/指针的值上使用 LEA？

Question

I was trying to understand how Address Computation Instruction works, especially with leaq command. Then I get confused when I see examples using leaq to do arithmetic computation. For example, the following C code,

long m12(long x) {
return x*12;
}

In assembly,

leaq (%rdi, %rdi, 2), %rax
salq $2, $rax

If my understanding is right, leaq should move whatever address (%rdi, %rdi, 2) , which should be 2*%rdi+%rdi , evaluate to into %rax . What I get confused is since value x is stored in %rdi , which is just memory address, why does times %rdi by 3 then left shift this memory address by 2 is equal to x times 12? Isn't that when we times %rdi by 3, we jump to another memory address which does not hold value x?

Answer 1

lea (see Intel's instruction-set manual entry) is a shift-and-add instruction that uses memory-operand syntax and machine encoding. This explains the name, but it's not the only thing it's good for. It never actually accesses memory, so it's like using & in C.

See for example How to multiply a register by 37 using only 2 consecutive leal instructions in x86?

In C, it's like uintptr_t foo = &arr[idx] . Note the & to give you the result of arr + idx , including scaling for the object size of arr . In C, this would be abuse of the language syntax and types, but in x86 assembly pointers and integers are the same thing. Everything is just bytes, and it's up to the program put instructions in the right order to get useful results.

---

The original designer / architect of 8086's instruction set ( Stephen Morse ) might or might not have had pointer math in mind as the main use-case, but modern compilers think of it as just another option for doing arithmetic on pointers / integers, and that's how you should think of it, too.

(Note that 16-bit addressing modes don't include shifts, just [BP|BX] + [SI|DI] + disp8/disp16 , so LEA wasn't as useful for non-pointer math before 386. See this answer for more about 32/64-bit addressing modes, although that answer uses Intel syntax like [rax + rdi*4] instead of the AT&T syntax used in this question. x86 machine code is the same regardless of what syntax you use to create it.)

Maybe the 8086 architects did simply want to expose the address-calculation hardware for arbitrary uses because they could do it without using a lot of extra transistors. The decoder already has to be able to decode addressing modes, and other parts of the CPU have to be able to do address calculations. Putting the result in a register instead of using it with a segment-register value for memory access doesn't take many extra transistors. Ross Ridge confirms that LEA on original 8086 reuses the CPUs effective-address decoding and calculation hardware.

---

Note that most modern CPUs run LEA on the same ALUs as normal add and shift instructions . They have dedicated AGUs (address-generation units), but only use them for actual memory operands. In-order Atom is one exception; LEA runs earlier in the pipeline than the ALUs: inputs have to be ready sooner, but outputs are also ready sooner. Out-of-order execution CPUs (the vast majority for modern x86) don't want LEA to interfere with actual loads/stores, so they run it on an ALU.

lea has good latency and throughput, but not as good throughput as add or mov r32, imm32 on most CPUs, so only use lea when you can save an instructions with it instead of add . (See Agner Fog's x86 microarch guide and asm optimization manual .)

---

The internal implementation is irrelevant, but it's a safe bet that decoding the operands to LEA shares transistors with decoding addressing modes for any other instruction . (So there is hardware reuse / sharing even on modern CPUs that don't execute lea on an AGU.) Any other way of exposing a multi-input shift-and-add instruction would have taken a special encoding for the operands.

So 386 got a shift-and-add ALU instruction for "free" when it extended the addressing modes to include scaled-index, and being able to use any register in an addressing mode made LEA much easier to use for non-pointers, too.

x86-64 got cheap access to the program counter ( instead of needing to read what call pushed ) "for free" via LEA because it added the RIP-relative addressing mode, making access to static data significantly cheaper in x86-64 position-independent code than in 32-bit PIC. (RIP-relative does need special support in the ALUs that handle LEA, as well as the separate AGUs that handle actual load/store addresses. But no new instruction was needed.)

---

It's just as good for arbitrary arithmetic as for pointers, so it's a mistake to think of it as being intended for pointers these days . It's not an "abuse" or "trick" to use it for non-pointers, because everything's an integer in assembly language. It has lower throughput than add , but it's cheap enough to use almost all the time when it saves even one instruction. But it can save up to three instructions:

;; Intel syntax.
lea  eax, [rdi + rsi*4 - 8]   ; 3 cycle latency on Intel SnB-family
                              ; 2-component LEA is only 1c latency

 ;;; without LEA:
mov  eax, esi             ; maybe 0 cycle latency, otherwise 1
shl  eax, 2               ; 1 cycle latency
add  eax, edi             ; 1 cycle latency
sub  eax, 8               ; 1 cycle latency

On some AMD CPUs, even a complex LEA is only 2 cycle latency, but the 4-instruction sequence would be 4 cycle latency from esi being ready to the final eax being ready. Either way, this saves 3 uops for the front-end to decode and issue, and that take up space in the reorder buffer all the way until retirement.

lea has several major benefits , especially in 32/64-bit code where addressing modes can use any register and can shift:

• non-destructive: output in a register that isn't one of the inputs . It's sometimes useful as just a copy-and-add like lea 1(%rdi), %eax or lea (%rdx, %rbp), %ecx .
• can do 3 or 4 operations in one instruction (see above).
• Math without modifying EFLAGS , can be handy after a test before a cmovcc . Or maybe in an add-with-carry loop on CPUs with partial-flag stalls.

• x86-64: position independent code can use a RIP-relative LEA to get a pointer to static data.

  7-byte lea foo(%rip), %rdi is slightly larger and slower than mov $foo, %edi (5 bytes), so prefer mov r32, imm32 in position-dependent code on OSes where symbols are in the low 32 bits of virtual address space, like Linux. You may need to disable the default PIE setting in gcc to use this.

  In 32-bit code, mov edi, OFFSET symbol is similarly shorter and faster than lea edi, [symbol] . (Leave out the OFFSET in NASM syntax.) RIP-relative isn't available and addresses fit in a 32-bit immediate, so there's no reason to consider lea instead of mov r32, imm32 if you need to get static symbol addresses into registers.

Other than RIP-relative LEA in x86-64 mode, all of these apply equally to calculating pointers vs. calculating non-pointer integer add / shifts.

See also the x86 tag wiki for assembly guides / manuals, and performance info.

---

Operand-size vs. address-size for x86-64 lea

See also Which 2's complement integer operations can be used without zeroing high bits in the inputs, if only the low part of the result is wanted? . 64-bit address size and 32-bit operand size is the most compact encoding (no extra prefixes), so prefer lea (%rdx, %rbp), %ecx when possible instead of 64-bit lea (%rdx, %rbp), %rcx or 32-bit lea (%edx, %ebp), %ecx .

x86-64 lea (%edx, %ebp), %ecx is always a waste of an address-size prefix vs. lea (%rdx, %rbp), %ecx , but 64-bit address / operand size is obviously required for doing 64-bit math. (Agner Fog's objconv disassembler even warns about useless address-size prefixes on LEA with a 32-bit operand-size.)

Except maybe on Ryzen, where Agner Fog reports that 32-bit operand size lea in 64-bit mode has an extra cycle of latency. I don't know if overriding the address-size to 32-bit can speed up LEA in 64-bit mode if you need it to truncate to 32-bit.

---

This question is a near-duplicate of the very-highly-voted What's the purpose of the LEA instruction? , but most of the answers explain it in terms of address calculation on actual pointer data. That's only one use.

Answer 2

leaq doesn't have to operate on memory addresses, and it computes an address, it doesn't actually read from the result, so until a mov or the like tries to use it, it's just an esoteric way to add one number, plus 1, 2, 4 or 8 times another number (or the same number in this case). It's frequently "abused" ^† for mathematical purposes, as you see. 2*%rdi+%rdi is just 3 * %rdi , so it's computing x * 3 without involving the multiplier unit on the CPU.

Similarly, left shifting, for integers, doubles the value for every bit shifted (every zero added to the right), thanks to the way binary numbers work (the same way in decimal numbers, adding zeroes on the right multiplies by 10).

So this is abusing the leaq instruction to accomplish multiplication by 3, then shifting the result to achieve a further multiplication by 4, for a final result of multiplying by 12 without ever actually using a multiply instruction (which it presumably believes would run more slowly, and for all I know it could be right; second-guessing the compiler is usually a losing game).

^† : To be clear, it's not abuse in the sense of misuse , just using it in a way that doesn't clearly align with the implied purpose you'd expect from its name. It's 100% okay to use it this way.

Answer 3

LEA is for calculating the address . It doesn't dereference the memory address

It should be much more readable in Intel syntax

m12(long):
  lea rax, [rdi+rdi*2]
  sal rax, 2
  ret

So the first line is equivalent to rax = rdi*3 Then the left shift is to multiply rax by 4, which results in rdi*3*4 = rdi*12