Indirect branch

An indirect branch (also known as a computed jump, indirect jump and register-indirect jump) is a type of program control instruction present in some machine language instruction sets. Rather than specifying the address of the next instruction to execute, as in a direct branch, the argument specifies where the address is located. An example is 'jump indirect on the r1 register', which means that the next instruction to be executed is at the address in register r1. The address to be jumped to is not known until the instruction is executed. Indirect branches can also depend on the value of a memory location.

An indirect branch can be useful to make a conditional branch, especially a multiway branch. For instance, based on program input, a value could be looked up in a jump table of pointers to code for handling the various cases implied by the data value. The data value could be added to the address of the table, with the result stored in a register. An indirect jump could then be made based on the value of that register, efficiently dispatching program control to the code appropriate to the input.

In a similar manner, subroutine call instructions can be indirect, with the address of the subroutine to be called specified in memory. Function Pointers are typically implemented with indirect subroutine calls.

Indirect branches were one of the attack surfaces of Spectre. To mitigate the attack GCC 8.1 introduced the following new options: -mindirect-branch=, -mfunction-return= and -mindirect-branch-register.^[1]^{[nb 1]}

Example assembler syntax

MSP430:	`br r15`
SPARC:	`jmpl %o7`
MIPS:	`jr $ra`
x86 (AT&T Syntax):	`jmp *%eax`
x86 (Intel Syntax):	`jmp eax`
ARM:	`BX r0`, `mov pc, r2`
Itanium:	`br.ret.sptk.few rp`
6502:	`jmp ($0DEA)`
65C816:	`jsr ($0DEA,X)`
6809:	`jmp [$0DEA]`, `jmp B,X`, `jmp [B,X]`
6800:	`jmp 0,X`
68000:	`jmp (A0)`,`jmp (d₁₆,A0)`,`jmp (d₈,A0,D1)`
Z80:	`jp (hl)`
Intel MCS-51:	`jmp @A+DPTR`
Intel 8080, 8085:	`pchl`
IBM System z:	`bcr cond,r1`^[2]
PDP-11:	`jmp @R5`, `jmp 12(R5)`, `jmp @0(R5)`
RISC-V:	`jalr x0, 0(x1)`

Notes

^ Consult also the RETPOLINE=y feature added in Linux kernel 4.14.14/4.9.77/4.4.112. See also: Retpoline

References

^ Larabel, Michael (2018-01-14). "Spectre Mitigation Added To GCC 8, Seeking Backport To GCC 7". Archived from the original on 2018-01-20. Retrieved 2018-01-19.
^ "z/Architecture - Principles of Operation" (4 ed.). IBM. May 2004 [1990]. SA22-7832-03. Archived from the original on 2016-03-04. Retrieved 2018-05-26.

This computer-programming-related article is a stub. You can help Wikipedia by expanding it.

[RETPOLINE_2018-2] Consult also the RETPOLINE=y feature added in Linux kernel 4.14.14/4.9.77/4.4.112. See also: Retpoline

[GCC_2018_Spectre-1] Larabel, Michael (2018-01-14). "Spectre Mitigation Added To GCC 8, Seeking Backport To GCC 7". Archived from the original on 2018-01-20. Retrieved 2018-01-19.

[IBM-3] "z/Architecture - Principles of Operation" (4 ed.). IBM. May 2004 [1990]. SA22-7832-03. Archived from the original on 2016-03-04. Retrieved 2018-05-26.

[1]

[nb 1]

[2]

Indirect branch

Indirect branch

Indirect branch

Add your contribution

Hub overview

Root Wikipedia Article

Indirect branch

Example assembler syntax

See also

Notes

References