Chapter 25 Quiz: System Calls

1. Which register holds the system call number in the Linux x86-64 ABI?

A) RDI B) RSI C) RAX D) R8

Answer: C — RAX holds the syscall number on entry, and the return value on exit.


2. What does the syscall instruction save RIP into?

A) RBP B) RSP C) RCX D) R10

Answer: C — syscall saves the return address (RIP) into RCX and RFLAGS into R11. Both are therefore destroyed from the caller's perspective.


3. Why does the Linux syscall ABI use R10 for the 4th argument instead of RCX?

A) R10 is faster to access than RCX B) The syscall instruction destroys RCX C) RCX is reserved for the kernel D) R10 has special hardware support for system calls

Answer: B — syscall uses RCX to save the return address (RIP), destroying whatever was there. R10 is used as the substitute.


4. A sys_open call returns -2 in RAX. What does this mean?

A) The file was opened with fd=2 (stderr) B) The syscall failed with errno ENOENT (file not found) C) 2 bytes were read from the file D) The file descriptor table has 2 entries

Answer: B — Negative return from a syscall means error. -2 corresponds to ENOENT (No such file or directory). The actual error number is the negation: errno = -RAX = 2.


5. What is the syscall number for sys_write on Linux x86-64?

A) 0 B) 1 C) 2 D) 4

Answer: B — sys_read=0, sys_write=1, sys_open=2, sys_close=3.


6. Which registers are the first three arguments to a Linux x86-64 system call?

A) RAX, RBX, RCX B) RDI, RSI, RDX C) R8, R9, R10 D) RBP, RBX, R12

Answer: B — Arguments 1-3 are RDI, RSI, RDX. This matches the System V AMD64 ABI calling convention (except R10 replaces RCX for arg 4).


7. After a successful sys_mmap call, what value is in RAX?

A) 0 (success) B) The number of bytes mapped C) The virtual address of the mapped region D) The file descriptor for the mapping

Answer: C — mmap returns the virtual address of the mapped region on success, or MAP_FAILED (-1 as a void*) on error.


8. In a program that uses sys_fork, what value does the child process receive in RAX after the syscall returns?

A) The child's own PID B) The parent's PID C) 0 D) -1

Answer: C — In the child, fork returns 0. In the parent, fork returns the child's PID (positive). This is how you distinguish parent from child after fork.


9. What registers does sys_execve require for its three arguments?

A) RAX, RBX, RCX B) RDI (path), RSI (argv), RDX (envp) C) RDI (argv), RSI (path), RDX (envp) D) R8 (path), R9 (argv), R10 (envp)

Answer: B — sys_execve(59): RDI=path, RSI=argv array pointer, RDX=envp array pointer. Both argv and envp are arrays of pointers that must be NULL-terminated.


10. What is strace used for?

A) Analyzing CPU performance counters B) Intercepting and displaying system calls made by a process C) Disassembling binary executables D) Monitoring hardware interrupts

Answer: B — strace intercepts every system call, printing the call name, arguments, and return value. It uses the ptrace syscall internally.


11. The sys_brk syscall with argument 0 does what?

A) Sets the program break to address 0 (unmaps all memory) B) Returns the current program break (end of data segment) C) Allocates 0 bytes and returns NULL D) Terminates the program with exit code 0

Answer: B — Calling brk(0) queries the current program break without changing it. This is how malloc implementations discover the current heap end.


12. On ARM64 Linux, which instruction is used to make a system call?

A) syscall B) INT 0x80 C) SVC #0 D) TRAP

Answer: C — ARM64 uses SVC #0 (Supervisor Call) to enter kernel mode. The syscall number is in X8 (not X0 as you might expect).


13. What does the vDSO accomplish for gettimeofday?

A) It makes the call faster by using hardware time registers directly B) It eliminates the expensive ring transition by mapping kernel time data into user space C) It caches the time to avoid calling the kernel more than once per second D) It uses RDTSC to approximate the time

Answer: B — The vDSO maps a kernel-maintained page into user address space. The gettimeofday function in the vDSO reads from this shared page without executing a real syscall instruction, avoiding the ring-3→ring-0 transition.


14. Which system call number is sys_exit on Linux x86-64?

A) 1 B) 60 C) 93 D) 231

Answer: B — sys_exit is 60. Note: sys_exit_group (231) exits all threads; sys_exit (60) exits just the current thread. For single-threaded programs, they behave identically.


15. When calling sys_mmap for anonymous memory from NASM assembly, what value must be passed for the flags argument, and which register carries it?

A) MAP_SHARED (0x01) in RCX B) MAP_PRIVATE|MAP_ANONYMOUS (0x22) in R10 C) MAP_FIXED (0x10) in RDI D) MAP_ANONYMOUS (0x20) in RSI

Answer: B — Flags is the 4th argument. Since syscall destroys RCX, the 4th argument uses R10. MAP_PRIVATE=0x02, MAP_ANONYMOUS=0x20, combined = 0x22.


16. After calling sys_fork, how does a process determine whether it is the parent or child?

A) Check if getppid() changed B) Check the value of RAX: 0 = child, positive = parent (value is child's PID) C) Check a global flag set by the kernel in the BSS segment D) Compare RSP before and after the fork

Answer: B — Fork returns 0 in the child and the child's PID (positive) in the parent. Negative means fork failed.


17. What does the swapgs instruction do in the MinOS syscall entry point?

A) Swaps the GS segment register with FS, needed for TLS B) Swaps the GS base MSR with the kernel GS base MSR, allowing access to per-CPU data C) Saves and restores the GS register across the syscall boundary D) Enables use of GS for string operations

Answer: B — swapgs swaps the value of the GS.base MSR with the IA32_KERNEL_GS_BASE MSR. This gives the kernel access to per-CPU data structures (like the kernel stack pointer) via GS-relative addressing.


18. What is the correct call to sys_write to print to stderr (standard error)?

A) RAX=1, RDI=2, RSI=buf, RDX=len B) RAX=1, RDI=1, RSI=buf, RDX=len C) RAX=2, RDI=2, RSI=buf, RDX=len D) RAX=0, RDI=2, RSI=buf, RDX=len

Answer: A — sys_write is syscall number 1 (RAX=1). stderr is file descriptor 2 (RDI=2). Stdout is fd 1, stdin is fd 0.


19. What happens if sys_execve succeeds?

A) RAX returns 0 and the process continues executing B) RAX returns the PID of the new process C) The current process image is replaced; the code after syscall never executes D) A new process is created and the original continues

Answer: C — On success, execve replaces the entire process image (code, data, stack) with the new program. There is no return. On failure, RAX returns a negative error code and the original program continues.


20. Which of the following syscalls is used to wait for a child process to change state?

A) sys_sleep (35) B) sys_pause (34) C) sys_wait4 (61) D) sys_getppid (110)

Answer: C — sys_wait4 (and its aliases waitpid, wait) blocks until a child process changes state (exits, is killed, or stopped). The status can be decoded to get the exit code or signal number.