Shulou(Shulou.com)06/01 Report--

1. What is stack frame?

Stack frame, also known as procedure activity record, is a data structure used by the compiler to implement function call procedures. In C language, each stack frame corresponds to an unfinished function. Logically, the stack frame is the environment in which a function is executed: the function call framework, function parameters, local variables of the function, where to return after the function is executed, and so on. The stack extends from a high address to a low address. Each call of each function has its own independent stack frame, in which all kinds of information is maintained. Register ebp points to the bottom of the current stack frame (high address), and register esp points to the top of the current stack frame (low address).

2. The calling process of the Add () function

Let's take the Add () function as an example to deeply study the calling process of the function.

Let's start with a simple piece of code:

1 # include 2 int Add (int x, int y) 3 {4 int z = 0; 5 z = x + y; 6 return z; 7} 8 int main () 9 {10 int a = 10 int ret 11 int b = 20 int ret 12 int ret = Add (a, b); 13 printf ("ret =% d\ n", ret); 14 return 0x 15}

When talking about program debugging, check [call Stack] (press F10 to enter the debug-window-call stack, or press the shortcut key ctrl+alt+C), and debug with VS2015 as shown below:

If you use an older version, or other editors such as VC6.0, you can see more information, as shown in the figure for VS2008 debugging:

We found that the main function is actually called in the _ _ tmai nCRTStartup function, while the _ _ tmai nCRTStartup function is called in mai nCRTStartup. We know that every function call is a process. This process is usually called: the calling procedure of the function. This process is to open up stack space for the function, which is used for the preservation and on-site protection of temporary variables in this function call. This stack space is called function stack frame.

For the maintenance of stack frames, we must understand the ebp and esp registers. During the function call, these two registers store the bottom and top pointers that maintain the stack. For example, if we call the main function and allocate the stack frame space for the main function, the stack frame maintenance is as follows:

Ebp stores the address that points to the bottom of the function stack. Esp stores the address that points to the top of the function stack.

Note: ebp points to the bottom of a stack frame currently at the top of the system stack, not the bottom of the system stack. Strictly speaking, "bottom of the stack frame" and "bottom of the stack" are different concepts; ESP refers to the top of the stack frame in the same position as the top of the system stack.

1. Starting from the place of the main function, to expand the call to the main function, you have to create a stack frame for the main function, so let's first look at the creation of the main function stack frame. Go to disassembly to see the process more clearly:

Process analysis:

a. First, call the mainCRTStartup (), _ _ mainCRTStartup () function, and call the main () function.

b. Stack the ebp to save the address pointing to the ebp at the bottom of the stack (to facilitate the on-site recovery after the function returns), and the esp points to the new top location of the stack.

c. Assign the value of esp to ebp to generate a new ebp

d. Subtract a hexadecimal number 0E4H from esp (pre-open up space for the main function)

E.push ebx 、 esi 、 edi

F.lea instruction, loading a valid address

g. Initialize the pre-opened space to 0xcccccccc

h. Create variables an and b.

two。 Next is the call to the Add function. Parameter transfer process: process analysis:

a. Put b in the register eax, and then stack the eax; (parameter passing process, passing from left to right)

b. Put an into register ecx, and then stack ecx

The call to the c.call instruction first presses the address of the next instruction in the call instruction, and then push+jmp to the place of the Add () function (_ _ cdecl calling convention). Press F11 while executing the call instruction and come here.

Press F11 again to enter the execution code of the Add function. Creation of Add function stack frame:

Process analysis:

a. First, stack the main () function ebp to save the address pointing to the ebp at the bottom of the stack frame of the main () function (to facilitate the field recovery after the function returns), and then esp points to the new top position of the stack.

b. Assign the value of esp to ebp to generate a new ebp, that is, the ebp of the stack frame of the Add () function

c. Subtract a hexadecimal number 0E4H from esp (pre-open up space for the Add () function)

D.push ebx 、 esi 、 edi

E.lea instruction, loading a valid address

f. Initialize the pre-opened space to 0xcccccccc

g. Create variable z

h. Get the an and b of the parameter and add it, and store the result in z

i. Store the result in the eax register and bring back the return value of the function through the register.

The rest is the return part of the function:

Process analysis:

A.pop3 times, edi, esi, ebx out of the stack in turn, esp will move down

b. Assign ebp to esp so that esp points to where ebp points

C.ebp goes out of the stack, gives the contents of the stack to ebp (that is, the main () function ebp), and returns to the stack frame of the main () function.

D.ret instruction, out of the stack once, and the contents of the stack as an address, and jump to that address (pop+jmp).

Note: there are differences in the implementation of stack frames on different compilers, but the ideas are the same.

General summary of stack frames:

1. Stack is a space necessary for C language programs to record call paths and parameters.

Function call framework

Transfer parameters

Save return address

Provide local variable space

Wait.

Take x86 architecture as an example

two。 Stack registers and stack operations

Stack-related register

Esp, stack pointer (stack pointer)

Ebp, base address pointer (base pointer)

Stack operation

Reduce the top address of the push stack by 4 bytes (32 bits)

Add 4 bytes to the top address of the pop stack

Ebp is used as the base address for recording the current function call in C language.

3. Using stack to realize function call and return

Other key registers

Cs: eip: always points to the address of the next instruction

● sequential execution: always points to the next instruction with consecutive addresses

● jump / branch: when such an instruction is executed, the value of cs: eip will be modified according to the needs of the program

● call: press the current cs: eip to the top of the stack, and cs: eip points to the entry address of the called function.

● ret: pop up the value of cs: eip that was saved here from the top of the stack and put it in cs: eip

When an interruption occurs in ●?

4. The formation of function stack framework

Call xxx

Before performing the call

When call is executed, the original value of cs:eip points to the next instruction of call, which is saved to the top of the stack, and then the value of cs:eip points to the entry address of xxx

Enter xxx

First instruction: pushl% ebp

Second instruction: movl% esp,%ebp

Routine operations in the function body, stack pressing, stack out, etc.

Exit xxx

Movl ebp,%esp

Popl ebp

Ret

5. The relationship between heap and stack

When we say stack, we actually mean stack, but in fact, stack and stack are two different memory allocations. Briefly list the similarities and differences in the following aspects.

1)。 The heap requires the user to apply explicitly in the program. The stack is not used and is automatically completed by the system. The API that requests / frees heap memory is malloc/free in C and new/delete in C++. Request and release must be paired, otherwise it will cause memory leak (memory leak), over time the system will have no memory available, there will be an OOM (Out Of Memory) error. Generally speaking, it is easy to forget to free memory in statements such as return/exit or break/continue, so check the code for memory leaks to see if there is a necessary release statement free/delete in front of these statements.

2)。 The space of the heap is larger and the stack is smaller. Therefore, the application for large memory is generally applied in the heap; there is no large memory use on the stack, such as a large static array; and unless the algorithm is necessary, generally do not use deeper iterative function calls, so that stack memory consumption will soar as the number of iterations increases.

3)。 About the life cycle. The stack is short, and as the function exits or returns, the stack of this function is finished; the heap depends on when it is released, and the life cycle ends.

We find that parsing Coredump still has a relatively close relationship with stack, and there is a kind of production related to heap.

The reason for Coredump is an error accessing heap memory.

Why study stack frames? Look at a topic:

In a VC6.0 environment, what is the result of the following code?

1 # include 2 void fun () 3 {4 int tmp = 10; 5 int * p = (int *) (* (& tmp+1)); 6 * (pmur1) = 20; 7} 8 int main () 9 {10 int a = 0 fun (); 12 printf ("a =% d\ n", a); 13 return 0x 14}

In fact, this code has different output on different platforms and can be verified by itself.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.