本文详细解析了栈帧在函数调用中的作用及其构造过程,包括栈的特性、栈帧的内容、函数调用时栈帧的变化等核心概念。
转自:http://blog.chinaunix.net/uid-9104650-id-2009601.html
Stack is one important segment of the process's memory layout. It is a dynamic memory buffer portion used to store data implicitly normally during the run time.
栈是进程内存布局的很重要的一个片段,它是一个动态内存缓存部分,通常用于在程序运行时隐式的存储数据。
The stack segment is where local (automatic) variables are allocated. In C program, local variables are all variables declared inside the opening left curly brace of a function body including the main() or other left curly brace that aren’t defined as static. The data is popped up or pushed into the stack following the Last In First Out (LIFO) rule. The stack holds local variables, temporary information/data, function parameters, return address and the like. When a function is called, a stack frame (or a procedure activation record) is created and PUSHed onto the top of the stack. This stack frame contains information such as the address from which the function was called and where to jump back to when the function is finished (return address), parameters, local variables, and any other information needed by the invoked function. The order of the information may vary by system and compiler. When a function returns, the stack frame is POPped from the stack. Typically the stack grows downward, meaning that items deeper in the call chain are at numerically lower addresses and toward the heap.
Stack frame constructed during the function call for memory allocation implicitly.
A typical layout of a stack frame is shown below although it may be organized differently in different operating systems:
*Function parameters.
*Function’s return address.
*Frame pointer.
*Exception Handler frame.
*Locally declared variables.
*Buffer
*Callee save registers
As an example in Windows/Intel, typically, when the function call takes place, data elements are stored on the stack in the following way:
1. The function parameters are pushed on the stack before the function is called. The parameters are pushed from right to left.
2. The function return address is placed on the stack by the x86 CALL instruction, which stores the current value of the EIP register.
3. Then, the frame pointer that is the previous value of the EBP register is placed on the stack.
4. If a function includes try/catch or any other exception handling construct such as SEH (Structured Exception Handling - Microsoft implementation), the compiler will include exception handling information on the stack.
5. Next, the locally declared variables.
6. Then the buffers are allocated for temporary data storage.
7. Finally, the callee save registers such as ESI, EDI, and EBX are stored if they are used at any point during the functions execution. For Linux/Intel, this step comes after step no. 4.
There are two CPU registers that are important for the functioning of the stack which hold information that is necessary when calling data residing in the memory. Their names are ESP and EBP in 32 bits system.
The ESP (Extended Stack Pointer) holds the top stack address. The EBP (Extended Base Pointer) points to the bottom of the current stack frame.
ESP points to the top of the stack (lower numerical address); it is often convenient to have a stack frame pointer (FP) which holds an address that point to a fixed location within a frame. Looking at the stack frame, local variables could be referenced by giving their offsets from ESP. However , as data are pushed onto the stack and popped off the stack, these offsets change, so the reference of the local variables is not consistent. Consequently, many compilers use another register, generally called Frame Pointer (FP), for referencing both local variables and parameters because their distances from FP do not change with PUSHes and POPs. On Intel CPUs, EBP (Extended Base Pointer) is used for this purpose.
Because the way stack grows, actual parameters have positive offsets and local variables have negative offsets from FP as shown below. Let examine the following simple C program.
- #include <stdio.h>
- int MyFunc(int parameter1, char parameter2)
- {
- int local1 = 9;
- char local2 = 'Z';
- return 0;
- }
- int main(int argc, char *argv[])
- {
- MyFunc(7, '8');
- return 0;
- }
And the memory layout will look something like this:
Each time a new function is called, the old value of EBP is the first to be pushed onto the stack and then the new value of ESP is moved to EBP. This new value of ESP held by EBP becomes the reference base to local variables that are needed to retrieve the stack section allocated for the new function call. As mentioned before, a stack grows downward to lower memory address. The stack pointer (ESP) points to the last address on the stack not the next free available address after the top of the stack.
每次在一个新的函数被调用时, 首先把EBP(SP)原来的值压入栈,然后新的ESP的值将会给EBP(SP). 由EBP保存的ESP的新值就变成了对本地变量的的参考基准, 这些本地变量需要在为新的函数调用而分配的栈段上被检索。 自如前面所讲的,一个栈指针朝着低内存地址向下增长。 指向栈的最后一个地址的栈指针并不是在栈顶之后的下一个可用地址。
其实就说栈指针并不一定是一个长得开始地址,只是当前的地址,他会随着出栈入栈而相应的变化,所以为了能够取到参数,需要一个固定的指针来作为基地址,这样读取参数时只要通过偏移量就可以取到了, 这个固定的指针就称为FP. 但是需要注意的是在函数被调用之前,编译器会在新的栈上放入参数等,所以只有在函数被调用时,SP的值才会给到FP, 今天总算是搞明白了。
The first thing a function must do when called is to save the previous EBP (so it can be restored by copying into the EIP at function exit later). Then it copies ESP into EBP to create the new stack frame pointer, and advances ESP to reserve space for the local variables. This code is called the procedure prolog . Upon function exit, the stack must be cleaned up again, something called the procedure epilog .
在函数真正的被调用之前。函数必须:
1. 首先保存先前的EBP, 用于在函数退出时把EBP的值给EIP,
2. 拷贝ESP的值给EBP,目的是创建新的栈frame指针,向前增加ESP来为本地变量预留空间
这样的代码叫做程序的prolog; 在函数退出时栈必须被清除干净,称为程序的epilog。
Using a very simple C program skeleton, the following tries to figure out function calls and stack frames construction/destruction.
- #include <stdio.h>
- int a();
- int b();
- int c();
- int a()
- {
- b();
- c();
- return 0;
- }
- int b()
- {
- return 0;
- }
- int c()
- {
- return 0;
- }
- int main()
- {
- a();
- return 0;
- }
By taking the stack area only, the following is what happen when the above program is run.
By referring the previous program example and above figure, when a program begins execution in the function main(), stack frame is created, space is allocated on the stack for all variables declared within main(). Then, when main() calls a function, a(), new stack frame is created for the variables in a() at the top of the main() stack. Any parameters passed by main() to a() are stored on the stack. If a() were to call any additional functions such as b() and c(), new stack frames would be allocated at the new top of the stack. Notice that the order of the execution happened in the sequence. When c(), b() and a() return, storage for their local variables are de-allocated, the stack frames are destroyed and the top of the stack returns to the previous condition. The order of the execution is in the reverse. As can be seen, the memory allocated in the stack area is used and reused during program execution. It should be clear that memory allocated in this area will contain garbage values left over from previous usage.
Ref:
http://www.tenouk.com/Bufferoverflowc/Bufferoverflow1c.html
http://www.tenouk.com/Bufferoverflowc/Bufferoverflow2.html
http://www.tenouk.com/Bufferoverflowc/Bufferoverflow2a.html
扫一扫
759
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
