1 15-410, S`14

Stack Discipline
Jan. 15, 2014
Dave Eckhardt Dave Eckhardt
SIides originaIIy stoIen from 15-213 SIides originaIIy stoIen from 15-213
15-410
"An Experience Like No Other"
2 15-410, S`14
Synchronization
Registration Registration
!
The wait Iist wiII probabIy be done today or tomorrow
!
If you're on a wait Iist and not an INI student...
!
...I am probabIy not considering you for this semester...
!
...perhaps because maiI I sent over the break was not answered?
!
...perhaps because I have not heard from your advisor?
!
If you're on the 605 wait Iist and you are an INI student...
!
...communicating with the INI may not be a bad idea.
!
If you're here but not on any wait Iist, see me right away
!
If you are an M.S. or or Ph.D. student and have not discussed
this cIass with your advisor, pIease do so today
!
We wiII not be registering graduate students without hearing from
their advisors
If you haven't taken 15-213 (A/B, maIIoc Iab ok) If you haven't taken 15-213 (A/B, maIIoc Iab ok)
!
Contact me no Iater than today
3 15-410, S`14
Outline
Topics Topics
!
Process memory modeI
!
IA32 stack organization
!
Register saving conventions
!
Before & after !"#$%&
!
Project 0
4 15-410, S`14
Why Only 32?
You may have Iearned x86-64 aka EMT64 aka AMD64 You may have Iearned x86-64 aka EMT64 aka AMD64
!
x86-64 is simpIer than x86(-32) for user program code
!
Lots of registers, registers more orthogonaI
Why wiII 410 be x86 / IA32? Why wiII 410 be x86 / IA32?
!
x86-64 is not simpIer for kerneI code
!
Machine begins in 16-bit mode, then 32, naIIy 64
You don't have time to write 32"64 transition code
If we gave it to you, it wouId be a big bIack box
!
x86-64 is not simpIer during debugging
!
More registers means more registers to have wrong vaIues
!
x86-64 virtuaI memory is a bit of a drag
!
More steps than x86-32, but not more inteIIectuaIIy stimuIating
!
There are stiII a Iot of 32-bit machines in the worId
!
...which can boot and run your personaI OS
5 15-410, S`14
Private Address Spaces
Each process has its own private address space. Each process has its own private address space.
kernel virtual memory
(code, data, heap, stack)
memory mapped region for
shared libraries
run-time heap
(managed by malloc)
user stack
(created at runtime)
unused
0
%esp (stack pointer)
memory
invisible to
user code
brk
0xc0000000
0x08048000
0x40000000
read/write segments
(.data, .bss)
read-only segments
(.init, .text, .rodata)
loaded from the
executable fle
0xffffffff
Warning: Warning:
numbers numbers
specic to specic to
Linux 2.x Linux 2.x
on IA32!! on IA32!!
Warning: Warning:
detaiIs vary detaiIs vary
by OS and by OS and
kerneI kerneI
version! version!
6 15-410, S`14
Linux Memory Layout
Stack Stack
!
Runtime stack (8MB Iimit by defauIt)
Heap Heap
!
DynamicaIIy aIIocated storage
!
Managed by malloc(), calloc(), new
Shared/Dynamic Libraries aka Shared Objects Shared/Dynamic Libraries aka Shared Objects
!
Library routines (e.g., printf(), malloc())
!
Linked into object code when rst executed
!
Windows has "DLLs (semantic differences)
Data, BSS Data, BSS
!
StaticaIIy aIIocated data (BSS starts aII-zero)
!
e.g., arrays & variabIes decIared in code
Text, RODATA Text, RODATA
!
Text - ExecutabIe machine instructions
!
RODATA - Read-onIy (e.g., "const)
!
String IiteraIs
Upper
2 hex
digits of
address
Red Hat
v. 6.2
~1920MB
memory
Iimit
FF
BF
7F
3F
C0
80
40
00
Stack
Shared
Libraries
Text
Data
Heap
Heap
08
7 15-410, S`14
Linux Memory Allocation
Linked
BF
7F
3F
80
40
00
Stack
Libraries
Text
Data
08
Some
Heap
BF
7F
3F
80
40
00
Stack
Libraries
Text
Data
Heap
08
More
Heap
BF
7F
3F
80
40
00
Stack
Libraries
Text
Data
Heap
Heap
08
InitiaIIy
BF
7F
3F
80
40
00
Stack
Text
Data
08
8 15-410, S`14
IA32 Stack
!
Region of memory managed
with stack discipIine
!
"Grows toward Iower
addresses
!
Register %esp indicates
Iowest stack address
!
address of "top eIement
!
stack pointer
Stack
Pointer
%esp
Stack Grows
Down
Increasing
Addresses
Stack "Top
Stack "Bottom
9 15-410, S`14
IA32 Stack Pushing
Pushing Pushing
!
pushl Src
!
Fetch operand from Src
!
Maybe a register: %ebp
!
Maybe memory: 8(%ebp)
!
Decrement %esp by 4
!
Store operand in memory at
address given by %esp
Stack Grows
Down
Increasing
Addresses
Stack "Top
Stack "Bottom
Stack
Pointer
%esp
-4
10 15-410, S`14
IA32 Stack Popping
Popping Popping
!
popl Dest
!
Read memory at address
given by %esp
!
Increment %esp by 4
!
Store into Dest operand
Stack
Pointer
%esp
Stack Grows
Down
Increasing
Addresses
Stack "Top
Stack "Bottom
+4
11 15-410, S`14
%esp
%eax
%edx
%esp
%eax
%edx
%esp
%eax
%edx
0x104
555
0x108
0x108
0x10c
0x110
0x104
555
213
213
123
Stack Operation Examples
0x108
0x10c
0x110
555
213
123
0x108 0x104
pushl %eax
0x108
0x10c
0x110
213
123
0x104
213
popl %edx
0x108
213
15-410, F'11
12
Procedure Control Flow
!
Use stack to support procedure caII and return
Procedure caII: Procedure caII:
call !"#$! '()* ,-.(,$ "//,-))0 1(!2 .3 !"#$!
" "Return address? Return address?
!
Address of instruction after call
!
ExampIe from disassembIy
804845-6 -7 8/ 9: 99 99 ;"<< 7957=>9 ?!"#$>
8048553: 50 pushl %eax
!
Return address = 0x8048553
Procedure return: Procedure return:
ret '32 "//,-)) @,3! ).";A0 1(!2 .3 "//,-))
13 15-410, S`14
%esp
%eip
%esp
%eip 0x804854e
0x108
0x108
0x10c
0x110
0x104
0x804854e
0x8048553
123
Procedure Call Example
0x108
0x10c
0x110
123
0x108
call 8048b90
804854e: e8 3d 06 00 00 call 8048b90 <main>
8048553: 50 pushl %eax
0x8048b90
0x104
%eip is program counter
14 15-410, S`14
%esp
%eip
0x104
%esp
%eip 0x8048591 0x8048591
0x104 0x104
0x108
0x10c
0x110
0x8048553
123
Procedure Return Example
0x108
0x10c
0x110
123
ret
8048591: c3 ret
0x108
%eip is program counter
0x8048553
0x8048553
15 15-410, S`14
Stack-Based Languages
Languages that support recursion Languages that support recursion
!
e.g., C, PascaI, Java
!
Code must be "reentrant
!
MuItipIe instantiations of a singIe procedure "Iive at same time
!
Need some pIace to store state of each instantiation
!
Arguments
!
LocaI variabIes
!
Return pointer (maybe)
!
Weird things (static Iinks, exception handIing, .)
Stack discipIine - key observation Stack discipIine - key observation
!
State for given procedure needed for Iimited time
!
From time of caII to time of return
!
Note: caIIee returns before caIIer does
Therefore stack aIIocated in nested Therefore stack aIIocated in nested frames frames
!
State for singIe procedure instantiation
16 15-410, S`14
Call Chain Example
Code Structure Code Structure
yoo(.)
{
-
-
who();
-
-
}
who(.)
{
- - -
amI();
- - -
amI();
- - -
}
amI(.)
{
-
-
amI();
-
-
}
yoo
who
amI
amI
amI
CaII Chain
!
Procedure amI()
recursive
amI
17 15-410, S`14
Stack
Pointer
%esp
yoo
who
proc
Frame
Pointer
%ebp
Stack
"Top
Stack Frames
Contents Contents
!
LocaI variabIes
!
Return information
!
Temporary space
Management Management
!
Space aIIocated when enter
procedure
!
"Set-up code
!
DeaIIocated when return
!
"Finish code
Pointers Pointers
!
Stack pointer %esp indicates
stack top
!
Frame pointer %ebp indicates
start of current frame
amI
18 15-410, S`14
IA32/Linux Stack Frame
Current Stack Frame ("Top Current Stack Frame ("Top
to "Bottom) to "Bottom)
!
Parameters for function
we're about to caII
!
"Argument buiId
!
LocaI variabIes
!
If don't aII t in registers
!
CaIIer's saved registers
!
CaIIer's saved frame pointer
CaIIer's Stack Frame CaIIer's Stack Frame
!
Return address
!
Pushed by call instruction
!
Arguments for this caII
Stack Pointer
(%esp)
Frame Pointer
(%ebp)
Return Addr
Saved
Registers
+
LocaI
VariabIes
Argument
BuiId
OId %ebp
Arguments
CaIIer
Frame
19 15-410, S`14
swap()
void swap(int *xp, int *yp)
{
int t0 = *xp;
int t1 = *yp;
*xp = t1;
*yp = t0;
}
int zip1 = 15213;
int zip2 = 91125;
void call_swap()
{
swap(&zip1, &zip2);
}
call_swap:
- - -
pushl $zip2 # Global var
pushl $zip1 # Global var
call swap
- - -
&zip2
&zip1
Rtn adr %esp
ResuIting
Stack

CaIIing swap from call_swap

20 15-410, S`14
swap()
void swap(int *xp, int *yp)
{
int t0 = *xp;
int t1 = *yp;
*xp = t1;
*yp = t0;
}
swap:
pushl %ebp
movl %esp,%ebp
pushl %ebx
movl 12(%ebp),%ecx
movl 8(%ebp),%edx
movl (%ecx),%eax
movl (%edx),%ebx
movl %eax,(%edx)
movl %ebx,(%ecx)
movl -4(%ebp),%ebx
movl %ebp,%esp
popl %ebp
ret
Body
Set
Up
Finish
Core
21 15-410, S`14
swap() Setup
swap:
pushl %ebp
movl %esp,%ebp
pushl %ebx
&zip2
&zip1
Rtn adr %esp
Entering
Stack

%ebp
22 15-410, S`14
swap() Setup #1
swap:
pushl %ebp
movl %esp,%ebp
pushl %ebx
ResuIting
Stack
&zip2
&zip1
Rtn adr %esp
Entering
Stack

%ebp
yp
xp
Rtn adr
OId %ebp
%ebp

%esp
23 15-410, S`14
swap() Setup #2
swap:
pushl %ebp
movl %esp,%ebp
pushl %ebx
yp
xp
Rtn adr
OId %ebp
%ebp
ResuIting
Stack

&zip2
&zip1
Rtn adr %esp
Entering
Stack

%ebp
%esp
24 15-410, S`14
swap() Setup #3
swap:
pushl %ebp
movl %esp,%ebp
pushl %ebx
yp
xp
Rtn adr
OId %ebp
%ebp
ResuIting
Stack

&zip2
&zip1
Rtn adr %esp
Entering
Stack

%ebp
OId %ebx %esp
25 15-410, S`14
Effect of swap() Setup
yp
xp
Rtn adr
OId %ebp
%ebp
0
4
8
12
Offset
(reIative to %ebp)
ResuIting
Stack

&zip2
&zip1
Rtn adr %esp
Entering
Stack

%ebp
OId %ebx %esp
movl 12(%ebp),%ecx # get yp
movl 8(%ebp),%edx # get xp
. . .
Body
-4
26 15-410, S`14
swap() Finish #1
movl -4(%ebp),%ebx
movl %ebp,%esp
popl %ebp
ret
yp
xp
Rtn adr
OId %ebp
%ebp
0
4
8
12
Offset
swap's
Stack

OId %ebx %esp -4

Observation Observation
!
Restoring saved register %ebx
!
"HoId that thought
yp
xp
Rtn adr
OId %ebp
%ebp
0
4
8
12
Offset

OId %ebx %esp -4

27 15-410, S`14
swap() Finish #2
movl -4(%ebp),%ebx
movl %ebp,%esp
popl %ebp
ret
yp
xp
Rtn adr
OId %ebp
%ebp
0
4
8
12
Offset
swap's
Stack

OId %ebx %esp -4

yp
xp
Rtn adr
OId %ebp
%ebp
0
4
8
12
Offset
swap's
Stack

%esp
28 15-410, S`14
swap() Finish #3
movl -4(%ebp),%ebx
movl %ebp,%esp
popl %ebp
ret
yp
xp
Rtn adr
%ebp
4
8
12
Offset
swap's
Stack

yp
xp
Rtn adr
OId %ebp %ebp 0
4
8
12
Offset
swap's
Stack

%esp
%esp
29 15-410, S`14
swap() Finish #4
movl -4(%ebp),%ebx
movl %ebp,%esp
popl %ebp
ret
&zip2
&zip1 %esp
Exiting
Stack

%ebp
Observation/query Observation/query
!
Saved & restored caIIer's register %ebx
!
Didn't do so for %eax, %ecx, or %edx!
yp
xp
Rtn adr
%ebp
4
8
12
Offset
swap's
Stack

%esp
30 15-410, S`14
Register Saving Conventions
When procedure When procedure yoo() yoo() caIIs caIIs who() who(): :
!
yoo() is the caller, who() is the callee
Can a register be used for temporary storage? Can a register be used for temporary storage?
!
Contents of register %edx overwritten by who()
yoo:
- - -
movl $15213, %edx
call who
addl %edx, %eax
- - -
ret
who:
- - -
movl 8(%ebp), %edx
addl $91125, %edx
- - -
ret
31 15-410, S`14
Register Saving Conventions
When procedure When procedure yoo() yoo() caIIs caIIs who() who(): :
!
yoo() is the caller, who() is the callee
Can a register be used for temporary storage? Can a register be used for temporary storage?
Denitions Denitions
!
"CaIIer Save register
!
CaIIer saves temporary in its frame before caIIing
!
"CaIIee Save register
!
CaIIee saves temporary in its frame before using
Conventions Conventions
!
Which registers are caIIer-save, caIIee-save?
32 15-410, S`14
IA32/Linux Register Usage
Integer Registers Integer Registers
!
Two have speciaI uses
!
%ebp, %esp
!
Three managed as
caIIee-save
!
%ebx, %esi, %edi
!
OId vaIues saved on
stack prior to using
!
Three managed as
caIIer-save
!
%eax, %edx, %ecx
!
Do what you pIease,
but expect any caIIee
to do so, as weII
!
Register %eax aIso
hoIds return vaIue
%eax
%edx
%ecx
%ebx
%esi
%edi
%esp
%ebp
CaIIer-Save
Temporaries
CaIIee-Save
Temporaries
SpeciaI
33 15-410, S`14
Stack Summary
Stack makes recursion work Stack makes recursion work
!
Private storage for each instance of procedure caII
!
Instantiations don't cIobber each other
!
Addressing of IocaIs + arguments can be reIative to stack
positions
!
Can be managed by stack discipIine
!
Procedures return in inverse order of caIIs
IA32 procedures: instructions + conventions IA32 procedures: instructions + conventions
!
call / ret instructions mix %eip, %esp in a xed way
!
Register usage conventions
!
CaIIer / CaIIee save
!
%ebp and %esp
!
Stack frame organization conventions
!
Which argument is pushed rst
34 15-410, S`14
Before & After !"#$%&
int main(int argc, char *argv[]) {
if (argc > 1) {
printf(%s\n, argv[1]);
} else {
char * av[3] = { 0, 0, 0 };
av[0] = argv[0]; av[1] = Fred;
execvp(av[0], av);
}
return (0);
}
35 15-410, S`14
The Mysterious Parts
argc, argv argc, argv
!
Strings from one program
!
AvaiIabIe whiIe another program is running
!
Which part of the memory map are they in?
!
How did they get there?
What happens when What happens when !"#$%& !"#$%& does " does ",-.(,$%9& ,-.(,$%9&??? ???
!
There's no more program to run...right?
!
Where does the 0 go?
!
How does it get there?
410 students shouId seek to aboIish mystery 410 students shouId seek to aboIish mystery
36 15-410, S`14
The Mysterious Parts
argc, argv argc, argv
!
Strings from one program
!
AvaiIabIe whiIe another program is running
!
Inter-process sharing/information transfer is OS's job
!
OS copies strings from oId address space to new in exec()
!
TraditionaIIy pIaced "beIow bottom of stack
!
Other weird things (environment, auxiIiary vector) (above argv)
!"#$%&
2,#$.@%&
BBBB
arg
vector
37 15-410, S`14
The Mysterious Parts
What happens when What happens when !"#$%& !"#$%& does " does ",-.(,$%9& ,-.(,$%9&? ?
!
Dened by C to have same effect as "-C#.%9&
!
But how??
38 15-410, S`14
The Mysterious Parts
What happens when What happens when !"#$%& !"#$%& does " does ",-.(,$%9& ,-.(,$%9&? ?
!
Dened by C to have same effect as "-C#.%9&
!
But how??
The "main() wrapper The "main() wrapper
!
Receives argc, argv from OS
!
CaIIs main(), then caIIs exit()
!
Provided by C Iibrary, traditionaIIy in "crt0.s
!
Often has a "strange name
/* not actual code */
void ~~main(int argc, char *argv[]) {
exit(main(argc, argv));
}
39 15-410, S`14
Project 0 - "Stack Crawler"
C/AssembIy function C/AssembIy function
!
Can be caIIed by any C function
!
Prints stack frames in a symboIic way
DDDE.";A F,";- G3<<3H)DDD
G($;.#3$ @($8%;IJ;JK /ILB9>9999&K #$
G($;.#3$ @($L%@I84B999999&K #$
G($;.#3$ @($M%;3($.I9&K #$
G($;.#3$ @($M%;3($.IM&K #$
G($;.#3$ @($M%;3($.IL&K #$
BBB
40 15-410, S`14
Project 0 - "Stack Crawler"
ConceptuaIIy easy ConceptuaIIy easy
!
CaIIing convention species Iayout of stack
!
Stack is "just memory - C happiIy Iets you read & write
Key questions Key questions
!
How do I know 0x80334720 is "@($M?
!
How do I know fun3()'s second parameter is caIIed "/?
41 15-410, S`14
Project 0 "Data Flow"
!"#$% &'$%
&'()*+',*-$%
symbol-table array
many slots, blank
42 15-410, S`14
Project 0 "Data Flow" - Compilation
!"#$+
*.'&/,%0',%1$,
&'$+
&'()*+',*-$+
43 15-410, S`14
Project 0 "Data Flow" - Linking
!"#
&'$+
&'()*+',*-$+
!"#$+
20'"))0/ .#!+
44 15-410, S`14
Project 0 "Data Flow" - P0 "Post-Linking"
!"#
&'$+
&'()*+',*-$+
!"#$+
20'"))0/ .#!+
simpliIy
-45&,')0#
mutate
45 15-410, S`14
Summary
Review of stack knowIedge Review of stack knowIedge
What makes What makes !"#$%& !"#$%& speciaI speciaI
Project 0 overview Project 0 overview
Look for handout this evening
Start interviewing Project 2/3/4 partners! Start interviewing Project 2/3/4 partners!