A program, understanding the stack frame

Source: Internet
Author: User

First, understanding the stack frame

Let's take a look at some magical code:

650) this.width=650; "title=" 1.png "alt=" Wkiom1dioatxgyu3aacn-rpzxjg163.png "src=" http://s2.51cto.com/wyfs02/M00/ 82/db/wkiom1dioatxgyu3aacn-rpzxjg163.png "/>

(under Windows, code below)

#include <stdio.h> #include <stdlib.h> #include <windows.h>void fun () {printf ("done\n"); Sleep (2000);   printf ("Suppose the computer would Shut down~~~~\n"); What if the above line is replaced with system ("reboot")? Sleep (2000); Exit (1);} int fun1 (int a, int b) {int *p = &a; p--; *p = fun; int c = 0XCCCC; return c;} int main () {printf ("Begin run...\n"); int a = 0; int b = 1; fun1 (A, b); printf ("You should run Here\n"); return 0;}

The result of the execution is:

Under Linux:

650) this.width=650; "title=" Qq20160616205819.png "alt=" wkiol1dio5ygvwh0aaa2lljsos8997.png "src="/HTTP/ S5.51cto.com/wyfs02/m00/82/da/wkiol1dio5ygvwh0aaa2lljsos8997.png "/>

Win under:

650) this.width=650; "title=" 3.png "alt=" Wkiol1dio8ei0jdjaaahh3ymuqk709.png "src=" http://s1.51cto.com/wyfs02/M01/ 82/da/wkiol1dio8ei0jdjaaahh3ymuqk709.png "/>

The results seem different than we expected.

In a logical sense, the program starts with the main execution

Call the FUN1 function in the middle

After the call is complete, you should continue with the following printf

Then output:

Should run here

In fact, the program eventually enters the fun function

The reason for this is because of the stack frame .

If you're curious about what's going on up there, you can look down.

Ii. explanation of the principle

On the stack frame , Baidu Encyclopedia is explained this way:

In the C language, each stack frame corresponds to a function that is not running out. The return address and local variables of the function are saved in the stack frame.

In other words, the above code can be understood in memory:

650) this.width=650; "title=" 4.png "style=" height:541px;width:351px; "alt=" Wkiol1diqh_ivwi8aabflbfxhpw385.png "src= "Http://s4.51cto.com/wyfs02/M01/82/DB/wKioL1diqh_ivWi8AABFlbFXhPw385.png" width= "464" height= "616"/>

To explain briefly,

We know that the variables defined in the functions in the C language are created on the stack, and this image represents the stack memory,

Its address from top to bottom indicates from big to small

In the main function, a B is put into the stack successively,

Then call FUN1 (A, B)

The picture of this fun1 () is not actually accurate, it should be the return address

This return address means: After executing fun1 (A, B), you should return to this place and then execute the remaining code in the main function.

Also, between FUN1 () and B, there should be one thing: the stack pointer, EBP (not shown)

Then the parameter a b is a local variable, and it is also placed into the stack,

With the Debug tool, you can see that the address of a B is shown in the figure

Then define a pointer p pointing to a

Next p--, when P points to the address is 0x0018fc20, that is, the return address just said

At this point, it should be possible to find that the return address has changed and become a fun address.

That is, when the FUN1 () is executed, the program does not return to the place where it was called in the main function, but then calls the fun function

650) this.width=650; "title=" 5.png "alt=" Wkiom1diq8ix2p3taabjxz8vme0189.png "src=" http://s2.51cto.com/wyfs02/M01/ 82/dc/wkiom1diq8ix2p3taabjxz8vme0189.png "/>

This causes the program to enter a place that we have no idea of, invoking a function that we didn't want to call.

And because of the loss of this return address, after the call is finished, the program will also hang up because it cannot find the return address.

(I executed exit (1) in the code; This sentence forcibly terminates the procedure)

The above is the explanation of the principle of the code.

Next, you can do one thing with the knowledge of the stack frame just getting to:

Third, modify the value of B

Requirements: Do not directly modify a, b variables, and through the stack frame, to modify the value of a and B variables

Code:

void fun1 (int a, int b) {int *p = &a; P-= 2; int returnaddr = *p; The return value//modifies a p in main = ReturnAddr-4 * 2; *p = 11111; Modify the b p = ReturnAddr-4 * 5 in main; *p = 12345;} int main () {printf ("Begin run...\n"); int a = 0; int b = 1; fun1 (A, b); printf ("You should run here\n"); printf ("%d\n", a) ; printf ("%d\n", b); return 0;}

Previously drawn memory diagram is relatively simple, to achieve this requirement, we must further understand how the stack frame is stored, the following is a detailed stack memory diagram:

650) this.width=650; "title=" 6.png "alt=" Wkiol1diu7wa992laaa_puuqfy0463.png "src=" http://s4.51cto.com/wyfs02/M00/ 82/db/wkiol1diu7wa992laaa_puuqfy0463.png "/>

Linux Code:

650) this.width=650; "title=" 7.png "alt=" Wkiom1dizxajndyraab2f4y7ymw939.png "src=" http://s4.51cto.com/wyfs02/M00/ 82/dc/wkiom1dizxajndyraab2f4y7ymw939.png "/>

Run results

650) this.width=650; "title=" 8.png "alt=" Wkiom1dizzaqhhppaaap5gw3dog271.png "src=" http://s1.51cto.com/wyfs02/M01/ 82/dc/wkiom1dizzaqhhppaaap5gw3dog271.png "/>

(The stack frame holds different rules for GCC and vs compiled programs)

A program, understanding the stack frame

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.