Reading Notes _ Stack

Stack concept: From the data structure point of view, stack is a container for storing data. The operation for storing data is called push ), the operation to retrieve data from the stack is called pop, which adopts the following first-in-first-out rule, that is, LIFO. From the computer system perspective, stack is the continuous memory area that is essential for storing local variables and function calls. When the compiler re-compiles, it will compile function calls and local variable access into appropriate stack operations. When creating a thread, the operating system creates a stack for each thread, including allocating the memory space required by the stack and the initial data structure and registers. Taking x86 system as an example, the SS (stack Segment) register is used to describe the memory Segment of the stack, ESP (Extended
Stack Pointer) registers are used to record the Stack top address.

CPU execution process: first, assuming that the SS and ESP registers have already pointed to a set stack, write data to the memory address pointed to by ESP when executing the PUSH command, and then adjust the ESP value, point to the top of the new stack. When the POP command is executed, the data pops up from the top of the stack and the ESP value is adjusted. Stack is also used when the CPU executes CALL and RET function CALL commands.

From the thread perspective, stack is a required facility for every windows thread. In Windows, each thread has at least one stack. Each thread except the system thread has two stacks, one for the thread to be executed in the user State, it is called the user State stack and the other is used by the thread during kernel state execution. It is called the kernel state stack. In a running multi-task system, there are many stacks because of the existence of multiple threads, but for the CPU, it only uses the current stack, the stack pointed to by the SS and ESP registers. When the system switches between different tasks and between the kernel and user States in the same task, the system will ensure that the SS and ESP registers always point to the appropriate stack. In x86 systems, stacks grow toward low addresses. Stack pressure will make the ESP value smaller, and the ESP value larger when the stack is pushed out, that is, the address pushed into the stack is smaller.

When a thread needs to call the kernel service, it needs to switch from user to kernel. This process is called context switch. Because of security issues, the same stack is not used for user-mode code and kernel service code. Therefore, x86 systems have different stacks based on different privileged levels, when the kuatte permission level is used, different stacks need to be switched. The task Status section (TSS) of each task records the basic stack information (SS segment information and ESP Stack pointer) used by different priorities ), the CPU uses these methods to find the addresses of different stacks under different privileged levels. There are actually only two stacks, because Windows only has one privileged level, which is called user mode stack and kernel mode stack.

The basic data structure maintained by each thread in Windows records the basic information of the kernel state stack and user State stack. The kernel state stack is recorded in the _ kthread structure, the user State stack is recorded in the _ Teb structure.

Every windows thread has a data structure named _ kthread, which is located in the kernel space. It is an important basis for Windows to manage and record thread information and perform thread scheduling.

In the _ kthread structure, several members are used to record stack information.

Stackbase: The base address of the kernel state stack, that is, the starting address of the stack.

Stacklimit: the boundary of the kernel state stack. Because the stack grows down, its value is equal to stackbase minus the size of the kernel state stack.

Largestack: whether the stack has been switched to a large kernel state Stack

Kernelstack: The top stack address of the kernel state stack, used to save the top stack address (ESP)

Kernelstackresident: whether the kernel state stack is in physical memory

Initialstack: used to record the original top position of the stack when the kernel-State Code reversely calls the user-State Code

Callbackstack: used for reverse calling. It is used to record the stack pointer value before Vista.

You can use the. Thread command of windbg to obtain the _ ETHREAD address of a thread, and then use DT nt! _ Kthread [address] to obtain the preceding fields.

Because of the speed and support for multiple processors, windows does not use the x86CPU hardware-level character switching mechanism, but in order to allow the CPU to find the appropriate stack information during mode switching, windows creates a shared TSS segment for common threads in the system. When a software-based task is switched, Windows copies the kernel-state stack information of the current task to the TSS segment. The basic information of the user State stack is recorded in the thread information block (_ NT_TIB) structure. NT_TIB is the first part of the thread environment (TEB) structure, therefore, the _ NT_TIB structure can be displayed based on the TEB address. The basic functions of the User-state stack and kernel stack are the same. The difference is that the user-state stack is allocated to the user space of the process in which the user-state stack is located, and the kernel stack is allocated to the system space. User space is shared, while system space is global. That is to say, there are many user spaces in a system, and there is only one system space. Each process has its own 2 GB user space, that is, each process can use 0 ~ 0x7FFFFFFF, while the system space is global, the entire system only has 0x8000000 ~ 0xFFFFFFFF, 2 GB space, is shared by all processes. The size of a user-mode stack can be specified. The default size is 1 MB, while the kernel-mode stack is completely controlled by the system. The size varies depending on the processor structure, generally, the size ranges from 10 KB to dozens of KB. The following figure shows the default kernel state stack size for windows systems based on different processors.

In the x86CPU system, the initial size of the kernel state stack is 12KB.

In the x64CPU (Intel64 and AMD64) system, the core State stack is about 24KB, And the Itanium (Itanium) processor is about 32KB.

A gui thread usually needs a larger kernel state stack when calling kernel services such as GDI. Therefore, after a thread is changed to a GUI thread, windows will create a larger and increasing kernel state stack for it to replace the original stack, which is called a large Kernel stack.