Simple analysis of C language function call stack

C language function call stack analysis

has been doing relatively low-level programming, long ago to write an article on the C language Call stack related articles. Just this time with a colleague to do the debug tool. Which is to do a call stack function. I then reopened the IA32 document and recorded the principle of the C call stack as follows. Table of Contents 1 Why should there be compilations. 2 will be used before and after the registers 3 function calls, ESP changes 4 How do I get call Stack? 5 Instance Analysis 5.1 Source code 5.2 Register value before calling Foo () 5.3 Value of registers after calling Foo () content inside the 5.4 stack 1  why bootloader and bios need to assemble. This is actually a question that is often asked. Why can't we just use the C language? Can not use the assembly, all BIOS and boot loader code is written in C. This question is often asked, but few people think about it. The answer, of course, is no. Why, then? This is closely related to what we are going to talk about today. C language operation is inseparable from the stack. No stacks, where the temporary variables are placed. How to pass the parameters. But the assembly is not required, in the assembler we can directly manipulate the register. 2  Register Introduction IA32 has a lot of registers, we are here mainly to use the register as follows: Eip:instruction pointer program counters, record the current program running the address ebp:base pointer base register esp:stack pointer stack pointer registers the stack pointer changes before and after the 3  function call the stack grows in a way that is inverted, that is, it grows from a high address to a low address, so when the function is called, the call parameters are pushed from right to left, so the advantage is that when we pop the stack, we get the positive sequence Parameters. And you don't have to know the number of parameters to get the arguments. Imagine if we were to press the stack from left to right. So, when we get into the function, we need to know how many parameters we have, because the parameters are in reverse order when we want to arg1. After the parameter is pressed, then the EIP is called, that is, the address of the next instruction of the function. This allows the called function to be completed before it knows where to go and where to proceed.

 Low Address   ---> +---------+
                   |   ...   | 
                   |   EIP   | <---New ESP
                   |   Arg1  |
                   |   Arg2  |
                   |   Arg3  |
                   |   ...   | 
                   |   Argn  |
                   |   ...   | <---old ESP
                   |   ...   | 
                   |   ...   | 
High Address--->  +---------+

into the C language function, the system will then do another thing, is the pressure ebp into the stack. And then put the current ESP=>EBP.

 Low Address   ---> +---------+
                   |   ...   | 
         EBP  ---> | Old EBP | <---New ESP
                   |   EIP   | <---old ESP
                   |   Arg1  |
                   |   Arg2  |
                   |   Arg3  |
                   |   ...   | 
                   |   Argn  |
                   |   ...   | 
                   |   ...   | 
High Address--->  +---------+

4 How do I get the call Stack for a function?From the previous analysis, we can see that when the function call is complete, the location that EBP points to stores the value before the function call EBP. (ebp+4) is the location of the program's return address (EIP). So through EBP we can constantly get to the position of the last ebp, and we can constantly get the return address of the last program call.

 Low Address   ---> +---------+ +---------+ +       ---------+  
                   |   ...   |        |   ...   |       |   ...   |
         EBP  ---> | Old EBP |   -->  | Old EBP |  -->  | Old EBP |
                   |   EIP   |        |   EIP   |       |   EIP   |
                   |   Arg1  |        |   Arg1  |       |   Arg1  |
                   |   Arg2  |        |   Arg2  |       |   Arg2  |
                   |   Arg3  |        |   Arg3  |       |   Arg3  |
                   |   ...   |        |   ...   |       |   ...   |
                   |   Argn  |        |   Argn  |       |   Argn  |
                   |   ...   |        |   ...   |       |   ...   |
                   |   ...   |        |   ...   |       |   ...   |
High Address---> +---------+ +---------+ +       ---------+

5 Example AnalysisThe following code is very simple, the main want to use a practical example to test the above mentioned theory.5.1 Source CodeThe Foo function is defined as int foo (int a, int b). There are two input parameters. Called by the main function. The following is a major analysis of the call procedure for the Foo function.

#include "stdafx.h"

int foo (intint b)
{
    int sum = 0;
    sum = a + b;
     return sum;
}

int _tmain (int_tchar* argv[])
{
    foo (1, 2);
     return 0;
}

5.2 Register value before calling foo ()

5.3 The value of the register after calling Foo () sets the breakpoint to the first assembly statement after the function call. At this point, the function has not been pressed into the EBP,ESP from 0xfaf958 into 0xfaf94c. 12 bytes less. Then look at the definition of the Foo function, a total of two parameters, plus the push of the EIP is just 12 bytes.

5.4 The contents of the stack from the following figure can be seen, at this time has not been pressed into the EBP

Press into the contents of the EBP front stack: EIP (0x002d1417), parameter a = 1, parameter b = 2.

After pressing into the EBP the contents register changes in the stack, before the EBP into the stack, ESP (0x00faf948) => EBP

Stack of changes, stacks of EBP (0x00fafa24)

Date:2014-07-20 13:29:59

HTML generated by Org-mode 6.31a in Emacs 23