You are on page 1of 47

15-410

“An Experience Like No Other”

IA32 Stack Discipline


Aug 30, 2017
Dave Eckhardt
Dave O’Hallaron

Slides originally stolen from 15-213

1 15-410, F’17
Synchronization
Registration
n  The wait list will probably be done today or tomorrow
n  I don't think everybody will fit
n  If you're here but not on any wait list, see me right away
n  ECE undergrad: most likely 5/15 will fit (could be more)
n  ECE M.S.: 4/7 likely?
n  INI: most likely 10/20?
n  If you are an M.S. or or Ph.D. student and have not discussed
this class with your advisor, do so today
n  We will not be registering graduate students without hearing from
their advisors
n  Some people are being added this morning
n  If you receive mail from an administrator, please reply the same
day

If you haven't taken 15-213 (A/B, malloc lab ok)


n  Contact me no later than today
2 15-410, F’17
Why Only 32?
You learned x86-64 in 213
n  Most machines (even phones!) are 64-bit these days
n  x86-64 is simpler than IA32 for user code

Why will 410 be IA32?


n  x86-64 is not simpler for kernel code
n  Machine begins in 16-bit mode, then 32, finally 64
n  Interrupts are more complicated
n  x86-64 is not simpler during debugging
n  More registers means more registers to have wrong values
n  x86-64 virtual memory is a bit of a drag
n  More steps than x86-32, but not more intellectually stimulating
n  There are still a lot of 32-bit machines in the world
n  ...which can boot and run your personal OS

3 15-410, F’17
IA32 vs x86-64
Generating IA32 code:
gcc –m32 –o hello hello.c

Key differences:
•  IA32 has only 8 32-bit general purpose registers
•  IA32 might use %ebp as a stack frame pointer.
gcc –m32 -fno-stack-protector -fno-omit-frame-pointer …

•  IA32 passes arguments on the stack rather than in registers


•  IA32 has different caller/callee-save register conventions

Detailed IA32 Summary:


http://csapp.cs.cmu.edu/3e/waside/waside-ia32.pdf
4 15-410, F’17
IA32/Linux Registers
32 bits
Integer Registers
n  Two have special uses
n  %ebp, %esp
n  Three managed as Caller-Save %eax
callee-save Temporaries
%edx
n  %ebx, %esi, %edi
n  Old values saved on %ecx
stack prior to using
n  Three managed as Callee-Save %ebx
Temporaries
caller-save %esi
n  %eax, %edx, %ecx
n  Do what you please, %edi
but expect any callee
to do so, as well %esp
Special
n  Register %eax also %ebp
holds return value

5 15-410, F’17
Private Address Spaces
Each process has its own private address space.
0xffffffff
kernel virtual memory memory
(code, data, heap, stack) invisible to
0xc0000000 user code
user stack
(created at runtime)
%esp (stack pointer)

memory mapped region for Warning:


0x40000000
shared libraries details vary
by OS and
Warning: kernel
numbers brk
specific to
run-time heap
(managed by malloc)
version!
Linux 2.x read/write segments
on IA32!! (.data, .bss)
loaded from the
read-only segments executable file
(.init, .text, .rodata)
0x08048000
unused
0
6 15-410, F’17
IA32 Stack
Stack “Bottom”
n  Region of memory managed
with stack discipline
n  “Grows” toward lower
addresses
Increasing
n  Register %esp indicates Addresses
lowest stack address
n  address of “top” element
n  stack pointer

Stack Grows
Stack Down
Pointer
%esp

Stack “Top”

7 15-410, F’17
IA32 Stack Pushing
Pushing Stack “Bottom”
n  pushl Src
n  Fetch operand from Src
n  Maybe a register: %ebp
Increasing
n  Maybe memory: 8(%ebp) Addresses
n  Decrement %esp by 4
n  Store operand in memory at
address given by %esp

Stack Grows
Down
Stack
Pointer
%esp -4

Stack “Top”
8 15-410, F’17
IA32 Stack Popping
Popping Stack “Bottom”
n  popl Dest
n  Read memory at address
given by %esp
Increasing
n  Increment %esp by 4 Addresses
n  Store into Dest operand

Stack
Pointer Stack Grows
%esp Down
+4

Stack “Top”

9 15-410, F’17
Stack Operation Examples
pushl %eax popl %edx

0x110 0x110 0x110


0x10c 0x10c 0x10c
0x108 123 0x108 123 0x108 123
0x104 213 0x104 213

%eax 213 %eax 213 %eax 213


%edx 555 %edx 555 %edx 555
213
%esp 0x108 %esp 0x108
0x104 %esp 0x104
0x108

10 15-410, F’17
Procedure Control Flow
n  Use stack to support procedure call and return
Procedure call:
•  call label Push return address;
Jump to label
“Return address”?
n  Address of instruction after call
n  Example from disassembly
n  804854e: e8 3d 06 00 00 call 8048b90 <main>
n  8048553: 50 pushl %eax
»  Return address = 0x8048553

Procedure return:
•  ret Pop address from stack;
Jump to address

11 15-410, F’17
Procedure Call Example
804854e: e8 3d 06 00 00 call 8048b90 <main>
8048553: 50 pushl %eax

call 8048b90

0x110 0x110
0x10c 0x10c
0x108 123 0x108 123
0x104 0x8048553

%esp 0x108 %esp 0x108


0x104

%eip 0x804854e %eip 0x8048b90


0x804854e

%eip is program counter

12 15-410, F’17
Procedure Return Example
8048591: c3 ret

ret

0x110 0x110
0x10c 0x10c
0x108 123 0x108 123
0x104 0x8048553 0x8048553

%esp 0x104 %esp 0x104


0x108

%eip 0x8048591 %eip 0x8048553


0x8048591

%eip is program counter

13 15-410, F’17
Stack-Based Languages
Languages that support recursion
n  e.g., C, Pascal, Java
n  Code must be “reentrant”
n  Multiple instantiations of a single procedure “live” at same time
n  Need some place to store state of each instantiation
n  Arguments
n  Local variables
n  Return pointer (maybe)
n  Weird things (static links, exception handling, …)
Stack discipline – key observation
n  State for given procedure needed for limited time
n  From time of call to time of return
n  Note: callee returns before caller does
Therefore stack allocated in nested frames
n  State for single procedure instantiation

14 15-410, F’17
Call Chain Example
Code Structure
Call Chain
yoo(…)
{
• yoo

who(); who(…)
• { who
• • • •
} amI();
amI amI
• • •
amI();
• • • amI(…) amI
} {

• amI
amI();
n  Procedure amI() •
recursive •
}

15 15-410, F’17
Stack Frames
Contents
n  Local variables yoo
n  Return information
who
n  Temporary space
amI
Management
n  Space allocated when enter
procedure
n  “Set-up” code
Frame
n  Deallocated when return Pointer
n  “Finish” code %ebp
proc
Pointers Stack
n  Stack pointer %esp indicates Pointer
stack top %esp Stack
“Top”
n  Frame pointer %ebp indicates
start of current frame

16 15-410, F’17
IA32/Linux Stack Frame
Current Stack Frame (“Top”
to “Bottom”)
n  Parameters for function we're Caller
about to call Frame
n  “Argument build”
n  Local variables Arguments
n  If don't all fit in registers Frame Pointer Return Addr
n  Caller's saved registers (%ebp) Old %ebp
n  Caller's saved frame pointer
Saved
Caller's Stack Frame Registers
n  Return address +
Local
n  Pushed by call instruction Variables
n  Arguments for this call
Argument
Stack Pointer Build
(%esp)

17 15-410, F’17
swap()
Calling swap from call_swap
int zip1 = 15213; call_swap:
int zip2 = 91125; • • •
pushl $zip2 # Global var
void call_swap() pushl $zip1 # Global var
{ call swap
swap(&zip1, &zip2); • • •
}

• Resulting

• Stack
void swap(int *xp, int *yp)
{
int t0 = *xp; &zip2
int t1 = *yp;
*xp = t1; &zip1
*yp = t0;
} Rtn adr %esp

18 15-410, F’17
swap()
swap:
pushl %ebp
movl %esp,%ebp Set
pushl %ebx Up
void swap(int *xp, int *yp)
{ movl 12(%ebp),%ecx
int t0 = *xp; movl 8(%ebp),%edx
int t1 = *yp; movl (%ecx),%eax
*xp = t1; movl (%edx),%ebx Body
*yp = t0; movl %eax,(%edx)
} Core movl %ebx,(%ecx)

movl -4(%ebp),%ebx
movl %ebp,%esp
popl %ebp Finish
ret

19 15-410, F’17
swap() Setup
Entering
Stack
%ebp


&zip2
&zip1
Rtn adr %esp

swap:
pushl %ebp
movl %esp,%ebp
pushl %ebx

20 15-410, F’17
swap() Setup #1
Entering Resulting
Stack Stack
%ebp %ebp
• •
• •
• •

&zip2 yp
&zip1 xp
Rtn adr %esp Rtn adr
Old %ebp %esp

swap:
pushl %ebp
movl %esp,%ebp
pushl %ebx

21 15-410, F’17
swap() Setup #2
Resulting
Entering Stack
Stack
%ebp
• •
• •
• •

&zip2 yp
&zip1 xp
Rtn adr %esp Rtn adr
Old %ebp %ebp
%esp
swap:
pushl %ebp
movl %esp,%ebp
pushl %ebx

22 15-410, F’17
swap() Setup #3
Entering Resulting
Stack Stack
%ebp
• •
• •
• •

&zip2 yp
&zip1 xp
Rtn adr %esp Rtn adr
Old %ebp %ebp
Old %ebx %esp
swap:
pushl %ebp
movl %esp,%ebp Observation
pushl %ebx n  Saving caller’s register %ebx

23 15-410, F’17
Effect of swap() Setup
Entering
Stack Resulting
%ebp
Stack
• •
• •
• Offset •
(relative to %ebp)

&zip2 12 yp
&zip1 8 xp
Rtn adr %esp 4 Rtn adr
0 Old %ebp %ebp
-4 Old %ebx %esp

movl 12(%ebp),%ecx # get yp


movl 8(%ebp),%edx # get xp Body
. . .

24 15-410, F’17
swap() Finish #1
swap’s
Stack • •
• •
• •
Offset Offset
12 yp 12 yp
8 xp 8 xp
4 Rtn adr 4 Rtn adr
0 Old %ebp %ebp 0 Old %ebp %ebp
-4 Old %ebx %esp -4 Old %ebx %esp

movl -4(%ebp),%ebx
movl %ebp,%esp
popl %ebp
Observation ret
n  Restoring caller’s register %ebx

25 15-410, F’17
swap() Finish #2
swap’s swap’s
Stack • •
• Stack •
• •
Offset Offset
12 yp 12 yp
8 xp 8 xp
4 Rtn adr 4 Rtn adr
0 Old %ebp %ebp 0 Old %ebp %ebp
-4 Old %ebx %esp %esp

movl -4(%ebp),%ebx
movl %ebp,%esp
popl %ebp
ret

26 15-410, F’17
swap() Finish #3
swap’s %ebp
swap’s •
Stack • Stack •

• •
Offset Offset

12 yp 12 yp

8 xp 8 xp

4 Rtn adr 4 Rtn adr


%esp
0 Old %ebp %ebp
%esp

movl -4(%ebp),%ebx
movl %ebp,%esp
popl %ebp
ret

27 15-410, F’17
swap() Finish #4
swap’s %ebp %ebp
Stack • •
• •
• •
Offset Exiting
Stack
12 yp &zip2
8 xp &zip1 %esp
4 Rtn adr
%esp

movl -4(%ebp),%ebx
movl %ebp,%esp
popl %ebp
Observation/query ret
n  Saved & restored caller's register %ebx
n  Didn't do so for %eax, %ecx, or %edx!
28 15-410, F’17
Register Saving Conventions
When procedure yoo() calls who():
n  yoo() is the caller, who() is the callee
Can a register be used for temporary storage?

yoo: who:
• • • • • •
movl $15213, %edx movl 8(%ebp), %edx
call who addl $91125, %edx
addl %edx, %eax • • •
• • • ret
ret

n  Contents of register %edx overwritten by who()

29 15-410, F’17
Register Saving Conventions
When procedure yoo() calls who():
n  yoo() is the caller, who() is the callee
Can a register be used for temporary storage?
Definitions
n  “Caller Save” register
n  Caller saves temporary in its frame before calling
n  “Callee Save” register
n  Callee saves temporary in its frame before using

Conventions
n  Which registers are caller-save, callee-save?

30 15-410, F’17
IA32/Linux Register Usage
32 bits
Integer Registers
n  Two have special uses
n  %ebp, %esp
n  Three managed as Caller-Save %eax
callee-save Temporaries
%edx
n  %ebx, %esi, %edi
n  Old values saved on %ecx
stack prior to using
n  Three managed as Callee-Save %ebx
Temporaries
caller-save %esi
n  %eax, %edx, %ecx
n  Do what you please, %edi
but expect any callee
to do so, as well %esp
Special
n  Register %eax also %ebp
holds return value

31 15-410, F’17
Stack Summary
Stack makes recursion work
n  Private storage for each instance of procedure call
n  Instantiations don't clobber each other
n  Addressing of locals + arguments can be relative to stack
positions
n  Can be managed by stack discipline
n  Procedures return in inverse order of calls

IA32 procedures: instructions + conventions


n  call / ret instructions mix %eip, %esp in a fixed way
n  Register usage conventions
n  Caller / Callee save
n  %ebp and %esp
n  Stack frame organization conventions
n  Which argument is pushed first

32 15-410, F’17
Before & After main()
int main(int argc, char *argv[]) {
if (argc > 1) {
printf(“%s\n”, argv[1]);
} else {
char * av[3] = { 0, 0, 0 };
av[0] = argv[0]; av[1] = “Fred”;
execvp(av[0], av);
}
return (0);
}

33 15-410, F’17
The Mysterious Parts
argc, argv
n  Strings from one program
n  Which part of the memory map are they in?
n  How did they get there?
What happens when main() does “return(0)”???
n  There's no more program to run...right?
n  Where does the 0 go?
n  How does it get there?
410 students should seek to abolish mystery

34 15-410, F’17
Null-terminated Bottom of stack
environment variable strings
The Mysterious Null-terminated

Parts command-line arg strings

envp[n] == NULL
Stack structure when a envp[n-1]
new program starts ...
envp[0] environ
argc, argv, envp argv[argc] = NULL
n  Come from the argv[argc-1]
program that called
execve ...
argv[0]
n  Kernel copies strings
from old address
space to new envp
argv
argc
return address Top of stack
0xbffffa7c
Future stack frame for
main
35 15-410, F’17
The Mysterious Parts
What happens when main() does “return(0)”?
n  Defined by C to have same effect as “exit(0)”
n  But how??

36 15-410, F’17
The Mysterious Parts
What happens when main() does “return(0)”?
n  Defined by C to have same effect as “exit(0)”
n  But how??
The “main() wrapper”
n  Receives argc, argv from OS
n  Calls main(), then calls exit()
n  Provided by C library, traditionally in “crt0.s”
n  Often has a “strange” name

/* not actual code */


void __main(int argc, char *argv[]) {
exit(main(argc, argv, environ));
}
37 15-410, F’17
Project 0 - “Stack Crawler”
C/Assembly function
n  Can be called by any C function
n  Prints stack frames in a symbolic way

---Stack Trace Follows---


Function fun3(c='c', d=2.090000), in
Function fun2(f=35.000000), in
Function fun1(count=0), in
Function fun1(count=1), in
Function fun1(count=2), in
...

38 15-410, F’17
Project 0 - “Stack Crawler”
Conceptually easy
n  Calling convention specifies layout of stack
n  Stack is “just memory” - C happily lets you read & write
Key questions
n  How do I know 0x80334720 is “fun1”?
n  How do I know fun3()'s second parameter is called “d”?
n  How do I know when to stop?

39 15-410, F’17
Project 0 “Data Flow”

fun.c tb.c

tb_globals.c

symbol-table array
many slots, blank

40 15-410, F’17
Project 0 “Data Flow” - Compilation

libtraceback.a

fun.o tb.o

tb_globals.o

41 15-410, F’17
Project 0 “Data Flow” - Linking

fun

fun.o
tb.o
tb_globals.o
debugger info

42 15-410, F’17
Project 0 “Data Flow” - P0 “Post-Linking”

fun

fun.o
tb.o
mutate
tb_globals.o
symtabgen
debugger info
simplify

43 15-410, F’17
Summary
Review of stack knowledge
What makes main() special
Project 0 overview
Look for handout this evening
Start interviewing Project 2/3/4 partners!

http://csapp.cs.cmu.edu/3e/waside/waside-ia32.pdf

(visit http://csapp.cs.cmu.edu and select “Web Asides”)

44 15-410, F’17
Movie Night

“Primer”
n  Thursday, August 29th
n  19:30, GHC 4401 (“Rashid Auditorium”)
n  $1 Pizza
n  Presented by #!/cmu/cc
n  Funded in part by your Student Activities Fee

45 15-410, F’17
FF
Linux Memory Layout
Stack
n  Runtime stack (8MB limit by default)
C0 Heap
BF Stack n  Dynamically allocated storage
Upper
2 hex n  Managed by malloc(), calloc(), new
digits of Shared/Dynamic Libraries aka Shared Objects
address n  Library routines (e.g., printf(), malloc())
80 n  Linked into object code when first executed
7F Windows has “DLLs” (semantic differences)
Red Hat Heap
n 

v. 6.2 Data, BSS


~1920MB n  Statically allocated data (BSS starts all-zero)
memory Shared
limit n  e.g., arrays & variables declared in code
Libraries
40 Text, RODATA
3F n  Text - Executable machine instructions
Heap n  RODATA – Read-only (e.g., “const”)
String literals
Data n 

08 Text
46 00 15-410, F’17
Linux Memory Allocation
ELF Some More
binary Loaded Heap Heap
BF BF Stack BF Stack BF Stack

80 80 80 80
7F 7F 7F 7F
Heap
Heap

40 40 Libraries 40 Libraries 40 Libraries


3F 3F 3F 3F
Heap
Data Data Data Data
08 Text 08 Text 08 Text 08 Text
00 00 00 00
47 15-410, F’17