Process Layout, Function Calls, and the...
Transcript of Process Layout, Function Calls, and the...
Process Layout, Function Calls, and the Heap
CS 161 – Spring 2011
Prof. Vern Paxson
TAs: Devdatta Akhawe, Mobin Javed, Matthias Vallentin
January 19, 2011
1 / 15
Process Layout in Memory
I StackI grows towards decreasing
addresses.I is initialized at run-time.
I Heap and BSS sectionsI grow towards increasing addresses.I are initialized at run-time.
I Data sectionI is initialized at compile-time.
I Text sectionI holds the program instructions
(read-only).
Stack
Heap
BSS
Data
Text
dynamicgrowth
0xc0000000
0x08048000
high address
low address
Process Layout 4 / 15
Process Layout in Memory
I StackI grows towards decreasing
addresses.I is initialized at run-time.
I Heap and BSS sectionsI grow towards increasing addresses.I are initialized at run-time.
I Data sectionI is initialized at compile-time.
I Text sectionI holds the program instructions
(read-only).
Stack
Heap
BSS
Data
Text
dynamicgrowth
0xc0000000
0x08048000
high address
low address
uninitialized variablesinitialized variables
Process Layout 4 / 15
IA-32
Registers
EAX Accumulator for operands and results data
EBX Pointer to data in the DS segment
ECX Counter for string and loop operations
EDX I/O pointer
ESI Source pointer for string operations
EDI Destination pointer for string operations
EBP Frame pointer
ESP Stack pointer
Terminology
SFP saved frame pointer: saved %ebp on the stack
OFP old frame pointer: old %ebp from the previous stack frame
RIP return instruction pointer: return address on the stack
Function Calls 6 / 15
IA-32
Registers
EAX Accumulator for operands and results data
EBX Pointer to data in the DS segment
ECX Counter for string and loop operations
EDX I/O pointer
ESI Source pointer for string operations
EDI Destination pointer for string operations
EBP Frame pointer
ESP Stack pointer
Terminology
SFP saved frame pointer: saved %ebp on the stack
OFP old frame pointer: old %ebp from the previous stack frame
RIP return instruction pointer: return address on the stack
Function Calls 6 / 15
Function Calls
void foo(int a, int b, int c)
{
int bar[2];
char qux[3];
bar[0] = ’A’;
qux[0] = 0x2a;
}
int main(void)
{
int i = 1;
foo(1, 2, 3);
return 0;
}
Function Calls 7 / 15
Function Calls in Assembler
main:
pushl %ebp
movl %esp,%ebp
subl $4,%esp
movl $1,-4(%ebp)
pushl $3
pushl $2
pushl $1
call foo
addl $12,%esp
xorl %eax,%eax
leave
ret
ebp
esp
Function Calls 8 / 15
Function Calls in Assembler
main:
pushl %ebp
movl %esp,%ebp
subl $4,%esp
movl $1,-4(%ebp)
pushl $3
pushl $2
pushl $1
call foo
addl $12,%esp
xorl %eax,%eax
leave
ret
sfp
ebp
esp
Function Calls 8 / 15
Function Calls in Assembler
main:
pushl %ebp
movl %esp,%ebp
subl $4,%esp
movl $1,-4(%ebp)
pushl $3
pushl $2
pushl $1
call foo
addl $12,%esp
xorl %eax,%eax
leave
ret
sfp
ofp
esp + ebp
Function Calls 8 / 15
Function Calls in Assembler
main:
pushl %ebp
movl %esp,%ebp
subl $4,%esp
movl $1,-4(%ebp)
pushl $3
pushl $2
pushl $1
call foo
addl $12,%esp
xorl %eax,%eax
leave
ret
sfp
ofp
ebpesp
Function Calls 8 / 15
Function Calls in Assembler
main:
pushl %ebp
movl %esp,%ebp
subl $4,%esp
movl $1,-4(%ebp)
pushl $3
pushl $2
pushl $1
call foo
addl $12,%esp
xorl %eax,%eax
leave
ret
sfp
1
ofp
ebpesp
Function Calls 8 / 15
Function Calls in Assembler
main:
pushl %ebp
movl %esp,%ebp
subl $4,%esp
movl $1,-4(%ebp)
pushl $3
pushl $2
pushl $1
call foo
addl $12,%esp
xorl %eax,%eax
leave
ret
sfp
1
3
2
1
ofp
ebp
esp
Function Calls 8 / 15
Function Calls in Assembler
main:
pushl %ebp
movl %esp,%ebp
subl $4,%esp
movl $1,-4(%ebp)
pushl $3
pushl $2
pushl $1
call foo
addl $12,%esp
xorl %eax,%eax
leave
ret
sfp
1
3
2
1
rip
ofp
ebp
esp
Function Calls 8 / 15
Function Calls in Assembler
foo:
pushl %ebp
movl %esp,%ebp
subl $12,%esp
movl $65,-8(%ebp)
movb $66,-12(%ebp)
leave
ret
sfp
1
3
2
1
rip
ofp
ebp
esp
Function Calls 8 / 15
Function Calls in Assembler
foo:
pushl %ebp
movl %esp,%ebp
subl $12,%esp
movl $65,-8(%ebp)
movb $66,-12(%ebp)
leave
ret
sfp
1
3
2
1
rip
sfp
ofp
ebp
esp
Function Calls 8 / 15
Function Calls in Assembler
foo:
pushl %ebp
movl %esp,%ebp
subl $12,%esp
movl $65,-8(%ebp)
movb $66,-12(%ebp)
leave
ret
sfp
1
3
2
1
rip
sfp
ofp
ofp (m)
esp + ebp
Function Calls 8 / 15
Function Calls in Assembler
foo:
pushl %ebp
movl %esp,%ebp
subl $12,%esp
movl $65,-8(%ebp)
movb $66,-12(%ebp)
leave
ret
sfp
1
3
2
1
rip
sfp
ofp
ofp (m)
ebp
esp
Function Calls 8 / 15
Function Calls in Assembler
foo:
pushl %ebp
movl %esp,%ebp
subl $12,%esp
movl $65,-8(%ebp)
movb $66,-12(%ebp)
leave
ret
sfp
1
3
2
1
rip
sfp
ofp
ofp (m)
ebp
esp00 00 00 41
Function Calls 8 / 15
Function Calls in Assembler
foo:
pushl %ebp
movl %esp,%ebp
subl $12,%esp
movl $65,-8(%ebp)
movb $66,-12(%ebp)
leave
ret
sfp
1
3
2
1
rip
sfp
ofp
ofp (m)
ebp
esp00 00 00 41
42
Function Calls 8 / 15
Function Calls in Assembler
foo:
pushl %ebp
movl %esp,%ebp
subl $12,%esp
movl $65,-8(%ebp)
movb $66,-12(%ebp)
leave
ret
sfp
1
3
2
1
rip
sfp
ofp
ofp (m)
esp + ebp
00 00 00 41
42leave: movl %ebp,%esp popl %ebp
Function Calls 8 / 15
Function Calls in Assembler
foo:
pushl %ebp
movl %esp,%ebp
subl $12,%esp
movl $65,-8(%ebp)
movb $66,-12(%ebp)
leave
ret
sfp
1
3
2
1
rip
sfp
ofp
ebp
esp
00 00 00 41
42leave: movl %ebp,%esp popl %ebp
Function Calls 8 / 15
Function Calls in Assembler
foo:
pushl %ebp
movl %esp,%ebp
subl $12,%esp
movl $65,-8(%ebp)
movb $66,-12(%ebp)
leave
ret
sfp
1
3
2
1
rip
sfp
ofp
ebp
esp
00 00 00 41
42ret: popl %eip
Function Calls 8 / 15
Function Calls in Assembler
main:
pushl %ebp
movl %esp,%ebp
subl $4,%esp
movl $1,-4(%ebp)
pushl $3
pushl $2
pushl $1
call foo
addl $12,%esp
xorl %eax,%eax
leave
ret
sfp
1
3
2
1
rip
sfp
ofp
ebp
esp
00 00 00 41
42
Function Calls 8 / 15
Function Calls in Assembler
main:
pushl %ebp
movl %esp,%ebp
subl $4,%esp
movl $1,-4(%ebp)
pushl $3
pushl $2
pushl $1
call foo
addl $12,%esp
xorl %eax,%eax
leave
ret
sfp
1
3
2
1
rip
sfp
ofp
ebpesp
00 00 00 41
42
Function Calls 8 / 15
Function Calls in Assembler
main:
pushl %ebp
movl %esp,%ebp
subl $4,%esp
movl $1,-4(%ebp)
pushl $3
pushl $2
pushl $1
call foo
addl $12,%esp
xorl %eax,%eax
leave
ret
sfp
1
3
2
1
rip
sfp
ofp
ebpesp
00 00 00 41
42
Function Calls 8 / 15
Function Calls in Assembler
main:
pushl %ebp
movl %esp,%ebp
subl $4,%esp
movl $1,-4(%ebp)
pushl $3
pushl $2
pushl $1
call foo
addl $12,%esp
xorl %eax,%eax
leave
ret
sfp
1
3
2
1
rip
sfp
ofp
esp + ebp
00 00 00 41
42
Function Calls 8 / 15
Function Calls in Assembler
main:
pushl %ebp
movl %esp,%ebp
subl $4,%esp
movl $1,-4(%ebp)
pushl $3
pushl $2
pushl $1
call foo
addl $12,%esp
xorl %eax,%eax
leave
ret
sfp
1
3
2
1
rip
sfp
ebp
esp
00 00 00 41
42
Function Calls 8 / 15
Function Calls in Assembler
main:
pushl %ebp
movl %esp,%ebp
subl $4,%esp
movl $1,-4(%ebp)
pushl $3
pushl $2
pushl $1
call foo
addl $12,%esp
xorl %eax,%eax
leave
ret
(rip)
sfp
1
3
2
1
rip
sfp
ebpesp
00 00 00 41
42
Function Calls 8 / 15
The Heap
The heap is ”[...] a pool of memory available for the allocation anddeallocation of arbitrary-sized blocks of memory in arbitrary order.”[WJN+95]
I ANSI-C functions malloc() and friends are used to manage the heap(glibc uses ptmalloc).
I Heap memory is organized in chunks that can be allocated, freed,merged, etc.
I Boundary Tags contain meta information about chunks (size,previous/next pointer, etc.)
I stored both in the front and end of each chunk.→ makes consolidating fragmented chunks into bigger chunks very fast.
The Heap 10 / 15
The Heap
The heap is ”[...] a pool of memory available for the allocation anddeallocation of arbitrary-sized blocks of memory in arbitrary order.”[WJN+95]
I ANSI-C functions malloc() and friends are used to manage the heap(glibc uses ptmalloc).
I Heap memory is organized in chunks that can be allocated, freed,merged, etc.
I Boundary Tags contain meta information about chunks (size,previous/next pointer, etc.)
I stored both in the front and end of each chunk.→ makes consolidating fragmented chunks into bigger chunks very fast.
The Heap 10 / 15
The Heap
The heap is ”[...] a pool of memory available for the allocation anddeallocation of arbitrary-sized blocks of memory in arbitrary order.”[WJN+95]
I ANSI-C functions malloc() and friends are used to manage the heap(glibc uses ptmalloc).
I Heap memory is organized in chunks that can be allocated, freed,merged, etc.
I Boundary Tags contain meta information about chunks (size,previous/next pointer, etc.)
I stored both in the front and end of each chunk.→ makes consolidating fragmented chunks into bigger chunks very fast.
The Heap 10 / 15
The Heap
The heap is ”[...] a pool of memory available for the allocation anddeallocation of arbitrary-sized blocks of memory in arbitrary order.”[WJN+95]
I ANSI-C functions malloc() and friends are used to manage the heap(glibc uses ptmalloc).
I Heap memory is organized in chunks that can be allocated, freed,merged, etc.
I Boundary Tags contain meta information about chunks (size,previous/next pointer, etc.)
I stored both in the front and end of each chunk.→ makes consolidating fragmented chunks into bigger chunks very fast.
The Heap 10 / 15
Chunks in Memory
allocated chunk
wilderness chunk
high
add
ress
es
allocated chunk
free chunk
allocated chunk
free chunk
allocated chunk
heap
gro
wing
dir
ecti
on
The Heap 11 / 15
Understanding Heap Management
Boundary Tags
I prev size: size of previous chunk (if free).
I size: size in bytes, including overhead.
I PREV INUSE: Status bit; set if previous chunk is allocated.
I fd/bk: forward/backward pointer for double links (if free).
prev_size
size
fd
PREV_INUSE
bk
data
chunk
mem
nextchunk
4
4
4
4
>= 0
free chunk
Managing Free Chunks
I Free chunks of similar size aregrouped into bins.
I fd/bk pointers to navigatethrough double links.
prev_size
size
fd
PREV_INUSE
bk
data
chunk
mem
nextchunk
data
allocated chunk
data from previous chunk
4
4
4
4
>= 0
The Heap 12 / 15
Understanding Heap Management
Boundary Tags
I prev size: size of previous chunk (if free).
I size: size in bytes, including overhead.
I PREV INUSE: Status bit; set if previous chunk is allocated.
I fd/bk: forward/backward pointer for double links (if free).
prev_size
size
fd
PREV_INUSE
bk
data
chunk
mem
nextchunk
4
4
4
4
>= 0
free chunk
Managing Free Chunks
I Free chunks of similar size aregrouped into bins.
I fd/bk pointers to navigatethrough double links.
prev_size
size
fd
PREV_INUSE
bk
data
chunk
mem
nextchunk
data
allocated chunk
data from previous chunk
4
4
4
4
>= 0
The Heap 12 / 15
Understanding Heap Management
Boundary Tags
I prev size: size of previous chunk (if free).
I size: size in bytes, including overhead.
I PREV INUSE: Status bit; set if previous chunk is allocated.
I fd/bk: forward/backward pointer for double links (if free).
Managing Free Chunks
I Free chunks of similar size aregrouped into bins.
I fd/bk pointers to navigatethrough double links.
Chunk
Bin
Chunk
Chunk
fdbk bk
fd
bkfd
bkfd
The Heap 12 / 15
Removing Chunks from a Bin: unlink()
#define unlink(P, BK, FD)
{
BK = P->bk;
FD = P->fd;
FD->bk = BK;
BK->fd = FD;
}
prev_size
size
fd
PREV_INUSE
bk
data
prev_size
size
fd
PREV_INUSE
bk
data
prev_size
size
fd
PREV_INUSE
bk
data
high addresses
The Heap 13 / 15
Removing Chunks from a Bin: unlink()
#define unlink(P, BK, FD)
{
BK = P->bk;
FD = P->fd;
FD->bk = BK;
BK->fd = FD;
}
prev_size
size
fd
PREV_INUSE
bk
data
prev_size
size
fd
PREV_INUSE
bk
data
prev_size
size
fd
PREV_INUSE
bk
data
high addresses
The Heap 13 / 15
Removing Chunks from a Bin: unlink()
#define unlink(P, BK, FD)
{
BK = P->bk;
FD = P->fd;
FD->bk = BK;
BK->fd = FD;
}
prev_size
size
fd
PREV_INUSE
bk
data
prev_size
size
fd
PREV_INUSE
bk
data
prev_size
size
fd
PREV_INUSE
bk
data
high addresses
The Heap 13 / 15
Removing Chunks from a Bin: unlink()
#define unlink(P, BK, FD)
{
BK = P->bk;
FD = P->fd;
FD->bk = BK;
BK->fd = FD;
}
prev_size
size
fd
PREV_INUSE
bk
data
prev_size
size
fd
PREV_INUSE
bk
data
prev_size
size
fd
PREV_INUSE
bk
data
high addresses
The Heap 13 / 15
Removing Chunks from a Bin: unlink()
#define unlink(P, BK, FD)
{
BK = P->bk;
FD = P->fd;
FD->bk = BK;
BK->fd = FD;
}
FD + 12 = BK
prev_size
size
fd
PREV_INUSE
bk
data
prev_size
size
fd
PREV_INUSE
bk
data
prev_size
size
fd
PREV_INUSE
bk
data
high addresses
+12
The Heap 13 / 15
Removing Chunks from a Bin: unlink()
#define unlink(P, BK, FD)
{
BK = P->bk;
FD = P->fd;
FD->bk = BK;
BK->fd = FD;
}
prev_size
size
fd
PREV_INUSE
bk
data
prev_size
size
fd
PREV_INUSE
bk
data
prev_size
size
fd
PREV_INUSE
bk
data
high addresses
The Heap 13 / 15
Removing Chunks from a Bin: unlink()
#define unlink(P, BK, FD)
{
BK = P->bk;
FD = P->fd;
FD->bk = BK;
BK->fd = FD;
}
prev_size
size
fd
PREV_INUSE
bk
data
prev_size
size
fd
PREV_INUSE
bk
data
prev_size
size
fd
PREV_INUSE
bk
data
high addresses
The Heap 13 / 15
References
Paul R. Wilson and Mark S. Johnstone and Michael Neely and DavidBoles.Dynamic Storage Allocation: A Survey and Critical Review.International Workshop on Memory Management, 1995.
The Heap 14 / 15
IA-32 Reference
%eax
%edx%ecx
%ebx%esi
%edi
%esp%ebp
IA32 Instructions
movl Src,Dest Dest = Srcaddl Src,Dest Dest = Dest + Srcsubl Src,Dest Dest = Dest - Srcimull Src,Dest Dest = Dest * Srcsall Src,Dest Dest = Dest << Srcsarl Src,Dest Dest = Dest >> Srcshrl Src,Dest Dest = Dest >> Srcxorl Src,Dest Dest = Dest ^ Srcandl Src,Dest Dest = Dest & Srcorl Src,Dest Dest = Dest | Srcincl Dest Dest = Dest + 1decl Dest Dest = Dest - 1negl Dest Dest = - Destnotl Dest Dest = ~ Destleal Src,Dest Dest = address of Srccmpl Src2,Src1 Sets CCs Src1 – Src2testl Src2,Src1 Sets CCs Src1 & Src2jmp label jumpje label jump equaljne label jump not equaljs label jump negative jns label jump non-negativejg label jump greater (signed)jge label jump greater or equal (signed)jl label jump less (signed)jle label jump less or equal (signed)ja label jump above (unsigned)jb label jump below (unsigned)
Addressing Modes
Immediate $val Val
Normal (R) Mem[Reg[R]]
•Register R specifies memory address
movl (%ecx),%eax
Displacement D(R) Mem[Reg[R]+D]
•Register R specifies start of memory region
•Constant displacement D specifies offset
movl 8(%ebp),%edx
Indexed D(Rb,Ri,S) Mem[Reg[Rb]+S*Reg[Ri]+ D]
•D: Constant “displacement” 1, 2, or 4 bytes
•Rb: Base register: Any of 8 integer registers
•Ri: Index register:
•S: Scale: 1, 2, 4, or 8
Condition Codes
CF Carry Flag
ZF Zero Flag
SF Sign Flag
OF Overflow Flag
The Heap 15 / 15