process layout, function calls, and the...

Process Layout, Function Calls, and the Heap

CS 161 – Spring 2011

Prof. Vern Paxson

TAs: Devdatta Akhawe, Mobin Javed, Matthias Vallentin

January 19, 2011

1 / 15

2 / 15

Outline

Process Layout

Function Calls

The Heap

Process Layout 3 / 15

Process Layout in Memory

I StackI grows towards decreasing

addresses.I is initialized at run-time.

I Heap and BSS sectionsI grow towards increasing addresses.I are initialized at run-time.

I Data sectionI is initialized at compile-time.

I Text sectionI holds the program instructions

(read-only).

Stack

Heap

BSS

Data

Text

dynamicgrowth

0xc0000000

0x08048000

high address

low address


Process Layout in Memory

I StackI grows towards decreasing

addresses.I is initialized at run-time.

I Heap and BSS sectionsI grow towards increasing addresses.I are initialized at run-time.

I Data sectionI is initialized at compile-time.

I Text sectionI holds the program instructions

(read-only).

Stack

Heap

BSS

Data

Text

dynamicgrowth

0xc0000000

0x08048000

high address

low address

uninitialized variablesinitialized variables


Outline

Process Layout

Function Calls

The Heap

Function Calls 5 / 15

IA-32

Registers

EAX Accumulator for operands and results data

EBX Pointer to data in the DS segment

ECX Counter for string and loop operations

EDX I/O pointer

ESI Source pointer for string operations

EDI Destination pointer for string operations

EBP Frame pointer

ESP Stack pointer

Terminology

SFP saved frame pointer: saved %ebp on the stack

OFP old frame pointer: old %ebp from the previous stack frame

RIP return instruction pointer: return address on the stack


Function Calls

void foo(int a, int b, int c)

{

int bar[2];

char qux[3];

bar[0] = ’A’;

qux[0] = 0x2a;

}

int main(void)

{

int i = 1;

foo(1, 2, 3);

return 0;

}


Function Calls in Assembler

main:

pushl %ebp

movl %esp,%ebp

subl $4,%esp

movl $1,-4(%ebp)

pushl $3

pushl $2

pushl $1

call foo

addl $12,%esp

xorl %eax,%eax

leave

ret

ebp

esp



main:

pushl %ebp

movl %esp,%ebp

subl $4,%esp

movl $1,-4(%ebp)

pushl $3

pushl $2

pushl $1

call foo

addl $12,%esp

xorl %eax,%eax

leave

ret

sfp

ebp

esp



main:

pushl %ebp

movl %esp,%ebp

subl $4,%esp

movl $1,-4(%ebp)

pushl $3

pushl $2

pushl $1

call foo

addl $12,%esp

xorl %eax,%eax

leave

ret

sfp

ofp

esp + ebp



main:

pushl %ebp

movl %esp,%ebp

subl $4,%esp

movl $1,-4(%ebp)

pushl $3

pushl $2

pushl $1

call foo

addl $12,%esp

xorl %eax,%eax

leave

ret

sfp

ofp

ebpesp



main:

pushl %ebp

movl %esp,%ebp

subl $4,%esp

movl $1,-4(%ebp)

pushl $3

pushl $2

pushl $1

call foo

addl $12,%esp

xorl %eax,%eax

leave

ret

sfp

1

ofp

ebpesp



main:

pushl %ebp

movl %esp,%ebp

subl $4,%esp

movl $1,-4(%ebp)

pushl $3

pushl $2

pushl $1

call foo

addl $12,%esp

xorl %eax,%eax

leave

ret

sfp

1

3

2

1

ofp

ebp

esp



main:

pushl %ebp

movl %esp,%ebp

subl $4,%esp

movl $1,-4(%ebp)

pushl $3

pushl $2

pushl $1

call foo

addl $12,%esp

xorl %eax,%eax

leave

ret

sfp

1

3

2

1

rip

ofp

ebp

esp



foo:

pushl %ebp

movl %esp,%ebp

subl $12,%esp

movl $65,-8(%ebp)

movb $66,-12(%ebp)

leave

ret

sfp

1

3

2

1

rip

ofp

ebp

esp



foo:

pushl %ebp

movl %esp,%ebp

subl $12,%esp

movl $65,-8(%ebp)

movb $66,-12(%ebp)

leave

ret

sfp

1

3

2

1

rip

sfp

ofp

ebp

esp



foo:

pushl %ebp

movl %esp,%ebp

subl $12,%esp

movl $65,-8(%ebp)

movb $66,-12(%ebp)

leave

ret

sfp

1

3

2

1

rip

sfp

ofp

ofp (m)

esp + ebp



foo:

pushl %ebp

movl %esp,%ebp

subl $12,%esp

movl $65,-8(%ebp)

movb $66,-12(%ebp)

leave

ret

sfp

1

3

2

1

rip

sfp

ofp

ofp (m)

ebp

esp



foo:

pushl %ebp

movl %esp,%ebp

subl $12,%esp

movl $65,-8(%ebp)

movb $66,-12(%ebp)

leave

ret

sfp

1

3

2

1

rip

sfp

ofp

ofp (m)

ebp

esp00 00 00 41



foo:

pushl %ebp

movl %esp,%ebp

subl $12,%esp

movl $65,-8(%ebp)

movb $66,-12(%ebp)

leave

ret

sfp

1

3

2

1

rip

sfp

ofp

ofp (m)

ebp

esp00 00 00 41

42



foo:

pushl %ebp

movl %esp,%ebp

subl $12,%esp

movl $65,-8(%ebp)

movb $66,-12(%ebp)

leave

ret

sfp

1

3

2

1

rip

sfp

ofp

ofp (m)

esp + ebp

00 00 00 41

42leave: movl %ebp,%esp popl %ebp



foo:

pushl %ebp

movl %esp,%ebp

subl $12,%esp

movl $65,-8(%ebp)

movb $66,-12(%ebp)

leave

ret

sfp

1

3

2

1

rip

sfp

ofp

ebp

esp

00 00 00 41

42leave: movl %ebp,%esp popl %ebp



foo:

pushl %ebp

movl %esp,%ebp

subl $12,%esp

movl $65,-8(%ebp)

movb $66,-12(%ebp)

leave

ret

sfp

1

3

2

1

rip

sfp

ofp

ebp

esp

00 00 00 41

42ret: popl %eip



main:

pushl %ebp

movl %esp,%ebp

subl $4,%esp

movl $1,-4(%ebp)

pushl $3

pushl $2

pushl $1

call foo

addl $12,%esp

xorl %eax,%eax

leave

ret

sfp

1

3

2

1

rip

sfp

ofp

ebp

esp

00 00 00 41

42



main:

pushl %ebp

movl %esp,%ebp

subl $4,%esp

movl $1,-4(%ebp)

pushl $3

pushl $2

pushl $1

call foo

addl $12,%esp

xorl %eax,%eax

leave

ret

sfp

1

3

2

1

rip

sfp

ofp

ebpesp

00 00 00 41

42



main:

pushl %ebp

movl %esp,%ebp

subl $4,%esp

movl $1,-4(%ebp)

pushl $3

pushl $2

pushl $1

call foo

addl $12,%esp

xorl %eax,%eax

leave

ret

sfp

1

3

2

1

rip

sfp

ofp

esp + ebp

00 00 00 41

42



main:

pushl %ebp

movl %esp,%ebp

subl $4,%esp

movl $1,-4(%ebp)

pushl $3

pushl $2

pushl $1

call foo

addl $12,%esp

xorl %eax,%eax

leave

ret

sfp

1

3

2

1

rip

sfp

ebp

esp

00 00 00 41

42



main:

pushl %ebp

movl %esp,%ebp

subl $4,%esp

movl $1,-4(%ebp)

pushl $3

pushl $2

pushl $1

call foo

addl $12,%esp

xorl %eax,%eax

leave

ret

(rip)

sfp

1

3

2

1

rip

sfp

ebpesp

00 00 00 41

42


Outline

Process Layout

Function Calls

The Heap

The Heap 9 / 15

The Heap

The heap is ”[...] a pool of memory available for the allocation anddeallocation of arbitrary-sized blocks of memory in arbitrary order.”[WJN+95]

I ANSI-C functions malloc() and friends are used to manage the heap(glibc uses ptmalloc).

I Heap memory is organized in chunks that can be allocated, freed,merged, etc.

I Boundary Tags contain meta information about chunks (size,previous/next pointer, etc.)

I stored both in the front and end of each chunk.→ makes consolidating fragmented chunks into bigger chunks very fast.

The Heap 10 / 15

Chunks in Memory

allocated chunk

wilderness chunk

high

add

ress

es

allocated chunk

free chunk

allocated chunk

free chunk

allocated chunk

heap

gro

wing

dir

ecti

on

The Heap 11 / 15

Understanding Heap Management

Boundary Tags

I prev size: size of previous chunk (if free).

I size: size in bytes, including overhead.

I PREV INUSE: Status bit; set if previous chunk is allocated.

I fd/bk: forward/backward pointer for double links (if free).

prev_size

size

fd

PREV_INUSE

bk

data

chunk

mem

nextchunk

4

4

4

4

>= 0

free chunk

Managing Free Chunks

I Free chunks of similar size aregrouped into bins.

I fd/bk pointers to navigatethrough double links.

prev_size

size

fd

PREV_INUSE

bk

data

chunk

mem

nextchunk

data

allocated chunk

data from previous chunk

4

4

4

4

>= 0

The Heap 12 / 15

Understanding Heap Management

Boundary Tags

I prev size: size of previous chunk (if free).

I size: size in bytes, including overhead.

I PREV INUSE: Status bit; set if previous chunk is allocated.

I fd/bk: forward/backward pointer for double links (if free).

Managing Free Chunks

I Free chunks of similar size aregrouped into bins.

I fd/bk pointers to navigatethrough double links.

Chunk

Bin

Chunk

Chunk

fdbk bk

fd

bkfd

bkfd

The Heap 12 / 15

Removing Chunks from a Bin: unlink()

#define unlink(P, BK, FD)

{

BK = P->bk;

FD = P->fd;

FD->bk = BK;

BK->fd = FD;

}

prev_size

size

fd

PREV_INUSE

bk

data

prev_size

size

fd

PREV_INUSE

bk

data

prev_size

size

fd

PREV_INUSE

bk

data

high addresses

The Heap 13 / 15



{

BK = P->bk;

FD = P->fd;

FD->bk = BK;

BK->fd = FD;

}

FD + 12 = BK

prev_size

size

fd

PREV_INUSE

bk

data

prev_size

size

fd

PREV_INUSE

bk

data

prev_size

size

fd

PREV_INUSE

bk

data

high addresses

+12

The Heap 13 / 15



{

BK = P->bk;

FD = P->fd;

FD->bk = BK;

BK->fd = FD;

}

prev_size

size

fd

PREV_INUSE

bk

data

prev_size

size

fd

PREV_INUSE

bk

data

prev_size

size

fd

PREV_INUSE

bk

data

high addresses

The Heap 13 / 15

References

Paul R. Wilson and Mark S. Johnstone and Michael Neely and DavidBoles.Dynamic Storage Allocation: A Survey and Critical Review.International Workshop on Memory Management, 1995.

The Heap 14 / 15

IA-32 Reference

%eax

%edx%ecx

%ebx%esi

%edi

%esp%ebp

IA32 Instructions

movl Src,Dest Dest = Srcaddl Src,Dest Dest = Dest + Srcsubl Src,Dest Dest = Dest - Srcimull Src,Dest Dest = Dest * Srcsall Src,Dest Dest = Dest << Srcsarl Src,Dest Dest = Dest >> Srcshrl Src,Dest Dest = Dest >> Srcxorl Src,Dest Dest = Dest ^ Srcandl Src,Dest Dest = Dest & Srcorl Src,Dest Dest = Dest | Srcincl Dest Dest = Dest + 1decl Dest Dest = Dest - 1negl Dest Dest = - Destnotl Dest Dest = ~ Destleal Src,Dest Dest = address of Srccmpl Src2,Src1 Sets CCs Src1 – Src2testl Src2,Src1 Sets CCs Src1 & Src2jmp label jumpje label jump equaljne label jump not equaljs label jump negative jns label jump non-negativejg label jump greater (signed)jge label jump greater or equal (signed)jl label jump less (signed)jle label jump less or equal (signed)ja label jump above (unsigned)jb label jump below (unsigned)

Addressing Modes

Immediate $val Val

Normal (R) Mem[Reg[R]]

•Register R specifies memory address

movl (%ecx),%eax

Displacement D(R) Mem[Reg[R]+D]

•Register R specifies start of memory region

•Constant displacement D specifies offset

movl 8(%ebp),%edx

Indexed D(Rb,Ri,S) Mem[Reg[Rb]+S*Reg[Ri]+ D]

•D: Constant “displacement” 1, 2, or 4 bytes

•Rb: Base register: Any of 8 integer registers

•Ri: Index register:

•S: Scale: 1, 2, 4, or 8

Condition Codes

CF Carry Flag

ZF Zero Flag

SF Sign Flag

OF Overflow Flag

The Heap 15 / 15

process layout, function calls, and the...

Documents