The Runtime Environment

The Runtime Environment
CSE 340 – Principles of Programming Languages Fall 2016 Adam Doupé Arizona State University

Locations and Names What is the semantic distinction between locations and names? How does the compiler actually implement locations and names? How does the compiler map names to memory locations? We are going to look into this process Assuming static scoping

Global Variables Where can the compiler put variables?
Memory Registers Disk "Cloud" What are the constraints on those variables? Who can access them? Who can't?

mem[A] = mem[A] + mem[B] a @ 0x8049634 b @ 0x8049638 c @ 0x804963c
int a; int b; float c; int main() { a = 10; b = 100; c = 10.45; a = a + b; return 0; } A B C mem[A] = 10 mem[B] = 100 mem[C] = 10.45 mem[A] = mem[A] + mem[B] 0x 0x 0x804963c movl $0xa,0x movl $0x64,0x mov $0x ,%eax mov %eax,0x804963c mov 0x ,%edx mov 0x ,%eax lea (%edx,%eax,1),%eax mov %eax,0x ATT assembly syntax gcc –Wall –m32 objdump –M att –D a.out

Local Variables What are the constraints on local variables?
Where can the compiler place local variables? Global Memory (one for each function)

int fact(int n) { if (n == 0) return 1; } else return fact(n-1) * n;
ATT assembly syntax gcc –Wall –m32 objdump –M att –D a.out

Local Variables What are the constraints on local variables?
Where can the compiler place local variables? Global Memory (one for each function) "Scratch memory" for each function

The Stack Stack is essentially scratch memory for functions
Used in MIPS, ARM, x86, and x86-64 processors Starts at high memory addresses, and grows down Functions are free to push registers or values onto the stack, or pop values from the stack into registers The assembly language supports this on x86 %esp holds the address of the top of the stack push %eax decrements the stack pointer (%esp) then stores the value in %eax to the location pointed to by the stack pointer pop %eax stores the value at the location pointed to by the stack pointer into %eax, then increments the stack pointer (%esp)

Stack Example 0xFFFFFFFF … Garbage push %eax pop %ebx 0x10000
%esp 0x10000

Stack Example 0xFFFFFFFF … 0xa Garbage push %eax pop %ebx 0x10000
%esp 0xFFFC

Stack Example 0xFFFFFFFF … 0xa Garbage push %eax pop %ebx 0x10000
%esp 0x10000

Function Frame Functions would like to use the stack to allocate space for their local variables Can we use the stack pointer for this? Yes, however stack pointer can change throughout program execution Frame pointer points to the start of the function's frame on the stack Each local variable will be (different) offsets of the frame pointer In x86, frame pointer is called the base pointer, and is stored in %ebp

mem[%ebp+A] = mem[%ebp+A] + mem[%ebp+B] a @ %ebp – 0xc b @ %ebp – 0x8
int main() { int a; int b; float c; a = 10; b = 100; c = 10.45; a = a + b; return 0; } %ebp + A %ebp + B %ebp + C mem[%ebp+A] = 10 mem[%ebp+B] = 100 mem[%ebp+C] = 10.45 mem[%ebp+A] = mem[%ebp+A] + mem[%ebp+B] %ebp – 0xc %ebp – 0x8 %ebp – 0x4 mov %esp,%ebp sub $0x10,%esp movl $0xa,-0xc(%ebp) movl $0x64,-0x8(%ebp) mov $0x ,%eax mov %eax,-0x4(%ebp) mov -0x8(%ebp),%eax add %eax,-0xc(%ebp) ATT assembly syntax gcc –Wall –m32 objdump –M att –D a.out

Function Frame 0xFFFFFFFF … mov %esp,%ebp sub $0x10,%esp
movl $0xa,-0xc(%ebp) movl $0x64,-0x8(%ebp) mov $0x ,%eax mov %eax,-0x4(%ebp) mov -0x8(%ebp),%eax add %eax,-0xc(%ebp) 0x10000 0x %eax %esp 0x10000 %ebp

movl $0xa,-0xc(%ebp) movl $0x64,-0x8(%ebp) mov $0x ,%eax mov %eax,-0x4(%ebp) mov -0x8(%ebp),%eax add %eax,-0xc(%ebp) 0x10000 0x %eax %esp 0xFFF0 %ebp 0x10000

movl $0xa,-0xc(%ebp) movl $0x64,-0x8(%ebp) mov $0x ,%eax mov %eax,-0x4(%ebp) mov -0x8(%ebp),%eax add %eax,-0xc(%ebp) 0x10000 0xFFFC 0xFFF8 0xFFF4 0xFFF0 0x %eax %esp 0xFFF0 %ebp 0x10000

Function Frame 0xFFFFFFFF … 0xa mov %esp,%ebp sub $0x10,%esp

Function Frame 0xFFFFFFFF … 0x64 0xa mov %esp,%ebp sub $0x10,%esp

Function Frame 0xFFFFFFFF … 0x64 0xa mov %esp,%ebp sub $0x10,%esp
movl $0xa,-0xc(%ebp) movl $0x64,-0x8(%ebp) mov $0x ,%eax mov %eax,-0x4(%ebp) mov -0x8(%ebp),%eax add %eax,-0xc(%ebp) 0x10000 0xFFFC 0xFFF8 0xFFF4 0xFFF0 0x %eax 0x %esp 0xFFF0 %ebp 0x10000

Function Frame 0xFFFFFFFF … 0x41273333 0x64 0xa mov %esp,%ebp
sub $0x10,%esp movl $0xa,-0xc(%ebp) movl $0x64,-0x8(%ebp) mov $0x ,%eax mov %eax,-0x4(%ebp) mov -0x8(%ebp),%eax add %eax,-0xc(%ebp) 0x10000 0xFFFC 0xFFF8 0xFFF4 0xFFF0 0x %eax 0x %esp 0xFFF0 %ebp 0x10000

sub $0x10,%esp movl $0xa,-0xc(%ebp) movl $0x64,-0x8(%ebp) mov $0x ,%eax mov %eax,-0x4(%ebp) mov -0x8(%ebp),%eax add %eax,-0xc(%ebp) 0x10000 c 0xFFFC b 0xFFF8 a 0xFFF4 0xFFF0 0x %eax 0x %esp 0xFFF0 %ebp 0x10000

sub $0x10,%esp movl $0xa,-0xc(%ebp) movl $0x64,-0x8(%ebp) mov $0x ,%eax mov %eax,-0x4(%ebp) mov -0x8(%ebp),%eax add %eax,-0xc(%ebp) 0x10000 c 0xFFFC b 0xFFF8 a 0xFFF4 0xFFF0 0x %eax 0x64 %esp 0xFFF0 %ebp 0x10000

Function Frame 0xFFFFFFFF … 0x41273333 0x64 0x6E mov %esp,%ebp
sub $0x10,%esp movl $0xa,-0xc(%ebp) movl $0x64,-0x8(%ebp) mov $0x ,%eax mov %eax,-0x4(%ebp) mov -0x8(%ebp),%eax add %eax,-0xc(%ebp) 0x10000 c 0xFFFC b 0xFFF8 a 0xFFF4 0xFFF0 0x %eax 0x64 %esp 0xFFF0 %ebp 0x10000

Functions Declarations Invocation Function name
Formal parameters (names and types) Return type Invocation f(x1,x2,…,xk) x1,x2,...,xk are expressions x1,x2,...xk are called the actual parameters Invoking function must create the frame on the stack with enough space to hold the actual parameters

Function Frames Allows us to allocate memory for the function's local variables However, when considering calling a function, what other information do we need? Return value Parameters Our frame pointer Return address (where to start program execution when function returns) Local variables Temporary variables

Calling Convention All of the previous information must be stored on the stack in order to call the function Who should store that information? Caller? Callee? Thus, we need to define a convention of who pushes/stores what values on the stack to call a function Varies based on processor, operating system, compiler, or type of call

x86 Linux Calling Convention (cdecl)
Caller (in this order) Pushes arguments onto the stack (in right to left order) Pushes address of instruction after call Callee Pushes previous frame pointer onto stack Creates space on stack for local variables Ensures that stack is consistent on return Return value in %eax register

callee: push %ebp mov %esp,%ebp mov 0xc(%ebp),%eax mov 0x8(%ebp),%edx lea (%edx,%eax,1),%eax add $0x1,%eax pop %ebp ret main: sub $0x18,%esp movl $0x28,0x4(%esp) movl $0xa,(%esp) call callee mov %eax,-0x4(%ebp) mov -0x4(%ebp),%eax leave int callee(int a, int b) { return a + b + 1; } int main() int a; a = callee(10, 40); return a; prologue epilogue prologue ATT assembly syntax gcc –Wall –m32 objdump –M att –D a.out leave semantics Set ESP to EBP, then pop EBP. epilogue

0xFFFFFFFF 0xfd2d4 callee: push %ebp 0x mov %esp,%ebp 0x mov 0xc(%ebp),%eax 0x mov 0x8(%ebp),%edx 0x804839a lea (%edx,%eax,1),%eax 0x804839d add $0x1,%eax 0x80483a0 pop %ebp 0x80483a3 ret 0x80483a4 main: 0x80483a5 0x80483a6 sub $0x18,%esp 0x80483a8 movl $0x28,0x4(%esp) 0x80483ab movl $0xa,(%esp) 0x80483b3 call 0x 0x80483ba mov %eax,-0x4(%ebp) 0x80483bf mov -0x4(%ebp),%eax 0x80483c2 leave 0x80483c5 0x80483c6 0x %eax %edx %esp 0xfd2d4 %ebp 0xfd2c0 %eip 0x80483a5

0xFFFFFFFF 0xfd2d4 callee: push %ebp 0x mov %esp,%ebp 0x mov 0xc(%ebp),%eax 0x mov 0x8(%ebp),%edx 0x804839a lea (%edx,%eax,1),%eax 0x804839d add $0x1,%eax 0x80483a0 pop %ebp 0x80483a3 ret 0x80483a4 main: 0x80483a5 0x80483a6 sub $0x18,%esp 0x80483a8 movl $0x28,0x4(%esp) 0x80483ab movl $0xa,(%esp) 0x80483b3 call 0x 0x80483ba mov %eax,-0x4(%ebp) 0x80483bf mov -0x4(%ebp),%eax 0x80483c2 leave 0x80483c5 0x80483c6 0x %eax %edx %esp 0xfd2d0 %ebp 0xfd2c0 %eip 0x80483a5

0xFFFFFFFF 0xfd2d4 callee: push %ebp 0x mov %esp,%ebp 0x mov 0xc(%ebp),%eax 0x mov 0x8(%ebp),%edx 0x804839a lea (%edx,%eax,1),%eax 0x804839d add $0x1,%eax 0x80483a0 pop %ebp 0x80483a3 ret 0x80483a4 main: 0x80483a5 0x80483a6 sub $0x18,%esp 0x80483a8 movl $0x28,0x4(%esp) 0x80483ab movl $0xa,(%esp) 0x80483b3 call 0x 0x80483ba mov %eax,-0x4(%ebp) 0x80483bf mov -0x4(%ebp),%eax 0x80483c2 leave 0x80483c5 0x80483c6 0xfd2c0 0x %eax %edx %esp 0xfd2d0 %ebp 0xfd2c0 %eip 0x80483a5

0xFFFFFFFF 0xfd2d4 callee: push %ebp 0x mov %esp,%ebp 0x mov 0xc(%ebp),%eax 0x mov 0x8(%ebp),%edx 0x804839a lea (%edx,%eax,1),%eax 0x804839d add $0x1,%eax 0x80483a0 pop %ebp 0x80483a3 ret 0x80483a4 main: 0x80483a5 0x80483a6 sub $0x18,%esp 0x80483a8 movl $0x28,0x4(%esp) 0x80483ab movl $0xa,(%esp) 0x80483b3 call 0x 0x80483ba mov %eax,-0x4(%ebp) 0x80483bf mov -0x4(%ebp),%eax 0x80483c2 leave 0x80483c5 0x80483c6 0xfd2c0 0x %eax %edx %esp 0xfd2d0 %ebp 0xfd2c0 %eip 0x80483a6

0xFFFFFFFF 0xfd2d4 callee: push %ebp 0x mov %esp,%ebp 0x mov 0xc(%ebp),%eax 0x mov 0x8(%ebp),%edx 0x804839a lea (%edx,%eax,1),%eax 0x804839d add $0x1,%eax 0x80483a0 pop %ebp 0x80483a3 ret 0x80483a4 main: 0x80483a5 0x80483a6 sub $0x18,%esp 0x80483a8 movl $0x28,0x4(%esp) 0x80483ab movl $0xa,(%esp) 0x80483b3 call 0x 0x80483ba mov %eax,-0x4(%ebp) 0x80483bf mov -0x4(%ebp),%eax 0x80483c2 leave 0x80483c5 0x80483c6 0xfd2c0 0x %eax %edx %esp 0xfd2d0 %ebp %eip 0x80483a6

0xFFFFFFFF 0xfd2d4 callee: push %ebp 0x mov %esp,%ebp 0x mov 0xc(%ebp),%eax 0x mov 0x8(%ebp),%edx 0x804839a lea (%edx,%eax,1),%eax 0x804839d add $0x1,%eax 0x80483a0 pop %ebp 0x80483a3 ret 0x80483a4 main: 0x80483a5 0x80483a6 sub $0x18,%esp 0x80483a8 movl $0x28,0x4(%esp) 0x80483ab movl $0xa,(%esp) 0x80483b3 call 0x 0x80483ba mov %eax,-0x4(%ebp) 0x80483bf mov -0x4(%ebp),%eax 0x80483c2 leave 0x80483c5 0x80483c6 0xfd2c0 0x %eax %edx %esp 0xfd2d0 %ebp %eip 0x80483a8

0xFFFFFFFF 0xfd2d4 callee: push %ebp 0x mov %esp,%ebp 0x mov 0xc(%ebp),%eax 0x mov 0x8(%ebp),%edx 0x804839a lea (%edx,%eax,1),%eax 0x804839d add $0x1,%eax 0x80483a0 pop %ebp 0x80483a3 ret 0x80483a4 main: 0x80483a5 0x80483a6 sub $0x18,%esp 0x80483a8 movl $0x28,0x4(%esp) 0x80483ab movl $0xa,(%esp) 0x80483b3 call 0x 0x80483ba mov %eax,-0x4(%ebp) 0x80483bf mov -0x4(%ebp),%eax 0x80483c2 leave 0x80483c5 0x80483c6 0xfd2c0 0xfd2d0 0xfd2b8 0x %eax %edx %esp 0xfd2b8 %ebp 0xfd2d0 %eip 0x80483a8

0xFFFFFFFF 0xfd2d4 callee: push %ebp 0x mov %esp,%ebp 0x mov 0xc(%ebp),%eax 0x mov 0x8(%ebp),%edx 0x804839a lea (%edx,%eax,1),%eax 0x804839d add $0x1,%eax 0x80483a0 pop %ebp 0x80483a3 ret 0x80483a4 main: 0x80483a5 0x80483a6 sub $0x18,%esp 0x80483a8 movl $0x28,0x4(%esp) 0x80483ab movl $0xa,(%esp) 0x80483b3 call 0x 0x80483ba mov %eax,-0x4(%ebp) 0x80483bf mov -0x4(%ebp),%eax 0x80483c2 leave 0x80483c5 0x80483c6 0xfd2c0 0xfd2d0 0xfd2bc 0xfd2b8 0x %eax %edx %esp 0xfd2b8 %ebp 0xfd2d0 %eip 0x80483ab

0xFFFFFFFF 0xfd2d4 callee: push %ebp 0x mov %esp,%ebp 0x mov 0xc(%ebp),%eax 0x mov 0x8(%ebp),%edx 0x804839a lea (%edx,%eax,1),%eax 0x804839d add $0x1,%eax 0x80483a0 pop %ebp 0x80483a3 ret 0x80483a4 main: 0x80483a5 0x80483a6 sub $0x18,%esp 0x80483a8 movl $0x28,0x4(%esp) 0x80483ab movl $0xa,(%esp) 0x80483b3 call 0x 0x80483ba mov %eax,-0x4(%ebp) 0x80483bf mov -0x4(%ebp),%eax 0x80483c2 leave 0x80483c5 0x80483c6 0xfd2c0 0x28 0xfd2d0 0xfd2bc 0xfd2b8 0x %eax %edx %esp 0xfd2b8 %ebp 0xfd2d0 %eip 0x80483ab

0xFFFFFFFF 0xfd2d4 callee: push %ebp 0x mov %esp,%ebp 0x mov 0xc(%ebp),%eax 0x mov 0x8(%ebp),%edx 0x804839a lea (%edx,%eax,1),%eax 0x804839d add $0x1,%eax 0x80483a0 pop %ebp 0x80483a3 ret 0x80483a4 main: 0x80483a5 0x80483a6 sub $0x18,%esp 0x80483a8 movl $0x28,0x4(%esp) 0x80483ab movl $0xa,(%esp) 0x80483b3 call 0x 0x80483ba mov %eax,-0x4(%ebp) 0x80483bf mov -0x4(%ebp),%eax 0x80483c2 leave 0x80483c5 0x80483c6 0xfd2c0 0x28 0xfd2d0 0xfd2bc 0xfd2b8 0x %eax %edx %esp 0xfd2b8 %ebp 0xfd2d0 %eip 0x80483b3

0xFFFFFFFF 0xfd2d4 callee: push %ebp 0x mov %esp,%ebp 0x mov 0xc(%ebp),%eax 0x mov 0x8(%ebp),%edx 0x804839a lea (%edx,%eax,1),%eax 0x804839d add $0x1,%eax 0x80483a0 pop %ebp 0x80483a3 ret 0x80483a4 main: 0x80483a5 0x80483a6 sub $0x18,%esp 0x80483a8 movl $0x28,0x4(%esp) 0x80483ab movl $0xa,(%esp) 0x80483b3 call 0x 0x80483ba mov %eax,-0x4(%ebp) 0x80483bf mov -0x4(%ebp),%eax 0x80483c2 leave 0x80483c5 0x80483c6 0xfd2c0 0x28 0xa 0xfd2d0 0xfd2bc 0xfd2b8 0x %eax %edx %esp 0xfd2b8 %ebp 0xfd2d0 %eip 0x80483b3

0xFFFFFFFF 0xfd2d4 callee: push %ebp 0x mov %esp,%ebp 0x mov 0xc(%ebp),%eax 0x mov 0x8(%ebp),%edx 0x804839a lea (%edx,%eax,1),%eax 0x804839d add $0x1,%eax 0x80483a0 pop %ebp 0x80483a3 ret 0x80483a4 main: 0x80483a5 0x80483a6 sub $0x18,%esp 0x80483a8 movl $0x28,0x4(%esp) 0x80483ab movl $0xa,(%esp) 0x80483b3 call 0x 0x80483ba mov %eax,-0x4(%ebp) 0x80483bf mov -0x4(%ebp),%eax 0x80483c2 leave 0x80483c5 0x80483c6 0xfd2c0 0x28 0xa 0xfd2d0 0xfd2bc 0xfd2b8 0x %eax %edx %esp 0xfd2b8 %ebp 0xfd2d0 %eip 0x80483ba

0xFFFFFFFF 0xfd2d4 callee: push %ebp 0x mov %esp,%ebp 0x mov 0xc(%ebp),%eax 0x mov 0x8(%ebp),%edx 0x804839a lea (%edx,%eax,1),%eax 0x804839d add $0x1,%eax 0x80483a0 pop %ebp 0x80483a3 ret 0x80483a4 main: 0x80483a5 0x80483a6 sub $0x18,%esp 0x80483a8 movl $0x28,0x4(%esp) 0x80483ab movl $0xa,(%esp) 0x80483b3 call 0x 0x80483ba mov %eax,-0x4(%ebp) 0x80483bf mov -0x4(%ebp),%eax 0x80483c2 leave 0x80483c5 0x80483c6 0xfd2c0 0x28 0xa 0xfd2d0 0xfd2bc 0xfd2b8 0x %eax %edx %esp 0xfd2b4 %ebp 0xfd2d0 %eip 0x80483ba

0xFFFFFFFF 0xfd2d4 callee: push %ebp 0x mov %esp,%ebp 0x mov 0xc(%ebp),%eax 0x mov 0x8(%ebp),%edx 0x804839a lea (%edx,%eax,1),%eax 0x804839d add $0x1,%eax 0x80483a0 pop %ebp 0x80483a3 ret 0x80483a4 main: 0x80483a5 0x80483a6 sub $0x18,%esp 0x80483a8 movl $0x28,0x4(%esp) 0x80483ab movl $0xa,(%esp) 0x80483b3 call 0x 0x80483ba mov %eax,-0x4(%ebp) 0x80483bf mov -0x4(%ebp),%eax 0x80483c2 leave 0x80483c5 0x80483c6 0xfd2c0 0x28 0xa 0x80483bf 0xfd2d0 0xfd2bc 0xfd2b8 0xfd2b4 0x %eax %edx %esp 0xfd2b4 %ebp 0xfd2d0 %eip 0x

0xFFFFFFFF 0xfd2d4 callee: push %ebp 0x mov %esp,%ebp 0x mov 0xc(%ebp),%eax 0x mov 0x8(%ebp),%edx 0x804839a lea (%edx,%eax,1),%eax 0x804839d add $0x1,%eax 0x80483a0 pop %ebp 0x80483a3 ret 0x80483a4 main: 0x80483a5 0x80483a6 sub $0x18,%esp 0x80483a8 movl $0x28,0x4(%esp) 0x80483ab movl $0xa,(%esp) 0x80483b3 call 0x 0x80483ba mov %eax,-0x4(%ebp) 0x80483bf mov -0x4(%ebp),%eax 0x80483c2 leave 0x80483c5 0x80483c6 0xfd2c0 0x28 0xa 0x80483bf 0xfd2d0 0xfd2bc 0xfd2b8 0xfd2b4 0xfd2b0 0x %eax %edx %esp 0xfd2b0 %ebp 0xfd2d0 %eip 0x

0xFFFFFFFF 0xfd2d4 callee: push %ebp 0x mov %esp,%ebp 0x mov 0xc(%ebp),%eax 0x mov 0x8(%ebp),%edx 0x804839a lea (%edx,%eax,1),%eax 0x804839d add $0x1,%eax 0x80483a0 pop %ebp 0x80483a3 ret 0x80483a4 main: 0x80483a5 0x80483a6 sub $0x18,%esp 0x80483a8 movl $0x28,0x4(%esp) 0x80483ab movl $0xa,(%esp) 0x80483b3 call 0x 0x80483ba mov %eax,-0x4(%ebp) 0x80483bf mov -0x4(%ebp),%eax 0x80483c2 leave 0x80483c5 0x80483c6 0xfd2c0 0x28 0xa 0x80483bf 0xfd2d0 0xfd2d0 0xfd2bc 0xfd2b8 0xfd2b4 0xfd2b0 0x %eax %edx %esp 0xfd2b0 %ebp 0xfd2d0 %eip 0x

0xFFFFFFFF 0xfd2d4 callee: push %ebp 0x mov %esp,%ebp 0x mov 0xc(%ebp),%eax 0x mov 0x8(%ebp),%edx 0x804839a lea (%edx,%eax,1),%eax 0x804839d add $0x1,%eax 0x80483a0 pop %ebp 0x80483a3 ret 0x80483a4 main: 0x80483a5 0x80483a6 sub $0x18,%esp 0x80483a8 movl $0x28,0x4(%esp) 0x80483ab movl $0xa,(%esp) 0x80483b3 call 0x 0x80483ba mov %eax,-0x4(%ebp) 0x80483bf mov -0x4(%ebp),%eax 0x80483c2 leave 0x80483c5 0x80483c6 0xfd2c0 0x28 0xa 0x80483bf 0xfd2d0 0xfd2d0 0xfd2bc 0xfd2b8 0xfd2b4 0xfd2b0 0x %eax %edx %esp 0xfd2b0 %ebp %eip 0x

0xFFFFFFFF 0xfd2d4 callee: push %ebp 0x8048394 mov %esp,%ebp 0x8048395
mov 0xc(%ebp),%eax 0x mov 0x8(%ebp),%edx 0x804839a lea (%edx,%eax,1),%eax 0x804839d add $0x1,%eax 0x80483a0 pop %ebp 0x80483a3 ret 0x80483a4 main: 0x80483a5 0x80483a6 sub $0x18,%esp 0x80483a8 movl $0x28,0x4(%esp) 0x80483ab movl $0xa,(%esp) 0x80483b3 call 0x 0x80483ba mov %eax,-0x4(%ebp) 0x80483bf mov -0x4(%ebp),%eax 0x80483c2 leave 0x80483c5 0x80483c6 main 0xfd2c0 0x28 0xa 0x80483bf 0xfd2d0 0xfd2d0 callee 0xfd2bc 0xfd2b8 0xfd2b4 0xfd2b0 0x %eax %edx %esp 0xfd2b0 %ebp %eip 0x

0xFFFFFFFF 0xfd2d4 callee: push %ebp 0x mov %esp,%ebp 0x mov 0xc(%ebp),%eax 0x mov 0x8(%ebp),%edx 0x804839a lea (%edx,%eax,1),%eax 0x804839d add $0x1,%eax 0x80483a0 pop %ebp 0x80483a3 ret 0x80483a4 main: 0x80483a5 0x80483a6 sub $0x18,%esp 0x80483a8 movl $0x28,0x4(%esp) 0x80483ab movl $0xa,(%esp) 0x80483b3 call 0x 0x80483ba mov %eax,-0x4(%ebp) 0x80483bf mov -0x4(%ebp),%eax 0x80483c2 leave 0x80483c5 0x80483c6 0xfd2c0 0x28 0xa 0x80483bf 0xfd2d0 0xfd2d0 0xfd2bc 0xfd2b8 0xfd2b4 0xfd2b0 0x %eax 0x28 %edx %esp 0xfd2b0 %ebp %eip 0x

0xFFFFFFFF 0xfd2d4 callee: push %ebp 0x mov %esp,%ebp 0x mov 0xc(%ebp),%eax 0x mov 0x8(%ebp),%edx 0x804839a lea (%edx,%eax,1),%eax 0x804839d add $0x1,%eax 0x80483a0 pop %ebp 0x80483a3 ret 0x80483a4 main: 0x80483a5 0x80483a6 sub $0x18,%esp 0x80483a8 movl $0x28,0x4(%esp) 0x80483ab movl $0xa,(%esp) 0x80483b3 call 0x 0x80483ba mov %eax,-0x4(%ebp) 0x80483bf mov -0x4(%ebp),%eax 0x80483c2 leave 0x80483c5 0x80483c6 0xfd2c0 0x28 0xa 0x80483bf 0xfd2d0 0xfd2d0 0xfd2bc 0xfd2b8 0xfd2b4 0xfd2b0 0x %eax 0x28 %edx %esp 0xfd2b0 %ebp %eip 0x804839a

0xFFFFFFFF 0xfd2d4 callee: push %ebp 0x mov %esp,%ebp 0x mov 0xc(%ebp),%eax 0x mov 0x8(%ebp),%edx 0x804839a lea (%edx,%eax,1),%eax 0x804839d add $0x1,%eax 0x80483a0 pop %ebp 0x80483a3 ret 0x80483a4 main: 0x80483a5 0x80483a6 sub $0x18,%esp 0x80483a8 movl $0x28,0x4(%esp) 0x80483ab movl $0xa,(%esp) 0x80483b3 call 0x 0x80483ba mov %eax,-0x4(%ebp) 0x80483bf mov -0x4(%ebp),%eax 0x80483c2 leave 0x80483c5 0x80483c6 0xfd2c0 0x28 0xa 0x80483bf 0xfd2d0 0xfd2d0 0xfd2bc 0xfd2b8 0xfd2b4 0xfd2b0 0x %eax 0x28 %edx 0xa %esp 0xfd2b0 %ebp %eip 0x804839a

0xFFFFFFFF 0xfd2d4 callee: push %ebp 0x mov %esp,%ebp 0x mov 0xc(%ebp),%eax 0x mov 0x8(%ebp),%edx 0x804839a lea (%edx,%eax,1),%eax 0x804839d add $0x1,%eax 0x80483a0 pop %ebp 0x80483a3 ret 0x80483a4 main: 0x80483a5 0x80483a6 sub $0x18,%esp 0x80483a8 movl $0x28,0x4(%esp) 0x80483ab movl $0xa,(%esp) 0x80483b3 call 0x 0x80483ba mov %eax,-0x4(%ebp) 0x80483bf mov -0x4(%ebp),%eax 0x80483c2 leave 0x80483c5 0x80483c6 0xfd2c0 0x28 0xa 0x80483bf 0xfd2d0 0xfd2d0 0xfd2bc 0xfd2b8 0xfd2b4 0xfd2b0 0x %eax 0x28 %edx 0xa %esp 0xfd2b0 %ebp %eip 0x804839d

0xFFFFFFFF 0xfd2d4 callee: push %ebp 0x mov %esp,%ebp 0x mov 0xc(%ebp),%eax 0x mov 0x8(%ebp),%edx 0x804839a lea (%edx,%eax,1),%eax 0x804839d add $0x1,%eax 0x80483a0 pop %ebp 0x80483a3 ret 0x80483a4 main: 0x80483a5 0x80483a6 sub $0x18,%esp 0x80483a8 movl $0x28,0x4(%esp) 0x80483ab movl $0xa,(%esp) 0x80483b3 call 0x 0x80483ba mov %eax,-0x4(%ebp) 0x80483bf mov -0x4(%ebp),%eax 0x80483c2 leave 0x80483c5 0x80483c6 0xfd2c0 0x28 0xa 0x80483bf 0xfd2d0 0xfd2d0 0xfd2bc 0xfd2b8 0xfd2b4 0xfd2b0 0x %eax 0x32 %edx 0xa %esp 0xfd2b0 %ebp %eip 0x804839d

0xFFFFFFFF 0xfd2d4 callee: push %ebp 0x mov %esp,%ebp 0x mov 0xc(%ebp),%eax 0x mov 0x8(%ebp),%edx 0x804839a lea (%edx,%eax,1),%eax 0x804839d add $0x1,%eax 0x80483a0 pop %ebp 0x80483a3 ret 0x80483a4 main: 0x80483a5 0x80483a6 sub $0x18,%esp 0x80483a8 movl $0x28,0x4(%esp) 0x80483ab movl $0xa,(%esp) 0x80483b3 call 0x 0x80483ba mov %eax,-0x4(%ebp) 0x80483bf mov -0x4(%ebp),%eax 0x80483c2 leave 0x80483c5 0x80483c6 0xfd2c0 0x28 0xa 0x80483bf 0xfd2d0 0xfd2d0 0xfd2bc 0xfd2b8 0xfd2b4 0xfd2b0 0x %eax 0x32 %edx 0xa %esp 0xfd2b0 %ebp %eip 0x80483a0

0xFFFFFFFF 0xfd2d4 callee: push %ebp 0x mov %esp,%ebp 0x mov 0xc(%ebp),%eax 0x mov 0x8(%ebp),%edx 0x804839a lea (%edx,%eax,1),%eax 0x804839d add $0x1,%eax 0x80483a0 pop %ebp 0x80483a3 ret 0x80483a4 main: 0x80483a5 0x80483a6 sub $0x18,%esp 0x80483a8 movl $0x28,0x4(%esp) 0x80483ab movl $0xa,(%esp) 0x80483b3 call 0x 0x80483ba mov %eax,-0x4(%ebp) 0x80483bf mov -0x4(%ebp),%eax 0x80483c2 leave 0x80483c5 0x80483c6 0xfd2c0 0x28 0xa 0x80483bf 0xfd2d0 0xfd2d0 0xfd2bc 0xfd2b8 0xfd2b4 0xfd2b0 0x %eax 0x33 %edx 0xa %esp 0xfd2b0 %ebp 0xfd2d0 %eip 0x80483a3

0xFFFFFFFF 0xfd2d4 callee: push %ebp 0x mov %esp,%ebp 0x mov 0xc(%ebp),%eax 0x mov 0x8(%ebp),%edx 0x804839a lea (%edx,%eax,1),%eax 0x804839d add $0x1,%eax 0x80483a0 pop %ebp 0x80483a3 ret 0x80483a4 main: 0x80483a5 0x80483a6 sub $0x18,%esp 0x80483a8 movl $0x28,0x4(%esp) 0x80483ab movl $0xa,(%esp) 0x80483b3 call 0x 0x80483ba mov %eax,-0x4(%ebp) 0x80483bf mov -0x4(%ebp),%eax 0x80483c2 leave 0x80483c5 0x80483c6 0xfd2c0 0x28 0xa 0x80483bf 0xfd2d0 0xfd2d0 0xfd2bc 0xfd2b8 0xfd2b4 0xfd2b0 0x %eax 0x33 %edx 0xa %esp 0xfd2b4 %ebp 0xfd2d0 %eip 0x80483bf

0xFFFFFFFF 0xfd2d4 callee: push %ebp 0x mov %esp,%ebp 0x mov 0xc(%ebp),%eax 0x mov 0x8(%ebp),%edx 0x804839a lea (%edx,%eax,1),%eax 0x804839d add $0x1,%eax 0x80483a0 pop %ebp 0x80483a3 ret 0x80483a4 main: 0x80483a5 0x80483a6 sub $0x18,%esp 0x80483a8 movl $0x28,0x4(%esp) 0x80483ab movl $0xa,(%esp) 0x80483b3 call 0x 0x80483ba mov %eax,-0x4(%ebp) 0x80483bf mov -0x4(%ebp),%eax 0x80483c2 leave 0x80483c5 0x80483c6 0xfd2c0 0x28 0xa 0x80483bf 0xfd2d0 0xfd2d0 0xfd2bc 0xfd2b8 0xfd2b4 0xfd2b0 0x %eax 0x33 %edx 0xa %esp 0xfd2b8 %ebp 0xfd2d0 %eip 0x80483bf

0xFFFFFFFF 0xfd2d4 callee: push %ebp 0x mov %esp,%ebp 0x mov 0xc(%ebp),%eax 0x mov 0x8(%ebp),%edx 0x804839a lea (%edx,%eax,1),%eax 0x804839d add $0x1,%eax 0x80483a0 pop %ebp 0x80483a3 ret 0x80483a4 main: 0x80483a5 0x80483a6 sub $0x18,%esp 0x80483a8 movl $0x28,0x4(%esp) 0x80483ab movl $0xa,(%esp) 0x80483b3 call 0x 0x80483ba mov %eax,-0x4(%ebp) 0x80483bf mov -0x4(%ebp),%eax 0x80483c2 leave 0x80483c5 0x80483c6 0xfd2c0 0x33 0x28 0xa 0x80483bf 0xfd2d0 0xfd2d0 0xfd2cc 0xfd2bc 0xfd2b8 0xfd2b4 0xfd2b0 0x %eax 0x33 %edx 0xa %esp 0xfd2b8 %ebp 0xfd2d0 %eip 0x80483bf

0xFFFFFFFF 0xfd2d4 callee: push %ebp 0x mov %esp,%ebp 0x mov 0xc(%ebp),%eax 0x mov 0x8(%ebp),%edx 0x804839a lea (%edx,%eax,1),%eax 0x804839d add $0x1,%eax 0x80483a0 pop %ebp 0x80483a3 ret 0x80483a4 main: 0x80483a5 0x80483a6 sub $0x18,%esp 0x80483a8 movl $0x28,0x4(%esp) 0x80483ab movl $0xa,(%esp) 0x80483b3 call 0x 0x80483ba mov %eax,-0x4(%ebp) 0x80483bf mov -0x4(%ebp),%eax 0x80483c2 leave 0x80483c5 0x80483c6 0xfd2c0 0x33 0x28 0xa 0x80483bf 0xfd2d0 0xfd2d0 0xfd2cc 0xfd2bc 0xfd2b8 0xfd2b4 0xfd2b0 0x %eax 0x33 %edx 0xa %esp 0xfd2b8 %ebp 0xfd2d0 %eip 0x80483c2

mov 0xc(%ebp),%eax 0x mov 0x8(%ebp),%edx 0x804839a lea (%edx,%eax,1),%eax 0x804839d add $0x1,%eax 0x80483a0 pop %ebp 0x80483a3 ret 0x80483a4 main: 0x80483a5 0x80483a6 sub $0x18,%esp 0x80483a8 movl $0x28,0x4(%esp) 0x80483ab movl $0xa,(%esp) 0x80483b3 call 0x 0x80483ba mov %eax,-0x4(%ebp) 0x80483bf mov -0x4(%ebp),%eax 0x80483c2 leave 0x80483c5 0x80483c6 0xfd2c0 0x33 0x28 0xa 0x80483bf 0xfd2d0 0xfd2d0 0xfd2cc 0xfd2bc 0xfd2b8 0xfd2b4 0xfd2b0 0x leave semantics Set ESP to EBP, then pop EBP. %eax 0x33 %edx 0xa %esp 0xfd2b8 %ebp 0xfd2d0 %eip 0x80483c5

mov 0xc(%ebp),%eax 0x mov 0x8(%ebp),%edx 0x804839a lea (%edx,%eax,1),%eax 0x804839d add $0x1,%eax 0x80483a0 pop %ebp 0x80483a3 ret 0x80483a4 main: 0x80483a5 0x80483a6 sub $0x18,%esp 0x80483a8 movl $0x28,0x4(%esp) 0x80483ab movl $0xa,(%esp) 0x80483b3 call 0x 0x80483ba mov %eax,-0x4(%ebp) 0x80483bf mov -0x4(%ebp),%eax 0x80483c2 leave 0x80483c5 0x80483c6 0xfd2c0 0x33 0x28 0xa 0x80483bf 0xfd2d0 0xfd2d0 0xfd2cc 0xfd2bc 0xfd2b8 0xfd2b4 0xfd2b0 0x leave semantics Set ESP to EBP, then pop EBP. %eax 0x33 %edx 0xa %esp 0xfd2d0 %ebp %eip 0x80483c5

mov 0xc(%ebp),%eax 0x mov 0x8(%ebp),%edx 0x804839a lea (%edx,%eax,1),%eax 0x804839d add $0x1,%eax 0x80483a0 pop %ebp 0x80483a3 ret 0x80483a4 main: 0x80483a5 0x80483a6 sub $0x18,%esp 0x80483a8 movl $0x28,0x4(%esp) 0x80483ab movl $0xa,(%esp) 0x80483b3 call 0x 0x80483ba mov %eax,-0x4(%ebp) 0x80483bf mov -0x4(%ebp),%eax 0x80483c2 leave 0x80483c5 0x80483c6 0xfd2c0 0x33 0x28 0xa 0x80483bf 0xfd2d0 0xfd2d0 0xfd2cc 0xfd2bc 0xfd2b8 0xfd2b4 0xfd2b0 0x leave semantics Set ESP to EBP, then pop EBP. %eax 0x33 %edx 0xa %esp 0xfd2d0 %ebp 0xfd2c0 %eip 0x80483c5

Implications of Cdecl Saved EBP and saved EIP are stored on the stack
What prevents a program/function from writing/changing those values? What would happen if they did?

mycpy: push %ebp mov %esp,%ebp sub $0x28,%esp mov 0x8(%ebp),%eax mov %eax,0x4(%esp) lea -0xc(%ebp),%eax mov %eax,(%esp) call strcpy leave ret main: sub $0x10,%esp movl $0x ,(%esp) call mycpy mov $0x ,%eax call printf mov $0x0,%eax #include <string.h> #include <stdio.h> void mycpy(char* str) { char foo[4]; strcpy(foo, str); } int main() callee("asu cse 340 fall 2015 rocks!"); printf("After"); return 0; ATT assembly syntax gcc –Wall –m32 objdump –M att –D a.out leave semantics Set ESP to EBP, then pop EBP. Fix callee()

0xFFFFFFFF 0xfd2d4 mycpy: push %ebp 0x80483f4 mov %esp,%ebp 0x80483f5 sub $0x28,%esp 0x80483f7 mov 0x8(%ebp),%eax 0x80483fa mov %eax,0x4(%esp) 0x80483fd lea -0xc(%ebp),%eax 0x mov %eax,(%esp) 0x call strcpy 0x leave 0x804840c ret 0x804840d main: 0x804840e 0x804840f sub $0x10,%esp 0x movl $0x ,(%esp) 0x call mycpy 0x804841e mov $0x ,%eax 0x 0x call printf 0x804842b mov $0x0,%eax 0x 0x 0x 0x %eax %esp 0xfd2d4 %ebp 0xfd2e0 %eip 0x804840e

0xFFFFFFFF 0xfd2d4 mycpy: push %ebp 0x80483f4 mov %esp,%ebp 0x80483f5 sub $0x28,%esp 0x80483f7 mov 0x8(%ebp),%eax 0x80483fa mov %eax,0x4(%esp) 0x80483fd lea -0xc(%ebp),%eax 0x mov %eax,(%esp) 0x call strcpy 0x leave 0x804840c ret 0x804840d main: 0x804840e 0x804840f sub $0x10,%esp 0x movl $0x ,(%esp) 0x call mycpy 0x804841e mov $0x ,%eax 0x 0x call printf 0x804842b mov $0x0,%eax 0x 0x 0x 0xfd2e0 0x %eax %esp 0xfd2d0 %ebp 0xfd2e0 %eip 0x804840e

0xFFFFFFFF 0xfd2d4 mycpy: push %ebp 0x80483f4 mov %esp,%ebp 0x80483f5 sub $0x28,%esp 0x80483f7 mov 0x8(%ebp),%eax 0x80483fa mov %eax,0x4(%esp) 0x80483fd lea -0xc(%ebp),%eax 0x mov %eax,(%esp) 0x call strcpy 0x leave 0x804840c ret 0x804840d main: 0x804840e 0x804840f sub $0x10,%esp 0x movl $0x ,(%esp) 0x call mycpy 0x804841e mov $0x ,%eax 0x 0x call printf 0x804842b mov $0x0,%eax 0x 0x 0x 0xfd2e0 0x %eax %esp 0xfd2d0 %ebp 0xfd2e0 %eip 0x804840f

0xFFFFFFFF 0xfd2d4 mycpy: push %ebp 0x80483f4 mov %esp,%ebp 0x80483f5 sub $0x28,%esp 0x80483f7 mov 0x8(%ebp),%eax 0x80483fa mov %eax,0x4(%esp) 0x80483fd lea -0xc(%ebp),%eax 0x mov %eax,(%esp) 0x call strcpy 0x leave 0x804840c ret 0x804840d main: 0x804840e 0x804840f sub $0x10,%esp 0x movl $0x ,(%esp) 0x call mycpy 0x804841e mov $0x ,%eax 0x 0x call printf 0x804842b mov $0x0,%eax 0x 0x 0x 0xfd2e0 0x %eax %esp 0xfd2d0 %ebp %eip 0x804840f

0xFFFFFFFF 0xfd2d4 mycpy: push %ebp 0x80483f4 mov %esp,%ebp 0x80483f5 sub $0x28,%esp 0x80483f7 mov 0x8(%ebp),%eax 0x80483fa mov %eax,0x4(%esp) 0x80483fd lea -0xc(%ebp),%eax 0x mov %eax,(%esp) 0x call strcpy 0x leave 0x804840c ret 0x804840d main: 0x804840e 0x804840f sub $0x10,%esp 0x movl $0x ,(%esp) 0x call mycpy 0x804841e mov $0x ,%eax 0x 0x call printf 0x804842b mov $0x0,%eax 0x 0x 0x 0xfd2e0 0x %eax %esp 0xfd2d0 %ebp %eip 0x

0xFFFFFFFF 0xfd2d4 mycpy: push %ebp 0x80483f4 mov %esp,%ebp 0x80483f5 sub $0x28,%esp 0x80483f7 mov 0x8(%ebp),%eax 0x80483fa mov %eax,0x4(%esp) 0x80483fd lea -0xc(%ebp),%eax 0x mov %eax,(%esp) 0x call strcpy 0x leave 0x804840c ret 0x804840d main: 0x804840e 0x804840f sub $0x10,%esp 0x movl $0x ,(%esp) 0x call mycpy 0x804841e mov $0x ,%eax 0x 0x call printf 0x804842b mov $0x0,%eax 0x 0x 0x 0xfd2e0 0xfd2c0 0x %eax %esp 0xfd2c0 %ebp 0xfd2d0 %eip 0x

0xFFFFFFFF 0xfd2d4 mycpy: push %ebp 0x80483f4 mov %esp,%ebp 0x80483f5 sub $0x28,%esp 0x80483f7 mov 0x8(%ebp),%eax 0x80483fa mov %eax,0x4(%esp) 0x80483fd lea -0xc(%ebp),%eax 0x mov %eax,(%esp) 0x call strcpy 0x leave 0x804840c ret 0x804840d main: 0x804840e 0x804840f sub $0x10,%esp 0x movl $0x ,(%esp) 0x call mycpy 0x804841e mov $0x ,%eax 0x 0x call printf 0x804842b mov $0x0,%eax 0x 0x 0x 0xfd2e0 0x 0xfd2c0 0x %eax %esp 0xfd2c0 %ebp 0xfd2d0 %eip 0x

0xFFFFFFFF 0xfd2d4 mycpy: push %ebp 0x80483f4 mov %esp,%ebp 0x80483f5 sub $0x28,%esp 0x80483f7 mov 0x8(%ebp),%eax 0x80483fa mov %eax,0x4(%esp) 0x80483fd lea -0xc(%ebp),%eax 0x mov %eax,(%esp) 0x call strcpy 0x leave 0x804840c ret 0x804840d main: 0x804840e 0x804840f sub $0x10,%esp 0x movl $0x ,(%esp) 0x call mycpy 0x804841e mov $0x ,%eax 0x 0x call printf 0x804842b mov $0x0,%eax 0x 0x 0x 0xfd2e0 0x 0xfd2c0 0x %eax %esp 0xfd2c0 %ebp 0xfd2d0 %eip 0x804841e

0xFFFFFFFF 0xfd2d4 mycpy: push %ebp 0x80483f4 mov %esp,%ebp 0x80483f5 sub $0x28,%esp 0x80483f7 mov 0x8(%ebp),%eax 0x80483fa mov %eax,0x4(%esp) 0x80483fd lea -0xc(%ebp),%eax 0x mov %eax,(%esp) 0x call strcpy 0x leave 0x804840c ret 0x804840d main: 0x804840e 0x804840f sub $0x10,%esp 0x movl $0x ,(%esp) 0x call mycpy 0x804841e mov $0x ,%eax 0x 0x call printf 0x804842b mov $0x0,%eax 0x 0x 0x 0xfd2e0 0x 0x 0xfd2c0 0xfd2bc 0x %eax %esp 0xfd2bc %ebp 0xfd2d0 %eip 0x80483f4

0xFFFFFFFF 0xfd2d4 mycpy: push %ebp 0x80483f4 mov %esp,%ebp 0x80483f5 sub $0x28,%esp 0x80483f7 mov 0x8(%ebp),%eax 0x80483fa mov %eax,0x4(%esp) 0x80483fd lea -0xc(%ebp),%eax 0x mov %eax,(%esp) 0x call strcpy 0x leave 0x804840c ret 0x804840d main: 0x804840e 0x804840f sub $0x10,%esp 0x movl $0x ,(%esp) 0x call mycpy 0x804841e mov $0x ,%eax 0x 0x call printf 0x804842b mov $0x0,%eax 0x 0x 0x 0xfd2e0 0x 0x 0xfd2d0 0xfd2c0 0xfd2bc 0xfd2b8 0x %eax %esp 0xfd2b8 %ebp 0xfd2d0 %eip 0x80483f4

0xFFFFFFFF 0xfd2d4 mycpy: push %ebp 0x80483f4 mov %esp,%ebp 0x80483f5 sub $0x28,%esp 0x80483f7 mov 0x8(%ebp),%eax 0x80483fa mov %eax,0x4(%esp) 0x80483fd lea -0xc(%ebp),%eax 0x mov %eax,(%esp) 0x call strcpy 0x leave 0x804840c ret 0x804840d main: 0x804840e 0x804840f sub $0x10,%esp 0x movl $0x ,(%esp) 0x call mycpy 0x804841e mov $0x ,%eax 0x 0x call printf 0x804842b mov $0x0,%eax 0x 0x 0x 0xfd2e0 0x 0x 0xfd2d0 0xfd2c0 0xfd2bc 0xfd2b8 0x %eax %esp 0xfd2b8 %ebp 0xfd2d0 %eip 0x80483f5

0xFFFFFFFF 0xfd2d4 mycpy: push %ebp 0x80483f4 mov %esp,%ebp 0x80483f5 sub $0x28,%esp 0x80483f7 mov 0x8(%ebp),%eax 0x80483fa mov %eax,0x4(%esp) 0x80483fd lea -0xc(%ebp),%eax 0x mov %eax,(%esp) 0x call strcpy 0x leave 0x804840c ret 0x804840d main: 0x804840e 0x804840f sub $0x10,%esp 0x movl $0x ,(%esp) 0x call mycpy 0x804841e mov $0x ,%eax 0x 0x call printf 0x804842b mov $0x0,%eax 0x 0x 0x 0xfd2e0 0x 0x 0xfd2d0 0xfd2c0 0xfd2bc 0xfd2b8 0x %eax %esp 0xfd2b8 %ebp %eip 0x80483f5

0xfd2d4 mycpy: push %ebp 0x80483f4 mov %esp,%ebp 0x80483f5
0xfd2e0 0x 0x 0xfd2d0 0xfd2d4 mycpy: push %ebp 0x80483f4 mov %esp,%ebp 0x80483f5 sub $0x28,%esp 0x80483f7 mov 0x8(%ebp),%eax 0x80483fa mov %eax,0x4(%esp) 0x80483fd lea -0xc(%ebp),%eax 0x mov %eax,(%esp) 0x call strcpy 0x leave 0x804840c ret 0x804840d main: 0x804840e 0x804840f sub $0x10,%esp 0x movl $0x ,(%esp) 0x call mycpy 0x804841e mov $0x ,%eax 0x 0x call printf 0x804842b mov $0x0,%eax 0x 0x 0x 0xfd2c0 0xfd2bc 0xfd2b8 %eax %esp 0xfd2b8 %ebp %eip 0x80483f7

0xfd2e0 0x 0x 0xfd2d0 0xfd2d4 mycpy: push %ebp 0x80483f4 mov %esp,%ebp 0x80483f5 sub $0x28,%esp 0x80483f7 mov 0x8(%ebp),%eax 0x80483fa mov %eax,0x4(%esp) 0x80483fd lea -0xc(%ebp),%eax 0x mov %eax,(%esp) 0x call strcpy 0x leave 0x804840c ret 0x804840d main: 0x804840e 0x804840f sub $0x10,%esp 0x movl $0x ,(%esp) 0x call mycpy 0x804841e mov $0x ,%eax 0x 0x call printf 0x804842b mov $0x0,%eax 0x 0x 0x 0xfd2c0 0xfd2bc 0xfd2b8 0xfd290 %eax %esp 0xfd290 %ebp 0xfd2b8 %eip 0x80483f7

0xfd2e0 0x 0x 0xfd2d0 0xfd2d4 mycpy: push %ebp 0x80483f4 mov %esp,%ebp 0x80483f5 sub $0x28,%esp 0x80483f7 mov 0x8(%ebp),%eax 0x80483fa mov %eax,0x4(%esp) 0x80483fd lea -0xc(%ebp),%eax 0x mov %eax,(%esp) 0x call strcpy 0x leave 0x804840c ret 0x804840d main: 0x804840e 0x804840f sub $0x10,%esp 0x movl $0x ,(%esp) 0x call mycpy 0x804841e mov $0x ,%eax 0x 0x call printf 0x804842b mov $0x0,%eax 0x 0x 0x 0xfd2c0 0xfd2bc 0xfd2b8 0xfd290 %eax %esp 0xfd290 %ebp 0xfd2b8 %eip 0x80483fa

0xfd2e0 0x 0x 0xfd2d0 0xfd2d4 mycpy: push %ebp 0x80483f4 mov %esp,%ebp 0x80483f5 sub $0x28,%esp 0x80483f7 mov 0x8(%ebp),%eax 0x80483fa mov %eax,0x4(%esp) 0x80483fd lea -0xc(%ebp),%eax 0x mov %eax,(%esp) 0x call strcpy 0x leave 0x804840c ret 0x804840d main: 0x804840e 0x804840f sub $0x10,%esp 0x movl $0x ,(%esp) 0x call mycpy 0x804841e mov $0x ,%eax 0x 0x call printf 0x804842b mov $0x0,%eax 0x 0x 0x 0xfd2c0 0xfd2bc 0xfd2b8 0xfd290 %eax 0x %esp 0xfd290 %ebp 0xfd2b8 %eip 0x80483fa

0xfd2e0 0x 0x 0xfd2d0 0xfd2d4 mycpy: push %ebp 0x80483f4 mov %esp,%ebp 0x80483f5 sub $0x28,%esp 0x80483f7 mov 0x8(%ebp),%eax 0x80483fa mov %eax,0x4(%esp) 0x80483fd lea -0xc(%ebp),%eax 0x mov %eax,(%esp) 0x call strcpy 0x leave 0x804840c ret 0x804840d main: 0x804840e 0x804840f sub $0x10,%esp 0x movl $0x ,(%esp) 0x call mycpy 0x804841e mov $0x ,%eax 0x 0x call printf 0x804842b mov $0x0,%eax 0x 0x 0x 0xfd2c0 0xfd2bc 0xfd2b8 0xfd290 %eax 0x %esp 0xfd290 %ebp 0xfd2b8 %eip 0x80483fd

0xfd2e0 0x 0x 0xfd2d0 0xfd2d4 mycpy: push %ebp 0x80483f4 mov %esp,%ebp 0x80483f5 sub $0x28,%esp 0x80483f7 mov 0x8(%ebp),%eax 0x80483fa mov %eax,0x4(%esp) 0x80483fd lea -0xc(%ebp),%eax 0x mov %eax,(%esp) 0x call strcpy 0x leave 0x804840c ret 0x804840d main: 0x804840e 0x804840f sub $0x10,%esp 0x movl $0x ,(%esp) 0x call mycpy 0x804841e mov $0x ,%eax 0x 0x call printf 0x804842b mov $0x0,%eax 0x 0x 0x 0xfd2c0 0xfd2bc 0xfd2b8 0xfd2ac 0xfd290 %eax 0xfd2ac %esp 0xfd290 %ebp 0xfd2b8 %eip 0x

0xfd2e0 0x 0x 0xfd2d0 0xfd2ac 0xfd2d4 mycpy: push %ebp 0x80483f4 mov %esp,%ebp 0x80483f5 sub $0x28,%esp 0x80483f7 mov 0x8(%ebp),%eax 0x80483fa mov %eax,0x4(%esp) 0x80483fd lea -0xc(%ebp),%eax 0x mov %eax,(%esp) 0x call strcpy 0x leave 0x804840c ret 0x804840d main: 0x804840e 0x804840f sub $0x10,%esp 0x movl $0x ,(%esp) 0x call mycpy 0x804841e mov $0x ,%eax 0x 0x call printf 0x804842b mov $0x0,%eax 0x 0x 0x 0xfd2c0 0xfd2bc 0xfd2b8 0xfd2ac 0xfd290 %eax 0xfd2ac %esp 0xfd290 %ebp 0xfd2b8 %eip 0x

0xfd2e0 0x 0x 0xfd2d0 0xfd2ac 0xfd2d4 mycpy: push %ebp 0x80483f4 mov %esp,%ebp 0x80483f5 sub $0x28,%esp 0x80483f7 mov 0x8(%ebp),%eax 0x80483fa mov %eax,0x4(%esp) 0x80483fd lea -0xc(%ebp),%eax 0x mov %eax,(%esp) 0x call strcpy 0x leave 0x804840c ret 0x804840d main: 0x804840e 0x804840f sub $0x10,%esp 0x movl $0x ,(%esp) 0x call mycpy 0x804841e mov $0x ,%eax 0x 0x call printf 0x804842b mov $0x0,%eax 0x 0x 0x 0xfd2c0 0xfd2bc 0xfd2b8 0xfd2ac 0xfd290 %eax 0xfd2ac %esp 0xfd290 %ebp 0xfd2b8 %eip 0x804840c

0xfd2e0 0x 0x 0xfd2d0 0xfd2ac 0x : "asu cse 340 fall 2015 rocks!" 0xfd2d4 mycpy: push %ebp 0x80483f4 mov %esp,%ebp 0x80483f5 sub $0x28,%esp 0x80483f7 mov 0x8(%ebp),%eax 0x80483fa mov %eax,0x4(%esp) 0x80483fd lea -0xc(%ebp),%eax 0x mov %eax,(%esp) 0x call strcpy 0x leave 0x804840c ret 0x804840d main: 0x804840e 0x804840f sub $0x10,%esp 0x movl $0x ,(%esp) 0x call mycpy 0x804841e mov $0x ,%eax 0x 0x call printf 0x804842b mov $0x0,%eax 0x 0x 0x 0xfd2c0 0xfd2bc 0xfd2b8 0xfd2ac 0xfd290 %eax 0xfd2ac %esp 0xfd290 %ebp 0xfd2b8 %eip 0x804840c

0xfd2e0 0x 0x 0xfd2d0 asu (0x ) 0xfd2ac 0x : "asu cse 340 fall 2015 rocks!" 0xfd2d4 mycpy: push %ebp 0x80483f4 mov %esp,%ebp 0x80483f5 sub $0x28,%esp 0x80483f7 mov 0x8(%ebp),%eax 0x80483fa mov %eax,0x4(%esp) 0x80483fd lea -0xc(%ebp),%eax 0x mov %eax,(%esp) 0x call strcpy 0x leave 0x804840c ret 0x804840d main: 0x804840e 0x804840f sub $0x10,%esp 0x movl $0x ,(%esp) 0x call mycpy 0x804841e mov $0x ,%eax 0x 0x call printf 0x804842b mov $0x0,%eax 0x 0x 0x 0xfd2c0 0xfd2bc 0xfd2b8 0xfd2ac 0xfd290 %eax 0xfd2ac %esp 0xfd290 %ebp 0xfd2b8 %eip 0x804840c

0xfd2e0 0x 0x 0xfd2d0 cse (0x ) asu (0x ) 0xfd2ac 0x : "asu cse 340 fall 2015 rocks!" 0xfd2d4 mycpy: push %ebp 0x80483f4 mov %esp,%ebp 0x80483f5 sub $0x28,%esp 0x80483f7 mov 0x8(%ebp),%eax 0x80483fa mov %eax,0x4(%esp) 0x80483fd lea -0xc(%ebp),%eax 0x mov %eax,(%esp) 0x call strcpy 0x leave 0x804840c ret 0x804840d main: 0x804840e 0x804840f sub $0x10,%esp 0x movl $0x ,(%esp) 0x call mycpy 0x804841e mov $0x ,%eax 0x 0x call printf 0x804842b mov $0x0,%eax 0x 0x 0x 0xfd2c0 0xfd2bc 0xfd2b8 0xfd2ac 0xfd290 %eax 0xfd2ac %esp 0xfd290 %ebp 0xfd2b8 %eip 0x804840c

0xfd2e0 0x 0x 0xfd2d0 340 (0x ) cse (0x ) asu (0x ) 0xfd2ac 0x : "asu cse 340 fall 2015 rocks!" 0xfd2d4 mycpy: push %ebp 0x80483f4 mov %esp,%ebp 0x80483f5 sub $0x28,%esp 0x80483f7 mov 0x8(%ebp),%eax 0x80483fa mov %eax,0x4(%esp) 0x80483fd lea -0xc(%ebp),%eax 0x mov %eax,(%esp) 0x call strcpy 0x leave 0x804840c ret 0x804840d main: 0x804840e 0x804840f sub $0x10,%esp 0x movl $0x ,(%esp) 0x call mycpy 0x804841e mov $0x ,%eax 0x 0x call printf 0x804842b mov $0x0,%eax 0x 0x 0x 0xfd2c0 0xfd2bc 0xfd2b8 0xfd2ac 0xfd290 %eax 0xfd2ac %esp 0xfd290 %ebp 0xfd2b8 %eip 0x804840c

0xfd2e0 0x 0x fall (0x6c6c6166) 340 (0x ) cse (0x ) asu (0x ) 0xfd2ac 0x : "asu cse 340 fall 2015 rocks!" 0xfd2d4 mycpy: push %ebp 0x80483f4 mov %esp,%ebp 0x80483f5 sub $0x28,%esp 0x80483f7 mov 0x8(%ebp),%eax 0x80483fa mov %eax,0x4(%esp) 0x80483fd lea -0xc(%ebp),%eax 0x mov %eax,(%esp) 0x call strcpy 0x leave 0x804840c ret 0x804840d main: 0x804840e 0x804840f sub $0x10,%esp 0x movl $0x ,(%esp) 0x call mycpy 0x804841e mov $0x ,%eax 0x 0x call printf 0x804842b mov $0x0,%eax 0x 0x 0x 0xfd2c0 0xfd2bc 0xfd2b8 0xfd2ac 0xfd290 %eax 0xfd2ac %esp 0xfd290 %ebp 0xfd2b8 %eip 0x804840c

0xfd2e0 0x 201 (0x ) fall (0x6c6c6166) 340 (0x ) cse (0x ) asu (0x ) 0xfd2ac 0x : "asu cse 340 fall 2015 rocks!" 0xfd2d4 mycpy: push %ebp 0x80483f4 mov %esp,%ebp 0x80483f5 sub $0x28,%esp 0x80483f7 mov 0x8(%ebp),%eax 0x80483fa mov %eax,0x4(%esp) 0x80483fd lea -0xc(%ebp),%eax 0x mov %eax,(%esp) 0x call strcpy 0x leave 0x804840c ret 0x804840d main: 0x804840e 0x804840f sub $0x10,%esp 0x movl $0x ,(%esp) 0x call mycpy 0x804841e mov $0x ,%eax 0x 0x call printf 0x804842b mov $0x0,%eax 0x 0x 0x 0xfd2c0 0xfd2bc 0xfd2b8 0xfd2ac 0xfd290 %eax 0xfd2ac %esp 0xfd290 %ebp 0xfd2b8 %eip 0x804840c

0xfd2e0 5 ro (0x6f722035) 201 (0x ) fall (0x6c6c6166) 340 (0x ) cse (0x ) asu (0x ) 0x 0xfd2ac 0x : "asu cse 340 fall 2015 rocks!" 0xfd2d4 mycpy: push %ebp 0x80483f4 mov %esp,%ebp 0x80483f5 sub $0x28,%esp 0x80483f7 mov 0x8(%ebp),%eax 0x80483fa mov %eax,0x4(%esp) 0x80483fd lea -0xc(%ebp),%eax 0x mov %eax,(%esp) 0x call strcpy 0x leave 0x804840c ret 0x804840d main: 0x804840e 0x804840f sub $0x10,%esp 0x movl $0x ,(%esp) 0x call mycpy 0x804841e mov $0x ,%eax 0x 0x call printf 0x804842b mov $0x0,%eax 0x 0x 0x 0xfd2c0 0xfd2bc 0xfd2b8 0xfd2ac 0xfd290 %eax 0xfd2ac %esp 0xfd290 %ebp 0xfd2b8 %eip 0x804840c

0xfd2e0 cks! (0x21736b63) 5 ro (0x6f722035) 201 (0x ) fall (0x6c6c6166) 340 (0x ) cse (0x ) asu (0x ) 0x 0xfd2ac 0x : "asu cse 340 fall 2015 rocks!" 0xfd2d4 mycpy: push %ebp 0x80483f4 mov %esp,%ebp 0x80483f5 sub $0x28,%esp 0x80483f7 mov 0x8(%ebp),%eax 0x80483fa mov %eax,0x4(%esp) 0x80483fd lea -0xc(%ebp),%eax 0x mov %eax,(%esp) 0x call strcpy 0x leave 0x804840c ret 0x804840d main: 0x804840e 0x804840f sub $0x10,%esp 0x movl $0x ,(%esp) 0x call mycpy 0x804841e mov $0x ,%eax 0x 0x call printf 0x804842b mov $0x0,%eax 0x 0x 0x 0xfd2c0 0xfd2bc 0xfd2b8 0xfd2ac 0xfd290 %eax 0xfd2ac %esp 0xfd290 %ebp 0xfd2b8 %eip 0x804840c

0xfd2e0 cks! (0x21736b63) 5 ro (0x6f722035) 201 (0x ) fall (0x6c6c6166) 340 (0x ) cse (0x ) asu (0x ) 0x 0xfd2ac 0x : "asu cse 340 fall 2015 rocks!" 0xfd2d4 mycpy: push %ebp 0x80483f4 mov %esp,%ebp 0x80483f5 sub $0x28,%esp 0x80483f7 mov 0x8(%ebp),%eax 0x80483fa mov %eax,0x4(%esp) 0x80483fd lea -0xc(%ebp),%eax 0x mov %eax,(%esp) 0x call strcpy 0x leave 0x804840c ret 0x804840d main: 0x804840e 0x804840f sub $0x10,%esp 0x movl $0x ,(%esp) 0x call mycpy 0x804841e mov $0x ,%eax 0x 0x call printf 0x804842b mov $0x0,%eax 0x 0x 0x 0xfd2c0 0xfd2bc 0xfd2b8 0xfd2ac 0xfd290 %eax 0xfd2ac %esp 0xfd2b8 %ebp %eip 0x804840c

0xfd2e0 cks! (0x21736b63) 5 ro (0x6f722035) 201 (0x ) fall (0x6c6c6166) 340 (0x ) cse (0x ) asu (0x ) 0x 0xfd2ac 0x : "asu cse 340 fall 2015 rocks!" 0xfd2d4 mycpy: push %ebp 0x80483f4 mov %esp,%ebp 0x80483f5 sub $0x28,%esp 0x80483f7 mov 0x8(%ebp),%eax 0x80483fa mov %eax,0x4(%esp) 0x80483fd lea -0xc(%ebp),%eax 0x mov %eax,(%esp) 0x call strcpy 0x leave 0x804840c ret 0x804840d main: 0x804840e 0x804840f sub $0x10,%esp 0x movl $0x ,(%esp) 0x call mycpy 0x804841e mov $0x ,%eax 0x 0x call printf 0x804842b mov $0x0,%eax 0x 0x 0x 0xfd2c0 0xfd2bc 0xfd2b8 0xfd2ac 0xfd290 %eax 0xfd2ac %esp 0xfd2bc %ebp 0x6c6c6166 %eip 0x804840c

0xfd2e0 cks! (0x21736b63) 5 ro (0x6f722035) 201 (0x ) fall (0x6c6c6166) 340 (0x ) cse (0x ) asu (0x ) 0x 0xfd2ac 0x : "asu cse 340 fall 2015 rocks!" 0xfd2d4 mycpy: push %ebp 0x80483f4 mov %esp,%ebp 0x80483f5 sub $0x28,%esp 0x80483f7 mov 0x8(%ebp),%eax 0x80483fa mov %eax,0x4(%esp) 0x80483fd lea -0xc(%ebp),%eax 0x mov %eax,(%esp) 0x call strcpy 0x leave 0x804840c ret 0x804840d main: 0x804840e 0x804840f sub $0x10,%esp 0x movl $0x ,(%esp) 0x call mycpy 0x804841e mov $0x ,%eax 0x 0x call printf 0x804842b mov $0x0,%eax 0x 0x 0x 0xfd2c0 0xfd2bc 0xfd2b8 0xfd2ac 0xfd290 %eax 0xfd2ac %esp 0xfd2bc %ebp 0x6c6c6166 %eip 0x804840d

0xfd2e0 cks! (0x21736b63) 5 ro (0x6f722035) 201 (0x ) fall (0x6c6c6166) 340 (0x ) cse (0x ) asu (0x ) 0x 0xfd2ac 0x : "asu cse 340 fall 2015 rocks!" 0xfd2d4 mycpy: push %ebp 0x80483f4 mov %esp,%ebp 0x80483f5 sub $0x28,%esp 0x80483f7 mov 0x8(%ebp),%eax 0x80483fa mov %eax,0x4(%esp) 0x80483fd lea -0xc(%ebp),%eax 0x mov %eax,(%esp) 0x call strcpy 0x leave 0x804840c ret 0x804840d main: 0x804840e 0x804840f sub $0x10,%esp 0x movl $0x ,(%esp) 0x call mycpy 0x804841e mov $0x ,%eax 0x 0x call printf 0x804842b mov $0x0,%eax 0x 0x 0x 0xfd2c0 0xfd2bc 0xfd2b8 0xfd2ac 0xfd290 %eax 0xfd2ac %esp 0xfd2c0 %ebp 0x6c6c6166 %eip 0x

0xfd2e0 cks! (0x21736b63) 5 ro (0x6f722035) 201 (0x ) fall (0x6c6c6166) 340 (0x ) cse (0x ) asu (0x ) 0x 0xfd2ac 0x : "asu cse 340 fall 2015 rocks!" 0xfd2d4 mycpy: push %ebp 0x80483f4 mov %esp,%ebp 0x80483f5 sub $0x28,%esp 0x80483f7 mov 0x8(%ebp),%eax 0x80483fa mov %eax,0x4(%esp) 0x80483fd lea -0xc(%ebp),%eax 0x mov %eax,(%esp) 0x call strcpy 0x leave 0x804840c ret 0x804840d main: 0x804840e 0x804840f sub $0x10,%esp 0x movl $0x ,(%esp) 0x call mycpy 0x804841e mov $0x ,%eax 0x 0x call printf 0x804842b mov $0x0,%eax 0x 0x 0x 0xfd2c0 0xfd2bc 0xfd2b8 0xfd2ac Segmentation Fault! 0xfd290 %eax 0xfd2ac %esp 0xfd2c0 %ebp 0x6c6c6166 %eip 0x

[adamd@ragnuk examples]$ gcc -Wall -m32 buffer_overflow.c
examples]$ ./a.out Segmentation fault (core dumped) examples]$ gdb ./a.out (gdb) r Starting program: a.out Program received signal SIGSEGV, Segmentation fault.0x in ?? () (gdb) info registers eax 0xffffd1fc ecx 0x edx 0x ebx 0x908ff esp 0xffffd210 0xffffd210 ebp 0x6c6c x6c6c6166 esi 0x edi 0x eip 0x x e ... #include <string.h> #include <stdio.h> void mycpy(char* str) { char foo[4]; strcpy(foo, str); } int main() callee("asu cse 340 fall 2015 rocks!"); printf("After"); return 0; ATT assembly syntax gcc –Wall –m32 objdump –M att –D a.out leave semantics Set ESP to EBP, then pop EBP.

Buffer Overflow Classic security vulnerability is when an attacker can overwrite the saved EIP value on the stack The attacker's goal is to change a saved EIP value to point to attacker's data Where the program will start executing the attacker's data as code One of the most common vulnerabilities in C and C++ programs Why?

Function Parameter Passing
How cdecl calling convention pass parameters to the function callee? Pushed the values onto the stack What are the semantics of passing parameters to a function? Multiple approaches Pass by value Pass by reference Pass by name

Pass by Value Values of the actual parameters at function invocation are calculated and then copied to the function We have seen how this is done for C, a copy of the values are placed on the stack

#include <stdio.h> int x; void test(int x) { x = x + 5; printf("%d\n", x); } int main() int y = 4; test(y); printf("%d\n", y); return y; gcc –Wall pass_by_value.c ./a.out 9 4 x 9 4 y 4

Pass by Reference The formal parameters are bound to the locations associated with the actual parameters Thus, the actual parameters must be l-values

#include <stdio.h> int x; void test(int& x) { x = x + 5; printf("%d\n", x); } int main() int y = 4; test(y); printf("%d\n", y); return y; g++ –Wall pass_by_value.c ./a.out 9 x y 9 4

Pass by name The formal parameters are replaced by the text of the actual parameters everywhere in the function that the formal parameters occur Algol 60

#include <stdio.h> int x; void test(int x) { x = x + 5; printf("%d\n", x); } int main() int y = 4; test(y); printf("%d\n", y); return y; void test(int y) y = y + 5; gcc –Wall pass_by_name_1.c ./a.out 9

#include <stdio.h> int i; int a[10]; void inc(int x) { i++; x++; } int main() i = 1; a[1] = 1; a[2] = 2; inc(a[i]); printf("%d\n%d\n%d\n", i, a[1], a[2]); return 0; void inc(int a[i]) a[i]++; gcc –Wall pass_by_name_2.c ./a.out 2 1 3

[adamd@ragnuk]$ gcc –Wall pass_by_name_3.c [adamd@ragnuk]$ ./a.out 5
#include <stdio.h> int i; int p(int y) { int j = y; i++; return j + y; } void q() int j = 2; i = 0; printf("%d\n", p(i+j)); } int main() q(); return 0; int p(int (i+j)) int j = (i+j); return j + (i+j); gcc –Wall pass_by_name_3.c ./a.out 5

#include <stdio.h> int foo(int test) { return 10; } int main() int a = 0; int b = foo(a++); printf("%d\n%d\n", a, b); return 0; int foo(int a++) gcc –Wall pass_by_name_4.c ./a.out 10

[adamd@ragnuk]$ gcc –Wall pass_by_name_simulation.c
./a.out 5 #include <stdio.h> int i; int p(int y) { int j = y; i++; return j + y; } void q() int j = 2; i = 0; printf("%d\n", p(i+j)); } int main() q(); return 0; int i, j; int i_plus_j() return i+j; int p(int (*y)(void)) int j = y(); return j + y(); j = 2; printf("%d\n", p(i_plus_j)); }

Java What is the parameter passing semantics of Java? Pass by value?
Pass by reference? Pass by name?

class Testing { int foo; } public class ParameterPassing public static void main(String [] args) Testing bar = new Testing(); Testing snap = new Testing(); bar.foo = 0; snap.foo = 10; PassByQuestionMark(bar, snap); System.out.println(bar.foo + "\n" + snap.foo); public static void PassByQuestionMark(Testing a, Testing b) b = new Testing(); b.foo = 100; a.foo = 42;

Java Essentially pass by value and assignment share semantics
Note that this is not standard terminology How is it implemented under-the-hood?

Local Functions From what we have seen so far, variables are either global or local What if we want a language that allows defining local functions Functions that are only valid in the containing scope

[adamd@ragnuk]$ gcc –Wall local_functions.c [adamd@ragnuk]$ ./a.out 10
#include <stdio.h> void foo() { int x; void bar() void baz() x = x + 1; if (x < 10) bar(); } baz(); x = 0; printf("%d\n", x); gcc –Wall local_functions.c ./a.out 10

Local Functions Can the previously discussed cdecl calling convention support support local functions?

foo #include <stdio.h> void foo() { int x; void bar() void baz() x = x + 1; if (x < 10) bar(); } baz(); x = 0; printf("%d\n", x);

foo bar #include <stdio.h> void foo() { int x; void bar() void baz() x = x + 1; if (x < 10) bar(); } baz(); x = 0; printf("%d\n", x);

foo bar baz #include <stdio.h> void foo() { int x; void bar() void baz() x = x + 1; if (x < 10) bar(); } baz(); x = 0; printf("%d\n", x);

Access Link Saved base pointer (EBP) save the caller's base pointer
We want the base pointer of our lexical parent, not our caller's parent Thus, we need to add another element to our calling convention This is called the "access link" Therefore, a function can follow the access links until the last lexical scope is found

foo bar baz #include <stdio.h> void foo() { int x; void bar() void baz() x = x + 1; if (x < 10) bar(); } baz(); x = 0; printf("%d\n", x);

The Runtime Environment

Similar presentations

Presentation on theme: "The Runtime Environment"— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

The Runtime Environment

Similar presentations

Presentation on theme: "The Runtime Environment"— Presentation transcript:

Similar presentations

About project

Feedback