Msg/MemoryStackRedZone
From CPUlator Wiki
Latest revision as of 00:50, 30 September 2019
A stack frame is the region of memory used by an executing function. Memory at or above the stack pointer is allocated stack space that the function may use; addresses below the stack pointer must not be used until they have been allocated by moving the stack pointer down, because that memory is not yet reserved for the function and any function it calls is free to overwrite it. This warning tells you that a memory access touched memory near, but below, the stack pointer. It most likely (though not necessarily) indicates a bug in how stack space is allocated, used, and deallocated.
Example
ARMv7
.global _start
_start:
mov sp, #0x1000 // Initialize SP to something sane
bl Func
Func:
str r0, [sp, #-4] // Store to stack space we haven't allocated yet
sub sp, #4 // Allocate stack space: Too late.
add sp, #4 // Deallocate stack space
bx lr
Nios II
.global _start
_start:
movi sp, 0x1000 # Initialize SP to something sane
call Func
Func:
stw r0, -4(sp) # Store to stack space we haven't allocated yet
subi sp, sp, 4 # Allocate stack space: Too late.
addi sp, sp, 4 # Deallocate stack space
ret
MIPS
.global _start
_start:
li $sp, 0x1000 # Initialize SP to something sane
jal Func
Func:
sw $0, -4($sp) # Store to stack space we haven't allocated yet
addiu $sp, $sp, -4 # Allocate stack space: Too late.
addiu $sp, $sp, 4 # Deallocate stack space
jr $ra
In the above examples, the stack pointer is 0x1000 when the store executes, but the access is to 0x0ffc, which is not allocated stack space because it lies below the stack pointer value (0x1000). Moving the stack pointer down first (the sub/subi/addiu instruction) would have made 0x0ffc the new top of the stack, and the same store would then be valid.
Debugging
- Check that any stack space needed by a function is allocated before it is used. Also ensure that stack space is not used after it has been deallocated.
- Another common cause is running off the beginning of an array located on the stack while iterating over it (an out-of-bounds access in the "buffer overflow" family, a well-known cause of security vulnerabilities). Check the address of each flagged memory access and make sure it falls inside the buffer you intended.
Implementation
The simulator identifies idiomatic call and return instructions as they execute. At each call it records register values, including the stack pointer at the beginning of the called function, and compares the address of every memory access against that stack pointer. The warning is generated when an access hits the 128-byte region immediately below the stack pointer, and it is reported at the offending load or store rather than at the call.
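The following C program is an added illustration of the rule described above and of the two Debugging bullets; it is not CPUlator's code. It models the check as "flag any load or store whose byte range overlaps the 128 bytes just below the stack pointer" and replays the page's ARMv7 example (call with sp = 0x1000, store to 0x0ffc before the sub) plus a loop that runs off the start of a stack array. The page says the comparison uses the stack pointer recorded at function entry; exactly which value bounds the zone after the function has moved SP is not spelled out, so this model checks against the current SP, which is an assumption on my part. The struct and function names (frame_state, hits_red_zone, replay_page_example, replay_array_underrun, probe) are mine.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Width of the region checked below the stack pointer, as stated on the page. */
#define RED_ZONE_BYTES 128u

/* Minimal model of the bookkeeping the check needs. Names are hypothetical. */
typedef struct {
    uint32_t sp;        /* current stack pointer */
    uint32_t entry_sp;  /* SP recorded at the most recent call (for the report) */
} frame_state;

/* True if the byte range [addr, addr+size) overlaps the red zone
 * [sp - RED_ZONE_BYTES, sp). Assumption: the zone is anchored at the current SP. */
bool hits_red_zone(const frame_state *f, uint32_t addr, uint32_t size)
{
    uint32_t lo = f->sp - RED_ZONE_BYTES;   /* inclusive lower bound */
    uint32_t hi = f->sp;                    /* exclusive upper bound */
    return addr < hi && addr + size > lo;   /* half-open interval overlap */
}

/* Convenience wrapper: check one access against a frame entered with `sp`. */
bool probe(uint32_t sp, uint32_t addr, uint32_t size)
{
    frame_state f = { .sp = sp, .entry_sp = sp };
    return hits_red_zone(&f, addr, size);
}

/* Report and count a flagged access; the warning is tied to the load/store itself. */
static unsigned check_access(const frame_state *f, const char *insn, uint32_t addr, uint32_t size)
{
    if (!hits_red_zone(f, addr, size))
        return 0;
    printf("warning: %s -> 0x%08x is unallocated stack (sp=0x%08x, entered with sp=0x%08x)\n",
           insn, (unsigned)addr, (unsigned)f->sp, (unsigned)f->entry_sp);
    return 1;
}

/* Replays the page's ARMv7 example and then a use-after-deallocation.
 * Returns the number of warnings (expected: 2). */
unsigned replay_page_example(void)
{
    frame_state f = { .sp = 0x1000, .entry_sp = 0x1000 };     /* "bl Func" records SP */
    unsigned warnings = 0;
    warnings += check_access(&f, "str r0, [sp, #-4]", f.sp - 4, 4); /* 0x0ffc < sp: flagged */
    f.sp -= 4;                                                     /* sub sp, #4: allocate */
    warnings += check_access(&f, "str r0, [sp]", f.sp, 4);         /* 0x0ffc == sp: fine */
    f.sp += 4;                                                     /* add sp, #4: deallocate */
    warnings += check_access(&f, "ldr r0, [sp, #-4]", f.sp - 4, 4); /* freed slot: flagged */
    return warnings;
}

/* Second Debugging bullet: iterate a 4-word stack array with an index that
 * reaches -1, so buf[-1] lands at sp - 4. Returns flagged iterations (expected: 1). */
unsigned replay_array_underrun(void)
{
    frame_state f = { .sp = 0x1000, .entry_sp = 0x1000 };
    f.sp -= 16;                                  /* allocate uint32_t buf[4] at sp */
    unsigned warnings = 0;
    for (int i = 3; i >= -1; i--)                /* off-by-one: should stop at i == 0 */
        warnings += check_access(&f, "ldr (buf[i])", f.sp + (uint32_t)(i * 4), 4);
    return warnings;
}

int main(void)
{
    printf("page example: %u warning(s)\n", replay_page_example());
    printf("array underrun: %u warning(s)\n", replay_array_underrun());
    return 0;
}
```

The constructed replays show why the warning fires at the access and not at the call: the same address 0x0ffc is flagged before `sub sp, #4` and accepted after it, so only the ordering of the instructions changed the verdict. Accesses more than 128 bytes below SP fall outside the modelled zone and are not reported, which is why an array overrun that jumps far below the frame can escape this particular check.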
Disabling this message
This debugging check can be disabled in the Debugging Checks section of the Settings box: Memory access to unallocated stack space.