我正在使用 x86 指令集编写程序。为什么当我使用存储在大小为 40kb 的堆栈中的本地数组时会崩溃。
我使用带有 i5 处理器的 windows7 操作系统并在 Visual C++ Express Edition 2008 中编译
我认为您以防护页面的形式抓住了机会。
为了在实际使用之前不浪费实际内存,Windows 最初保留完整的堆栈空间(默认为 1MB;可以通过编辑 PE 标头进行更改),但仅提交两页,并将第二页设为保护页。保护页是一个内存页 (4KB),对其进行任何访问都会触发特殊异常 (STATUS_GUARD_PAGE_VIOLATION)。当内核检测到保护页异常时,它会提交所触及的页面并在其后添加另一个保护页。这样,如果您的函数将小变量压入堆栈,它就会“自行”不断增长。
但是,如果您尝试分配大小超过 4K(4096 字节)的局部变量,则会出现问题。通常,堆栈分配是通过简单地从 ESP 中减去来完成的。如果从中减去超过 4K,然后尝试写入堆栈,则有可能越过保护页并访问其后的保留内存。这个不会被内核捕获,但会传递给您的程序,通常会导致崩溃。
解决方案很简单 - 以 4K(=4096=0x1000 字节)为单位进行堆栈分配,并在每次分配后触摸堆栈以触发保护页。 MSVC 编译器通过在使用超过 4K 局部变量的函数开头调用
__chkstk();***
;_chkstk - check stack upon procedure entry
;
;Purpose:
; Provide stack checking on procedure entry. Method is to simply probe
; each page of memory required for the stack in descending order. This
; causes the necessary pages of memory to be allocated via the guard
; page scheme, if possible. In the event of failure, the OS raises the
; _XCPT_UNABLE_TO_GROW_STACK exception.
;
; NOTE: Currently, the (EAX < _PAGESIZE_) code path falls through
; to the "lastpage" label of the (EAX >= _PAGESIZE_) code path. This
; is small; a minor speed optimization would be to special case
; this up top. This would avoid the painful save/restore of
; ecx and would shorten the code path by 4-6 instructions.
;
;Entry:
; EAX = size of local frame
;
;Exit:
; ESP = new stackframe, if successful
;
;Uses:
; EAX
;
;Exceptions:
; _XCPT_GUARD_PAGE_VIOLATION - May be raised on a page probe. NEVER TRAP
; THIS!!!! It is used by the OS to grow the
; stack on demand.
; _XCPT_UNABLE_TO_GROW_STACK - The stack cannot be grown. More precisely,
; the attempt by the OS memory manager to
; allocate another guard page in response
; to a _XCPT_GUARD_PAGE_VIOLATION has
; failed.
;
;*******************************************************************************
public _alloca_probe
_chkstk proc
_alloca_probe = _chkstk
push ecx
; Calculate new TOS.
lea ecx, [esp] + 8 - 4 ; TOS before entering function + size for ret value
sub ecx, eax ; new TOS
; Handle allocation size that results in wraparound.
; Wraparound will result in StackOverflow exception.
sbb eax, eax ; 0 if CF==0, ~0 if CF==1
not eax ; ~0 if TOS did not wrapped around, 0 otherwise
and ecx, eax ; set to 0 if wraparound
mov eax, esp ; current TOS
and eax, not ( _PAGESIZE_ - 1) ; Round down to current page boundary
cs10:
cmp ecx, eax ; Is new TOS
jb short cs20 ; in probed page?
mov eax, ecx ; yes.
pop ecx
xchg esp, eax ; update esp
mov eax, dword ptr [eax] ; get return address
mov dword ptr [esp], eax ; and put it at new TOS
ret
; Find next lower page and probe
cs20:
sub eax, _PAGESIZE_ ; decrease by PAGESIZE
test dword ptr [eax],eax ; probe page.
jmp short cs10
_chkstk endp
在你的情况下,你可能不需要这种复杂的逻辑,像这样的事情就可以了:
xor eax, eax
mov ecx, 40 ; alloc 40 pages
l1:
sub esp, 1000h ; move esp one page
mov [esp], eax ; touch the guard page
loop l1 ; keep looping
sub esp, xxxh ; alloc the remaining variables
有关堆栈和保护页面的更多详细信息,请参阅此处。
对于 x86,这里有一个 MASM prolog 宏(类似于 _chkstk),可以防止大型本地崩溃
W32Prolog MACRO procname, flags, argbytes, localbytes, reglist, userparms:VARARG
LOCAL page_size, probe, max_probe, loopbeg, loopend
page_size = 4096
IF localbytes NE 0
push ebp
mov ebp, esp
IF localbytes GE page_size*5
max_probe = (localbytes-page_size) AND (-page_size)
mov DWORD PTR [ebp-page_size], eax
mov eax, page_size
loopbeg:
cmp eax, max_probe
JA loopend
sub esp, page_size
mov DWORD PTR [esp-page_size],eax
add eax, page_size
JMP loopbeg
loopend:
mov eax, DWORD PTR [ebp-page_size]
mov esp,ebp
ELSEIF localbytes GE page_size
max_probe = (localbytes) AND (-page_size)
probe = page_size
WHILE probe LE max_probe
mov DWORD PTR [ebp-probe], eax
probe = probe + page_size
ENDM
ENDIF
sub esp,localbytes
ELSEIF argbytes NE 0
push ebp
mov ebp, esp
ENDIF
EXITM %localbytes
ENDM
对于 x86_64,这是一个工作示例
hello64.asm
OPTION CASEMAP:NONE
OPTION PROLOGUE:W64Prolog
OPTION EPILOGUE:NONE
W64Prolog MACRO procname, flags, argbytes, localbytes, reglist, userparms:VARARG
LOCAL page_size, probe, max_probe, loopbeg, loopend
page_size = 4096
push rbp
.pushreg rbp
mov rbp,rsp
.setframe rbp,000h
IF localbytes NE 0
IF localbytes GE page_size*5
max_probe = (localbytes-page_size) AND (-page_size)
mov QWORD PTR [rbp-page_size], rax
mov rax, page_size
loopbeg:
cmp rax, max_probe
JA loopend
sub rsp, page_size
mov QWORD PTR [rsp-page_size],rax
add rax, page_size
JMP loopbeg
loopend:
mov rax, QWORD PTR [rbp-page_size]
mov rsp,rbp
ELSEIF localbytes GE page_size
max_probe = (localbytes) AND (-page_size)
probe = page_size
WHILE probe LE max_probe
mov QWORD PTR [rbp-probe], rax
probe = probe + page_size
ENDM
ENDIF
sub rsp,localbytes
.allocstack localbytes
ENDIF
.endprolog
EXITM %localbytes
ENDM
extrn printf:proc
ALIGN_STACK MACRO num_args
IF num_args LT 5 OR (num_args AND 1) EQ 0
AND SPL, 0F0h
ELSE
OR SPL, 08h
ENDIF
ENDM
RESTORE_STACK MACRO num_args
IF num_args LT 5
LEA RSP, [RSP + 5*8]
ELSEIF (num_args AND 1) EQ 0 ; even num_args
LEA RSP, [RSP + (num_args + 1)*8]
ELSE
LEA RSP, [RSP + num_args*8]
ENDIF
ENDM
.data
strFormat DB "%s",13,10,0
strHello DB "Hello World",0
.code
main PROC FRAME
LOCAL myArray[25000]:BYTE
NUM_ARGS = 2
PUSH RSP
PUSH QWORD PTR [RSP]
ALIGN_STACK NUM_ARGS
LEA RDX,strHello
LEA RCX,strFormat
SUB RSP,32
CALL printf
RESTORE_STACK NUM_ARGS
POP RSP
RET
main ENDP
END
使用这些命令构建(假设安装了 MSVS 2019)
@echo on
if not defined DevEnvDir (
call "C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\VC\Auxiliary\Build\vcvars64.bat"
)
ml64 /nologo /c /W3 /Sa /Zi /Zd /Flhello64.lst /Fohello64.obj hello64.asm
link.exe hello64.obj /subsystem:console /defaultlib:kernel32.lib /defaultlib:user32.lib /defaultlib:libcmt.lib