1

following short c program:

void foo(int a, int b) {
        printf("a = %p b = %p\n", &a, &b);
}

main() {
        foo(1, 2);
}

ok, now I used gdb to view this program. I got as output:

a = 0x7fff5fbff9ac b = 0x7fff5fbff9a8

and stopped execution after the output (in foo()). now I examined 0x7fff5fbff9ac and the content was:

1....correct

then 0x7fff5fbff9a8 and the content:

2...correct

now I wanted to view the return address of the function and examined (a + 4 bytes) with:

x/g 0x7fff5fbff9b1 (8 bytes!! address, therefore "g" (giant word))

and its content was:

(gdb) x/g 0x7fff5fbff9b1
0x7fff5fbff9b1: 0xd700007fff5fbff9

BUT: THIS IS NOT THE RETURN ADR FROM MAIN! where is my fault?

Improve this question
9
  • what is different on MAC? does anyone have some xperience? Commented Dec 8, 2010 at 17:56
  • 1
    Did you try looking on the other side of the local variables? What are you expecting as the return address from main(), and why? Did you notice that the result looks more reasonable if you clip off the leading 0xd7 byte? - Oh, never mind, the other guys have got it. :) Commented Dec 8, 2010 at 17:58
  • 2
    Hint: 0x7fff5fbff9b1 is an odd address Commented Dec 8, 2010 at 17:59
  • 1
    For one thing, ((char*)&a + 4) is 0x7fff5fbff9b0, not 0x7fff5fbff9b1. Commented Dec 8, 2010 at 17:59
  • Have you tried subtracting 4 from b instead? A lot of this deals with how the compiler saves stuff on the stack, and I don't know if the return address is put on the stack before or after the parameters. Commented Dec 8, 2010 at 18:00

3 Answers 3

Reset to default
3

There are a whole bunch of faulty assumptions in your question.

You're assuming that integer arguments are passed on the stack immediately above the return address (as they are in many--not all--x86 ABIs under the default calling conventions). If this were the case, then immediately following the call, your stack would look like this:

// stack frame of main( )
// ...
value of b
value of a
return address <--- stack pointer

However, your assumption is incorrect. You have compiled your code into a 64-bit executable (as evidenced by the size of the pointer you are printing). Per the OS X ABI, in a 64-bit Intel executable, the first few integer arguments are passed in register, not on the stack. Thus, immediately following the call, the stack actually looks like this:

// stack frame of main( )
// ...
return address <--- stack pointer

Since you take the address of a and b, they will be written to the stack at some point before the call to printf( ) (unless the compiler is really clever, and realizes that it doesn't actually need to hand printf( ) valid pointers because it won't use the value pointed to, but that would be pretty evil as optimizations go), but you really don't know where they will be relative to the return address; in fact, because the 64-bit ABI provides a red zone, you don't even know whether they're above or below the stack pointer. Thus, at the time that you print out the address of a and b, your stack looks like this:

// stack frame of main( )
// ...
return address                     |
// ...                             |
// a and b are somewhere down here | <-- stack pointer points somewhere in here
// ...                             |

In general, the C language standard says nothing about stack layouts, or even that there needs to be a stack at all. You cannot get this sort of information in any portable fashion from C code.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

Firstly, &a + 4 is 0x7FFF5FBFF9B0, so you are looking one byte offset from where you think you are.

Secondly, the saved frame pointer lies between a and the return address, and this is the value you are seeing.

Improve this answer

Comments

1

What you are doing wrong is making a whole bunch of incorrect and random assumptions about the layout of the stack frame on your given platform. Where did you get that weird idea about "a + 4 bytes" location supposedly holding the return address?

If you really want to do this, get the documentation for your platform (or do some reverse engineering) to find out where and how exactly the return address is stored. Making random guesses and then asking other people why your random guesses do not produce results you for some reason expect is not exactly a productive way to do it.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.