一、从源代码文件到可执行文件
从C文件到可执行文件,一般来说需要两步,先将每个C文件编译成.o文件,再把多个.o文件和链接库一起链接成可执行文件。但具体来说,其实是分为四步,下面以example.c为例进行说明。
#define MYINT int short addend1 = 1;
static int addend2 = 2;
const static long addend3 = 3; static MYINT g(MYINT x)
{
return x + addend1;
} static const MYINT f(MYINT x)
{
return g(x + addend2);
} MYINT main(void)
{
return f(8) + addend3;
}
第一步: 预处理,进行宏替换等工作。执行gcc -E -o example.cpp example.c,得到example.cpp如下:
# 1 "example.c"
# 1 "<built-in>"
# 1 "<命令行>"
# 1 "example.c" short addend1 = 1;
static int addend2 = 2;
const static long addend3 = 3; static int g(int x)
{
return x + addend1;
} static const int f(int x)
{
return g(x + addend2);
} int main(void)
{
return f(8) + addend3;
}
第二步:将预处理文件编译成汇编文件。执行 gcc -x cpp-output -S -fno-asynchronous-unwind-tables -o example.s example.cpp,加入 -fno-asynchronous-unwind-tables是为了禁止生成.cfi代码。生成的汇编代码如下:
.file "example.c" ; C文件的文件名
.globl addend1 ; 全局变量
.data ; 数据段
; short addend1 = 1;开始
.align 2 ; 地址对齐,按2的整数倍对齐
.type addend1, @object ; 类型是对象
.size addend1, 2 ; 占两个字节
addend1: ; 起始地址
.value 1 ; 初始值
; static int addend2 = 2;开始
.align 4
.type addend2, @object
.size addend2, 4
addend2:
.long 2
.section .rodata ; 常量存储区开始
.align 4
.type addend3, @object
.size addend3, 4
addend3:
.long 3
.text ; 代码段开始
.type g, @function ; 函数g
g: ; g的起始地址
pushl %ebp ; %ebp入栈
movl %esp, %ebp ; 当前函数栈从%esp开始
movzwl addend1, %eax ; 把short放入%eax
cwtl
addl 8(%ebp), %eax ; int + short
popl %ebp
ret
.size g, .-g
.type f, @function
f:
pushl %ebp
movl %esp, %ebp
subl $4, %esp ; 为调用g时传递参数准备空间
movl addend2, %eax ; 在%eax中计算实参
addl 8(%ebp), %eax
movl %eax, (%esp) ; 实参入栈
call g
leave
ret
.size f, .-f
.globl main ; main未加static,是全局可见的
.type main, @function
main:
pushl %ebp
movl %esp, %ebp
subl $4, %esp
movl $8, (%esp)
call f
movl addend3, %edx
addl %edx, %eax
leave
ret
.size main, .-main
.ident "GCC: (Ubuntu/Linaro 4.6.3-1ubuntu5) 4.6.3"
.section .note.GNU-stack,"",@progbits
由汇编代码可见:1.未加static的全局变量和函数都生成了相应的.globl代码,表示是全局的;2.int和long是4字节的;3.const变量放在常量存储区.rodata处。
第三步,将汇编代码编译成二进制目标文件,gcc -x assembler -c example.s。生成example.o文件,用objdump -D example.o察看,得到如下信息:
example.o: file format elf32-i386 Disassembly of section .text: 00000000 <g>:
0: 55 push %ebp
1: 89 e5 mov %esp,%ebp
3: 0f b7 05 00 00 00 00 movzwl 0x0,%eax
a: 98 cwtl
b: 03 45 08 add 0x8(%ebp),%eax
e: 5d pop %ebp
f: c3 ret 00000010 <f>:
10: 55 push %ebp
11: 89 e5 mov %esp,%ebp
13: 83 ec 04 sub $0x4,%esp
16: a1 04 00 00 00 mov 0x4,%eax
1b: 03 45 08 add 0x8(%ebp),%eax
1e: 89 04 24 mov %eax,(%esp)
21: e8 da ff ff ff call 0 <g>
26: c9 leave
27: c3 ret 00000028 <main>:
28: 55 push %ebp
29: 89 e5 mov %esp,%ebp
2b: 83 ec 04 sub $0x4,%esp
2e: c7 04 24 08 00 00 00 movl $0x8,(%esp)
35: e8 d6 ff ff ff call 10 <f>
3a: 8b 15 00 00 00 00 mov 0x0,%edx
40: 01 d0 add %edx,%eax
42: c9 leave
43: c3 ret Disassembly of section .data: 00000000 <addend1>:
0: 01 00 add %eax,(%eax)
... 00000004 <addend2>:
4: 02 00 add (%eax),%al
... Disassembly of section .rodata: 00000000 <addend3>:
0: 03 00 add (%eax),%eax
... Disassembly of section .comment: 00000000 <.comment>:
0: 00 47 43 add %al,0x43(%edi)
3: 43 inc %ebx
4: 3a 20 cmp (%eax),%ah
6: 28 55 62 sub %dl,0x62(%ebp)
9: 75 6e jne 79 <main+0x51>
b: 74 75 je 82 <main+0x5a>
d: 2f das
e: 4c dec %esp
f: 69 6e 61 72 6f 20 34 imul $0x34206f72,0x61(%esi),%ebp
16: 2e 36 2e 33 2d 31 75 cs ss xor %cs:%ss:0x75627531,%ebp
1d: 62 75
1f: 6e outsb %ds:(%esi),(%dx)
20: 74 75 je 97 <main+0x6f>
22: 35 29 20 34 2e xor $0x2e342029,%eax
27: 36 2e 33 00 ss xor %cs:%ss:(%eax),%eax
第四步,将目标代码编译成可执行文件, gcc -o example example.o。此时可以继续用objdump -D example > example.objdump察看,可见example.objdump文件有728行,已经加入了大量的代码,其中我们自己写的部分是:
080483b4 <g>:
80483b4: 55 push %ebp
80483b5: 89 e5 mov %esp,%ebp
80483b7: 0f b7 05 10 a0 04 08 movzwl 0x804a010,%eax
80483be: 98 cwtl
80483bf: 03 45 08 add 0x8(%ebp),%eax
80483c2: 5d pop %ebp
80483c3: c3 ret 080483c4 <f>:
80483c4: 55 push %ebp
80483c5: 89 e5 mov %esp,%ebp
80483c7: 83 ec 04 sub $0x4,%esp
80483ca: a1 14 a0 04 08 mov 0x804a014,%eax
80483cf: 03 45 08 add 0x8(%ebp),%eax
80483d2: 89 04 24 mov %eax,(%esp)
80483d5: e8 da ff ff ff call 80483b4 <g>
80483da: c9 leave
80483db: c3 ret 080483dc <main>:
80483dc: 55 push %ebp
80483dd: 89 e5 mov %esp,%ebp
80483df: 83 ec 04 sub $0x4,%esp
80483e2: c7 04 24 08 00 00 00 movl $0x8,(%esp)
80483e9: e8 d6 ff ff ff call 80483c4 <f>
80483ee: 8b 15 d0 84 04 08 mov 0x80484d0,%edx
80483f4: 01 d0 add %edx,%eax
80483f6: c9 leave
80483f7: c3 ret
80483f8: 90 nop
80483f9: 90 nop
80483fa: 90 nop
80483fb: 90 nop
80483fc: 90 nop
80483fd: 90 nop
80483fe: 90 nop
80483ff: 90 nop ...
...
... Disassembly of section .data: 0804a008 <__data_start>:
804a008: 00 00 add %al,(%eax)
... 0804a00c <__dso_handle>:
804a00c: 00 00 add %al,(%eax)
... 0804a010 <addend1>:
804a010: 01 00 add %eax,(%eax)
... 0804a014 <addend2>:
804a014: 02 00 add (%eax),%al
... Disassembly of section .bss: 0804a018 <completed.6159>:
804a018: 00 00 add %al,(%eax)
... 0804a01c <dtor_idx.6161>:
804a01c: 00 00 add %al,(%eax)
...
可见此时的代码已经有了它运行时的实际地址,并且.rodata段也已经不存在了。
然后还可以用readelf -a example > example.elf 察看该可执行文件的ELF头部信息,共221行,这里只摘录前57行:
ELF Header:
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: Intel 80386
Version: 0x1
Entry point address: 0x8048300
Start of program headers: 52 (bytes into file)
Start of section headers: 4416 (bytes into file)
Flags: 0x0
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 9
Size of section headers: 40 (bytes)
Number of section headers: 30
Section header string table index: 27 Section Headers:
[Nr] Name Type Addr Off Size ES Flg Lk Inf Al
[ 0] NULL 00000000 000000 000000 00 0 0 0
[ 1] .interp PROGBITS 08048154 000154 000013 00 A 0 0 1
[ 2] .note.ABI-tag NOTE 08048168 000168 000020 00 A 0 0 4
[ 3] .note.gnu.build-i NOTE 08048188 000188 000024 00 A 0 0 4
[ 4] .gnu.hash GNU_HASH 080481ac 0001ac 000020 04 A 5 0 4
[ 5] .dynsym DYNSYM 080481cc 0001cc 000040 10 A 6 1 4
[ 6] .dynstr STRTAB 0804820c 00020c 000045 00 A 0 0 1
[ 7] .gnu.version VERSYM 08048252 000252 000008 02 A 5 0 2
[ 8] .gnu.version_r VERNEED 0804825c 00025c 000020 00 A 6 1 4
[ 9] .rel.dyn REL 0804827c 00027c 000008 08 A 5 0 4
[10] .rel.plt REL 08048284 000284 000010 08 A 5 12 4
[11] .init PROGBITS 08048294 000294 00002e 00 AX 0 0 4
[12] .plt PROGBITS 080482d0 0002d0 000030 04 AX 0 0 16
[13] .text PROGBITS 08048300 000300 0001ac 00 AX 0 0 16
[14] .fini PROGBITS 080484ac 0004ac 00001a 00 AX 0 0 4
[15] .rodata PROGBITS 080484c8 0004c8 00000c 00 A 0 0 4
[16] .eh_frame_hdr PROGBITS 080484d4 0004d4 00002c 00 A 0 0 4
[17] .eh_frame PROGBITS 08048500 000500 0000a4 00 A 0 0 4
[18] .ctors PROGBITS 08049f14 000f14 000008 00 WA 0 0 4
[19] .dtors PROGBITS 08049f1c 000f1c 000008 00 WA 0 0 4
[20] .jcr PROGBITS 08049f24 000f24 000004 00 WA 0 0 4
[21] .dynamic DYNAMIC 08049f28 000f28 0000c8 08 WA 6 0 4
[22] .got PROGBITS 08049ff0 000ff0 000004 04 WA 0 0 4
[23] .got.plt PROGBITS 08049ff4 000ff4 000014 04 WA 0 0 4
[24] .data PROGBITS 0804a008 001008 000010 00 WA 0 0 4
[25] .bss NOBITS 0804a018 001018 000008 00 WA 0 0 4
[26] .comment PROGBITS 00000000 001018 00002a 01 MS 0 0 1
[27] .shstrtab STRTAB 00000000 001042 0000fc 00 0 0 1
[28] .symtab SYMTAB 00000000 0015f0 000450 10 29 49 4
[29] .strtab STRTAB 00000000 001a40 000209 00 0 0 1
Key to Flags:
W (write), A (alloc), X (execute), M (merge), S (strings)
I (info), L (link order), G (group), T (TLS), E (exclude), x (unknown)
O (extra OS processing required) o (OS specific), p (processor specific)
二、运行时堆栈分析
为了使用gdb进行调试,用gcc - g example.c -o example重新编译代码,然后gdb example进入gdb调试。
在main函数入口处设置断点,运行程序,然后察看运行到的汇编指令、此时的寄存器数据和堆栈:
(gdb) b 17
Breakpoint 1 at 0x80483e2: file example.c, line 17.
(gdb) r
Starting program: /home/qpx/操作系统/example Breakpoint 1, main () at example.c:19
19 return f(8) + addend3;
(gdb) disassemble
Dump of assembler code for function main:
0x080483dc <+0>: push %ebp
0x080483dd <+1>: mov %esp,%ebp
0x080483df <+3>: sub $0x4,%esp
=> 0x080483e2 <+6>: movl $0x8,(%esp)
0x080483e9 <+13>: call 0x80483c4 <f>
0x080483ee <+18>: mov 0x80484d0,%edx
0x080483f4 <+24>: add %edx,%eax
0x080483f6 <+26>: leave
0x080483f7 <+27>: ret
End of assembler dump.
(gdb) info registers
eax 0x1 1
ecx 0xbffff394 -1073745004
edx 0xbffff324 -1073745116
ebx 0xb7fc2ff4 -1208209420
esp 0xbffff2f4 0xbffff2f4
ebp 0xbffff2f8 0xbffff2f8
esi 0x0 0
edi 0x0 0
eip 0x80483e2 0x80483e2 <main+6>
eflags 0x200282 [ SF IF ID ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
(gdb) x/2 0xbffff2f4
0xbffff2f4: 0x000000000 x00000000
可见此时主函数的栈基址为0xbffff2f8,而%esp已经下移4字节准备为函数 f 传递参数8,但目前%esp所指堆栈内容为0,%ebp所指内容也为0。下面展示每一步时%esp、%ebp和堆栈内容的变化:
call指令将下一条指令的地址入栈:
将上一个函数的基址入栈,从当前%esp开始作为新基址:
先为传参做准备:
实参的计算在%eax中进行:
实参入栈:
call指令将下一条指令的地址入栈:
计算short+int:
pop %ebp指令将栈顶弹到%ebp中,同时%esp增加4字节:
ret指令将栈顶弹给%eip
因为函数 f 修改了%esp,所以用leave指令恢复。leave指令先将%esp对其到%ebp,然后把栈顶弹给%ebp:
程序最终结束。