Disclosure of Invention
In order to solve the above technical problems, embodiments of the present invention provide a method and an apparatus for stack backtracking that can correctly backtrack the stacks of programs using different stack frame structures.
To achieve this object, the invention provides a method of stack backtracking, comprising:
acquiring a memory value at the current FP-4 position;
determining the stack frame structure type used by the current function according to the memory value;
acquiring a return address and a parent function frame pointer FP according to the stack frame structure type;
wherein the current FP-4 is the memory address 4 bytes below the value of the current function's FP, i.e. the FP value moved 4 bytes toward the low address.
Determining the stack frame structure type used by the current function according to the memory value at the current FP-4 position includes: when the memory value lies within the program code segment, determining that the current function uses a first stack frame structure; when the memory value lies within the current thread stack, determining that the current function uses a second stack frame structure; and when the memory value lies neither within the program code segment nor within the current thread stack, determining that the current function uses a third stack frame structure.
Acquiring a return address and a parent function frame pointer FP according to the stack frame structure type includes: for the first stack frame structure, reading the return address from the memory at FP-4 and the parent function's FP from the memory at FP-12; for the second stack frame structure, reading the return address from the memory at FP and the parent function's FP from the memory at FP-4; for the third stack frame structure, obtaining the stack SIZE of the current function, reading the parent function's FP from FP + SIZE, and reading the return address from FP + SIZE + 4.
Obtaining the stack SIZE of the function includes: analysing instructions from the current PC toward lower addresses and searching for the instruction that extends the stack; if the stack-extending instruction is found, the stack SIZE of the function is the immediate in that instruction; if no stack-extending instruction is found, the stack SIZE is 0.
An apparatus for stack backtracking, comprising:
an acquisition module, configured to acquire a memory value at the current FP-4 position;
a determining module, configured to determine the stack frame structure type used by the current function according to the memory value at the current FP-4 position;
a return module, configured to acquire a return address and a parent function frame pointer FP according to the stack frame structure type;
wherein the current FP-4 is the memory address 4 bytes below the value of the current function's FP, i.e. the FP value moved 4 bytes toward the low address.
Wherein the determining module is specifically configured to: when the memory value is in the range of the program code segment, determining that the current function uses a first stack frame structure; when the memory value is in the range of the current thread stack, determining that the current function uses a second stack frame structure; and when the memory value is neither in the range of the program code segment nor in the range of the current thread stack, determining that the current function uses a third stack frame structure.
The return module is specifically configured to: for the first stack frame structure, read the return address from the memory at FP-4 and the parent function's FP from the memory at FP-12; for the second stack frame structure, read the return address from the memory at FP and the parent function's FP from the memory at FP-4; for the third stack frame structure, calculate the stack SIZE of the current function, read the parent function's FP from FP + SIZE, and read the return address from FP + SIZE + 4.
An apparatus for stack backtracking, comprising:
a memory storing a stack trace-back program;
a processor configured to execute the stack trace-back program to perform the following operations: acquiring a memory value at the current FP-4 position; determining the stack frame structure type used by the current function according to the memory value at the current FP-4 position; and acquiring a return address and a parent function frame pointer FP according to the stack frame structure type; wherein the current FP-4 is the memory address 4 bytes below the value of the current function's FP, i.e. the FP value moved 4 bytes toward the low address.
A computer readable storage medium, on which a stack trace-back program is stored, which when executed by a processor implements the steps of the above-mentioned stack trace-back method.
In the embodiments of the invention, the stack frame structure used by an ARM program is identified automatically and each structure is handled accordingly, so that the stack backtracking method correctly backtracks the stacks of programs using different stack frame structures, which greatly improves the correctness and practicality of stack backtracking.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention will be described in detail below with reference to the accompanying drawings. It should be noted that the embodiments and features of the embodiments in the present application may be arbitrarily combined with each other without conflict.
The steps illustrated in the flow charts of the figures may be performed in a computer system, for example as a set of computer-executable instructions. Also, although a logical order is shown in the flow charts, in some cases the steps shown or described may be performed in an order different from that shown here.
The ARM architecture ABI specifies three typical stack frame structures, referred to here as the first, second and third ARM stack frame structures; the first is shown in fig. 2, the second in fig. 3 and the third in fig. 4. In figs. 2, 3 and 4, FP denotes the frame pointer register, PC the program counter, LR the return address (link) register and SP the stack pointer register.
As can be seen from figs. 2, 3 and 4: for the first stack frame structure, the return address is stored at FP-4 and the parent function's FP at FP-12; for the second stack frame structure, the return address is stored at FP and the parent function's FP at FP-4; for the third stack frame structure, the rest of the function's stack contents (local variables, actual parameters and so on) lie between FP and the location where the parent function's FP is saved. Those contents differ from function to function, so their size is not fixed and the saved parent FP cannot be located directly from FP; instead the function's stack SIZE must be calculated, after which the parent function's FP and the return address can be read from FP + SIZE and FP + SIZE + 4 respectively.
In the prior art, stack backtracking algorithms for ARM systems are all designed around the first of these three stack frame structures and cannot handle the second and third, so backtracking fails completely as soon as a function using the second or third stack frame structure is encountered. As compilers have evolved, the second and third stack frame structures are used more and more, so existing ARM stack backtracking algorithms increasingly fail to meet requirements, and an algorithm that can automatically identify the three stack frame structures and process each accordingly is urgently needed.
To address these problems, the present application provides a stack backtracking scheme that adapts to the various stack frame formats of the ARM architecture: it automatically identifies which stack frame format an ARM program uses and applies the corresponding algorithm to backtrack.
As shown in fig. 5, the present application provides a method for stack backtracking, which includes:
step 501, acquiring a memory value at the current FP-4 position;
step 502, determining a stack frame structure type used by a current function according to a memory value at a current FP-4 position;
step 503, obtaining a return address and a parent function FP according to the stack frame structure type.
In this method, the memory value at the current FP-4 position is obtained, the stack frame structure used by the function is determined automatically from it, and the backtracking algorithm matching that structure is applied. The stack frame structure of an ARM program is thus identified automatically and handled according to its type, so the method correctly backtracks the stacks of programs using different stack frame structures, which greatly improves the correctness and practicality of stack backtracking.
It should be noted that, in this document, FP-4 refers to the memory address 4 bytes below the value of FP (the FP value moved 4 bytes toward the low address), and FP-12 to the memory address 12 bytes below the value of FP. Correspondingly, the current FP-4 refers to the memory address 4 bytes below the value of the current function's FP.
As can be seen from figs. 2, 3 and 4: for the first stack frame structure, the value held at FP-4 is the return address, which lies within the program code segment; for the second stack frame structure, the value held at FP-4 is the parent function's FP, and since FP is a frame pointer into the stack, that value lies within the thread stack; for the third stack frame structure, the value held at FP-4 is temporary data of the function, which lies neither within the code segment nor within the thread stack, so the third structure is identified by exclusion. Which stack frame structure the function uses can therefore be determined from the range in which the memory value at FP-4 falls. Once the stack frame structure has been determined, the return address and the parent function's FP are obtained with the algorithm matching that structure.
Based on the above, in this application, determining the stack frame structure type used by the current function according to the memory value at the current FP-4 position may include: when the memory value lies within the program code segment, determining that the current function uses a first stack frame structure; when the memory value lies within the current thread stack, determining that the current function uses a second stack frame structure; and when the memory value lies neither within the program code segment nor within the current thread stack, determining that the current function uses a third stack frame structure.
In this application, obtaining the return address and the parent function frame pointer FP with the backtracking algorithm matching the stack frame structure type may include: for the first stack frame structure, reading the return address from the memory at FP-4 and the parent function's FP from the memory at FP-12; for the second stack frame structure, reading the return address from the memory at FP and the parent function's FP from the memory at FP-4; for the third stack frame structure, calculating the stack SIZE of the current function, reading the parent function's FP from FP + SIZE, and reading the return address from FP + SIZE + 4.
Here, the stack SIZE of the current function may be calculated in various ways. For example: analyse instructions from the current PC toward lower addresses, searching for the instruction that extends the stack; if it is found, the immediate in that instruction is the stack SIZE of the function; if no stack-extending instruction is found, the stack SIZE is 0.
For example, the specific process of stack backtracking in the present application may adopt the flow shown in fig. 6. In practical applications, the process of stack backtracking in the present application may also adopt other processes, which is not limited herein.
As shown in fig. 6, the specific process of stack backtracking may include:
step 601, reading the memory value of 4 bytes at the current FP-4 position;
step 602, which stack frame structure is used by the current backtracking function is determined according to the memory value.
If the obtained memory value lies within the program code segment, the stored value is a return address and the current backtracking function uses the first stack frame structure shown in fig. 2; the process proceeds to step 603;
if the obtained memory value lies within the current thread stack, the stored value is the parent function's FP and the current backtracking function uses the second stack frame structure shown in fig. 3; the process jumps to step 604;
if the obtained memory value lies neither within the program code segment nor within the current thread stack, the current backtracking function uses the third stack frame structure shown in fig. 4; the process jumps to step 605.
Step 603, for the first stack frame structure, reading a return address from the memory corresponding to FP-4, and reading the FP of the parent function from the memory corresponding to FP-12.
Step 604, for the second stack frame structure, the return address is read from the memory corresponding to the FP, and the FP of the parent function is read from the memory corresponding to FP-4.
Step 605, for the third stack frame structure, obtain the stack SIZE of the function, read the FP of the parent function from FP + SIZE, and read the return address from FP + SIZE + 4.
Here, because the function's other stack contents (whose total size is the function's stack SIZE) lie between FP and the location where the parent function's FP is saved, the stack SIZE of the function is calculated first.
A specific way of calculating the stack SIZE of the current function is: analyse instructions from the current PC toward lower addresses, searching for the instruction that extends the stack, which has the form:
sub sp, #imm
(the shorthand for sub sp, sp, #imm), where the immediate imm is the stack SIZE of the function. If no stack-extending instruction is found, the function does not extend the stack (it has no parameters and no local variables on the stack) and the stack SIZE is 0.
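The following is an added example, written for this page and not the patent's own code, that implements the flow of fig. 5 (steps 501 to 503) and fig. 6 (steps 601 to 605) in C against a small simulated 32-bit address space: one code segment and one thread stack whose ranges, the three frames laid out on the stack and the prologue instruction words are all constructed assumptions. It classifies each frame by the word at FP-4, decodes the A32 encoding of sub sp, sp, #imm to obtain SIZE for the third structure, and walks a chain in which the innermost frame uses the third structure, its caller the second and the outermost the first:

```c
/* Added example (not the patent's code): FP-4 classification on a simulated ARM32 image. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CODE_BASE  0x00010000u   /* assumed program code segment               */
#define CODE_SIZE  0x1000u
#define STACK_BASE 0x7ffe0000u   /* assumed lowest address of the thread stack */
#define STACK_SIZE 0x1000u

static uint32_t code_mem[CODE_SIZE / 4], stack_mem[STACK_SIZE / 4];

static bool in_code(uint32_t a)  { return a >= CODE_BASE && a - CODE_BASE < CODE_SIZE; }
static bool in_stack(uint32_t a) { return a >= STACK_BASE && a - STACK_BASE < STACK_SIZE; }

/* Bounds-checked 32-bit read: fails instead of faulting when FP is bogus. */
static bool read32(uint32_t a, uint32_t *v) {
    if (a & 3u) return false;
    if (in_code(a))  { *v = code_mem[(a - CODE_BASE) / 4];   return true; }
    if (in_stack(a)) { *v = stack_mem[(a - STACK_BASE) / 4]; return true; }
    return false;
}
static void write32(uint32_t a, uint32_t v) {      /* used only to build the image */
    if (in_code(a))  code_mem[(a - CODE_BASE) / 4] = v;
    if (in_stack(a)) stack_mem[(a - STACK_BASE) / 4] = v;
}

/* Steps 501/502 (601/602): frame type 1, 2 or 3 from the word at FP-4; 0 if unreadable. */
static int frame_type_at(uint32_t fp) {
    uint32_t v;
    if (!read32(fp - 4, &v)) return 0;
    if (in_code(v))  return 1;   /* return address saved at FP-4 */
    if (in_stack(v)) return 2;   /* parent FP saved at FP-4      */
    return 3;                    /* other data; locals lie between FP and the saved FP */
}

/* Step 605: scan from PC toward lower addresses for A32 "sub sp, sp, #imm"
 * (0xE24DD000 | imm12), decode the rotated immediate; 0 when none is found. */
static uint32_t stack_size_from_prologue(uint32_t pc) {
    for (uint32_t a = pc & ~3u, insn = 0; in_code(a) && read32(a, &insn); a -= 4) {
        if ((insn & 0xFFFFF000u) != 0xE24DD000u) continue;
        uint32_t imm8 = insn & 0xFFu, rot = ((insn >> 8) & 0xFu) * 2;
        return rot ? (imm8 >> rot) | (imm8 << (32 - rot)) : imm8;
    }
    return 0;
}

/* Steps 603-605: one step toward the caller. A parent FP of 0 ends the chain. */
static bool unwind_step(uint32_t fp, uint32_t pc, uint32_t *pfp, uint32_t *ra) {
    uint32_t size;
    switch (frame_type_at(fp)) {
    case 1: if (!read32(fp - 4, ra) || !read32(fp - 12, pfp)) return false; break;
    case 2: if (!read32(fp, ra) || !read32(fp - 4, pfp)) return false; break;
    case 3: size = stack_size_from_prologue(pc);
            if (!read32(fp + size, pfp) || !read32(fp + size + 4, ra)) return false;
            break;
    default: return false;
    }
    /* Plausibility checks added here, not part of the page's method: the return
     * address must be code and the parent frame must lie above the current one. */
    if (!in_code(*ra)) return false;
    return *pfp == 0 || (in_stack(*pfp) && *pfp > fp);
}

static size_t backtrace(uint32_t fp, uint32_t pc, uint32_t *out, size_t max) {
    size_t n = 0;
    for (uint32_t pfp, ra; n < max && fp != 0 && unwind_step(fp, pc, &pfp, &ra); fp = pfp, pc = ra)
        out[n++] = ra;
    return n;
}

/* Constructed image: C (type 3, SIZE 16) called by B (type 2) called by A (type 1). */
static void build_image(void) {
    write32(0x000102F0u, 0xE92D4800u);  /* C prologue: push {fp, lr}    */
    write32(0x000102F4u, 0xE24DD010u);  /*             sub  sp, sp, #16 */
    write32(0x000102F8u, 0xE1A0B00Du);  /*             mov  fp, sp      */
    /* A, FP 0x7ffe0ff0: saved pc, lr, sp, fp; saved fp 0 marks the outermost frame */
    write32(0x7ffe0ff0u, 0x00010108u); write32(0x7ffe0fecu, 0x00010040u);
    write32(0x7ffe0fe8u, 0x7ffe0ff4u); write32(0x7ffe0fe4u, 0x00000000u);
    /* B, FP 0x7ffe0fd0: lr at FP, saved fp at FP-4 */
    write32(0x7ffe0fd0u, 0x00010120u); write32(0x7ffe0fccu, 0x7ffe0ff0u);
    /* C, FP 0x7ffe0fa8: 16 bytes of locals, then saved fp and lr; scratch word below FP */
    write32(0x7ffe0fbcu, 0x00010210u); write32(0x7ffe0fb8u, 0x7ffe0fd0u);
    write32(0x7ffe0fa8u, 0x41414141u); write32(0x7ffe0fa4u, 0x12345678u);
}

/* Builds the image and walks it from C's frame (FP 0x7ffe0fa8, PC 0x00010300). */
static size_t demo_backtrace(uint32_t *out, size_t max) {
    build_image();
    return backtrace(0x7ffe0fa8u, 0x00010300u, out, max);
}

int main(void) {
    uint32_t ra[8];
    size_t n = demo_backtrace(ra, 8);
    for (size_t i = 0; i < n; i++) printf("#%zu  return address 0x%08x\n", i, ra[i]);
    return 0;
}
```

Every memory access is bounds-checked and the walk stops at the first frame that is not plausible (a return address outside the code segment, or a parent FP that is not above the current frame), which is what a practitioner adds on top of the method: the third structure is reached by exclusion, so a scratch word at FP-4 that happens to fall in the code or stack range would be misclassified, and a prologue scan that runs below the start of the current function can pick up another function's sub sp. In a live process the two ranges come from the memory map rather than from constants.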
Correspondingly, the present application further provides a device for stack backtracking, as shown in fig. 7, including:
an obtaining module 71, configured to obtain a memory value at a current FP-4 position;
a determining module 72, configured to determine, according to a memory value at the current FP-4 position, a stack frame structure type used by the current function;
and the return module 73 is configured to obtain a return address and a parent function FP according to the stack frame structure type.
The determining module 72 is specifically configured to: when the memory value is in the range of the program code segment, determining that the current function uses a first stack frame structure; when the memory value is in the range of the current thread stack, determining that the current function uses a second stack frame structure; and when the memory value is neither in the range of the program code segment nor in the range of the current thread stack, determining that the current function uses a third stack frame structure.
The return module 73 is specifically configured to: for the first stack frame structure, read the return address from the memory at FP-4 and the parent function's FP from the memory at FP-12; for the second stack frame structure, read the return address from the memory at FP and the parent function's FP from the memory at FP-4; for the third stack frame structure, calculate the stack SIZE of the current function, read the parent function's FP from FP + SIZE, and read the return address from FP + SIZE + 4.
In the present application, the stack trace apparatus can implement all the details of the stack trace method (including the flows shown in fig. 5 and fig. 6). In practical applications, in the above apparatus for stack backtracking, the obtaining module 71, the determining module 72, and the returning module 73 may be software, hardware, or a combination of both.
Correspondingly, the present application further provides another apparatus for stack backtracking, including:
a memory storing a stack trace-back program;
a processor configured to execute the stack trace back procedure to perform the following operations: acquiring a memory value at the current FP-4 position; determining the stack frame structure type used by the current function according to the memory value at the current FP-4 position; and acquiring a return address and a parent function FP according to the stack frame structure type.
In the present application, the stack trace apparatus can implement all the details of the stack trace method (including the flows shown in fig. 5 and fig. 6).
In addition, an embodiment of the present application further provides a computer-readable storage medium, where a stack trace-back program is stored on the computer-readable storage medium, and the stack trace-back program implements the steps of the stack trace-back method when executed by a processor.
Alternatively, the storage medium may include, but is not limited to: a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic or optical disk, and other media capable of storing program code.
Optionally, the processor performs the method steps of the above embodiments according to program code stored in the storage medium.
It will be understood by those skilled in the art that all or part of the steps of the above methods may be implemented by a program instructing associated hardware (e.g., a processor) to perform the steps, and the program may be stored in a computer readable storage medium, such as a read only memory, a magnetic or optical disk, and the like. Alternatively, all or part of the steps of the above embodiments may be implemented using one or more integrated circuits. Accordingly, the modules/units in the above embodiments may be implemented in hardware, for example, by an integrated circuit, or may be implemented in software, for example, by a processor executing programs/instructions stored in a memory to implement the corresponding functions. The present application is not limited to any specific form of hardware or software combination.
The foregoing describes the general principles, features and advantages of the present application. The present application is not limited to the above embodiments, which are described in the specification and drawings only to illustrate its principles; various changes and modifications that fall within the spirit and scope of the application are within the scope of the claims.