2

As we know, local variables is located on stack. However, what is their order? Are they arranged as the order of their declaration? This means that the first declared variable is arrange on the higher address of stack (stack grows to lower address) ? As an example:

void foo(){
 int iArray[4];
 int iVar;
}

On stack, the local variable-- iArray and iVar are arranged as followed?

alt text

Improve this question
2
  • 2
    Are you talking about a specific operating system, processor architecture and compiler combination or do you want to know in general? I believe the position of local variables on the stack is a compiler detail that can vary widely. Commented Nov 24, 2010 at 8:57
  • I also think it is compiler dependent. Commented Nov 24, 2010 at 9:08

3 Answers 3

Reset to default
5

Only if you have optimisation turned off!

Once the optimiser gets hold of your code all bets are off. Common strategies for aggressive optimisations are:

  • Drop the variable if its never used or is just a copy of another variable.
  • Reorder varaibles in the order they are used. This helps greatly if your app is using swap space and also helps cache utilisation (on some machines).
  • Move often used variables into registers. Common on risk machinces with 32 lovely genreral purpose registers. Not so common on Intel with its measly eight single purpose registers.
  • Change the data type. e.g. casting small ints to intgers often speeds up register loading and caching.
  • reorder storage to minimise slack bytes. eg char a, double b, char c, int d could be reordered to double b, int d, char a, char c thus saving 10 bytes.
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

4

There is no rule you can depend on. Most compilers will use the declaration order unless you start to optimize the code.

Enabling optimizations can cause reuse of stack space, reordering of local variables or even move the variables to CPU registers, so they don't show up on the stack anymore.

[EDIT] On some systems, the stack grows to bigger addresses. So it starts with 0x1000 and the next address is 0x1001 instead of starting with 0xffff and the next address is 0xfffe.

Improve this answer

1 Comment

In order to prevent stack overflow, some compiler may arrange arrays under normal local variables in spite of their declaration order.
1

The simplest implementations make it very easy to predict where various variables will end up on the stack. However, those implementations also allow certain security problems (mainly, overflowing a buffer and predicting what the extra data will overwrite, allowing the injection of shellcode).

Since the layout of the stack is implementation defined in most stack-based languages (technically, many such languages don't mandate the use of a stack, but instead have semantics that are easy to implement with a stack), compiler writers have gone to great lengths to make it hard to predict the stack layout at runtime.

Improve this answer

3 Comments

Buffer overflow attacks are generally targeted at specific executables. The attacker will use the debugger to analyse the storage layout of a widely dirstirbuted version of the executable and design his overflow to dump his executable in the right spot. It doesnt matter what the optimiser did with the variables as the attacker is studying the genrated executable and not the source code.
The kinds of things an attacker would want to overwrite are vtables, the return address pointer stored on the stack, or function pointers. The Wikipedia article I linked to links to a presentation by Theo de Raadt about how ASLR makes the stack unpredictable at runtime ( openbsd.org/papers/ven05-deraadt/mgp00005.html and openbsd.org/papers/ven05-deraadt/mgp00006.html ). ASLR isn't about shuffling the stack at compile time (the optimizer does that), but about making stack addresses change from one run of the program to the next, and from one computer to the next.
And while the OpenBSD, Windows, and Linux kernel implementations of ASLR appear to only change the location of the first variable on the stack (or, more accurately, the distance between that variable and the return address); if more attacks affect other variable on the stack -- overwriting vtables and function pointers -- then ASLR implementations will be changed to keep up.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.