Re: i386 + frameless functions that play with the stack

[Mark Kettenis <kettenis at chello dot nl>]

Daniel Jacobowitz <drow@mvista.com> writes:

> Glibc's system call stubs look like this, in general:
> 
> 0x400ddbc0 <write>:     push   %ebx
> 0x400ddbc1 <write+1>:   mov    0x10(%esp,1),%edx
> 0x400ddbc5 <write+5>:   mov    0xc(%esp,1),%ecx
> 0x400ddbc9 <write+9>:   mov    0x8(%esp,1),%ebx
> 0x400ddbcd <write+13>:  mov    $0x4,%eax
> 0x400ddbd2 <write+18>:  int    $0x80
> 0x400ddbd4 <write+20>:  pop    %ebx
> 0x400ddbd5 <write+21>:  cmp    $0xfffff001,%eax
> 0x400ddbda <write+26>:  jae    0x400ddbdd <write+29>
> 0x400ddbdc <write+28>:  ret
> 
> Plus some error handling code off on the side (after the ret).  Suppose
> we're situated on the pop %ebx, not having executed it yet.  GDB concludes:
> 
> Stack level 0, frame at 0xbffff608:
>  eip = 0x400ddbd4 in write; saved eip 0x4003aa5f
>  (FRAMELESS), called by frame at 0xbffff608
>  Arglist at 0xbffff608, args: 
>  Locals at 0xbffff608, Previous frame's sp in esp
>  Saved registers:
>   ebp at 0xbffff608, eip at 0xbffff60c
> 
> If I single-step over the pop, the output of info frame doesn't work.  But
> before the step, a backtrace looks like:
> 
> (gdb) bt
> #0  0x400ddbd4 in write () from /lib/libc.so.6
> #1  0x401333c4 in sys_sigabbrev () from /lib/libc.so.6
> #2  0x4003aa5f in __libc_start_main () from /lib/libc.so.6
> 
> And after:
> 
> (gdb) bt
> #0  0x400ddbd5 in write () from /lib/libc.so.6
> #1  0x08048487 in main () at pipe.c:9
> 
> So while the stack is pushed we can't figure out where the calling frame is. 
> 0x401333c4 is just being picked up from *$esp instead of trying to do
> prologue analysis.
> 
> Should this work?  How?

My first response is that it would would rather difficult to get this
right, but I'm not sure.  I'll have to look a bit closer at it, and
haven't had the time to do that yet.  The behavious has been annoying
me in the past so there is some hope that eventually I might develop a
solution ;-).

Mark