Advanced C - Workshop Version: <1.3> Date: < 23/10/2006> By Madheswaran D

Advanced C - Workshop

Madheswaran D

Prerequisites
Basic C knowledge (Not covered here)
Familiarity with Unix environment (basic unix commands, user knowledge on Vi or Emacs editors). (Not covered here)

Alignment & P adding issues.Good understanding about pointers.Good understanding about bitwise operators

Advanced Topics

H andy Expressions involving bit wise operationsStack frames What happens during function callsVariable arguments H ow is it implemented?Dynamic memory allocation A sample design of malloc/free

Alignment & Padding

For today¶s session, assume following sizes and study the following program

Char: 1 byteInt: 4 bytesShort: 2 bytes

typedef struct {

char name[30];int empno;

int salary; } EmpRec, * EmpRecPtr;


int x = 1;char y = 2;

int z = 3;EmpRec abc;EmpRecPtr empr = &abc;

printf(³Sizes: int=%d, char=%d, EmpRec=%d, EmpRecPtr=%d\n´, sizeof(x), sizeof(y),sizeof(abc), sizeof(empr));

printf(³Address: &x=%p, &y=%p, &z=%p, &abc=%p, &empr=%p\n´, &x, &y, &z, &abc,&empr); printf("Address: &, &abc.empno=%p, &abc.salary=%p\n", &,&abc.empno, &abc.salary); }

S izes: int=4, char=1, EmpRec=40, EmpRecPtr=4 Address: &x=0xbffffb3c, &y=0xbffffb3b, &z=0xbffffb34,&abc=0xbffffb00, &empr=0xbffffafc

Address: & b00 ,&abc.empno=0xbffffb20, &abc.salary=0xbffffb24

typedef struct{

char name[30];int empno;int salary;

} EmpRec, *EmpRec P tr;


int x = 1;char y = 2;int z = 3;EmpRec abc;EmpRec P tr empr = &abc;

printf("Sizes: int=%d, char=%d, EmpRec=%d,EmpRec P tr=%d\n", sizeof(x), sizeof(y),

sizeof(abc), sizeof(empr));printf("Address: &x=%p, &y=%p, &z=%p,&abc=%p, &empr=%p\n", &x, &y, &z, &abc,&empr);printf("Address: &,&abc.empno=%p, &abc.salary=%p\n",&, &abc.empno, &abc.salary);


Memory view

Stack grows

this way

Lower Memory

H igher Memory

1 | 0 | 0 | 0b3c b3f p | p | p | 2b383 | 0 | 0 | 0


p | p | p | p

p | p | p | pp | p | p | p

| | | b27b28b24

| | |b20| | p | p


| | |

| | |


| | |

| | |

| | || | |




&x&z &y

| | |

Alignment & P adding

Memory address of a variable will align with their size.In some architectures, unaligned access can result in SIGBUS.

In some cases, the memory access will be split

This is applicable for global variables, local variables,

arguments passed to function and structure/union as well.To ensure address is correctly aligned, padding is done. Keepthis in mind:

To calculate the size of structure/unionBeware if this is mapped to a set of registers.

Assembly/C intermixing ± Suitable mask & shifting may neededBit fields doesn¶t have such alignment requirements

Compiler generates code with masks & shifts to handle this.

char x = 10;char y = 20;int *p = &y;

printf(³&y=%p &p=%p\n´, &y, &p);printf(³%d\n´, (*p) & 0xff); /* SIGBUS or unaligned split access */}


Alignment & Padding

Assume aH /W device is memory mapped on the system busO ccupies a address space of 16 bytes where 8 registers are located

Three 32 bit Registers(CNTL1, CNTL2, CNTL3, in that order)Four 8 bit Registers(STAT1, STAT2, STAT3, and ERR in that order)Assume it is located at 0x2000 in the memory map

A structure can be defined to map thisstruct hw_device {

unsigned int cntl1;unsigned int cntl2;unsigned int cntl3;unsigned char stat1;unsigned char stat2;unsigned char stat3;unsigned char err;

} *my_hw_device;

my_hw_device_ptr = (struct hw_device *) (0x2000);The registers can be accessed as my_hw_device->cntl1, my_hw_device->err and so on.S implifies access to device registers, useful to device driver writers, O S developers .

Should be careful about any padding for alignment restrictions

Example ± Where padding causes trouble

Register sequence:Two 32 bit Registers(CNTL1, CNTL2, in that order)Three 8 bit Registers(STAT1, STAT2, STAT3, in that order)O ne 32 bit register CNTL3O ne 8 bit register ERRBad structure that can cause trouble:

typedef struct hw_device {unsigned int cntl1;unsigned int cntl2;unsigned char stat1;unsigned char stat2;unsigned char stat3;unsigned int cntl3;unsigned char err;


Pointers – Basics

P ointer holds address of a x = 10;int *p = &x;printf(³&x=%p, p=%p, x=%d, *p=%d\n´, &x, p, x, *p);

O utput:&x=0x22cce4, p=0x22cce4, x=10, *p=10

Then why do you need a pointer?& cannot be used as a ³lvalue´&x = p; /* this is not a legal statement */

Even const pointers doesn¶t have lvalueInt * const p = x;p = p + 1; /* illegal statement */

const int *p = x;*p = 10; /* illegal statement */

Arrays and P ointerschar a[10]=³ H ello´;char *str = a;int b[10];Int *intp = b;printf(³%s %s\n´, a, str);printf(³%c %c %c %c\n´, a[1], str[1], 1[str], 1[a]);printf(³%p %p %p %p\n´, a, str, &a[1], str+1);printf(³%p %p %p %p\n´, b, intp, &b[1], intp+1);O utput:

H ello H elloe e e e0x22ccd0 0x22ccd0 0x22ccd1 0x22ccd1

Then pointers and arrays be interchangeably used? Yes and No.

Pointers – Basics

Arrays and P ointerschar a[10]=³ H ello´;char *str = a;printf(³%d %d %d\n´, sizeof(a), sizeof(str), strlen(a));

O utput:10 4 5

Double Dimension arrays and double pointersmain(){

char a[5][10]={"One", "Two", "Three", "Four", "Five" };char **str = a;char *b[5]={"One", "Two", "Three", "Four", "Five" };char **str1 = b;

printf("%d %d %d %d\n", sizeof(a), sizeof(str), sizeof(b), sizeof(str1)); printf("%p %p %p %p %p %p\n", a, str, &a[1], &str[1], &a[1][1], &str[1][1]); printf("%p %p %p %p %p %p\n", b, str1, &b[1], &str1[1], &b[1][1], &str1[1][1]);

}O utput:

50 4 20 40x22cca0 0x22cca0 0x22ccaa 0x22cca4 0x22ccab 0x10x22cc60 0x22cc60 0x22cc64 0x22cc64 0x403005 0x403005

Arrays and Pointerschar a[10]=³Hello ;́char *str = a;

printf(³%d %d %d\n´, sizeof(a),sizeof(str), strlen(a));

Output:10 4 5

D ouble D imension arrays and double pointersmain(){

char a[5][10]={"One", "Two", "Three", "Four", "Five" };char **str = a;char *b[5]={"One", "Two", "Three", "Four", "Five" };char **str1 = b;

printf("%d %d %d %d\n", sizeof(a), sizeof(str), sizeof(b), sizeof(str1)); printf("%p %p %p %p %p %p\n", a, str, &a[1], &str[1], &a[1][1], &str[1][1]);

printf("%p %p %p %p %p %p\n", b, str1, &b[1], &str1[1],&b[1][1], &str1[1][1]); }

O utput:50 4 20 40x22cca0 0x22cca0 0x22ccaa 0x22cca4 0x22ccab 0x10x22cc60 0x22cc60 0x22cc64 0x22cc64 0x403005 0x403005

Pointers – Basics

20:because itis array of 5 pointers

S tr points to apointer.&str[1] isstr+1 and since

size of a pointer is4 bytes, str + 1

translates to0x22cca0 + 4

a[1]: S econddimension size of ais 10 and hence 10

is added.

Add 1 to a[1]

&str[1][1] translate to&(*(*(str+4) + 1)), i.e

&(*(*(0x22cca4) + 1))).

This is equal to

&(*(0 + 1)) and isequal to 1 and str[1][1]

will be a junk value

Pointers – Basics












O n e \0

T w o \0

0 1 2 3 4 5 6 7 8 9

T h r e e \0

F o u r \0

F i v e \0










tr1 +4byte)


*(*(str1+4bytes)+0) = T

&str[1][1] translates to&(*(*(str+4byte) + 1)),i.e &(*(*(0x22cca4) +1))). This is equal to

&(*(0 + 1)) and is equalto 1. S o str[1][1] will be

a junk value


Pointers – Basics











O n e \0

T w o \0

0 1 2 3 4 5 6 7 8 9

T h r e e \0

F o u r \0

F i v e \0






a b

char *temp = ³junk´;a[0]=temp;

char *temp= ³junk´;b[2] = temp;


Pointers – Arithmetic & Casting

typedef struct

{int day;int month;int year;

} Date;

int abc=0xdeadbeef;int def=0xc0ffee;char ghi[6]=³abcde´;int jkl = 0xdeafca1f;short mno = 0xcade;Date pqr = { 1, 1, 2006 };


int *ip = &abc;short *sp = (short *)&abc;char *cp = (char *) &abc;Date *dp = (Date *) &abc;


Note: Little endian architecture assumed

ef be ad de ee ff c0 00 µa¶ µb¶ µc¶ µd¶ µe¶ 0 0 1f ca af de de ca 0 0 1 0 00


cp+1 sp+1 ip+1cp+5 sp+3 ip+2 dp+1

ip + 3

sp + 8cp + 12


ip + 6

sp + 16cp + 24

When a pointer is incremented by 1, depending uponthe type, number of bytes moved will defer.

When casting from one type to another

Take care alignment issues ( SIGBUS )

Keep in mind that number of bytes that will movefor every increment/decrement will change.


Pointers – Function pointers

P ointers can point to functions as well in addition to variables.Declaration example: int (*f1)(int,char **) -> P ointer to a function that returns int and takesone integer and one char double pointer as arguments.Assignment example: f1=main;

All the pointer arithmetic, casting, etc is applicable function pointers also.void * fast_algo(int size);void * mid_algo(int size);void * slow_algo(int size);typedef enum { HIGHSPEE D _HIGHMEM, MI D SPEE D _MI D MEM, LOWSPEE D _LOWMEM } ALGO_CLASS;

ALGO_CLASS x;void* (*MemAllocAlgo[3])(int) = { fast_algo, mid_algo, slow_algo};void* (*MyAlloc)(int);void AssignAllocator(ALGO_CLASS user_choice){

void* (**TempMyAlloc)(int);TempMyAlloc = MemAllocAlgo;

MyAlloc = MemAllocAlgo[user_choice]; /* Alternate1: MyAlloc= TempMyAlloc[user_choice] Alternate 2: MyAlloc = *(TempMyAlloc + user_choice) */


Volatile pointers

Volatile keywords informs compiler that optimisations must be disabled for that variable.The following code has a problem. Compiler will not generate code for disabling interrupt.

#define BASE_ADDRESS 0x 8 08 08 000#define INTERRU P T_REGISTER_ O FFSET 0x10CriticalSection(){

int *intr_reg = (BASE_ADDRESS + INTERRU P T_REGISTER_ O FFSET);*(intr_reg) = 1; /* disables interrupt */

/* critical code, interrupt must be disabled here */««.««.

/* critical code is executed, interrupt can be enabled here */*(intr_reg) = 0; /* enables interrupt */


The problem can be solved simply by defining intr_reg as volatile:volatile int *intr_reg = (BASE_ADDRESS + INTERRU P T_REGISTER_ O FFSET);

Think about this – Volatile & Constant together

Can constant and volatile be used together during adeclaration?Example:

volatile int * const p = 0xc 8 000000;

Bit Manipulations


int x = -10;printf(³%d\n´, ~x+1);



unsigned int x = 5 ;while(--x >= 0){


ello World\n´);}}

Bit Manipulations


int x = -10;printf(³%d\n´, ~x+1);



unsigned int x = 5 ;while(--x >= 0){


ello World\n´);}}

O utput: 10~x represents one¶s compliment of x.~x+1 represents two¶s compliment of x. (i.enegative of x)

H elloWorld is printed infinitely.X becomes MAXINT when it is decrementedwhile it is having a value of 0.

Arithmetic and Logical Shifts


int x = 0x 8 0000000;printf(³%x\n´, x >> 1);



unsigned int x = 0x 8 0000000;

printf(³%x\n´, x >> 1);}

O utput: 0xC0000000Signed number, ³sign extension´ happensfor right shift. (Arithmetic shift)

O utput: 0x40000000Unsigned number, ³sign extension´doesn¶t happen for right shift. (Logical shift)

Advanced Topics

H andy Bitwise ExpressionsStack frames What happens during function callsVariable arguments H ow is it implemented?Dynamic memory allocation H ow can it be implemented?

Handy Bitwise Expressions


urpose Remarks1 X & 1 Check whether number

is odd or evenAll numbers are interms of 0¶s and 1¶s andhence it is sufficient check the last bit

2 X << 1 Multiply by 2

3 X >> 1 Divide by 2

4 ~X+1 Negative the number Negative numbers are represented by twocomplement. (one¶s complement +1)

5 X ̂ all¶ones Bit toggling (equivalentto ~)

6 X >> 31 To find out the sign of the number of X

Result is 0 or -1 based on the sign.

7 Mask = X >> 31Result = (~Mask & X) | (Mask & (-X))

ABS(X) without usingcomparisions

Mask contains all zeros if X is positive andall ones if X is negative.

8 Mask = (X-Y) >> 31Result = (Mask & X) | (~Mask & Y)

Min(X, Y) without usingcomparisions

Mask contains all zeros if Y is less than or equal to X and all ones if X is less than Y.

9 Mask = (X-Y) >> 31Result = (Mask & Y) | (~Mask & X)

Max(X, Y) without usingcomparisions

Mask contains all zeros if X is greater thanor equal to Y and all ones if Y is greater than X.

Exercise 1: Power of 2.

Come up with an ³handy´ expression that can be used todetect whether the given number is a power of 2.Clue: All number that is a power of 2 will have just one bit set.


1 ± 000000012 ± 000000104 ± 000001008 ± 0000100016- 0001000032 -00100000

X86 Stack view during function calls in C

Sample program:

/* assuming EB P as a integer pointer */int f2(int x1, int y1) /* x1 is *(EB P +2), y1 *(EB P + 3) */{

int l 5 = 110; /* l 5 is *(EB P ± 1), l6 is *(EB P -2) */int l6 = 120;

return (0)


int f1(int x, int y){

int l3 = 5 0;int l4 = 60;return f2(l3 + x, l4 + y);

/* right most argument pushed to stack first */


int l1 = 10;int l2 = 20;int l3 = f1(l1 + 20, l2 + 20);




Stack grows

this way


Lower Memory

H igher Memory

xRet addr in main

P rev Frame P tr l3

Saved regs in f1y1

x1Ret addr in f1

P rev Frame P tr l5l6

Saved regs in f2

Saved regs in mainl3l2

P rev Frame P tr



Scope – Check your understanding now

Is scope of global and static variables clear?Following code is sequence is perfectly legal. H ow is it handled?

f1(int x, int y){

int abc = 0xdeadbeef;

printf(³%x\n´, abc);

{int abc = 0xc0ffee;

int x = 0x100;printf(³%x\, %xn´, abc, x);

}}(Clue: Local variables can get into stack or register)

Function Arguments – Check your understanding now

A new function named ³File1Func1´ is implemented in file1P rototype of the function is as follows

Int File1Func1();In file1, the function is implemented as follows:

Int File1Func1(int x, int y)

{ «..


In file2, this function is called as follows.

File1Func1(10,20,30);File1Func1 is called with 3 arguments, while theimplementation takes only two arguments. What will happennow?

Exercise 2: Stack tracing

You have a.o file and have a.h and b.ha.h contents are:

extern int func1(int x, int y);extern int func2(int x, int y);

b.h contents areextern int func3(int x, int y);

Given that calling sequence is:Main->func1->func2->func3

You got to implement b.c that has function func3func3 should print value of x passed to func1.

Security issue – Buffer Overflow on stack

main(int argc, char *argv[])

{ int flag;char filename[16];

if (argc != 2){

fprintf(stderr, "Usage: %s filename\n", argv[0]);exit(1);


«.flag = check_permission();

strcpy(filename, argv[1]); /* D epending upon argv[1], the return address could get corrupted */ ........if (flag == 0xdeadbeef){

/* execute the as root or deposit million dollars in a bank account */ }else{

/* execute the program as normal user, deduct $10 from an account */. }

} /* clever hacker will manage the argv[1] such that return address is changed to a desired location. Or he can change the value of flag

*/ /* typically entire binary program of ³undesired program´ is also passed as an argument, along with return address change */

Variable arguments in C

va_start(ap, num_args) Typically implemented as macro, justinitializes ap such that it points to first un-named argument. (Itwill use frame pointer + offset of second argument from fp toiniatialize ap)va_arg(ap, type) Returns an argument & updates apva_end(ap) Implementation specific cleanups.

Number of arguments should be known directly or indirectlymain: argc is the first argument that will tell number of argumentsP rintf: number of arguments are indirectly found from number of %in format argument

Type of the arguments should be knownmain: Strings (char *argv[])printf: character following % tells the argument type

Exercise 3: My Printf Implementation

Implement myprintf(char *fmt, «) functionH andle %d, %x, %c and %s types in fmt string.

You can use putchar function to output a character on to thescreen.

If you use any other C library function, you must implementthem as well.

Dynamic Memory allocation -- Internals

Dynamic memory allocation

Memory allocated from heapIn unix,heap typically comes after BSS areaBrk call is used to change the ³data segment´ memory allocated to a process

Each memory allocation needs additional overhead memory that is also takenfrom heap.Typical implementation, each allocation preceded by MCB (Memory controlBlocks)MCB structure

s truct MCB{

int i s_ava il ab le;int s ize;


Many approaches are there. Serious research topic.Space efficiency: Requested vs Allocated, Number of chunksSpeed: H ow quickly malloc/free can be executed. Critical in RT O S.

Dynamic Memory Allocation



char *ptr1 = malloc(100);

char *ptr2 = malloc(200);




ptr1 = malloc(300);




ptr1 = malloc(50);«.




C ontrol

MC B 1: 0, 108 Allocation 1

MC B 2: 0, 208 Allocation 2Free Memory

Heap S tart

Heap End

Last allocation




When 100 bytes are requested, actually 100 bytes +sizeof(M C B ) has been utilized. M C B is the overhead.

Dynamic Memory Allocation



char *ptr1 = malloc(100);

char *ptr2 = malloc(200);




ptr1 = malloc(300);




ptr1 = malloc(50);«.




C ontrol

MC B 1: 1, 108 Allocation 1

MC B 2: 0, 208 Allocation 2

Free Memory

Heap S tart

Heap End

Last allocation


ptr1MC B 3: 0, 308

Allocation 3


free doesn¶t take size as the the argument. It iscalculated by accessing *(ptr1 ± sizeof(M C B ) +sizeof(int))

MC B 1 & allocation 1 remains intact even though it isnot allotted.

Dynamic Memory Allocation



char *ptr1 = malloc(100);

char *ptr2 = malloc(200);




ptr1 = malloc(300);




ptr1 = malloc(50);«.




C ontrol

MC B 1: 0, 108 Allocation 1

MC B 2: 0, 208 Allocation 2

Free Memory

Heap S tart

Heap End

Last allocation



MC B 3: 1, 308

Allocation 3


First allocation is re-utilised. That is 100 bytes areallocated, when 50 bytes are requested.

Dynamic Memory Allocation



char *ptr1 = malloc(100);

char *ptr2 = malloc(200);




ptr1 = malloc(300);




ptr1 = malloc(50);«.




C ontrol

MC B 1: 1, 108 Allocation 1

MC B 2: 1, 208 Allocation 2

Free Memory

Heap S tart

Heap End

Last allocation MC B 3: 1, 308

Allocation 3

Pros & cons of MCB approach

Simple and Very fastMCB overhead per allocationAllocation based on first match, rather than best match. (100bytes allocated, instead of 5 0 bytes)

ptr1=malloc(1024 * 1024); free(ptr1), ptr1=malloc(10); we would

allocate 1MB for 10 bytes.Improvements: free space could divided into chunks of fixed size.(typically in power of 2). This would limit the wastage.

In case of alignment issues, attach the excess bytes toprevious MCB.

Doesn¶t create new chunks, unless all previous allocatedchunks are used. Less fragmentation.

Rainy day scenarios – What happens now?

1. Lost memory ptr1=malloc(100); ptr1=malloc(200);2. D ouble free


free(ptr1);free(ptr1);3. Accessing memory after free

ptr1=malloc(10);free(ptr1)*(ptr1+9) = µ\0¶¶;4. Out of range access

ptr1=malloc(10);*(ptr1+10) = µ\0¶;

Security issue – buffer overflow on heap

main(int argc, char *argv[]){

char *filename_p;

if (argc != 2){

fprintf(stderr, "Usage: %s filename\n", argv[0]);exit(1);

}filename_p = malloc(1024);

strcpy(filename, argv[1]); /* D epending upon argv[1], MCBs or even other areas canget corrupted */

.... }

Security issues – Be aware

We need to write defensive program to escape security attacksKnow length of a string before you copy.A defence mechanism needed before using any size relatedinformation coming across network.Beware of D O S attacks.

If you write a server program, beware not to accept too manyconnections from same client in a short period.

Thank you.

Information contained and transmitted by this presentation is proprietary to Wipro Limited and is intended for use only by the individual or entity to which it is addressed,and contains information that is privileged, confidential or exempt from disclosure under applicable law.