Chapter 14/17 Functions & Activation Records Recursion.

Chapter 14/17

Functions & Activation RecordsRecursion

2College of CharlestonDr. Anderson, Computer Science

CS 250Comp. Org. & Assembly

Function

Smaller, simpler, subcomponent of program Provides abstraction

– hide low-level details– give high-level structure to program,

easier to understand overall program flow– enables separable, independent development

C functions– zero or multiple arguments passed in– single result returned (optional)– return value is always the same type– by convention, only one function named main (this defines the initial PC)

In other languages, called procedures, subroutines, ...



Functions in C

A function consists of a– Declaration (a.k.a prototype)

includes return value, function name, and the order and data type of all arguments – names of argument are optional)

– Calls – Definition

Names of variables do not need to match prototype, but must match order/type Defines functionality (source code) and returns control (and a value) to caller May produce side-effects

Declaration int Factorial (int n); Call a = x + Factorial (f + g); Definition

int Factorial(int n){ int i; int result = 1; for (i = 1; i <= n; i++) result *= i; return result;}



Why Declaration? Since function definition also includes return and argument types, why

is declaration needed? Use might be seen before definition.

– Compiler needs to know return and arg types and number of arguments. Definition might be in a different file, written by a different

programmer.– include a "header" file with function declarations only– compile separately, link together to make executable

What if we need to pass more parameters than we have registers?!? All the compiler needs to know

– (1) what symbol to call the function (its name), – (2) the type of the return value (for proper usage/intermediate storage)– (3) how to set up the stack to call the function (arguments)

This allows the compiler to inserted the necessary code for function activation when it is called



Implementing a Function Call: Overview Making a function call involves three basic steps

– The parameters of the call are passed from the caller to the callee– The callee does its task– A return value is returned to the caller

Functions in C are caller-independent– Every function must be callable from any other function

Activation record– information about each function, including arguments and local variables– also includes bookkeeping information

values that must always be saved by the caller before doing the JSR– arguments and bookeeping info pushed on run-time stack by caller– callee responsible for other uses of stack (such as local variables)– popped of the stack by caller after getting return value

R5 (the frame pointer) is the “bottom” of the stack as far as the callee function definition is aware. – It should not modify anything existing on the stack before its execution!



Implementing a Function Call: Overview

Calling function

allocate memory for activation record (push)copy arguments into stack arguments

call function

get result from stack (pop)deallocate memory for activation record (pop)

Called functionallocate space for return value [bookkeeping] (push)store mandatory callee save registers [bookkeeping] (push)allocate local variables (push)

execute code

put result in return value spacedeallocate local variables (pop) load callee save registers (pop)return



Activation Record int funName(int a, int b)

{ int w, x, y; . . . return y;}

Name Type Offset Scope

abwxy

intintintintint

450-1-2

funNamefunNamefunNamefunNamefunName

yxw

dynamic linkreturn addressreturn value

ab

bookkeeping

locals

args

R5

R6



Activation Record Bookkeeping

Return value– space for value returned by function– allocated even if function does not return a value

Return address– save pointer to next instruction in calling function– convenient location to store R7 to protect it from change in case

another function (JSR) is called Dynamic link

– caller’s frame pointer (basically a caller save of its own frame pointer R5)– used to “pop” this activation record from stack

In the LC-3 the format for an activation record includes only (and always) these three words pushed in that order!



Run-Time Stack

Caller

Memory

R6

Callee

Memory

R6

Caller

Memory

Caller

Before call During call After call

R5

R5

R6R5



Example Function Call

int Callee (int q, int r) { int k, m; ... return k;}

int Caller (int a) { int w = 25; w = Callee (w,10); return w;}

wdyn linkret addrret vala

25

xFD00

R5R6



The Function Call: Preparation to Jump

int Callee (int q, int r) … int Caller (int a) … … w = Callee(w, 10);… ; push second arg

AND R0, R0, #0ADD R0, R0, #10ADD R6, R6, #-1STR R0, R6, #0; push first argumentLDR R0, R5, #0ADD R6, R6, #-1STR R0, R6, #0

JSR CALLEE ; Jump!Note: Caller needs to know number and type of arguments,doesn't know about local variables.

qrwdyn linkret addrret vala

251025

xFD00

R5R6

New R6



Starting the Callee Function ; push space for return value

ADD R6, R6, #-1; push return addressADD R6, R6, #-1STR R7, R6, #0; push dyn link (caller’s R5)ADD R6, R6, #-1STR R5, R6, #0; set new frame pointerADD R5, R6, #-1; allocate space for localsADD R6, R6, #-2

… execute body of function

mkDyn lnk (R5)ret addrret valueqrwdyn linkret addrret vala

xFCFBx3100

251025

xFD00

R5

R6

new R5

new R6

Note: Callee makes room for bookkeeping variables (standard format) and its local variables (as necessary)



Ending the Callee Function

return k;

; copy k into return valueLDR R0, R5, #0STR R0, R5, #3; pop local variablesADD R6, R5, #1; pop dynamic link (into R5)LDR R5, R6, #0ADD R6, R6, #1; pop return addr (into R7)LDR R7, R6, #0ADD R6, R6, #1; return control to callerRET

mkdyn linkret addrret valqrwdyn linkret addrret vala

-43217xFCFBx310021725 1025

xFD00

R6R5

new R6

new R5



Resuming the Caller Function

w = Callee(w,10);

; JSR Callee ; LAST COMMAND

; load return value (top of stack)LDR R0, R6, #0; perform assignment of return valueSTR R0, R5, #0; pop return value and argumentsADD R6, R6, #3

… Continue caller code

ret valqrwdyn linkret addrret vala

21725 10217

xFD00

R6

R5new R6



Summary of LC-3 Function Call Implementation

1. Caller pushes arguments (last to first).2. Caller invokes subroutine (JSR).3. Callee allocates return value, pushes R7 and R5.4. Callee allocates space for local variables (first to last).5. Callee executes function code.6. Callee stores result into return value slot.7. Callee pops local vars, pops R5, pops R7.8. Callee returns (JMP R7).9. Caller loads return value and pops arguments.10. Caller resumes computation…



x0014x000Ax0001

Group Problem

main() { int x = 1, y = 10, z = 20; … z = foo(x, y); …}

int foo(int a, int b) { int i, j; … i = j + b; … return i;}

Show the assembly code for this instruction.

Assume JSR FOO ends up at address x3C00

zyx

dyn linkret addrret val

xFD00

R5

R6

xFCFFxFCFExFCFDxFCFC



What is Recursion?

A recursive function is one that solves its task by calling itself on smaller pieces of data.– Similar to recurrence function in mathematics.– Like iteration -- can be used interchangeably;

sometimes recursion results in a simpler solution. Standard example: Fibonacci numbers

– The n-th Fibonacci number is the sum of the previous two Fibonacci numbers.

– F(n) = F(n – 1) + F(n – 2) where F(1) = F(0) = 1

int Fibonacci(int n){ if ((n == 0) || (n == 1))

return 1; else

return Fibonacci(n-1) + Fibonacci(n-2);}



Activation Records Whenever Fibonacci is invoked, a new activation record is pushed onto

the stack.

Fib(1)

R6

Fib(2)

Fib(3)

main

main calls Fibonacci(3)

Fibonacci(3) calls Fibonacci(2)

Fibonacci(2) calls Fibonacci(1)

R6Fib(3)

main

R6Fib(2)

Fib(3)

main



Activation Records (cont.)

Fibonacci(1) returns,Fibonacci(2) calls

Fibonacci(0)

Fibonacci(2) returns,Fibonacci(3) calls

Fibonacci(1)

Fibonacci(3)returns

R6main

R6Fib(1)

Fib(3)

main

Fib(0)

R6

Fib(2)

Fib(3)

main



Tracing the Function Calls

If we are debugging this program, we might want to trace all the calls of Fibonacci.– Note: A trace will also contain the arguments

passed into the function.

For Fibonacci(3), a trace looks like: Fibonacci(3)

Fibonacci(2) Fibonacci(1) Fibonacci(0) Fibonacci(1)

What would trace of Fibonacci(4) look like?



Fibonacci: LC-3 Code

Activation Record

tempdynamic link

return addressreturn value

n

bookkeeping

arg

Compiler generatestemporary variable to holdresult of first Fibonacci call.

local



In Summary: The Stack

Since our program usually starts at a low memory address and grows upward, we start the stack at a high memory address and work downward.

Purposes– Temporary storage of variables– Temporary storage of program addresses– Communication with subroutines

Push variables on stack Jump to subroutine Clean stack Return



Parameter passing on the stack If we use registers to pass our parameters:

– Limit of 8 parameters to/from any subroutine.– We use up registers so they are not available to our program.

So, instead we push the parameters onto the stack.– Parameters are passed on the stack– Return values can be provided in registers (such as R0) or on the stack.– Generally, only R6 should be changed by a subroutine.

Other registers that are changed should must be callee saved/restored. Subroutines should be transparent

Both the subroutine and the main program must know how many parameters are being passed!– In C we would use a prototype: int power (int number, int exponent);

In assembly, you must take care of this yourself. After you return from a subroutine, you must also clear the stack.

– Clean up your mess!



Characteristics of good subroutines

Generality – can be called with any arguments– Passing arguments on the stack does this.

Transparency – you have to leave the registers like you found them, except R6.– Registers must be callee saved.

Readability – well documented. Re-entrant – subroutine can call itself if necessary

– Store all information relevant to specific execution to non-fixed memory locations The stack!

– This includes temporary callee storage of register values!



Know how to…

Push parameters onto the stack Access parameters on the stack using base + offset addressing mode Draw the stack to keep track of subroutine execution

– Parameters– Return address

Clean the stack after a subroutine call



String Library Code– Implementation of C/C++ function gets

No way to specify limit on number of characters to read

– Similar problems with other C/C++ functions strcpy,scanf, fscanf, sscanf, when given %s conversion specification cin (as commonly used in C++)

/* Get string from stdin */char *gets(char *dest){ int c = getc(); char *p = dest; while (c != EOF && c != '\n') { *p++ = c; c = getc(); } *p = '\0'; return dest;}



Vulnerable Buffer Code

int main(){ printf("Type a string:"); echo(); return 0;}

/* Echo Line */void echo(){ char buf[4]; /* Way too small! */ gets(buf); puts(buf);}



Buffer Overflow Executions

unix>./bufdemoType a string:123123

unix>./bufdemoType a string:12345Segmentation Fault

unix>./bufdemoType a string:12345678Segmentation Fault



Malicious Use of Buffer Overflow

– Input string contains byte representation of executable code– Overwrite return address with address of buffer– When bar() executes ret, will jump to exploit code

void bar() { char buf[64]; gets(buf); ... }

void foo(){ bar(); ...}

Stack after call to gets()

B

returnaddress

A

foo stack frame

bar stack frameB exploitcode

pad

data written

bygets()



Exploits Based on Buffer Overflows Buffer overflow bugs allow remote machines to execute arbitrary code

on victim machines. Internet worm

– Early versions of the finger server (fingerd) used gets() to read the argument sent by the client:

finger [email protected]– Worm attacked fingerd server by sending phony argument:

finger “exploit-code padding new-return-address” exploit code: executed a root shell on the victim machine with a direct TCP

connection to the attacker. IM War

– AOL exploited existing buffer overflow bug in AIM clients– exploit code: returned 4-byte signature (the bytes at some location in the

AIM client) to server. – When Microsoft changed code to match signature, AOL changed signature

location.



Code Red Worm

History– June 18, 2001. Microsoft announces buffer overflow vulnerability in IIS

Internet server– July 19, 2001. over 250,000 machines infected by new virus in 9 hours– White house must change its IP address. Pentagon shut down public

WWW servers for day When We Set Up CS:APP Web Site

– Received strings of formGET /default.ida?

NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN....NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

HTTP/1.0" 400 325 "-" "-"



Code Red Exploit Code– Starts 100 threads running– Spread self

Generate random IP addresses & send attack string

Between 1st & 19th of month– Attack www.whitehouse.gov

Send 98,304 packets; sleep for 4-1/2 hours; repeat

– Denial of service attack Between 21st & 27th of month

– Deface server’s home page After waiting 2 hours



Avoiding Overflow Vulnerability

Use Library Routines that Limit String Lengths– fgets instead of gets– strncpy instead of strcpy– Don’t use scanf with %s conversion specification

Use fgets to read the string

/* Echo Line */void echo(){ char buf[4]; /* Way too small! */ fgets(buf, 4, stdin); puts(buf);}



Practice problems

14.2, 14.4, 14.9, 14.10, 14.15 (good!) The convention in LC-3 assembly is that all registers are callee-saved

except for R5 (the frame pointer) R6 (the stack pointer) and R7 (the return link).

– Why is R5 not callee-saved?– Why is R6 not callee-saved?– Why is R7 not callee-saved?

Is it true that any problem that can be solved recursively can be solved iteratively using a stack data structure? Why or why not?

Chapter 14/17 Functions & Activation Records Recursion.

Documents

Transcript of Chapter 14/17 Functions & Activation Records Recursion.