Introduction to the Debuggers in Software

Introduction to the Debuggers
The processor uses stack memory areas controlled by a stack register to record the return address where the execution must continue after completing the current function call Because each processor manages the stack in its own way, we focus on the x86 family of processors, as they are common and easily accessible, for all of our examples in this chapter The 64-bit processor-specific aspects are discussed in 12, 64-Bit Debugging, that must be studied before digging into the 64-bit realm The x86 processor stack always grows downward, and it is addressed by the stack pointer register, named esp 5, Memory Corruption Part I Stacks, explains in detail the differences between various calling conventions used in the x86 processor architecture and how they affect code execution This chapter focuses on the __stdcall calling convention, as it is the default convention used by Windows APIs This section (and the remainder of the book), ignores frame pointer omission (FPO) optimization, simply because it is not used in Windows XP SP2 and later operating systems Since FPO optimization makes debugging nearly impossible without symbols, the current recommendation is to avoid it completely Upon entering a function, the compiler generates a so-called stack frame that is maintained using the frame base pointer register ebp The function prolog saves the current value of ebp on the stack and loads the current stack pointer value that will be kept until the function executes the function epilog Within the function, the compiler addresses input parameters using positive offsets for the frame-based pointer and negative offsets for the local variable allocated in the function The simplest function prolog and function epilog are shown here:
0:000> uf 02sample!KBTest::Fibonacci_stdcall: 00401760 8bff mov edi,edi 00401762 55 push ebp 00401763 8bec mov ebp,esp 004017b3 8be5 mov esp,ebp 004017b5 5d pop ebp 004017b6 c20400 ret 4
In the function epilog, the ebp value is reloaded with the saved value so that the register is preserved after the call The layout of the input parameters, the local variable, and the base frame pointer are shown in the next figure Before making a function call, the caller pushes all the function parameters on the stack The processor then saves the address from where the execution will continue on return The called function uses the stack to save the old ebp and allocates the necessary space for the local variable The ebp register is then used to access the input parameters and the local variable, as you can see on the right side of Figure 25
Basic Debugger Tasks
Stack extends downward
0006fc74 0006fc74 0006fc6c
n=1 (first function parameter) 004017b0 = return address 004017b0 = saved ebp Local Parameters
ebp+8 ebp+4 ebp ebp-4
Figure 25 Stack content when calling a function following the __stdcall convention The call stack records the entire chain of function calls made by the current thread, resulting in the invocation of the current function The stack representation starts with the current executed function displayed at the top followed by its caller, the caller of the current function callers, and so on each calling point being identified by its stack frame The process repeats itself until the debugger reaches the last stack frame on the call stack, or an external condition, such as incorrect symbols or a nonaccessible stack, prevents the debugger from further decoding the stack Not surprisingly, the stack of the current fault is one of the most used pieces of information Sometimes the thread stack is used to index and catalogue software failures The k (display stack back trace) command can be used to analyze the current stack using module symbols and formatting the information according to additional parameters passed in the command line As with most context-dependent commands, k interprets the stack from the current context information WinDbg provides a call stack window that s updated every time the debugger stops To experiment with k commands, we will run 02sampleexe under debugger and select the option to generate a normal call stack This option recursively calculates the 32nd number from the Fibonacci series The source code for the function is shown in Listing 223 Listing 223 Source of Fibonacci function implemented in the 02sampleexe sample
#define STOP_ON_DEBUGGER { if (IsDebuggerPresent()) DebugBreak();} unsigned int Fibonacci(unsigned int n) { switch(n) { case 0: STOP_ON_DEBUGGER;return 0; case 1: return 1; default: return Fibonacci(n-1)+Fibonacci(n-2); } }
