When a function call takes place, the data laid out in the stack looks like this:
1. The caller pushes the arguments the callee needs onto the stack in the reverse of the callee's parameter order, i.e. from right to left;
2. The caller invokes the callee with the call instruction, which pushes the address of the instruction following the call as the return address (this push is implicit in call);
3. In the callee's prologue, the caller's frame base is saved first (push ebp; the stack grows from high memory addresses toward low ones), and then the current stack top becomes the callee's own frame base (mov ebp, esp), so ebp now points at the slot holding the saved caller ebp;
4. In the callee, local and temporary variables are allocated below ebp (space is reserved by moving esp down). In this example their addresses decrease in order of definition, i.e. they follow the stack's growth direction: earlier-defined variables sit at higher addresses, later-defined ones at lower addresses. Note that this ordering is a compiler choice, not a guarantee: with optimisation the compiler may reorder locals or keep them in registers, and GCC's -fstack-protector deliberately places character arrays above the other locals, next to the canary, so that an overflow hits the canary instead of a neighbouring variable;
So the order in which things are pushed during a function call is:
argument N
argument N-1
argument N-2
.....
argument 3
argument 2
argument 1
return address
caller's EBP/BP
local variable 1
local variable 2
....
local variable N
The function call stack is shown in the figure below:
Explanation:
First the caller's EBP is pushed (push ebp) and EBP is pointed at that slot (mov ebp, esp), so inside the callee, for a 32-bit cdecl call:
SS:[ebp] holds the caller's saved EBP,
SS:[ebp+4] holds the callee's return address,
SS:[ebp+8] holds the first argument (SS:[ebp+12] the second, and so on),
and the locals start at SS:[ebp-4] and grow downward.
Following the saved-EBP chain from one frame to the next recovers the whole call stack; it is also why an overflow of a local that runs upward past the saved EBP lands on the return address.
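The layout just described can be checked on a live frame. The following is an added example written for this page, not code from the original post: inside a small function it reads the frame pointer, verifies that the word just above it really is the return address, and reports how far a 16-byte local buffer is from that slot, which is exactly the distance a stack-overflow exploit has to cover. It relies on the GCC/Clang builtins __builtin_frame_address and __builtin_return_address and on the frame pointer being kept (both compilers keep it in a function that uses __builtin_frame_address(0); pass -fno-omit-frame-pointer to be explicit). On x86-64 the slots are [rbp] and [rbp+8] rather than [ebp] and [ebp+4], and the first integer arguments arrive in registers, so the measured offset of &x differs from the 32-bit picture; the function and field names are my own.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Measurements taken from inside one live stack frame. */
struct frame_probe {
    uintptr_t frame;        /* ebp/rbp after the prologue (push ebp; mov ebp, esp) */
    uintptr_t saved_fp;     /* contents of [fp]: the caller's frame pointer */
    uintptr_t ret_slot;     /* contents of [fp + word]: the return-address slot */
    uintptr_t ret_builtin;  /* __builtin_return_address(0), used to cross-check ret_slot */
    uintptr_t arg_x;        /* address of parameter x */
    uintptr_t buf;          /* address of a local char array */
    long      bytes_to_ret; /* offset from buf[0] to the return-address slot */
    int       ret_slot_ok;  /* 1 if [fp + word] really holds the return address */
};

/* noinline keeps this a real call with a frame of its own; using
   __builtin_frame_address(0) makes GCC and Clang keep a frame pointer here
   even when optimising (build with -fno-omit-frame-pointer to be explicit). */
__attribute__((noinline))
struct frame_probe probe_frame(int x, int y, int z)
{
    char buf[16];
    struct frame_probe p;
    uintptr_t *fp = (uintptr_t *)__builtin_frame_address(0);

    memset(buf, 0, sizeof buf);
    p.frame       = (uintptr_t)fp;
    p.saved_fp    = fp[0];                      /* SS:[ebp]   in the text's notation */
    p.ret_slot    = fp[1];                      /* SS:[ebp+4] (SS:[rbp+8] on x86-64) */
    p.ret_builtin = (uintptr_t)__builtin_return_address(0);
    p.arg_x       = (uintptr_t)&x;              /* fp+8 under 32-bit cdecl; on x86-64 the
                                                   first six integer args arrive in registers,
                                                   so &x is a spill slot inside this frame */
    p.buf         = (uintptr_t)buf;
    /* Bytes an overflow starting at buf[0] must write before it reaches the
       return-address slot; one more word after that overwrites the address. */
    p.bytes_to_ret = (long)((uintptr_t)&fp[1] - (uintptr_t)buf);
    p.ret_slot_ok  = (p.ret_slot == p.ret_builtin);
    (void)y; (void)z;
    return p;
}

/* Does the live frame match the diagram: return address one word above fp? */
int frame_layout_matches(void)
{
    return probe_frame(1, 2, 3).ret_slot_ok;
}

int main(void)
{
    struct frame_probe p = probe_frame(1, 2, 3);

    printf("frame (ebp/rbp)       = %#lx\n", (unsigned long)p.frame);
    printf("[fp]    saved fp      = %#lx\n", (unsigned long)p.saved_fp);
    printf("[fp+%zu] return addr   = %#lx (builtin says %#lx) %s\n",
           sizeof(uintptr_t), (unsigned long)p.ret_slot,
           (unsigned long)p.ret_builtin, p.ret_slot_ok ? "match" : "MISMATCH");
    printf("&x                    = %#lx (fp%+ld)\n", (unsigned long)p.arg_x,
           (long)(p.arg_x - p.frame));
    printf("buf[16]               = %#lx (fp%+ld)\n", (unsigned long)p.buf,
           (long)(p.buf - p.frame));
    printf("an overflow of buf reaches the return-address slot after %ld bytes\n",
           p.bytes_to_ret);
    return 0;
}
```

With -fstack-protector-strong (the default on many distributions) bytes_to_ret is larger than the bare 16 + saved-ebp distance, because the canary word sits between buf and the saved frame pointer; that gap is what the protector relies on to catch the overflow before the return address is used.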
Example of the layout of local variables inside a function:
#include <stdio.h>
#include <stdint.h>
#include <string.h>

struct C
{
    int a;
    int b;
    int c;
};

/* defined but never called in this example */
int test2(int x, int y, int z)
{
    printf("hello,test2\n");
    return 0;
}

int test(int x, int y, int z)
{
    int a = 1;
    int b = 2;
    int c = 3;
    struct C st;
    /* print each address as an integer; the uintptr_t cast also builds cleanly on 64-bit */
    printf("addr x = %lu\n", (unsigned long)(uintptr_t)&x);
    printf("addr y = %lu\n", (unsigned long)(uintptr_t)&y);
    printf("addr z = %lu\n", (unsigned long)(uintptr_t)&z);
    printf("addr a = %lu\n", (unsigned long)(uintptr_t)&a);
    printf("addr b = %lu\n", (unsigned long)(uintptr_t)&b);
    printf("addr c = %lu\n", (unsigned long)(uintptr_t)&c);
    printf("addr st = %lu\n", (unsigned long)(uintptr_t)&st);
    printf("addr st.a = %lu\n", (unsigned long)(uintptr_t)&st.a);
    printf("addr st.b = %lu\n", (unsigned long)(uintptr_t)&st.b);
    printf("addr st.c = %lu\n", (unsigned long)(uintptr_t)&st.c);
    return 0;
}

int main(int argc, char** argv)
{
    int x = 1;
    int y = 2;
    int z = 3;
    (void)argc; (void)argv;
    test(x, y, z);
    printf("x = %d; y = %d; z = %d;\n", x, y, z);
    /* Deliberate 8-byte write starting at y.  With x placed at the next higher
       address (the same layout rule as a, b, c inside test), this zeroes y and x.
       It is undefined behaviour and is kept only to expose the layout. */
    memset(&y, 0, 8);
    printf("x = %d; y = %d; z = %d;\n", x, y, z);
    return 0;
}
The output (from a 32-bit build; the arguments sit above ebp at increasing addresses, the locals below it at decreasing addresses, and memset(&y, 0, 8) zeroed not only y but also x, its neighbour at the next higher address) is as follows:
addr x = 4288282272
addr y = 4288282276
addr z = 4288282280
addr a = 4288282260
addr b = 4288282256
addr c = 4288282252
addr st = 4288282240
addr st.a = 4288282240
addr st.b = 4288282244
addr st.c = 4288282248
x = 1; y = 2; z = 3;
x = 0; y = 0; z = 3;
Diagram of the example:
All of the local variables in that diagram are the ones defined in this example;