Meditation, The Art of Exploitation

Thinking? At last I have discovered it--thought; this alone is inseparable from me. I am, I exist--that is certain. But for how long? For as long as I am thinking. For it could be, that were I totally to cease from thinking, I should totally cease to exist....I am, then, in the strict sense only a thing that thinks.

Tuesday, July 25, 2006

C/C++ sequence point by Robbie Hatley on CLC

I was just googling "sequence point", trying to find more info on this,
and I ran across http://c-faq.com/ which is, lo and behold, the FAQ for
this group. That site mentions the following two sentences from the
C standard:

Between the previous and next sequence point an object shall
have its stored value modified at most once by the evaluation
of an expression. Furthermore, the prior value shall be accessed
only to determine the value to be stored.

After staring at those for a while I think I understand them.
If I'm getting the idea right, it says:

1. You aren't supposed to alter the same variable twice between
sequence points.
2. If you alter a variable between two sequence points, you're
not supposed to use the original value of that variable for
any purpose other than computing the final value to be stored
back into the variable.

For example, I think the following violates those rules:

int main()
{
int y=0;
int x=7;
y = 2*x + x++; // violates sentence 2
printf("y = %d", y); // undefined behavior

y=0;
x=7;
y = x++ + x++; // violates sentences 1 and 2
printf("y = %d", y); // undefined behavior

return 0;

}

posted by Fei Liu | 1:01 PM

Monday, July 24, 2006

The mythical 'bss' segment

BSS stands for 'Block Started by Symbols'. This is a segment reserved for uninitialized global variables on most unix/linux platforms. Consider the following example:

#include

int init_d = 10; // .data
int noinit_d; // .bss

int main(){
printf(".data %p .bss %p\n", &init_d, &noinit_d);
}

Compile with -g -O0, run it will print the following lines:
.data 0x8049598 .bss 0x80495a0

Run 'objdump -s a.out':
Contents of section .rodata:
8048478 03000000 01000200 2e646174 61202570 .........data %p
8048488 202e6273 73202570 0a00 .bss %p..
Contents of section .data:
804958c 00000000 00000000 a4940408 0a000000 ................

080494a4 points to the format string, 0a is the value of the initialized variable.

Run 'objdump -x a.out':
Idx Name Size VMA LMA File off Algn
21 .data 00000010 0804958c 0804958c 0000058c 2**2
CONTENTS, ALLOC, LOAD, DATA
22 .bss 00000008 0804959c 0804959c 0000059c 2**2
ALLOC
.bss segment starts from 0804959c and takes 8 bytes. The 2nd variable at 80495a0 is noinit_d in our source code.

posted by Fei Liu | 2:54 PM

Tuesday, July 11, 2006

What does 'static inline' mean?

Declare a function 'static inline' means each definition of the
function is unique and multiple translation units can each have their
own definition of the function and compilation will still work. In the
final executable file, every required copy of the function object code
is included but will be assigned and loaded at different virtual
address.

posted by Fei Liu | 12:14 PM