How does the Windows thread stack guard page mechanism work in the case of uninitialized local variables?


Question

On Windows for the x86-32/x86-64 architecture, a thread's stack virtual memory consists of a "Reserved Part", "Commit Part", "Guard Page" and "Reserved Page".

Question:

Imagine that I have 1 page of committed memory and 1 MB of reserved memory for the thread stack. I allocate on the stack some memory equal to K pages without initialization; K is, for example, 10. It seems that at the start of the stack frame, memory on the stack will be allocated by user-space code like this:

sub esp, K*4096

The guard page mechanism works when there is a read or write request to the guard page.

But what happens if I perform a read/write to some memory which is beyond this guard page?

Answer

You normally start out testing code that was compiled with runtime checking enabled: /RTC on MSVC++, enabled by default in the Debug configuration, which injects a call to _chkstk() in the function prologue. GCC/g++ has something very similar.

It probes the pages of the allocation in the function prologue, reading every other 4096th byte. This ensures you'll always hit the guard page when you got it wrong, triggering this site's name and helping you to fix the bug.

Without that check in place, you could technically address a page that is not part of the stack at all. Although it is fairly likely to trigger the processor's #GP trap, it is not guaranteed, since the page might have been mapped by another unrelated allocation. You'd have to be unlucky, but it has been done. Fundamental UB, absolutely horrible to diagnose since you never suspect the stack; /RTC is quite valuable.
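As an added illustration, not code from the question or the answer and a toy model rather than Windows' own data structures: the page-by-page probe the answer describes, next to the unprobed `sub esp, K*4096` from the question, both run against a page-state model of a 1 MB stack reservation with one committed page and a guard page directly below it. The names `stack_model`, `touch`, `probe_frame` and `unchecked_frame` are my own; the model's only rule is the one the question states, namely that the guard page reacts to a read or write and nothing else does.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define PAGE_SIZE     4096u
#define RESERVE_PAGES 256u   /* 1 MB of reserved stack, as in the question */

enum page_state { PAGE_RESERVED, PAGE_GUARD, PAGE_COMMITTED };

/* Toy model of one thread's stack reservation (constructed for this example).
 * Index 0 is the page at the top of the stack; the stack grows toward higher
 * indices, i.e. toward lower addresses. */
struct stack_model {
    enum page_state page[RESERVE_PAGES];
    unsigned faults;   /* accesses that reached a page with no guard in between */
};

static void stack_init(struct stack_model *s, unsigned committed)
{
    for (unsigned i = 0; i < RESERVE_PAGES; i++)
        s->page[i] = PAGE_RESERVED;
    for (unsigned i = 0; i < committed && i < RESERVE_PAGES; i++)
        s->page[i] = PAGE_COMMITTED;
    if (committed < RESERVE_PAGES)
        s->page[committed] = PAGE_GUARD;   /* guard sits right below the commit */
    s->faults = 0;
}

/* One memory access to stack page idx.
 * Committed: normal access.  Guard: the fault handler commits it and the next
 * page down becomes the new guard, so the commit grows by exactly one page.
 * Reserved (or past the reservation): nothing intercepts the access; on a real
 * system that is an access violation, or a silent hit on an unrelated mapping. */
static bool touch(struct stack_model *s, unsigned idx)
{
    if (idx >= RESERVE_PAGES) { s->faults++; return false; }   /* true stack overflow */
    switch (s->page[idx]) {
    case PAGE_COMMITTED:
        return true;
    case PAGE_GUARD:
        s->page[idx] = PAGE_COMMITTED;
        if (idx + 1 < RESERVE_PAGES)
            s->page[idx + 1] = PAGE_GUARD;
        return true;
    default:
        s->faults++;
        return false;
    }
}

static unsigned frame_pages(size_t frame_bytes)
{
    return (unsigned)((frame_bytes + PAGE_SIZE - 1) / PAGE_SIZE);
}

/* What a stack probe (the _chkstk call from the answer) does for a frame of
 * frame_bytes below page sp_page: touch each new page in order, top down, so
 * every guard page is hit before the page beyond it is needed.
 * Returns false only when the probe walks off the reservation. */
static bool probe_frame(struct stack_model *s, unsigned sp_page, size_t frame_bytes)
{
    unsigned k = frame_pages(frame_bytes);
    for (unsigned i = 1; i <= k; i++)
        if (!touch(s, sp_page + i))
            return false;
    return true;
}

/* The unprobed version from the question: `sub esp, K*4096`, then the first
 * write lands at the far end of the frame (e.g. buf[0] of a large local
 * array), skipping the guard page entirely. */
static bool unchecked_frame(struct stack_model *s, unsigned sp_page, size_t frame_bytes)
{
    return touch(s, sp_page + frame_pages(frame_bytes));
}

static unsigned committed_pages(const struct stack_model *s)
{
    unsigned n = 0;
    for (unsigned i = 0; i < RESERVE_PAGES; i++)
        if (s->page[i] == PAGE_COMMITTED)
            n++;
    return n;
}

int main(void)
{
    struct stack_model s;
    size_t frame = 10 * PAGE_SIZE;   /* K = 10 from the question */

    stack_init(&s, 1);
    printf("unchecked 10-page frame: %s (faults=%u)\n",
           unchecked_frame(&s, 0, frame) ? "ok" : "FAULT", s.faults);

    stack_init(&s, 1);
    printf("probed 10-page frame:    %s, %u pages committed, guard now at page %u\n",
           probe_frame(&s, 0, frame) ? "ok" : "FAULT",
           committed_pages(&s), committed_pages(&s));
    return 0;
}
```

Compile with any C compiler and run. The probed frame commits pages one at a time and ends with 11 committed pages and the guard at page 11; the unprobed write to page 10 never touches the guard, which is the situation the question asks about. The model counts that as a fault; as the answer points out, on a real machine the page may instead belong to some unrelated allocation, and then nothing faults at all.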
