Changes in the stack memory when we call a function

  • Question

  • Hi experts,

    Now I am learning about the changes in the stack when we call a function (x86).

    For that I just wrote a small program:

    #include <windows.h>

    int f1( int a )
    {
        int c = 20;
        return c;
    }

    int WINAPI WinMain( HINSTANCE hInt, HINSTANCE hPreInst, LPSTR szCmd, int nCmdShow )
    {
        int c;
        f1( 20 );
        return 0;
    }

    I attached WinDbg to the binary and executed the binary.

    The debugger hit the manual breakpoint in the code.

    Then I dumped the stack memory using the dds command (dds esp):

    0:000> dds esp
    0028f9a4  0028fb60
    0028f9a8  00000000
    0028f9ac  7efde000
    0028f9b0  cccccccc
    0028f9b4  cccccccc
    0028f9b8  cccccccc
    0028f9bc  cccccccc
    0028f9c0  cccccccc
    0028f9c4  cccccccc
    0028f9c8  cccccccc
    0028f9cc  cccccccc
    0028f9d0  cccccccc
    0028f9d4  cccccccc
    0028f9d8  cccccccc
    0028f9dc  cccccccc
    0028f9e0  cccccccc
    0028f9e4  cccccccc
    0028f9e8  cccccccc
    0028f9ec  cccccccc
    0028f9f0  cccccccc
    0028f9f4  cccccccc
    0028f9f8  cccccccc
    0028f9fc  cccccccc
    0028fa00  cccccccc
    0028fa04  cccccccc
    0028fa08  cccccccc
    0028fa0c  cccccccc
    0028fa10  cccccccc
    0028fa14  cccccccc
    0028fa18  cccccccc
    0028fa1c  cccccccc
    0028fa20  cccccccc
    0:000> dds
    0028fa24  cccccccc
    0028fa28  cccccccc
    0028fa2c  cccccccc
    0028fa30  cccccccc
    0028fa34  cccccccc
    0028fa38  cccccccc
    0028fa3c  cccccccc
    0028fa40  cccccccc
    0028fa44  cccccccc
    0028fa48  cccccccc
    0028fa4c  cccccccc
    0028fa50  cccccccc
    0028fa54  cccccccc
    0028fa58  cccccccc
    0028fa5c  cccccccc
    0028fa60  cccccccc
    0028fa64  cccccccc
    0028fa68  cccccccc
    0028fa6c  cccccccc
    0028fa70  cccccccc
    0028fa74  00000014
    0028fa78  cccccccc
    0028fa7c  0028fb60
    0028fa80  013c1525 Test_FPO!WinMain+0x25 [d:\personal\study\debugging\reference\test_fpo\test_fpo\test_fpo_main.cpp @ 43]

    After pushing the argument to the stack I can see around 200 blank bytes in the stack.

    So I just disassembled my code (the function which I called from WinMain, i.e. f1()).

    013c14c0 55               push    ebp
    013c14c1 8bec             mov     ebp,esp
    013c14c3 81eccc000000     sub     esp,0CCh   (WHY is this code inserted?)
    013c14c9 53               push    ebx
    013c14ca 56               push    esi
    013c14cb 57               push    edi
    013c14cc 8dbd34ffffff     lea     edi,[ebp-0CCh]
    013c14d2 b933000000       mov     ecx,33h
    013c14d7 b8cccccccc       mov     eax,0CCCCCCCCh
    013c14dc f3ab             rep stos dword ptr es:[edi]
    013c14de c745f814000000   mov     dword ptr [ebp-8],14h
    013c14e5 cc               int     3

    I can see that after storing the EBP register the stack moves forward by around 204 bytes (I think this is what I can see in the memory dump).

    Experts, could you please tell me what is the intention for this blank stack space?

    (I have only just started to learn about the stack; please correct me if any of my understanding is wrong.)


    Windows 7 64 bit

    Visual Studio 2010 

    Project is 32 bit (I created my binary in Debug mode)

    • Edited by Parambath Monday, June 10, 2013 3:01 PM
    Monday, June 10, 2013 2:54 PM
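
The prologue from the question's disassembly, replayed instruction by instruction over a simulated stack, as an added example that is not part of the original post. It reproduces the addresses in the dds output: the 0CCh bytes written by rep stos run from 0028f9b0 up to the saved EBP, and the 00000014 at 0028fa74 is the value stored through [ebp-8]. Assumptions: ESP was 0028fa84 just before the call, the pushed EBX/ESI/EDI values are read off the dump, and the helper names (`run_prologue`, `peek`, `frame_base`, `count_fill`) are made up for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define BASE 0x0028f9a4u   /* lowest address shown in the dds output */
#define TOP  0x0028fa84u   /* assumed ESP just before `call f1` */
static uint32_t stack_mem[(TOP - BASE) / 4];   /* simulated stack, one dword per slot */
static uint32_t esp, ebp;

static uint32_t *at(uint32_t addr) { return &stack_mem[(addr - BASE) / 4]; }
static void push(uint32_t v)       { esp -= 4; *at(esp) = v; }
uint32_t peek(uint32_t addr)       { return *at(addr); }
uint32_t frame_base(void)          { return ebp; }

/* Replays f1's prologue; register values are the ones visible in the dump. */
uint32_t run_prologue(void)
{
    esp = TOP;
    ebp = 0x0028fb60u;                 /* caller's EBP */
    push(0x013c1525u);                 /* call f1: return address WinMain+0x25 */
    push(ebp);                         /* push ebp */
    ebp = esp;                         /* mov ebp,esp */
    esp -= 0xCC;                       /* sub esp,0CCh */
    push(0x7efde000u);                 /* push ebx */
    push(0x00000000u);                 /* push esi */
    push(0x0028fb60u);                 /* push edi */
    uint32_t edi = ebp - 0xCC;         /* lea edi,[ebp-0CCh] */
    for (uint32_t ecx = 0x33; ecx != 0; ecx--, edi += 4)   /* rep stos, ecx = 33h */
        *at(edi) = 0xCCCCCCCCu;        /* eax = 0CCCCCCCCh */
    *at(ebp - 8) = 0x14;               /* mov dword ptr [ebp-8],14h */
    return esp;
}

/* Counts the fill dwords still present between ebp-0CCh and ebp. */
unsigned count_fill(void)
{
    unsigned n = 0;
    for (uint32_t a = ebp - 0xCC; a < ebp; a += 4)
        n += (peek(a) == 0xCCCCCCCCu);
    return n;
}

int main(void)
{
    uint32_t sp = run_prologue();
    printf("esp=%08x ebp=%08x fill=%u dwords\n", (unsigned)sp, (unsigned)ebp, count_fill());
    for (uint32_t a = ebp - 8; a <= ebp + 4; a += 4)
        printf("%08x  %08x\n", (unsigned)a, (unsigned)peek(a));
    return 0;
}
```
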


All replies

  • You most certainly compiled with /ZI compiler-option, 'Edit and Continue'?
    /Zi option may result in a more 'reasonable' disassembly.

    With kind regards

    • Marked as answer by Parambath Monday, June 10, 2013 4:49 PM
    Monday, June 10, 2013 3:58 PM
  • @MaybeCompletelyW,

    You are right, the extra stack space was gone when I changed the "Debug Information Format" to "Program Database". Thanks for the information!

    Also I checked what happens if I enable the "Edit and Continue" option and add more than 204 bytes of local variables during debugging.

    Visual Studio displayed the following error message:

    "You are about to view the stale code. Edit and continue could not apply code changes to this function on the call stack. This stale code will go away when this function exists."

    Monday, June 10, 2013 4:49 PM