Lowlevel details of a C program

Posted on 2012-03-13
Last Modified: 2012-03-19
Hi Experts,

When I do the following in GDB, I get the previous function in the call stack.  I am wondering how they are organized.  I read this from a website, but I am not sure why disassemble main-1 would give the dis-assembly of doubelFree. It then calls like this until I reach the glibc start_8, start_7 functions.  Can someone explain this please...
Thank you.

void doubleFree(int x, int y) {
      int a = 10;
      int b = 20;
      char *p1 = (char *) malloc(100);


int main(int argc, char **argv) {

      doubleFree(30, 40);

      return 0;

(gdb) disass main
Dump of assembler code for function main:
   0x00100904 <+0>:     push    {r11, lr}
   0x00100908 <+4>:     add     r11, sp, #4
   0x0010090c <+8>:     sub     sp, sp, #16
   0x00100910 <+12>:    str     r0, [r11, #-16]
   0x00100914 <+16>:    str     r1, [r11, #-20]
   0x00100918 <+20>:    movw    r3, #8196       ; 0x2004
   0x0010091c <+24>:    movt    r3, #16
   0x00100920 <+28>:    ldr     r3, [r3]
   0x00100924 <+32>:    str     r3, [r11, #-8]
   0x00100928 <+36>:    mov     r0, #30
   0x0010092c <+40>:    mov     r1, #40 ; 0x28
   0x00100930 <+44>:    bl      0x10088c <doubleFree>
   0x00100934 <+48>:    mov     r3, #0
   0x00100938 <+52>:    mov     r0, r3
   0x0010093c <+56>:    movw    r3, #8196       ; 0x2004
   0x00100940 <+60>:    movt    r3, #16
   0x00100944 <+64>:    ldr     r2, [r11, #-8]
   0x00100948 <+68>:    ldr     r3, [r3]
   0x0010094c <+72>:    cmp     r2, r3
   0x00100950 <+76>:    beq     0x100958 <main+84>
   0x00100954 <+80>:    bl      0x100628 <__stack_chk_fail>
   0x00100958 <+84>:    sub     sp, r11, #4
   0x0010095c <+88>:    pop     {r11, pc}
End of assembler dump.
(gdb) disas main-1
Dump of assembler code for function doubleFree:
   0x0010088c <+0>:     push    {r11, lr}
   0x00100890 <+4>:     add     r11, sp, #4
   0x00100894 <+8>:     sub     sp, sp, #24
   0x00100898 <+12>:    str     r0, [r11, #-24]
   0x0010089c <+16>:    str     r1, [r11, #-28]
   0x001008a0 <+20>:    movw    r3, #8196       ; 0x2004
   0x001008a4 <+24>:    movt    r3, #16
   0x001008a8 <+28>:    ldr     r3, [r3]
   0x001008ac <+32>:    str     r3, [r11, #-8]
   0x001008b0 <+36>:    mov     r3, #10
   0x001008b4 <+40>:    str     r3, [r11, #-12]
   0x001008b8 <+44>:    mov     r3, #20
   0x001008bc <+48>:    str     r3, [r11, #-16]
   0x001008c0 <+52>:    mov     r0, #100        ; 0x64
   0x001008c4 <+56>:    bl      0x10061c <malloc>
   0x001008c8 <+60>:    mov     r3, r0
   0x001008cc <+64>:    str     r3, [r11, #-20]
   0x001008d0 <+68>:    ldr     r0, [r11, #-20]
   0x001008d4 <+72>:    bl      0x10067c <free>
   0x001008d8 <+76>:    ldr     r0, [r11, #-20]
   0x001008dc <+80>:    bl      0x10067c <free>
   0x001008e0 <+84>:    movw    r3, #8196       ; 0x2004
   0x001008e4 <+88>:    movt    r3, #16
   0x001008e8 <+92>:    ldr     r2, [r11, #-8]
   0x001008ec <+96>:    ldr     r3, [r3]
   0x001008f0 <+100>:   cmp     r2, r3
   0x001008f4 <+104>:   beq     0x1008fc <doubleFree+112>
   0x001008f8 <+108>:   bl      0x100628 <__stack_chk_fail>
   0x001008fc <+112>:   sub     sp, r11, #4
   0x00100900 <+116>:   pop     {r11, pc}
End of assembler dump.
(gdb) disas doubleFree-1
Dump of assembler code for function frame_dummy:
   0x00100814 <+0>:     push    {r4, r5, r11, lr}
   0x00100818 <+4>:     ldr     r4, [pc, #84]   ; 0x100874 <frame_dummy+96>
   0x0010081c <+8>:     ldr     r3, [pc, #84]   ; 0x100878 <frame_dummy+100>
   0x00100820 <+12>:    add     r11, sp, #12
   0x00100824 <+16>:    add     r4, pc, r4
   0x00100828 <+20>:    ldr     r3, [r4, r3]
   0x0010082c <+24>:    cmp     r3, #0
   0x00100830 <+28>:    beq     0x100848 <frame_dummy+52>
   0x00100834 <+32>:    ldr     r0, [pc, #64]   ; 0x10087c <frame_dummy+104>
   0x00100838 <+36>:    ldr     r1, [pc, #64]   ; 0x100880 <frame_dummy+108>
   0x0010083c <+40>:    add     r0, r4, r0
   0x00100840 <+44>:    add     r1, r4, r1
   0x00100844 <+48>:    bl      0x100670 <exit+12>
   0x00100848 <+52>:    ldr     r3, [pc, #52]   ; 0x100884 <frame_dummy+112>
   0x0010084c <+56>:    add     r0, r4, r3
   0x00100850 <+60>:    ldr     r3, [r4, r3]
   0x00100854 <+64>:    cmp     r3, #0
   0x00100858 <+68>:    popeq   {r4, r5, r11, pc}
   0x0010085c <+72>:    ldr     r3, [pc, #36]   ; 0x100888 <frame_dummy+116>
   0x00100860 <+76>:    ldr     r3, [r4, r3]
   0x00100864 <+80>:    cmp     r3, #0
   0x00100868 <+84>:    popeq   {r4, r5, r11, pc}
   0x0010086c <+88>:    blx     r3
   0x00100870 <+92>:    pop     {r4, r5, r11, pc}
   0x00100874 <+96>:    andeq   r1, r0, r8, lsl #15
   0x00100878 <+100>:   andeq   r0, r0, r8, asr #32
   0x0010087c <+104>:                   ; <UNDEFINED> instruction: 0xffffe9b4
   0x00100880 <+108>:   andeq   r0, r0, r12, asr r0
   0x00100884 <+112>:                   ; <UNDEFINED> instruction: 0xffffff14
   0x00100888 <+116>:   andeq   r0, r0, r4, asr #32
End of assembler dump.
Question by:ambuli
LVL 53

Accepted Solution

Infinity08 earned 500 total points
Comment Utility
>> but I am not sure why disassemble main-1 would give the dis-assembly of doubelFree.

Because the doubleFree function is defined in the text segment right before the main function (look at the memory addresses in the disassembler dumps).

The "-1" part means to take the address of the function that is listed, and subtract 1 from that address. Then disassemble whatever function that new address is part of.

For example, main has the address 0x00100904. The address right before that is 0x00100903, which happens to be pointing in the middle of the last instruction of the doubleFree function.

Note that you can equally use "+1", "-2", etc., but it's not very useful to use these address calculations for determining functions to disassamble. It's usually better to get addresses from the call stack (from the return addresses) and/or the current instruction pointer.

Expert Comment

Comment Utility
What are you trying to do when you enter "disassem main-1" or "disassem doutbleFree-1"?

If you are trying to change your current context to the calling function (previous frame), use the "up" command.

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Over the last ten+ years I have seen Linux configuration tools come and go. In the early days there was the tried-and-true, all-powerful linuxconf that many thought would remain the one and only Linux configuration tool until the end of times. Well,…
If you have a server on collocation with the super-fast CPU, that doesn't mean that you get it running at full power. Here is a preamble. When doing inventory of Linux servers, that I'm administering, I've found that some of them are running on l…
Video by: Grant
The goal of this video is to provide viewers with basic examples to understand and use nested-loops in the C programming language.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now