CN115292201B - Function call stack parsing and backtracking method and device - Google Patents


Info

Publication number
CN115292201B
Authority
CN
China
Prior art keywords
stack
function
address
register
return address
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202211187959.1A
Other languages
Chinese (zh)
Other versions
CN115292201A (en)
Inventor
张鹏
方建滨
黄春
彭林
唐滔
崔英博
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
National University of Defense Technology
Original Assignee
National University of Defense Technology
Application filed by National University of Defense Technology
Priority to CN202211187959.1A
Publication of CN115292201A
Application granted
Publication of CN115292201B
Legal status: Active

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 11/00 Error detection; Error correction; Monitoring > G06F 11/36 Preventing errors by testing or debugging software > G06F 11/3604 Software analysis for verifying properties of programs
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 8/00 Arrangements for software engineering > G06F 8/40 Transformation of program code > G06F 8/53 Decompilation; Disassembly
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 8/00 Arrangements for software engineering > G06F 8/70 Software maintenance or management

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Quality & Reliability (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The application relates to a method and device for parsing and backtracking a function call stack. The method comprises: dumping the execution context (stack space and processor registers) of an application program that has been interrupted by an exception or manually; locating the code of the terminating function in the executable file according to the code address of the terminating function recorded in the interrupted program; statically analyzing that code to reconstruct the stack frame structure of the terminating function; parsing the dumped stack space according to the stack frame structure to obtain the return address of the terminating function and the stack address of its parent function; reconstructing in the same way the stack frame structure of the parent function corresponding to that return address and parsing the dumped stack space again; and repeating this for each function in the call stack until no valid return address or stack address can be obtained, at which point the call stack backtrace is complete.

Description

Function call stack parsing and backtracking method and device
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method and an apparatus for parsing and backtracking a function call stack.
Background
While an application program is running, a hardware or software exception may occur and terminate execution; at that point the program's call stack information is needed to locate where the exception occurred.
Current function call stack backtracking techniques either require functions to carry stack frame structure information, or restrict compiler optimization, or guess whether data on the stack is a function return address, and so suffer from limitations such as inaccurate analysis and extra processing.
Because exceptions are unpredictable, users do not perform extra processing in advance, so information is lost and the function call stack information is difficult to recover.
Therefore a method is needed that automatically identifies the stack frame structure and acquires the complete function call stack efficiently and accurately without additional processing.
Disclosure of Invention
In view of the above, there is a need for a method that acquires a complete function call stack efficiently and accurately without additional processing.
A function call stack parsing and backtracking method, the method comprising:
dumping the execution context of an application program interrupted by an exception or manually, the execution context comprising the stack space and a plurality of processor registers, the processor registers including a program counter register and a stack top (stack pointer) register, where the program counter register holds the code address of the terminating function being executed in the interrupted application program and the stack top register holds the stack top address of the terminating function;
locating the code of the terminating function in the executable file of the application program according to that code address, performing static code analysis on the function code, and reconstructing the stack frame structure of the terminating function;
parsing the dumped stack space according to the stack frame structure of the terminating function to obtain the return address of the terminating function and the stack top address of its parent function;
the return address lies in the function that called the terminating function, so the code of that function is obtained according to the return address, its stack frame structure is reconstructed in the same way and the dumped stack space is parsed again; this is repeated until no valid return address or stack top address can be obtained, at which point the call stack backtrace is complete.
In one embodiment, the stack frame structure includes: the stack opening size (the amount of stack the function reserves), the offset of each function input parameter relative to the stack top or stack bottom, and the offset of the return address relative to the stack top or stack bottom.
In one embodiment, reconstructing the stack frame structure of a function after static analysis of its function code includes:
disassembling the program executable file to obtain the assembly instructions of the function;
starting from the function entry, scanning the function's assembly instructions, identifying every instruction that modifies the stack top register, and obtaining the stack opening size by tracking the change of the stack top position;
identifying, among those instructions, the push and pop operations on the function input parameters and on the return address, and obtaining the offsets of the function input parameters and the return address on the stack relative to the stack top or stack bottom.
In one embodiment, the instructions that modify the stack top register include: dedicated stack access instructions, MOV instructions and arithmetic instructions that take the stack top register as destination register, and memory access instructions with auto-increment or auto-decrement that take the stack top register as base register.
In one embodiment, tracking the change of the stack top position to obtain the stack opening size includes:
taking the value of the stack top register at function entry as the stack bottom position of the function;
identifying every instruction that modifies the stack top register, recording the maximum difference between the stack top position and the stack bottom position, and taking that maximum difference as the stack opening size.
In one embodiment, obtaining the offsets of the function input parameters and the return address relative to the stack top or stack bottom of the function includes:
obtaining the corresponding offsets according to the way the calling convention passes function input parameters and the return address;
if the calling convention specifies passing on the stack, the offset is the offset of the function input parameter or return address on the stack relative to the stack top or stack bottom;
if the calling convention specifies passing in a register, identifying the first push operation that uses that register as source register; the offset of that push is the offset of the function input parameter or return address relative to the stack top or stack bottom;
if no such push operation exists, the value of the function input parameter or return address remains in the register and is not stored on the stack.
In one embodiment, after obtaining the offsets of the function's input parameters and return address on the stack relative to the stack top or stack bottom, obtaining the storage locations of the input parameters and of the return address from those offsets includes:
adding the offset of each function input parameter and of the return address relative to the stack top or stack bottom to the function's stack top or stack bottom address, respectively, to obtain the corresponding storage location.
In one embodiment, parsing the dumped stack space according to the stack frame structure of the terminating function to obtain the return address of the terminating function and the stack address of its parent function includes:
obtaining the stack top address of the terminating function from the dumped stack top register;
obtaining the stack bottom address of the terminating function from its stack top address and stack opening size, and determining the stack top address of the parent function from the stack bottom address of the terminating function;
extracting the input parameters and the return address of the terminating function from the dumped stack space according to the stack bottom address of the terminating function and the storage locations of its input parameters and return address.
A function call stack parsing and backtracking apparatus, the apparatus comprising:
an execution context dump module, configured to dump the execution context of an application program interrupted by an exception or manually, the execution context comprising the stack space and a plurality of processor registers, the processor registers including a program counter register and a stack top register, where the program counter register holds the code address of the terminating function being executed in the interrupted application program and the stack top register holds the stack top address of the terminating function;
a stack frame structure reconstruction module, configured to locate the code of the terminating function in the executable file of the application program according to that code address, perform static code analysis on the function code, and reconstruct the stack frame structure of the terminating function;
a stack space parsing module, configured to parse the dumped stack space according to the stack frame structure of the terminating function to obtain the return address of the terminating function and the stack top address of its parent function;
a call stack construction module, configured to obtain the code of the calling function according to the return address, reconstruct its stack frame structure in the same way, parse the dumped stack space, and repeat this operation until no valid return address or stack top address can be obtained, at which point the call stack backtrace is complete.
A computer device comprising a memory and a processor, the memory storing a computer program, the processor implementing the following steps when executing the computer program:
dumping the execution context of an application program interrupted by an exception or manually, the execution context comprising the stack space and a plurality of processor registers, the processor registers including a program counter register and a stack top register, where the program counter register holds the code address of the terminating function being executed in the interrupted application program and the stack top register holds the stack top address of the terminating function;
locating the code of the terminating function in the executable file of the application program according to that code address, performing static code analysis on the function code, and reconstructing the stack frame structure of the terminating function;
parsing the dumped stack space according to the stack frame structure of the terminating function to obtain the return address of the terminating function and the stack top address of its parent function;
the return address lies in the function that called the terminating function, so the code of that function is obtained according to the return address, its stack frame structure is reconstructed in the same way and the dumped stack space is parsed again; this is repeated until no valid return address or stack top address can be obtained, at which point the call stack backtrace is complete.
A computer-readable storage medium on which a computer program is stored which, when executed by a processor, carries out the following steps:
dumping the execution context of an application program interrupted by an exception or manually, the execution context comprising the stack space and a plurality of processor registers, the processor registers including a program counter register and a stack top register, where the program counter register holds the code address of the terminating function being executed in the interrupted application program and the stack top register holds the stack top address of the terminating function;
locating the code of the terminating function in the executable file of the application program according to that code address, performing static code analysis on the function code, and reconstructing the stack frame structure of the terminating function;
parsing the dumped stack space according to the stack frame structure of the terminating function to obtain the return address of the terminating function and the stack top address of its parent function;
the return address lies in the function that called the terminating function, so the code of that function is obtained according to the return address, its stack frame structure is reconstructed in the same way and the dumped stack space is parsed again; this is repeated until no valid return address or stack top address can be obtained, at which point the call stack backtrace is complete.
According to the function call stack parsing and backtracking method and apparatus, the stack frame structure of the terminating function is obtained by dumping the execution context of the application program interrupted by an exception or manually and analyzing the executable file of the application program; the dumped stack space is then parsed with that stack frame structure to obtain the return address of the terminating function and the stack address of its parent function, and backtracking continues with the stack frame structure of the function corresponding to that return address until the call stack backtrace is complete. The method identifies the stack frame structure automatically and acquires the complete function call stack efficiently and accurately without additional processing.
Drawings
FIG. 1 is a flowchart illustrating a function call stack parsing and backtracking method according to an embodiment;
FIG. 2 is a diagram of an application scenario function call chain;
FIG. 3 is a diagram illustrating a stack space structure in an application scenario;
FIG. 4 is a block diagram illustrating an exemplary embodiment of a function call stack parsing and backtracking apparatus;
FIG. 5 is a diagram illustrating an internal structure of a computer device according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
In one embodiment, as shown in fig. 1, a function call stack parsing and backtracking method is provided, including the following steps:
step S100, dumping the execution context of an application program interrupted by an exception or manually, the execution context comprising the stack space and a plurality of processor registers, the processor registers including a program counter register and a stack top register, where the program counter register holds the code address of the terminating function being executed in the interrupted application program and the stack top register holds the stack top address of the terminating function;
step S110, locating the code of the terminating function in the executable file of the application program according to that code address, performing static code analysis on the function code, and reconstructing the stack frame structure of the terminating function;
step S120, parsing the dumped stack space according to the stack frame structure of the terminating function to obtain the return address of the terminating function and the stack top address of its parent function;
step S130, the return address lies in the function that called the terminating function, so the code of that function is obtained according to the return address, its stack frame structure is reconstructed in the same way and the dumped stack space is parsed again; this is repeated until no valid return address or stack top address can be obtained, at which point the call stack backtrace is complete.
In step S100, the application program is interrupted by an exception, where exceptions include memory access exceptions, DMA exceptions, misalignment exceptions, divide-by-zero exceptions, illegal instruction exceptions, register write conflict exceptions, software exceptions, and the like.
Specifically, after an exception occurs in the application program, the processor automatically jumps to an exception handling service routine, in which all processor registers and the stack space are saved. In this embodiment, besides saving on an exception, manually triggering an exception in other situations in order to save the execution context of the application program is also supported. After a software exception is triggered manually, the exception handling service routine performs the context-saving action and then returns to the application program, which continues normal operation.
In this embodiment, according to the register convention and the calling convention, some of the registers in the execution context of the application program have special meaning. The registers relevant to call stack backtracking include the program counter, the stack bottom (frame base) register, the stack top (stack pointer) register and the return address register. Some calling conventions save the return address in a fixed register; others store it at a fixed location in the function's stack frame.
Stack space is allocated by the system when the user program is loaded for execution. The system typically places the stack at a fixed location in the process address space, which gives the stack space start address, while the stack top register in the execution context holds the address of the current end of the stack in use. The upper size limit of the stack space is determined by the system configuration.
During execution an application program generally contains multiple levels of nested function calls forming a function call chain; for example, as shown in fig. 2, the entry function calls function 1, function 1 calls function 2, and function 2 calls the current terminating function, forming a call chain from the entry function to the terminating function. Fig. 3 is a schematic diagram of the stack space structure. In this embodiment, the stack frame structure of the lowest-level function of the call chain at the moment the application program is interrupted is reconstructed, then that stack frame structure is used to parse the program stack space to obtain the function's return address and stack opening size, from which the code position being executed and the stack top address of the previous-level function (the parent function) are computed; this process is repeated until every function in the call chain has been parsed, completing the function call stack backtrace.
In this embodiment, the stack frame structure includes: the stack opening size, the offset of each function input parameter relative to the stack top or stack bottom, and the offset of the return address relative to the stack top or stack bottom.
In step S110, the disassembly tool objdump is used to disassemble the executable file into assembly code, and the assembly code is scanned to obtain the information on every function in the application program, including function name, function start address and function end address. The program counter register dumped in step S100 holds the address of the code being executed; from that address the enclosing function, that is, the terminating function, is located and its assembly instructions obtained.
To reduce the complexity of the analysis, the analysis starts at the start address of the terminating function and stops at the first jump or function call instruction encountered, so that complex control flow need not be handled. By that point the stack opening operation and the pushes of the parameter registers have generally been completed, so enough stack frame structure information is available; conversely, a prologue that branches before finishing its stack setup yields only a partial frame structure.
Further, assuming a stack bottom address of 65536 (any constant will do; it is only an example), the stack top register is initialized to the stack bottom address before parsing, the assembly instructions are then scanned to identify every instruction that modifies the stack top register, and the change of the stack top position is tracked to obtain the stack opening size. At the same time, the push and pop operations on the input parameters and return address of the terminating function are identified from those instructions, the offsets of the input parameters and return address on the stack relative to the stack bottom are obtained, and from those offsets the storage locations of the input parameters and return address in the stack space of the terminating function are obtained.
Specifically, the instructions that modify the stack top register include: dedicated stack access instructions, MOV instructions and arithmetic instructions that take the stack top register as destination register, and memory access instructions with auto-increment or auto-decrement that take the stack top register as base register.
Further, tracking the change of the stack top position to obtain the stack opening size includes: taking the value of the stack top register at entry to the terminating function as the function's stack bottom address, identifying every instruction that modifies the stack top register, recording the maximum difference between the stack top position and the stack bottom position, and taking that maximum difference as the stack opening size.
Further, obtaining the offsets of the input parameters and return address of the terminating function on the stack relative to the stack bottom includes: obtaining the corresponding offsets according to the way the calling convention passes the input parameters and return address of the terminating function.
If the calling convention specifies passing on the stack, the offset is the offset of the input parameter or return address of the terminating function on the stack relative to the stack bottom;
if the calling convention specifies passing in a register, the first push operation that uses that register as source register is identified, and the stack top position at that push gives the offset of the input parameter or return address of the terminating function;
if no such push operation exists, the value remains in the register.
Specifically, scanning the assembly instructions proceeds as follows: the values of all registers are first initialized to the integer maximum (standing for "unknown"), the stack top register is initialized to 65536, and the register values are then updated according to the semantics of each assembly instruction. For a MOV instruction, the value of the source register or the constant is assigned to the destination register. For an arithmetic instruction, if the value of a source register is the integer maximum, the destination register is set directly to the maximum; otherwise the value of the destination register is computed according to the instruction semantics. For an LD/ST instruction, if the address register is not the stack top register the operation is ignored; otherwise the value of the stack top register is modified according to the auto-increment or auto-decrement and the instruction is marked as a push or pop. For the dedicated stack instructions provided by some processors, such as PUSH/POP, the value of the stack top register is modified according to their push or pop behaviour.
For a push operation whose source register is the return address register or a parameter register specified by the calling convention, the difference between the current value of the stack top register and its initial value is recorded as the offset of the return address or parameter on the stack relative to the stack bottom.
In this embodiment, obtaining the storage locations of the input parameters and return address of the terminating function from the corresponding offsets includes: combining the offset of each input parameter and of the return address relative to the stack bottom with the stack bottom address of the terminating function, respectively, to obtain the corresponding storage location in the program stack space.
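The prologue scan just described (stack top register initialised to a constant stack bottom, every other register initialised to an "unknown" sentinel, MOV/arithmetic/LD/ST/PUSH/POP tracked by their effect on the stack top register, the stack opening size taken as the maximum excursion, and the offset of the return address or a parameter taken from its first push) is shown below as an added example; it is not code from the patent. The assembly syntax is a constructed RISC-like subset rather than any real ISA, and the register names sp, ra, a0..a3, the 8-byte word size and the convention of recording offsets as bytes below the frame bottom are assumptions chosen for illustration.

```python
"""Reconstruct a function's stack-frame structure by scanning its prologue.

Added example, not the patent's code. The instruction syntax is a constructed
RISC-like subset (not a real ISA); the sp/ra/a0..a3 register names, the 8-byte
word size and "offset = bytes below the frame bottom" are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

INT_MAX = 2**63 - 1        # sentinel for "unknown" (the description's integer maximum)
STACK_BOTTOM = 65536       # arbitrary initial SP, as in the description
WORD = 8                   # assumed push/pop granularity in bytes
RETURN_ADDR_REG = "ra"     # assumed return-address register
PARAM_REGS = ("a0", "a1", "a2", "a3")       # assumed argument registers
TERMINATORS = {"call", "jmp", "b", "ret"}   # scanning stops at the first control transfer
MEM_RE = re.compile(r"\[\s*(\w+)\s*(?:,\s*#(-?\d+))?\s*\]\s*(!?)")  # [base, #disp] + optional '!'

@dataclass
class FrameStructure:
    frame_size: int = 0                    # maximum bytes SP moved below the frame bottom
    ra_offset: Optional[int] = None        # bytes below the frame bottom where RA was stored
    param_offsets: dict = field(default_factory=dict)   # same, per argument register
    dynamic: bool = False                  # SP became data-dependent; frame_size is a lower bound

def _value(regs, tok):
    """Immediate (#n) or register value; registers never written are unknown."""
    tok = tok.strip()
    return int(tok[1:], 0) if tok.startswith("#") else regs.get(tok, INT_MAX)

def reconstruct_frame(asm_lines):
    regs = {"sp": STACK_BOTTOM}
    fs = FrameStructure()

    def record_store(src, addr):         # first store of RA / an argument register fixes its slot
        depth = STACK_BOTTOM - addr
        if src == RETURN_ADDR_REG and fs.ra_offset is None:
            fs.ra_offset = depth
        elif src in PARAM_REGS and src not in fs.param_offsets:
            fs.param_offsets[src] = depth

    for raw in asm_lines:
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line:
            continue
        op, _, rest = line.partition(" ")
        if op in TERMINATORS:
            break
        args = [a.strip() for a in rest.split(",")]
        if op == "mov":
            regs[args[0]] = _value(regs, args[1])
        elif op in ("add", "sub"):
            a, b = _value(regs, args[1]), _value(regs, args[2])
            regs[args[0]] = INT_MAX if INT_MAX in (a, b) else (a + b if op == "add" else a - b)
        elif op in ("st", "ld"):
            m = MEM_RE.search(rest)
            on_stack = m is not None and m.group(1) == "sp" and regs["sp"] != INT_MAX
            if op == "ld":
                regs[args[0]] = INT_MAX                  # loaded values are not tracked
            if on_stack:                                 # accesses not based on SP are ignored
                addr = regs["sp"] + int(m.group(2) or 0)
                if m.group(3) == "!":                    # pre-indexed writeback moves SP
                    regs["sp"] = addr
                if op == "st":
                    record_store(args[0], addr)
        elif op == "push" and regs["sp"] != INT_MAX:
            regs["sp"] -= WORD
            record_store(args[0], regs["sp"])
        elif op == "pop" and regs["sp"] != INT_MAX:
            regs[args[0]] = INT_MAX
            regs["sp"] += WORD
        if regs["sp"] == INT_MAX:                        # e.g. alloca-style "sub sp, sp, a1"
            fs.dynamic = True
            break
        fs.frame_size = max(fs.frame_size, STACK_BOTTOM - regs["sp"])
    return fs

# Constructed prologues, not taken from any real binary.
PROLOGUE_FIXED = """
    sub sp, sp, #32        ; open a 32-byte frame
    st ra, [sp, #24]       ; save return address at frame bottom - 8
    st a0, [sp, #0]        ; spill first argument at frame bottom - 32
    mov s0, sp             ; frame pointer
    call helper            ; scanning stops here
    add sp, sp, #32        ; epilogue, never examined
""".splitlines()
PROLOGUE_PREDEC = """
    st ra, [sp, #-16]!     ; pre-decrement store: sp = bottom - 16
    push a0                ; sp = bottom - 24
    sub sp, sp, #8         ; sp = bottom - 32
    jmp .loop
""".splitlines()
PROLOGUE_DYNAMIC = """
    sub sp, sp, #16
    st ra, [sp, #8]
    sub sp, sp, a1         ; frame size depends on a1, which is unknown
    call helper
""".splitlines()
```

With these offsets the storage location of an item is the frame bottom minus its offset; the `dynamic` flag records the case the description's integer-maximum sentinel is there to catch, a frame whose size depends on a runtime value, where the recovered size is only a lower bound and the parent's stack top cannot be computed from it.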
In step S120, parsing the dumped stack space according to the stack frame structure of the terminating function to obtain the return address of the terminating function and the stack top address of its parent function includes: obtaining the stack top address of the terminating function from the dumped stack top register, obtaining the stack bottom address of the terminating function from that stack top address and the stack opening size, and determining the stack top address of the parent function (the previous-level function) from the stack bottom address of the terminating function; then extracting the values of the input parameters and the return address of the terminating function from the dumped stack space according to the stack bottom address of the terminating function and the storage locations of its input parameters and return address.
The position of the function's stack frame within the dumped stack space is obtained from the difference between the function's stack bottom address and the start address of the dumped stack space.
If the return address or a parameter was not pushed, its value is read from the dumped return address register or parameter register; this is reliable only for the terminating function, since in any calling function those registers have since been overwritten by the nested call.
After the return address and the stack top address of the previous-level function are obtained, the corresponding function is determined from the return address, and its stack frame structure, its return address and the stack top position of its own previous-level function are obtained through steps S110 to S120; steps S110 to S120 are repeated until no function corresponding to the return address can be found, at which point the call stack backtrace is considered complete and the function call chain of the interrupted application program, the call parameters of each function in the chain, the code position being executed, and so on have been obtained.
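The walk of steps S110 to S130 over a dumped stack, with the function table taken from an objdump-style listing as step S110 describes, is shown below as an added example; it is not the patent's code. The listing, the stack image, the dumped register values and the frame structures are all constructed, the frame structures being given directly in the form the static analysis would produce (stack opening size, and offsets as bytes below the frame bottom); 8-byte little-endian words, the register names and the sign convention of the offsets are assumptions.

```python
"""Walk a dumped stack using reconstructed frame structures (steps S110 to S130).

Added example, not the patent's code. The objdump-style listing, stack image,
register values and frame structures are all constructed; 8-byte little-endian
words and offsets measured as bytes below the frame bottom are assumptions.
"""
import re
import struct
from collections import namedtuple

WORD = 8
Function = namedtuple("Function", "name start end")   # end = address of last instruction

def parse_listing(listing):
    """Function table from '<addr> <name>:' headers and the instruction addresses under them."""
    funcs, cur = [], None
    for line in listing.splitlines():
        head = re.match(r"^([0-9a-f]+) <([^>]+)>:", line)
        if head:
            if cur:
                funcs.append(Function(*cur))
            start = int(head.group(1), 16)
            cur = [head.group(2), start, start]
            continue
        insn = re.match(r"^\s*([0-9a-f]+):", line)
        if insn and cur:
            cur[2] = int(insn.group(1), 16)            # last instruction seen so far
    if cur:
        funcs.append(Function(*cur))
    return funcs

def find_function(funcs, addr):
    return next((f for f in funcs if f.start <= addr <= f.end), None)

def read_word(stack_start, stack, addr):
    off = addr - stack_start
    if off < 0 or off + WORD > len(stack):
        return None                                   # outside the dumped region
    return struct.unpack_from("<Q", stack, off)[0]

def backtrace(regs, stack_start, stack, funcs, frames, max_depth=64):
    """Call chain, innermost first, as dicts with function/pc/sp/params."""
    pc, sp = regs["pc"], regs["sp"]
    chain = []
    while len(chain) < max_depth:
        fn = find_function(funcs, pc)
        if fn is None or fn.name not in frames:
            break                    # pc or return address maps to no known function: done
        fs = frames[fn.name]
        bottom = sp + fs["size"]     # this frame's bottom is the parent's stack top
        if fs["ra_offset"] is None:  # RA never saved: the RA register is trusted only innermost
            ra = regs["ra"] if not chain else None
        else:
            ra = read_word(stack_start, stack, bottom - fs["ra_offset"])
        params = {r: read_word(stack_start, stack, bottom - off) for r, off in fs["params"].items()}
        chain.append({"function": fn.name, "pc": pc, "sp": sp, "params": params})
        if ra is None:
            break
        pc, sp = ra, bottom
    return chain

# Constructed objdump -d style listing; only the addresses and symbol names matter here.
CONSTRUCTED_LISTING = """
0000000000401000 <main>:
  401000:\tsub sp, sp, #16
  401004:\tst ra, [sp, #8]
  401008:\tcall 401020 <work>
  40100c:\tret
0000000000401020 <work>:
  401020:\tsub sp, sp, #48
  401024:\tst ra, [sp, #40]
  401028:\tcall 401040 <crash>
  40102c:\tret
0000000000401040 <crash>:
  401040:\tsub sp, sp, #32
  401044:\tst ra, [sp, #24]
  401048:\tst a0, [sp, #0]
  40104c:\tld t0, [zero, #0]\t; faulting load
"""

# Frame structures as the static analysis would produce them (assumed values).
FRAMES = {
    "main":  {"size": 16, "ra_offset": 8, "params": {}},
    "work":  {"size": 48, "ra_offset": 8, "params": {}},
    "crash": {"size": 32, "ra_offset": 8, "params": {"a0": 32}},
}
STACK_START = 0x7FF00000                                    # start of the dumped stack region
REGS = {"pc": 0x40104C, "sp": 0x7FF00080, "ra": 0x40102C}  # dumped registers at the fault

def build_stack():
    """Constructed 256-byte stack image consistent with FRAMES and REGS."""
    stack = bytearray(0x100)
    put = lambda addr, val: struct.pack_into("<Q", stack, addr - STACK_START, val)
    put(0x7FF00080, 0xDEADBEEF)      # crash: a0 spilled at bottom - 32
    put(0x7FF00098, 0x40102C)        # crash: RA at bottom - 8, returns into work
    put(0x7FF000C8, 0x40100C)        # work:  RA, returns into main
    put(0x7FF000D8, 0x7F1234560000)  # main:  RA into the C runtime, absent from the listing
    return stack
```

The walk stops exactly where the description says it should: `main`'s saved return address points into code that the listing does not contain, so `find_function` returns nothing and the chain ends at `main`. A return address that lands outside the dumped stack region (`read_word` returning `None`) ends the walk the same way rather than reading past the dump.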
It should be understood that, although the steps in the flowchart of fig. 1 are shown in the order indicated by the arrows, the steps are not necessarily performed in that order. Unless explicitly stated otherwise, the steps need not be performed in the exact order shown and described and may be performed in other orders. Moreover, at least some of the steps in fig. 1 may include multiple sub-steps or stages that are not necessarily performed at the same time but may be performed at different times, and the order of performing the sub-steps or stages is not necessarily sequential; they may be performed alternately with other steps or with at least some of the sub-steps or stages of other steps.
In one embodiment, as shown in fig. 4, there is provided a function call stack parsing and backtracking apparatus, including: an execution site dump module 200, a stack frame structure reconstruction module 210, a stack space parsing module 220, and a call stack construction module 230, wherein:
the execution site dump module 200 is configured to dump the execution site of an application program upon an exception interrupt or a manual interrupt, the execution site of the application program comprising a stack space and a plurality of processor registers, wherein the processor registers include a program counter register and a stack top register, the program counter register stores the code address being executed in the termination function of the currently interrupted application program, and the stack top register stores the stack top address of the termination function in the currently interrupted application program;
the stack frame structure reconstruction module 210 is configured to find the function code of the termination function in the executable file of the application program according to the code address of the termination function being executed, and to perform static code analysis on the function code to reconstruct the stack frame structure of the termination function;
the stack space parsing module 220 is configured to parse the dumped stack space according to the stack frame structure of the termination function, to obtain the return address of the termination function and the stack top address of its parent function;
the call stack construction module 230 is configured to treat the return address as an address in the function that called the termination function, obtain the function code of the corresponding function according to the return address, reconstruct its stack frame structure in the same manner, and parse the dumped stack space; this operation is repeated until no valid return address or stack top address can be obtained, at which point call stack backtracking is complete.
For the specific definition of the function call stack parsing and backtracking apparatus, reference may be made to the definition of the function call stack parsing and backtracking method above, which is not repeated here. Each module of the function call stack parsing and backtracking apparatus may be implemented in whole or in part by software, hardware, or a combination thereof. The modules may be embedded in hardware form in, or be independent of, the processor of the computer device, or may be stored in software form in the memory of the computer device, so that the processor can invoke and execute the operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a terminal, and whose internal structure may be as shown in fig. 5. The computer device includes a processor, a memory, a network interface, a display screen, and an input device connected by a system bus. The processor of the computer device provides computing and control capabilities. The memory of the computer device comprises a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and the computer program in the non-volatile storage medium. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program, when executed by the processor, implements a function call stack parsing and backtracking method. The display screen of the computer device may be a liquid crystal display or an electronic ink display, and the input device of the computer device may be a touch layer covering the display screen, a key, a trackball or a touch pad arranged on the housing of the computer device, or an external keyboard, touch pad or mouse, and the like.
Those skilled in the art will appreciate that the architecture shown in fig. 5 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computer devices to which the disclosed aspects apply; a particular computer device may include more or fewer components than those shown, may combine certain components, or may have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory and a processor, the memory having a computer program stored therein, the processor implementing the following steps when executing the computer program:
dumping the execution site of an application program upon an exception interrupt or a manual interrupt, the execution site of the application program comprising a stack space and a plurality of processor registers, wherein the processor registers include a program counter register and a stack top register, the program counter register stores the code address being executed in the termination function of the currently interrupted application program, and the stack top register stores the stack top address of the termination function in the currently interrupted application program;
finding the function code of the termination function in the executable file of the application program according to the code address of the termination function being executed, and reconstructing the stack frame structure of the termination function by performing static code analysis on the function code;
parsing the dumped stack space according to the stack frame structure of the termination function to obtain the return address of the termination function and the stack top address of its parent function;
treating the return address as an address in the function that called the termination function, obtaining the function code of the corresponding function according to the return address, reconstructing its stack frame structure in the same manner, and parsing the dumped stack space; this operation is repeated until no valid return address or stack top address can be obtained, at which point call stack backtracking is complete.
In one embodiment, a computer-readable storage medium is provided, having a computer program stored thereon, which when executed by a processor, performs the steps of:
dumping the execution site of an application program upon an exception interrupt or a manual interrupt, the execution site of the application program comprising a stack space and a plurality of processor registers, wherein the processor registers include a program counter register and a stack top register, the program counter register stores the code address being executed in the termination function of the currently interrupted application program, and the stack top register stores the stack top address of the termination function in the currently interrupted application program;
finding the function code of the termination function in the executable file of the application program according to the code address of the termination function being executed, and reconstructing the stack frame structure of the termination function by performing static code analysis on the function code;
parsing the dumped stack space according to the stack frame structure of the termination function to obtain the return address of the termination function and the stack top address of its parent function;
treating the return address as an address in the function that called the termination function, obtaining the function code of the corresponding function according to the return address, reconstructing its stack frame structure in the same manner, and parsing the dumped stack space; this operation is repeated until no valid return address or stack top address can be obtained, at which point call stack backtracking is complete.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by instructing the relevant hardware through a computer program, which can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, a database or another medium used in the embodiments provided herein can include non-volatile and/or volatile memory. Non-volatile memory can include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct memory bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM).
The technical features of the above embodiments can be combined arbitrarily. For the sake of brevity, not all possible combinations of the technical features in the above embodiments are described, but any such combination should be considered within the scope of the present specification as long as it contains no contradiction.
The above-mentioned embodiments express only several embodiments of the present application, and their description is specific and detailed, but they are not to be understood as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, and these fall within the scope of protection of the present application. Therefore, the scope of protection of the present patent shall be subject to the appended claims.

Claims (8)

1. The function call stack parsing and backtracking method is characterized by comprising the following steps:
dumping the execution site of an application program upon an exception interrupt or a manual interrupt, the execution site of the application program comprising a stack space and a plurality of processor registers, wherein the processor registers include a program counter register and a stack top register, the program counter register stores the code address being executed in the termination function of the currently interrupted application program, and the stack top register stores the stack top address of the termination function in the currently interrupted application program;
finding the function code of the termination function in the executable file of the application program according to the code address of the termination function being executed, and reconstructing the stack frame structure of the termination function by performing static code analysis on the function code, which comprises: disassembling the program executable file to obtain the assembly instructions of the function; scanning the assembly instructions of the function from the function entry, identifying all instructions that modify the stack top register, and tracking the change of the stack top position to obtain the open stack size; identifying the push and pop operations of the function input parameters and the return address from the instructions that modify the stack top register, obtaining the offsets of the function input parameters and the return address in the stack relative to the stack top or the stack bottom, respectively; and obtaining the storage positions of the function input parameters and of the return address in the stack space from the corresponding offsets;
parsing the dumped stack space according to the stack frame structure of the termination function to obtain the return address of the termination function and the stack top address of its parent function;
treating the return address as an address in the function that called the termination function, obtaining the function code of the corresponding function according to the return address, reconstructing its stack frame structure in the same manner, and parsing the dumped stack space; this operation is repeated until no valid return address or stack top address can be obtained, at which point call stack backtracking is complete.
2. The function call stack parsing and backtracking method of claim 1, wherein the stack frame structure comprises: the size of the open stack, the offset of the function input parameter from the top or bottom position of the stack, and the offset of the return address from the top or bottom position of the stack.
3. The function call stack parsing and backtracking method of claim 2, wherein said all instructions that modify the stack top register comprise: dedicated stack access instructions; MOV instructions and arithmetic instructions whose destination register is the stack top register; and auto-increment or auto-decrement memory access instructions whose base register is the stack top register.
4. The function call stack parsing and backtracking method of claim 3, wherein tracking the change of the stack top position to obtain the open stack size comprises:
taking the value of the stack top register at the beginning of the function as the stack bottom position of the function; and
identifying all instructions that modify the stack top register, recording the maximum difference between the stack top position and the stack bottom position, and taking that maximum difference as the open stack size.
5. The method of claim 3, wherein obtaining the offsets of the function input parameters and the return address relative to the stack top or the stack bottom of the function, respectively, comprises:
obtaining the corresponding offsets according to the passing mode of the function input parameters and the return address specified in the calling convention;
if the calling convention specifies passing on the stack, the offset is the offset of the function input parameter or the return address in the stack relative to the stack top or the stack bottom;
if the calling convention specifies passing in a register, identifying the first push operation that uses that register as its source register, the offset in that push operation being the offset of the function input parameter or the return address relative to the stack top or the stack bottom; and
if no corresponding push operation exists, the value of the function input parameter or the return address remains stored in the register.
6. The function call stack parsing and backtracking method of claim 3, wherein, after obtaining the offsets of the function input parameters and the return address in the stack relative to the stack top or the stack bottom, respectively, obtaining the storage positions of the input parameters and of the return address from those offsets comprises:
adding the offset of each function input parameter and of the return address in the stack relative to the stack top or the stack bottom to the stack top or stack bottom address of the function, respectively, to obtain the corresponding storage position.
7. The function call stack parsing and backtracking method of claim 6, wherein parsing the dumped stack space according to the stack frame structure of the termination function to obtain the return address and the stack top address of the parent function comprises:
obtaining the stack top address of the termination function from the dumped stack top register;
obtaining the stack bottom address of the termination function from its stack top address and its open stack size, and determining the stack top address of the parent function from the stack bottom address of the termination function; and
extracting the input parameters and the return address of the termination function from the dumped stack space according to the stack bottom address of the termination function and the storage positions of its input parameters and return address.
8. A function call stack parsing and backtracking apparatus, the apparatus comprising:
an execution site dump module, configured to dump the execution site of an application program upon an exception interrupt or a manual interrupt, the execution site of the application program comprising a stack space and a plurality of processor registers, wherein the processor registers include a program counter register and a stack top register, the program counter register stores the code address being executed in the termination function of the currently interrupted application program, and the stack top register stores the stack top address of the termination function in the currently interrupted application program;
a stack frame structure reconstruction module, configured to find the function code of the termination function in the executable file of the application program according to the code address of the termination function being executed, and to perform static code analysis on the function code to reconstruct the stack frame structure of the termination function, which comprises: disassembling the program executable file to obtain the assembly instructions of the function; scanning the assembly instructions of the function from the function entry, identifying all instructions that modify the stack top register, and tracking the change of the stack top position to obtain the open stack size; identifying the push and pop operations of the function input parameters and the return address from the instructions that modify the stack top register, obtaining the offsets of the function input parameters and the return address in the stack relative to the stack top or the stack bottom, respectively; and obtaining the storage positions of the function input parameters and of the return address in the stack space from the corresponding offsets;
a stack space parsing module, configured to parse the dumped stack space according to the stack frame structure of the termination function to obtain the return address of the termination function and the stack top address of its parent function; and
a call stack construction module, configured to obtain the function code of the corresponding function according to the return address, reconstruct its stack frame structure in the same manner, parse the dumped stack space, and repeat this operation until no valid return address or stack top address can be obtained, at which point call stack backtracking is complete.
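The two halves of the procedure, static reconstruction of a stack frame from the function's instructions (claims 1 to 6 and steps S110 to S120 of the description) and the repeated parsing of the dumped stack space to walk from the termination function to its callers (claim 7 and the backtracking loop described above), are illustrated below in Python. This is an added example, not code from the patent or its applicant. It assumes a toy instruction encoding in place of real disassembly, a 64-bit target with 8-byte stack slots, a link register `lr` that carries the return address and registers `r0`, `r1` that carry the first two input parameters (a constructed calling convention), and a constructed dump of three nested functions in which the innermost one is a leaf that never pushed `lr`, so its return address must be read from the dumped register exactly as the description requires.

```python
from dataclasses import dataclass, field
from typing import Optional

WORD = 8                  # assumed 64-bit target: one stack slot is 8 bytes
RET_REG = "lr"            # assumed: return address passed in a link register
ARG_REGS = ("r0", "r1")   # assumed: first two input parameters passed in r0, r1


@dataclass
class StackFrame:
    open_size: int = 0                   # largest (stack bottom - stack top) seen in the function
    ret_offset: Optional[int] = None     # slot of the pushed return address, relative to stack bottom
    param_offsets: dict = field(default_factory=dict)  # arg register -> slot relative to stack bottom


def _record_store(frame, reg, offset):
    # The first push of the return-address or a parameter register defines its slot.
    if reg == RET_REG and frame.ret_offset is None:
        frame.ret_offset = offset
    elif reg in ARG_REGS and reg not in frame.param_offsets:
        frame.param_offsets[reg] = offset


def reconstruct_frame(instrs):
    """Static scan from the function entry: track every sp-modifying instruction."""
    frame = StackFrame()
    sp_delta = 0   # sp relative to its value at entry (the stack bottom); never positive
    for ins in instrs:
        op = ins[0]
        if op == "sub_sp":        # sub sp, sp, #imm (arithmetic with sp as destination)
            sp_delta -= ins[1]
        elif op == "add_sp":      # add sp, sp, #imm
            sp_delta += ins[1]
        elif op == "push":        # str reg, [sp, #-8]! (pre-decrement store with sp as base)
            sp_delta -= WORD
            _record_store(frame, ins[1], sp_delta)
        elif op == "store":       # str reg, [sp, #off] (does not modify sp)
            _record_store(frame, ins[1], sp_delta + ins[2])
        elif op == "ret":
            break
        frame.open_size = max(frame.open_size, -sp_delta)
    return frame


@dataclass
class Dump:
    regs: dict          # dumped processor registers: pc, sp, lr, r0, ...
    stack_base: int     # lowest address of the dumped stack space
    stack: bytes        # dumped stack bytes starting at stack_base

    def read_word(self, addr):
        off = addr - self.stack_base
        if off < 0 or off + WORD > len(self.stack):
            return None   # outside the dumped stack space
        return int.from_bytes(self.stack[off:off + WORD], "little")


def find_function(executable, addr):
    return next((fn for fn in executable if fn["start"] <= addr < fn["end"]), None)


def unwind(executable, dump):
    """Walk from the termination function to the outermost caller."""
    chain = []
    pc, sp, regs = dump.regs["pc"], dump.regs["sp"], dump.regs
    while (fn := find_function(executable, pc)) is not None:
        frame = reconstruct_frame(fn["instrs"])
        bottom = sp + frame.open_size          # this function's stack bottom == parent's stack top
        if frame.ret_offset is not None:
            ret = dump.read_word(bottom + frame.ret_offset)
        else:                                  # never pushed: only the register copy exists
            ret = regs.get(RET_REG)
        params = {r: dump.read_word(bottom + frame.param_offsets[r])
                  if r in frame.param_offsets else regs.get(r) for r in ARG_REGS}
        chain.append({"function": fn["name"], "pc": pc, "sp": sp, "params": params, "ret": ret})
        if ret is None:
            break
        pc, sp, regs = ret, bottom, {}         # outer frames: register values are no longer known
    return chain


# Constructed sample executable: main -> middle -> leaf, leaf interrupted after its prologue.
EXECUTABLE = [
    {"name": "main",   "start": 0x1000, "end": 0x1040,
     "instrs": [("push", "lr"), ("sub_sp", 16), ("call", 0x1040), ("add_sp", 16), ("ret",)]},
    {"name": "middle", "start": 0x1040, "end": 0x1080,
     "instrs": [("push", "lr"), ("push", "r0"), ("sub_sp", 32), ("call", 0x1080), ("ret",)]},
    {"name": "leaf",   "start": 0x1080, "end": 0x10C0,
     "instrs": [("sub_sp", 16), ("ret",)]},       # leaf function: lr is never pushed
]


def _build_stack(base, size, words):
    buf = bytearray(size)
    for addr, val in words.items():
        buf[addr - base:addr - base + WORD] = val.to_bytes(WORD, "little")
    return bytes(buf)


# Constructed dump: registers at the interrupt plus the stack bytes the three frames left behind.
DUMP = Dump(
    regs={"pc": 0x1090, "sp": 0x10040, "lr": 0x1060, "r0": 7, "r1": 9},
    stack_base=0x10000,
    stack=_build_stack(0x10000, 256, {
        0x10078: 0x1020,   # middle's pushed lr: return into main
        0x10070: 42,       # middle's pushed r0
        0x10090: 0x400,    # main's pushed lr: points outside any known function, ends the walk
    }),
)

if __name__ == "__main__":
    for f in unwind(EXECUTABLE, DUMP):
        print(f"{f['function']:>6} pc={f['pc']:#x} sp={f['sp']:#x} params={f['params']} ret={f['ret']}")
```

Running it yields the chain leaf, middle, main: for `leaf` the return address and both parameters come from the dumped registers because its prologue pushed nothing, for `middle` they come from the slots the static scan located at bottom-8 and bottom-16, and for `main` the recovered return address points outside every known function, which is the termination condition of claim 1. Parameters that were only ever register-resident in an outer frame are reported as unknown rather than guessed, since the register was overwritten by the time of the interrupt.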
CN202211187959.1A 2022-09-28 2022-09-28 Function call stack parsing and backtracking method and device Active CN115292201B (en)
Publications (2)

Publication Number Publication Date
CN115292201A CN115292201A (en) 2022-11-04
CN115292201B true CN115292201B (en) 2022-12-20




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant