by AnimalMuppet
3973 days ago
Function a() called function b(). When function b() returned, a local variable in function a() had changed from 0 to 1. "Aha!" you say. "You're smashing the stack! Function b() is writing outside its stack frame." But function b() was provably not doing that. Function b() called msgrcv(), which has a very badly designed API. It takes a pointer to a structure, and a size parameter. The structure is supposed to be a type field (long), and then a buffer (array of char). The size parameter is supposed to be the size of the buffer, not the size of the structure. The original code that implemented this came from a contractor, and they made the very natural mistake of putting the size of the whole structure in the size field. This meant that an extra long was read from the message queue, and smashed the stack. But that should mess up the stack from function b(). How did it mess up a variable in function a()? Well, the compiler put that variable in a register, not on the stack. So when b() was called, it had to save off the registers it was going to use, so a()'s local variable wound up in b()'s stack frame. It took me most of a month, off and on, to figure that out.
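An added C example (written for this page, not the commenter's code) showing the msgrcv() size mistake described above: the buffer-only size the API expects, the whole-struct size that was passed, the resulting overrun of one long, and a bounded receive that makes the kernel refuse an oversized body with E2BIG instead of writing past the buffer. The message layout, the 32-byte buffer and the private queue are constructed for the demo and assume a Linux host with System V message queues.

```c
#include <errno.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <sys/types.h>

#define MTEXT_LEN 32

/* Constructed layout matching the comment: a long type, then a char buffer. */
struct app_msg {
    long mtype;
    char mtext[MTEXT_LEN];
};

/* What msgrcv() expects in msgsz: the size of mtext alone. */
size_t correct_msgsz(void) { return sizeof(((struct app_msg *)0)->mtext); }

/* The mistake the comment describes: the size of the whole structure. */
size_t buggy_msgsz(void) { return sizeof(struct app_msg); }

/* Bytes the buggy size lets the kernel copy past the end of mtext: the
 * "extra long" that landed in the neighbouring stack slot. */
size_t overrun_bytes(void) { return buggy_msgsz() - correct_msgsz(); }

/* Bounded receive: buffer size only and no MSG_NOERROR, so a body longer
 * than mtext is refused with E2BIG instead of being written past the buffer.
 * Returns bytes copied into mtext, or -1 with errno set. */
ssize_t recv_bounded(int qid, struct app_msg *m)
{
    return msgrcv(qid, m, correct_msgsz(), 0, 0);
}

/* Queue a body that is exactly one long too big for mtext and receive it
 * with recv_bounded(). Returns 1 if it was rejected with E2BIG, 0 if it was
 * accepted, -1 if no System V queue could be created (assumed available). */
int oversized_message_is_rejected(void)
{
    struct { long mtype; char mtext[MTEXT_LEN + sizeof(long)]; } big;
    struct app_msg m;
    int qid = msgget(IPC_PRIVATE, IPC_CREAT | 0600);
    int rc = 0;
    if (qid == -1) return -1;
    big.mtype = 1;
    memset(big.mtext, 'A', sizeof big.mtext);
    if (msgsnd(qid, &big, sizeof big.mtext, 0) == 0)
        rc = (recv_bounded(qid, &m) == -1 && errno == E2BIG);
    msgctl(qid, IPC_RMID, NULL);   /* always remove the private queue */
    return rc;
}
```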