Systems Group Department of Computer Science ETH Zürich Systems Programming and Computer Architecture (252-0061-00) Timothy Roscoe Herbstsemester 2016 1
4: Pointers Computer Architecture and Systems Programming 252-0061-00, Herbstsemester 2016 Timothy Roscoe 2
Process address space 0xffffffffffffffff OS gives each process an address space Contains process virtual memory, visible only to it 2 32 bytes on 32 bit host 2 64 bytes on 64 bit host (shown) code, data, libraries, stack, etc. AS 2016 3 0x0000000000000000
When the OS loads a program, it: creates an address space inspects the executable file to see what s in it (lazily) copies regions of the file into the right place in the address space does any final linking, relocation, or other needed preparation Loading 0xffffffff 0xc0000000 0x40000000 0x08048000 Kernel virtual memory User stack (created at runtime) Memory-mapped region for shared libraries Run-time heap (created by malloc) Read/write segment (.data,.bss) Read-only segment (.init,.text,.rodata) Unused Memory inaccessible to user code Stack pointer brk Loaded from the executable file AS 2016 4 0x00000000
4.1: Recap: the stack Computer Architecture and Systems Programming 252-0061-00, Herbstsemester 2016 Timothy Roscoe 5
Stack-Based Languages Languages supporting recursion (C, C#, Eiffel, Java..) Code must be reentrant Multiple simultaneous instantiations of single procedure Need to store state of each instantiation Arguments, local variables, return pointer Stack discipline State for given procedure needed for limited time From when called to when returns Callee returns before caller does Stack allocated in Frames state for single procedure activation 6
Call Chain Example yoo( ) who(); who( ) ami(); ami(); ami( ) ami(); Example call chain yoo who ami ami ami ami These are all different activations Procedure ami is recursive AS 2016 7
Stack Frames Contents Local variables Return information Temporary space Previous Frame Management Space allocated when enter procedure Set-up code Deallocated when return Finish code Frame Pointer: Stack Pointer: Frame for proc Stack Top 8
Example Stack who( ) ami(); ami(); yoo who ami ami ami Frame Stack yoo who ami 9
Example Stack ami( ) ami(); yoo who ami ami ami yoo who ami ami ami Frame ami AS 2016 10 Stack
Example Stack ami( ) yoo who ami ami ami Frame yoo who ami ami Stack 11
Example Stack you( ) who(); yoo who ami ami ami Frame Stack yoo ami 12
4.2: Pointers in C Computer Architecture and Systems Programming 252-0061-00, Herbstsemester 2016 Timothy Roscoe 13
Addresses and & &x produces the virtual address where the value of x is stored. You can use %p in printf() to print it out. addresses.c #include <stdio.h> int foo(int x) return x+1; int main(int argc, char *argv[]) int x, y; int a[2]; printf("x is at %p\n", &x); printf("y is at %p\n", &y); printf("a[0] is at %p\n", &a[0]); printf("a[1] is at %p\n", &a[1]); printf("foo is at %p\n", &foo); printf("main is at %p\n", &main); return 0; AS 2016 14
Pointers type *name; // declare a pointer type *name = address; // declare + initialize a pointer A variable that contains a memory address points to somewhere in the process virtual address space AS 2016 int main(int argc, char **argv) int x = 42; int *p; // p is a pointer to an integer p = &x; // p now stores the address of x printf("x is %d\n", x); printf("&x is %p\n", &x); printf("p is %p\n", p); return 0; pointy.c
Dereferencing a pointer v = *pointer; *pointer = value; // dereference a pointer // dereference / assign dereference: access the memory referred to by a pointer #include <stdio.h> AS 2016 int main(int argc, char **argv) int x = 42; int *p; // p is a pointer to an integer p = &x; // p now stores the address of x printf("x is %d\n", x); *p = 99; printf("x is %d\n", x); return 0; deref.c
NULL a guaranteed-to-be-invalid memory location typeof(null) is void * In C on Linux: NULL is 0x0000000000000000 (or 0x00000000) Any attempt to dereference NULL segmentation fault #include <stdio.h> AS 2016 int main(int argc, char *argv[]) int *p = NULL; *p = 1; // causes a segmentation fault return 0; segfault.c
Something curious Run this several times: #include <stdio.h> asr.c int main(int argc, char *argv[]) int x = 1; int *p = &x; AS 2016 printf( &x: %p; p: %p; &p: %p\n, &x, p, &p); return 0; troscoe@cixous:~$ gcc -Wall asr.c troscoe@cixous:~$./a.out &x: 0x7fff33b06314; p: 0x7fff33b06314; &p: 0x7fff33b06318 troscoe@cixous:~$./a.out &x: 0x7fffee820f34; p: 0x7fffee820f34; &p: 0x7fffee820f38 troscoe@cixous:~$./a.out &x: 0x7fff230d8b64; p: 0x7fff230d8b64; &p: 0x7fff230d8b68
Address Space Layout Randomization Linux randomizes: Base of stack Shared library locations Security feature We ll see some overflow attacks later Makes debugging tougher Kernel virtual memory User stack shared libraries Run-time heap Read/write segment (.data,.bss) Read-only segment (.init,.text,.rodata) Unused 0xffffffffffffffff 0x0000000000000000 AS 2016 19
Summary Every variable in C has: Name: what is it called? Address: where in memory is it? Type: how to interpret the value Value: what is stored at the address C pointers are variables that contain the addresses of other variables. Java has no pointers (only object references), C# has them only in unsafe code // px is a ptr to an integer int *px; // x is an integer int x; // px gets the address of x // or px points to x px = &x; // x gets the contents of // whatever x points to x = *px; 20
4.3: Box-and-arrow diagrams Computer Architecture and Systems Programming 252-0061-00, Herbstsemester 2016 Timothy Roscoe 21
Box and arrow diagrams #include <stdio.h> int main(int argc, char **argv) int x = 1; int arr[3] = 2, 3, 4; int *p = &arr[1]; boxarrow.c printf("&x: %p; x: %d\n", &x, x); printf("&arr[0]: %p; arr[0]: %d\n", &arr[0], arr[0]); printf("&arr[2]: %p; arr[2]: %d\n", &arr[2], arr[2]); printf("&p: %p; p: %p; *p: %d\n", &p, p, *p); return 0; address name value 0x7fffbe90f854 x 1 0x7fffbe90f860 arr[0] 2 0x7fffbe90f864 arr[1] 3 0x7fffbe90f868 arr[2] 4 0x7fffbe90f858 p 0x7fffbe90f864 22
Box and arrow diagrams #include <stdio.h> int main(int argc, char **argv) int x = 1; int arr[3] = 2, 3, 4; int *p = &arr[1]; boxarrow.c printf("&x: %p; x: %d\n", &x, x); printf("&arr[0]: %p; arr[0]: %d\n", &arr[0], arr[0]); printf("&arr[2]: %p; arr[2]: %d\n", &arr[2], arr[2]); printf("&p: %p; p: %p; *p: %d\n", &p, p, *p); return 0; address name value 0x7fffbe90f868 arr[2] 4 0x7fffbe90f864 arr[1] 3 0x7fffbe90f860 arr[0] 2 0x7fffbe90f858 p 0x7fffbe90f864 0x7fffbe90f854 x 1 23 main() stack frame
Box and arrow diagrams #include <stdio.h> int main(int argc, char **argv) int x = 1; int arr[3] = 2, 3, 4; int *p = &arr[1]; boxarrow.c printf("&x: %p; x: %d\n", &x, x); printf("&arr[0]: %p; arr[0]: %d\n", &arr[0], arr[0]); printf("&arr[2]: %p; arr[2]: %d\n", &arr[2], arr[2]); printf("&p: %p; p: %p; *p: %d\n", &p, p, *p); return 0; address name value 0x7fffbe90f854 x 1 0x7fffbe90f860 arr[0] 2 0x7fffbe90f864 arr[1] 3 0x7fffbe90f868 arr[2] 4 0x7fffbe90f858 p 0x7fffbe90f864 24
Box and arrow diagrams #include <stdio.h> int main(int argc, char **argv) int x = 1; int arr[3] = 2, 3, 4; int *p = &arr[1]; int **dp = &p; boxarrow2.c *(*dp) += 1; p += 1; *(*dp) += 1; return 0; address name value 0x7fffbe90f854 x 1 0x7fffbe90f860 arr[0] 2 0x7fffbe90f864 arr[1] 4 0x7fffbe90f868 arr[2] 4 0x7fffbe90f848 dp 0x7fffbe90f858 0x7fffbe90f858 p 0x7fffbe90f864 25
Box and arrow diagrams #include <stdio.h> int main(int argc, char **argv) int x = 1; int arr[3] = 2, 3, 4; int *p = &arr[1]; int **dp = &p; boxarrow2.c *(*dp) += 1; p += 1; *(*dp) += 1; return 0; address name value 0x7fffbe90f854 x 1 0x7fffbe90f860 arr[0] 2 0x7fffbe90f864 arr[1] 4 0x7fffbe90f868 arr[2] 4 0x7fffbe90f848 dp 0x7fffbe90f858 0x7fffbe90f858 p 0x7fffbe90f868 26
Box and arrow diagrams #include <stdio.h> int main(int argc, char **argv) int x = 1; int arr[3] = 2, 3, 4; int *p = &arr[1]; int **dp = &p; *(*dp) += 1; p += 1; *(*dp) += 1; return 0; boxarrow2.c Pointers are typed: int *int_ptr; char *char_ptr; int **ptr_ptr; Pointer arithmetic follows pointer type address name value 0x7fffbe90f854 x 1 0x7fffbe90f860 arr[0] 2 0x7fffbe90f864 arr[1] 4 0x7fffbe90f848 0x7fffbe90f868 arr[2] 5 dp 0x7fffbe90f858 0x7fffbe90f858 p 0x7fffbe90f868 27
4.4: Pointer arithmetic Computer Architecture and Systems Programming 252-0061-00, Herbstsemester 2016 Timothy Roscoe 28
Pointer arithmetic #include <stdio.h> int main(int argc, char **argv) int arr[3] = 1, 2, 3; int *int_ptr = &arr[0]; char *char_ptr = (char *) int_ptr; // more "type casting" later printf("int_ptr: %p; *int_ptr: %d\n", int_ptr, *int_ptr); int_ptr += 1; printf("int_ptr: %p; *int_ptr: %d\n", int_ptr, *int_ptr); int_ptr -= 2; // uh oh printf("int_ptr: %p; *int_ptr: %d\n", int_ptr, *int_ptr); printf("char_ptr: %p; *char_ptr: %d\n", char_ptr, *char_ptr); char_ptr += 1; printf("char_ptr: %p; *char_ptr: %d\n", char_ptr, *char_ptr); char_ptr += 2; printf("char_ptr: %p; *char_ptr: %d\n", char_ptr, *char_ptr); arr[2] arr[1] arr[0] char_ptr int_ptr Stack (x86, 64-bit, little endian) 3 0 0 0 2 0 0 0 1 0 0 0 return 0; pointerarithmetic.c int_ptr: 0x7fff19be2aa0; *int_ptr: 1 29
Pointer arithmetic #include <stdio.h> int main(int argc, char **argv) int arr[3] = 1, 2, 3; int *int_ptr = &arr[0]; char *char_ptr = (char *) int_ptr; // more "type casting" later printf("int_ptr: %p; *int_ptr: %d\n", int_ptr, *int_ptr); int_ptr += 1; printf("int_ptr: %p; *int_ptr: %d\n", int_ptr, *int_ptr); int_ptr -= 2; // uh oh printf("int_ptr: %p; *int_ptr: %d\n", int_ptr, *int_ptr); printf("char_ptr: %p; *char_ptr: %d\n", char_ptr, *char_ptr); char_ptr += 1; printf("char_ptr: %p; *char_ptr: %d\n", char_ptr, *char_ptr); char_ptr += 2; printf("char_ptr: %p; *char_ptr: %d\n", char_ptr, *char_ptr); arr[2] arr[1] arr[0] char_ptr int_ptr Stack (x86, 64-bit, little endian) 3 0 0 0 2 0 0 0 1 0 0 0 return 0; pointerarithmetic.c int_ptr: 0x7fff19be2aa0; *int_ptr: 1 30
Pointer arithmetic #include <stdio.h> int main(int argc, char **argv) int arr[3] = 1, 2, 3; int *int_ptr = &arr[0]; char *char_ptr = (char *) int_ptr; // more "type casting" later printf("int_ptr: %p; *int_ptr: %d\n", int_ptr, *int_ptr); int_ptr += 1; printf("int_ptr: %p; *int_ptr: %d\n", int_ptr, *int_ptr); int_ptr -= 2; // uh oh printf("int_ptr: %p; *int_ptr: %d\n", int_ptr, *int_ptr); printf("char_ptr: %p; *char_ptr: %d\n", char_ptr, *char_ptr); char_ptr += 1; printf("char_ptr: %p; *char_ptr: %d\n", char_ptr, *char_ptr); char_ptr += 2; printf("char_ptr: %p; *char_ptr: %d\n", char_ptr, *char_ptr); arr[2] arr[1] arr[0] char_ptr int_ptr Stack (x86, 64-bit, little endian) 3 0 0 0 2 0 0 0 1 0 0 0 return 0; pointerarithmetic.c int_ptr: 0x7fff19be2aa0; *int_ptr: 1 int_ptr: 0x7fff19be2aa4; *int_ptr: 2 31
Pointer arithmetic #include <stdio.h> int main(int argc, char **argv) int arr[3] = 1, 2, 3; int *int_ptr = &arr[0]; char *char_ptr = (char *) int_ptr; // more "type casting" later printf("int_ptr: %p; *int_ptr: %d\n", int_ptr, *int_ptr); int_ptr += 1; printf("int_ptr: %p; *int_ptr: %d\n", int_ptr, *int_ptr); int_ptr -= 2; // uh oh printf("int_ptr: %p; *int_ptr: %d\n", int_ptr, *int_ptr); printf("char_ptr: %p; *char_ptr: %d\n", char_ptr, *char_ptr); char_ptr += 1; printf("char_ptr: %p; *char_ptr: %d\n", char_ptr, *char_ptr); char_ptr += 2; printf("char_ptr: %p; *char_ptr: %d\n", char_ptr, *char_ptr); arr[2] arr[1] arr[0] char_ptr int_ptr Stack (x86, 64-bit, little endian) 3 0 0 0 2 0 0 0 1 0 0 0 char_ptr return 0; pointerarithmetic.c int_ptr: 0x7fff19be2aa0; *int_ptr: 1 int_ptr: 0x7fff19be2aa4; *int_ptr: 2 int_ptr: 0x7fff19be2abc; *int_ptr: 32767 32
Pointer arithmetic #include <stdio.h> int main(int argc, char **argv) int arr[3] = 1, 2, 3; int *int_ptr = &arr[0]; char *char_ptr = (char *) int_ptr; // more "type casting" later printf("int_ptr: %p; *int_ptr: %d\n", int_ptr, *int_ptr); int_ptr += 1; printf("int_ptr: %p; *int_ptr: %d\n", int_ptr, *int_ptr); int_ptr -= 2; // uh oh printf("int_ptr: %p; *int_ptr: %d\n", int_ptr, *int_ptr); printf("char_ptr: %p; *char_ptr: %d\n", char_ptr, *char_ptr); char_ptr += 1; printf("char_ptr: %p; *char_ptr: %d\n", char_ptr, *char_ptr); char_ptr += 2; printf("char_ptr: %p; *char_ptr: %d\n", char_ptr, *char_ptr); arr[2] arr[1] arr[0] char_ptr int_ptr Stack (x86, 64-bit, little endian) 3 0 0 0 2 0 0 0 1 0 0 0 char_ptr return 0; pointerarithmetic.c char_ptr: 0x7fff19be2aa0; *char_ptr: 1 33
Pointer arithmetic #include <stdio.h> int main(int argc, char **argv) int arr[3] = 1, 2, 3; int *int_ptr = &arr[0]; char *char_ptr = (char *) int_ptr; // more "type casting" later printf("int_ptr: %p; *int_ptr: %d\n", int_ptr, *int_ptr); int_ptr += 1; printf("int_ptr: %p; *int_ptr: %d\n", int_ptr, *int_ptr); int_ptr -= 2; // uh oh printf("int_ptr: %p; *int_ptr: %d\n", int_ptr, *int_ptr); printf("char_ptr: %p; *char_ptr: %d\n", char_ptr, *char_ptr); char_ptr += 1; printf("char_ptr: %p; *char_ptr: %d\n", char_ptr, *char_ptr); char_ptr += 2; printf("char_ptr: %p; *char_ptr: %d\n", char_ptr, *char_ptr); arr[2] arr[1] arr[0] char_ptr int_ptr Stack (x86, 64-bit, little endian) 3 0 0 0 2 0 0 0 1 0 0 0 char_ptr return 0; pointerarithmetic.c char_ptr: 0x7fff19be2aa0; *char_ptr: 1 char_ptr: 0x7fff19be2aa1; *char_ptr: 0 char_ptr: 0x7fff19be2aa3; *char_ptr: 0 34
Pointer arithmetic #include <stdio.h> int main(int argc, char **argv) int arr[3] = 1, 2, 3; int *int_ptr = &arr[0]; char *char_ptr = (char *) int_ptr; // more "type casting" later printf("int_ptr: %p; *int_ptr: %d\n", int_ptr, *int_ptr); int_ptr += 1; printf("int_ptr: %p; *int_ptr: %d\n", int_ptr, *int_ptr); int_ptr -= 2; // uh oh printf("int_ptr: %p; *int_ptr: %d\n", int_ptr, *int_ptr); printf("char_ptr: %p; *char_ptr: %d\n", char_ptr, *char_ptr); char_ptr += 1; printf("char_ptr: %p; *char_ptr: %d\n", char_ptr, *char_ptr); char_ptr += 2; printf("char_ptr: %p; *char_ptr: %d\n", char_ptr, *char_ptr); arr[2] arr[1] arr[0] char_ptr int_ptr Stack (x86, 64-bit, little endian) 3 0 0 0 2 0 0 0 1 0 0 0 char_ptr return 0; pointerarithmetic.c char_ptr: 0x7fff19be2aa0; *char_ptr: 1 char_ptr: 0x7fff19be2aa1; *char_ptr: 0 char_ptr: 0x7fff19be2aa3; *char_ptr: 0 35
How much memory does a value take up? Depends on machine and compiler! Use: sizeof(type) or sizeof(value) Evaluates at compile time to size in bytes e.g. int nr = 1919; int size = sizeof(nr); 36
Summary No checks on where pointers point to! You can add an integer n to a pointer p. p now points to n objects further on Or back, in n is negative New value of p (not *p!) depends on type of *p sizeof() This looks a bit like array indexing 37
4.5: Arrays and pointers Computer Architecture and Systems Programming 252-0061-00, Herbstsemester 2016 Timothy Roscoe 38
Arrays and pointers An array name in an expression is treated as a pointer to the first element of the array int a[10]; assert(a == &(a[0])); int get_1(int i) int *p = a; return p[i]; void set_1(int i, int v) int *p = a; p[i] = v; int get_2(int i) int *p = a; return *(p+i); void set_2(int i, int v) int *p = a; *(p+i) = v; int get_3(int i) int *p = a+i; return *p; void set_3(int i, int v) int *p = a+i; *p = v; AS 2016 39
except when 1. The array s address is taken with & int a[10]; assert( &a == a ); 2. The array is a string literal initializer 3. The array is an operand of sizeof() int a[10]; assert( sizeof(a) == 10*sizeof(int)); assert( sizeof(&a[0]) == sizeof(int *)); 40
In fact A[i] is always rewritten *(A+i) in the compiler int a[10]; assert(a == &(a[0])); assert(a[5] == 5[a]); int get_2(int i) int *p = a; return i[p]; void set_2(int i, int v) int *p = a; i[p] = v; AS 2016 41
An array name as a function parameter is a pointer The following are all precisely equivalent: int arrfun( int *myarray ) int arrfun( int myarray[] ) int arrfun( int myarray[42] ) Functions are also converted to pointers like this! 42
and can be called in any of these ways: int some_int; int *some_ptr; int some_array[10]; arrfun( &some_int ); arrfun( some_ptr ); arrfun( some_array ); arrfun( &some_array[i] ); all of which turn into pointers. 43
You can t rename an array Compile-time error: int array1[42], array2[42]; main(int argc, char *argv[]) array1 = array2; return 0; But this is OK (it s a pointer): void arrfun(int array[]) array = array2; 44
4.6: Passing by reference Computer Architecture and Systems Programming 252-0061-00, Herbstsemester 2016 Timothy Roscoe 45
Pass-by-value C passes function arguments by value Callee gets a copy of the argument If callee modifies an argument, caller s copy isn t modified #include <stdio.h> void swap(int a, int b) int tmp = a; a = b; b = tmp; int main(int argc, char *argv[]) int a = 42, b = -7; swap(a, b); printf("a: %d, b: %d\n", a, b); return 0; brokenswap.c 46
Pass-by-reference You can use pointers to pass by reference Callee still receives a copy of the argument But it s now a pointer Pointer s value points to the variable in scope of the caller Callee can therefore modify a variable in the scope of the caller #include <stdio.h> void swap(int *a, int *b) int tmp = *a; *a = *b; *b = tmp; int main(int argc, char *argv[]) int a = 42, b = -7; swap(&a, &b); printf("a: %d, b: %d\n", a, b); return 0; swap.c 47
A simple strcpy() char *strcpy(char *dest, char *src) char *r = dest; while(*dest++ = *src++); return r; strcpy.c Lots going on here! Strings are arrays of characters terminated by null bytes Assigment is an expression, not a statement Non-zero values evaluate to true, zero evaluates to false Post-increment operators bind more tightly than pointer dereference A semicolon is statement terminator, not a separator This is also a dangerous function: use strncpy() instead. 48
C Pointer Declarations int *p int *p[13] int *(p[13]) int **p int (*p)[13] int *f() int (*f)() int (*(*f())[13])() p is a pointer to int p is an array[13] of pointer to int p is an array[13] of pointer to int p is a pointer to a pointer to an int p is a pointer to an array[13] of int f is a function returning a pointer to int f is a pointer to a function returning int f is a function returning ptr to an array[13] of pointers to functions returning int int (*(*x[3])())[5] x is an array[3] of pointers to functions returning pointers to array[5] of ints 49