strange 4 assembly instructions for a function

I think that you should get a copy of the Intel IA32/EM64T manuals and read through them. You may find this a better way to learn basic things about x86/x64 rather than attempting to ask all of these things on the mailing list.

See: http://www.intel.com/products/processor/manuals/

Intel will even ship them to you for free as hardcopies, or you can download them as PDFs.

  • S

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Lin George
Sent: Tuesday, August 12, 2008 7:27 AM
To: Kernel Debugging Interest List
Cc: Kernel Debugging Interest List
Subject: Re: [windbg] strange 4 assembly instructions for a function

Thanks Steve,

I understand the basics of how the stack space is reserved by sub esp pointer. My question is why C0h bytes are needed? From my simple test program, I do not think it needs so much bytes for memory on stack.

Any ideas?

regards,
George

----- Original Message ----
From: Steve Johnson
To: Kernel Debugging Interest List
Sent: Tuesday, July 22, 2008 8:02:20 PM
Subject: Re: [windbg] strange 4 assembly instructions for a function
George,

The sub esp,0C0h reserves C0h bytes of local space. 30h * 4(sizeof DWORD) = C0h bytes.


Steve Johnson

On Tue, Jul 22, 2008 at 1:55 AM, Lin George > wrote:
I fully agree with you from your below points. But don’t you think it initializes more stack space than actually needed? – this is why I am confused now.

I posted the assembly code again here. Any comments?

00BA13CC lea edi,[ebp-0C0h]
00BA13D2 mov ecx,30h
00BA13D7 mov eax,0CCCCCCCCh
00BA13DC rep stos dword ptr es:[edi]
— You are currently subscribed to windbg as: xxxxx@yahoo.com To unsubscribe send a blank email to xxxxx@lists.osr.com


You are currently subscribed to windbg as: xxxxx@valhallalegends.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Hi Calin,
I have read through the article you mentioned for a couple of hours. It is really good and I learned something which I donot know before, even if old day technologies.
But, seems it does not directly cover the answer to my question? Or I miss or misunderstand anything? Could you help to clarify please? :slight_smile:
regards,
George

----- Original Message ----
From: Calin Iaru
To: Lin George
Cc: xxxxx@lists.osr.com
Sent: Wednesday, July 23, 2008 7:31:30 AM
Subject: Re: [windbg] strange 4 assembly instructions for a function

The code you presented is code compiled on Win32 with Program Database for Edit and Continue set. If you use Program Database, then the code will look like:

int f(int a, int b) {
009911A0? push? ? ? ? ebp?
009911A1? mov? ? ? ? ebp,esp
? ? return a+b;
009911A3? mov? ? ? ? eax,dword ptr [a]
009911A6? add? ? ? ? eax,dword ptr [b]
}
009911A9? pop? ? ? ? ebp?
009911AA? ret? ? ? ? ? ? ?

I don’t know why does PDEC arrange the code like this; perhaps is due to EC feature. PDEC implies the /Gy compiler switch which places each function definition in a code segment. The sum of these segments is the whole program; to make the code smaller, the linker has the option to remove all unused segments. An article written by Matt Pietrek specifies that the functions compiled with /Gy are aligned on a power of 2 boundary which means that each function will be padded with INT 3 instructions up to the next alignment.
http://www.microsoft.com/msj/archive/S572.aspx
or search for
Matt Pietrek comdat
on msdn.

----- Original Message ----
From: Lin George
To: xxxxx@yahoo.com
Cc: Kernel Debugging Interest List
Sent: Tuesday, July 22, 2008 7:53:57 AM
Subject: Re: [windbg] strange 4 assembly instructions for a function

Thanks Calin,
I fully agree with you from your below points. But don’t you think it initializes more stack space than actually needed?
I posted the assembly code again here. Any comments?
00BA13CC? lea? ? ? ? edi,[ebp-0C0h]
00BA13D2? mov? ? ? ? ecx,30h
00BA13D7? mov? ? ? ? eax,0CCCCCCCCh
00BA13DC? rep stos? ? dword ptr es:[edi]
regards,
George

----- Original Message ----
From: Calin Iaru
To: Kernel Debugging Interest List
Sent: Monday, July 21, 2008 8:24:42 PM
Subject: Re: [windbg] strange 4 assembly instructions for a function

Hi,

? the compiler fills with 0xCC about 0xC0 bytes of local stack data. I expect a release build to clean up the code.

Best regards,
? Calin

PS.
0xCC is a well known value which is distinctively recognized during a crash. For instance, if you have a pointer which contains this value, it will indicate that the pointer is not initialized. Other known value is an 0xfeeefeee which says that the pointer was released. For pointers, use the !address command to find out more information about wether the page was allocated or freed and so on.

— On Mon, 7/21/08, Lin George wrote:

> From: Lin George
> Subject: [windbg] strange 4 assembly instructions for a function
> To: “Kernel Debugging Interest List”
> Date: Monday, July 21, 2008, 11:59 AM
> Hello everyone,
>
> I am confused what is the function of the 4 assembly
> instructions – I found them when debugging function prolog
> and epilog for study? I posted the 4 assembly instructions
> and related whole source code/assembly code below.
> Any ideas?
> <br>&gt; 00BA13CC? lea? ? ? ? edi,[ebp-0C0h] <br>&gt; 00BA13D2? mov? ? ? ? ecx,30h <br>&gt; 00BA13D7? mov? ? ? ? eax,0CCCCCCCCh <br>&gt; 00BA13DC? rep stos? ? dword ptr es:[edi] <br>&gt; <br>&gt; int sumExample (int a, int b)<br>&gt; {<br>&gt; 00BA13C0? push? ? ? ? ebp? <br>&gt; 00BA13C1? mov? ? ? ? ebp,esp <br>&gt; 00BA13C3? sub? ? ? ? esp,0C0h <br>&gt; 00BA13C9? push? ? ? ? ebx? <br>&gt; 00BA13CA? push? ? ? ? esi? <br>&gt; 00BA13CB? push? ? ? ? edi? <br>&gt; 00BA13CC? lea? ? ? ? edi,[ebp-0C0h] <br>&gt; 00BA13D2? mov? ? ? ? ecx,30h <br>&gt; 00BA13D7? mov? ? ? ? eax,0CCCCCCCCh <br>&gt; 00BA13DC? rep stos? ? dword ptr es:[edi] <br>&gt;? ? return a + b;<br>&gt; 00BA13DE? mov? ? ? ? eax,dword ptr [a] <br>&gt; 00BA13E1? add? ? ? ? eax,dword ptr [b] <br>&gt; }<br>&gt; #include <iostream><br>&gt; using namespace std;<br>&gt; int sumExample (int a, int b)<br>&gt; {<br>&gt;? ? return a + b;<br>&gt; }<br>&gt; int main()<br>&gt; {<br>&gt;? int c = sumExample (100, 200);<br>&gt;? cout &lt;&lt; c &lt;&lt; endl;<br>&gt;? return 0;<br>&gt; }<br>&gt;
>
> thanks in advance,
> George
>
>
>? ? ?
>
> —
> You are currently subscribed to windbg as: unknown lmsubst
> tag argument: ‘’
> To unsubscribe send a blank email to
> xxxxx@lists.osr.com

? ? ?


You are currently subscribed to windbg as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

We seem to be going around in circles, so let’s try this differently:

  1. What is your question? Please include ALL the code relevant to it.

My guess is that your question is:

Don’t you think it initializes more stack space than actually needed?

And that this is the code:

> 00BA13C0 push ebp
>> 00BA13C1 mov ebp,esp
>> 00BA13C3 sub esp,0C0h
>> 00BA13C9 push ebx
>> 00BA13CA push esi
>> 00BA13CB push edi
>> 00BA13CC lea edi,[ebp-0C0h]
>> 00BA13D2 mov ecx,30h
>> 00BA13D7 mov eax,0CCCCCCCCh
>> 00BA13DC rep stos dword ptr es:[edi]

Assuming that this is correct, the basic answer is more or less what you’ve already been told. It’s marking the ‘beginning’ of the
local stack with a some padding bytes that happen to the opcode for an ‘INT 3’ (0xCC). I’m not sure the specific purpose the
compiler devs have in mind, but one thing it would definitely help with is diagnosing stack faults, which really suck to debug
without some sort of cheating like this, because by the time you find out about the problem, you’re usually well away from the
cause. With this technique, if you happen to end up outside the stack boundaries - within 0xC0 bytes in this case - the cpu will
execute an 0xCC, a.k.a - INT 3, which will land you immediately in WinDbg, so you have a much better chance to figure out what the
actual problem is more quickly, without having to traverse a blown stack, which itself can confuse WinDbg. So, from above:

> 00BA13C0 push ebp -> standard prolog: preserve the base pointer
>> 00BA13C1 mov ebp,esp -> standard prolog: set the base pointer to the current stack pointer
>> 00BA13C3 sub esp,0C0h -> standard prolog: create 0xC0 (in this case) bytes of local space on the stack
>> 00BA13C9 push ebx -> preserve ebx (for later use)
>> 00BA13CA push esi -> preserve esi (for later use)
>> 00BA13CB push edi -> preserve edi (for use as target of ‘rep stos’)
>> 00BA13CC lea edi,[ebp-0C0h] -> load the effective address of he first byte of the local space created in (2)
>> 00BA13D2 mov ecx,30h -> set ecx (iterations of ‘stos’ to ‘rep’) 0x30==0xC0/sizeof(dword ptr)
>> 00BA13D7 mov eax,0CCCCCCCCh -> set eax to the value of write to memory
>> 00BA13DC rep stos dword ptr es:[edi] -> stores value in EAX to es:[EDI], then decrements ECX, ECX times

The extra space could be used for some other purposes as well, some of which others have mentioned, like ‘Edit and Continue (-ZI’).
As I said, I really don’t know the SPECIFIC purpose in this case, but this is the general idea. If you want to know the SPECIFIC
reason, you’re going to need to find the compiler dev, or someone willing to speak for him.

In general, George, you’re asking very detailed questions, on a very low level subject, that isn’t really on topic here, though
that’s not really an issue, at least as far as I’m concerned. That being said, what I do find to be a little bit of an issue - not
a big one - is that you seem to be unsatisfied with anything but the specific answer to the very question you are asking, all
spelled out for you, on a topic like this - complicated, low level and not on topic, especially since you told us you haven’t read
the Intel Manuals yet. Someone sent you a link to the Intel manuals - I would recommend that you read them thoroughly, because
they are the best source for the answers to the types of questions that you are asking. If your questions were more on topic, or
not on topic but at a higher level on a less complicated subject or had you already read the manual, then it wouldn’t be a problem,
but for something like this, in my opinion, the etiquette here basically says that you have to take what you get for a question like
this, and not keep posting until you get the very specific answer you want, and that people will lose patience if you don’t do your
homework first. Don’t get me wrong - you clearly have been reading what people have suggested (like that article), but you don’t
seem to understand that the entry level for material like this is reading Volumes 1, 2 & 3 of the Intel Manuals, and until you do
that, you’re not going to be able to do anything useful with this information. That doesn’t mean you shouldn’t be told or even
shouldn’t proceed this way, but understand that it will, in my opinion, make people want to help less.

I hope that this is correct; it’s late, and I didn’t look very closely at the previous posts, but I think this is the general idea.

Good luck,

mm

Lin George wrote:

Hi Calin,
I have read through the article you mentioned for a couple of hours. It is really good and I learned something which I donot know before, even if old day technologies.
But, seems it does not directly cover the answer to my question? Or I miss or misunderstand anything? Could you help to clarify please? :slight_smile:
regards,
George

----- Original Message ----
From: Calin Iaru
> To: Lin George
> Cc: xxxxx@lists.osr.com
> Sent: Wednesday, July 23, 2008 7:31:30 AM
> Subject: Re: [windbg] strange 4 assembly instructions for a function
>
> The code you presented is code compiled on Win32 with Program Database for Edit and Continue set. If you use Program Database, then the code will look like:
>
> int f(int a, int b) {
> 009911A0 push ebp
> 009911A1 mov ebp,esp
> return a+b;
> 009911A3 mov eax,dword ptr [a]
> 009911A6 add eax,dword ptr [b]
> }
> 009911A9 pop ebp
> 009911AA ret
>
>
> I don’t know why does PDEC arrange the code like this; perhaps is due to EC feature. PDEC implies the /Gy compiler switch which places each function definition in a code segment. The sum of these segments is the whole program; to make the code smaller, the linker has the option to remove all unused segments. An article written by Matt Pietrek specifies that the functions compiled with /Gy are aligned on a power of 2 boundary which means that each function will be padded with INT 3 instructions up to the next alignment.
> http://www.microsoft.com/msj/archive/S572.aspx
> or search for
> Matt Pietrek comdat
> on msdn.
>
> ----- Original Message ----
> From: Lin George
> To: xxxxx@yahoo.com
> Cc: Kernel Debugging Interest List
> Sent: Tuesday, July 22, 2008 7:53:57 AM
> Subject: Re: [windbg] strange 4 assembly instructions for a function
>
> Thanks Calin,
> I fully agree with you from your below points. But don’t you think it initializes more stack space than actually needed?
> I posted the assembly code again here. Any comments?
> 00BA13CC lea edi,[ebp-0C0h]
> 00BA13D2 mov ecx,30h
> 00BA13D7 mov eax,0CCCCCCCCh
> 00BA13DC rep stos dword ptr es:[edi]
> regards,
> George
>
>
> ----- Original Message ----
> From: Calin Iaru
> To: Kernel Debugging Interest List
> Sent: Monday, July 21, 2008 8:24:42 PM
> Subject: Re: [windbg] strange 4 assembly instructions for a function
>
> Hi,
>
> the compiler fills with 0xCC about 0xC0 bytes of local stack data. I expect a release build to clean up the code.
>
> Best regards,
> Calin
>
> PS.
> 0xCC is a well known value which is distinctively recognized during a crash. For instance, if you have a pointer which contains this value, it will indicate that the pointer is not initialized. Other known value is an 0xfeeefeee which says that the pointer was released. For pointers, use the !address command to find out more information about wether the page was allocated or freed and so on.
>
> — On Mon, 7/21/08, Lin George wrote:
>
>> From: Lin George
>> Subject: [windbg] strange 4 assembly instructions for a function
>> To: “Kernel Debugging Interest List”
>> Date: Monday, July 21, 2008, 11:59 AM
>> Hello everyone,
>>
>> I am confused what is the function of the 4 assembly
>> instructions – I found them when debugging function prolog
>> and epilog for study? I posted the 4 assembly instructions
>> and related whole source code/assembly code below.
>> Any ideas?
>> <br>&gt;&gt; 00BA13CC lea edi,[ebp-0C0h] <br>&gt;&gt; 00BA13D2 mov ecx,30h <br>&gt;&gt; 00BA13D7 mov eax,0CCCCCCCCh <br>&gt;&gt; 00BA13DC rep stos dword ptr es:[edi] <br>&gt;&gt;<br>&gt;&gt; int sumExample (int a, int b)<br>&gt;&gt; {<br>&gt;&gt; 00BA13C0 push ebp <br>&gt;&gt; 00BA13C1 mov ebp,esp <br>&gt;&gt; 00BA13C3 sub esp,0C0h <br>&gt;&gt; 00BA13C9 push ebx <br>&gt;&gt; 00BA13CA push esi <br>&gt;&gt; 00BA13CB push edi <br>&gt;&gt; 00BA13CC lea edi,[ebp-0C0h] <br>&gt;&gt; 00BA13D2 mov ecx,30h <br>&gt;&gt; 00BA13D7 mov eax,0CCCCCCCCh <br>&gt;&gt; 00BA13DC rep stos dword ptr es:[edi] <br>&gt;&gt; return a + b;<br>&gt;&gt; 00BA13DE mov eax,dword ptr [a] <br>&gt;&gt; 00BA13E1 add eax,dword ptr [b] <br>&gt;&gt; }<br>&gt;&gt; #include <iostream><br>&gt;&gt; using namespace std;<br>&gt;&gt; int sumExample (int a, int b)<br>&gt;&gt; {<br>&gt;&gt; return a + b;<br>&gt;&gt; }<br>&gt;&gt; int main()<br>&gt;&gt; {<br>&gt;&gt; int c = sumExample (100, 200);<br>&gt;&gt; cout &lt;&lt; c &lt;&lt; endl;<br>&gt;&gt; return 0;<br>&gt;&gt; }<br>&gt;&gt;
>>
>> thanks in advance,
>> George
>>
>>
>>
>>
>> —
>> You are currently subscribed to windbg as: unknown lmsubst
>> tag argument: ‘’
>> To unsubscribe send a blank email to
>> xxxxx@lists.osr.com
>
>
>
>
> —
> You are currently subscribed to windbg as: unknown lmsubst tag argument: ‘’
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
>
>

Well, I agree with Martin in that this is not the place to learn
assembly language.

And while reading the intel manuals would be of great help, my guess
is you will be total overwhelmed by the intel manuals, and will not be
able to understand them. (Have you read them recently?)

I recommend a book on assembly language that explains all this. You
need to write some assembly language and pay your dues like we did.
Until you write in it it will be hard for you to ever really
understand it.

On Thu, Aug 14, 2008 at 2:52 AM, Martin O’Brien
wrote:
> We seem to be going around in circles, so let’s try this differently:
>
> 1. What is your question? Please include ALL the code relevant to it.
>
> My guess is that your question is:
>
>> Don’t you think it initializes more stack space than actually needed?
>
> And that this is the code:
>
>>> 00BA13C0 push ebp
>>> 00BA13C1 mov ebp,esp
>>> 00BA13C3 sub esp,0C0h
>>> 00BA13C9 push ebx
>>> 00BA13CA push esi
>>> 00BA13CB push edi
>>> 00BA13CC lea edi,[ebp-0C0h]
>>> 00BA13D2 mov ecx,30h
>>> 00BA13D7 mov eax,0CCCCCCCCh
>>> 00BA13DC rep stos dword ptr es:[edi]
>
> Assuming that this is correct, the basic answer is more or less what you’ve
> already been told. It’s marking the ‘beginning’ of the local stack with a
> some padding bytes that happen to the opcode for an ‘INT 3’ (0xCC). I’m not
> sure the specific purpose the compiler devs have in mind, but one thing it
> would definitely help with is diagnosing stack faults, which really suck to
> debug without some sort of cheating like this, because by the time you find
> out about the problem, you’re usually well away from the cause. With this
> technique, if you happen to end up outside the stack boundaries - within
> 0xC0 bytes in this case - the cpu will execute an 0xCC, a.k.a - INT 3, which
> will land you immediately in WinDbg, so you have a much better chance to
> figure out what the actual problem is more quickly, without having to
> traverse a blown stack, which itself can confuse WinDbg. So, from above:
>
>
>>> 00BA13C0 push ebp -> standard prolog: preserve
>>> the base pointer
>>> 00BA13C1 mov ebp,esp -> standard prolog: set the
>>> base pointer to the current stack pointer
>>> 00BA13C3 sub esp,0C0h -> standard prolog: create
>>> 0xC0 (in this case) bytes of local space on the stack
>>> 00BA13C9 push ebx -> preserve ebx (for later
>>> use)
>>> 00BA13CA push esi -> preserve esi (for later
>>> use)
>>> 00BA13CB push edi -> preserve edi (for use as
>>> target of ‘rep stos’)
>>> 00BA13CC lea edi,[ebp-0C0h] -> load the effective
>>> address of he first byte of the local space created in (2)
>>> 00BA13D2 mov ecx,30h -> set ecx (iterations of
>>> ‘stos’ to ‘rep’) 0x30==0xC0/sizeof(dword ptr)
>>> 00BA13D7 mov eax,0CCCCCCCCh -> set eax to the value of
>>> write to memory
>>> 00BA13DC rep stos dword ptr es:[edi] -> stores value in EAX to
>>> es:[EDI], then decrements ECX, ECX times
>
> The extra space could be used for some other purposes as well, some of which
> others have mentioned, like ‘Edit and Continue (-ZI’). As I said, I really
> don’t know the SPECIFIC purpose in this case, but this is the general idea.
> If you want to know the SPECIFIC reason, you’re going to need to find the
> compiler dev, or someone willing to speak for him.
>
> In general, George, you’re asking very detailed questions, on a very low
> level subject, that isn’t really on topic here, though that’s not really an
> issue, at least as far as I’m concerned. That being said, what I do find to
> be a little bit of an issue - not a big one - is that you seem to be
> unsatisfied with anything but the specific answer to the very question you
> are asking, all spelled out for you, on a topic like this - complicated, low
> level and not on topic, especially since you told us you haven’t read the
> Intel Manuals yet. Someone sent you a link to the Intel manuals - I would
> recommend that you read them thoroughly, because they are the best source
> for the answers to the types of questions that you are asking. If your
> questions were more on topic, or not on topic but at a higher level on a
> less complicated subject or had you already read the manual, then it
> wouldn’t be a problem, but for something like this, in my opinion, the
> etiquette here basically says that you have to take what you get for a
> question like this, and not keep posting until you get the very specific
> answer you want, and that people will lose patience if you don’t do your
> homework first. Don’t get me wrong - you clearly have been reading what
> people have suggested (like that article), but you don’t seem to understand
> that the entry level for material like this is reading Volumes 1, 2 & 3 of
> the Intel Manuals, and until you do that, you’re not going to be able to do
> anything useful with this information. That doesn’t mean you shouldn’t be
> told or even shouldn’t proceed this way, but understand that it will, in my
> opinion, make people want to help less.
>
> I hope that this is correct; it’s late, and I didn’t look very closely at
> the previous posts, but I think this is the general idea.
>
>
> Good luck,
>
> mm
>
>
>
>
>
>
>
> Lin George wrote:
>>
>> Hi Calin,
>> I have read through the article you mentioned for a couple of hours. It is
>> really good and I learned something which I donot know before, even if old
>> day technologies.
>> But, seems it does not directly cover the answer to my question? Or I miss
>> or misunderstand anything? Could you help to clarify please? :slight_smile:
>> regards,
>> George
>>
>>
>> ----- Original Message ----
>> From: Calin Iaru
>> To: Lin George
>> Cc: xxxxx@lists.osr.com
>> Sent: Wednesday, July 23, 2008 7:31:30 AM
>> Subject: Re: [windbg] strange 4 assembly instructions for a function
>>
>> The code you presented is code compiled on Win32 with Program Database for
>> Edit and Continue set. If you use Program Database, then the code will look
>> like:
>>
>> int f(int a, int b) {
>> 009911A0 push ebp 009911A1 mov ebp,esp return a+b;
>> 009911A3 mov eax,dword ptr [a] 009911A6 add eax,dword ptr
>> [b] }
>> 009911A9 pop ebp 009911AA ret
>>
>> I don’t know why does PDEC arrange the code like this; perhaps is due to
>> EC feature. PDEC implies the /Gy compiler switch which places each function
>> definition in a code segment. The sum of these segments is the whole
>> program; to make the code smaller, the linker has the option to remove all
>> unused segments. An article written by Matt Pietrek specifies that the
>> functions compiled with /Gy are aligned on a power of 2 boundary which means
>> that each function will be padded with INT 3 instructions up to the next
>> alignment.
>> http://www.microsoft.com/msj/archive/S572.aspx
>> or search for Matt Pietrek comdat
>> on msdn.
>>
>> ----- Original Message ----
>> From: Lin George
>> To: xxxxx@yahoo.com
>> Cc: Kernel Debugging Interest List
>> Sent: Tuesday, July 22, 2008 7:53:57 AM
>> Subject: Re: [windbg] strange 4 assembly instructions for a function
>>
>> Thanks Calin,
>> I fully agree with you from your below points. But don’t you think it
>> initializes more stack space than actually needed?
>> I posted the assembly code again here. Any comments?
>> 00BA13CC lea edi,[ebp-0C0h] 00BA13D2 mov ecx,30h 00BA13D7
>> mov eax,0CCCCCCCCh 00BA13DC rep stos dword ptr es:[edi] regards,
>> George
>>
>>
>> ----- Original Message ----
>> From: Calin Iaru
>> To: Kernel Debugging Interest List
>> Sent: Monday, July 21, 2008 8:24:42 PM
>> Subject: Re: [windbg] strange 4 assembly instructions for a function
>>
>> Hi,
>>
>> the compiler fills with 0xCC about 0xC0 bytes of local stack data. I
>> expect a release build to clean up the code.
>>
>> Best regards,
>> Calin
>>
>> PS.
>> 0xCC is a well known value which is distinctively recognized during a
>> crash. For instance, if you have a pointer which contains this value, it
>> will indicate that the pointer is not initialized. Other known value is an
>> 0xfeeefeee which says that the pointer was released. For pointers, use the
>> !address command to find out more information about wether the page was
>> allocated or freed and so on.
>>
>> — On Mon, 7/21/08, Lin George wrote:
>>
>>> From: Lin George
>>> Subject: [windbg] strange 4 assembly instructions for a function
>>> To: “Kernel Debugging Interest List”
>>> Date: Monday, July 21, 2008, 11:59 AM
>>> Hello everyone,
>>>
>>> I am confused what is the function of the 4 assembly
>>> instructions – I found them when debugging function prolog
>>> and epilog for study? I posted the 4 assembly instructions
>>> and related whole source code/assembly code below.
>>> Any ideas?
>>> <br>&gt;&gt;&gt; 00BA13CC lea edi,[ebp-0C0h] 00BA13D2 mov ecx,30h 00BA13D7<br>&gt;&gt;&gt; mov eax,0CCCCCCCCh 00BA13DC rep stos dword ptr es:[edi]<br>&gt;&gt;&gt; int sumExample (int a, int b)<br>&gt;&gt;&gt; {<br>&gt;&gt;&gt; 00BA13C0 push ebp 00BA13C1 mov ebp,esp 00BA13C3 sub<br>&gt;&gt;&gt; esp,0C0h 00BA13C9 push ebx 00BA13CA push esi 00BA13CB<br>&gt;&gt;&gt; push edi 00BA13CC lea edi,[ebp-0C0h] 00BA13D2 mov<br>&gt;&gt;&gt; ecx,30h 00BA13D7 mov eax,0CCCCCCCCh 00BA13DC rep stos dword ptr<br>&gt;&gt;&gt; es:[edi] return a + b;<br>&gt;&gt;&gt; 00BA13DE mov eax,dword ptr [a] 00BA13E1 add eax,dword ptr<br>&gt;&gt;&gt; [b] }<br>&gt;&gt;&gt; #include <iostream><br>&gt;&gt;&gt; using namespace std;<br>&gt;&gt;&gt; int sumExample (int a, int b)<br>&gt;&gt;&gt; {<br>&gt;&gt;&gt; return a + b;<br>&gt;&gt;&gt; }<br>&gt;&gt;&gt; int main()<br>&gt;&gt;&gt; {<br>&gt;&gt;&gt; int c = sumExample (100, 200);<br>&gt;&gt;&gt; cout &lt;&lt; c &lt;&lt; endl;<br>&gt;&gt;&gt; return 0;<br>&gt;&gt;&gt; }<br>&gt;&gt;&gt;
>>>
>>> thanks in advance,
>>> George
>>>
>>>
>>>
>>> —
>>> You are currently subscribed to windbg as: unknown lmsubst
>>> tag argument: ‘’
>>> To unsubscribe send a blank email to
>>> xxxxx@lists.osr.com
>>
>>
>>
>> —
>> You are currently subscribed to windbg as: unknown lmsubst tag argument:
>> ‘’
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>>
>>
>
> —
> You are currently subscribed to windbg as: xxxxx@jimdonelson.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

Probably better advice - a book on assembler.

mm

Jim Donelson wrote:

Well, I agree with Martin in that this is not the place to learn
assembly language.

And while reading the intel manuals would be of great help, my guess
is you will be total overwhelmed by the intel manuals, and will not be
able to understand them. (Have you read them recently?)

I recommend a book on assembly language that explains all this. You
need to write some assembly language and pay your dues like we did.
Until you write in it it will be hard for you to ever really
understand it.

On Thu, Aug 14, 2008 at 2:52 AM, Martin O’Brien
wrote:
>> We seem to be going around in circles, so let’s try this differently:
>>
>> 1. What is your question? Please include ALL the code relevant to it.
>>
>> My guess is that your question is:
>>
>>> Don’t you think it initializes more stack space than actually needed?
>> And that this is the code:
>>
>>>> 00BA13C0 push ebp
>>>> 00BA13C1 mov ebp,esp
>>>> 00BA13C3 sub esp,0C0h
>>>> 00BA13C9 push ebx
>>>> 00BA13CA push esi
>>>> 00BA13CB push edi
>>>> 00BA13CC lea edi,[ebp-0C0h]
>>>> 00BA13D2 mov ecx,30h
>>>> 00BA13D7 mov eax,0CCCCCCCCh
>>>> 00BA13DC rep stos dword ptr es:[edi]
>> Assuming that this is correct, the basic answer is more or less what you’ve
>> already been told. It’s marking the ‘beginning’ of the local stack with a
>> some padding bytes that happen to the opcode for an ‘INT 3’ (0xCC). I’m not
>> sure the specific purpose the compiler devs have in mind, but one thing it
>> would definitely help with is diagnosing stack faults, which really suck to
>> debug without some sort of cheating like this, because by the time you find
>> out about the problem, you’re usually well away from the cause. With this
>> technique, if you happen to end up outside the stack boundaries - within
>> 0xC0 bytes in this case - the cpu will execute an 0xCC, a.k.a - INT 3, which
>> will land you immediately in WinDbg, so you have a much better chance to
>> figure out what the actual problem is more quickly, without having to
>> traverse a blown stack, which itself can confuse WinDbg. So, from above:
>>
>>
>>>> 00BA13C0 push ebp -> standard prolog: preserve
>>>> the base pointer
>>>> 00BA13C1 mov ebp,esp -> standard prolog: set the
>>>> base pointer to the current stack pointer
>>>> 00BA13C3 sub esp,0C0h -> standard prolog: create
>>>> 0xC0 (in this case) bytes of local space on the stack
>>>> 00BA13C9 push ebx -> preserve ebx (for later
>>>> use)
>>>> 00BA13CA push esi -> preserve esi (for later
>>>> use)
>>>> 00BA13CB push edi -> preserve edi (for use as
>>>> target of ‘rep stos’)
>>>> 00BA13CC lea edi,[ebp-0C0h] -> load the effective
>>>> address of he first byte of the local space created in (2)
>>>> 00BA13D2 mov ecx,30h -> set ecx (iterations of
>>>> ‘stos’ to ‘rep’) 0x30==0xC0/sizeof(dword ptr)
>>>> 00BA13D7 mov eax,0CCCCCCCCh -> set eax to the value of
>>>> write to memory
>>>> 00BA13DC rep stos dword ptr es:[edi] -> stores value in EAX to
>>>> es:[EDI], then decrements ECX, ECX times
>> The extra space could be used for some other purposes as well, some of which
>> others have mentioned, like ‘Edit and Continue (-ZI’). As I said, I really
>> don’t know the SPECIFIC purpose in this case, but this is the general idea.
>> If you want to know the SPECIFIC reason, you’re going to need to find the
>> compiler dev, or someone willing to speak for him.
>>
>> In general, George, you’re asking very detailed questions, on a very low
>> level subject, that isn’t really on topic here, though that’s not really an
>> issue, at least as far as I’m concerned. That being said, what I do find to
>> be a little bit of an issue - not a big one - is that you seem to be
>> unsatisfied with anything but the specific answer to the very question you
>> are asking, all spelled out for you, on a topic like this - complicated, low
>> level and not on topic, especially since you told us you haven’t read the
>> Intel Manuals yet. Someone sent you a link to the Intel manuals - I would
>> recommend that you read them thoroughly, because they are the best source
>> for the answers to the types of questions that you are asking. If your
>> questions were more on topic, or not on topic but at a higher level on a
>> less complicated subject or had you already read the manual, then it
>> wouldn’t be a problem, but for something like this, in my opinion, the
>> etiquette here basically says that you have to take what you get for a
>> question like this, and not keep posting until you get the very specific
>> answer you want, and that people will lose patience if you don’t do your
>> homework first. Don’t get me wrong - you clearly have been reading what
>> people have suggested (like that article), but you don’t seem to understand
>> that the entry level for material like this is reading Volumes 1, 2 & 3 of
>> the Intel Manuals, and until you do that, you’re not going to be able to do
>> anything useful with this information. That doesn’t mean you shouldn’t be
>> told or even shouldn’t proceed this way, but understand that it will, in my
>> opinion, make people want to help less.
>>
>> I hope that this is correct; it’s late, and I didn’t look very closely at
>> the previous posts, but I think this is the general idea.
>>
>>
>> Good luck,
>>
>> mm
>>
>>
>>
>>
>>
>>
>>
>> Lin George wrote:
>>> Hi Calin,
>>> I have read through the article you mentioned for a couple of hours. It is
>>> really good and I learned something which I donot know before, even if old
>>> day technologies.
>>> But, seems it does not directly cover the answer to my question? Or I miss
>>> or misunderstand anything? Could you help to clarify please? :slight_smile:
>>> regards,
>>> George
>>>
>>>
>>> ----- Original Message ----
>>> From: Calin Iaru
>>> To: Lin George
>>> Cc: xxxxx@lists.osr.com
>>> Sent: Wednesday, July 23, 2008 7:31:30 AM
>>> Subject: Re: [windbg] strange 4 assembly instructions for a function
>>>
>>> The code you presented is code compiled on Win32 with Program Database for
>>> Edit and Continue set. If you use Program Database, then the code will look
>>> like:
>>>
>>> int f(int a, int b) {
>>> 009911A0 push ebp 009911A1 mov ebp,esp return a+b;
>>> 009911A3 mov eax,dword ptr [a] 009911A6 add eax,dword ptr
>>> [b] }
>>> 009911A9 pop ebp 009911AA ret
>>>
>>> I don’t know why does PDEC arrange the code like this; perhaps is due to
>>> EC feature. PDEC implies the /Gy compiler switch which places each function
>>> definition in a code segment. The sum of these segments is the whole
>>> program; to make the code smaller, the linker has the option to remove all
>>> unused segments. An article written by Matt Pietrek specifies that the
>>> functions compiled with /Gy are aligned on a power of 2 boundary which means
>>> that each function will be padded with INT 3 instructions up to the next
>>> alignment.
>>> http://www.microsoft.com/msj/archive/S572.aspx
>>> or search for Matt Pietrek comdat
>>> on msdn.
>>>
>>> ----- Original Message ----
>>> From: Lin George
>>> To: xxxxx@yahoo.com
>>> Cc: Kernel Debugging Interest List
>>> Sent: Tuesday, July 22, 2008 7:53:57 AM
>>> Subject: Re: [windbg] strange 4 assembly instructions for a function
>>>
>>> Thanks Calin,
>>> I fully agree with you from your below points. But don’t you think it
>>> initializes more stack space than actually needed?
>>> I posted the assembly code again here. Any comments?
>>> 00BA13CC lea edi,[ebp-0C0h] 00BA13D2 mov ecx,30h 00BA13D7
>>> mov eax,0CCCCCCCCh 00BA13DC rep stos dword ptr es:[edi] regards,
>>> George
>>>
>>>
>>> ----- Original Message ----
>>> From: Calin Iaru
>>> To: Kernel Debugging Interest List
>>> Sent: Monday, July 21, 2008 8:24:42 PM
>>> Subject: Re: [windbg] strange 4 assembly instructions for a function
>>>
>>> Hi,
>>>
>>> the compiler fills with 0xCC about 0xC0 bytes of local stack data. I
>>> expect a release build to clean up the code.
>>>
>>> Best regards,
>>> Calin
>>>
>>> PS.
>>> 0xCC is a well known value which is distinctively recognized during a
>>> crash. For instance, if you have a pointer which contains this value, it
>>> will indicate that the pointer is not initialized. Other known value is an
>>> 0xfeeefeee which says that the pointer was released. For pointers, use the
>>> !address command to find out more information about wether the page was
>>> allocated or freed and so on.
>>>
>>> — On Mon, 7/21/08, Lin George wrote:
>>>
>>>> From: Lin George
>>>> Subject: [windbg] strange 4 assembly instructions for a function
>>>> To: “Kernel Debugging Interest List”
>>>> Date: Monday, July 21, 2008, 11:59 AM
>>>> Hello everyone,
>>>>
>>>> I am confused what is the function of the 4 assembly
>>>> instructions – I found them when debugging function prolog
>>>> and epilog for study? I posted the 4 assembly instructions
>>>> and related whole source code/assembly code below.
>>>> Any ideas?
>>>> <br>&gt;&gt;&gt;&gt; 00BA13CC lea edi,[ebp-0C0h] 00BA13D2 mov ecx,30h 00BA13D7<br>&gt;&gt;&gt;&gt; mov eax,0CCCCCCCCh 00BA13DC rep stos dword ptr es:[edi]<br>&gt;&gt;&gt;&gt; int sumExample (int a, int b)<br>&gt;&gt;&gt;&gt; {<br>&gt;&gt;&gt;&gt; 00BA13C0 push ebp 00BA13C1 mov ebp,esp 00BA13C3 sub<br>&gt;&gt;&gt;&gt; esp,0C0h 00BA13C9 push ebx 00BA13CA push esi 00BA13CB<br>&gt;&gt;&gt;&gt; push edi 00BA13CC lea edi,[ebp-0C0h] 00BA13D2 mov<br>&gt;&gt;&gt;&gt; ecx,30h 00BA13D7 mov eax,0CCCCCCCCh 00BA13DC rep stos dword ptr<br>&gt;&gt;&gt;&gt; es:[edi] return a + b;<br>&gt;&gt;&gt;&gt; 00BA13DE mov eax,dword ptr [a] 00BA13E1 add eax,dword ptr<br>&gt;&gt;&gt;&gt; [b] }<br>&gt;&gt;&gt;&gt; #include <iostream><br>&gt;&gt;&gt;&gt; using namespace std;<br>&gt;&gt;&gt;&gt; int sumExample (int a, int b)<br>&gt;&gt;&gt;&gt; {<br>&gt;&gt;&gt;&gt; return a + b;<br>&gt;&gt;&gt;&gt; }<br>&gt;&gt;&gt;&gt; int main()<br>&gt;&gt;&gt;&gt; {<br>&gt;&gt;&gt;&gt; int c = sumExample (100, 200);<br>&gt;&gt;&gt;&gt; cout &lt;&lt; c &lt;&lt; endl;<br>&gt;&gt;&gt;&gt; return 0;<br>&gt;&gt;&gt;&gt; }<br>&gt;&gt;&gt;&gt;
>>>>
>>>> thanks in advance,
>>>> George
>>>>
>>>>
>>>>
>>>> —
>>>> You are currently subscribed to windbg as: unknown lmsubst
>>>> tag argument: ‘’
>>>> To unsubscribe send a blank email to
>>>> xxxxx@lists.osr.com
>>>
>>>
>>> —
>>> You are currently subscribed to windbg as: unknown lmsubst tag argument:
>>> ‘’
>>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>>
>>>
>>>
>> —
>> You are currently subscribed to windbg as: xxxxx@jimdonelson.com
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>

Thanks Martin,
I agree with you. One more question, why reserving more space will enable the edit and continue feature as mentioned? This point I am very interested, but can not find any materials through Google search. Do you have any more documents in details? Or you describe by yourself?
(my confusion is, the developer could edit and insert as much as information – like code and data change – as he can, how could we predict the space which developer will be used in edit and continue feature?)
regards,
George

----- Original Message ----
From: Martin O’Brien
To: Kernel Debugging Interest List
Sent: Thursday, August 14, 2008 2:52:30 PM
Subject: Re:[windbg] strange 4 assembly instructions for a function

We seem to be going around in circles, so let’s try this differently:

1.? What is your question?? Please include ALL the code relevant to it.

My guess is that your question is:

> Don’t you think it initializes more stack space than actually needed?

And that this is the code:

>> 00BA13C0? push? ? ? ? ebp
>> 00BA13C1? mov? ? ? ? ebp,esp
>> 00BA13C3? sub? ? ? ? esp,0C0h
>> 00BA13C9? push? ? ? ? ebx
>> 00BA13CA? push? ? ? ? esi
>> 00BA13CB? push? ? ? ? edi
>> 00BA13CC? lea? ? ? ? edi,[ebp-0C0h]
>> 00BA13D2? mov? ? ? ? ecx,30h
>> 00BA13D7? mov? ? ? ? eax,0CCCCCCCCh
>> 00BA13DC? rep stos? ? dword ptr es:[edi]

Assuming that this is correct, the basic answer is more or less what you’ve already been told.? It’s marking the ‘beginning’ of the
local stack with a some padding bytes that happen to the opcode for an ‘INT 3’ (0xCC).? I’m not sure the specific purpose the
compiler devs have in mind, but one thing it would definitely help with is diagnosing stack faults, which really suck to debug
without some sort of cheating like this, because by the time you find out about the problem, you’re usually well away from the
cause.? With this technique, if you happen to end up outside the stack boundaries - within 0xC0 bytes in this case - the cpu will
execute an 0xCC, a.k.a - INT 3, which will land you immediately in WinDbg, so you have a much better chance to figure out what the
actual problem is more quickly, without having to traverse a blown stack, which itself can confuse WinDbg.? So, from above:

>> 00BA13C0? push? ? ? ? ebp??? ??? ??? -> standard prolog: preserve the base pointer
>> 00BA13C1? mov? ? ? ? ebp,esp ??? ??? -> standard prolog: set the base pointer to the current stack pointer
>> 00BA13C3? sub? ? ? ? esp,0C0h ??? ??? -> standard prolog: create 0xC0 (in this case) bytes of local space on the stack
>> 00BA13C9? push? ? ? ? ebx? ??? ??? ??? -> preserve ebx (for later use)
>> 00BA13CA? push? ? ? ? esi? ??? ??? ??? -> preserve esi (for later use)
>> 00BA13CB? push? ? ? ? edi? ??? ??? ??? -> preserve edi (for use as target of ‘rep stos’)
>> 00BA13CC? lea? ? ? ? edi,[ebp-0C0h] ??? ??? -> load the effective address of he first byte of the local space created in (2)
>> 00BA13D2? mov? ? ? ? ecx,30h ??? ??? -> set ecx (iterations of ‘stos’ to ‘rep’) 0x30==0xC0/sizeof(dword ptr)
>> 00BA13D7? mov? ? ? ? eax,0CCCCCCCCh ??? ??? -> set eax to the value of write to memory
>> 00BA13DC? rep stos? ? dword ptr es:[edi] ??? -> stores value in EAX to es:[EDI], then decrements ECX, ECX times

The extra space could be used for some other purposes as well, some of which others have mentioned, like ‘Edit and Continue (-ZI’).
? As I said, I really don’t know the SPECIFIC purpose in this case, but this is the general idea.? If you want to know the SPECIFIC
reason, you’re going to need to find the compiler dev, or someone willing to speak for him.

In general, George, you’re asking very detailed questions, on a very low level subject, that isn’t really on topic here, though
that’s not really an issue, at least as far as I’m concerned.? That being said, what I do find to be a little bit of an issue - not
a big one - is that you seem to be unsatisfied with anything but the specific answer to the very question you are asking, all
spelled out for you, on a topic like this - complicated, low level and not on topic, especially since you told us you haven’t read
the Intel Manuals yet.? Someone sent you a link to the Intel manuals - I would recommend that? you read them thoroughly, because
they are the best source for the answers to the types of questions that you are asking.? If your questions were more on topic, or
not on topic but at a higher level on a less complicated subject or had you already read the manual, then it wouldn’t be a problem,
but for something like this, in my opinion, the etiquette here basically says that you have to take what you get for a question like
this, and not keep posting until you get the very specific answer you want, and that people will lose patience if you don’t do your
homework first.? Don’t get me wrong - you clearly have been reading what people have suggested (like that article), but you don’t
seem to understand that the entry level for material like this is reading Volumes 1, 2 & 3 of the Intel Manuals, and until you do
that, you’re not going to be able to do anything useful with this information.? That doesn’t mean you shouldn’t be told or even
shouldn’t proceed this way, but understand that it will, in my opinion, make people want to help less.

I hope that this is correct; it’s late, and I didn’t look very closely at the previous posts, but I think this is the general idea.

Good luck,

mm

Lin George wrote:
> Hi Calin,
> I have read through the article you mentioned for a couple of hours. It is really good and I learned something which I donot know before, even if old day technologies.
> But, seems it does not directly cover the answer to my question? Or I miss or misunderstand anything? Could you help to clarify please? :slight_smile:
> regards,
> George
>
>
> ----- Original Message ----
> From: Calin Iaru
> To: Lin George
> Cc: xxxxx@lists.osr.com
> Sent: Wednesday, July 23, 2008 7:31:30 AM
> Subject: Re: [windbg] strange 4 assembly instructions for a function
>
> The code you presented is code compiled on Win32 with Program Database for Edit and Continue set. If you use Program Database, then the code will look like:
>
> int f(int a, int b) {
> 009911A0? push? ? ? ? ebp?
> 009911A1? mov? ? ? ? ebp,esp
>? ? return a+b;
> 009911A3? mov? ? ? ? eax,dword ptr [a]
> 009911A6? add? ? ? ? eax,dword ptr [b]
> }
> 009911A9? pop? ? ? ? ebp?
> 009911AA? ret? ? ? ? ? ? ?
>
>
> I don’t know why does PDEC arrange the code like this; perhaps is due to EC feature. PDEC implies the /Gy compiler switch which places each function definition in a code segment. The sum of these segments is the whole program; to make the code smaller, the linker has the option to remove all unused segments. An article written by Matt Pietrek specifies that the functions compiled with /Gy are aligned on a power of 2 boundary which means that each function will be padded with INT 3 instructions up to the next alignment.
> http://www.microsoft.com/msj/archive/S572.aspx
> or search for
> Matt Pietrek comdat
> on msdn.
>
> ----- Original Message ----
> From: Lin George
> To: xxxxx@yahoo.com
> Cc: Kernel Debugging Interest List
> Sent: Tuesday, July 22, 2008 7:53:57 AM
> Subject: Re: [windbg] strange 4 assembly instructions for a function
>
> Thanks Calin,
> I fully agree with you from your below points. But don’t you think it initializes more stack space than actually needed?
> I posted the assembly code again here. Any comments?
> 00BA13CC? lea? ? ? ? edi,[ebp-0C0h]
> 00BA13D2? mov? ? ? ? ecx,30h
> 00BA13D7? mov? ? ? ? eax,0CCCCCCCCh
> 00BA13DC? rep stos? ? dword ptr es:[edi]
> regards,
> George
>
>
> ----- Original Message ----
> From: Calin Iaru
> To: Kernel Debugging Interest List
> Sent: Monday, July 21, 2008 8:24:42 PM
> Subject: Re: [windbg] strange 4 assembly instructions for a function
>
> Hi,
>
>? the compiler fills with 0xCC about 0xC0 bytes of local stack data. I expect a release build to clean up the code.
>
> Best regards,
>? Calin
>
> PS.
> 0xCC is a well known value which is distinctively recognized during a crash. For instance, if you have a pointer which contains this value, it will indicate that the pointer is not initialized. Other known value is an 0xfeeefeee which says that the pointer was released. For pointers, use the !address command to find out more information about wether the page was allocated or freed and so on.
>
> — On Mon, 7/21/08, Lin George wrote:
>
>> From: Lin George
>> Subject: [windbg] strange 4 assembly instructions for a function
>> To: “Kernel Debugging Interest List”
>> Date: Monday, July 21, 2008, 11:59 AM
>> Hello everyone,
>>
>> I am confused what is the function of the 4 assembly
>> instructions – I found them when debugging function prolog
>> and epilog for study? I posted the 4 assembly instructions
>> and related whole source code/assembly code below.
>> Any ideas?
>> <br>&gt;&gt; 00BA13CC? lea? ? ? ? edi,[ebp-0C0h] <br>&gt;&gt; 00BA13D2? mov? ? ? ? ecx,30h <br>&gt;&gt; 00BA13D7? mov? ? ? ? eax,0CCCCCCCCh <br>&gt;&gt; 00BA13DC? rep stos? ? dword ptr es:[edi] <br>&gt;&gt;<br>&gt;&gt; int sumExample (int a, int b)<br>&gt;&gt; {<br>&gt;&gt; 00BA13C0? push? ? ? ? ebp? <br>&gt;&gt; 00BA13C1? mov? ? ? ? ebp,esp <br>&gt;&gt; 00BA13C3? sub? ? ? ? esp,0C0h <br>&gt;&gt; 00BA13C9? push? ? ? ? ebx? <br>&gt;&gt; 00BA13CA? push? ? ? ? esi? <br>&gt;&gt; 00BA13CB? push? ? ? ? edi? <br>&gt;&gt; 00BA13CC? lea? ? ? ? edi,[ebp-0C0h] <br>&gt;&gt; 00BA13D2? mov? ? ? ? ecx,30h <br>&gt;&gt; 00BA13D7? mov? ? ? ? eax,0CCCCCCCCh <br>&gt;&gt; 00BA13DC? rep stos? ? dword ptr es:[edi] <br>&gt;&gt;? ? return a + b;<br>&gt;&gt; 00BA13DE? mov? ? ? ? eax,dword ptr [a] <br>&gt;&gt; 00BA13E1? add? ? ? ? eax,dword ptr [b] <br>&gt;&gt; }<br>&gt;&gt; #include <iostream><br>&gt;&gt; using namespace std;<br>&gt;&gt; int sumExample (int a, int b)<br>&gt;&gt; {<br>&gt;&gt;? ? return a + b;<br>&gt;&gt; }<br>&gt;&gt; int main()<br>&gt;&gt; {<br>&gt;&gt;? int c = sumExample (100, 200);<br>&gt;&gt;? cout &lt;&lt; c &lt;&lt; endl;<br>&gt;&gt;? return 0;<br>&gt;&gt; }<br>&gt;&gt;
>>
>> thanks in advance,
>> George
>>
>>
>>? ? ?
>>
>> —
>> You are currently subscribed to windbg as: unknown lmsubst
>> tag argument: ‘’
>> To unsubscribe send a blank email to
>> xxxxx@lists.osr.com
>
>
>? ? ?
>
> —
> You are currently subscribed to windbg as: unknown lmsubst tag argument: ‘’
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
>? ? ?
>


You are currently subscribed to windbg as: xxxxx@yahoo.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Thanks Jim,
You understand my pains well. I actually have the manuals and the manuals are not targetted to newbies to learn step by step, but more looks like a dictionary. I have some assembly book, quite old, 8086 series.
Do you have any suggestions for an assembly language book, which covers modern CPU architecture and 64-bit computing? I always work under 64-bit environment and have special interests in this.
regards,
George

----- Original Message ----
From: Jim Donelson
To: Kernel Debugging Interest List
Sent: Thursday, August 14, 2008 8:52:55 PM
Subject: Re: [windbg] strange 4 assembly instructions for a function

Well, I agree with Martin in that this is not the place to learn
assembly language.

And while reading the intel manuals would be of great help, my guess
is you will be total overwhelmed by the intel manuals, and will not be
able to understand them. (Have you read them recently?)

I recommend a book on assembly language that explains all this. You
need to write some assembly language and pay your dues like we did.
Until you write in it it will be hard for you to ever really
understand it.

On Thu, Aug 14, 2008 at 2:52 AM, Martin O’Brien
wrote:
> We seem to be going around in circles, so let’s try this differently:
>
> 1.? What is your question?? Please include ALL the code relevant to it.
>
> My guess is that your question is:
>
>> Don’t you think it initializes more stack space than actually needed?
>
> And that this is the code:
>
>>> 00BA13C0? push? ? ? ? ebp
>>> 00BA13C1? mov? ? ? ? ebp,esp
>>> 00BA13C3? sub? ? ? ? esp,0C0h
>>> 00BA13C9? push? ? ? ? ebx
>>> 00BA13CA? push? ? ? ? esi
>>> 00BA13CB? push? ? ? ? edi
>>> 00BA13CC? lea? ? ? ? edi,[ebp-0C0h]
>>> 00BA13D2? mov? ? ? ? ecx,30h
>>> 00BA13D7? mov? ? ? ? eax,0CCCCCCCCh
>>> 00BA13DC? rep stos? ? dword ptr es:[edi]
>
> Assuming that this is correct, the basic answer is more or less what you’ve
> already been told.? It’s marking the ‘beginning’ of the local stack with a
> some padding bytes that happen to the opcode for an ‘INT 3’ (0xCC).? I’m not
> sure the specific purpose the compiler devs have in mind, but one thing it
> would definitely help with is diagnosing stack faults, which really suck to
> debug without some sort of cheating like this, because by the time you find
> out about the problem, you’re usually well away from the cause.? With this
> technique, if you happen to end up outside the stack boundaries - within
> 0xC0 bytes in this case - the cpu will execute an 0xCC, a.k.a - INT 3, which
> will land you immediately in WinDbg, so you have a much better chance to
> figure out what the actual problem is more quickly, without having to
> traverse a blown stack, which itself can confuse WinDbg.? So, from above:
>
>
>>> 00BA13C0? push? ? ? ? ebp? ? ? ? ? ? ? ? ? ? -> standard prolog: preserve
>>> the base pointer
>>> 00BA13C1? mov? ? ? ? ebp,esp? ? ? ? ? ? ? ? -> standard prolog: set the
>>> base pointer to the current stack pointer
>>> 00BA13C3? sub? ? ? ? esp,0C0h? ? ? ? ? ? ? ? -> standard prolog: create
>>> 0xC0 (in this case) bytes of local space on the stack
>>> 00BA13C9? push? ? ? ? ebx? ? ? ? ? ? ? ? ? ? -> preserve ebx (for later
>>> use)
>>> 00BA13CA? push? ? ? ? esi? ? ? ? ? ? ? ? ? ? -> preserve esi (for later
>>> use)
>>> 00BA13CB? push? ? ? ? edi? ? ? ? ? ? ? ? ? ? -> preserve edi (for use as
>>> target of ‘rep stos’)
>>> 00BA13CC? lea? ? ? ? edi,[ebp-0C0h]? ? ? ? ? -> load the effective
>>> address of he first byte of the local space created in (2)
>>> 00BA13D2? mov? ? ? ? ecx,30h? ? ? ? ? ? ? ? -> set ecx (iterations of
>>> ‘stos’ to ‘rep’) 0x30==0xC0/sizeof(dword ptr)
>>> 00BA13D7? mov? ? ? ? eax,0CCCCCCCCh? ? ? ? ? -> set eax to the value of
>>> write to memory
>>> 00BA13DC? rep stos? ? dword ptr es:[edi]? ? -> stores value in EAX to
>>> es:[EDI], then decrements ECX, ECX times
>
> The extra space could be used for some other purposes as well, some of which
> others have mentioned, like ‘Edit and Continue (-ZI’).? As I said, I really
> don’t know the SPECIFIC purpose in this case, but this is the general idea.
>? If you want to know the SPECIFIC reason, you’re going to need to find the
> compiler dev, or someone willing to speak for him.
>
> In general, George, you’re asking very detailed questions, on a very low
> level subject, that isn’t really on topic here, though that’s not really an
> issue, at least as far as I’m concerned.? That being said, what I do find to
> be a little bit of an issue - not a big one - is that you seem to be
> unsatisfied with anything but the specific answer to the very question you
> are asking, all spelled out for you, on a topic like this - complicated, low
> level and not on topic, especially since you told us you haven’t read the
> Intel Manuals yet.? Someone sent you a link to the Intel manuals - I would
> recommend that? you read them thoroughly, because they are the best source
> for the answers to the types of questions that you are asking.? If your
> questions were more on topic, or not on topic but at a higher level on a
> less complicated subject or had you already read the manual, then it
> wouldn’t be a problem, but for something like this, in my opinion, the
> etiquette here basically says that you have to take what you get for a
> question like this, and not keep posting until you get the very specific
> answer you want, and that people will lose patience if you don’t do your
> homework first.? Don’t get me wrong - you clearly have been reading what
> people have suggested (like that article), but you don’t seem to understand
> that the entry level for material like this is reading Volumes 1, 2 & 3 of
> the Intel Manuals, and until you do that, you’re not going to be able to do
> anything useful with this information.? That doesn’t mean you shouldn’t be
> told or even shouldn’t proceed this way, but understand that it will, in my
> opinion, make people want to help less.
>
> I hope that this is correct; it’s late, and I didn’t look very closely at
> the previous posts, but I think this is the general idea.
>
>
> Good luck,
>
> mm
>
>
>
>
>
>
>
> Lin George wrote:
>>
>> Hi Calin,
>> I have read through the article you mentioned for a couple of hours. It is
>> really good and I learned something which I donot know before, even if old
>> day technologies.
>> But, seems it does not directly cover the answer to my question? Or I miss
>> or misunderstand anything? Could you help to clarify please? :slight_smile:
>> regards,
>> George
>>
>>
>> ----- Original Message ----
>> From: Calin Iaru
>> To: Lin George
>> Cc: xxxxx@lists.osr.com
>> Sent: Wednesday, July 23, 2008 7:31:30 AM
>> Subject: Re: [windbg] strange 4 assembly instructions for a function
>>
>> The code you presented is code compiled on Win32 with Program Database for
>> Edit and Continue set. If you use Program Database, then the code will look
>> like:
>>
>> int f(int a, int b) {
>> 009911A0? push? ? ? ? ebp? 009911A1? mov? ? ? ? ebp,esp? ? return a+b;
>> 009911A3? mov? ? ? ? eax,dword ptr [a] 009911A6? add? ? ? ? eax,dword ptr
>> [b] }
>> 009911A9? pop? ? ? ? ebp? 009911AA? ret
>>
>> I don’t know why does PDEC arrange the code like this; perhaps is due to
>> EC feature. PDEC implies the /Gy compiler switch which places each function
>> definition in a code segment. The sum of these segments is the whole
>> program; to make the code smaller, the linker has the option to remove all
>> unused segments. An article written by Matt Pietrek specifies that the
>> functions compiled with /Gy are aligned on a power of 2 boundary which means
>> that each function will be padded with INT 3 instructions up to the next
>> alignment.
>> http://www.microsoft.com/msj/archive/S572.aspx
>> or search for Matt Pietrek comdat
>> on msdn.
>>
>> ----- Original Message ----
>> From: Lin George
>> To: xxxxx@yahoo.com
>> Cc: Kernel Debugging Interest List
>> Sent: Tuesday, July 22, 2008 7:53:57 AM
>> Subject: Re: [windbg] strange 4 assembly instructions for a function
>>
>> Thanks Calin,
>> I fully agree with you from your below points. But don’t you think it
>> initializes more stack space than actually needed?
>> I posted the assembly code again here. Any comments?
>> 00BA13CC? lea? ? ? ? edi,[ebp-0C0h] 00BA13D2? mov? ? ? ? ecx,30h 00BA13D7
>>? mov? ? ? ? eax,0CCCCCCCCh 00BA13DC? rep stos? ? dword ptr es:[edi] regards,
>> George
>>
>>
>> ----- Original Message ----
>> From: Calin Iaru
>> To: Kernel Debugging Interest List
>> Sent: Monday, July 21, 2008 8:24:42 PM
>> Subject: Re: [windbg] strange 4 assembly instructions for a function
>>
>> Hi,
>>
>>? the compiler fills with 0xCC about 0xC0 bytes of local stack data. I
>> expect a release build to clean up the code.
>>
>> Best regards,
>>? Calin
>>
>> PS.
>> 0xCC is a well known value which is distinctively recognized during a
>> crash. For instance, if you have a pointer which contains this value, it
>> will indicate that the pointer is not initialized. Other known value is an
>> 0xfeeefeee which says that the pointer was released. For pointers, use the
>> !address command to find out more information about wether the page was
>> allocated or freed and so on.
>>
>> — On Mon, 7/21/08, Lin George wrote:
>>
>>> From: Lin George
>>> Subject: [windbg] strange 4 assembly instructions for a function
>>> To: “Kernel Debugging Interest List”
>>> Date: Monday, July 21, 2008, 11:59 AM
>>> Hello everyone,
>>>
>>> I am confused what is the function of the 4 assembly
>>> instructions – I found them when debugging function prolog
>>> and epilog for study? I posted the 4 assembly instructions
>>> and related whole source code/assembly code below.
>>> Any ideas?
>>> <br>&gt;&gt;&gt; 00BA13CC? lea? ? ? ? edi,[ebp-0C0h] 00BA13D2? mov? ? ? ? ecx,30h 00BA13D7<br>&gt;&gt;&gt;? mov? ? ? ? eax,0CCCCCCCCh 00BA13DC? rep stos? ? dword ptr es:[edi]<br>&gt;&gt;&gt; int sumExample (int a, int b)<br>&gt;&gt;&gt; {<br>&gt;&gt;&gt; 00BA13C0? push? ? ? ? ebp? 00BA13C1? mov? ? ? ? ebp,esp 00BA13C3? sub<br>&gt;&gt;&gt;? ? esp,0C0h 00BA13C9? push? ? ? ? ebx? 00BA13CA? push? ? ? ? esi? 00BA13CB<br>&gt;&gt;&gt;? push? ? ? ? edi? 00BA13CC? lea? ? ? ? edi,[ebp-0C0h] 00BA13D2? mov<br>&gt;&gt;&gt;? ecx,30h 00BA13D7? mov? ? ? ? eax,0CCCCCCCCh 00BA13DC? rep stos? ? dword ptr<br>&gt;&gt;&gt; es:[edi]? ? return a + b;<br>&gt;&gt;&gt; 00BA13DE? mov? ? ? ? eax,dword ptr [a] 00BA13E1? add? ? ? ? eax,dword ptr<br>&gt;&gt;&gt; [b] }<br>&gt;&gt;&gt; #include <iostream><br>&gt;&gt;&gt; using namespace std;<br>&gt;&gt;&gt; int sumExample (int a, int b)<br>&gt;&gt;&gt; {<br>&gt;&gt;&gt;? ? return a + b;<br>&gt;&gt;&gt; }<br>&gt;&gt;&gt; int main()<br>&gt;&gt;&gt; {<br>&gt;&gt;&gt;? int c = sumExample (100, 200);<br>&gt;&gt;&gt;? cout &lt;&lt; c &lt;&lt; endl;<br>&gt;&gt;&gt;? return 0;<br>&gt;&gt;&gt; }<br>&gt;&gt;&gt;
>>>
>>> thanks in advance,
>>> George
>>>
>>>
>>>
>>> —
>>> You are currently subscribed to windbg as: unknown lmsubst
>>> tag argument: ‘’
>>> To unsubscribe send a blank email to
>>> xxxxx@lists.osr.com
>>
>>
>>
>> —
>> You are currently subscribed to windbg as: unknown lmsubst tag argument:
>> ‘’
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>>
>>
>
> —
> You are currently subscribed to windbg as: xxxxx@jimdonelson.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>


You are currently subscribed to windbg as: xxxxx@yahoo.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Well, this is a kernel list, so none of ever ever use edit and continue.
I personally never use it as for one thing it does not always work,
for the reason you stated,and over the years there have been various
bugs with it.
Not to mention the fact it causes odd code to be generated.
Best advice - shut it off.

On Fri, Aug 15, 2008 at 8:46 AM, Jim Donelson wrote:
> Well, this is a kernel list, so none of ever ever use edit and continue.
> I personally never use it as for one thing it does not always work,
> for the reason you stated,and over the years there have been various
> bugs with it.
> Not to mention the fact it causes odd code to be generated.
> Best advice - shut it off.
>
>
> On Fri, Aug 15, 2008 at 3:02 AM, Lin George wrote:
>> Thanks Martin,
>> I agree with you. One more question, why reserving more space will enable the edit and continue feature as mentioned? This point I am very interested, but can not find any materials through Google search. Do you have any more documents in details? Or you describe by yourself?
>> (my confusion is, the developer could edit and insert as much as information – like code and data change – as he can, how could we predict the space which developer will be used in edit and continue feature?)
>> regards,
>> George
>>
>>
>> ----- Original Message ----
>> From: Martin O’Brien
>> To: Kernel Debugging Interest List
>> Sent: Thursday, August 14, 2008 2:52:30 PM
>> Subject: Re:[windbg] strange 4 assembly instructions for a function
>>
>> We seem to be going around in circles, so let’s try this differently:
>>
>> 1. What is your question? Please include ALL the code relevant to it.
>>
>> My guess is that your question is:
>>
>>> Don’t you think it initializes more stack space than actually needed?
>>
>> And that this is the code:
>>
>>>> 00BA13C0 push ebp
>>>> 00BA13C1 mov ebp,esp
>>>> 00BA13C3 sub esp,0C0h
>>>> 00BA13C9 push ebx
>>>> 00BA13CA push esi
>>>> 00BA13CB push edi
>>>> 00BA13CC lea edi,[ebp-0C0h]
>>>> 00BA13D2 mov ecx,30h
>>>> 00BA13D7 mov eax,0CCCCCCCCh
>>>> 00BA13DC rep stos dword ptr es:[edi]
>>
>> Assuming that this is correct, the basic answer is more or less what you’ve already been told. It’s marking the ‘beginning’ of the
>> local stack with a some padding bytes that happen to the opcode for an ‘INT 3’ (0xCC). I’m not sure the specific purpose the
>> compiler devs have in mind, but one thing it would definitely help with is diagnosing stack faults, which really suck to debug
>> without some sort of cheating like this, because by the time you find out about the problem, you’re usually well away from the
>> cause. With this technique, if you happen to end up outside the stack boundaries - within 0xC0 bytes in this case - the cpu will
>> execute an 0xCC, a.k.a - INT 3, which will land you immediately in WinDbg, so you have a much better chance to figure out what the
>> actual problem is more quickly, without having to traverse a blown stack, which itself can confuse WinDbg. So, from above:
>>
>>
>>>> 00BA13C0 push ebp -> standard prolog: preserve the base pointer
>>>> 00BA13C1 mov ebp,esp -> standard prolog: set the base pointer to the current stack pointer
>>>> 00BA13C3 sub esp,0C0h -> standard prolog: create 0xC0 (in this case) bytes of local space on the stack
>>>> 00BA13C9 push ebx -> preserve ebx (for later use)
>>>> 00BA13CA push esi -> preserve esi (for later use)
>>>> 00BA13CB push edi -> preserve edi (for use as target of ‘rep stos’)
>>>> 00BA13CC lea edi,[ebp-0C0h] -> load the effective address of he first byte of the local space created in (2)
>>>> 00BA13D2 mov ecx,30h -> set ecx (iterations of ‘stos’ to ‘rep’) 0x30==0xC0/sizeof(dword ptr)
>>>> 00BA13D7 mov eax,0CCCCCCCCh -> set eax to the value of write to memory
>>>> 00BA13DC rep stos dword ptr es:[edi] -> stores value in EAX to es:[EDI], then decrements ECX, ECX times
>>
>> The extra space could be used for some other purposes as well, some of which others have mentioned, like ‘Edit and Continue (-ZI’).
>> As I said, I really don’t know the SPECIFIC purpose in this case, but this is the general idea. If you want to know the SPECIFIC
>> reason, you’re going to need to find the compiler dev, or someone willing to speak for him.
>>
>> In general, George, you’re asking very detailed questions, on a very low level subject, that isn’t really on topic here, though
>> that’s not really an issue, at least as far as I’m concerned. That being said, what I do find to be a little bit of an issue - not
>> a big one - is that you seem to be unsatisfied with anything but the specific answer to the very question you are asking, all
>> spelled out for you, on a topic like this - complicated, low level and not on topic, especially since you told us you haven’t read
>> the Intel Manuals yet. Someone sent you a link to the Intel manuals - I would recommend that you read them thoroughly, because
>> they are the best source for the answers to the types of questions that you are asking. If your questions were more on topic, or
>> not on topic but at a higher level on a less complicated subject or had you already read the manual, then it wouldn’t be a problem,
>> but for something like this, in my opinion, the etiquette here basically says that you have to take what you get for a question like
>> this, and not keep posting until you get the very specific answer you want, and that people will lose patience if you don’t do your
>> homework first. Don’t get me wrong - you clearly have been reading what people have suggested (like that article), but you don’t
>> seem to understand that the entry level for material like this is reading Volumes 1, 2 & 3 of the Intel Manuals, and until you do
>> that, you’re not going to be able to do anything useful with this information. That doesn’t mean you shouldn’t be told or even
>> shouldn’t proceed this way, but understand that it will, in my opinion, make people want to help less.
>>
>> I hope that this is correct; it’s late, and I didn’t look very closely at the previous posts, but I think this is the general idea.
>>
>>
>> Good luck,
>>
>> mm
>>
>>
>>
>>
>>
>>
>>
>> Lin George wrote:
>>> Hi Calin,
>>> I have read through the article you mentioned for a couple of hours. It is really good and I learned something which I donot know before, even if old day technologies.
>>> But, seems it does not directly cover the answer to my question? Or I miss or misunderstand anything? Could you help to clarify please? :slight_smile:
>>> regards,
>>> George
>>>
>>>
>>> ----- Original Message ----
>>> From: Calin Iaru
>>> To: Lin George
>>> Cc: xxxxx@lists.osr.com
>>> Sent: Wednesday, July 23, 2008 7:31:30 AM
>>> Subject: Re: [windbg] strange 4 assembly instructions for a function
>>>
>>> The code you presented is code compiled on Win32 with Program Database for Edit and Continue set. If you use Program Database, then the code will look like:
>>>
>>> int f(int a, int b) {
>>> 009911A0 push ebp
>>> 009911A1 mov ebp,esp
>>> return a+b;
>>> 009911A3 mov eax,dword ptr [a]
>>> 009911A6 add eax,dword ptr [b]
>>> }
>>> 009911A9 pop ebp
>>> 009911AA ret
>>>
>>>
>>> I don’t know why does PDEC arrange the code like this; perhaps is due to EC feature. PDEC implies the /Gy compiler switch which places each function definition in a code segment. The sum of these segments is the whole program; to make the code smaller, the linker has the option to remove all unused segments. An article written by Matt Pietrek specifies that the functions compiled with /Gy are aligned on a power of 2 boundary which means that each function will be padded with INT 3 instructions up to the next alignment.
>>> http://www.microsoft.com/msj/archive/S572.aspx
>>> or search for
>>> Matt Pietrek comdat
>>> on msdn.
>>>
>>> ----- Original Message ----
>>> From: Lin George
>>> To: xxxxx@yahoo.com
>>> Cc: Kernel Debugging Interest List
>>> Sent: Tuesday, July 22, 2008 7:53:57 AM
>>> Subject: Re: [windbg] strange 4 assembly instructions for a function
>>>
>>> Thanks Calin,
>>> I fully agree with you from your below points. But don’t you think it initializes more stack space than actually needed?
>>> I posted the assembly code again here. Any comments?
>>> 00BA13CC lea edi,[ebp-0C0h]
>>> 00BA13D2 mov ecx,30h
>>> 00BA13D7 mov eax,0CCCCCCCCh
>>> 00BA13DC rep stos dword ptr es:[edi]
>>> regards,
>>> George
>>>
>>>
>>> ----- Original Message ----
>>> From: Calin Iaru
>>> To: Kernel Debugging Interest List
>>> Sent: Monday, July 21, 2008 8:24:42 PM
>>> Subject: Re: [windbg] strange 4 assembly instructions for a function
>>>
>>> Hi,
>>>
>>> the compiler fills with 0xCC about 0xC0 bytes of local stack data. I expect a release build to clean up the code.
>>>
>>> Best regards,
>>> Calin
>>>
>>> PS.
>>> 0xCC is a well known value which is distinctively recognized during a crash. For instance, if you have a pointer which contains this value, it will indicate that the pointer is not initialized. Other known value is an 0xfeeefeee which says that the pointer was released. For pointers, use the !address command to find out more information about wether the page was allocated or freed and so on.
>>>
>>> — On Mon, 7/21/08, Lin George wrote:
>>>
>>>> From: Lin George
>>>> Subject: [windbg] strange 4 assembly instructions for a function
>>>> To: “Kernel Debugging Interest List”
>>>> Date: Monday, July 21, 2008, 11:59 AM
>>>> Hello everyone,
>>>>
>>>> I am confused what is the function of the 4 assembly
>>>> instructions – I found them when debugging function prolog
>>>> and epilog for study? I posted the 4 assembly instructions
>>>> and related whole source code/assembly code below.
>>>> Any ideas?
>>>> <br>&gt;&gt;&gt;&gt; 00BA13CC lea edi,[ebp-0C0h]<br>&gt;&gt;&gt;&gt; 00BA13D2 mov ecx,30h<br>&gt;&gt;&gt;&gt; 00BA13D7 mov eax,0CCCCCCCCh<br>&gt;&gt;&gt;&gt; 00BA13DC rep stos dword ptr es:[edi]<br>&gt;&gt;&gt;&gt;<br>&gt;&gt;&gt;&gt; int sumExample (int a, int b)<br>&gt;&gt;&gt;&gt; {<br>&gt;&gt;&gt;&gt; 00BA13C0 push ebp<br>&gt;&gt;&gt;&gt; 00BA13C1 mov ebp,esp<br>&gt;&gt;&gt;&gt; 00BA13C3 sub esp,0C0h<br>&gt;&gt;&gt;&gt; 00BA13C9 push ebx<br>&gt;&gt;&gt;&gt; 00BA13CA push esi<br>&gt;&gt;&gt;&gt; 00BA13CB push edi<br>&gt;&gt;&gt;&gt; 00BA13CC lea edi,[ebp-0C0h]<br>&gt;&gt;&gt;&gt; 00BA13D2 mov ecx,30h<br>&gt;&gt;&gt;&gt; 00BA13D7 mov eax,0CCCCCCCCh<br>&gt;&gt;&gt;&gt; 00BA13DC rep stos dword ptr es:[edi]<br>&gt;&gt;&gt;&gt; return a + b;<br>&gt;&gt;&gt;&gt; 00BA13DE mov eax,dword ptr [a]<br>&gt;&gt;&gt;&gt; 00BA13E1 add eax,dword ptr [b]<br>&gt;&gt;&gt;&gt; }<br>&gt;&gt;&gt;&gt; #include <iostream><br>&gt;&gt;&gt;&gt; using namespace std;<br>&gt;&gt;&gt;&gt; int sumExample (int a, int b)<br>&gt;&gt;&gt;&gt; {<br>&gt;&gt;&gt;&gt; return a + b;<br>&gt;&gt;&gt;&gt; }<br>&gt;&gt;&gt;&gt; int main()<br>&gt;&gt;&gt;&gt; {<br>&gt;&gt;&gt;&gt; int c = sumExample (100, 200);<br>&gt;&gt;&gt;&gt; cout &lt;&lt; c &lt;&lt; endl;<br>&gt;&gt;&gt;&gt; return 0;<br>&gt;&gt;&gt;&gt; }<br>&gt;&gt;&gt;&gt;
>>>>
>>>> thanks in advance,
>>>> George
>>>>
>>>>
>>>>
>>>>
>>>> —
>>>> You are currently subscribed to windbg as: unknown lmsubst
>>>> tag argument: ‘’
>>>> To unsubscribe send a blank email to
>>>> xxxxx@lists.osr.com
>>>
>>>
>>>
>>>
>>> —
>>> You are currently subscribed to windbg as: unknown lmsubst tag argument: ‘’
>>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>>
>>>
>>>
>>>
>>
>> —
>> You are currently subscribed to windbg as: xxxxx@yahoo.com
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>>
>>
>>
>>
>> —
>> You are currently subscribed to windbg as: unknown lmsubst tag argument: ‘’
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>

Thanks Jim,
Basically I agree with you. I just want to get some referred documents about how edit and continue works on the basis of reserving? more stack space. Do you have any recommendations?
regards,
George

----- Original Message ----
From: Jim Donelson
To: Kernel Debugging Interest List
Sent: Friday, August 15, 2008 8:49:13 PM
Subject: Re: [windbg] strange 4 assembly instructions for a function

Well, this is a kernel list, so none of ever ever use edit and continue.
I personally never use it as for one thing it does not always work,
for the reason you stated,and over the years there have been various
bugs with it.
Not to mention the fact it causes odd code to be generated.
Best advice - shut it off.

On Fri, Aug 15, 2008 at 8:46 AM, Jim Donelson wrote:
> Well, this is a kernel list, so none of ever ever use edit and continue.
> I personally never use it as for one thing it does not always work,
> for the reason you stated,and over the years there have been various
> bugs with it.
> Not to mention the fact it causes odd code to be generated.
> Best advice - shut it off.
>
>
> On Fri, Aug 15, 2008 at 3:02 AM, Lin George wrote:
>> Thanks Martin,
>> I agree with you. One more question, why reserving more space will enable the edit and continue feature as mentioned? This point I am very interested, but can not find any materials through Google search. Do you have any more documents in details? Or you describe by yourself?
>> (my confusion is, the developer could edit and insert as much as information – like code and data change – as he can, how could we predict the space which developer will be used in edit and continue feature?)
>> regards,
>> George
>>
>>
>> ----- Original Message ----
>> From: Martin O’Brien
>> To: Kernel Debugging Interest List
>> Sent: Thursday, August 14, 2008 2:52:30 PM
>> Subject: Re:[windbg] strange 4 assembly instructions for a function
>>
>> We seem to be going around in circles, so let’s try this differently:
>>
>> 1.? What is your question?? Please include ALL the code relevant to it.
>>
>> My guess is that your question is:
>>
>>> Don’t you think it initializes more stack space than actually needed?
>>
>> And that this is the code:
>>
>>>> 00BA13C0? push? ? ? ? ebp
>>>> 00BA13C1? mov? ? ? ? ebp,esp
>>>> 00BA13C3? sub? ? ? ? esp,0C0h
>>>> 00BA13C9? push? ? ? ? ebx
>>>> 00BA13CA? push? ? ? ? esi
>>>> 00BA13CB? push? ? ? ? edi
>>>> 00BA13CC? lea? ? ? ? edi,[ebp-0C0h]
>>>> 00BA13D2? mov? ? ? ? ecx,30h
>>>> 00BA13D7? mov? ? ? ? eax,0CCCCCCCCh
>>>> 00BA13DC? rep stos? ? dword ptr es:[edi]
>>
>> Assuming that this is correct, the basic answer is more or less what you’ve already been told.? It’s marking the ‘beginning’ of the
>> local stack with a some padding bytes that happen to the opcode for an ‘INT 3’ (0xCC).? I’m not sure the specific purpose the
>> compiler devs have in mind, but one thing it would definitely help with is diagnosing stack faults, which really suck to debug
>> without some sort of cheating like this, because by the time you find out about the problem, you’re usually well away from the
>> cause.? With this technique, if you happen to end up outside the stack boundaries - within 0xC0 bytes in this case - the cpu will
>> execute an 0xCC, a.k.a - INT 3, which will land you immediately in WinDbg, so you have a much better chance to figure out what the
>> actual problem is more quickly, without having to traverse a blown stack, which itself can confuse WinDbg.? So, from above:
>>
>>
>>>> 00BA13C0? push? ? ? ? ebp? ? ? ? ? ? -> standard prolog: preserve the base pointer
>>>> 00BA13C1? mov? ? ? ? ebp,esp? ? ? ? -> standard prolog: set the base pointer to the current stack pointer
>>>> 00BA13C3? sub? ? ? ? esp,0C0h? ? ? ? -> standard prolog: create 0xC0 (in this case) bytes of local space on the stack
>>>> 00BA13C9? push? ? ? ? ebx? ? ? ? ? ? ? -> preserve ebx (for later use)
>>>> 00BA13CA? push? ? ? ? esi? ? ? ? ? ? ? -> preserve esi (for later use)
>>>> 00BA13CB? push? ? ? ? edi? ? ? ? ? ? ? -> preserve edi (for use as target of ‘rep stos’)
>>>> 00BA13CC? lea? ? ? ? edi,[ebp-0C0h]? ? ? ? -> load the effective address of he first byte of the local space created in (2)
>>>> 00BA13D2? mov? ? ? ? ecx,30h? ? ? ? -> set ecx (iterations of ‘stos’ to ‘rep’) 0x30==0xC0/sizeof(dword ptr)
>>>> 00BA13D7? mov? ? ? ? eax,0CCCCCCCCh? ? ? ? -> set eax to the value of write to memory
>>>> 00BA13DC? rep stos? ? dword ptr es:[edi]? ? -> stores value in EAX to es:[EDI], then decrements ECX, ECX times
>>
>> The extra space could be used for some other purposes as well, some of which others have mentioned, like ‘Edit and Continue (-ZI’).
>>? As I said, I really don’t know the SPECIFIC purpose in this case, but this is the general idea.? If you want to know the SPECIFIC
>> reason, you’re going to need to find the compiler dev, or someone willing to speak for him.
>>
>> In general, George, you’re asking very detailed questions, on a very low level subject, that isn’t really on topic here, though
>> that’s not really an issue, at least as far as I’m concerned.? That being said, what I do find to be a little bit of an issue - not
>> a big one - is that you seem to be unsatisfied with anything but the specific answer to the very question you are asking, all
>> spelled out for you, on a topic like this - complicated, low level and not on topic, especially since you told us you haven’t read
>> the Intel Manuals yet.? Someone sent you a link to the Intel manuals - I would recommend that? you read them thoroughly, because
>> they are the best source for the answers to the types of questions that you are asking.? If your questions were more on topic, or
>> not on topic but at a higher level on a less complicated subject or had you already read the manual, then it wouldn’t be a problem,
>> but for something like this, in my opinion, the etiquette here basically says that you have to take what you get for a question like
>> this, and not keep posting until you get the very specific answer you want, and that people will lose patience if you don’t do your
>> homework first.? Don’t get me wrong - you clearly have been reading what people have suggested (like that article), but you don’t
>> seem to understand that the entry level for material like this is reading Volumes 1, 2 & 3 of the Intel Manuals, and until you do
>> that, you’re not going to be able to do anything useful with this information.? That doesn’t mean you shouldn’t be told or even
>> shouldn’t proceed this way, but understand that it will, in my opinion, make people want to help less.
>>
>> I hope that this is correct; it’s late, and I didn’t look very closely at the previous posts, but I think this is the general idea.
>>
>>
>> Good luck,
>>
>> mm
>>
>>
>>
>>
>>
>>
>>
>> Lin George wrote:
>>> Hi Calin,
>>> I have read through the article you mentioned for a couple of hours. It is really good and I learned something which I donot know before, even if old day technologies.
>>> But, seems it does not directly cover the answer to my question? Or I miss or misunderstand anything? Could you help to clarify please? :slight_smile:
>>> regards,
>>> George
>>>
>>>
>>> ----- Original Message ----
>>> From: Calin Iaru
>>> To: Lin George
>>> Cc: xxxxx@lists.osr.com
>>> Sent: Wednesday, July 23, 2008 7:31:30 AM
>>> Subject: Re: [windbg] strange 4 assembly instructions for a function
>>>
>>> The code you presented is code compiled on Win32 with Program Database for Edit and Continue set. If you use Program Database, then the code will look like:
>>>
>>> int f(int a, int b) {
>>> 009911A0? push? ? ? ? ebp
>>> 009911A1? mov? ? ? ? ebp,esp
>>>? ? return a+b;
>>> 009911A3? mov? ? ? ? eax,dword ptr [a]
>>> 009911A6? add? ? ? ? eax,dword ptr [b]
>>> }
>>> 009911A9? pop? ? ? ? ebp
>>> 009911AA? ret
>>>
>>>
>>> I don’t know why does PDEC arrange the code like this; perhaps is due to EC feature. PDEC implies the /Gy compiler switch which places each function definition in a code segment. The sum of these segments is the whole program; to make the code smaller, the linker has the option to remove all unused segments. An article written by Matt Pietrek specifies that the functions compiled with /Gy are aligned on a power of 2 boundary which means that each function will be padded with INT 3 instructions up to the next alignment.
>>> http://www.microsoft.com/msj/archive/S572.aspx
>>> or search for
>>> Matt Pietrek comdat
>>> on msdn.
>>>
>>> ----- Original Message ----
>>> From: Lin George
>>> To: xxxxx@yahoo.com
>>> Cc: Kernel Debugging Interest List
>>> Sent: Tuesday, July 22, 2008 7:53:57 AM
>>> Subject: Re: [windbg] strange 4 assembly instructions for a function
>>>
>>> Thanks Calin,
>>> I fully agree with you from your below points. But don’t you think it initializes more stack space than actually needed?
>>> I posted the assembly code again here. Any comments?
>>> 00BA13CC? lea? ? ? ? edi,[ebp-0C0h]
>>> 00BA13D2? mov? ? ? ? ecx,30h
>>> 00BA13D7? mov? ? ? ? eax,0CCCCCCCCh
>>> 00BA13DC? rep stos? ? dword ptr es:[edi]
>>> regards,
>>> George
>>>
>>>
>>> ----- Original Message ----
>>> From: Calin Iaru
>>> To: Kernel Debugging Interest List
>>> Sent: Monday, July 21, 2008 8:24:42 PM
>>> Subject: Re: [windbg] strange 4 assembly instructions for a function
>>>
>>> Hi,
>>>
>>>? the compiler fills with 0xCC about 0xC0 bytes of local stack data. I expect a release build to clean up the code.
>>>
>>> Best regards,
>>>? Calin
>>>
>>> PS.
>>> 0xCC is a well known value which is distinctively recognized during a crash. For instance, if you have a pointer which contains this value, it will indicate that the pointer is not initialized. Other known value is an 0xfeeefeee which says that the pointer was released. For pointers, use the !address command to find out more information about wether the page was allocated or freed and so on.
>>>
>>> — On Mon, 7/21/08, Lin George wrote:
>>>
>>>> From: Lin George
>>>> Subject: [windbg] strange 4 assembly instructions for a function
>>>> To: “Kernel Debugging Interest List”
>>>> Date: Monday, July 21, 2008, 11:59 AM
>>>> Hello everyone,
>>>>
>>>> I am confused what is the function of the 4 assembly
>>>> instructions – I found them when debugging function prolog
>>>> and epilog for study? I posted the 4 assembly instructions
>>>> and related whole source code/assembly code below.
>>>> Any ideas?
>>>> <br>&gt;&gt;&gt;&gt; 00BA13CC? lea? ? ? ? edi,[ebp-0C0h]<br>&gt;&gt;&gt;&gt; 00BA13D2? mov? ? ? ? ecx,30h<br>&gt;&gt;&gt;&gt; 00BA13D7? mov? ? ? ? eax,0CCCCCCCCh<br>&gt;&gt;&gt;&gt; 00BA13DC? rep stos? ? dword ptr es:[edi]<br>&gt;&gt;&gt;&gt;<br>&gt;&gt;&gt;&gt; int sumExample (int a, int b)<br>&gt;&gt;&gt;&gt; {<br>&gt;&gt;&gt;&gt; 00BA13C0? push? ? ? ? ebp<br>&gt;&gt;&gt;&gt; 00BA13C1? mov? ? ? ? ebp,esp<br>&gt;&gt;&gt;&gt; 00BA13C3? sub? ? ? ? esp,0C0h<br>&gt;&gt;&gt;&gt; 00BA13C9? push? ? ? ? ebx<br>&gt;&gt;&gt;&gt; 00BA13CA? push? ? ? ? esi<br>&gt;&gt;&gt;&gt; 00BA13CB? push? ? ? ? edi<br>&gt;&gt;&gt;&gt; 00BA13CC? lea? ? ? ? edi,[ebp-0C0h]<br>&gt;&gt;&gt;&gt; 00BA13D2? mov? ? ? ? ecx,30h<br>&gt;&gt;&gt;&gt; 00BA13D7? mov? ? ? ? eax,0CCCCCCCCh<br>&gt;&gt;&gt;&gt; 00BA13DC? rep stos? ? dword ptr es:[edi]<br>&gt;&gt;&gt;&gt;? ? return a + b;<br>&gt;&gt;&gt;&gt; 00BA13DE? mov? ? ? ? eax,dword ptr [a]<br>&gt;&gt;&gt;&gt; 00BA13E1? add? ? ? ? eax,dword ptr [b]<br>&gt;&gt;&gt;&gt; }<br>&gt;&gt;&gt;&gt; #include <iostream><br>&gt;&gt;&gt;&gt; using namespace std;<br>&gt;&gt;&gt;&gt; int sumExample (int a, int b)<br>&gt;&gt;&gt;&gt; {<br>&gt;&gt;&gt;&gt;? ? return a + b;<br>&gt;&gt;&gt;&gt; }<br>&gt;&gt;&gt;&gt; int main()<br>&gt;&gt;&gt;&gt; {<br>&gt;&gt;&gt;&gt;? int c = sumExample (100, 200);<br>&gt;&gt;&gt;&gt;? cout &lt;&lt; c &lt;&lt; endl;<br>&gt;&gt;&gt;&gt;? return 0;<br>&gt;&gt;&gt;&gt; }<br>&gt;&gt;&gt;&gt;
>>>>
>>>> thanks in advance,
>>>> George
>>>>
>>>>
>>>>
>>>>
>>>> —
>>>> You are currently subscribed to windbg as: unknown lmsubst
>>>> tag argument: ‘’
>>>> To unsubscribe send a blank email to
>>>> xxxxx@lists.osr.com
>>>
>>>
>>>
>>>
>>> —
>>> You are currently subscribed to windbg as: unknown lmsubst tag argument: ‘’
>>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>>
>>>
>>>
>>>
>>
>> —
>> You are currently subscribed to windbg as: xxxxx@yahoo.com
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>>
>>
>>
>>
>> —
>> You are currently subscribed to windbg as: unknown lmsubst tag argument: ‘’
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>


You are currently subscribed to windbg as: xxxxx@yahoo.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

I can assume that 0xC0 is the size of the local variables that are allowed to be added during edit and continue. I guess you are not using Visual Studio 6? 6 appears to limit to 0x40 the amount of local variables. Here’s a paper describing this:

http://tinyurl.com/6gb4rm
or search for
“Enhanced Debugging with Edit and Continue in Microsoft Visual C++ 6.0”
This is a link for Visual Studio 2008:
http://tinyurl.com/6e8ayf

----- Original Message ----
From: Lin George
To: Kernel Debugging Interest List
Cc: Kernel Debugging Interest List
Sent: Friday, August 15, 2008 3:11:30 PM
Subject: Re: [windbg] strange 4 assembly instructions for a function

Thanks Jim,
Basically I agree with you. I just want to get some referred documents about how edit and continue works on the basis of reserving more stack space. Do you have any recommendations?
regards,
George

----- Original Message ----
From: Jim Donelson
To: Kernel Debugging Interest List
Sent: Friday, August 15, 2008 8:49:13 PM
Subject: Re: [windbg] strange 4 assembly instructions for a function

Well, this is a kernel list, so none of ever ever use edit and continue.
I personally never use it as for one thing it does not always work,
for the reason you stated,and over the years there have been various
bugs with it.
Not to mention the fact it causes odd code to be generated.
Best advice - shut it off.

On Fri, Aug 15, 2008 at 8:46 AM, Jim Donelson wrote:
> Well, this is a kernel list, so none of ever ever use edit and continue.
> I personally never use it as for one thing it does not always work,
> for the reason you stated,and over the years there have been various
> bugs with it.
> Not to mention the fact it causes odd code to be generated.
> Best advice - shut it off.
>
>
> On Fri, Aug 15, 2008 at 3:02 AM, Lin George wrote:
>> Thanks Martin,
>> I agree with you. One more question, why reserving more space will enable the edit and continue feature as mentioned? This point I am very interested, but can not find any materials through Google search. Do you have any more documents in details? Or you describe by yourself?
>> (my confusion is, the developer could edit and insert as much as information – like code and data change – as he can, how could we predict the space which developer will be used in edit and continue feature?)
>> regards,
>> George
>>
>>
>> ----- Original Message ----
>> From: Martin O’Brien
>> To: Kernel Debugging Interest List
>> Sent: Thursday, August 14, 2008 2:52:30 PM
>> Subject: Re:[windbg] strange 4 assembly instructions for a function
>>
>> We seem to be going around in circles, so let’s try this differently:
>>
>> 1. What is your question? Please include ALL the code relevant to it.
>>
>> My guess is that your question is:
>>
>>> Don’t you think it initializes more stack space than actually needed?
>>
>> And that this is the code:
>>
>>>> 00BA13C0 push ebp
>>>> 00BA13C1 mov ebp,esp
>>>> 00BA13C3 sub esp,0C0h
>>>> 00BA13C9 push ebx
>>>> 00BA13CA push esi
>>>> 00BA13CB push edi
>>>> 00BA13CC lea edi,[ebp-0C0h]
>>>> 00BA13D2 mov ecx,30h
>>>> 00BA13D7 mov eax,0CCCCCCCCh
>>>> 00BA13DC rep stos dword ptr es:[edi]
>>
>> Assuming that this is correct, the basic answer is more or less what you’ve already been told. It’s marking the ‘beginning’ of the
>> local stack with a some padding bytes that happen to the opcode for an ‘INT 3’ (0xCC). I’m not sure the specific purpose the
>> compiler devs have in mind, but one thing it would definitely help with is diagnosing stack faults, which really suck to debug
>> without some sort of cheating like this, because by the time you find out about the problem, you’re usually well away from the
>> cause. With this technique, if you happen to end up outside the stack boundaries - within 0xC0 bytes in this case - the cpu will
>> execute an 0xCC, a.k.a - INT 3, which will land you immediately in WinDbg, so you have a much better chance to figure out what the
>> actual problem is more quickly, without having to traverse a blown stack, which itself can confuse WinDbg. So, from above:
>>
>>
>>>> 00BA13C0 push ebp -> standard prolog: preserve the base pointer
>>>> 00BA13C1 mov ebp,esp -> standard prolog: set the base pointer to the current stack pointer
>>>> 00BA13C3 sub esp,0C0h -> standard prolog: create 0xC0 (in this case) bytes of local space on the stack
>>>> 00BA13C9 push ebx -> preserve ebx (for later use)
>>>> 00BA13CA push esi -> preserve esi (for later use)
>>>> 00BA13CB push edi -> preserve edi (for use as target of ‘rep stos’)
>>>> 00BA13CC lea edi,[ebp-0C0h] -> load the effective address of he first byte of the local space created in (2)
>>>> 00BA13D2 mov ecx,30h -> set ecx (iterations of ‘stos’ to ‘rep’) 0x30==0xC0/sizeof(dword ptr)
>>>> 00BA13D7 mov eax,0CCCCCCCCh -> set eax to the value of write to memory
>>>> 00BA13DC rep stos dword ptr es:[edi] -> stores value in EAX to es:[EDI], then decrements ECX, ECX times
>>
>> The extra space could be used for some other purposes as well, some of which others have mentioned, like ‘Edit and Continue (-ZI’).
>> As I said, I really don’t know the SPECIFIC purpose in this case, but this is the general idea. If you want to know the SPECIFIC
>> reason, you’re going to need to find the compiler dev, or someone willing to speak for him.
>>
>> In general, George, you’re asking very detailed questions, on a very low level subject, that isn’t really on topic here, though
>> that’s not really an issue, at least as far as I’m concerned. That being said, what I do find to be a little bit of an issue - not
>> a big one - is that you seem to be unsatisfied with anything but the specific answer to the very question you are asking, all
>> spelled out for you, on a topic like this - complicated, low level and not on topic, especially since you told us you haven’t read
>> the Intel Manuals yet. Someone sent you a link to the Intel manuals - I would recommend that you read them thoroughly, because
>> they are the best source for the answers to the types of questions that you are asking. If your questions were more on topic, or
>> not on topic but at a higher level on a less complicated subject or had you already read the manual, then it wouldn’t be a problem,
>> but for something like this, in my opinion, the etiquette here basically says that you have to take what you get for a question like
>> this, and not keep posting until you get the very specific answer you want, and that people will lose patience if you don’t do your
>> homework first. Don’t get me wrong - you clearly have been reading what people have suggested (like that article), but you don’t
>> seem to understand that the entry level for material like this is reading Volumes 1, 2 & 3 of the Intel Manuals, and until you do
>> that, you’re not going to be able to do anything useful with this information. That doesn’t mean you shouldn’t be told or even
>> shouldn’t proceed this way, but understand that it will, in my opinion, make people want to help less.
>>
>> I hope that this is correct; it’s late, and I didn’t look very closely at the previous posts, but I think this is the general idea.
>>
>>
>> Good luck,
>>
>> mm
>>
>>
>>
>>
>>
>>
>>
>> Lin George wrote:
>>> Hi Calin,
>>> I have read through the article you mentioned for a couple of hours. It is really good and I learned something which I donot know before, even if old day technologies.
>>> But, seems it does not directly cover the answer to my question? Or I miss or misunderstand anything? Could you help to clarify please? :slight_smile:
>>> regards,
>>> George
>>>
>>>
>>> ----- Original Message ----
>>> From: Calin Iaru
>>> To: Lin George
>>> Cc: xxxxx@lists.osr.com
>>> Sent: Wednesday, July 23, 2008 7:31:30 AM
>>> Subject: Re: [windbg] strange 4 assembly instructions for a function
>>>
>>> The code you presented is code compiled on Win32 with Program Database for Edit and Continue set. If you use Program Database, then the code will look like:
>>>
>>> int f(int a, int b) {
>>> 009911A0 push ebp
>>> 009911A1 mov ebp,esp
>>> return a+b;
>>> 009911A3 mov eax,dword ptr [a]
>>> 009911A6 add eax,dword ptr [b]
>>> }
>>> 009911A9 pop ebp
>>> 009911AA ret
>>>
>>>
>>> I don’t know why does PDEC arrange the code like this; perhaps is due to EC feature. PDEC implies the /Gy compiler switch which places each function definition in a code segment. The sum of these segments is the whole program; to make the code smaller, the linker has the option to remove all unused segments. An article written by Matt Pietrek specifies that the functions compiled with /Gy are aligned on a power of 2 boundary which means that each function will be padded with INT 3 instructions up to the next alignment.
>>> http://www.microsoft.com/msj/archive/S572.aspx
>>> or search for
>>> Matt Pietrek comdat
>>> on msdn.
>>>
>>> ----- Original Message ----
>>> From: Lin George
>>> To: xxxxx@yahoo.com
>>> Cc: Kernel Debugging Interest List
>>> Sent: Tuesday, July 22, 2008 7:53:57 AM
>>> Subject: Re: [windbg] strange 4 assembly instructions for a function
>>>
>>> Thanks Calin,
>>> I fully agree with you from your below points. But don’t you think it initializes more stack space than actually needed?
>>> I posted the assembly code again here. Any comments?
>>> 00BA13CC lea edi,[ebp-0C0h]
>>> 00BA13D2 mov ecx,30h
>>> 00BA13D7 mov eax,0CCCCCCCCh
>>> 00BA13DC rep stos dword ptr es:[edi]
>>> regards,
>>> George
>>>
>>>
>>> ----- Original Message ----
>>> From: Calin Iaru
>>> To: Kernel Debugging Interest List
>>> Sent: Monday, July 21, 2008 8:24:42 PM
>>> Subject: Re: [windbg] strange 4 assembly instructions for a function
>>>
>>> Hi,
>>>
>>> the compiler fills with 0xCC about 0xC0 bytes of local stack data. I expect a release build to clean up the code.
>>>
>>> Best regards,
>>> Calin
>>>
>>> PS.
>>> 0xCC is a well known value which is distinctively recognized during a crash. For instance, if you have a pointer which contains this value, it will indicate that the pointer is not initialized. Other known value is an 0xfeeefeee which says that the pointer was released. For pointers, use the !address command to find out more information about wether the page was allocated or freed and so on.
>>>
>>> — On Mon, 7/21/08, Lin George wrote:
>>>
>>>> From: Lin George
>>>> Subject: [windbg] strange 4 assembly instructions for a function
>>>> To: “Kernel Debugging Interest List”
>>>> Date: Monday, July 21, 2008, 11:59 AM
>>>> Hello everyone,
>>>>
>>>> I am confused what is the function of the 4 assembly
>>>> instructions – I found them when debugging function prolog
>>>> and epilog for study? I posted the 4 assembly instructions
>>>> and related whole source code/assembly code below.
>>>> Any ideas?
>>>> <br>&gt;&gt;&gt;&gt; 00BA13CC lea edi,[ebp-0C0h]<br>&gt;&gt;&gt;&gt; 00BA13D2 mov ecx,30h<br>&gt;&gt;&gt;&gt; 00BA13D7 mov eax,0CCCCCCCCh<br>&gt;&gt;&gt;&gt; 00BA13DC rep stos dword ptr es:[edi]<br>&gt;&gt;&gt;&gt;<br>&gt;&gt;&gt;&gt; int sumExample (int a, int b)<br>&gt;&gt;&gt;&gt; {<br>&gt;&gt;&gt;&gt; 00BA13C0 push ebp<br>&gt;&gt;&gt;&gt; 00BA13C1 mov ebp,esp<br>&gt;&gt;&gt;&gt; 00BA13C3 sub esp,0C0h<br>&gt;&gt;&gt;&gt; 00BA13C9 push ebx<br>&gt;&gt;&gt;&gt; 00BA13CA push esi<br>&gt;&gt;&gt;&gt; 00BA13CB push edi<br>&gt;&gt;&gt;&gt; 00BA13CC lea edi,[ebp-0C0h]<br>&gt;&gt;&gt;&gt; 00BA13D2 mov ecx,30h<br>&gt;&gt;&gt;&gt; 00BA13D7 mov eax,0CCCCCCCCh<br>&gt;&gt;&gt;&gt; 00BA13DC rep stos dword ptr es:[edi]<br>&gt;&gt;&gt;&gt; return a + b;<br>&gt;&gt;&gt;&gt; 00BA13DE mov eax,dword ptr [a]<br>&gt;&gt;&gt;&gt; 00BA13E1 add eax,dword ptr [b]<br>&gt;&gt;&gt;&gt; }<br>&gt;&gt;&gt;&gt; #include <iostream><br>&gt;&gt;&gt;&gt; using namespace std;<br>&gt;&gt;&gt;&gt; int sumExample (int a, int b)<br>&gt;&gt;&gt;&gt; {<br>&gt;&gt;&gt;&gt; return a + b;<br>&gt;&gt;&gt;&gt; }<br>&gt;&gt;&gt;&gt; int main()<br>&gt;&gt;&gt;&gt; {<br>&gt;&gt;&gt;&gt; int c = sumExample (100, 200);<br>&gt;&gt;&gt;&gt; cout &lt;&lt; c &lt;&lt; endl;<br>&gt;&gt;&gt;&gt; return 0;<br>&gt;&gt;&gt;&gt; }<br>&gt;&gt;&gt;&gt;
>>>>
>>>> thanks in advance,
>>>> George
>>>>
>>>>
>>>>
>>>>
>>>> —
>>>> You are currently subscribed to windbg as: unknown lmsubst
>>>> tag argument: ‘’
>>>> To unsubscribe send a blank email to
>>>> xxxxx@lists.osr.com
>>>
>>>
>>>
>>>
>>> —
>>> You are currently subscribed to windbg as: unknown lmsubst tag argument: ‘’
>>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>>
>>>
>>>
>>>
>>
>> —
>> You are currently subscribed to windbg as: xxxxx@yahoo.com
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>>
>>
>>
>>
>> —
>> You are currently subscribed to windbg as: unknown lmsubst tag argument: ‘’
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>


You are currently subscribed to windbg as: xxxxx@yahoo.com
To unsubscribe send a blank email to xxxxx@lists.osr.com


You are currently subscribed to windbg as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

And apparently Lin does not have google available either, as Edit and
Continue only gets 42,000 hits.

(And a link to that article was the first hit).

On Fri, Aug 15, 2008 at 10:45 AM, Jim Donelson wrote:
> And apparently Lin does not have google available either, as Edit and
> Continue only get 42,000 hits.
>
>
> On Fri, Aug 15, 2008 at 9:31 AM, Calin Iaru wrote:
>> I can assume that 0xC0 is the size of the local variables that are allowed to be added during edit and continue. I guess you are not using Visual Studio 6? 6 appears to limit to 0x40 the amount of local variables. Here’s a paper describing this:
>>
>> http://tinyurl.com/6gb4rm
>> or search for
>> “Enhanced Debugging with Edit and Continue in Microsoft Visual C++ 6.0”
>> This is a link for Visual Studio 2008:
>> http://tinyurl.com/6e8ayf
>>
>>
>> ----- Original Message ----
>> From: Lin George
>> To: Kernel Debugging Interest List
>> Cc: Kernel Debugging Interest List
>> Sent: Friday, August 15, 2008 3:11:30 PM
>> Subject: Re: [windbg] strange 4 assembly instructions for a function
>>
>> Thanks Jim,
>> Basically I agree with you. I just want to get some referred documents about how edit and continue works on the basis of reserving more stack space. Do you have any recommendations?
>> regards,
>> George
>>
>>
>> ----- Original Message ----
>> From: Jim Donelson
>> To: Kernel Debugging Interest List
>> Sent: Friday, August 15, 2008 8:49:13 PM
>> Subject: Re: [windbg] strange 4 assembly instructions for a function
>>
>> Well, this is a kernel list, so none of ever ever use edit and continue.
>> I personally never use it as for one thing it does not always work,
>> for the reason you stated,and over the years there have been various
>> bugs with it.
>> Not to mention the fact it causes odd code to be generated.
>> Best advice - shut it off.
>>
>> On Fri, Aug 15, 2008 at 8:46 AM, Jim Donelson wrote:
>>> Well, this is a kernel list, so none of ever ever use edit and continue.
>>> I personally never use it as for one thing it does not always work,
>>> for the reason you stated,and over the years there have been various
>>> bugs with it.
>>> Not to mention the fact it causes odd code to be generated.
>>> Best advice - shut it off.
>>>
>>>
>>> On Fri, Aug 15, 2008 at 3:02 AM, Lin George wrote:
>>>> Thanks Martin,
>>>> I agree with you. One more question, why reserving more space will enable the edit and continue feature as mentioned? This point I am very interested, but can not find any materials through Google search. Do you have any more documents in details? Or you describe by yourself?
>>>> (my confusion is, the developer could edit and insert as much as information – like code and data change – as he can, how could we predict the space which developer will be used in edit and continue feature?)
>>>> regards,
>>>> George
>>>>
>>>>
>>>> ----- Original Message ----
>>>> From: Martin O’Brien
>>>> To: Kernel Debugging Interest List
>>>> Sent: Thursday, August 14, 2008 2:52:30 PM
>>>> Subject: Re:[windbg] strange 4 assembly instructions for a function
>>>>
>>>> We seem to be going around in circles, so let’s try this differently:
>>>>
>>>> 1. What is your question? Please include ALL the code relevant to it.
>>>>
>>>> My guess is that your question is:
>>>>
>>>>> Don’t you think it initializes more stack space than actually needed?
>>>>
>>>> And that this is the code:
>>>>
>>>>>> 00BA13C0 push ebp
>>>>>> 00BA13C1 mov ebp,esp
>>>>>> 00BA13C3 sub esp,0C0h
>>>>>> 00BA13C9 push ebx
>>>>>> 00BA13CA push esi
>>>>>> 00BA13CB push edi
>>>>>> 00BA13CC lea edi,[ebp-0C0h]
>>>>>> 00BA13D2 mov ecx,30h
>>>>>> 00BA13D7 mov eax,0CCCCCCCCh
>>>>>> 00BA13DC rep stos dword ptr es:[edi]
>>>>
>>>> Assuming that this is correct, the basic answer is more or less what you’ve already been told. It’s marking the ‘beginning’ of the
>>>> local stack with a some padding bytes that happen to the opcode for an ‘INT 3’ (0xCC). I’m not sure the specific purpose the
>>>> compiler devs have in mind, but one thing it would definitely help with is diagnosing stack faults, which really suck to debug
>>>> without some sort of cheating like this, because by the time you find out about the problem, you’re usually well away from the
>>>> cause. With this technique, if you happen to end up outside the stack boundaries - within 0xC0 bytes in this case - the cpu will
>>>> execute an 0xCC, a.k.a - INT 3, which will land you immediately in WinDbg, so you have a much better chance to figure out what the
>>>> actual problem is more quickly, without having to traverse a blown stack, which itself can confuse WinDbg. So, from above:
>>>>
>>>>
>>>>>> 00BA13C0 push ebp -> standard prolog: preserve the base pointer
>>>>>> 00BA13C1 mov ebp,esp -> standard prolog: set the base pointer to the current stack pointer
>>>>>> 00BA13C3 sub esp,0C0h -> standard prolog: create 0xC0 (in this case) bytes of local space on the stack
>>>>>> 00BA13C9 push ebx -> preserve ebx (for later use)
>>>>>> 00BA13CA push esi -> preserve esi (for later use)
>>>>>> 00BA13CB push edi -> preserve edi (for use as target of ‘rep stos’)
>>>>>> 00BA13CC lea edi,[ebp-0C0h] -> load the effective address of he first byte of the local space created in (2)
>>>>>> 00BA13D2 mov ecx,30h -> set ecx (iterations of ‘stos’ to ‘rep’) 0x30==0xC0/sizeof(dword ptr)
>>>>>> 00BA13D7 mov eax,0CCCCCCCCh -> set eax to the value of write to memory
>>>>>> 00BA13DC rep stos dword ptr es:[edi] -> stores value in EAX to es:[EDI], then decrements ECX, ECX times
>>>>
>>>> The extra space could be used for some other purposes as well, some of which others have mentioned, like ‘Edit and Continue (-ZI’).
>>>> As I said, I really don’t know the SPECIFIC purpose in this case, but this is the general idea. If you want to know the SPECIFIC
>>>> reason, you’re going to need to find the compiler dev, or someone willing to speak for him.
>>>>
>>>> In general, George, you’re asking very detailed questions, on a very low level subject, that isn’t really on topic here, though
>>>> that’s not really an issue, at least as far as I’m concerned. That being said, what I do find to be a little bit of an issue - not
>>>> a big one - is that you seem to be unsatisfied with anything but the specific answer to the very question you are asking, all
>>>> spelled out for you, on a topic like this - complicated, low level and not on topic, especially since you told us you haven’t read
>>>> the Intel Manuals yet. Someone sent you a link to the Intel manuals - I would recommend that you read them thoroughly, because
>>>> they are the best source for the answers to the types of questions that you are asking. If your questions were more on topic, or
>>>> not on topic but at a higher level on a less complicated subject or had you already read the manual, then it wouldn’t be a problem,
>>>> but for something like this, in my opinion, the etiquette here basically says that you have to take what you get for a question like
>>>> this, and not keep posting until you get the very specific answer you want, and that people will lose patience if you don’t do your
>>>> homework first. Don’t get me wrong - you clearly have been reading what people have suggested (like that article), but you don’t
>>>> seem to understand that the entry level for material like this is reading Volumes 1, 2 & 3 of the Intel Manuals, and until you do
>>>> that, you’re not going to be able to do anything useful with this information. That doesn’t mean you shouldn’t be told or even
>>>> shouldn’t proceed this way, but understand that it will, in my opinion, make people want to help less.
>>>>
>>>> I hope that this is correct; it’s late, and I didn’t look very closely at the previous posts, but I think this is the general idea.
>>>>
>>>>
>>>> Good luck,
>>>>
>>>> mm
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Lin George wrote:
>>>>> Hi Calin,
>>>>> I have read through the article you mentioned for a couple of hours. It is really good and I learned something which I donot know before, even if old day technologies.
>>>>> But, seems it does not directly cover the answer to my question? Or I miss or misunderstand anything? Could you help to clarify please? :slight_smile:
>>>>> regards,
>>>>> George
>>>>>
>>>>>
>>>>> ----- Original Message ----
>>>>> From: Calin Iaru
>>>>> To: Lin George
>>>>> Cc: xxxxx@lists.osr.com
>>>>> Sent: Wednesday, July 23, 2008 7:31:30 AM
>>>>> Subject: Re: [windbg] strange 4 assembly instructions for a function
>>>>>
>>>>> The code you presented is code compiled on Win32 with Program Database for Edit and Continue set. If you use Program Database, then the code will look like:
>>>>>
>>>>> int f(int a, int b) {
>>>>> 009911A0 push ebp
>>>>> 009911A1 mov ebp,esp
>>>>> return a+b;
>>>>> 009911A3 mov eax,dword ptr [a]
>>>>> 009911A6 add eax,dword ptr [b]
>>>>> }
>>>>> 009911A9 pop ebp
>>>>> 009911AA ret
>>>>>
>>>>>
>>>>> I don’t know why does PDEC arrange the code like this; perhaps is due to EC feature. PDEC implies the /Gy compiler switch which places each function definition in a code segment. The sum of these segments is the whole program; to make the code smaller, the linker has the option to remove all unused segments. An article written by Matt Pietrek specifies that the functions compiled with /Gy are aligned on a power of 2 boundary which means that each function will be padded with INT 3 instructions up to the next alignment.
>>>>> http://www.microsoft.com/msj/archive/S572.aspx
>>>>> or search for
>>>>> Matt Pietrek comdat
>>>>> on msdn.
>>>>>
>>>>> ----- Original Message ----
>>>>> From: Lin George
>>>>> To: xxxxx@yahoo.com
>>>>> Cc: Kernel Debugging Interest List
>>>>> Sent: Tuesday, July 22, 2008 7:53:57 AM
>>>>> Subject: Re: [windbg] strange 4 assembly instructions for a function
>>>>>
>>>>> Thanks Calin,
>>>>> I fully agree with you from your below points. But don’t you think it initializes more stack space than actually needed?
>>>>> I posted the assembly code again here. Any comments?
>>>>> 00BA13CC lea edi,[ebp-0C0h]
>>>>> 00BA13D2 mov ecx,30h
>>>>> 00BA13D7 mov eax,0CCCCCCCCh
>>>>> 00BA13DC rep stos dword ptr es:[edi]
>>>>> regards,
>>>>> George
>>>>>
>>>>>
>>>>> ----- Original Message ----
>>>>> From: Calin Iaru
>>>>> To: Kernel Debugging Interest List
>>>>> Sent: Monday, July 21, 2008 8:24:42 PM
>>>>> Subject: Re: [windbg] strange 4 assembly instructions for a function
>>>>>
>>>>> Hi,
>>>>>
>>>>> the compiler fills with 0xCC about 0xC0 bytes of local stack data. I expect a release build to clean up the code.
>>>>>
>>>>> Best regards,
>>>>> Calin
>>>>>
>>>>> PS.
>>>>> 0xCC is a well known value which is distinctively recognized during a crash. For instance, if you have a pointer which contains this value, it will indicate that the pointer is not initialized. Other known value is an 0xfeeefeee which says that the pointer was released. For pointers, use the !address command to find out more information about wether the page was allocated or freed and so on.
>>>>>
>>>>> — On Mon, 7/21/08, Lin George wrote:
>>>>>
>>>>>> From: Lin George
>>>>>> Subject: [windbg] strange 4 assembly instructions for a function
>>>>>> To: “Kernel Debugging Interest List”
>>>>>> Date: Monday, July 21, 2008, 11:59 AM
>>>>>> Hello everyone,
>>>>>>
>>>>>> I am confused what is the function of the 4 assembly
>>>>>> instructions – I found them when debugging function prolog
>>>>>> and epilog for study? I posted the 4 assembly instructions
>>>>>> and related whole source code/assembly code below.
>>>>>> Any ideas?
>>>>>> <br>&gt;&gt;&gt;&gt;&gt;&gt; 00BA13CC lea edi,[ebp-0C0h]<br>&gt;&gt;&gt;&gt;&gt;&gt; 00BA13D2 mov ecx,30h<br>&gt;&gt;&gt;&gt;&gt;&gt; 00BA13D7 mov eax,0CCCCCCCCh<br>&gt;&gt;&gt;&gt;&gt;&gt; 00BA13DC rep stos dword ptr es:[edi]<br>&gt;&gt;&gt;&gt;&gt;&gt;<br>&gt;&gt;&gt;&gt;&gt;&gt; int sumExample (int a, int b)<br>&gt;&gt;&gt;&gt;&gt;&gt; {<br>&gt;&gt;&gt;&gt;&gt;&gt; 00BA13C0 push ebp<br>&gt;&gt;&gt;&gt;&gt;&gt; 00BA13C1 mov ebp,esp<br>&gt;&gt;&gt;&gt;&gt;&gt; 00BA13C3 sub esp,0C0h<br>&gt;&gt;&gt;&gt;&gt;&gt; 00BA13C9 push ebx<br>&gt;&gt;&gt;&gt;&gt;&gt; 00BA13CA push esi<br>&gt;&gt;&gt;&gt;&gt;&gt; 00BA13CB push edi<br>&gt;&gt;&gt;&gt;&gt;&gt; 00BA13CC lea edi,[ebp-0C0h]<br>&gt;&gt;&gt;&gt;&gt;&gt; 00BA13D2 mov ecx,30h<br>&gt;&gt;&gt;&gt;&gt;&gt; 00BA13D7 mov eax,0CCCCCCCCh<br>&gt;&gt;&gt;&gt;&gt;&gt; 00BA13DC rep stos dword ptr es:[edi]<br>&gt;&gt;&gt;&gt;&gt;&gt; return a + b;<br>&gt;&gt;&gt;&gt;&gt;&gt; 00BA13DE mov eax,dword ptr [a]<br>&gt;&gt;&gt;&gt;&gt;&gt; 00BA13E1 add eax,dword ptr [b]<br>&gt;&gt;&gt;&gt;&gt;&gt; }<br>&gt;&gt;&gt;&gt;&gt;&gt; #include <iostream><br>&gt;&gt;&gt;&gt;&gt;&gt; using namespace std;<br>&gt;&gt;&gt;&gt;&gt;&gt; int sumExample (int a, int b)<br>&gt;&gt;&gt;&gt;&gt;&gt; {<br>&gt;&gt;&gt;&gt;&gt;&gt; return a + b;<br>&gt;&gt;&gt;&gt;&gt;&gt; }<br>&gt;&gt;&gt;&gt;&gt;&gt; int main()<br>&gt;&gt;&gt;&gt;&gt;&gt; {<br>&gt;&gt;&gt;&gt;&gt;&gt; int c = sumExample (100, 200);<br>&gt;&gt;&gt;&gt;&gt;&gt; cout &lt;&lt; c &lt;&lt; endl;<br>&gt;&gt;&gt;&gt;&gt;&gt; return 0;<br>&gt;&gt;&gt;&gt;&gt;&gt; }<br>&gt;&gt;&gt;&gt;&gt;&gt;
>>>>>>
>>>>>> thanks in advance,
>>>>>> George
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> —
>>>>>> You are currently subscribed to windbg as: unknown lmsubst
>>>>>> tag argument: ‘’
>>>>>> To unsubscribe send a blank email to
>>>>>> xxxxx@lists.osr.com
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> —
>>>>> You are currently subscribed to windbg as: unknown lmsubst tag argument: ‘’
>>>>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>> —
>>>> You are currently subscribed to windbg as: xxxxx@yahoo.com
>>>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> —
>>>> You are currently subscribed to windbg as: unknown lmsubst tag argument: ‘’
>>>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>>>
>>>
>>
>> —
>> You are currently subscribed to windbg as: xxxxx@yahoo.com
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>>
>>
>>
>>
>> —
>> You are currently subscribed to windbg as: unknown lmsubst tag argument: ‘’
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>>
>>
>>
>>
>> —
>> You are currently subscribed to windbg as: xxxxx@jimdonelson.com
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>

You are so humourous Jim. I am still confused why I can not find any materials regarding to this topic. For any other internally topics, like linker/compiler optimization, there are abundant documents on System Internals.

regards,
George

----- Original Message ----
From: Jim Donelson
To: Lin George
Sent: Friday, August 15, 2008 9:24:26 PM
Subject: Re: [windbg] strange 4 assembly instructions for a function

Yes, get hired by the Microsoft VS Team and look at the source code.

On Fri, Aug 15, 2008 at 9:11 AM, Lin George wrote:

Thanks Jim,
Basically I agree with you. I just want to get some referred documents about how edit and continue works on the basis of reserving? more stack space. Do you have any recommendations?
regards,
George

----- Original Message ----
From: Jim Donelson
To: Kernel Debugging Interest List

Sent: Friday, August 15, 2008 8:49:13 PM
Subject: Re: [windbg] strange 4 assembly instructions for a function

Well, this is a kernel list, so none of ever ever use edit and continue.
I personally never use it as for one thing it does not always work,
for the reason you stated,and over the years there have been various
bugs with it.
Not to mention the fact it causes odd code to be generated.
Best advice - shut it off.

On Fri, Aug 15, 2008 at 8:46 AM, Jim Donelson wrote:
> Well, this is a kernel list, so none of ever ever use edit and continue.
> I personally never use it as for one thing it does not always work,
> for the reason you stated,and over the years there have been various
> bugs with it.
> Not to mention the fact it causes odd code to be generated.
> Best advice - shut it off.
>
>
> On Fri, Aug 15, 2008 at 3:02 AM, Lin George wrote:
>> Thanks Martin,
>> I agree with you. One more question, why reserving more space will enable the edit and continue feature as mentioned? This point I am very interested, but can not find any materials through Google search. Do you have any more documents in details? Or you describe by yourself?
>> (my confusion is, the developer could edit and insert as much as information – like code and data change – as he can, how could we predict the space which developer will be used in edit and continue feature?)
>> regards,
>> George
>>
>>
>> ----- Original Message ----
>> From: Martin O’Brien
>> To: Kernel Debugging Interest List
>> Sent: Thursday, August 14, 2008 2:52:30 PM
>> Subject: Re:[windbg] strange 4 assembly instructions for a function
>>
>> We seem to be going around in circles, so let’s try this differently:
>>
>> 1.? What is your question?? Please include ALL the code relevant to it.
>>
>> My guess is that your question is:
>>
>>> Don’t you think it initializes more stack space than actually needed?
>>
>> And that this is the code:
>>
>>>> 00BA13C0? push? ? ? ? ebp
>>>> 00BA13C1? mov? ? ? ? ebp,esp
>>>> 00BA13C3? sub? ? ? ? esp,0C0h
>>>> 00BA13C9? push? ? ? ? ebx
>>>> 00BA13CA? push? ? ? ? esi
>>>> 00BA13CB? push? ? ? ? edi
>>>> 00BA13CC? lea? ? ? ? edi,[ebp-0C0h]
>>>> 00BA13D2? mov? ? ? ? ecx,30h
>>>> 00BA13D7? mov? ? ? ? eax,0CCCCCCCCh
>>>> 00BA13DC? rep stos? ? dword ptr es:[edi]
>>
>> Assuming that this is correct, the basic answer is more or less what you’ve already been told.? It’s marking the ‘beginning’ of the
>> local stack with a some padding bytes that happen to the opcode for an ‘INT 3’ (0xCC).? I’m not sure the specific purpose the
>> compiler devs have in mind, but one thing it would definitely help with is diagnosing stack faults, which really suck to debug
>> without some sort of cheating like this, because by the time you find out about the problem, you’re usually well away from the
>> cause.? With this technique, if you happen to end up outside the stack boundaries - within 0xC0 bytes in this case - the cpu will
>> execute an 0xCC, a.k.a - INT 3, which will land you immediately in WinDbg, so you have a much better chance to figure out what the
>> actual problem is more quickly, without having to traverse a blown stack, which itself can confuse WinDbg.? So, from above:
>>
>>
>>>> 00BA13C0? push? ? ? ? ebp? ? ? ? ? ? -> standard prolog: preserve the base pointer
>>>> 00BA13C1? mov? ? ? ? ebp,esp? ? ? ? -> standard prolog: set the base pointer to the current stack pointer
>>>> 00BA13C3? sub? ? ? ? esp,0C0h? ? ? ? -> standard prolog: create 0xC0 (in this case) bytes of local space on the stack
>>>> 00BA13C9? push? ? ? ? ebx? ? ? ? ? ? ? -> preserve ebx (for later use)
>>>> 00BA13CA? push? ? ? ? esi? ? ? ? ? ? ? -> preserve esi (for later use)
>>>> 00BA13CB? push? ? ? ? edi? ? ? ? ? ? ? -> preserve edi (for use as target of ‘rep stos’)
>>>> 00BA13CC? lea? ? ? ? edi,[ebp-0C0h]? ? ? ? -> load the effective address of he first byte of the local space created in (2)
>>>> 00BA13D2? mov? ? ? ? ecx,30h? ? ? ? -> set ecx (iterations of ‘stos’ to ‘rep’) 0x30==0xC0/sizeof(dword ptr)
>>>> 00BA13D7? mov? ? ? ? eax,0CCCCCCCCh? ? ? ? -> set eax to the value of write to memory
>>>> 00BA13DC? rep stos? ? dword ptr es:[edi]? ? -> stores value in EAX to es:[EDI], then decrements ECX, ECX times
>>
>> The extra space could be used for some other purposes as well, some of which others have mentioned, like ‘Edit and Continue (-ZI’).
>>? As I said, I really don’t know the SPECIFIC purpose in this case, but this is the general idea.? If you want to know the SPECIFIC
>> reason, you’re going to need to find the compiler dev, or someone willing to speak for him.
>>
>> In general, George, you’re asking very detailed questions, on a very low level subject, that isn’t really on topic here, though
>> that’s not really an issue, at least as far as I’m concerned.? That being said, what I do find to be a little bit of an issue - not
>> a big one - is that you seem to be unsatisfied with anything but the specific answer to the very question you are asking, all
>> spelled out for you, on a topic like this - complicated, low level and not on topic, especially since you told us you haven’t read
>> the Intel Manuals yet.? Someone sent you a link to the Intel manuals - I would recommend that? you read them thoroughly, because
>> they are the best source for the answers to the types of questions that you are asking.? If your questions were more on topic, or
>> not on topic but at a higher level on a less complicated subject or had you already read the manual, then it wouldn’t be a problem,
>> but for something like this, in my opinion, the etiquette here basically says that you have to take what you get for a question like
>> this, and not keep posting until you get the very specific answer you want, and that people will lose patience if you don’t do your
>> homework first.? Don’t get me wrong - you clearly have been reading what people have suggested (like that article), but you don’t
>> seem to understand that the entry level for material like this is reading Volumes 1, 2 & 3 of the Intel Manuals, and until you do
>> that, you’re not going to be able to do anything useful with this information.? That doesn’t mean you shouldn’t be told or even
>> shouldn’t proceed this way, but understand that it will, in my opinion, make people want to help less.
>>
>> I hope that this is correct; it’s late, and I didn’t look very closely at the previous posts, but I think this is the general idea.
>>
>>
>> Good luck,
>>
>> mm
>>
>>
>>
>>
>>
>>
>>
>> Lin George wrote:
>>> Hi Calin,
>>> I have read through the article you mentioned for a couple of hours. It is really good and I learned something which I donot know before, even if old day technologies.
>>> But, seems it does not directly cover the answer to my question? Or I miss or misunderstand anything? Could you help to clarify please? :slight_smile:
>>> regards,
>>> George
>>>
>>>
>>> ----- Original Message ----
>>> From: Calin Iaru
>>> To: Lin George
>>> Cc: xxxxx@lists.osr.com
>>> Sent: Wednesday, July 23, 2008 7:31:30 AM
>>> Subject: Re: [windbg] strange 4 assembly instructions for a function
>>>
>>> The code you presented is code compiled on Win32 with Program Database for Edit and Continue set. If you use Program Database, then the code will look like:
>>>
>>> int f(int a, int b) {
>>> 009911A0? push? ? ? ? ebp
>>> 009911A1? mov? ? ? ? ebp,esp
>>>? ? return a+b;
>>> 009911A3? mov? ? ? ? eax,dword ptr [a]
>>> 009911A6? add? ? ? ? eax,dword ptr [b]
>>> }
>>> 009911A9? pop? ? ? ? ebp
>>> 009911AA? ret
>>>
>>>
>>> I don’t know why does PDEC arrange the code like this; perhaps is due to EC feature. PDEC implies the /Gy compiler switch which places each function definition in a code segment. The sum of these segments is the whole program; to make the code smaller, the linker has the option to remove all unused segments. An article written by Matt Pietrek specifies that the functions compiled with /Gy are aligned on a power of 2 boundary which means that each function will be padded with INT 3 instructions up to the next alignment.
>>> http://www.microsoft.com/msj/archive/S572.aspx
>>> or search for
>>> Matt Pietrek comdat
>>> on msdn.
>>>
>>> ----- Original Message ----
>>> From: Lin George
>>> To: xxxxx@yahoo.com
>>> Cc: Kernel Debugging Interest List
>>> Sent: Tuesday, July 22, 2008 7:53:57 AM
>>> Subject: Re: [windbg] strange 4 assembly instructions for a function
>>>
>>> Thanks Calin,
>>> I fully agree with you from your below points. But don’t you think it initializes more stack space than actually needed?
>>> I posted the assembly code again here. Any comments?
>>> 00BA13CC? lea? ? ? ? edi,[ebp-0C0h]
>>> 00BA13D2? mov? ? ? ? ecx,30h
>>> 00BA13D7? mov? ? ? ? eax,0CCCCCCCCh
>>> 00BA13DC? rep stos? ? dword ptr es:[edi]
>>> regards,
>>> George
>>>
>>>
>>> ----- Original Message ----
>>> From: Calin Iaru
>>> To: Kernel Debugging Interest List
>>> Sent: Monday, July 21, 2008 8:24:42 PM
>>> Subject: Re: [windbg] strange 4 assembly instructions for a function
>>>
>>> Hi,
>>>
>>>? the compiler fills with 0xCC about 0xC0 bytes of local stack data. I expect a release build to clean up the code.
>>>
>>> Best regards,
>>>? Calin
>>>
>>> PS.
>>> 0xCC is a well known value which is distinctively recognized during a crash. For instance, if you have a pointer which contains this value, it will indicate that the pointer is not initialized. Other known value is an 0xfeeefeee which says that the pointer was released. For pointers, use the !address command to find out more information about wether the page was allocated or freed and so on.
>>>
>>> — On Mon, 7/21/08, Lin George wrote:
>>>
>>>> From: Lin George
>>>> Subject: [windbg] strange 4 assembly instructions for a function
>>>> To: “Kernel Debugging Interest List”
>>>> Date: Monday, July 21, 2008, 11:59 AM
>>>> Hello everyone,
>>>>
>>>> I am confused what is the function of the 4 assembly
>>>> instructions – I found them when debugging function prolog
>>>> and epilog for study? I posted the 4 assembly instructions
>>>> and related whole source code/assembly code below.
>>>> Any ideas?
>>>> <br>&gt;&gt;&gt;&gt; 00BA13CC? lea? ? ? ? edi,[ebp-0C0h]<br>&gt;&gt;&gt;&gt; 00BA13D2? mov? ? ? ? ecx,30h<br>&gt;&gt;&gt;&gt; 00BA13D7? mov? ? ? ? eax,0CCCCCCCCh<br>&gt;&gt;&gt;&gt; 00BA13DC? rep stos? ? dword ptr es:[edi]<br>&gt;&gt;&gt;&gt;<br>&gt;&gt;&gt;&gt; int sumExample (int a, int b)<br>&gt;&gt;&gt;&gt; {<br>&gt;&gt;&gt;&gt; 00BA13C0? push? ? ? ? ebp<br>&gt;&gt;&gt;&gt; 00BA13C1? mov? ? ? ? ebp,esp<br>&gt;&gt;&gt;&gt; 00BA13C3? sub? ? ? ? esp,0C0h<br>&gt;&gt;&gt;&gt; 00BA13C9? push? ? ? ? ebx<br>&gt;&gt;&gt;&gt; 00BA13CA? push? ? ? ? esi<br>&gt;&gt;&gt;&gt; 00BA13CB? push? ? ? ? edi<br>&gt;&gt;&gt;&gt; 00BA13CC? lea? ? ? ? edi,[ebp-0C0h]<br>&gt;&gt;&gt;&gt; 00BA13D2? mov? ? ? ? ecx,30h<br>&gt;&gt;&gt;&gt; 00BA13D7? mov? ? ? ? eax,0CCCCCCCCh<br>&gt;&gt;&gt;&gt; 00BA13DC? rep stos? ? dword ptr es:[edi]<br>&gt;&gt;&gt;&gt;? ? return a + b;<br>&gt;&gt;&gt;&gt; 00BA13DE? mov? ? ? ? eax,dword ptr [a]<br>&gt;&gt;&gt;&gt; 00BA13E1? add? ? ? ? eax,dword ptr [b]<br>&gt;&gt;&gt;&gt; }<br>&gt;&gt;&gt;&gt; #include <iostream><br>&gt;&gt;&gt;&gt; using namespace std;<br>&gt;&gt;&gt;&gt; int sumExample (int a, int b)<br>&gt;&gt;&gt;&gt; {<br>&gt;&gt;&gt;&gt;? ? return a + b;<br>&gt;&gt;&gt;&gt; }<br>&gt;&gt;&gt;&gt; int main()<br>&gt;&gt;&gt;&gt; {<br>&gt;&gt;&gt;&gt;? int c = sumExample (100, 200);<br>&gt;&gt;&gt;&gt;? cout &lt;&lt; c &lt;&lt; endl;<br>&gt;&gt;&gt;&gt;? return 0;<br>&gt;&gt;&gt;&gt; }<br>&gt;&gt;&gt;&gt;
>>>>
>>>> thanks in advance,
>>>> George
>>>>
>>>>
>>>>
>>>>
>>>> —
>>>> You are currently subscribed to windbg as: unknown lmsubst
>>>> tag argument: ‘’
>>>> To unsubscribe send a blank email to
>>>> xxxxx@lists.osr.com
>>>
>>>
>>>
>>>
>>> —
>>> You are currently subscribed to windbg as: unknown lmsubst tag argument: ‘’
>>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>>
>>>
>>>
>>>
>>
>> —
>> You are currently subscribed to windbg as: xxxxx@yahoo.com
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>>
>>
>>
>>
>> —
>> You are currently subscribed to windbg as: unknown lmsubst tag argument: ‘’
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>


You are currently subscribed to windbg as: xxxxx@yahoo.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

George, why are you asking us? I don’t know why some on sysinternals didn’t write the document you want. Either way, it is what it
is, man. You’ve just got to let this one go. I hear you on curiosity, but no matter how many different ways and how many time you
ask this question - we do not appear to know the answer, at least at the moment.

mm

Lin George wrote:

You are so humourous Jim. I am still confused why I can not find any
materials regarding to this topic. For any other internally topics, like
linker/compiler optimization, there are abundant documents on System
Internals.

regards,
George

----- Original Message ----
From: Jim Donelson
> To: Lin George
> Sent: Friday, August 15, 2008 9:24:26 PM
> Subject: Re: [windbg] strange 4 assembly instructions for a function
>
> Yes, get hired by the Microsoft VS Team and look at the source code.
>
>
> On Fri, Aug 15, 2008 at 9:11 AM, Lin George > mailto:xxxxx> wrote:
>
> Thanks Jim,
> Basically I agree with you. I just want to get some referred
> documents about how edit and continue works on the basis of
> reserving more stack space. Do you have any recommendations?
> regards,
> George
>
>
> ----- Original Message ----
> From: Jim Donelson >
> To: Kernel Debugging Interest List > mailto:xxxxx>
> Sent: Friday, August 15, 2008 8:49:13 PM
> Subject: Re: [windbg] strange 4 assembly instructions for a function
>
> Well, this is a kernel list, so none of ever ever use edit and continue.
> I personally never use it as for one thing it does not always work,
> for the reason you stated,and over the years there have been various
> bugs with it.
> Not to mention the fact it causes odd code to be generated.
> Best advice - shut it off.
>
> On Fri, Aug 15, 2008 at 8:46 AM, Jim Donelson > mailto:xxxxx> wrote:
> > Well, this is a kernel list, so none of ever ever use edit and
> continue.
> > I personally never use it as for one thing it does not always work,
> > for the reason you stated,and over the years there have been various
> > bugs with it.
> > Not to mention the fact it causes odd code to be generated.
> > Best advice - shut it off.
> >
> >
> > On Fri, Aug 15, 2008 at 3:02 AM, Lin George
> > wrote:
> >> Thanks Martin,
> >> I agree with you. One more question, why reserving more space
> will enable the edit and continue feature as mentioned? This point I
> am very interested, but can not find any materials through Google
> search. Do you have any more documents in details? Or you describe
> by yourself?
> >> (my confusion is, the developer could edit and insert as much as
> information – like code and data change – as he can, how could we
> predict the space which developer will be used in edit and continue
> feature?)
> >> regards,
> >> George
> >>
> >>
> >> ----- Original Message ----
> >> From: Martin O’Brien > mailto:xxxxx>
> >> To: Kernel Debugging Interest List > mailto:xxxxx>
> >> Sent: Thursday, August 14, 2008 2:52:30 PM
> >> Subject: Re:[windbg] strange 4 assembly instructions for a function
> >>
> >> We seem to be going around in circles, so let’s try this
> differently:
> >>
> >> 1. What is your question? Please include ALL the code relevant
> to it.
> >>
> >> My guess is that your question is:
> >>
> >>> Don’t you think it initializes more stack space than actually
> needed?
> >>
> >> And that this is the code:
> >>
> >>>> 00BA13C0 push ebp
> >>>> 00BA13C1 mov ebp,esp
> >>>> 00BA13C3 sub esp,0C0h
> >>>> 00BA13C9 push ebx
> >>>> 00BA13CA push esi
> >>>> 00BA13CB push edi
> >>>> 00BA13CC lea edi,[ebp-0C0h]
> >>>> 00BA13D2 mov ecx,30h
> >>>> 00BA13D7 mov eax,0CCCCCCCCh
> >>>> 00BA13DC rep stos dword ptr es:[edi]
> >>
> >> Assuming that this is correct, the basic answer is more or less
> what you’ve already been told. It’s marking the ‘beginning’ of the
> >> local stack with a some padding bytes that happen to the opcode
> for an ‘INT 3’ (0xCC). I’m not sure the specific purpose the
> >> compiler devs have in mind, but one thing it would definitely
> help with is diagnosing stack faults, which really suck to debug
> >> without some sort of cheating like this, because by the time you
> find out about the problem, you’re usually well away from the
> >> cause. With this technique, if you happen to end up outside the
> stack boundaries - within 0xC0 bytes in this case - the cpu will
> >> execute an 0xCC, a.k.a - INT 3, which will land you immediately
> in WinDbg, so you have a much better chance to figure out what the
> >> actual problem is more quickly, without having to traverse a
> blown stack, which itself can confuse WinDbg. So, from above:
> >>
> >>
> >>>> 00BA13C0 push ebp -> standard prolog:
> preserve the base pointer
> >>>> 00BA13C1 mov ebp,esp -> standard prolog: set
> the base pointer to the current stack pointer
> >>>> 00BA13C3 sub esp,0C0h -> standard prolog:
> create 0xC0 (in this case) bytes of local space on the stack
> >>>> 00BA13C9 push ebx -> preserve ebx (for
> later use)
> >>>> 00BA13CA push esi -> preserve esi (for
> later use)
> >>>> 00BA13CB push edi -> preserve edi (for
> use as target of ‘rep stos’)
> >>>> 00BA13CC lea edi,[ebp-0C0h] -> load the
> effective address of he first byte of the local space created in (2)
> >>>> 00BA13D2 mov ecx,30h -> set ecx (iterations of
> ‘stos’ to ‘rep’) 0x30==0xC0/sizeof(dword ptr)
> >>>> 00BA13D7 mov eax,0CCCCCCCCh -> set eax to the
> value of write to memory
> >>>> 00BA13DC rep stos dword ptr es:[edi] -> stores value in
> EAX to es:[EDI], then decrements ECX, ECX times
> >>
> >> The extra space could be used for some other purposes as well,
> some of which others have mentioned, like ‘Edit and Continue (-ZI’).
> >> As I said, I really don’t know the SPECIFIC purpose in this
> case, but this is the general idea. If you want to know the SPECIFIC
> >> reason, you’re going to need to find the compiler dev, or
> someone willing to speak for him.
> >>
> >> In general, George, you’re asking very detailed questions, on a
> very low level subject, that isn’t really on topic here, though
> >> that’s not really an issue, at least as far as I’m concerned.
> That being said, what I do find to be a little bit of an issue - not
> >> a big one - is that you seem to be unsatisfied with anything but
> the specific answer to the very question you are asking, all
> >> spelled out for you, on a topic like this - complicated, low
> level and not on topic, especially since you told us you haven’t read
> >> the Intel Manuals yet. Someone sent you a link to the Intel
> manuals - I would recommend that you read them thoroughly, because
> >> they are the best source for the answers to the types of
> questions that you are asking. If your questions were more on topic, or
> >> not on topic but at a higher level on a less complicated subject
> or had you already read the manual, then it wouldn’t be a problem,
> >> but for something like this, in my opinion, the etiquette here
> basically says that you have to take what you get for a question like
> >> this, and not keep posting until you get the very specific
> answer you want, and that people will lose patience if you don’t do your
> >> homework first. Don’t get me wrong - you clearly have been
> reading what people have suggested (like that article), but you don’t
> >> seem to understand that the entry level for material like this
> is reading Volumes 1, 2 & 3 of the Intel Manuals, and until you do
> >> that, you’re not going to be able to do anything useful with
> this information. That doesn’t mean you shouldn’t be told or even
> >> shouldn’t proceed this way, but understand that it will, in my
> opinion, make people want to help less.
> >>
> >> I hope that this is correct; it’s late, and I didn’t look very
> closely at the previous posts, but I think this is the general idea.
> >>
> >>
> >> Good luck,
> >>
> >> mm
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> Lin George wrote:
> >>> Hi Calin,
> >>> I have read through the article you mentioned for a couple of
> hours. It is really good and I learned something which I donot know
> before, even if old day technologies.
> >>> But, seems it does not directly cover the answer to my
> question? Or I miss or misunderstand anything? Could you help to
> clarify please? :slight_smile:
> >>> regards,
> >>> George
> >>>
> >>>
> >>> ----- Original Message ----
> >>> From: Calin Iaru > mailto:xxxxx>
> >>> To: Lin George > mailto:xxxxx>
> >>> Cc: xxxxx@lists.osr.com mailto:xxxxx
> >>> Sent: Wednesday, July 23, 2008 7:31:30 AM
> >>> Subject: Re: [windbg] strange 4 assembly instructions for a
> function
> >>>
> >>> The code you presented is code compiled on Win32 with Program
> Database for Edit and Continue set. If you use Program Database,
> then the code will look like:
> >>>
> >>> int f(int a, int b) {
> >>> 009911A0 push ebp
> >>> 009911A1 mov ebp,esp
> >>> return a+b;
> >>> 009911A3 mov eax,dword ptr [a]
> >>> 009911A6 add eax,dword ptr [b]
> >>> }
> >>> 009911A9 pop ebp
> >>> 009911AA ret
> >>>
> >>>
> >>> I don’t know why does PDEC arrange the code like this; perhaps
> is due to EC feature. PDEC implies the /Gy compiler switch which
> places each function definition in a code segment. The sum of these
> segments is the whole program; to make the code smaller, the linker
> has the option to remove all unused segments. An article written by
> Matt Pietrek specifies that the functions compiled with /Gy are
> aligned on a power of 2 boundary which means that each function will
> be padded with INT 3 instructions up to the next alignment.
> >>> http://www.microsoft.com/msj/archive/S572.aspx
> >>> or search for
> >>> Matt Pietrek comdat
> >>> on msdn.
> >>>
> >>> ----- Original Message ----
> >>> From: Lin George > mailto:xxxxx>
> >>> To: xxxxx@yahoo.com mailto:xxxxx
> >>> Cc: Kernel Debugging Interest List > mailto:xxxxx>
> >>> Sent: Tuesday, July 22, 2008 7:53:57 AM
> >>> Subject: Re: [windbg] strange 4 assembly instructions for a
> function
> >>>
> >>> Thanks Calin,
> >>> I fully agree with you from your below points. But don’t you
> think it initializes more stack space than actually needed?
> >>> I posted the assembly code again here. Any comments?
> >>> 00BA13CC lea edi,[ebp-0C0h]
> >>> 00BA13D2 mov ecx,30h
> >>> 00BA13D7 mov eax,0CCCCCCCCh
> >>> 00BA13DC rep stos dword ptr es:[edi]
> >>> regards,
> >>> George
> >>>
> >>>
> >>> ----- Original Message ----
> >>> From: Calin Iaru > mailto:xxxxx>
> >>> To: Kernel Debugging Interest List > mailto:xxxxx>
> >>> Sent: Monday, July 21, 2008 8:24:42 PM
> >>> Subject: Re: [windbg] strange 4 assembly instructions for a
> function
> >>>
> >>> Hi,
> >>>
> >>> the compiler fills with 0xCC about 0xC0 bytes of local stack
> data. I expect a release build to clean up the code.
> >>>
> >>> Best regards,
> >>> Calin
> >>>
> >>> PS.
> >>> 0xCC is a well known value which is distinctively recognized
> during a crash. For instance, if you have a pointer which contains
> this value, it will indicate that the pointer is not initialized.
> Other known value is an 0xfeeefeee which says that the pointer was
> released. For pointers, use the !address command to find out more
> information about wether the page was allocated or freed and so on.
> >>>
> >>> — On Mon, 7/21/08, Lin George > mailto:xxxxx> wrote:
> >>>
> >>>> From: Lin George > mailto:xxxxx>
> >>>> Subject: [windbg] strange 4 assembly instructions for a function
> >>>> To: “Kernel Debugging Interest List” > mailto:xxxxx>
> >>>> Date: Monday, July 21, 2008, 11:59 AM
> >>>> Hello everyone,
> >>>>
> >>>> I am confused what is the function of the 4 assembly
> >>>> instructions – I found them when debugging function prolog
> >>>> and epilog for study? I posted the 4 assembly instructions
> >>>> and related whole source code/assembly code below.
> >>>> Any ideas?
> >>>> <br>&gt; &gt;&gt;&gt;&gt; 00BA13CC lea edi,[ebp-0C0h]<br>&gt; &gt;&gt;&gt;&gt; 00BA13D2 mov ecx,30h<br>&gt; &gt;&gt;&gt;&gt; 00BA13D7 mov eax,0CCCCCCCCh<br>&gt; &gt;&gt;&gt;&gt; 00BA13DC rep stos dword ptr es:[edi]<br>&gt; &gt;&gt;&gt;&gt;<br>&gt; &gt;&gt;&gt;&gt; int sumExample (int a, int b)<br>&gt; &gt;&gt;&gt;&gt; {<br>&gt; &gt;&gt;&gt;&gt; 00BA13C0 push ebp<br>&gt; &gt;&gt;&gt;&gt; 00BA13C1 mov ebp,esp<br>&gt; &gt;&gt;&gt;&gt; 00BA13C3 sub esp,0C0h<br>&gt; &gt;&gt;&gt;&gt; 00BA13C9 push ebx<br>&gt; &gt;&gt;&gt;&gt; 00BA13CA push esi<br>&gt; &gt;&gt;&gt;&gt; 00BA13CB push edi<br>&gt; &gt;&gt;&gt;&gt; 00BA13CC lea edi,[ebp-0C0h]<br>&gt; &gt;&gt;&gt;&gt; 00BA13D2 mov ecx,30h<br>&gt; &gt;&gt;&gt;&gt; 00BA13D7 mov eax,0CCCCCCCCh<br>&gt; &gt;&gt;&gt;&gt; 00BA13DC rep stos dword ptr es:[edi]<br>&gt; &gt;&gt;&gt;&gt; return a + b;<br>&gt; &gt;&gt;&gt;&gt; 00BA13DE mov eax,dword ptr [a]<br>&gt; &gt;&gt;&gt;&gt; 00BA13E1 add eax,dword ptr [b]<br>&gt; &gt;&gt;&gt;&gt; }<br>&gt; &gt;&gt;&gt;&gt; #include <iostream><br>&gt; &gt;&gt;&gt;&gt; using namespace std;<br>&gt; &gt;&gt;&gt;&gt; int sumExample (int a, int b)<br>&gt; &gt;&gt;&gt;&gt; {<br>&gt; &gt;&gt;&gt;&gt; return a + b;<br>&gt; &gt;&gt;&gt;&gt; }<br>&gt; &gt;&gt;&gt;&gt; int main()<br>&gt; &gt;&gt;&gt;&gt; {<br>&gt; &gt;&gt;&gt;&gt; int c = sumExample (100, 200);<br>&gt; &gt;&gt;&gt;&gt; cout &lt;&lt; c &lt;&lt; endl;<br>&gt; &gt;&gt;&gt;&gt; return 0;<br>&gt; &gt;&gt;&gt;&gt; }<br>&gt; &gt;&gt;&gt;&gt;
> >>>>
> >>>> thanks in advance,
> >>>> George
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> —
> >>>> You are currently subscribed to windbg as: unknown lmsubst
> >>>> tag argument: ‘’
> >>>> To unsubscribe send a blank email to
> >>>> xxxxx@lists.osr.com
> mailto:xxxxx
> >>>
> >>>
> >>>
> >>>
> >>> —
> >>> You are currently subscribed to windbg as: unknown lmsubst tag
> argument: ‘’
> >>> To unsubscribe send a blank email to
> xxxxx@lists.osr.com
> mailto:xxxxx
> >>>
> >>>
> >>>
> >>>
> >>
> >> —
> >> You are currently subscribed to windbg as:
> xxxxx@yahoo.com mailto:xxxxx
> >> To unsubscribe send a blank email to
> xxxxx@lists.osr.com
> mailto:xxxxx
> >>
> >>
> >>
> >>
> >>
> >> —
> >> You are currently subscribed to windbg as: unknown lmsubst tag
> argument: ‘’
> >> To unsubscribe send a blank email to
> xxxxx@lists.osr.com
> mailto:xxxxx
> >>
> >
>
> —
> You are currently subscribed to windbg as: xxxxx@yahoo.com
> mailto:xxxxx
> To unsubscribe send a blank email to
> xxxxx@lists.osr.com
> mailto:xxxxx
>
>
>
>
>
></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx>

Thanks Calin,
I have read your referred article carefully. Really good stuff and find better results from my Google! I am using iGoogle and it is really different results. :slight_smile:
Aftre reading the article, I think the related part describing how edit and continue works is below. But my question is, it never mentions the feature is implemented through making stack larger (reserver more space). Do you have any comments or ideas?

http://msdn.microsoft.com/en-us/library/aa260823(VS.60).aspx
How Does Edit and Continue Work?
Edit and Continue begins at build time, when the /ZI compiler switch is used. This switch is parsed by CL.EXE, the compiler driver. The driver handles the switch by expanding it to more switches that it passes to the compiler front end (C1XX.DLL) and compiler back end (C2.DLL) as follows.
Switch
Action by CL.EXE
Switch function
/GF Passed to C1XX.DLL Eliminate duplicate strings.
/FD Passed to C1XX.DLL Generate file dependencies.
/Zi Passed to C1XX.DLL Generate debug information in a program database file (.pdb).
/Gy Passed to C2.DLL Enable function-level linking.
/Zi Passed to C2.DLL Generate debug information in a program database file (.pdb).
/ZI Passed to C2.DLL Tell the compiler back end that Edit and Continue is enabled.
The compiler also stores the following information in the object module (.obj) generated for each compiled source file.
Environment variable
Value
ENC_CWD Compiler working directory at build time.
ENC_CL Path to CL.EXE (compiler driver).
ENC_SRC Path to the source file being compiled.
ENC_PDB Path to the program database file (.pdb).
ENC_CMD The exact command line that was used to compile the file.
-editandcontinue Tells the linker that the object module (.obj) was compiled for Edit and Continue.
When a file is edited in the IDE during a debugging session, the debugger determines whether Edit and Continue is enabled, and if the file is eligible for Edit and Continue. If it is, the Apply Code Changes command is enabled on the Debug menu and toolbar.
When the Apply Code Changes command is invoked, the modified files and their dependent files are recompiled using the environment variable information stored in their .obj modules (see the preceding table). The old .obj modules are renamed with an .enc extension, and a new .obj module is generated for each recompiled file. If compile errors occur, they are reported, and code changes are not applied to the application being debugged. Otherwise, binary code from the new .obj modules is added to memory and used in place of the application’s original code.

regards,
George

----- Original Message ----
From: Calin Iaru
To: Kernel Debugging Interest List
Sent: Friday, August 15, 2008 9:31:37 PM
Subject: Re: [windbg] strange 4 assembly instructions for a function

I can assume that 0xC0 is the size of the local variables that are allowed to be added during edit and continue. I guess you are not using Visual Studio 6? 6 appears to limit to 0x40 the amount of local variables. Here’s a paper describing this:

http://tinyurl.com/6gb4rm
or search for
“Enhanced Debugging with Edit and Continue in Microsoft Visual C++ 6.0”
This is a link for Visual Studio 2008:
http://tinyurl.com/6e8ayf

----- Original Message ----
From: Lin George
To: Kernel Debugging Interest List
Cc: Kernel Debugging Interest List
Sent: Friday, August 15, 2008 3:11:30 PM
Subject: Re: [windbg] strange 4 assembly instructions for a function

Thanks Jim,
Basically I agree with you. I just want to get some referred documents about how edit and continue works on the basis of reserving? more stack space. Do you have any recommendations?
regards,
George

----- Original Message ----
From: Jim Donelson
To: Kernel Debugging Interest List
Sent: Friday, August 15, 2008 8:49:13 PM
Subject: Re: [windbg] strange 4 assembly instructions for a function

Well, this is a kernel list, so none of ever ever use edit and continue.
I personally never use it as for one thing it does not always work,
for the reason you stated,and over the years there have been various
bugs with it.
Not to mention the fact it causes odd code to be generated.
Best advice - shut it off.

On Fri, Aug 15, 2008 at 8:46 AM, Jim Donelson wrote:
> Well, this is a kernel list, so none of ever ever use edit and continue.
> I personally never use it as for one thing it does not always work,
> for the reason you stated,and over the years there have been various
> bugs with it.
> Not to mention the fact it causes odd code to be generated.
> Best advice - shut it off.
>
>
> On Fri, Aug 15, 2008 at 3:02 AM, Lin George wrote:
>> Thanks Martin,
>> I agree with you. One more question, why reserving more space will enable the edit and continue feature as mentioned? This point I am very interested, but can not find any materials through Google search. Do you have any more documents in details? Or you describe by yourself?
>> (my confusion is, the developer could edit and insert as much as information – like code and data change – as he can, how could we predict the space which developer will be used in edit and continue feature?)
>> regards,
>> George
>>
>>
>> ----- Original Message ----
>> From: Martin O’Brien
>> To: Kernel Debugging Interest List
>> Sent: Thursday, August 14, 2008 2:52:30 PM
>> Subject: Re:[windbg] strange 4 assembly instructions for a function
>>
>> We seem to be going around in circles, so let’s try this differently:
>>
>> 1.? What is your question?? Please include ALL the code relevant to it.
>>
>> My guess is that your question is:
>>
>>> Don’t you think it initializes more stack space than actually needed?
>>
>> And that this is the code:
>>
>>>> 00BA13C0? push? ? ? ? ebp
>>>> 00BA13C1? mov? ? ? ? ebp,esp
>>>> 00BA13C3? sub? ? ? ? esp,0C0h
>>>> 00BA13C9? push? ? ? ? ebx
>>>> 00BA13CA? push? ? ? ? esi
>>>> 00BA13CB? push? ? ? ? edi
>>>> 00BA13CC? lea? ? ? ? edi,[ebp-0C0h]
>>>> 00BA13D2? mov? ? ? ? ecx,30h
>>>> 00BA13D7? mov? ? ? ? eax,0CCCCCCCCh
>>>> 00BA13DC? rep stos? ? dword ptr es:[edi]
>>
>> Assuming that this is correct, the basic answer is more or less what you’ve already been told.? It’s marking the ‘beginning’ of the
>> local stack with a some padding bytes that happen to the opcode for an ‘INT 3’ (0xCC).? I’m not sure the specific purpose the
>> compiler devs have in mind, but one thing it would definitely help with is diagnosing stack faults, which really suck to debug
>> without some sort of cheating like this, because by the time you find out about the problem, you’re usually well away from the
>> cause.? With this technique, if you happen to end up outside the stack boundaries - within 0xC0 bytes in this case - the cpu will
>> execute an 0xCC, a.k.a - INT 3, which will land you immediately in WinDbg, so you have a much better chance to figure out what the
>> actual problem is more quickly, without having to traverse a blown stack, which itself can confuse WinDbg.? So, from above:
>>
>>
>>>> 00BA13C0? push? ? ? ? ebp? ? ? ? ? ? -> standard prolog: preserve the base pointer
>>>> 00BA13C1? mov? ? ? ? ebp,esp? ? ? ? -> standard prolog: set the base pointer to the current stack pointer
>>>> 00BA13C3? sub? ? ? ? esp,0C0h? ? ? ? -> standard prolog: create 0xC0 (in this case) bytes of local space on the stack
>>>> 00BA13C9? push? ? ? ? ebx? ? ? ? ? ? ? -> preserve ebx (for later use)
>>>> 00BA13CA? push? ? ? ? esi? ? ? ? ? ? ? -> preserve esi (for later use)
>>>> 00BA13CB? push? ? ? ? edi? ? ? ? ? ? ? -> preserve edi (for use as target of ‘rep stos’)
>>>> 00BA13CC? lea? ? ? ? edi,[ebp-0C0h]? ? ? ? -> load the effective address of he first byte of the local space created in (2)
>>>> 00BA13D2? mov? ? ? ? ecx,30h? ? ? ? -> set ecx (iterations of ‘stos’ to ‘rep’) 0x30==0xC0/sizeof(dword ptr)
>>>> 00BA13D7? mov? ? ? ? eax,0CCCCCCCCh? ? ? ? -> set eax to the value of write to memory
>>>> 00BA13DC? rep stos? ? dword ptr es:[edi]? ? -> stores value in EAX to es:[EDI], then decrements ECX, ECX times
>>
>> The extra space could be used for some other purposes as well, some of which others have mentioned, like ‘Edit and Continue (-ZI’).
>>? As I said, I really don’t know the SPECIFIC purpose in this case, but this is the general idea.? If you want to know the SPECIFIC
>> reason, you’re going to need to find the compiler dev, or someone willing to speak for him.
>>
>> In general, George, you’re asking very detailed questions, on a very low level subject, that isn’t really on topic here, though
>> that’s not really an issue, at least as far as I’m concerned.? That being said, what I do find to be a little bit of an issue - not
>> a big one - is that you seem to be unsatisfied with anything but the specific answer to the very question you are asking, all
>> spelled out for you, on a topic like this - complicated, low level and not on topic, especially since you told us you haven’t read
>> the Intel Manuals yet.? Someone sent you a link to the Intel manuals - I would recommend that? you read them thoroughly, because
>> they are the best source for the answers to the types of questions that you are asking.? If your questions were more on topic, or
>> not on topic but at a higher level on a less complicated subject or had you already read the manual, then it wouldn’t be a problem,
>> but for something like this, in my opinion, the etiquette here basically says that you have to take what you get for a question like
>> this, and not keep posting until you get the very specific answer you want, and that people will lose patience if you don’t do your
>> homework first.? Don’t get me wrong - you clearly have been reading what people have suggested (like that article), but you don’t
>> seem to understand that the entry level for material like this is reading Volumes 1, 2 & 3 of the Intel Manuals, and until you do
>> that, you’re not going to be able to do anything useful with this information.? That doesn’t mean you shouldn’t be told or even
>> shouldn’t proceed this way, but understand that it will, in my opinion, make people want to help less.
>>
>> I hope that this is correct; it’s late, and I didn’t look very closely at the previous posts, but I think this is the general idea.
>>
>>
>> Good luck,
>>
>> mm
>>
>>
>>
>>
>>
>>
>>
>> Lin George wrote:
>>> Hi Calin,
>>> I have read through the article you mentioned for a couple of hours. It is really good and I learned something which I donot know before, even if old day technologies.
>>> But, seems it does not directly cover the answer to my question? Or I miss or misunderstand anything? Could you help to clarify please? :slight_smile:
>>> regards,
>>> George
>>>
>>>
>>> ----- Original Message ----
>>> From: Calin Iaru
>>> To: Lin George
>>> Cc: xxxxx@lists.osr.com
>>> Sent: Wednesday, July 23, 2008 7:31:30 AM
>>> Subject: Re: [windbg] strange 4 assembly instructions for a function
>>>
>>> The code you presented is code compiled on Win32 with Program Database for Edit and Continue set. If you use Program Database, then the code will look like:
>>>
>>> int f(int a, int b) {
>>> 009911A0? push? ? ? ? ebp
>>> 009911A1? mov? ? ? ? ebp,esp
>>>? ? return a+b;
>>> 009911A3? mov? ? ? ? eax,dword ptr [a]
>>> 009911A6? add? ? ? ? eax,dword ptr [b]
>>> }
>>> 009911A9? pop? ? ? ? ebp
>>> 009911AA? ret
>>>
>>>
>>> I don’t know why does PDEC arrange the code like this; perhaps is due to EC feature. PDEC implies the /Gy compiler switch which places each function definition in a code segment. The sum of these segments is the whole program; to make the code smaller, the linker has the option to remove all unused segments. An article written by Matt Pietrek specifies that the functions compiled with /Gy are aligned on a power of 2 boundary which means that each function will be padded with INT 3 instructions up to the next alignment.
>>> http://www.microsoft.com/msj/archive/S572.aspx
>>> or search for
>>> Matt Pietrek comdat
>>> on msdn.
>>>
>>> ----- Original Message ----
>>> From: Lin George
>>> To: xxxxx@yahoo.com
>>> Cc: Kernel Debugging Interest List
>>> Sent: Tuesday, July 22, 2008 7:53:57 AM
>>> Subject: Re: [windbg] strange 4 assembly instructions for a function
>>>
>>> Thanks Calin,
>>> I fully agree with you from your below points. But don’t you think it initializes more stack space than actually needed?
>>> I posted the assembly code again here. Any comments?
>>> 00BA13CC? lea? ? ? ? edi,[ebp-0C0h]
>>> 00BA13D2? mov? ? ? ? ecx,30h
>>> 00BA13D7? mov? ? ? ? eax,0CCCCCCCCh
>>> 00BA13DC? rep stos? ? dword ptr es:[edi]
>>> regards,
>>> George
>>>
>>>
>>> ----- Original Message ----
>>> From: Calin Iaru
>>> To: Kernel Debugging Interest List
>>> Sent: Monday, July 21, 2008 8:24:42 PM
>>> Subject: Re: [windbg] strange 4 assembly instructions for a function
>>>
>>> Hi,
>>>
>>>? the compiler fills with 0xCC about 0xC0 bytes of local stack data. I expect a release build to clean up the code.
>>>
>>> Best regards,
>>>? Calin
>>>
>>> PS.
>>> 0xCC is a well known value which is distinctively recognized during a crash. For instance, if you have a pointer which contains this value, it will indicate that the pointer is not initialized. Other known value is an 0xfeeefeee which says that the pointer was released. For pointers, use the !address command to find out more information about wether the page was allocated or freed and so on.
>>>
>>> — On Mon, 7/21/08, Lin George wrote:
>>>
>>>> From: Lin George
>>>> Subject: [windbg] strange 4 assembly instructions for a function
>>>> To: “Kernel Debugging Interest List”
>>>> Date: Monday, July 21, 2008, 11:59 AM
>>>> Hello everyone,
>>>>
>>>> I am confused what is the function of the 4 assembly
>>>> instructions – I found them when debugging function prolog
>>>> and epilog for study? I posted the 4 assembly instructions
>>>> and related whole source code/assembly code below.
>>>> Any ideas?
>>>> <br>&gt;&gt;&gt;&gt; 00BA13CC? lea? ? ? ? edi,[ebp-0C0h]<br>&gt;&gt;&gt;&gt; 00BA13D2? mov? ? ? ? ecx,30h<br>&gt;&gt;&gt;&gt; 00BA13D7? mov? ? ? ? eax,0CCCCCCCCh<br>&gt;&gt;&gt;&gt; 00BA13DC? rep stos? ? dword ptr es:[edi]<br>&gt;&gt;&gt;&gt;<br>&gt;&gt;&gt;&gt; int sumExample (int a, int b)<br>&gt;&gt;&gt;&gt; {<br>&gt;&gt;&gt;&gt; 00BA13C0? push? ? ? ? ebp<br>&gt;&gt;&gt;&gt; 00BA13C1? mov? ? ? ? ebp,esp<br>&gt;&gt;&gt;&gt; 00BA13C3? sub? ? ? ? esp,0C0h<br>&gt;&gt;&gt;&gt; 00BA13C9? push? ? ? ? ebx<br>&gt;&gt;&gt;&gt; 00BA13CA? push? ? ? ? esi<br>&gt;&gt;&gt;&gt; 00BA13CB? push? ? ? ? edi<br>&gt;&gt;&gt;&gt; 00BA13CC? lea? ? ? ? edi,[ebp-0C0h]<br>&gt;&gt;&gt;&gt; 00BA13D2? mov? ? ? ? ecx,30h<br>&gt;&gt;&gt;&gt; 00BA13D7? mov? ? ? ? eax,0CCCCCCCCh<br>&gt;&gt;&gt;&gt; 00BA13DC? rep stos? ? dword ptr es:[edi]<br>&gt;&gt;&gt;&gt;? ? return a + b;<br>&gt;&gt;&gt;&gt; 00BA13DE? mov? ? ? ? eax,dword ptr [a]<br>&gt;&gt;&gt;&gt; 00BA13E1? add? ? ? ? eax,dword ptr [b]<br>&gt;&gt;&gt;&gt; }<br>&gt;&gt;&gt;&gt; #include <iostream><br>&gt;&gt;&gt;&gt; using namespace std;<br>&gt;&gt;&gt;&gt; int sumExample (int a, int b)<br>&gt;&gt;&gt;&gt; {<br>&gt;&gt;&gt;&gt;? ? return a + b;<br>&gt;&gt;&gt;&gt; }<br>&gt;&gt;&gt;&gt; int main()<br>&gt;&gt;&gt;&gt; {<br>&gt;&gt;&gt;&gt;? int c = sumExample (100, 200);<br>&gt;&gt;&gt;&gt;? cout &lt;&lt; c &lt;&lt; endl;<br>&gt;&gt;&gt;&gt;? return 0;<br>&gt;&gt;&gt;&gt; }<br>&gt;&gt;&gt;&gt;
>>>>
>>>> thanks in advance,
>>>> George
>>>>
>>>>
>>>>
>>>>
>>>> —
>>>> You are currently subscribed to windbg as: unknown lmsubst
>>>> tag argument: ‘’
>>>> To unsubscribe send a blank email to
>>>> xxxxx@lists.osr.com
>>>
>>>
>>>
>>>
>>> —
>>> You are currently subscribed to windbg as: unknown lmsubst tag argument: ‘’
>>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>>
>>>
>>>
>>>
>>
>> —
>> You are currently subscribed to windbg as: xxxxx@yahoo.com
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>>
>>
>>
>>
>> —
>> You are currently subscribed to windbg as: unknown lmsubst tag argument: ‘’
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>


You are currently subscribed to windbg as: xxxxx@yahoo.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

? ? ?


You are currently subscribed to windbg as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

? ? ?


You are currently subscribed to windbg as: xxxxx@yahoo.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Sorry for any inconveniences, Martin. Even if no result could be found because of a non-open system, I appreciate the process of discussion which I also learn a lot from each other. :slight_smile:
regards,
George

----- Original Message ----
From: Martin O’Brien
To: Kernel Debugging Interest List
Sent: Monday, August 18, 2008 8:33:38 PM
Subject: Re:[windbg] strange 4 assembly instructions for a function

George, why are you asking us?? I don’t know why some on sysinternals didn’t write the document you want.? Either way, it is what it
is, man.? You’ve just got to let this one go.? I hear you on curiosity, but no matter how many different ways and how many time you
ask this question - we do not appear to know the answer, at least at the moment.

mm

Lin George wrote:
> You are so humourous Jim. I am still confused why I can not find any
> materials regarding to this topic. For any other internally topics, like
> linker/compiler optimization, there are abundant documents on System
> Internals.
>?
> regards,
> George
>
> ----- Original Message ----
> From: Jim Donelson
> To: Lin George
> Sent: Friday, August 15, 2008 9:24:26 PM
> Subject: Re: [windbg] strange 4 assembly instructions for a function
>
> Yes, get hired by the Microsoft VS Team and look at the source code.
>
>
> On Fri, Aug 15, 2008 at 9:11 AM, Lin George > mailto:xxxxx> wrote:
>
>? ? Thanks Jim,
>? ? Basically I agree with you. I just want to get some referred
>? ? documents about how edit and continue works on the basis of
>? ? reserving? more stack space. Do you have any recommendations?
>? ? regards,
>? ? George
>
>
>? ? ----- Original Message ----
>? ? From: Jim Donelson >
>? ? To: Kernel Debugging Interest List >? ? mailto:xxxxx>
>? ? Sent: Friday, August 15, 2008 8:49:13 PM
>? ? Subject: Re: [windbg] strange 4 assembly instructions for a function
>
>? ? Well, this is a kernel list, so none of ever ever use edit and continue.
>? ? I personally never use it as for one thing it does not always work,
>? ? for the reason you stated,and over the years there have been various
>? ? bugs with it.
>? ? Not to mention the fact it causes odd code to be generated.
>? ? Best advice - shut it off.
>
>? ? On Fri, Aug 15, 2008 at 8:46 AM, Jim Donelson >? ? mailto:xxxxx> wrote:
>? ? ? > Well, this is a kernel list, so none of ever ever use edit and
>? ? continue.
>? ? ? > I personally never use it as for one thing it does not always work,
>? ? ? > for the reason you stated,and over the years there have been various
>? ? ? > bugs with it.
>? ? ? > Not to mention the fact it causes odd code to be generated.
>? ? ? > Best advice - shut it off.
>? ? ? >
>? ? ? >
>? ? ? > On Fri, Aug 15, 2008 at 3:02 AM, Lin George
>? ? > wrote:
>? ? ? >> Thanks Martin,
>? ? ? >> I agree with you. One more question, why reserving more space
>? ? will enable the edit and continue feature as mentioned? This point I
>? ? am very interested, but can not find any materials through Google
>? ? search. Do you have any more documents in details? Or you describe
>? ? by yourself?
>? ? ? >> (my confusion is, the developer could edit and insert as much as
>? ? information – like code and data change – as he can, how could we
>? ? predict the space which developer will be used in edit and continue
>? ? feature?)
>? ? ? >> regards,
>? ? ? >> George
>? ? ? >>
>? ? ? >>
>? ? ? >> ----- Original Message ----
>? ? ? >> From: Martin O’Brien >? ? mailto:xxxxx>
>? ? ? >> To: Kernel Debugging Interest List >? ? mailto:xxxxx>
>? ? ? >> Sent: Thursday, August 14, 2008 2:52:30 PM
>? ? ? >> Subject: Re:[windbg] strange 4 assembly instructions for a function
>? ? ? >>
>? ? ? >> We seem to be going around in circles, so let’s try this
>? ? differently:
>? ? ? >>
>? ? ? >> 1.? What is your question?? Please include ALL the code relevant
>? ? to it.
>? ? ? >>
>? ? ? >> My guess is that your question is:
>? ? ? >>
>? ? ? >>> Don’t you think it initializes more stack space than actually
>? ? needed?
>? ? ? >>
>? ? ? >> And that this is the code:
>? ? ? >>
>? ? ? >>>> 00BA13C0? push? ? ? ? ebp
>? ? ? >>>> 00BA13C1? mov? ? ? ? ebp,esp
>? ? ? >>>> 00BA13C3? sub? ? ? ? esp,0C0h
>? ? ? >>>> 00BA13C9? push? ? ? ? ebx
>? ? ? >>>> 00BA13CA? push? ? ? ? esi
>? ? ? >>>> 00BA13CB? push? ? ? ? edi
>? ? ? >>>> 00BA13CC? lea? ? ? ? edi,[ebp-0C0h]
>? ? ? >>>> 00BA13D2? mov? ? ? ? ecx,30h
>? ? ? >>>> 00BA13D7? mov? ? ? ? eax,0CCCCCCCCh
>? ? ? >>>> 00BA13DC? rep stos? ? dword ptr es:[edi]
>? ? ? >>
>? ? ? >> Assuming that this is correct, the basic answer is more or less
>? ? what you’ve already been told.? It’s marking the ‘beginning’ of the
>? ? ? >> local stack with a some padding bytes that happen to the opcode
>? ? for an ‘INT 3’ (0xCC).? I’m not sure the specific purpose the
>? ? ? >> compiler devs have in mind, but one thing it would definitely
>? ? help with is diagnosing stack faults, which really suck to debug
>? ? ? >> without some sort of cheating like this, because by the time you
>? ? find out about the problem, you’re usually well away from the
>? ? ? >> cause.? With this technique, if you happen to end up outside the
>? ? stack boundaries - within 0xC0 bytes in this case - the cpu will
>? ? ? >> execute an 0xCC, a.k.a - INT 3, which will land you immediately
>? ? in WinDbg, so you have a much better chance to figure out what the
>? ? ? >> actual problem is more quickly, without having to traverse a
>? ? blown stack, which itself can confuse WinDbg.? So, from above:
>? ? ? >>
>? ? ? >>
>? ? ? >>>> 00BA13C0? push? ? ? ? ebp? ? ? ? ? ? -> standard prolog:
>? ? preserve the base pointer
>? ? ? >>>> 00BA13C1? mov? ? ? ? ebp,esp? ? ? ? -> standard prolog: set
>? ? the base pointer to the current stack pointer
>? ? ? >>>> 00BA13C3? sub? ? ? ? esp,0C0h? ? ? ? -> standard prolog:
>? ? create 0xC0 (in this case) bytes of local space on the stack
>? ? ? >>>> 00BA13C9? push? ? ? ? ebx? ? ? ? ? ? ? -> preserve ebx (for
>? ? later use)
>? ? ? >>>> 00BA13CA? push? ? ? ? esi? ? ? ? ? ? ? -> preserve esi (for
>? ? later use)
>? ? ? >>>> 00BA13CB? push? ? ? ? edi? ? ? ? ? ? ? -> preserve edi (for
>? ? use as target of ‘rep stos’)
>? ? ? >>>> 00BA13CC? lea? ? ? ? edi,[ebp-0C0h]? ? ? ? -> load the
>? ? effective address of he first byte of the local space created in (2)
>? ? ? >>>> 00BA13D2? mov? ? ? ? ecx,30h? ? ? ? -> set ecx (iterations of
>? ? ‘stos’ to ‘rep’) 0x30==0xC0/sizeof(dword ptr)
>? ? ? >>>> 00BA13D7? mov? ? ? ? eax,0CCCCCCCCh? ? ? ? -> set eax to the
>? ? value of write to memory
>? ? ? >>>> 00BA13DC? rep stos? ? dword ptr es:[edi]? ? -> stores value in
>? ? EAX to es:[EDI], then decrements ECX, ECX times
>? ? ? >>
>? ? ? >> The extra space could be used for some other purposes as well,
>? ? some of which others have mentioned, like ‘Edit and Continue (-ZI’).
>? ? ? >>? As I said, I really don’t know the SPECIFIC purpose in this
>? ? case, but this is the general idea.? If you want to know the SPECIFIC
>? ? ? >> reason, you’re going to need to find the compiler dev, or
>? ? someone willing to speak for him.
>? ? ? >>
>? ? ? >> In general, George, you’re asking very detailed questions, on a
>? ? very low level subject, that isn’t really on topic here, though
>? ? ? >> that’s not really an issue, at least as far as I’m concerned.
>? ? That being said, what I do find to be a little bit of an issue - not
>? ? ? >> a big one - is that you seem to be unsatisfied with anything but
>? ? the specific answer to the very question you are asking, all
>? ? ? >> spelled out for you, on a topic like this - complicated, low
>? ? level and not on topic, especially since you told us you haven’t read
>? ? ? >> the Intel Manuals yet.? Someone sent you a link to the Intel
>? ? manuals - I would recommend that? you read them thoroughly, because
>? ? ? >> they are the best source for the answers to the types of
>? ? questions that you are asking.? If your questions were more on topic, or
>? ? ? >> not on topic but at a higher level on a less complicated subject
>? ? or had you already read the manual, then it wouldn’t be a problem,
>? ? ? >> but for something like this, in my opinion, the etiquette here
>? ? basically says that you have to take what you get for a question like
>? ? ? >> this, and not keep posting until you get the very specific
>? ? answer you want, and that people will lose patience if you don’t do your
>? ? ? >> homework first.? Don’t get me wrong - you clearly have been
>? ? reading what people have suggested (like that article), but you don’t
>? ? ? >> seem to understand that the entry level for material like this
>? ? is reading Volumes 1, 2 & 3 of the Intel Manuals, and until you do
>? ? ? >> that, you’re not going to be able to do anything useful with
>? ? this information.? That doesn’t mean you shouldn’t be told or even
>? ? ? >> shouldn’t proceed this way, but understand that it will, in my
>? ? opinion, make people want to help less.
>? ? ? >>
>? ? ? >> I hope that this is correct; it’s late, and I didn’t look very
>? ? closely at the previous posts, but I think this is the general idea.
>? ? ? >>
>? ? ? >>
>? ? ? >> Good luck,
>? ? ? >>
>? ? ? >> mm
>? ? ? >>
>? ? ? >>
>? ? ? >>
>? ? ? >>
>? ? ? >>
>? ? ? >>
>? ? ? >>
>? ? ? >> Lin George wrote:
>? ? ? >>> Hi Calin,
>? ? ? >>> I have read through the article you mentioned for a couple of
>? ? hours. It is really good and I learned something which I donot know
>? ? before, even if old day technologies.
>? ? ? >>> But, seems it does not directly cover the answer to my
>? ? question? Or I miss or misunderstand anything? Could you help to
>? ? clarify please? :slight_smile:
>? ? ? >>> regards,
>? ? ? >>> George
>? ? ? >>>
>? ? ? >>>
>? ? ? >>> ----- Original Message ----
>? ? ? >>> From: Calin Iaru >? ? mailto:xxxxx>
>? ? ? >>> To: Lin George >? ? mailto:xxxxx>
>? ? ? >>> Cc: xxxxx@lists.osr.com mailto:xxxxx
>? ? ? >>> Sent: Wednesday, July 23, 2008 7:31:30 AM
>? ? ? >>> Subject: Re: [windbg] strange 4 assembly instructions for a
>? ? function
>? ? ? >>>
>? ? ? >>> The code you presented is code compiled on Win32 with Program
>? ? Database for Edit and Continue set. If you use Program Database,
>? ? then the code will look like:
>? ? ? >>>
>? ? ? >>> int f(int a, int b) {
>? ? ? >>> 009911A0? push? ? ? ? ebp
>? ? ? >>> 009911A1? mov? ? ? ? ebp,esp
>? ? ? >>>? ? return a+b;
>? ? ? >>> 009911A3? mov? ? ? ? eax,dword ptr [a]
>? ? ? >>> 009911A6? add? ? ? ? eax,dword ptr [b]
>? ? ? >>> }
>? ? ? >>> 009911A9? pop? ? ? ? ebp
>? ? ? >>> 009911AA? ret
>? ? ? >>>
>? ? ? >>>
>? ? ? >>> I don’t know why does PDEC arrange the code like this; perhaps
>? ? is due to EC feature. PDEC implies the /Gy compiler switch which
>? ? places each function definition in a code segment. The sum of these
>? ? segments is the whole program; to make the code smaller, the linker
>? ? has the option to remove all unused segments. An article written by
>? ? Matt Pietrek specifies that the functions compiled with /Gy are
>? ? aligned on a power of 2 boundary which means that each function will
>? ? be padded with INT 3 instructions up to the next alignment.
>? ? ? >>> http://www.microsoft.com/msj/archive/S572.aspx
>? ? ? >>> or search for
>? ? ? >>> Matt Pietrek comdat
>? ? ? >>> on msdn.
>? ? ? >>>
>? ? ? >>> ----- Original Message ----
>? ? ? >>> From: Lin George >? ? mailto:xxxxx>
>? ? ? >>> To: xxxxx@yahoo.com mailto:xxxxx
>? ? ? >>> Cc: Kernel Debugging Interest List >? ? mailto:xxxxx>
>? ? ? >>> Sent: Tuesday, July 22, 2008 7:53:57 AM
>? ? ? >>> Subject: Re: [windbg] strange 4 assembly instructions for a
>? ? function
>? ? ? >>>
>? ? ? >>> Thanks Calin,
>? ? ? >>> I fully agree with you from your below points. But don’t you
>? ? think it initializes more stack space than actually needed?
>? ? ? >>> I posted the assembly code again here. Any comments?
>? ? ? >>> 00BA13CC? lea? ? ? ? edi,[ebp-0C0h]
>? ? ? >>> 00BA13D2? mov? ? ? ? ecx,30h
>? ? ? >>> 00BA13D7? mov? ? ? ? eax,0CCCCCCCCh
>? ? ? >>> 00BA13DC? rep stos? ? dword ptr es:[edi]
>? ? ? >>> regards,
>? ? ? >>> George
>? ? ? >>>
>? ? ? >>>
>? ? ? >>> ----- Original Message ----
>? ? ? >>> From: Calin Iaru >? ? mailto:xxxxx>
>? ? ? >>> To: Kernel Debugging Interest List >? ? mailto:xxxxx>
>? ? ? >>> Sent: Monday, July 21, 2008 8:24:42 PM
>? ? ? >>> Subject: Re: [windbg] strange 4 assembly instructions for a
>? ? function
>? ? ? >>>
>? ? ? >>> Hi,
>? ? ? >>>
>? ? ? >>>? the compiler fills with 0xCC about 0xC0 bytes of local stack
>? ? data. I expect a release build to clean up the code.
>? ? ? >>>
>? ? ? >>> Best regards,
>? ? ? >>>? Calin
>? ? ? >>>
>? ? ? >>> PS.
>? ? ? >>> 0xCC is a well known value which is distinctively recognized
>? ? during a crash. For instance, if you have a pointer which contains
>? ? this value, it will indicate that the pointer is not initialized.
>? ? Other known value is an 0xfeeefeee which says that the pointer was
>? ? released. For pointers, use the !address command to find out more
>? ? information about wether the page was allocated or freed and so on.
>? ? ? >>>
>? ? ? >>> — On Mon, 7/21/08, Lin George >? ? mailto:xxxxx> wrote:
>? ? ? >>>
>? ? ? >>>> From: Lin George >? ? mailto:xxxxx>
>? ? ? >>>> Subject: [windbg] strange 4 assembly instructions for a function
>? ? ? >>>> To: “Kernel Debugging Interest List” >? ? mailto:xxxxx>
>? ? ? >>>> Date: Monday, July 21, 2008, 11:59 AM
>? ? ? >>>> Hello everyone,
>? ? ? >>>>
>? ? ? >>>> I am confused what is the function of the 4 assembly
>? ? ? >>>> instructions – I found them when debugging function prolog
>? ? ? >>>> and epilog for study? I posted the 4 assembly instructions
>? ? ? >>>> and related whole source code/assembly code below.
>? ? ? >>>> Any ideas?
>? ? ? >>>> <br>&gt;? ? ? &gt;&gt;&gt;&gt; 00BA13CC? lea? ? ? ? edi,[ebp-0C0h]<br>&gt;? ? ? &gt;&gt;&gt;&gt; 00BA13D2? mov? ? ? ? ecx,30h<br>&gt;? ? ? &gt;&gt;&gt;&gt; 00BA13D7? mov? ? ? ? eax,0CCCCCCCCh<br>&gt;? ? ? &gt;&gt;&gt;&gt; 00BA13DC? rep stos? ? dword ptr es:[edi]<br>&gt;? ? ? &gt;&gt;&gt;&gt;<br>&gt;? ? ? &gt;&gt;&gt;&gt; int sumExample (int a, int b)<br>&gt;? ? ? &gt;&gt;&gt;&gt; {<br>&gt;? ? ? &gt;&gt;&gt;&gt; 00BA13C0? push? ? ? ? ebp<br>&gt;? ? ? &gt;&gt;&gt;&gt; 00BA13C1? mov? ? ? ? ebp,esp<br>&gt;? ? ? &gt;&gt;&gt;&gt; 00BA13C3? sub? ? ? ? esp,0C0h<br>&gt;? ? ? &gt;&gt;&gt;&gt; 00BA13C9? push? ? ? ? ebx<br>&gt;? ? ? &gt;&gt;&gt;&gt; 00BA13CA? push? ? ? ? esi<br>&gt;? ? ? &gt;&gt;&gt;&gt; 00BA13CB? push? ? ? ? edi<br>&gt;? ? ? &gt;&gt;&gt;&gt; 00BA13CC? lea? ? ? ? edi,[ebp-0C0h]<br>&gt;? ? ? &gt;&gt;&gt;&gt; 00BA13D2? mov? ? ? ? ecx,30h<br>&gt;? ? ? &gt;&gt;&gt;&gt; 00BA13D7? mov? ? ? ? eax,0CCCCCCCCh<br>&gt;? ? ? &gt;&gt;&gt;&gt; 00BA13DC? rep stos? ? dword ptr es:[edi]<br>&gt;? ? ? &gt;&gt;&gt;&gt;? ? return a + b;<br>&gt;? ? ? &gt;&gt;&gt;&gt; 00BA13DE? mov? ? ? ? eax,dword ptr [a]<br>&gt;? ? ? &gt;&gt;&gt;&gt; 00BA13E1? add? ? ? ? eax,dword ptr [b]<br>&gt;? ? ? &gt;&gt;&gt;&gt; }<br>&gt;? ? ? &gt;&gt;&gt;&gt; #include <iostream><br>&gt;? ? ? &gt;&gt;&gt;&gt; using namespace std;<br>&gt;? ? ? &gt;&gt;&gt;&gt; int sumExample (int a, int b)<br>&gt;? ? ? &gt;&gt;&gt;&gt; {<br>&gt;? ? ? &gt;&gt;&gt;&gt;? ? return a + b;<br>&gt;? ? ? &gt;&gt;&gt;&gt; }<br>&gt;? ? ? &gt;&gt;&gt;&gt; int main()<br>&gt;? ? ? &gt;&gt;&gt;&gt; {<br>&gt;? ? ? &gt;&gt;&gt;&gt;? int c = sumExample (100, 200);<br>&gt;? ? ? &gt;&gt;&gt;&gt;? cout &lt;&lt; c &lt;&lt; endl;<br>&gt;? ? ? &gt;&gt;&gt;&gt;? return 0;<br>&gt;? ? ? &gt;&gt;&gt;&gt; }<br>&gt;? ? ? &gt;&gt;&gt;&gt;
>? ? ? >>>>
>? ? ? >>>> thanks in advance,
>? ? ? >>>> George
>? ? ? >>>>
>? ? ? >>>>
>? ? ? >>>>
>? ? ? >>>>
>? ? ? >>>> —
>? ? ? >>>> You are currently subscribed to windbg as: unknown lmsubst
>? ? ? >>>> tag argument: ‘’
>? ? ? >>>> To unsubscribe send a blank email to
>? ? ? >>>> xxxxx@lists.osr.com
>? ? mailto:xxxxx
>? ? ? >>>
>? ? ? >>>
>? ? ? >>>
>? ? ? >>>
>? ? ? >>> —
>? ? ? >>> You are currently subscribed to windbg as: unknown lmsubst tag
>? ? argument: ‘’
>? ? ? >>> To unsubscribe send a blank email to
>? ? xxxxx@lists.osr.com
>? ? mailto:xxxxx
>? ? ? >>>
>? ? ? >>>
>? ? ? >>>
>? ? ? >>>
>? ? ? >>
>? ? ? >> —
>? ? ? >> You are currently subscribed to windbg as:
>? ? xxxxx@yahoo.com mailto:xxxxx
>? ? ? >> To unsubscribe send a blank email to
>? ? xxxxx@lists.osr.com
>? ? mailto:xxxxx
>? ? ? >>
>? ? ? >>
>? ? ? >>
>? ? ? >>
>? ? ? >>
>? ? ? >> —
>? ? ? >> You are currently subscribed to windbg as: unknown lmsubst tag
>? ? argument: ‘’
>? ? ? >> To unsubscribe send a blank email to
>? ? xxxxx@lists.osr.com
>? ? mailto:xxxxx
>? ? ? >>
>? ? ? >
>
>? ? —
>? ? You are currently subscribed to windbg as: xxxxx@yahoo.com
>? ? mailto:xxxxx
>? ? To unsubscribe send a blank email to
>? ? xxxxx@lists.osr.com
>? ? mailto:xxxxx
>
>
>
>
>
>


You are currently subscribed to windbg as: xxxxx@yahoo.com
To unsubscribe send a blank email to xxxxx@lists.osr.com</mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx>

I think the point of frustration for most people is that I think most people agree on the idea that when you do / discover something for yourself, you learn better than when you simply ask a question and get an answer. Also, this is a debugging mailing list. Nothing to do with Edit and Continue. Edit and Continue questsions would best be asked on a compiler / linker mailing list.

Regarding my first point though, many of the things that you ask are very easy to discover on your own. This is no exception. It seems quite easy to figure out why the stack bytes are reserved for Edit and Continue (thinking about it for about 5 seconds I actually have a very good guess, but I’d be doing you an injustice by not letting you discover it on your own). So instead of posting about all these questions which are not related to Windbg, figure them out. Many of us might be curious to know what you found out, but we’re not too interested in answering questions that are not specifically related to the operation and use of Windbg.

So, that being said, create a test that will allow you to figure out what those extra bytes of stack space are for. How to create such a test? Enable Edit and Continue, then edit something, then continue, then look at the new byets of stack space. What happened?


From: xxxxx@lists.osr.com [xxxxx@lists.osr.com] On Behalf Of Lin George [xxxxx@yahoo.com]
Sent: Monday, August 18, 2008 7:47 AM
To: Kernel Debugging Interest List
Cc: Kernel Debugging Interest List
Subject: Re: [windbg] strange 4 assembly instructions for a function

Sorry for any inconveniences, Martin. Even if no result could be found because of a non-open system, I appreciate the process of discussion which I also learn a lot from each other. :slight_smile:
regards,
George

----- Original Message ----
From: Martin O’Brien
To: Kernel Debugging Interest List
Sent: Monday, August 18, 2008 8:33:38 PM
Subject: Re:[windbg] strange 4 assembly instructions for a function

George, why are you asking us? I don’t know why some on sysinternals didn’t write the document you want. Either way, it is what it
is, man. You’ve just got to let this one go. I hear you on curiosity, but no matter how many different ways and how many time you
ask this question - we do not appear to know the answer, at least at the moment.

mm

Lin George wrote:
> You are so humourous Jim. I am still confused why I can not find any
> materials regarding to this topic. For any other internally topics, like
> linker/compiler optimization, there are abundant documents on System
> Internals.
>
> regards,
> George
>
> ----- Original Message ----
> From: Jim Donelson
> To: Lin George
> Sent: Friday, August 15, 2008 9:24:26 PM
> Subject: Re: [windbg] strange 4 assembly instructions for a function
>
> Yes, get hired by the Microsoft VS Team and look at the source code.
>
>
> On Fri, Aug 15, 2008 at 9:11 AM, Lin George > mailto:xxxxx> wrote:
>
> Thanks Jim,
> Basically I agree with you. I just want to get some referred
> documents about how edit and continue works on the basis of
> reserving more stack space. Do you have any recommendations?
> regards,
> George
>
>
> ----- Original Message ----
> From: Jim Donelson >
> To: Kernel Debugging Interest List > mailto:xxxxx>
> Sent: Friday, August 15, 2008 8:49:13 PM
> Subject: Re: [windbg] strange 4 assembly instructions for a function
>
> Well, this is a kernel list, so none of ever ever use edit and continue.
> I personally never use it as for one thing it does not always work,
> for the reason you stated,and over the years there have been various
> bugs with it.
> Not to mention the fact it causes odd code to be generated.
> Best advice - shut it off.
>
> On Fri, Aug 15, 2008 at 8:46 AM, Jim Donelson > mailto:xxxxx> wrote:
> > Well, this is a kernel list, so none of ever ever use edit and
> continue.
> > I personally never use it as for one thing it does not always work,
> > for the reason you stated,and over the years there have been various
> > bugs with it.
> > Not to mention the fact it causes odd code to be generated.
> > Best advice - shut it off.
> >
> >
> > On Fri, Aug 15, 2008 at 3:02 AM, Lin George
> > wrote:
> >> Thanks Martin,
> >> I agree with you. One more question, why reserving more space
> will enable the edit and continue feature as mentioned? This point I
> am very interested, but can not find any materials through Google
> search. Do you have any more documents in details? Or you describe
> by yourself?
> >> (my confusion is, the developer could edit and insert as much as
> information – like code and data change – as he can, how could we
> predict the space which developer will be used in edit and continue
> feature?)
> >> regards,
> >> George
> >>
> >>
> >> ----- Original Message ----
> >> From: Martin O’Brien > mailto:xxxxx>
> >> To: Kernel Debugging Interest List > mailto:xxxxx>
> >> Sent: Thursday, August 14, 2008 2:52:30 PM
> >> Subject: Re:[windbg] strange 4 assembly instructions for a function
> >>
> >> We seem to be going around in circles, so let’s try this
> differently:
> >>
> >> 1. What is your question? Please include ALL the code relevant
> to it.
> >>
> >> My guess is that your question is:
> >>
> >>> Don’t you think it initializes more stack space than actually
> needed?
> >>
> >> And that this is the code:
> >>
> >>>> 00BA13C0 push ebp
> >>>> 00BA13C1 mov ebp,esp
> >>>> 00BA13C3 sub esp,0C0h
> >>>> 00BA13C9 push ebx
> >>>> 00BA13CA push esi
> >>>> 00BA13CB push edi
> >>>> 00BA13CC lea edi,[ebp-0C0h]
> >>>> 00BA13D2 mov ecx,30h
> >>>> 00BA13D7 mov eax,0CCCCCCCCh
> >>>> 00BA13DC rep stos dword ptr es:[edi]
> >>
> >> Assuming that this is correct, the basic answer is more or less
> what you’ve already been told. It’s marking the ‘beginning’ of the
> >> local stack with a some padding bytes that happen to the opcode
> for an ‘INT 3’ (0xCC). I’m not sure the specific purpose the
> >> compiler devs have in mind, but one thing it would definitely
> help with is diagnosing stack faults, which really suck to debug
> >> without some sort of cheating like this, because by the time you
> find out about the problem, you’re usually well away from the
> >> cause. With this technique, if you happen to end up outside the
> stack boundaries - within 0xC0 bytes in this case - the cpu will
> >> execute an 0xCC, a.k.a - INT 3, which will land you immediately
> in WinDbg, so you have a much better chance to figure out what the
> >> actual problem is more quickly, without having to traverse a
> blown stack, which itself can confuse WinDbg. So, from above:
> >>
> >>
> >>>> 00BA13C0 push ebp -> standard prolog:
> preserve the base pointer
> >>>> 00BA13C1 mov ebp,esp -> standard prolog: set
> the base pointer to the current stack pointer
> >>>> 00BA13C3 sub esp,0C0h -> standard prolog:
> create 0xC0 (in this case) bytes of local space on the stack
> >>>> 00BA13C9 push ebx -> preserve ebx (for
> later use)
> >>>> 00BA13CA push esi -> preserve esi (for
> later use)
> >>>> 00BA13CB push edi -> preserve edi (for
> use as target of ‘rep stos’)
> >>>> 00BA13CC lea edi,[ebp-0C0h] -> load the
> effective address of he first byte of the local space created in (2)
> >>>> 00BA13D2 mov ecx,30h -> set ecx (iterations of
> ‘stos’ to ‘rep’) 0x30==0xC0/sizeof(dword ptr)
> >>>> 00BA13D7 mov eax,0CCCCCCCCh -> set eax to the
> value of write to memory
> >>>> 00BA13DC rep stos dword ptr es:[edi] -> stores value in
> EAX to es:[EDI], then decrements ECX, ECX times
> >>
> >> The extra space could be used for some other purposes as well,
> some of which others have mentioned, like ‘Edit and Continue (-ZI’).
> >> As I said, I really don’t know the SPECIFIC purpose in this
> case, but this is the general idea. If you want to know the SPECIFIC
> >> reason, you’re going to need to find the compiler dev, or
> someone willing to speak for him.
> >>
> >> In general, George, you’re asking very detailed questions, on a
> very low level subject, that isn’t really on topic here, though
> >> that’s not really an issue, at least as far as I’m concerned.
> That being said, what I do find to be a little bit of an issue - not
> >> a big one - is that you seem to be unsatisfied with anything but
> the specific answer to the very question you are asking, all
> >> spelled out for you, on a topic like this - complicated, low
> level and not on topic, especially since you told us you haven’t read
> >> the Intel Manuals yet. Someone sent you a link to the Intel
> manuals - I would recommend that you read them thoroughly, because
> >> they are the best source for the answers to the types of
> questions that you are asking. If your questions were more on topic, or
> >> not on topic but at a higher level on a less complicated subject
> or had you already read the manual, then it wouldn’t be a problem,
> >> but for something like this, in my opinion, the etiquette here
> basically says that you have to take what you get for a question like
> >> this, and not keep posting until you get the very specific
> answer you want, and that people will lose patience if you don’t do your
> >> homework first. Don’t get me wrong - you clearly have been
> reading what people have suggested (like that article), but you don’t
> >> seem to understand that the entry level for material like this
> is reading Volumes 1, 2 & 3 of the Intel Manuals, and until you do
> >> that, you’re not going to be able to do anything useful with
> this information. That doesn’t mean you shouldn’t be told or even
> >> shouldn’t proceed this way, but understand that it will, in my
> opinion, make people want to help less.
> >>
> >> I hope that this is correct; it’s late, and I didn’t look very
> closely at the previous posts, but I think this is the general idea.
> >>
> >>
> >> Good luck,
> >>
> >> mm
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> Lin George wrote:
> >>> Hi Calin,
> >>> I have read through the article you mentioned for a couple of
> hours. It is really good and I learned something which I donot know
> before, even if old day technologies.
> >>> But, seems it does not directly cover the answer to my
> question? Or I miss or misunderstand anything? Could you help to
> clarify please? :slight_smile:
> >>> regards,
> >>> George
> >>>
> >>>
> >>> ----- Original Message ----
> >>> From: Calin Iaru > mailto:xxxxx>
> >>> To: Lin George > mailto:xxxxx>
> >>> Cc: xxxxx@lists.osr.com mailto:xxxxx
> >>> Sent: Wednesday, July 23, 2008 7:31:30 AM
> >>> Subject: Re: [windbg] strange 4 assembly instructions for a
> function
> >>>
> >>> The code you presented is code compiled on Win32 with Program
> Database for Edit and Continue set. If you use Program Database,
> then the code will look like:
> >>>
> >>> int f(int a, int b) {
> >>> 009911A0 push ebp
> >>> 009911A1 mov ebp,esp
> >>> return a+b;
> >>> 009911A3 mov eax,dword ptr [a]
> >>> 009911A6 add eax,dword ptr [b]
> >>> }
> >>> 009911A9 pop ebp
> >>> 009911AA ret
> >>>
> >>>
> >>> I don’t know why does PDEC arrange the code like this; perhaps
> is due to EC feature. PDEC implies the /Gy compiler switch which
> places each function definition in a code segment. The sum of these
> segments is the whole program; to make the code smaller, the linker
> has the option to remove all unused segments. An article written by
> Matt Pietrek specifies that the functions compiled with /Gy are
> aligned on a power of 2 boundary which means that each function will
> be padded with INT 3 instructions up to the next alignment.
> >>> http://www.microsoft.com/msj/archive/S572.aspx
> >>> or search for
> >>> Matt Pietrek comdat
> >>> on msdn.
> >>>
> >>> ----- Original Message ----
> >>> From: Lin George > mailto:xxxxx>
> >>> To: xxxxx@yahoo.com mailto:xxxxx
> >>> Cc: Kernel Debugging Interest List > mailto:xxxxx>
> >>> Sent: Tuesday, July 22, 2008 7:53:57 AM
> >>> Subject: Re: [windbg] strange 4 assembly instructions for a
> function
> >>>
> >>> Thanks Calin,
> >>> I fully agree with you from your below points. But don’t you
> think it initializes more stack space than actually needed?
> >>> I posted the assembly code again here. Any comments?
> >>> 00BA13CC lea edi,[ebp-0C0h]
> >>> 00BA13D2 mov ecx,30h
> >>> 00BA13D7 mov eax,0CCCCCCCCh
> >>> 00BA13DC rep stos dword ptr es:[edi]
> >>> regards,
> >>> George
> >>>
> >>>
> >>> ----- Original Message ----
> >>> From: Calin Iaru > mailto:xxxxx>
> >>> To: Kernel Debugging Interest List > mailto:xxxxx>
> >>> Sent: Monday, July 21, 2008 8:24:42 PM
> >>> Subject: Re: [windbg] strange 4 assembly instructions for a
> function
> >>>
> >>> Hi,
> >>>
> >>> the compiler fills with 0xCC about 0xC0 bytes of local stack
> data. I expect a release build to clean up the code.
> >>>
> >>> Best regards,
> >>> Calin
> >>>
> >>> PS.
> >>> 0xCC is a well known value which is distinctively recognized
> during a crash. For instance, if you have a pointer which contains
> this value, it will indicate that the pointer is not initialized.
> Other known value is an 0xfeeefeee which says that the pointer was
> released. For pointers, use the !address command to find out more
> information about wether the page was allocated or freed and so on.
> >>>
> >>> — On Mon, 7/21/08, Lin George > mailto:xxxxx> wrote:
> >>>
> >>>> From: Lin George > mailto:xxxxx>
> >>>> Subject: [windbg] strange 4 assembly instructions for a function
> >>>> To: “Kernel Debugging Interest List” > mailto:xxxxx>
> >>>> Date: Monday, July 21, 2008, 11:59 AM
> >>>> Hello everyone,
> >>>>
> >>>> I am confused what is the function of the 4 assembly
> >>>> instructions – I found them when debugging function prolog
> >>>> and epilog for study? I posted the 4 assembly instructions
> >>>> and related whole source code/assembly code below.
> >>>> Any ideas?
> >>>> <br>&gt; &gt;&gt;&gt;&gt; 00BA13CC lea edi,[ebp-0C0h]<br>&gt; &gt;&gt;&gt;&gt; 00BA13D2 mov ecx,30h<br>&gt; &gt;&gt;&gt;&gt; 00BA13D7 mov eax,0CCCCCCCCh<br>&gt; &gt;&gt;&gt;&gt; 00BA13DC rep stos dword ptr es:[edi]<br>&gt; &gt;&gt;&gt;&gt;<br>&gt; &gt;&gt;&gt;&gt; int sumExample (int a, int b)<br>&gt; &gt;&gt;&gt;&gt; {<br>&gt; &gt;&gt;&gt;&gt; 00BA13C0 push ebp<br>&gt; &gt;&gt;&gt;&gt; 00BA13C1 mov ebp,esp<br>&gt; &gt;&gt;&gt;&gt; 00BA13C3 sub esp,0C0h<br>&gt; &gt;&gt;&gt;&gt; 00BA13C9 push ebx<br>&gt; &gt;&gt;&gt;&gt; 00BA13CA push esi<br>&gt; &gt;&gt;&gt;&gt; 00BA13CB push edi<br>&gt; &gt;&gt;&gt;&gt; 00BA13CC lea edi,[ebp-0C0h]<br>&gt; &gt;&gt;&gt;&gt; 00BA13D2 mov ecx,30h<br>&gt; &gt;&gt;&gt;&gt; 00BA13D7 mov eax,0CCCCCCCCh<br>&gt; &gt;&gt;&gt;&gt; 00BA13DC rep stos dword ptr es:[edi]<br>&gt; &gt;&gt;&gt;&gt; return a + b;<br>&gt; &gt;&gt;&gt;&gt; 00BA13DE mov eax,dword ptr [a]<br>&gt; &gt;&gt;&gt;&gt; 00BA13E1 add eax,dword ptr [b]<br>&gt; &gt;&gt;&gt;&gt; }<br>&gt; &gt;&gt;&gt;&gt; #include <iostream><br>&gt; &gt;&gt;&gt;&gt; using namespace std;<br>&gt; &gt;&gt;&gt;&gt; int sumExample (int a, int b)<br>&gt; &gt;&gt;&gt;&gt; {<br>&gt; &gt;&gt;&gt;&gt; return a + b;<br>&gt; &gt;&gt;&gt;&gt; }<br>&gt; &gt;&gt;&gt;&gt; int main()<br>&gt; &gt;&gt;&gt;&gt; {<br>&gt; &gt;&gt;&gt;&gt; int c = sumExample (100, 200);<br>&gt; &gt;&gt;&gt;&gt; cout &lt;&lt; c &lt;&lt; endl;<br>&gt; &gt;&gt;&gt;&gt; return 0;<br>&gt; &gt;&gt;&gt;&gt; }<br>&gt; &gt;&gt;&gt;&gt;
> >>>>
> >>>> thanks in advance,
> >>>> George
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> —
> >>>> You are currently subscribed to windbg as: unknown lmsubst
> >>>> tag argument: ‘’
> >>>> To unsubscribe send a blank email to
> >>>> xxxxx@lists.osr.com
> mailto:xxxxx
> >>>
> >>>
> >>>
> >>>
> >>> —
> >>> You are currently subscribed to windbg as: unknown lmsubst tag
> argument: ‘’
> >>> To unsubscribe send a blank email to
> xxxxx@lists.osr.com
> mailto:xxxxx
> >>>
> >>>
> >>>
> >>>
> >>
> >> —
> >> You are currently subscribed to windbg as:
> xxxxx@yahoo.com mailto:xxxxx
> >> To unsubscribe send a blank email to
> xxxxx@lists.osr.com
> mailto:xxxxx
> >>
> >>
> >>
> >>
> >>
> >> —
> >> You are currently subscribed to windbg as: unknown lmsubst tag
> argument: ‘’
> >> To unsubscribe send a blank email to
> xxxxx@lists.osr.com
> mailto:xxxxx
> >>
> >
>
> —
> You are currently subscribed to windbg as: xxxxx@yahoo.com
> mailto:xxxxx
> To unsubscribe send a blank email to
> xxxxx@lists.osr.com
> mailto:xxxxx
>
>
>
>
>
>


You are currently subscribed to windbg as: xxxxx@yahoo.com
To unsubscribe send a blank email to xxxxx@lists.osr.com


You are currently subscribed to windbg as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com</mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx>

Lin George wrote:

Tim,
Great reply! Do you have any documents links for this topic (about alias for assembly instruction)? I looked through MSDN but seems not do good info here.

Intel and AMD both have excellent and extensive downloadable reference
manuals for all of their processors. They are very detailed.

Start here:
http://www.intel.com/products/processor/manuals/index.htm

There are many thousands of pages of documents there.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Lin George wrote:

Thanks Martin,
I agree with you. One more question, why reserving more space will enable the edit and continue feature as mentioned? This point I am very interested, but can not find any materials through Google search. Do you have any more documents in details? Or you describe by yourself?
(my confusion is, the developer could edit and insert as much as information – like code and data change – as he can, how could we predict the space which developer will be used in edit and continue feature?)

George, this is just common common sense. Edit-and-continue works if
the changes fit in the reserved space. If there isn’t enough space,
then it can’t edit and continue. It has to recompile and relink.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Lin George wrote:

You are so humourous Jim. I am still confused why I can not find any
materials regarding to this topic. For any other internally topics,
like linker/compiler optimization, there are abundant documents on
System Internals.

Why do you care about this? The implementation of edit-and-continue is
a completely uninteresting topic. It has absolutely ZERO impact on
writing or debugging applications, drivers, or operating systems. It is
what is, it does it’s job, and it doesn’t interfere with anything.

IT DOESN’T MATTER. Let it go, and move on to something that matters.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Thanks for your advice, Zach!
About the compiler / linker mail list, do you have any suggestions?
regards,
George

----- Original Message ----
From: Zach Turner
To: Kernel Debugging Interest List
Sent: Monday, August 18, 2008 10:08:26 PM
Subject: RE: [windbg] strange 4 assembly instructions for a function

I think the point of frustration for most people is that I think most people agree on the idea that when you do / discover something for yourself, you learn better than when you simply ask a question and get an answer.? Also, this is a debugging mailing list.? Nothing to do with Edit and Continue.? Edit and Continue questsions would best be asked on a compiler / linker mailing list.

Regarding my first point though, many of the things that you ask are very easy to discover on your own.? This is no exception.? It seems quite easy to figure out why the stack bytes are reserved for Edit and Continue (thinking about it for about 5 seconds I actually have a very good guess, but I’d be doing you an injustice by not letting you discover it on your own).? So instead of posting about all these questions which are not related to Windbg, figure them out.? Many of us might be curious to know what you found out, but we’re not too interested in answering questions that are not specifically related to the operation and use of Windbg.

So, that being said, create a test that will allow you to figure out what those extra bytes of stack space are for.? How to create such a test?? Enable Edit and Continue, then edit something, then continue, then look at the new byets of stack space.? What happened?

________________________________________
From: xxxxx@lists.osr.com [xxxxx@lists.osr.com] On Behalf Of Lin George [xxxxx@yahoo.com]
Sent: Monday, August 18, 2008 7:47 AM
To: Kernel Debugging Interest List
Cc: Kernel Debugging Interest List
Subject: Re: [windbg] strange 4 assembly instructions for a function

Sorry for any inconveniences, Martin. Even if no result could be found because of a non-open system, I appreciate the process of discussion which I also learn a lot from each other. :slight_smile:
regards,
George

----- Original Message ----
From: Martin O’Brien
To: Kernel Debugging Interest List
Sent: Monday, August 18, 2008 8:33:38 PM
Subject: Re:[windbg] strange 4 assembly instructions for a function

George, why are you asking us?? I don’t know why some on sysinternals didn’t write the document you want.? Either way, it is what it
is, man.? You’ve just got to let this one go.? I hear you on curiosity, but no matter how many different ways and how many time you
ask this question - we do not appear to know the answer, at least at the moment.

mm

Lin George wrote:
> You are so humourous Jim. I am still confused why I can not find any
> materials regarding to this topic. For any other internally topics, like
> linker/compiler optimization, there are abundant documents on System
> Internals.
>
> regards,
> George
>
> ----- Original Message ----
> From: Jim Donelson
> To: Lin George
> Sent: Friday, August 15, 2008 9:24:26 PM
> Subject: Re: [windbg] strange 4 assembly instructions for a function
>
> Yes, get hired by the Microsoft VS Team and look at the source code.
>
>
> On Fri, Aug 15, 2008 at 9:11 AM, Lin George > mailto:xxxxx> wrote:
>
>? ? Thanks Jim,
>? ? Basically I agree with you. I just want to get some referred
>? ? documents about how edit and continue works on the basis of
>? ? reserving? more stack space. Do you have any recommendations?
>? ? regards,
>? ? George
>
>
>? ? ----- Original Message ----
>? ? From: Jim Donelson >
>? ? To: Kernel Debugging Interest List >? ? mailto:xxxxx>
>? ? Sent: Friday, August 15, 2008 8:49:13 PM
>? ? Subject: Re: [windbg] strange 4 assembly instructions for a function
>
>? ? Well, this is a kernel list, so none of ever ever use edit and continue.
>? ? I personally never use it as for one thing it does not always work,
>? ? for the reason you stated,and over the years there have been various
>? ? bugs with it.
>? ? Not to mention the fact it causes odd code to be generated.
>? ? Best advice - shut it off.
>
>? ? On Fri, Aug 15, 2008 at 8:46 AM, Jim Donelson >? ? mailto:xxxxx> wrote:
>? ? ? > Well, this is a kernel list, so none of ever ever use edit and
>? ? continue.
>? ? ? > I personally never use it as for one thing it does not always work,
>? ? ? > for the reason you stated,and over the years there have been various
>? ? ? > bugs with it.
>? ? ? > Not to mention the fact it causes odd code to be generated.
>? ? ? > Best advice - shut it off.
>? ? ? >
>? ? ? >
>? ? ? > On Fri, Aug 15, 2008 at 3:02 AM, Lin George
>? ? > wrote:
>? ? ? >> Thanks Martin,
>? ? ? >> I agree with you. One more question, why reserving more space
>? ? will enable the edit and continue feature as mentioned? This point I
>? ? am very interested, but can not find any materials through Google
>? ? search. Do you have any more documents in details? Or you describe
>? ? by yourself?
>? ? ? >> (my confusion is, the developer could edit and insert as much as
>? ? information – like code and data change – as he can, how could we
>? ? predict the space which developer will be used in edit and continue
>? ? feature?)
>? ? ? >> regards,
>? ? ? >> George
>? ? ? >>
>? ? ? >>
>? ? ? >> ----- Original Message ----
>? ? ? >> From: Martin O’Brien >? ? mailto:xxxxx>
>? ? ? >> To: Kernel Debugging Interest List >? ? mailto:xxxxx>
>? ? ? >> Sent: Thursday, August 14, 2008 2:52:30 PM
>? ? ? >> Subject: Re:[windbg] strange 4 assembly instructions for a function
>? ? ? >>
>? ? ? >> We seem to be going around in circles, so let’s try this
>? ? differently:
>? ? ? >>
>? ? ? >> 1.? What is your question?? Please include ALL the code relevant
>? ? to it.
>? ? ? >>
>? ? ? >> My guess is that your question is:
>? ? ? >>
>? ? ? >>> Don’t you think it initializes more stack space than actually
>? ? needed?
>? ? ? >>
>? ? ? >> And that this is the code:
>? ? ? >>
>? ? ? >>>> 00BA13C0? push? ? ? ? ebp
>? ? ? >>>> 00BA13C1? mov? ? ? ? ebp,esp
>? ? ? >>>> 00BA13C3? sub? ? ? ? esp,0C0h
>? ? ? >>>> 00BA13C9? push? ? ? ? ebx
>? ? ? >>>> 00BA13CA? push? ? ? ? esi
>? ? ? >>>> 00BA13CB? push? ? ? ? edi
>? ? ? >>>> 00BA13CC? lea? ? ? ? edi,[ebp-0C0h]
>? ? ? >>>> 00BA13D2? mov? ? ? ? ecx,30h
>? ? ? >>>> 00BA13D7? mov? ? ? ? eax,0CCCCCCCCh
>? ? ? >>>> 00BA13DC? rep stos? ? dword ptr es:[edi]
>? ? ? >>
>? ? ? >> Assuming that this is correct, the basic answer is more or less
>? ? what you’ve already been told.? It’s marking the ‘beginning’ of the
>? ? ? >> local stack with a some padding bytes that happen to the opcode
>? ? for an ‘INT 3’ (0xCC).? I’m not sure the specific purpose the
>? ? ? >> compiler devs have in mind, but one thing it would definitely
>? ? help with is diagnosing stack faults, which really suck to debug
>? ? ? >> without some sort of cheating like this, because by the time you
>? ? find out about the problem, you’re usually well away from the
>? ? ? >> cause.? With this technique, if you happen to end up outside the
>? ? stack boundaries - within 0xC0 bytes in this case - the cpu will
>? ? ? >> execute an 0xCC, a.k.a - INT 3, which will land you immediately
>? ? in WinDbg, so you have a much better chance to figure out what the
>? ? ? >> actual problem is more quickly, without having to traverse a
>? ? blown stack, which itself can confuse WinDbg.? So, from above:
>? ? ? >>
>? ? ? >>
>? ? ? >>>> 00BA13C0? push? ? ? ? ebp? ? ? ? ? ? -> standard prolog:
>? ? preserve the base pointer
>? ? ? >>>> 00BA13C1? mov? ? ? ? ebp,esp? ? ? ? -> standard prolog: set
>? ? the base pointer to the current stack pointer
>? ? ? >>>> 00BA13C3? sub? ? ? ? esp,0C0h? ? ? ? -> standard prolog:
>? ? create 0xC0 (in this case) bytes of local space on the stack
>? ? ? >>>> 00BA13C9? push? ? ? ? ebx? ? ? ? ? ? ? -> preserve ebx (for
>? ? later use)
>? ? ? >>>> 00BA13CA? push? ? ? ? esi? ? ? ? ? ? ? -> preserve esi (for
>? ? later use)
>? ? ? >>>> 00BA13CB? push? ? ? ? edi? ? ? ? ? ? ? -> preserve edi (for
>? ? use as target of ‘rep stos’)
>? ? ? >>>> 00BA13CC? lea? ? ? ? edi,[ebp-0C0h]? ? ? ? -> load the
>? ? effective address of he first byte of the local space created in (2)
>? ? ? >>>> 00BA13D2? mov? ? ? ? ecx,30h? ? ? ? -> set ecx (iterations of
>? ? ‘stos’ to ‘rep’) 0x30==0xC0/sizeof(dword ptr)
>? ? ? >>>> 00BA13D7? mov? ? ? ? eax,0CCCCCCCCh? ? ? ? -> set eax to the
>? ? value of write to memory
>? ? ? >>>> 00BA13DC? rep stos? ? dword ptr es:[edi]? ? -> stores value in
>? ? EAX to es:[EDI], then decrements ECX, ECX times
>? ? ? >>
>? ? ? >> The extra space could be used for some other purposes as well,
>? ? some of which others have mentioned, like ‘Edit and Continue (-ZI’).
>? ? ? >>? As I said, I really don’t know the SPECIFIC purpose in this
>? ? case, but this is the general idea.? If you want to know the SPECIFIC
>? ? ? >> reason, you’re going to need to find the compiler dev, or
>? ? someone willing to speak for him.
>? ? ? >>
>? ? ? >> In general, George, you’re asking very detailed questions, on a
>? ? very low level subject, that isn’t really on topic here, though
>? ? ? >> that’s not really an issue, at least as far as I’m concerned.
>? ? That being said, what I do find to be a little bit of an issue - not
>? ? ? >> a big one - is that you seem to be unsatisfied with anything but
>? ? the specific answer to the very question you are asking, all
>? ? ? >> spelled out for you, on a topic like this - complicated, low
>? ? level and not on topic, especially since you told us you haven’t read
>? ? ? >> the Intel Manuals yet.? Someone sent you a link to the Intel
>? ? manuals - I would recommend that? you read them thoroughly, because
>? ? ? >> they are the best source for the answers to the types of
>? ? questions that you are asking.? If your questions were more on topic, or
>? ? ? >> not on topic but at a higher level on a less complicated subject
>? ? or had you already read the manual, then it wouldn’t be a problem,
>? ? ? >> but for something like this, in my opinion, the etiquette here
>? ? basically says that you have to take what you get for a question like
>? ? ? >> this, and not keep posting until you get the very specific
>? ? answer you want, and that people will lose patience if you don’t do your
>? ? ? >> homework first.? Don’t get me wrong - you clearly have been
>? ? reading what people have suggested (like that article), but you don’t
>? ? ? >> seem to understand that the entry level for material like this
>? ? is reading Volumes 1, 2 & 3 of the Intel Manuals, and until you do
>? ? ? >> that, you’re not going to be able to do anything useful with
>? ? this information.? That doesn’t mean you shouldn’t be told or even
>? ? ? >> shouldn’t proceed this way, but understand that it will, in my
>? ? opinion, make people want to help less.
>? ? ? >>
>? ? ? >> I hope that this is correct; it’s late, and I didn’t look very
>? ? closely at the previous posts, but I think this is the general idea.
>? ? ? >>
>? ? ? >>
>? ? ? >> Good luck,
>? ? ? >>
>? ? ? >> mm
>? ? ? >>
>? ? ? >>
>? ? ? >>
>? ? ? >>
>? ? ? >>
>? ? ? >>
>? ? ? >>
>? ? ? >> Lin George wrote:
>? ? ? >>> Hi Calin,
>? ? ? >>> I have read through the article you mentioned for a couple of
>? ? hours. It is really good and I learned something which I donot know
>? ? before, even if old day technologies.
>? ? ? >>> But, seems it does not directly cover the answer to my
>? ? question? Or I miss or misunderstand anything? Could you help to
>? ? clarify please? :slight_smile:
>? ? ? >>> regards,
>? ? ? >>> George
>? ? ? >>>
>? ? ? >>>
>? ? ? >>> ----- Original Message ----
>? ? ? >>> From: Calin Iaru >? ? mailto:xxxxx>
>? ? ? >>> To: Lin George >? ? mailto:xxxxx>
>? ? ? >>> Cc: xxxxx@lists.osr.com mailto:xxxxx
>? ? ? >>> Sent: Wednesday, July 23, 2008 7:31:30 AM
>? ? ? >>> Subject: Re: [windbg] strange 4 assembly instructions for a
>? ? function
>? ? ? >>>
>? ? ? >>> The code you presented is code compiled on Win32 with Program
>? ? Database for Edit and Continue set. If you use Program Database,
>? ? then the code will look like:
>? ? ? >>>
>? ? ? >>> int f(int a, int b) {
>? ? ? >>> 009911A0? push? ? ? ? ebp
>? ? ? >>> 009911A1? mov? ? ? ? ebp,esp
>? ? ? >>>? ? return a+b;
>? ? ? >>> 009911A3? mov? ? ? ? eax,dword ptr [a]
>? ? ? >>> 009911A6? add? ? ? ? eax,dword ptr [b]
>? ? ? >>> }
>? ? ? >>> 009911A9? pop? ? ? ? ebp
>? ? ? >>> 009911AA? ret
>? ? ? >>>
>? ? ? >>>
>? ? ? >>> I don’t know why does PDEC arrange the code like this; perhaps
>? ? is due to EC feature. PDEC implies the /Gy compiler switch which
>? ? places each function definition in a code segment. The sum of these
>? ? segments is the whole program; to make the code smaller, the linker
>? ? has the option to remove all unused segments. An article written by
>? ? Matt Pietrek specifies that the functions compiled with /Gy are
>? ? aligned on a power of 2 boundary which means that each function will
>? ? be padded with INT 3 instructions up to the next alignment.
>? ? ? >>> http://www.microsoft.com/msj/archive/S572.aspx
>? ? ? >>> or search for
>? ? ? >>> Matt Pietrek comdat
>? ? ? >>> on msdn.
>? ? ? >>>
>? ? ? >>> ----- Original Message ----
>? ? ? >>> From: Lin George >? ? mailto:xxxxx>
>? ? ? >>> To: xxxxx@yahoo.com mailto:xxxxx
>? ? ? >>> Cc: Kernel Debugging Interest List >? ? mailto:xxxxx>
>? ? ? >>> Sent: Tuesday, July 22, 2008 7:53:57 AM
>? ? ? >>> Subject: Re: [windbg] strange 4 assembly instructions for a
>? ? function
>? ? ? >>>
>? ? ? >>> Thanks Calin,
>? ? ? >>> I fully agree with you from your below points. But don’t you
>? ? think it initializes more stack space than actually needed?
>? ? ? >>> I posted the assembly code again here. Any comments?
>? ? ? >>> 00BA13CC? lea? ? ? ? edi,[ebp-0C0h]
>? ? ? >>> 00BA13D2? mov? ? ? ? ecx,30h
>? ? ? >>> 00BA13D7? mov? ? ? ? eax,0CCCCCCCCh
>? ? ? >>> 00BA13DC? rep stos? ? dword ptr es:[edi]
>? ? ? >>> regards,
>? ? ? >>> George
>? ? ? >>>
>? ? ? >>>
>? ? ? >>> ----- Original Message ----
>? ? ? >>> From: Calin Iaru >? ? mailto:xxxxx>
>? ? ? >>> To: Kernel Debugging Interest List >? ? mailto:xxxxx>
>? ? ? >>> Sent: Monday, July 21, 2008 8:24:42 PM
>? ? ? >>> Subject: Re: [windbg] strange 4 assembly instructions for a
>? ? function
>? ? ? >>>
>? ? ? >>> Hi,
>? ? ? >>>
>? ? ? >>>? the compiler fills with 0xCC about 0xC0 bytes of local stack
>? ? data. I expect a release build to clean up the code.
>? ? ? >>>
>? ? ? >>> Best regards,
>? ? ? >>>? Calin
>? ? ? >>>
>? ? ? >>> PS.
>? ? ? >>> 0xCC is a well known value which is distinctively recognized
>? ? during a crash. For instance, if you have a pointer which contains
>? ? this value, it will indicate that the pointer is not initialized.
>? ? Other known value is an 0xfeeefeee which says that the pointer was
>? ? released. For pointers, use the !address command to find out more
>? ? information about wether the page was allocated or freed and so on.
>? ? ? >>>
>? ? ? >>> — On Mon, 7/21/08, Lin George >? ? mailto:xxxxx> wrote:
>? ? ? >>>
>? ? ? >>>> From: Lin George >? ? mailto:xxxxx>
>? ? ? >>>> Subject: [windbg] strange 4 assembly instructions for a function
>? ? ? >>>> To: “Kernel Debugging Interest List” >? ? mailto:xxxxx>
>? ? ? >>>> Date: Monday, July 21, 2008, 11:59 AM
>? ? ? >>>> Hello everyone,
>? ? ? >>>>
>? ? ? >>>> I am confused what is the function of the 4 assembly
>? ? ? >>>> instructions – I found them when debugging function prolog
>? ? ? >>>> and epilog for study? I posted the 4 assembly instructions
>? ? ? >>>> and related whole source code/assembly code below.
>? ? ? >>>> Any ideas?
>? ? ? >>>> <br>&gt;? ? ? &gt;&gt;&gt;&gt; 00BA13CC? lea? ? ? ? edi,[ebp-0C0h]<br>&gt;? ? ? &gt;&gt;&gt;&gt; 00BA13D2? mov? ? ? ? ecx,30h<br>&gt;? ? ? &gt;&gt;&gt;&gt; 00BA13D7? mov? ? ? ? eax,0CCCCCCCCh<br>&gt;? ? ? &gt;&gt;&gt;&gt; 00BA13DC? rep stos? ? dword ptr es:[edi]<br>&gt;? ? ? &gt;&gt;&gt;&gt;<br>&gt;? ? ? &gt;&gt;&gt;&gt; int sumExample (int a, int b)<br>&gt;? ? ? &gt;&gt;&gt;&gt; {<br>&gt;? ? ? &gt;&gt;&gt;&gt; 00BA13C0? push? ? ? ? ebp<br>&gt;? ? ? &gt;&gt;&gt;&gt; 00BA13C1? mov? ? ? ? ebp,esp<br>&gt;? ? ? &gt;&gt;&gt;&gt; 00BA13C3? sub? ? ? ? esp,0C0h<br>&gt;? ? ? &gt;&gt;&gt;&gt; 00BA13C9? push? ? ? ? ebx<br>&gt;? ? ? &gt;&gt;&gt;&gt; 00BA13CA? push? ? ? ? esi<br>&gt;? ? ? &gt;&gt;&gt;&gt; 00BA13CB? push? ? ? ? edi<br>&gt;? ? ? &gt;&gt;&gt;&gt; 00BA13CC? lea? ? ? ? edi,[ebp-0C0h]<br>&gt;? ? ? &gt;&gt;&gt;&gt; 00BA13D2? mov? ? ? ? ecx,30h<br>&gt;? ? ? &gt;&gt;&gt;&gt; 00BA13D7? mov? ? ? ? eax,0CCCCCCCCh<br>&gt;? ? ? &gt;&gt;&gt;&gt; 00BA13DC? rep stos? ? dword ptr es:[edi]<br>&gt;? ? ? &gt;&gt;&gt;&gt;? ? return a + b;<br>&gt;? ? ? &gt;&gt;&gt;&gt; 00BA13DE? mov? ? ? ? eax,dword ptr [a]<br>&gt;? ? ? &gt;&gt;&gt;&gt; 00BA13E1? add? ? ? ? eax,dword ptr [b]<br>&gt;? ? ? &gt;&gt;&gt;&gt; }<br>&gt;? ? ? &gt;&gt;&gt;&gt; #include <iostream><br>&gt;? ? ? &gt;&gt;&gt;&gt; using namespace std;<br>&gt;? ? ? &gt;&gt;&gt;&gt; int sumExample (int a, int b)<br>&gt;? ? ? &gt;&gt;&gt;&gt; {<br>&gt;? ? ? &gt;&gt;&gt;&gt;? ? return a + b;<br>&gt;? ? ? &gt;&gt;&gt;&gt; }<br>&gt;? ? ? &gt;&gt;&gt;&gt; int main()<br>&gt;? ? ? &gt;&gt;&gt;&gt; {<br>&gt;? ? ? &gt;&gt;&gt;&gt;? int c = sumExample (100, 200);<br>&gt;? ? ? &gt;&gt;&gt;&gt;? cout &lt;&lt; c &lt;&lt; endl;<br>&gt;? ? ? &gt;&gt;&gt;&gt;? return 0;<br>&gt;? ? ? &gt;&gt;&gt;&gt; }<br>&gt;? ? ? &gt;&gt;&gt;&gt;
>? ? ? >>>>
>? ? ? >>>> thanks in advance,
>? ? ? >>>> George
>? ? ? >>>>
>? ? ? >>>>
>? ? ? >>>>
>? ? ? >>>>
>? ? ? >>>> —
>? ? ? >>>> You are currently subscribed to windbg as: unknown lmsubst
>? ? ? >>>> tag argument: ‘’
>? ? ? >>>> To unsubscribe send a blank email to
>? ? ? >>>> xxxxx@lists.osr.com
>? ? mailto:xxxxx
>? ? ? >>>
>? ? ? >>>
>? ? ? >>>
>? ? ? >>>
>? ? ? >>> —
>? ? ? >>> You are currently subscribed to windbg as: unknown lmsubst tag
>? ? argument: ‘’
>? ? ? >>> To unsubscribe send a blank email to
>? ? xxxxx@lists.osr.com
>? ? mailto:xxxxx
>? ? ? >>>
>? ? ? >>>
>? ? ? >>>
>? ? ? >>>
>? ? ? >>
>? ? ? >> —
>? ? ? >> You are currently subscribed to windbg as:
>? ? xxxxx@yahoo.com mailto:xxxxx
>? ? ? >> To unsubscribe send a blank email to
>? ? xxxxx@lists.osr.com
>? ? mailto:xxxxx
>? ? ? >>
>? ? ? >>
>? ? ? >>
>? ? ? >>
>? ? ? >>
>? ? ? >> —
>? ? ? >> You are currently subscribed to windbg as: unknown lmsubst tag
>? ? argument: ‘’
>? ? ? >> To unsubscribe send a blank email to
>? ? xxxxx@lists.osr.com
>? ? mailto:xxxxx
>? ? ? >>
>? ? ? >
>
>? ? —
>? ? You are currently subscribed to windbg as: xxxxx@yahoo.com
>? ? mailto:xxxxx
>? ? To unsubscribe send a blank email to
>? ? xxxxx@lists.osr.com
>? ? mailto:xxxxx
>
>
>
>
>
>


You are currently subscribed to windbg as: xxxxx@yahoo.com
To unsubscribe send a blank email to xxxxx@lists.osr.com


You are currently subscribed to windbg as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com


You are currently subscribed to windbg as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com</mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx>