100b8: b580 push {r7, lr}
100ba: b082 sub sp, #8
100bc: af00 add r7, sp, #0
100be: 2304 movs r3, #4
100c0: 607b str r3, [r7, #4]
100c2: 2305 movs r3, #5
100c4: 603b str r3, [r7, #0]
100c6: 6839 ldr r1, [r7, #0]
100c8: 6878 ldr r0, [r7, #4]
100ca: f7ff ffe3 bl 10094
100ce: 4602 mov r2, r0
100d0: f240 03e4 movw r3, #228 ; 0xe4 全局变量m的地址
100d4: f2c0 0302 movt r3, #2
100d8: 601a str r2, [r3, #0]
100da: 2300 movs r3, #0
100dc: 4618 mov r0, r3
100de: 3708 adds r7, #8
100e0: 46bd mov sp, r7
100e2: bd80 pop {r7, pc}
Disassembly of section .data:
000200e4
200e4: 00000008 andeq r0, r0, r8 /* 这里00000008是全局变量m的值,被解读成andeq指令了 */
使用arm-linux-gnueabi-gcc编译器对应的反汇编代码:
00010400
10400: e52db004 push {fp} ; (str fp, [sp, #-4]!)
10404: e28db000 add fp, sp, #0
10408: e24dd014 sub sp, sp, #20
1040c: e50b0010 str r0, [fp, #-16]
10410: e50b1014 str r1, [fp, #-20] ; 0xffffffec
10414: e3a03000 mov r3, #0
10418: e50b3008 str r3, [fp, #-8]
1041c: e51b2010 ldr r2, [fp, #-16]
10420: e51b3014 ldr r3, [fp, #-20] ; 0xffffffec
10424: e0823003 add r3, r2, r3
10428: e50b3008 str r3, [fp, #-8]
1042c: e51b3008 ldr r3, [fp, #-8]
10430: e1a00003 mov r0, r3
10434: e24bd000 sub sp, fp, #0
10438: e49db004 pop {fp} ; (ldr fp, [sp], #4)
1043c: e12fff1e bx lr
00010440
10440: e92d4800 push {fp, lr}
10444: e28db004 add fp, sp, #4
10448: e24dd008 sub sp, sp, #8
1044c: e3a03004 mov r3, #4
10450: e50b300c str r3, [fp, #-12]
10454: e3a03005 mov r3, #5
10458: e50b3008 str r3, [fp, #-8]
1045c: e51b1008 ldr r1, [fp, #-8]
10460: e51b000c ldr r0, [fp, #-12]
10464: ebffffe5 bl 10400
10468: e1a02000 mov r2, r0
1046c: e59f3010 ldr r3, [pc, #16] ; 10484
10470: e5832000 str r2, [r3]
10474: e3a03000 mov r3, #0
10478: e1a00003 mov r0, r3
1047c: e24bd004 sub sp, fp, #4
10480: e8bd8800 pop {fp, pc}
10484: 00021024 andeq r1, r2, r4, lsr #32
个人感觉参考第二份反汇编代码比较好理解堆栈的变化过程,其实函数调用就两个要点:
1. 要保存好函数自己的栈底地址,保证函数结束栈空间能够正常释放,但只有一个fp指针,所以使用fp指针存储本函数的栈底地址之前,要将上一个函数的栈底地址入栈也就是,现将fp入栈,然后再使用fp保存新的栈底指针。
2. 使用bl指令,保证函数调用结束能跳回。将bl指令下一条地址保存到lr寄存器中。
原作者:Lamar Davis
