Function linux x64:由于调用函数时参数值发生不合理更改而导致分段错误_Function_Arguments_64 Bit_Coredump

Function linux x64:由于调用函数时参数值发生不合理更改而导致分段错误

function

Function linux x64:由于调用函数时参数值发生不合理更改而导致分段错误,function,arguments,64-bit,coredump,Function,Arguments,64 Bit,Coredump,由于分段错误，应用程序经常转储内核，其回溯如下所示 (gdb) bt #0 0x00000039c6c71874 in strncpy () from /lib64/libc.so.6 #1 0x00000000016fab83 in CcString::CcString (this=0x470008e0, str=...) at ../../base/src/ccString.cpp:163 #2 0x00000000016face9 in CcString::operator= (th

由于分段错误，应用程序经常转储内核，其回溯如下所示

(gdb) bt
#0  0x00000039c6c71874 in strncpy () from /lib64/libc.so.6
#1  0x00000000016fab83 in CcString::CcString (this=0x470008e0, str=...) at ../../base/src/ccString.cpp:163
#2  0x00000000016face9 in CcString::operator= (this=0x47000bf0, str=...) at ../../base/src/ccString.cpp:250
#3  0x0000000000441193 in RmsDbMgr::getFormatedNumber(const CallPartyNumber_t *, ._2039, CcString &) (this=0x2af86a4de008, apNumber=0xb90160, aFormatType=NUMBER_FORMAT_TYPE_LDAP, aFormatedNumber=...) at ../main/RmsDbMgr.cpp:4465
#4  0x0000000000b1cacf in SessionMt::sendLdapQueryReq (this=0x2cb8d580, apNumber=0x2cb90160, aRecipient=true) at ../session/SessionMt.cpp:1600

在第4帧中，apNumber=0x2cb90160，但在第3帧中，其值更改为0xb90160，该指针随后导致分段错误

什么会导致这种情况发生？为什么第3帧的回溯格式看起来和其他行不太相似

我试过一点组装

(gdb) disass sendLdapQueryReq
Dump of assembler code for function SessionMt::sendLdapQueryReq(CallPartyNumber_t const*, bool):
   0x0000000000b1ca40 <+0>:     mov    %rbp,-0x28(%rsp)
   0x0000000000b1ca45 <+5>:     mov    %r15,-0x8(%rsp)
   0x0000000000b1ca4a <+10>:    mov    %rdi,%rbp
   0x0000000000b1ca4d <+13>:    mov    %rbx,-0x30(%rsp)
   0x0000000000b1ca52 <+18>:    mov    %r12,-0x20(%rsp)
   0x0000000000b1ca57 <+23>:    mov    %rsi,%r15
   0x0000000000b1ca5a <+26>:    mov    %r13,-0x18(%rsp)
   0x0000000000b1ca5f <+31>:    mov    %r14,-0x10(%rsp)
   0x0000000000b1ca64 <+36>:    sub    $0x208,%rsp
   0x0000000000b1ca6b <+43>:    mov    %fs:0x28,%rax
   0x0000000000b1ca74 <+52>:    mov    %rax,0x1c8(%rsp)
   0x0000000000b1ca7c <+60>:    xor    %eax,%eax
   0x0000000000b1ca7e <+62>:    mov    %dl,0x93(%rsp)
   0x0000000000b1ca85 <+69>:    movl   $0x2,0x1c4(%rsp)
   0x0000000000b1ca90 <+80>:    callq  0x1c2b406 <mxLog::GetInstance()>
   0x0000000000b1ca95 <+85>:    movzbl 0x8(%rax),%eax
   0x0000000000b1ca99 <+89>:    test   %al,%al
   0x0000000000b1ca9b <+91>:    jne    0xb1cbb8 <SessionMt::sendLdapQueryReq(CallPartyNumber_t const*, bool)+376>
   0x0000000000b1caa1 <+97>:    lea    0x140(%rsp),%rdi
   0x0000000000b1caa9 <+105>:   callq  0x16f7570 <CcString::CcString()>
   0x0000000000b1caae <+110>:   mov    0xc8(%rbp),%rax
   0x0000000000b1cab5 <+117>:   lea    0x140(%rsp),%rcx
   0x0000000000b1cabd <+125>:   xor    %edx,%edx
   0x0000000000b1cabf <+127>:   mov    %r15,%rsi
   0x0000000000b1cac2 <+130>:   mov    0x28(%rax),%rax
   0x0000000000b1cac6 <+134>:   mov    0x58(%rax),%rdi
   0x0000000000b1caca <+138>:   callq  0x441110 <RmsDbMgr::getFormatedNumber(const CallPartyNumber_t *, ._2039, CcString &)>
=> 0x0000000000b1cacf <+143>:   cmpq   $0x0,0x150(%rsp)
   0x0000000000b1cad8 <+152>:   je     0xb1cb88 <SessionMt::sendLdapQueryReq(CallPartyNumber_t const*, bool)+328>
   0x0000000000b1cade <+158>:   movl   $0x2,0x1c4(%rsp)

和RmsDbMgr:：GetFormattedNumber（）的程序集，如下所示

(gdb) disass getFormatedNumber
Dump of assembler code for function RmsDbMgr::getFormatedNumber(const CallPartyNumber_t *, ._2039, CcString &):
   0x0000000000441110 <+0>:     mov    %rbp,-0x28(%rsp)
   0x0000000000441115 <+5>:     mov    %r13,-0x18(%rsp)
   0x000000000044111a <+10>:    mov    %edx,%ebp
   0x000000000044111c <+12>:    mov    %r14,-0x10(%rsp)
   0x0000000000441121 <+17>:    mov    %r15,-0x8(%rsp)
   0x0000000000441126 <+22>:    mov    %rdi,%r14
   0x0000000000441129 <+25>:    mov    %rbx,-0x30(%rsp)
   0x000000000044112e <+30>:    mov    %r12,-0x20(%rsp)
   0x0000000000441133 <+35>:    sub    $0x178,%rsp
   0x000000000044113a <+42>:    mov    %fs:0x28,%rax
   0x0000000000441143 <+51>:    mov    %rax,0x138(%rsp)
   0x000000000044114b <+59>:    xor    %eax,%eax
   0x000000000044114d <+61>:    test   %rsi,%rsi
   0x0000000000441150 <+64>:    mov    %rsi,%r13
   0x0000000000441153 <+67>:    mov    %rcx,%r15
   0x0000000000441156 <+70>:    je     0x4411e0 <RmsDbMgr::getFormatedNumber(const CallPartyNumber_t *, ._2039, CcString &)+208>
   0x000000000044115c <+76>:    cmp    $0x2,%edx
   0x000000000044115f <+79>:    jg     0x4411e0 <RmsDbMgr::getFormatedNumber(const CallPartyNumber_t *, ._2039, CcString &)+208>
   0x0000000000441165 <+85>:    lea    0x100(%rsp),%rdi
   0x000000000044116d <+93>:    callq  0x16f7570 <CcString::CcString()>
   0x0000000000441172 <+98>:    movzwl 0x53e74(%r14),%esi
   0x000000000044117a <+106>:   lea    0x100(%rsp),%rdi
   0x0000000000441182 <+114>:   callq  0x16f90e0 <CcString::operator+=(u16_t const)>
   0x0000000000441187 <+119>:   lea    0x8(%r13),%rsi
   0x000000000044118b <+123>:   mov    %r15,%rdi
   0x000000000044118e <+126>:   callq  0x16facc0 <CcString::operator=(CcString const&)>
=> 0x0000000000441193 <+131>:   movl   $0x2,0x134(%rsp)
   0x000000000044119e <+142>:   callq  0x1c2b406 <mxLog::GetInstance()>
   0x00000000004411a3 <+147>:   movzbl 0x8(%rax),%eax
   0x00000000004411a7 <+151>:   test   %al,%al

然后在做任何事情之前，%rsi被分配给%r13，但现在r13有一个不同的值，这是错误的

(gdb) p/x $r13
$9 = 0xb90160

任何人都可以帮助找出它有什么问题？

这类问题的一个常见原因是

strncpy

覆盖一些程序数据。仔细检查传递给它的指针和长度参数。同时检查范围重叠（在[src，src+len）和[dst，dst+len”）。%r15和%r13是调用方寄存器，不在内存中。同样从第2帧开始，它访问了不正确的内存指针0xb90160，我认为这是导致分段错误的原因，而且在我使用-fstack-protector选项编译应用程序后，它没有崩溃。但据我所知-fstack-protector应该故意在如果我的代码中存在导致该问题的问题，则会发生堆栈溢出。

(gdb) x/a $rsp+0x178-0x8
0x47000aa0:     0x2cb90160

(gdb) p/x $r13
$9 = 0xb90160