首页 > 系统服务 > 详细

《coredump问题原理探究》Linux x86版7.6节 Map coredump例子

时间:2015-04-30 01:04:52      阅读:481      评论:0      收藏:0      [点我收藏+]

定位一个map相关的coredump来熟悉一下:

Core was generated by `./xuzhina_dump_c07_s3_ex 5 / 6'.
Program terminated with signal 11, Segmentation fault.
#0  0x00000000 in ?? ()
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.149.el6_6.4.i686 libgcc-4.4.7-11.el6.i686 libstdc++-4.4.7-11.el6.i686
(gdb) bt
#0  0x00000000 in ?? ()
#1  0x08048bd0 in main ()
(gdb) i r 
eax            0x5	5
ecx            0x0	0
edx            0x0	0
ebx            0x6	6
esp            0xbfd3de7c	0xbfd3de7c
ebp            0xbfd3dee8	0xbfd3dee8
esi            0x0	0
edi            0x0	0
eip            0x0	0
eflags         0x210296	[ PF AF SF IF RF ID ]
cs             0x73	115
ss             0x7b	123
ds             0x7b	123
es             0x7b	123
fs             0x0	0
gs             0x33	51

由于栈顶的指令地址为0x0,而eip的值也是0x0,可以知道是调用了函数指针,且函数指针的值为空.而这个函数指针是由main函数调用

看一下main函数的汇编:

(gdb) disassemble 
Dump of assembler code for function main:
   0x0804898f <+0>:	push   %ebp
   0x08048990 <+1>:	mov    %esp,%ebp
   0x08048992 <+3>:	and    $0xfffffff0,%esp
   0x08048995 <+6>:	push   %esi
   0x08048996 <+7>:	push   %ebx
   0x08048997 <+8>:	sub    $0x58,%esp
   0x0804899a <+11>:	cmpl   $0x3,0x8(%ebp)
   0x0804899e <+15>:	jg     0x80489b6 <main+39>
   0x080489a0 <+17>:	movl   $0x8049ce4,(%esp)
   0x080489a7 <+24>:	call   0x804883c <puts@plt>
   0x080489ac <+29>:	mov    $0xffffffff,%ebx
   0x080489b1 <+34>:	jmp    0x8048c42 <main+691>
   0x080489b6 <+39>:	lea    0x18(%esp),%eax
   0x080489ba <+43>:	mov    %eax,(%esp)
   0x080489bd <+46>:	call   0x8048c6e <_ZNSt3mapISsPFiiiESt4lessISsESaISt4pairIKSsS1_EEEC2Ev>
   0x080489c2 <+51>:	lea    0x37(%esp),%eax
   0x080489c6 <+55>:	mov    %eax,(%esp)
   0x080489c9 <+58>:	call   0x804887c <_ZNSaIcEC1Ev@plt>
   0x080489ce <+63>:	lea    0x37(%esp),%eax
   0x080489d2 <+67>:	mov    %eax,0x8(%esp)
   0x080489d6 <+71>:	movl   $0x8049cfa,0x4(%esp)
---Type <return> to continue, or q <return> to quit---
   0x080489de <+79>:	lea    0x30(%esp),%eax
   0x080489e2 <+83>:	mov    %eax,(%esp)
   0x080489e5 <+86>:	call   0x80487ec <_ZNSsC1EPKcRKSaIcE@plt>
   0x080489ea <+91>:	lea    0x30(%esp),%eax
   0x080489ee <+95>:	mov    %eax,0x4(%esp)
   0x080489f2 <+99>:	lea    0x18(%esp),%eax
   0x080489f6 <+103>:	mov    %eax,(%esp)
   0x080489f9 <+106>:	call   0x8048cfc <_ZNSt3mapISsPFiiiESt4lessISsESaISt4pairIKSsS1_EEEixERS5_>
   0x080489fe <+111>:	movl   $0x8048964,(%eax)
   0x08048a04 <+117>:	lea    0x30(%esp),%eax
   0x08048a08 <+121>:	mov    %eax,(%esp)
   0x08048a0b <+124>:	call   0x80487cc <_ZNSsD1Ev@plt>
   0x08048a10 <+129>:	jmp    0x8048a41 <main+178>
   0x08048a12 <+131>:	mov    %edx,%ebx
   0x08048a14 <+133>:	mov    %eax,%esi
   0x08048a16 <+135>:	lea    0x30(%esp),%eax
   0x08048a1a <+139>:	mov    %eax,(%esp)
   0x08048a1d <+142>:	call   0x80487cc <_ZNSsD1Ev@plt>
   0x08048a22 <+147>:	mov    %esi,%eax
   0x08048a24 <+149>:	mov    %ebx,%edx
   0x08048a26 <+151>:	jmp    0x8048a28 <main+153>
   0x08048a28 <+153>:	mov    %edx,%ebx
---Type <return> to continue, or q <return> to quit---
   0x08048a2a <+155>:	mov    %eax,%esi
   0x08048a2c <+157>:	lea    0x37(%esp),%eax
   0x08048a30 <+161>:	mov    %eax,(%esp)
   0x08048a33 <+164>:	call   0x804882c <_ZNSaIcED1Ev@plt>
   0x08048a38 <+169>:	mov    %esi,%eax
   0x08048a3a <+171>:	mov    %ebx,%edx
   0x08048a3c <+173>:	jmp    0x8048c26 <main+663>
   0x08048a41 <+178>:	lea    0x37(%esp),%eax
   0x08048a45 <+182>:	mov    %eax,(%esp)
   0x08048a48 <+185>:	call   0x804882c <_ZNSaIcED1Ev@plt>
   0x08048a4d <+190>:	lea    0x3f(%esp),%eax
   0x08048a51 <+194>:	mov    %eax,(%esp)
   0x08048a54 <+197>:	call   0x804887c <_ZNSaIcEC1Ev@plt>
   0x08048a59 <+202>:	lea    0x3f(%esp),%eax
   0x08048a5d <+206>:	mov    %eax,0x8(%esp)
   0x08048a61 <+210>:	movl   $0x8049cfc,0x4(%esp)
   0x08048a69 <+218>:	lea    0x38(%esp),%eax
   0x08048a6d <+222>:	mov    %eax,(%esp)
   0x08048a70 <+225>:	call   0x80487ec <_ZNSsC1EPKcRKSaIcE@plt>
   0x08048a75 <+230>:	lea    0x38(%esp),%eax
   0x08048a79 <+234>:	mov    %eax,0x4(%esp)
   0x08048a7d <+238>:	lea    0x18(%esp),%eax
   0x08048a81 <+242>:	mov    %eax,(%esp)
---Type <return> to continue, or q <return> to quit---
   0x08048a84 <+245>:	call   0x8048cfc <_ZNSt3mapISsPFiiiESt4lessISsESaISt4pairIKSsS1_EEEixERS5_>
   0x08048a89 <+250>:	movl   $0x8048972,(%eax)
   0x08048a8f <+256>:	lea    0x38(%esp),%eax
   0x08048a93 <+260>:	mov    %eax,(%esp)
   0x08048a96 <+263>:	call   0x80487cc <_ZNSsD1Ev@plt>
   0x08048a9b <+268>:	jmp    0x8048acc <main+317>
   0x08048a9d <+270>:	mov    %edx,%ebx
   0x08048a9f <+272>:	mov    %eax,%esi
   0x08048aa1 <+274>:	lea    0x38(%esp),%eax
   0x08048aa5 <+278>:	mov    %eax,(%esp)
   0x08048aa8 <+281>:	call   0x80487cc <_ZNSsD1Ev@plt>
   0x08048aad <+286>:	mov    %esi,%eax
   0x08048aaf <+288>:	mov    %ebx,%edx
   0x08048ab1 <+290>:	jmp    0x8048ab3 <main+292>
   0x08048ab3 <+292>:	mov    %edx,%ebx
   0x08048ab5 <+294>:	mov    %eax,%esi
   0x08048ab7 <+296>:	lea    0x3f(%esp),%eax
   0x08048abb <+300>:	mov    %eax,(%esp)
   0x08048abe <+303>:	call   0x804882c <_ZNSaIcED1Ev@plt>
   0x08048ac3 <+308>:	mov    %esi,%eax
   0x08048ac5 <+310>:	mov    %ebx,%edx
   0x08048ac7 <+312>:	jmp    0x8048c26 <main+663>
---Type <return> to continue, or q <return> to quit---
   0x08048acc <+317>:	lea    0x3f(%esp),%eax
   0x08048ad0 <+321>:	mov    %eax,(%esp)
   0x08048ad3 <+324>:	call   0x804882c <_ZNSaIcED1Ev@plt>
   0x08048ad8 <+329>:	lea    0x47(%esp),%eax
   0x08048adc <+333>:	mov    %eax,(%esp)
   0x08048adf <+336>:	call   0x804887c <_ZNSaIcEC1Ev@plt>
   0x08048ae4 <+341>:	lea    0x47(%esp),%eax
   0x08048ae8 <+345>:	mov    %eax,0x8(%esp)
   0x08048aec <+349>:	movl   $0x8049cfe,0x4(%esp)
   0x08048af4 <+357>:	lea    0x40(%esp),%eax
   0x08048af8 <+361>:	mov    %eax,(%esp)
   0x08048afb <+364>:	call   0x80487ec <_ZNSsC1EPKcRKSaIcE@plt>
   0x08048b00 <+369>:	lea    0x40(%esp),%eax
   0x08048b04 <+373>:	mov    %eax,0x4(%esp)
   0x08048b08 <+377>:	lea    0x18(%esp),%eax
   0x08048b0c <+381>:	mov    %eax,(%esp)
   0x08048b0f <+384>:	call   0x8048cfc <_ZNSt3mapISsPFiiiESt4lessISsESaISt4pairIKSsS1_EEEixERS5_>
   0x08048b14 <+389>:	movl   $0x8048983,(%eax)
   0x08048b1a <+395>:	lea    0x40(%esp),%eax
   0x08048b1e <+399>:	mov    %eax,(%esp)
   0x08048b21 <+402>:	call   0x80487cc <_ZNSsD1Ev@plt>
   0x08048b26 <+407>:	jmp    0x8048b57 <main+456>
---Type <return> to continue, or q <return> to quit---
   0x08048b28 <+409>:	mov    %edx,%ebx
   0x08048b2a <+411>:	mov    %eax,%esi
   0x08048b2c <+413>:	lea    0x40(%esp),%eax
   0x08048b30 <+417>:	mov    %eax,(%esp)
   0x08048b33 <+420>:	call   0x80487cc <_ZNSsD1Ev@plt>
   0x08048b38 <+425>:	mov    %esi,%eax
   0x08048b3a <+427>:	mov    %ebx,%edx
   0x08048b3c <+429>:	jmp    0x8048b3e <main+431>
   0x08048b3e <+431>:	mov    %edx,%ebx
   0x08048b40 <+433>:	mov    %eax,%esi
   0x08048b42 <+435>:	lea    0x47(%esp),%eax
   0x08048b46 <+439>:	mov    %eax,(%esp)
   0x08048b49 <+442>:	call   0x804882c <_ZNSaIcED1Ev@plt>
   0x08048b4e <+447>:	mov    %esi,%eax
   0x08048b50 <+449>:	mov    %ebx,%edx
   0x08048b52 <+451>:	jmp    0x8048c26 <main+663>
   0x08048b57 <+456>:	lea    0x47(%esp),%eax
   0x08048b5b <+460>:	mov    %eax,(%esp)
   0x08048b5e <+463>:	call   0x804882c <_ZNSaIcED1Ev@plt>
   0x08048b63 <+468>:	lea    0x4f(%esp),%eax
   0x08048b67 <+472>:	mov    %eax,(%esp)
   0x08048b6a <+475>:	call   0x804887c <_ZNSaIcEC1Ev@plt>
   0x08048b6f <+480>:	mov    0xc(%ebp),%eax
---Type <return> to continue, or q <return> to quit---
   0x08048b72 <+483>:	add    $0x8,%eax
   0x08048b75 <+486>:	mov    (%eax),%eax
   0x08048b77 <+488>:	lea    0x4f(%esp),%edx
   0x08048b7b <+492>:	mov    %edx,0x8(%esp)
   0x08048b7f <+496>:	mov    %eax,0x4(%esp)
   0x08048b83 <+500>:	lea    0x48(%esp),%eax
   0x08048b87 <+504>:	mov    %eax,(%esp)
   0x08048b8a <+507>:	call   0x80487ec <_ZNSsC1EPKcRKSaIcE@plt>
   0x08048b8f <+512>:	lea    0x48(%esp),%eax
   0x08048b93 <+516>:	mov    %eax,0x4(%esp)
   0x08048b97 <+520>:	lea    0x18(%esp),%eax
   0x08048b9b <+524>:	mov    %eax,(%esp)
   0x08048b9e <+527>:	call   0x8048cfc <_ZNSt3mapISsPFiiiESt4lessISsESaISt4pairIKSsS1_EEEixERS5_>
   0x08048ba3 <+532>:	mov    (%eax),%esi
   0x08048ba5 <+534>:	mov    0xc(%ebp),%eax
   0x08048ba8 <+537>:	add    $0xc,%eax
   0x08048bab <+540>:	mov    (%eax),%eax
   0x08048bad <+542>:	mov    %eax,(%esp)
   0x08048bb0 <+545>:	call   0x80487fc <atoi@plt>
   0x08048bb5 <+550>:	mov    %eax,%ebx
   0x08048bb7 <+552>:	mov    0xc(%ebp),%eax
   0x08048bba <+555>:	add    $0x4,%eax
---Type <return> to continue, or q <return> to quit---
   0x08048bbd <+558>:	mov    (%eax),%eax
   0x08048bbf <+560>:	mov    %eax,(%esp)
   0x08048bc2 <+563>:	call   0x80487fc <atoi@plt>
   0x08048bc7 <+568>:	mov    %ebx,0x4(%esp)
   0x08048bcb <+572>:	mov    %eax,(%esp)
   0x08048bce <+575>:	call   *%esi
=> 0x08048bd0 <+577>:	mov    %eax,%ebx
   0x08048bd2 <+579>:	lea    0x48(%esp),%eax
   0x08048bd6 <+583>:	mov    %eax,(%esp)
   0x08048bd9 <+586>:	call   0x80487cc <_ZNSsD1Ev@plt>
   0x08048bde <+591>:	jmp    0x8048c0c <main+637>
   0x08048be0 <+593>:	mov    %edx,%ebx
   0x08048be2 <+595>:	mov    %eax,%esi
   0x08048be4 <+597>:	lea    0x48(%esp),%eax
   0x08048be8 <+601>:	mov    %eax,(%esp)
   0x08048beb <+604>:	call   0x80487cc <_ZNSsD1Ev@plt>
   0x08048bf0 <+609>:	mov    %esi,%eax
   0x08048bf2 <+611>:	mov    %ebx,%edx
   0x08048bf4 <+613>:	jmp    0x8048bf6 <main+615>
   0x08048bf6 <+615>:	mov    %edx,%ebx
   0x08048bf8 <+617>:	mov    %eax,%esi
   0x08048bfa <+619>:	lea    0x4f(%esp),%eax
   0x08048bfe <+623>:	mov    %eax,(%esp)
   0x08048c01 <+626>:	call   0x804882c <_ZNSaIcED1Ev@plt>
   0x08048c06 <+631>:	mov    %esi,%eax
   0x08048c08 <+633>:	mov    %ebx,%edx
   0x08048c0a <+635>:	jmp    0x8048c26 <main+663>
   0x08048c0c <+637>:	lea    0x4f(%esp),%eax
   0x08048c10 <+641>:	mov    %eax,(%esp)
   0x08048c13 <+644>:	call   0x804882c <_ZNSaIcED1Ev@plt>
   0x08048c18 <+649>:	lea    0x18(%esp),%eax
   0x08048c1c <+653>:	mov    %eax,(%esp)
   0x08048c1f <+656>:	call   0x8048c5a <_ZNSt3mapISsPFiiiESt4lessISsESaISt4pairIKSsS1_EEED2Ev>
   0x08048c24 <+661>:	jmp    0x8048c42 <main+691>
   0x08048c26 <+663>:	mov    %edx,%ebx
   0x08048c28 <+665>:	mov    %eax,%esi
   0x08048c2a <+667>:	lea    0x18(%esp),%eax
   0x08048c2e <+671>:	mov    %eax,(%esp)
   0x08048c31 <+674>:	call   0x8048c5a <_ZNSt3mapISsPFiiiESt4lessISsESaISt4pairIKSsS1_EEED2Ev>
   0x08048c36 <+679>:	mov    %esi,%eax
   0x08048c38 <+681>:	mov    %ebx,%edx
   0x08048c3a <+683>:	mov    %eax,(%esp)
   0x08048c3d <+686>:	call   0x804889c <_Unwind_Resume@plt>
   0x08048c42 <+691>:	mov    %ebx,%eax
   0x08048c44 <+693>:	add    $0x58,%esp
   0x08048c47 <+696>:	pop    %ebx
   0x08048c48 <+697>:	pop    %esi
   0x08048c49 <+698>:	mov    %ebp,%esp
   0x08048c4b <+700>:	pop    %ebp
   0x08048c4c <+701>:	ret    
End of assembler dump.

出现coredump可能是因为这一条指令

   0x08048bce <+575>:	call   *%esi

看一下esi的值:

(gdb) i r esi
esi            0x0	0

可见esi为0,确实是由于那一条指令引起的.

那么为什么esi的值是从哪里来的?

   0x08048b8f <+512>:	lea    0x48(%esp),%eax
   0x08048b93 <+516>:	mov    %eax,0x4(%esp)
   0x08048b97 <+520>:	lea    0x18(%esp),%eax
   0x08048b9b <+524>:	mov    %eax,(%esp)
   0x08048b9e <+527>:	call   0x8048cfc <_ZNSt3mapISsPFiiiESt4lessISsESaISt4pairIKSsS1_EEEixERS5_>
   0x08048ba3 <+532>:	mov    (%eax),%esi

可见esi是0x08048b9e处所调用的函数,

_ZNSt3mapISsPFiiiESt4lessISsESaISt4pairIKSsS1_EEEixERS5_的返回值

而_ZNSt3mapISsPFiiiESt4lessISsESaISt4pairIKSsS1_EEEixERS5_的实际名称:

[xuzhina@localhost s3_ex]$ c++filt _ZNSt3mapISsPFiiiESt4lessISsESaISt4pairIKSsS1_EEEixERS5_
std::map<std::basic_string<char, std::char_traits<char>, std::allocator<char> >, int (*)(int, int), std::less<std::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::basic_string<char, std::char_traits<char>, std::allocator<char> > const, int (*)(int, int)> > >::operator[](std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)

由于map的operater[]有一个参数,由上面看,可知map对象的地址是esp+0x18,那个参数是放在esp+0x48,而这个刚好是一个string对象的this指针.见0x08048b8a调用了构造函数

   0x08048b6f <+480>:	mov    0xc(%ebp),%eax
   0x08048b72 <+483>:	add    $0x8,%eax
   0x08048b75 <+486>:	mov    (%eax),%eax
   0x08048b77 <+488>:	lea    0x4f(%esp),%edx
   0x08048b7b <+492>:	mov    %edx,0x8(%esp)
   0x08048b7f <+496>:	mov    %eax,0x4(%esp)
   0x08048b83 <+500>:	lea    0x48(%esp),%eax
   0x08048b87 <+504>:	mov    %eax,(%esp)
   0x08048b8a <+507>:	call   0x80487ec <_ZNSsC1EPKcRKSaIcE@plt>

[xuzhina@localhost s3_ex]$ c++filt _ZNSsC1EPKcRKSaIcE
std::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(char const*, std::allocator<char> const&)

可知,这个string的构造函数只是接收了一个参数,而这个参数是由ebp+c所指向内存地址偏移+8所得来的.

而ebp+0xc是main函数的第二个参数,由main函数的原型

int main( int argc, char* argv[] );

可知

这个参数应该是argv[2],而argv[2]是字符串。它的值是多少呢?

(gdb) x /wx $ebp+0xc
0xbfd3def4:	0xbfd3df94
(gdb) x /8wx 0xbfd3df94
0xbfd3df94:	0xbfd3f543	0xbfd3f55c	0xbfd3f55e	0xbfd3f560
0xbfd3dfa4:	0x00000000	0xbfd3f562	0xbfd3f585	0xbfd3f5a4
(gdb) x /s 0xbfd3f55e
0xbfd3f55e:	 "/"

再看一下map的内容有哪些。由上面已经知道map对象的地址是esp+0x18。且由于上面参数的类型可以知道,这个map对象的key是string类型,而val是函数指针

(gdb) x /8wx $esp+0x18
0xbfd3de98:	0x00000001	0x00000000	0x089a7020	0x089a7090
0xbfd3dea8:	0x089a70c8	0x00000004	0x089a7014	0x0804bb84
(gdb) x /8wx 0x089a7020
0x89a7020:	0x00000001	0xbfd3de9c	0x089a7090	0x089a7058
0x89a7030:	0x089a7014	0x08048964	0x00000000	0x00000019
(gdb) x /8wx 0x089a7014
0x89a7014:	0x0000002b	0x00000000	0x00000021	0x00000001
0x89a7024:	0xbfd3de9c	0x089a7090	0x089a7058	0x089a7014
(gdb) x /s 0x089a7014
0x89a7014:	 "+"
(gdb) info symbol 0x08048964
add(int, int) in section .text of /home/xuzhina/code/s3_ex/xuzhina_dump_c07_s3_ex
(gdb) x /8wx 0x089a7090
0x89a7090:	0x00000001	0x089a7020	0x00000000	0x00000000
0x89a70a0:	0x089a7084	0x08048983	0x00000000	0x00000019
(gdb) x /8wx 0x089a7084
0x89a7084:	0x0000002a	0x00000000	0x00000021	0x00000001
0x89a7094:	0x089a7020	0x00000000	0x00000000	0x089a7084
(gdb) x /s 0x089a7084
0x89a7084:	 "*"
(gdb) info symbol 0x08048983
mul(int, int) in section .text of /home/xuzhina/code/s3_ex/xuzhina_dump_c07_s3_ex
(gdb) x /8wx 0x089a7058
0x89a7058:	0x00000001	0x089a7020	0x00000000	0x089a70c8
0x89a7068:	0x089a704c	0x08048972	0x00000000	0x00000019
(gdb) x /8wx 0x089a704c
0x89a704c:	0x0000002d	0x00000000	0x00000021	0x00000001
0x89a705c:	0x089a7020	0x00000000	0x089a70c8	0x089a704c
(gdb) x /s 0x089a704c
0x89a704c:	 "-"
(gdb) info symbol 0x08048972
sub(int, int) in section .text of /home/xuzhina/code/s3_ex/xuzhina_dump_c07_s3_ex
(gdb) x /8wx 0x089a70c8
0x89a70c8:	0x00000000	0x089a7058	0x00000000	0x00000000
0x89a70d8:	0x089a70bc	0x00000000	0x00000000	0x00020f21
(gdb) x /8wx 0x089a70bc
0x89a70bc:	0x0000002f	0x00000000	0x00000021	0x00000000
0x89a70cc:	0x089a7058	0x00000000	0x00000000	0x089a70bc
(gdb) x /s 0x089a70bc
0x89a70bc:	 "/"


而main函数调用_ZNSt3mapISsPFiiiESt4lessISsESaISt4pairIKSsS1_EEEixERS5_除了coredump的附近之外,还有三处调用了。

   0x080489ea <+91>:	lea    0x30(%esp),%eax
   0x080489ee <+95>:	mov    %eax,0x4(%esp)
   0x080489f2 <+99>:	lea    0x18(%esp),%eax
   0x080489f6 <+103>:	mov    %eax,(%esp)
   0x080489f9 <+106>:	call   0x8048cfc <_ZNSt3mapISsPFiiiESt4lessISsESaISt4pairIKSsS1_EEEixERS5_>
   0x080489fe <+111>:	movl   $0x8048964,(%eax)  

 0x08048a75 <+230>:	lea    0x38(%esp),%eax
   0x08048a79 <+234>:	mov    %eax,0x4(%esp)
   0x08048a7d <+238>:	lea    0x18(%esp),%eax
   0x08048a81 <+242>:	mov    %eax,(%esp)
---Type <return> to continue, or q <return> to quit---
   0x08048a84 <+245>:	call   0x8048cfc <_ZNSt3mapISsPFiiiESt4lessISsESaISt4pairIKSsS1_EEEixERS5_>
   0x08048a89 <+250>:	movl   $0x8048972,(%eax)

   0x08048b00 <+369>:	lea    0x40(%esp),%eax
   0x08048b04 <+373>:	mov    %eax,0x4(%esp)
   0x08048b08 <+377>:	lea    0x18(%esp),%eax
   0x08048b0c <+381>:	mov    %eax,(%esp)
   0x08048b0f <+384>:	call   0x8048cfc <_ZNSt3mapISsPFiiiESt4lessISsESaISt4pairIKSsS1_EEEixERS5_>
   0x08048b14 <+389>:	movl   $0x8048983,(%eax)


其中0x8048964,0x8048972,0x8048983正好是那三个函数指针。可见,main函数并没有往map对象里面放入”/”的val。

 

看一下程序代码,

  1 #include <map>
  2 #include <string>
  3 #include <stdio.h>
  4 #include <stdlib.h>
  5 
  6 typedef int (*oper)(int a, int b );
  7 
  8 int add( int a, int b )
  9 {
 10     return a + b;
 11 }
 12 
 13 int sub( int a, int b )
 14 {
 15     return a - b;
 16 }
 17 
 18 int mul( int a, int b )
 19 {
 20     return a * b;
 21 }
 22 
 23 int main( int argc, char* argv[] )
 24 {
 25     if ( argc < 4 )
 26     {
 27         printf( "parameter less than 4\n" );
 28         return -1;
 29     }
 30 
 31     std::map< std::string, oper> operMap;
 32     operMap["+"] = &add;
 33     operMap["-"] = ?
 34     operMap["*"] = &mul;
 35 
 36     return operMap[argv[2]]( atoi( argv[1] ), atoi( argv[3] ) );
 37 }

 

可知,确实如上面所分析那样.所以,对于获取map里面的元素,用operator[]要慎重.


《coredump问题原理探究》Linux x86版7.6节 Map coredump例子

原文:http://blog.csdn.net/xuzhina/article/details/45375265

(0)
(0)
   
举报
评论 一句话评论(0
关于我们 - 联系我们 - 留言反馈 - 联系我们:wmxa8@hotmail.com
© 2014 bubuko.com 版权所有
打开技术之扣,分享程序人生!