{"id":100685,"date":"2019-01-11T07:00:00","date_gmt":"2019-01-11T22:00:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/?p=100685"},"modified":"2025-07-03T12:19:11","modified_gmt":"2025-07-03T19:19:11","slug":"20190111-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20190111-00\/?p=100685","title":{"rendered":"Why do we even need to define a red zone? Can’t I just use my stack for anything?"},"content":{"rendered":"

On Windows, the stack grows downward from high addresses to low. This is sometimes architecturally defined, and sometimes it is merely convention. The value pointed-to by the stack pointer register is the value at the top of the stack, and values deeper on the stack reside at higher addresses. But what’s up with the data at addresses less than<\/i> the stack pointer?<\/p>\n\n\n\n\n\n\n
 <\/td>\n\u22ee<\/td>\n <\/td>\n<\/tr>\n
top of stack<\/td>\nvalid stack data
\nvalid stack data
\nvalid stack data<\/td>\n		\u2190<\/span>stack pointer<\/td>\n<\/tr>\n
 <\/td>\nbelow the stack
\nbelow the stack
\nbelow the stack<\/td>\n		land of mystery<\/td>\n<\/tr>\n
 <\/td>\n\u22ee<\/td>\n <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

The platform conventions for some but not all architectures define a red zone<\/i>, which is a region of the stack below the stack pointer that is still valid for applications to use.<\/p>\n\n\n\n\n\n\n\n
 <\/td>\n\u22ee<\/td>\n <\/td>\n<\/tr>\n
top of stack<\/td>\nvalid stack data
\nvalid stack data
\nvalid stack data<\/td>\n		\u2190<\/span>stack pointer<\/td>\n<\/tr>\n
 <\/td>\nstill valid
\nstill valid<\/td>\n		red zone<\/td>\n<\/tr>\n
 <\/td>\nhere
\nbe
\ndragons<\/td>\n		off limits<\/td>\n<\/tr>\n
 <\/td>\n\u22ee<\/td>\n <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

For Windows, the size of the red zone varies by architecture, and is often zero.<\/p>\n\n\n\n\n\n\n\n\n\n\n\n
Architecture<\/th>\nRed zone size<\/th>\n<\/tr>\n
x86<\/td>\n0 bytes<\/td>\n<\/tr>\n
x64<\/td>\n0 bytes<\/td>\n<\/tr>\n
Itanium<\/td>\n16 bytes*<\/td>\n<\/tr>\n
Alpha AXP<\/td>\n0 bytes<\/td>\n<\/tr>\n
MIPS32<\/td>\n0 bytes<\/td>\n<\/tr>\n
PowerPC<\/td>\n232 bytes<\/td>\n<\/tr>\n
ARM32<\/td>\n8 bytes<\/td>\n<\/tr>\n
ARM64<\/td>\n16 bytes<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

* The Itanium is unusual in that the red zone is placed above<\/i> the stack pointer<\/a>, rather than below it.<\/p>\n

In the case of the PowerPC, the red zone is a side effect of the calling convention<\/a>.<\/p>\n

Any memory below the stack beyond the red zone is considered volatile and may be modified by the operating system at any time.<\/p>\n

But seriously, why does the operating system even care what I do with my stack? I mean, it’s my<\/i> stack! The operating system doesn’t tell me what to do with memory I allocate via Virtual\u00adAlloc<\/code>. What makes the stack any different from any other memory?<\/p>\n

Consider the following sequence on x86<\/a>:<\/p>\n

    MOV     [esp-4], eax       ; save eax below the stack pointer\r\n    MOV     ecx, [esp-4]       ; read it into ecx\r\n    CMP     ecx, eax           ; are they the same?\r\n    JNZ     panic              ; N: something crazy happened\u00b9\r\n<\/pre>\n
Can the jump be taken?<\/p>\n
Since there is no red zone on x86, the memory at negative offsets relative to the stack pointer may be overwritten at any time. Therefore, the above sequence is permitted to jump to panic<\/code>.<\/p>\n
A debugger may use the memory beyond the red zone as a convenient place to store some data. For example, if you use  the .call<\/code> command<\/a>, the debugger will perform the nested call on the same stack, and likely use some of that stack space to preserve registers so that they can be restored after the .call<\/code>ed function returns. Any data stored beyond the red zone will therefore be destroyed.<\/p>\n
Even during normal operation, it’s possible for the operating system to overwrite data beyond the red zone at any time. Here’s one scenario where it can happen:<\/p>\n
Suppose your thread gets pre-empted immediately after you store the data beyond the red zone. While your thread is waiting for a chance to resume execution, the memory manager pages out the code. Eventually, your thread resumes execution, and the memory manager tries to page it back in. Oh no, there’s an I\/O error during the page-in! The operating system pushes an exception frame onto the stack for the STATUS_<\/code>IN_<\/code>PAGE_<\/code>ERROR<\/code>, clobbering the data you had been hiding beyond the red zone.<\/p>\n
The operating system then dispatches the exception. It goes to a vectored exception handler, which some other part of your program had installed specifically to handle this possibility, because your program might be run directly off a CD-ROM or unreliable network. The program displays a prompt to ask the user to reinsert the CD-ROM and offers an opportunity to retry. If the user says to retry, then the vectored exception handler returns EXCEPTION_<\/code>CONTINUE_<\/code>EXECUTION<\/code>, and the operating system will restart the failed instruction.<\/p>\n
This time, the restart succeeds because the CD-ROM is present and the code can be paged back in. The next instruction runs, the one that loads the beyond-the-red-zone value into the ecx<\/var> register, but it doesn’t load the value stored by the previous instruction because the STATUS_<\/code>IN_<\/code>PAGE_<\/code>ERROR<\/code> exception overwrote it. The comparison fails, and we jump to the label panic<\/code>.<\/p>\n
If you want to store data on the stack, push it properly: Decrement the stack pointer first, and then store the value onto the valid portion of the stack. Don’t hide it beyond the red zone. That memory is volatile and may vanish out from under you.<\/p>\n
\u00b9 The coding convention for assembly language\u00b2 says that comments for jump instructions should describe the result if the jump is taken. In the example above, the CMP<\/code> instruction asks the question, “Are they the same?”, and the JNZ<\/code> instruction jumps if they are not equal. The comment therefore begins with “N:” indicating that the jump is taken if the answer to the previous question is No<\/i>, and the rest of the comment describe what it means when the jump is taken.<\/p>\n
\u00b2 Yes, we have a coding convention for assembly language.<\/p>\n","protected":false},"excerpt":{"rendered":"
I mean, it’s my stack, isn’t it?<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[25],"class_list":["post-100685","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-code"],"acf":[],"blog_post_summary":"
I mean, it’s my stack, isn’t it?<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/100685","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=100685"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/100685\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=100685"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=100685"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=100685"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}