{"id":35833,"date":"2005-04-21T09:00:28","date_gmt":"2005-04-21T09:00:28","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/2005\/04\/21\/the-itaniums-so-called-stack\/"},"modified":"2019-12-29T09:02:57","modified_gmt":"2019-12-29T17:02:57","slug":"the-itaniums-so-called-stack","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20050421-28\/?p=35833","title":{"rendered":"The Itanium&#8217;s so-called stack"},"content":{"rendered":"<p>Last year I alluded to the fact that <a href=\"http:\/\/blogs.msdn.com\/oldnewthing\/archive\/2004\/01\/13\/58199.aspx\"> the Itanium processor has two stacks<\/a>. The one that is traditionally thought of as &#8220;the stack&#8221; (and the one that the <code>sp<\/code> register refers to) is a manually managed block of memory from which a function can carve out space to use during its execution. For example, if you declare a local variable like<\/p>\n<pre>TCHAR szBuffer[MAX_PATH];\r\n<\/pre>\n<p>then that buffer will go on &#8220;the stack&#8221;.<\/p>\n<p>But not all local variables are on &#8220;the stack&#8221;.<\/p>\n<p>Recall that the Itanium has a very large number of registers, most of which participate in function calls. Consequently, many local variables are placed into registers rather than &#8220;the stack&#8221;, and when a function is called, those registers are &#8220;squirreled away&#8221; by the processor and &#8220;unsquirreled&#8221; when the function returns. Where do they get squirreled? Well, the processor can often just squirrel them into other unused registers through a mechanism I won&#8217;t go into. (Those still interested can read Intel&#8217;s documents on the subject.) If the processor runs out of squirrel-space, it spills them into main memory, into a place known as the &#8220;register backing store&#8221;. This is another stack-like chunk of memory separate from &#8220;the stack&#8221;. 
(Here&#8217;s <a href=\"http:\/\/blogs.msdn.com\/slavao\/archive\/2005\/03\/19\/399117.aspx\"> Slava Oks&#8217; artistic impression of the layout of the ia64&#8217;s stacks<\/a>.)<\/p>\n<p>As already noted, one consequence of this dual-stack model is that a stack buffer overflow will not corrupt the return address, because the return address is not kept on &#8220;the stack&#8221;; rather, it is kept in the &#8220;squirrel space&#8221; or (in the case of spillage) in the register backing store.<\/p>\n<p>Another consequence of this dual-stack model is that <a href=\"http:\/\/blogs.msdn.com\/oldnewthing\/archive\/2004\/11\/11\/255800.aspx#257609\"> various tricks to locate the start of the stack<\/a> will find only <strong>one<\/strong> of the stacks. Missing out on the other stack will cause problems if you think grovelling &#8220;the&#8221; stack will find all accessible object references.<\/p>\n<p>The Itanium architecture challenges many assumptions and is much less forgiving of various technically-illegal-but-nobody-really-enforced-it-before shenanigans, <a href=\"http:\/\/blogs.msdn.com\/oldnewthing\/archive\/2004\/01\/20\/60603.aspx\"> some of which<\/a> I have discussed <a href=\"http:\/\/blogs.msdn.com\/oldnewthing\/archive\/2004\/01\/19\/60162.aspx\"> in earlier entries<\/a>. To this list, add the &#8220;second stack&#8221;.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Last year I alluded to the fact that the Itanium processor has two stacks. The one that is traditionally thought of as &#8220;the stack&#8221; (and the one that the sp register refers to) is a manually managed block of memory from which a function can carve out space to use during its execution. 
For example, [&hellip;]<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[25],"class_list":["post-35833","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-code"],"acf":[],"blog_post_summary":"<p>Last year I alluded to the fact that the Itanium processor has two stacks. The one that is traditionally thought of as &#8220;the stack&#8221; (and the one that the sp register refers to) is a manually managed block of memory from which a function can carve out space to use during its execution. For example, [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/35833","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=35833"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/35833\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=35833"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=35833"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=35833"}],"curies":[{
"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}