Inspecting Structure Memory Layouts

You want to see what the compiler has done with the layout of your structure and you want to see it now! There are a number of reasons why you might want to do this. Maybe you want to see what kind of padding has been added (if any) or maybe you want to verify that your structure field layout randomization feature is actually moving fields around!

In any case, I support you, and I think that your reason is 100% valid.

Without further ado, here are the three methods I’ve been using to peek at the memory layout of my structures.

pahole

There’s a program called pahole that (in the Ubuntu repositories) is included in a package called dwarves. It may be worth installing this package just so you can get that much closer to Tolkien’s world of Middle Earth on your computer even if you don’t care about structure layouts.

From its man page:

pahole – Shows and manipulates data structure layout.

pahole is awesome. Compile your project with debugging symbols and then invoke pahole on the produced binary.

Since I’m one of the developers working on a structure field randomization feature for use with the Clang compiler, a relevant example would be using pahole to examine the differences between the structure layouts with and without randomization.

I’ve produced a diff of the output of pahole on a very small program with a single structure with “randomization” and without:

diff rand.layout reg.layout 
2,3c2,3
<       char *                     second;               /*     0     8 */
<       char *                     first;                /*     8     8 */
---
>       char *                     first;                /*     0     8 */
>       char *                     second;               /*     8     8 */

The important bit here is that fields are certainly moving, and that’s a win for me.

Thanks, pahole!

GDB’s ptype

What would we do without debuggers? Probably die. GDB can also help show you a structure’s layout. The disadvantage with this method vs. just using pahole is that now you have to run your program in the debugger. It feels much more involved but we shouldn’t discount it! Learn your debugger! Love your debugger!

GDB has the ptype command, which I believe is just a charmingly terse way of saying “print type”.

$ gdb rand
... snipped gdb startup text
Reading symbols from rand...done.
(gdb) ptype struct mystruct
type = struct mystruct {
    char *second;
    char *first;
}

Hacky pointer arithmetic

Turn back. This is a cold, winding road and it is the way to madness. I’m only including it here because I respect the historical record. This is the depravity that I lived through when I did not know about pahole or GDB’s ptype.

Do not send me your therapy bill.

You have been warned.

#include <stdio.h>

struct mystruct {
    char *first;
    char *second;
}__attribute__((randomize_layout));

int main(void)
{
    struct mystruct m;
    m.first = "I'm the first!";
    m.second = "and I'm the second!";

    printf("%s\n%s\n", *(&m), *(&m + sizeof(char *)));
    return 0;
}

Now, obviously, this doesn’t scale.

I’m glad I could end this blog post with disappointment.

Check back later for more disappointment.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s