views: 32 | answers: 1

Hi,

I wrote a simple C function:

void function(){
    int n;
    char s[6];
    n = 1;
    s[0] = 2;
    s[5] = 3;
}

This disassembles to:

pushl %ebp
movl %esp, %ebp
sub $40, %esp
movl $1, -12(%esp)
movb $2, -40(%esp)
movb $3, -35($esp)
leave
ret

I am trying to understand why the char[] is given the address that starts at -40.

It is a 6-byte array, so I would think that it would require 8 bytes (a multiple of the 4-byte word size), in which case it would be assigned the memory address -20(%esp).

Why -40(%esp)?

Thanks

EDIT: I am also under the assumption that n is given the offset of -12(%esp) because ints and registers are 4 bytes, and eip is pushed to -4(%esp) and ebp is pushed to -8(%esp). Is this correct?

Thank you in advance!!

+1  A: 

It should be movl $1, -12(%ebp) and so on.

s[] is a buffer, so the compiler may allocate additional space for security checks (but there aren't any checks here).

The layout is the following:

esp+44: ebp+04: return address
esp+40: ebp+00: prev ebp value
.......
esp+12: ebp-12: n
.......
esp+04: esp-3C: s[4:6]
esp+00: ebp-40: s[0:4]
Abyx
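The layout above is inferred from the listing; the offsets a compiler actually chooses (padding for alignment, extra slack around arrays, whether the buffer sits above or below the scalar) can be measured directly. The following program is an added example, not code from the question or the answer: it places the same two locals as the posted function, takes the frame base with GCC/Clang's `__builtin_frame_address(0)`, and reports each local's distance below that base. The struct and function names are constructed for this example, and the exact numbers depend on the compiler, target and options, which is the point: only the invariants (no overlap, locals below the saved frame pointer) are portable.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed for this example: distances, in bytes, from the frame base
   (what the listing calls %ebp after "movl %esp, %ebp") down to each local. */
typedef struct {
    long n_off;      /* frame_base - &n            */
    long s_off;      /* frame_base - &s[0]         */
    long s_end_off;  /* frame_base - (&s[0] + 6)   */
} frame_layout;

/* Same two locals as the posted function(); volatile and address-taking keep
   them in memory so the measurement reflects real stack slots. */
static frame_layout measure_layout(void) {
    volatile int  n;
    volatile char s[6];
    n = 1;
    s[0] = 2;
    s[5] = 3;

    uintptr_t base = (uintptr_t)__builtin_frame_address(0);
    frame_layout l;
    l.n_off     = (long)(base - (uintptr_t)&n);
    l.s_off     = (long)(base - (uintptr_t)&s[0]);
    l.s_end_off = (long)(base - ((uintptr_t)&s[0] + sizeof s));
    return l;
}

/* True when n does not share any byte with s: [s_end_off, s_off) is the
   buffer's span below the base, and n occupies [n_off - 4, n_off). */
int locals_disjoint(frame_layout l) {
    long n_lo = l.n_off - (long)sizeof(int);   /* closest-to-base edge */
    long n_hi = l.n_off;                       /* farthest-from-base edge */
    return (n_hi <= l.s_end_off) || (n_lo >= l.s_off);
}

/* True when both locals lie below the frame base, i.e. between the saved
   frame pointer / return address and the current stack pointer. */
int locals_below_frame_base(frame_layout l) {
    return l.n_off > 0 && l.s_end_off >= 0;
}

/* Which local is nearer the saved frame pointer and return address. A
   buffer placed nearer the base is what an overrun of s[] would reach first. */
const char *nearest_to_return_address(frame_layout l) {
    return (l.s_end_off < l.n_off - (long)sizeof(int)) ? "s" : "n";
}

int main(void) {
    frame_layout l = measure_layout();
    printf("n      at frame_base-%ld\n", l.n_off);
    printf("s[0]   at frame_base-%ld\n", l.s_off);
    printf("s end  at frame_base-%ld\n", l.s_end_off);
    printf("disjoint: %d, below base: %d, nearest return address: %s\n",
           locals_disjoint(l), locals_below_frame_base(l),
           nearest_to_return_address(l));
    return 0;
}
```

Compile it once as written and once with `-fstack-protector-all` (or `-fno-stack-protector`) to see the arrays move: GCC's stack protector deliberately places character arrays above scalars, next to the canary, so that an overrun of s[] hits the canary before it reaches n or the saved registers, which is the "additional space for security checks" the answer mentions.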