Adventures with _chkstk

Friday Oct 14th 2011 by Silviu-Marius Ardelean

Silviu-Marius Ardelean offers some insight into _chkstk and stack corruption.

_chkstk Routine is a helper routine for the C compiler. For x86 compilers, _chkstk Routine is called when the local variables exceed 4K bytes; for x64 compilers it is 8K.
That's all that you get from _chkstk()'s MSDN web page. Nothing more...


A process starts with a fixed stack space. The top of a stack is pointed to by the Extended Stack Pointer (ESP) register and this is a decrementing pointer. Every function call results in a stack created for the function inside this Process Stack. Every thread function has its own stack. The stack is a downward growing array. The default stack reservation size is 1 MB and the heap's size theoretically increases to a limit of 4 GB on 32bits operation systems. See more information here.

Every thread under Windows has its own block of contiguous memory, and while function calls are made, the stack pointer is increasing and decreasing. In contrast, a different thread within the same process might get a different block of contiguous memory – its own stack. When a context switch occurs, the current thread’s ESP (along with the IP and other registers) are saved in the thread’s context structure, and restored when the thread is activated the next time.

In order to specify a different default stack reservation size for all threads and fibers, use the STACKSIZE statement in the module definition (.def) file. To change the initially committed stack space, use the dwStackSize parameter of the CreateThread, CreateRemoteThread, or CreateFiber function.
Most stack problems occur in overflows of existing stacks, as their sizes are fixed and they cannot be expanded.

_chkstk() increases the stack when needed by committing some of the pages previously reserved for the stack. If there is no more physical memory available for committed pages, _chkstk fails. When you enter a function (VC++ with the stack checking enabled), it will call the _chkstk located in CHKSTK.ASM. This function does a stack page probing and causes the necessary pages of memory to be allocated using the guard page scheme, if possible. In this function, it is stated that when it encounters _XCPT_GUARD_PAGE_VIOLATION, the OS will attempt to allocate another guarded page and if it encounters _XCPT_UNABLE_TO_GROW_STACK then it’s a stack overflow error. When _XCPT_UNABLE_TO_GROW_STACK is encountered, the stack is not yet set up properly; it will not call the catch because calling it will use invalid stack variables, which will again cause another exception.

Case – Too Many or Too Big Variables on Stack

As I said above, the function stack size is 1 MB. If you miss that and you're trying to define and use an array internally like this:

int arr[4000][200];

when you compile with VC++ compiler in debug mode, you will have a big surprise: the application crashes on _chkstk() at the moment the _chkstk() tries to create a new memory page on stack and fails.

Call Stack
Figure 1: Call Stack

The output window shows the next message:

First-chance exception at 0x004116e7 in testApp.exe: 0xC00000FD: Stack overflow.
Unhandled exception at 0x004116e7 in testApp.exe: 0xC00000FD: Stack overflow.

This happens because the 1MB limit is overloaded even on a win32 OS: 4000*200*4 = 3.2MB (approx.). It's the same story if you define many local variables and their stack usage overloads the 1MB limit. If you really need this big array then use heap to avoid this crash.

int **arr = new int*[4000];
for(int i=0; i<4000; ++i) {
	arr[i] = new int[200];
// and finaly don't forget to delete
for(int i=0;i<4000; ++i) {
	delete[] arr[i];
delete[] arr;

Case – Recursive Functions

If you have an infinite recursion then you will gate same stack overflow error and the application crashes in _chkstk.asm. Recursive function is outside the scope of this article. Here is a good example of what happens with recursive functions.
The solution is to avoid using recursive functions as much as possible and try to implement an iterative function.

Case – Stack Corruption

I started looking over _chkstk() implementation the moment I got a few bugs with crashes that had similar details. I had to analyze some .dump files and solve a few bugs that contained a call stack with _chkstk() on top. Most of the .dump files call stack contained a second similar thing: the call of a thread function (so called ThreadFoo()) that was running in a threads pool. I started to research why _chkstk() failed and my first track was to debug the stack overflows. I followed a MSDN debugging tutorial and unfortunately I didn't find anything strange. I checked to see if the local stack variables were filling the ThreadFoo() function’s stack and they did not.

A new study of ThreadFoo() function followed, in order to detect internal function calls that can fail in some circumstances. I checked some of the trace function calls in great detail. Those trace functions where defined in an external debug class and each time a new trace file was added it used an internal buffer (TCHAR szBuff[2048] = _T(“”);). The writing of this buffer was done using: swprintf(). As we know, this function is unsafe and is not recommended. As long as the content of these trace lines was dynamically built (in some cases those lines may contain dynamically built SQL queries that fail) then the length of these trace lines could be higher than 2048 bytes; then guess what, a stack corruption appears! UPS! The stack pointer will be corrupted (the classic stack overflow case).

So I have implemented and used the following macros:

#if defined(UNICODE) || defined(_UNICODE)  
#define usprintf(x, ...) \
   _snwprintf(x, _countof(x)-1, ##__VA_ARGS__); \
   x[_countof(x)-1] = 0
#define usprintf(x, ...) \
   _snprintf(x, _countof(x)-1, ##__VA_ARGS__); \
   x[_countof(x)-1] = 0

Now, if we use the safe macro, we will have no issues.

int x = 23;
TCHAR szMsg[2048] = {0};
usprintf(szMsg, _T("Error: %d"), x);

Another safe way is to allocate the buffer in the heap. However, in some cases, stack arrays may be preferred for performance reasons. After that was fixed I met with no other stack corruptions in ThreadFoo() or other code areas. Even if the top of the call stack was _chkstk() this was not the function that failed. The error appeared because of that stack corruption and _chkstk() has just detected.


If your code produces a stack overflow, then you have to rethink your design in the right away:

  • If you see _chkstk() on the top of call stack, check if you have no stack corruptions - stack overflow
  • Don't try to manipulate the stack by yourself. The default 1MB stack size is basically enough
  • Allocate dynamically if you're using big arrays
  • If you have recursive functions producing a stack overflow, re-write them using loops (a tip: it is a proven fact that any recursive functions can be programmed non-recursive)


Mobile Site | Full Site
Copyright 2017 © QuinStreet Inc. All Rights Reserved