Why are some functions located densely and others are aligned and padded with int 3 instructions?

I compile the following program with Visual C++ 10:

include <Windows.h>
int _tmain(int /*argc*/, _TCHAR* /*argv*/[])
{
    Sleep( 0 );
    return 0;
}

and look into disassembly. There're lots of C++ runtime functions in the program image. Some functions are located densely - ret of some function is followed by the first instruction of the next function. For example,

` __declspec(noreturn) void __cdecl __report_gsfailure(ULONGLONG StackCookie)`

ends at address 004013B7 (there's a ret instruction) and address 004013B8 contains some other function for which the debugger can't find the source. Meanwhile

BOOL __cdecl _ValidateImageBase(PBYTE pImageBase)

ends at address 00401554 but the next function

PIMAGE_SECTION_HEADER __cdecl _FindPESection( PBYTE pImageBase, DWORD_PTR rva )

starts at address 00401560 and there're multiple int 3 instructions between the latter two addre开发者_如何学JAVAsses.

Why the difference? Why some functions are put densely and others are separated with unreachable code?

I reproduced this behavior. You can notice as well that these functions start with a mov edi,edi intruction.

The int 3 instructions, along with the mov edi,edi instruction at the beginning of the function allows hotpatching. When a function needs to be hotpatched, the mov edi,edi is replaced by a short jump instruction that jumps before the entry point of the function and the int 3 instructions are replaced by a long jump to the patched function.

Refer to Anyone knows what "mov edi,edi " does?

Don't know why __report_gsfailure is only preceeded by 2 int 3 even if it starts with a mov edi,edi instruction...

Raymond Chen tells all you need to know about this: Why do Windows functions all begin with a pointless MOV EDI, EDI instruction?