1

CS 201Computer Systems Programming

Chapter 12

x86 Call & Return

Herbert G. Mayer, PSUHerbert G. Mayer, PSUStatus 6/28/2015Status 6/28/2015

2

Syllabus Motivation Definitions Stack Frame Stack Operations x86 Stack Operations Masm PROC Recursive Factorial in x86 References

3

Motivation Often not feasible to express complete assembler

program in a single file or as a single procedure Logical modules reduce complexity of human

programming task Allows re-use and reincarnation of the same

procedure through parameterization Higher Level concepts should hide detail of

call/return mechanism. For example, the low-level manipulation of the stack through push and pop and some detail or call and return operations should be hidden

However, some aspects of a context switch should be reflected even in High Level language, in particular the call and return itself

4

Definitions Base Pointer: An address pointer (often implemented via a

dedicated register), that identifies an agreed-upon area in the Stack Frame of an executing procedure. On the x86 architecture, this is implemented via the bp register

Binding: Procedures may have parameters. Formal parameters express attributes such as type, name, and similar attributes. At the place of call, often these formal parameters receive initial, actual values through so-called actual parameters. Sometimes, an actual parameter is solely the address of the true object referenced during the call. The association of actual to formal parameter is referred to as parameter binding

Call: Transfer of control (a.k.a. context switch) to the argument of the call instruction. A call expects that after completion, the program resumes execution at the place after the call instruction

5

Definitions Dynamic Link: Element of Stack Marker, pointing to the Stack

Frame of the calling procedure. This caller is temporarily dormant; i.e. it is the callée’s stack frame that is active. Since the caller also has a Dynamic Link, all currently live Stack Frames are linked together via this data structure

Frame Pointer: Synonym for Base Pointer; x86 uses bp register Pop: Stack operation that frees data from the stack. At times, data

are just popped because they are no longer needed, in which case only the stack space is freed. This can also be accomplished by changing the value of the stack pointer; on x86 the sp register. Often the memory location is not overwritten by a pop, i.e the data just stay. But the memory area is not considered to be part of the active stack anymore

Push: Stack operation that reserves space on the stack. Generally, the space reserved on the stack through a push is initialized with the argument of the push operation. Other times, a push just reserves space on the stack for data to be initialized at a later time. On the x86 architecture a push decreases the top of stack pointer (sp value)

6

Definitions Return: Transfer of control after completion of a call.

Usually, this is accomplished through a return instruction. The return instruction assumes the return address to the code segment sits in a fixed part of the stack frame

Return Address: The code address to which execution will switch once the call completes that activated the current procedure

Return Value: The value returned by a function call. If the return value is a composite data structure, then the location set aside for the function return value is generally a pointer to the actual data

Stack: Run time data structure that grows and shrinks during program execution. It generally holds parameters, locals, temps, plus control information (return addresses, links). Operations that change the stack include push, pop, call, return, and the like

7

Definitions Stack Frame: Run time data structure associated with an

active procedure. A Stack Frame is composed of the procedure parameters, the Stack Marker, local data, and space for temporary data, including saved registers

Stack Marker: Run time data structure on the stack associated with a Stack Frame. The Stack Marker holds fixed information, whose structure is known a priori. This includes the return address, the static link, and the dynamic link. In some implementations, the Stack Marker also holds an entry for the function return value and the saved registers

Stack Pointer: AKA top of stack pointer: A pointer (typically implemented via a register) that addresses the last element allocated (pushed) on top of the stack. On the x86 architecture this is implemented via the sp register. Other architectures have the Stack Pointer refer to the next free location (if any) on the stack

8

Definitions Static Link: An address in the Stack Marker that points to

the Frame Pointer of the last invocation of the procedure, which lexicographically surrounds the one executing currently. This is necessary only for high level languages that allow statically nested scopes, such as Ada, Algol, and Pascal. This is not needed in more restricted languages such as C, Java, or C++

Top of Stack: Stack location last allocated (pushed) object. However, in some run-time systems the next free element is called the top of stack

9

Stack FrameThe figure below shows a schematic layout of an abstract Stack Frame. Some implementations have the stack grow toward higher, others toward lower addresses. The scheme shown here does not care; it just shows the general layout. Key points:•Stack Pointer identifies top of current stack, and also top of current Stack Frame•Stack pointer may vary often during invocation•Stack pointer changes upon call, return, push, pop, explicit assignments•Base pointer does not vary during call•Base pointer is set only once at start of call•Base pointer changed again at return, to value of previous base pointer, hence the name dynamic link•Parameters are typically addressed relative to base pointer in one direction•Locals (and temps) can be addressed relative to base pointer in the other direction•Possible to save base pointer, useful when registers are scarce, as on x86•However, this scheme is difficult, since compiler (or human programmer) must keep dynamic size of stack in mind at any moment of time of code generation

10

Stack Frame

11

Stack Operations 32bBefore Call:Push actual parameters: Changes the stackTrack size of actuals pushedIn many high-level languages the actual-parameter size for a callée is fixed, as defined in the formal parameter specificationNot so in C and C++ as it is allowed to pass a smaller number of actual parameters than formally specified!!!Base pointer bp (AKA frame pointer) still points to Stack Marker of caller before the call is executedWhen the last actual parameter has been pushed: one flexible part of the Stack Frame is complete

12

Stack Operations 32bActual Call:Push the instruction pointer (eip); in x86 done by call instructioneip already holds the address of the instruction after the call; that is the return addressThis slot on the stack identifies the beginning of the Stack MarkerThe call instruction also sets eip to the code address of the destination (callée)Original x86 architecture has 24 flavors of call instructions

13

32bsStack Operations 32bProcedure Entry:Every time something is pushed or popped, the Stack Pointer (esp) register changesPush the current value of the Base Pointer (ebp), this is the dynamic linkC needs no static link, has no nested functionsSet Base Pointer to the value of the Stack Pointer; e.g. mov ebp, espNow the new Stack Frame is being addressedThe fixed part of stack: Stack Marker is being builtAllocate space for local variables, if anyThis establishes another area of the Stack Frame that is variable in size

14

Stack Operations 32bReturn:Pop locals and temps off stackThis frees the second flexible size area from the Stack FramePop all registers to be restored back into those regsPop the top of stack value back into the ebpThis uses the Dynamic Link to reactivate the caller’s Stack FramePop top of stack value into instruction pointerThis sets the eip register back to the instruction after the callThe return instruction does thisEither caller (or an argument of the return instruction on x86) frees the space allocated for actual parametersThe x86 architecture allows an argument to the ret instruction, freeing that amount of bytes off of the stack

15

0. x86 Stack Operations, small model;Procedure Entry, No Locals, no saved Regs:

; ; the call has taken place, and now:push bp ; save dyn link in Stack Markermov bp, sp ; establish new Frame: point to Stack

Marker

;Procedure Exit, No Locals, no Regs restored:

; ; we are ready to “return”pop bp ; must find back old Stack Frameret 0 ; ip to instruction after call instruction

16

1. x86 Stack Operations, Save Regs;Procedure Entry, No Locals, Save Regs ax and bx:

push bp ; save dyn link in Stack Markermov bp, sp ; establish new Frame: point to Stack

Markerpush ax ; save ax if needed by callée, optionalpush bx ; ditto for bx

;Procedure Exit, No Locals, Restore Regs bx and ax:pop bx ; restore bx if was used by calléepop ax ; ditto for axpop bp ; must find back old Stack Frameret args ; ip to instruction after call; free args

17

2. x86 Stack Operations, Locals;Procedure Entry With Locals, No Regs:

push bp ; save dyn link in Stack Markermov bp, sp ; establish new Frame: point to Stack

Markersub sp, 24 ; allocate 24 bytes = 6 words for locals

;Procedure Exit With Locals, No Regs:mov sp, bp ; free all locals and tempspop bp ; must find back old Stack Frame, RA on topret args ; ip to instruction after call; free args

18

3. x86 Stack Operations;Procedure Entry With Locals, Save Regs:

push bp ; save dyn link in Stack Markermov bp, sp ; establish new Frame: point to Stack

Markersub sp, 24 ; allocate 24 bytes un-init space for

localspush ax ; save ax if needed by callée, optionalpush bx ; ditto for bx

;Procedure Exit With Locals, Restore Regs:pop bx ; restore bx if was used by calléepop ax ; ditto for axmov sp, bp ; free all locals and tempspop bp ; must find back old Stack Frame, RA on topret args ; ip to instruction after call; free args

19

Masm PROC A masm proc is a named short-hand for logical code module Introduced by the proc keyword; proc is preceded by the

name of that procedure Ended by the endp keyword; good to repeat the name of that

callable procedure Pattern for proc without arguments, without return value is:

my_name procpush bp ; save dynamic linkmov bp, sp ; new frame is addressed; . . . now your real code herepop bp ; dynamic link of callerret 0 ; clear 0 bytes off stack

my_name endp

And now my_name is callable, but no local space is allocated, no parameters are passed, no function return value is computed, no space needs to be freed at return

20

Masm PROC

At the needed place in your code, an assembler instruction call my_name now transfers control to the procedure by that name

And a ret instruction somewhere in procedure my_name returns to the place after the call

Best to package the sequence of procedural entry instructions into a macro, specifically the push and mov instructions

And to package the procedure exit instructions pop and ret into a macro, perhaps parameterized with the number of bytes to be cleared off the stack after the return

21

Recursive Factorial in x86

// Factorial first in C, x86 next

unsigned fact( unsigned arg ){ // fact

if ( arg <= 1 ) {return 1;

}else{return fact( arg - 1 ) * arg;

} //end if} //end fact

22

Recursive Factorial in x86, set uppentermacro ; save all regs being used

push bpmov bp, sppush bxpush cxpush dxendm ; end of penter

pexit macro args ; restore all saved regspop dxpop cxpop bxpop bpret argsendm ; end of pexit

Errcode = 4chMAX = 9d  ; compute up to fact( 9 )

.model small

.stack 100h

.dataarg dw 0

.codeextrn uPutDec : near

23

Recursive Factorial in x86, actual fact; assume argument for recursive fact( arg ) on stack; return fact( int arg ) in ax: 16 bit x86 moderfact proc

pentermov ax, [bp+4]; arg is 4 bytes b4 dyn linkcmp ax, 1 ; argument > 1?jg recurse ; if so: recursive call

base: mov ax, 1 ; No: then result known: 0!=1!=1pexit 2 ; and done, free 2 bytes = arg

recurse:mov ax, [bp+4]; need to recurse; get next argdec ax ; but decrement firstpush ax ; and pass on stackcall rfact ; recursemov cx,[bp+4] ; partial product in ax, * argmul cx ; product in axpexit 2 ; and done

rfact endp

24

Recursive Factorial in x86, maindrive_r proc

mov arg, 0mov ax, 0 ; initial value againmov bp, sp

again_r:cmp arg,MAXjge done_r; ax holds arg to be

factorialized :-)push ax ; argument on stackcall rfact

 ; now ax holds factorial valuecall uPutDecinc argmov ax, argjmp again_r

done_r: retdrive_r endp

25

PutDec Macros; Source File: putdec.asm; Author: Herb Mayer; Date: 1/4/2001; Purpose: print signed 16-bit number; PutDec is publicPut_Ch MACRO ch ; 'ch' char is printed push ax ; save, cos ax is overwritten push dx ; ditto for dx mov dl, ch ; move into formal parameter mov ah, 02h ; tell DOS who int 021h ; call DOS pop dx ; restore pop ax ; ditto ENDM Put_Str MACRO str_addr ; print string at 'str_addr' push ax ; save push dx ; save mov dx, offset str_addr mov ah, 09h ; DOS routine's id int 021h ; call DOS pop dx ; restore pop ax ; ditto ENDM

26

PutDec Setupbase_10 = 10 .MODEL small .stack 50 .DATA

min_num db '-32768$'  .CODE public PutDec  ; proc PutDec is called with argument in ax ; argument is the signed integer 16-bit number ; whose value is printed as decimal int #

 

27

PutDec FunctionPutDec PROC ; special case, -32768 cannot be negated cmp ax, -32768 ; is it special case? jne do_work ; nope! So do your job Put_Str min_num ; yep: so print it and be done jmp done ; and return to caller do_work: push ax push bx push cx push dx ; number in ax is NOT -32768; make positive cmp ax, 0 ; negative number? jge positive ; if not, invert sign and print - neg ax ; here the inversion Put_Ch '-' ; here the - printed

28

PutDec Functionpositive: sub cx, cx ; cx counts iterations = # digits mov bx, base_10 ; base to be divided by ; now we know number in ax is non-negativepush_m: sub dx, dx ; make a double word div bx ; unsigned divide o.k. add dl, '0' ; make number a char push dx ; save it, cos order reversed inc cx ; count steps cmp ax, 0 ; finally done? jne push_m ; if not, do next step ; now all chars are stored on stack in l-2-r orderpop_m: pop dx ; pop next into dx; dl really Put_Ch dl ; print it as char loop pop_m ; more work? If so, do againdone: pop dx pop cx pop bx pop ax ret ; return to callerPutDec ENDP END PutDec

29

References1. Free masm download:

http://cvrce.blog.com/2009/08/28/masm-v611-free-download/

2. http://www.emsps.com/oldtools/msasmv.htm3. ML 64-bit:

http://msdn.microsoft.com/en-us/library/s0ksfwcf(v=vs.80).aspx