1 CS 201 Computer Systems Programming Chapter 12 x86 Call & Return Herbert G. Mayer, PSU Status 6/28/2015

2 Syllabus Motivation Definitions Stack Frame Stack Operations x86 Stack Operations Masm PROC Recursive Factorial in x86 References

3 Motivation Often not feasible to express complete assembler program in a single file or as a single procedure Logical modules reduce complexity of human programming task Allows re-use and reincarnation of the same procedure through parameterization Higher Level concepts should hide detail of call/return mechanism. For example, the low-level manipulation of the stack through push and pop and some detail or call and return operations should be hidden However, some aspects of a context switch should be reflected even in High Level language, in particular the call and return itself

4 Definitions Base Pointer: An address pointer (often implemented via a dedicated register), that identifies an agreed-upon area in the Stack Frame of an executing procedure. On the x86 architecture, this is implemented via the bp register Binding: Procedures may have parameters. Formal parameters express attributes such as type, name, and similar attributes. At the place of call, often these formal parameters receive initial, actual values through so-called actual parameters. Sometimes, an actual parameter is solely the address of the true object referenced during the call. The association of actual to formal parameter is referred to as parameter binding Call: Transfer of control (a.k.a. context switch) to the argument of the call instruction. A call expects that after completion, the program resumes execution at the place after the call instruction

5 Definitions Dynamic Link: Element of Stack Marker, pointing to the Stack Frame of the calling procedure. This caller is temporarily dormant; i.e. it is the callée’s stack frame that is active. Since the caller also has a Dynamic Link, all currently live Stack Frames are linked together via this data structure Frame Pointer: Synonym for Base Pointer; x86 uses bp register Pop: Stack operation that frees data from the stack. At times, data are just popped because they are no longer needed, in which case only the stack space is freed. This can also be accomplished by changing the value of the stack pointer; on x86 the sp register. Often the memory location is not overwritten by a pop, i.e the data just stay. But the memory area is not considered to be part of the active stack anymore Push: Stack operation that reserves space on the stack. Generally, the space reserved on the stack through a push is initialized with the argument of the push operation. Other times, a push just reserves space on the stack for data to be initialized at a later time. On the x86 architecture a push decreases the top of stack pointer (sp value)

6 Definitions Return: Transfer of control after completion of a call. Usually, this is accomplished through a return instruction. The return instruction assumes the return address to the code segment sits in a fixed part of the stack frame Return Address: The code address to which execution will switch once the call completes that activated the current procedure Return Value: The value returned by a function call. If the return value is a composite data structure, then the location set aside for the function return value is generally a pointer to the actual data Stack: Run time data structure that grows and shrinks during program execution. It generally holds parameters, locals, temps, plus control information (return addresses, links). Operations that change the stack include push, pop, call, return, and the like

7 Definitions Stack Frame: Run time data structure associated with an active procedure. A Stack Frame is composed of the procedure parameters, the Stack Marker, local data, and space for temporary data, including saved registers Stack Marker: Run time data structure on the stack associated with a Stack Frame. The Stack Marker holds fixed information, whose structure is known a priori. This includes the return address, the static link, and the dynamic link. In some implementations, the Stack Marker also holds an entry for the function return value and the saved registers Stack Pointer: AKA top of stack pointer: A pointer (typically implemented via a register) that addresses the last element allocated (pushed) on top of the stack. On the x86 architecture this is implemented via the sp register. Other architectures have the Stack Pointer refer to the next free location (if any) on the stack

8 Definitions Static Link: An address in the Stack Marker that points to the Frame Pointer of the last invocation of the procedure, which lexicographically surrounds the one executing currently. This is necessary only for high level languages that allow statically nested scopes, such as Ada, Algol, and Pascal. This is not needed in more restricted languages such as C, Java, or C++ Top of Stack: Stack location last allocated (pushed) object. However, in some run-time systems the next free element is called the top of stack

9 Stack Frame The figure below shows a schematic layout of an abstract Stack Frame. Some implementations have the stack grow toward higher, others toward lower addresses. The scheme shown here does not care; it just shows the general layout. Key points: Stack Pointer identifies top of current stack, and also top of current Stack Frame Stack pointer may vary often during invocation Stack pointer changes upon call, return, push, pop, explicit assignments Base pointer does not vary during call Base pointer is set only once at start of call Base pointer changed again at return, to value of previous base pointer, hence the name dynamic link Parameters are typically addressed relative to base pointer in one direction Locals (and temps) can be addressed relative to base pointer in the other direction Possible to save base pointer, useful when registers are scarce, as on x86 However, this scheme is difficult, since compiler (or human programmer) must keep dynamic size of stack in mind at any moment of time of code generation

10 Stack Frame

11 Stack Operations 32b Before Call: Push actual parameters: Changes the stack Track size of actuals pushed In many high-level languages the actual-parameter size for a callée is fixed, as defined in the formal parameter specification Not so in C and C++ as it is allowed to pass a smaller number of actual parameters than formally specified!!! Base pointer bp (AKA frame pointer) still points to Stack Marker of caller before the call is executed When the last actual parameter has been pushed: one flexible part of the Stack Frame is complete

12 Stack Operations 32b Actual Call: Push the instruction pointer (eip); in x86 done by call instruction eip already holds the address of the instruction after the call; that is the return address This slot on the stack identifies the beginning of the Stack Marker The call instruction also sets eip to the code address of the destination (callée) Original x86 architecture has 24 flavors of call instructions

13 32bs Stack Operations 32b Procedure Entry: Every time something is pushed or popped, the Stack Pointer (esp) register changes Push the current value of the Base Pointer (ebp), this is the dynamic link C needs no static link, has no nested functions Set Base Pointer to the value of the Stack Pointer; e.g. mov ebp, esp Now the new Stack Frame is being addressed The fixed part of stack: Stack Marker is being built Allocate space for local variables, if any This establishes another area of the Stack Frame that is variable in size

14 Stack Operations 32b Return: Pop locals and temps off stack This frees the second flexible size area from the Stack Frame Pop all registers to be restored back into those regs Pop the top of stack value back into the ebp This uses the Dynamic Link to reactivate the caller’s Stack Frame Pop top of stack value into instruction pointer This sets the eip register back to the instruction after the call The return instruction does this Either caller (or an argument of the return instruction on x86) frees the space allocated for actual parameters The x86 architecture allows an argument to the ret instruction, freeing that amount of bytes off of the stack

15 0. x86 Stack Operations, small model ;Procedure Entry, No Locals, no saved Regs: ;; the call has taken place, and now: pushbp; save dyn link in Stack Marker movbp, sp; establish new Frame: point to Stack Marker ;Procedure Exit, No Locals, no Regs restored: ;; we are ready to “return” popbp; must find back old Stack Frame ret0; ip to instruction after call instruction

16 1. x86 Stack Operations, Save Regs ;Procedure Entry, No Locals, Save Regs ax and bx: pushbp; save dyn link in Stack Marker movbp, sp; establish new Frame: point to Stack Marker pushax; save ax if needed by callée, optional pushbx; ditto for bx ;Procedure Exit, No Locals, Restore Regs bx and ax: popbx; restore bx if was used by callée popax; ditto for ax popbp; must find back old Stack Frame retargs; ip to instruction after call; free args

17 2. x86 Stack Operations, Locals ;Procedure Entry With Locals, No Regs: pushbp; save dyn link in Stack Marker movbp, sp; establish new Frame: point to Stack Marker subsp, 24; allocate 24 bytes = 6 words for locals ;Procedure Exit With Locals, No Regs: movsp, bp; free all locals and temps popbp; must find back old Stack Frame, RA on top retargs; ip to instruction after call; free args

18 3. x86 Stack Operations ;Procedure Entry With Locals, Save Regs: pushbp; save dyn link in Stack Marker movbp, sp; establish new Frame: point to Stack Marker subsp, 24; allocate 24 bytes un-init space for locals pushax; save ax if needed by callée, optional pushbx; ditto for bx ;Procedure Exit With Locals, Restore Regs: popbx; restore bx if was used by callée popax; ditto for ax movsp, bp; free all locals and temps popbp; must find back old Stack Frame, RA on top retargs; ip to instruction after call; free args

19 Masm PROC A masm proc is a named short-hand for logical code module Introduced by the proc keyword; proc is preceded by the name of that procedure Ended by the endp keyword; good to repeat the name of that callable procedure Pattern for proc without arguments, without return value is: my_nameproc pushbp ; save dynamic link movbp, sp ; new frame is addressed ;... now your real code here popbp ; dynamic link of caller ret0 ; clear 0 bytes off stack my_nameendp And now my_name is callable, but no local space is allocated, no parameters are passed, no function return value is computed, no space needs to be freed at return

20 Masm PROC At the needed place in your code, an assembler instruction call my_name now transfers control to the procedure by that name And a ret instruction somewhere in procedure my_name returns to the place after the call Best to package the sequence of procedural entry instructions into a macro, specifically the push and mov instructions And to package the procedure exit instructions pop and ret into a macro, perhaps parameterized with the number of bytes to be cleared off the stack after the return

21 Recursive Factorial in x86 // Factorial first in C, x86 next unsigned fact( unsigned arg ) { // fact if ( arg <= 1 ) { return 1; }else{ return fact( arg - 1 ) * arg; } //end if } //end fact

22 Recursive Factorial in x86, set up pentermacro; save all regs being used pushbp movbp, sp pushbx pushcx pushdx endm; end of penter pexitmacro args; restore all saved regs popdx popcx popbx popbp retargs endm; end of pexit Errcode=4ch MAX=9d ; compute up to fact( 9 ).model small.stack100h.data argdw0.code extrnuPutDec : near

23 Recursive Factorial in x86, actual fact ; assume argument for recursive fact( arg ) on stack ; return fact( int arg ) in ax: 16 bit x86 mode rfactproc penter movax, [bp+4]; arg is 4 bytes b4 dyn link cmpax, 1; argument > 1? jgrecurse; if so: recursive call base:mov ax, 1; No: then result known: 0!=1!=1 pexit 2; and done, free 2 bytes = arg recurse: movax, [bp+4]; need to recurse; get next arg decax; but decrement first pushax; and pass on stack callrfact; recurse movcx,[bp+4]; partial product in ax, * arg mulcx; product in ax pexit 2; and done rfactendp

24 Recursive Factorial in x86, main drive_rproc movarg, 0 movax, 0; initial value again movbp, sp again_r: cmparg,MAX jgedone_r ;ax holds arg to be factorialized :-) pushax; argument on stack callrfact ; now ax holds factorial value calluPutDec incarg movax, arg jmp again_r done_r:ret drive_rendp

25 PutDec Macros ; Source File: putdec.asm ; Author: Herb Mayer ; Date: 1/4/2001 ; Purpose: print signed 16-bit number ; PutDec is public Put_Ch MACRO ch ; 'ch' char is printed push ax ; save, cos ax is overwritten push dx ; ditto for dx mov dl, ch ; move into formal parameter mov ah, 02h ; tell DOS who int 021h ; call DOS pop dx ; restore pop ax ; ditto ENDM Put_Str MACRO str_addr ; print string at 'str_addr' push ax ; save push dx ; save mov dx, offset str_addr mov ah, 09h ; DOS routine's id int 021h ; call DOS pop dx ; restore pop ax ; ditto ENDM

26 PutDec Setup base_10 = 10.MODEL small.stack 50.DATA min_num db '-32768$'.CODE public PutDec ; proc PutDec is called with argument in ax ; argument is the signed integer 16-bit number ; whose value is printed as decimal int #

27 PutDec Function PutDec PROC ; special case, cannot be negated cmp ax, ; is it special case? jne do_work ; nope! So do your job Put_Str min_num ; yep: so print it and be done jmp done ; and return to caller do_work: push ax push bx push cx push dx ; number in ax is NOT ; make positive cmp ax, 0 ; negative number? jge positive ; if not, invert sign and print - neg ax ; here the inversion Put_Ch '-' ; here the - printed

28 PutDec Function positive: sub cx, cx ; cx counts iterations = # digits mov bx, base_10 ; base to be divided by ; now we know number in ax is non-negative push_m: sub dx, dx ; make a double word div bx ; unsigned divide o.k. add dl, '0' ; make number a char push dx ; save it, cos order reversed inc cx ; count steps cmp ax, 0 ; finally done? jne push_m ; if not, do next step ; now all chars are stored on stack in l-2-r order pop_m: pop dx ; pop next into dx; dl really Put_Ch dl ; print it as char loop pop_m ; more work? If so, do again done: pop dx pop cx pop bx pop ax ret ; return to caller PutDec ENDP ENDPutDec

29 References 1. 1.Free masm download: download/ ML 64-bit: us/library/s0ksfwcf(v=vs.80).aspx