Question

UNIX Functions and Stack, I will give good ratings if answered properly

Function calls in UNIX Write assembly code to implement the following function calls, using C/UNIX calling conventions. Show the contents of the stack on entering the called function. int myfunl(int, int, int, char);//prototype myfunl(d, a, 5, 'm');//function call int myfunc2(int, char*);//prototype char[] bob ="Bob's your uncle!"; myfunc2(18, bob);//function call printf("CSU presidents get a car allowance of $%d per month\n", 1000);

Answer 1

This would be the contents of the stack if we have a function foo with the prototype: int foo (int arg1, int arg2, int arg3) ; and foo has two local int variables. (We are assuming here that sizeof(int) is 4 bytes). The stack would look like this if say the main function calledfoo and control of the program is still inside the function foo. In this situation, main is the "caller" and foo is the "callee". The ESP register is being used by foo to point to the top of the stack. The EBP register is acting as a "base pointer". The arguments passed by mainto foo and the local variables in foo can all be referenced as an offset from the base pointer. The convention used here is that the callee is allowed to mess up the values of the EAX, ECX and EDX registers before returning. So, if the caller wants to preserve the values of EAX, ECX and EDX, the caller must explicitly save them on the stack before making the subroutine call. On the other hand, the callee must restore the values of the EBX, ESI and EDI registers. If the callee makes changes to these registers, the callee must save the affected registers on the stack and restore the original values before returning. Parameters passed to foo are pushed on the stack. The last argument is pushed first so in the end the first argument is on top. Local variables declared in foo as well as temporary variables are all stored on the stack. Return values of 4 bytes or less are stored in the EAX register. If a return value with more than 4 bytes is needed, then the caller passes an "extra" first argument to the callee. This extra argument is address of the location where the return value should be stored. I.e., in C parlance the function call: x = foo(a, b, c) ; is transformed into the call: foo(&x, a, b, c) ; Note that this only happens for function calls that return more than 4 bytes. Let's go through a step-by-step process and see how a stack frame is set up and taken down during a function call.

ESP ==> . . . Callee saved registers EBX, ESI & EDI (as needed)    temporary storage local variable #2 [EBP - 8] local variable #1 [EBP - 4] EBP ==> Caller's EBP Return Address Argument #1 [EBP + 8] Argument #2 [EBP + 12] Argument #3 [EBP + 16] Caller saved registers EAX, ECX & EDX (as needed) . . . Fig. 1

---

The caller's actions before the function call

ESP ==>		Return Address
		Arg #1 = 12
		Arg #2 = 15
		Arg #3 = 18
		Caller saved registers EAX, ECX & EDX (as needed)
EBP ==>		. . .
		Fig. 2

In our example, the caller is the main function and is about to call a function foo. Before the function call, main is using the ESP and EBP registers for its own stack frame.

First, main pushes the contents of the registers EAX, ECX and EDX onto the stack. This is an optional step and is taken only if the contents of these 3 registers need to be preserved.

Next, main pushes the arguments for foo one at a time, last argument first onto the stack. For example, if the function call is:

     a = foo(12, 15, 18) ;

The assembly language instructions might be:

        push    dword 18 
        push    dword 15
        push    dword 12

Finally, main can issue the subroutine call instruction:

        call    foo

When the call instruction is executed, the contents of the EIP register is pushed onto the stack. Since the EIP register is pointing to the next instruction in main, the effect is that the return address is now at the top of the stack. After the call instruction, the next execution cycle begins at the label named foo.

Figure 2 shows the contents of the stack after the call instruction. The red line in Figure 2 and in subsequent figures indicates the top of the stack prior to the instructions that initiated the function call process. We will see that after the entire function call has finished, the top of the stack will be restored to this position.

---

The callee's actions after function call

When the function foo, the callee, gets control of the program, it must do 3 things: set up its own stack frame, allocate space for local storage and save the contents of the registers EBX, ESI and EDI as needed. So, first foo must set up its own stack frame. The EBP register is currently pointing at a location in main's stack frame. This value must be preserved. So, EBP is pushed onto the stack. Then the contents of ESP is transferred to EBP. This allows the arguments to be referenced as an offset from EBP and frees up the stack register ESP to do other things. Thus, just about all C functions begin with the two instructions: push ebp mov ebp, esp The resulting stack is shown in Figure 3. Notice that in this scheme the address of the first argument is 8 plus EBP, since main's EBP and the return address each takes 4 bytes on the stack.

ESP=EBP => main's EBP Return Address Arg #1 = 12 [EBP + 8] Arg #2 = 15 [EBP + 12] Arg #3 = 18 [EBP + 16] Caller saved registers EAX, ECX & EDX (as needed) Fig. 3

In the next step, foo must allocate space for its local variables. It must also allocate space for any temporary storage it might need. For example, some C statements in foo might have complicated expressions. The intermediate values of the subexpressions must be stored somewhere. These locations are usually called temporary, because they can be reused for the next complicated expression. Let's say for illustration purposes that foohas 2 local variables of type int (4 bytes each) and needs an additional 12 bytes of temporary storage. The 20 bytes needed can be allocated simply by subtracting 20 from the stack pointer: sub esp, 20 The local variables and temporary storage can now be referenced as an offset from the base pointer EBP. Finally, foo must preserve the contents of the EBX, ESI and EDI registers if it uses these. The resulting stack is shown in Figure 4. The body of the function foo can now be executed. This might involve pushing and popping things off the stack. So, the stack pointer ESP might go up and down, but the EBP register remains fixed. This is convenient because it means we can always refer to the first argument as [EBP + 8] regardless of how much pushing and popping is done in the function. Execution of the function foo might also involve other function calls and even recursive calls to foo. However, as long as the EBP register is restored upon return from these calls, references to the arguments, local variables and temporary storage can continue to be made as offsets from EBP.

ESP ==> Callee saved registers EBX, ESI & EDI (as needed)    temporary storage [EBP - 20] local variable #2 [EBP - 8] local variable #1 [EBP - 4] EBP==> main's EBP Return Address Arg #1 = 12 [EBP + 8] Arg #2 = 15 [EBP + 12] Arg #3 = 18 [EBP + 16] Caller saved registers EAX, ECX & EDX (as needed) Fig. 4

---

The callee's actions before returning

ESP ==>		Arg #1 = 12
		Arg #2 = 15
		Arg #3 = 18
		Caller saved registers EAX, ECX & EDX (as needed)
EBP ==>		. . .
		Fig. 5

Before returning control to the caller, the callee foo must first make arrangements for the return value to be stored in the EAX register. We already discussed above how function calls with return values longer than 4 bytes are transformed into a function call with an extra pointer parameter and no return value.

Secondly, foo must restore the values of the EBX, ESI and EDI registers. If these registers were modified, we pushed their original values onto the stack at the beginning of foo. The original values can be popped off the stack, if the ESP register is pointing to the correct location shown in Figure 4. So, it is important that we do not lose track of the stack pointer ESP during the execution of the body of foo --- i.e., the number of pushes and pops must be balanced.

After these two steps we no longer need the local variables and temporary storage for foo. We can take down the stack frame with these instructions:

        mov     esp, ebp
        pop     ebp

The result is a stack that is exactly the same as the one shown in Figure 2. The return instruction can now be executed. This pops the return address off the stack and stores it in the EIP register. The result is the stack shown in Figure 5.

The i386 instruction set has an instruction "leave" which does exactly the same thing as the mov and pop instructions above. Thus, it is very typical for C functions to end with the instructions:

        leave
        ret