Assembly Language: Function Calls

Goals of this Lecture
• Help you learn:
  • Function call problems:
    • Calling and returning
    • Passing parameters
    • Storing local variables
    • Handling registers without interference
    • Returning values
  • IA-32 solutions to those problems
  • Pertinent instructions and conventions

Recall from Last Lecture: Examples of Operands
• Immediate Operand
  • movl $5, …
    • CPU uses 5 as source operand
  • movl $i, …
    • CPU uses the address denoted by i as source operand
• Register Operand
  • movl %eax, …
    • CPU uses the contents of the EAX register as source operand

Recall from Last Lecture (cont.)
• Memory Operand: Direct Addressing
  • movl i, …
    • CPU fetches source operand from memory at address i
• Memory Operand: Indirect Addressing
  • movl (%eax), …
    • CPU considers the contents of EAX to be an address; fetches source operand from memory at that address
• Memory Operand: Base+Displacement Addressing
  • movl 8(%eax), …
    • CPU computes address as 8 + [contents of EAX]; fetches source operand from memory at that address

Recall from Last Lecture (cont.)
• Memory Operand: Indexed Addressing
  • movl 8(%eax, %ecx), …
    • CPU computes address as 8 + [contents of EAX] + [contents of ECX]; fetches source operand from memory at that address
• Memory Operand: Scaled Indexed Addressing
  • movl 8(%eax, %ecx, 4), …
    • CPU computes address as 8 + [contents of EAX] + ([contents of ECX] * 4); fetches source operand from memory at that address
• Same for the destination operand, except…
  • Destination operand cannot be immediate

Function Call Problems
1. Calling and returning
  • How does the caller function jump to the callee function?
  • How does the callee function jump back to the right place in the caller function?
2. Passing parameters
  • How does the caller function pass parameters to the callee function?
3. Storing local variables
  • Where does the callee function store its local variables?
4. Handling registers
  • How do caller and callee functions use the same registers without interference?
5. Returning a value
  • How does the callee function send the return value back to the caller function?

Problem 1: Calling and Returning
How does the caller function jump to the callee function?
• I.e., jump to the address of the callee's first instruction
How does the callee function jump back to the right place in the caller function?
• I.e., jump to the instruction immediately following the most-recently-executed call instruction

Attempted Solution: Use Jmp Instruction
• Attempted solution: caller and callee use the jmp instruction

    P:                   # Function P
        …
        jmp R            # Call R
    Rtn_point1:
        …
    R:                   # Function R
        …
        jmp Rtn_point1   # Return

Attempted Solution: Use Jmp Instruction
• Problem: the callee may be called by multiple callers

    P:                   # Function P
        …
        jmp R            # Call R
    Rtn_point1:
        …
    Q:                   # Function Q
        …
        jmp R            # Call R
    Rtn_point2:
        …
    R:                   # Function R
        …
        jmp ???          # Return

Attempted Solution: Use Register
• Attempted solution 2: store the return address in a register

    P:                   # Function P
        movl $Rtn_point1, %eax
        jmp R            # Call R
    Rtn_point1:
        …
    Q:                   # Function Q
        movl $Rtn_point2, %eax
        jmp R            # Call R
    Rtn_point2:
        …
    R:                   # Function R
        …
        jmp *%eax        # Return

• jmp *%eax is a special (indirect) form of the jmp instruction; we will not use it

Attempted Solution: Use Register
• Problem: cannot handle nested function calls
• Problem if P calls Q, and Q calls R: the return address for the P-to-Q call is lost

    P:                   # Function P
        movl $Rtn_point1, %eax
        jmp Q            # Call Q
    Rtn_point1:
        …
    Q:                   # Function Q
        movl $Rtn_point2, %eax
        jmp R            # Call R
    Rtn_point2:
        …
        jmp *%eax        # Return (but EAX now holds Rtn_point2, not Rtn_point1)
    R:                   # Function R
        …
        jmp *%eax        # Return

IA-32 Solution: Use the Stack
• May need to store many return addresses
  • The number of nested functions is not known in advance
  • A return address must be saved for as long as the function invocation continues, and discarded thereafter
• Addresses are used in reverse order
  • E.g., function P calls Q, which then calls R
  • Then R returns to Q, which then returns to P
• Last-in-first-out data structure (stack)
  • Caller pushes the return address on the stack
  • … and callee pops the return address off the stack
• IA-32 solution: use the stack via call and ret
  (Diagram: stack holding "EIP for P" below "EIP for Q")

IA-32 Call and Ret Instructions
• The ret instruction "knows" the return address

    P:                   # Function P
        …
        call R
        call Q
        …
    Q:                   # Function Q
        …
        call R
        …
        ret
    R:                   # Function R
        …
        ret

Implementation of Call
• ESP (stack pointer register) points to the top of the stack
• EIP (instruction pointer register) points to the next instruction to be executed
• The call instruction pushes the return address (old EIP) onto the stack

    Instruction     Effective Operations
    pushl src       subl $4, %esp
                    movl src, (%esp)
    popl dest       movl (%esp), dest
                    addl $4, %esp
    call addr       pushl %eip
                    jmp addr

• Note: you can't really access EIP directly, but this is implicitly what call is doing
  (Diagram: ESP before call, then ESP after call pointing at the pushed "Old EIP")

Implementation of Ret
• The ret instruction pops the stack, thus placing the return address (old EIP) into EIP

    Instruction     Effective Operations
    pushl src       subl $4, %esp
                    movl src, (%esp)
    popl dest       movl (%esp), dest
                    addl $4, %esp
    call addr       pushl %eip
                    jmp addr
    ret             popl %eip

• Note: you can't really access EIP directly, but this is implicitly what ret is doing
  (Diagram: ESP before ret pointing at "Old EIP", then ESP after ret)

Problem 2: Passing Parameters
• Problem: how does the caller function pass parameters to the callee function?

    int add3(int a, int b, int c)
    {
        int d;
        d = a + b + c;
        return d;
    }

    int f(void)
    {
        return add3(3, 4, 5);
    }

Attempted Solution: Use Registers
• Attempted solution: pass parameters in registers

    f:
        movl $3, %eax
        movl $4, %ebx
        movl $5, %ecx
        call add3
        …
    add3:
        …
        # Use EAX, EBX, ECX
        …
        ret

Attempted Solution: Use Registers
• Problem: cannot handle nested function calls
• Also: how to pass parameters that are longer than 4 bytes?

    f:
        movl $3, %eax
        movl $4, %ebx
        movl $5, %ecx
        call add3
        …
    add3:
        …
        movl $6, %eax
        call g
        # Use EAX, EBX, ECX
        # But EAX is corrupted!
        …
        ret

IA-32 Solution: Use the Stack
• Caller pushes parameters before executing the call instruction
  (Diagram: ESP before pushing params)

IA-32 Parameter Passing
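The two stack mechanisms above (call/ret saving return addresses for nested calls, and the caller pushing parameters before call) can be traced on a small model of the IA-32 stack. This is an added example, not code from the lecture: the Machine struct, the addresses such as 0x100 and the parameter order (last parameter pushed first, the standard IA-32 cdecl convention, so inside add3 the parameters sit at 4, 8 and 12(%esp) above the return address) are assumptions made here.

```c
#include <stdint.h>

/* Constructed model of the IA-32 stack: word slots addressed in bytes,
 * growing downward as in the lecture's ESP diagrams. */
#define STACK_BYTES 64
typedef struct {
    uint32_t mem[STACK_BYTES / 4];
    uint32_t esp;   /* stack pointer: byte address of the top of stack */
    uint32_t eip;   /* instruction pointer: address of the next instruction */
} Machine;

static void init(Machine *m) { m->esp = STACK_BYTES; m->eip = 0; }   /* empty stack */

/* pushl src  ==  subl $4, %esp ; movl src, (%esp) */
static void pushl(Machine *m, uint32_t src) { m->esp -= 4; m->mem[m->esp / 4] = src; }
/* popl dest  ==  movl (%esp), dest ; addl $4, %esp */
static uint32_t popl(Machine *m) { uint32_t v = m->mem[m->esp / 4]; m->esp += 4; return v; }
/* disp(%esp): base+displacement addressing relative to ESP */
static uint32_t at_esp(const Machine *m, uint32_t disp) { return m->mem[(m->esp + disp) / 4]; }

/* call addr  ==  pushl %eip ; jmp addr   (EIP already points past the call) */
static void call(Machine *m, uint32_t addr) { pushl(m, m->eip); m->eip = addr; }
/* ret  ==  popl %eip */
static void ret(Machine *m) { m->eip = popl(m); }

/* P calls Q, Q calls R: return addresses come back off the stack last-in-first-out,
 * which the single-register scheme could not do. Returns 1 when both returns land
 * at the right place and the stack is empty again. */
int nested_calls_ok(void) {
    Machine m; init(&m);
    enum { P_RTN = 0x10, Q_RTN = 0x20, Q = 0x100, R = 0x200 };   /* constructed addresses */
    m.eip = P_RTN; call(&m, Q);       /* in P: call Q; Rtn_point1 saved */
    m.eip = Q_RTN; call(&m, R);       /* in Q: call R; Rtn_point2 saved on top */
    ret(&m); int back_in_q = (m.eip == Q_RTN);
    ret(&m); int back_in_p = (m.eip == P_RTN);
    return back_in_q && back_in_p && m.esp == STACK_BYTES;
}

/* f calling add3(a, b, c) with the parameters on the stack (cdecl order assumed).
 * After the call, 0(%esp) holds the return address, so a, b, c are at 4, 8, 12(%esp). */
uint32_t add3_via_stack(uint32_t a, uint32_t b, uint32_t c) {
    Machine m; init(&m);
    pushl(&m, c); pushl(&m, b); pushl(&m, a);   /* caller pushes c, b, a */
    m.eip = 0x30; call(&m, 0x300);              /* call add3 (0x300 is a constructed address) */
    uint32_t d = at_esp(&m, 4) + at_esp(&m, 8) + at_esp(&m, 12);   /* d = a + b + c */
    ret(&m);                                    /* back in f at 0x30 */
    m.esp += 12;                                /* caller discards the three parameters */
    return (m.eip == 0x30 && m.esp == STACK_BYTES) ? d : 0xFFFFFFFFu;
}
```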