What is between ESP and EBP?

Tag: frontend | Unresolved | 2 answers | 1622 views
半阙折子戏
半阙折子戏 2020-12-12 17:33

Right, I'm sure this is implicitly answered many times, but I seem not to be able to quite get to it.

If you have a (x86) stack trace (say, looking at it in WinDbg)

2 answers
  • 2020-12-12 17:44

    Usually, this space is reserved for local variables that end up stored on the stack. At the start of the function, ESP is decremented by the appropriate value.

    In your case, there are 104 bytes worth of locals in the function.

  • 2020-12-12 18:08

    ESP is the current stack pointer. EBP is the base pointer for the current stack frame.

    When you call a function, typically space is reserved on the stack for local variables. This space is usually referenced via EBP (all local variables and function parameters are a known constant offset from this register for the duration of the function call.) ESP, on the other hand, will change during the function call as other functions are called, or as temporary stack space is used for partial operation results.

    Note that most compilers these days have an option to reference all local variables through ESP. This frees up EBP for use as a general purpose register.

    In general, when you look at the disassembly code at the top of a function you'll see something like this:

    push EBP
    mov  EBP, ESP
    sub  ESP, <some_number>
    

    So EBP will point to the top of your stack for this frame, and ESP will point to the next available byte on the stack. (Stacks usually - but don't have to - grow down in memory.)

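To make the two answers concrete, here is an added example (not part of either answer, and not from any real tool) that reads the prologue bytes `push ebp / mov ebp, esp / sub esp, N` and works out what sits between ESP and EBP, then says which slot a given address lands in. The sample bytes `55 8B EC 83 EC 68` are constructed to match the answer above with `sub esp, 0x68`, i.e. the 104 bytes of locals mentioned in the first answer; the EBP value is hypothetical. It assumes the plain frame-pointer prologue shown in the answer: extra pushes of callee-saved registers, a stack-cookie load, or an `and esp, -16` alignment before the `sub` are not handled and will make it stop early or raise.

```python
"""Decode a standard x86 (32-bit) frame-pointer prologue and map the frame.

Added example, not from the original post.  Assumes the plain prologue
push ebp / mov ebp, esp / sub esp, N with no other instructions in between.
"""
from dataclasses import dataclass
from typing import List, Tuple
import struct


@dataclass
class Frame:
    locals_size: int    # bytes reserved for locals: EBP - ESP after the prologue
    prologue_len: int   # bytes of machine code the prologue occupied

    def layout(self) -> List[Tuple[str, int]]:
        """Frame slots as (name, offset from EBP), lowest address first."""
        return [
            ("locals start (ESP)", -self.locals_size),
            ("saved EBP", 0),
            ("return address", 4),
            ("first argument", 8),
        ]


def decode_prologue(code: bytes) -> Frame:
    """Parse `push ebp; mov ebp, esp; [sub esp, imm]` and return the frame shape."""
    i = 0
    if code[i:i + 1] != b"\x55":                          # push ebp
        raise ValueError("expected push ebp (0x55)")
    i += 1
    if code[i:i + 2] not in (b"\x8b\xec", b"\x89\xe5"):   # mov ebp, esp (two encodings)
        raise ValueError("expected mov ebp, esp")
    i += 2
    if code[i:i + 2] == b"\x83\xec":                      # sub esp, imm8 (sign-extended)
        size = struct.unpack("<b", code[i + 2:i + 3])[0]
        i += 3
    elif code[i:i + 2] == b"\x81\xec":                    # sub esp, imm32
        size = struct.unpack("<i", code[i + 2:i + 6])[0]
        i += 6
    else:
        size = 0                                          # no locals reserved
    if size < 0:
        raise ValueError("negative local size: not a normal prologue")
    return Frame(locals_size=size, prologue_len=i)


def classify(frame: Frame, ebp: int, addr: int) -> str:
    """Say which part of the frame an address falls in, given EBP for that frame."""
    off = addr - ebp
    if off < -frame.locals_size:
        return "below ESP (temporaries, callee frames)"
    if off < 0:
        return "locals"
    if off < 4:
        return "saved EBP"
    if off < 8:
        return "return address"
    return "arguments / caller frame"


if __name__ == "__main__":
    # Constructed sample: the prologue from the answer, with sub esp, 0x68 (104 bytes).
    frame = decode_prologue(bytes.fromhex("558bec83ec68"))
    ebp = 0x0012FF80  # hypothetical EBP value for this frame
    for name, off in frame.layout():
        print(f"{name:20s} EBP{off:+d}  = 0x{ebp + off:08x}")
    # A write that runs 108 bytes up from the start of the locals lands on the return address:
    print(classify(frame, ebp, ebp - frame.locals_size + 108))
```

The `classify` helper is the practical point: everything at negative offsets from EBP is the locals region the answers describe, and a write that overruns it by more than the local size reaches the saved EBP at `[EBP]` and then the return address at `[EBP+4]`, which is why the size of that region matters when reading a WinDbg frame.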