How is return address specified in stack?

Question

This is what I see by disassemble for the statement function(1,2,3);:

movl   $0x3,0x8(%esp)
movl   $0x2,0x4(%esp)
movl   $0x1,(%esp)
call   0x40         


        

Answer 1

It depends on the ABI and the architecture, but if the return address does end up on the stack it's a side-effect of the call instruction that puts it there.

Answer 2

call pushes the current value of the RIP register (return address) to the stack + does the call
ret pops the return address(that call pushed) from the top of the stack (RSP register points there) and writes it in the RIP register.

Example on a GNU/Linux box: function f calls function g and lets look at the frame of g.

LOW ADDRESS

... <- RSP (stack pointer shows top of stack) register points at this address
g's local vars
f's base pointer (old RBP value) <- RBP (base pointer) register points at this address
f's ret address (old RIP value) (this is what the call (from f) pushed, and what the ret (from g) will pop)
args that f called g with and didn't fit in the registers (I think on Windows this is different)
...

HIGH ADDRESS

g will free the local vars (movq %rsp, %rbp)
g will pop the "old RBP" and store it in RBP register (pop %rbp)
g will ret, which will modify RIP with the value that is stored where RSP points at

Hope it helps

Answer 3

Ideally, the call statement should take care of that. The program counter's next location will be pushed into the stack. When the function (sub routine) that was called completes it work and when it encounters a return statement, the control now goes to the address that was pushed into the stack and it will get popped.

Answer 4

On an x86 processor (as for your assembly language example), the call instruction pushes the return address on the stack and transfers control to the function.

So on entry to a function, the stack pointer is pointing at a return address, ready for ret to pop it into the program counter (EIP / RIP).

---

Not all processor architectures put the return address on the stack- often there's a set of one or more registers designed to hold return addresses. On ARM processors, the BL instruction places the return address in a specific register (LR, or the 'link register') and transfers control to the function.

The ia64 processor does something similar, except that there are several possible registers (b0-b7) that can receive the return address and one will be specified in the instruction (with b0 being the default).