How does returning values from a function work?

Question

I recently had a serious bug, where I forgot to return a value in a function. The problem was that even though nothing was returned it worked fine under Linux/Windows and on

Answer 1

Probably by luck, 'a' left in a register that happens to be used for returning single pointer results, something like that.

The calling/ conventions and function result returns are architecture-dependent, so it's not surprising that your code works on Windows/Linux but not on a Mac.

Answer 2

The way of returning of value from the function depends on architecture and the type of value. It could be done thru registers or thru stack. Typically in the x86 architecture the value is returned in EAX register if it is an integral type: char, int or pointer. When you don't specify the return value, that value is undefined. This is only your luck that your code sometimes worked correctly.

Answer 3

When popping values from the stack in IBM PC architecture there is no physical destruction of the old values ​​of data stored there. They just become unavailable through the operation of the stack, but still remain in the same memory cell.

Of course, the previous values ​​of these data will be destroyed during the subsequent pushing of new data on the stack.

So probably you are just lucky enough, and nothing is added to stack during your function's call and return surrounding code.

Answer 4

There are two major ways for a compiler to return a value:

1. Put a value in a register before returning, and
2. Have the caller pass a block of stack memory for the return value, and write the value into that block [more info]

The #1 is usually used with anything that fits into a register; #2 is for everything else (large structs, arrays, et cetera).

In your case, the compiler uses #1 both for the return of new and for the return of your function. On Linux and Windows, the compiler did not perform any value-distorting operations on the register with the returned value between writing it into the pointer variable and returning from your function; on Mac, it did. Hence the difference in the results that you see: in the first case, the left-over value in the return register happened to co-inside with the value that you wanted to return anyway.

Answer 5

On Intel architecture, simple values (integers and pointers) are usually returned in eax register. This register (among others) is also used as temporary storage when moving values in memory and as operand during calculations. So whatever value left in that register is treated as the return value, and in your case it turned out to be exactly what you wanted to be returned.

Answer 6

First off, you need to slightly modify your example to get it to compile. The function must have at least an execution path that returns a value.

A* getA(){
    if(false)
        return NULL;
    A* p = new A(1,2,3);
//  return p;
}

Second, it's obviously undefined behavior, which means anything can happen, but I guess this answer won't satisfy you.

Third, in Windows it works in Debug mode, but if you compile under Release, it doesn't.

The following is compiled under Debug:

    A* p = new A(1,2,3);
00021535  push        0Ch  
00021537  call        operator new (211FEh) 
0002153C  add         esp,4 
0002153F  mov         dword ptr [ebp-0E0h],eax 
00021545  mov         dword ptr [ebp-4],0 
0002154C  cmp         dword ptr [ebp-0E0h],0 
00021553  je          getA+7Eh (2156Eh) 
00021555  push        3    
00021557  push        2    
00021559  push        1    
0002155B  mov         ecx,dword ptr [ebp-0E0h] 
00021561  call        A::A (21271h) 
00021566  mov         dword ptr [ebp-0F4h],eax 
0002156C  jmp         getA+88h (21578h) 
0002156E  mov         dword ptr [ebp-0F4h],0 
00021578  mov         eax,dword ptr [ebp-0F4h] 
0002157E  mov         dword ptr [ebp-0ECh],eax 
00021584  mov         dword ptr [ebp-4],0FFFFFFFFh 
0002158B  mov         ecx,dword ptr [ebp-0ECh] 
00021591  mov         dword ptr [ebp-14h],ecx 

The second instruction, the call to operator new, moves into eax the pointer to the newly created instance.

    A* a = getA();
0010484E  call        getA (1012ADh) 
00104853  mov         dword ptr [a],eax 

The calling context expects eax to contain the returned value, but it does not, it contains the last pointer allocated by new, which is incidentally, p.

So that's why it works.