{"id":105332,"date":"2021-06-22T07:00:00","date_gmt":"2021-06-22T14:00:00","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/oldnewthing\/?p=105332"},"modified":"2021-06-22T07:21:28","modified_gmt":"2021-06-22T14:21:28","slug":"the-arm-processor-thumb-2-part-17-prologues-and-epilogues","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20210622-00\/?p=105332","title":{"rendered":"The ARM processor (Thumb-2), part 17: Prologues and epilogues"},"content":{"rendered":"

The calling convention and ABI for ARM on Windows<\/a> dictates a lot of the structure of function prologues and epilogues.<\/p>\n

Here’s a typical function prologue:<\/p>\n

    push    {r4-r7,r11,lr}      ; save a bunch of registers\r\n    add     r11, sp, #0x10      ; link into frame pointer chain\r\n    sub     sp, sp, #0x20       ; allocate space for locals\r\n                                ; and outbound stack parameters\r\n<\/pre>\n
This is probably easier to explain with pictures.<\/p>\n
On entry, the stack looks like this:<\/p>\n\n\n\n\n\n\n\n
\u00a0<\/td>\n <\/td>\n<\/tr>\n
return address<\/td>\n <\/td>\n<\/tr>\n
previous r11<\/var><\/td>\n\u2190 r11<\/var> (frame chain)<\/td>\n<\/tr>\n
\u22ee<\/td>\n <\/td>\n<\/tr>\n
stack param<\/td>\n\u2190 sp<\/var><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
On entry to the function, lr<\/var> contains the return address. After pushing the r4<\/var> through r7<\/var>, r11<\/var>, and lr<\/var> registers, we have<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n
\u00a0<\/td>\n <\/td>\n<\/tr>\n
return address<\/td>\n <\/td>\n<\/tr>\n
previous r11<\/var><\/td>\n\u2190 r11<\/var> (frame chain)<\/td>\n<\/tr>\n
\u22ee<\/td>\n <\/td>\n<\/tr>\n
stack param<\/td>\n <\/td>\n<\/tr>\n
return address<\/td>\n <\/td>\n<\/tr>\n
previous r11<\/var><\/td>\n <\/td>\n<\/tr>\n
previous r7<\/var><\/td>\n <\/td>\n<\/tr>\n
previous r6<\/var><\/td>\n <\/td>\n<\/tr>\n
previous r5<\/var><\/td>\n <\/td>\n<\/tr>\n
previous r4<\/var><\/td>\n\u2190 sp<\/var><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
The incoming lr<\/var> is saved on the stack, so we know where to return to when we’re done. The incoming r11<\/var> is the head of the linked list of stack frames, and we push it onto the stack so we can create a new node on the linked list. And we also push four saved registers so that they are available for us to use in the function.<\/p>\n
It is not a coincidence that the convention is to use r11<\/var> as the frame pointer. This puts it on the stack right next to the lr<\/var> register, so that the return address is right next to the frame pointer.\u00b9<\/p>\n
The next instruction calculates r11<\/var> as sp<\/var> + 0x10<\/code>, which makes it point to where we saved r11<\/var> onto the stack. This links a new node onto the stack frame chain.<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
\u00a0<\/td>\n
<\/p>\n
 <\/td>\n <\/td>\n\u00a0<\/td>\n <\/td>\n<\/tr>\n
 <\/td>\n <\/td>\nreturn address<\/td>\n <\/td>\n<\/tr>\n
\u00a0<\/td>\n\u25b7<\/td>\nprevious r11<\/var><\/td>\n\u00a0<\/td>\n<\/tr>\n
\u00a0<\/td>\n<\/tr>\n
\u00a0<\/td>\n <\/td>\n\u22ee<\/td>\n <\/td>\n<\/tr>\n
\u00a0<\/td>\n <\/td>\nstack param<\/td>\n <\/td>\n<\/tr>\n
\u00a0<\/td>\n <\/td>\nreturn address<\/td>\n <\/td>\n<\/tr>\n
\u00a0<\/td>\n\u00a0<\/td>\nprevious r11<\/var><\/td>\n\u2190 r11<\/var> (frame chain)<\/td>\n<\/tr>\n
\u00a0<\/td>\n<\/tr>\n
 <\/td>\n <\/td>\nprevious r7<\/var><\/td>\n <\/td>\n<\/tr>\n
 <\/td>\n <\/td>\nprevious r6<\/var><\/td>\n <\/td>\n<\/tr>\n
 <\/td>\n <\/td>\nprevious r5<\/var><\/td>\n <\/td>\n<\/tr>\n
 <\/td>\n <\/td>\nprevious r4<\/var><\/td>\n\u2190 sp<\/var><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
And the last step in the prologue is allocating additional space for local variables and outbound parameters.<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
\u00a0<\/td>\n
<\/p>\n
 <\/td>\n <\/td>\n\u00a0<\/td>\n <\/td>\n<\/tr>\n
 <\/td>\n <\/td>\nreturn address<\/td>\n <\/td>\n<\/tr>\n
\u00a0<\/td>\n\u25b7<\/td>\nprevious r11<\/var><\/td>\n\u00a0<\/td>\n<\/tr>\n
\u00a0<\/td>\n<\/tr>\n
\u00a0<\/td>\n <\/td>\n\u22ee<\/td>\n <\/td>\n<\/tr>\n
\u00a0<\/td>\n <\/td>\nstack param<\/td>\n <\/td>\n<\/tr>\n
\u00a0<\/td>\n <\/td>\nreturn address<\/td>\n <\/td>\n<\/tr>\n
\u00a0<\/td>\n\u00a0<\/td>\nprevious r11<\/var><\/td>\n\u2190 r11<\/var> (frame chain)<\/td>\n<\/tr>\n
\u00a0<\/td>\n<\/tr>\n
 <\/td>\n <\/td>\nprevious r7<\/var><\/td>\n <\/td>\n<\/tr>\n
 <\/td>\n <\/td>\nprevious r6<\/var><\/td>\n <\/td>\n<\/tr>\n
 <\/td>\n <\/td>\nprevious r5<\/var><\/td>\n <\/td>\n<\/tr>\n
 <\/td>\n <\/td>\nprevious r4<\/var><\/td>\n <\/td>\n<\/tr>\n
 <\/td>\n <\/td>\nlocals<\/td>\n <\/td>\n<\/tr>\n
 <\/td>\n <\/td>\noutbound
\nparameters<\/td>\n		\u2190 sp<\/var><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
Windows does not require that the r11<\/var> register be the head of a linked list of stack frames,\u00b2 but all Windows system components are compiled with frame pointers enabled: It makes debugging a lot easier (since the k<\/code> command always produces a stack trace), and it permits automated stack tracing, such as those created by xperf<\/code>. In the stack frame chain, the return address is stored immediately adjacent to the r11<\/var> pointer.<\/p>\n
To return from the function, we run things in reverse:<\/p>\n
    add     sp, sp, #0x20       ; free locals and outbound stack parameters\r\n    pop     {r4-r7,r11,pc}      ; restore registers and return\r\n<\/pre>\n
The pop<\/code> instruction is magic.<\/p>\n
The obvious part of the pop<\/code> instruction is restoring registers r4<\/var> through r7<\/var>.<\/p>\n
The less obvious part is that we pop the original r11<\/var> back into r11<\/var>, which has the effect of deleting the frame from the linked list of stack frames.<\/p>\n
The totally magic part is that we pop the return address (which was originally passed in lr<\/var>) directly into the pc<\/var> register. Writing to the pc<\/var> register acts like a jump instruction, so this jumps to the return address after the work of this instruction is complete.\u00b3<\/p>\n
The last thing the pop<\/code> instruction does is update the stack pointer, which puts it back at the location it had when control originally entered the function. And then execution resumes at the return address.<\/p>\n
The standard prologue looks like this:<\/p>\n
    push    {...,r11,lr}        ; save registers, frame pointer, return address\r\n    add     r11, sp, #nn        ; re-establish frame chain\r\n                                ; can be \"mov r11, sp\" if only r11 and lr were pushed\r\n    vpush   {d8,...}            ; save floating point registers\r\n    sub     sp, sp, #nnn        ; create local frame\r\n<\/pre>\n
I call this the standard prologue because the function unwind metadata is optimized for prologues that take this form.<\/p>\n
Next time, we’ll look at some tweaks and optimizations to this general pattern.<\/p>\n
\u00b9 Now, there are two other registers in between r11<\/var> and lr<\/var>: We have the intraprocedure call scratch register r12<\/var>, and we have the stack pointer sp<\/var> (also known as r13<\/var>). Fortunately, we can avoid having to push either of these two registers. The intraprocedure call scratch register is a volatile register that is not expected to be preserved, and the stack pointer is preserved either by keeping track of its value through the function (subtracting a frame on entry and adding it back on exit), or recovering it from the frame pointer. You aren’t ever tempted to push the stack pointer because you cannot reliably pop it back anyway.<\/p>\n
\u00b2 The documentation is a bit unclear on this. In the discussion of the integer registers, it says<\/p>\n
Windows uses r11 for fast-walking of the stack frame. For more information, see the Stack Walking section. Because of this requirement, r11 must point to the topmost link in the chain at all times. Do not use r11 for general purposes\u2014your code will not generate correct stack walks during analysis.<\/p><\/blockquote>\n
The use of the words requirement<\/i>, must<\/i> and do not<\/i> imply that using r11<\/var> as the frame pointer is mandatory.<\/p>\n
But then when you get to the Stack Walking section, it says<\/p>\n
Generally, the r11 register points to the next link in the chain, which is an {r11, lr} pair that specifies the pointer to the previous frame on the stack and the return address. We recommend that your code also enable frame pointers for improved profiling and tracing.<\/p><\/blockquote>\n
This time, the use of the words generally<\/i> and recommend<\/i> imply that using r11<\/var> as the frame pointer is merely a suggestion, albeit a strong suggestion.<\/p>\n
I’m not sure who is right, but I’m going to assume that the use of r11<\/var> as a frame pointer is strongly recommended<\/i> rather than required<\/i>. I’m interpreting the first paragraph by adding the underlined clarifying words:<\/p>\n
Windows uses r11 for fast-walking of the stack frame. For more information, see the Stack Walking section. Because of this requirement in order for fast-walking to work<\/u>, r11 must point to the topmost link in the chain at all times if you want fast-walking to work<\/u>. If you know what’s good for you<\/u>, do not use r11 for general purposes\u2014if you ignore this advice, then<\/u> your code will not generate correct stack walks during analysis.<\/p><\/blockquote>\n
\u00b3 It is totally not a coincidence that lr<\/var> and pc<\/var> are adjacent registers. This allows you to push a set of registers including lr<\/var>, and then pop the same set of registers, but substituting pc<\/var> for lr<\/var>.<\/p>\n","protected":false},"excerpt":{"rendered":"
Implementing the receiving end of the calling convention.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[2],"class_list":["post-105332","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-history"],"acf":[],"blog_post_summary":"
Implementing the receiving end of the calling convention.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/105332","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=105332"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/105332\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=105332"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=105332"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=105332"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}