Sep 23, 2019

Function prologue and the stack

Prologue is the process that build a stack frame for a function. The compiler is responsible about function prologue. It creates a set of instructions to allocate a space in stack and put some 999 data on it.You know that every function has it's own stack frame.

I'm going to write a small C program to demonstrate of function prologue.

int function1(a, b){
  int x;
  x = a + b;
  return x;

int main(){
  function1(4, 5);
  return 0;

Hear I used a function called function1 and call it from main function. The main function also just a function. So it has a stack frame. That holds some data like argc, argv etc.

function1() receives two arguments as a and b. It has a local variable called x. At the beginning x holds function1() a and b will be added and the result will be saved in local variable x. Finally function1() returns the value of x as it's return value. Just a simple program. Now we can draw a layout of our stack as following.


For now we don't go to examine what inside the main function's stack frame. Let's see how function prologue build the function1's stack frame.

The first thing happen in prologue is pushing arguments to function1() in the stack. In main function we gave 4 and 5 as arguments. So we are going to put them in top of the stack. In assembly level we use PUSH instruction to do this. In above image you can see the stack layout after we put arguments on the stack. Now esp is not same as previous. It has been reduced by eight bytes. Why 8 bytes? Because a single integer is long four bytes. 0x5 and 0x4 are the hexadecimal representations of five and four.


You may notice a special thing that, when we pushing these arguments the second argument (value 5) is pushed before first argument (value 4). I'll explain why we do like that in next tutorial.

Let's see what happen next. We are calling function1() in the middle of main function. So in main function there are some another things to do after completing function1(). The structure of CPU instructions is something like following. In above three section there is a list of CPU instructions and the EIP register is pointing to the instruction that should be executed next. So CPU looks at eip and decide what to execute. So when we switch to function1() from main , we set eip to the first instruction of function1(). What happen when CPU completes the execution of function1? . There are some other instructions in main after function1().


So how we set the eip to the next instruction in main()?. The solution to this problem is saving the address of that instruction in stack. Take a look at our C program. The instruction after function1(4, 5) is return 0. So we save the address of return 0 in stack. We call it as return address. So the return address hold the location to jump after completing function1(). Hear is the stack layout after we push eip.


Now we are going to see next steps.You know that we identify a function's stack frame with ebp and esp. EBP is the beginning point of the stack frame while esp indicates the top of stack frame. So main() function is using ebp to identify it's stack frame. But function1() also need ebp to mark it's stack frame. So what we do hear is save current value of ebp in stack. When we finish function1() and switch to main() function we get this saved ebp value from stack and save it again in ebp register So main() function can use it again with no errors. Following is the stack layout after pushing ebp.


You have to understand that both eip and ebp are 4 bytes in size. So when we comparing current esp with the one we had when beginning we have deducted 16 bytes from esp.

Previous instructions didn't actually make function1's stack frame. They did some pre-operations and prepared stack. Now let's see what to do next. As the next step we copy esp into ebp. Now both of esp and ebp are pointing to the top of stack.


In next steps esp will be changed as stack grows. But ebp will keep pointing to current location. What we expect by this instruction? we marked the beginning point of our new stack frame. Now we are going to make some space on stack for the local variable x. We can do this by reducing 4 bytes from the esp. So stack will grow by 4 bytes.

Hear is the stack layout with the newly created stack frame.

EBP and ESP marking function1's stack frame. So guys in this tutorial you understood how function prologue make a new stack frame for a function. In next tutorials I'll explain more fun stuff about stack and it's features. Thank for reading.

Jun 20
Termux command list

Hi guys, In this document, we are going to talk about a mobile Linux platform. Termux is a terminal....

Aug 20
Assembly basic tutorial - add two numbers

Welcome guys, today another basic tutorial on assembly coding. Hear I'll explain you how we can add....

Jun 16
Remote File Inclusion [RFI]

Remote File Inclusion or RFI is a vulnerability occurs in web applications. We use a Linux....

Replying to 's comment Cancel reply
Thilan Danushka Dissanayaka

Thilan Dissanayaka

Hi, I'm Thilan from Srilanka. An undergraduate Engineering student of University of Ruhuna. I love to explorer things about CS, Hacking, Reverse engineering etc.