I\'m trying to understand how the link register and the frame pointer work in ARM. I\'ve been to a couple of sites, and I wanted to confirm my understanding.
Suppose I had the following code:
int foo(void)
{
// ..
bar();
// (A)
// ..
}
int bar(void)
{
// (B)
int b1;
// ..
// (C)
baz();
// (D)
}
int baz(void)
{
// (E)
int a;
int b;
// (F)
}
and I call foo(). Would the link register contain the address for the code at point (A) and the frame pointer contain the address at the code at point (B)? And the stack pointer would could be any where inside bar(), after all the locals have been declared?
[edit] Added another function call baz()
Some register calling conventions are dependent on the ABI (Application Binary Interface). The FP
is required in the APCS standard and not in the newer AAPCS (2003). For the AAPCS (GCC 5.0+) the FP
does not have to be used but certainly can be; debug info is annotated with stack and frame pointer use for stack tracing and unwinding code with the AAPCS. If a function is static
, a compiler really doesn\'t have to adhere to any conventions.
Generally all ARM registers are general purpose. The lr
(link register, also R14) and pc
(program counter also R15) are special and enshrine in the instruction set. You are correct that the lr
would point to A. The pc
and lr
are related. One is \"where you are\" and the other is \"where you were\". They are the code aspect of a function.
Typically, we have the sp
(stack pointer, R13) and the fp
(frame pointer, R11). These two are also related. This
Microsoft layout does a good job describing things. The stack is used to store temporary data or locals in your function. Any variables in foo()
and bar()
, are stored here, on the stack or in available registers. The fp
keeps track of the variables from function to function. It is a frame or picture window on the stack for that function. The ABI defines a layout of this frame. Typically the lr
and other registers are saved here behind the scenes by the compiler as well as the previous value of fp
. This makes a linked list of stack frames and if you want you can trace it all the way back to main()
. The root is fp
, which points to one stack frame (like a struct
) with one variable in the struct
being the previous fp
. You can go along the list until the final fp
which is normally NULL
.
So the sp
is where the stack is and the fp
is where the stack was, a lot like the pc
and lr
. Each old lr
(link register) is stored in the old fp
(frame pointer). The sp
and fp
are a data aspect of functions.
Your point B is the active pc
and sp
. Point A is actually the fp
and lr
; unless you call yet another function and then the compiler might get ready to setup the fp
to point to the data in B.
Following is some ARM assembler that might demonstrate how this all works. This will be different depending on how the compiler optimizes, but it should give an idea,
; Prologue - setup
mov ip, sp ; get a copy of sp.
stmdb sp!, {fp, ip, lr, pc} ; Save the frame on the stack. See Addendum
sub fp, ip, #4 ; Set the new frame pointer.
...
; Maybe other functions called here.
; Older caller return lr
stored in stack frame.
bl baz
...
; Epilogue - return
ldm sp, {fp, sp, lr} ; restore stack, frame pointer and old link.
... ; maybe more stuff here.
bx lr ; return.
This is what
foo()
would look like. If you don\'t call
bar()
, then the compiler does a
leaf optimization and doesn\'t need to save the
frame; only the
bx lr
is needed. Most likely this maybe why you are confused by web examples. It is not always the same.
The take-away should be,
pc
and lr
are related code registers. One is \"Where you are\", the other is \"Where you were\".
sp
and fp
are related local data registers.
One is \"Where local data is\", the other is \"Where the last local data is\".
- The work together along with parameter passing to create function machinery.
- It is hard to describe a general case because we want compilers to be as fast as possible, so they use every trick they can.
These concepts are generic to all CPUs and compiled languages, although the details can vary. The use of the link register, frame pointer are part of the function prologue and epilogue, and if you understood everything, you know how a stack overflow works on an ARM.
See also: ARM calling convention.
MSDN ARM stack article
University of Cambridge APCS overview
ARM stack trace blog
Apple ABI link
The basic frame layout is,
- fp[-0] saved
pc
, where we stored this frame.
- fp[-1] saved
lr
, the return address for this function.
- fp[-2] previous
sp
, before this function eats stack.
- fp[-3] previous
fp
, the last stack frame.
- many optional registers...
An ABI may use other values, but the above are typical for most setups.
Addendum: This is not an error in the assembler; it is normal. An explanation is in the ARM generated prologs question.
Disclaimer: I think this is roughly right; please correct as needed.
As indicated elsewhere in this Q&A, be aware that the compiler may not be required to generate (ABI) code that uses frame pointers. Frames on the call stack can often require useless information to be put there.
If the compiler options call for \'no frames\' (a pseudo option flag), then the compiler can generate smaller code that keeps call stack data smaller. The calling function is compiled to only store the needed calling info on the stack, and the called function is compiled to only pop the needed calling information from the stack.
This saves execution time and stack space - but it makes tracing backwards in the calling code extremely hard (I gave up trying to...)
Info about the size and shape of the calling information on the stack is only known by the compiler and that info was thrown away after compile time.