Procedure Calls, Interrupts, and
CHAPTER 6 PROCEDURE CALLS, INTERRUPTS, AND
6.3 CALLING PROCEDURES USING CALL AND RET
Vol. 1 6-5 PROCEDURE CALLS, INTERRUPTS, AND EXCEPTIONS
6-6 Vol. 1
PROCEDURE CALLS, INTERRUPTS, AND EXCEPTIONS
When executing a far return, the processor does the following:
1. Pops the top-of-stack value (the return instruction pointer) into the EIP register.
2. Pops the top-of-stack value (the segment selector for the code segment being returned to) into the CS register.
3. If the RET instruction has an optional n argument, increments the stack pointer by the number of bytes specified with the n operand to release parameters from the stack.
4. Resumes execution of the calling procedure.
Figure 6-2. Stack on Near and Far Calls Param 1
Param 2
ESP Before Call Stack During
Near Call
Stack During Far Call
Calling CS Param 1 Param 2
Calling EIP
Param 3 Param 3
ESP After Return
Calling CS Param 1 Param 2
Calling EIP Param 3 Param 1
Param 2 Param 3
Note: On a near or far return, parameters are Calling EIP ESP After Call
Stack During Near Return
Calling EIP
released from the stack based on the optional n operand in the RET n instruction.
ESP Before Return
ESP Before Call ESP After Call
ESP Before Return ESP After Return Stack During
Far Return Stack
Frame Before Call Stack
Frame Before Call
Stack Frame After Call
Stack Frame After Call
Vol. 1 6-7 PROCEDURE CALLS, INTERRUPTS, AND EXCEPTIONS
6.3.3 Parameter Passing
Parameters can be passed between procedures in any of three ways: through general-purpose registers, in an argument list, or on the stack.
6.3.3.1 Passing Parameters Through the General-Purpose Registers
The processor does not save the state of the general-purpose registers on procedure calls. A calling procedure can thus pass up to six parameters to the called procedure by copying the parameters into any of these registers (except the ESP and EBP registers) prior to executing the CALL instruction. The called procedure can likewise pass parameters back to the calling proce-dure through general-purpose registers.
6.3.3.2 Passing Parameters on the Stack
To pass a large number of parameters to the called procedure, the parameters can be placed on the stack, in the stack frame for the calling procedure. Here, it is useful to use the stack-frame base pointer (in the EBP register) to make a frame boundary for easy access to the parameters.
The stack can also be used to pass parameters back from the called procedure to the calling procedure.
6.3.3.3 Passing Parameters in an Argument List
An alternate method of passing a larger number of parameters (or a data structure) to the called procedure is to place the parameters in an argument list in one of the data segments in memory.
A pointer to the argument list can then be passed to the called procedure through a general-purpose register or the stack. Parameters can also be passed back to the calling procedure in this same manner.
6.3.4 Saving Procedure State Information
The processor does not save the contents of the general-purpose registers, segment registers, or the EFLAGS register on a procedure call. A calling procedure should explicitly save the values in any of the general-purpose registers that it will need when it resumes execution after a return.
These values can be saved on the stack or in memory in one of the data segments.
The PUSHA and POPA instructions facilitate saving and restoring the contents of the general-purpose registers. PUSHA pushes the values in all the general-general-purpose registers on the stack in the following order: EAX, ECX, EDX, EBX, ESP (the value prior to executing the PUSHA instruction), EBP, ESI, and EDI. The POPA instruction pops all the register values saved with a PUSHA instruction (except the ESI value) from the stack to their respective registers.
If a called procedure changes the state of any of the segment registers explicitly, it should restore them to their former values before executing a return to the calling procedure.
6-8 Vol. 1
PROCEDURE CALLS, INTERRUPTS, AND EXCEPTIONS
If a calling procedure needs to maintain the state of the EFLAGS register, it can save and restore all or part of the register using the PUSHF/PUSHFD and POPF/POPFD instructions. The PUSHF instruction pushes the lower word of the EFLAGS register on the stack, while the PUSHFD instruction pushes the entire register. The POPF instruction pops a word from the stack into the lower word of the EFLAGS register, while the POPFD instruction pops a double word from the stack into the register.
6.3.5 Calls to Other Privilege Levels
The IA-32 architecture’s protection mechanism recognizes four privilege levels, numbered from 0 to 3, where a greater number mean less privilege. The reason to use privilege levels is to improve the reliability of operating systems. For example, Figure 6-3 shows how privilege levels can be interpreted as rings of protection.
In this example, the highest privilege level 0 (at the center of the diagram) is used for segments that contain the most critical code modules in the system, usually the kernel of an operating system. The outer rings (with progressively lower privileges) are used for segments that contain code modules for less critical software.
Code modules in lower privilege segments can only access modules operating at higher privi-lege segments by means of a tightly controlled and protected interface called a gate. Attempts
Figure 6-3. Protection Rings Level 0
Level 1
Level 2 Level 3 Protection Rings
Operating
Operating System Services (Device Drivers, Etc.)
Applications
0 1 2 3
Highest Lowest
Privilege Levels System
Kernel
Vol. 1 6-9 PROCEDURE CALLS, INTERRUPTS, AND EXCEPTIONS
to access higher privilege segments without going through a protection gate and without having sufficient access rights causes a general-protection exception (#GP) to be generated.
If an operating system or executive uses this multilevel protection mechanism, a call to a proce-dure that is in a more privileged protection level than the calling proceproce-dure is handled in a similar manner as a far call (see Section 6.3.2, “Far CALL and RET Operation”). The differ-ences are as follows:
•
The segment selector provided in the CALL instruction references a special data structure called a call gate descriptor. Among other things, the call gate descriptor provides the following:— access rights information
— the segment selector for the code segment of the called procedure
— an offset into the code segment (that is, the instruction pointer for the called procedure)
•
The processor switches to a new stack to execute the called procedure. Each privilege level has its own stack. The segment selector and stack pointer for the privilege level 3 stack are stored in the SS and ESP registers, respectively, and are automatically saved when a call to a more privileged level occurs. The segment selectors and stack pointers for the privilege level 2, 1, and 0 stacks are stored in a system segment called the task state segment (TSS).The use of a call gate and the TSS during a stack switch are transparent to the calling procedure, except when a general-protection exception is raised.
6.3.6 CALL and RET Operation Between Privilege Levels
When making a call to a more privileged protection level, the processor does the following (see Figure 6-4):
1. Performs an access rights check (privilege check).
2. Temporarily saves (internally) the current contents of the SS, ESP, CS, and EIP registers.
6-10 Vol. 1
PROCEDURE CALLS, INTERRUPTS, AND EXCEPTIONS
3. Loads the segment selector and stack pointer for the new stack (that is, the stack for the privilege level being called) from the TSS into the SS and ESP registers and switches to the new stack.
4. Pushes the temporarily saved SS and ESP values for the calling procedure’s stack onto the new stack.
5. Copies the parameters from the calling procedure’s stack to the new stack. A value in the call gate descriptor determines how many parameters to copy to the new stack.
6. Pushes the temporarily saved CS and EIP values for the calling procedure to the new stack.
7. Loads the segment selector for the new code segment and the new instruction pointer from the call gate into the CS and EIP registers, respectively.
8. Begins execution of the called procedure at the new privilege level.
Figure 6-4. Stack Switch on a Call to a Different Privilege Level Param 1
Param 2
ESP Before Call Stack for
Calling Procedure
ESP After Call
Stack for Called Procedure
Calling SS Calling ESP
Calling CS Param 1 Param 2
Calling EIP Stack Frame
Before Call Stack Frame
After Call
Param 3 Param 3
ESP After Return
ESP Before Return
Calling SS Calling ESP
Calling CS Param 1 Param 2
Calling EIP Param 3 Param 1
Param 2 Param 3
Note: On a return, parameters are
released on both stacks based on the optional n operand in the RET n instruction.
Vol. 1 6-11 PROCEDURE CALLS, INTERRUPTS, AND EXCEPTIONS
When executing a return from the privileged procedure, the processor performs these actions:
1. Performs a privilege check.
2. Restores the CS and EIP registers to their values prior to the call.
3. If the RET instruction has an optional n argument, increments the stack pointer by the number of bytes specified with the n operand to release parameters from the stack. If the call gate descriptor specifies that one or more parameters be copied from one stack to the other, a RET n instruction must be used to release the parameters from both stacks. Here, the n operand specifies the number of bytes occupied on each stack by the parameters. On a return, the processor increments ESP by n for each stack to step over (effectively remove) these parameters from the stacks.
4. Restores the SS and ESP registers to their values prior to the call, which causes a switch back to the stack of the calling procedure.
5. If the RET instruction has an optional n argument, increments the stack pointer by the number of bytes specified with the n operand to release parameters from the stack (see explanation in step 3).
6. Resumes execution of the calling procedure.
See Chapter 4, Protection, in the IA-32 Intel Architecture Software Developer’s Manual, Volume 3, for detailed information on calls to privileged levels and the call gate descriptor.
6.3.7 Branch Functions in 64-Bit Mode
The 64-bit extensions expand branching mechanisms to accommodate branches in 64-bit linear-address space. These are:
•
Near-branch semantics are redefined in 64-bit mode•
In 64-bit mode and compatibility mode, 64-bit call-gate descriptors for far calls are availableIn 64-bit mode, the operand size for all near branches (CALL, RET, JCC, JCXZ, JMP, and LOOP) is forced to 64 bits. These instructions update the 64-bit RIP without the need for a REX operand-size prefix.
The following aspects of near branches are controlled by the effective operand size:
•
Truncation of the size of the instruction pointer•
Size of a stack pop or push, due to a CALL or RET•
Size of a stack-pointer increment or decrement, due to a CALL or RET•
Indirect-branch operand sizeIn 64-bit mode, all of the above actions are forced to 64 bits regardless of operand size prefixes (operand size prefixes are silently ignored). However, the displacement field for relative branches is still limited to 32 bits and the address size for near branches is not forced in 64-bit mode.
6-12 Vol. 1
PROCEDURE CALLS, INTERRUPTS, AND EXCEPTIONS
Address sizes affect the size of RCX used for JCXZ and LOOP; they also impact the address calculation for memory indirect branches. Such addresses are 64 bits by default; but they can be overridden to 32 bits by an address size prefix.
Software typically uses far branches to change privilege levels. The legacy IA-32 architecture provides the call-gate mechanism to allow software to branch from one privilege level to another, although call gates can also be used for branches that do not change privilege levels.
When call gates are used, the selector portion of the direct or indirect pointer references a gate descriptor (the offset in the instruction is ignored). The offset to the destination’s code segment is taken from the call-gate descriptor.
64-bit mode redefines the type value of a 32-bit call-gate descriptor type to a 64-bit call gate descriptor and expands the size of the 64-bit descriptor to hold a 64-bit offset. The 64-bit mode call-gate descriptor allows far branches that reference any location in the supported linear-address space. These call gates also hold the target code selector (CS), allowing changes to priv-ilege level and default size as a result of the gate transition.
Because immediates are generally specified up to 32 bits, the only way to specify a full 64-bit absolute RIP in 64-bit mode is with an indirect branch. For this reason, direct far branches are eliminated from the instruction set in 64-bit mode.
64-bit mode also expands the semantics of the SYSENTER and SYSEXIT instructions so that the instructions operate within a 64-bit memory space. The mode also introduces two new instructions: SYSCALL and SYSRET (which are valid only in 64-bit mode). For details, see the sections on these instructions in IA-32 Intel Architecture Software Developer’s Manual, Volume 2B.