Guide to x86 Assembly (2023)

This is a version adapted by Quentin Carbonneaux from David Evans'original document. The syntax was changed from Intel to AT&T,the standard syntax on UNIX systems, and the HTML code was purified.

This guide describes the basics of 32-bit x86 assembly languageprogramming, covering a small but useful subset of the availableinstructions and assembler directives. There are several differentassembly languages for generating x86 machine code. The one we will usein CS421 is the GNU Assembler (gas) assembler. We will usesthe standard AT&T syntax for writing x86 assembly code.

The full x86 instruction set is large and complex (Intel's x86instruction set manuals comprise over 2900 pages), and we do not coverit all in this guide. For example, there is a 16-bit subset of the x86instruction set. Using the 16-bit programming model can be quitecomplex. It has a segmented memory model, more restrictions on registerusage, and so on. In this guide, we will limit our attention to moremodern aspects of x86 programming, and delve into the instruction setonly in enough detail to get a basic feel for x86 programming.

Registers

Modern (i.e 386 and beyond) x86 processors have eight 32-bit generalpurpose registers, as depicted in Figure 1. The register names aremostly historical. For example, EAX used to be called theaccumulator since it was used by a number of arithmetic operations, andECX was known as the counter since it was used to hold a loopindex. Whereas most of the registers have lost their special purposes inthe modern instruction set, by convention, two are reserved for specialpurposes — the stack pointer (ESP) and the base pointer(EBP).

For the EAX, EBX, ECX, andEDX registers, subsections may be used. For example, the leastsignificant 2 bytes of EAX can be treated as a 16-bit registercalled AX. The least significant byte of AX can beused as a single 8-bit register called AL, while the mostsignificant byte of AX can be used as a single 8-bit registercalled AH. These names refer to the same physicalregister. When a two-byte quantity is placed into DX, theupdate affects the value of DH, DL, andEDX. These sub-registers are mainly hold-overs from older,16-bit versions of the instruction set. However, they are sometimesconvenient when dealing with data that are smaller than 32-bits(e.g. 1-byte ASCII characters).

Figure 1. x86 Registers

Memory and Addressing Modes

Declaring Static Data Regions

You can declare static data regions (analogous to global variables) inx86 assembly using special assembler directives for this purpose. Datadeclarations should be preceded by the .datadirective. Following this directive, the directives .byte, .short, and .long can be used to declare one, two, and four bytedata locations, respectively. To refer to the address of the data created,we can label them. Labels are very useful and versatile in assembly, theygive names to memory locations that will be figured out later by the assembleror the linker. This is similar to declaring variables by name, but abides bysome lower level rules. For example, locations declared in sequence will belocated in memory next to one another.

Example declarations:

.data
var:
	.byte64	/* Declare a byte, referred to as location var, containing the value 64. */
	.byte10	/* Declare a byte with no label, containing the value 10. Its location is var + 1. */
x:
	.short42	/* Declare a 2-byte value initialized to 42, referred to as location x. */
y:
	.long30000	/* Declare a 4-byte value, referred to as location y, initialized to 30000. */

Unlike in high level languages where arrays can have many dimensions andare accessed by indices, arrays in x86 assembly language are simply anumber of cells located contiguously in memory. An array can be declaredby just listing the values, as in the first example below.For the special case of an array of bytes, string literals can be used.In case a large area of memory is filled with zeroes the .zero directive can be used.

Some examples:

s:
	.long 1, 2, 3	/* Declare three 4-byte values, initialized to 1, 2, and 3. The value at location s + 8 will be 3. */
barr:
	.zero 10	/* Declare 10 bytes starting at location barr, initialized to 0. */
str:
	.string "hello"	/* Declare 6 bytes starting at the address str initialized to the ASCII character values for hello followed by a nul (0) byte. */

Addressing Memory

Modern x86-compatible processors are capable of addressing up to2³² bytes of memory: memory addresses are 32-bits wide. Inthe examples above, where we used labels to refer to memory regions,these labels are actually replaced by the assembler with 32-bitquantities that specify addresses in memory. In addition to supportingreferring to memory regions by labels (i.e. constant values), the x86provides a flexible scheme for computing and referring to memoryaddresses: up to two of the 32-bit registers and a 32-bit signedconstant can be added together to compute a memory address. One of theregisters can be optionally pre-multiplied by 2, 4, or 8.

The addressing modes can be used with many x86 instructions(we'll describe them in the next section). Here we illustrate some examplesusing the mov instruction that moves databetween registers and memory. This instruction has two operands: thefirst is the source and the second specifies the destination.

Some examples of mov instructionsusing address computations are:

mov (%ebx), %eax	/* Load 4 bytes from the memory address in EBX into EAX. */
mov %ebx, var(,1)	/* Move the contents of EBX into the 4 bytes at memory address var. (Note, var is a 32-bit constant). */
mov -4(%esi), %eax	/* Move 4 bytes at memory address ESI + (-4) into EAX. */
mov %cl, (%esi,%eax,1)	/* Move the contents of CL into the byte at address ESI+EAX. */
mov (%esi,%ebx,4), %edx	/* Move the 4 bytes of data at address ESI+4*EBX into EDX. */

Some examples of invalid address calculations include:

mov (%ebx,%ecx,-1), %eax	/* Can only add register values. */
mov %ebx, (%eax,%esi,%edi,1)	/* At most 2 registers in address computation. */

Operation Suffixes

In general, the intended size of the of the data item at a given memoryaddress can be inferred from the assembly code instruction in which itis referenced. For example, in all of the above instructions, the sizeof the memory regions could be inferred from the size of the registeroperand. When we were loading a 32-bit register, the assembler couldinfer that the region of memory we were referring to was 4 byteswide. When we were storing the value of a one byte register to memory,the assembler could infer that we wanted the address to refer to asingle byte in memory.

However, in some cases the size of a referred-to memory region isambiguous. Consider the instruction mov $2, (%ebx).Should this instruction move the value 2 into thesingle byte at address EBX? Perhapsit should move the 32-bit integer representation of 2 into the 4-bytesstarting at address EBX. Since eitheris a valid possible interpretation, the assembler must be explicitlydirected as to which is correct. The size prefixes b, w,and l serve this purpose,indicating sizes of 1, 2, and 4 bytes respectively.

For example:

movb $2, (%ebx)	/* Move 2 into the single byte at the address stored in EBX. */
movw $2, (%ebx)	/* Move the 16-bit integer representation of 2 into the 2 bytes starting at the address in EBX. */
movl $2, (%ebx)	/* Move the 32-bit integer representation of 2 into the 4 bytes starting at the address in EBX. */

Instructions

Machine instructions generally fall into three categories: datamovement, arithmetic/logic, and control-flow. In this section, we willlook at important examples of x86 instructions from each category. Thissection should not be considered an exhaustive list of x86 instructions,but rather a useful subset. For a complete list, see Intel'sinstruction set reference.

We use the following notation:

<reg32>	Any32-bit register (%eax,%ebx,%ecx,%edx,%esi,%edi,%esp, or%ebp)
<reg16>	Any16-bit register (%ax,%bx,%cx, or%dx)
<reg8>	Any8-bit register (%ah,%bh,%ch,%dh,%al,%bl,%cl, or%dl)
<reg>	Any register
<mem>	A memory address (e.g., (%eax), 4+var(,1),or (%eax,%ebx,1))
<con32>	Any 32-bit immediate
<con16>	Any 16-bit immediate
<con8>	Any 8-bit immediate
<con>	Any 8-, 16-, or 32-bit immediate

In assembly language, all the labels and numeric constants used as immediate operands(i.e. not in an address calculation like 3(%eax,%ebx,8))are always prefixed by a dollar sign. When needed, hexadecimal notation canbe used with the 0x prefix(e.g. $0xABC). Without the prefix, numbers areinterpreted in the decimal basis.

Data Movement Instructions

mov — Move

The mov instruction copies the data item referred to byits first operand (i.e. register contents, memory contents, or a constantvalue) into the location referred to by its second operand (i.e. a register ormemory). While register-to-register moves are possible, direct memory-to-memorymoves are not. In cases where memory transfers are desired, the source memorycontents must first be loaded into a register, then can be stored to thedestination memory address.

Syntax
mov <reg>, <reg>
mov <reg>, <mem>
mov <mem>, <reg>
mov <con>, <reg>
mov <con>, <mem>

Examples
mov %ebx, %eax — copy the value in EBX into EAX
movb $5, var(,1) — store the value 5 into thebyte at location var

push — Push on stack

The push instruction places its operand ontothe top of the hardware supported stack in memory. Specifically, push first decrements ESP by 4, then places itsoperand into the contents of the 32-bit location at address (%esp). ESP(the stack pointer) is decremented by push since the x86 stack growsdown — i.e. the stack grows from high addresses to lower addresses.

Syntax
push <reg32>
push <mem>
push <con32>

Examples
push %eax — push eax on the stack
push var(,1) — push the 4 bytes ataddress var onto the stack

pop — Pop from stack

The pop instruction removes the 4-byte dataelement from the top of the hardware-supported stack into the specifiedoperand (i.e. register or memory location). It first moves the 4 byteslocated at memory location (%esp) into thespecified register or memory location, and then increments ESP by 4.

Syntax
pop <reg32>
pop <mem>

Examples
pop %edi — pop the top element of the stack into EDI.
pop (%ebx) — pop the top element of thestack into memory at the four bytes starting at location EBX.

lea — Load effective address

The lea instruction places the address specified by its first operandinto the register specified by its second operand.Note, the contents of the memory location are notloaded, only the effective address is computed and placed into the register.This is useful for obtaining a pointer into a memory region or to perform simplearithmetic operations.

Syntax
lea <mem>, <reg32>

Examples
lea (%ebx,%esi,8), %edi — the quantity EBX+8*ESI is placed in EDI.
lea val(,1), %eax — the value val is placed in EAX.

Arithmetic and Logic Instructions

add — Integer addition

The add instruction addstogether its two operands, storing the result in its secondoperand. Note, whereas both operands may be registers, at most oneoperand may be a memory location.

Syntax
add <reg>, <reg>
add <mem>, <reg>
add <reg>, <mem>
add <con>, <reg>
add <con>, <mem>

Examples
add $10, %eax — EAX is set to EAX + 10
addb $10, (%eax) — add 10 to thesingle byte stored at memory address stored in EAX

sub — Integer subtraction

The sub instruction stores in the value ofits second operand the result of subtracting the value of its firstoperand from the value of its second operand. As with add, whereas both operands may be registers, at mostone operand may be a memory location.

Syntax
sub <reg>, <reg>
sub <mem>, <reg>
sub <reg>, <mem>
sub <con>, <reg>
sub <con>, <mem>

Examples
sub %ah, %al — AL is set to AL - AH
sub $216, %eax — subtract 216 from thevalue stored in EAX

inc, dec — Increment, Decrement

The inc instruction incrementsthe contents of its operand by one. The decinstruction decrements the contents of its operand by one.

Syntax
inc <reg>
inc <mem>
dec <reg>
dec <mem>

Examples
dec %eax — subtract one from the contents of EAX
incl var(,1) — add one to the32-bit integer stored at location var

imul — Integer multiplication

The imul instruction has two basic formats:two-operand (first two syntax listings above) and three-operand (lasttwo syntax listings above).

The two-operand form multiplies its two operands together and stores the resultin the second operand. The result (i.e. second) operand must be aregister.

(Video) x86 Assembly: Hello World!

The three operand form multiplies its second and third operands togetherand stores the result in its last operand. Again, the result operandmust be a register. Furthermore, the first operand is restricted tobeing a constant value.

Syntax
imul <reg32>, <reg32>
imul <mem>, <reg32>
imul <con>, <reg32>, <reg32>
imul <con>, <mem>, <reg32>

Examples

imul (%ebx), %eax — multiply the contentsof EAX by the 32-bit contents of the memory at location EBX. Storethe result in EAX.

imul $25, %edi, %esi — ESI is set to EDI * 25

idiv — Integer division

The idiv instruction divides thecontents of the 64 bit integer EDX:EAX (constructed by viewing EDX asthe most significant four bytes and EAX as the least significant fourbytes) by the specified operand value. The quotient result of thedivision is stored into EAX, while the remainder is placed in EDX.

Syntax
idiv <reg32>
idiv <mem>

Examples

idiv %ebx — divide the contents ofEDX:EAX by the contents of EBX. Place the quotient in EAX and theremainder in EDX.

idivw (%ebx) — divide thecontents of EDX:EAS by the 32-bit value stored at the memory location inEBX. Place the quotient in EAX and the remainder in EDX.

and, or, xor — Bitwise logicaland, or, and exclusive or

These instructions perform the specified logical operation (logicalbitwise and, or, and exclusive or, respectively) on their operands, placing theresult in the first operand location.

Syntax
and <reg>, <reg>
and <mem>, <reg>
and <reg>, <mem>
and <con>, <reg>
and <con>, <mem>

or <reg>, <reg>
or <mem>, <reg>
or <reg>, <mem>
or <con>, <reg>
or <con>, <mem>

xor <reg>, <reg>
xor <mem>, <reg>
xor <reg>, <mem>
xor <con>, <reg>
xor <con>, <mem>

Examples
and $0x0f, %eax — clear all but the last 4bits of EAX.
xor %edx, %edx — set the contents of EDXto zero.

not — Bitwise logical not

Logically negates the operand contents (that is, flips all bit values inthe operand).

Syntax
not <reg>
not <mem>

Example
not %eax — flip all the bits of EAX

neg — Negate

Performs the two's complement negation of the operand contents.

Syntax
neg <reg>
neg <mem>

Example
neg %eax — EAX is set to (- EAX)

shl, shr — Shift left and right

These instructions shift the bits in their first operand's contentsleft and right, padding the resulting empty bitpositions with zeros. The shifted operand can be shifted up to 31 places. Thenumber of bits to shift is specified by the second operand, which can beeither an 8-bit constant or the register CL. In either case, shifts counts ofgreater then 31 are performed modulo 32.

Syntax
shl <con8>, <reg>
shl <con8>, <mem>
shl %cl, <reg>
shl %cl, <mem>

shr <con8>, <reg>
shr <con8>, <mem>
shr %cl, <reg>
shr %cl, <mem>

Examples

shl $1, eax — Multiply the value of EAXby 2 (if the most significant bit is 0)

shr %cl, %ebx — Store in EBX the floor ofresult of dividing the value of EBX by 2ⁿ where n is thevalue in CL. Caution: for negative integers, it is different from the Csemantics of division!

Control Flow Instructions

The x86 processor maintains an instruction pointer (EIP) register that isa 32-bit value indicating the location in memory where the currentinstruction starts. Normally, it increments to point to the nextinstruction in memory begins after execution an instruction. The EIPregister cannot be manipulated directly, but is updated implicitly byprovided control flow instructions.

We use the notation <label> to refer tolabeled locations in the program text. Labels can be inserted anywherein x86 assembly code text by entering a labelname followed by a colon. For example,

 mov 8(%ebp), %esibegin: xor %ecx, %ecx mov (%esi), %eax

The second instruction in this code fragment is labeled begin. Elsewhere in the code, we can refer to thememory location that this instruction is located at in memory using themore convenient symbolic name begin. Thislabel is just a convenient way of expressing the location instead of its32-bit value.

jmp — Jump

Transfers program control flow to the instruction at the memorylocation indicated by the operand.

Syntax
jmp <label>

Example
jmp begin — Jump to the instructionlabeled begin.

jcondition — Conditional jump

These instructions are conditional jumps that are based on the status ofa set of condition codes that are stored in a special register calledthe machine status word. The contents of the machine statusword include information about the last arithmetic operationperformed. For example, one bit of this word indicates if the lastresult was zero. Another indicates if the last result wasnegative. Based on these condition codes, a number of conditional jumpscan be performed. For example, the jzinstruction performs a jump to the specified operand label if the resultof the last arithmetic operation was zero. Otherwise, control proceedsto the next instruction in sequence.

A number of the conditional branches are given names that areintuitively based on the last operation performed being a specialcompare instruction, cmp (see below). For example, conditional branchessuch as jle and jne are based on first performing a cmp operationon the desired operands.

Syntax
je <label> (jump when equal)
jne <label> (jump when not equal)
jz <label> (jump when last result was zero)
jg <label> (jump when greater than)
jge <label> (jump when greater than or equal to)
jl <label> (jump when less than)
jle <label> (jump when less than or equal to)

Example

cmp %ebx, %eaxjle done

If the contents of EAX are less than or equal to the contents of EBX,jump to the label done. Otherwise, continue to the nextinstruction.

cmp — Compare

Compare the values of the two specified operands, setting the conditioncodes in the machine status word appropriately. This instruction isequivalent to the sub instruction, except theresult of the subtraction is discarded instead of replacing the firstoperand.

Syntax
cmp <reg>, <reg>
cmp <mem>, <reg>
cmp <reg>, <mem>
cmp <con>, <reg>

Example
cmpb $10, (%ebx)
jeq loop

If the byte stored at the memory location in EBX is equal to theinteger constant 10, jump to the location labeled loop.

call, ret — Subroutine call and return

These instructions implement a subroutine call and return.The call instruction first pushes the currentcode location onto the hardware supported stack in memory (see the push instruction for details), and then performsan unconditional jump to the code location indicated by the labeloperand. Unlike the simple jump instructions, the call instruction saves the location to return towhen the subroutine completes.

The ret instruction implements a subroutinereturn mechanism. This instruction first pops a code location off thehardware supported in-memory stack (see the pop instruction for details). It then performs anunconditional jump to the retrieved code location.

(Video) x86 Assembly Crash Course

Syntax
call <label>
ret

Calling Convention

To allow separate programmers to share code and develop libraries foruse by many programs, and to simplify the use of subroutines in general,programmers typically adopt a common calling convention. Thecalling convention is a protocol about how to call and return fromroutines. For example, given a set of calling convention rules, aprogrammer need not examine the definition of a subroutine to determinehow parameters should be passed to that subroutine. Furthermore, given aset of calling convention rules, high-level language compilers can bemade to follow the rules, thus allowing hand-coded assembly languageroutines and high-level language routines to call one another.

In practice, many calling conventions are possible. We will describe thewidely used C language calling convention. Following this conventionwill allow you to write assembly language subroutines that are safelycallable from C (and C++) code, and will also enable you to call Clibrary functions from your assembly language code.

The C calling convention is based heavily on the use of thehardware-supported stack. It is based on the push, pop, call, and retinstructions. Subroutine parameters are passed on the stack. Registersare saved on the stack, and local variables used by subroutines areplaced in memory on the stack. The vast majority of high-levelprocedural languages implemented on most processors have used similarcalling conventions.

The calling convention is broken into two sets of rules. The first setof rules is employed by the caller of the subroutine, and the second setof rules is observed by the writer of the subroutine (the callee). Itshould be emphasized that mistakes in the observance of these rulesquickly result in fatal program errors since the stack will be left inan inconsistent state; thus meticulous care should be used whenimplementing the call convention in your own subroutines.

A good way to visualize the operation of the calling convention is todraw the contents of the nearby region of the stack during subroutineexecution. The image above depicts the contents of the stack during theexecution of a subroutine with three parameters and three localvariables. The cells depicted in the stackare 32-bit wide memory locations, thus the memory addresses of the cellsare 4 bytes apart. The firstparameter resides at an offset of 8 bytes from the base pointer. Abovethe parameters on the stack (and below the base pointer), the call instruction placed the return address, thusleading to an extra 4 bytes of offset from the base pointer to the firstparameter. When the ret instruction is usedto return from the subroutine, it will jump to the return address storedon the stack.

Caller Rules

To make a subrouting call, the caller should:

1. Before calling a subroutine, the caller shouldsave the contents of certain registers that are designatedcaller-saved. The caller-saved registers are EAX, ECX, EDX.Since the called subroutine is allowed to modify these registers, if thecaller relies on their values after the subroutine returns, the callermust push the values in these registers onto the stack (so they can berestore after the subroutine returns.
2. To pass parameters to the subroutine, push them onto the stackbefore the call. The parameters should be pushed in inverted order(i.e. last parameter first). Since the stack grows down, the firstparameter will be stored at the lowest address (this inversion ofparameters was historically used to allow functions to be passed avariable number of parameters).
3. To call the subroutine, use the callinstruction. This instruction places the return address on top of theparameters on the stack, and branches to the subroutine code. Thisinvokes the subroutine, which should follow the callee rules below.

After the subroutine returns (immediately following the call instruction), the caller can expect to findthe return value of the subroutine in the register EAX. To restore themachine state, the caller should:

1. Remove the parameters from stack. This restores the stack to itsstate before the call was performed.
2. Restore the contents of caller-saved registers (EAX, ECX, EDX) bypopping them off of the stack. The caller can assume that no otherregisters were modified by the subroutine.

Example

The code below shows a function call that follows the caller rules. Thecaller is calling a function myFunc that takes three integerparameters. First parameter is in EAX, the second parameter is theconstant 216; the third parameter is in the memory location stored in EBX.

push (%ebx) /* Push last parameter first */push $216 /* Push the second parameter */push %eax /* Push first parameter last */call myFunc /* Call the function (assume C naming) */add $12, %esp

Note that after the call returns, the caller cleans up the stack usingthe add instruction. We have 12 bytes (3parameters * 4 bytes each) on the stack, and the stack grows down. Thus,to get rid of the parameters, we can simply add 12 to the stack pointer.

The result produced by myFunc is now available for use in theregister EAX. The values of the caller-saved registers (ECX and EDX),may have been changed. If the caller uses them after the call, it wouldhave needed to save them on the stack before the call and restore themafter it.

Callee Rules

The definition of the subroutine should adhere to the following rules atthe beginning of the subroutine:

1. Push the value of EBP onto the stack, and then copy the value of ESPinto EBP using the following instructions:

    push %ebp mov %esp, %ebp

   This initial action maintains the base pointer, EBP. The basepointer is used by convention as a point of reference for findingparameters and local variables on the stack. When a subroutine isexecuting, the base pointer holds a copy of the stack pointer value fromwhen the subroutine started executing. Parameters and local variableswill always be located at known, constant offsets away from the basepointer value. We push the old base pointer value at the beginning ofthe subroutine so that we can later restore the appropriate base pointervalue for the caller when the subroutine returns. Remember, the calleris not expecting the subroutine to change the value of the basepointer. We then move the stack pointer into EBP to obtain our point ofreference for accessing parameters and local variables.
2. Next, allocate local variables by making space on thestack. Recall, the stack grows down, so to make space on the top of thestack, the stack pointer should be decremented. The amount by which the stackpointer is decremented depends on the number and size of local variablesneeded. For example, if 3 local integers (4 bytes each) were required,the stack pointer would need to be decremented by 12 to make space forthese local variables (i.e., sub$12,%esp).As with parameters, local variables will be located at known offsetsfrom the base pointer.
3. Next, save the values of the callee-saved registers thatwill be used by the function. To save registers, push them onto thestack. The callee-saved registers are EBX, EDI, and ESI (ESP and EBPwill also be preserved by the calling convention, but need not be pushedon the stack during this step).

After these three actions are performed, the body of thesubroutine may proceed. When the subroutine is returns, it must followthese steps:

1. Leave the return value in EAX.
2. Restore the old values of any callee-saved registers (EDI and ESI)that were modified. The register contents are restored by popping themfrom the stack. The registers should be popped in the inverseorder that they were pushed.
3. Deallocate local variables. The obvious way to do this might be toadd the appropriate value to the stack pointer (since the space wasallocated by subtracting the needed amount from the stack pointer). Inpractice, a less error-prone way to deallocate the variables is tomove the value in the base pointer into the stack pointer: mov%ebp,%esp. This works because thebase pointer always contains the value that the stack pointer contained immediatelyprior to the allocation of the local variables.
4. Immediately before returning, restore the caller's base pointervalue by popping EBP off the stack. Recall that the first thing we did onentry to the subroutine was to push the base pointer to save its oldvalue.
5. Finally, return to the caller by executing a ret instruction. This instruction will find andremove the appropriate return address from the stack.

Note that the callee's rules fall cleanly into two halves that arebasically mirror images of one another. The first half of the rulesapply to the beginning of the function, and are commonly saidto define the prologue to the function. The latter half of therules apply to the end of the function, and are thus commonly said todefine the epilogue of the function.

Example

Here is an example function definition that follows the callee rules:

 /* Start the code section */ .text /* Define myFunc as a global (exported) function. */ .globl myFunc .type myFunc, @functionmyFunc: /* Subroutine Prologue */ push %ebp /* Save the old base pointer value. */ mov %esp, %ebp /* Set the new base pointer value. */ sub $4, %esp /* Make room for one 4-byte local variable. */ push %edi /* Save the values of registers that the function */ push %esi /* will modify. This function uses EDI and ESI. */ /* (no need to save EBX, EBP, or ESP) */ /* Subroutine Body */ mov 8(%ebp), %eax /* Move value of parameter 1 into EAX. */ mov 12(%ebp), %esi /* Move value of parameter 2 into ESI. */ mov 16(%ebp), %edi /* Move value of parameter 3 into EDI. */ mov %edi, -4(%ebp) /* Move EDI into the local variable. */ add %esi, -4(%ebp) /* Add ESI into the local variable. */ add -4(%ebp), %eax /* Add the contents of the local variable */ /* into EAX (final result). */ /* Subroutine Epilogue */ pop %esi /* Recover register values. */ pop %edi mov %ebp, %esp /* Deallocate the local variable. */ pop %ebp /* Restore the caller's base pointer value. */ ret

The subroutine prologue performs the standard actions of saving asnapshot of the stack pointer in EBP (the base pointer), allocatinglocal variables by decrementing the stack pointer, and saving registervalues on the stack.

In the body of the subroutine we can see the use of the basepointer. Both parameters and local variables are located at constantoffsets from the base pointer for the duration of the subroutinesexecution. In particular, we notice that since parameters were placedonto the stack before the subroutine was called, they are always locatedbelow the base pointer (i.e. at higher addresses) on the stack. Thefirst parameter to the subroutine can always be found at memory location(EBP+8), the second at (EBP+12), the third at (EBP+16). Similarly,since local variables are allocated after the base pointer is set, theyalways reside above the base pointer (i.e. at lower addresses) on thestack. In particular, the first local variable is always located at(EBP-4), the second at (EBP-8), and so on. This conventional use of thebase pointer allows us to quickly identify the use of local variablesand parameters within a function body.

The function epilogue is basically a mirror image of the functionprologue. The caller's register values are recovered from the stack,the local variables are deallocated by resetting the stack pointer, thecaller's base pointer value is recovered, and the ret instruction isused to return to the appropriate code location in the caller.

Credits: This guide was originally created by Adam Ferrari many years ago,
and since updated by Alan Batson, Mike Lack, and Anita Jones.
It was revised for 216 Spring 2006 by David Evans.
It was finally modified by Quentin Carbonneaux to use the AT&T syntax for Yale's CS421.