why is c program reserving space for local variables unused?

Question

I'm reading Programming from the Ground Up. pdf address: http://mirror.ossplanet.net/nongnu/pgubook/ProgrammingGroundUp-0-8.pdf

I'm curious about Page37's reserve space for local variables. He said, we need to 2 words of memory, so move stack pointer down 2 words. execute this instruction: subl $8, %esp so, here, I think I'm understand.

But, I write c code to verify this reserve space.

#include <stdio.h>

int test(int a1, int a2, int a3, int a4, int a5, int a6, int a7, int a8, int a9, int a10, int a11, int a12) {
    printf("a1=%#x, a2=%#x, a3=%#x, a4=%#x, a5=%#x, a6=%#x, a7=%#x, a8=%#x, a9=%#x, a10=%#x, a11=%#x, a12=%#x", a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12);

    return 0;
}

int main(void){
    test(0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x10, 0x11, 0x12);
    printf("Wick is me!");

    return 0;
}

then, I use gcc convert to Executable file, gcc -Og -g, and use gdb debugger.

I use disass to main function, and copied some of the asm code in below.

   0x000055555555519d <+0>: endbr64 
   0x00005555555551a1 <+4>: sub    $0x8,%rsp  # reserve space?
   0x00005555555551a5 <+8>: pushq  $0x12
   0x00005555555551a7 <+10>:    pushq  $0x11
   0x00005555555551a9 <+12>:    pushq  $0x10
   0x00005555555551ab <+14>:    pushq  $0x9
   0x00005555555551ad <+16>:    pushq  $0x8
   0x00005555555551af <+18>:    pushq  $0x7
   0x00000000000011b1 <+20>:    mov    $0x6,%r9d
   0x00000000000011b7 <+26>:    mov    $0x5,%r8d
   0x00000000000011bd <+32>:    mov    $0x4,%ecx
   0x00000000000011c2 <+37>:    mov    $0x3,%edx
   0x00000000000011c7 <+42>:    mov    $0x2,%esi
   0x00000000000011cc <+47>:    mov    $0x1,%edi
   0x00000000000011d1 <+52>:    callq  0x1149 <test>
   0x00000000000011d6 <+57>:    add    $0x30,%rsp
   0x00000000000011da <+61>:    lea    0xe89(%rip),%rsi        # 0x206a
   0x00000000000011e1 <+68>:    mov    $0x1,%edi
   0x00000000000011e6 <+73>:    mov    $0x0,%eax
   0x00000000000011eb <+78>:    callq  0x1050 <__printf_chk@plt>
   0x00000000000011f0 <+83>:    mov    $0x0,%eax
   0x00000000000011f5 <+88>:    add    $0x8,%rsp
   0x00005555555551f9 <+92>:    retq

I'm dubious that this is reserve space instruction. then, I execute assembly code line by line and check content in the stack.

Why is this instruction only sub 8 byte, and 0x7fffffffe390 seems main function's return address. Should this not be reserve space?

below is rsp address nearby content. i r $rsp, x/40xb rsp address

0x7fffffffe390: 0x00    0x52    0x55    0x55    0x55    0x55    0x00    0x00   => after sub
0x7fffffffe398: 0xb3    0x20    0xdf    0xf7    0xff    0x7f    0x00    0x00   => before sub

then, I execute all pushq instruction, and use x/64xb 0x7fffffffe360.

0x7fffffffe360: 0x07    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x7fffffffe368: 0x08    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x7fffffffe370: 0x09    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x7fffffffe378: 0x10    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x7fffffffe380: 0x11    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x7fffffffe388: 0x12    0x00    0x00    0x00    0x00    0x00    0x00    0x00

above is local variables
==========================

0x7fffffffe390: 0x00    0x52    0x55    0x55    0x55    0x55    0x00    0x00
0x7fffffffe398: 0xb3    0x20    0xdf    0xf7    0xff    0x7f    0x00    0x00

I think 0x7fffffffe390~0x7fffffffe398 is reserve space for local variables, but it no change! Is my test way wrong?

Execution environment:

• GDB version: 9.2
• GCC version: 9.4.0
• os: x86_64 GNU/Linux

Answer 1

The x86-64 SysV ABI requires that stacks be 16-aligned at the time of a call. Since a call instructions pushes an 8-byte return-address to the stack, the stack is always misaligned by 8 at the start of a function and if a nested call is to be made then the caller will need to have pushed an odd number of eight-bytes to the stack to make it 16-aligned again.

Since your function takes 12 integer arguments, 6 of which go to the stack as eight-bytes each, an extra 8-byte needs to be pushed to the stack before the stack arguments so the stack is 16-aligned before the call.

If your function took 11 arguments (or any other 6 (register arguments) +odd stack number of arguments), then no extra stack push should be needed.

Gcc and clang are still weirdly generating sub rsp, 16 (gcc) and push rax; sub rsp, 8; (clang) for that case (https://gcc.godbolt.org/z/jGj5WPq8c). I don't understand why.

Answer 2

Update:

I misread -Og as -O0. With optimization on, there are several additional complications (such as how exactly GCC choses to pass arguments, whether it reserves space for locals at all or keeps these locals in a register, etc. etc.).

To understand what's going on, you should first understand the picture without optimizations.

---

Where is reserve space?

There are several ways to "reserve space" on stack on x86_64:

• push ...
• sub ...,%rsp
• enter ...

There are also several ways to "unreserve" it: pop ..., add ...,%rsp, leave.

In your case, it's the pushq instruction which simultaneously puts a value into the stack slot and reserves space for that value.

You didn't show what happens just before retq, but I suspect that your "unreserve" looks something like add $68,%rsp.

P.S. You have a sequence of 0x01, 0x02 ..., 0x09, 0x10, .... Note that these are not consecutive numbers: the next number after 0x09 is 0x0a.

Answer 3

Recall that in x86_64, the call instruction does the following:

1. push the current value of RIP, which is the next instruction that will be executed when the function returns. (which moves RSP down in memory - recall that in x86_64 the stack grows down, thus RBP > RSP).

2. push the current value of RBP, which is used to help restore the caller's stack frame. (which moves RSP down again)

3. move the current bottom pointer, RBP, to the current stack pointer, RSP. (effectively this creates a zero sized stack starting at where RSP is currently at)

Thus in the memory dump that you show:

0x7fffffffe390: 0x00    0x52    0x55    0x55    0x55    0x55    0x00    0x00
0x7fffffffe398: 0xb3    0x20    0xdf    0xf7    0xff    0x7f    0x00    0x00

The value at 0x7fffffffe390 is the address of the next function to be executed afer the return from main. This instruction is located at 0x0000555555555200 (remember that intel processor are little endian, so you have to read the value backwards). This memory address is consistent with the other memory values you've shown for the code.

Additionally, the bottom of the stack frame for main (RBP) is located at 0x7ffff7df20b3, which looks consistent with the other stack addresses you've shown.

As soon as the call to `main' is executed, you enter the preable of the function, which is the first three lines of the disassembly you have:

0x000055555555519d <+0>: endbr64 
0x00005555555551a1 <+4>: sub    $0x8,%rsp  # reserve space?
0x00005555555551a5 <+8>: pushq  $0x12

The second line sub $0x8, %rsp subtracts 0x8 from the stack pointer, thus forming a new stack from RBP->RSP. This space is the space reserved for local variables (and any other space that might be needed as the function executes.

Next we have a series of pushq's and mov's - and these all are doing the same thing. You need to recall that

1. arguments to a function are evaluated right to left, thus the last argument to test is evaluated first

2. the fist six arguments are passed in registers in 64-bit code, thus a1 -> a6 are passed in the register that you see.

3. anything beyond six arguments are pushed on the stack, thus a7 -> a12 are pushed on the stack.

All of you arguments are literals, so there is no local variables and the values are used directly in the pushq's or mov's.

The next bit of assembly is

0x00000000000011d1 <+52>:    callq  0x1149 <test>
0x00000000000011d6 <+57>:    add    $0x30,%rsp
0x00000000000011da <+61>:    lea    0xe89(%rip),%rsi        # 0x206a
0x00000000000011e1 <+68>:    mov    $0x1,%edi
0x00000000000011e6 <+73>:    mov    $0x0,%eax

In this we see the actual call to test. The next instruction is to clean up the stack. Recall that we push 6 8-byte values on the stack, causing the stack to grow downwards by 48-bytes. Adding 0x30 (48 decimal) effectively removes thos 6 values from the stack by moving RSP upward.

The next two lines are setting up the parameters that are going to be passed to printf, the next line mov $0x0, %eax is clearing the EAX, which is where the return value from a function typically goes.

The last bit of assembly (memory address have change, I suspect that this is from a second run of the code):

0x00000000000011eb <+78>:    callq  0x1050 <__printf_chk@plt>
0x00000000000011f0 <+83>:    mov    $0x0,%eax
0x00000000000011f5 <+88>:    add    $0x8,%rsp
0x00005555555551f9 <+92>:    retq

performs that actual call to printf, then clears the return value (printf returns an int value with the number of characters printed), and finally the add $0x8, %rsp undoes the subtraction performed on line 2 of the disassembly, effectively destroying the stack frame for main. The last line retq is the return from main.

You are correct in that sub $0x8,%rsp is reserving 8 bytes for local variables (or intermediate values). However, main does not use any local variables, so nothing is going to change.

As a test, you could add a few local variables to main:

int a = 5, b = 10, c;
c = 3*a + 2*b;

printf("Wick is me %d\n", c);   // <--- note modification in this line

In this case you should see some modification to the value being subtracted from RSP in line 2. We would expect an additional 24 byte of stack space being needed, however it can be different for a few reasons

1. The results of the calculations 3*a' and 2*b' need to be stored somewhere -- either on the stack or in registers.
2. The value of a and b are literals and may be stored in registers.
3. The compiles might be able to deduce that 3a + 2b is a constant and perform the math at compile time, optimize away both a' and b' and just set `c' to 35.

Using -O0 or -Og as well as using -m32 (forcing code for a 32-bit processor) might remove some of these issues.