Assembly language basics-framework pointer omitted (FPO)

Frame pointer omission (FPO)

FPO is an optimization that compresses or omits the process of creating framework pointers for the function on the stack. This option accelerates function calling because you do not need to create or remove the framework pointer (ESP, EBP. At the same time, it also freed up a register to store frequently used variables. This optimization is available only in the intelcpu architecture.

 

Any call convention that has been discussed currently stores the stack information in the previous function (Press stack EBP, then let EBP = ESP, and then move ESP to save local variables ). A fpo function may save the stack pointer (ESP, EBP) of the previous function, but does not set up EBP for the current function call. Instead, he uses EBP to store some other variables. The debugger calculates the stack pointer, but the debugger must receive a reminder using FPO. This reminder is based on the FPO type information.

 

This feature can be enabled in MS Visual C ++ Professional Edition and Enterprise Edition. The/Oy option of the compiler is used.

 

The FPO data structure can be found in winnt. h in Microsoft SDK, which contains information about the stack framework. This information is used on the debugger, or other information that needs to be searched for by the FPO function in the stackProgram. The KV command displays additional runtime information including FPO information.

 

0: 000> kV

Childebp retaddr

0012ff74 00401009 addemup! Addemup (FPO: [2, 0, 0])

0012ff80 00401115 addemup! Main + 0x9 (FPO: [0, 0])

0012ffc0 77e87903 addemup! Maincrtstartup + 0xb4

0012fff0 00000000 Kernel32! Baseprocessstart + 0x3d (FPO: [non-FPO]

 

In the above example, the FPO Data Structure enclosed in parentheses has the following meanings:

FPO Data Representation	(FPO: [ebp addr] [x, y, z])
X represents	Number of Dwords that have been pushed to the stack as a parameter
Y	Number of Dwords that have been pushed to the stack as a local variable
Z representative	StartCodeNumber of registers that have been pushed to the middle (prologue) Stack
EBP ADDRRepresentative	It is displayed only when EBP is saved in the opening code.

In the above example, because the debugger has the correct symbol, the debugger calculates the position of the bottom of the stack (frame pointer) instead of saving it in the EBP. For example, the first parameter is at the bottom of the stack + 0x8, and the return value is at the bottom of the stack + 0x4. after FPO is enabled, these values cannot be obtained through EBP + 0x8. Frame pointer equivalent to EBP needs to be calculated before it can be obtained.

 

It is still a bit difficult to understand FPO by relying on the above information.

FPOArticleI have made a very good introduction, and I have made it very clear. The link is listed below:

Http://blogs.msdn.com/larryosterman/archive/2007/03/12/fpo.aspx.

I have summarized some key points below to help you better understand some FPO concepts.

The following table lists the assembly code with the same function but different FPO options.

Assembly Code of functions with FPO Enabled	Assembly code for functions with FPO Enabled
myfunction: push EBP mov EBP, esp sub ESP, mov eax, [EBP + 8] :< BR >:< br> mov ESP, EBP pop EBP Retd	myfunction: sub sp, mov eax, [esp + 4 + ] :< br> Add SP, Retd
Note: The code for accessing the first parameter here is MoV eax, [EBP + 8]	Note: The code for accessing the first parameter here is MoV eax, [esp + 4 + <localvariablestorage>]

 

The following two tables list the same functions, but FPO option stack content allocation and parameter access methods.

FPO pointer not enabled	Stack content
Ebp-04 [Ebp-01] [EBP + 00] [EBP + 04] [EBP + 08]	First address of the first local variable The Return Value of the EBP value on the last byte of the first local variable, that is, the first address of the first parameter of the value of the EIP register before calling this function
	Note: Because the parameters are from right to left, EBP + 8 is the parameter of the last stack, so it is the first parameter. In the called function, ESP is first moved up to the size of all local variables, and then the local variables are assigned a value from the first to the last according to the EBP position, so ebp-1 is the last byte of the first local variable.

 

the FPO pointer is enabled	stack content
[esp] ... [esp + 08] [esp + 11] [esp + 12] [esp + 16] ... [esp + 20]	the first byte of the last local variable ... first address of the first local variable last byte of the first local variable return value first address of the first parameter ... local variable of the previous function
	Note: assume that the current FPO data is (FPO: [, 0]) that is, the parameter has one Dwords (4 bytes) local variable, and two Dwords (8 bytes) Pressure stack registers are 0 (0 bytes)

I have also referred to the other two articles, which is a bit difficult to understand. However, for my contribution to understanding this concept, I still want to list the links of the articles below.

Frame pointer omission (FPO) and consequences when debugging, part 1.

Frame pointer omission (FPO) and consequences when debugging, part 2.

 

Observe FPO Functions

If the current function and the symbol of the previous function are correctly loaded, the debugger can calculate the position of the bottom pointer of the stack.

Because EBP is retained and used as a general register, it is not used to establish a stack framework, so it is not necessary to push this register into the stack. This is why it no longer refers to the forward EBP.

If the FPO function has local variables, the bottom position of the stack calculated by the debugger points to the first local variable.

If the FPO function does not have any local variables, the bottom position of the stack calculated by the debugger points to the first reserved register.

If the FPO function does not have any local variables or reserved registers, the bottom position of the stack calculated by the debugger points to the unused stack space.

What is confusing is that when a FPO function uses fastcall to call the convention. The function does not have the bottom pointer of the stack, and the parameter is not pressed on the stack. However, these functions are usually relatively small. Disassemble the previous functions to see how registers are loaded.

Xueyou believes that the above words can be summarized as follows: the FPO function does not save EBP, so EBP cannot be used when accessing parameters and so on. Therefore, the FPO function calculates a pointer similar to the position pointed to by EBP based on the information in symbol. The difference is that EBP points to the position at the bottom of the previous stack saved in the stack. But now it is pointing to a location that is as close as possible to the original EBP and that is as close as possible to the bottom (large address end) in the stack.