Where does RET return to? [duplicate]

c return x86 function-pointers call

Solution 1:

CALL subroutine address is equivalent to
PUSH next instruction address + JMP subroutine address.

At the same time, PUSH address is nearly equivalent to
SUB xSP, pointer size + MOV [xSP], address.

SUB xSP, pointer size can be replaced by PUSH.

RET is nearly equivalent to
JMP [xSP] followed by ADD xSP, pointer address at the location where JMP leads.

And ADD xSP, pointer address can be replaced by POP.

So, you can see what kind of basic freedom the compiler has. Oh, btw, it can optimize your code such that your function is entirely inlined and there's neither a call to it, nor a return from it.

While somewhat perverse, it's not impossible to devise much weirder control transfers using instructions and techniques highly specific to the platform (CPU and OS).

You can use IRET instead of CALL and RET for control transfer, provided you put the appropriate stuff on the stack for the instruction.

You can use Windows Structured Exception Handling in a way that an instruction that causes a CPU exception (e.g. division by 0, page fault, etc) diverts execution to your exception handler and from there control can be transferred either back to that same instruction or to the next or to the next exception handler or to any location. And most of x86 instructions can cause CPU exceptions.

I'm sure there are other unusual ways for control transfer to, from and within subroutines/functions.

It's not uncommon to see code something like this either:

...
CALL A
A: JMP B
db "some data", 0
B: CALL C ; effectively call C with a pointer to "some data" as a parameter.
...

C:
; extracts the location of "some data" from the stack and uses it.
...
RET

Here, the first call isn't to a subroutine, it's just a way to put on the stack the address of the data stuck in the middle of the code.

This is probably what a programmer would write, not a compiler. But I may be wrong.

What I'm trying to say with all this is that you shouldn't expect to have CALL and RET as the only ways to enter and leave subroutines and you shouldn't expect them to be used for that purpose only and balance each other.

Solution 2:

A "well behaved" C program could be translated by a compiler to a program that does not follow this pattern. For example for obfuscation reasons the code could use a push / ret combination instead of a jmp.

Related

Python pandas find the largest value after date of each row
Firebase transaction on where query
What's the number in square brackets, in the maillog for?
Batch script errorlevel issue with registry key
Linux Delete Files Older Than and the Same Time Smaller Than
When and how often does ZFS 'autotrim' take place?
Extra ip rule table breaking my connectivity with container
About Let's encrypt ACMEv1 deprecation. How to make certificate renewal work again in Ubuntu 14.04? [closed]
What is the best way to compress postgres database dump file?
kubectl error: cannot add key dashboard.yaml, another key by that name already exists
Office365 Guest Access to Shared Mailbox
Intune Autopilot replace WDS or Sccm