Raymond posted an article on AMD64 calling conventions.
In the comments, I wrote:
I assume that using a single subtraction to adjust the stack for the whole duration of the function - including function call parameters - simplifies the exception unwind procedure.
Context: SEH exceptions on AMD64 (for 64-bit programs) are table-based, NOT based on an exception handler chain at fs:[0] as on x86. Raymond, any idea why x86 is the only architecture which uses this frame-based exception handler chain?
Also I note that table-based exception handlers can't be exploited by overwriting the handler on the stack, because they're not on the stack.
Coming from a Windows CE background of table-based handlers, it seems odd that the unwind table contains descriptions of the function of each operation performed in the function prologue. I suppose this allows the unwind code in the OS to be a little more generic (applicable to many architectures). Windows CE just interprets the instruction stream for the prologue, executing it backwards (i.e. performing the reverse meaning of each instruction, in reverse order - if the prologue says push register A, then subtract 20 from register B, the unwind code adds 20 to B then pops A).
The desktop approach does allow the unwind code to be interpreted forwards, but adds to the size of the executable (and probably the working set when unwinding the call). However, the CE approach may cause parts of the executable to be paged in solely so that the stack can be unwound. Horses for courses, I suppose - it's more important to preserve memory on CE, while fast code is more important on the desktop.

No comments:
Post a Comment