What is the address returned by the function from the stack?

Question

I have the following code

int isBST(struct node* node) 
{ 
  return(isBSTUtil(node, INT_MIN, INT_MAX)); 
} 

int isBSTUtil(struct node* node, int min, int max) 
{
  if (node==NULL) 
     return 1;      

  if (node->data <= min || node->data > max) 
     return 0; 

  return
    isBSTUtil(node->left, min, node->data) &&  // Allow only distinct values
    isBSTUtil(node->right, node->data, max);  // Allow only distinct values
}

When I do debug the code in GDB, I see that the second parameter is set by address ebp + 0xc (0xbffff188+0xc), the third parameter is set to ebp + 0x10 and the first parameter is not clear where, in theory, we know that the return address of the function is located EBP + 4 , the first parameter is located EBP +8 and ....from what I have so ?

Answer 1

In theory, we don't know anything about where the arguments or the return address is located. On a specific architecture, we can (usually) figure out what a specific compiler does by examining some of the generated assembler. The first thing to examine is the function preable. On an Intel 32 bit processor, the frame pointer will be in EBP, and it will be set up after a certain number of push to save registers. (In particular, there must be a push EBP before EBP is set up for the local frame.) A typical preable for an Intel might be:

function:
        PUSH EBP
        MOV  EBP, ESP
        SUB  ESP, n         ;   allocate space for local variables

Beyond that: the Intel stack grows down, and compilers for Intel almost universally push the arguments from right to left, so in your case, max will have the highest address, min will be right below it, and node below that. So your image of the frame will be:

[EBP - ...]     local variables
[EBP + 0]       the pushed old EBP
[EBP + 4]       the return address
[EBP + 8]       the first argument (node)
[EBP + 12]      the second argument (min)
[EBP + 16]      the third argument (max)

(This is supposing that the arguments are all 32 bit values.) Of course, a compiler might push additional registers before pushing EBP, causing the offsets to be correspondingly higher. This is just one possible layout.