cedecl calling convention -- compiled asm instructions cause crash

Treat this more as pseudocode than anything. If there's some macro or other element that you feel should be included, let me know.

I'm rather new to assembly. I programmed on a pic processor back in college, but nothing since.

The problem here (segmentation fault) is the first instruction after "Compile function entrance, setup stack frame." or "push %ebp". Here's what I found out about those two instructions:

http://unixwiz.net/techtips/win32-callconv-asm.html

Save and update the %ebp :

Now that we're in the new function, we need a new local stack frame pointed to by %ebp, so this is done by saving the current %ebp (which belongs to the previous function's frame) and making it point to the top of the stack.

    push ebp
    mov  ebp, esp    // ebp « esp

Once %ebp has been changed, it can now refer directly to the function's arguments as 8(%ebp), 12(%ebp). Note that 0(%ebp) is the old base pointer and 4(%ebp) is the old instruction pointer.

Here's the code. This is from a JIT compiler for a project I'm working on. I'm doing this more for the learning experience than anything.

IL_CORE_COMPILE(avs_x86_compiler_compile)
{
    X86GlobalData *gd = X86_GLOBALDATA(ctx);
    ILInstruction *insn;

    avs_debug(print("X86: Compiling started..."));
    /* Initialize X86 Assembler opcode context */
    x86_context_init(&gd->ctx, 4096, 1024*1024);

    /* Compile function entrance, setup stack frame*/
    x86_emit1(&gd->ctx, pushl, ebp);
    x86_emit2(&gd->ctx, movl, esp, ebp);

    /* Setup floating point rounding mode to integer truncation */
    x86_emit2(&gd->ctx, subl, imm(8), esp);
    x86_emit1(&gd->ctx, fstcw, disp(0, esp));
    x86_emit2(&gd->ctx, movl, disp(0, esp), eax);
    x86_emit2(&gd->ctx, orl, imm(0xc00), eax);
    x86_emit2(&gd->ctx, movl, eax, disp(4, esp));
    x86_emit1(&gd->ctx, fldcw, disp(4, esp));

    for (insn=avs_il_tree_base(tree); insn != NULL; insn = insn->next) {
        avs_debug(print("X86: Compiling instruction: %p", insn));
        compile_opcode(gd, obj, insn);
    }

    /* Restore floating point rounding mode */
    x86_emit1(&gd->ctx, fldcw, disp(开发者_运维百科0, esp));
    x86_emit2(&gd->ctx, addl, imm(8), esp);

    /* Cleanup stack frame */
    x86_emit0(&gd->ctx, emms);
    x86_emit0(&gd->ctx, leave);
    x86_emit0(&gd->ctx, ret);

    /* Link machine */
    obj->run = (AvsRunnableExecuteCall) gd->ctx.buf;
    return 0;
}

And when obj->run is called, it's called with obj as its only argument:

obj->run(obj);

If it helps, here are the instructions for the entire function call. It's basically an assignment operation: foo=3*0.2;. foo is pointing to a float in C.

0x8067990:  push   %ebp 
0x8067991:  mov    %esp,%ebp
0x8067993:  sub    $0x8,%esp
0x8067999:  fnstcw (%esp)
0x806799c:  mov    (%esp),%eax
0x806799f:  or     $0xc00,%eax
0x80679a4:  mov    %eax,0x4(%esp)
0x80679a8:  fldcw  0x4(%esp)
0x80679ac:  flds   0x806793c
0x80679b2:  fsts   0x805f014
0x80679b8:  fstps  0x8067954
0x80679be:  fldcw  (%esp)
0x80679c1:  add    $0x8,%esp
0x80679c7:  emms   
0x80679c9:  leave  
0x80679ca:  ret    

Edit: Like I said above, in the first instruction in this function, %ebp is void. This is also the instruction that causes the segmentation fault. Is that because it's void, or am I looking for something else?

Edit: Scratch that. I keep typing edp instead of ebp. Here are the values of ebp and esp.

(gdb) print $esp
$1 = (void *) 0xbffff14c
(gdb) print $ebp
$3 = (void *) 0xbffff168

Edit: Those values above are wrong. I should have used the 'x' command, like below:

(gdb) x/x $ebp
0xbffff168: 0xbffff188
(gdb) x/x $esp
0xbffff14c: 0x0804e481

Here's a reply from someone on a mailing list regarding this. Anyone care to illuminate what he means a bit? How do I check to see how the stack is set up?

An immediate problem I see is that the stack pointer is not properly aligned. This is 32-bit code, and the Intel manual says that the stack should be aligned at 32-bit addresses. That is, the least significant digit in esp should be 0, 4, 8, or c.

I also note that the values in ebp and esp are very far apart. Typically, they contain similar values -- addresses somewhere in the stack.

I would look at how the stack was set up in this program.

He replied with corrections to the above comments. He was unable to see any problems after further input.

Another edit: Someone replied that the code page may not be marked executable. How can I insure it is marked as such?

The problem had nothing to do with the code. Adding -z execstack to the linker fixed the problem.

If push %ebp is causing a segfault, then your stack pointer isn't pointing at valid stack. How does control reach that point? What platform are you on, and is there anything odd about the runtime environment? At the entry to the function, %esp should point to the return address in the caller on the stack. Does it?

Aside from that, the whole function is pretty weird. You go out of your way to set the rounding bits in the fp control word, and then don't perform any operations that are affected by rounding. All the function does is copy some data, but uses floating-point registers to do it when you could use the integer registers just as well. And then there's the spurious emms, which you need after using MMX instructions, not after doing x87 computations.

Edit See Scott's (the original questioner) answer for the actual reason for the crash.