Differences between call, push+ret and push+jump in assembly

Question

I have a trace instruction and want to extract function calls and returns.

I found that except call instruction, push+jmp and push+ret can be used for function call? At first I want to be sure is that correct? and if yes what are the differences between them?

Also if push+ret is kind of call so what would be the end or return of a function? Seeing only ret without push instruction before it?

Answer 1

In simplified terms:

call address

This will push the updated program counter (which points to the instruction after the call) onto the stack then jump to the address indicated (addressing modes may apply).

ret

This instruction internally pops and address off the stack and jumps to it. This is nicely matched with call so it can return to the instruction after the prior call.

jmp address

This simply jumps to the given address (addressing modes may apply). It doesn't do anything with the stack at all.

---

So, you can also do this:

push address
ret

Which will pop and jump to the address that was pushed onto the stack as described above. It's a clever way to do an indirect jump in a microprocessor that doesn't support indirect addressing modes in their jump instructions.

The sequence:

push address
jmp someplace

Will simply jump to someplace and not affect the stack or use the address that was pushed onto the stack. If address is the instruction after the jmp, this is roughly equivalent to call someplace.

For instruction sets that don't support an indirect addressing jump, I've seen this nice little work-around:

push address
ret

Which will jump to whatever address is.

Answer 2

Yes, you are correct.

When a call is issued, the return address pushed onto the stack is the next address where execution should continue (the address immediately following the current instruction). In essence it is an atomic push followed by a jmp.

This means that if you manually push and then jmp, the function that you jump into can later ret and, provided all stack access in the function is balanced, it will return to the address that you previously pushed.

Similarly, you can push and then ret to simulate a call return, but this does not set you up to be able to later return again. This type of behavior is more commonly done to throw off disassemblers, making it more difficult to determine which address the code is actually heading to with a simple disassembler.