x64 Tail Call Elimination

今天编译一份x64发行版代码,发现调用某函数的代码反汇编代码并不是call,而是jmp指令。本人是读过x64 deep dive的,所以对这种情形并不陌生。这是编译器对代码的优化,但是什么情况下优化,本人有记不太清了。于是又看了下x64 deep dive,上面这样说的

X64 compiler can optimize the last call made from a function by replacing it with a jump to the callee. This avoids the overhead of setting up the stack frame for the callee. The caller and the callee share the same stack frame and the callee returns directly to the caller's caller. This is especially beneficial when the caller and the callee have the same parameters, since, if the relevant parameters are already in the required registers and those registers haven't changed, they don't have to be reloaded. Figure 2 shows tail call elimination in Function1 when calling Function4. Function1 jumps to Function4 and when Function4 finishes execution, it returns directly to the caller of Function1.

Figure 2 : Tail Call Elimination





VOID CalcRoutine (__in struct _KDPC *Dpc,__in_opt PVOID DeferredContext,__in_opt PVOID SystemArgument1,__in_opt PVOID SystemArgument2){int a = 10;int b = 30;int c = Calc(a,b);DbgPrint("Calc(%d , %d) = %d ,Calc(%d , %d) = %d \n", a, b, c, a, b, c);}


kd> uf GoonSys!CalcRoutineGoonSys!CalcRoutine [e:\driverproj\topdesk\topdesk\main.c @ 34]:   34 fffff880`02df706c ba0a000000      mov     edx,0Ah   39 fffff880`02df7071 488d0d98000000  lea     rcx,[GoonSys! ?? ::FNODOBFM::`string' (fffff880`02df7110)]   39 fffff880`02df7078 41b9e0fcffff    mov     r9d,0FFFFFCE0h   39 fffff880`02df707e 448d4214        lea     r8d,[rdx+14h]   40 fffff880`02df7082 e97f000000      jmp     GoonSys!DbgPrint (fffff880`02df7106)


kd> uf GoonSys!CalcRoutineGoonSys!CalcRoutine [e:\driverproj\topdesk\topdesk\main.c @ 34]:   34 fffff880`02df106c 4883ec48        sub     rsp,48h   39 fffff880`02df1070 41b81e000000    mov     r8d,1Eh   39 fffff880`02df1076 41b9e0fcffff    mov     r9d,0FFFFFCE0h   39 fffff880`02df107c 488d0dad000000  lea     rcx,[GoonSys! ?? ::FNODOBFM::`string' (fffff880`02df1130)]   39 fffff880`02df1083 44894c2430      mov     dword ptr [rsp+30h],r9d   39 fffff880`02df1088 418d50ec        lea     edx,[r8-14h]   39 fffff880`02df108c 4489442428      mov     dword ptr [rsp+28h],r8d   39 fffff880`02df1091 89542420        mov     dword ptr [rsp+20h],edx   39 fffff880`02df1095 e88c000000      call    GoonSys!DbgPrint (fffff880`02df1126)   40 fffff880`02df109a 4883c448        add     rsp,48h   40 fffff880`02df109e c3              ret

