In the following function kmalloc2, look at the first parameter. DWARF gives its memory location as “DW_AT_location : 2 byte block: 91 0 (DW_OP_fbreg: 0)”, where “DW_OP_fbreg: 0” means frame base + 0, which I read as stack+0. I was wondering how that could be right: when the CPU executes the call instruction, it has already pushed 4 bytes (the return address) onto the stack, so the offset of the first parameter should be ESP+4, not ESP+0.
 <1><502c>: Abbrev Number: 34 (DW_TAG_subprogram)
    <502d>   DW_AT_external    : 1
    <502d>   DW_AT_name        : (indirect string, offset: 0x18cd): kmalloc2
    <5031>   DW_AT_decl_file   : 1
    <5032>   DW_AT_decl_line   : 725
    <5034>   DW_AT_prototyped  : 1
    <5034>   DW_AT_type        : <0x482e>
    <5038>   DW_AT_low_pc      : 0x1607b50
    <503c>   DW_AT_high_pc     : 0x82
    <5040>   DW_AT_frame_base  : 1 byte block: 9c   (DW_OP_call_frame_cfa)
    <5042>   DW_AT_GNU_all_call_sites: 1
    <5042>   DW_AT_sibling     : <0x50d4>
 <2><5046>: Abbrev Number: 39 (DW_TAG_formal_parameter)
    <5047>   DW_AT_name        : (indirect string, offset: 0x17aa): virtualAddress
    <504b>   DW_AT_decl_file   : 1
    <504c>   DW_AT_decl_line   : 725
    <504e>   DW_AT_type        : <0x47da>
    <5052>   DW_AT_location    : 2 byte block: 91 0  (DW_OP_fbreg: 0)
I searched around on Google and found no answer; finally I found this Chinese blog http://tsecer.blog.163.com/blog/static/150181720118395251117/. From it I learned that even though I don’t have a .debug_frame section, I do have an .eh_frame section. After dumping that section, the rule for DW_OP_call_frame_cfa turns out to be “r4 (esp) ofs 4”, which means esp plus four. So the frame base (the CFA) is ESP+4, and “DW_OP_fbreg: 0” resolves to ESP+4 after all, which is exactly where the first parameter sits above the pushed return address.
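To make the two-step resolution concrete, here is an added example (my own, not code from the post or from the blog it links) that decodes the two location expressions quoted above and evaluates them against the .eh_frame rule. The opcode values 0x91 (DW_OP_fbreg) and 0x9c (DW_OP_call_frame_cfa) and the i386 mapping of DWARF register 4 to esp are standard DWARF facts; the esp value used at the bottom is a constructed sample, not taken from the post.

```python
# Added example: evaluate the DWARF location of kmalloc2's first parameter.
#   DW_AT_frame_base = 9c    -> DW_OP_call_frame_cfa (frame base is the CFA)
#   DW_AT_location   = 91 00 -> DW_OP_fbreg with SLEB128 offset 0
#   .eh_frame CFA rule       -> "r4 (esp) ofs 4", i.e. CFA = esp + 4
# Opcode numbers are from the DWARF standard; register values are constructed.

DW_OP_fbreg = 0x91           # operand: SLEB128 offset from the frame base
DW_OP_call_frame_cfa = 0x9C  # push the CFA computed from the CFI (.eh_frame)


def decode_sleb128(data, pos):
    """Decode a signed LEB128 integer starting at data[pos].

    Returns (value, position after the last byte consumed).
    """
    result = 0
    shift = 0
    while True:
        byte = data[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        shift += 7
        if byte & 0x80 == 0:          # high bit clear: last byte
            if byte & 0x40:           # bit 6 of the last byte is the sign bit
                result -= 1 << shift
            return result, pos


def cfa_from_rule(rule, regs):
    """Apply a CFI rule of the form (register_name, offset): CFA = reg + offset.

    ("esp", 4) is the rule readelf prints as "r4 (esp) ofs 4" on i386.
    """
    reg, ofs = rule
    return regs[reg] + ofs


def eval_location(expr, regs, cfa_rule, frame_base_expr=None):
    """Evaluate a (tiny subset of a) DWARF location expression.

    expr            -- bytes of the expression to evaluate
    regs            -- dict of register name -> value at the program counter
    cfa_rule        -- (register, offset) taken from .eh_frame for that pc
    frame_base_expr -- bytes of DW_AT_frame_base, needed by DW_OP_fbreg
    """
    stack = []
    pos = 0
    while pos < len(expr):
        op = expr[pos]
        pos += 1
        if op == DW_OP_call_frame_cfa:
            stack.append(cfa_from_rule(cfa_rule, regs))
        elif op == DW_OP_fbreg:
            ofs, pos = decode_sleb128(expr, pos)
            if frame_base_expr is None:
                raise ValueError("DW_OP_fbreg needs DW_AT_frame_base")
            frame_base = eval_location(frame_base_expr, regs, cfa_rule)
            stack.append(frame_base + ofs)
        else:
            raise ValueError(f"unsupported DWARF opcode 0x{op:02x}")
    return stack[-1]


def kmalloc2_first_param_address(esp):
    """Address of virtualAddress at the entry of kmalloc2, given esp there."""
    frame_base = bytes([0x9C])        # DW_AT_frame_base from the dump above
    location = bytes([0x91, 0x00])    # DW_AT_location   from the dump above
    cfa_rule = ("esp", 4)             # "r4 (esp) ofs 4" from .eh_frame
    return eval_location(location, {"esp": esp}, cfa_rule, frame_base)


if __name__ == "__main__":
    esp_at_entry = 0xBFFFFF00         # constructed sample value
    addr = kmalloc2_first_param_address(esp_at_entry)
    print(f"esp at entry        = 0x{esp_at_entry:08x} (return address lives here)")
    print(f"virtualAddress is at 0x{addr:08x} = esp + {addr - esp_at_entry}")
```

The point the evaluator makes explicit: DW_OP_fbreg is relative to whatever DW_AT_frame_base evaluates to, and with DW_OP_call_frame_cfa that is the CFA, not the raw stack pointer. The CFI rule in .eh_frame carries the "+4" that accounts for the return address pushed by call, so the debugger never needs it baked into the fbreg offset.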