What does subl do here?

Question

So... I'm compiling into assembler, with gcc -S -O2 -m32:

void h(int y){int x; x=y+1; f(y); f(2); }

And it gives me the following:

.file   "sample.c"
.text
.p2align 4,,15
.globl h
.type   h, @function
 h:
pushl   %ebp
movl    %esp, %ebp
subl    $24, %esp
movl    8(%ebp), %eax
movl    %eax, (%esp)
call    f
movl    $2, 8(%ebp)
leave
jmp f
.size   h, .-h
.ident  "GCC: (GNU) 4.4.3 20100127 (Red Hat 4.4.3-4)"
.section    .note.GNU-stack,"",@progbits

Now I know what pushl and movel: they store the current frame pointer onto the stack and then set the value of the frame pointer register to the value of the Stack Pointer.

1. But I have no idea what the subl $24, %esp is. I understood that it moves the stack pointer down by 24 bytes. Correct?
2. What is immed by the way?
3. Why does movl 8(%ebp), %eax use 8? Is it 8 bytes? Is this to accommodate for return value + argument y to h? Or am I completely off here. So this means look back 8 bytes from the stack pointer?
4. What does movl $2, 8(%ebp) do? It copies contant 2 to the location 8 bytes before the frame pointer. Did the frame pointer change when we called f? If yes - then 8(%ebp) points to the argument location for f.
5. What does leave do? How can it "remove" a stack frame? I mean you cant just remove a piece of memory. In the doc it says it does mov(esp, ebp), pop ebp.

Thanks!

Answer 1

The compiler is reserving space on the stack for locals and whatever other needs it might have. I'm not sure offhand why it's reserving 24 bytes (it doesn't seem to need or use it all).

When calling function f(), instead of using a push instruction to put the parameter on the stack, it uses a simple movl to the last location it reserved:

movl    8(%ebp), %eax    ; get the value of `y` passed in to `h()`
movl    %eax, (%esp)     ; put that value on the stack for call to `f()`

A more interesting (in my opinion) thing happening here is how the compiler is handling the call to f(2):

movl    $2, 8(%ebp)      ; store 2 in the `y` argument passed to `h()`
                         ;     since `h()` won't be using `y` anymore
leave                    ; get rid of the stackframe for `h()`
jmp f                    ; jump to `f()` instead of calling it - it'll return
                         ;     directly to whatever called `h()`

---

To answer your question, "immed by the way?" - that is what the instruction reference uses to indicate that the value is encoded in the instruction opcode instead of coming somewhere else like a register or memory location.