Function detection

Functions frequently include known prologues and epilogues.

  • Prologue: sets up the stack and optionally sets up Stack Guard canaries.

  • Epilogue: optionally checks the canaries and releases the stack.

This information may be used to determine function boundaries.

  • But it is architecture and compiler-dependent.
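The sketch below is an added example, not part of the original page. It scans raw code bytes for prologue, canary-load and epilogue patterns, assuming x86-64 code built by GCC with frame pointers. The function name find_functions and the sample bytes are constructed for illustration.

```python
import re

# Assumed patterns: x86-64, GCC, frame pointers kept. Other compilers,
# -fomit-frame-pointer or other architectures need different signatures.
PROLOGUE = re.compile(rb"(?:\xf3\x0f\x1e\xfa)?\x55\x48\x89\xe5")  # [endbr64] push rbp; mov rbp,rsp
CANARY_LOAD = bytes.fromhex("64488b042528000000")                 # mov rax, fs:0x28
EPILOGUE = re.compile(rb"(?:\xc9|\x5d)\xc3")                      # leave|pop rbp ; ret


def find_functions(code):
    """Return (start, end, has_canary) for each prologue/epilogue pair found."""
    starts = [m.start() for m in PROLOGUE.finditer(code)]
    functions = []
    for i, start in enumerate(starts):
        # A function cannot extend past the next detected prologue.
        limit = starts[i + 1] if i + 1 < len(starts) else len(code)
        ends = [m.end() for m in EPILOGUE.finditer(code, start, limit)]
        if not ends:
            continue  # prologue-like bytes with no matching return: skip
        end = ends[-1]  # last return wins, so early returns stay inside
        functions.append((start, end, CANARY_LOAD in code[start:end]))
    return functions


# Constructed sample: one function with a canary, padding, one without.
SAMPLE = bytes.fromhex(
    "55 4889e5 4883ec10"        # push rbp; mov rbp,rsp; sub rsp,0x10
    "64488b042528000000"        # mov rax, fs:0x28      (load canary)
    "488945f8 31c0"             # mov [rbp-8],rax; xor eax,eax
    "488b55f8"                  # mov rdx,[rbp-8]       (reload canary)
    "64482b142528000000"        # sub rdx, fs:0x28      (compare)
    "7405 e800000000"           # je +5; call __stack_chk_fail (placeholder rel32)
    "c9 c3"                     # leave; ret
    "909090"                    # padding
    "f30f1efa 55 4889e5"        # endbr64; push rbp; mov rbp,rsp
    "897dfc 8b45fc 5d c3"       # mov [rbp-4],edi; mov eax,[rbp-4]; pop rbp; ret
)

if __name__ == "__main__":
    for start, end, canary in find_functions(SAMPLE):
        print(f"function at {start:#x}-{end:#x}, stack canary: {canary}")
```

Byte signatures like these can also match inside immediates or data, so the results are candidates to confirm with a disassembler rather than definitive boundaries.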

Alternatives:

  • Pattern matching (automatic, done by disassemblers) can also recover functions.

  • Exception-handling information in the .eh_frame section.

  • GCC intrinsics used to clean up stacks on exceptions: __attribute__((__cleanup__(f))) and __builtin_return_address(n).

Typical Prologue with Stack Guard

Typical Epilogue with Stack Guard
