MASM x86，ret 返回错误地址

Question

I have an assembly code which loads a COM file to the memory and runs it. The COM file will be loaded to a separate data-segment, changes the DS and SS to that segment and calls it to run the COM file. My data and the Stack segments are:

STACKSEG SEGMENT  STACK 'stack'
    DW 512 DUP(?)
STACKSEG ENDS

DATASEG1 SEGMENT PARA  'data'
    
    stacksp dw 0
    stackbp dw 0
DATASEG1 ENDS

DATASEG2 SEGMENT PARA 'data'
WHERETOJ:
    ;stck db 32 dup (?)
    txt db 4096 dup (?)  , "$"
    
    ;string B
DATASEG2 ENDS

and my caller is:

mov stacksp, sp
            mov stackbp, bp
            ASSUME DS: DATASEG2, SS:DATASEG2
            mov ax, DATASEG2
            mov DS, AX
            mov ES, AX
            MOV SS, AX
                   
            
            mov SP, 0FFFFh
               call far ptr WHERETOJ ; (Now registers are SP:FFFF, BP:0, SI:0C40, DI:0C16, DS:1820,ES:1820, SS:1820, CS:192D, IP:00BD)

            ASSUME DS: DATASEG1, SS:STACKSEG
            mov ax, STACKSEG
            MOV SS, AX

            MOV AX, DATASEG1
            MOV DS, AX
            MOV ES, AX

               
            mov bx, offset stackbp
            mov bp, [bx]
            mov bx, offset  stacksp
            mov sp, [bx]


            ret

The COM file just runs int 10h to print a character and should return to the caller:

        mov ax, 0945h  ; (Now registers are changed to SP:FFFB, BP:0, SI:0C40, DI:0C16, DS:1820,ES:1820, SS:1820, CS:1820, IP:0000)
        mov bx, 0006
        mov cx, 40
        int 10h
        
        ret ;; ( registers are   SP:FFFB, BP:0, SI:0C40, DI:0C16, DS:1820,ES:1820, SS:1820, CS:1820, IP:000B)

;;ret is ran, the registers are: SP:FFFBD, BP:0, SI:0C40, DI:0C16, DS:1820,ES:1820, SS:1820, CS:1820, IP:00C2

The problem is that when COM file is ran, the ret does not return to the caller but to a wrong unknown IP.

Answer 1

Your primary issue is that the RET you are performing is a NEAR return. A NEAR return in real mode will result in a 16-bit offset being popped off the stack and the IP (Instruction Pointer) being set to that value. The segment will not change.

Your code:

call far ptr WHERETOJ

Is a FAR CALL and pushed the 16-bit Code Segment ( CS ) followed by the 16-bit IP. The NEAR RETURN only popped off the 16-bit IP and left the segment on the stack.

At the point of the FAR CALL you said the registers had:

SP:FFFF, SS:1820, CS:192D, IP:00BD

A CALL pushes the CS followed by IP of the instruction after the CALL . The FAR CALL is encoded as a 5 byte instruction so the address pushed on the stack is 192Dh:00C2h (00BDh+5=00C2h). When you did the NEAR return it didn't change CS but it changed IP to 00C2h. It only popped 2 bytes off the stack as well. This is why you saw this in the debugger when the RET instruction was executed:

SP:FFFD, SS:1820, CS:1820, IP:00C2

SP was incremented by 2 from 0FFFBh to 0FFFDh. CS remained the same and IP was set to 00C2h. The CS:IP pair is incorrect so you ended up executing memory you didn't intend to. If you replace RET with RETF (FAR RETURN) then your code would have worked as expected and the registers would have had these values when RET was executed:

SP:FFFF, SS:1820, CS:192D, IP:00C2

---

DOS COM programs

You use the term COM program, but your code suggests it is likely a binary with an ORG (origin point) of 0000h instead of a typical ORG of 0100h in DOS COM programs. To be compatible with DOS COM you have to load the code and data at an offset 256 bytes from the beginning of the Code Segment the program will be run from. In a DOS COM program, the first instruction executed is CS:0100h and not CS:0000h

In a typical DOS COM program the DOS loader pushes 0000h on the top of the stack. If you do a NEAR RET that will start executing at CS:0000h. The first 256 bytes contain the DOS Program Segment Prefix (PSP) . The first 2 bytes of the PSP (and thus CS:0000h) are an INT 20H instruction.

INT 20h will terminate a DOS COM program and return an ERRORLEVEL of 0 to the DOS command prompt that launched the program. INT 20h should not be used to exit DOS EXE programs, you use INT 21h/AH=4C instead.

If your intention is to find a way to use a NEAR RETURN to exit your program like DOS does then you will have to provide a mechanism (code) inside the code segment to do that. Since you don't have a DOS PSP (or have chosen not to use one) you will have to find a place to copy such code within the segment. The easiest mechanism is to create a code trampoline on the stack before you start executing the program. The simplest way is to push a FAR CALL (or FAR JMP) onto the stack that takes you back to the instruction after the call far ptr WHERETOJ instruction.

A FAR CALL is encoded on the stack as:

9A oooo ssss

Where 9A is the opcode for a FAR CALL, oooo is the offset to call, ssss is the segment to use. We want to keep the stack pointer ( SP ) on an even alignment ¹ so we add a NOP instruction for a total of 6 bytes (6 is an even number). The stack would look like:

90 9A oooo ssss

Once you have the NOP+FAR CALL built on the stack, you need to push the offset of that code so that a NEAR RET will end up calling it when executed.

The path of execution in the COM program will be NEAR RET ( ret ) causing IP to change to the address on the stack where the NOP+FAR CALL is and execute that instruction to call back to the location of the FAR JMP used to start executing the COM program in the first place. You could have encoded a NOP+FAR JMP on the stack as well, but the NOP+FAR CALL has the advantage of pushing the value of CS on the stack which could be useful later on, especially if you load more than one COM program in memory.

A sample program written to run on 8086 or later processors could look like this:

.8086

STACKSEG SEGMENT  STACK 'stack'
    DW 512 DUP(?)
STACKSEG ENDS

DATASEG1 SEGMENT PARA  'data'
    finstr db 0dh, 0ah, 'Returned from COM program', 0dh, 0ah, '$'    
    stacksp dw 0
    stackbp dw 0
DATASEG1 ENDS

DATASEG2 SEGMENT PARA 'data'
WHERETOJ:
    mov ax, 0945h
    mov bx, 0057h
    mov cx, 40
    int 10h   
    ret
    org 65536            ; Expand the segment to 64KiB
DATASEG2 ENDS

CODESEG1 SEGMENT PARA 'code'
main:
    ASSUME DS: DATASEG1, SS:STACKSEG
    mov [stacksp], SP
    mov [stackbp], BP

    ASSUME DS: DATASEG2, SS:DATASEG2
    mov AX, DATASEG2
    mov DS, AX
    mov ES, AX           ; DS=ES=SS=DATASEG2

    ; CLI                ; If running on BUGGY 8088 you would need to have CLI/STI
    MOV SS, AX
    xor SP, SP           ; SP = 0. Grow down from top of 64KiB SS segment
    ; STI

    ; Build FAR CALL on the COM programs stack
    ; to return to this code when NEAR RET done
    push CS              ; Put CS on stack as part of FAR CALL
    mov AX, offset aftercom
                         ; Push the IP of the instruction after the FAR JMP below
    push AX
    mov AX, 09a90h       ; Put a NOP(90h) on the stack and 9AH (FAR CALL opcode)
    push AX              ; NOP used as padding to keep SP aligned on an even address

    mov AX, SP
    push AX              ; Push a copy of SP on the stack. SP is the address of the
                         ;     NOP
                         ;     CALL FAR PTR segment:offset instruction built on stack

    jmp far ptr WHERETOJ ; Start executing our program code
aftercom:
    add SP, 10           ; When we return the stack has 10 bytes on it (6 bytes
                         ;     for FAR CALL and the NOP + 4 bytes of the CALLers
                         ;     IP and CS). Clean them up

    ASSUME DS: DATASEG1, SS:STACKSEG
    MOV AX, DATASEG1
    MOV DS, AX
    MOV ES, AX

    mov AX, STACKSEG
    ; CLI                ; If running on BUGGY 8088 you would need to have CLI/STI
    MOV SS, AX           ; Restore SS:SP one after another since interrupts
                         ;     will be off until the instruction after changing SS
    mov SP, [stacksp]
    ; STI
    mov BP, [stackbp]
   
    mov AH, 09           ; Display a string saying we returned
    mov DX, offset finstr
    int 21h

    mov AX, 4c00h        ; Exit DOS EXE program with ERRORLEVEL 0
    int 21h
CODESEG1 ENDS

END main

A properly functioning version of the code would look similar to this when run:

---

Footnotes

• ¹ In real mode you should always align the stack pointer ( SP ) to an even offset for performance reasons. Rather than use 0FFFFh as a starting stack address use 0000h instead. The first PUSH that gets done will wrap SP to 0FFFEh (0000h-0002h=0FFFEh) before writing the value on the stack.