1.17 - Calling Conventions (Linux)

X86 (32-bit, Linux)

Stack layout (before call):

[esp]   argN (last pushed, lowest address)
[esp+4] argN-1
...
[esp+4*(n-1)] arg1

Example:

push 3        ; arg2
push 2        ; arg1
call func
add esp, 8    ; caller cleans up

Example:

mov eax, 1      ; sys_exit
mov ebx, 0      ; status
int 0x80

Arguments (register order): 1 → RDI 2 → RSI 3 → RDX 4 → RCX 5 → R8 6 → R9 Remaining args: stack (right to left)
Return value: RAX
Stack cleanup: caller
Stack alignment: stack pointer (RSP) must be 16-byte aligned at the call instruction
Callee-saved registers: RBX, RBP, R12–R15, RSP
Caller-saved registers: RAX, RCX, RDX, RSI, RDI, R8–R11

Stack layout (at call entry):

[RSP]      return address
[RSP+8]    possible spill slots for extra args

Example:

mov rdi, 2     ; arg1
mov rsi, 3     ; arg2
call func
; result in RAX

Example:

mov rax, 60    ; sys_exit
mov rdi, 0     ; status
syscall

Platform	Function args order	Syscall args order	Return	Notes
x86	stack (Left←Right)	EBX, ECX, EDX, ESI, EDI, EBP	EAX	Caller cleans stack
x86-64 SysV	RDI, RSI, RDX, RCX, R8, R9	RDI, RSI, RDX, R10, R8, R9	RAX	Stack 16-byte aligned

On 32-bit, look for pushes before calls; on 64-bit, look for register moves into RDI, RSI, etc.
If you see int 0x80, you’re in 32-bit syscall land. If you see syscall, you’re in 64-bit.
If the stack is adjusted to maintain 16-byte alignment (sub rsp, 8), that’s a sign you’re in x86-64 System V ABI.
Preserved (callee-saved) registers usually hold values across calls; volatile (caller-saved) can be trashed by function calls.

Link	Description
1.17 - Calling Conventions (Windows)