ARM Calling Convention

Returning from function calls in ARM is typically a BX lr. In x86, you would typically see a leave or ret instruction which pops the return address from stack and jumps to it.  The X in BX allows eXchange of instruction sets i.e. switching between thumb and ARM instruction sets. How does BX know when to transition to thumb or when to transition to ARM ? If the address ends with a 0, then BX would transition to ARM state. If the last bit of address is set to 1, then BX would transition to Thumb state. Using BX, permits functions to return safely irrespective of the nature of their callers.⁴

The current instruction set is determined by 2 bits (bit 5 and bit 24) in Current Program Status Register CPSR, a 32-bit ARM register. Ignoring bit 24 and details around it for now, if you see 0x10 as the last byte of CPSR (making bit 5 zero), the instruction set is ARM. If you see 0x30 as the last byte of CPSR, which will probably be the case when you are debugging your code in Xcode, the processor is in thumb mode. When in thumb mode, you will see code addresses jump 2 bytes or 4 bytes depending on the instruction. This can be an indirect clue for determining whether the processor is in Thumb mode. In ARM mode⁵, all instructions are 4 bytes and 32-bit aligned.

ARM has a SP register. SP stands for stack pointer (also known as r13) and tracks top of stack like other platforms. ARM stack is full descending i.e. grows down when push instruction executes and points to a location that is already in use (just like in x86). Now that we have the basics covered, let us delve into how arguments are passed in ARM.

The first four integer/pointer arguments are passed in r0, r1, r2 and r3 registers respectively. Spill over arguments are passed in stack. The results are generally returned in r0⁶. If we have a simple square function like below:

int square(int number_to_square)
{
    return number_to_square*number_to_square;
}