Coming from this question, wouldn't it be more secure to push the return address to a specific stack register, so that we cannot exploit the stack overflow?

call [...] to a return address stack register.
ret pops the value of the return address stack register into RIP/EIP.

Passing the return address in a register instead of on the stack doesn't help in most cases.
Most RISC ISAs already do this with a link register, and their call equivalent is jump-and-link (MIPS jal or ARM bl). The callee has to save the return address on the stack itself if it wants to call a child function, because jal clobbers the link register. (So it eventually returns by loading the return address into a register and using a jump-to-register instruction.)
This is not fundamentally different from what x86 does, where ret is basically pop rip directly. The only difference would be leaf functions, where the return address never goes into memory unless the callee spills/reloads it to get an extra scratch register.
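As an added illustration of the link-register behaviour the answer describes (hand-written AArch64 assembly, not code from the question or the answer): a leaf function whose return address stays in x30 and never touches memory, next to a non-leaf function whose prologue has to spill x30 to the stack before its own bl overwrites it, after which the return address is an ordinary stack slot just like the one x86 call pushes. The function names, the sample argument 5 and the exit-status check are my own choices for the demo.

```asm
// Added example (not from the original question or answer): where the
// return address lives in a leaf function versus a non-leaf function on
// AArch64. Assemble and run on Linux/AArch64 with:
//   as ret.s -o ret.o && ld ret.o -o ret && ./ret; echo $?
// The exit status is (5 + 1) * 2 = 12.

        .text
        .globl  _start

// leaf(x0) = x0 + 1
// bl put the return address in x30 (the link register). This function
// never stores x30 anywhere, so no stack write can redirect its ret.
leaf:
        add     x0, x0, #1
        ret                             // branch to the address in x30

// nonleaf(x0) = leaf(x0) * 2
// This function calls a child, and that bl will clobber x30, so the
// prologue must first save the caller's return address on the stack.
// From that point on the return address is plain stack memory: a write
// past a local buffer in this frame could overwrite it, exactly as with
// the slot that x86 call pushes.
nonleaf:
        stp     x29, x30, [sp, #-16]!   // spill frame pointer and link register
        mov     x29, sp
        bl      leaf                    // overwrites x30 with the address of the next instruction
        lsl     x0, x0, #1
        ldp     x29, x30, [sp], #16     // reload the return address from the stack ...
        ret                             // ... and jump to it: the same thing x86 ret / pop rip does

_start:
        mov     x0, #5
        bl      nonleaf                 // x0 = (5 + 1) * 2 = 12
        mov     x8, #93                 // Linux AArch64 exit syscall number
        svc     #0                      // exit(12)
```

The MIPS version is the same shape with jal/jr $ra and an explicit sw/lw of $ra in the non-leaf prologue and epilogue; the register only keeps the return address out of memory for as long as the function makes no further calls.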