Win32 calling conventions review

Recently, I’ve posted about the Win32 calling conventions. Here’s a table of contents for the posts in the series.

  1. Win32 calling conventions: Concepts
  2. Win32 calling conventions: Usage cases
  3. Win32 calling conventions: __cdecl in assembler
  4. Win32 calling conventions: __stdcall in assembler
  5. Win32 calling conventions: __fastcall in assembler
  6. Win32 calling conventions: __thiscall in assembler

Remember that when picking a calling convention to use, there are a number of factors to consider. There is no one calling convention that fits all cases (however, __stdcall is a good default if you are not sure).

Hopefully, you’ll have found this series to be enlightening, useful, and practically applicable.

12 Responses to “Win32 calling conventions review”

  1. Marc Sherman says:

    Thanks for pointing out how the “this” pointer is passed in COM calls. I didn’t know it used __stdcall.


  2. Alex Ionescu says:

    The link to __fastcall is broken :(

  3. […] Ken Johnson (Skywing) from Nyaneve has posted a TOC for his great series on Win32 calling conventions. It seems every systems developer always posts a SEH and Calling Convention guide on his blog, but the best I’ve found until now is his, so make sure you take a read! […]

  4. shmarya says:

    Great series… very informative!

    What about a series on various kinds of BP based frames?

    Also, I’ve noticed a function which appears to have __cdecl semantics (callee does stack-correction) but also makes use of the ecx register for what appears to be a ‘this’ transfer… any ideas!?

  5. Skywing says:

    There have been a couple of posts recently talking about frame pointer usage (and how it relates to FPO) that you might check out. I’ll probably go into more detail when describing how some of the new optimizations for accessing stack variables work with the x64 compiler, such as ephemeral frame pointers that are only used until the first sub-function call.

    I would suspect that the function you are describing is __thiscall. There is an article that describes that calling convention in more detail which is already up on the blog, but suffice it to say that a function that uses only ecx as an apparent parameter register, also uses the stack (but not edx) for parameter passing, and where the callee cleans the stack is very likely __thiscall.

  6. shmarya says:

    Another question:

    What about ‘safecall’? (COM)… I can’t seem to find any good resources on it!

  7. Skywing says:

    Never heard of “safecall”, sorry.

  8. […] Using our knowledge of calling conventions, it’s easy to retrieve the arguments to lldiv from the stack: counter.QuadPart is 0xd5f158ce6f602e40, and freq is 0x0000000000369e99 […]

  9. Waldermort says:

    Your articles on the calling conventions were really helpful. Now I wonder if you could help me with one thing. How are __thiscall and the this pointer handled in the 64-bit architecture? I have been searching for the answer to this for quite some time but so far have come up empty.

    The reason I ask is that I need to write a __thiscall thunk to be used on a 64-bit machine. The 32-bit was quite easy:
    mov ecx, _ThisPtr;
    call MemberCallback;

  10. Skywing says:

    __thiscall on x64 uses the standard x64 calling convention, except that the first parameter register (rcx) holds the ‘this’ pointer.

    Otherwise, it is identical to the normal calling convention on x64.

  11. […] breakpoint needs to be imbued with the knowledge of how to display the first argument based on the calling convention of the routine in question. Since CreateFile is __stdcall, that would be [esp+4] (for x86), and rcx […]