Compiler Special Purpose Registers

<stackpointer>

Attributes and Children
    register         Name of register to use as stack pointer
    space            Address space that will hold the stack
    growth           (Optional) negative or positive
    reversejustify   (Optional) true or false

The <stackpointer> tag informs Ghidra of the compiler's main stack mechanism. The register attribute names the register that holds the current offset into the stack, and the space attribute names the address space that holds the actual stack data. This tag triggers the creation of a formal stack address space. A separate, virtual stack space exists for each function being analyzed, with offsets calculated relative to the value this register holds on entry to the function. This gives each function's local variables a concrete storage location even though their true addresses are only determined dynamically at run time.

By default the stack is assumed to grow in the negative direction: entries that are deeper on the stack (pushed earlier) sit at larger addresses, and each new entry pushed on the stack decrements the stackpointer register. Setting the growth attribute to positive reverses this, so that each push increments the register and new entries are placed at increasing addresses.
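The following fragments are an added example, not part of the Ghidra documentation or any shipped compiler spec. The first follows the 32-bit x86 convention (ESP as the stack pointer, data in the ram space) and relies on the default negative growth; the second declares a hypothetical upward-growing stack, and its register name SP is a placeholder. Each fragment belongs inside a <compiler_spec> element alongside the rest of the specification; only one <stackpointer> tag is used per spec.

```xml
<!-- Added example: not from the Ghidra documentation or a shipped .cspec.
     Fragment 1: conventional downward-growing stack (32-bit x86 style).
     growth is omitted, so the default "negative" applies: each push
     decrements ESP, so anything the function pushes after entry lies at
     a negative offset from the incoming ESP, while the return address
     and stack-passed parameters lie at offset 0 and above. -->
<stackpointer register="ESP" space="ram"/>

<!-- Fragment 2: hypothetical upward-growing stack ("SP" is a placeholder
     register name, not a real target). growth="positive" reverses the push
     direction: each push increments SP, so entries pushed after entry lie
     at positive offsets from the incoming SP and the pre-entry contents
     (caller data) lie at or below it. -->
<stackpointer register="SP" space="ram" growth="positive"/>
```

When declaring a positive-growth stack, check the accompanying <returnaddress> and prototype-model stack offsets against the reversed direction; an offset that is correct for a downward-growing stack will point at the wrong side of the incoming stack pointer once growth is reversed.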

<returnaddress>

Attributes and Children
    <register> or <varnode>   One varnode tag

This tag describes how the return address is stored upon entry to a function. It takes a single varnode sub-tag describing the storage location (see the section called “Varnode Tags”). In many cases the decompiler can eliminate the return address's data-flow without this information, because the value is never used within the function and the other parameter passing is explicitly laid out. Sometimes, however, the return address can look like part of a structure allocated on the stack, or can be confused with other data-flow. In these cases the <returnaddress> tag helps by making the standard storage location explicit.

The storage location of the return address is actually a property of a prototype model. This tag defines a global default for all prototype models, but it can be overridden for individual prototype models. See the section called “<returnaddress>”.

Example 14. 

  <returnaddress>
    <varnode space="stack" offset="0" size="4"/>
  </returnaddress>