Each function has its own stack frame between %fp and %sp. Let Caller calls Callee. Then Caller's %sp becomes callee's %fp, and callee's %sp set to be a new value (a smaller one because stack grows from large address to small address). You can think that Callee's stack frame is on top of Caller's stack frame.

In Caller: put arguments in %o0 to %o5 registers or if number of arguments more than 6, prepare values in call linkage of the current stack frame. Then "call" address_of_callee; %o7 stored the returned address. (This %o7 will becomes %i7 in callee after the callee executes save instruction.)

In Callee: it executes "save" instruction:

• 0. Caller's %i (input registers) and %l (local registers) are reserved in its own stack frame. They are put in the top portion of the caller's stack frame. Implication: the return address of Caller (NOT CALLEE), %i7, is stored there.
• 1. set callee's %i (input registers) by callers %o (output registers). The implication: pass parameters and return address now is in %i7. And now callee's fp (%i6) <-- caller's sp (%o6).
• 2. Allocate space for new frame pointers. Caller's sp (%o6) is now set to be the new value.

So at this point in callee, %i6 (%fp was caller's %o6) is set, and %o6 (%sp is set to be a new value). Question: where is the old %fp? It is stored somewhere in the top portion of the previous stack frame (see step 0.) The return address of Callee is stored in %i7. Is it possible to write a program to overflow this %i7? What return address that you really can overflow? Question: how to access that return address.

The "restore" instruction is the inverse function of save. Then the "ret" instruction should branch to %i7+8. The normal address should be %i7+4 as the next instruction address after call. The extra 4 is because sparc has a "branch delay" instruction that is executed BEFORE the call is made even it is put just after CALL. Is it strange. Not really. This is because modern CPU is a pipeline machine. It loads instruction every clock cycle, and branch (or jump or call) somewhat cannot be really done until the later stage the pipeline. And then it is already too late because the one JUST after this branch has already been executed. If you want to know more, you should take a look at computer architecture textbook which I think every graduate should know.

You should be very clear what return address in server.c is overflowed? Is it the return address of main() or the return address of copy()?