airs-notes/elf.html

2504 lines
128 KiB
HTML
Raw Permalink Normal View History

2021-02-03 01:23:20 +00:00
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Executable and Linkable Format (ELF)</title>
</head>
<body alink="#FF6600" bgcolor="#000000" link="#00FFFF" text="#EEEEEE" vlink="#00FFFF">
<p>This page is a copy of the <a href="https://web.archive.org/web/20201202024834/https://web.archive.org/web/20120922073347/http://www.acsu.buffalo.edu/~charngda/elf.html">Archive.org</a>
copy of the now no longer availabel <a href="https://web.archive.org/web/20201202024834/http://www.acsu.buffalo.edu/~charngda/elf.html">http://www.acsu.buffalo.edu/~charngda/elf.html</a>.
It is kept here online as a reference only.</p>
<hr>
<h2>Acronyms relevant to Executable and Linkable Format (ELF)</h2>
<table border="">
<tbody><tr><td><a href="https://web.archive.org/web/20201202024834/http://www.wikipedia.org/wiki/Application_binary_interface">ABI</a></td><td>Application binary interface</td></tr>
<tr><td><a href="https://web.archive.org/web/20201202024834/http://www.wikipedia.org/wiki/A.out">a.out</a></td><td>Assembler output file format</td></tr>
<tr><td><a href="https://web.archive.org/web/20201202024834/http://www.wikipedia.org/wiki/.bss">BSS</a></td><td>Block started by symbol. The uninitialized data segment containing statically-allocated variables.</td></tr>
<tr><td><a href="https://web.archive.org/web/20201202024834/http://www.wikipedia.org/wiki/COFF">COFF</a></td><td>Common object file format</td></tr>
<tr><td>DTV</td><td>Dynamic thread vector (for TLS)</td></tr>
<tr><td><a href="https://web.archive.org/web/20201202024834/http://www.wikipedia.org/wiki/DWARF">DWARF</a></td><td>A standardized debugging data format</td></tr>
<tr><td>GD</td><td>Global Dynamic (dynamic TLS) One of the <a href="https://web.archive.org/web/20201202024834/http://download.oracle.com/docs/cd/E19963-01/html/819-0690/chapter8-1.html">Thread-Local Storage access models</a>.</td></tr>
<tr><td>GOT</td><td>Global offset table</td></tr>
<tr><td>IE</td><td>Initial Executable (static TLS with assigned offsets) One of the <a href="https://web.archive.org/web/20201202024834/http://download.oracle.com/docs/cd/E19963-01/html/819-0690/chapter8-1.html">Thread-Local Storage access models</a>.</td></tr>
<tr><td>LD</td><td>Local Dynamic (dynamic TLS of local symbols) One of the <a href="https://web.archive.org/web/20201202024834/http://download.oracle.com/docs/cd/E19963-01/html/819-0690/chapter8-1.html">Thread-Local Storage access models</a>.</td></tr>
<tr><td>LE</td><td>Local Executable (static TLS) One of the <a href="https://web.archive.org/web/20201202024834/http://download.oracle.com/docs/cd/E19963-01/html/819-0690/chapter8-1.html">Thread-Local Storage access models</a>.</td></tr>
<tr><td><a href="https://web.archive.org/web/20201202024834/http://www.wikipedia.org/wiki/Mach-O">Mach-O</a></td><td>Mach object file format</td></tr>
<tr><td>PC</td><td>Program counter. On x86, this is the same as IP (Instruction Pointer) register.</td></tr>
<tr><td><a href="https://web.archive.org/web/20201202024834/http://www.wikipedia.org/wiki/Portable_Executable">PE</a></td><td>Portable executable</td></tr>
<tr><td>PHT</td><td>Program header table</td></tr>
<tr><td><a href="https://web.archive.org/web/20201202024834/http://www.wikipedia.org/wiki/Position_independent_code">PIC</a></td><td>Position independent code</td></tr>
<tr><td><a href="https://web.archive.org/web/20201202024834/http://www.wikipedia.org/wiki/Position_independent_code">PIE</a></td><td>Position independent executable</td></tr>
<tr><td>PLT</td><td>Procedure linkage table</td></tr>
<tr><td>REL<br>RELA</td><td>Relocation</td></tr>
<tr><td>RVA</td><td>Relative virtual address</td></tr>
<tr><td>SHF</td><td>Section header flag</td></tr>
<tr><td>SHT</td><td>Section header table</td></tr>
<tr><td>SO</td><td>Shared object (another name for dynamic link library)</td></tr>
<tr><td>VMA</td><td>Virtual memory area/address</td></tr>
</tbody></table>
<h2>Useful books and references</h2>
<a href="https://web.archive.org/web/20201202024834/http://manpages.courier-mta.org/htmlman5/elf.5.html">ELF man page</a><a>
</a><p><a>
</a><a href="https://web.archive.org/web/20201202024834/http://www.sco.com/developers/gabi/latest/contents.html">System V Application Binary Interface</a><a>
</a></p><p><a>
</a><a href="https://web.archive.org/web/20201202024834/http://www.x86-64.org/documentation/abi.pdf">AMD64 System V Application Binary Interface</a>
</p><p>
<a href="https://web.archive.org/web/20201202024834/http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/function-calling-conventions.html">The gen on function calling conventions</a>
</p><p>
Section II of <a href="https://web.archive.org/web/20201202024834/http://refspecs.freestandards.org/LSB_4.0.0/LSB-Core-generic/LSB-Core-generic/book1.html">Linux Standard Base 4.0 Core Specification</a>
</p><p>
<i>Self-Service Linux: Mastering the Art of Problem Determination</i> by Mark Wilding and Dan Behman
</p><p>
<a href="https://web.archive.org/web/20201202024834/http://download.oracle.com/docs/cd/E19963-01/html/819-0690/">Solaris Linker and Libraries Guide</a>
</p><p>
<a href="https://web.archive.org/web/20201202024834/http://www.iecc.com/linker">Linkers and Loaders</a> by John Levine
</p><p>
<a href="https://web.archive.org/web/20201202024834/http://s.eresi-project.org/inc/articles/elf-rtld.txt">Understanding Linux ELF RTLD internals</a> by mayhem (this article gives
you an idea how the runtime linker <tt>ld.so</tt> works)
</p><p>
<a href="https://web.archive.org/web/20201202024834/http://manpages.courier-mta.org/htmlman8/ld.so.8.html"><tt>ld.so</tt> man page</a>
</p><p>
<a href="https://web.archive.org/web/20201202024834/http://www.wikipedia.org/wiki/Prelink">Prelink</a> by Jakub Jelinek (and <a href="https://web.archive.org/web/20201202024834/http://linux.die.net/man/8/prelink">prelink man page</a>)
</p><h2>Executable and Linkable Format</h2>
An ELF executable binary contains at least two kinds of headers: ELF file header
(see <tt>struct Elf32_Ehdr</tt>/<tt>struct Elf64_Ehdr</tt> in <tt><a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=elf/elf.h">/usr/include/elf.h</a></tt>)
and one or more Program Headers (see <tt>struct Elf32_Phdr</tt>/<tt>struct Elf64_Phdr</tt> in <tt><a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=elf/elf.h">/usr/include/elf.h</a></tt>)
<p>
Usually there is another kind of header called Section Header, which describe
attributes of an ELF section (e.g. <tt>.text</tt>, <tt>.data</tt>,
<tt>.bss</tt>, etc) The Section Header is
described by <tt>struct Elf32_Shdr</tt>/<tt>struct Elf64_Shdr</tt> in <tt><a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=elf/elf.h">/usr/include/elf.h</a></tt>
</p><p>
The Program Headers are used during execution (ELF's "<b>execution view</b>"); it tells the kernel or the runtime linker
<tt>ld.so</tt> what to load into memory and how to find dynamic linking information.
</p><p>
The Section Headers are used during compile-time linking (ELF's "<b>linking view</b>"); it tells the link editor <tt>ld</tt>
how to resolve symbols, and how to group similar byte streams from different ELF binary
objects.
</p><p>
Conceptually, the two ELF's "views" are as follows (borrowed from Shaun Clowes's <i>Fixing/Making Holes in Binaries</i> slides):
</p><pre> +-----------------+
+----| ELF File Header |----+
| +-----------------+ |
v v
+-----------------+ +-----------------+
| Program Headers | | Section Headers |
+-----------------+ +-----------------+
|| ||
|| ||
|| ||
|| +------------------------+ ||
+--&gt; | Contents (Byte Stream) |&lt;--+
+------------------------+
</pre>
<p>
In reality, the layout of a typical ELF executable binary on a disk file is like this:
</p><pre> +-------------------------------+
| ELF File Header |
+-------------------------------+
| Program Header for segment #1 |
+-------------------------------+
| Program Header for segment #2 |
+-------------------------------+
| ... |
+-------------------------------+
| Contents (Byte Stream) |
| ... |
+-------------------------------+
| Section Header for section #1 |
+-------------------------------+
| Section Header for section #2 |
+-------------------------------+
| ... |
+-------------------------------+
| ".shstrtab" section |
+-------------------------------+
| ".symtab" section |
+-------------------------------+
| ".strtab" section |
+-------------------------------+
</pre>
The ELF File Header contains the file offsets of the first Program Header,
the first Section Header, and <tt>.shstrtab</tt> section which contains
the section names (a series of NULL-terminated strings)
<p>
The ELF File Header also contains the number of Program Headers
and the number of Section Headers.
</p><p>
Each Program Header describes a "segment": It contains the permissions (Readable, Writeable, or Executable)
, offset of the "segment" (which is just a byte stream) into the file, and the size of the
"segment". The following table shows the purposes of special segments.
Some information
can be found in GNU Binutil's source file <a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=binutils.git;a=blob_plain;f=include/elf/common.h"><tt>include/elf/common.h</tt></a>:
</p><p>
<table border="">
<tbody><tr>
<th>ELF Segment</th>
<th>Purpose</th>
</tr>
<tr>
<td><tt>DYNAMIC</tt></td>
<td>For dynamic binaries, this segment hold dynamic linking information and is usually
the same as <tt>.dynamic</tt> section in ELF's linking view. See paragraph below.
</td>
</tr>
<tr>
<td><tt>GNU_EH_FRAME</tt></td>
<td>Frame unwind information (EH = Exception Handling). This segment is usually the same as <tt>.eh_frame_hdr</tt> section in ELF's linking view.
</td>
</tr>
<tr>
<td><tt>GNU_RELRO</tt></td>
<td>This segment indicates the memory region which should be made Read-Only after relocation is done.
This segment usually appears in a dynamic link library and it
contains <tt>.ctors</tt>, <tt>.dtors</tt>, <tt>.dynamic</tt>, <tt>.got</tt>
sections. See paragraph below.
</td>
</tr>
<tr>
<td><tt>GNU_STACK</tt></td>
<td>The permission flag of this segment indicates whether the
<a href="https://web.archive.org/web/20201202024834/http://www.gentoo.org/proj/en/hardened/gnu-stack.xml">stack is executable or not</a>.
This segment does not have any content; it is just an indicator.
</td>
</tr>
<tr>
<td><tt>INTERP</tt></td>
<td>For dynamic binaries, this holds the full pathname of runtime linker <tt>ld.so</tt><p>
This segement is the same as <tt>.interp</tt> section in ELF's linking view.
</p></td>
</tr>
<tr>
<td><tt>LOAD</tt></td>
<td><b>Loadable program segment. Only segments of this type are loaded into memory during execution.</b></td>
</tr>
<tr>
<td><tt>NOTE</tt></td>
<td>Auxiliary information.<p>For core dumps, this segment contains the status of the process (when the core dump is created),
such as the signal (the process received and caused it to dump core), pending &amp; held signals,
process ID, parent process ID, user ID, nice value,
cumulative user &amp; system time, values of registers (including the program counter!)</p><p>For more info, see
<tt>struct elf_prstatus</tt> and <tt>struct elf_prpsinfo</tt> in Linux kernel source file
<a href="https://web.archive.org/web/20201202024834/http://lxr.linux.no/linux/include/linux/elfcore.h"><tt>include/linux/elfcore.h</tt></a>
and <tt>struct user_regs_struct</tt> in
<a href="https://web.archive.org/web/20201202024834/http://lxr.linux.no/linux/arch/x86/include/asm/user_64.h"><tt>arch/x86/include/asm/user_64.h</tt></a></p></td>
</tr>
<tr>
<td><tt>TLS</tt></td>
<td>Thread-Local Storage</td>
</tr>
</tbody></table>
</p><p>
Likewise, each Section Header contains the file offset of its corresponding "content"
and the size of the "content".
The following table shows the purposes of some special sections. Most information
here comes from <a href="https://web.archive.org/web/20201202024834/http://refspecs.freestandards.org/LSB_4.0.0/LSB-Core-generic/LSB-Core-generic/specialsections.html">LSB specification</a>.
Some information can be found in GNU Binutil's source file
<a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=binutils.git;a=blob_plain;f=bfd/elf.c"><tt>bfd/elf.c</tt></a> (look for
<tt>bfd_elf_special_section</tt>)
and <a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=binutils.git;a=blob_plain;f=bfd/elflink.c"><tt>bfd/elflink.c</tt></a> (look for
double-quoted section names such as <tt>".got.plt"</tt>)
</p><p>
<table border="">
<tbody><tr>
<th>ELF Section</th>
<th>Purpose</th>
</tr>
<tr>
<td><tt>.bss</tt></td>
<td>Uninitialized global data ("Block Started by Symbol").
<p>Depending on the compilers, uninitialized global variables could
be stored in a nameness section called <tt>COMMON</tt> (named after
Fortran 77's "common blocks".) To wit, consider
the following code:
</p><pre> int globalVar;
static int globalStaticVar;
void dummy() {
static int localStaticVar;
}
</pre>
Compile with <tt>gcc -c</tt>, then on x86_64, the resulting object file has the
following structure:
<pre> $ objdump -t foo.o
SYMBOL TABLE:
....
0000000000000000 l O .bss 0000000000000004 globalStaticVar
0000000000000004 l O .bss 0000000000000004 localStaticVar.1619
....
0000000000000004 O *COM* 0000000000000004 globalVar
</pre>
so only the file-scope and local-scope global variables are in
the <tt>.bss</tt> section.
<p>
If one wants <tt>globalVar</tt> to reside in the <tt>.bss</tt> section,
use the <font color="LightGreen"><tt>-fno-common</tt></font>
compiler command-line option. Using <font color="LightGreen"><tt>-fno-common</tt></font>
is encouraged, as the following example shows:
</p><pre> $ cat foo.c
int globalVar;
$ cat bar.c
double globalVar;
int main(){}
$ gcc foo.c bar.c
</pre>
Not only there is no error message about redefinition of the same symbol
in both source files (notice we did not use the <tt>extern</tt> keyword here),
there is no complaint about their different data
types and sizes either. However, if one uses <font color="LightGreen"><tt>-fno-common</tt></font>,
the compiler will complain:
<pre> /tmp/ccM71JR7.o:(.bss+0x0): <font color="Red">multiple definition</font> of `globalVar'
/tmp/ccIbS5MO.o:(.bss+0x0): first defined here
ld: Warning: <font color="Red">size of symbol</font> `globalVar' changed from 8 in /tmp/ccIbS5MO.o to 4 in /tmp/ccM71JR7.o
</pre>
</td>
</tr>
<tr>
<td><tt>.comment</tt></td>
<td>A series of NULL-terminated strings containing compiler information.</td>
</tr>
<tr>
<td><tt>.ctors</tt></td>
<td><b>Pointers</b> to functions which are marked as
<tt>__attribute__ ((constructor))</tt> as well as static C++ objects' constructors.
They will be used by <tt>__libc_global_ctors</tt> function.<p>
See paragraphs below.
</p></td>
</tr>
<tr>
<td><tt>.data</tt></td>
<td>Initialized data.</td>
</tr>
<tr>
<td><tt>.data.rel.ro</tt></td>
<td>Similar to <tt>.data</tt> section, but this section
should be made Read-Only after relocation is done.
</td>
</tr>
<tr>
<td><tt>.debug_XXX</tt></td>
<td>Debugging information (for the programs which are compiled with <tt>-g</tt> option)
which is in the DWARF 2.0 format.
<p>
See <a href="https://web.archive.org/web/20201202024834/http://dwarfstd.org/">here</a> for DWARF debugging format.
</p></td>
</tr>
<tr>
<td><tt>.dtors</tt></td>
<td><b>Pointers</b> to functions which are marked as
<tt>__attribute__ ((destructor))</tt> as well as static C++ objects' destructors.
<p>
See paragraphs below.
</p></td>
</tr>
<tr>
<td><tt>.dynamic</tt></td>
<td>For dynamic binaries, this section holds dynamic linking information used by <tt>ld.so</tt>.
See paragraphs below.</td>
</tr>
<tr>
<td><tt>.dynstr</tt></td>
<td>NULL-terminated strings of names of symbols in <tt>.dynsym</tt> section.
<p>One can use commands such as <tt>readelf -p .dynstr a.out</tt> to see these strings.
</p></td>
</tr>
<tr>
<td><tt>.dynsym</tt></td>
<td><b>Runtime</b>/Dynamic symbol table. For dynamic binaries, this section is the symbol table of
globally visible symbols. For example, if a dynamic link library wants to export
its symbols, these symbols will be stored here. On the other hand, if
a dynamic executable binary uses symbols from a dynamic link library,
then these symbols are stored here too.
<p>
The symbol names (as NULL-terminated strings) are stored in <tt>.dynstr</tt> section.
</p></td>
</tr>
<tr>
<td><tt>.eh_frame</tt><br><tt>.eh_frame_hdr</tt></td>
<td>Frame unwind information (EH = Exception Handling).
<p>
See <a href="https://web.archive.org/web/20201202024834/http://refspecs.freestandards.org/LSB_4.0.0/LSB-Core-generic/LSB-Core-generic/ehframechpt.html">here</a>
for details.
</p><p>To see the content of <tt>.eh_frame</tt> section, use
</p><pre>readelf --debug-dump=frames-interp a.out</pre>
</td>
</tr>
<tr>
<td><tt>.fini</tt></td>
<td>Code which will be executed when program exits normally. See paragraphs below.</td>
</tr>
<tr>
<td><tt>.fini_array</tt></td>
<td><b>Pointers</b> to functions which will be executed when program exits normally. See paragraphs below.</td>
</tr>
<tr>
<td><tt>.GCC.command.line</tt></td>
<td>A series of NULL-terminated strings containing
GCC command-line (that is used to compile the code) options.<p>This feature is supported since GCC 4.5
and the program must be compiled with <tt>-frecord-gcc-switches</tt> option.
</p></td>
</tr>
<tr>
<td><tt>.gnu.hash</tt></td>
<td>GNU's extension to hash table for symbols.<p>
See <a href="https://web.archive.org/web/20201202024834/http://blogs.sun.com/ali/entry/gnu_hash_elf_sections">here</a> for its structure and the hash algorithm.
</p><p>
The link editor <tt>ld</tt> calls <tt>bfd_elf_gnu_hash</tt> in
in GNU Binutil's source file <a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=binutils.git;a=blob_plain;f=bfd/elf.c"><tt>bfd/elf.c</tt></a>
to compute the hash value.
</p><p>
The runtime linker <tt>ld.so</tt> calls <tt>do_lookup_x</tt> in
<a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=elf/dl-lookup.c"><tt>elf/dl-lookup.c</tt></a>
to do the symbol look-up. The hash computing function here is <tt>dl_new_hash</tt>.
</p></td>
</tr>
<tr>
<td><tt>.gnu.linkonceXXX</tt></td>
<td>GNU's extension. It means only a single copy of the section will be used in linking.
This is used to by g++. g++ will emit each template expansion in its own section.
The symbols will be defined as weak, so that multiple definitions
are permitted.
</td>
</tr>
<tr>
<td><tt>.gnu.version</tt></td>
<td>Versions of symbols.
<p>See <a href="https://web.archive.org/web/20201202024834/http://refspecs.freestandards.org/LSB_4.0.0/LSB-Core-generic/LSB-Core-generic/symversion.html">here</a>,
<a href="https://web.archive.org/web/20201202024834/http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/4/html/Using_ld_the_GNU_Linker/version.html">here</a>,
<a href="https://web.archive.org/web/20201202024834/http://download.oracle.com/docs/cd/E19963-01/html/819-0690/appendixb-45356.html">here</a>,
and
<a href="https://web.archive.org/web/20201202024834/http://people.redhat.com/drepper/symbol-versioning">here</a>
for details of symbol versioning.
</p></td>
</tr>
<tr>
<td><tt>.gnu.version_d</tt></td>
<td>Version definitions of symbols.</td>
</tr>
<tr>
<td><tt>.gnu.version_r</tt></td>
<td>Version references (version needs) of symbols.</td>
</tr>
<tr>
<td><tt>.got</tt></td>
<td>For dynamic binaries, this Global Offset Table holds the addresses of variables which are
relocated upon loading. See paragraphs below.
</td>
</tr>
<tr>
<td><tt>.got.plt</tt></td>
<td>For dynamic binaries, this Global Offset Table holds the addresses of functions in dynamic libraries.
They are used by trampoline code in <tt>.plt</tt> section.
If <tt>.got.plt</tt> section is present, it contains at least three entries, which
have special meanings. See paragraphs below.
</td>
</tr>
<tr>
<td><tt>.hash</tt></td>
<td>Hash table for symbols.<p>
See <a href="https://web.archive.org/web/20201202024834/http://www.sco.com/developers/gabi/latest/ch5.dynamic.html#hash">here</a> for its structure and the hash algorithm.
</p><p>
The link editor <tt>ld</tt> calls <tt>bfd_elf_hash</tt> in
in GNU Binutil's source file <a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=binutils.git;a=blob_plain;f=bfd/elf.c"><tt>bfd/elf.c</tt></a>
to compute the hash value.
</p><p>
The runtime linker <tt>ld.so</tt> calls <tt>do_lookup_x</tt> in
<a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=elf/dl-lookup.c"><tt>elf/dl-lookup.c</tt></a>
to do the symbol look-up. The hash computing function here is <tt>_dl_elf_hash</tt>.
</p></td>
</tr>
<tr>
<td><tt>.init</tt></td>
<td>Code which will be executed when program initializes. See paragraphs below.</td>
</tr>
<tr>
<td><tt>.init_array</tt></td>
<td><b>Pointers</b> to functions which will be executed when program starts. See paragraphs below.</td>
</tr>
<tr>
<td><tt>.interp</tt></td>
<td>For dynamic binaries, this holds the full pathname of runtime linker <tt>ld.so</tt></td>
</tr>
<tr>
<td><tt>.jcr</tt></td>
<td>Java class registration information.<p>
Like <tt>.ctors</tt> section, it contains a list of addresses
which will be used by <tt>_Jv_RegisterClasses</tt> function
in CRT (C Runtime) startup files (see <a href="https://web.archive.org/web/20201202024834/http://gcc.gnu.org/viewcvs/trunk/gcc/crtstuff.c?view=markup"><tt>gcc/crtstuff.c</tt></a>
in GCC's source tree)
</p></td>
</tr>
<tr>
<td><tt>.note.ABI-tag</tt></td>
<td>This Linux-specific section is structured as a <a href="https://web.archive.org/web/20201202024834/http://www.sco.com/developers/gabi/latest/ch5.pheader.html#note_section">note</a>
section in ELF specification. Its content is mandated
<a href="https://web.archive.org/web/20201202024834/http://refspecs.freestandards.org/LSB_4.0.0/LSB-Core-generic/LSB-Core-generic/noteabitag.html">here</a>.
</td>
</tr>
<tr>
<td><tt>.note.gnu.build-id</tt></td>
<td>A unique build ID. See <a href="https://web.archive.org/web/20201202024834/http://fedoraproject.org/wiki/RolandMcGrath/BuildID">here</a> and
<a href="https://web.archive.org/web/20201202024834/http://fedoraproject.org/wiki/Releases/FeatureBuildId">here</a>
</td>
</tr>
<tr>
<td><tt>.note.GNU-stack</tt></td>
<td>See <a href="https://web.archive.org/web/20201202024834/http://www.airs.com/blog/archives/518">here</a>
</td>
</tr>
<tr>
<td><tt>.nvFatBinSegment</tt></td>
<td>This segment contains information of nVidia's CUDA fat binary container. Its format
is described by <tt>struct __cudaFatCudaBinaryRec</tt> in <tt>__cudaFatFormat.h</tt>
</td>
</tr>
<tr>
<td><tt>.plt</tt></td>
<td>For dynamic binaries, this Procedure Linkage Table holds the trampoline/linkage code. See paragraphs below.</td>
</tr>
<tr>
<td><tt>.preinit_array</tt></td>
<td>Similar to <tt>.init_array</tt> section. See paragraphs below.</td>
</tr>
<tr>
<td><tt>.rela.dyn</tt></td>
<td><b>Runtime</b>/Dynamic relocation table.
<p>
For dynamic binaries, this relocation table holds information of variables which
must be relocated upon loading. Each entry in this table is a
<tt>struct Elf64_Rela</tt> (see <tt><a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=elf/elf.h">/usr/include/elf.h</a></tt>) which
has only three members:
</p><ul>
<li><tt>offset</tt> (the variable's [usually position-independent] virtual memory address
which holds the "patched" value during the relocation process)
</li><li><tt>info</tt> (Index into <tt>.dynsym</tt> section and Relocation Type)
</li><li><tt>addend</tt>
</li></ul>
See paragraphs below for details about runtime relocation.
</td>
</tr>
<tr>
<td><tt>.rela.plt</tt></td>
<td><b>Runtime</b>/Dynamic relocation table.
<p>
This relocation table is similar to the one in <tt>.rela.dyn</tt> section;
the difference is this one is for functions, not variables.
</p><p>The relocation type of entries in this table is
<tt>R_386_JMP_SLOT</tt> or <tt>R_X86_64_JUMP_SLOT</tt> and
the "offset" refers to memory addresses which are
inside <tt>.got.plt</tt> section.
</p><p>Simply put, this table holds information to relocate entries in
<tt>.got.plt</tt> section.
</p></td>
</tr>
<tr>
<td><tt>.rel.text</tt><br><tt>.rela.text</tt></td>
<td><b>Compile-time</b>/Static relocation table.
<p>For programs compiled with <tt>-c</tt> option,
this section provides information to the link editor <tt>ld</tt>
where and how to "patch" executable code in <tt>.text</tt> section.
</p><p>The difference between <tt>.rel.text</tt> and <tt>.rela.text</tt>
is entries in the former does not have <tt>addend</tt> member.
(Compare <tt>struct Elf64_Rel</tt> with <tt>struct Elf64_Rela</tt> in <tt>/usr/include/elf.h</tt>)
Instead, the addend is taken from the memory location
described by <tt>offset</tt> member.
</p><p>
Whether to use <tt>.rel</tt> or <tt>.rela</tt> is platform-dependent.
For x86_32, it is <tt>.rel</tt> and for x86_64, <tt>.rela</tt>
</p></td>
</tr>
<tr>
<td><tt>.rel.XXX</tt><br><tt>.rela.XXX</tt></td>
<td>Compile-time/Static relocation table for other sections. For example,
<tt>.rela.init_array</tt> is the relocation table for <tt>.init_array</tt>
section.
</td>
</tr>
<tr>
<td><tt>.rodata</tt></td>
<td>Read-only data.</td>
</tr>
<tr>
<td><tt>.shstrtab</tt></td>
<td>NULL-terminated strings of section names.
<p>One can use commands such as <tt>readelf -p .shstrtab a.out</tt> to see these strings.
</p></td>
</tr>
<tr>
<td><tt>.strtab</tt></td>
<td>NULL-terminated strings of names of symbols in <tt>.symtab</tt> section.
<p>One can use commands such as <tt>readelf -p .strtab a.out</tt> to see these strings.
</p></td>
</tr>
<tr>
<td><tt>.symtab</tt></td>
<td><b>Compile-time</b>/Static symbol table.
<p>This is the main symbol table used in compile-time linking
or runtime debugging.
</p><p>
The symbol names (as NULL-terminated strings) are stored in <tt>.strtab</tt> section.
</p><p>Both <tt>.symtab</tt> and <tt>.symtab</tt> can be stripped away by the <tt>strip</tt>
command.
</p></td>
</tr>
<tr>
<td><tt>.tbss</tt></td>
<td>Similar to <tt>.bss</tt> section, but for <i>Thread-Local data</i>. See paragraphs below.</td>
</tr>
<tr>
<td><tt>.tdata</tt></td>
<td>Similar to <tt>.data</tt> section, but for <i>Thread-Local data</i>. See paragraphs below.</td>
</tr>
<tr>
<td><tt>.text</tt></td>
<td>User's executable code</td>
</tr>
</tbody></table>
</p><h2>How is an executable binary in Linux being executed ?</h2>
First, the operating system must recognize executable binaries. For example,
<tt>zcat /proc/config.gz | grep <a href="https://web.archive.org/web/20201202024834/http://cateee.net/lkddb/web-lkddb/BINFMT_ELF.html">CONFIG_BINFMT_ELF</a></tt> can show whether the Linux kernel is compiled
to support ELF executable binary format (if <tt>/proc/config.gz</tt> does not exist, try
<tt>/lib/modules/`uname -r`/build/.config</tt>)
<p>
When the shell makes an <tt>execvc</tt> system call to run an executable binary, the Linux kernel responds as
follows (see <a href="https://web.archive.org/web/20201202024834/http://asm.sourceforge.net/articles/startup.html">here</a> and
<a href="https://web.archive.org/web/20201202024834/http://s.eresi-project.org/inc/articles/elf-rtld.txt">here</a> for more details) in sequence:
</p><ol>
<li><a href="https://web.archive.org/web/20201202024834/http://lxr.linux.no/linux/arch/x86/kernel/process.c#L301"><tt>sys_execve</tt></a> function (in <tt>arch/x86/kernel/process.c</tt>) handles the <tt>execvc</tt> system call
from user space. It calls <tt>do_execve</tt> function.
</li><li><tt>do_execve</tt> function (in <tt>fs/exec.c</tt>) opens the executable binary file and does some preparation.
It calls <tt>search_binary_handler</tt> function.
</li><li><a href="https://web.archive.org/web/20201202024834/http://lxr.linux.no/linux/fs/exec.c#L1240"><tt>search_binary_handler</tt></a> function (in <tt>fs/exec.c</tt>) finds out the type of executable binary
and calls the corresponding handler, which in our case, is <tt>load_elf_binary</tt> function.
</li><li><a href="https://web.archive.org/web/20201202024834/http://lxr.linux.no/linux/fs/binfmt_elf.c#L564"><tt>load_elf_binary</tt></a> (in <tt>fs/binfmt_elf.c</tt>) loads the user's executable binary file into memory.
It allocates memory segments and zeros out the BSS section by calling the <tt>padzero</tt> function.
<p><tt>load_elf_binary</tt> also examines
whether the user's executable binary contains an <tt>INTERP</tt> segment or not.
</p></li><li>If the executable binary is dynamically linked, then the compiler will usually creates an
<tt>INTERP</tt> segment (which is usually the same as <tt>.interp</tt> section in
ELF's "linking view"), which contains the full pathname of an "interpreter", usually
is the Glibc runtime linker <a href="https://web.archive.org/web/20201202024834/http://linux.die.net/man/8/ld-linux">ld.so</a>.
<p>To see this, use command <tt>readelf -p .interp a.out</tt>
</p><p>According to <a href="https://web.archive.org/web/20201202024834/http://www.x86-64.org/documentation/abi.pdf">AMD64 System V Application Binary Interface</a>,
the only valid interpreter for programs conforming to AMD64 ABI is <tt>/lib/ld64.so.1</tt>
and on Linux, GCC usually uses <tt>/lib64/ld-linux-x86-64.so.2</tt>
or <tt>/lib/ld-linux-x86-64.so.2</tt> instead:
</p><pre>$ gcc -dumpspecs
....
*link:
...
%{!m32:%{!dynamic-linker:-dynamic-linker %{muclibc:%{mglibc:%e-mglibc and -muclibc used
together}/lib/ld64-uClibc.so.0;:<font color="LightGreen">/lib/ld-linux-x86-64.so.2</font>}}}}
...
</pre>
<p>To change the runtime linker, compile the program using something like </p><pre>gcc foo.c -Wl,-I/my/own/ld.so</pre>
<p>The <a href="https://web.archive.org/web/20201202024834/http://www.sco.com/developers/gabi/latest/ch5.dynamic.html">System V Application Binary Interface</a>
specifies, the operating system, instead of running the user's executable binary, should run this
"interpreter". This interpreter should complete the binding of user's executable binary
to its dependencies.
</p></li><li>Thus, if the ELF executable binary file contains an <tt>INTERP</tt> segment, <tt>load_elf_binary</tt> will
call <a href="https://web.archive.org/web/20201202024834/http://lxr.linux.no/linux/fs/binfmt_elf.c#L383"><tt>load_elf_interp</tt></a> function to load the image of this interpreter as well.
</li><li>Finally, <tt>load_elf_binary</tt> calls <tt>start_thread</tt> (in <tt>arch/x86/kernel/process_64.c</tt>)
and passes control to either the interpreter or the user program.
</li></ol>
<h2>What about <tt>ld.so</tt> ?</h2>
<tt>ld.so</tt> is the runtime linker/loader (the compile-time linker <tt>ld</tt> is formally called "link editor")
for dynamic executables. It provides the <a href="https://web.archive.org/web/20201202024834/http://download.oracle.com/docs/cd/E19963-01/html/819-0690/chapter3-1.html">following services</a>:
<ul>
<li>Analyzes the user's executable binary's <tt>DYNAMIC</tt> segment and determines what
dependencies are required. (See below)
</li><li>Locates and loads these dependencies, analyzes their <tt>DYNAMIC</tt> segments
to determine if more dependencies are required.
</li><li>Performs any necessary relocations to bind these objects.
</li><li>Calls any initialization functions (see below) provided by these dependencies.
</li><li>Passes control to user's executable binary.
</li></ul>
<h2>Compile your own <tt>ld.so</tt> </h2>
The internal working of <tt>ld.so</tt> is complex, so you might want to compile and experiment your
own <tt>ld.so</tt>.
The source code of <tt>ld.so</tt> can be found in <font color="lightgreen">Glibc</font>. The main files are
<a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=elf/rtld.c"><tt>elf/rtld.c</tt></a>,
<a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=elf/dl-reloc.c"><tt>elf/dl-reloc.c</tt></a>, and
<a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=sysdeps/x86_64/dl-machine.h"><tt>sysdeps/x86_64/dl-machine.h</tt></a>.
<p>
<a href="https://web.archive.org/web/20201202024834/http://www.linuxfromscratch.org/lfs/view/development/chapter05/glibc.html">This link</a>
provides general tips for building Glibc. Glibc's own
<a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=INSTALL">INSTALL</a> and
<a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=FAQ">FAQ</a> documents
are useful too.
</p><p>
To compile Glibc (<font color="lightgreen"><tt>ld.so</tt> cannot be compiled independently</font>) download and unpack Glibc source tarball.
</p><ul>
<li>Make sure the version of Glibc you downloaded is the same as the system's current one.
</li><li>Make sure the environmental variable <tt>LD_RUN_PATH</tt> is not set.
</li><li>Read the <a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=INSTALL">INSTALL</a> and make sure all necessary tool chains (Make, Binutils, etc)
are up-to-date.
</li><li>Make sure the file system you are doing the compilation is <font color="lightgreen">case sensitive</font>, or
you will see <a href="https://web.archive.org/web/20201202024834/http://crossgcc.rts-software.org/doku.php?id=i386linuxgccformac">weird errors</a> like
<pre>/scratch/elf/librtld.os: In function `process_envvars':
/tmp/glibc-2.x.y/elf/rtld.c:2718: undefined reference to `__open'
...
</pre>
</li><li><tt>ld.so</tt> should be compiled with the <font color="lightgreen">optimization flag on</font>
(<tt>-O2</tt> is the default). Failing to do so will end up with weird errors (see Question 1.23 in
<a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=FAQ">FAQ</a>)
</li><li>Suppose Glibc is unpacked at <pre>/tmp/glibc-2.x.y/</pre>
Then edit <tt>/tmp/glibc-2.x.y/Makefile.in</tt>: Un-comment the line <pre># PARALLELMFLAGS = -j 4</pre> and
change 4 to an appropriate number.<p>
</p></li><li>Since we are only interested in <tt>ld.so</tt> and not the whole Glibc,
we only want to build the essential source files needed by <tt>ld.so</tt>.
To do so, edit <tt>/tmp/glibc-2.x.y/Makeconfig</tt>: Find the line started with
<pre>all-subdirs = csu assert ctype locale intl catgets math setjmp signal \
...
</pre>
and change it to
<pre>all-subdirs = csu elf gmon io misc posix setjmp signal stdlib string time
</pre>
</li><li>Find a scratch directory, say <tt>/scratch</tt>. Then
<pre>$ cd /scratch
$ /tmp/glibc-2.x.y/configure --prefix=/scratch --disable-profile
$ gmake
</pre>
</li><li>Since we are not building the entire Glibc, when the <tt>gmake</tt>
stops (probably with some errors), check if <tt>/scratch/elf/ld.so</tt> exists
or not.
</li><li><tt>ld.so</tt> is a static binary, which means it has its own
implementation of standard C routines (e.g. <tt>memcpy</tt>, <tt>strcmp</tt>, etc)
It has its own <tt>printf</tt>-like routine called <tt>_dl_debug_printf</tt>.
<p>
<a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=elf/dl-misc.c"><tt>_dl_debug_printf</tt></a>
is not the full-blown <tt>printf</tt> and has very limited capabilities.
For example, to print the address, one would need to use
</p><pre>_dl_debug_printf("0x%0*lx\n", (int)sizeof (void*)*2, &amp;foo);
</pre>
</li></ul>
<h2>How does <tt>ld.so</tt> work ?</h2>
<tt>ld.so</tt>, by its nature, cannot be a dynamic executable itself. The
entry point of <tt>ld.so</tt> is <tt>_start</tt> defined in
the macro <tt>RTLD_START</tt> (in <a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=sysdeps/x86_64/dl-machine.h"><tt>sysdeps/x86_64/dl-machine.h</tt></a>).
<tt>_start</tt> is placed at the beginning of <tt>.text</tt> section, and
the default <tt>ld</tt> script specifies
"Entry point address" (in ELF header, use <tt>readelf -h ld.so|grep Entry</tt> command to see)
to be the address of <tt>_start</tt> (use <tt>ld -verbose | grep ENTRY</tt> command to see). One
can set the entry point to a different address at compile time
by <a href="https://web.archive.org/web/20201202024834/http://sourceware.org/binutils/docs/ld/Entry-Point.html"><tt>-e</tt> option</a>)
so <tt>ld.so</tt> is executed from here. The very first thing it does is to call <tt>_dl_start</tt> of
<tt>elf/rtld.c</tt>. To see this, run gdb on some ELF executable binary, and do
<pre>(gdb) break _dl_start
Function "_dl_start" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (_dl_start) pending.
(gdb) run
Starting program: a.out
Breakpoint 1, 0x0000003433e00fa0 in _dl_start () from /lib64/ld-linux-x86-64.so.2
(gdb) bt
#0 0x0000003433e00fa0 in <font color="lightgreen">_dl_start</font> () from /lib64/ld-linux-x86-64.so.2
#1 0x0000003433e00a78 in <font color="lightgreen">_start</font> () from /lib64/ld-linux-x86-64.so.2
#2 0x0000000000000001 in ?? ()
#3 0x00007fffffffe4f2 in ?? ()
#4 0x0000000000000000 in ?? ()
...
(gdb) x/10i $pc
0x3433e00a70 &lt;_start&gt;: mov %rsp,%rdi
0x3433e00a73 &lt;_start+3&gt;: callq 0x3433e00fa0 &lt;<font color="lightgreen">_dl_start</font>&gt;
0x3433e00a78 &lt;_dl_start_user&gt;: mov %rax,%r12
0x3433e00a7b &lt;_dl_start_user+3&gt;: mov 0x21b30b(%rip),%eax # 0x343401bd8c &lt;_dl_skip_args&gt;
...
</pre>
At this breakpoint, we can use <tt>pmap</tt> to see the memory map of a.out, which would
look like this:
<pre>0000000000400000 8K r-x-- a.out
0000000000601000 4K rw--- a.out
0000003433e00000 112K r-x-- /lib64/ld-2.5.so
000000343401b000 8K rw--- /lib64/ld-2.5.so
00007ffffffea000 84K rw--- [ stack ]
ffffffffff600000 8192K ----- [ anon ]
total 8408K
</pre>
The memory segment of <tt>/lib64/ld-2.5.so</tt> indeed starts at 3433e00000 (page aligned) and
this can be verified by running <tt>readelf -t /lib64/ld-2.5.so</tt>.
<p>
If we put another breakpoint at <tt>main</tt> and continue, then when it stops, the memory
map would change to this:
</p><pre>0000000000400000 8K r-x-- a.out
0000000000601000 4K rw--- a.out
0000003433e00000 112K r-x-- /lib64/ld-2.5.so
000000343401b000 4K r---- /lib64/ld-2.5.so
000000343401c000 4K rw--- /lib64/ld-2.5.so
<font color="lightgreen">0000003434200000 1336K r-x-- /lib64/libc-2.5.so &lt;-- The first "LOAD" segment, which contains .text and .rodata sections
000000343434e000 2044K ----- /lib64/libc-2.5.so &lt;-- "Hole"
000000343454d000 16K r---- /lib64/libc-2.5.so &lt;-- Relocation (GNU_RELRO) info -+---- The second "LOAD" segment
0000003434551000 4K rw--- /lib64/libc-2.5.so &lt;-- .got.plt .data sections -+
0000003434552000 20K rw--- [ anon ] &lt;-- The remaining zero-filled sections (e.g. .bss)
0000003434e00000 88K r-x-- /lib64/libpthread-2.5.so &lt;-- The first "LOAD" segment, which contains .text and .rodata sections
0000003434e16000 2044K ----- /lib64/libpthread-2.5.so &lt;-- "Hole"
0000003435015000 4K r---- /lib64/libpthread-2.5.so &lt;-- Relocation (GNU_RELRO) info -+---- The second "LOAD" segment
0000003435016000 4K rw--- /lib64/libpthread-2.5.so &lt;-- .got.plt .data sections -+
0000003435017000 16K rw--- [ anon ] &lt;-- The remaining zero-filled sections (e.g. .bss)
00002aaaaaaab000 4K rw--- [ anon ]
00002aaaaaac6000 12K rw--- [ anon ]</font>
00007ffffffea000 84K rw--- [ stack ]
ffffffffff600000 8192K ----- [ anon ]
total 14000K
</pre>
Indeed, <tt>ld.so</tt> has brought in all the required dynamic libraries.<p>Note that there
are two memory regions of 2044KB with <font color="lightgreen">null permissions</font>.
As mentioned earlier, the ELF's 'execution view' is concerned with how to load an executable
binary into memory. When <tt>ld.so</tt> brings in the dynamic libraries, it looks at the segments labelled
as <tt>LOAD</tt> (look at "Program Headers" and "Section to Segment mapping"
from <tt>readelf -a xxx.so</tt> command.) Usually there are two <tt>LOAD</tt> segments, and
there is a "hole" between the two segments (look at the VirtAddr and MemSiz of these
two segments), so <tt>ld.so</tt> will
make this hole inaccessible deliberately: Look for the <tt>PROT_NONE</tt> symbol in
<tt>_dl_map_object_from_fd</tt> in <a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=elf/dl-load.c"><tt>elf/dl-load.c</tt></a>
</p><p>
Also note that each of
<tt>libc-2.5.so</tt> and <tt>libpthread-2.5.so</tt> has a read-only memory region
(at 0x343454d000 and 0x3435015000, respectively). This is a for
<a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=elf/dl-reloc.c"><tt>elf/dl-reloc.c</tt></a>.
The <tt>GNU_RELRO</tt> segment is contained in the the second <tt>LOAD</tt> segment, which
contains the following sections (look at "Program Headers" and "Section to Segment mapping"
from <tt>readelf -l xxx.so</tt> command):
<tt>.tdata</tt>, <tt>.fini_array</tt>, <tt>.ctors</tt>, <tt>.dtors</tt>, <tt>__libc_subfreeres</tt>,
<tt>__libc_atexit</tt>, <tt>__libc_thread_subfreeres</tt>, <tt>.data.rel.ro</tt>, <tt>.dynamic</tt>,
<tt>.got</tt>, <tt>.got.plt</tt>, <tt>.data</tt>, and <tt>.bss</tt>. Except for
<tt>.got.plt</tt>, <tt>.data</tt>, and <tt>.bss</tt>, all sections in the the second <tt>LOAD</tt> segment
are also in the <tt>GNU_RELRO</tt> segment, and they are thus made read-only.
</p><p>
The two <tt>[anon]</tt> memory segments at 0x3434552000 and 0x3435017000 are for sections which do not take space in the ELF
binary files. For example, <tt>readelf -t xxx.so</tt> will show that <tt>.bss</tt> section
has <tt>NOBITS</tt> flag, which means that section takes no disk space. When segments
containing <tt>NOBITS</tt> sections are mapped into memory, <tt>ld.so</tt> allocates
extra memory pages to accomodate these <tt>NOBITS</tt> sections. A <tt>LOAD</tt>
segment is usually structured as a series of <b>contiguous</b> sections, and if
a segment contains <tt>NOBITS</tt> sections, these <tt>NOBITS</tt> sections will
be grouped together and placed at the tail of the segment.
</p><p>
So what does <tt>_dl_start</tt> do ?
</p><ul>
<li>Allocate the initial TLS block and initialize the Thread Pointer if needed (these are for <tt>ld.so</tt>'s own, not for the user program)
</li><li>Call <tt>_dl_sysdep_start</tt>, which will call <tt>dl_main</tt>
</li><li><tt>dl_main</tt> does the majority of the hard work, for example:<p>
It calls <tt>process_envvars</tt> to handle these <tt>LD_</tt> prefix environmental
variables such as <tt>LD_PRELOAD</tt>, <tt>LD_LIBRARY_PATH</tt>.</p><p>
It examines the <tt>NEEDED</tt> field(s) in the user executable binary's <tt>DYNAMIC</tt> segment
section (see below) to determine the dependencies.</p><p>
It calls <tt>_dl_init_paths</tt> (in <a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=elf/dl-load.c"><tt>elf/dl-load.c</tt></a>)
to initialize the dynamic libraries search paths.
According to <a href="https://web.archive.org/web/20201202024834/http://manpages.courier-mta.org/htmlman8/ld.so.8.html"><tt>ld.so</tt> man page</a>
and <a href="https://web.archive.org/web/20201202024834/http://blog.lxgcc.net/?tag=dt_runpath">this page</a>,
the dynamic libraries are searched in the following order:
</p><p>
</p><ol>
<li>The <tt>RPATH</tt> in the <tt>DYNAMIC</tt> segment if there is no
<tt>RUNPATH</tt> in the <tt>DYNAMIC</tt> segment.
<p><tt>RPATH</tt> can be specified when
the code is compiled with <tt>gcc -Wl,-rpath=...</tt>
</p><p><font color="red">Use of <tt>RPATH</tt> is deprecated</font>
because it has an obvious drawback: There is no way to override
it except using <tt>LD_PRELOAD</tt> environmental variable
or removing it from the <tt>DYNAMIC</tt> segment.
</p><p>Both <tt>RPATH</tt> and <tt>RUNPATH</tt> can
contain <font color="LightGreen"><tt>$ORIGIN</tt></font>
(or equivalently <font color="LightGreen"><tt>${ORIGIN}</tt></font>), which will be
expanded to the value of environmental variable <tt>LD_ORIGIN_PATH</tt>
or the full path of the loaded object
(unless the programs use <tt>setuid</tt> or <tt>setgid</tt>)
</p><p>
</p></li><li>The <tt>LD_LIBRARY_PATH</tt> environmental variable (unless
the programs use <tt>setuid</tt> or <tt>setgid</tt>)
</li><li>The <tt>RUNPATH</tt> in the <tt>DYNAMIC</tt> segment.<br><tt>RUNPATH</tt> can be specified when
the code is compiled with <tt>gcc -Wl,-rpath=...<font color="LightGreen">,--enable-new-dtags</font></tt>
<br>
One can use <a href="https://web.archive.org/web/20201202024834/http://linux.die.net/man/1/chrpath">chrpath</a>
tool to manipulate <tt>RPATH</tt> and <tt>RUNPATH</tt> settings.
</li><li><a href="https://web.archive.org/web/20201202024834/http://manpages.courier-mta.org/htmlman8/ldconfig.8.html"><tt>/etc/ld.so.cache</tt></a>
</li><li><tt>/lib</tt>
</li><li><tt>/usr/lib</tt>
</li></ol>
<p>
It calls <tt>_dl_map_object_from_fd</tt> (in <a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=elf/dl-load.c"><tt>elf/dl-load.c</tt></a>)
to load the dynamic libraries, sets up the right read/write/execute permissions for the memory segments,
(within <tt>_dl_map_object_from_fd</tt>, look at calls to <tt>mmap</tt>, <tt>mprotect</tt> and symbols such as
<tt>PROT_READ</tt>, <tt>PROT_WRITE</tt>, <tt>PROT_EXEC</tt>, <tt>PROT_NONE</tt>),
<b>zeroes out BSS sections of dynamic libraries</b> (inside <tt>_dl_map_object_from_fd</tt> function, look at calls to <tt>memset</tt>),
updates the link map, and performs relocations.</p><p>
It calls <tt>_dl_relocate_object</tt> (in <a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=elf/dl-reloc.c"><tt>elf/dl-reloc.c</tt></a>) to perform <b>runtime relocations</b> (see details below).
</p><p>
</p></li><li>When <tt>_dl_start</tt> returns, it continues to execute
code in <tt>_dl_start_user</tt> (see <a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=sysdeps/x86_64/dl-machine.h"><tt>sysdeps/x86_64/dl-machine.h</tt></a>)
</li><li><tt>_dl_start_user</tt> will call <tt>_dl_init_internal</tt>, which will call <tt>call_init</tt>
to invoke initialization function of each dynamic library loaded.
<p>Note that <tt>_dl_init_internal</tt> is defined in <a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=elf/dl-init.c"><tt>elf/dl-init.c</tt></a> as:
</p><pre>void
internal_function
_dl_init (struct link_map *main_map, int argc, char **argv, char **env)
</pre>
<tt>call_init</tt> is also in <a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=elf/dl-init.c"><tt>elf/dl-init.c</tt></a><p>
</p></li><li>The initialization function of a dynamic library, say <tt>libfoo.so</tt>, is located at the
address marked with type "<tt>INIT</tt>" in the output of <tt>readelf -d libfoo.so</tt>
<font color="lightgreen">For Glibc, its initialization function is named <tt>_init</tt></font> (not to be confused with the <tt>_init</tt>
inside the user's executable binary) and its source code is in
<a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=sysdeps/unix/sysv/linux/x86_64/init-first.c"><tt>sysdeps/unix/sysv/linux/x86_64/init-first.c</tt></a>.
<p><tt>_init</tt> will do the following things:
</p><ul>
<li>Save <tt>argc</tt>, <tt>argv</tt>, <tt>envp</tt> to hidden variables
<tt>__libc_argc</tt>, <tt>__libc_argv</tt>, <tt>__environ</tt>
</li><li>Call <tt>VDSO_SETUP</tt> to set up Virtaul Dynamic Shared Objects (see <a href="https://web.archive.org/web/20201202024834/http://www.acsu.buffalo.edu/%7Echarngda/x86assembly.html">here</a>)
<tt>VDSO_SETUP</tt> is a platform-dependent macro. For x86_64, this macro is defined as
<tt>_libc_vdso_platform_setup</tt> in <a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=sysdeps/unix/sysv/linux/x86_64/init-first.c"><tt>sysdeps/unix/sysv/linux/x86_64/init-first.c</tt></a>
</li><li>Call <tt>__init_misc</tt> (in
<a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=misc/init-misc.c"><tt>misc/init-misc.c</tt></a>) which saves <tt>argv[0]</tt>
to two global variables: <tt>program_invocation_name</tt> and <tt>program_invocation_short_name</tt>
</li><li>Call <tt>__libc_global_ctors</tt> (in <a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=elf/soinit.c"><tt>elf/soinit.c</tt></a>) to invoke each function listed in
the <tt>.ctors</tt> section (see below).<p>
For x86_64, <tt>.ctors</tt> section contains only one function: <tt>init_cacheinfo</tt></p><p>
</p></li></ul>
</li><li>At the end of <tt>_dl_start_user</tt>, the control transfers to user program's entry point address (use <tt>readelf -h a.out|grep Entry</tt> to see)
which is usually the initial address of <tt>.text</tt> section and contains
the entry of a function named <tt>_start</tt>, and in the control transfer, the finalizer function
<tt>_dl_fini</tt> is passed as an argument,
and the stack frames are completely clobbered, as if the user program
is run without any <tt>ld.so</tt> intervention. The latter is done by manipulating the stack (see the
<a href="https://web.archive.org/web/20201202024834/http://articles.manugarg.com/aboutelfauxiliaryvectors.html">on-stack auxiliary vector</a> adjustment
code and <tt>HAVE_AUX_VECTOR</tt> in <tt>dl_main</tt>)
</li></ul>
<p>
</p><center><h1>Here is the <a href="https://web.archive.org/web/20201202024834/http://www.acsu.buffalo.edu/%7Echarngda/code/gdb_callgraph/examples/callgraphLDSO.gif">call graph</a>,
which is worth a thousand words</h1> and see <a href="https://web.archive.org/web/20201202024834/http://www.acsu.buffalo.edu/%7Echarngda/callgraph.html">here</a>
on how it is generated.</center>
<p>
<font color="lightgreen">To see <tt>ld.so</tt> in action, set the environmental
variable <tt>LD_DEBUG</tt> to <tt>all</tt></font> and then run a user program.
</p><p>The above debugging information does not show <tt>mmap</tt> and <tt>mprotect</tt> calls.
However, we can use <tt>strace</tt>. If we run the user program again with
</p><pre>strace -e trace=mmap,mprotect,munmap,open a.out</pre> we should see something like the
following:
<pre>mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2ae62c0d1000
.... (a lot of failed attempts to open 'libpthread.so.0' using LD_LIBRARY_PATH)
<font color="LightBlue">open("/etc/ld.so.cache", O_RDONLY) = 3
mmap(NULL, 104801, PROT_READ, MAP_PRIVATE, 3, 0) = 0x2ae62c0d2000</font>
<font color="LightCoral">open("/lib64/libpthread.so.0", O_RDONLY) = 3</font>
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2ae62c0ec000
<font color="LightCoral">mmap(0x3434e00000, 2204528, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3434e00000 &lt;-- Bring in the first "LOAD" segment
mprotect(0x3434e16000, 2093056, PROT_NONE) = 0 &lt;-- Make the "hole" inaccessible
mmap(0x3435015000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15000) = 0x3435015000 &lt;-- Bring in the second "LOAD" segment
mmap(0x3435017000, 13168, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3435017000</font>
(note: 0x3435017000 is the [anon] part which follows immediately after libpthread-2.5.so)
...
.... (a lot of failed attempts to open 'libc.so.6' using LD_LIBRARY_PATH)
<font color="Orange">open("/lib64/libc.so.6", O_RDONLY) = 3
mmap(0x3434200000, 3498328, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3434200000 &lt;-- Bring in the first "LOAD" segment
mprotect(0x343434e000, 2093056, PROT_NONE) = 0 &lt;-- Make the "hole" inaccessible
mmap(0x343454d000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x14d000) = 0x343454d000 &lt;-- Bring in the second "LOAD" segment
mmap(0x3434552000, 16728, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3434552000</font>
(note: 0x3434552000 is the [anon] part which follows immediately after libc-2.5.so)
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2ae62c0ed000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2ae62c0ee000
<font color="Orange">mprotect(0x343454d000, 16384, PROT_READ) = 0</font> &lt;-- Make the GNU_RELRO segment read-only
<font color="LightCoral">mprotect(0x3435015000, 4096, PROT_READ) = 0</font> &lt;-- Make the GNU_RELRO segment read-only
mprotect(0x343401b000, 4096, PROT_READ) = 0
<font color="LightBlue">munmap(0x2ae62c0d2000, 104801)= 0</font>
mmap(NULL, 10489856, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_32BIT, -1, 0) = 0x40dc7000
mprotect(0x40dc7000, 4096, PROT_NONE) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2aaaaaaab000
</pre>
<h2><tt>.plt</tt> section</h2>
This section contains trampolines for functions defined in dynamic libraries.
A sample disassembly (run the command <tt>objdump -M intel -dj .plt a.out</tt>) will show the following:
<pre>4003c0 &lt;<font color="lightgreen">printf@plt-0x10</font>&gt;:
4003c0: push QWORD PTR [RIP+0x2004d2] # 600898 &lt;_GLOBAL_OFFSET_TABLE_+0x8&gt;
4003c6: jmp QWORD PTR [RIP+0x2004d4] # 6008a0 &lt;_GLOBAL_OFFSET_TABLE_+0x10&gt;
4003cc: nop DWORD PTR [RAX+0x0]
4003d0 &lt;printf@plt&gt;:
4003d0: jmp QWORD PTR [RIP+0x2004d2] # <font color="lightgreen">6008a8</font> &lt;_GLOBAL_OFFSET_TABLE_+0x18&gt;
4003d6: push 0
4003db: jmp 4003c0 &lt;<font color="lightgreen">printf@plt-0x10</font>&gt;
4003e0 &lt;__libc_start_main@plt&gt;:
4003e0: jmp QWORD PTR [RIP+0x2004ca] # 6008b0 &lt;_GLOBAL_OFFSET_TABLE_+0x20&gt;
4003e6: push 1
4003eb: jmp 4003c0 &lt;<font color="lightgreen">printf@plt-0x10</font>&gt;
</pre>
The <tt>_GLOBAL_OFFSET_TABLE_</tt> (labeled as <tt>R_X86_64_JUMP_SLOT</tt> and starts at address 0x600890) is located in
<tt>.got.plt</tt> section (to see this, run the command <tt>objdump -h a.out |grep -A 1 600890</tt>
or the command <tt>readelf -r a.out</tt>)
The data in <tt>.got.plt</tt> section look like the following <font color="lightgreen">during runtime</font>
(use gdb to see them)
<pre>(gdb) b *0x4003d0
(gdb) run
(gdb) x/6a 0x600890
0x600890: 0x6006e8 &lt;_DYNAMIC&gt; 0x32696159a8
0x6008a0: 0x326950aa20 &lt;_dl_runtime_resolve&gt; <font color="lightgreen">0x4003d6</font> &lt;printf@plt+6&gt;
0x6008b0: 0x326971c3f0 &lt;__libc_start_main&gt; 0x0
</pre>
When <tt>printf</tt> is called the first time in the user program, the
jump at 4003d0 will jump to <font color="lightgreen">4003d6</font>, which is just the next instruction (<tt>push 0</tt>)
The it jumps to 4003c0, which does not have a function name (so it is
shown as <tt>&lt;printf@plt-0x10&gt;</tt>). At 4003c6, it will jumps
to <tt>_dl_runtime_resolve</tt>. This function (in Glibc's source file
<a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=sysdeps/x86_64/dl-trampoline.S"><tt>sysdeps/x86_64/dl-trampoline.S</tt></a>)
is a trampoline to <tt>_dl_fixup</tt> (in Glibc's source file
<a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=elf/dl-runtime.c"><tt>elf/dl-runtime.c</tt></a>).
<tt>_dl_fixup</tt> again, is part of Glibc runtime linker <tt>ld.so</tt>. In particular, <font color="lightgreen">it will change
the address stored at 6008a8 to the actual
address of <tt>printf</tt> in <tt>libc.so.6</tt></font>. To see this, set up a
hardware watchpoint
<pre>(gdb) watch *0x6008a8
(gdb) cont
Continuing.
Hardware watchpoint 2: *0x6008a8
Old value = 4195286
New value = 1769244016
0x000000326950abc2 in fixup () from /lib64/ld-linux-x86-64.so.2
</pre>
If we continue execution, <tt>printf</tt> will be called, as
expected. When <tt>printf</tt> is called again in the user program, the
jump at 4003d0 will bounce directly to <tt>printf</tt>:
<pre>(gdb) x/6a 0x600890
0x600890: 0x6006e8 &lt;_DYNAMIC&gt; 0x32696159a8
0x6008a0: 0x326950aa20 &lt;_dl_runtime_resolve&gt; <font color="lightgreen">0x3269748570</font> &lt;printf&gt;
0x6008b0: 0x326971c3f0 &lt;__libc_start_main&gt; 0x0
</pre>
<h2><tt>.init</tt>, <tt>.fini</tt>, <tt>.preinit_array</tt>, <tt>.init_array</tt> and <tt>.fini_array</tt> sections</h2>
<tt>.init</tt> and <tt>.fini</tt> sections contain code to do
<a href="https://web.archive.org/web/20201202024834/http://download.oracle.com/docs/cd/E19963-01/html/819-0690/chapter3-8.html">initialization and termination</a>, as
specified by the <a href="https://web.archive.org/web/20201202024834/http://www.sco.com/developers/gabi/latest/ch4.sheader.html#special_sections">System V Application Binary Interface</a>.
If the code is compiled by GCC, then one will see the following code in
<tt>.init</tt> and <tt>.fini</tt> sections, respectively:
<pre>4003a8 &lt;_init&gt;:
4003a8: sub RSP, 8
4003ac: call call_gmon_start
4003b1: call frame_dummy
4003b6: call __do_global_ctors_aux
4003bb: add RSP, 8
4003bf: ret
400618 &lt;_fini&gt;:
400618: sub RSP, 8
40061c: call __do_global_dtors_aux
400621: add RSP, 8
400625: ret
</pre>
There is only one function: <tt>_init</tt>, in <tt>.init</tt> section, and
likewise, only one function: <tt>_fini</tt> in <tt>.fini</tt> section.
Both <tt>_init</tt> and <tt>_fini</tt> are <b>synthesized</b> at compile time
by the compiler/linker. Glibc
provides its own prolog and epilog for <tt>_init</tt> and <tt>_fini</tt>, but
the compiler is free to choose how to use them and add more code into <tt>_init</tt>
and <tt>_fini</tt>.
<p>
In Glibc, the source file <a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=sysdeps/generic/initfini.c"><tt>sysdeps/generic/initfini.c</tt></a>
(and some system dependent ones, such as <a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=sysdeps/x86_64/elf/initfini.c"><tt>sysdeps/x86_64/elf/initfini.c</tt></a>)
is compiled into two files: <tt>/usr/lib64/crti.o</tt> for prolog
and <tt>/usr/lib64/crtn.o</tt> for epilog.
</p><p>
For the compiler part, GCC uses different prolog and epilog files, depending
on the compiler command-line options. To see them, execute <tt>gcc -dumpspec</tt>,
and one can see
</p><pre>...
*endfile:
%{ffast-math|funsafe-math-optimizations:crtfastmath.o%s}
%{mpc32:crtprec32.o%s}
%{mpc64:crtprec64.o%s}
%{mpc80:crtprec80.o%s}
%{shared|pie:crtendS.o%s;:crtend.o%s}
crtn.o%s
...
*startfile:
%{!shared: %{pg|p|profile:gcrt1.o%s;pie:Scrt1.o%s;:crt1.o%s}}
crti.o%s
%{static:crtbeginT.o%s;shared|pie:crtbeginS.o%s;:crtbegin.o%s}
...
</pre>
The detailed explanation of GCC spec file is <a href="https://web.archive.org/web/20201202024834/http://gcc.gnu.org/onlinedocs/gcc/Spec-Files.html">here</a>.
For above snippet, it means, for example, if compiler command-line
option <tt>-ffast-math</tt> is used, include GCC's <tt>crtfastmath.o</tt>
file (this file can be found under <tt>/usr/lib/gcc/&lt;arch&gt;/&lt;version&gt;/</tt>)
at the end of the linking process. Glibc's <tt>crtn.o</tt> is always
included at the end of linking. The <tt>%s</tt> means this preceding file is a startup file. (GCC allows
to skip startup files during linking using <tt>-nostartfiles</tt> compiler option)
<p>Similarly, if <tt>-shared</tt> compiler command-line option is not used,
then always include Glibc's <tt>crt1.o</tt> at the start of the linking process.
<tt>crt1.o</tt> contains the function <tt>_start</tt> in <tt>.text</tt> section (not <tt>.init</tt> section!)
<tt>_start</tt> is the <font color="lightgreen">function that is executed before anything else</font>... see below.
Next, include Glibc's <tt>crti.o</tt> in the linking. Finally, include either
<tt>crtbeginT.o</tt>, <tt>crtbeginS.o</tt>, or <tt>crtbegin.o</tt> (both are part of GCC, of course), depending on
whether <tt>-static</tt> or <tt>-shared</tt> (or neither) is used.
</p><p>
So, for example, if a program is compiled using dynamic linking (which is default), no profiling, no fast
math optimizations, then the linking will include the following files in the following order:
</p><ol>
<li><tt>crt1.o</tt> (part of Glibc)
</li><li><tt>crti.o</tt> (part of Glibc and contributes the code at 4003a8, 4003ac, 400618, and the body of <tt>call_gmon_start</tt>)
</li><li><tt>crtbegin.o</tt> (part of GCC and contributes the code at 4003b1 and 40061c, and the body of <tt>frame_dummy</tt> and <tt>__do_global_dtors_aux</tt>)
</li><li>user's code
</li><li><tt>crtend.o</tt> (part of GCC and contributes the code at 4003b6 and the body of <tt>__do_global_ctors_aux</tt>)
</li><li><tt>crtn.o</tt> (part of Glibc and contributes the code at 4003bb, 4003bf, 400621, 400625)
</li></ol>
Why <tt>__do_global_ctors_aux</tt> is in <tt>crtend*.o</tt> and <tt>__do_global_dtors_aux</tt>
is in <tt>crtbegin*.o</tt> ? Recall the order of invocation of destructors should be the reverse order
of invocation of constructors. Therefore, GCC doing so will ensure <tt>__do_global_ctors_aux</tt> is called
as late as possible in <tt>.init</tt> section and <tt>__do_global_dtors_aux</tt> is called
as early as possible in <tt>.fini</tt> section.
<p>
Now back to the <tt>4003a8 &lt;_init&gt;</tt>.
</p><p>
<tt>call_gmon_start</tt> is part of the Glibc prolog <tt>/usr/lib64/crti.o</tt>.
It initializes <a href="https://web.archive.org/web/20201202024834/http://sourceware.org/binutils/docs/gprof/">gprof</a> related
data structures.
</p><p>
<tt>frame_dummy</tt> is in GCC code <a href="https://web.archive.org/web/20201202024834/http://gcc.gnu.org/viewcvs/trunk/gcc/crtstuff.c?view=markup"><tt>gcc/crtstuff.c</tt></a> and it
is used to set up excepion handling and Java class registration (JCR) information.
</p><p>
The most interesting code is <tt>__do_global_ctors_aux</tt> (in
GCC's <a href="https://web.archive.org/web/20201202024834/http://gcc.gnu.org/viewcvs/trunk/gcc/crtstuff.c?view=markup"><tt>gcc/crtstuff.c</tt></a> and
<a href="https://web.archive.org/web/20201202024834/http://gcc.gnu.org/viewcvs/trunk/gcc/gbl-ctors.h?view=markup"><tt>gcc/gbl-ctors.h</tt></a>) What it does
is to call functions which are marked as
<tt>__attribute__ ((constructor))</tt> (and static C++ objects' constructors) one by one:
</p><pre> __SIZE_TYPE__ nptrs = (__SIZE_TYPE__) __CTOR_LIST__[0];
unsigned i;
if (nptrs == (__SIZE_TYPE__)-1)
for (nptrs = 0; __CTOR_LIST__[nptrs + 1] != 0; nptrs++);
for (i = nptrs; i &gt;= 1; i--)
__CTOR_LIST__[i] ();
</pre>
The array <tt>__CTOR_LIST__</tt> is stored in a special section called <tt>.ctors</tt>.
Suppose a function called <tt>foo</tt> is marked as <tt>__attribute__ ((constructor))</tt>,
then the runtime call stack trace would be
<pre>(gdb) break foo
(gdb) run
(gdb) bt
#0 0x00000000004004d8 in foo ()
#1 0x0000000000400606 in __do_global_ctors_aux ()
#2 0x00000000004003bb in _init ()
#3 0x00000000004005a0 in ?? ()
#4 0x0000000000400561 in <font color="lightgreen">__libc_csu_init</font> ()
#5 0x000000326971c46f in __libc_start_main ()
#6 0x000000000040041a in _start ()
</pre>
Similarly, the <tt>__do_global_dtors_aux</tt> in <tt>_fini</tt> function
will invoke all functions which are marked as
<tt>__attribute__ ((destructor))</tt>. <tt>__do_global_dtors_aux</tt> code is also
in GCC's source tree at <a href="https://web.archive.org/web/20201202024834/http://gcc.gnu.org/viewcvs/trunk/gcc/crtstuff.c?view=markup"><tt>gcc/crtstuff.c</tt></a>. If
a function called <tt>foo</tt> is marked as <tt>__attribute__ ((destructor))</tt>
(and static C++ objects' destructors), then the runtime call stack trace would be
<pre>(gdb) bt
#0 0x0000000000400518 in foo ()
#1 0x00000000004004ca in __do_global_dtors_aux ()
#2 0x0000000000400641 in _fini ()
#3 0x00000032699367e8 in ?? () from /lib64/tls/libc.so.6
#4 0x0000003269730c95 in exit () from /lib64/tls/libc.so.6
#5 0x000000326971c4d2 in __libc_start_main () from /lib64/tls/libc.so.6
#6 0x000000000040045a in _start ()
</pre>
The array <tt>__DTOR_LIST__</tt> contains the addresses of these destructors
and it is stored in a special section called <tt>.dtors</tt>.
<h2>What user functions will be executed before <tt>main</tt> and at program exit? </h2>
As above call strack trace shows, <tt>_init</tt> is NOT the only function to be called before <tt>main</tt>.
It is <tt>__libc_csu_init</tt> function (in Glibc's source file <a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=csu/elf-init.c"><tt>csu/elf-init.c</tt></a>)
that determines what functions to be run before <tt>main</tt>
and the order of running them. Its code is like this
<pre> void __libc_csu_init (int argc, char **argv, char **envp)
{
#ifndef LIBC_NONSHARED
{
const size_t size = __preinit_array_end - __preinit_array_start;
size_t i;
for (i = 0; i &lt; size; i++)
<font color="lightgreen">(*__preinit_array_start [i]) (argc, argv, envp)</font>;
}
#endif
<font color="lightgreen">_init ()</font>;
const size_t size = __init_array_end - __init_array_start;
for (size_t i = 0; i &lt; size; i++)
<font color="lightgreen">(*__init_array_start [i]) (argc, argv, envp)</font>;
}
</pre>
(Symbols such as <tt>__preinit_array_start</tt>, <tt>__preinit_array_end</tt>, <tt>__init_array_start</tt>,
<tt>__init_array_end</tt> are defined by the default <tt>ld</tt> script;
look for <a href="https://web.archive.org/web/20201202024834/http://sourceware.org/binutils/docs/ld/PROVIDE.html"><tt>PROVIDE</tt>
and <tt>PROVIDE_HIDDEN</tt> keywords</a> in the output of <tt>ld -verbose</tt> command.)
<p>
The <tt>__libc_csu_fini</tt> function has similar code, but what
functions to be executed at program exit are actually determined by <tt>exit</tt>:
</p><pre> void __libc_csu_fini (void)
{
#ifndef LIBC_NONSHARED
size_t i = __fini_array_end - __fini_array_start;
while (i-- &gt; 0)
(*__fini_array_start [i]) ();
<font color="lightgreen">_fini ()</font>;
#endif
}
</pre>
<p>
To see what's going on, consider the following C code example:
</p><pre> #include &lt;stdio.h&gt;
#include &lt;stdlib.h&gt;
void preinit(<font color="lightgreen">int argc, char **argv, char **envp</font>) {
printf("%s\n", __FUNCTION__);
}
void init(<font color="lightgreen">int argc, char **argv, char **envp</font>) {
printf("%s\n", __FUNCTION__);
}
void fini() {
printf("%s\n", __FUNCTION__);
}
<font color="lightgreen">__attribute__((section(".init_array")))</font> typeof(init) *__init = init;
<font color="lightgreen">__attribute__((section(".preinit_array")))</font> typeof(preinit) *__preinit = preinit;
<font color="lightgreen">__attribute__((section(".fini_array")))</font> typeof(fini) *__fini = fini;
void <font color="lightgreen">__attribute__ ((constructor))</font> constructor() {
printf("%s\n", __FUNCTION__);
}
void <font color="lightgreen">__attribute__ ((destructor))</font> destructor() {
printf("%s\n", __FUNCTION__);
}
void <font color="lightgreen">my_atexit</font>() {
printf("%s\n", __FUNCTION__);
}
void <font color="lightgreen">my_atexit2</font>() {
printf("%s\n", __FUNCTION__);
}
int main() {
<font color="lightgreen">atexit(my_atexit)</font>;
<font color="lightgreen">atexit(my_atexit2)</font>;
}
</pre>
The output will be
<pre> preinit
constructor
init
my_atexit2
my_atexit
fini
destructor
</pre>
The <tt>.preinit_array</tt> and <tt>.init_array</tt> sections must contain
<b>function pointers</b> (NOT code!) The prototype of these functions must be <pre>void func(int argc,char** argv,char** envp)</pre>
<tt>__libc_csu_init</tt> execute them in the following order:
<ol>
<li>Function pointers in <tt>.preinit_array</tt> section
</li><li>Functions marked as <tt>__attribute__ ((constructor))</tt>, via <tt>_init</tt>
</li><li>Function pointers in <tt>.init_array</tt> section
</li></ol>
The <tt>.fini_array</tt> section must also contain <b>function pointers</b>
and the prototype is like the destructor, i.e. taking no arguments and returning void. If the program exits <b>normally</b>, then
the <tt>exit</tt> function (Glibc source file <a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=stdlib/exit.c"><tt>stdlib/exit.c</tt></a>) is called and it
will do the following:
<ol>
<li>In reverse order, functions registered via <tt>atexit</tt> or <tt>on_exit</tt>
</li><li>Function pointers in <tt>.fini_array</tt> section, via <tt>__libc_csu_fini</tt>
</li><li>Functions marked as <tt>__attribute__ ((destructor))</tt>, via <tt>__libc_csu_fini</tt> (which calls <tt>_fini</tt> after Step 2)
</li><li>stdio cleanup functions
</li></ol>
<p>
It is <font color="lightgreen">not advisable</font> to put a code in <tt>.init</tt> section, e.g.
</p><pre>void __attribute__((section(".init"))) foo() {
...
}
</pre>
because doing so will cause <tt>__do_global_ctors_aux</tt> NOT to be called. The <tt>.init</tt>
section will now look like this:
<pre>4003a0 &lt;_init&gt;:
4003a0: sub RSP, 8
4003a4: call call_gmon_start
4003a9: call frame_dummy
4003ae &lt;foo&gt;:
4003ae: push RBP
4003af: mov RBP, RSP
.... (foo's body)
4003b2: leave
4003b3: <font color="lightgreen">ret</font>
4003b4: call __do_global_ctors_aux
4003b9: add RSP, 8
4003bd: ret
</pre>
<p>
Now <tt>.init</tt> section contains more than one function, but the
epilog of <tt>_init</tt> is distorted by the insertion of <tt>foo</tt>
</p><p>
Similarly, it is <font color="lightgreen">not advisable</font> to put a code in <tt>.fini</tt> section,
because otherwise the code will look like this:
</p><pre>4006d8 &lt;_fini&gt;:
4006d8: sub RSP, 8
4006dc: call __do_global_dtors_aux
4006e1 &lt;foo&gt;:
4006e1: push RBP
4006e2: mov RBP, RSP
.... (foo's body)
4006ef: leave
4006f0: <font color="lightgreen">ret</font>
4006f1: add RSP, 8
4006f5: ret
</pre>
Now the epilog of <tt>_fini</tt> is distorted by the insertion of <tt>foo</tt>, so
the stack frame pointer will not be adjusted (<tt>add RSP, 8</tt> is not executed),
causing segmentation fault.
<h2>What do <tt>_start</tt> and <tt>__libc_start_main</tt> do? </h2>
The above call stack traces show that
<tt>_start</tt> calls <tt>__libc_start_main</tt>, which runs
all of the code before <tt>main</tt>.
<p>
<tt>_start</tt> is part of Glibc code, as in <a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=sysdeps/x86_64/elf/start.S"><tt>sysdeps/x86_64/elf/start.S</tt></a>.
As mentioned earlier, it is compiled as <tt>/usr/lib64/crt1.o</tt> and is statically linked to
user's executable binary during compilation. To see this, run gcc with <tt>-v</tt> command, and
the last line would be something like:
</p><pre>.../collect2 ... /usr/lib64/crt1.o /usr/lib64/crti.o ... /usr/lib64/crtn.o
</pre>
<tt>_start</tt> is always placed <font color="lightgreen">at the beginning of <tt>.text</tt> section, and
the default <tt>ld</tt> script specifies
"Entry point address" (in ELF header, use <tt>readelf -h ld.so|grep Entry</tt> command to see)
to be the address of <tt>_start</tt> (use <tt>ld -verbose | grep ENTRY</tt> command to see), so
<tt>_start</tt> is guaranteed to
be run before anything else</font>. (This is changeable, however, at compile time
one can specify a different initial address
by <a href="https://web.archive.org/web/20201202024834/http://sourceware.org/binutils/docs/ld/Entry-Point.html"><tt>-e</tt> option</a>)
<p>
<tt>_start</tt> does only one thing: It sets up the arguments needed by
<tt>__libc_start_main</tt> and then call it.
<tt>__libc_start_main</tt>'s source code is <a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=csu/libc-start.c"><tt>csu/libc-start.c</tt></a>
and its function prototype is:
</p><pre>__libc_start_main (int (*main) (int, char **, char **),
int argc,
char *argv,
int (*init) (int, char **, char **),
void (*fini) (void),
void (*rtld_fini) (void),
void *stack_end)
)
</pre>
<tt>__libc_start_main</tt> does quite a lot of work in
addition to kicking off <tt>__libc_csu_init</tt>:
<ol>
<li>Set up <tt>argv</tt> and <tt>envp</tt>
<!--
<li>Set up dynamic linker's flags (<tt>_dl_aux_init</tt> in <tt>elf/dl-support.c</tt>)
-->
</li><li>Initialize the thread local storage by calling <tt>__pthread_initialize_minimal</tt> (which
only calls <tt>__libc_setup_tls</tt>).<p><tt>__libc_setup_tls</tt> will initialize Thread Control Block
and Dynamic Thread Vector.
</p></li><li>Set up the thread stack guard
</li><li>Register the destructor (i.e. the <tt>rtld_fini</tt> argument passed to <tt>__libc_start_main</tt>)
of the dynamic linker (by calling <tt>__cxa_atexit</tt>) if there is any
</li><li>Initialize Glibc inself by calling <tt>__libc_init_first</tt>
</li><li>Register <tt>__libc_csu_fini</tt> (i.e. the <tt>fini</tt> argument passed to <tt>__libc_start_main</tt>)
using <tt>__cxa_atexit</tt>
</li><li><font color="lightgreen">Call <tt>__libc_csu_init</tt></font> (i.e. the <tt>init</tt> argument
passed to <tt>__libc_start_main</tt>)
<ol>
<li>Call function pointers in <tt>.preinit_array</tt> section
</li><li>Execute the code in <tt>.init</tt> section, which is usually <tt>_init</tt> function.
What <tt>_init</tt> function does is <font color="lightgreen">compiler-specific</font>.
For GCC, <tt>_init</tt> executes user functions marked as <tt>__attribute__ ((constructor))</tt>
(in <tt>__do_global_dtors_aux</tt>)
</li><li>Call function pointers in <tt>.init_array</tt> section
</li></ol>
</li><li>Set up data structures needed for thread unwinding/cancellation
</li><li><font color="lightgreen">Call <tt>main</tt></font> of user's program.
</li><li><font color="lightgreen">Call <tt>exit</tt></font>
</li></ol>
So if the last line of user program's <tt>main</tt> is <tt>return XX</tt>,
then the <tt>XX</tt> will be passed to <tt>exit</tt> at Step #11 above. If
the last line is not <tt>return XX</tt> or is simply <tt>return</tt>, then
the value passed to <tt>exit</tt> would be undefined.<p>Of course, if
the user program calls <tt>exit</tt> or <tt>abort</tt>, then <tt>exit</tt>
will gets called.
</p><center><h1>Here is the <a href="https://web.archive.org/web/20201202024834/http://www.acsu.buffalo.edu/%7Echarngda/code/gdb_callgraph/examples/callgraphEmpty.gif">call graph</a>,
which is worth a thousand words</h1> and see <a href="https://web.archive.org/web/20201202024834/http://www.acsu.buffalo.edu/%7Echarngda/callgraph.html">here</a>
on how it is generated.</center>
<p>
If one tries to build a program which does not contain <tt>main</tt>, then one should see the following error:
</p><pre>/usr/lib/crt1.o: In function `_start': (<font color="lightgreen">.text+0x20</font>): undefined reference to `main'
collect2: ld returned 1 exit status
</pre>
As mentioned earlier, <tt>crt1.o</tt> (part of Glibc) contains the function
<tt>_start</tt>, which will call
<tt>__libc_start_main</tt> and pass <tt>main</tt> (a function pointer) as one of the arguments.
If one uses
<pre>nm -u /usr/lib/crt1.o
</pre>
then it will show <tt>main</tt> is a undefined symbol in <tt>crt1.o</tt>. Now let's disassemble
<tt>crt1.o</tt>:
<pre>$ objdump -M intel -dj .text /usr/lib/crt1.o
crt1.o: file format elf64-x86-64
Disassembly of section .text:
0000000000000000 &lt;_start&gt;:
0: 31 ed xor ebp,ebp
2: 49 89 d1 mov r9,rdx
5: 5e pop rsi
6: 48 89 e2 mov rdx,rsp
9: 48 83 e4 f0 and rsp,0xfffffffffffffff0
d: 50 push rax
e: 54 push rsp
f: 49 c7 c0 00 00 00 00 mov r8,0x0
16: 48 c7 c1 00 00 00 00 mov rcx,0x0
1d: 48 c7 c7 <font color="lightgreen">00 00 00 00</font> mov rdi,0x0
24: e8 00 00 00 00 call 29 &lt;_start+0x29&gt;
29: f4 hlt
...
</pre>
Above shows <font color="lightgreen">.text+0x20</font> refers to
the 4 bytes of an <tt>mov</tt> instruction. This means during the
linking, the address of <tt>main</tt> should be resolved
and then inserted at the right memory location: .text+0x20. Now let's cross reference
the relocation table:
<pre>$ readelf -p /usr/lib/crt1.o
Relocation section '.rela.text' at offset 0x410 contains 4 entries:
Offset Info Type Sym. Value Sym. Name + Addend
000000000012 00090000000b R_X86_64_32S 0000000000000000 __libc_csu_fini + 0
000000000019 000b0000000b R_X86_64_32S 0000000000000000 __libc_csu_init + 0
<font color="lightgreen">000000000020</font> 000c0000000b R_X86_64_32S 0000000000000000 main + 0
000000000025 000f00000002 R_X86_64_PC32 0000000000000000 __libc_start_main - 4
</pre>
Above shows where <font color="lightgreen">0x20</font> comes from.
<h2>How to find the address of <tt>main</tt> of an executable binary ?</h2>
When an ELF executable binary is stripped off symbolic information, it
is not clear where the <tt>main</tt> is located.
<p>
From above analysis, it's possible to find out the address of <tt>main</tt> (which is
NOT the "Entry point address" seen from the output of <tt>readelf -h a.out | grep Entry</tt>
command. "Entry point address" is the address of <tt>_start</tt>)
</p><p>
Since the address of <tt>main</tt> is the first argument to the call
to <tt>__libc_start_main</tt>, we can extract the value of the first
argument as follows.
</p><p>
On <font color="LightGreen">64-bit x86</font>, the <a href="https://web.archive.org/web/20201202024834/http://www.acsu.buffalo.edu/%7Echarngda/x86assembly.html">calling convention</a>
requires that the first argument
goes to <font color="LightGreen"><tt>RDI</tt> register</font>, so the
address can be extracted by
</p><pre>objdump -j .text -d a.out | grep -B5 'call.*__libc_start_main' | awk '/mov.*%rdi/ { print $NF }'
</pre>
On <font color="LightGreen">32-bit x86</font>, the C calling
convention ("<a href="https://web.archive.org/web/20201202024834/http://www.wikipedia.org/wiki/X86_calling_conventions#cdecl">cdecl</a>") is that the first argument
is the <font color="LightGreen">last item to be pushed onto the stack</font>
before the call, so the
address can be extracted by
<pre>objdump -j .text -d a.out | grep -B2 'call.*__libc_start_main' | awk '/push.*0x/ { print $NF }'
</pre>
<h2>PIC, TLS, and AMD64 code models</h2>
Relocation is the process of connecting symbolic references with symbolic definitions.
The runtime relocation is done by <tt>ld.so</tt>, as in <tt>elf_machine_rela</tt> function
in Glibc's source file <a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=sysdeps/x86_64/dl-machine.h"><tt>sysdeps/x86_64/dl-machine.h</tt></a>.
The link-time relocation is done by the link-editor <tt>ld</tt>, which uses the relocation
table in the object file (<tt>.rela.text</tt> section). Each symbolic reference has an entry
in the relocation table, and
each entry contains three fields: offset, info (relocation type, symbol table index), and addend.
The relocation types are:
<p>
<table border="">
<tbody><tr>
<th>Relocation type</th>
<th>Meaning</th>
<th>Used when</th>
</tr>
<tr>
<td><tt>R_X86_64_16</tt></td>
<td>Direct 16 bit zero extended</td>
<td></td>
</tr>
<tr>
<td><tt>R_X86_64_32</tt></td>
<td>Direct 32 bit zero extended</td>
<td></td>
</tr>
<tr>
<td><tt>R_X86_64_32S</tt></td>
<td>Direct 32 bit
sign extended<span></span></td>
<td></td>
</tr>
<tr>
<td><tt>R_X86_64_64</tt></td>
<td>Direct 64 bit</td>
<td>Large code model</td>
</tr>
<tr>
<td><tt>R_X86_64_8</tt></td>
<td>Direct 8 bit sign extended</td>
<td></td>
</tr>
<tr>
<td><tt>R_X86_64_COPY</tt></td>
<td>Copy symbol at runtime</td>
<td></td>
</tr>
<tr>
<td><tt>R_X86_64_DTPMOD64</tt></td>
<td>ID of module containing symbol</td>
<td>TLS</td>
</tr>
<tr>
<td><tt>R_X86_64_DTPOFF32</tt></td>
<td>Offset in TLS block</td>
<td>TLS</td>
</tr>
<tr>
<td><tt>R_X86_64_DTPOFF64</tt></td>
<td>Offset in module's TLS block</td>
<td>TLS</td>
</tr>
<tr>
<td><tt>R_X86_64_GLOB_DAT</tt></td>
<td><tt>.got</tt> section, which contains addresses to the actual functions in DLL</td>
<td></td>
</tr>
<tr>
<td><tt>R_X86_64_GOT32</tt></td>
<td>32 bit GOT entry</td>
<td></td>
</tr>
<tr>
<td><tt>R_X86_64_GOT64</tt></td>
<td>64-bit GOT entry offset</td>
<td>PIC &amp; Large code model</td>
</tr>
<tr>
<td><tt>R_X86_64_GOTOFF64</tt></td>
<td>64-bit GOT offset</td>
<td>PIC &amp; Large code model</td>
</tr>
<tr>
<td><tt>R_X86_64_GOTPC32</tt></td>
<td>32-bit PC relative offset to GOT</td>
<td></td>
</tr>
<tr>
<td><tt>R_X86_64_GOTPC32_TLSDESC</tt></td>
<td>32-bit PC relative to TLS descriptor in GOT</td>
<td>TLS</td>
</tr>
<tr>
<td><tt>R_X86_64_GOTPC64</tt></td>
<td>64-bit PC relative offset to GOT</td>
<td>PIC &amp; Large code model</td>
</tr>
<tr>
<td><tt>R_X86_64_GOTPCREL</tt></td>
<td>32 bit signed PC relative offset to GOT</td>
<td>PIC</td>
</tr>
<tr>
<td><tt>R_X86_64_GOTPCREL64</tt></td>
<td>64-bit PC relative offset to GOT entry</td>
<td>PIC &amp; Large code model</td>
</tr>
<tr>
<td><tt>R_X86_64_GOTPLT64</tt></td>
<td>Like GOT64, indicates that PLT entry needed</td>
<td>PIC &amp; Large code model</td>
</tr>
<tr>
<td><tt>R_X86_64_GOTTPOFF</tt></td>
<td>32 bit signed PC relative offset to GOT entry for IE symbol</td>
<td>TLS</td>
</tr>
<tr>
<td><tt>R_X86_64_JUMP_SLOT</tt></td>
<td><tt>.got.plt</tt> section, which contains addresses to the actual functions in DLL</td>
<td>DLL</td>
</tr>
<tr>
<td><tt>R_X86_64_PC16</tt></td>
<td>16 bit sign extended PC relative</td>
<td></td>
</tr>
<tr>
<td><tt>R_X86_64_PC32</tt></td>
<td>PC relative 32 bit signed</td>
<td></td>
</tr>
<tr>
<td><tt>R_X86_64_PC64</tt></td>
<td>64-bit PC relative</td>
<td>Large code model</td>
</tr>
<tr>
<td><tt>R_X86_64_PC8</tt></td>
<td>8 bit sign extended PC relative</td>
<td></td>
</tr>
<tr>
<td><tt>R_X86_64_PLT32</tt></td>
<td>32 bit PLT address</td>
<td></td>
</tr>
<tr>
<td><tt>R_X86_64_PLTOFF64</tt></td>
<td>64-bit GOT relative offset to PLT entry</td>
<td>PIC &amp; Large code model</td>
</tr>
<tr>
<td><tt>R_X86_64_RELATIVE</tt></td>
<td>Adjust by program base</td>
<td></td>
</tr>
<tr>
<td><tt>R_X86_64_SIZE32</tt></td>
<td></td>
<td></td>
</tr>
<tr>
<td><tt>R_X86_64_SIZE64</tt></td>
<td></td>
<td></td>
</tr>
<tr>
<td><tt>R_X86_64_TLSDESC</tt></td>
<td>2 by 64-bit TLS descriptor</td>
<td>TLS</td>
</tr>
<tr>
<td><tt>R_X86_64_TLSDESC_CALL</tt></td>
<td>Relaxable call through TLS descriptor</td>
<td>TLS</td>
</tr>
<tr>
<td><tt>R_X86_64_TLSGD</tt></td>
<td>32 bit signed PC relative offset to two GOT entries for GD symbol</td>
<td>TLS &amp; PIC</td>
</tr>
<tr>
<td><tt>R_X86_64_TLSLD</tt></td>
<td>32 bit signed PC relative offset to two GOT entries for LD symbol</td>
<td>TLS</td>
</tr>
<tr>
<td><tt>R_X86_64_TPOFF32</tt></td>
<td>Offset in initial TLS block</td>
<td>TLS</td>
</tr>
<tr>
<td><tt>R_X86_64_TPOFF64</tt></td>
<td>Offset in initial TLS block<span></span></td>
<td>TLS &amp; Large code model</td>
</tr>
</tbody></table>
</p><p>
According to Chapter 3.5 of <a href="https://web.archive.org/web/20201202024834/http://www.x86-64.org/documentation/abi.pdf">AMD64 System V Application Binary Interface</a>,
there are four code models and they differ in addressing modes (absolute versus relative):
</p><ul>
<li><b>Small</b>: All compile- and link-time addresses and symbols are assumed to fit
in 32-bit immediate operands. This model restricts code and global data to the low
2 GB of the address space (to be exact, between 0x0 and 0x7eff ffff, which is 2031 MB)
<p>The compiler can encode symbolic references
</p><ul>
<li>In sign-extended immediate operands for offsets in the range of 0x8000 0000 (-2<sup>31</sup>)
to 0x100 0000 (2<sup>24</sup>)
</li><li>In zero-extended immediate operands for offsets in the range of 0x0
to 0x7f00 0000 (2<sup>31</sup> - 2<sup>24</sup>)
</li><li>In <a href="https://web.archive.org/web/20201202024834/http://www.tortall.net/projects/yasm/manual/html/nasm-effaddr.html">RIP relative addressing mode</a>
for offsets in the range 0xff00 0000 (-2<sup>24</sup> = -16 MB) to 0x100 0000 (2<sup>24</sup> = 16 MB)
</li></ul>
<p>This mode is the default mode for most compilers.</p><p>
</p></li><li><b>Large</b>: No restrictions are placed on the size or placement of code and data.
The max virtual memory space is 48 bits (256 TB).
</li><li><b>Medium</b>: Like the Small code model, except the data sections are split into two parts, e.g.
instead of having just <tt>.data</tt>, <tt>.rodata</tt>, <tt>.bss</tt> sections, there would also be
<tt>.ldata</tt>, <tt>.lrodata</tt>, <tt>.lbss</tt> sections. The smaller <tt>.data</tt>, etc
are still the same as in the Small code model, and the larger <tt>.ldata</tt>, etc
are as in the Large code model.
</li><li><b>Kernel</b>: Like the Small code model, but the 2 GB address space spans
from 0xffff ffff 8000 0000 (2<sup>64</sup>-2<sup>31</sup>)
to 0xffff ffff ff00 0000 (2<sup>64</sup>-2<sup>24</sup>) Because of this, the
offsets which can be encoded using sign-extended and zero-extended immediate operands
change.
</li></ul>
Now consider the following C code
<pre>extern int esrc[100];
int gsrc[100];
static int ssrc[100];
void foo() {
int k;
k = esrc[5];
k = gsrc[5];
k = ssrc[5];
}
</pre>
<ul>
<li><b>Small</b> code model, no PIC (i.e. compiled with just <tt>gcc -c</tt>):
<pre>k = esrc[5]; mov EAX, DWORD PTR[RIP+0x0]
mov DWORD PTR[RBP-0x4], EAX
k = gsrc[5]; mov EAX, DWORD PTR[RIP+0x0]
mov DWORD PTR[RBP-0x4], EAX
k = ssrc[5]; mov EAX, DWORD PTR[RIP+0x0]
mov DWORD PTR[RBP-0x4], EAX
</pre>
and the relocation table is (use <tt>readelf -r foo.o</tt> command)
<pre>type Sym. Name + Addend
R_X86_64_PC32 esrc + 10
R_X86_64_PC32 gsrc + 10
R_X86_64_PC32 .bss + 10
</pre>
All of the 0x0's in the generated assembly will be filled at link-time
with their relative offsets in respective sections, as indicated by the relocation table.
<p>
</p></li><li><b>Large</b> code model, no PIC (i.e. compiled with <tt>gcc -c -mcmodel=large</tt>)
<pre>k = esrc[5]; mov RAX, 0x0
mov EAX, DWORD PTR[RAX+0x10]
mov DWORD PTR[RBP-0x4], EAX
k = gsrc[5]; mov RAX, 0x0
mov EAX, DWORD PTR[RAX+0x10]
mov DWORD PTR[RBP-0x4], EAX
k = ssrc[5]; mov RAX, 0x0
mov EAX, DWORD PTR[RAX+0x10]
mov DWORD PTR[RBP-0x4], EAX
</pre>
and the relocation table is:
<pre>type Sym. Name + Addend
R_X86_64_64 esrc + 0
R_X86_64_64 gsrc + 0
R_X86_64_64 .bss + 0
</pre>
All of the 0x0's in the generated assembly will be filled at link-time
with their (64-bit) absolute addresses.
<p>
</p></li><li><b>Small</b> code model, PIC (i.e. compiled with <tt>gcc -c -fPIC</tt>. Note that adding <tt>-shared</tt> or not will not affect the generated code)
<pre>k = esrc[5]; mov RAX, QWORD PTR[RIP+0x0]
mov EAX, DWORD PTR[RAX+0x10]
mov DWORD PTR[RBP-0x4], EAX
k = gsrc[5]; mov RAX, QWORD PTR[RIP+0x0]
mov EAX, DWORD PTR[RAX+0x10]
mov DWORD PTR[RBP-0x4], EAX
k = ssrc[5]; mov EAX, DWORD PTR[RIP+0x0]
mov DWORD PTR[RBP-0x4], EAX
</pre>
and the relocation table is:
<pre>type Sym. Name + Addend
R_X86_64_GOTPCREL esrc - 4
R_X86_64_GOTPCREL gsrc - 4
R_X86_64_PC32 .bss + 10
</pre>
The first two 0x0's in the generated assembly will be filled with the relative
offset of <tt>_GLOBAL_OFFSET_TABLE_</tt> (i.e. the <tt>.got.plt</tt> section)
<p>
</p></li><li><b>Large</b> code model, PIC (i.e. compiled with <tt>gcc -c -fPIC -mcmodel=large</tt>)
<pre> lea RBX, [RIP-0x7]
mov R11, 0x0
add RBX, R11
k = esrc[5]; mov RAX, 0x0
mov RAX, QWORD PTR[RBX+RAX*1]
mov EAX, DWORD PTR[RAX+0x10]
mov DWORD PTR[RBP-0x4], EAX
k = gsrc[5]; mov RAX, 0x0
mov RAX, QWORD PTR[RBX+RAX*1]
mov EAX, DWORD PTR[RAX+0x10]
mov DWORD PTR[RBP-0x4], EAX
k = ssrc[5]; mov RAX, 0x0
mov RAX, QWORD PTR[RBX+RAX*1]
mov EAX, DWORD PTR[RAX+0x10]
mov DWORD PTR[RBP-0x4], EAX
</pre>
The first 0x0 is in the generated assembly will be filled with the absolute
address of <tt>_GLOBAL_OFFSET_TABLE_</tt>
</li></ul>
<h2><tt>_GLOBAL_OFFSET_TABLE_</tt>, <tt>.got.plt</tt> section, and <tt>DYNAMIC</tt> segment</h2>
Earlier we see that the <tt>_GLOBAL_OFFSET_TABLE_</tt> is located in <tt>.got.plt</tt> section:
<pre>(gdb) b *0x4003d0
(gdb) run
(gdb) x/6a 0x600890
0x600890: 0x6006e8 &lt;_DYNAMIC&gt; 0x32696159a8
0x6008a0: 0x326950aa20 &lt;_dl_runtime_resolve&gt; <font color="lightgreen">0x4003d6</font> &lt;printf@plt+6&gt;
0x6008b0: 0x326971c3f0 &lt;__libc_start_main&gt; 0x0
</pre>
According to Chapter 5.2 of <a href="https://web.archive.org/web/20201202024834/http://www.x86-64.org/documentation/abi.pdf">AMD64 System V Application Binary Interface</a>,
the first 3 entries of this table are reserved for special purposes.
The first entry is set up during compilation by the link editor <tt>ld</tt>.
The second and third entries are set up during runtime by the runtime linker <tt>ld.so</tt>
(see function <tt>_dl_relocate_object</tt> in Glibc source file <a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=elf/dl-reloc.c"><tt>elf/dl-reloc.c</tt></a>
and in particular, notice the <tt>ELF_DYNAMIC_RELOCATE</tt> macro,
which calls function <tt>elf_machine_runtime_setup</tt> in <a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=sysdeps/x86_64/dl-machine.h"><tt>sysdeps/x86_64/dl-machine.h</tt></a>)
<p>
The first entry <tt>_DYNAMIC</tt> has value 6006e8, and this is exactly
the starting address of <tt>.dynamic</tt> section (or <tt>DYNAMIC</tt> segment, in ELF's "execution view".)
The runtime linker <tt>ld.so</tt> uses this section to find the all necessary
information needed for runtime relocation and dynamic linking.
</p><p>
To see <tt>DYNAMIC</tt> segment's content, use <tt>readelf -d a.out</tt> command, or
<tt>objdump -x a.out</tt>, or just use <tt>x/50a 0x6006e8</tt> in gdb.
The <tt>readelf -d a.out</tt> command will show something like this:
</p><pre>Dynamic section at offset 0x6e8 contains 21 entries:
Tag Type Name/Value
0x0000000000000001 (NEEDED) Shared library: [libc.so.6] &lt;-- dependent dynamic library name
0x000000000000000c (INIT) 0x4003a8 &lt;-- address of .init section
0x000000000000000d (FINI) 0x400618 &lt;-- address of .fini section
0x0000000000000004 (HASH) 0x400240 &lt;-- address of .hash section
0x000000006ffffef5 (GNU_HASH) 0x400268 &lt;-- address of .gnu.hash section
0x0000000000000005 (STRTAB) 0x4002e8 &lt;-- address of .strtab section
0x0000000000000006 (SYMTAB) 0x400288 &lt;-- address of .symtab section
0x000000000000000a (STRSZ) 63 (bytes) &lt;-- size of .strtab section
0x000000000000000b (SYMENT) 24 (bytes) &lt;-- size of an entry in .symtab section
0x0000000000000015 (DEBUG) 0x0 &lt;-- see below
0x0000000000000003 (PLTGOT) 0x600860 &lt;-- address of .got.plt section
0x0000000000000002 (PLTRELSZ) 48 (bytes) &lt;-- total size of .rela.plt section
0x0000000000000014 (PLTREL) RELA &lt;-- RELA or REL ?
0x0000000000000017 (JMPREL) 0x400368 &lt;-- address of .rela.plt section
0x0000000000000007 (RELA) 0x400350 &lt;-- address of .rela.dyn section
0x0000000000000008 (RELASZ) 24 (bytes) &lt;-- total size of .rela.dyn section
0x0000000000000009 (RELAENT) 24 (bytes) &lt;-- size of an entry in .rela.dyn section
0x000000006ffffffe (VERNEED) 0x400330 &lt;-- address of .gnu.version_r section
0x000000006fffffff (VERNEEDNUM) 1 &lt;-- number of needed versions
0x000000006ffffff0 (VERSYM) 0x400328 &lt;-- address of .gnu.version section
0x0000000000000000 (NULL) 0x0 &lt;-- marks the end of .dynamic section
</pre>
Each entry in <tt>DYNAMIC</tt> segment is a struct of only two members:
"tag" and "value". The <tt>NEEDED</tt>, <tt>INIT</tt> ... above
are "tags" (see <tt><a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=elf/elf.h">/usr/include/elf.h</a></tt>)
<p>Other tags of interest are:
</p><pre>BIND_NOW The same as BIND_NOW in FLAGS. This has been superseded by
BIND_NOW in FLAGS
CHECKSUM The checksum value used by <a href="https://web.archive.org/web/20201202024834/http://www.wikipedia.org/wiki/Prelink">prelink</a>.
DEBUG At runtime ld.so will fill its value with the runtime
address of r_debug structure (see elf/rtld.c)
and this info is used by GDB (see elf_locate_base function
in GDB's source tree).
FINI Address of .fini section
FINI_ARRAY Address of .fini_array section
FINI_ARRAYSZ Size of .fini_array section
FLAGS Additional flags, such as BIND_NOW, STATIC_TLS, TEXTREL..
FLAGS_1 Additional flags used by Solaris, such as NOW (the same as BIND_NOW), INTERPOSE..
GNU_PRELINKED The timestamp string when the binary object is last <a href="https://web.archive.org/web/20201202024834/http://www.wikipedia.org/wiki/Prelink">prelinked</a>.
INIT Address of .init section
INIT_ARRAY Address of .init_array section
INIT_ARRAYSZ Size of .init_array section
INTERP Address of .interp section
PREINIT_ARRAY Address of .preinit_array section
PREINIT_ARRAYSZ Size of .preinit_array section
RELACOUNT Number of R_X86_64_RELATIVE entries in RELA segment (.rela.dyn
section)
RPATH Dynamic library search path, which has higher precendence than
LD_LIBRARY_PATH. RPATH is ignored if RUNPATH is present.
<font color="red">Use of RPATH is deprecated</font>.
When one uses "gcc -Wl,-rpath=... " to build binaries, the info
is stored here.
RUNPATH Dynamic library search path, which has lower precendence than
LD_LIBRARY_PATH.
When one uses "gcc -Wl,-rpath=...<font color="LightGreen">,--enable-new-dtags</font>"
to build binaries, the info is stored here.
(See <a href="https://web.archive.org/web/20201202024834/http://blog.lxgcc.net/?tag=dt_runpath">here</a> for details.)
One can use <a href="https://web.archive.org/web/20201202024834/http://linux.die.net/man/1/chrpath">chrpath</a>
tool to manipulate RPATH and RUNPATH settings.
SONAME Shared object (i.e. dynamic library) name. When one uses
"gcc -Wl,-soname=... " to build binaries, the info is
stored here.
TEXTREL Relocation might modify .text section.
VERDEF Address of .gnu.version_d section
VERDEFNUM Number of version definitions.
</pre>
<h2>Runtime Relocation</h2>
After exploring <tt>DYNAMIC</tt> segment, we can explain how <tt>ld.so</tt> performs
runtime relocation.
<p>
First, before <tt>ld.so</tt> loads all dependent libraries of a dynamic executable,
it needs to run its own relocation! Even if <tt>ld.so</tt> is a statically-linked binary,
it also has a <tt>DYNAMIC</tt> segment and thus <tt>PLTREL</tt> (<tt>.rela.dyn</tt> section)
and <tt>JMPREL</tt> (<tt>.rela.plt</tt> section) tags:
</p><pre>$ readelf -a `readelf -p .interp /bin/sh | awk '/ld/ {print $3}'`
....
Dynamic section at offset 0x14e18 contains 22 entries:
Tag Type Name/Value
0x000000000000000e (SONAME) Library soname: [ld-linux-x86-64.so.2]
0x0000000000000004 (HASH) 0x3269500190
0x0000000000000005 (STRTAB) 0x3269500578
0x0000000000000006 (SYMTAB) 0x3269500260
0x000000000000000a (STRSZ) 388 (bytes)
0x000000000000000b (SYMENT) 24 (bytes)
0x0000000000000003 (PLTGOT) 0x3269614f98
0x0000000000000002 (PLTRELSZ) 120 (bytes)
0x0000000000000014 (PLTREL) RELA
0x0000000000000017 (JMPREL) 0x32695009a0
0x0000000000000007 (RELA) 0x32695007c0
0x0000000000000008 (RELASZ) 480 (bytes)
0x0000000000000009 (RELAENT) 24 (bytes)
0x000000006ffffffc (VERDEF) 0x3269500740
0x000000006ffffffd (VERDEFNUM) 4
0x0000000000000018 (BIND_NOW)
0x000000006ffffffb (FLAGS_1) Flags: NOW
0x000000006ffffff0 (VERSYM) 0x32695006fc
0x000000006ffffff9 (RELACOUNT) 19
0x000000006ffffdf8 (CHECKSUM) 0x4c4e099e
0x000000006ffffdf5 (<font color="Orange">GNU_PRELINKED</font>) 2010-08-26T08:13:28
0x0000000000000000 (NULL) 0x0
Relocation section '.rela.dyn' at offset 0x7c0 contains 20 entries:
Offset Info Type Sym. Value Sym. Name + Addend
003269614cf0 000000000008 R_X86_64_RELATIVE 000000326950dd80
....
003269615820 000000000008 R_X86_64_RELATIVE 0000003269501140
003269614fe0 001e00000006 R_X86_64_GLOB_DAT 0000003269615980 _r_debug + 0
Relocation section '.rela.plt' at offset 0x9a0 contains 5 entries:
Offset Info Type Sym. Value Sym. Name + Addend
003269614fb0 000b00000007 R_X86_64_JUMP_SLO 000000326950f1b0 <font color="LightGreen">__libc_memalign</font> + 0
003269614fb8 000c00000007 R_X86_64_JUMP_SLO 000000326950f2b0 <font color="LightGreen">malloc</font> + 0
003269614fc0 001200000007 R_X86_64_JUMP_SLO 000000326950f2c0 <font color="LightGreen">calloc</font> + 0
003269614fc8 001800000007 R_X86_64_JUMP_SLO 000000326950f340 <font color="LightGreen">realloc</font> + 0
003269614fd0 002000000007 R_X86_64_JUMP_SLO 000000326950f300 <font color="LightGreen">free</font> + 0
</pre>
Note that the <tt>ld.so</tt> is <font color="Orange">prelinked</font>. On Fedora and Red Hat Enterprise Linux
(RHEL) systems, <a href="https://web.archive.org/web/20201202024834/http://lwn.net/Articles/341244/">prelink is run every two weeks</a>.
To see if your Linux has similar setup, check <tt>/etc/sysconfig/prelink</tt>
and <tt>/etc/prelink.conf</tt>
<p>
<b>What does this prelink do</b>? It changes the base address of a dynamic library
to the actual address in the user program's address space when it is loaded into memory.
Of course, <tt>ld.so</tt> recognizes <font color="Orange"><tt>GNU_PRELINKED</tt></font>
tag and will load a dynamic library to its this base address (recall the first argument of
<tt>mmap</tt> is the preferred address; of course, this is subject to the operating system.)
</p><p>Normally, a dynamic library
is built as <a href="https://web.archive.org/web/20201202024834/http://www.wikipedia.org/wiki/Position_independent_code">position independent code</a>,
i.e. the <tt>-fPIC</tt> compiler command-line option, and thus the base address is
0. For example, a normal libc.so has ELF program header as follows (<tt>readelf -l</tt> command):
</p><pre>Program Headers:
Type Offset VirtAddr PhysAddr
FileSiz MemSiz Flags Align
LOAD 0x0000000000000000 <font color="Orange">0x0000000000000000</font> 0x0000000000000000
0x0000000000179058 0x0000000000179058 R E 200000
LOAD 0x0000000000179730 0x0000000000379730 0x0000000000379730
0x0000000000004668 0x00000000000090f8 RW 200000
....
</pre>
And when calling <tt>mmap</tt> with address 0 (i.e. NULL)
the operating system can choose any address it feels appropriate.
<p>
A prelinked one, on the other hand, has its ELF program header as follows:
</p><pre>Program Headers:
Type Offset VirtAddr PhysAddr
FileSiz MemSiz Flags Align
LOAD 0x0000000000000000 <font color="Orange">0x0000003433e00000</font> 0x0000003433e00000
0x000000000001bb80 0x000000000001bb80 R E 200000
LOAD 0x000000000001bb90 0x000000343401bb90 0x000000343401bb90
0x0000000000000f58 0x00000000000010f8 RW 200000
</pre>
<b>What is the advantage of prelinking</b>?
<tt>ld.so</tt> will not process <tt>R_X86_64_RELATIVE</tt> relocation types
since they are already in the "right" place in user program's address space.
The extra benefit of this is the memory regions which
<tt>ld.so</tt> would have written to (if <tt>R_X86_64_RELATIVE</tt> needs
processing) will not incur any Copy-On-Writes and thus can be made Read-Only.<p>
According to <a href="https://web.archive.org/web/20201202024834/http://lwn.net/Articles/341309/">this post</a>, for GUI
programs, which tend to link against dozens of dynamic libraries and use lengthy
C++ demangled names, the speed up can be an order of magnitude.
</p><p>
<b>How to disable prelinking at runtime</b>?
Run the user program with <tt>LD_USE_LOAD_BIAS</tt> environmental
variable set to 0.
</p><p>
<b>How does <tt>ld.so</tt> process its own relocation</b>?
</p><p>
The relocation is done by <tt>_dl_relocate_object</tt> function
in Glibc's <a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=elf/dl-reloc.c"><tt>elf/dl-reloc.c</tt></a>, which will call
<tt>elf_machine_rela</tt> function in <a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=sysdeps/x86_64/dl-machine.h"><tt>sysdeps/x86_64/dl-machine.h</tt></a>
to do the majority of work.
</p><p>
First to be processed is the <tt>.rela.dyn</tt> relocation table,
which contains a bunch of <tt>R_X86_64_RELATIVE</tt> types
and one <tt>R_X86_64_GLOB_DAT</tt> type (the variable <tt>_r_debug</tt>)
</p><p>
If prelink is used, i.e. <tt>ld.so</tt> is indeed loaded
to the desired address, then <tt>R_X86_64_RELATIVE</tt>
relocation types will be ignored. If not,
then the address calculation for <tt>R_X86_64_RELATIVE</tt> types
is
</p><pre>Base Address + Value Stored at [Base Address + Offset]
</pre>
For example, in <tt>ld.so</tt>'s case, its base address
is 2a95556000 (can be obtained from <tt>pmap</tt> command; inside <tt>ld.so</tt>,
it calls <tt>elf_machine_load_address</tt> function to get this value)
<pre>0000400000 4K r-x-- /tmp/a.out
0000500000 4K rw--- /tmp/a.out
<font color="lightgreen">2a95556000</font> 92K r-x-- /lib64/ld.so
2a9556d000 8K rw--- [ anon ]
2a95599000 4K rw--- [ anon ]
2a9566c000 4K r---- /lib64/ld.so
2a9566d000 4K rw--- /lib64/ld.so
3269700000 1216K r-x-- /lib64/libc-2.3.4.so
...
</pre>
And <tt>ld.so</tt>'s <tt>.rela.dyn</tt> relocation table is (<font color="red">no prelinked</font>!
If <tt>ld.so</tt> is prelinked, the offset will be in a much higher address)
<pre>Relocation section '.rela.dyn' at offset 0x7c0 contains 20 entries:
Offset Info Type Sym. Value Sym. Name + Addend
000000116d50 000000000008 R_X86_64_RELATIVE 000000000000e250
...
</pre>
so the relocation for 000000116d50 is processed as
<pre><font color="lightgreen">0x2a95556000</font> + *(0x116d50+<font color="lightgreen">0x2a95556000</font>)
</pre>
and this new value is stored at 0x2a9566cd50 (=0x116d50+0x2a95556000)
<p>As <tt>R_X86_64_RELATIVE</tt> types do not require symbol lookups,
they are handled in a tight loop in
<tt>elf_machine_rela_relative</tt> function in
<a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=sysdeps/x86_64/dl-machine.h"><tt>sysdeps/x86_64/dl-machine.h</tt></a>
</p><p>
<b>Any relocation types other than <tt>R_X86_64_RELATIVE</tt> need to go
through symbol resolution first.</b>
</p><p>
So what about <tt>R_X86_64_GLOB_DAT</tt> relocation type in <tt>ld.so</tt> ?
First, <tt>RESOLVE_MAP</tt> (a macro defined within <a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=elf/dl-reloc.c"><tt>elf/dl-reloc.c</tt></a>)
is called (with r_type = <tt>R_X86_64_GLOB_DAT</tt>)
to find out which ELF binary (could be the user's program or its dependent
dynamic libraries)
contains this symbol. Then
<tt>R_X86_64_GLOB_DAT</tt> relocation type is calculated as
</p><pre>Base Address + Symbol Value + Addend
</pre>
where <tt>Base Address</tt> is the base address
of ELF binary which contains the symbol, and
<tt>Symbol Value</tt> is the symbol value from
the symbol table of ELF binary which contains the symbol.
<p>
So for <tt>ld.so</tt>,
</p><pre>Relocation section '.rela.dyn' at offset 0x7c0 contains 20 entries:
Offset Info Type Sym. Value Sym. Name + Addend
....
000000116fe0 001e00000006 R_X86_64_GLOB_DAT <font color="SkyBlue">00000000001179c0</font> _r_debug + <font color="MediumOrchid">0</font>
</pre>
The relocation for 000000116fe0 is processed as
<pre><font color="lightgreen">0x2a95556000</font> + <font color="SkyBlue">0x1179c0</font> + <font color="MediumOrchid">0</font>
</pre>
because <tt>ld.so</tt> determines <tt>_r_debug</tt>
can be found from itself. The calculated value is stored at 0x2a9566cfe0 (=0x116fe0+0x2a95556000).
<p>
The next to be processed by <tt>ld.so</tt>
is its own <tt>.rela.plt</tt> relocation table,
which contains a bunch of <tt>R_X86_64_JUMP_SLOT</tt> types.
This reloction type is handled exactly the same way as <tt>R_X86_64_GLOB_DAT</tt>.
</p><p>
After <tt>ld.so</tt> finishes its own relocation, it loads user program's
dependent libraries and process their relocations one by one.
First, <tt>ld.so</tt> handles <tt>libc.so</tt>'s relocation.
<tt>libc.so</tt> has two relocation types we have not covered so far:
<tt>R_X86_64_64</tt> and <tt>R_X86_64_TPOFF64</tt>.
</p><p>
<tt>R_X86_64_64</tt> relocation type is processed by first looking
up the symbol's runtime <b>absolute</b> address, and then
calculating
</p><pre>Absolute Address + Addend
</pre>
And the <tt>R_X86_64_TPOFF64</tt> relocation type is calculated as
<pre>Symbol Value + Addend - TLS Offset
</pre>
which usually results in a negative value.
<h2><tt>R_X86_64_COPY</tt> relocation type</h2>
<tt>R_X86_64_COPY</tt> relocation type is used when a dynamic binary refers
to an <b>initialized</b> global variable (not a function!) defined in a dynamic link library. Unlike
functions, <font color="Yellow">for variables, there is no lazy binding, and
the trampoline trick used in <tt>.plt</tt> section
does not work.</font> Instead, the global variable will actually be allocated
in dynamic binary's <font color="Yellow"><tt>.bss</tt> section</font>.
<p>
To see how <tt>R_X86_64_COPY</tt> relocation type works, consider the following two code:
</p><pre>foo.c
int foo=4;
void foo_access() {
foo=5;
}
bar.c
#include &lt;stdio.h&gt;
extern int foo;
int main() {
printf("foo=%d\n",foo);
}
</pre>
Now compile them as follows:
<pre>$ gcc -shared -fPIC -Wl,-soname=libfoo.so foo.c -o /tmp/libfoo.so
$ gcc bar.c -o bar -L/tmp -lfoo
</pre>
And run them as
<pre>$ LD_PRELOAD=/tmp/libfoo.so ./bar
</pre>
Before explaining what happened during runtime, we need to examine
the binaries first.
<p>
The <tt>foo_access</tt> in <tt>libfoo.so</tt> is like this:
</p><pre>69c &lt;foo_access&gt;:
69c: push rbp
69d: mov rbp,rsp
6a0: mov rax,QWORD PTR [rip+0x100269] # <font color="lightgreen">100910</font> &lt;_DYNAMIC+0x198&gt;
6a7: mov DWORD PTR [rax],0x5
6ad: leave
6ae: ret
</pre>
So for <tt>libfoo.so</tt>, the <b>address</b> of variable <tt>foo</tt> is
in its <tt>.got</tt> section, not <tt>.data</tt> section:
<pre>$ readelf -a /tmp/libfoo.so
Section Headers:
[Nr] Name Type Address Offset
Size EntSize Flags Link Info Align
...
[18] .got PROGBITS <font color="lightgreen">0000000000100908</font> 00000908
0000000000000020 0000000000000008 WA 0 0 8
[19] .got.plt PROGBITS 0000000000100928 00000928
0000000000000020 0000000000000008 WA 0 0 8
...
[20] .data PROGBITS <font color="lightblue">0000000000100948</font> 00000948
0000000000000014 0000000000000000 WA 0 0 8
...
Relocation section '.rela.dyn' at offset 0x520 contains 6 entries:
Offset Info Type Sym. Value Sym. Name + Addend
000000100948 000000000008 R_X86_64_RELATIVE 0000000000100948
000000100950 000000000008 R_X86_64_RELATIVE 0000000000100768
000000100908 000f00000006 R_X86_64_GLOB_DAT 0000000000000000 __cxa_finalize + 0
000000100910 001100000006 R_X86_64_GLOB_DAT <font color="lightblue">0000000000100958</font> foo + 0
....
</pre>
But what about the address <font color="lightblue">0x100958</font> ? This address
is in <tt>libfoo.so</tt>'s <tt>.data</tt> section! Well, <font color="lightblue">0x100958</font>
has the initial value of <tt>foo</tt> (in our example, 4) At runtime, <tt>ld.so</tt>
will copy this value to <tt>bar</tt>'s <tt>.bss</tt> section:
<pre>$ objdump -sj .data libfoo.so
libfoo.so: file format elf64-x86-64
Contents of section .data:
100948 48091000 00000000 68071000 00000000 H.......h.......
<font color="lightblue">100958 04000000</font> ....
</pre>
<p>
Next, disassemble the <tt>main</tt> function of <tt>bar</tt>:
</p><pre>4005f8 &lt;main&gt;:
4005f8: push rbp
4005f9: mov rbp,rsp
4005fc: mov esi,DWORD PTR [rip+0x1003de] # <font color="lightgreen">5009e0</font> &lt;__bss_start&gt;
400602: mov edi,0x40070c
400607: mov eax,0x0
40060c: call 400528 &lt;printf@plt&gt;
400611: leave
400612: ret
</pre>
So the variable <tt>foo</tt> is indeed located in
<tt>bar</tt>'s <tt>.bss</tt> section. Let's double check with <tt>nm</tt>:
<pre>$ nm -n bar | grep 5009e0
00000000005009e0 A __bss_start
00000000005009e0 A _edata
00000000005009e0 B <font color="lightgreen">foo</font>
</pre>
(Symbols such as <tt>__bss_start</tt> and <tt>_edata</tt> are defined by the default <tt>ld</tt> script;
one can search them in the output of <tt>ld -verbose</tt> command.)
<p>
The dynamic relocation table of <tt>bar</tt> is:
</p><pre>Relocation section '<font color="lightgreen">.rela.dyn</font>' at offset 0x490 contains 2 entries:
Offset Info Type Sym. Value Sym. Name + Addend
000000500998 000c00000006 R_X86_64_GLOB_DAT 0000000000000000 __gmon_start__ + 0
0000005009e0 000700000005 <font color="lightgreen">R_X86_64_COPY 00000000005009e0</font> foo + 0
</pre>
<b>Now what happens during runtime is this</b>: After <tt>ld.so</tt> loads all dependent
dynamic libraries, it starts processing their relocations.
When it sees <tt>foo</tt> of <tt>libfoo.so</tt>, it
calls <tt>RESOLVE_MAP</tt> with r_type = <tt>R_X86_64_GLOB_DAT</tt> to get
the Base Address, which is 0, and Symbol Value, which is
<font color="lightgreen">5009e0</font>. Next it
sees <tt>foo</tt> of <tt>libfoo.so</tt> has
<tt>R_X86_64_GLOB_DAT</tt> relocation type,
so it calculates the new address as 5009e0 = 0 + 5009e0 + 0 (addend)
and stores the result somewhere inside <tt>.got</tt> section.
<p>
After <tt>ld.so</tt> has processed relocations of all
dynamic libraries, it starts processing the relocation table
of <tt>bar</tt>. When it sees <tt>foo</tt> of <tt>bar</tt>, it
calls <tt>RESOLVE_MAP</tt> again, but with r_type = <tt>R_X86_64_COPY</tt>. This time, the address returned is
the runtime address of <font color="lightblue"><tt>foo</tt> in <tt>libfoo.so</tt>'s
<tt>.data</tt> section</font>. As mentioned earlier, this
address holds the initial value of <tt>foo</tt>.
Next it sees <tt>foo</tt> of <tt>bar</tt> has <font color="lightgreen"><tt>R_X86_64_COPY</tt></font>
relocation type, so it uses <tt>memcpy</tt>
to copy data to <font color="lightgreen">5009e0</font>
(see the <tt>Sym. Value</tt> of <tt>.rela.dyn</tt> section of <tt>bar</tt> above)
from the runtime address of <font color="lightblue"><tt>foo</tt> in <tt>libfoo.so</tt>'s
<tt>.data</tt> section</font> (see Glibc source file <a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=sysdeps/x86_64/dl-machine.h"><tt>sysdeps/x86_64/dl-machine.h</tt></a>)
</p><p>
The above example also illustrates <font color="Yellow">the difference
between <tt>.got</tt> section and <tt>.got.plt</tt> section.</font>
For the runtime linker <tt>ld.so</tt>, all it knows is
entries in <tt>PLTREL</tt> segment, i.e. <tt>.rela.dyn</tt> section,
(which corresponds to <tt>.got</tt> section)
must be <font color="Yellow">resolved/relocated immediately</font>, while entries in
<tt>JMPREL</tt> segment, i.e. <tt>.rela.plt</tt> section,
(which corresponds to <tt>.got.plt</tt> section) can use
<font color="Yellow">lazy binding</font>. For x86_64 architecture, the relocation is actually not
needed for <tt>R_X86_64_JUMP_SLOT</tt> relocation types (albeit the
symbol resolution is still needed)
</p><h2>PIC or no PIC</h2>
When building a dynamic library, we are told to <b>always</b> compile the code with <tt>-fPIC</tt>
option.
<p>
<b>What's the difference then</b> ?
</p><p>
Consider the following simple code:
</p><pre>#include &lt;stdio.h&gt;
int bar;
void foo() {
printf("%d\n",bar);
}
</pre>
Compile the above code in 32-bit mode with and without <tt>-fPIC</tt>:
<pre>$ gcc -shared -m32 foo.c -o nopic.so
$ gcc -shared -m32 -fPIC foo.c -o pic.so
</pre>
(If you try to compile the above in 64-bit mode, <font color="red">GCC will
stop and insist you should compile with <tt>-fPIC</tt> option</font>, i.e. you are going to
see error message such as
<tt>relocation R_X86_64_PC32 against symbol `XXXYYY' can not be used when making a shared object; recompile with -fPIC</tt>)
The sections and relocation tables of <font color="Orange"><tt>nopic.so</tt></font>
and <font color="LightCoral"><tt>pic.so</tt></font>
are shown at left and right hand side, respectively:
<pre>Section Headers: Section Headers:
[Nr] Name Type Addr [Nr] Name Type Addr
[ 0] NULL 0000 [ 0] NULL 0000
... ...
[ 8] .init PROGBITS 02f8 [ 8] .init PROGBITS 02f0
[ 9] .plt PROGBITS 0310 [ 9] .plt PROGBITS 0308
<font color="Orange">[10] .text PROGBITS 0340</font> [10] .text PROGBITS 0350
[11] .fini PROGBITS 0488 [11] .fini PROGBITS 04a8
[12] .rodata PROGBITS 04a4 [12] .rodata PROGBITS 04c4
... ...
[17] .dynamic DYNAMIC 14c0 [17] .dynamic DYNAMIC 14e0
[18] .got PROGBITS 1590 <font color="LightCoral">[18] .got PROGBITS 15a8</font>
[19] .got.plt PROGBITS 159c <font color="LightCoral">[19] .got.plt PROGBITS 15b8</font>
<font color="Orange">[20] .data PROGBITS 15b0</font> [20] .data PROGBITS 15d0
... ...
Relocation section '.rel.dyn' at offset 0x2b0 Relocation section '.rel.dyn' at offset 0x2b0
contains 7 entries: contains 5 entries:
Offset Info Type Sym.Value Sym. Name Offset Info Type Sym.Value Sym. Name
<font color="Orange">00000439 00000008 R_386_RELATIVE</font> 000015d0 00000008 R_386_RELATIVE
<font color="Orange">000015b0 00000008 R_386_RELATIVE</font> <font color="LightCoral">000015a8 00000106 R_386_GLOB_DAT 000015dc bar</font>
<font color="Orange">00000434 00000101 R_386_32 000015bc bar</font> ...
<font color="Orange">00000445 00000602 R_386_PC32 00000000 printf</font>
...
Relocation section '.rel.plt' at offset 0x2e8: Relocation section '.rel.plt' at offset 0x2d8
contains 2 entries: contains 3 entries:
Offset Info Type Sym.Value Sym. Name Offset Info Type Sym.Value Sym. Name
000015a8 00000207 R_386_JUMP_SLOT 00000000 __gmon_start__ 000015c4 00000207 R_386_JUMP_SLOT 00000000 __gmon_start__
000015ac 00000a07 R_386_JUMP_SLOT 00000000 __cxa_finalize <font color="LightCoral">000015c8 00000607 R_386_JUMP_SLOT 00000000 printf</font>
...
</pre>
When we compile with <tt>-fPIC</tt> we can see the variable <tt>bar</tt>
has the right relocation type (<tt>R_386_GLOB_DAT</tt>)
and the relocation takes place in the right section (<tt>.got</tt>) The same for
<tt>printf</tt>.
<p>
Without <tt>-fPIC</tt>, the relocations of the format string "\n", <tt>bar</tt>
and <tt>printf</tt> all take place inside the <tt>.text</tt> section!
But we know <tt>.text</tt> section is in a Read-Only <tt>LOAD</tt>
segment, so what <tt>ld.so</tt> would do ?
</p><p>
As expected, <tt>ld.so</tt> will make <tt>.text</tt> section
writeable, patch the bytes, and make it Read-Only again. Since the
relocation of both <tt>bar</tt> and <tt>printf</tt> are
in <tt>.rel.dyn</tt>, their relocations are performed immediately
(no lazy binding), so this approach is feasible.
</p><p>
So how does <tt>ld.so</tt> handle
<font color="Orange"><tt>R_386_RELATIVE</tt></font>,
<font color="Orange"><tt>R_386_32</tt></font>
and <font color="Orange"><tt>R_386_PC32</tt></font> relocation types ?
</p><p>
Let's look at the disassembly:
</p><pre>0000042c &lt;foo&gt;:
42c: 55 push ebp
42d: 89 e5 mov ebp,esp
42f: 83 ec 18 sub esp,0x18
432: 8b 15 <font color="Orange">00 00 00 00</font> mov edx,DWORD PTR ds:0x0 &lt;-- reference to bar
438: b8 <font color="Orange">a4 04 00 00</font> mov eax,0x4a4 &lt;-- reference to "%d\n" format string in .rodata
43d: 89 54 24 04 mov DWORD PTR [esp+0x4],edx
441: 89 04 24 mov DWORD PTR [esp],eax
444: e8 <font color="Orange">fc ff ff ff</font> call 445 &lt;foo+0x19&gt; &lt;-- reference to printf
449: c9 leave
44a: c3 ret
</pre>
How would the 4 bytes starting at 445 (<tt>R_386_PC32</tt> type)
be patched ? Suppose at runtime, our
<font color="Orange"><tt>nopic.so</tt></font> is loaded
into memory with base address 8000, and the 4 bytes
to be patched are now at 8000 + 445 = 8445.
Furthermore, suppose <tt>ld.so</tt> has determined
the entry address of <tt>printf</tt> to be 10000, then
<tt>ld.so</tt> calculates the <b>relative</b> offset as follows:
<pre>10000 - 8445 + fffffffc = 7bb7
</pre>
(fffffffc is -4) so <tt>ld.so</tt> replaces <font color="Orange"><tt>fc ff ff ff</tt></font>
with <font color="Orange"><tt>b7 7b 00 00</tt></font>
<p>
To patch the 4 bytes starting at 434 (<tt>R_386_32</tt> type) is simpler.
<tt>ld.so</tt> will simply overwrite the 4 bytes with the runtime <b>absolute</b>
address of <tt>bar</tt>.
</p><p>
To patch the 4 bytes starting at 439 (<tt>R_386_RELATIVE</tt> type)
<tt>ld.so</tt> calculates the address as
</p><pre>10000 + 4a4 = 104a4
</pre>
so <tt>ld.so</tt> replaces <font color="Orange"><tt>a4 04 00 00</tt></font>
with <font color="Orange"><tt>a4 04 01 00</tt></font>
<p>
Finally, what about the <tt>R_386_RELATIVE</tt> relocation at <font color="Orange">15b0</font> ?
15b0 is the starting address of <tt>.data</tt> section, and the first 4 bytes
of <tt>.data</tt> section stores its own address, 15b0. So it has to be
relocated and patched as <tt>115b0</tt>.
</p><p>
In conclusion, <tt>R_386_RELATIVE</tt> means "32-bit relative to base address",
<tt>R_386_PC32</tt> means the "32-bit IP-relative offset"
and <tt>R_386_32</tt> means the "32-bit absolute."
</p><h2>Troubleshooting <tt>ld.so</tt></h2>
<h3>What is "<font color="red">error while loading shared libraries: requires glibc 2.5 or later dynamic linker</font>" ?</h3>
The cause of this error is the dynamic binary (or one of its dependent shared libraries)
you want to run only has <tt>.gnu.hash</tt> section, but the <tt>ld.so</tt> on the target machine
is too old to recognize <tt>.gnu.hash</tt>; it only recognizes the old-school <tt>.hash</tt> section.
<p>
This usually happens when the dynamic binary in question is built using newer version of GCC.
The solution is to recompile the code with either <tt>-static</tt> compiler command-line option
(to create a static binary), or the following option:
</p><pre>-Wl,--hash-style=both
</pre>
This tells the link editor <tt>ld</tt> to create both <tt>.gnu.hash</tt> and <tt>.hash</tt> sections.
<p>According to <tt>ld</tt> documentation <a href="https://web.archive.org/web/20201202024834/http://sourceware.org/binutils/docs/ld/Options.html">here</a>,
the old-school <tt>.hash</tt> section is the default, but the compiler can override it. For example,
the GCC (which is version 4.1.2) on RHEL (Red Hat Enterprise Linux) Server release 5.5 has
this line:
</p><pre>$ gcc -dumpspecs
....
*link:
%{!static:--eh-frame-hdr} %{!m32:-m elf_x86_64} %{m32:-m elf_i386} <font color="LightGreen">--hash-style=gnu</font> %{shared:-shared} ....
...
</pre>
<p>For more information, see <a href="https://web.archive.org/web/20201202024834/http://crtags.blogspot.com/2010/11/elf-elf-elf-dont-do-it.html">here</a>.
</p><h3>What is "<font color="red">Floating point exception</font>" ?</h3>
The cause of this error is the same as the previous question. On certain systems, e.g. RHEL, the old version <tt>ld.so</tt>
is <a href="https://web.archive.org/web/20201202024834/http://www.wikipedia.org/wiki/Backporting">backported</a> to emit "error while loading shared libraries: requires glibc 2.5 or later dynamic linker", but
this is not always the case, and you will see this error instead.
<h3>What is "<font color="red">.../libc.so.6: version `GLIBC_2.4' not found </font>" ?</h3>
As the error message says, some of the symbols need Glibc version 2.4 or higher. This can also be
seen by
<pre>$ objdump -x foo | grep 'Version References' -A10
Version References:
required from libc.so.6:
0x0d696914 0x00 03 GLIBC_2.4
0x09691a75 0x00 02 GLIBC_2.2.5
...
</pre>
The fix is to recompile the code with <tt>-static</tt> compiler command-line option.
<h3>What is "<font color="red">FATAL: kernel too old</font>" ?</h3>
Even if you recompile the code with <tt>-static</tt> compiler command-line option to avoid
any dependency on the dynamic Glibc library, you could still encounter the error
in question, and your code will exit with Segmentation Fault error.
<p>
This kernel version check is done by <tt>DL_SYSDEP_OSCHECK</tt> macro in Glibc's
<a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=sysdeps/unix/sysv/linux/dl-osinfo.h"><tt>sysdeps/unix/sysv/linux/dl-osinfo.h</tt></a>
It calls <tt>_dl_discover_osversion</tt> to get current kernel's version.
</p><p>
To wit, run your code (suppose it is not stripped) inside gdb,
</p><pre>(gdb) <font color="LightGreen">run</font>
Starting program: foo
FATAL: kernel too old
Program received signal SIGSEGV, Segmentation fault.
0x00000000004324a9 in ptmalloc_init ()
(gdb) <font color="LightGreen">call _dl_discover_osversion()</font>
$1 = 132617
(gdb) <font color="LightGreen">p/x $1</font>
$2 = 0x20609
(gdb)
</pre>
Here <tt>0x20609</tt> means the current kernel version is 2.6.9.
<p>
The fix (or hack) is to add the following function in your code:
</p><pre>int _dl_discover_osversion() { return 0xffffff; }
</pre>
and compile your code with <tt>-static</tt> compiler command-line option.
<h2>Exploring Glibc's <tt>pthread_t</tt></h2>
When one creates a thread using the Pthread API, one will get a <tt>pthread_t</tt> object as a handle.
In Glibc, <tt>pthread_t</tt> is actually a pointer pointing to a <tt>pthread</tt>
struct, which is opaque. Its definition can be found in Glibc's source tree at
<a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=nptl/descr.h"><tt>nptl/descr.h</tt></a>. The first member of <tt>pthread</tt> struct is yet
another struct called <tt>tcbhead_t</tt> defined in
system-dependent header files such as
<a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=nptl/sysdeps/x86_64/tls.h"><tt>nptl/sysdeps/x86_64/tls.h</tt></a>. It holds TLS related
information. It contains at least an integer member called <tt>multiple_threads</tt> which
indicates if the process is running in multi-thread mode.
<p>
The second member of <tt>pthread</tt> struct is also
a struct called <tt>list_t</tt> defined in
<a href="https://web.archive.org/web/20201202024834/http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=nptl/sysdeps/pthread/list.h"><tt>nptl/sysdeps/pthread/list.h</tt></a>.
</p><p>
The third and fourth members of <tt>pthread</tt> struct are thread ID and thread
group ID (both are of <tt>pid_t</tt> type).
</p><p>
Other members of <tt>pthread</tt> struct which are of interest: <tt>int cancelhandling</tt> for
cancellation information, <tt>int flags</tt> for thread attributes,
<tt>start_routine</tt> for start position of the code to be executed for the thread,
<tt>void *arg</tt> for the argument to <tt>start_routine</tt>
<tt>void *stackblock</tt> and <tt>size_t stackblock_size</tt> for thread-specific
stack information.
</p><p>
Since <tt>pthread</tt> struct is opaque, how can one obtain the above information,
or more precisely, how can one obtain the offsets of these members within the
<tt>pthread</tt> struct ? We can use the known information and search
for the memory region pointed by <tt>pthread_t</tt>, as in this <a href="https://web.archive.org/web/20201202024834/http://www.acsu.buffalo.edu/%7Echarngda/code/tcb.c">code snippet</a>.
</p></body></html>
<!--
FILE ARCHIVED ON 7:33:47 Sep 22, 2012 AND RETRIEVED FROM THE
INTERNET ARCHIVE ON 14:44:12 Oct 28, 2013.
JAVASCRIPT APPENDED BY WAYBACK MACHINE, COPYRIGHT INTERNET ARCHIVE.
ALL OTHER CONTENT MAY ALSO BE PROTECTED BY COPYRIGHT (17 U.S.C.
SECTION 108(a)(3)).
-->
<!--
FILE ARCHIVED ON 02:48:34 Dec 02, 2020 AND RETRIEVED FROM THE
INTERNET ARCHIVE ON 01:20:04 Feb 03, 2021.
JAVASCRIPT APPENDED BY WAYBACK MACHINE, COPYRIGHT INTERNET ARCHIVE.
ALL OTHER CONTENT MAY ALSO BE PROTECTED BY COPYRIGHT (17 U.S.C.
SECTION 108(a)(3)).
-->