Date: Wed, 5 Apr 2006 17:28:37 +0200
From: "Nicolas Cormier" <n.cormier@gmail.com>
To: freebsd-hackers@freebsd.org
Subject: Re: Function calling
Message-ID: <c4630b800604050828n79ba4f42v3501ab72cb7c5b43@mail.gmail.com>
In-Reply-To: <200604041214.01692.lboehne@damogran.de>
References: <c4630b800604040305l4a46f816oa33edd2a09858845@mail.gmail.com>
 <200604041214.01692.lboehne@damogran.de>
On 4/4/06, Lutz Boehne <lboehne@damogran.de> wrote:
> Hi,
>
> > But when the program uses the libc I have more RET than call ...
> > What's the good way to find function calls and returns?
>
> I'm doing something similar at the moment, utilizing the Branch Single
> Stepping feature available in most x86 CPUs and came across that same problem.
>
> While debugging the issue, I found out that the dynamic linker "calls"
> requested functions by returning to them. I believe this is done because this
> is a (the only) generic way to "call" a variable address without destroying
> register contents. Any further info or a confirmation of that guess would be
> much appreciated.
>
> --- the code in /usr/src/libexec/rtld-elf/i386/rtld_start.S:
> /*
>  * Binder entry point.  Control is transferred to here by code in the PLT.
>  * On entry, there are two arguments on the stack.  In ascending address
>  * order, they are (1) "obj", a pointer to the calling object's Obj_Entry,
>  * and (2) "reloff", the byte offset of the appropriate relocation entry
>  * in the PLT relocation table.
>  *
>  * We are careful to preserve all registers, even the caller-save
>  * registers.  That is because this code may be invoked by low-level
>  * assembly-language code that is not ABI-compliant.
>  */
>         .align  4
>         .globl  _rtld_bind_start
>         .type   _rtld_bind_start,@function
> _rtld_bind_start:
>         pushf                           # Save eflags
>         pushl   %eax                    # Save %eax
>         pushl   %edx                    # Save %edx
>         pushl   %ecx                    # Save %ecx
>         pushl   20(%esp)                # Copy reloff argument
>         pushl   20(%esp)                # Copy obj argument
>
>         call    _rtld_bind@PLT          # Transfer control to the binder
>         /* Now %eax contains the entry point of the function being called. */
>
>         addl    $8,%esp                 # Discard binder arguments
>         movl    %eax,20(%esp)           # Store target over obj argument
>         popl    %ecx                    # Restore %ecx
>         popl    %edx                    # Restore %edx
>         popl    %eax                    # Restore %eax
>         popf                            # Restore eflags
>         leal    4(%esp),%esp            # Discard reloff, do not change eflags
>         ret                             # "Return" to target address
> ---
>
> Lutz
>

Thanks for your answer, it's more difficult than I thought :(
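The trampoline quoted above is exactly why counting CALLs against RETs breaks: its final `ret` transfers control to the resolved function without any CALL having pushed that address. The usual fix for a tracer is a shadow stack: record the return address each CALL pushes and treat a RET as closing a call only when it pops that same address; everything else is a jump dressed as a return. The program below is an added example, not code from the thread or from FreeBSD. The trace it analyzes is constructed by hand with hypothetical addresses to model one lazy PLT binding through `_rtld_bind_start`; a real tracer would fill in the same event structure from single-step or branch-trace data.

```c
/* Pairing CALL and RET events from a branch trace with a shadow stack.
 *
 * Constructed example, not code from the thread or from FreeBSD: the
 * addresses below are made up to model the sequence a single-stepping
 * tracer sees when a program makes its first call through the PLT and
 * _rtld_bind_start "returns" into the resolved function.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { EV_CALL, EV_RET } ev_kind;

/* One taken branch as a tracer would record it.  For EV_CALL, `target`
 * is the callee and `fallthrough` the return address the CALL pushes.
 * For EV_RET, `target` is the address popped from the stack. */
typedef struct {
    ev_kind   kind;
    uintptr_t target;
    uintptr_t fallthrough;
} branch_event;

typedef struct {
    size_t calls;           /* CALL events seen */
    size_t rets;            /* RET events seen */
    size_t matched_rets;    /* RETs whose target was a pushed return address */
    size_t unmatched_rets;  /* RETs used as jumps, e.g. the trampoline's final ret */
    size_t depth;           /* call depth left on the shadow stack at the end */
} trace_stats;

#define SHADOW_MAX 64

/* Naive approach from the thread: count CALLs minus RETs.  Goes negative
 * as soon as a ret-to-target trampoline runs. */
long naive_depth(const branch_event *ev, size_t n)
{
    long depth = 0;
    for (size_t i = 0; i < n; i++)
        depth += (ev[i].kind == EV_CALL) ? 1 : -1;
    return depth;
}

/* Shadow-stack approach: a RET only closes a call if it returns to the
 * address that call pushed; anything else is classified as a jump. */
trace_stats analyze_trace(const branch_event *ev, size_t n)
{
    uintptr_t shadow[SHADOW_MAX];
    size_t sp = 0;
    trace_stats s = {0, 0, 0, 0, 0};

    for (size_t i = 0; i < n; i++) {
        if (ev[i].kind == EV_CALL) {
            s.calls++;
            if (sp < SHADOW_MAX)
                shadow[sp++] = ev[i].fallthrough;
        } else {
            s.rets++;
            if (sp > 0 && shadow[sp - 1] == ev[i].target) {
                sp--;
                s.matched_rets++;
            } else {
                s.unmatched_rets++;
            }
        }
    }
    s.depth = sp;
    return s;
}

/* Constructed trace (hypothetical addresses): main calls puts@PLT; the PLT
 * stub jumps to _rtld_bind_start (jumps are not recorded here), which CALLs
 * _rtld_bind, gets a RET back, then RETs into puts; finally puts RETs to main. */
static const branch_event sample_trace[] = {
    { EV_CALL, 0x08048300u, 0x08048104u },  /* main -> puts@PLT, return addr 0x08048104 */
    { EV_CALL, 0x28061000u, 0x28060020u },  /* _rtld_bind_start -> _rtld_bind */
    { EV_RET,  0x28060020u, 0 },            /* _rtld_bind returns (matched) */
    { EV_RET,  0x28100000u, 0 },            /* "ret" into puts: no CALL pushed this */
    { EV_RET,  0x08048104u, 0 },            /* puts returns to main (matched) */
};
static const size_t sample_trace_len = sizeof sample_trace / sizeof sample_trace[0];

int main(void)
{
    trace_stats s = analyze_trace(sample_trace, sample_trace_len);
    printf("naive depth: %ld\n", naive_depth(sample_trace, sample_trace_len));
    printf("calls=%zu rets=%zu matched=%zu unmatched=%zu depth=%zu\n",
           s.calls, s.rets, s.matched_rets, s.unmatched_rets, s.depth);
    return 0;
}
```

On this trace the naive counter ends at -1, while the shadow stack reports two calls, two matched returns, one unmatched return (the trampoline's `ret` into `puts`) and a final depth of zero. The same pairing rule is what hardware and software shadow stacks use to tell a genuine return from a `ret` that has been repurposed as a jump, whether by a legitimate trampoline like this one or by a ROP chain.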
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?c4630b800604050828n79ba4f42v3501ab72cb7c5b43>