From owner-freebsd-hackers@FreeBSD.ORG Wed Apr 5 15:35:13 2006
From: "Nicolas Cormier" <n.cormier@gmail.com>
To: freebsd-hackers@freebsd.org
Date: Wed, 5 Apr 2006 17:28:37 +0200
Subject: Re: Function calling
In-Reply-To: <200604041214.01692.lboehne@damogran.de>
References: <200604041214.01692.lboehne@damogran.de>
List-Id: Technical Discussions relating to FreeBSD

On 4/4/06, Lutz Boehne wrote:
> Hi,
>
> > But when the program uses the libc I have more RET than call ...
> > What's the good way to find function calls and return ?
>
> I'm doing something similar at the moment, utilizing the Branch Single
> Stepping feature available in most x86 CPUs and came across that same problem.
>
> While debugging the issue, I found out that the dynamic linker "calls"
> requested functions by returning to them. I believe this is done because this
> is a (the only) generic way to "call" a variable address without destroying
> register contents. Any further info or a confirmation of that guess would be
> much appreciated.
>
> --- the code in /usr/src/libexec/rtld-elf/i386/rtld_start.S:
> /*
>  * Binder entry point. Control is transferred to here by code in the PLT.
>  * On entry, there are two arguments on the stack. In ascending address
>  * order, they are (1) "obj", a pointer to the calling object's Obj_Entry,
>  * and (2) "reloff", the byte offset of the appropriate relocation entry
>  * in the PLT relocation table.
>  *
>  * We are careful to preserve all registers, even the caller-save
>  * registers. That is because this code may be invoked by low-level
>  * assembly-language code that is not ABI-compliant.
>  */
>         .align  4
>         .globl  _rtld_bind_start
>         .type   _rtld_bind_start,@function
> _rtld_bind_start:
>         pushf                   # Save eflags
>         pushl   %eax            # Save %eax
>         pushl   %edx            # Save %edx
>         pushl   %ecx            # Save %ecx
>         pushl   20(%esp)        # Copy reloff argument
>         pushl   20(%esp)        # Copy obj argument
>
>         call    _rtld_bind@PLT  # Transfer control to the binder
>         /* Now %eax contains the entry point of the function being called. */
>
>         addl    $8,%esp         # Discard binder arguments
>         movl    %eax,20(%esp)   # Store target over obj argument
>         popl    %ecx            # Restore %ecx
>         popl    %edx            # Restore %edx
>         popl    %eax            # Restore %eax
>         popf                    # Restore eflags
>         leal    4(%esp),%esp    # Discard reloff, do not change eflags
>         ret                     # "Return" to target address
> ---
>
> Lutz
>

Thanks for your answer, it's more difficult than I thought :(
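The imbalance Nicolas noticed (more RETs than CALLs once libc is involved) is exactly what a shadow-stack style call/return matcher sees when lazy binding is in play: `_rtld_bind_start` reaches the resolved function with a `ret`, so that RET has no paired CALL, and the frame pushed by the program's original CALL is only consumed when the target itself returns. The following C program is an added example, not code from the thread or from FreeBSD: it runs a shadow stack over a constructed branch trace (the addresses, the `puts` call and the event layout are all made up for illustration, in the style of an i386 FreeBSD process) and classifies each RET as matched, as a binder return (the target is a known function entry point, the pattern produced by `_rtld_bind_start`), or as unmatched. Keeping binder returns separate is what lets a call/return tracer, or a control-flow integrity check, tell lazy binding apart from a return to an address nobody called from.

```c
#include <stdio.h>
#include <stdint.h>

/* One recorded branch event, as a branch single-stepping tracer would see it. */
typedef enum { EV_CALL, EV_RET } ev_kind;

typedef struct {
    ev_kind  kind;
    uint32_t from;    /* address of the CALL/RET instruction itself */
    uint32_t to;      /* where control went */
    uint32_t retaddr; /* CALL only: address of the instruction after the CALL */
} branch_ev;

#define MAX_DEPTH 64

typedef struct {
    uint32_t ret_site[MAX_DEPTH]; /* shadow stack of expected return addresses */
    int depth;
    int matched_rets;   /* RET landed on the return address of the innermost CALL */
    int binder_rets;    /* RET landed on a function entry point: the rtld binder pattern */
    int unmatched_rets; /* RET landed somewhere else: worth investigating */
} shadow_stack;

static int is_function_entry(uint32_t addr, const uint32_t *entries, int n)
{
    for (int i = 0; i < n; i++)
        if (entries[i] == addr)
            return 1;
    return 0;
}

/* Feed one event into the shadow stack. Returns 0 on success, -1 on overflow. */
static int shadow_step(shadow_stack *s, const branch_ev *ev,
                       const uint32_t *entries, int nentries)
{
    if (ev->kind == EV_CALL) {
        if (s->depth >= MAX_DEPTH)
            return -1;
        s->ret_site[s->depth++] = ev->retaddr;
        return 0;
    }
    /* EV_RET */
    if (s->depth > 0 && s->ret_site[s->depth - 1] == ev->to) {
        s->depth--;
        s->matched_rets++;
    } else if (is_function_entry(ev->to, entries, nentries)) {
        /* _rtld_bind_start "returns" into the resolved target. The frame
         * pushed by the program's original CALL stays on the shadow stack
         * and is consumed when the target itself returns. */
        s->binder_rets++;
    } else {
        s->unmatched_rets++;
    }
    return 0;
}

/* Constructed symbol table (hypothetical addresses, not from any real binary). */
static const uint32_t demo_entries[] = {
    0x08048400u, /* main                      */
    0x2805a1c0u, /* puts, in libc             */
    0x28061000u, /* _rtld_bind_start, in rtld */
    0x28062000u, /* _rtld_bind, in rtld       */
};

/* Constructed trace of a first call to puts() through the PLT. */
static const branch_ev demo_trace[] = {
    /* main calls the puts@PLT stub; the stub's jmp to rtld is not a CALL/RET */
    { EV_CALL, 0x08048410u, 0x08048300u, 0x08048415u },
    /* _rtld_bind_start calls the binder */
    { EV_CALL, 0x2806100cu, 0x28062000u, 0x28061011u },
    /* the binder returns normally */
    { EV_RET,  0x280620f0u, 0x28061011u, 0 },
    /* _rtld_bind_start "returns" to puts: a RET with no paired CALL */
    { EV_RET,  0x28061020u, 0x2805a1c0u, 0 },
    /* puts returns to main, consuming the frame pushed by the first CALL */
    { EV_RET,  0x2805a1f0u, 0x08048415u, 0 },
    /* a RET to an address that is neither a return site nor an entry point */
    { EV_RET,  0x08048420u, 0xdeadbeefu, 0 },
};

/* Run the whole demo trace; returns the number of events processed or -1. */
int run_demo(shadow_stack *s)
{
    *s = (shadow_stack){0};
    int nentries = sizeof demo_entries / sizeof demo_entries[0];
    int n = sizeof demo_trace / sizeof demo_trace[0];
    for (int i = 0; i < n; i++)
        if (shadow_step(s, &demo_trace[i], demo_entries, nentries) != 0)
            return -1;
    return n;
}

int main(void)
{
    shadow_stack s;
    int n = run_demo(&s);
    printf("%d events: matched=%d binder=%d unmatched=%d depth=%d\n",
           n, s.matched_rets, s.binder_rets, s.unmatched_rets, s.depth);
    return 0;
}
```

The trace has two CALLs and four RETs. Two RETs pair with the shadow stack, one is the binder's `ret` into `puts` (recognised only because its target is a known entry point), and the last is a genuinely unmatched return; the shadow stack ends empty, which is the sign that the binder return was correctly left unpaired rather than popping the caller's frame.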