Date: Tue, 4 Apr 2006 12:13:53 +0200
From: Lutz Boehne <lboehne@damogran.de>
To: freebsd-hackers@freebsd.org
Subject: Re: Function calling
Message-ID: <200604041214.01692.lboehne@damogran.de>
In-Reply-To: <c4630b800604040305l4a46f816oa33edd2a09858845@mail.gmail.com>
References: <c4630b800604040305l4a46f816oa33edd2a09858845@mail.gmail.com>
Hi,

> But when the program uses the libc I have more RET than call ...
> What's the good way to find function calls and return ?

I'm doing something similar at the moment, utilizing the Branch Single Stepping
feature available in most x86 CPUs, and came across that same problem.
While debugging the issue, I found out that the dynamic linker "calls"
requested functions by returning to them. I believe this is done because this
is a (the only) generic way to "call" a variable address without destroying
register contents. Any further info or a confirmation of that guess would be
much appreciated.

---
the code in /usr/src/libexec/rtld-elf/i386/rtld_start.S:

/*
 * Binder entry point.  Control is transferred to here by code in the PLT.
 * On entry, there are two arguments on the stack.  In ascending address
 * order, they are (1) "obj", a pointer to the calling object's Obj_Entry,
 * and (2) "reloff", the byte offset of the appropriate relocation entry
 * in the PLT relocation table.
 *
 * We are careful to preserve all registers, even the caller-save
 * registers.  That is because this code may be invoked by low-level
 * assembly-language code that is not ABI-compliant.
 */
        .align  4
        .globl  _rtld_bind_start
        .type   _rtld_bind_start,@function
_rtld_bind_start:
        pushf                           # Save eflags
        pushl   %eax                    # Save %eax
        pushl   %edx                    # Save %edx
        pushl   %ecx                    # Save %ecx
        pushl   20(%esp)                # Copy reloff argument
        pushl   20(%esp)                # Copy obj argument
        call    _rtld_bind@PLT          # Transfer control to the binder
        /* Now %eax contains the entry point of the function being called. */
        addl    $8,%esp                 # Discard binder arguments
        movl    %eax,20(%esp)           # Store target over obj argument
        popl    %ecx                    # Restore %ecx
        popl    %edx                    # Restore %edx
        popl    %eax                    # Restore %eax
        popf                            # Restore eflags
        leal    4(%esp),%esp            # Discard reloff, do not change eflags
        ret                             # "Return" to target address
---

Lutz
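Added example, not part of the message or of the FreeBSD sources: a shadow-stack matcher for a CALL/RET branch trace that pairs each RET with the CALL whose return address it targets, and flags a RET whose target is not a pending return address as a return-used-as-jump, which is exactly what the final `ret` of `_rtld_bind_start` above is. The trace and all addresses are constructed and hypothetical; they only reproduce the shape of the lazy-binding path (two CALLs, three RETs) that the thread is asking about.

```python
from dataclasses import dataclass

@dataclass
class Branch:
    kind: str      # "call" or "ret"
    src: int       # address of the branching instruction
    dst: int       # address control is transferred to
    size: int = 5  # insn length; a call's return address is src + size

def pair_calls_and_returns(trace):
    """Return (matched (call_src, ret_src) pairs, RETs used as jumps)."""
    shadow = []        # pending (call_src, return_addr), innermost last
    pairs, ret_as_jump = [], []
    for ev in trace:
        if ev.kind == "call":
            shadow.append((ev.src, ev.src + ev.size))
        elif ev.kind == "ret":
            if shadow and shadow[-1][1] == ev.dst:
                call_src, _ = shadow.pop()
                pairs.append((call_src, ev.src))
            else:
                # Target is not the pending return address: the RET is
                # an indirect jump (rtld "returning" into the resolved
                # function), so the shadow stack is left untouched.
                ret_as_jump.append(ev)
    return pairs, ret_as_jump

# Constructed trace (hypothetical addresses) of the lazy-binding path:
# main calls foo@plt; the PLT stub jmps (no event) into _rtld_bind_start,
# which calls _rtld_bind, then "returns" to foo; foo later returns to main.
MAIN_CALL, MAIN_RET = 0x08048400, 0x08048405
RTLD_CALL, RTLD_RET = 0x2805A010, 0x2805A015
BIND_RET_INSN = 0x2805C800    # ret at the end of _rtld_bind
START_RET_INSN = 0x2805A020   # final ret of _rtld_bind_start
FOO, FOO_RET_INSN = 0x28070100, 0x28070130

LAZY_BIND_TRACE = [
    Branch("call", MAIN_CALL, 0x08048300),      # main -> foo@plt
    Branch("call", RTLD_CALL, 0x2805C700),      # -> _rtld_bind
    Branch("ret", BIND_RET_INSN, RTLD_RET),     # normal return
    Branch("ret", START_RET_INSN, FOO),         # ret used as a jump
    Branch("ret", FOO_RET_INSN, MAIN_RET),      # foo returns
]

def summarize(trace=LAZY_BIND_TRACE):
    pairs, jumps = pair_calls_and_returns(trace)
    return {"calls": sum(e.kind == "call" for e in trace),
            "rets": sum(e.kind == "ret" for e in trace),
            "matched": len(pairs), "ret_as_jump": [e.src for e in jumps]}
```

The same mismatch check is what a shadow-stack or CFI monitor uses, so a tracer that counts RETs against CALLs needs to whitelist or recognise the binder's return-as-jump rather than treat every such event as a violation.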