From owner-freebsd-hackers@FreeBSD.ORG Tue Apr 4 10:14:35 2006
From: Lutz Boehne
To: freebsd-hackers@freebsd.org
Date: Tue, 4 Apr 2006 12:13:53 +0200
Message-Id: <200604041214.01692.lboehne@damogran.de>
Subject: Re: Function calling
List-Id: Technical Discussions relating to FreeBSD

Hi,

> But when the program uses the libc I have more RET than call ...
> What's the good way to find function calls and return ?

I'm doing something similar at the moment, utilizing the Branch Single Stepping feature available in most x86 CPUs and came across that same problem.
While debugging the issue, I found out that the dynamic linker "calls" requested functions by returning to them. I believe this is done because this is a (the only) generic way to "call" a variable address without destroying register contents. Any further info or a confirmation of that guess would be much appreciated.

--- the code in /usr/src/libexec/rtld-elf/i386/rtld_start.S:

/*
 * Binder entry point.  Control is transferred to here by code in the PLT.
 * On entry, there are two arguments on the stack.  In ascending address
 * order, they are (1) "obj", a pointer to the calling object's Obj_Entry,
 * and (2) "reloff", the byte offset of the appropriate relocation entry
 * in the PLT relocation table.
 *
 * We are careful to preserve all registers, even the caller-save
 * registers.  That is because this code may be invoked by low-level
 * assembly-language code that is not ABI-compliant.
 */
        .align  4
        .globl  _rtld_bind_start
        .type   _rtld_bind_start,@function
_rtld_bind_start:
        pushf                           # Save eflags
        pushl   %eax                    # Save %eax
        pushl   %edx                    # Save %edx
        pushl   %ecx                    # Save %ecx
        pushl   20(%esp)                # Copy reloff argument
        pushl   20(%esp)                # Copy obj argument
        call    _rtld_bind@PLT          # Transfer control to the binder
        /* Now %eax contains the entry point of the function being called. */
        addl    $8,%esp                 # Discard binder arguments
        movl    %eax,20(%esp)           # Store target over obj argument
        popl    %ecx                    # Restore %ecx
        popl    %edx                    # Restore %edx
        popl    %eax                    # Restore %eax
        popf                            # Restore eflags
        leal    4(%esp),%esp            # Discard reloff, do not change eflags
        ret                             # "Return" to target address
---

Lutz
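A worked example, added here and not part of Lutz's message or of FreeBSD's rtld code: a shadow-stack matcher run over a constructed branch trace of one lazily bound libc call. It shows concretely why a tracer that counts CALL and RET instructions sees one more RET than CALL per first call through the PLT, and how to tell the binder's final `ret` (which enters the resolved function) apart from a real function return. All addresses, the `branch_rec` layout and the function names are made up for the example; a real branch-single-step tracer would fill `next` from its instruction decoder.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One recorded control transfer, as a branch-single-step tracer might log it
 * (hypothetical layout). For a CALL, `next` is the address of the instruction
 * following the call, i.e. the return address it pushed. Unused for a RET. */
typedef enum { BR_CALL, BR_RET } br_kind;
typedef struct {
    br_kind  kind;
    uint32_t from;   /* address of the call/ret instruction */
    uint32_t to;     /* branch target */
    uint32_t next;   /* return address pushed by a CALL */
} branch_rec;

typedef struct {
    int calls;
    int rets;
    int matched_rets;  /* RET landing on the pending return address */
    int return_calls;  /* RET entering code no call is waiting for (rtld-style "return to target") */
} trace_stats;

#define SHADOW_MAX 64

/* Pair CALLs and RETs with a shadow stack. A RET whose target is not the
 * pending return address is not a function return; the i386 rtld binder
 * produces exactly one such RET per lazily bound call, because its final
 * `ret` transfers control to the resolved function's entry point. Such a
 * RET is counted as a call into `to` and pops nothing. */
trace_stats classify_trace(const branch_rec *recs, size_t n)
{
    uint32_t shadow[SHADOW_MAX];
    size_t sp = 0;
    trace_stats st = {0, 0, 0, 0};

    for (size_t i = 0; i < n; i++) {
        const branch_rec *r = &recs[i];
        if (r->kind == BR_CALL) {
            st.calls++;
            if (sp < SHADOW_MAX)
                shadow[sp++] = r->next;
        } else {
            st.rets++;
            if (sp > 0 && shadow[sp - 1] == r->to) {
                sp--;
                st.matched_rets++;
            } else {
                st.return_calls++;
            }
        }
    }
    return st;
}

/* Constructed trace of the first call to a libc function through the PLT
 * (all addresses invented). Events, in order:
 *  1. main calls func@plt                     -> CALL, return address pushed
 *     (the PLT stub and PLT0 use `jmp`, which a call/ret counter ignores)
 *  2. _rtld_bind_start calls _rtld_bind@PLT   -> CALL
 *  3. _rtld_bind returns into the binder      -> RET, matches (2)
 *  4. _rtld_bind_start `ret`s into the target -> RET, matches nothing: a "return call"
 *  5. the target function returns to main     -> RET, matches (1)
 */
static const branch_rec sample_trace[] = {
    { BR_CALL, 0x08048400, 0x08048300, 0x08048405 },  /* main -> func@plt */
    { BR_CALL, 0x2807a010, 0x28071234, 0x2807a015 },  /* _rtld_bind_start -> _rtld_bind */
    { BR_RET,  0x28071300, 0x2807a015, 0 },           /* _rtld_bind -> binder */
    { BR_RET,  0x2807a030, 0x28120000, 0 },           /* binder "returns" into target */
    { BR_RET,  0x28120040, 0x08048405, 0 },           /* target -> main */
};

trace_stats sample_stats(void)
{
    return classify_trace(sample_trace, sizeof sample_trace / sizeof sample_trace[0]);
}

int main(void)
{
    trace_stats st = sample_stats();
    printf("calls=%d rets=%d matched=%d return-calls=%d\n",
           st.calls, st.rets, st.matched_rets, st.return_calls);
    return 0;
}
```

On the constructed trace the matcher reports 2 calls, 3 returns, 2 of them matched and 1 "return call", which is the imbalance described above; treating that RET as the call it really is restores the pairing for the rest of the trace. The check is deliberately strict (top of shadow stack only), so code that unwinds with `longjmp` or otherwise discards frames will also show up as unmatched and needs separate handling.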