Dynamic Linker

An Overview

Sanjiv Malik

Type of Linking

Static Linking : All symbols resolved at the time of linking. For example, gcc static flag sets the program to be linked in static fashion. Disadvantage : Large program size Advantage : Fast processing Dynamic Linking : Symbols are resolved at the time of execution of the program. gcc by default links the program dynamically. The program size is small, but the runtime performance cost is substantial.

2009/1/26

Example linking process

m.c Translators m.o Linker (ld) p executable object file (contains code and data for all functions defined in m.c and a.c) a.c Translators a.o separately compiled relocatable object files

2009/1/26

What does a linker do?

Merges object files merges multiple relocatable (.o) object files into a single executable object file that can loaded and executed by the loader. Resolves external references as part of the merging process, resolves external references. external reference: reference to a symbol defined in another object file. Relocates symbols relocates symbols from their relative locations in the .o files to new absolute positions in the executable. updates all references to these symbols to reflect their new positions. references can be in either code or data code: a(); /* ref to symbol a */ data: int *xp=&x; /* ref to symbol x */

2009/1/26

Executable and linkable format (ELF)

Standard binary format for object files Derives from AT&T System V Unix

later adopted by BSD Unix variants and Linux

One unified format for relocatable object files (.o), executable

object files, and shared object files (.so)

generic name: ELF binaries

Better support for

shared libraries than old a.out formats.

2009/1/26

ELF object file format

Elf header magic number, type (.o, exec, .so), machine, byte ordering, etc. Program header table page size, virtual addresses for memory segments (sections), segment sizes. .text section code .data section initialized (static) data .bss section uninitialized (static) data Block Started by Symbol Better Save Space has section header but occupies no space
2009/1/26

ELF header Program header table (required for executables) .text section .data section .bss section .symtab .rel.txt .rel.data .debug Section header table (required for relocatables)

ELF object file format

.symtab section

symbol table procedure and static variable names section names and locations .rel.text section relocation info for .text section addresses of instructions that will need to be modified in the executable instructions for modifying. .rel.data section relocation info for .data section addresses of pointer data that will need to be modified in the merged executable .debug section info for symbolic debugging (gcc -g)

ELF header Program header table (required for executables) .text section .data section .bss section .symtab .rel.text .rel.data .debug Section header table (required for relocatables)

2009/1/26

Example C program
m.c int e=7; int main() { int r = a(); exit(0); } a.c extern int e; int *ep=&e; int x=15; int y; int a() { return *ep+x+y; }

2009/1/26

Merging .o files into an executable

Relocatable object files system code system data
.text .data & .bss

Executable object file 0 headers system code main()

.text

m.o

main() int e = 7

.text .data

a() more system code system data int e = 7 int *ep = &e int x = 15 uninitialized data .symtab .debug
.data .bss

a() a.o int *ep = &e int x = 15 int y

.text .data .bss

2009/1/26

Relocating symbols and resolving external references

Symbols are lexical entities that name functions and variables. Each symbol has a value (typically a memory address). Code consists of symbol definitions and references. References can be either local or external. m.c a.c extern int e; int e=7; Def of local symbol e int *ep=&e; int main() { int x=15; int r = a(); int y; exit(0); Def of } int a() { local return *ep+x+y; symbol Ref to external } symbol exit Ref to external ep (defined in symbol a Def of Refs of local libc.so) local symbols e,x,y symbol a
2009/1/26

Ref to external symbol e Defs of local symbols x and y

10

m.o relocation info

m.c int e=7; int main() { int r = a(); exit(0); }
Disassembly of section .text: 00000000 <main>: 00000000 <main>: 0: 55 pushl %ebp 1: 89 e5 movl %esp,%ebp 3: e8 fc ff ff ff call 4 <main+0x4> 4: R_386_PC32 a 8: 6a 00 pushl $0x0 a: e8 fc ff ff ff call b <main+0xb> b: R_386_PC32 exit f: 90 nop

Disassembly of section .data: 00000000 <e>: 0: 07 00 00 00

source: objdump
2009/1/26 11

a.o relocation info (.text)

a.c extern int e; int *ep=&e; int x=15; int y; int a() { return *ep+x+y; }
Disassembly of section .text: 00000000 <a>: 0: 55 1: 8b 15 00 00 00 6: 00 7: c: e: 10: 12: 17: 18: 19: a1 00 00 00 00 89 03 89 03 00 5d c3 e5 02 ec 05 00 00 00 pushl movl %ebp 0x0,%edx

3: R_386_32 ep movl 0x0,%eax 8: R_386_32 x movl %esp,%ebp addl (%edx),%eax movl %ebp,%esp addl 0x0,%eax 14: R_386_32 popl %ebp ret y

2009/1/26

12

a.o relocation info (.data)

a.c extern int e; int *ep=&e; int x=15; int y; int a() { return *ep+x+y; }
Disassembly of section .data: 00000000 <ep>: 0: 00 00 00 00 0: R_386_32 00000004 <x>: 4: 0f 00 00 00 e

2009/1/26

13

Executable after relocation and external reference resolution (.text)

08048530 <main>: 8048530: 55 8048531: 89 8048533: e8 8048538: 6a 804853a: e8 804853f: 90 08048540 <a>: 8048540: 8048541: 8048546: 8048547: 804854c: 804854e: 8048550: 8048552: 8048557: 8048558: 8048559:
2009/1/26

e5 08 00 00 00 00 35 ff ff ff

pushl movl call pushl call nop

%ebp %esp,%ebp 8048540 <a> $0x0 8048474 <_init+0x94>

55 8b 08 a1 89 03 89 03 08 5d c3

15 1c a0 04 20 a0 04 08 e5 02 ec 05 d0 a3 04

pushl movl movl movl addl movl addl popl ret

%ebp 0x804a01c,%edx 0x804a020,%eax %esp,%ebp (%edx),%eax %ebp,%esp 0x804a3d0,%eax %ebp

14

Executable after relocation and external reference resolution (.data)

m.c int e=7; int main() { int r = a(); exit(0); } a.c extern int e; int *ep=&e; int x=15; int y; int a() { return *ep+x+y; }
2009/1/26

Disassembly of section .data: 0804a010 <__data_start>: 804a010: 00 00 00 00 0804a014 <p.2>: 804a014: f8 a2 04 08 0804a018 <e>: 804a018: 0804a01c <ep>: 804a01c: 0804a020 <x>: 804a020:

07 00 00 00

18 a0 04 08

0f 00 00 00

15

Strong and weak symbols

Program symbols are either strong or weak

strong: procedures and initialized globals weak: uninitialized globals p1.c: p2.c: int foo; p2() { } weak strong int foo=5; p1() { }

strong strong

2009/1/26

16

Static libraries (archives)

p1.c Translator p1.o p2.c Translator p2.o Linker (ld) p executable object file (only contains code and data for libc functions that are called from p1.c and p2.c) libc.a static library (archive) of relocatable object files concatenated into one file.

Further improves modularity and efficiency by packaging commonly used functions (e.g., C standard library, math library) Linker selectively includes only the .o files in the archive that are actually needed by the program.
2009/1/26 17

Creating static libraries

atoi.c Translator atoi.o printf.c Translator printf.o random.c

...

Translator random.o

Archiver (ar)

ar rs libc.a \ atoi.o printf.o random.o

libc.a

C standard library

Archiver allows incremental updates: recompile function that changes and replace .o file in archive.

2009/1/26

18

The complete picture

m.c Translator m.o a.c Translator a.o libwhatever.a

Static Linker (ld) p libc.so libm.so

Loader/Dynamic Linker (ld-linux.so)

p
2009/1/26 19

Dynamically linked shared libraries m.c a.c

Translators (cc1, as) m.o Translators (cc1,as) a.o Linker (ld) libm.so p libc.so shared libraries of dynamically relocatable object files libc.so functions called by m.c and a.c are loaded, linked, and (potentially) shared among processes.

Loader/Dynamic Linker (ld-linux.so)

2009/1/26

20

Solaris specific options for generating static and dynamic executables

2009/1/26

21

Linking process in Solaris

In Solaris/Open Solaris, the linking process is performed in two steps: Compile time linking is done by the ld tool called the Link Editor. The link-editor, ld(1), concatenates and interprets data from one or more input files. These files can be relocatable objects, shared objects, or archive libraries. From these input files, one output file is created. This file is either a relocatable object, an executable application, or a shared object. The link-editor is most commonly invoked as part of the compilation environment.

2009/1/26

22

Dynamic linker in Solaris

The runtime linker, ld.so.1, processes dynamic executables and shared objects at runtime, binding the executable and shared objects together to create a runnable process. During the link-editing of a dynamic executable, a special .interp section, together with an associated program header, are created. This section contains a path name specifying the programs interpreter. The default name supplied by the link-editor is the name of the runtime linker: /usr/lib/ld.so.1 for a 32bit executable and /usr/lib/64/ld.so.1 for a 64bit executable. The dynamic linker ld.so.1 is itself an ELF shared library. At program startup, the system maps the ld.so to a part of the address space and runs its bootstrap code.

2009/1/26

23

Link Editor Functions

Following is summary of Link Editor functions: The concatenation of sections of the same characteristics from the input relocatable objects to form new sections within the output file. The concatenated sections can in turn be associated to output segments. The processing of symbol table information from both relocatable objects and shared objects to verify and unite references with definitions. The generation of a new symbol table, or tables, within the output file. The processing of relocation information from the input relocatable objects, and the application of this information to the output file by updating other input sections. In addition, output relocation sections might be generated for use by the runtime linker. The generation of program headers that describe all the segments that are created. The generation of dynamic linking information sections if necessary, which provide information such as shared object dependencies and symbol bindings to the runtime linker.

2009/1/26

24

Symbol processing by Link Editor

During input file processing, all local symbols from the input relocatable objects are passed through to the output file image. All global symbols are accumulated internally within the link-editor. Each global symbol supplied by a relocatable object is searched for within this internal symbol table. If a symbol with the same name has already been encountered from a previous input file, a symbol resolution process is called. This symbol resolution process determines which of the two entries are kept. On completing input file processing, and providing no fatal symbol resolution errors have occurred, the link-editor determines if any unresolved symbol references remain. Unresolved symbol references can cause the link-edit to terminate. Finally, the link-editors internal symbol table is added to the symbol tables of the image being created.

2009/1/26

25

Example

$ cat main.c
extern int u_bar; extern int u_foo(); int t_bar; int d_bar = 1; d_foo() { return (u_foo(u_bar, t_bar, d_bar)); }

$ cc -o main.o -c main.c $ nm -x main.o

[Index] Value Size Type Bind Other Shndx Name ............... [8] |0x00000000|0x00000000|NOTY |GLOB |0x0 |UNDEF |u_foo [9] |0x00000000|0x00000040|FUNC |GLOB |0x0 |2 |d_foo [10] |0x00000004|0x00000004|OBJT |GLOB |0x0 |COMMON |t_bar [11] |0x00000000|0x00000000|NOTY |GLOB |0x0 |UNDEF |u_bar [12] |0x00000000|0x00000004|OBJT |GLOB |0x0 |3|d_bar

2009/1/26

26

ELF File processing

Sections are the smallest indivisible units that can be processed within an ELF file. Segments are a collection of sections that represent the smallest individual units that can be mapped to a memory image by the dynamic linker ld.so.

2009/1/26

27

Functions of the Dynamic Linker

The runtime linker: Analyzes the executables dynamic information section (.dynamic) and determines what dependencies are required. Locates and loads these dependencies, analyzing their dynamic information sections to determine if any additional dependencies are required. Performs any necessary relocations to bind these objects in preparation for process execution. Calls any initialization functions provided by the dependencies. Passes control to the application. Can be called upon during the applications execution, to perform any delayed function binding.
2009/1/26 28

ELF Parsing by Dynamic Linker

Executable object file for example program p ELF header Program header table (required for executables) .text section .data section .bss section .symtab .rel.text .dynamic .debug Section header table (required for relocatables)
0x0804a3b0

0 Process image init and shared lib segments virtual addr

0x080483e0

.text segment (r/o)

0x08048494

.data segment (initialized r/w)

0x0804a010

.bss segment (uninitialized r/w)

2009/1/26

29

1. Resolving the Dependencies

When linking a dynamic executable, one or more shared objects are explicitly referenced. These objects are recorded as dependencies within the dynamic executable. The runtime linker uses this dependency information to locate, and load, the associated objects. These dependencies are processed in the same order as the dependencies were referenced during the link-edit of the executable. Once all the dynamic executables dependencies are loaded, each dependency is inspected, in the order the dependency is loaded, to locate any additional dependencies. This process continues until all dependencies are located and loaded. This technique results in a breadth-first ordering of all dependencies.

2009/1/26

30

1. Resolving the Dependencies

The Solaris runtime linker looks in two default locations for dependencies /lib and /usr/lib. The dependencies of a dynamic executable or shared object can be displayed using ldd. For example, the file /usr/bin/cat has the following dependencies: $ ldd /usr/bin/cat
libc.so.1 => /lib/libc.so.1 libm.so.2 => /lib/libm.so.2

The dependencies recorded in an object can be inspected using dump. Use this command to display the files .dynamic section, and look for entries that have a NEEDED tag.
$ dump -Lvp prog prog: [INDEX] Tag Value [1] NEEDED libfoo.so.1 [2] NEEDED libc.so.1 [3] RUNPATH /home/me/lib:/home/you/lib .........

2009/1/26

31

1. Resolving the Dependencies

The dynamic segment (pointed to by the program header) in the ELF file contains a pointer to the file's string table (DT_STRTAB) as well as to the DT_NEEDED entries, each of which contains the offset in the string table for the name of a required library. The dynamic linker creates a scope list for the executable, consisting of libraries to be loaded. For each of the entries in the scope list , the linker searches for the file containing the library. Once the file is found, the linker reads the ELF Header to find the program header, which points to the dynamic segment . The linker maps the library to the process address space. From the dynamic segment, it adds the library's symbol table to the chain of symbol tables - and if the libraries has further dependencies, it adds those libraries to the list to be loaded and the process is continued. For clarification, note that in fact it actually creates a struct link_map for each of the library and adds it into a global linked list.
32

2009/1/26

Symbol table structure

typedef struct{
Elf32_Word st_name; Elf32_Addr st_value; Elf32_Word st_size; unsignedchar st_info; unsignedchar st_other; Elf32_Half st_shndx;

}Elf32_Sym;

2009/1/26

33

Parsing other sections of ELF

For dynamic linking, the Dynamic linker primarily uses two processor-specific tables, the Global Offset Table (GOT) and the Procedure Linkage Table (PLT). Dynamic linkers support PIC Code through the GOT in each shared library. The GOT contains absolute addresses to all of the static data referenced in the program. Both the executables that use the shared libraries and the shared library itself has a PLT. Similar to how the GOT redirects any position-independent address calculations to absolute locations, the PLT redirects positionindependent function calls to absolute locations.

2009/1/26

34

Parsing other sections of ELF

In the .dynamic section, the important tag types are:

DT_NEEDED: This element holds the string table offset of a null-terminated string, giving the name of a needed library. The offset is an index into the table recorded in the DT_STRTAB entry. DT_HASH: This element holds the address of the symbol hash table which refers to the symbol table referenced by the DT_SYMTAB element. DT_STRTAB: This element holds the address of the string table. DT_SYMTAB: This element holds the address of the symbol table.

2009/1/26

35

2. Relocation Processing

After the runtime linker has loaded all the dependencies required by an application, the linker processes each object and performs all necessary relocations. Relocation is the process of connecting symbolic references with symbolic definitions. For example, when a program calls a function, the associated call instruction must transfer control to the proper destination address at execution. Relocatable files must have information that describes how to modify their section contents. This information allows executable and shared object files to hold the right information for a processs program image.

2009/1/26

36

3. Loading segments in memory

The LD_BIND_NOW variable determines the dynamic linking behavior. If its set, the dynamic linker evaluates the PLT entries, which is all entries of type R_386_JMP_SLOT, at the load time itself. Otherwise, the dynamic linker does lazy linking of procedure addresses and hence the addresses are not bound unless the routines are called.

2009/1/26

37

4. Delayed Function Binding

Under delayed function binding or lazy loading model, any dependencies that are labeled for lazy loading are loaded only when explicitly referenced. By taking advantage of the lazy binding of a function call, the loading of a dependency is delayed until the function is first referenced. As a result, objects that are never referenced are never loaded. As a practical example (.dynamic), shows libdebug.so.1 is marked for lazy loading. The symbol information section
(.SUNW_syminfo), shows the symbol reference that triggers libdebug.so.1 loading. $ cc -o prog prog.c -L. -zlazyload -ldebug -znolazyload -lelf -R$ORIGIN $ elfdump -d prog Dynamic Section: .dynamic index tag value [0] POSFLAG_1 0x1 [ LAZY ] [1] NEEDED 0x123libdebug.so.1 [2] NEEDED 0x131 libelf.so.1 [3] NEEDED 0x13d libc.so.1

2009/1/26

38

A look into Solaris runtime linker

The File dl_runtime.c contains the following main routines: _dl_fixup [Resolves the PLT Symbols] _dl_profile_fixup _dl_call_pltexit Other related routines: elf_machine_plt_value elf_machine_fixup_plt _dl_lookup_symbol_x

2009/1/26

39

ARM Specific ELF Header Settings

For ARM target environment, the values in the ELF header are specifically defined. All other values are as specified in the Tool Interface Standard Portable Formats Specification: e_machine is set to EM_ARM (defined as 40) e_ident[EI_CLASS] is set to ELFCLASS32 e_ident[EI_DATA] is set to:
ELFDATA2LSB for little-endian targets ELFDATA2MSB for big-endian targets

2009/1/26

40

Special sections in ARM ELF Files

In Executable ARM ELF, all Executables have at least two Sections, unless the linker has been invoked with -nodebug: The Symbol Table Section:
This Section has the following attributes:
sh_name: ".symtab" sh_type: SHT_SYMTAB sh_addr: 0 (to indicate it is not part of the image)

The String Table Section:

This Section has the following attributes:

sh_name: ".strtab" sh_type: SHT_STRTAB sh_addr: 0 (to indicate it is not part of the image)

2009/1/26

41

Special Sections in ARM ELF

1.

Debugging Sections ARM Executable ELF supports three types of debugging information held in debugging Sections. ASD debugging tables
These provide backwards compatibility with ARM's Symbolic Debugger. ASD debugging information is stored in a single Section in the executable named .asd.

2. 3.

DWARF Version 1.0 DWARF Version 2.0

2009/1/26

42