Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Flags in objdump output of object file

Tags:

linux

elf

objdump

There is this output of objdump on some object file:

$ objdump -h main.o

main.o:     file format elf32-i386

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  0 .text         0000000b  00000000  00000000  00000034  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .data         00000000  00000000  00000000  00000040  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  2 .bss          00000000  00000000  00000000  00000040  2**2
                  ALLOC
  3 .note.GNU-stack 00000000  00000000  00000000  00000040  2**0
                  CONTENTS, READONLY, CODE

What do these flags CONTENTS, ALLOC, LOAD and so on mean?

like image 717
scdmb Avatar asked Jun 25 '12 19:06

scdmb


People also ask

What does objdump return?

objdump displays information about one or more object files. The options control what particular information to display. This information is mostly useful to programmers who are working on the compilation tools, as opposed to programmers who just want their program to compile and work.

Which parameter of objdump is used to show all disassembled output of an executable?

Similarly, you can use the -D command-line option to make objdump display assembler contents of all sections, and -S option to make sure the tool intermixes source code with disassembly.

Which command would you use to Dissassemble a object file?

Passing --disassemble=SYMBOL to objdump will disassemble only the specified function. No need to pass the start address and the end address.


2 Answers

What you see is the interpretation of the combination of ELF segment flags, section type and section flags for each section in the object file.

  • LOAD means that the section resides in a loadable segment, i.e. its content could be read from the file into memory when a process is created

Section flags are well documented in the Chapter 4 of the System V Application Binary Interface, although under slightly different names from what objdump shows.

  • CODE means that the section contains executable code; it is indicated by the SHF_EXECINSTR flag in the section header
  • DATA means that the section is not executable but is writable, indicated by the presence of the SHF_WRITE flag
  • READONLY means that the section is neither executable nor writtable and should be placed in read-only memory pages
  • ALLOC means that the section occupies memory, e.g. memory pages are actually allocated to hold the section content when a process is created, indicated by the SHF_ALLOC flag. Some sections, e.g. those containing debug information, are not read into memory during normal program execution and are not marked as ALLOC to save memory.

Sections of type SHT_PROGBITS have corresponding content in the file and are shown as CONTENTS. Some sections does not have corresponding content in the file, e.g. the .bss section, which is of type SHT_NOBITS.

The .text section contains the program executable code. It is show as CONTENTS since it is of type SHT_PROGBITS. Memory should be reserved for this section since it is ALLOC and its contents should be loaded from the file since it is placed in a LOAD-able segment. Program code is generally non-modifiable and hence the section is placed in read-only memory. It contains instructions that are to be executed and hence the CODE flag.

Initialised variables with static storage class go into the .data section. Their initial values are stored in the file and read from there as the process is created. In C/C++ these are global variables, static local variables and C++ static member variables that are initialised appropriately, e.g. static int a = 10;. Fortran places initialised SAVE-d variables and COMMON blocks, which are given intiial value with a block DATA statement there.

The .bss section (historic name, abbreviation from Block Started by Symbol) is the most simple one. It holds uninitialised variables with static storage class. It is a section of type SHT_NOBITS and takes no space in the file. Memory is ALLOC-ated for it but nothing is read from the file to prepopulate the memory - it just stays all zeroes as delivered by the kernel memory allocator.

Constants usually go into the .rodata section (not present in your example), which looks like .data but is not marked as writable and is thus shown as READONLY.

like image 69
Hristo Iliev Avatar answered Oct 17 '22 18:10

Hristo Iliev


Found pieces of information on Ubuntu elf man page and this is just my understanding.
I think they are information from both the program header and section header.

LOAD: may correspond to PT_LOAD in the Program header table. Brief description:
It specifies the type of that particular element in the program header table.
The array element specifies a loadable segment

ALLOC: may correspond to SHF_ALLOC in the section table. Brief description:
Its specifies the flag of that particular element in the section header.
This  section  occupies  memory during process execution.

CODE/ DATA: indicates the belonging segment

READONLY: specifies a read-only segment

CONTENTS: I didn't find anything to conclude.

Hope this helps

like image 42
Joseph Elcid Avatar answered Oct 17 '22 20:10

Joseph Elcid