A Case Study on UNIX a.

out File Format

a.out Object File Format

A.out is an object/executable file format used on UNIX machines.
Think about why the default output name used by gcc on UNIX machines is a.out.

It had been used for a long time (since 1975 and up to 1998) on BSD UNIX machines.
For FreeBSD, a.out is used up to 2.2.6 version.

Recently it has been replaced by another more popular object/executable file format called elf. Now both FreeBSD and Linux uses elf as their default object/executable file format.
An executable file in the a.out format can still be executed correctly.

elf Object File Format

ELF stands for executable and linking format. It was developed by AT&T Bell lab for its UNIX system V. Elf now has replaced a.out because it can more easily support dynamic linking. Also, elf can support C++ better than a.out.
This is because in C++, there are initializer and finalizer code that need to be treated. However, a file in the a.out format has no room for the initializer and finalizer code.

Hardware Memory Relocation

With the virtual memory mechanism and the help of hardware memory relocation (i.e., the memory management unit), each process now has a separate and empty address space. Therefore, when a program is executed, it can always be loaded to the same virtual address without the need to do relocations.
The a.out format can be very simple. In the physical memory, the program may be loaded to any place.

So, for most programs, loading a program and then executing it can be easily done.

The Header of a.out

A binary file can contain up to 7 sections. In order, these sections are:
Exec header
Contains parameters used by the kernel to load a binary file into memory and execute it, and by the link editor ld(1) to combine a binary file with other binary files. This section is the only mandatory one.

Text segment
Contains machine code and related data that are loaded into memory when a program executes. May be loaded read-only. String table

The Header of a.out (Contd)

Data segment
Contains initialized data; always loaded into writable memory.

Text relocation
ontains records used by the link editor to update pointers in the text segment when combining binary files.

Data relocation
Like the text relocation section, but for data segment pointers.

Symbol table
Contains records used by the link editor to cross reference the addresses of named variables and functions (`symbols') between binary files.

String table
Contains the character strings corresponding to the symbol names.

Exec Header
struct exec { unsigned long unsigned long unsigned long unsigned long unsigned long unsigned long unsigned long unsigned long };

a_midmag; a_text; a_data; a_bss; a_syms; a_entry; a_trsize; a_drsize;

a_midmag
a_midmag
Three macros can be used to fetch information encoded in this field. GETFLAG()
DYNAMIC
indicates that the executable requires the services of the run-time link editor.

PIC
indicates that the object contains position independent code.

If both flags are set, the object file is a position independent executable image (eg. a shared library), which is to be loaded into the process address space by the run-time link editor.

GETMID()
returns the machine-id. This indicates which machine(s) the binary is intended to run on.

Machine ID
#define MID_ZERO 0 /* unknown - implementation dependent */ #define MID_SUN010 1 /* sun 68010/68020 binary */ #define MID_SUN020 2 /* sun 68020-only binary */ #define MID_I386 134 /* i386 BSD binary */ #define MID_SPARC 138 /* sparc */ #define MID_HP200 200 /* hp200 (68010) BSD binary */ #define MID_HP300 300 /* hp300 (68020+68881) BSD binary */ #define MID_HPUX 0x20C /* hp200/300 HP-UX binary */

a_midmag (contd)
GETMAGIC()
Specifies the magic number, which uniquely identifies binary files and distinguishes different loading conventions. OMAGIC
The text and data segments immediately follow the header and are contiguous. The kernel loads both text and data segments into writable memory.

NMAGIC
As with OMAGIC, text and data segments immediately follow the header and are contiguous. However, the kernel loads the text into read-only memory and loads the data into writable memory at the next page boundary after the text.

ZMAGIC
The kernel loads individual pages on demand from the binary. The header, text segment and data segment are all padded by the link editor to a multiple of the page size. Pages that the kernel loads from the text segment are read-only, while pages from the data segment are writable.

Various Magic Numbers

#define OMAGIC #define NMAGIC #define ZMAGIC #define QMAGIC 0407 0410 0413 0314 /* old impure format */ /* read-only text */ /* demand load format */ /* "compact" demand load format */

In order for the text segment to start at the page boundary, we give the header a page size (4KB).

Do not use page 0 to catch pointer errors

Combine header and text to save memory space.

Exec Header (contd)

a_text
Contains the size of the text segment in bytes

a_data
Contains the size of the data segment in bytes.

a_bss
Contains the number of bytes in the `bss segment' and is used by the kernel to set the initial break (brk(2)) after the data segment. The kernel loads the program so that this amount of writable memory appears to follow the data segment and initially reads as zeroes. Note: the bss segment is used for un-initialized data.

a_syms
Contains the size in bytes of the symbol table section.

Exec Header (contd)

a_entry
Contains the address in memory of the entry point of the program after the kernel has loaded it; the kernel starts the execution of the program from the machine instruction at this address.

a_trsize
Contains the size in bytes of the text relocation table.

a_drsize
Contains the size in bytes of the data relocation table.

Relocation Record Format

struct relocation_info { int unsigned int

r_address; r_symbolnum : 24, r_pcrel : 1, r_length : 2, r_extern : 1, r_baserel : 1, r_jmptable : 1, r_relative : 1, r_copy : 1;

};

Relocation Record (contd)

r_address
Contains the byte offset of a pointer that needs to be link-edited. Text relocation offsets are reckoned from the start of the text segment, and data relocation offsets from the start of the data segment. The link editor adds the value that is already stored at this offset into the new value that it computes using this relocation record.

Relocation Record (contd)

r_symbolnum
Contains the ordinal number of a symbol structure in the symbol table (it is not a byte offset). After the link editor resolves the absolute address for this symbol, it adds that address to the pointer that is undergoing relocation.

r_pcrel
If this is set, the link editor assumes that it is updating a pointer that is part of a machine code instruction using pcrelative addressing. The address of the relocated pointer is implicitly added to its value when the running program uses it.

r_length
Contains the log base 2 of the length of the pointer in bytes; 0 for 1-byte displacements, 1 for 2-byte displacements, 2 for 4byte displacements.

Relocation Record (contd)

r_extern
Set if this relocation requires an external reference; the link editor must use a symbol address to update the pointer. When the r_extern bit is clear, the relocation is `local'; the link editor updates the pointer to reflect changes in the load addresses of the various segments, rather than changes in the value of a symbol (except when r_baserel is also set (see below). In this case, the content of the r_symbolnum field is an n_type value (see below); this type field tells the link editor what segment the relocated pointer points into.

r_baserel
If set, the symbol, as identified by the r_symbolnum field, is to be relocated to an offset into the Global Offset Table. At run-time, the entry in the Global Offset Table at this offset is set to be the address of the symbol.

Relocation Record (contd)

r_jmptable
If set, the symbol, as identified by the r_symbolnum field, is to be relocated to an offset into the Procedure Linkage Table.

r_relative
If set, this relocation is relative to the (run-time) load address of the image this object file is going to be a part of. This type of relocation only occurs in shared objects.

r_copy
If set, this relocation record identifies a symbol whose contents should be copied to the location given in r_address. The copying is done by the run-time link-editor from a suitable data item in a shared object.

GOT and PLT

Global offset table and procedure linkage table are used for shared libraries. We will present their usages when we present the design and implementation of shared libraries.

A.out Linking

Symbol Table
Symbols map names to addresses (or more generally, strings to values). Since the link-editor adjusts addresses, a symbol's name must be used to stand for its address until an absolute value has been assigned. Symbols consist of a fixed-length record in the symbol table and a variable-length name in the string table. The symbol table is an array of nlist structures:
Why we separately store symbols names into another table (string table)? This is because there is no length limitation on a symbols name.

Symbol Table Entry Format

struct nlist { union { char *n_name; long n_strx; } n_un; unsigned char n_type; char n_other; short n_desc; unsigned long n_value; };

Nlist Structure
n_un.n_strx
Contains a byte offset into the string table for the name of this symbol. When a program accesses a symbol table with the nlist(3) function, this field is replaced with the n_un.n_name field, which is a pointer to the string in memory.

n_type
Used by the link editor to determine how to update the symbol's value. The n_type field is broken down into three sub-fields using bitmasks. The link editor treats symbols with the N_EXT type bit set as `external' symbols and permits references to them from other binary files. The N_TYPE mask selects bits of interest to the link editor:

N_type in NList
N_UNDF
An undefined symbol. The link editor must locate an external symbol with the same name in another binary file to determine the absolute value of this symbol. As a special case, if the n_value field is nonzero and no binary file in the link-edit defines this symbol, the linkeditor will resolve this symbol to an address in the bss segment, reserving an amount of bytes equal to n_value. If this symbol is undefined in more than one binary file and the binary files do not agree on the size, the link editor chooses the greatest size found across all binaries.

N_ABS
An absolute symbol. The link editor does not update an absolute symbol.

N_type in Nlist (contd)

N_TEXT
A text symbol. This symbol's value is a text address and the link editor will update it when it merges binary files.

N_DATA
A data symbol; similar to N_TEXT but for data addresses.

N_BSS
A bss symbol; like text or data symbols but has no corresponding offset in the binary file.

N_FN
A filename symbol. The link editor inserts this symbol before the other symbols from a binary file when merging binary files. The name of the symbol is the filename given to the link editor, and its value is the first text address from that binary file. Filename symbols are not needed for linkediting or loading, but are useful for debuggers.

Nlist Structure (contd)

n_other
This field provides information on the nature of the symbol independent of the symbol's location in terms of segments as determined by the n_type field. Currently, the lower 4 bit of the n_other field hold one of two values: AUX_FUNC and AUX_OBJECT (see <link.h> for their definitions). AUX_FUNC associates the symbol with a callable function, while AUX_OBJECT associates the symbol with data, irrespective of their locations in either the text or the data segment. This field is intended to be used by ld(1) for the construction of dynamic executables.

Nlist Structure (contd)

n_desc
Reserved for use by debuggers; passed untouched by the link editor. Different debuggers use this field for different purposes.

n_value
Contains the value of the symbol. For text, data and bss symbols, this is an address; for other symbols (such as debugger symbols), the value may be arbitrary.

String Table
The string table consists of an unsigned long length followed by null-terminated symbol strings. The length represents the size of the entire table in bytes, so its minimum value (or the offset of the first string) is always 4 on 32-bit machines.

Related Tools on UNIX

Objdump
You can use this tool to disassemble an object code and see the contents in its various headers.

Nm
You can use this tool to display the contents in a binary files symbol table.

Example 1 (p1.c)
int xx, yy; main() {
xx = 1; yy = 2; }

Example 1s Output
value
SYMBOL TABLE: 00000000 l df 00000000 l d 00000000 l d Local/global 00000000 l d 00000000 l 00000000 l d 00000000 l d 00000000 g F 00000004 O 00000004 O

size

*ABS* 00000000 p1.c .text 00000000 .data 00000000 .bss 00000000 .text 00000000 gcc2_compiled. .note 00000000 .comment 00000000 Unallocated C external .text 00000019 main variables (external here *COM* 00000004 xx *COM* 00000004 yy means that this variable

Function/Object
RELOCATION RECORDS FOR [.text]: OFFSET TYPE VALUE 00000005 R_386_32 xx 0000000f R_386_32 yy

can be used in other programs. In p5.c and p6.c when we use static, the result becomes different.

Example 1s Output
Disassembly of section .text:
00000000 <main>: 0: 55 1: 89 e5 3: c7 05 00 00 00 00 01 a: 00 00 00 d: c7 05 00 00 00 00 02 14: 00 00 00 17: c9 18: c3

push %ebp mov %esp,%ebp movl $0x1,0x0 movl $0x2,0x0 leave ret

Example 2 (p2.c)
main() { int xx, yy;
xx = 1; yy = 2; }

Example 2s Output
SYMBOL TABLE: 00000000 l 00000000 l 00000000 l 00000000 l 00000000 l 00000000 l 00000000 l 00000000 g df d d d *ABS* 00000000 p2.c .text 00000000 .data 00000000 .bss 00000000 .text 00000000 gcc2_compiled. d .note 00000000 d .comment 00000000 F .text 00000016 main

Because now xx and yy are dynamically allocated space in the stack, they do not show up in the symbol table.

Example 2s Output
Disassembly of section .text: 00000000 <main>: 0: 55 push 1: 89 e5 mov 3: 83 ec 18 sub 6: c7 45 fc 01 00 00 00 movl $0x1,0xfffffffc(%ebp) -4: (old_sp 4) d: c7 45 f8 02 00 00 00 movl $0x2,0xfffffff8(%ebp) -8: (old_sp 8) 14: c9 leave 15: c3 ret

%ebp %esp,%ebp $0x18,%esp

Example 3 (p3.c)
extern int xx, yy; main() {
xx = 1; yy = 2; }

Example 3s Output
SYMBOL TABLE: 00000000 l 00000000 l 00000000 l 00000000 l 00000000 l 00000000 l 00000000 l 00000000 g 00000000 00000000 df d d d *ABS* 00000000 p3.c .text 00000000 .data 00000000 .bss 00000000 .text 00000000 gcc2_compiled. d .note 00000000 d .comment 00000000 F .text 00000019 main *UND* 00000000 xx *UND* 00000000 yy

undefined
RELOCATION RECORDS FOR [.text]: OFFSET TYPE VALUE 00000005 R_386_32 xx 0000000f R_386_32 yy

Example 3s Output
Disassembly of section .text:
00000000 <main>: 0: 55 1: 89 e5 3: c7 05 00 00 00 00 01 a: 00 00 00 d: c7 05 00 00 00 00 02 14: 00 00 00 17: c9 18: c3

push mov movl movl leave ret

%ebp %esp,%ebp $0x1,0x0 $0x2,0x0

Example 4 (p4.c)
int xx, yy;

Example 4s Output
SYMBOL TABLE: 00000000 l 00000000 l 00000000 l 00000000 l 00000000 l 00000000 l 00000000 l 00000004 00000004
df d d d *ABS* 00000000 p4.c .text 00000000 .data 00000000 .bss 00000000 .text 00000000 gcc2_compiled. d .note 00000000 d .comment 00000000 O *COM* 00000004 xx O *COM* 00000004 yy

Example 4s Output
Disassembly of section .text:

None

P3.c and p4.c

P3.c and p4.c can be separately compiled and then linked together. We see that although in p4.c, there are only variable declarations and no C statements, p4.c can still be successfully compiled and its object code be generated. This shows that an object file need not always include text (code).

Example 5 (p5.c)
static int xx, yy; main() {
xx = 1; yy = 2; }

Example 5s Output
SYMBOL TABLE: 00000000 l 00000000 l 00000000 l 00000000 l 00000000 l 00000000 l 00000004 l 00000000 l 00000000 l 00000000 g df d d d *ABS* 00000000 p5.c .text 00000000 .data 00000000 .bss 00000000 .text 00000000 gcc2_compiled. O .bss 00000004 xx Now become O .bss 00000004 yy local symbols d .note 00000000 d .comment 00000000 F .text 00000019 main

RELOCATION RECORDS FOR [.text]: OFFSET TYPE VALUE 00000005 R_386_32 .bss 0000000f R_386_32 .bss

Because xx and yy do not have initial values, they are put into the bss segment.

Example 5s Output
Disassembly of section .text:
00000000 <main>: 0: 55 1: 89 e5 3: c7 05 00 00 00 00 01 a: 00 00 00 d: c7 05 04 00 00 00 02 14: 00 00 00 17: c9 18: c3 As soon as the address of

push mov movl movl

%ebp %esp,%ebp $0x1,0x0 $0x2,0x4

leave ret bss segment the

is resolved, the address will be added to these places.

Example 6 (p6.c)
static int xx=1, yy=2; main() {
xx = 1; yy = 2; }

Example 6s Output
SYMBOL TABLE: 00000000 l 00000000 l 00000000 l 00000000 l 00000000 l 00000000 l 00000004 l 00000000 l 00000000 l 00000000 g df d d d *ABS* 00000000 p6.c .text 00000000 .data 00000000 .bss 00000000 .text 00000000 gcc2_compiled. O .data 00000004 xx O .data 00000004 yy d .note 00000000 d .comment 00000000 F .text 00000019 main

RELOCATION RECORDS FOR [.text]: OFFSET TYPE VALUE 00000005 R_386_32 .data 0000000f R_386_32 .data

Because xx and yy now have initial values, they are put into the data segment.

Example 6s Output
Disassembly of section .text:
00000000 <main>: 0: 55 1: 89 e5 3: c7 05 00 00 00 00 01 a: 00 00 00 d: c7 05 04 00 00 00 02 14: 00 00 00 17: c9 18: c3 As soon as the address of

push mov movl movl

%ebp %esp,%ebp $0x1,0x0 $0x2,0x4

leave ret data segment the

is resolved, the address will be added to these places.