工作了这么久, 现在也终于有时间来写写这几年在程序世界中的感受。一时之间并不知道从哪里开始。想来想去,还是从大学入学开始吧。记得那是一个风和日丽的下午,一堆大学生抱着书跑进教室,那个时候并没有那么多逃课的,只知道相传C语言是一门学了就能找到工作的科目。从此我和我们内敛含蓄的hello world妹妹来了一次深入的体会。老师说main函数就是hello world的一切,我们的程序都是从main开始,虽然老师是好意,但是这确实导致未来很大一部分初级程序员都认为C语言的入口就是main函数。
下面这个Hello World 不知道坑害了多少善良无辜的程序员。现在我们就来解剖她,看她这么较小单纯,真舍不得让她一丝不挂的展现出来。
点击(此处)折叠或打开
- #include <stdio.h>
- int main (int argc, char *argv[])
- {
- printf ("Hello World\n");
- return 0;
- }
保存为hello.c
我们可以通过gcc hello.c -o hello得到可执行程序hello. 很多人会认为运行hello, CPU会首先跳转到main函数,执行printf. 至少绝大部分刚毕业的软件工程师是这样认为(因为老师就是这样说的)。下面我们就来详细讲讲CPU是怎么运行到main函数的。
先用strace跟踪一下./hello程序在运行的时候都做了一些什么, strace ./hello:
点击(此处)折叠或打开
- $ strace ./hello
- execve("./hello", ["./hello"], [/* 33 vars */]) = 0
- brk(NULL) = 0x1fde000
- access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
- access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
- open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
- fstat(3, {st_mode=S_IFREG|0644, st_size=118062, ...}) = 0
- mmap(NULL, 118062, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f4dfc15b000
- close(3) = 0
- access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
- open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
- read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\t\2\0\0\0\0\0"..., 832) = 832
- fstat(3, {st_mode=S_IFREG|0755, st_size=1868984, ...}) = 0
- mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4dfc15a000
- mmap(NULL, 3971488, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f4dfbb89000
- mprotect(0x7f4dfbd49000, 2097152, PROT_NONE) = 0
- mmap(0x7f4dfbf49000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c0000) = 0x7f4dfbf49000
- mmap(0x7f4dfbf4f000, 14752, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f4dfbf4f000
- close(3) = 0
- mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4dfc159000
- mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4dfc158000
- arch_prctl(ARCH_SET_FS, 0x7f4dfc159700) = 0
- mprotect(0x7f4dfbf49000, 16384, PROT_READ) = 0
- mprotect(0x600000, 4096, PROT_READ) = 0
- mprotect(0x7f4dfc178000, 4096, PROT_READ) = 0
- munmap(0x7f4dfc15b000, 118062) = 0
- fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 21), ...}) = 0
- brk(NULL) = 0x1fde000
- brk(0x1fff000) = 0x1fff000
- write(1, "Hello World\n", 12Hello World
- ) = 12
- exit_group(0) = ?
- +++ exited with 0 +++
可以发现在shell终端在执行./hello的时候,实际上shell会调用execve函数来进行一次进程替换,即当前shell--->hello。execve是一个系统调用,Linux内核会在这个系统调用里面为hello程序映射必要的内存,最重要的是.text代码段, 然后为其设置对应的环境变量(具体过程在内核篇会详细讲解),最后通过修改lr寄存器的方式,在execve返回的时候将控制权交给ld-linux-x86-64.so.2(可能在某些嵌入式环境里面名字不叫这个, 这个名字可以通过readelf -l hello | grep interpreter 获取到)
点击(此处)折叠或打开
- $ readelf -l hello | grep interpreter
- [Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
点击(此处)折叠或打开
- $ readelf -h hello
- ELF Header:
- Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
- Class: ELF64
- Data: 2's complement, little endian
- Version: 1 (current)
- OS/ABI: UNIX - System V
- ABI Version: 0
- Type: EXEC (Executable file)
- Machine: Advanced Micro Devices X86-64
- Version: 0x1
- Entry point address: 0x400430
- Start of program headers: 64 (bytes into file)
- Start of section headers: 6616 (bytes into file)
- Flags: 0x0
- Size of this header: 64 (bytes)
- Size of program headers: 56 (bytes)
- Number of program headers: 9
- Size of section headers: 64 (bytes)
- Number of section headers: 31
- Section header string table index: 28
点击(此处)折叠或打开
- hello: file format elf64-x86-64
- hello
- architecture: i386:x86-64, flags 0x00000112:
- EXEC_P, HAS_SYMS, D_PAGED
- start address 0x0000000000400430
- 省略其他段....
- Disassembly of section .init:
- 00000000004003c8 <_init>:
- 4003c8: 48 83 ec 08 sub $0x8,%rsp
- 4003cc: 48 8b 05 25 0c 20 00 mov 0x200c25(%rip),%rax # 600ff8 <_DYNAMIC+0x1d0>
- 4003d3: 48 85 c0 test %rax,%rax
- 4003d6: 74 05 je 4003dd <_init+0x15>
- 4003d8: e8 43 00 00 00 callq 400420 <__libc_start_main@plt+0x10>
- 4003dd: 48 83 c4 08 add $0x8,%rsp
- 4003e1: c3 retq
- Disassembly of section .plt:
- 00000000004003f0 <puts@plt-0x10>:
- 4003f0: ff 35 12 0c 20 00 pushq 0x200c12(%rip) # 601008 <_GLOBAL_OFFSET_TABLE_+0x8>
- 4003f6: ff 25 14 0c 20 00 jmpq *0x200c14(%rip) # 601010 <_GLOBAL_OFFSET_TABLE_+0x10>
- 4003fc: 0f 1f 40 00 nopl 0x0(%rax)
- 0000000000400400 <puts@plt>:
- 400400: ff 25 12 0c 20 00 jmpq *0x200c12(%rip) # 601018 <_GLOBAL_OFFSET_TABLE_+0x18>
- 400406: 68 00 00 00 00 pushq $0x0
- 40040b: e9 e0 ff ff ff jmpq 4003f0 <_init+0x28>
- 0000000000400410 <__libc_start_main@plt>:
- 400410: ff 25 0a 0c 20 00 jmpq *0x200c0a(%rip) # 601020 <_GLOBAL_OFFSET_TABLE_+0x20>
- 400416: 68 01 00 00 00 pushq $0x1
- 40041b: e9 d0 ff ff ff jmpq 4003f0 <_init+0x28>
- Disassembly of section .plt.got:
- 0000000000400420 <.plt.got>:
- 400420: ff 25 d2 0b 20 00 jmpq *0x200bd2(%rip) # 600ff8 <_DYNAMIC+0x1d0>
- 400426: 66 90 xchg %ax,%ax
- Disassembly of section .text:
- 0000000000400430 <_start>:
- 400430: 31 ed xor %ebp,%ebp
- 400432: 49 89 d1 mov %rdx,%r9
- 400435: 5e pop %rsi
- 400436: 48 89 e2 mov %rsp,%rdx
- 400439: 48 83 e4 f0 and $0xfffffffffffffff0,%rsp
- 40043d: 50 push %rax
- 40043e: 54 push %rsp
- 40043f: 49 c7 c0 c0 05 40 00 mov $0x4005c0,%r8
- 400446: 48 c7 c1 50 05 40 00 mov $0x400550,%rcx
- 40044d: 48 c7 c7 26 05 40 00 mov $0x400526,%rdi
- 400454: e8 b7 ff ff ff callq 400410 <__libc_start_main@plt>
- 400459: f4 hlt
- 40045a: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
- 0000000000400460 <deregister_tm_clones>:
- 400460: b8 3f 10 60 00 mov $0x60103f,%eax
- 400465: 55 push %rbp
- 400466: 48 2d 38 10 60 00 sub $0x601038,%rax
- 40046c: 48 83 f8 0e cmp $0xe,%rax
- 400470: 48 89 e5 mov %rsp,%rbp
- 400473: 76 1b jbe 400490 <deregister_tm_clones+0x30>
- 400475: b8 00 00 00 00 mov $0x0,%eax
- 40047a: 48 85 c0 test %rax,%rax
- 40047d: 74 11 je 400490 <deregister_tm_clones+0x30>
- 40047f: 5d pop %rbp
- 400480: bf 38 10 60 00 mov $0x601038,%edi
- 400485: ff e0 jmpq *%rax
- 400487: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1)
- 40048e: 00 00
- 400490: 5d pop %rbp
- 400491: c3 retq
- 400492: 0f 1f 40 00 nopl 0x0(%rax)
- 400496: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
- 40049d: 00 00 00
- 00000000004004a0 <register_tm_clones>:
- 4004a0: be 38 10 60 00 mov $0x601038,%esi
- 4004a5: 55 push %rbp
- 4004a6: 48 81 ee 38 10 60 00 sub $0x601038,%rsi
- 4004ad: 48 c1 fe 03 sar $0x3,%rsi
- 4004b1: 48 89 e5 mov %rsp,%rbp
- 4004b4: 48 89 f0 mov %rsi,%rax
- 4004b7: 48 c1 e8 3f shr $0x3f,%rax
- 4004bb: 48 01 c6 add %rax,%rsi
- 4004be: 48 d1 fe sar %rsi
- 4004c1: 74 15 je 4004d8 <register_tm_clones+0x38>
- 4004c3: b8 00 00 00 00 mov $0x0,%eax
- 4004c8: 48 85 c0 test %rax,%rax
- 4004cb: 74 0b je 4004d8 <register_tm_clones+0x38>
- 4004cd: 5d pop %rbp
- 4004ce: bf 38 10 60 00 mov $0x601038,%edi
- 4004d3: ff e0 jmpq *%rax
- 4004d5: 0f 1f 00 nopl (%rax)
- 4004d8: 5d pop %rbp
- 4004d9: c3 retq
- 4004da: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
- 00000000004004e0 <__do_global_dtors_aux>:
- 4004e0: 80 3d 51 0b 20 00 00 cmpb $0x0,0x200b51(%rip) # 601038 <__TMC_END__>
- 4004e7: 75 11 jne 4004fa <__do_global_dtors_aux+0x1a>
- 4004e9: 55 push %rbp
- 4004ea: 48 89 e5 mov %rsp,%rbp
- 4004ed: e8 6e ff ff ff callq 400460 <deregister_tm_clones>
- 4004f2: 5d pop %rbp
- 4004f3: c6 05 3e 0b 20 00 01 movb $0x1,0x200b3e(%rip) # 601038 <__TMC_END__>
- 4004fa: f3 c3 repz retq
- 4004fc: 0f 1f 40 00 nopl 0x0(%rax)
- 0000000000400500 <frame_dummy>:
- 400500: bf 20 0e 60 00 mov $0x600e20,%edi
- 400505: 48 83 3f 00 cmpq $0x0,(%rdi)
- 400509: 75 05 jne 400510 <frame_dummy+0x10>
- 40050b: eb 93 jmp 4004a0 <register_tm_clones>
- 40050d: 0f 1f 00 nopl (%rax)
- 400510: b8 00 00 00 00 mov $0x0,%eax
- 400515: 48 85 c0 test %rax,%rax
- 400518: 74 f1 je 40050b <frame_dummy+0xb>
- 40051a: 55 push %rbp
- 40051b: 48 89 e5 mov %rsp,%rbp
- 40051e: ff d0 callq *%rax
- 400520: 5d pop %rbp
- 400521: e9 7a ff ff ff jmpq 4004a0 <register_tm_clones>
- 0000000000400526 <main>:
- 400526: 55 push %rbp
- 400527: 48 89 e5 mov %rsp,%rbp
- 40052a: 48 83 ec 10 sub $0x10,%rsp
- 40052e: 89 7d fc mov %edi,-0x4(%rbp)
- 400531: 48 89 75 f0 mov %rsi,-0x10(%rbp)
- 400535: bf d4 05 40 00 mov $0x4005d4,%edi
- 40053a: e8 c1 fe ff ff callq 400400 <puts@plt>
- 40053f: b8 00 00 00 00 mov $0x0,%eax
- 400544: c9 leaveq
- 400545: c3 retq
- 400546: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
- 40054d: 00 00 00
- 0000000000400550 <__libc_csu_init>:
- 400550: 41 57 push %r15
- 400552: 41 56 push %r14
- 400554: 41 89 ff mov %edi,%r15d
- 400557: 41 55 push %r13
- 400559: 41 54 push %r12
- 40055b: 4c 8d 25 ae 08 20 00 lea 0x2008ae(%rip),%r12 # 600e10 <__frame_dummy_init_array_entry>
- 400562: 55 push %rbp
- 400563: 48 8d 2d ae 08 20 00 lea 0x2008ae(%rip),%rbp # 600e18 <__init_array_end>
- 40056a: 53 push %rbx
- 40056b: 49 89 f6 mov %rsi,%r14
- 40056e: 49 89 d5 mov %rdx,%r13
- 400571: 4c 29 e5 sub %r12,%rbp
- 400574: 48 83 ec 08 sub $0x8,%rsp
- 400578: 48 c1 fd 03 sar $0x3,%rbp
- 40057c: e8 47 fe ff ff callq 4003c8 <_init>
- 400581: 48 85 ed test %rbp,%rbp
- 400584: 74 20 je 4005a6 <__libc_csu_init+0x56>
- 400586: 31 db xor %ebx,%ebx
- 400588: 0f 1f 84 00 00 00 00 nopl 0x0(%rax,%rax,1)
- 40058f: 00
- 400590: 4c 89 ea mov %r13,%rdx
- 400593: 4c 89 f6 mov %r14,%rsi
- 400596: 44 89 ff mov %r15d,%edi
- 400599: 41 ff 14 dc callq *(%r12,%rbx,8)
- 40059d: 48 83 c3 01 add $0x1,%rbx
- 4005a1: 48 39 eb cmp %rbp,%rbx
- 4005a4: 75 ea jne 400590 <__libc_csu_init+0x40>
- 4005a6: 48 83 c4 08 add $0x8,%rsp
- 4005aa: 5b pop %rbx
- 4005ab: 5d pop %rbp
- 4005ac: 41 5c pop %r12
- 4005ae: 41 5d pop %r13
- 4005b0: 41 5e pop %r14
- 4005b2: 41 5f pop %r15
- 4005b4: c3 retq
- 4005b5: 90 nop
- 4005b6: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
- 4005bd: 00 00 00
- 00000000004005c0 <__libc_csu_fini>:
- 4005c0: f3 c3 repz retq
- Disassembly of section .fini:
- 00000000004005c4 <_fini>:
- 4005c4: 48 83 ec 08 sub $0x8,%rsp
- 4005c8: 48 83 c4 08 add $0x8,%rsp
- 4005cc: c3 retq
点击(此处)折叠或打开
- Disassembly of section .text:
- 0000000000400430 <_start>:
- 400430: 31 ed xor %ebp,%ebp
- 400432: 49 89 d1 mov %rdx,%r9
- 400435: 5e pop %rsi
- 400436: 48 89 e2 mov %rsp,%rdx
- 400439: 48 83 e4 f0 and $0xfffffffffffffff0,%rsp
- 40043d: 50 push %rax
- 40043e: 54 push %rsp
- 40043f: 49 c7 c0 c0 05 40 00 mov $0x4005c0,%r8
- 400446: 48 c7 c1 50 05 40 00 mov $0x400550,%rcx
- 40044d: 48 c7 c7 26 05 40 00 mov $0x400526,%rdi
- 400454: e8 b7 ff ff ff callq 400410 <__libc_start_main@plt>
- 400459: f4 hlt
- 40045a: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
现在继续正题,由地址0x400430,我们可以看出,hello文件的真正入口并不是main函数,而是我们的_start函数,当然这个入口函数和用的C库有关,所以这个_start函数实际上是由C库实现的,hello程序在ld链接的阶段,gcc会默认将crtbegin.o, crtend.o,crt1.o,crti.o,crtn.o等目标文件链接到hello当中,这其中就包括_start函数的内容。而链接的地址有链接脚本而定,通常我们采用默认的链接脚本,这个脚本可以通过ld --verbose查看。
_start函数具体的情况大家可以下载C库来找到具体的代码实现,这里简单看看汇编,可以了解到_start函数最后调用了__libc_start_main函数,并向__libc_start_main函数传入了3个参数,0x4005c0,0x400550,0x400526;这三个地址上所存放的内容是:
0x4005c0:__libc_csu_fini函数实现
0x400550:__libc_csu_init函数实现
0x400526:main函数实现
由于__libc_start_main的具体实现在动态库中,libc.so当中,因此,我们在hello.s中是无法看到它的具体实现的。__libc_start_main@plt表示这是一个延迟加载函数,什么是延迟加载函数呢?延迟加载函数就是指在动态解释阶段不进行代码重定位,只有在真正使用该函数的时候,才去定位该函数的地址, 这样做的目的是加快程序启动,常见就是很多大型游戏,存在大量动态库的时候, 解析会很耗费启动时间。这里__libc_start_main函数的作用就是把传入的这三个函数分别运行,运行的顺序为:__libc_csu_init->main->__libc_csu_fini。
__libc_csu_init函数,主要完成一些构造函数相关的内容。是的,C语言也有构造函数。
我们可以通过在函数上添加__attribute__ ((constructor)),来标记函数为C程序的构造函数,用__attribute__ ((destructor))来标记对应函数为析构函数,如:
点击(此处)折叠或打开
- #include <stdio.h>
- static void hello_after() __attribute__ ((destructor));
- static void hello_before() __attribute__ ((constructor));
- static void hello_before(void)
- {
- printf("Before main\n");
- }
- static void hello_after(void)
- {
- printf("After main\n");
- }
- int main (int argc, char *argv[])
- {
- printf ("Hello World\n");
- return 0;
- }
点击(此处)折叠或打开
- $ ./hello
- Before main
- Hello World
- After main
因此,我们通过分析能很清楚的分析到,C语言的构造函数在main函数运行之前运行,析构函数在main函数运行之后运行。
__libc_csu_init的实现汇编如下:
点击(此处)折叠或打开
- 0000000000400550 <__libc_csu_init>:
- 400550: 41 57 push %r15
- 400552: 41 56 push %r14
- 400554: 41 89 ff mov %edi,%r15d
- 400557: 41 55 push %r13
- 400559: 41 54 push %r12
- 40055b: 4c 8d 25 ae 08 20 00 lea 0x2008ae(%rip),%r12 # 600e10 <__frame_dummy_init_array_entry>
- 400562: 55 push %rbp
- 400563: 48 8d 2d ae 08 20 00 lea 0x2008ae(%rip),%rbp # 600e18 <__init_array_end>
- 40056a: 53 push %rbx
- 40056b: 49 89 f6 mov %rsi,%r14
- 40056e: 49 89 d5 mov %rdx,%r13
- 400571: 4c 29 e5 sub %r12,%rbp
- 400574: 48 83 ec 08 sub $0x8,%rsp
- 400578: 48 c1 fd 03 sar $0x3,%rbp
- 40057c: e8 47 fe ff ff callq 4003c8 <_init>
- 400581: 48 85 ed test %rbp,%rbp
- 400584: 74 20 je 4005a6 <__libc_csu_init+0x56>
- 400586: 31 db xor %ebx,%ebx
- 400588: 0f 1f 84 00 00 00 00 nopl 0x0(%rax,%rax,1)
- 40058f: 00
- 400590: 4c 89 ea mov %r13,%rdx
- 400593: 4c 89 f6 mov %r14,%rsi
- 400596: 44 89 ff mov %r15d,%edi
- 400599: 41 ff 14 dc callq *(%r12,%rbx,8)
- 40059d: 48 83 c3 01 add $0x1,%rbx
- 4005a1: 48 39 eb cmp %rbp,%rbx
- 4005a4: 75 ea jne 400590 <__libc_csu_init+0x40>
- 4005a6: 48 83 c4 08 add $0x8,%rsp
- 4005aa: 5b pop %rbx
- 4005ab: 5d pop %rbp
- 4005ac: 41 5c pop %r12
- 4005ae: 41 5d pop %r13
- 4005b0: 41 5e pop %r14
- 4005b2: 41 5f pop %r15
- 4005b4: c3 retq
- 4005b5: 90 nop
- 4005b6: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
- 4005bd: 00 00 00
点击(此处)折叠或打开
- 0000000000400526 <main>:
- 400526: 55 push %rbp
- 400527: 48 89 e5 mov %rsp,%rbp
- 40052a: 48 83 ec 10 sub $0x10,%rsp
- 40052e: 89 7d fc mov %edi,-0x4(%rbp)
- 400531: 48 89 75 f0 mov %rsi,-0x10(%rbp)
- 400535: bf d4 05 40 00 mov $0x4005d4,%edi
- 40053a: e8 c1 fe ff ff callq 400400 <puts@plt>
- 40053f: b8 00 00 00 00 mov $0x0,%eax
- 400544: c9 leaveq
- 400545: c3 retq
- 400546: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
- 40054d: 00 00 00
点击(此处)折叠或打开
- 00000000004005c0 <__libc_csu_fini>:
- 4005c0: f3 c3 repz retq
NOTE: Linux当中,任何应用程序的退出,都是由do_exit完成,即使是main函数主动return也是如此,最多只是封装不一样。c库中调用main函数的逻辑如下:
点击(此处)折叠或打开
- XXXX(....)
- {
- result = main (argc, argv, __environ MAIN_AUXVEC_PARAM);
- exit (result);
- }
从上面的简单说明当中,我们初步的了解了程序从运行是怎么到main函数的。以上遗留的问题,会在下一篇文档给出说明:
1、execve函数内核实现,创建进程逻辑,生命的摇篮(后续讲解)
2、动态解释器工作细节(后续讲解)
3、延迟加载PLT实现细节(后续讲解)
4、do_exit怎么完成回收(后续讲解)
文中对汇编代码并没有详细描述,对于__libc_csu_fini,__libc_csu_init函数的实现,大家可以下载glibc库,去查看具体的对应实现。
注:第一次写,写的比较尴尬。