Home
Blogs
Forums
News
Portfolios
Projects
Tutorials
48 users logged in
New? Learn about game development.
Before posting, review our community guidelines.
Follow Us
Chat in the GameDev.net Discord!
Mastodon
Back to General and Gameplay Programming

Function addresses are not fixed relative to each other?

Started by
13 comments, last by codingJoe 10 years, 9 months ago

AFAIK, it can be noted that Linux uses ASLR by default (ASLR = Address Space Layout Randomization).

where basically, not only does where the library get loaded in RAM vary, but also its exact starting address within a page (the loader may invoke a random number generator in its operation). this makes buffer-overflow exploits harder as function addresses are much more random (and thus harder to guess).

note that you don't just want to randomize absolute addresses, but also relative addresses, since most ISAs use relative addresses for jumps/..., making the relative address fairly relevant as well.

it is possible that the linker may also perform randomization (causing different builds of a program or library to have different layouts). this behavior depends some on the flags used during compilation.

note that it isn't necessarily the case that when getting function pointers within C or C++ code that one will necessarily get the "true" function pointer either. sometimes, a person may instead get what is known as a "trampoline", a function pointer that simply points to a "jmp" instruction or similar which goes somewhere else (sometimes these will be put in as part of the compilation or linking process).

This is on in Windows 7 and up as well, but ASLR is easy to break when the memory address space is nearly completely used and that is why this stuff is only seen as a first line defense.

Worked on titles: CMR:DiRT2, DiRT 3, DiRT: Showdown, GRID 2, theHunter, theHunter: Primal, Mad Max, Watch Dogs: Legion

Advertisement
Going off on a completely different tangent, which probably has no impact in this specific situation --
When you cast your function pointers to integers, I'd always preclude that with a static-assertion testing that the size of your function pointer type is smaller or equal to the size of your int type.

. 22 Racing Series .

I'm only familiar with how this works in Windows PE (exe and dll) files:

- The assembler and linker will organize machine code however it feels like it. Typically a compiler will generate each function as they appear in the source file and the linker will generate a library in the order that objects are passed to it - this is mainly subject to change due to optimizations.

- The output object/library/executable files are partitioned into 'sections'. Each section can be relocated anywhere in RAM when the loader loads it.

- Once the exe or dll is generated, the code within each section of that file will assume that the section will be treated as an immutable chunk. Function calls within one section rely on this.

- A relocation table can be used to remap pointers within the code sections (typically addresses to other sections within the same file), but this never changes the relative offsets of things within the same section.

You should expect code within one section to get the same relative offsets to each other, but only until you recompile or re-link your exe/dll. It will not change between runs of the program. You should never rely on cross-section offsets being the same, OR absolute addresses being the same between runs of the same app, even if you did not recompile.

I've never inspected Linux binaries closely to see if they use this same pattern or not.

it is the same basic pattern, yes.

there are possible differences and things that could be clarified, but I decided against going too much into the specifics of PE/COFF and ELF loaders.

the main difference is mostly that, as applicable, the compiler (GCC) may shuffle things around and link objects in a pseudo-random order.

this doesn't usually change much between runs of a program though, but may effect things between builds.

the assumption in Linux land is generally that people will be regularly recompiling pretty much everything, rather than keeping the same binary around for a decade or more.

the rest is mostly randomizing the load address for a given image, so at one time it may be loaded at one address, and at another time another.

if the functions are not necessarily in the same image, then they will vary.

also it may happen that if you try to fetch a function pointer to a function in a different library, you will not get its true address.

partly it has to do with lazy linking:

the GOT holds an initialization stub, which when called will replace itself with the appropriate function address.

so, it isn't a good idea to return the address directly from the GOT, since if the function hasn't yet been called, it may be the wrong address (pointing to the stub, rather than the target function).

so, instead, what will be returned is a function pointer to a trampoline, which will jump to the address in the GOT.

this way, when the stub is called it can do its thing, and the function pointer will go to the right place.

PE/COFF will often also use trampoline stubs, mostly as a means to allow the compiler to more easily use cheap local calls when possible (at a slight added cost for the case where the function turns out to be a DLL import).

also, ELF will tend to use the GOT as a means of avoiding need for explicit relocation tables, allowing libraries to be mapped to arbitrary addresses without needing to be rebased, and allowing more pages to be shared. but, again, this comes at a slight cost to performance (pretty much everything is done indirectly), and typically keeping a register tied up with keeping track of the GOT.

in contrast, with PE/COFF, the solution is basically "try when possible to always map the DLL to the same base address in every process".

I personally like the PE/COFF strategy a little more, FWIW.

also, the addition of RIP-relative addressing on x64 greatly reduces the need for explicit relocations, while still allowing fast/cheap access to local variables and functions.

though, ELF has a few things it did well as well, FWIW...

Current Status / Downloads: http://cr88192.mooo.com:8080/wiki/index.php/BGB_Current_Status

YouTube Channel: http://www.youtube.com/user/BGBTech

Main Page: http://cr88192.mooo.com:8080/wiki/index.php/Main_Page

When you cast your function pointers to integers, I'd always preclude that with a static-assertion testing that the size of your function pointer type is smaller or equal to the size of your int type.

Of course, if I really have to use printf to output any kind of pointer, I'd just use %p in the first place...

f@dzhttp://festini.device-zero.de

Thanks for all the interesting inputs! It was for me a little bit too much in-depth though ;)

Returning to my initial problem, I would be very curious if someone finds out what is going on because it is extremely mysterious to me:

1) I am not doing any fancy things. Specially not memory manipulation, etc.

2) The strange thing only happens on Linux. Windows and Mac run fine.

3) The application is cross-platform and based on Qt.

4) When working with Qt4.8, the problem doesn't happen on Linux. With Qt5.1.0, yes, even if the compiler is the same g++ 4.6.3

5) And here the actual mysterious thing:

a) I have a library LIB that exports several API functions. I also have a client application APP that dynamically loads the LIB and binds ALL of its functions at once.

b) Internally, the LIB itself calls some of its exported API functions

c) If APP calls the API function X, or rather just "mentions" a call to the API function X (i.e. the function doesn't need to be executed), then the LIB cannot call the same function, because the function pointer is invalid for the LIB (but working for the APP)

d) if a second APP, say APP2 doesn't call and doesn't "mention" a call to the API function X, then the LIB can call the function X and it works (i.e. no crash with APP2)

e) between c) and d) the LIB has not changed. It is exactly the same file. I verified also that the crash is linked to the function pointer X being invalid internally

To summarize above explanations, here a typical example:

LIB, file1:


void randomFunction()
{
    printHello(); // internally calling the API function that this LIB exports
}

LIB, file2:


extern "C" __attribute__((visibility("default"))) void printHello()
{ // one of the functions that this LIB exports
    printf("Hello\n");
}

APP:


int main(int argc,char* argv[])
{
    // Dynamically load LIB with: lib=dlopen(pathAndFilename,RTLD_LAZY)
    // Bind ALL API functions with: dlsym(lib,funcName);
    for (int i=0;i<10000000000;i++)
        printf("."); // just spend "almost" infinite time here
    printHello(); // this is actually never executed. But if we remove the loop here above, this function would execute correctly
}

APP2:


int main(int argc,char* argv[])
{
    // Dynamically load LIB with: lib=dlopen(pathAndFilename,RTLD_LAZY)
    // Bind ALL API functions with: dlsym(lib,funcName);
    for (int i=0;i<10000000000;i++)
        printf("."); // just spend "almost" infinite time here
    // printHello(); 
}

The difference between APP and APP2 is minimal. The LIB that APP and APP2 load and bind is exactly the same. However, only with APP2 can the LIB function 'randomFunction' safely call 'printHello'. With APP, 'randomFunction' executes only to the point where 'printHello' has to be called, then crashes. Verifying the 'printHello' function address inside that 'randomFunction' reveals an illegal address --> it is logical that it crashes, but not logical that the address is illegal with APP and not illegal with APP2.

Did I make sense? I am already trying to figure out what is going on since a few days, and the more I move forward, the more I feel lost..

This topic is closed to new replies.

Advertisement

Popular Topics

theish
Can AI Tools Streamline Game Development? For Beginners
Nosey
Ideas for a new genre (anonimous) Game Design and Theory
Calin
Avoiding other units without using pathfinding General and Gameplay Programming
elboursicode
I need help about my client netcode Networking and Multiplayer
black4
Quake 1 source code triangle rasterization General and Gameplay Programming
pixelamped
What's the best way to make items/upgrades in a rouge-like? General and Gameplay Programming
Advertisement

Recommended Tutorials

Myopic Rhino
Map File Format General and Gameplay Programming
Jean-Ren
Making Machines Learn Artificial Intelligence
polyfrag
Preview: Reliable UDP implementation, lockstep, LAN, and parity bit checking Networking and Multiplayer
Myopic Rhino
Point in a poly Math and Physics
Myopic Rhino
So you wanna work in a startup? Career Development

Reticulating splines

About GameDev.net
Community Guidelines
Terms of Service
Privacy Policy
Contact Us
Copyright (c) 1999-2024 GameDev.net, LLC
Back to Top