
I scripted a simple assembly program, and now I'm trying to debug it using gdb.

In gdb I typed:

(gdb) break _start
Breakpoint 1 at 0x4000b0

Is the breakpoint address (0x4000b0) relative to the hard-disk memory location of the code line? Or is it only relative to the program length? (I think that at this point the program is still not loaded in RAM.)

Koinos

1 Answer


It's a virtual address in RAM. You have a position-dependent executable, so the absolute address it will be loaded to is right there in the ELF metadata. (you can use readelf my_program, or the GDB command info files.)

If you had a PIE executable and set a breakpoint before starting it, GDB will give you a breakpoint address that isn't relocated yet, so the first byte of the file is treated as address 0. e.g.

(gdb) b main
Breakpoint 1 at 0x64e: file hello.c, line 3.
(gdb) run
Starting program: /tmp/hello

Breakpoint 1, main () at hello.c:3
(gdb) info br
Num     Type           Disp Enb Address            What
1       breakpoint     keep y   0x000055555555464e in main at hello.c:3
        breakpoint already hit 1 time

Note that 0x64e and 0x000055555555464e have the same offset within a 4k page, because the file gets mapped to a page-aligned address.

Peter Cordes
  • What does the address 0x000055555555464e represent here? It's a very big number o.o – Koinos Nov 09 '18 at 06:42
  • @Koinos: PIE executables on x86-64 Linux are mapped outside of the low 32-bits of virtual address space by default, even with ASLR disabled. Only position-*dependent* executables default to having their text segment at around `0x400000`. `0x000055555555464e` is just a normal user-space virtual address (in the low half of virtual address space; the kernel reserves the high half for itself in every process). – Peter Cordes Nov 09 '18 at 06:45
  • Ah nice, I thought that the example you gave using the gdb shell referred to an ELF :) – Koinos Nov 09 '18 at 07:03
  • @Koinos: PIE executables are ELF, but they're ELF shared objects with an entry point rather than the traditional "ELF Executable" file type. See [32-bit absolute addresses no longer allowed in x86-64 Linux?](https://stackoverflow.com/q/43367427) for more about them. – Peter Cordes Nov 09 '18 at 07:12
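To make the answer's distinction concrete, here is an added example (not from the question, the answer, or GDB itself): it reads e_type and e_entry out of an ELF64 header with Python's struct module, reports whether the binary is position-dependent (ET_EXEC, so the address in the metadata is the runtime address) or PIE (ET_DYN, relocated at load), and computes the page-aligned load bias between an unrelocated breakpoint address and the runtime one. The headers are constructed inline using the page's own addresses instead of being read from a real binary.

```python
import struct

# ELF64 header (64 bytes, little-endian), field order per the ELF spec:
# e_ident[16], e_type, e_machine, e_version, e_entry, e_phoff, e_shoff,
# e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
ELF64_HDR = "<16sHHIQQQIHHHHHH"
ET_EXEC, ET_DYN = 2, 3      # position-dependent executable / PIE or shared object
PAGE_SIZE = 0x1000          # 4 KiB: the granularity at which the file is mapped


def parse_elf64_header(data: bytes) -> dict:
    """Return e_type and e_entry from an ELF64 little-endian header."""
    if len(data) < struct.calcsize(ELF64_HDR):
        raise ValueError("too short for an ELF64 header")
    fields = struct.unpack_from(ELF64_HDR, data)
    ident = fields[0]
    if ident[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if ident[4] != 2 or ident[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    return {"e_type": fields[1], "e_entry": fields[4]}


def describe_entry(hdr: dict) -> str:
    """Explain what the e_entry value means for this e_type."""
    if hdr["e_type"] == ET_EXEC:
        return f"position-dependent: entry loads at absolute VA {hdr['e_entry']:#x}"
    if hdr["e_type"] == ET_DYN:
        return f"PIE/shared object: entry {hdr['e_entry']:#x} is relocated at load"
    return f"e_type {hdr['e_type']} is neither ET_EXEC nor ET_DYN"


def same_page_offset(unrelocated: int, runtime: int) -> bool:
    """True when both addresses share the same offset within a 4 KiB page."""
    return (unrelocated % PAGE_SIZE) == (runtime % PAGE_SIZE)


def load_bias(unrelocated: int, runtime: int) -> int:
    """Page-aligned bias that maps the unrelocated address to the runtime one."""
    if not same_page_offset(unrelocated, runtime):
        raise ValueError("page offsets differ; these are not the same symbol")
    return runtime - unrelocated


def make_header(e_type: int, e_entry: int) -> bytes:
    """Constructed 64-byte ELF64 header for the demo (not a loadable binary)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # class64, LSB, version 1
    return struct.pack(ELF64_HDR, ident, e_type, 62, 1, e_entry,
                       64, 0, 0, 64, 56, 1, 64, 0, 0)


if __name__ == "__main__":
    print(describe_entry(parse_elf64_header(make_header(ET_EXEC, 0x4000B0))))
    print(describe_entry(parse_elf64_header(make_header(ET_DYN, 0x64E))))
    print(hex(load_bias(0x64E, 0x000055555555464E)))   # 0x555555554000
```

Running it on the page's values shows the non-PIE breakpoint at 0x4000b0 needs no relocation, while 0x64e and 0x000055555555464e differ by exactly the page-aligned bias 0x555555554000.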