7.5.2. Indirect PLTs

An indirect PLT stores the data entry at a different location from the PLT code. The PLT code is placed in the code section of the executable. The data entry is normally stored in the data section of the executable, in a special area of the Global Offset Table (GOT) called the PLTGOT. Separating the data entry from the code means that the code generated for an indirect PLT differs from that of a direct PLT, and it provides more flexibility. Rather than writing to the PLT directly in the executable image, the dynamic linker writes the address of bar into the PLTGOT. The dynamic linker typically loads the PLTGOT into a more easily accessible read/write area of memory.

The target platform or operating system determines whether the GOT is generated by the dynamic linker or the static linker. Figure 7.2 shows the GOT being generated by the dynamic linker, as in the BPABI model, whereas the GOT is generated by the static linker when targeting the SysV ARM Linux model.

Figure 7.2. Function calls via indirect PLTs


The following example disassembly shows an indirect PLT and relocation.

** Section #1 'ER_RO' (SHT_PROGBITS) [SHF_ALLOC + SHF_EXECINSTR]
    Size   : 44 bytes (alignment 4)
    Address: 0x00008000

    $t
        0x00008000:    4778        xG      BX       pc
        0x00008002:    46C0        .F      MOV      r8,r8
    $a
        0x00008004:    E59FC004    ....    LDR      r12,[pc,#4] ; [0x8010] = 0
        0x00008008:    E59CC000    ....    LDR      r12,[r12,#0]
        0x0000800C:    E12FFF1C    ../.    BX       r12
    $d
        0x00008010:    00000000    ....    DCD    0
    $a
    .text
    foo
        0x00008014:    E92D4010    .@-.    PUSH     {r4,lr}
        0x00008018:    EBFFFFF9    ....    BL       0x8004 ; 0x8004
        0x0000801C:    E59F0004    ....    LDR      r0,[pc,#4] ; [0x8028] = 0
        0x00008020:    E5900000    ....    LDR      r0,[r0,#0]
        0x00008024:    E8BD8010    ....    POP      {r4,pc}
    $d
        0x00008028:    00000000    ....    DCD    0

:
:

** Section #5 '.dyn' (SHT_REL)
    Size   : 16 bytes (alignment 4)
    Symbol table #3 '.dynsym'
    2 relocations applied to section #0 '[Anonymous Section]'

    #  Offset       Relocation Type    Wrt   Symbol   Defined in

    0  0x00008010   95 R_ARM_GOT_ABS   2     bar      Ref
    1  0x00008028    2 R_ARM_ABS32     3     x        Ref

There are two obvious differences:

The R_ARM_GOT_ABS relocation instructs the dynamic linker to provide the absolute address of the GOT entry. The first LDR instruction loads into register R12 the address of the GOT entry, determined by the dynamic linker.
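
The following added example (not part of the ARM documentation) walks the listing above the way a binary auditor would: it decodes the BL in foo, follows it to the PLT entry, computes the literal address read by the first LDR, and matches that address against the relocation table to name the imported symbol. The function names are hypothetical, and the instruction words and relocations are copied from the listing; ARM-state encodings are assumed.

```python
# Constructed from the disassembly listing above: address -> ARM instruction word.
WORDS = {
    0x8004: 0xE59FC004,  # LDR r12,[pc,#4]
    0x8008: 0xE59CC000,  # LDR r12,[r12,#0]
    0x800C: 0xE12FFF1C,  # BX  r12
    0x8010: 0x00000000,  # literal patched by the dynamic linker
    0x8018: 0xEBFFFFF9,  # BL  0x8004
}
# Relocation table from section '.dyn': offset -> (type, symbol).
RELOCS = {0x8010: ("R_ARM_GOT_ABS", "bar"), 0x8028: ("R_ARM_ABS32", "x")}


def bl_target(addr, word):
    """Return the destination of an ARM-state BL, or None if word is not BL."""
    if (word >> 24) & 0x0F != 0x0B:
        return None
    imm24 = word & 0x00FFFFFF
    if imm24 & 0x800000:            # sign-extend the 24-bit offset
        imm24 -= 1 << 24
    return (addr + 8 + (imm24 << 2)) & 0xFFFFFFFF   # pc reads as addr + 8


def ldr_literal_addr(addr, word):
    """Return the address read by LDR Rt,[pc,#imm12], or None otherwise."""
    if word & 0x0F7F0000 != 0x051F0000:   # immediate-offset LDR with Rn == pc
        return None
    imm12 = word & 0xFFF
    return addr + 8 + (imm12 if word & (1 << 23) else -imm12)


def resolve_indirect_plt_call(call_addr):
    """Map a BL in the caller to the symbol its indirect PLT entry resolves."""
    stub = bl_target(call_addr, WORDS[call_addr])
    if stub is None:
        return None
    slot = ldr_literal_addr(stub, WORDS.get(stub, 0))
    # The rest of the entry must be LDR r12,[r12,#0] followed by BX r12.
    if (slot is None or WORDS.get(stub + 4) != 0xE59CC000
            or WORDS.get(stub + 8) != 0xE12FFF1C):
        return None
    rel_type, symbol = RELOCS.get(slot, (None, None))
    if rel_type != "R_ARM_GOT_ABS":
        return None
    return {"stub": stub, "literal": slot, "symbol": symbol}
```
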

Copyright © 2010 ARM. All rights reserved. ARM DAI 0242A
Non-Confidential ID011411