Application binaries are a result of compile and build operations performed on a single or a set of source files. Program Source files contain functions, data variables of various types (local, global, register, static), and abstract data objects, all written and neatly indented with nested control structures as per high level programming language syntax (C/C++). Compilers translate code in each source file into machine instructions (1’s and 0’s) as per target processors Instruction set Architecture and bury that code into object files. Further, Linkers integrate compiled object files with other pre-compiled objects files (libraries, runtime binaries) to create end application binary image called executable.
Source debuggers are tools used to trace execution of an application executable binary. Most amazing feature of a source debugger is its ability to list source code of the program being debugged; it can show the line or expression in the source code that resulted in a particular machine code instruction of a running program loaded in memory. This helps the programmer to analyze a program’s behavior in the high-level terms like source-level flow control constructs, procedure calls, named variables, etc, instead of machine instructions and memory locations. Source-level debugging also makes it possible to step through execution a line at a time and set source-level breakpoints. (If you do not have any prior hands on experience with source debuggers I suggest you to look at this before continuing with following.)
lets explore how source debuggers like gnu gdb work ? So how does a debugger know where to stop when you ask it to break at the entry to some function? How does it manage to find what to show you when you ask it for the value of a variable? The answer is – debug information. All modern compilers are designed to generate Debug information together with the machine code of the source file. It is a representation of the relationship between the executable program and the original source code. This information is encoded as per a pre-defined format and stored alongside the machine code. Many such formats were invented over the years for different platforms and executable files (aim of this article isn’t to survey the history of these formats, but rather to show how they work). Gnu compiler and ELF executable on Linux/ UNIX platforms use DWARF, which is widely used today as default debugging information format.
Word of Advice : Does an Application/ Kernel programmer need to know Dwarf?
Obvious answer to this question is a big NO. It is purely subject matter for developers involved in implementation of a Debugger tool. A normal Application developer using debugger tools would never need to learn or dig into binary files for debug information. This in no way adds any edge to your debugging skills nor adds any new skills into your armory. However, if you are a developer using debuggers for years and curious about how debuggers work read this document for an outline into debug information. If you are a beginner to systems programming or fresher’s learning programming I would suggest not to waste your time as you can safely ignore this.
ELF -DWARF sections
Gnu compiler generates debug information which is organized into various sections of the ELF object file. Let’s use the following source file for compiling and observing DWARF sections
All of the sections with naming debug_xxx are debugging information sections. Information in these sections is interpreted by source debugger like gdb. Each debug_ section holds specific information like
1234567891011
.debug_info core DWARF data containing DIEs
.debug_line Line Number Program
.debug_frame Call Frame Information
.debug_macinfo lookup table for global objects and functions
.debug_pubnames lookup table for global objects and functions
.debug_pubtypes lookup table for global types
.debug_loc Macro descriptions
.debug_abbrev Abbreviations used in the .debug_info section
.debug_aranges mapping between memory address and compilation
.debug_ranges Address ranges referenced by DIEs
.debug_str String table used by .debug_info
Debugging Information Entry (DIE)
Dwarf format organizes debug data in all of the above sections using special objects (program descriptive entities) called Debugging Information Entry (DIE). Each DIE has a tag filed whose value specifies its type, and a set of attributes. DIEs are interlinked via sibling and child links, and values of attributes can point at other DIEs. Now let’s dig into ELF file to view how a DIE looks like. We will begin our exploration with .debug_info section of the ELF file since core DIE’s are listed in it.
123456789101112131415161718192021
root@techveda:~# objdump --dwarf=info . /sample
Above operation shows long list of DIE’s. Let’s limit ourselves to relevant information
./sample: file format elf32-i386
Contents of the .debug_info section:
Compilation Unit @ offset 0x0:
Length: 0x110 (32-bit)
Version: 2
Abbrev Offset: 0
Pointer Size: 4
<0><b>: Abbrev Number: 1 (DW_TAG_compile_unit)
< c> DW_AT_producer : (indirect string, offset: 0xe): GNU C 4.5.2
<10> DW_AT_language : 1 (ANSI C)
<11> DW_AT_name : (indirect string, offset: 0x44): sample.c
<15> DW_AT_comp_dir : (indirect string, offset: 0x71): /root
<19> DW_AT_low_pc : 0x80483c4
<1d> DW_AT_high_pc : 0x8048423
<21> DW_AT_stmt_list : 0x0
Each source file in the application is referred in dwarf terminology as a “compilation unit”. Dwarf data for each compilation unit (source file) starts with a compilation unit DIE. Above dump shows the first DIE’s and tag value “DW_TAG_compile_unit “. This DIE provides general information about compilation unit like source file name (DW_AT_name : (indirect string, offset: 0×44): sample.c), high level programming language used to write source file(DW_AT_language : 1 (ANSI C)) , directory of the source file(DW_AT_comp_dir : (indirect string, offset: 0×71): /root) , compiler and producer of dwarf data( DW_AT_producer : (indirect string, offset: 0xe): GNU C 4.5.2) , start virtual address of the compilation unit (DW_AT_low_pc : 0x80483c4), end virtual address of the unit (DW_AT_high_pc : 0×8048423).
Compilation Unit DIE is the parent for all the other DIE’s that describe elements of source file. Generally, the list of DIE’s that follow will describe data types, followed by global data, then the functions that make up the source file. The DIEs for variables and functions are in the same order in which they appear in the source file.
How does debugger locate Function Information ?
While using source debuggers we often instruct debugger to insert or place break point at some function, expecting the debugger to pause program execution at functions. To be able to perform this task, debugger must have some mapping between a function name in the high-level code and the address in the machine code where the instructions for this function begin. For this mapping information debuggers rely on DIE’s that describes specified function. DIE’s describing functions in a compilation unit are assigned tag value “DW_TAG_subprogram” subprogram as per dwarf terminology is a function.
In our sample application source we have two functions (main, add), dwarf should generate a “DW_TAG_subprogram” DIE’s for each function, these DIE attributes would define function mapping information that debugger needs for resolving machine code addresses with function name.
12345678910
Each “DW_TAG_subprogam” DIE contains
function scope
function name
source file or compilation unit in which function is located
line no in the source file where the function starts
Functions return type
Start address of the fucntion
End address of the function
Frame information of the function.
We now have accessed DIE description of function’s main and add. Let’s analyze attribute information of add fucntions DIE.
Function scope: DW_AT_external : 1 (scope external)
Function name: DW_AT_name : add
Source file or compilation unit in which function is located: DW_AT_decl_file : 1 (indicates 1st compilation unit which is sample.c)
line no in the source file where the function starts: DW_AT_decl_line : 4 ( indicates line no 4 in source file)
1234567891011121314151617
1#include <stdio.h>
2#include <stdlib.h>
3
4int add(int x, int y)
5{
6 return x + y;
7}
8int main()
9{
10 int a = 10, b = 20;
11 int result;
12 int (*fp) (int, int);
13
14 fp = add;
15 result = (*fp) (a, b);
16 printf(" %dn", result);
17}
Function’s source line no matched with DIE description of line no. let’s continue with rest of the attribute values
Functions return type: DW_AT_type : <0x4f>
As we have already understood that values of attributes can point to other DIE , here is an example of it. Value DW_AT_type : <0x4f> indicates that return type description is stored in other DIE at offset 0x4f.
This DIE describes data type and composition of return type of the function add, as per DIE attribute values return type is signed int of size 4 bytes.
Start address of the function : DW_AT_low_pc : 0x80483c4
End address of the function: DW_AT_high_pc : 0x80483d1
Above values indicate start and end virtual address of the machine instructions of add function, we can verify that with binary dump of the function
How does debugger find program data (variables…) Information?
When the program hits assigned break point in a function, debugger pauses the program execution, at this time we can instruct debugger to show or print values of variables, by using debugger commands like print or display followed by variable name (ex: print a) How does debugger know where to find memory location of the variable ? Variables can be located in global storage, on the stack, and even in registers.The debugging information has to be able to reflect all these variations, and indeed DWARF does. As an example let’s take a look at complete DIE information set for main function.
Note the first number inside the angle brackets in each entry. This is the nesting level – in this example entries with <2> are children of the entry with <1>. main function has three integer variables a,b and result each of these variables are described with DW_TAG_variable nested DIE’s (0xc4, 0xd0, 0xdc). main function also has a function pointer fp described in DIE 0xea . Variable DIE attributes specify variable name (DW_AT_name), declaration line no in source function (DW_AT_decl_line ), pointer to address of DIE describing variables data type (DW_AT_type) and relative location of the variable within function’s frame (DW_AT_location).
To locate the variable in the memory image of the executing process, the debugger will look at the DW_AT_location attribute of DIE. For a its value is DW_OP_fbreg4 (esp):28. This means that the variable is stored at offset 28 from the top in the frame of containing function. The DW_AT_frame_base attribute of main has the value 0×38(location list), which means that this value actually has to be looked up in the location list section. Let’s look at it:
Offset column 0×38 values are the entries for main function variables. Each entry here describes possible frame base address with respect to where debugger may be paused by break point within function instructions; it specifies the current frame base from which offsets to variables are to be computed as an offset from a register. For x86, bpreg4 refers to esp and bpreg5 refers to ebp. Before analyzing further lets look at disassemble dump for main function
First two instructions deal with function’s preamble, function’s stack frame base pointer is determined after pre-amble instructions are executed. Ebp remains constant throughout function’s execution and esp keeps changing with data being pushed and popped from the stack frame. From the above dump instructions at offset 80483db and 80483e3 are assigning values 10 and 20 to variables a, and b. These variables are being accessed their offset in stack frame relative to location of current esp( variable a: 0x1c(%esp), variable b: 0×18(%esp)). Now let’s assume that break point was set after initializing a and b variables and program paused, and we have run print command to view conents of a or b variables. Debugger would access 3rd record of the main function’s dwarf debug.loc table since our break point falls between 080483d5 – 08048422 region of the function code.
Now as per records debugger will locate a with esp + 28 , b with esp +24 and so on…
Looking up line number information
We can set breakpoints mentioning line no’s Lets now look at how debuggers resolve line no’s to machine instruction’s? DWARF encodes a full mapping between lines in the C source code and machine code addresses in the executable. This information is contained in the .debug_line section and can be extracted using objdump
1234567891011121314151617
root@techveda:~# objdump --dwarf=decodedline ./sample
./sample: file format elf32-i386
Decoded dump of debug contents of section .debug_line:
CU: sample.c:
File name Line number Starting address
sample.c 5 0x80483c4
sample.c 6 0x80483c7
sample.c 7 0x80483d0
sample.c 9 0x80483d2
sample.c 10 0x80483db
sample.c 14 0x80483eb
sample.c 15 0x80483f3
sample.c 16 0x804840c
sample.c 17 0x8048421
This dump shows machine instruction line no’s for our program. It is quite obvious that line no’s for non-executable statements of the source file need not be tracked by dwarf .we can map the above dump to our source code for analysis.
1234567891011121314151617
1 #include <stdio.h>
2 #include <stdlib.h>
3
4 int add(int x, int y)
5 {
6 return x + y;
7 }
8 int main()
9 {
10 int a = 10, b = 20;
11 int result;
12 int (*fp) (int, int);
13
14 fp = add;
15 result = (*fp) (a, b);
16 printf(" %dn", result);
17 }
From the above it should be clear of what debugger does it is instructed to set breakpoint at entry into function add, it would insert break point at line no 6 and pause after pre-amble of function add is executed.
What’s next?
if you are into implementation of debugging tools or involved in writing programs/tools that simulate debugger facilities/ read binary files , you may be interested in specific programming libraries libbfd or libdwarf.
Binary File Descriptor library (BFD) or libbfd as it is called provides ready to use functions to read into ELF and other popular binary files. BFD works by presenting a common abstract view of object files. An object file has a “header” with descriptive info; a variable number of “sections” that each has a name, some attributes, and a block of data; a symbol table; relocation entries; and so forth. Gnu binutils package tools like objdump, readelf and others have been written using these libraries.
Libdwarf is a C library intended to simplify reading (and writing) applications built with DWARF2, DWARF3 debug information.
Dwarfdump is an application written using libdwarf to print dwarf information in a human readable format. It is also open sourced and is copyrighted GPL. It provides an example of using libdwarf to read DWARF2/3 information as well as providing readable text output.
