Next: elfedit, Previous: dlltool, Up: Top [Contents][Index]

14 readelf

readelf displays information about one or more ELF format objectfiles. The options control what particular information to display.

Linux Objdump

elffile… are the object files to be examined. 32-bit and64-bit ELF files are supported, as are archives containing ELF files.

Mar 14, 2013 objDump, a small Java framework that dumps any Java object to a string. Apr 13, 2021 objdump - Displays information from object files. Ranlib - Generates an index to the contents of an archive. Readelf - Displays information from any ELF format object file. Size - Lists the section sizes of an object or archive file. Strings - Lists printable strings from files. Strip - Discards symbols. Mar 04, 2015 Objdump is a program that displays information about inputted object files. The object file that is created when code is compiled is an ELF(Executable and Linkable Format) or as we will see it, “a.out”. We can take this object file and use Objdump to view the programs object code.

This program performs a similar function to objdump but itgoes into more detail and it exists independently of the BFDlibrary, so if there is a bug in BFD then readelf will not beaffected.

The long and short forms of options, shown here as alternatives, areequivalent. At least one option besides ‘-v’ or ‘-H’ must begiven.

Equivalent to specifying --file-header,--program-headers, --sections, --symbols,--relocs, --dynamic, --notes,--version-info, --arch-specific, --unwind,--section-groups and --histogram.

Note - this option does not enable --use-dynamic itself, soif that option is not present on the command line then dynamic symbolsand dynamic relocs will not be displayed.

Displays the information contained in the ELF header at the start of thefile.

Displays the information contained in the file’s segment headers, if ithas any.

Displays the information contained in the file’s section headers, if ithas any.

Displays the information contained in the file’s section groups, if ithas any.

Displays the detailed section information. Implies -S.

Displays the entries in symbol table section of the file, if it has one.If a symbol has version information associated with it then this isdisplayed as well. The version string is displayed as a suffix to thesymbol name, preceded by an @ character. For example‘foo@VER_1’. If the version is the default version to be usedwhen resolving unversioned references to the symbol then it isdisplayed as a suffix preceded by two @ characters. For example‘foo@@VER_2’.

Displays the entries in dynamic symbol table section of the file, if ithas one. The output format is the same as the format used by the--syms option.

Displays the contents of any LTO symbol tables in the file.

Decode (demangle) low-level symbol names into user-level names.This makes C++ function names readable. Different compilers havedifferent mangling styles. The optional demangling style argument canbe used to choose an appropriate demangling style for yourcompiler. See c++filt, for more information on demangling.

Do not demangle low-level symbol names. This is the default.

Enables or disables a limit on the amount of recursion performedwhilst demangling strings. Since the name mangling formats allow foran infinite level of recursion it is possible to create strings whosedecoding will exhaust the amount of stack space available on the hostmachine, triggering a memory fault. The limit tries to prevent thisfrom happening by restricting recursion to 2048 levels of nesting.

The default is for this limit to be enabled, but disabling it may benecessary in order to demangle truly complicated names. Note howeverthat if the recursion limit is disabled then stack exhaustion ispossible and any bug reports about such an event will be rejected.

Display all the headers in the file. Equivalent to -h -l -S.

Displays the contents of the NOTE segments and/or sections, if any.

Displays the contents of the file’s relocation section, if it has one.

Displays the contents of the file’s unwind section, if it has one. Onlythe unwind sections for IA64 ELF files, as well as ARM unwind tables(.ARM.exidx / .ARM.extab) are currently supported. Ifsupport is not yet implemented for your architecture you could trydumping the contents of the .eh_frames section using the--debug-dump=frames or --debug-dump=frames-interpoptions.

Displays the contents of the file’s dynamic section, if it has one.

Displays the contents of the version sections in the file, it theyexist.

Displays architecture-specific information in the file, if thereis any.

When displaying symbols, this option makes readelf use thesymbol hash tables in the file’s dynamic section, rather than thesymbol table sections.

When displaying relocations, this option makes readelfdisplay the dynamic relocations rather than the static relocations.

Displays warning messages about possible problems with the file(s)being examined. If used on its own then all of the contents of thefile(s) will be examined. If used with one of the dumping optionsthen the warning messages will only be produced for the things beingdisplayed.

Displays the contents of the indicated section as a hexadecimal bytes.A number identifies a particular section by index in the section table;any other string identifies all sections with that name in the object file.

Displays the contents of the indicated section as a hexadecimalbytes. A number identifies a particular section by index in thesection table; any other string identifies all sections with that namein the object file. The contents of the section will be relocatedbefore they are displayed.

Displays the contents of the indicated section as printable strings.A number identifies a particular section by index in the section table;any other string identifies all sections with that name in the object file.

Requests that the section(s) being dumped by x, R orp options are decompressed before being displayed. If thesection(s) are not compressed then they are displayed as is.

Displays the file symbol index information contained in the header partof binary archives. Performs the same function as the tcommand to ar, but without using the BFD library. See ar.

Displays the contents of the DWARF debug sections in the file, if anyare present. Compressed debug sections are automatically decompressed(temporarily) before they are displayed. If one or more of theoptional letters or words follows the switch then only those type(s)of data will be dumped. The letters and words refer to the followinginformation:

Displays the contents of the ‘.debug_abbrev’ section.

Displays the contents of the ‘.debug_addr’ section.

Displays the contents of the ‘.debug_cu_index’ and/or‘.debug_tu_index’ sections.

Display the raw contents of a ‘.debug_frame’ section.

Display the interpreted contents of a ‘.debug_frame’ section.

Displays the contents of the ‘.gdb_index’ and/or‘.debug_names’ sections.

Displays the contents of the ‘.debug_info’ section. Note: theoutput from this option can also be restricted by the use of the --dwarf-depth and --dwarf-start options.

Displays the contents of the ‘.gnu_debuglink’ and/or‘.gnu_debugaltlink’ sections. Also displays any links toseparate dwarf object files (dwo), if they are specified by the DW_AT_GNU_dwo_name or DW_AT_dwo_name attributes in the‘.debug_info’ section.

Display the contents of any selected debug sections that are found inlinked, separate debug info file(s). This can result in multipleversions of the same debug section being displayed if it exists inmore than one file.

Objdump Command

In addition, when displaying DWARF attributes, if a form is found thatreferences the separate debug info file, then the referenced contentswill also be displayed.

Displays the contents of the ‘.debug_line’ section in a rawformat.

Displays the interpreted contents of the ‘.debug_line’ section.

Displays the contents of the ‘.debug_macro’ and/or‘.debug_macinfo’ sections.

Displays the contents of the ‘.debug_loc’ and/or‘.debug_loclists’ sections.

Displays the contents of the ‘.debug_str_offsets’ section.

Displays the contents of the ‘.debug_pubnames’ and/or‘.debug_gnu_pubnames’ sections.

Displays the contents of the ‘.debug_aranges’ section.

Displays the contents of the ‘.debug_ranges’ and/or‘.debug_rnglists’ sections.

Displays the contents of the ‘.debug_str’, ‘.debug_line_str’and/or ‘.debug_str_offsets’ sections.

Displays the contents of the ‘.debug_pubtypes’ and/or‘.debug_gnu_pubtypes’ sections.

Displays the contents of the ‘.trace_aranges’ section.

Displays the contents of the ‘.trace_abbrev’ section.

Displays the contents of the ‘.trace_info’ section.

Note: displaying the contents of ‘.debug_static_funcs’,‘.debug_static_vars’ and ‘debug_weaknames’ sections is notcurrently supported.

Limit the dump of the .debug_info section to n children.This is only useful with --debug-dump=info. The default isto print all DIEs; the special value 0 for n will also have thiseffect.

With a non-zero value for n, DIEs at or deeper than nlevels will not be printed. The range for n is zero-based.

Print only DIEs beginning with the DIE numbered n. This is onlyuseful with --debug-dump=info.

If specified, this option will suppress printing of any headerinformation and all DIEs before the DIE numbered n. Onlysiblings and children of the specified DIE will be printed.

This can be used in conjunction with --dwarf-depth.

Display the contents of the specified CTF section. CTF sections themselvescontain many subsections, all of which are displayed in order.

Specify the name of another section from which the CTF dictionary can inherittypes. (If none is specified, we assume the CTF dictionary inherits typesfrom the default-named member of the archive contained within this section.)

Specify the name of another section from which the CTF file can inheritstrings and symbols. By default, the .symtab and its linkedstring table are used.

If either of --ctf-symbols or --ctf-strings is specified, theother must be specified as well.

Display a histogram of bucket list lengths when displaying the contentsof the symbol tables.

Display the version number of readelf.

Don’t break output lines to fit into 80 columns. By defaultreadelf breaks section header and segment listing lines for64-bit ELF files, so that they fit into 80 columns. This option causesreadelf to print each section header resp. each segment one asingle line, which is far more readable on terminals wider than 80 columns.

Normally when readelf is displaying a symbol name, and it has totruncate the name to fit into an 80 column display, it will add asuffix of [...] to the name. This command line optiondisables this behaviour, allowing 5 more characters of the name to bedisplayed and restoring the old behaviour of readelf (prior to release2.35).

Display the command-line options understood by readelf.

Next: elfedit, Previous: dlltool, Up: Top [Contents][Index]

• eBPF Step by Step with LLVM

This post was left aside as a draft for a long time. Most of it was written inDecember 2017. I publish it with the hope it can still be helpful today, eventhough the Cilium guide also covers the feature.

Objdump Function Dependencies

One of the most useful evolution of eBPF (extended Berkeley Packet Filter)over the old BPF version (or cBPF, for classic BPF) is the availability of aback end based on clang and LLVM, allowing to produce eBPF bytecode from Csource code.¹

For example, a simple eBPF program returning zero can be compiled from thefollowing code:

The command line looks like:

Note: some programs, more evolved than this sample, might need to pass the-mcpu option to llc and would use something closer to the following commandinstead:

This creates an object file in ELF format that contains the compiled bytecode.By default, the code is under the .text ELF section. Let’s dump it:

It worked! We have two eBPF instructions here:

If you are not familiar with eBPF assembly syntax, you may be interested inthis short reference(or atthe complete documentation,but it is dense).

Compiling from C to eBPF bytecode as an object file is really useful. The ELFfile produced can be directly used to attach the programs to the various hooks:TC, XDP, kprobes, etc. Writing advanced programs as bytecode would be very timeconsuming, and as I finish to edit this article in 2020, leveraging morecomplex features such asCO-REsimply cannot be done by hand. Clang and LLVM are an integral part of the eBPFworkflow.

However, it may not be a convenient solution for someone who needs to test avery specific eBPF instruction sequence, or to fine-tune a particular aspect ofthe program. What if I want to tinker with the instructions? What if I want toadd a third eBPF instruction at the end of my program to set another value toregister r0 after the program exited? Granted, this example is useless, butstill, I should be able to try that!

To do so, we can:

• Write an eBPF program in eBPF bytecode, from scratch. This is perfectlydoable, but can be long and tedious, and absolutely not user-friendly. And toremain compatible with tools like tc, the program has to be turned into anobject file anyway, which adds an additional step to the process.

• Use an assembly language to write the program from scratch, at least not inbytecode, then compile it with a dedicated assembler (for example:ebpf_asm in Python by Solarflare).

As part of recent improvements to LLVM, another solution has emerged, and wecan also:

• Compile from C to an eBPF assembly language. Edit the assembly, then assembleit as bytecode in an object file.

Objdump Command

Clang and LLVM now allow to do just that! Generating a human-readable versionof the program on one side, then assembling it on the other side. Bonus:llvm-objdump can even be used to dump the program contained in anobject-file.

To use all clang and LLVM features presented in this section, you need to usethese tools in version 6.0 or higher. It was the development branch when Istarted to draft this article, but by the time I finished it version 10 hasbeen released, so it should not be problematic.

Compiling from C to eBPF Assembly

Let’s use clang to compile the same program as before from C to eBPF assembly.This is actually done in the same way as you would normally produce assemblyfor your processor from C source code, except you tell clang the target isbpf.²

Great, now let’s modify it and add our instruction at the bottom!

Assembling to an ELF Object File

We can assemble this file into an ELF object file containing the bytecode forthis program. It requires the llvm-mc tool that deals with machine code andcomes along with LLVM.

We have the ELF file! Let’s dump the bytecode:

The first two instructions are unchanged in regard to the original version ofthe program. The third instructions corresponds to what we added to theassembly file: it loads 3 into register r0. We successfully edited theinstructions. We could now load the program into the kernel with bpftool, forexample. Mission complete!

Note that LLVM also provides a way to dump an eBPF object file in ahuman-readable fashion (since version 4.0, if I remember correctly). This isdone with llvm-objdump:

We get the assembly instructions, with the syntax used by LLVM (the one we needto write or edit eBPF assembly, so this is useful). Note the dead instructionwe added at the end of the program.

In addition to the bytecode and assembly instructions, LLVM is able to embeddebug symbols so they can be dumped for inspection. Concretely, we can have theC instructions at the same time as the bytecode. It comes handy to rememberwhat your original program was, but most of all it is super helpful tounderstand how the C instructions map to the eBPF code. Embedding theinstructions is done by compiling from C with the -g flag passed to clang.Let’s give it a try:

Note that we passed -g to clang, and that we also changed the command (now-S instead of -d) passed to llvm-objdump. The return 0; instructionappeared, and is mapped (placed just above) the relevant instructions in theeBPF program. Nice.

Since clang and LLVM know how to produce and compile eBPF assembly, there isanother way to handle instructions. eBPF assembly can now be used directlyinline in a C program, again to produce specific sequences in the bytecode. Seethe example below, somewhat inspired by the example from the BPF and XDPReference Guide from Cilium.

It produces an atomic increment of the value at the address pointed by r2.Because the instruction was written in the C source, we do not need theintermediate step of compilation to assembly.

Should we use inline assembly or intermediate compilation? Both methods areuseful in my opinion: insert a couple instructions as assembly in your C sourcefiles, or create small programs for testing specific sequences of instructions.At Netronome, we have often used the latter for unit tests to check the eBPFhardware offload feature of the nfp driver.

In short, instead of compiling an eBPF program from C to an ELF object file,you can alternatively compile it to an assembly language, edit it according toyour needs, and then assemble this version as the final object file. For thisyou need clang and LLVM in version 6.0 and higher, and the commands are:

And to dump that file in human-readable format:

Additionally, the asm keyword can be used to include eBPF assembler inline ina C program.

eBPF assembly support in LLVM allows one to write any eBPF instruction sequencethey want. Including bugged programs. Do not forget: Even if it compiles, itstill has to pass the verifier. Good luck, and have fun!

1. As I finish this article, there is now a GCC backend as well, but itseems nowhere as complete as the clang/LLVM version, which clearly remainsthe reference tool to produce eBPF bytecode. ↩

2. See the BPF and XDP Reference Guide from Cilium forfurther information on the bpf target, and on the differences with thedefault target. ↩