Introduction

Compiling and executing a C program is a multi-stage process. In this post I’ll walk through each stages of compiling and executing the following C program with filename test.c:

#include <stdio.h>

#define LOOP_TIMES 10

int main(int argc, char *argv[])
{
    for (int i = 0; i < LOOP_TIMES; i++)
    {
        printf("Hello World #%i!\n", i);
    }
    return 0;
}

Our testings are performs on Debian Bullseye AMD64, intermediate result may vary depending on the OS and hardware.

Preprocessing

The first stage of compilation is called preprocessing. In this stage, the C pre-processor is responsible for handling pre-processor directives (lines starting with a # character). These pre-processor directives form a simple macro language with its own syntax and semantics. This language is used to reduce repetition in source code, e.g. lines with #include are replaced by the contents of the referenced file (with different search rules for names in quotes versus those in angle brackets). Names introduced with #define are systematically replaced with their definitions throughout the program, #if and its relatives are processed to conditionally omit code, etc…

To get the result of the preprocessing stage, we can pass -E option to gcc

gcc -E -o test.i test.c

The output after preprocessing stage in my machine look like following

// ... omitted for brevity
# 873 "/usr/include/stdio.h" 3 4

# 2 "test.c" 2




# 5 "test.c"
int main(int argc, char *argv[])
{
    for (int i = 0; i < 10; i++)
    {
        printf("Hello World #%i!\n", i);
    }
    return 0;
}

Compilation

In this stage, the actual compiler translates pre-processed source into assembly language. These form an intermediate human-readable language. The existence of this step allows for C code to contain inline assembly instructions and for different assemblers to be used. To get the result of the compilation stage, pass the -S option to gcc:

gcc -S -o test.s test.i

The output after compilation stage in my machine look like following

    .file	"test.c"
    .text
    .section	.rodata
.LC0:
    .string	"Hello World #%i!\n"
    .text
    .globl	main
    .type	main, @function
main:
.LFB0:
    .cfi_startproc
    pushq	%rbp
    .cfi_def_cfa_offset 16
    .cfi_offset 6, -16
    movq	%rsp, %rbp
    .cfi_def_cfa_register 6
    subq	$32, %rsp
    movl	%edi, -20(%rbp)
    movq	%rsi, -32(%rbp)
    movl	$0, -4(%rbp)
    jmp	.L2
.L3:
    movl	-4(%rbp), %eax
    movl	%eax, %esi
    leaq	.LC0(%rip), %rdi
    movl	$0, %eax
    call	printf@PLT
    addl	$1, -4(%rbp)
.L2:
    cmpl	$9, -4(%rbp)
    jle	.L3
    movl	$0, %eax
    leave
    .cfi_def_cfa 7, 8
    ret
    .cfi_endproc
.LFE0:
    .size	main, .-main
    .ident	"GCC: (Debian 10.2.1-6) 10.2.1 20210110"
    .section	.note.GNU-stack,"",@progbits

Assembly

During this stage, The assembler converts the assembly language source to an unlinked relocatable object file in ELF format. The output contains the actual instructions to be run by the target processor. However, an unlinked relocatable object file is not executable yet: it may require definitions from other files, including libraries. To get the result of the assembly stage, pass the -c option to gcc:

gcc -c -o test.o test.s

or we can manually invoke as

as -o test.o test.s

Running the above command will produce an unlinked relocatable object file in ELF format named test.o. We can inspect the ELF sections with readelf -a test.o | less and to see the content of specific section we can use readelf -x .text test.o.

Linking

The object files generated in the assembly stage is composed of machine instructions that the processor understands, but some pieces of the program are out of order or missing. The linker resolves all the references in a set of object files or archive so that functions in some pieces can successfully call functions in other ones, and then produces an executable. To get the final executable use following command, -v option give us detail information of linking process.

gcc -v -o test.elf test.o

We can also manually invoke linker separately using ld to get the final executable.

GLIBC_LIB_DIR="/usr/lib/x86_64-linux-gnu"
GCC_LIB_DIR="/usr/lib/gcc/x86_64-linux-gnu/10"
STARTFILES="$GLIBC_LIB_DIR/crt1.o $GLIBC_LIB_DIR/crti.o"
ENDFILES="$GLIBC_LIB_DIR/crtn.o"
ld -o test.elf -dynamic-linker /lib64/ld-linux-x86-64.so.2 $STARTFILES test.o $GLIBC_LIB_DIR/libc.so $ENDFILES

The final executable is also a ELF file.

ELF

Executable and Linkable Format (ELF) is a common standard file format used in UNIX system for executable files, object code, shared libraries, and core dumps.

Execution

At first, it seems when a program is executed, it starts with the int main(int argc, char *argv[]), however it is not quite true.

Load Executable with Interpreter

Firstly, when we try to run a program, it trigger an execve system call to the kernel. The kernel allocates the structure linux_binprm for a new process, open the executable file from disk, find the corresponding interpreter for the executable, in case of our C program executable in ELF format is then executed with ELF loader.

Load Dynamic Linker

The ELF loader read program headers table of executable which contains a field INTERP. For dynamically linked program INTERP is the path to dynamic linker. We can use readelf --program-headers test.elf to see the program headers table and use readelf -x .interp test.elf to see the value of INTERP, its value is /lib64/ld-linux-x86-64.so.2 in my machine. The kernel opens and reads the dynamic linker executable in ELF format.

Auxiliary Vector

Kernel uses a special structure called the auxiliary vector or auxv to comminicate with dymanic linker. Kernel prepares auxv and pass auxv by putting on the stack for the newly created program. Thus, when the dynamic linker starts it can use its stack pointer to find the all the startup information required. It contains system specific information that may be required, such as the default size of a virtual memory page on the system or hardware capabilities. We can request the dynamic linker to show some debugging output of the auxv by specifying the environment value LD_SHOW_AUXV=1

Call Dynamic Linker with Program Entry Point

Kernel looks for the e_entry field from the ELF header of our program executable which contains the entry point address which by default is symbol _start. We can examine the entry point with objdump -f test.elf. We can use option --entry=<symbol name> of ld to change entry point to other symbol.

Kernel adds the value of e_entry to auxv. Kernel then starts the execution from the entry point address as specified by dynamic linker.

Dynamic Linker

Investigating the dynamic linker with command objdump -f /lib64/ld-linux-x86-64.so.2 and objdump --disassemble --section=.text /lib64/ld-linux-x86-64.so.2 we found the entry point of dynamic linker is function _dl_rtld_di_serinfo. It does some linking process on the fly by loading any libraries as specified in the dynamic section of the program executable in ELF format and then continue execution from our program executable entry point address which was passed in.

Kernel Library

To avoid the overheads of system calls by triggering a trap to the processor which is slow. Kernel loads a shared library (ref: #1, #2, #3) into the address space of every newly created process which contains a function that makes system calls for you. When the kernel starts the dynamic linker it adds an entry AT_SYSINFO_EHDR to the auxv structure (ref: #1, #2) which is the address in the memory that the special kernel library lives in. When the dynamic linker starts it can look for the AT_SYSINFO_EHDR pointer, and if found load that library for the program. The program has no idea this library exists; this is a private arrangement between the dynamic linker and the kernel.

The programmers make system calls indirectly through calling functions in the standard C library. The standard C library can check to see if the special kernel binary is loaded, and if so use the functions within that to make system calls. If the kernel determines the hardware is capable, this will use the fast system call method.

The role of _start function

As you might have already noticed, in the linking section we have to include somes extras files, this is because the symbol _start is defined in crt1.o (Some systems use crt0.o, while some use crt1.o and a few even use crt2.o or higher). It takes care of bootstrapping the initial execution of the program, e.g. setup arguments, prepare environment variables for program execution etc. What exactly that entails is highly libc implementation dependent. The objects are provided by different implementations of libc and cannot be mixed with other ones.

The following code is disassembled version of _start with objdump --disassemble=_start test.elf:

0000000000401040 <_start>:
          401040:	      31 ed                	xor    %ebp,%ebp
          401042:	      49 89 d1             	mov    %rdx,%r9
          401045:	      5e                   	pop    %rsi
          401046:	      48 89 e2             	mov    %rsp,%rdx
          401049:	      48 83 e4 f0          	and    $0xfffffffffffffff0,%rsp
          40104d:	      50                   	push   %rax
          40104e:	      54                   	push   %rsp
          40104f:	      49 c7 c0 10 11 40 00 	mov    $0x401110,%r8        # __libc_csu_fini
          401056:	      48 c7 c1 b0 10 40 00 	mov    $0x4010b0,%rcx       # __libc_csu_init
          40105d:	      48 c7 c7 71 10 40 00 	mov    $0x401071,%rdi       # our main function
          401064:	      ff 15 86 2f 00 00    	callq  *0x2f86(%rip)        # 403ff0 <__libc_start_main@GLIBC_2.2.5>
          40106a:	      f4                   	hlt    

On glibc 2.31, _start initializes very early ABI requirements (like the stack or frame pointer), setting up the argc/argv/env values, and then pass pointers of __libc_csu_init, __libc_csu_fini and main function to __libc_start_main which in turn does more general bootstrapping before finally calling the real main function.

The implementation of __libc_start_main is quite complicated as it needs to be portable across the very wide number of systems and architectures that glibc can run on. It does a number of specific things related to setting up the C library which the most of the programmers don’t need to worry about.

Initialization and Termination Routines

init and fini are two special parts of code in shared libraries that may need to be called before the library starts, and before the library is unloaded respectively. This might be useful for library programmers to setup variables when the library is started, or to clean up at the end. __libc_start_main call the __libc_csu_init before calling our main function and register __libc_csu_fini as a callback to be called before program exit with __cxa_atexit. What __libc_csu_init/__libc_csu_fini do is simply loop the list of init/fini function and invokes them.

In order to traverse the list of init functions, two symbols __init_array_start and __init_array_end is defined during the linking process and exported as part of ELF symbol table .symtab.

We can use __attribute__((constructor)) and __attribute__((destructor)) (ref: #1) to add initialization and termination routines to our program, e.g.

void __attribute__((constructor)) program_init(void)
{
    printf("init\n");
}

void __attribute__((destructor)) program_fini(void)
{
    printf("fini\n");
}

In the new realease of glibc the process of fini was changed as part of this commit.

Call Main Function

Once __libc_start_main has completed with the initialization it finally calls the main function! Remember that it had the stack setup initially with the arguments and environment pointers from the kernel; this is how main gets its argc, argv[], envp[] arguments.

Exit

When the main function returns __libc_start_main call void exit(int exit_code) with return value of main function as exit code. The implementation of exit is trigger a syscall exit_group (ref: #1, #2, #3, #4, #5, #6) to immediately stops the current process.

Writing program without startfiles

Now we know how the call to the main is made. We can override the _start function to make it call our main().

#include <stdio.h>
#include <stdlib.h>

#define LOOP_TIMES 10

void _start()
{
    exit(main());
}

int main(void)
{
    for (int i = 0; i < LOOP_TIMES; i++)
    {
        printf("Hello World #%i!\n", i);
    }
    return 0;
}

Now we have to force gcc to use our implementation of _start().

gcc -nostartfiles -o test.elf test.c

We can also manually invoke ld:

gcc -c -o test.o test.c
GLIBC_LIB_DIR="/usr/lib/x86_64-linux-gnu"
GCC_LIB_DIR="/usr/lib/gcc/x86_64-linux-gnu/10"
ld -o test.elf -dynamic-linker /lib64/ld-linux-x86-64.so.2 test.o $GLIBC_LIB_DIR/libc.so

Reference

• The Four Stages of Compiling a C Program
• Computer Science from the Bottom Up - Chapter 8. Behind the process - Starting a process
• What happens when you compile?
• GAS: Explanation of .cfi_def_cfa_offset
• segfault when linking with ld
• How to build a C program using a custom version of glibc and static linking?
• Linking a C program directly with ld fails with undefined reference to __libc_csu_fini
• Linking a dynamically linked executable with ld
• What is the difference between crtbegin.o, crtbeginT.o and crtbeginS.o?
• ld(1) - Linux man page
• readelf(1) — Linux manual page
• GCC - Options for Linking: -nostartfiles
• GCC Options for Code Generation Conventions
• gcc(1) — Linux manual page
• When is the gcc flag -nostartfiles used?
• How do I tell GCC not to link with the runtime library and the standard library?
• Executing main() in C/C++ – behind the scene
• objdump(1) - Linux man page
• Objcopy elf to bin file
• objcopy(1) - Linux man page
• BFD
• Wikipedia: Executable and Linkable Format
• elf(5) — Linux manual page
• elf.h
• How can I examine contents of a data section of an ELF file on Linux?
• exec(3) - Linux man page
• execve(2) — Linux manual page
• Executing a flat binary file under Linux
• load_flat_binary
• What is the difference between exit and return?
• What is the use of _start() in C?
• Syscall implementation of exit()