[Qemu-devel] qemu-user: relocating target code weakness

[Stefano Bonifazi]

Hi!
 I am working on a project based on qemu-user. More exactly it is 
qemu-ppc (version 0.13.0) with x86 host.
All the project and documentation about qemu will be open for everybody 
as it is a project for my university that is a public one..
I have the need to relocate the target code in the memory space to some 
other starting address.
So I went inside linux-user/elfload.c: load_elf_binary and there I found 
many things that according to me are someway buggy or just "weak" ..
Of course I am only a student, and all of this was far beyond my 
knowledge .. I am studying like a crazy for understanding all of this.. 
elf stuff, linking and loading .. and I may be just confused.. 
nevertheless I think it is worth of some attention by some of you gurus 
outta there :)
First of all:
> info->start_mmap = (abi_ulong)ELF_START_MMAP;
What is this? what is start_mmap supposed to point at at the end? Why 
that static value is chosen at the beginning?

Then there is a block of code protected by the define:
> #if defined(CONFIG_USE_GUEST_BASE)
this define appears to be enabled in my code though I do not use any 
special parameter for qemu-ppc.. What is it supposed to do?
I mean I guess it wants to reserve a memory area for the target code, 
starting at a user defined address (guest_base).. and all of that is 
done in linux-user/main.c: main, through a proper command line 
parameter, but then the guest_base address is not more used in the code 
of qemu-user o.O
Inside the code, protected by that define in load_elf_binary, seems to 
check if the system can reserve the requested area of program address 
space, otherwise find a suitable address and set again guest_base to 
that address.. but oddly that variable is never more taken in any 
consideration then!!!
Going down the code I notice that for executable target binaries the 
flag MAP_FIXED for mmap is set.. and in the requested starting address 
the variable load_bias is always zero for executable files, so that the 
starting address is simply the p_vaddr of the various program 
segments..what does it mean? Simple! A target executable code is ALWAYS 
loaded at the same address of the program address space it would be if 
run on a target machine (not on the host machine through qemu)..far 
enough? No for me!!
When executing in the original machine the binary was created for, its 
OS creates an address space only for the target.. that means all the 
address are free for it, and it can be loaded at any address chosen by 
the link editor when creating the binary.. but here in qemu-user it 
shares the address space with qemu-user code itself (and in my case with 
all other I added to it!) so those addresses can be not free at all!!
Isn't that a big weakness??
I went a little forward, though with my poor skills.. I forced a bias, 
created assembly PPC simple test binaries and had a look at what happens 
when a shift of the start address is required (after fixing some 
variables that did not consider fine such possibility):
The target global variables addresses are hard coded into the target 
binary.. nothing in the process of elf loading or then in TCG do 
anything for patching those addresses when there is a shift of the 
starting code.. the result is simply got: segmentation fault when trying 
to access those variables!
 Moreover the way the various variables like start_code, start_data, 
end_data, elf_brk were set was very odd to me:
It was like while cycling through all the program segments they could be 
set for any new segment checked!
Now I must admit, through all my studying of ELF, I did not understand 
yet (I'd appreciate very much if you can tell me it!!!) if it is 
possible to have multiple code segments or multiple data segments in an 
executable binary..
What I did was to check if the code had the PF_X flag or PF_W flag for 
distinguishing whether it was a code segment or a data segment (hoping 
there was only one of each), and set those variables accordingly..
This approach fails anyway when I use PIC code (I am trying to use PIC 
code now as a solution for relocating code), it seems there are many 
code segments and many writable segments, and I can't understand how to 
set properly start_code, end_code.. etc there.
Another thing I had to edit while setting those variable was making them 
consider as address not more p_vaddr, but the actual loading address 
(error) ..
If any of you is interested in solving this problem I can provide all my 
logs for various tests, source code for the test ppc binaries for 
testing everything and of course my elfload.c
Thank you in advance for any support!
Best regards,
Stefano B.