1. Oracle Solaris 11.4 Linkers and Libraries Guide
  2. ELF Application Binary Interface
  3. Program Loading and Dynamic Linking
  4. Procedure Linkage Table (Processor-Specific)
  5. x64: Procedure Linkage Table

x64: Procedure Linkage Table

For x64 dynamic objects, the procedure linkage table resides in shared text but uses addresses in the private global offset table. The runtime linker determines the absolute addresses of the destinations and modifies the global offset table's memory image accordingly. The runtime linker thus redirects the entries without compromising the position-independence and shareability of the program's text. Dynamic objects have separate procedure linkage tables.

Table 15-18 x64: Procedure Linkage Table Example

.PLT0:
    pushq   GOT+8(%rip)                         # GOT[1]
    jmp     *GOT+16(%rip)                       # GOT[2]
    nop;    nop
    nop;    nop
.PLT1:
    jmp     *name1@GOTPCREL(%rip)               # 16 bytes from .PLT0
    pushq   $index1
    jmp     .PLT0
.PLT2:
    jmp     *name2@GOTPCREL(%rip)               # 16 bytes from .PLT1
    pushl   $index2
    jmp     .PLT0

The following steps describe how the runtime linker and program cooperate to resolve the symbolic references through the procedure linkage table and the global offset table.

  1. When the memory image of the program is initially created, the runtime linker sets the second and third entries in the global offset table to special values. The following steps explain these values.

  2. Each shared object file in the process image has its own procedure linkage table, and control transfers to a procedure linkage table entry only from within the same object file.

  3. For example, the program calls name1, which transfers control to the label .PLT1.

  4. The first instruction jumps to the address in the global offset table entry for name1. Initially, the global offset table holds the address of the following pushq instruction, not the real address of name1.

  5. The program pushes a relocation index (index1) on the stack. The relocation offset is a 32-bit, nonnegative index into the relocation table. The relocation table is identified by the DT_JUMPREL dynamic section entry. The designated relocation entry has the type R_AMD64_JMP_SLOT, and its offset specifies the global offset table entry used in the previous jmp instruction. The relocation entry also contains a symbol table index, which the runtime linker uses to get the referenced symbol, name1.

  6. After pushing the relocation index, the program jumps to .PLT0, the first entry in the procedure linkage table. The pushq instruction pushes the value of the second global offset table entry (GOT+8) on the stack, giving the runtime linker one word of identifying information. The program then jumps to the address in the third global offset table entry (GOT+16), to jump to the runtime linker.

  7. The runtime linker unwinds the stack, checks the designated relocation entry, gets the symbol's value, stores the actual address of name1 in its global offset entry table, and jumps to the destination.

  8. Subsequent executions of the procedure linkage table entry transfer directly to name1, without calling the runtime linker again. The jmp instruction at .PLT1 jumps to name1 instead of falling through to the pushq instruction.

The LD_BIND_NOW environment variable changes dynamic linking behavior. If its value is non-null, the runtime linker processes R_AMD64_JMP_SLOT relocation entries before transferring control to the program.