[PATCH 0/4] Implement single global definition marker

[PATCH 0/4] Implement single global definition marker

[H.J. Lu]

On systems with copy relocation:
* A copy in executable is created for the definition in a shared library
at run-time by ld.so.
* The copy is referenced by executable and shared libraries.
* Executable can access the copy directly.

Issues are:
* Overhead of a copy, time and space, may be visible at run-time.
* Read-only data in the shared library becomes read-write copy in
executable at run-time.
* Local access to data with the STV_PROTECTED visibility in the shared
library must use GOT.

On systems without function descriptor, function pointers vary depending
on where and how the functions are defined.
* If the function is defined in executable, it can be the address of
function body.
* If the function, including the function with STV_PROTECTED visibility,
is defined in the shared library, it can be the address of the PLT entry
in executable or shared library.

Issues are:
* The address of function body may not be used as its function pointer.
* ld.so needs to search loaded shared libraries for the function pointer
of the function with STV_PROTECTED visibility.

Here is a proposal to remove copy relocation and use canonical function
pointer:

1. Accesses, including in PIE and non-PIE, to undefined symbols must
use GOT.
  a. Linker may optimize out GOT access if the data is defined in PIE or
  non-PIE.
2. Read-only data in the shared library remain read-only at run-time
3. Address of global data with the STV_PROTECTED visibility in the shared
library is the address of data body.
  a. Can use IP-relative access.
  b. May need GOT without IP-relative access.
4. For systems without function descriptor,
  a. All global function pointers of undefined functions in PIE and
  non-PIE must use GOT.  Linker may optimize out GOT access if the
  function is defined in PIE or non-PIE.
  b. Function pointer of functions with the STV_PROTECTED visibility in
  executable and shared library is the address of function body.
   i. Can use IP-relative access.
   ii. May need GOT without IP-relative access.
   iii. Branches to undefined functions may use PLT.
5. Single global definition marker:

Add GNU_PROPERTY_1_NEEDED:

#define GNU_PROPERTY_1_NEEDED GNU_PROPERTY_UINT32_OR_LO

to indicate the needed properties by the object file.

Add GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION:

#define GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION (1U << 0)

to indicate that the object file requires canonical function pointers and
cannot be used with copy relocation.

  a. Copy relocation should be disallowed at link-time and run-time.
  b. Canonical function pointers are required at link-time and run-tima

Dynamic linker changes:

* Scan the single global definition marker on all components, including
the executable and its dependency shared libraries.
* When performing symbol lookup for references in an object without
  single global definition:
  a. Disallow copy relocations against protected data symbols in an object
  with single global definition.
  b. Disallow non-zero symbol values of undefined function symbols, which
  are used as the function pointer, against protected function symbols in
  an object with single global definition.

The corresponding binutils patches are posted at

https://sourceware.org/pipermail/binutils/2021-June/117091.html

and GCC patches are posted at

https://gcc.gnu.org/pipermail/gcc-patches/2021-June/573236.html

H.J. Lu (4):
  Initial support for GNU_PROPERTY_1_NEEDED
  Check -z single-global-definition and -fsingle-global-definition
  Add run-time chesk for single global definition
  Update tests for protected data and function symbols

 configure                      |  73 +++++++++++++++++-
 configure.ac                   |  37 ++++++++++
 elf/Makefile                   |  54 ++++++++++++++
 elf/dl-lookup.c                |   5 ++
 elf/elf.h                      |  17 +++++
 elf/tst-protected1moda.c       |  10 +--
 elf/tst-protected1modb.c       |   4 +-
 elf/tst-protected2a.c          | 130 +++++++++++++++++++++++++++++++++
 elf/tst-protected2apie.c       |   1 +
 elf/tst-protected2b.c          | 121 ++++++++++++++++++++++++++++++
 elf/tst-protected2bpie.c       |   1 +
 elf/tst-protected2mod.h        |  35 +++++++++
 elf/tst-protected2moda.c       |  52 +++++++++++++
 elf/tst-protected2moda2.c      |  41 +++++++++++
 elf/tst-protected2modb.c       |  45 ++++++++++++
 elf/tst-protected2modb2.c      |  28 +++++++
 sysdeps/generic/dl-prop.h      |   9 ++-
 sysdeps/generic/dl-protected.h |  51 +++++++++++++
 sysdeps/generic/link_map.h     |   3 +-
 sysdeps/x86/dl-prop.h          |  19 +++--
 sysdeps/x86/link_map.h         |   2 +
 21 files changed, 720 insertions(+), 18 deletions(-)
 create mode 100644 elf/tst-protected2a.c
 create mode 100644 elf/tst-protected2apie.c
 create mode 100644 elf/tst-protected2b.c
 create mode 100644 elf/tst-protected2bpie.c
 create mode 100644 elf/tst-protected2mod.h
 create mode 100644 elf/tst-protected2moda.c
 create mode 100644 elf/tst-protected2moda2.c
 create mode 100644 elf/tst-protected2modb.c
 create mode 100644 elf/tst-protected2modb2.c
 create mode 100644 sysdeps/generic/dl-protected.h

-- 
2.31.1

[PATCH 1/4] Initial support for GNU_PROPERTY_1_NEEDED

[H.J. Lu]

1. Add GNU_PROPERTY_1_NEEDED:

 #define GNU_PROPERTY_1_NEEDED      GNU_PROPERTY_UINT32_OR_LO

to indicate the needed properties by the object file.
2. Add GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION:

 #define GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION  (1U << 0)

to indicate that the object file requires canonical function pointers and
cannot be used with copy relocation.
3. Scan GNU_PROPERTY_1_NEEDED property and store it in l_1_needed.
---
 elf/elf.h                  | 17 +++++++++++++++++
 sysdeps/generic/dl-prop.h  |  9 ++++++++-
 sysdeps/generic/link_map.h |  3 ++-
 sysdeps/x86/dl-prop.h      | 19 ++++++++++++++-----
 sysdeps/x86/link_map.h     |  2 ++
 5 files changed, 43 insertions(+), 7 deletions(-)

diff --git a/elf/elf.h b/elf/elf.h
index 2a62b98d4a..45b107fdcf 100644
--- a/elf/elf.h
+++ b/elf/elf.h
@@ -1310,6 +1310,23 @@ typedef struct
 /* No copy relocation on protected data symbol.  */
 #define GNU_PROPERTY_NO_COPY_ON_PROTECTED	2
 
+/* A 4-byte unsigned integer property: A bit is set if it is set in all
+   relocatable inputs.  */
+#define GNU_PROPERTY_UINT32_AND_LO	0xb0000000
+#define GNU_PROPERTY_UINT32_AND_HI	0xb0007fff
+
+/* A 4-byte unsigned integer property: A bit is set if it is set in any
+   relocatable inputs.  */
+#define GNU_PROPERTY_UINT32_OR_LO	0xb0008000
+#define GNU_PROPERTY_UINT32_OR_HI	0xb000ffff
+
+/* The needed properties by the object file.  */
+#define GNU_PROPERTY_1_NEEDED		GNU_PROPERTY_UINT32_OR_LO
+
+/* Set if the object file requires canonical function pointers and
+   cannot be used with copy relocation.  */
+#define GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION	(1U << 0)
+
 /* Processor-specific semantics, lo */
 #define GNU_PROPERTY_LOPROC			0xc0000000
 /* Processor-specific semantics, hi */
diff --git a/sysdeps/generic/dl-prop.h b/sysdeps/generic/dl-prop.h
index eaee8052b6..207aadb35d 100644
--- a/sysdeps/generic/dl-prop.h
+++ b/sysdeps/generic/dl-prop.h
@@ -47,7 +47,14 @@ static inline int __attribute__ ((always_inline))
 _dl_process_gnu_property (struct link_map *l, int fd, uint32_t type,
 			  uint32_t datasz, void *data)
 {
-  return 0;
+  /* Continue until GNU_PROPERTY_1_NEEDED is found.  */
+  if (type == GNU_PROPERTY_1_NEEDED)
+    {
+      if (datasz == 4)
+	l->l_1_needed = *(unsigned int *) data;
+      return 0;
+    }
+  return 1;
 }
 
 #endif /* _DL_PROP_H */
diff --git a/sysdeps/generic/link_map.h b/sysdeps/generic/link_map.h
index a056184690..9f482b8c20 100644
--- a/sysdeps/generic/link_map.h
+++ b/sysdeps/generic/link_map.h
@@ -1 +1,2 @@
-/* No architecture specific definitions.  */
+/* GNU_PROPERTY_1_NEEDED of this object.  */
+unsigned int l_1_needed;
diff --git a/sysdeps/x86/dl-prop.h b/sysdeps/x86/dl-prop.h
index 56bd020b3c..385548fad3 100644
--- a/sysdeps/x86/dl-prop.h
+++ b/sysdeps/x86/dl-prop.h
@@ -97,6 +97,7 @@ _dl_process_property_note (struct link_map *l, const ElfW(Nhdr) *note,
 
   const ElfW(Addr) start = (ElfW(Addr)) note;
 
+  unsigned int needed_1 = 0;
   unsigned int feature_1_and = 0;
   unsigned int isa_1_needed = 0;
   unsigned int last_type = 0;
@@ -141,7 +142,8 @@ _dl_process_property_note (struct link_map *l, const ElfW(Nhdr) *note,
 	      last_type = type;
 
 	      if (type == GNU_PROPERTY_X86_FEATURE_1_AND
-		  || type == GNU_PROPERTY_X86_ISA_1_NEEDED)
+		  || type == GNU_PROPERTY_X86_ISA_1_NEEDED
+		  || type == GNU_PROPERTY_1_NEEDED)
 		{
 		  /* The sizes of types which we are searching for are
 		     4 bytes.  There is no point to continue if this
@@ -151,12 +153,18 @@ _dl_process_property_note (struct link_map *l, const ElfW(Nhdr) *note,
 
 		  /* NB: Stop the scan only after seeing all types which
 		     we are searching for.  */
-		  _Static_assert ((GNU_PROPERTY_X86_ISA_1_NEEDED >
-				   GNU_PROPERTY_X86_FEATURE_1_AND),
+		  _Static_assert (((GNU_PROPERTY_X86_ISA_1_NEEDED
+				    > GNU_PROPERTY_X86_FEATURE_1_AND)
+				   && (GNU_PROPERTY_X86_FEATURE_1_AND
+				       > GNU_PROPERTY_1_NEEDED)),
 				  "GNU_PROPERTY_X86_ISA_1_NEEDED > "
-				  "GNU_PROPERTY_X86_FEATURE_1_AND");
+				  "GNU_PROPERTY_X86_FEATURE_1_AND && "
+				  "GNU_PROPERTY_X86_FEATURE_1_AND > "
+				  "GNU_PROPERTY_1_NEEDED");
 		  if (type == GNU_PROPERTY_X86_FEATURE_1_AND)
 		    feature_1_and = *(unsigned int *) ptr;
+		  else if (type == GNU_PROPERTY_1_NEEDED)
+		    needed_1 = *(unsigned int *) ptr;
 		  else
 		    {
 		      isa_1_needed = *(unsigned int *) ptr;
@@ -187,9 +195,10 @@ _dl_process_property_note (struct link_map *l, const ElfW(Nhdr) *note,
     }
 
   /* We get here only if there is one or no GNU property note.  */
-  if (isa_1_needed != 0 || feature_1_and != 0)
+  if (needed_1 != 0 || isa_1_needed != 0 || feature_1_and != 0)
     {
       l->l_property = lc_property_valid;
+      l->l_1_needed = needed_1;
       l->l_x86_isa_1_needed = isa_1_needed;
       l->l_x86_feature_1_and = feature_1_and;
     }
diff --git a/sysdeps/x86/link_map.h b/sysdeps/x86/link_map.h
index 4c46a25f83..0c7e25dc96 100644
--- a/sysdeps/x86/link_map.h
+++ b/sysdeps/x86/link_map.h
@@ -29,3 +29,5 @@ unsigned int l_x86_feature_1_and;
 
 /* GNU_PROPERTY_X86_ISA_1_NEEDED of this object.  */
 unsigned int l_x86_isa_1_needed;
+
+#include <sysdeps/generic/link_map.h>
-- 
2.31.1

[PATCH 2/4] Check -z single-global-definition and -fsingle-global-definition

[H.J. Lu]

1. Check linker support for -z single-global-definition.  If
GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION is set on any input
relocatable files:
  a. Don't generate copy relocations.
  b. Turn off extern_protected_data.
  c. Treate reference to protected symbols with single global definition
  as local.
  d. Set GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION on output.
  e. Add -z [no]single-global-definition to control single global
  definition.
2. Check compiler support for -fsingle-global-definition:
  a. Generate a single global definition marker in relocatable objects.
    i. Always use GOT to access undefined data and function symbols,
    including in PIE and non-PIE.  These will avoid copy relocations in
    executables.
    ii. This is compatible with existing executables and shared libraries.
  b. In executable and shared library, bind symbols with the STV_PROTECTED
     visibility locally:
    i. The address of data symbol is the address of data body.
    ii. For systems without function descriptor, the function pointer is
    the address of function body.
    iii. The resulting shared libraries may not be incompatible with
    executables which have copy relocations on protected symbols.

Size comparison of non-PIE builds with GCC 12 -O2:

1. On x86-64:
   text	   data	    bss	    dec	    hex	filename
 190218	   9672	    416	 200306	  30e72	ld.so (original)
 190258	   9336	    416	 200010	  30d4a ld.so (-fsingle-global-definition)
1917384	  20232	  52424	1990040	 1e5d98	libc.so (original)
1919946	  20240	  52432	1992618	 1e67aa	libc.so (-fsingle-global-definition)
 261734	  10339	    744	 272817	  429b1	localedef (original)
 233084	  41734	    648	 275466	  4340a	localedef (-fsingle-global-definition)
2. On i686:
   text	   data	    bss	    dec	    hex	filename
 199369	   6796	    212	 206377	  32629	ld.so (original)
 199381	   6796	    212	 206389	  32635 ld.so (-fsingle-global-definition)
2058080	  11136	  38856	2108072	 202aa8	libc.so (original)
2058092	  11136	  38856	2108084	 202ab4	libc.so (-fsingle-global-definition)
 276207	   9559	    552	 286318	  45e6e localedef (original)
 254249	  33734	    520	 288503	  466f7	localedef (-fsingle-global-definition)
---
 configure    | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++-
 configure.ac | 37 ++++++++++++++++++++++++++
 2 files changed, 109 insertions(+), 1 deletion(-)

diff --git a/configure b/configure
index 9619c10991..5844dad68f 100755
--- a/configure
+++ b/configure
@@ -732,6 +732,7 @@ infodir
 docdir
 oldincludedir
 includedir
+runstatedir
 localstatedir
 sharedstatedir
 sysconfdir
@@ -844,6 +845,7 @@ datadir='${datarootdir}'
 sysconfdir='${prefix}/etc'
 sharedstatedir='${prefix}/com'
 localstatedir='${prefix}/var'
+runstatedir='${localstatedir}/run'
 includedir='${prefix}/include'
 oldincludedir='/usr/include'
 docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
@@ -1096,6 +1098,15 @@ do
   | -silent | --silent | --silen | --sile | --sil)
     silent=yes ;;
 
+  -runstatedir | --runstatedir | --runstatedi | --runstated \
+  | --runstate | --runstat | --runsta | --runst | --runs \
+  | --run | --ru | --r)
+    ac_prev=runstatedir ;;
+  -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
+  | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
+  | --run=* | --ru=* | --r=*)
+    runstatedir=$ac_optarg ;;
+
   -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
     ac_prev=sbindir ;;
   -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
@@ -1233,7 +1244,7 @@ fi
 for ac_var in	exec_prefix prefix bindir sbindir libexecdir datarootdir \
 		datadir sysconfdir sharedstatedir localstatedir includedir \
 		oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
-		libdir localedir mandir
+		libdir localedir mandir runstatedir
 do
   eval ac_val=\$$ac_var
   # Remove trailing slashes.
@@ -1386,6 +1397,7 @@ Fine tuning of the installation directories:
   --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
   --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
   --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
+  --runstatedir=DIR       modifiable per-process data [LOCALSTATEDIR/run]
   --libdir=DIR            object code libraries [EPREFIX/lib]
   --includedir=DIR        C header files [PREFIX/include]
   --oldincludedir=DIR     C header files for non-gcc [/usr/include]
@@ -5746,6 +5758,65 @@ fi
 $as_echo "$libc_cv_insert" >&6; }
 
 
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking -z single-global-definition" >&5
+$as_echo_n "checking -z single-global-definition... " >&6; }
+if ${libc_cv_z_single_global_definition+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat > conftest.c <<EOF
+		__attribute__ ((visibility ("protected")))
+		void bar (void) {}
+		void *bar_p (void) { return &bar; }
+EOF
+		libc_cv_z_single_global_definition=no
+		if { ac_try='${CC-cc} -Wl,-z,single-global-definition
+			-nostdlib -nostartfiles $CFLAGS $CPPFLAGS $LDFLAGS
+			-fPIC -shared $no_ssp -o conftest.so conftest.c
+			1>&5'
+  { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; }; then
+		  libc_cv_z_single_global_definition=yes
+		else
+		  libc_cv_z_single_global_definition=no
+		fi
+		rm -f conftest.*
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $libc_cv_z_single_global_definition" >&5
+$as_echo "$libc_cv_z_single_global_definition" >&6; }
+config_vars="$config_vars
+have-z-single-global-definition = $libc_cv_z_single_global_definition"
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for -fsingle-global-definition" >&5
+$as_echo_n "checking for -fsingle-global-definition... " >&6; }
+if ${libc_cv_fsingle_global_definition+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat > conftest.c <<EOF
+int foo;
+EOF
+		if { ac_try='${CC-cc} $CFLAGS $CPPFLAGS -S
+			-fsingle-global-definition
+			conftest.c 1>&5'
+  { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; }; then
+		  libc_cv_fsingle_global_definition=yes
+		else
+		  libc_cv_fsingle_global_definition=no
+		fi
+		rm -f conftest*
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $libc_cv_fsingle_global_definition" >&5
+$as_echo "$libc_cv_fsingle_global_definition" >&6; }
+config_vars="$config_vars
+have-fsingle-global-definition = $libc_cv_fsingle_global_definition"
+
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for broken __attribute__((alias()))" >&5
 $as_echo_n "checking for broken __attribute__((alias()))... " >&6; }
 if ${libc_cv_broken_alias_attribute+:} false; then :
diff --git a/configure.ac b/configure.ac
index 34ecbba540..26932812da 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1222,6 +1222,43 @@ EOF
 	       ])
 AC_SUBST(libc_cv_insert)
 
+AC_CACHE_CHECK(-z single-global-definition,
+	       libc_cv_z_single_global_definition,
+	       [cat > conftest.c <<EOF
+		__attribute__ ((visibility ("protected")))
+		void bar (void) {}
+		void *bar_p (void) { return &bar; }
+EOF
+		libc_cv_z_single_global_definition=no
+		if AC_TRY_COMMAND([${CC-cc} -Wl,-z,single-global-definition
+			-nostdlib -nostartfiles $CFLAGS $CPPFLAGS $LDFLAGS
+			-fPIC -shared $no_ssp -o conftest.so conftest.c
+			1>&AS_MESSAGE_LOG_FD]); then
+		  libc_cv_z_single_global_definition=yes
+		else
+		  libc_cv_z_single_global_definition=no
+		fi
+		rm -f conftest.*
+	       ])
+LIBC_CONFIG_VAR([have-z-single-global-definition],
+		[$libc_cv_z_single_global_definition])
+
+AC_CACHE_CHECK(for -fsingle-global-definition,
+	       libc_cv_fsingle_global_definition,
+	       [cat > conftest.c <<EOF
+int foo;
+EOF
+		if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS -S
+			-fsingle-global-definition
+			conftest.c 1>&AS_MESSAGE_LOG_FD]); then
+		  libc_cv_fsingle_global_definition=yes
+		else
+		  libc_cv_fsingle_global_definition=no
+		fi
+		rm -f conftest*])
+LIBC_CONFIG_VAR([have-fsingle-global-definition],
+		[$libc_cv_fsingle_global_definition])
+
 AC_CACHE_CHECK(for broken __attribute__((alias())),
 	       libc_cv_broken_alias_attribute,
 	       [cat > conftest.c <<EOF
-- 
2.31.1

[PATCH 3/4] Add run-time chesk for single global definition

[H.J. Lu]

When performing symbol lookup for references in an object without single
global definition:

1. Disallow copy relocations against protected data symbols in an object
with single global definition.
2. Disallow non-zero symbol values of undefined function symbols, which
are used as the function pointer, against protected function symbols in
an object with single global definition.
---
 elf/dl-lookup.c                |  5 ++++
 sysdeps/generic/dl-protected.h | 51 ++++++++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+)
 create mode 100644 sysdeps/generic/dl-protected.h

diff --git a/elf/dl-lookup.c b/elf/dl-lookup.c
index eea217eb28..430359af39 100644
--- a/elf/dl-lookup.c
+++ b/elf/dl-lookup.c
@@ -24,6 +24,7 @@
 #include <ldsodefs.h>
 #include <dl-hash.h>
 #include <dl-machine.h>
+#include <dl-protected.h>
 #include <sysdep-cancel.h>
 #include <libc-lock.h>
 #include <tls.h>
@@ -527,6 +528,10 @@ do_lookup_x (const char *undef_name, uint_fast32_t new_hash,
 	  if (__glibc_unlikely (dl_symbol_visibility_binds_local_p (sym)))
 	    goto skip;
 
+	  if (ELFW(ST_VISIBILITY) (sym->st_other) == STV_PROTECTED)
+	    _dl_check_protected_symbol (undef_name, undef_map, ref, map,
+					type_class);
+
 	  switch (ELFW(ST_BIND) (sym->st_info))
 	    {
 	    case STB_WEAK:
diff --git a/sysdeps/generic/dl-protected.h b/sysdeps/generic/dl-protected.h
new file mode 100644
index 0000000000..a530eb3e51
--- /dev/null
+++ b/sysdeps/generic/dl-protected.h
@@ -0,0 +1,51 @@
+/* Support for STV_PROTECTED visibility.  Generic version.
+   Copyright (C) 2021 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#ifndef _DL_PROTECTED_H
+#define _DL_PROTECTED_H
+
+static inline void __attribute__ ((always_inline))
+_dl_check_protected_symbol (const char *undef_name,
+			    const struct link_map *undef_map,
+			    const ElfW(Sym) *ref,
+			    const struct link_map *map,
+			    int type_class)
+{
+  if (undef_map != NULL
+      && !(undef_map->l_1_needed
+	   & GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION)
+      && (map->l_1_needed
+	  & GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION))
+    {
+      if ((type_class & ELF_RTYPE_CLASS_COPY))
+	/* Disallow copy relocations against protected data symbols in
+	   an object with single global definition.  */
+	_dl_fatal_printf ("copy relocation against non-copyable protected symbol=%s in file=%s\n",
+			  undef_name, DSO_FILENAME (map->l_name));
+      else if (ref->st_value != 0
+	       && ref->st_shndx == SHN_UNDEF
+	       && (type_class & ELF_RTYPE_CLASS_PLT))
+	/* Disallow non-zero symbol values of undefined symbols, which
+	   are used as the function pointer, against protected function
+	   symbols in an object with single global definition.  */
+	_dl_fatal_printf ("non-canonical reference to canonical protected function symbol=%s in file=%s\n",
+			  undef_name, DSO_FILENAME (map->l_name));
+    }
+}
+
+#endif /* _DL_PROTECTED_H */
-- 
2.31.1

[PATCH 4/4] Update tests for protected data and function symbols

[H.J. Lu]

Protected data and function symbols don't work well without
-fsingle-global-definition:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=37611
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=44166

1. Compile tst-protected1[ab].c and tst-protected1mod[ab].c with
-fsingle-global-definition if possible so that GOT entries are used
for undefined data accesses.
2. Add tests for protected function pointers.
3. Build tst-prelink.c without single global definition to keepp COPY
relocation.
---
 elf/Makefile              |  54 ++++++++++++++++
 elf/tst-protected1moda.c  |  10 +--
 elf/tst-protected1modb.c  |   4 +-
 elf/tst-protected2a.c     | 130 ++++++++++++++++++++++++++++++++++++++
 elf/tst-protected2apie.c  |   1 +
 elf/tst-protected2b.c     | 121 +++++++++++++++++++++++++++++++++++
 elf/tst-protected2bpie.c  |   1 +
 elf/tst-protected2mod.h   |  35 ++++++++++
 elf/tst-protected2moda.c  |  52 +++++++++++++++
 elf/tst-protected2moda2.c |  41 ++++++++++++
 elf/tst-protected2modb.c  |  45 +++++++++++++
 elf/tst-protected2modb2.c |  28 ++++++++
 12 files changed, 512 insertions(+), 10 deletions(-)
 create mode 100644 elf/tst-protected2a.c
 create mode 100644 elf/tst-protected2apie.c
 create mode 100644 elf/tst-protected2b.c
 create mode 100644 elf/tst-protected2bpie.c
 create mode 100644 elf/tst-protected2mod.h
 create mode 100644 elf/tst-protected2moda.c
 create mode 100644 elf/tst-protected2moda2.c
 create mode 100644 elf/tst-protected2modb.c
 create mode 100644 elf/tst-protected2modb2.c

diff --git a/elf/Makefile b/elf/Makefile
index 38d08e03b8..abbb9a46b4 100644
--- a/elf/Makefile
+++ b/elf/Makefile
@@ -367,15 +367,59 @@ tests += tst-protected1a tst-protected1b
 $(objpfx)tst-protected1a: $(addprefix $(objpfx),tst-protected1moda.so tst-protected1modb.so)
 $(objpfx)tst-protected1b: $(addprefix $(objpfx),tst-protected1modb.so tst-protected1moda.so)
 tst-protected1modb.so-no-z-defs = yes
+ifeq (yes,$(have-fsingle-global-definition))
+CFLAGS-tst-protected1a.c += -fsingle-global-definition
+CFLAGS-tst-protected1b.c += -fsingle-global-definition
+CFLAGS-tst-protected1moda.c += -fsingle-global-definition
+CFLAGS-tst-protected1modb.c += -fsingle-global-definition
+else
 # These tests fail with GCC versions prior to 5.1 and with some versions
 # of binutils.  See https://sourceware.org/bugzilla/show_bug.cgi?id=17709
 # and https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65248 for details.
 # Perhaps in future we can make these XFAILs conditional on some detection
 # of compiler/linker behavior/version.
+# NB: These tests pass with -fsingle-global-definition when GOT entries
+# are used for undefined data accesses.
 test-xfail-tst-protected1a = yes
 test-xfail-tst-protected1b = yes
 endif
+ifeq (yes,$(have-z-single-global-definition))
+LDFLAGS-tst-protected1moda.so += -Wl,-z,single-global-definition
+LDFLAGS-tst-protected1modb.so += -Wl,-z,single-global-definition
+endif
+endif
 ifeq (yesyes,$(have-fpie)$(build-shared))
+ifeq (yes,$(have-z-single-global-definition))
+modules-names += tst-protected2moda tst-protected2modb
+tests += tst-protected2a tst-protected2b
+tests += tst-protected2apie tst-protected2bpie
+tests-pie += tst-protected2apie tst-protected2bpie
+test-extras += tst-protected2moda2 tst-protected2modb2
+extra-test-objs += tst-protected2moda2.os tst-protected2modb2.os
+LDFLAGS-tst-protected2moda.so += -Wl,-z,single-global-definition
+LDFLAGS-tst-protected2modb.so += -Wl,-z,single-global-definition
+CFLAGS-tst-protected2apie.c += $(PIE-ccflag)
+CFLAGS-tst-protected2bpie.c += $(PIE-ccflag)
+ifeq (yes,$(have-fsingle-global-definition))
+CFLAGS-tst-protected2a.c += -fsingle-global-definition
+CFLAGS-tst-protected2b.c += -fsingle-global-definition
+CFLAGS-tst-protected2moda.c += -fsingle-global-definition
+CFLAGS-tst-protected2moda2.c += -fsingle-global-definition
+CFLAGS-tst-protected2modb.c += -fsingle-global-definition
+CFLAGS-tst-protected2modb2.c += -fsingle-global-definition
+else
+# These non-PIE tests fail when GOT entries are not used for undefined
+# function pointers.
+test-xfail-tst-protected2a = yes
+test-xfail-tst-protected2b = yes
+endif
+$(objpfx)tst-protected2moda.so: $(objpfx)tst-protected2moda2.os
+$(objpfx)tst-protected2modb.so: $(objpfx)tst-protected2modb2.os
+$(objpfx)tst-protected2a: $(addprefix $(objpfx),tst-protected2moda.so tst-protected2modb.so)
+$(objpfx)tst-protected2b: $(addprefix $(objpfx),tst-protected2modb.so tst-protected2moda.so)
+$(objpfx)tst-protected2apie: $(addprefix $(objpfx),tst-protected2moda.so tst-protected2modb.so)
+$(objpfx)tst-protected2bpie: $(addprefix $(objpfx),tst-protected2modb.so tst-protected2moda.so)
+endif
 modules-names += tst-piemod1
 tests += tst-pie1 tst-pie2 tst-dlopen-pie tst-dlopen-tlsmodid-pie \
   tst-dlopen-self-pie
@@ -469,6 +513,16 @@ tests += tst-prelink
 tests-internal += tst-prelink-cmp
 # Don't compile tst-prelink.c with PIE for GLOB_DAT relocation.
 CFLAGS-tst-prelink.c += -fno-pie
+ifeq ($(have-fsingle-global-definition),yes)
+# Compile tst-prelink.c with -fno-single-global-definition to keepp COPY
+# relocation.
+CFLAGS-tst-prelink.c += -fno-single-global-definition
+endif
+ifeq ($(have-z-single-global-definition),yes)
+# Link tst-prelink with -z nosingle-global-definition to keepp COPY
+# relocation.
+LDFLAGS-tst-prelink += -Wl,-z,nosingle-global-definition
+endif
 tst-prelink-no-pie = yes
 endif
 
diff --git a/elf/tst-protected1moda.c b/elf/tst-protected1moda.c
index eeb18306bb..3d0eb1e877 100644
--- a/elf/tst-protected1moda.c
+++ b/elf/tst-protected1moda.c
@@ -17,17 +17,13 @@
 
 #include "tst-protected1mod.h"
 
-int protected1 = 3;
+int protected1 __attribute__ ((visibility("protected"))) = 3;
 static int expected_protected1 = 3;
-int protected2 = 4;
+int protected2 __attribute__ ((visibility("protected"))) = 4;
 static int expected_protected2 = 4;
-int protected3 = 5;
+int protected3 __attribute__ ((visibility("protected"))) = 5;
 static int expected_protected3 = 5;
 
-asm (".protected protected1");
-asm (".protected protected2");
-asm (".protected protected3");
-
 void
 set_protected1a (int i)
 {
diff --git a/elf/tst-protected1modb.c b/elf/tst-protected1modb.c
index 2cb1e61b17..ca82c64689 100644
--- a/elf/tst-protected1modb.c
+++ b/elf/tst-protected1modb.c
@@ -19,11 +19,9 @@
 #include "tst-protected1mod.h"
 
 int protected1 = -3;
-int protected3 = -5;
+int protected3 __attribute__ ((visibility("protected"))) = -5;
 static int expected_protected3 = -5;
 
-asm (".protected protected3");
-
 void
 set_protected1b (int i)
 {
diff --git a/elf/tst-protected2a.c b/elf/tst-protected2a.c
new file mode 100644
index 0000000000..21b666e12b
--- /dev/null
+++ b/elf/tst-protected2a.c
@@ -0,0 +1,130 @@
+/* Test the protected visibility when main is linked with moda and modb
+   in that order:
+   1. Protected function symbols, protected1, protected2 and protected3,
+      defined in moda, are used in moda.
+   2. Protected function symbol, protected3, defined in modb, are used
+      in modb.
+   3. Symbol, protected1, defined in moda, is also used in main and modb.
+   4. Symbol, protected2, defined in main, is used in main.
+   5. Symbol, protected3, defined in moda, is also used in main.
+
+   Copyright (C) 2021 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "tst-protected2mod.h"
+
+int
+protected2 (void)
+{
+  return -1;
+}
+
+int
+__attribute__ ((weak, noclone, noinline))
+call_ptr (protected_func_type ptr)
+{
+  return ptr ();
+}
+
+int
+do_test (void)
+{
+  int res = 0;
+
+  /* Check if we get the same address for the protected function symbol.  */
+  protected_func_type ptr = protected1a_p ();
+  if (&protected1 != ptr)
+    {
+      puts ("`protected1' in main and moda doesn't have the same address");
+      res = 1;
+    }
+  ptr = protected1b_p ();
+  if (&protected1 != ptr)
+    {
+      puts ("`protected1' in main and modb doesn't have the same address");
+      res = 1;
+    }
+
+  /* Check if we get the right protected function symbol.  */
+  if (call_ptr (ptr) != 3)
+    {
+      puts ("`protected1' in main and moda doesn't return the same value");
+      res = 1;
+    }
+
+  /* Check if we get the right function defined in executable.  */
+  if (protected2 () != -1)
+    {
+      puts ("`protected2' in main returns the wrong value");
+      res = 1;
+    }
+
+  /* Check `protected1' in moda.  */
+  if (!check_protected1 ())
+    {
+      puts ("`protected1' in moda returns the wrong value");
+      res = 1;
+    }
+
+  /* Check `protected2' in moda.  */
+  if (!check_protected2 ())
+    {
+      puts ("`protected2' in moda returns the wrong value");
+      res = 1;
+    }
+
+  /* Check if we get the same address for the protected function symbol.  */
+  if (&protected3 != protected3a_p ())
+    {
+      puts ("`protected3' in main and moda doesn't have the same address");
+      res = 1;
+    }
+  if (&protected3 == protected3b_p ())
+    {
+      puts ("`protected3' in main and modb has the same address");
+      res = 1;
+    }
+
+  /* Check if we get the right value for the protected data symbol.  */
+  if (protected3 () != 5)
+    {
+      puts ("`protected3' in main and moda doesn't return the same value");
+      res = 1;
+    }
+
+  /* Check `protected3' in moda.  */
+  if (!check_protected3a ())
+    {
+      puts ("`protected3' in moda has the wrong value");
+      res = 1;
+    }
+
+  /* Check `protected3' in modb.  */
+  if (!check_protected3b ())
+    {
+      puts ("`protected3' in modb has the wrong value");
+      res = 1;
+    }
+
+  return res;
+}
+
+#include <support/test-driver.c>
diff --git a/elf/tst-protected2apie.c b/elf/tst-protected2apie.c
new file mode 100644
index 0000000000..28a7aa3d1a
--- /dev/null
+++ b/elf/tst-protected2apie.c
@@ -0,0 +1 @@
+#include "tst-protected2a.c"
diff --git a/elf/tst-protected2b.c b/elf/tst-protected2b.c
new file mode 100644
index 0000000000..500323e33f
--- /dev/null
+++ b/elf/tst-protected2b.c
@@ -0,0 +1,121 @@
+/* Test the protected visibility when main is linked with modb and moda
+   in that order:
+   1. Protected function symbols, protected1, protected2 and protected3,
+      defined in moda, are used in moda.
+   2. Protected function symbol, protected3, defined in modb, are used
+      in modb.
+   3. Symbol, protected1, defined in modb, is used in main and modb.
+   4. Symbol, protected2, defined in main, is used in main.
+   5. Symbol, protected3, defined in modb, is also used in main.
+
+   Copyright (C) 2021 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "tst-protected2mod.h"
+
+int
+protected2 (void)
+{
+  return -1;
+}
+
+int
+do_test (void)
+{
+  int res = 0;
+
+  /* Check if we get the same address for the protected data symbol.  */
+  if (&protected1 == protected1a_p ())
+    {
+      puts ("`protected1' in main and moda has the same address");
+      res = 1;
+    }
+  if (&protected1 != protected1b_p ())
+    {
+      puts ("`protected1' in main and modb doesn't have the same address");
+      res = 1;
+    }
+
+  /* Check if we get the right protected function symbol.  */
+  if (protected1 () != -3)
+    {
+      puts ("`protected1' in main and modb doesn't return the same value");
+      res = 1;
+    }
+
+  /* Check if we get the right function defined in executable.  */
+  if (protected2 () != -1)
+    {
+      puts ("`protected2' in main returns the wrong value");
+      res = 1;
+    }
+
+  /* Check `protected1' in moda.  */
+  if (!check_protected1 ())
+    {
+      puts ("`protected1' in moda returns the wrong value");
+      res = 1;
+    }
+
+  /* Check `protected2' in moda.  */
+  if (!check_protected2 ())
+    {
+      puts ("`protected2' in moda returns the wrong value");
+      res = 1;
+    }
+
+  /* Check if we get the same address for the protected function symbol.  */
+  if (&protected3 == protected3a_p ())
+    {
+      puts ("`protected3' in main and moda has the same address");
+      res = 1;
+    }
+  if (&protected3 != protected3b_p ())
+    {
+      puts ("`protected3' in main and modb doesn't have the same address");
+      res = 1;
+    }
+
+  /* Check if we get the right protected function symbol.  */
+  if (protected3 () != -5)
+    {
+      puts ("`protected3' in main and modb doesn't return the same value");
+      res = 1;
+    }
+
+  /* Check `protected3' in moda.  */
+  if (!check_protected3a ())
+    {
+      puts ("`protected3' in moda returns the wrong value");
+      res = 1;
+    }
+
+  /* Check `protected3' in modb.  */
+  if (!check_protected3b ())
+    {
+      puts ("`protected3' in modb returns the wrong value");
+      res = 1;
+    }
+
+  return res;
+}
+
+#include <support/test-driver.c>
diff --git a/elf/tst-protected2bpie.c b/elf/tst-protected2bpie.c
new file mode 100644
index 0000000000..8dcfbd04cb
--- /dev/null
+++ b/elf/tst-protected2bpie.c
@@ -0,0 +1 @@
+#include "tst-protected2b.c"
diff --git a/elf/tst-protected2mod.h b/elf/tst-protected2mod.h
new file mode 100644
index 0000000000..feb28ab0d5
--- /dev/null
+++ b/elf/tst-protected2mod.h
@@ -0,0 +1,35 @@
+/* Test protected function symbols.
+   Copyright (C) 2021 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+/* Prototypes for the functions in the DSOs.  */
+extern int protected1 (void);
+extern int protected2 (void);
+extern int protected3 (void);
+
+typedef int (*protected_func_type) (void);
+
+extern protected_func_type protected1a_p (void);
+extern protected_func_type protected1b_p (void);
+
+extern int check_protected1 (void);
+extern int check_protected2 (void);
+
+extern int check_protected3a (void);
+extern protected_func_type protected3a_p (void);
+extern int check_protected3b (void);
+extern protected_func_type protected3b_p (void);
diff --git a/elf/tst-protected2moda.c b/elf/tst-protected2moda.c
new file mode 100644
index 0000000000..db04e8dfb9
--- /dev/null
+++ b/elf/tst-protected2moda.c
@@ -0,0 +1,52 @@
+/* Test protected function symbols.
+   Copyright (C) 2021 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include "tst-protected2mod.h"
+
+__attribute__ ((visibility("protected")))
+int
+protected1 (void)
+{
+  return 3;
+}
+
+__attribute__ ((visibility("protected")))
+int
+protected2 (void)
+{
+  return 4;
+}
+
+__attribute__ ((visibility("protected")))
+int
+protected3 (void)
+{
+  return 5;
+}
+
+protected_func_type
+protected1a_p (void)
+{
+  return &protected1;
+}
+
+protected_func_type
+protected3a_p (void)
+{
+  return &protected3;
+}
diff --git a/elf/tst-protected2moda2.c b/elf/tst-protected2moda2.c
new file mode 100644
index 0000000000..fae72177f9
--- /dev/null
+++ b/elf/tst-protected2moda2.c
@@ -0,0 +1,41 @@
+/* Test protected function symbols.
+   Copyright (C) 2021 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include "tst-protected2mod.h"
+
+extern int protected1 (void) __attribute__ ((visibility("protected")));
+extern int protected2 (void) __attribute__ ((visibility("protected")));
+extern int protected3 (void) __attribute__ ((visibility("protected")));
+
+int
+check_protected1 (void)
+{
+  return protected1 () == 3;
+}
+
+int
+check_protected2 (void)
+{
+  return protected2 () == 4;
+}
+
+int
+check_protected3a (void)
+{
+  return protected3 () == 5;
+}
diff --git a/elf/tst-protected2modb.c b/elf/tst-protected2modb.c
new file mode 100644
index 0000000000..3c5063f0c3
--- /dev/null
+++ b/elf/tst-protected2modb.c
@@ -0,0 +1,45 @@
+/* Test protected function symbols.
+   Copyright (C) 2021 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include <stdlib.h>
+#include "tst-protected2mod.h"
+
+int
+protected1 (void)
+{
+  return -3;
+}
+
+__attribute__ ((visibility("protected")))
+int
+protected3 (void)
+{
+  return -5;
+}
+
+protected_func_type
+protected1b_p (void)
+{
+  return &protected1;
+}
+
+protected_func_type
+protected3b_p (void)
+{
+  return &protected3;
+}
diff --git a/elf/tst-protected2modb2.c b/elf/tst-protected2modb2.c
new file mode 100644
index 0000000000..b21b827134
--- /dev/null
+++ b/elf/tst-protected2modb2.c
@@ -0,0 +1,28 @@
+/* Test protected function symbols.
+   Copyright (C) 2021 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include <stdlib.h>
+#include "tst-protected2mod.h"
+
+extern int protected3 (void) __attribute__ ((visibility("protected")));
+
+int
+check_protected3b (void)
+{
+  return protected3 () == -5;
+}
-- 
2.31.1

Re: [PATCH 1/4] Initial support for GNU_PROPERTY_1_NEEDED

[Florian Weimer]

* H. J. Lu via Libc-alpha:

> diff --git a/elf/elf.h b/elf/elf.h
> index 2a62b98d4a..45b107fdcf 100644
> --- a/elf/elf.h
> +++ b/elf/elf.h
> @@ -1310,6 +1310,23 @@ typedef struct
>  /* No copy relocation on protected data symbol.  */
>  #define GNU_PROPERTY_NO_COPY_ON_PROTECTED	2
>  
> +/* A 4-byte unsigned integer property: A bit is set if it is set in all
> +   relocatable inputs.  */
> +#define GNU_PROPERTY_UINT32_AND_LO	0xb0000000
> +#define GNU_PROPERTY_UINT32_AND_HI	0xb0007fff
> +
> +/* A 4-byte unsigned integer property: A bit is set if it is set in any
> +   relocatable inputs.  */
> +#define GNU_PROPERTY_UINT32_OR_LO	0xb0008000
> +#define GNU_PROPERTY_UINT32_OR_HI	0xb000ffff
> +
> +/* The needed properties by the object file.  */
> +#define GNU_PROPERTY_1_NEEDED		GNU_PROPERTY_UINT32_OR_LO
> +
> +/* Set if the object file requires canonical function pointers and
> +   cannot be used with copy relocation.  */
> +#define GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION	(1U << 0)
> +
>  /* Processor-specific semantics, lo */
>  #define GNU_PROPERTY_LOPROC			0xc0000000
>  /* Processor-specific semantics, hi */

Please add a stable link to the full specification.

I think we need more bits: one bit to indicate the status (in this
patch), and another bit to indicate linker support for this feature.
And perhaps yet another to indicate incompatibility with this feature.

Thanks,
Florian

Re: [PATCH 3/4] Add run-time chesk for single global definition

[Florian Weimer]

* H. J. Lu via Libc-alpha:

> +static inline void __attribute__ ((always_inline))
> +_dl_check_protected_symbol (const char *undef_name,
> +			    const struct link_map *undef_map,
> +			    const ElfW(Sym) *ref,
> +			    const struct link_map *map,
> +			    int type_class)
> +{
> +  if (undef_map != NULL
> +      && !(undef_map->l_1_needed
> +	   & GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION)
> +      && (map->l_1_needed
> +	  & GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION))
> +    {
> +      if ((type_class & ELF_RTYPE_CLASS_COPY))
> +	/* Disallow copy relocations against protected data symbols in
> +	   an object with single global definition.  */
> +	_dl_fatal_printf ("copy relocation against non-copyable protected symbol=%s in file=%s\n",
> +			  undef_name, DSO_FILENAME (map->l_name));
> +      else if (ref->st_value != 0
> +	       && ref->st_shndx == SHN_UNDEF
> +	       && (type_class & ELF_RTYPE_CLASS_PLT))
> +	/* Disallow non-zero symbol values of undefined symbols, which
> +	   are used as the function pointer, against protected function
> +	   symbols in an object with single global definition.  */
> +	_dl_fatal_printf ("non-canonical reference to canonical protected function symbol=%s in file=%s\n",
> +			  undef_name, DSO_FILENAME (map->l_name));
> +    }
> +}

Why are those fatal errors?

I have trouble understanding the second comment (for the
ELF_RTYPE_CLASS_PLT).

Thanks,
Florian

Re: [PATCH 4/4] Update tests for protected data and function symbols

[Florian Weimer]

* H. J. Lu via Libc-alpha:

> Protected data and function symbols don't work well without
> -fsingle-global-definition:
>
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=37611
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=44166
>
> 1. Compile tst-protected1[ab].c and tst-protected1mod[ab].c with
> -fsingle-global-definition if possible so that GOT entries are used
> for undefined data accesses.
> 2. Add tests for protected function pointers.
> 3. Build tst-prelink.c without single global definition to keepp COPY
> relocation.

I think these tests need to check that the statically linked bits from
GCC have been built with -fsingle-global-definition.  I don't think
that's guaranteed even if GCC supports -fsingle-global-definition.

I think this shows the limitation of the single bit of markup: the
statically linked GCC bits are all hidden, so setting
GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION so is not correct as a
marker to *require* a single global definition, but neither is not
setting it because libgcc.a etc. should be *compatible* with
GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION.

Thanks,
Florian

Re: [PATCH 2/4] Check -z single-global-definition and -fsingle-global-definition

[Andreas Schwab]

On Jun 20 2021, H.J. Lu via Libc-alpha wrote:

> diff --git a/configure b/configure
> index 9619c10991..5844dad68f 100755
> --- a/configure
> +++ b/configure
> @@ -732,6 +732,7 @@ infodir
>  docdir
>  oldincludedir
>  includedir
> +runstatedir
>  localstatedir
>  sharedstatedir
>  sysconfdir

Please use a vanilla autoconf version.

Andreas.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510  2552 DF73 E780 A9DA AEC1
"And now for something completely different."

Re: [PATCH 2/4] Check -z single-global-definition and -fsingle-global-definition

[Florian Weimer]

* H. J. Lu via Libc-alpha:

> 1. Check linker support for -z single-global-definition.  If
> GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION is set on any input
> relocatable files:
>   a. Don't generate copy relocations.
>   b. Turn off extern_protected_data.
>   c. Treate reference to protected symbols with single global definition
>   as local.
>   d. Set GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION on output.
>   e. Add -z [no]single-global-definition to control single global
>   definition.
> 2. Check compiler support for -fsingle-global-definition:
>   a. Generate a single global definition marker in relocatable objects.
>     i. Always use GOT to access undefined data and function symbols,
>     including in PIE and non-PIE.  These will avoid copy relocations in
>     executables.
>     ii. This is compatible with existing executables and shared libraries.
>   b. In executable and shared library, bind symbols with the STV_PROTECTED
>      visibility locally:
>     i. The address of data symbol is the address of data body.
>     ii. For systems without function descriptor, the function pointer is
>     the address of function body.
>     iii. The resulting shared libraries may not be incompatible with
>     executables which have copy relocations on protected symbols.
>
> Size comparison of non-PIE builds with GCC 12 -O2:
>
> 1. On x86-64:
>    text	   data	    bss	    dec	    hex	filename
>  190218	   9672	    416	 200306	  30e72	ld.so (original)
>  190258	   9336	    416	 200010	  30d4a ld.so (-fsingle-global-definition)
> 1917384	  20232	  52424	1990040	 1e5d98	libc.so (original)
> 1919946	  20240	  52432	1992618	 1e67aa	libc.so (-fsingle-global-definition)
>  261734	  10339	    744	 272817	  429b1	localedef (original)
>  233084	  41734	    648	 275466	  4340a	localedef (-fsingle-global-definition)

I must say these numbers do not make sense to me.  Why do libc.so and
localedef data sizes increase with -fsingle-global-definition?  Fewer
copy relocations should *reduce* data size on both sides.  localedef
would have to have nearly 4,000 data relocations to account for the size
increase.  And shouldn't the GOT overlap with BSS anyway (so not even
show up in the data column)?

And I don't think we can build glibc with -fsingle-global-definition
anyway because it would be an ABI break.

> ---
>  configure    | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++-
>  configure.ac | 37 ++++++++++++++++++++++++++
>  2 files changed, 109 insertions(+), 1 deletion(-)
>
> diff --git a/configure b/configure
> index 9619c10991..5844dad68f 100755
> --- a/configure
> +++ b/configure
> @@ -732,6 +732,7 @@ infodir
>  docdir
>  oldincludedir
>  includedir
> +runstatedir
>  localstatedir
>  sharedstatedir
>  sysconfdir

Please regenerate with an unpatched autoconf.

Thanks,
Florian

Re: [PATCH 2/4] Check -z single-global-definition and -fsingle-global-definition

[H.J. Lu]

On Mon, Jun 21, 2021 at 12:43 AM Florian Weimer <fweimer@redhat.com> wrote:
>
> * H. J. Lu via Libc-alpha:
>
> > 1. Check linker support for -z single-global-definition.  If
> > GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION is set on any input
> > relocatable files:
> >   a. Don't generate copy relocations.
> >   b. Turn off extern_protected_data.
> >   c. Treate reference to protected symbols with single global definition
> >   as local.
> >   d. Set GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION on output.
> >   e. Add -z [no]single-global-definition to control single global
> >   definition.
> > 2. Check compiler support for -fsingle-global-definition:
> >   a. Generate a single global definition marker in relocatable objects.
> >     i. Always use GOT to access undefined data and function symbols,
> >     including in PIE and non-PIE.  These will avoid copy relocations in
> >     executables.
> >     ii. This is compatible with existing executables and shared libraries.
> >   b. In executable and shared library, bind symbols with the STV_PROTECTED
> >      visibility locally:
> >     i. The address of data symbol is the address of data body.
> >     ii. For systems without function descriptor, the function pointer is
> >     the address of function body.
> >     iii. The resulting shared libraries may not be incompatible with
> >     executables which have copy relocations on protected symbols.
> >
> > Size comparison of non-PIE builds with GCC 12 -O2:
> >
> > 1. On x86-64:
> >    text          data     bss     dec     hex filename
> >  190218          9672     416  200306   30e72 ld.so (original)
> >  190258          9336     416  200010   30d4a ld.so (-fsingle-global-definition)
> > 1917384         20232   52424 1990040  1e5d98 libc.so (original)
> > 1919946         20240   52432 1992618  1e67aa libc.so (-fsingle-global-definition)
> >  261734         10339     744  272817   429b1 localedef (original)
> >  233084         41734     648  275466   4340a localedef (-fsingle-global-definition)
>
> I must say these numbers do not make sense to me.  Why do libc.so and
> localedef data sizes increase with -fsingle-global-definition?  Fewer

I haven't investigated them in detail yet.  My main purposes were to
check if anything breaks.

> copy relocations should *reduce* data size on both sides.  localedef
> would have to have nearly 4,000 data relocations to account for the size
> increase.  And shouldn't the GOT overlap with BSS anyway (so not even
> show up in the data column)?

I will take a closer look.

> And I don't think we can build glibc with -fsingle-global-definition
> anyway because it would be an ABI break.

Correct.

> > ---
> >  configure    | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++-
> >  configure.ac | 37 ++++++++++++++++++++++++++
> >  2 files changed, 109 insertions(+), 1 deletion(-)
> >
> > diff --git a/configure b/configure
> > index 9619c10991..5844dad68f 100755
> > --- a/configure
> > +++ b/configure
> > @@ -732,6 +732,7 @@ infodir
> >  docdir
> >  oldincludedir
> >  includedir
> > +runstatedir
> >  localstatedir
> >  sharedstatedir
> >  sysconfdir
>
> Please regenerate with an unpatched autoconf.
>

Will do.

Thanks.

-- 
H.J.

Re: [PATCH 4/4] Update tests for protected data and function symbols

[H.J. Lu]

On Mon, Jun 21, 2021 at 12:19 AM Florian Weimer <fweimer@redhat.com> wrote:
>
> * H. J. Lu via Libc-alpha:
>
> > Protected data and function symbols don't work well without
> > -fsingle-global-definition:
> >
> > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=37611
> > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=44166
> >
> > 1. Compile tst-protected1[ab].c and tst-protected1mod[ab].c with
> > -fsingle-global-definition if possible so that GOT entries are used
> > for undefined data accesses.
> > 2. Add tests for protected function pointers.
> > 3. Build tst-prelink.c without single global definition to keepp COPY
> > relocation.
>
> I think these tests need to check that the statically linked bits from
> GCC have been built with -fsingle-global-definition.  I don't think
> that's guaranteed even if GCC supports -fsingle-global-definition.
>
> I think this shows the limitation of the single bit of markup: the
> statically linked GCC bits are all hidden, so setting
> GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION so is not correct as a
> marker to *require* a single global definition, but neither is not
> setting it because libgcc.a etc. should be *compatible* with
> GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION.

The output bit is ORed from all inputs.   When one input object file doesn't
work with COPY relocation, the final output object is marked incompatible
with COPY relocation even if some inputs do work with COPY relocation.

-- 
H.J.

Re: [PATCH 1/4] Initial support for GNU_PROPERTY_1_NEEDED

[H.J. Lu]

On Mon, Jun 21, 2021 at 12:06 AM Florian Weimer <fweimer@redhat.com> wrote:
>
> * H. J. Lu via Libc-alpha:
>
> > diff --git a/elf/elf.h b/elf/elf.h
> > index 2a62b98d4a..45b107fdcf 100644
> > --- a/elf/elf.h
> > +++ b/elf/elf.h
> > @@ -1310,6 +1310,23 @@ typedef struct
> >  /* No copy relocation on protected data symbol.  */
> >  #define GNU_PROPERTY_NO_COPY_ON_PROTECTED    2
> >
> > +/* A 4-byte unsigned integer property: A bit is set if it is set in all
> > +   relocatable inputs.  */
> > +#define GNU_PROPERTY_UINT32_AND_LO   0xb0000000
> > +#define GNU_PROPERTY_UINT32_AND_HI   0xb0007fff
> > +
> > +/* A 4-byte unsigned integer property: A bit is set if it is set in any
> > +   relocatable inputs.  */
> > +#define GNU_PROPERTY_UINT32_OR_LO    0xb0008000
> > +#define GNU_PROPERTY_UINT32_OR_HI    0xb000ffff
> > +
> > +/* The needed properties by the object file.  */
> > +#define GNU_PROPERTY_1_NEEDED                GNU_PROPERTY_UINT32_OR_LO
> > +
> > +/* Set if the object file requires canonical function pointers and
> > +   cannot be used with copy relocation.  */
> > +#define GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION       (1U << 0)
> > +
> >  /* Processor-specific semantics, lo */
> >  #define GNU_PROPERTY_LOPROC                  0xc0000000
> >  /* Processor-specific semantics, hi */
>
> Please add a stable link to the full specification.

I will work on it.

> I think we need more bits: one bit to indicate the status (in this
> patch), and another bit to indicate linker support for this feature.
> And perhaps yet another to indicate incompatibility with this feature.
>

There is

#define GNU_PROPERTY_1_NEEDED                GNU_PROPERTY_UINT32_OR_LO

Since the setting on output is ORed from inputs, one bit is
sufficient.

-- 
H.J.

Re: [PATCH 4/4] Update tests for protected data and function symbols

[Florian Weimer]

* H. J. Lu:

> On Mon, Jun 21, 2021 at 12:19 AM Florian Weimer <fweimer@redhat.com> wrote:
>>
>> * H. J. Lu via Libc-alpha:
>>
>> > Protected data and function symbols don't work well without
>> > -fsingle-global-definition:
>> >
>> > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=37611
>> > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=44166
>> >
>> > 1. Compile tst-protected1[ab].c and tst-protected1mod[ab].c with
>> > -fsingle-global-definition if possible so that GOT entries are used
>> > for undefined data accesses.
>> > 2. Add tests for protected function pointers.
>> > 3. Build tst-prelink.c without single global definition to keepp COPY
>> > relocation.
>>
>> I think these tests need to check that the statically linked bits from
>> GCC have been built with -fsingle-global-definition.  I don't think
>> that's guaranteed even if GCC supports -fsingle-global-definition.
>>
>> I think this shows the limitation of the single bit of markup: the
>> statically linked GCC bits are all hidden, so setting
>> GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION so is not correct as a
>> marker to *require* a single global definition, but neither is not
>> setting it because libgcc.a etc. should be *compatible* with
>> GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION.
>
> The output bit is ORed from all inputs.   When one input object file doesn't
> work with COPY relocation, the final output object is marked incompatible
> with COPY relocation even if some inputs do work with COPY relocation.

But for the main executable, it has to work the other way round.

Thanks,
Florian

Re: [PATCH 4/4] Update tests for protected data and function symbols

[H.J. Lu]

On Mon, Jun 21, 2021 at 5:57 AM Florian Weimer <fweimer@redhat.com> wrote:
>
> * H. J. Lu:
>
> > On Mon, Jun 21, 2021 at 12:19 AM Florian Weimer <fweimer@redhat.com> wrote:
> >>
> >> * H. J. Lu via Libc-alpha:
> >>
> >> > Protected data and function symbols don't work well without
> >> > -fsingle-global-definition:
> >> >
> >> > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=37611
> >> > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=44166
> >> >
> >> > 1. Compile tst-protected1[ab].c and tst-protected1mod[ab].c with
> >> > -fsingle-global-definition if possible so that GOT entries are used
> >> > for undefined data accesses.
> >> > 2. Add tests for protected function pointers.
> >> > 3. Build tst-prelink.c without single global definition to keepp COPY
> >> > relocation.
> >>
> >> I think these tests need to check that the statically linked bits from
> >> GCC have been built with -fsingle-global-definition.  I don't think
> >> that's guaranteed even if GCC supports -fsingle-global-definition.
> >>
> >> I think this shows the limitation of the single bit of markup: the
> >> statically linked GCC bits are all hidden, so setting
> >> GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION so is not correct as a
> >> marker to *require* a single global definition, but neither is not
> >> setting it because libgcc.a etc. should be *compatible* with
> >> GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION.
> >
> > The output bit is ORed from all inputs.   When one input object file doesn't
> > work with COPY relocation, the final output object is marked incompatible
> > with COPY relocation even if some inputs do work with COPY relocation.
>
> But for the main executable, it has to work the other way round.
>

We need a new property which is ANDed for executables.

-- 
H.J.

Re: [PATCH 3/4] Add run-time chesk for single global definition

[H.J. Lu]

On Mon, Jun 21, 2021 at 12:16 AM Florian Weimer <fweimer@redhat.com> wrote:
>
> * H. J. Lu via Libc-alpha:
>
> > +static inline void __attribute__ ((always_inline))
> > +_dl_check_protected_symbol (const char *undef_name,
> > +                         const struct link_map *undef_map,
> > +                         const ElfW(Sym) *ref,
> > +                         const struct link_map *map,
> > +                         int type_class)
> > +{
> > +  if (undef_map != NULL
> > +      && !(undef_map->l_1_needed
> > +        & GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION)
> > +      && (map->l_1_needed
> > +       & GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION))
> > +    {
> > +      if ((type_class & ELF_RTYPE_CLASS_COPY))
> > +     /* Disallow copy relocations against protected data symbols in
> > +        an object with single global definition.  */
> > +     _dl_fatal_printf ("copy relocation against non-copyable protected symbol=%s in file=%s\n",
> > +                       undef_name, DSO_FILENAME (map->l_name));
> > +      else if (ref->st_value != 0
> > +            && ref->st_shndx == SHN_UNDEF
> > +            && (type_class & ELF_RTYPE_CLASS_PLT))
> > +     /* Disallow non-zero symbol values of undefined symbols, which
> > +        are used as the function pointer, against protected function
> > +        symbols in an object with single global definition.  */
> > +     _dl_fatal_printf ("non-canonical reference to canonical protected function symbol=%s in file=%s\n",
> > +                       undef_name, DSO_FILENAME (map->l_name));
> > +    }
> > +}
>
> Why are those fatal errors?

2 copies of the data symbol can be out of sync between executable and
shared library.  We can make them as warnings with tunable to control
it.

> I have trouble understanding the second comment (for the
> ELF_RTYPE_CLASS_PLT).

If st_value is the undefined symbol in executable is not zero, it
is the PLT address in executable and ld.so will use it for function
pointer which is different from the function address in shared
library.

-- 
H.J.

Re: [PATCH 0/4] Implement single global definition marker

[Joseph Myers]

My inclination is that this is a user-visible feature so should have a 
NEWS entry.

-- 
Joseph S. Myers
joseph@codesourcery.com

Re: [PATCH 3/4] Add run-time chesk for single global definition

[Florian Weimer]

* H. J. Lu:

> On Mon, Jun 21, 2021 at 12:16 AM Florian Weimer <fweimer@redhat.com> wrote:
>>
>> * H. J. Lu via Libc-alpha:
>>
>> > +static inline void __attribute__ ((always_inline))
>> > +_dl_check_protected_symbol (const char *undef_name,
>> > +                         const struct link_map *undef_map,
>> > +                         const ElfW(Sym) *ref,
>> > +                         const struct link_map *map,
>> > +                         int type_class)
>> > +{
>> > +  if (undef_map != NULL
>> > +      && !(undef_map->l_1_needed
>> > +        & GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION)
>> > +      && (map->l_1_needed
>> > +       & GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION))
>> > +    {
>> > +      if ((type_class & ELF_RTYPE_CLASS_COPY))
>> > +     /* Disallow copy relocations against protected data symbols in
>> > +        an object with single global definition.  */
>> > +     _dl_fatal_printf ("copy relocation against non-copyable protected symbol=%s in file=%s\n",
>> > +                       undef_name, DSO_FILENAME (map->l_name));
>> > +      else if (ref->st_value != 0
>> > +            && ref->st_shndx == SHN_UNDEF
>> > +            && (type_class & ELF_RTYPE_CLASS_PLT))
>> > +     /* Disallow non-zero symbol values of undefined symbols, which
>> > +        are used as the function pointer, against protected function
>> > +        symbols in an object with single global definition.  */
>> > +     _dl_fatal_printf ("non-canonical reference to canonical protected function symbol=%s in file=%s\n",
>> > +                       undef_name, DSO_FILENAME (map->l_name));
>> > +    }
>> > +}
>>
>> Why are those fatal errors?
>
> 2 copies of the data symbol can be out of sync between executable and
> shared library.  We can make them as warnings with tunable to control
> it.

I meant: Why can't you turn them into regular dlopen errors that are
reported to the caller?  (Use _dl_signal_error or any of the related
functions.)

>> I have trouble understanding the second comment (for the
>> ELF_RTYPE_CLASS_PLT).
>
> If st_value is the undefined symbol in executable is not zero, it
> is the PLT address in executable and ld.so will use it for function
> pointer which is different from the function address in shared
> library.

Ahh, I wasn't aware of that ELF detail.

Thanks,
Florian