I am running some benchmarks in Linux, and I am looking for some indication that the program has completed loading and started running. Is it reasonable to expect that main() would always be at the same EIP?

Is the EIP of main() dependent on the language? Is it dependent on the compiler?

Is there any EIP that a program can always be expected to start at?

Nathan Fellman
  • I'm writing a tool for sampling performance across various runs. I want to start up PEBS before running the benchmarks and ignore all of the samples before they start (for instance, I don't really care about time spent loading the executable from disk). I can't think of any way to detect that the program has started except by sampling the EIP and identifying the beginning of the run. – Nathan Fellman Sep 23 '12 at 19:33

1 Answer

Nope. In C, the entry point is actually `_start`, which comes from libc; `_start` does some libc initialization, then calls `main`.

`main` is just a regular function. The linker can choose to rearrange it any way it likes in the process image. Furthermore, with things like relocation tables at the start of the executable, the start of the `.text` section might not even be constant. Heck, if you're writing the program in assembly, `main` might not even exist.

A program, however, can always be trusted to start at the entry point address declared in its ELF header (assuming it's an ELF executable). So, use that. `readelf` can tell you the value.

nneonneo
  • Is `_start_` guaranteed to be at the same EIP on a single system? – Nathan Fellman Sep 23 '12 at 09:40
  • And it is a bit more complex than that. Dynamically linked ELF executables actually reference an ELF interpreter, which in practice is the dynamic library loader (`ld.so` or `ld-linux-x86-64.so`), which starts first and loads `libc.so` when your executable runs. – Basile Starynkevitch Sep 23 '12 at 16:56
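As an added example (not part of the original answer or its comments): a small C program that reads `e_entry` straight from the ELF header, which is the same value `readelf -h` prints as "Entry point address", and also reports `e_type`, because that decides whether the entry address is fixed. An `ET_EXEC` binary is mapped at the address baked into its headers, so `e_entry` is the virtual address `_start` runs at on every run. An `ET_DYN` binary (a PIE, the default for gcc on most current distributions) is mapped at a base chosen by the kernel and `ld.so`, so `e_entry` is only an offset from that base and the sampled EIP/RIP of `_start` changes between runs under ASLR. The two sample headers in the block are constructed by hand, not taken from any real binary; the function and struct names are my own.

```c
#include <elf.h>      /* ELFMAG, EI_CLASS, ET_EXEC, ET_DYN, Elf32_Ehdr, Elf64_Ehdr */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct elf_entry_info {
    uint64_t entry;  /* e_entry exactly as stored in the header */
    uint16_t type;   /* e_type: ET_EXEC, ET_DYN, ... */
    int is_64;       /* 1 for ELFCLASS64, 0 for ELFCLASS32 */
};

/* Read an n-byte little-endian integer; x86 ELF files are always LSB-first. */
static uint64_t rd_le(const unsigned char *p, size_t n)
{
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++)
        v |= (uint64_t)p[i] << (8 * i);
    return v;
}

/* Parse an ELF header from buf (the first 52 or 64 bytes of the file).
 * Returns 0 and fills *out on success, -1 if the bytes are not a little-endian
 * ELF32/ELF64 header or the buffer is too short. Both classes keep e_type and
 * e_entry at the same offsets; only the width of e_entry differs. */
int elf_read_entry(const unsigned char *buf, size_t len, struct elf_entry_info *out)
{
    if (len < EI_NIDENT || memcmp(buf, ELFMAG, SELFMAG) != 0)
        return -1;
    if (buf[EI_DATA] != ELFDATA2LSB)
        return -1;
    if (buf[EI_CLASS] == ELFCLASS64) {
        if (len < sizeof(Elf64_Ehdr)) return -1;
        out->is_64 = 1;
        out->entry = rd_le(buf + offsetof(Elf64_Ehdr, e_entry), sizeof(Elf64_Addr));
        out->type  = (uint16_t)rd_le(buf + offsetof(Elf64_Ehdr, e_type), sizeof(Elf64_Half));
    } else if (buf[EI_CLASS] == ELFCLASS32) {
        if (len < sizeof(Elf32_Ehdr)) return -1;
        out->is_64 = 0;
        out->entry = rd_le(buf + offsetof(Elf32_Ehdr, e_entry), sizeof(Elf32_Addr));
        out->type  = (uint16_t)rd_le(buf + offsetof(Elf32_Ehdr, e_type), sizeof(Elf32_Half));
    } else {
        return -1;
    }
    return 0;
}

/* ET_EXEC: e_entry is the virtual address _start will execute at.
 * ET_DYN (PIE): e_entry is an offset from a load base chosen at exec time,
 * so the address seen in a sample differs from run to run under ASLR. */
int entry_is_absolute(const struct elf_entry_info *info)
{
    return info->type == ET_EXEC;
}

/* Constructed sample: first 64 bytes of a hypothetical non-PIE x86-64
 * executable (ET_EXEC) with e_entry = 0x401040. Not from a real binary. */
const unsigned char sample_exec64[64] = {
    0x7f, 'E', 'L', 'F', 2, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* e_ident */
    2, 0,                                   /* e_type    = ET_EXEC */
    0x3e, 0,                                /* e_machine = EM_X86_64 */
    1, 0, 0, 0,                             /* e_version = EV_CURRENT */
    0x40, 0x10, 0x40, 0, 0, 0, 0, 0,        /* e_entry   = 0x401040 */
    /* remaining header fields left zero; they are not needed here */
};

/* Constructed sample: the same layout for a hypothetical PIE (ET_DYN) whose
 * e_entry is the small offset 0x1040. Not from a real binary. */
const unsigned char sample_pie64[64] = {
    0x7f, 'E', 'L', 'F', 2, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    3, 0,                                   /* e_type    = ET_DYN */
    0x3e, 0,                                /* e_machine = EM_X86_64 */
    1, 0, 0, 0,                             /* e_version */
    0x40, 0x10, 0, 0, 0, 0, 0, 0,           /* e_entry   = 0x1040 */
};

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <elf-file>\n", argv[0]);
        return 2;
    }
    unsigned char buf[sizeof(Elf64_Ehdr)];
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 1; }
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);

    struct elf_entry_info info;
    if (elf_read_entry(buf, n, &info) != 0) {
        fprintf(stderr, "%s: not a little-endian ELF32/ELF64 file\n", argv[1]);
        return 1;
    }
    printf("ELF%d e_entry = 0x%llx (%s)\n", info.is_64 ? 64 : 32,
           (unsigned long long)info.entry,
           entry_is_absolute(&info)
               ? "ET_EXEC: fixed virtual address of _start"
               : "ET_DYN: offset from the load base, varies under ASLR");
    return 0;
}
```

For the sampling use case in the question, this means the header value is only directly comparable with sampled EIP/RIP values when the benchmark is `ET_EXEC` (for example built with `-no-pie`); for a PIE you have to add the load base of the main executable, which on Linux can be read from the first mapping of that file in `/proc/<pid>/maps`, or disable ASLR for the run.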