I/O patterns on ELF binary initialization

[ I meant to finish this article much earlier, but i had to leave it in a half-written draft state for quite some time due to other activities ]

One particular issue that arises with big binary files is that of I/O patterns. It looks like it is not something under the usual scope for both ld.so and programs/libraries, but it can have a dramatic influence on startup times. My analysis is far from complete, would need to be improved by actually investigating ld.so code further, and so far has been limited to libxul.so built from mozilla-central, with the help of icegrind, on x86-64 linux.

As I wrote recently, icegrind allows to track memory accesses within mmap()ed memory ranges. As ld.so does mmap() the program and library binaries, tracking the memory accesses within these mmap()s allows to get a better idea at I/O patterns when an ELF binary is initialized. I only focused on local accesses within a single given binary file (libxul.so) because the case of Firefox loading many files at startup is already being scrutinized, and because most of the non-Firefox files being read at Firefox startup (system and GNOME libraries) are most likely already in the page cache. I also focused on that because it was an interesting case that could be helpful to understand how big (and maybe less big) binaries may be affected by the toolchain (compiler, linker and dynamic linker) and possibly by some coding practices.

For the record, what I did to get these results is to use icegrind and elflog, with further additions to the "sections" file with some output from "objdump -h": I added sections that elflog wouldn't give (such as .plt, .hash, .dynsym, etc.), and even down to the entry level for the .rela.dyn section. The latter is particularly interesting because icegrind only outputs the first access for any given section. To see sequential accesses within that section, you need to split it in smaller pieces, which I did for .rela.dyn entries (each one being 24 bytes on x86-64). Uncommenting some parts of the icegrind code was also useful to track where some accesses were made from, code-wise.

Now, the interesting data:

One of the first accesses is a nullification of a few variables within the .bss section. The .bss section is usually an anonymous piece of memory, that is, a range of mmap()ed memory that is not backed by a file, and filled with zeroes by the kernel (I think it even does that lazily). It is used for e.g. variables that are initialized with zeroes in the code, and obviously, any code accessing these variables would be addressing at some offset of the .bss section. It means the section needs to start in memory at the offset it has been assigned by the linker at build time. This is actually where problems begin.

When the .bss section offset as assigned by the linker doesn't align on a page (usually 4KB), the mmap()ed .bss can't be at that location, and really starts on the next page. The remainder is still mmap()ed from the binary file, and ld.so will itself fill that part. As the .bss section doesn't start on a page boundary, any write at this location will trigger the kernel reading the entire page. This means one of the first set of data being read from the file is the end of the section preceding .bss, and the beginning of the following one. Most likely, respectively the .data and .comment sections.

While this probably doesn't matter much when the binary file is small, when it is big enough, reading in a non sequential manner will trigger hard disk seeks, and we all know how they can hurt performance. Although thankfully, cheap SSDs should be coming some day, in the meanwhile, we still need to cope with the bad performance. The interesting part is, the .bss section is really empty in the binary file, so its "virtual" memory address could be anywhere. Why the linker wouldn't align it at a page boundary without having to resort to a linker script is beyond me.

The next accesses go back and forth between .dynamic, .gnu.hash, .dynstr, .gnu.version_r, .gnu.version and .dynsym. These are probably all related to symbol version resolution and DT_NEEDED library loading. While most of these sections are at the beginning of the file (not necessarily in the order they are read from), the .dynamic section is much nearer to the end, but way before .data, so that it won't even have been loaded as a by-product of the .bss section loading.

After that, the .rela.dyn section is read, and for each relocation entry it contains, the relocations are being applied. Relocations is one of the mechanisms by which position independent code (PIC) is made possible. When a library is loaded in memory, it is not necessarily loaded at the same address every time. The code and data contained in the library thus need to cope with that constraint. Fortunately, while the base address where the library is mmap()ed in memory is not necessary constant, the offsets of the various sections are still as codified in the binary. The library code can thus directly access data at the right offset if it knows the base offset of the library (which is what is done on the x86 ABI), or if it knows where the current instruction is located (which is what is done on the x86-64 ABI).

"Static" data (initialized in e.g. a const or a global variable, or, in C++ case, vtables), on the other hand, may contain pointers to other locations. This is where relocation enters the scene. The .rela.dyn section contains a set of rules describing where in the binary some pointers need to be adjusted depending on the base library offset (or some other information), and how they should be updated. ld.so thus reads all .rela.dyn entries, and applies each relocation, which means that while .rela.dyn is being read sequentially, reads and writes are also performed at various places of the binary, depending on the content of the .rela.dyn entries.

This is where this gets ugly for Firefox: there are near 200000 such relocations. On x86-64 an entry is 24 bytes (12 on x86), and each of these is going to read/write a pointer (8 bytes on x86-64, 4 on x86) at some random (though mostly ordered) location. The whole .rela.dyn section not being read ahead, what actually happens is that it is read in small batches, with seeks and reads of other data at various locations in between. In libxul.so case, this spreads over .ctors, .data.rel.ro, .got, and .data. The relocation entries are somehow ordered by address to be rewritten, though they occasionally jump backwards. Some of these relocations also appear to be touching to .gnu.version, .dynsym and .dynstr, because their type involves a symbol resolution.

Once .rela.dyn relocation have been dealt with comes .rela.plt's turn. The principle is the same for this section: entries describe what kind of relocation must be done where, and how the result must be calculated. The scope of this section, though, is apparently limited to .got.plt. But before explaining these relocations, I'll explain what happens with the PLT.

The PLT (Procedure Linkage Table) is used when calling functions from external libraries. For example, in a Hello World example, the PLT would be used for calls to the puts function. The function making the call would in fact call the corresponding PLT location. The PLT itself, on x86 and x86-64, at least, consists of 3 instructions (I'll skip the gory details, especially for x86, where the caller needs to also set some register before calling the PLT). The first instruction is the only one to be called most of the time: it reads the final destination in the .got.plt section, and jumps there. That final destination, obviously, is not fixed in the library file, since it needs to be resolved by its symbol. This is why the two subsequent instructions exist : originally, the destination "stored" in the .got.plt section points back to the second instruction ; the first instruction will effectively be a nop (no operation), and the following instructions will be executed. They will jump into code responsible for symbol resolution, update of the .got.plt entry for the next call, and call of the real function.

But pointing back to the second instruction is like the pointers in static data we saw above : it's not possible in position independent code. So, the .rela.plt relocations are actually filling the .got.plt section with these pointers back to the PLT. There are a tad more than 3000 such relocations.

All these relocations should be going away when prelinking the binaries, but from my several experimentations, it looks like prelinking only avoids relative relocations, and not the others, while it technically could skip all of them. prelink even properly applies all the relocations in the binary, but executing the binary rewrites the same information at startup for all but relative relocations. That could well be a bug in either ld.so not skipping enough relocations or prelink not marking enough relocations to be skipped. I haven't dug deep enough in the code to know how prelinking works exactly. Anyways, prelinking is not a perfect solution, as it also breaks ASLR. Sure, prelink can randomize library locations, but it relies on the user or a cron job doing so at arbitrary times, but that's far from satisfying.

An interesting thing to note, though, is that a good part of the relocations prelinking doesn't rid us of in libxul.so (more than 25000) are due to the __cxa_pure_virtual symbol, which is used for, well, pure virtual methods. In other words, virtual methods that don't have an implementation in a given class. The __cxa_pure_virtual function is set as method in the corresponding field(s) of the class VTABLE in the .data.rel.ro section. This function is provided by libstdc++, and as such, is dynamically linked. But this function is just a dummy function, doing nothing. Defining an empty __cxa_pure_virtual function to be included in libxul.so makes these relocations become relative, thus taken care of by prelinking.

After all relocations occur, the library initialization itself can begin, and the content of the .init section is executed. That section, indirectly, executes all functions stored in the .ctors section. This includes static initializers, which are unfortunately called backwards, as Taras pointed out already. Each of these static initializers are also accessing various locations in the .data or .bss sections, which may or may not have already been loaded during the relocation phase. The execution of these initializers will also (obviously) read various pieces of the .text section (despite its name, it contains executable sections, i.e. functions code).

The initialization of the library ends there, and no access should happen until a function from the library is called. In libxul.so case, XRE_main is first called, then many other functions, but that's another story. All that needs to be remembered about the startup process past this point is that the .text section will be read heavily, as well as the various data, got, plt and dynamic symbol sections, in a very scattered way. While most of these sections may have been retrieved in memory already, as a byproduct of the various initialization processes described above, some may have not, increasing even more the need to seek at all places in the binary file.

Now the main problem with all these I/O patterns at startup, is that it seems the only way reorganizing the binary layout may have a visible impact is by considering all the above, and not only a part of it, because only addressing a part of it is very likely to only move part of the problem to a different layer.

All in all, making sure the relevant sections of libxul.so are read by the kernel before ld.so enters the game is a good short-term solution to avoid many seeks at startup.

2010-07-14 18:37:13+0900

mozilla, p.m.o

You can leave a response, or trackback from your own site.

11 Responses to “I/O patterns on ELF binary initialization”

  1. Boris Says:

    > there are near 200000 such relocations.

    Do we know what the sources are? Is it worth trying to reduce this number?

  2. Kurt Roeckx Says:

    The best way to speed up the start up time is to avoid relocations. I suggest you read http://people.redhat.com/drepper/dsohowto.pdf

  3. James Vega Says:

    The people.redhat.com link doesn’t work anymore. Use http://www.akkadia.org/drepper/dsohowto.pdf

  4. Taras’ Blog » My Startup Summary Says:

    […] most of icegrind so in addition optimizing startup, it can also facilitate investigative work like Mike Hommey is […]

  5. glandium Says:

    Boris: I think it’s worthwhile to try to reduce the number of relocations. On the other hand, 166700 out of 204807 are due to vtables… considering XPCOM relies on them, it may be hard, though the de-COM-tamination process may help a bit.
    Reducing the other relocations and grouping the vtables together may help reducing seeks, too.

  6. Digital Blog Says:

    And Is it worth trying to reduce this number?

  7. Jakub Jelinek Says:

    If you have __cxa_pure_virtual prelink conflicts, the only possible reason for that is that you are defining __cxa_pure_virtual somewhere earlier in the search scope than in libstdc++.so.6. That is not the usual case and you should generally avoid that. E.g. linking static libstdc++ into the binary would result in something like that. Just never do something like that. Looking at firefox in Fedora 14, it has just
    Relocation section ‘.gnu.conflict’ at offset 0x748 contains 173 entries:
    (nothing in the order of thousands).

  8. Mark Heltor Says:

    Many fake crypto trading platforms have successfully managed to con victims of their hard-earned money. A few weeks ago, I was contacted by a crypto trader on Instagram who claimed to be a manager on a trading platform, he convinced me to invest my money into crypto mining hoping to make huge profits from it, I was convinced when I saw my account balance on their platform, but when I wanted to withdraw my earnings, they kept requesting for money for tax and other unnecessary fees. I realized then that I was being catfished, I stopped all communication and went to the internet to do my research about crypto when I came across Firmwall Cyber Security Service, a well reliable crypto recovery company, I was very pleased with the reviews I saw about this crypto recovery company and I contacted them to assist me to recover my crypto, I gave them all the information and within a few hours, Firmwall Cyber Security was able to recover my crypto assets. I’m truly grateful for their service and I highly recommend them

    E-mail = Firmwallcyber@techie. com
    Web = https://firmwallcyber.wixsite.com/firmwall
    Whats App = + 1 937 542 0667

  9. Rosemary Harper Says:


    Scams involving bitcoin are getting increasingly sophisticated, and a lot of people fall for them. It can be rather frustrating, but if you’ve fallen for a bitcoin or USDT scam, don’t feel guilty. Instead, report the incident, , and seek the assistance you require. get your money back from fraudsters or Bitcoin, USDT, or other cryptocurrencies. The legitimate procedure to recover your stolen or defrauded money is to visit Wizard Williams Recovery Team if you have ever been the victim of a scam and would like to get your money back. I once lost roughly $210,000 in early January to a fraudulent broker who assured me of a 100% monthly return on my investment. A few days later, I realised that it was a dubious investment, and I started to worry that my money was lost. Fortunately, a close friend introduced me to Wizard Williams Recovery Team, and this team was able to fully recover my stolen funds in a matter of hours.I hired them, and this has been the best online service I’ve ever had. The agency is worthy of the great reviews they have received here. For comparable assistance, get in contact right away at:

    Email: Wizardwilliams@mail.com
    WhatsApp:  +4,9,1,7,6,1,2,4,5,2,0,6,6.

  10. Antonio Wenner Says:


    I was scammed over ( $345,000 ) by someone I met online on a fake investment project. I started searching for help legally to recover my money and I came across a lot of Testimonies about ETHICREFINANCE Recovery Expects. I contacted them providing the necessary information’s and it took the experts about 27hours to locate and help recover my stolen funds. I am so relieved and the best part was, the scammer was located and arrested by local authorities in his region. I hope this help as many out there who are victims and have lost to these fake online investment scammers. I strongly recommend their professional services for assistance with swift and efficient recovery. They can reached through the link below.
    Email Address: ethicsrefinance @gmail com
    Telegram: @ethicsrefinance

  11. Myra Jay Says:

    Hi everyone, I am indebted to this psychic and I still can’t believe my husband is back to me even in more stronger bond than we have ever been, with the help of this psychic, his services are outstanding and wonderful, within 24hours of connecting with him I got a surprise call from my husband and that’s how a problem that almost destroyed my marriage was solved. I highly recommend Priest Ray to anyone that wants accurate spell casting to get his or her ex partner back. You can dm him via WhatsApp +12133525735 or email psychicspellshrine@gmail.com
    Kindly visit https://psychicspellshrine.wixsite.com/my-site

Leave a Reply