(3b2) functions in data space

KW Heuer kwh at bentley.UUCP
Wed Mar 12 02:22:56 AEST 1986


I've changed the cross-posting from net.unix to net.unix-wizards, as
this is no longer a neophyte question.

In article <728 at petsd.UUCP> petsd!law (Steve Law) writes:
>UNIX System V link editor (ld) allows one to put functions in the .data
>section of a COFF file.  All you need to do is to create a ld command
>file (also called ifile).  For example ...

The person who started this discussion was already able to create code
in the .data space; whether it's done by the loader or at run-time by
the program is irrelevant.  The question is whether it's possible to
_execute_ such a function.  On a vax, you can.  On a pdp11 with split
I/D, you can't, because .text and .data addresses are each 16 bits,
so an attempt to call a function from .data space will actually call
the function at the same address in .text space.  (The workaround is
to use ld -N, so you don't have split I/D.)  The remainder of this
discussion focuses on the 3b2, where .text and .data addresses have
separate ranges (.text normally starts at 0x80800000, .data at
0x80880000).

The first thing I tried was "ld -N" as described in ld(1) and a.out(4).
It produced a normal 0410 file, just like a plain "ld" or "ld -n".
Then I tried patching the a.out file to change the magic number from
0410 to 0407; the resulting a.out could not be run (ENOEXEC).  So I
looked at the kernel source.  In the code for sys exec, there was a
comment which stated that 0407 is unimplemented on the 3b2 because of
a hardware restriction; it's apparently just not possible to have a
segment which is simultaneously executable and writable (or readable).

In article <1486 at devwrl.DEC.COM> williams at kirk.DEC (John Williams) writes:
>Perhaps a way around it would be to gain access somehow to the memory
>management register, have a function that flips a bit just before
>calling the data code, and cleans up afterwards.

This would allow a block of impure code to be _alternately_ .text
and .data, which is sufficient for some applications.  Certainly this
sort of thing can be done in kernel mode (ptrace() is a good example).
Perhaps sys3b() is the loophole to user mode?  The man page says it's
for the 3b20s -- there's a function of the same name on the 3b2, but
it might have a different set of subcommands.  Subcommand 7 is to
"Modify the System Status Register".  Is this it?  In what way should
the register be modified to transmute a block at a given address?
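Added example, not part of the original post or of any 3b2 source: the
"alternately .text and .data" scheme John Williams proposes, done the way a
modern POSIX system lets user mode do it.  A buffer that lives in the
program's data space (.bss) is filled with machine code, the page is
switched from writable to executable with mprotect(2), the function is
called, and the page is switched back to writable.  The data page is never
writable and executable at the same time, which is the restriction the 3b2
kernel comment describes.  Assumed: Linux or another POSIX system, a page
size that divides 16 KiB, and an x86-64 (System V ABI) or AArch64 CPU; the
instruction bytes are hand-assembled for those two targets and all names
are my own.

```c
/* Added example (not from the 1986 post).  A function placed in data
 * space and executed by flipping its page between writable and executable.
 * Assumptions: POSIX mprotect(2), x86-64 SysV ABI or AArch64, page size
 * dividing 16 KiB.  Machine code below is hand-assembled for this example. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define CODE_PAGE_SIZE 16384u

/* The "function in data space": this array is in .bss.  It is aligned and
 * sized to whole pages so mprotect() never touches a neighbouring variable. */
static unsigned char code_page[CODE_PAGE_SIZE]
    __attribute__((aligned(CODE_PAGE_SIZE)));

enum { DATA_CODE_OK = 0, DATA_CODE_DENIED = 1, DATA_CODE_UNSUPPORTED = -1 };

/* Machine code for  int f(int a, int b) { return a + b; }  in the native
 * calling convention.  Returns the number of bytes written, 0 if unknown CPU. */
static size_t emit_add_function(unsigned char *dst)
{
#if defined(__x86_64__)
    /* mov eax, edi ; add eax, esi ; ret */
    static const unsigned char code[] = { 0x89, 0xF8, 0x01, 0xF0, 0xC3 };
    memcpy(dst, code, sizeof code);
    return sizeof code;
#elif defined(__aarch64__)
    /* add w0, w0, w1 ; ret   (little-endian instruction words) */
    static const unsigned char code[] = { 0x00, 0x00, 0x01, 0x0B,
                                          0xC0, 0x03, 0x5F, 0xD6 };
    memcpy(dst, code, sizeof code);
    return sizeof code;
#else
    (void)dst;
    return 0;
#endif
}

/* Writes the function into data space, makes its page executable just long
 * enough to call it, then makes it writable again.  Returns DATA_CODE_OK and
 * stores a+b in *out; DATA_CODE_DENIED if the kernel or hardware refuses to
 * make a data page executable (the 3b2 situation in the post);
 * DATA_CODE_UNSUPPORTED for an unknown CPU, an odd page size or other error. */
int add_via_data_space(int a, int b, int *out)
{
    long page = sysconf(_SC_PAGESIZE);
    size_t len;
    int (*fn)(int, int);
    void *p = code_page;

    if (page <= 0 || CODE_PAGE_SIZE % (unsigned long)page != 0)
        return DATA_CODE_UNSUPPORTED;

    /* Step 1: the page is ordinary writable data; put the code there. */
    len = emit_add_function(code_page);
    if (len == 0)
        return DATA_CODE_UNSUPPORTED;
    __builtin___clear_cache((char *)code_page, (char *)code_page + len);

    /* Step 2: "flip the bit": data -> text.  PROT_WRITE is dropped on
     * purpose; asking for PROT_WRITE|PROT_EXEC is what W^X systems reject. */
    if (mprotect(code_page, CODE_PAGE_SIZE, PROT_READ | PROT_EXEC) != 0)
        return (errno == EACCES || errno == EPERM) ? DATA_CODE_DENIED
                                                   : DATA_CODE_UNSUPPORTED;

    /* Step 3: call the function that lives in data space. */
    memcpy(&fn, &p, sizeof fn);   /* object pointer -> function pointer */
    *out = fn(a, b);

    /* Step 4: "clean up afterwards": text -> data, writable and no longer
     * executable. */
    if (mprotect(code_page, CODE_PAGE_SIZE, PROT_READ | PROT_WRITE) != 0)
        return DATA_CODE_UNSUPPORTED;
    return DATA_CODE_OK;
}

int main(void)
{
    int out = 0;
    int rc = add_via_data_space(3, 4, &out);
    if (rc == DATA_CODE_OK)
        printf("function in data space returned %d\n", out);
    else if (rc == DATA_CODE_DENIED)
        printf("system refused to make a data page executable\n");
    else
        printf("unsupported CPU, page size or mprotect failure\n");
    return rc == DATA_CODE_OK ? 0 : 1;
}
```

On a system with an execmem policy (SELinux, PaX MPROTECT, hardened macOS)
the first mprotect() fails with EACCES or EPERM and the function reports
DATA_CODE_DENIED; that is the user-mode equivalent of the 3b2 kernel
returning ENOEXEC for a 0407 image.  Where it succeeds, the window in which
the page is executable is the whole attack surface of the scheme: anything
that writes into code_page during that window cannot, because the page is
then not writable, and anything that jumps there afterwards finds
non-executable data again.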
