```
I'm trying to use pfunct to identify software that bundles internal
copies of common libraries (I've started with zlib's adler32 function
for now), and I've seen this message being repeated tons of times for
kile, kxmleditor, VirtualBox and a lot more stuff.

Has anybody an idea of what that means?

Thanks,
--
Diego "Flameeyes" Pettenò
http://farragut.flameeyes.is-a-geek.org/
```

```
Em Fri, Feb 15, 2008 at 01:54:22PM +0100, Diego 'Flameeyes' Pettenò escreveu:
>
> I'm trying to use pfunct to identify software that bundles internal
> copies of common libraries (I've started with zlib's adler32 function
> for now), and I've seen this message being repeated tons of times for
> kile, kxmleditor, VirtualBox and a lot more stuff.
>
> Has anybody an idea of what that means?
virtual public classes :-\ Can you send me one of the object files? I'll
try to work on supporting non-trivial DWARF expressions so that we
properly support this.
- Arnaldo
```

```
Em Fri, Feb 15, 2008 at 11:08:18AM -0200, Arnaldo Carvalho de Melo escreveu:
> Em Fri, Feb 15, 2008 at 01:54:22PM +0100, Diego 'Flameeyes' Pettenò escreveu:
> >
> > I'm trying to use pfunct to identify software that bundles internal
> > copies of common libraries (I've started with zlib's adler32 function
> > for now), and I've seen this message being repeated tons of times for
> > kile, kxmleditor, VirtualBox and a lot more stuff.
> >
> > Has anybody an idea of what that means?
>
> virtual public classes :-\ Can you send me one of the object files? I'll
> try to work on supporting non-trivial DWARF expressions so that we
> properly support this.
No need for that, I have an object from the ATLAS project that has these
types of classes:
struct IL1JetTools : virtual public IAlgTool {
public:
/* struct IAlgTool <ancestor>; */ /* 4294967295 4 */
<SNIP>
See the offset?
- Arnaldo
```

```
Em Fri, Feb 15, 2008 at 11:11:36AM -0200, Arnaldo Carvalho de Melo escreveu:
> Em Fri, Feb 15, 2008 at 11:08:18AM -0200, Arnaldo Carvalho de Melo escreveu:
> > Em Fri, Feb 15, 2008 at 01:54:22PM +0100, Diego 'Flameeyes' Pettenò escreveu:
> > >
> > > I'm trying to use pfunct to identify software that bundles internal
> > > copies of common libraries (I've started with zlib's adler32 function
> > > for now), and I've seen this message being repeated tons of times for
> > > kile, kxmleditor, VirtualBox and a lot more stuff.
> > >
> > > Has anybody an idea of what that means?
> >
> > virtual public classes :-\ Can you send me one of the object files? I'll
> > try to work on supporting non-trivial DWARF expressions so that we
> > properly support this.
>
> No need for that, I have an object from the ATLAS project that has these
> types of classes:
>
> struct IL1JetTools : virtual public IAlgTool {
> public:
>
> /* struct IAlgTool <ancestor>; */ /* 4294967295 4 */
>
> <SNIP>
>
> See the offset?
dwarf_expr: unhandled DWARF expression: DW_OP_dup DW_OP_deref DW_OP_lit28 DW_OP_minus DW_OP_deref DW_OP_plus
dwarf_expr: unhandled DWARF expression: DW_OP_dup DW_OP_deref DW_OP_const1u DW_OP_shl DW_OP_minus DW_OP_deref DW_OP_plus
dwarf_expr: unhandled DWARF expression: DW_OP_dup DW_OP_deref DW_OP_lit28 DW_OP_minus DW_OP_deref DW_OP_plus
dwarf_expr: unhandled DWARF expression: DW_OP_dup DW_OP_deref DW_OP_lit20 DW_OP_minus DW_OP_deref DW_OP_plus
dwarf_expr: unhandled DWARF expression: DW_OP_dup DW_OP_deref DW_OP_const1u DW_OP_lit28 DW_OP_minus DW_OP_deref DW_OP_plus
dwarf_expr: unhandled DWARF expression: DW_OP_dup DW_OP_deref DW_OP_const1u DW_OP_reg8 DW_OP_minus DW_OP_deref DW_OP_plus
dwarf_expr: unhandled DWARF expression: DW_OP_dup DW_OP_deref DW_OP_const1u DW_OP_lit20 DW_OP_minus DW_OP_deref DW_OP_plus
dwarf_expr: unhandled DWARF expression: DW_OP_dup DW_OP_deref DW_OP_lit28 DW_OP_minus DW_OP_deref DW_OP_plus
dwarf_expr: unhandled DWARF expression: DW_OP_dup DW_OP_deref DW_OP_const1u DW_OP_shl DW_OP_minus DW_OP_deref DW_OP_plus
dwarf_expr: unhandled DWARF expression: DW_OP_dup DW_OP_deref DW_OP_lit28 DW_OP_minus DW_OP_deref DW_OP_plus
dwarf_expr: unhandled DWARF expression: DW_OP_dup DW_OP_deref DW_OP_lit20 DW_OP_minus DW_OP_deref DW_OP_plus
dwarf_expr: unhandled DWARF expression: DW_OP_dup DW_OP_deref DW_OP_const1u DW_OP_lit28 DW_OP_minus DW_OP_deref DW_OP_plus
dwarf_expr: unhandled DWARF expression: DW_OP_dup DW_OP_deref DW_OP_const1u DW_OP_lit20 DW_OP_minus DW_OP_deref DW_OP_plus
dwarf_expr: unhandled DWARF expression: DW_OP_dup DW_OP_deref DW_OP_const1u DW_OP_reg8 DW_OP_minus DW_OP_deref DW_OP_plus
So, for the first expression: it takes the value of some register,
duplicates it on the stack, dereference the top of the stack and put it
on the stack, puts lit28 on the stack, subtracts the two entries in the
stack and puts the result on the stack and then dereferences the top of
the stack and adds the two and puts the result on the stack, that should
be the end result that will tell where the ancestor class instance is.
Now to understand what is DW_OP_lit28, perhaps just the value 28? But
why do we have also DW_OP_const28u? /me reads the DWARF docs...
- Arnaldo
```

```
Em Fri, Feb 15, 2008 at 11:36:20AM -0200, Arnaldo Carvalho de Melo escreveu:
> Em Fri, Feb 15, 2008 at 11:11:36AM -0200, Arnaldo Carvalho de Melo escreveu:
> > struct IL1JetTools : virtual public IAlgTool {
> > public:
> >
> > /* struct IAlgTool <ancestor>; */ /* 4294967295 4 */
> >
> > <SNIP>
> >
> > See the offset?
>
> dwarf_expr: unhandled DWARF expression: DW_OP_dup DW_OP_deref DW_OP_lit28 DW_OP_minus DW_OP_deref DW_OP_plus
<SNIP>
> So, for the first expression: it takes the value of some register,
> duplicates it on the stack, dereference the top of the stack and put it
> on the stack, puts lit28 on the stack, subtracts the two entries in the
> stack and puts the result on the stack and then dereferences the top of
> the stack and adds the two and puts the result on the stack, that should
> be the end result that will tell where the ancestor class instance is.
>
> Now to understand what is DW_OP_lit28, perhaps just the value 28? But
> why do we have also DW_OP_const28u? /me reads the DWARF docs...

Dwarf3.pdf page 14:

2.5.1.1 Literal Encodings

The following operations all push a value onto the DWARF stack.

1. DW_OP_lit0, DW_OP_lit1, ..., DW_OP_lit31
   The DW_OP_litn operations encode the unsigned literal values from 0
   through 31, inclusive.

2. DW_OP_addr
   The DW_OP_addr operation has a single operand that encodes a machine
   address and whose size is the size of an address on the target machine.

3. DW_OP_const1u
   The single operand of the DW_OP_const1u operation provides a 1-byte
   unsigned integer constant.

4. DW_OP_const1s
   The single operand of the DW_OP_const1s operation provides a 1-byte
   signed integer constant.

5. DW_OP_const2u
   The single operand of the DW_OP_const2u operation provides a 2-byte
   unsigned integer constant.

6. DW_OP_const2s
   The single operand of the DW_OP_const2s operation provides a 2-byte
   signed integer constant.

<SNIP>

11. DW_OP_constu
    The single operand of the DW_OP_constu operation provides an unsigned
    LEB128 integer constant.

12. DW_OP_consts
    The single operand of the DW_OP_consts operation provides a signed
    LEB128 integer constant.

<SNIP>

7. DW_OP_deref
   The DW_OP_deref operation pops the top stack entry and treats it as an
   address. The value retrieved from that address is pushed. The size of
   the data retrieved from the dereferenced address is the size of an
   address on the target machine.

So probably the best thing to do is to convert this location expression
to a C like syntax and show it in the offset comment.

- Arnaldo
```
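The stack evaluation walked through in the thread, as an added example that is not part of the original messages or of the dwarves code: a minimal evaluator for the opcodes in the first logged expression plus DW_OP_const1u, run over a constructed object whose vtable stores the virtual-base offset. It assumes a 32-bit target and relies on the DWARF rule that the object's address is pushed before a data member location expression is evaluated; `eval_location`, `read_word`, `demo_virtual_base` and the memory layout are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
enum { DW_OP_deref = 0x06, DW_OP_const1u = 0x08, DW_OP_dup = 0x12,  /* DWARF opcode values */
       DW_OP_minus = 0x1c, DW_OP_plus = 0x22, DW_OP_lit0 = 0x30, DW_OP_lit31 = 0x4f };
#define MEM_BASE 0x1000u
static uint32_t mem[64];                /* constructed 32-bit target memory */

static int read_word(uint32_t addr, uint32_t *out)
{
    if (addr < MEM_BASE || (addr & 3) || (addr - MEM_BASE) / 4 >= 64)
        return -1;                      /* unaligned or outside the sample memory */
    *out = mem[(addr - MEM_BASE) / 4];
    return 0;
}

/* Evaluate expr with the object address pre-pushed; 0 on success, -1 on error. */
int eval_location(const uint8_t *expr, size_t len, uint32_t obj, uint32_t *res)
{
    uint32_t st[16] = { obj }, a;
    size_t sp = 1, i = 0;               /* sp never drops below 1 in this subset */
    while (i < len) {
        uint8_t op = expr[i++];
        if (op >= DW_OP_lit0 && op <= DW_OP_lit31 && sp < 16) {
            st[sp++] = op - DW_OP_lit0;             /* literal 0..31 encoded in the opcode */
        } else if (op == DW_OP_const1u && i < len && sp < 16) {
            st[sp++] = expr[i++];                   /* operand byte is data, not an opcode */
        } else if (op == DW_OP_dup && sp < 16) {
            st[sp] = st[sp - 1]; sp++;
        } else if (op == DW_OP_deref && read_word(st[sp - 1], &a) == 0) {
            st[sp - 1] = a;                         /* pop address, push the word stored there */
        } else if ((op == DW_OP_minus || op == DW_OP_plus) && sp >= 2) {
            a = st[--sp];                           /* former top of stack */
            st[sp - 1] = (op == DW_OP_plus) ? st[sp - 1] + a : st[sp - 1] - a;
        } else { return -1; }                       /* unhandled opcode or malformed input */
    }
    *res = st[sp - 1];
    return 0;
}

/* Constructed sample: object at 0x1080, vptr 0x1040, offset 8 stored at vptr - 28. */
uint32_t demo_virtual_base(void)        /* returns 0 on failure */
{
    static const uint8_t expr[] = { DW_OP_dup, DW_OP_deref, DW_OP_lit0 + 28,
                                    DW_OP_minus, DW_OP_deref, DW_OP_plus };
    uint32_t r = 0;
    mem[(0x1080 - MEM_BASE) / 4] = 0x1040;          /* vptr at object offset 0 */
    mem[(0x1040 - 28 - MEM_BASE) / 4] = 8;          /* virtual-base offset */
    return eval_location(expr, sizeof expr, 0x1080, &r) ? 0 : r;
}
```

In C-like form the expression is `obj + *(*obj - 28)`, which is why no fixed member offset exists for a virtual base.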