最近对 newlib 中的启动代码 crt0 产生了兴趣,于是就分析了下其代码。crt0 的源码位于 libgloss/arm/crt0.S,为了兼容各种 ARM 架构,crt0.S 中有大量的条件判断宏定义,对于只关心 ARMv7e-M 的我来说很是痛苦。刚好手上有个基于 STM32F412 的 mbed 工程用的是 crt0 的启动方式,参考 crt0.o 的反汇编我可以提炼出 crt0.S 中和 ARMv7e-M 相关的部分代码。
crt0.o 的反汇编如下:
08008220 <_mainCRTStartup>: 8008220: 4b15 ldr r3, [pc, #84] ; (8008278 <_mainCRTStartup+0x58>) 8008222: 2b00 cmp r3, #0 8008224: bf08 it eq 8008226: 4b13 ldreq r3, [pc, #76] ; (8008274 <_mainCRTStartup+0x54>) 8008228: 469d mov sp, r3 800822a: f5a3 3a80 sub.w sl, r3, #65536 ; 0x10000 800822e: 2100 movs r1, #0 8008230: 468b mov fp, r1 8008232: 460f mov r7, r1 8008234: 4813 ldr r0, [pc, #76] ; (8008284 <_mainCRTStartup+0x64>) 8008236: 4a14 ldr r2, [pc, #80] ; (8008288 <_mainCRTStartup+0x68>) 8008238: 1a12 subs r2, r2, r0 800823a: f01c fcd7 bl 8024bec800823e: 4b0f ldr r3, [pc, #60] ; (800827c <_mainCRTStartup+0x5c>) 8008240: 2b00 cmp r3, #0 8008242: d000 beq.n 8008246 <_mainCRTStartup+0x26> 8008244: 4798 blx r3 8008246: 4b0e ldr r3, [pc, #56] ; (8008280 <_mainCRTStartup+0x60>) 8008248: 2b00 cmp r3, #0 800824a: d000 beq.n 800824e <_mainCRTStartup+0x2e> 800824c: 4798 blx r3 800824e: 2000 movs r0, #0 8008250: 2100 movs r1, #0 8008252: 0004 movs r4, r0 8008254: 000d movs r5, r1 8008256: 480d ldr r0, [pc, #52] ; (800828c <_mainCRTStartup+0x6c>) 8008258: 2800 cmp r0, #0 800825a: d002 beq.n 8008262 <_mainCRTStartup+0x42> 800825c: 480c ldr r0, [pc, #48] ; (8008290 <_mainCRTStartup+0x70>) 800825e: f00f f868 bl 8017332 <__wrap_atexit> 8008262: f01c f805 bl 8024270 <__libc_init_array> 8008266: 0020 movs r0, r4 8008268: 0029 movs r1, r5 800826a: f00f f821 bl 80172b0 <__wrap_main> 800826e: f00f f85d bl 801732c <__wrap_exit> 8008272: bf00 nop 8008274: 00080000 .word 0x00080000 8008278: 20040000 .word 0x20040000 800827c: 00000000 .word 0x00000000 8008280: 080172a3 .word 0x080172a3 8008284: 20000c00 .word 0x20000c00 8008288: 2000ac58 .word 0x2000ac58 800828c: 08017333 .word 0x08017333 8008290: 00000000 .word 0x00000000
提炼后的 crt0.S 代码如下:
FUNC_START _mainCRTStartup FUNC_START _start/* Start by setting up a stack */ /* Set up the stack pointer to a fixed value */ /* Changes by toralf: - Allow linker script to provide stack via __stack symbol - see defintion of .Lstack - Provide "hooks" that may be used by the application to add custom init code - see .Lhwinit and .Lswinit - Go through all execution modes and set up stack for each of them. Loosely based on init.s from ARM/Motorola example code. Note: Mode switch via CPSR is not allowed once in non-privileged mode, so we take care not to enter "User" to set up its sp, and also skip most operations if already in that mode. */ ldr r3, .Lstack cmp r3, #0 it eq ldreq r3, .LC0 /* Note: This 'mov' is essential when starting in User, and ensures we always get *some* sp value for the initial mode, even if we have somehow missed it below (in which case it gets the same value as FIQ - not ideal, but better than nothing.) */ mov sp, r3.LC23: /* Setup a default stack-limit in-case the code has been compiled with "-mapcs-stack-check". Hard-wiring this value is not ideal, since there is currently no support for checking that the heap and stack have not collided, or that this default 64k is enough for the program being executed. However, it ensures that this simple crt0 world will not immediately cause an overflow event: */ sub sl, r3, #64 << 10 /* Still assumes 256bytes below sl */ /* Zero the memory in the .bss section. */ movs a2, #0 /* Second arg: fill value */ mov fp, a2 /* Null frame pointer */ mov r7, a2 /* Null frame pointer for Thumb */ ldr a1, .LC1 /* First arg: start of memory block */ ldr a3, .LC2 subs a3, a3, a1 /* Third arg: length of block */ bl memset/* Changes by toralf: Taken from libgloss/m68k/crt0.S * initialize target specific stuff. Only execute these * functions it they exist. */ ldr r3, .Lhwinit cmp r3, #0 beq .LC24 indirect_call r3.LC24: ldr r3, .Lswinit cmp r3, #0 beq .LC25 indirect_call r3.LC25: movs r0, #0 /* no arguments */ movs r1, #0 /* no argv either */ /* Some arm/elf targets use the .init and .fini sections to create constructors and destructors, and for these targets we need to call the _init function and arrange for _fini to be called at program exit. */ movs r4, r0 movs r5, r1e /* Make reference to atexit weak to avoid unconditionally pulling in support code. Refer to comments in __atexit.c for more details. */ ldr r0, .Latexit cmp r0, #0 beq .Lweak_atexit ldr r0, .Lfini bl atexit.Lweak_atexit: bl _init movs r0, r4 movs r1, r5 bl main bl exit /* Should not return. */ /* For Thumb, constants must be after the code since only positive offsets are supported for PC relative addresses. */.LC0: .word 0x80000 /* Top of RAM on the PIE board. */.Lstack: .word __stack.Lhwinit: .word ardware_init_hook.Lswinit: .word software_init_hook /* Set up defaults for the above variables in the form of weak symbols - so that application will link correctly, and get value 0 in runtime (meaning "ignore setting") for the variables, when the user does not provide the symbols. (The linker uses a weak symbol if, and only if, a normal version of the same symbol isn't provided e.g. by a linker script or another object file.) */ .weak __stack .weak hardware_init_hook .weak software_init_hook.LC1: .word __bss_start__.LC2: .word __bss_end__ .weak atexit.Latexit: .word atexit /* Weak reference _fini in case of lite exit. */ .weak _fini.Lfini: .word _fini
crt0 启动流程如下:
- 设置 SP 为 __stack,若 __stack 未被用户定义,则使用默认的值(0x80000处的值)。
- 清空 .bss 段,起始地址为 __bss_start__,结束地址为 __bss_end__ 。
- 若用户定义了 hardware_init_hook 和 software_init_hook ,则调用它们。
- 若用户定义了 atexit,则调用它,并将传递参数 _fini(_fini 被宏定义为 __libc_fini_array)。
- 调用 _init(_ini 被宏定义为 __libc_ini_array)。
- 调用 main(argc 和 argv 都等于 0)。
- 调用 exit。
其中 __stack,__bss_start__ 和 __bss_end__ 必须被定义。
hardware_init_hook 和 software_init_hook 可以实现一些需要在 main 之前的功能。
aiexit,exit,_init 和 _fini 一般是和 C++ 的全局构造和析构有关,这个放在下一节来分析。