xref: /illumos-gate/usr/src/cmd/sgs/rtld/amd64/boot_elf.S (revision 5d9d9091f564c198a760790b0bfa72c44e17912b)

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 * Copyright (c) 2018 Joyent, Inc. All rights reserved.
 */

/*
 * Welcome to the magic behind the PLT (procedure linkage table). When rtld
 * fills out the PLT entries, it will refer initially to the functions in this
 * file. As such our goal is simple:
 *
 *     The lie of the function call must be preserved at all costs.
 *
 * This means that we need to prepare the system for an arbitrary series of
 * instructions to be called. For example, as a side effect of resolving a
 * symbol we may need to open a shared object which will cause any _init
 * functions to be called. Those functions can use any and all of the ABI state
 * that they desire (for example, the FPU registers). Therefore we must save and
 * restore all the ABI mandated registers here.
 *
 * For the full information about what we need to save and restore and why,
 * please see the System V amd64 PS ABI '3.2.3 Parameter Passing'. For general
 * purpose registers, we need to take care of the following:
 *
 * 	%rax	- Used for information about the number of vector arguments
 *	%rdi	- arg0
 *	%rsi	- arg1
 *	%rdx	- arg2
 *	%rcx	- arg3
 *	%r8	- arg4
 *	%r9	- arg5
 *	%r10	- static chain pointer
 *
 * Unfortunately, the world of the FPU is more complicated.
 *
 * The ABI mandates that we must save %xmm0-%xmm7. On newer Intel processors,
 * %xmm0-%xmm7 shadow %ymm0-%ymm7 and %zmm0-%zmm7. Historically, when saving the
 * FPU, we only saved and restored these eight registers. Unfortunately, this
 * process itself ended up having side effects. Because the registers shadow one
 * another, if we saved a full %zmm register when only a %xmm register was
 * valid, we would end up causing the processor to think that the full %zmm
 * register was valid. Once it believed that this was the case, it would then
 * degrade performance of code that only used the %xmm registers.
 *
 * One way to tackle this problem would have been to use xgetbv with ecx=1 to
 * get information about what was actually in use and only save and restore
 * that. You can imagine that this logic roughly ends up as something like:
 *
 *         if (zmm_inuse)
 *		save_zmm()
 *         if (ymm_inuse)
 *		save_ymm()
 *         save_xmm()
 *
 * However, this logic leaves us at the mercy of the branch predictor. This
 * means that all of our efforts can end up still causing the CPU to execute
 * things to make it think that some of these other FPU registers are in use and
 * thus defeat the optimizations that it has.
 *
 * To deal with this problem, Intel has suggested using the xsave family of
 * instructions. The kernel provides information about the size required for the
 * floating point registers as well as which of several methods we need to
 * employ through the aux vector. This gets us out of trying to look at the
 * hardware capabilities and make decisions every time. As part of the
 * amd64-specific portion of rtld, it will process those values and determine
 * the functions on an as-needed basis.
 *
 * There are two different functions that we export. The first is elf_rtbndr().
 * This is basically the glue that gets us into the PLT and to perform
 * relocations. elf_rtbndr() determines the address of the function that we must
 * call and arranges its stack such that when we return from elf_rtbndr() we
 * will instead jump to the actual relocated function which will return to the
 * original caller. Because of this, we must preserve all of the registers that
 * are used for arguments and restore them before returning.
 *
 * The second function we export is elf_plt_trace(). This is used to add support
 * for audit libraries among other things. elf_plt_trace() may or may not call
 * the underlying function as a side effect or merely set up its return to it.
 * This changes how we handle %rax. If we call the function ourself, then we end
 * up making sure that %rax is the return value versus the initial value. In
 * addition, because we get %r11 from the surrounding PLT code, we opt to
 * preserve it in case some of the relocation logic ever ends up calling back
 * into us again.
 */

#if	defined(lint)

#include	<sys/types.h>
#include	<_rtld.h>
#include	<_audit.h>
#include	<_elf.h>
#include	<sys/regset.h>
#include	<sys/auxv_386.h>

#else

#include	<link.h>
#include	<_audit.h>
#include	<sys/asm_linkage.h>
#include	<sys/auxv_386.h>
#include	<sys/x86_archext.h>

/*
 * This macro is used to zero the xsave header. The contents of scratchreg will
 * be destroyed. locreg should contain the starting address of the xsave header.
 */
#define	XSAVE_HEADER_ZERO(scratch, loc) \
	xorq	scratch, scratch;	\
	movq	scratch, 0x200(loc);	\
	movq	scratch, 0x208(loc);	\
	movq	scratch, 0x210(loc);	\
	movq	scratch, 0x218(loc);	\
	movq	scratch, 0x220(loc);	\
	movq	scratch, 0x228(loc);	\
	movq	scratch, 0x230(loc);	\
	movq	scratch, 0x238(loc)


	.file	"boot_elf.s"
	.text

/*
 * This section of the code contains glue functions that are used to take care
 * of saving and restoring the FPU. We deal with this in a few different ways
 * based on the hardware support and what exists. Historically we've only saved
 * and restored the first 8 floating point registers rather than the entire FPU.
 * That implementation still exists here and is kept around mostly as an
 * insurance policy.
 */
	ENTRY(_elf_rtbndr_fp_save_orig)
	movq	org_scapset@GOTPCREL(%rip),%r11
	movq	(%r11),%r11		/* Syscapset_t pointer */
	movl	8(%r11),%edx		/* sc_hw_2 */
	testl	$AV_386_2_AVX512F,%edx
	jne	.save_zmm
	movl	(%r11),%edx		/* sc_hw_1 */
	testl	$AV_386_AVX,%edx
	jne	.save_ymm
	movdqa	%xmm0, (%rdi)
	movdqa	%xmm1, 64(%rdi)
	movdqa	%xmm2, 128(%rdi)
	movdqa	%xmm3, 192(%rdi)
	movdqa	%xmm4, 256(%rdi)
	movdqa	%xmm5, 320(%rdi)
	movdqa	%xmm6, 384(%rdi)
	movdqa	%xmm7, 448(%rdi)
	jmp	.save_finish

.save_ymm:
	vmovdqa	%ymm0, (%rdi)
	vmovdqa	%ymm1, 64(%rdi)
	vmovdqa	%ymm2, 128(%rdi)
	vmovdqa	%ymm3, 192(%rdi)
	vmovdqa	%ymm4, 256(%rdi)
	vmovdqa	%ymm5, 320(%rdi)
	vmovdqa	%ymm6, 384(%rdi)
	vmovdqa	%ymm7, 448(%rdi)
	jmp	.save_finish

.save_zmm:
	vmovdqa64	%zmm0, (%rdi)
	vmovdqa64	%zmm1, 64(%rdi)
	vmovdqa64	%zmm2, 128(%rdi)
	vmovdqa64	%zmm3, 192(%rdi)
	vmovdqa64	%zmm4, 256(%rdi)
	vmovdqa64	%zmm5, 320(%rdi)
	vmovdqa64	%zmm6, 384(%rdi)
	vmovdqa64	%zmm7, 448(%rdi)

.save_finish:
	ret
	SET_SIZE(_elf_rtbndr_fp_save_orig)

	ENTRY(_elf_rtbndr_fp_restore_orig)
	movq	org_scapset@GOTPCREL(%rip),%r11
	movq	(%r11),%r11		/* Syscapset_t pointer */
	movl	8(%r11),%edx		/* sc_hw_2 */
	testl	$AV_386_2_AVX512F,%edx
	jne	.restore_zmm
	movl	(%r11),%edx		/* sc_hw_1 */
	testl	$AV_386_AVX,%edx
	jne	.restore_ymm

	movdqa	(%rdi), %xmm0
	movdqa	64(%rdi), %xmm1
	movdqa	128(%rdi), %xmm2
	movdqa	192(%rdi), %xmm3
	movdqa	256(%rdi), %xmm4
	movdqa	320(%rdi), %xmm5
	movdqa	384(%rdi), %xmm6
	movdqa	448(%rdi), %xmm7
	jmp	.restore_finish

.restore_ymm:
	vmovdqa	(%rdi), %ymm0
	vmovdqa	64(%rdi), %ymm1
	vmovdqa	128(%rdi), %ymm2
	vmovdqa	192(%rdi), %ymm3
	vmovdqa	256(%rdi), %ymm4
	vmovdqa	320(%rdi), %ymm5
	vmovdqa	384(%rdi), %ymm6
	vmovdqa	448(%rdi), %ymm7
	jmp	.restore_finish

.restore_zmm:
	vmovdqa64	(%rdi), %zmm0
	vmovdqa64	64(%rdi), %zmm1
	vmovdqa64	128(%rdi), %zmm2
	vmovdqa64	192(%rdi), %zmm3
	vmovdqa64	256(%rdi), %zmm4
	vmovdqa64	320(%rdi), %zmm5
	vmovdqa64	384(%rdi), %zmm6
	vmovdqa64	448(%rdi), %zmm7

.restore_finish:
	ret
	SET_SIZE(_elf_rtbndr_fp_restore_orig)

	ENTRY(_elf_rtbndr_fp_fxsave)
	fxsaveq	(%rdi)
	ret
	SET_SIZE(_elf_rtbndr_fp_fxsave)

	ENTRY(_elf_rtbndr_fp_fxrestore)
	fxrstor	(%rdi)
	ret
	SET_SIZE(_elf_rtbndr_fp_fxrestore)

	ENTRY(_elf_rtbndr_fp_xsave)
	XSAVE_HEADER_ZERO(%rdx, %rdi)
	movq	$_CONST(XFEATURE_FP_ALL), %rdx
	movl	%edx, %eax
	shrq	$32, %rdx
	xsave	(%rdi)			/* save data */
	ret
	SET_SIZE(_elf_rtbndr_fp_xsave)

	ENTRY(_elf_rtbndr_fp_xrestore)
	movq	$_CONST(XFEATURE_FP_ALL), %rdx
	movl	%edx, %eax
	shrq	$32, %rdx
	xrstor	(%rdi)			/* save data */
	ret
	SET_SIZE(_elf_rtbndr_fp_xrestore)

#endif

#if	defined(lint)

/* ARGSUSED0 */
int
elf_plt_trace()
{
	return (0);
}

#else

/*
 * On entry the 'glue code' has already  done the following:
 *
 *	pushq	%rbp
 *	movq	%rsp, %rbp
 *	subq	$0x10, %rsp
 *	leaq	trace_fields(%rip), %r11
 *	movq	%r11, -0x8(%rbp)
 *	movq	$elf_plt_trace, %r11
 *	jmp	*%r11
 *
 * so - -8(%rbp) contains the dyndata ptr
 *
 *	0x0	Addr		*reflmp
 *	0x8	Addr		*deflmp
 *	0x10	Word		symndx
 *	0x14	Word		sb_flags
 *	0x18	Sym		symdef.st_name
 *	0x1c			symdef.st_info
 *	0x1d			symdef.st_other
 *	0x1e			symdef.st_shndx
 *	0x20			symdef.st_value
 *	0x28			symdef.st_size
 *
 * Also note - on entry 16 bytes have already been subtracted
 * from the %rsp.  The first 8 bytes is for the dyn_data_ptr,
 * the second 8 bytes are to align the stack and are available
 * for use.
 */
#define	REFLMP_OFF		0x0
#define	DEFLMP_OFF		0x8
#define	SYMNDX_OFF		0x10
#define	SBFLAGS_OFF		0x14
#define	SYMDEF_OFF		0x18
#define	SYMDEF_VALUE_OFF	0x20

/*
 * Next, we need to create a bunch of local storage. First, we have to preserve
 * the standard registers per the amd64 ABI. This means we need to deal with:
 *	%rax	- Used for information about the number of vector arguments
 *	%rdi	- arg0
 *	%rsi	- arg1
 *	%rdx	- arg2
 *	%rcx	- arg3
 *	%r8	- arg4
 *	%r9	- arg5
 *	%r10	- static chain pointer
 *	%r11	- PLT Interwork register, our caller is using this, so it's not
 *		  a temporary for us.
 *
 * In addition, we need to save the amd64 ABI floating point arguments. Finally,
 * we need to deal with our local storage. We need a La_amd64_regs and a
 * uint64_t for the previous stack size.
 *
 * To deal with this and the potentially variable size of the FPU regs, we have
 * to play a few different games. We refer to all of the standard registers, the
 * previous stack size, and La_amd64_regs structure off of %rbp. These are all
 * values that are below %rbp.
 */
#define	SPDYNOFF	-8
#define	SPDESTOFF	-16
#define	SPPRVSTKOFF	-24
#define	SPLAREGOFF	-88
#define	ORIG_RDI	-96
#define	ORIG_RSI	-104
#define	ORIG_RDX	-112
#define	ORIG_RCX	-120
#define	ORIG_R8		-128
#define	ORIG_R9		-136
#define	ORIG_R10	-144
#define	ORIG_R11	-152
#define	ORIG_RAX	-160
#define	PLT_SAVE_OFF	168

	ENTRY(elf_plt_trace)
	/*
	 * Save our static registers. After that 64-byte align us and subtract
	 * the appropriate amount for the FPU. The frame pointer has already
	 * been pushed for us by the glue code.
	 */
	movq	%rdi, ORIG_RDI(%rbp)
	movq	%rsi, ORIG_RSI(%rbp)
	movq	%rdx, ORIG_RDX(%rbp)
	movq	%rcx, ORIG_RCX(%rbp)
	movq	%r8, ORIG_R8(%rbp)
	movq	%r9, ORIG_R9(%rbp)
	movq	%r10, ORIG_R10(%rbp)
	movq	%r11, ORIG_R11(%rbp)
	movq	%rax, ORIG_RAX(%rbp)

	subq	$PLT_SAVE_OFF, %rsp

	movq	_plt_save_size@GOTPCREL(%rip),%r9
	movq	_plt_fp_save@GOTPCREL(%rip),%r10
	subq	(%r9), %rsp
	andq	$-64, %rsp
	movq	%rsp, %rdi
	call	*(%r10)

	/*
	 * Now that we've saved all of our registers, figure out what we need to
	 * do next.
	 */
	movq	SPDYNOFF(%rbp), %rax			/ %rax = dyndata
	testb	$LA_SYMB_NOPLTENTER, SBFLAGS_OFF(%rax)	/ <link.h>
	je	.start_pltenter
	movq	SYMDEF_VALUE_OFF(%rax), %rdi
	movq	%rdi, SPDESTOFF(%rbp)		/ save destination address
	jmp	.end_pltenter

.start_pltenter:
	/*
	 * save all registers into La_amd64_regs
	 */
	leaq	SPLAREGOFF(%rbp), %rsi	/ %rsi = &La_amd64_regs
	leaq	8(%rbp), %rdi
	movq	%rdi, 0(%rsi)		/ la_rsp
	movq	0(%rbp), %rdi
	movq	%rdi, 8(%rsi)		/ la_rbp
	movq	ORIG_RDI(%rbp), %rdi
	movq	%rdi, 16(%rsi)		/ la_rdi
	movq	ORIG_RSI(%rbp), %rdi
	movq	%rdi, 24(%rsi)		/ la_rsi
	movq	ORIG_RDX(%rbp), %rdi
	movq	%rdi, 32(%rsi)		/ la_rdx
	movq	ORIG_RCX(%rbp), %rdi
	movq	%rdi, 40(%rsi)		/ la_rcx
	movq	ORIG_R8(%rbp), %rdi
	movq	%rdi, 48(%rsi)		/ la_r8
	movq	ORIG_R9(%rbp), %rdi
	movq	%rdi, 56(%rsi)		/ la_r9

	/*
	 * prepare for call to la_pltenter
	 */
	movq	SPDYNOFF(%rbp), %r11		/ %r11 = &dyndata
	leaq	SBFLAGS_OFF(%r11), %r9		/ arg6 (&sb_flags)
	leaq	SPLAREGOFF(%rbp), %r8		/ arg5 (&La_amd64_regs)
	movl	SYMNDX_OFF(%r11), %ecx		/ arg4 (symndx)
	leaq	SYMDEF_OFF(%r11), %rdx		/ arg3 (&Sym)
	movq	DEFLMP_OFF(%r11), %rsi		/ arg2 (dlmp)
	movq	REFLMP_OFF(%r11), %rdi		/ arg1 (rlmp)
	call	audit_pltenter@PLT
	movq	%rax, SPDESTOFF(%rbp)		/ save calling address
.end_pltenter:

	/*
	 * If *no* la_pltexit() routines exist
	 * we do not need to keep the stack frame
	 * before we call the actual routine.  Instead we
	 * jump to it and remove our stack from the stack
	 * at the same time.
	 */
	movl	audit_flags(%rip), %eax
	andl	$AF_PLTEXIT, %eax		/ value of audit.h:AF_PLTEXIT
	cmpl	$0, %eax
	je	.bypass_pltexit
	/*
	 * Has the *nopltexit* flag been set for this entry point
	 */
	movq	SPDYNOFF(%rbp), %r11		/ %r11 = &dyndata
	testb	$LA_SYMB_NOPLTEXIT, SBFLAGS_OFF(%r11)
	je	.start_pltexit

.bypass_pltexit:
	/*
	 * No PLTEXIT processing required.
	 */
	movq	0(%rbp), %r11
	movq	%r11, -8(%rbp)			/ move prev %rbp
	movq	SPDESTOFF(%rbp), %r11		/ r11 == calling destination
	movq	%r11, 0(%rbp)			/ store destination at top

	/* Restore FPU */
	movq	_plt_fp_restore@GOTPCREL(%rip),%r10

	movq	%rsp, %rdi
	call	*(%r10)

	movq	ORIG_RDI(%rbp), %rdi
	movq	ORIG_RSI(%rbp), %rsi
	movq	ORIG_RDX(%rbp), %rdx
	movq	ORIG_RCX(%rbp), %rcx
	movq	ORIG_R8(%rbp), %r8
	movq	ORIG_R9(%rbp), %r9
	movq	ORIG_R10(%rbp), %r10
	movq	ORIG_R11(%rbp), %r11
	movq	ORIG_RAX(%rbp), %rax

	subq	$8, %rbp			/ adjust %rbp for 'ret'
	movq	%rbp, %rsp			/
	/*
	 * At this point, after a little doctoring, we should
	 * have the following on the stack:
	 *
	 *	16(%rsp):  ret addr
	 *	8(%rsp):  dest_addr
	 *	0(%rsp):  Previous %rbp
	 *
	 * So - we pop the previous %rbp, and then
	 * ret to our final destination.
	 */
	popq	%rbp				/
	ret					/ jmp to final destination
						/ and clean up stack :)

.start_pltexit:
	/*
	 * In order to call the destination procedure and then return
	 * to audit_pltexit() for post analysis we must first grow
	 * our stack frame and then duplicate the original callers
	 * stack state.  This duplicates all of the arguements
	 * that were to be passed to the destination procedure.
	 */
	movq	%rbp, %rdi			/
	addq	$16, %rdi			/    %rdi = src
	movq	(%rbp), %rdx			/
	subq	%rdi, %rdx			/    %rdx == prev frame sz
	/*
	 * If audit_argcnt > 0 then we limit the number of
	 * arguements that will be duplicated to audit_argcnt.
	 *
	 * If (prev_stack_size > (audit_argcnt * 8))
	 *	prev_stack_size = audit_argcnt * 8;
	 */
	movl	audit_argcnt(%rip),%eax		/   %eax = audit_argcnt
	cmpl	$0, %eax
	jle	.grow_stack
	leaq	(,%rax,8), %rax			/    %eax = %eax * 4
	cmpq	%rax,%rdx
	jle	.grow_stack
	movq	%rax, %rdx
	/*
	 * Grow the stack and duplicate the arguements of the
	 * original caller.
	 */
.grow_stack:
	movq	%rsp, %r11
	subq	%rdx, %rsp			/    grow the stack
	movq	%rdx, SPPRVSTKOFF(%rbp)		/    -88(%rbp) == prev frame sz
	movq	%rsp, %rcx			/    %rcx = dest
	addq	%rcx, %rdx			/    %rdx == tail of dest
.while_base:
	cmpq	%rdx, %rcx			/   while (base+size >= src++) {
	jge	.end_while			/
	movq	(%rdi), %rsi
	movq	%rsi,(%rcx)			/        *dest = *src
	addq	$8, %rdi			/	 src++
	addq	$8, %rcx			/        dest++
	jmp	.while_base			/    }

	/*
	 * The above stack is now an exact duplicate of
	 * the stack of the original calling procedure.
	 */
.end_while:
	/
	/ Restore registers using %r11 which contains our old %rsp value
	/ before growing the stack.
	/
	movq	_plt_fp_restore@GOTPCREL(%rip),%r10
	movq	%r11, %rdi
	call	*(%r10)

.trace_r2_finish:
	movq	ORIG_RDI(%rbp), %rdi
	movq	ORIG_RSI(%rbp), %rsi
	movq	ORIG_RDX(%rbp), %rdx
	movq	ORIG_RCX(%rbp), %rcx
	movq	ORIG_R8(%rbp), %r8
	movq	ORIG_R9(%rbp), %r9
	movq	ORIG_R10(%rbp), %r10
	movq	ORIG_RAX(%rbp), %rax
	movq	ORIG_R11(%rbp), %r11

	/*
	 * Call to desitnation function - we'll return here
	 * for pltexit monitoring.
	 */
	call	*SPDESTOFF(%rbp)

	addq	SPPRVSTKOFF(%rbp), %rsp	/ cleanup dupped stack

	/
	/ prepare for call to audit_pltenter()
	/
	movq	SPDYNOFF(%rbp), %r11		/ %r11 = &dyndata
	movq	SYMNDX_OFF(%r11), %r8		/ arg5 (symndx)
	leaq	SYMDEF_OFF(%r11), %rcx		/ arg4 (&Sym)
	movq	DEFLMP_OFF(%r11), %rdx		/ arg3 (dlmp)
	movq	REFLMP_OFF(%r11), %rsi		/ arg2 (rlmp)
	movq	%rax, %rdi			/ arg1 (returnval)
	call	audit_pltexit@PLT

	/*
	 * Clean up after ourselves and return to the
	 * original calling procedure. Make sure to restore
	 * registers.
	 */

	movq	_plt_fp_restore@GOTPCREL(%rip),%r10
	movq	%rsp, %rdi
	movq	%rax, SPPRVSTKOFF(%rbp)
	call	*(%r10)

	movq	ORIG_RDI(%rbp), %rdi
	movq	ORIG_RSI(%rbp), %rsi
	movq	ORIG_RDX(%rbp), %rdx
	movq	ORIG_RCX(%rbp), %rcx
	movq	ORIG_R8(%rbp), %r8
	movq	ORIG_R9(%rbp), %r9
	movq	ORIG_R10(%rbp), %r10
	movq	ORIG_R11(%rbp), %r11
	movq	SPPRVSTKOFF(%rbp), %rax

	movq	%rbp, %rsp			/
	popq	%rbp				/
	ret					/ return to caller
	SET_SIZE(elf_plt_trace)
#endif

/*
 * We got here because a call to a function resolved to a procedure
 * linkage table entry.  That entry did a JMPL to the first PLT entry, which
 * in turn did a call to elf_rtbndr.
 *
 * the code sequence that got us here was:
 *
 * .PLT0:
 *	pushq	GOT+8(%rip)	#GOT[1]
 *	jmp	*GOT+16(%rip)	#GOT[2]
 *	nop
 *	nop
 *	nop
 *	nop
 *	...
 * PLT entry for foo:
 *	jmp	*name1@GOTPCREL(%rip)
 *	pushl	$rel.plt.foo
 *	jmp	PLT0
 *
 * At entry, the stack looks like this:
 *
 *	return address			16(%rsp)
 *	$rel.plt.foo	(plt index)	8(%rsp)
 *	lmp				0(%rsp)
 *
 */
#if defined(lint)

extern unsigned long	elf_bndr(Rt_map *, unsigned long, caddr_t);

void
elf_rtbndr(Rt_map * lmp, unsigned long reloc, caddr_t pc)
{
	(void) elf_bndr(lmp, reloc, pc);
}

#else

/*
 * The PLT code that landed us here placed 2 arguments on the stack as
 * arguments to elf_rtbndr.
 * Additionally the pc of caller is below these 2 args.
 * Our stack will look like this after we establish a stack frame with
 * push %rbp; movq %rsp, %rbp sequence:
 *
 *	8(%rbp)			arg1 - *lmp
 *	16(%rbp), %rsi		arg2 - reloc index
 *	24(%rbp), %rdx		arg3 - pc of caller
 */
#define	LBPLMPOFF	8	/* arg1 - *lmp */
#define	LBPRELOCOFF	16	/* arg2 - reloc index */
#define	LBRPCOFF	24	/* arg3 - pc of caller */

/*
 * With the above in place, we must now proceed to preserve all temporary
 * registers that are also used for passing arguments. Specifically this
 * means:
 *
 *	%rax	- Used for information about the number of vector arguments
 *	%rdi	- arg0
 *	%rsi	- arg1
 *	%rdx	- arg2
 *	%rcx	- arg3
 *	%r8	- arg4
 *	%r9	- arg5
 *	%r10	- static chain pointer
 *
 * While we don't have to preserve %r11, we do have to preserve the FPU
 * registers. The FPU logic is delegated to a specific function that we'll call.
 * However, it requires that its stack is 64-byte aligned. We defer the
 * alignment to that point. This will also take care of the fact that a caller
 * may not call us with a correctly aligned stack pointer per the amd64 ABI.
 */

	.extern _plt_save_size
	.extern _plt_fp_save
	.extern plt_fp_restore

	.weak	_elf_rtbndr
	_elf_rtbndr = elf_rtbndr

	ENTRY(elf_rtbndr)
	pushq	%rbp		/* Establish stack frame */
	movq	%rsp, %rbp

	/*
	 * Save basic regs.
	 */
	pushq	%rax
	pushq	%rdi
	pushq	%rsi
	pushq	%rdx
	pushq	%rcx
	pushq	%r8
	pushq	%r9
	pushq	%r10
	pushq	%r12

	/*
	 * Save the amount of space we need for the FPU registers and call that
	 * function. Save %rsp before we manipulate it to make restore easier.
	 */
	movq	%rsp, %r12
	movq	_plt_save_size@GOTPCREL(%rip),%r9
	movq	_plt_fp_save@GOTPCREL(%rip),%r10
	subq	(%r9), %rsp
	andq	$-64, %rsp

	movq	%rsp, %rdi
	call	*(%r10)

	/*
	 * Perform actual PLT logic. Note that the plt related arguments are
	 * located at an offset relative to %rbp.
	 */
	movq	LBPLMPOFF(%rbp), %rdi	/* arg1 - *lmp */
	movq	LBPRELOCOFF(%rbp), %rsi	/* arg2 - reloc index */
	movq	LBRPCOFF(%rbp), %rdx	/* arg3 - pc of caller */
	call	elf_bndr@PLT		/* call elf_rtbndr(lmp, relndx, pc) */
	movq	%rax, LBPRELOCOFF(%rbp)	/* store final destination */

	/* Restore FPU */
	movq	_plt_fp_restore@GOTPCREL(%rip),%r10

	movq	%rsp, %rdi
	call	*(%r10)

	movq	%r12, %rsp
	popq	%r12
	popq	%r10
	popq	%r9
	popq	%r8
	popq	%rcx
	popq	%rdx
	popq	%rsi
	popq	%rdi
	popq	%rax

	movq	%rbp, %rsp	/* Restore our stack frame */
	popq	%rbp

	addq	$8, %rsp	/* pop 1st plt-pushed args */
				/* the second arguement is used */
				/* for the 'return' address to our */
				/* final destination */

	ret			/* invoke resolved function */

	SET_SIZE(elf_rtbndr)
#endif