D4d4
7 days ago
- #assembly
- #ARM
- #LLD
- A co-worker noticed unreachable d4d4 halfwords (little-endian bytes d4 d4) in disassembled Thumb code, which llvm-objdump decodes as a conditional branch with a displacement of -0x58.
- Experiments with minimal C code showed that the d4d4 halfwords are padding inserted by the linker (LLD) when it aligns functions to 32-bit boundaries; the compiler does not emit them.
- Decoded as a 16-bit Thumb instruction, 0xd4d4 is B<c> with condition code 0b0100 (MI, taken when the N flag is set) and an 8-bit immediate of 0xd4, i.e. bmi with a displacement of -0x58 from PC; it is not the trap instruction the padding was meant to be.
- GNU ld pads with zero bytes instead; 0x0000 decodes in Thumb as movs r0, r0, a flag-setting move of r0 to itself that cannot redirect control flow, so it is benign.
- Tracing the constant back to LLD's ARM.cpp shows it was added as a trap instruction, following a suggestion from Theo de Raadt, but it does not function as one.
- The ARMv7-M Architecture Reference Manual confirms this: the encoding 1101 cond imm8 is B<c> for every condition except 1110 (UDF) and 1111 (SVC), so d4d4 is a conditional branch, not a trap, and a poor choice for alignment padding.
- The conclusion is that LLD's use of d4d4 as alignment fill is a bug: execution that reaches the padding is not halted; if the N flag happens to be set it branches 0x58 bytes backwards from PC, otherwise it falls through into whatever follows the padding.
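As an added example (this summary's own, not code from the original post, from LLD or from LLVM), the following Python decodes the handful of 16-bit Thumb encodings involved, following the encoding tables in the ARMv7-M Architecture Reference Manual, so the claim about d4d4 can be checked without an ARM toolchain. It goes slightly beyond the page by also decoding the Thumb UDF (0xdexx) and BKPT (0xbexx) encodings, which do trap, for comparison. The fill byte strings in it are constructed inputs, and all function names are the example's own.

```python
"""Decoder for the 16-bit Thumb encodings behind the d4d4 padding question.

Added example for this summary, not code from the original post, from LLD
or from LLVM.  It covers the encodings relevant here (B<c> T1, UDF T1,
SVC T1, BKPT T1, NOP T1, LSL/MOVS T1) as given in the ARMv7-M Architecture
Reference Manual.  Function names are this example's own; the fill byte
strings below are constructed, not captured from a real binary.
"""

COND = ["eq", "ne", "cs", "cc", "mi", "pl", "vs", "vc",
        "hi", "ls", "ge", "lt", "gt", "le"]


def sign_extend(value: int, bits: int) -> int:
    """Treat the low `bits` bits of `value` as a two's-complement number."""
    sign = 1 << (bits - 1)
    return (value & (sign - 1)) - (value & sign)


def decode_thumb16(hw: int, addr: int = 0) -> dict:
    """Decode one 16-bit Thumb halfword `hw` placed at address `addr`.

    Returns {"mnemonic", "traps", ...}; "traps" is True only for encodings
    the architecture guarantees to raise an exception (UDF, BKPT).  Branches
    also carry "displacement" and "target".  Encodings outside this
    example's scope decode as "other".
    """
    if not 0 <= hw <= 0xFFFF:
        raise ValueError("expected a 16-bit halfword")
    if (hw >> 12) == 0b1101:            # 1101 cond imm8
        cond = (hw >> 8) & 0xF
        imm8 = hw & 0xFF
        if cond == 0b1110:              # permanently undefined
            return {"mnemonic": f"udf #0x{imm8:x}", "traps": True}
        if cond == 0b1111:              # supervisor call
            return {"mnemonic": f"svc #0x{imm8:x}", "traps": False}
        # B<c> T1: imm32 = SignExtend(imm8:'0'); target = PC + imm32,
        # where PC reads as the instruction address + 4 in Thumb state.
        disp = sign_extend(imm8 << 1, 9)
        target = (addr + 4 + disp) & 0xFFFFFFFF
        return {"mnemonic": f"b{COND[cond]} 0x{target:x}", "traps": False,
                "displacement": disp, "target": target}
    if (hw >> 8) == 0b10111110:         # BKPT T1: 1011 1110 imm8
        return {"mnemonic": f"bkpt #0x{hw & 0xFF:x}", "traps": True}
    if hw == 0xBF00:                    # NOP T1
        return {"mnemonic": "nop", "traps": False}
    if (hw >> 11) == 0b00000:           # LSL (imm) T1; imm5 == 0 is MOVS (reg)
        imm5, rm, rd = (hw >> 6) & 0x1F, (hw >> 3) & 7, hw & 7
        if imm5 == 0:
            return {"mnemonic": f"movs r{rd}, r{rm}", "traps": False}
        return {"mnemonic": f"lsls r{rd}, r{rm}, #{imm5}", "traps": False}
    return {"mnemonic": "other", "traps": False}


def decode_fill(fill: bytes, addr: int) -> list:
    """Decode a run of little-endian fill bytes as consecutive halfwords."""
    return [decode_thumb16(int.from_bytes(fill[i:i + 2], "little"), addr + i)
            for i in range(0, len(fill) - len(fill) % 2, 2)]


def fall_through_destination(pad_addr: int, n_flag: bool) -> int:
    """Where execution ends up if it runs off a function into one d4d4
    halfword at `pad_addr`: bmi is taken only when APSR.N is set."""
    d = decode_thumb16(0xD4D4, pad_addr)
    return d["target"] if n_flag else pad_addr + 2


if __name__ == "__main__":
    # Constructed fill patterns: LLD's d4 d4, GNU ld's zero bytes, and
    # two halfwords from the Thumb UDF range (0xdexx) that actually trap.
    for name, fill in [("lld", bytes.fromhex("d4d4d4d4")),
                       ("gnu-ld", bytes.fromhex("00000000")),
                       ("udf", bytes.fromhex("dedefede"))]:
        for off, d in enumerate(decode_fill(fill, 0x8000)):
            print(f"{name:7} {0x8000 + 2 * off:#06x}  {d['mnemonic']:20} traps={d['traps']}")
    print(f"N set:   {fall_through_destination(0x8000, True):#x}")
    print(f"N clear: {fall_through_destination(0x8000, False):#x}")
```

Running it, the d4d4 halfwords come out as bmi with displacement -0x58, the zero fill as movs r0, r0, and only the udf and bkpt encodings are flagged as trapping; fall_through_destination shows the two non-trapping outcomes, a backwards branch when N is set and a fall-through to the next halfword otherwise.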