Various cleanups to the self-relocation code (#129)

* Use byte_add where possible

* Hardcode relocation entry sizes

Glibc only checks the DT_REL*ENT it in a debug assertion and musl
ignores them entirely, so we can be pretty sure that they will never
change. Hardcoding them makes the produced binaries a tiny bit smaller
and faster.

* Avoid all uses of with_exposed_provenance in relocate

By keeping around the original pointers rather than immediately
converting them to addresses. This is safe as none of these pointers,
nor their pointed to memory are affected by the relocations we are about
to perform.

* Ensure self-relocation never panics

This is necessary as panicking would crash before relocations are
performed. I've manually verified that no panic calls are made in
release mode. When debug assertions are enabled there are still a couple
of panics inserted by the compiler, but these should be unreachable if
there are no bugs in the self-relocation code.

Author: bjorn3

src/arch/aarch64.rs

@@ -40,6 +40,17 @@ pub(super) unsafe extern "C" fn _start() -> ! {
     )
 }
 
+/// Abort the process without involving any panic handling code.
+///
+/// This is a stable equivalent to `core::intrinsics::abort()`.
+#[cfg(all(feature = "experimental-relocate", feature = "origin-start"))]
+#[cfg(relocation_model = "pic")]
+pub(super) fn abort() -> ! {
+    unsafe {
+        asm!("brk #0x1", options(noreturn));
+    }
+}
+
 /// Compute the dynamic address of `_DYNAMIC`.
 #[cfg(all(feature = "experimental-relocate", feature = "origin-start"))]
 #[cfg(relocation_model = "pic")]
@@ -161,7 +172,11 @@ pub(super) unsafe fn relocation_mprotect_readonly(ptr: usize, len: usize) {
         options(nostack, preserves_flags),
     );
 
-    assert_eq!(r0, 0);
+    if r0 != 0 {
+        // Do not panic here as libstd's panic handler needs TLS, which is not
+        // yet initialized at this point.
+        abort();
+    }
 }
 
 /// The required alignment for the stack pointer.

src/arch/arm.rs

@@ -40,6 +40,17 @@ pub(super) unsafe extern "C" fn _start() -> ! {
     )
 }
 
+/// Abort the process without involving any panic handling code.
+///
+/// This is a stable equivalent to `core::intrinsics::abort()`.
+#[cfg(all(feature = "experimental-relocate", feature = "origin-start"))]
+#[cfg(relocation_model = "pic")]
+pub(super) fn abort() -> ! {
+    unsafe {
+        asm!(".inst 0xe7ffdefe", options(noreturn));
+    }
+}
+
 /// Compute the dynamic address of `_DYNAMIC`.
 #[cfg(all(feature = "experimental-relocate", feature = "origin-start"))]
 #[cfg(relocation_model = "pic")]
@@ -173,7 +184,11 @@ pub(super) unsafe fn relocation_mprotect_readonly(ptr: usize, len: usize) {
         options(nostack, preserves_flags),
     );
 
-    assert_eq!(r0, 0);
+    if r0 != 0 {
+        // Do not panic here as libstd's panic handler needs TLS, which is not
+        // yet initialized at this point.
+        abort();
+    }
 }
 
 /// The required alignment for the stack pointer.

src/arch/riscv64.rs

@@ -40,6 +40,17 @@ pub(super) unsafe extern "C" fn _start() -> ! {
     )
 }
 
+/// Abort the process without involving any panic handling code.
+///
+/// This is a stable equivalent to `core::intrinsics::abort()`.
+#[cfg(all(feature = "experimental-relocate", feature = "origin-start"))]
+#[cfg(relocation_model = "pic")]
+pub(super) fn abort() -> ! {
+    unsafe {
+        asm!("unimp", options(noreturn));
+    }
+}
+
 /// Compute the dynamic address of `_DYNAMIC`.
 #[cfg(all(feature = "experimental-relocate", feature = "origin-start"))]
 #[cfg(relocation_model = "pic")]
@@ -158,7 +169,11 @@ pub(super) unsafe fn relocation_mprotect_readonly(ptr: usize, len: usize) {
         options(nostack, preserves_flags),
     );
 
-    assert_eq!(r0, 0);
+    if r0 != 0 {
+        // Do not panic here as libstd's panic handler needs TLS, which is not
+        // yet initialized at this point.
+        abort();
+    }
 }
 
 /// The required alignment for the stack pointer.

src/arch/x86.rs

@@ -45,6 +45,17 @@ pub(super) unsafe extern "C" fn _start() -> ! {
     )
 }
 
+/// Abort the process without involving any panic handling code.
+///
+/// This is a stable equivalent to `core::intrinsics::abort()`.
+#[cfg(all(feature = "experimental-relocate", feature = "origin-start"))]
+#[cfg(relocation_model = "pic")]
+pub(super) fn abort() -> ! {
+    unsafe {
+        asm!("ud2", options(noreturn));
+    }
+}
+
 /// Compute the dynamic address of `_DYNAMIC`.
 #[cfg(all(feature = "experimental-relocate", feature = "origin-start"))]
 #[cfg(relocation_model = "pic")]
@@ -190,7 +201,11 @@ pub(super) unsafe fn relocation_mprotect_readonly(ptr: usize, len: usize) {
         options(nostack, preserves_flags),
     );
 
-    assert_eq!(r0, 0);
+    if r0 != 0 {
+        // Do not panic here as libstd's panic handler needs TLS, which is not
+        // yet initialized at this point.
+        abort();
+    }
 }
 
 /// The required alignment for the stack pointer.

src/arch/x86_64.rs

@@ -40,6 +40,17 @@ pub(super) unsafe extern "C" fn _start() -> ! {
     )
 }
 
+/// Abort the process without involving any panic handling code.
+///
+/// This is a stable equivalent to `core::intrinsics::abort()`.
+#[cfg(all(feature = "experimental-relocate", feature = "origin-start"))]
+#[cfg(relocation_model = "pic")]
+pub(super) fn abort() -> ! {
+    unsafe {
+        asm!("ud2", options(noreturn));
+    }
+}
+
 /// Compute the dynamic address of `_DYNAMIC`.
 #[cfg(all(feature = "experimental-relocate", feature = "origin-start"))]
 #[cfg(relocation_model = "pic")]
@@ -162,7 +173,11 @@ pub(super) unsafe fn relocation_mprotect_readonly(ptr: usize, len: usize) {
         options(nostack, preserves_flags),
     );
 
-    assert_eq!(r0, 0);
+    if r0 != 0 {
+        // Do not panic here as libstd's panic handler needs TLS, which is not
+        // yet initialized at this point.
+        abort();
+    }
 }
 
 /// The required alignment for the stack pointer.