Where are GDB symbols coming from?

半阙折子戏 2021-01-05 23:31

When I load Fedora 28's /usr/bin/ls file into GDB, I can access the symbol abformat_init, even if it is not present as a string nor in the symb

2 answers
  •  伪装坚强ぢ
    2021-01-06 00:13

    TL;DR:

    1. There is a special .gnu_debugdata compressed section in Fedora binaries that GDB reads, and which contains mini-symbols.
    2. Contents of that section can be conveniently printed with eu-readelf -Ws --elf-section /usr/bin/ls

    readelf -S /usr/bin/ls | grep abformat

    That command is dumping sections. You want symbols instead:

    readelf -s /usr/bin/ls | grep abformat
    readelf --all /usr/bin/ls | grep abformat
    

    strings /usr/bin/ls | grep abformat

    Strings tries to guess what you want, and doesn't output all strings found in the binary. See this blog post and try:

    strings -a /usr/bin/ls | grep abformat
    

    Update: I confirmed the results you've observed: abformat does not appear anywhere, yet GDB knows about it.

    Turns out, there is a .gnu_debugdata compressed section (described here), which has mini-symbols.

    To extract this data, normally you would do:

    objcopy -O binary -j .gnu_debugdata /usr/bin/ls ls.mini.xz
    

    However, that is broken on my system (produces empty output), so instead I used dd:

    # You may need to adjust the numbers below from "readelf -WS /usr/bin/ls"
    dd if=/usr/bin/ls of=ls.mini.xz bs=1 skip=151896 count=3764
    xz -d ls.mini.xz
    nm ls.mini | grep abformat
    

    This produced:

    00000000000005db0 t abformat_init
    

    QED.

    Additional info:

    1. Confusing GDB "no debugging symbols" is addressed in this bug.
    2. objcopy refusing to copy .gnu_debugdata is the subject of this bug.
    3. There is a tool that can conveniently dump this info:

      eu-readelf -Ws --elf-section /usr/bin/ls | grep abformat
      37: 0000000000005db0 593 FUNC LOCAL DEFAULT 14 abformat_init
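
The extraction steps in the answer above (locate `.gnu_debugdata`, decompress it, list the symbols of the embedded ELF) can be done without hard-coded `dd` offsets. This is an added example, not part of the original answer; it assumes a little-endian ELF64 file, and the function names are this example's own.

```python
import lzma
import struct
import sys

SHDR = struct.Struct("<IIQQQQIIQQ")   # Elf64_Shdr, little-endian
SYM = struct.Struct("<IBBHQQ")        # Elf64_Sym, little-endian
SHT_SYMTAB, SHT_NOBITS = 2, 8


def cstr(table, off):
    """NUL-terminated string at byte offset `off` of a string table."""
    return table[off:table.index(b"\0", off)].decode()


def sections(elf):
    """Return [(name, shdr_fields, data)] for every section of an ELF64 LE image."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    shoff, = struct.unpack_from("<Q", elf, 0x28)                      # e_shoff
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", elf, 0x3A)
    hdrs = [SHDR.unpack_from(elf, shoff + i * shentsize) for i in range(shnum)]
    # NOBITS sections (common in stripped debug files) occupy no file bytes.
    data = [b"" if h[1] == SHT_NOBITS else elf[h[4]:h[4] + h[5]] for h in hdrs]
    return [(cstr(data[shstrndx], h[0]), h, d) for h, d in zip(hdrs, data)]


def mini_symbols(elf):
    """Symbols stored in .gnu_debugdata, as {name: (value, size)}."""
    blob = next((d for n, _, d in sections(elf) if n == ".gnu_debugdata"), None)
    if blob is None:
        return {}
    inner = sections(lzma.decompress(blob))   # the section is an xz-compressed ELF
    out = {}
    for _, hdr, data in inner:
        if hdr[1] != SHT_SYMTAB:
            continue
        strtab = inner[hdr[6]][2]             # sh_link names the string table
        for st_name, _, _, _, value, size in SYM.iter_unpack(data):
            if st_name:                       # skip unnamed (null/section) entries
                out[cstr(strtab, st_name)] = (value, size)
    return out


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin/ls"
    with open(path, "rb") as f:
        for name, (value, size) in sorted(mini_symbols(f.read()).items()):
            print(f"{value:016x} {size:6d} {name}")
```
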
