srxfixup: detect function symbols at .text offset 0

fjtrujy · fjtrujy · commit 719197905d4a · 2026-03-06T22:40:11.000+01:00
Add a check for STT_FUNC/STT_NOTYPE symbols at .text value 0, which
can become unintended targets of jal 0x0 when called through an
export table.

New --allow-zero-text flag to bypass the check for modules that
have no export table (where jal 0x0 is not a hazard).
_start and _ftext are excluded (entry point / linker label, never
dispatched via export table).
Document the check and flag in README.md.
diff --git a/iop/Rules.make b/iop/Rules.make
@@ -145,8 +145,15 @@ $(IOP_BIN_STRIPPED_ELF): $(IOP_BIN_ELF)
 	$(DIR_GUARD)
 	$(IOP_STRIP) --strip-unneeded --remove-section=.pdr --remove-section=.comment --remove-section=.mdebug.abi32 --remove-section=.gnu.attributes -o $@ $<
 
+# If the module has no export table, allow symbols at .text offset 0.
+# The jal 0x0 hazard only matters when an export table can dispatch to offset 0.
+IOP_SRXFIXUP_FLAGS := --rb --irx1
+ifeq ($(filter %exports.o,$(IOP_OBJS)),)
+IOP_SRXFIXUP_FLAGS += --allow-zero-text
+endif
+
 $(IOP_BIN): $(IOP_BIN_STRIPPED_ELF) $(PS2SDKSRC)/tools/srxfixup/bin/srxfixup
-	$(PS2SDKSRC)/tools/srxfixup/bin/srxfixup --rb --irx1 -o $@ $<
+	$(PS2SDKSRC)/tools/srxfixup/bin/srxfixup $(IOP_SRXFIXUP_FLAGS) -o $@ $<
 
 $(IOP_LIB)_tmp$(MAKE_CURPID): $(IOP_OBJS)
 	$(DIR_GUARD)
diff --git a/tools/srxfixup/README.md b/tools/srxfixup/README.md
@@ -26,3 +26,23 @@ This tool provides the following:
 
 To see usage and possible command line arguments that can be used with the
 program, run it without arguments.
+
+## Zero-.text symbol check
+
+When processing a relocatable ELF (`ET_REL`), `srxfixup` checks for function
+or no-type symbols in the `.text` section whose `st_value` is exactly 0.  Such
+symbols indicate that a tiny stub/thunk object was placed first in `.text` by
+the linker.  IOP loaders that do not apply `R_MIPS_26` relocations at load
+time will leave the corresponding `jal` instructions targeting address 0,
+causing an immediate crash (EPC = 0x10).
+
+If any offending symbol is found, `srxfixup` prints an error like:
+
+```
+ERROR: foo.irx: symbol 'bar' (sym#3) is in .text with value 0 -- causes jal 0x0; reorder or pad module.
+```
+
+and exits with a non-zero status so the build fails.
+
+Use `--allow-zero-text` to suppress the check (e.g. when the caller knows the
+loader correctly applies `R_MIPS_26` relocations and accepts the risk).
diff --git a/tools/srxfixup/src/srxfixup.c b/tools/srxfixup/src/srxfixup.c
@@ -26,6 +26,7 @@ static unsigned int dispmod_flag = 0;
 static int irx1_flag = 0;
 static int br_conv = 0;
 static int print_config = 0;
+static int allow_zero_text = 0;
 // clang-format off
 static const Opttable opttable[] =
 {
@@ -42,6 +43,7 @@ static const Opttable opttable[] =
 	{ "--rb", ARG_HAVEARG_NONE, 'f', &br_conv },
 	{ "--relative-branch", ARG_HAVEARG_NONE, 'f', &br_conv },
 	{ "--print-internal-config", ARG_HAVEARG_NONE, 'f', &print_config },
+	{ "--allow-zero-text", ARG_HAVEARG_NONE, 'f', &allow_zero_text },
 	{ NULL, 0, '\0', NULL },
 };
 static const Opttable stripopttable[] =
@@ -56,13 +58,15 @@ static const Opttable stripopttable[] =
 	{ "--rb", ARG_HAVEARG_NONE, 'f', &br_conv },
 	{ "--relative-branch", ARG_HAVEARG_NONE, 'f', &br_conv },
 	{ "--print-internal-config", ARG_HAVEARG_NONE, 'f', &print_config },
+	{ "--allow-zero-text", ARG_HAVEARG_NONE, 'f', &allow_zero_text },
 	{ NULL, 0, '\0', NULL },
 };
 // clang-format on
 
 static void display_module_info(elf_file *elf);
 static void convert_relative_branch_an_section(elf_section *relsect);
 static void convert_relative_branch(elf_file *elf);
+static int check_zero_text_symbols(const char *source, const elf_file *elf);
 
 void usage(const char *myname)
 {
@@ -79,7 +83,8 @@ void usage(const char *myname)
 				 "    -o <elf_relocatable_nosymbol_output_file>\n"
 				 "    -r <elf_relocatable_output_file>\n"
 				 "    -e <entry_point_symbol>\n"
-				 "    --relative-branch  or  --rb\n");
+				 "    --relative-branch  or  --rb\n"
+				 "    --allow-zero-text  (skip check for .text symbols with value 0)\n");
 	if ( verbose )
 	{
 		printf("    -t <.text start address>\n"
@@ -223,6 +228,10 @@ int main(int argc, char **argv)
 	{
 		exit(1);
 	}
+	if ( !allow_zero_text && check_zero_text_symbols(source, elf) )
+	{
+		exit(1);
+	}
 	if (
 		((elf->ehp->e_flags & EF_MIPS_MACH) == EF_MIPS_MACH_5900)
 		&& ((elf->ehp->e_flags & EF_MIPS_ARCH) == EF_MIPS_ARCH_3) )
@@ -487,3 +496,79 @@ static void convert_relative_branch(elf_file *elf)
 		}
 	}
 }
+
+static int check_zero_text_symbols(const char *source, const elf_file *elf)
+{
+	int text_idx;
+	int i;
+	int found;
+
+	if ( elf->scp == NULL )
+	{
+		return 0;
+	}
+
+	/* Find the index of the .text section by name */
+	text_idx = -1;
+	for ( i = 1; i < elf->ehp->e_shnum; i += 1 )
+	{
+		if ( elf->scp[i]->name && strcmp(elf->scp[i]->name, ".text") == 0 )
+		{
+			text_idx = i;
+			break;
+		}
+	}
+	if ( text_idx < 0 )
+	{
+		return 0; /* No .text section — nothing to check */
+	}
+
+	found = 0;
+	for ( i = 1; i < elf->ehp->e_shnum; i += 1 )
+	{
+		elf_section *sect;
+		unsigned int nsyms;
+		unsigned int j;
+		elf_syment **syms;
+
+		sect = elf->scp[i];
+		if ( sect->shr.sh_type != SHT_SYMTAB || sect->data == NULL || sect->shr.sh_entsize == 0 )
+		{
+			continue;
+		}
+		nsyms = sect->shr.sh_size / sect->shr.sh_entsize;
+		syms = (elf_syment **)sect->data;
+		for ( j = 1; j < nsyms; j += 1 ) /* skip sym[0]: ELF null symbol */
+		{
+			elf_syment *sym;
+
+			sym = syms[j];
+			/* _start is the IOP module entry point called via the .iopmod
+			 * header, never via a jal from within the module.
+			 * _ftext is a linker label at the start of .text, also never
+			 * the target of an intra-module jal.  Both are safe at .text+0. */
+			if ( sym->name
+				&& (strcmp(sym->name, "_start") == 0 || strcmp(sym->name, "_ftext") == 0) )
+			{
+				continue;
+			}
+			if ( (unsigned int)sym->sym.st_shndx == (unsigned int)text_idx
+				&& (sym->type == STT_FUNC || sym->type == STT_NOTYPE)
+				&& sym->sym.st_value == 0 )
+			{
+				fprintf(
+					stderr,
+					"ERROR: %s: symbol '%s' (sym#%u) is in .text with value 0"
+					" -- if this module has an export table, put exports.o"
+					" first in IOP_OBJS and move _retonly after"
+					" DECLARE_EXPORT_TABLE in exports.tab;"
+					" otherwise use --allow-zero-text.\n",
+					source,
+					(sym->name && sym->name[0]) ? sym->name : "<unnamed>",
+					j);
+				found = 1;
+			}
+		}
+	}
+	return found;
+}
