Bug 20304 - Invalid read in _bfd_elf_get_symbol_version_string
Summary: Invalid read in _bfd_elf_get_symbol_version_string
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.26
Importance: P2 normal
Target Milestone: 2.27
Assignee: Alan Modra
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-06-27 16:19 UTC by H.J. Lu
Modified: 2016-06-29 10:37 UTC

See Also:
Host:
Target:
Build:
Last reconfirmed:


Description H.J. Lu 2016-06-27 16:19:06 UTC
On x86-64, I got

[hjl@gnu-6 binutils]$ cat x.c
#include <stdio.h>

int
main ()
{
  printf ("hello\n");
  return 0;
}
[hjl@gnu-6 binutils]$ gcc -g x.c
[hjl@gnu-6 binutils]$ valgrind  ./objdump -S  a.out 
==10472== Memcheck, a memory error detector
==10472== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==10472== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==10472== Command: ./objdump -S a.out
==10472== 

a.out:     file format elf64-x86-64


Disassembly of section .init:

00000000004003c8 <_init>:
  4003c8:	48 83 ec 08          	sub    $0x8,%rsp
  4003cc:	48 8b 05 25 0c 20 00 	mov    0x200c25(%rip),%rax        # 600ff8 <_DYNAMIC+0x1d8>
  4003d3:	48 85 c0             	test   %rax,%rax
  4003d6:	74 02                	je     4003da <_init+0x12>
  4003d8:	ff d0                	callq  *%rax
  4003da:	48 83 c4 08          	add    $0x8,%rsp
  4003de:	c3                   	retq   

Disassembly of section .plt:

==10472== Invalid read of size 2
==10472==    at 0x468729: _bfd_elf_get_symbol_version_string (elf.c:1769)
==10472==    by 0x40519A: objdump_print_symname (objdump.c:826)
==10472==    by 0x4059A7: objdump_print_addr_with_sym (objdump.c:1032)
==10472==    by 0x407E5C: disassemble_section (objdump.c:2107)
==10472==    by 0x44BA9B: bfd_map_over_sections (section.c:1395)
==10472==    by 0x4086A9: disassemble_data (objdump.c:2301)
==10472==    by 0x40AD14: dump_bfd (objdump.c:3395)
==10472==    by 0x40AE9B: display_object_bfd (objdump.c:3452)
==10472==    by 0x40B0D5: display_any_bfd (objdump.c:3541)
==10472==    by 0x40B147: display_file (objdump.c:3562)
==10472==    by 0x40B9D2: main (objdump.c:3845)
==10472==  Address 0x561e6d8 is 24 bytes after a block of size 64 in arena "client"
==10472== 
00000000004003e0 <puts@plt-0x10>:
  4003e0:	ff 35 22 0c 20 00    	pushq  0x200c22(%rip)        # 601008 <_GLOBAL_OFFSET_TABLE_+0x8>
  4003e6:	ff 25 24 0c 20 00    	jmpq   *0x200c24(%rip)        # 601010 <_GLOBAL_OFFSET_TABLE_+0x10>
  4003ec:	0f 1f 40 00          	nopl   0x0(%rax)

00000000004003f0 <puts@plt>:
  4003f0:	ff 25 22 0c 20 00    	jmpq   *0x200c22(%rip)        # 601018 <_GLOBAL_OFFSET_TABLE_+0x18>
  4003f6:	68 00 00 00 00       	pushq  $0x0
  4003fb:	e9 e0 ff ff ff       	jmpq   4003e0 <_init+0x18>

Disassembly of section .text:

0000000000400400 <_start>:
  400400:	31 ed                	xor    %ebp,%ebp
  400402:	49 89 d1             	mov    %rdx,%r9
  400405:	5e                   	pop    %rsi
  400406:	48 89 e2             	mov    %rsp,%rdx
  400409:	48 83 e4 f0          	and    $0xfffffffffffffff0,%rsp
  40040d:	50                   	push   %rax
  40040e:	54                   	push   %rsp
  40040f:	49 c7 c0 80 05 40 00 	mov    $0x400580,%r8
  400416:	48 c7 c1 10 05 40 00 	mov    $0x400510,%rcx
  40041d:	48 c7 c7 f6 04 40 00 	mov    $0x4004f6,%rdi
  400424:	ff 15 c6 0b 20 00    	callq  *0x200bc6(%rip)        # 600ff0 <_DYNAMIC+0x1d0>
  40042a:	f4                   	hlt    
  40042b:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)

0000000000400430 <deregister_tm_clones>:
  400430:	b8 2f 10 60 00       	mov    $0x60102f,%eax
  400435:	55                   	push   %rbp
  400436:	48 2d 28 10 60 00    	sub    $0x601028,%rax
  40043c:	48 83 f8 0e          	cmp    $0xe,%rax
  400440:	48 89 e5             	mov    %rsp,%rbp
  400443:	76 1b                	jbe    400460 <deregister_tm_clones+0x30>
  400445:	b8 00 00 00 00       	mov    $0x0,%eax
  40044a:	48 85 c0             	test   %rax,%rax
  40044d:	74 11                	je     400460 <deregister_tm_clones+0x30>
  40044f:	5d                   	pop    %rbp
  400450:	bf 28 10 60 00       	mov    $0x601028,%edi
  400455:	ff e0                	jmpq   *%rax
  400457:	66 0f 1f 84 00 00 00 	nopw   0x0(%rax,%rax,1)
  40045e:	00 00 
  400460:	5d                   	pop    %rbp
  400461:	c3                   	retq   
  400462:	0f 1f 40 00          	nopl   0x0(%rax)
  400466:	66 2e 0f 1f 84 00 00 	nopw   %cs:0x0(%rax,%rax,1)
  40046d:	00 00 00 

0000000000400470 <register_tm_clones>:
  400470:	be 28 10 60 00       	mov    $0x601028,%esi
  400475:	55                   	push   %rbp
  400476:	48 81 ee 28 10 60 00 	sub    $0x601028,%rsi
  40047d:	48 c1 fe 03          	sar    $0x3,%rsi
  400481:	48 89 e5             	mov    %rsp,%rbp
  400484:	48 89 f0             	mov    %rsi,%rax
  400487:	48 c1 e8 3f          	shr    $0x3f,%rax
  40048b:	48 01 c6             	add    %rax,%rsi
  40048e:	48 d1 fe             	sar    %rsi
  400491:	74 15                	je     4004a8 <register_tm_clones+0x38>
  400493:	b8 00 00 00 00       	mov    $0x0,%eax
  400498:	48 85 c0             	test   %rax,%rax
  40049b:	74 0b                	je     4004a8 <register_tm_clones+0x38>
  40049d:	5d                   	pop    %rbp
  40049e:	bf 28 10 60 00       	mov    $0x601028,%edi
  4004a3:	ff e0                	jmpq   *%rax
  4004a5:	0f 1f 00             	nopl   (%rax)
  4004a8:	5d                   	pop    %rbp
  4004a9:	c3                   	retq   
  4004aa:	66 0f 1f 44 00 00    	nopw   0x0(%rax,%rax,1)

00000000004004b0 <__do_global_dtors_aux>:
  4004b0:	80 3d 6d 0b 20 00 00 	cmpb   $0x0,0x200b6d(%rip)        # 601024 <_edata>
  4004b7:	75 11                	jne    4004ca <__do_global_dtors_aux+0x1a>
  4004b9:	55                   	push   %rbp
  4004ba:	48 89 e5             	mov    %rsp,%rbp
  4004bd:	e8 6e ff ff ff       	callq  400430 <deregister_tm_clones>
  4004c2:	5d                   	pop    %rbp
  4004c3:	c6 05 5a 0b 20 00 01 	movb   $0x1,0x200b5a(%rip)        # 601024 <_edata>
  4004ca:	f3 c3                	repz retq 
  4004cc:	0f 1f 40 00          	nopl   0x0(%rax)

00000000004004d0 <frame_dummy>:
  4004d0:	bf 18 0e 60 00       	mov    $0x600e18,%edi
  4004d5:	48 83 3f 00          	cmpq   $0x0,(%rdi)
  4004d9:	75 05                	jne    4004e0 <frame_dummy+0x10>
  4004db:	eb 93                	jmp    400470 <register_tm_clones>
  4004dd:	0f 1f 00             	nopl   (%rax)
  4004e0:	b8 00 00 00 00       	mov    $0x0,%eax
  4004e5:	48 85 c0             	test   %rax,%rax
  4004e8:	74 f1                	je     4004db <frame_dummy+0xb>
  4004ea:	55                   	push   %rbp
  4004eb:	48 89 e5             	mov    %rsp,%rbp
  4004ee:	ff d0                	callq  *%rax
  4004f0:	5d                   	pop    %rbp
  4004f1:	e9 7a ff ff ff       	jmpq   400470 <register_tm_clones>

00000000004004f6 <main>:
#include <stdio.h>

int
main ()
{
  4004f6:	55                   	push   %rbp
  4004f7:	48 89 e5             	mov    %rsp,%rbp
  printf ("hello\n");
  4004fa:	bf a0 05 40 00       	mov    $0x4005a0,%edi
==10472== Invalid read of size 2
==10472==    at 0x468729: _bfd_elf_get_symbol_version_string (elf.c:1769)
==10472==    by 0x40519A: objdump_print_symname (objdump.c:826)
==10472==    by 0x4059A7: objdump_print_addr_with_sym (objdump.c:1032)
==10472==    by 0x405CAC: objdump_print_addr (objdump.c:1092)
==10472==    by 0x405CE9: objdump_print_address (objdump.c:1102)
==10472==    by 0x43F5D2: print_insn (i386-dis.c:13649)
==10472==    by 0x406F1B: disassemble_bytes (objdump.c:1725)
==10472==    by 0x408175: disassemble_section (objdump.c:2165)
==10472==    by 0x44BA9B: bfd_map_over_sections (section.c:1395)
==10472==    by 0x4086A9: disassemble_data (objdump.c:2301)
==10472==    by 0x40AD14: dump_bfd (objdump.c:3395)
==10472==    by 0x40AE9B: display_object_bfd (objdump.c:3452)
==10472==  Address 0x561e6d8 is 24 bytes after a block of size 64 in arena "client"
==10472== 
  4004ff:	e8 ec fe ff ff       	callq  4003f0 <puts@plt>
  return 0;
  400504:	b8 00 00 00 00       	mov    $0x0,%eax
}
  400509:	5d                   	pop    %rbp
  40050a:	c3                   	retq   
  40050b:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)

0000000000400510 <__libc_csu_init>:
  400510:	41 57                	push   %r15
  400512:	41 56                	push   %r14
  400514:	41 89 ff             	mov    %edi,%r15d
  400517:	41 55                	push   %r13
  400519:	41 54                	push   %r12
  40051b:	4c 8d 25 e6 08 20 00 	lea    0x2008e6(%rip),%r12        # 600e08 <__frame_dummy_init_array_entry>
  400522:	55                   	push   %rbp
  400523:	48 8d 2d e6 08 20 00 	lea    0x2008e6(%rip),%rbp        # 600e10 <__init_array_end>
  40052a:	53                   	push   %rbx
  40052b:	49 89 f6             	mov    %rsi,%r14
  40052e:	49 89 d5             	mov    %rdx,%r13
  400531:	4c 29 e5             	sub    %r12,%rbp
  400534:	48 83 ec 08          	sub    $0x8,%rsp
  400538:	48 c1 fd 03          	sar    $0x3,%rbp
  40053c:	e8 87 fe ff ff       	callq  4003c8 <_init>
  400541:	48 85 ed             	test   %rbp,%rbp
  400544:	74 20                	je     400566 <__libc_csu_init+0x56>
  400546:	31 db                	xor    %ebx,%ebx
  400548:	0f 1f 84 00 00 00 00 	nopl   0x0(%rax,%rax,1)
  40054f:	00 
  400550:	4c 89 ea             	mov    %r13,%rdx
  400553:	4c 89 f6             	mov    %r14,%rsi
  400556:	44 89 ff             	mov    %r15d,%edi
  400559:	41 ff 14 dc          	callq  *(%r12,%rbx,8)
  40055d:	48 83 c3 01          	add    $0x1,%rbx
  400561:	48 39 dd             	cmp    %rbx,%rbp
  400564:	75 ea                	jne    400550 <__libc_csu_init+0x40>
  400566:	48 83 c4 08          	add    $0x8,%rsp
  40056a:	5b                   	pop    %rbx
  40056b:	5d                   	pop    %rbp
  40056c:	41 5c                	pop    %r12
  40056e:	41 5d                	pop    %r13
  400570:	41 5e                	pop    %r14
  400572:	41 5f                	pop    %r15
  400574:	c3                   	retq   
  400575:	90                   	nop
  400576:	66 2e 0f 1f 84 00 00 	nopw   %cs:0x0(%rax,%rax,1)
  40057d:	00 00 00 

0000000000400580 <__libc_csu_fini>:
  400580:	f3 c3                	repz retq 

Disassembly of section .fini:

0000000000400584 <_fini>:
  400584:	48 83 ec 08          	sub    $0x8,%rsp
  400588:	48 83 c4 08          	add    $0x8,%rsp
  40058c:	c3                   	retq   
==10472== 
==10472== HEAP SUMMARY:
==10472==     in use at exit: 204 bytes in 4 blocks
==10472==   total heap usage: 179 allocs, 175 frees, 77,468 bytes allocated
==10472== 
==10472== LEAK SUMMARY:
==10472==    definitely lost: 0 bytes in 0 blocks
==10472==    indirectly lost: 0 bytes in 0 blocks
==10472==      possibly lost: 0 bytes in 0 blocks
==10472==    still reachable: 204 bytes in 4 blocks
==10472==         suppressed: 0 bytes in 0 blocks
==10472== Rerun with --leak-check=full to see details of leaked memory
==10472== 
==10472== For counts of detected and suppressed errors, rerun with: -v
==10472== ERROR SUMMARY: 3 errors from 2 contexts (suppressed: 0 from 0)
[hjl@gnu-6 binutils]$
Comment 1 H.J. Lu 2016-06-27 17:50:53 UTC
The problem is that disassemble_data only copies and sorts an
array of asymbol, not an array of elf_symbol_type.  We can either
change disassemble_data to copy and sort the proper symbols
or disable symbol versions in the disassembler.
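The type confusion H.J. Lu describes, modelled as an added example (this is not binutils code; the struct layouts, the version table and the flag test are simplified assumptions). objdump's synthetic PLT symbols (puts@plt and puts@plt-0x10 in the valgrind output above) are bare asymbol objects, but the version lookup downcasts every symbol it is given to the larger elf_symbol_type, so for a synthetic symbol the 2-byte version field lies past the end of the block it was allocated in, which is the "Invalid read of size 2" valgrind reports. The guarded caller models what the commit in Comment 3 describes ("Don't attempt to retrieve version info from synthetic symbols"); testing the BSF_SYNTHETIC flag in the caller is an assumption about how that guard is written.

```c
/* Added example modelling PR 20304; not code from binutils. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* BFD flags symbols that objdump fabricates for PLT stubs with this bit.
   The value mirrors bfd.h, but the example only needs it to be a flag. */
#define BSF_SYNTHETIC (1u << 21)

/* Simplified stand-in for BFD's generic asymbol. */
typedef struct asymbol
{
  const char *name;
  unsigned long value;
  unsigned int flags;
} asymbol;

/* Simplified stand-in for the ELF back end's elf_symbol_type: the generic
   header comes first so an asymbol* can be downcast to it, and the version
   index lives past the end of the generic part. */
typedef struct elf_symbol_type
{
  asymbol symbol;
  unsigned short version;   /* index into the version name table */
} elf_symbol_type;

/* Constructed version table standing in for .gnu.version_r data. */
static const char *const version_names[] = { NULL, NULL, "GLIBC_2.2.5" };
#define NVERSIONS (sizeof version_names / sizeof version_names[0])

/* Models _bfd_elf_get_symbol_version_string: only valid for a symbol that
   really is an elf_symbol_type, but nothing in the signature says so. */
static const char *
elf_symbol_version_string (const asymbol *sym)
{
  const elf_symbol_type *e = (const elf_symbol_type *) sym;
  return e->version < NVERSIONS ? version_names[e->version] : NULL;
}

/* objdump_print_symname before the fix: every symbol is handed over. */
static const char *
symname_version_buggy (const asymbol *sym)
{
  return elf_symbol_version_string (sym);
}

/* After the fix: a synthetic symbol is a bare asymbol with no ELF version
   data behind it, so never look for any (flag test is an assumption). */
static const char *
symname_version_fixed (const asymbol *sym)
{
  if (sym->flags & BSF_SYNTHETIC)
    return NULL;
  return elf_symbol_version_string (sym);
}

/* The synthetic symbol table as the disassembler sees it: a contiguous
   block of bare asymbol.  The red zone stands in for whatever happens to
   follow that block on the heap. */
struct synthetic_block
{
  asymbol syms[2];
  unsigned char redzone[16];
};

static struct synthetic_block
make_synthetics (void)
{
  struct synthetic_block b;
  memset (&b, 0, sizeof b);
  b.syms[0].name = "puts@plt-0x10"; b.syms[0].value = 0x4003e0;
  b.syms[1].name = "puts@plt";      b.syms[1].value = 0x4003f0;
  b.syms[0].flags = b.syms[1].flags = BSF_SYNTHETIC;
  memset (b.redzone, 0xAB, sizeof b.redzone);
  return b;
}

/* Bytes the downcast reads beyond the end of a bare asymbol: the whole
   2-byte version field, matching valgrind's "Invalid read of size 2". */
static size_t
bytes_read_past_synthetic (void)
{
  return offsetof (elf_symbol_type, version) + sizeof (unsigned short)
         - sizeof (asymbol);
}

/* 1 if the buggy path, applied to the last synthetic symbol, reads its
   phantom version field out of the red zone (0xABAB). */
static int
buggy_path_reads_redzone (void)
{
  struct synthetic_block b = make_synthetics ();
  const elf_symbol_type *e = (const elf_symbol_type *) &b.syms[1];
  (void) symname_version_buggy (&b.syms[1]);   /* the over-read itself */
  return e->version == 0xABAB;
}

static int
fixed_path_skips_synthetics (void)
{
  struct synthetic_block b = make_synthetics ();
  return symname_version_fixed (&b.syms[0]) == NULL
         && symname_version_fixed (&b.syms[1]) == NULL;
}

/* A genuine ELF symbol still gets its version through the fixed path. */
static const char *
fixed_path_real_symbol (void)
{
  static elf_symbol_type puts_sym;
  puts_sym.symbol.name = "puts";
  puts_sym.symbol.flags = 0;
  puts_sym.version = 2;
  return symname_version_fixed (&puts_sym.symbol);
}

int
main (void)
{
  printf ("buggy path reads %zu byte(s) past a synthetic symbol\n",
          bytes_read_past_synthetic ());
  printf ("buggy path sees red zone: %s\n",
          buggy_path_reads_redzone () ? "yes" : "no");
  printf ("fixed path ignores synthetics: %s\n",
          fixed_path_skips_synthetics () ? "yes" : "no");
  printf ("fixed path on puts: %s\n", fixed_path_real_symbol ());
  return 0;
}
```

The red zone makes the over-read observable without a sanitizer: the last synthetic symbol's phantom version field falls exactly on the bytes after the array, which on the real heap belong to whatever was allocated next. The guard belongs in the caller rather than in the version routine because only the caller knows which symbol tables it built itself.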
Comment 2 Alan Modra 2016-06-28 07:32:08 UTC
Testing a fix.
Comment 3 Sourceware Commits 2016-06-28 09:46:20 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f2b2af2c9f403ead49de8f0e01a9c149b0b420f9

commit f2b2af2c9f403ead49de8f0e01a9c149b0b420f9
Author: Alan Modra <amodra@gmail.com>
Date:   Tue Jun 28 18:59:33 2016 +0930

    Invalid read in _bfd_elf_get_symbol_version_string
    
    	PR 20304
    	* objdump.c (objdump_print_symname): Don't attempt to retrieve
    	version info from synthetic symbols.
Comment 4 Sourceware Commits 2016-06-28 23:25:32 UTC
The binutils-2_26-branch branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=73590ef79194e7e588d4dd1281d0b451fe485fec

commit 73590ef79194e7e588d4dd1281d0b451fe485fec
Author: Alan Modra <amodra@gmail.com>
Date:   Tue Jun 28 18:59:33 2016 +0930

    Invalid read in _bfd_elf_get_symbol_version_string
    
    	PR 20304
    	* objdump.c (objdump_print_symname): Don't attempt to retrieve
    	version info from synthetic symbols.
Comment 5 Alan Modra 2016-06-29 00:02:48 UTC
Fixed.
Comment 6 H.J. Lu 2016-06-29 10:37:40 UTC
Fixed for 2.27 and 2.26 branch.