https://bugs.winehq.org/show_bug.cgi?id=49139
--- Comment #5 from Damjan Jovanovic damjan.jov@gmail.com --- Gen, thank you so much for your debugging so far. It would have taken me forever to get started without it. I've begun my own debugging from the other end: how the bad value gets into the binary in the first place.
Your patch modifies dlls/ntdll/loader.c to use dyn->d_un.d_ptr as the initializer address instead of map->l_addr + dyn->d_un.d_val when its d_tag is 0x60009992. The d_tag of 0x60009992 comes from winebuild, function fixup_elf32(), called from fixup_constructors(), called from main() when "--fixup-ctors" was passed as a command line option. winebuild gets passed --fixup-ctors from winegcc when its own function fixup_constuctors() is called, and the commit I bisected the regression to (1ccd638b1aa85fb3c43b49d69d279cd509ebdc21) calls fixup_constructors() in a new place.
However what does 0x60009992 actually do? The fixup_elf32() function in winebuild iterates over (what are effectively) Elf32_Dyn entries in the PT_DYNAMIC section, and overwrites the d_tag containing DT_INIT with 0x60009992. Presumably, this is done so ELF initializers aren't run in the native dynamic loader, but in Wine's NTDLL. But the 0x60009992 is still in every other way a DT_INIT entry.
Testing on native FreeBSD binaries on both i386 and amd64 shows how (1) the DT_INIT value in my own test executable on disk matches the value returned by dlinfo() in memory, and (2) the value is also given by "objdump -x <executable>|grep INIT".
But is that value an absolute address, or an offset relative to l_addr? Both Wine and glibc seem to treat it as the latter: https://code.woboq.org/userspace/glibc/elf/dl-init.c.html#58 DL_CALL_DT_INIT(l, l->l_addr + l->l_info[DT_INIT]->d_un.d_ptr, argc, argv, env);