一些用于调试iOS应用的lldb命令。Some very useful lldb commands for iOS debugging and reverse engineering.
Breakpoint:
* baf - break all functions in module
* bdc - breakpoint disable current
* bda - breakpoint disable at class
* bdr - breakpoint disable in range
* bblocks - break blocks (arm64 only)
* binitfunc - break mod init func
* bmain - break main function
Search:
* fblock - find block (arm64 only)
* blocks - find blocks (arm64 only)
Trace:
* rtrace
* notifier
Patch:
* patch (private)
Dump:
* dmodule - dump module (private)
File:
* commads to get common directory
* ls
* ufile - upload local file to device
* rm - remove file
Module:
* image_list
* info_plist
* executable - print main executable name
* bundle_id
* group_id
* team_id
* appdelegate
* main
* initfunc - print mod init func
* func_starts - function starts
* lazy_sym - print __la_symbol_ptr section
* entitlements - dump entitlements
* classes - print class names
Assembly:
* inst2bytes
* bytes2inst
Memory:
* read_mem_as_addr
* read_cstring - read memory as c style string
Others:
* symbolic
* find_el - find endless loop
* thread_eb - extended backtrace of thread
- Clone this repo
- Open up (or create) ~/.lldbinit
- Add the following command to your ~/.lldbinit file:
command script import /path/to/YJLLDB/src/yjlldb.py
Set breakpoints at the specified bytes in user modules.
// for example, break at ret
(lldb) bab c0 03 5f d6
Breakpoint 1: where = LLDBCode`-[ViewController viewDidLoad] + 240 at ViewController.m:29:1, address = 0x1029b3008
...
set 728 breakpoints
(lldb) x 0x1029b3008
0x1029b3008: c0 03 5f d6 ff 03 03 d1 fd 7b 0b a9 fd c3 02 91 .._......{......
0x1029b3018: e8 03 01 aa e1 03 02 aa e3 0f 00 f9 a0 83 1f f8 ................
(lldb) dis -s 0x1029b3008 -c 1
LLDBCode`-[ViewController viewDidLoad]:
0x1029b3008 <+240>: retBreak all functions and methods in the specified module.
For example,break Foundation:
(lldb) baf Foundation
-----break functions in Foundation-----
will set breakpoint for 13880 names
Breakpoint 4: 13961 locationsDisable current breakpoint and continue.
(lldb) thread info
thread #1: tid = 0x2cb739, 0x000000018354f950 libsystem_kernel.dylib`open, queue = 'com.apple.main-thread', stop reason = breakpoint 5.13
(lldb) bdc
disable breakpoint 5.13 [0x18354f950]libsystem_kernel.dylib`open
and continueDisable breakpoint(s) at the specified class.
(lldb) bda -i ViewController
disable breakpoint 1.8: where = LLDBCode`__41-[ViewController touchesBegan:withEvent:]_block_invoke_4 at ViewController.m:57, address = 0x00000001040e32f8, unresolved, hit count = 1 Options: disabled
...
disable breakpoint 1.27: where = LLDBCode`__41-[ViewController touchesBegan:withEvent:]_block_invoke at ViewController.m:45, address = 0x00000001040e318c, unresolved, hit count = 1 Options: disabled
(lldb) bda -i ViewController(extension)
disable breakpoint 1.23: where = LLDBCode`-[ViewController(extension) test] at ViewController.m:20, address = 0x0000000102ec2e7c, unresolved, hit count = 0 Options: disabled Disable breakpoint(s) in the specified range.
(lldb) bdr 980~992
disable breakpoint 980.1: where = LLDBCode`-[Test .cxx_destruct] at Test.m:22, address = 0x00000001049fa1b0, unresolved, hit count = 0 Options: disabled
...
disable breakpoint 991.1: where = LLDBCode`func1 at Test.m:42, address = 0x00000001049faaf8, unresolved, hit count = 0 Options: disabled Break all blocks in user modules
(lldb) bblocks
-----try to lookup block in JITDemo-----
break block: 0x104a78150 with Breakpoint 4: JITDemo`globalBlock_block_invoke at ViewController.m:16:0, address = 0x104a74990
...
break stack block with Breakpoint 9: JITDemo`__41-[ViewController touchesBegan:withEvent:]_block_invoke_4 at ViewController.m:75:0, address = 0x104a74f08
...
-----try to lookup block in LLDBJIT-----
break block: 0x104b341c0 with Breakpoint 82: LLDBJIT`__22+[MachoTool findMacho]_block_invoke at MachoTool.m:110:0, address = 0x104b2b130
...
find a stack block @0x104b32080 in LLDBJIT`+[Image getBlocksInfo:] at Image.m:0:0
break stack block with Breakpoint 88: LLDBJIT`None, address = 0x104b34d40
set 85 breakpoints
(lldb) or
(lldb) bblocks JITDemo
-----try to lookup block in JITDemo-----
break block: 0x1026ac140 with Breakpoint 87: JITDemo`___lldb_unnamed_symbol75, address = 0x1026a92f4
...
find a stack block @0x1026a9694 in JITDemo`___lldb_unnamed_symbol82
break stack block with Breakpoint 93: JITDemo`___lldb_unnamed_symbol83, address = 0x1026a9700
set 7 breakpointsBreak module init function(s) in user modules.
(lldb) binitfunc
-----try to lookup init function in JITDemo-----
Breakpoint 6: JITDemo`entry1 at main.m:708:0, address = 0x100e08cb0
Breakpoint 7: JITDemo`entry2 at main.m:740:0, address = 0x100e0960cBreak the specified method(s) in user modules
(lldb) bmethod load
-----try to method in JITDemo-----
Breakpoint 3: JITDemo`+[ViewController load] at ViewController.m:26:0, address = 0x1024f89bc
Breakpoint 4: JITDemo`+[AppDelegate load] at AppDelegate.m:16:0, address = 0x1024f96a4
-----try to method in LLDBJIT-----
set 2 breakpoints(lldb) bmain
Breakpoint 9: BasicSyntax`___lldb_unnamed_symbol266, address = 0x10017c3fcLookup the specified string, between start addr and end addr.
(lldb) image_list -c 8
index load addr(slide) vmsize path
--------------------------------------------------------
[ 0] 0x1022e4000(0x0022e4000) 81.9K /var/containers/Bundle/Application/C134E909-CC52-4A93-9557-37BA808854D3/LLDBCode.app/LLDBCode
...
[ 6] 0x18406f000(0x004044000) 8.7K /usr/lib/libSystem.B.dylib
[ 7] 0x184071000(0x004044000) 394.1K /usr/lib/libc++.1.dylib
(lldb) slookup PROGRAM 0x18406f000 0x184071000
found at 0x184070f7c where = [0x000000018002cf78-0x000000018002cfb8) libSystem.B.dylib.__TEXT.__const
1 locations found
(lldb) x 0x184070f7c -c 64
0x184070f7c: 50 52 4f 47 52 41 4d 3a 53 79 73 74 65 6d 2e 42 PROGRAM:System.B
0x184070f8c: 20 20 50 52 4f 4a 45 43 54 3a 4c 69 62 73 79 73 PROJECT:Libsys
0x184070f9c: 74 65 6d 2d 31 32 35 32 2e 35 30 2e 34 0a 00 00 tem-1252.50.4...
0x184070fac: 00 00 00 00 00 00 00 00 00 92 93 40 01 00 00 00 ...........@....Lookup the specified bytes in user modules.
(lldb) blookup c0 03 5f d6
-----try to lookup bytes in LLDBCode-----
0x104961018
...
0x104969ab8
32 locations foundFind the specified block(s) in user modules.
(lldb) po $x0
<__NSGlobalBlock__: 0x100f18210>
(lldb) x/4g 0x100f18210
0x100f18210: 0x00000001b57df288 0x0000000050000000
0x100f18220: 0x00000001043b9724 0x00000001043bc1f0
(lldb) info 0x00000001043b9724
0x00000001043b9724, ___lldb_unnamed_symbol77 <+0> `JITDemo`__TEXT.__text + 0x290
(lldb) fblock 0x100f18210
-----try to lookup block in JITDemo-----
find a block: 0x100f18210 in JITDemo`-[ViewController touchesBegan:withEvent:]
1 block(s) resolvedFind blocks in user modules and save block symbols to block_symbol.json
(lldb) blocks
-----try to lookup block in JITDemo-----
* using global block var: 0x104a78150 in JITDemo`-[ViewController viewDidLoad] at ViewController.m:39:5
find a block: 0x104a78190 in JITDemo`-[ViewController viewDidLoad] at ViewController.m:0:0
...
find a stack block @0x104a74e7c in JITDemo`__41-[ViewController touchesBegan:withEvent:]_block_invoke_3 at ViewController.m:0:0
stack block func addr 0x104a74f08 JITDemo`__41-[ViewController touchesBegan:withEvent:]_block_invoke_4 at ViewController.m:75:0
...
-----try to lookup block in LLDBJIT-----
find a block: 0x104b341c0 in LLDBJIT`+[MachoTool findMacho] at MachoTool.m:0:0
...
find a stack block @0x104b32080 in LLDBJIT`+[Image getBlocksInfo:] at Image.m:0:0
stack block func addr 0x104b34d40 LLDBJIT`None
85 block(s) resolvedfind function by callee function name
(lldb) ffunc -n open -i 5900
-----parsing module Demo-----
function call found at: 0x1057c09b0, where = Demo`___lldb_unnamed_symbol255344 + 88find function by callee funcation address
(lldb) ffunc -a 0x1005106a0 -i 5000
-----parsing module Demo-----
function call found at: 0x10050dcd8, where = Demo`test_func + 2360find function by c string
(lldb) ffunc -k test -i 700 -x 800
-----parsing module Demo-----
keyword test found at 0x105bb5227(lldb) overridden_methodTrace all functions in the specified module. By default, only OC methods are traced. To trace swift module, you need to add the -a option.
// begin trace
(lldb) mtrace LLDBCode
-----trace functions in LLDBCode-----
will trace 35 names
begin trace with Breakpoint 1: 35 locations
(lldb) c
// trace log
frame #0: 0x0000000102dd2fb8 LLDBCode`-[ViewController touchesBegan:withEvent:](self=0x00000001d4108040, _cmd="touchesBegan:withEvent:", touches=0x000000015fd0fff0, event=1 element) at ViewController.m:35
...
frame #0: 0x0000000102dd318c LLDBCode`__41-[ViewController touchesBegan:withEvent:]_block_invoke(.block_descriptor=0x0000000102ec1500) at ViewController.m:45trace functions using regular expressions
(lldb) rtrace -i GetDeviceInfo
begin trace with Breakpoint 4: where = CoreTelephony`_CTServerConnectionPhoneServicesGetDeviceInfo, address = 0x1bab0f6a0
...
begin trace with Breakpoint 8: where = MediaRemote`MRMediaRemoteGetDeviceInfo, address = 0x1c85b4c84
begin trace with 5 breakpoint(s)trace notificaton posting action
(lldb) notifier
begin trace -[NSNotificationCenter postNotification:] with Breakpoint 8
begin trace -[NSNotificationCenter postNotificationName:object:userInfo:] with Breakpoint 9
begin trace CFNotificationCenterPostNotificationWithOptions with Breakpoint 10Patch bytes in user modules.
(lldb) patch c0 03 5f d6
-----try to patch bytes in LLDBCode-----
patch 32 locationsDump the specified module from memory.
(lldb) dmodule UIKit
dumping UIKit, this may take a while
ignore __DATA.__bss
ignore __DATA.__common
ignore __DATA_DIRTY.__bss
ignore __DATA_DIRTY.__common
924057600 bytes dump to ~/lldb_dump_macho/UIKit/macho_UIKit注意:加载时被修改的数据未恢复
Dump current iOS App (arm64 only). Typically, dump decrypted ipa from jailbreak device.
(lldb) dapp
dumping JITDemo, this may take a while
copy file JITDemo.app/Base.lproj/LaunchScreen.storyboardc/01J-lp-oVM-view-Ze5-6b-2t3.nib
...
copy file JITDemo.app/embedded.mobileprovision
no file need patch
Generating "JITDemo.ipa"
dump success, ipa path: /Users/xxx/lldb_dump_macho/JITDemo/JITDemo.ipa(lldb) bundle_dir
/var/containers/Bundle/Application/63954B0E-79FA-42F2-A7EA-3568026008A1/Interlock.app
(lldb) home_dir
/var/mobile/Containers/Data/Application/1161FDFD-5D69-47CD-B5C6-C2724B8E2F28
(lldb) doc_dir
/var/mobile/Containers/Data/Application/1161FDFD-5D69-47CD-B5C6-C2724B8E2F28/Documents
(lldb) caches_dir
/var/mobile/Containers/Data/Application/1161FDFD-5D69-47CD-B5C6-C2724B8E2F28/Library/Caches
(lldb) lib_dir
/var/mobile/Containers/Data/Application/1161FDFD-5D69-47CD-B5C6-C2724B8E2F28/Library
(lldb) tmp_dir
/var/mobile/Containers/Data/Application/1161FDFD-5D69-47CD-B5C6-C2724B8E2F28/tmp
(lldb) group_dir
/private/var/mobile/Containers/Shared/AppGroup/9460EA21-AE6A-4220-9BB3-6EC8B971CDAEList directory contents, just like ls -lh on Mac.
(lldb) ls bu
/var/containers/Bundle/Application/D0419A6E-053C-4E35-B422-7C0FD6CAB060/Interlock.app
drwxr-xr-x 128B 1970-01-01 00:00:00 +0000 Base.lproj
drwxr-xr-x 96B 1970-01-01 00:00:00 +0000 _CodeSignature
drwxr-xr-x 64B 1970-01-01 00:00:00 +0000 META-INF
-rw-r--r-- 1.5K 2023-05-16 03:17:32 +0000 Info.plist
-rwxr-xr-x 103.0K 2023-05-19 11:07:02 +0000 Interlock
-rw-r--r-- 8B 2023-05-16 03:17:32 +0000 PkgInfo
-rw-r--r-- 194.7K 2023-05-16 03:17:31 +0000 embedded.mobileprovision
(lldb) ls home
/var/mobile/Containers/Data/Application/09E63130-623F-4124-BCBB-59E20BD28964
drwxr-xr-x 96B 2023-05-19 07:28:01 +0000 Documents
drwxr-xr-x 128B 2023-05-16 04:51:14 +0000 Library
drwxr-xr-x 64B 1970-01-01 00:00:00 +0000 SystemData
drwxr-xr-x 64B 2023-05-16 04:51:14 +0000 tmp
(lldb) ls /var/mobile/Containers/Data/Application/09E63130-623F-4124-BCBB-59E20BD28964/Documents
-rw-r--r-- 18B 2023-05-16 05:36:05 +0000 report.txtDownload file from home, bundle or group path.
(lldb) dfile /var/containers/Bundle/Application/7099B2B8-39BE-4204-9BEB-5DF6A75BAA29/JITDemo.app/Info.plist
dumping Info.plist, this may take a while
1464 bytes written to '/Users/xxx/Info.plist'or
(lldb) dfile bundle/Info.plist
dumping Info.plist, this may take a while
1464 bytes written to '/Users/xxx/Info.plist'Download dir from home, bundle or group path.
(lldb) ddir /var/containers/Bundle/Application/7099B2B8-39BE-4204-9BEB-5DF6A75BAA29/JITDemo.app
dumping JITDemo.app, this may take a while
1197 bytes written to '/Users/xxx/JITDemo.app/Base.lproj/LaunchScreen.storyboardc/01J-lp-oVM-view-Ze5-6b-2t3.nib'
...
8 bytes written to '/Users/xxx/JITDemo.app/PkgInfo'
196731 bytes written to '/Users/xxx/JITDemo.app/embedded.mobileprovision'Upload local file to the specified directory or path on device.
(lldb) doc
/var/mobile/Containers/Data/Application/1171F451-C2DC-47E6-B6E3-74A0FE5A6572/Documents
(lldb) ufile /Users/xxx/uploadfile /var/mobile/Containers/Data/Application/1171F451-C2DC-47E6-B6E3-74A0FE5A6572/Documents
uploading uploadfile, this may take a while
upload success
(lldb) ufile /Users/xxx/uploadfile /var/mobile/Containers/Data/Application/1171F451-C2DC-47E6-B6E3-74A0FE5A6572/Documents/test
uploading uploadfile, this may take a while
upload success
(lldb) ls doc
/var/mobile/Containers/Data/Application/1171F451-C2DC-47E6-B6E3-74A0FE5A6572/Documents
-rw-r--r-- 12.1K 2023-08-10 07:11:29 +0000 test
-rw-r--r-- 12.1K 2023-08-10 07:11:22 +0000 uploadfileRemove file or directory on remote device.
(lldb) ls doc
/var/mobile/Containers/Data/Application/B142040E-B1A0-4E97-8E76-03357585BFF8/Documents
-rw-r--r-- 12.1K 2023-08-10 07:32:05 +0000 test
-rw-r--r-- 12.1K 2023-08-10 08:22:40 +0000 uploadfile
(lldb) rm /var/mobile/Containers/Data/Application/B142040E-B1A0-4E97-8E76-03357585BFF8/Documents/uploadfile
remove success
(lldb) ls doc
/var/mobile/Containers/Data/Application/B142040E-B1A0-4E97-8E76-03357585BFF8/Documents
-rw-r--r-- 12.1K 2023-08-10 07:32:05 +0000 testList current executable and dependent shared library images, sorted by load address.
(lldb) image_list
index load addr(slide) vmsize path
------------------------------------------------------------
[ 0] 0x1048dc000(0x0048dc000) 655.4K /private/var/containers/Bundle/Application/D5752641-F291-4170-9576-67D8011C88D3/JITDemo.app
[ 1] 0x10497c000(0x10497c000) 131.1K /Users/xxx/Library/Developer/Xcode/DerivedData/LLDBJIT-xxx/Build/Products/Debug-iphoneos/JITDemo.app/Frameworks/LLDBJIT.framework/LLDBJIT
...(lldb) image_list -v
index load addr - end addr(slide) vmsize arch uuid path
------------------------------------------------------------
[ 0] 0x1048dc000 - 0x10497c000(0x0048dc000) 655.4K arm64 5B4BAB05-B614-339D-909E-1877AA53AD11 /private/var/containers/Bundle/Application/D5752641-F291-4170-9576-67D8011C88D3/JITDemo.app
[ 1] 0x10497c000 - 0x10499c000(0x10497c000) 131.1K arm64 E8938575-D438-3175-B846-B60CF9DE0304 /Users/xxx/Library/Developer/Xcode/DerivedData/LLDBJIT-xxx/Build/Products/Debug-iphoneos/JITDemo.app/Frameworks/LLDBJIT.framework/LLDBJIT
...(lldb) info_plist
-----parsing module Demo-----
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
...
</dict>
</plist>Print main executable name.
(lldb) executable
LLDBCodePrint bundle identifer
(lldb) bundle_id
xxx.com.test.xxxPrint group id
(lldb) group_id
group id not foundPrint team identifer
(lldb) team_id
xxxxxxxxxxFind the class that conforms to the UIApplicationDelegate protocol.
(lldb) appdelegate
AppDelegateGet module name with header address.
(lldb) mname 0x1043e8000
LLDBCodePrint segments and section info of macho.
(lldb) segments JITDemo
-----parsing module JITDemo-----
[start - end) size name
------------------------------------------------------------
[0x497c000 -0x10497c000) 0x100000000 __PAGEZERO
------------------------------------------------------------
[0x10497c000-0x104984000) 0x8000 __TEXT
[0x104980000-0x1049811b0) 0x11b0 __text
[0x1049811b0-0x104981270) 0xc0 __stubs
[0x104981270-0x104981348) 0xd8 __stub_helper
[0x104981348-0x1049815a8) 0x260 __objc_stubs
[0x1049815a8-0x1049824e5) 0xf3d __objc_methname
[0x1049824e5-0x104982736) 0x251 __cstring
[0x104982736-0x1049827b5) 0x7f __objc_classname
[0x1049827b5-0x1049832de) 0xb29 __objc_methtype
[0x1049832e0-0x104983360) 0x80 __unwind_info
------------------------------------------------------------
[0x104984000-0x104988000) 0x4000 __DATA
[0x104984000-0x104984030) 0x30 __got
[0x104984030-0x1049840b0) 0x80 __la_symbol_ptr
[0x1049840b0-0x1049841f0) 0x140 __cfstring
[0x1049841f0-0x104984210) 0x20 __objc_classlist
[0x104984210-0x104984218) 0x8 __objc_nlclslist
[0x104984218-0x104984238) 0x20 __objc_protolist
[0x104984238-0x104984240) 0x8 __objc_imageinfo
[0x104984240-0x104985408) 0x11c8 __objc_const
[0x104985408-0x1049854a8) 0xa0 __objc_selrefs
[0x1049854a8-0x1049854e0) 0x38 __objc_classrefs
[0x1049854e0-0x1049854e8) 0x8 __objc_superrefs
[0x1049854e8-0x1049854f0) 0x8 __objc_ivar
[0x1049854f0-0x104985630) 0x140 __objc_data
[0x104985630-0x1049857c0) 0x190 __data
[0x1049857c0-0x104985800) 0x40 __common
[0x104985800-0x104985818) 0x18 __bss
------------------------------------------------------------
[0x104988000-0x104994000) 0xc000 __LINKEDIT
[0x1049887c0-0x1049887f0) 0x30 Function Starts
[0x1049887f0-0x104989d10) 0x1520 Symbol Table
[0x1049887f0-0x1049887f0) 0x0 Data In Code Entries
[0x104989d10-0x104989da8) 0x98 Dynamic Symbol Table
[0x104989da8-0x10498b470) 0x16c8 String Table
[0x10498b470-0x104990140) 0x4cd0 Code SignaturePrint the address of main function.
(lldb) main
function main at 0x102911b70, fileoff: 0x5b70Dump module init function(s) in user modules.
(lldb) initfunc
-----try to lookup init function in JITDemo-----
address = 0x100e08cb0 JITDemo`entry1 at main.m:708:0
address = 0x100e0960c JITDemo`entry2 at main.m:740:0Print function starts
(lldb) func_starts
-----parsing module JITDemo-----
address = 0x1021bc5c8 where = JITDemo`globalBlock_block_invoke at ViewController.m:17
address = 0x1021bc608 where = JITDemo`+[ViewController load] at ViewController.m:27
...
address = 0x1021bdae0 where = JITDemo`-[SceneDelegate .cxx_destruct] at SceneDelegate.m:14
(lldb) (lldb) got
-----parsing module JITDemo-----
address = 0x1ac734ce0 where = Foundation`NSFileModificationDate
...
address = 0x180d44900 where = libobjc.A.dylib`objc_msgSend
address = 0x1814ce1c0 where = libdyld.dylib`dyld_stub_binder
13 location(s) found(lldb) lazy_sym
-----parsing module JITDemo-----
address = 0x104c7fe14 where = JITDemo`my_NSHomeDirectory at ViewController.m:63 -> NSHomeDirectory
...
address = 0x1815fb950 where = libsystem_kernel.dylib`open -> open
36 location(s) foundDump codesign entitlements of the specified module if any.
(lldb) ent
Interlock:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>application-identifier</key>
<string>XXXX.com.xxx.Interlock</string>
<key>com.apple.developer.team-identifier</key>
<string>XXXX</string>
<key>com.apple.security.application-groups</key>
<array/>
<key>get-task-allow</key>
<true/>
</dict>
</plist>(lldb) ent UIKit
UIKit apparently does not contain code signaturePrint class names in the specified module.
(lldb) classes
AppDelegate <0x10468e378>
SceneDelegate <0x10468e418>
ViewController <0x10468e260>Convert assembly instructions to machine code.
(lldb) inst2bytes 'mov x9, sp;mov x8, x0'
disassembly:
0: 910003e9 mov x9, sp
4: aa0003e8 mov x8, x0
machine code: e9030091e80300aaConvert machine code to assembly instructions.
(lldb) bytes2inst e9030091e80300aa
<+0>: mov x9, sp
<+4>: mov x8, x0(lldb) seg
...
------------------------------------------------------------
[0x102ee0000-0x102ee4000) 0x4000 __DATA
[0x102ee0000-0x102ee0000) 0x68 __got
...
[0x102ee02e0-0x102ee0560) 0x280 __cfstring
...
// read __got section
(lldb) read_mem_as_addr 0x102ee0000 0x102ee0068
0x102ee0000: 0x00000001ac734ce0 Foundation`NSFileModificationDate
...
0x102ee0058: 0x0000000180d44900 libobjc.A.dylib`objc_msgSend
0x102ee0060: 0x00000001814ce1c0 libdyld.dylib`dyld_stub_binder
// read __cfstring section
(lldb) read_mem_as_addr 0x102ee02e0 0x102ee0560
0x102ee02e0: 0x00000001b40b2610 (void *)0x00000001b40b25c0: __NSCFConstantString
0x102ee02e8: 0x00000000000007c8
0x102ee02f0: 0x0000000102ede156 "%s"
0x102ee02f8: 0x0000000000000002
...
0x102ee0540: 0x00000001b40b2610 (void *)0x00000001b40b25c0: __NSCFConstantString
0x102ee0548: 0x00000000000007c8
0x102ee0550: 0x0000000102ede2cc "Default Configuration"
0x102ee0558: 0x0000000000000015(lldb) seg
...
[0x10077b3ae-0x10077b424) 0x76 __objc_classname
....
[0x100782898-0x1007857f0) 0x2f58 String Table
...
// read __TEXT.__objc_classname
(lldb) read_cstring 0x10077b3ae 0x10077b424
0x10077b3ae: "ViewController"
...
0x10077b414: "UISceneDelegate"
9 locations found
// read String Table
(lldb) read_cstring 0x100782898 0x1007857f0
0x100782898: " "
0x10078289a: "_JITDemoVersionNumber"
...
0x1007857c8: "__OBJC_PROTOCOL_$_UIWindowSceneDelegate"
338 locations foundSymbolic address list.
(lldb) symbolic (0x1845aed8c 0x1837685ec 0x18450a448 0x104360f78 0x18e4fd83c 0x18e3a3760 0x18e39d7c8 0x18e392890 0x18e3911d0 0x18eb72d1c 0x18eb752c8 0x18eb6e368 0x184557404 0x184556c2c 0x18455479c 0x184474da8 0x186459020 0x18e491758 0x104361da0 0x183f05fc0)
backtrace:
frame #0: 0x1845aed8c CoreFoundation`__exceptionPreprocess + 228
frame #1: 0x1837685ec libobjc.A.dylib`objc_exception_throw + 56
frame #2: 0x18450a448 CoreFoundation`-[__NSArray0 objectEnumerator] + 0
frame #3: 0x104360f78 Interlock`-[ViewController touchesBegan:withEvent:] + at ViewController.m:51:5
...or
(lldb) symbolic 0x1845aed8c 0x1837685ec 0x18450a448 0x104360f78 0x18e4fd83c 0x18e3a3760 0x18e39d7c8 0x18e392890 0x18e3911d0 0x18eb72d1c 0x18eb752c8 0x18eb6e368 0x184557404 0x184556c2c 0x18455479c 0x184474da8 0x186459020 0x18e491758 0x104361da0 0x183f05fc0
backtrace:
frame #0: 0x1845aed8c CoreFoundation`__exceptionPreprocess + 228
frame #1: 0x1837685ec libobjc.A.dylib`objc_exception_throw + 56
frame #2: 0x18450a448 CoreFoundation`-[__NSArray0 objectEnumerator] + 0
frame #3: 0x104360f78 Interlock`-[ViewController touchesBegan:withEvent:] + at ViewController.m:51:5
...Detects endless loop in all threads at this point.
- (void)touchesBegan:(NSSet<UITouch *> *)touches withEvent:(UIEvent *)event {
int a = 1;
NSLog(@"%s", __PRETTY_FUNCTION__);
while (a) {
a++;
}
}# touch device screen
2023-05-20 12:29:52.604910+0800 Interlock[56660:1841567] -[ViewController touchesBegan:withEvent:]
# pause program execution, then execute find_el in lldb
(lldb) find_el
Breakpoint 1: where = Interlock`-[ViewController touchesBegan:withEvent:] + 136 at ViewController.mm:34:5, address = 0x109dd8d48
Breakpoint 2: where = Interlock`main + 110 at main.m:17:5, address = 0x109dd911e
delete breakpoint 2
call Interlock`-[ViewController touchesBegan:withEvent:] + 136 at ViewController.m:34:5, 22 times per second, hit_count: 100
...Get extended backtrace of thread.
(lldb) bt
* thread #2, queue = 'com.apple.root.default-qos', stop reason = breakpoint 6.1
* frame #0: 0x0000000104ab58f8 Concurrency`__41-[ViewController touchesBegan:withEvent:]_block_invoke(.block_descriptor=0x0000000104ab80f8) at ViewController.m:29:13
frame #1: 0x0000000104df51dc libdispatch.dylib`_dispatch_call_block_and_release + 24
frame #2: 0x0000000104df519c libdispatch.dylib`_dispatch_client_callout + 16
frame #3: 0x0000000104e01200 libdispatch.dylib`_dispatch_queue_override_invoke + 968
frame #4: 0x0000000104e067c8 libdispatch.dylib`_dispatch_root_queue_drain + 604
frame #5: 0x0000000104e06500 libdispatch.dylib`_dispatch_worker_thread3 + 136
frame #6: 0x0000000181fc3fac libsystem_pthread.dylib`_pthread_wqthread + 1176
frame #7: 0x0000000181fc3b08 libsystem_pthread.dylib`start_wqthread + 4
(lldb) thread_eb
thread #4294967295: tid = 0x190c, 0x0000000104e907cc libdispatch.dylib`_dispatch_root_queue_push_override + 160, queue = 'com.apple.main-thread'
frame #0: 0x0000000104e907cc libdispatch.dylib`_dispatch_root_queue_push_override + 160
frame #1: 0x0000000104ded884 Concurrency`-[ViewController touchesBegan:withEvent:](self=<unavailable>, _cmd=<unavailable>, touches=<unavailable>, event=<unavailable>) at ViewController.m:25:5
frame #2: 0x000000018bb1583c UIKit`forwardTouchMethod + 340
frame #3: 0x000000018b9bb760 UIKit`-[UIResponder touchesBegan:withEvent:] + 60
...https://github.com/DerekSelander/LLDB
https://github.com/facebook/chisel
https://github.com/aaronst/macholibre
YJLLDB is released under the Apache License 2.0. See LICENSE file for details.