Tool paths
Starting with NDK 24, the Android NDK ships only lldb.
{NDK-Dir}/toolchains/llvm/prebuilt/darwin-x86_64/bin/lldb      // binary
{NDK-Dir}/toolchains/llvm/prebuilt/darwin-x86_64/bin/lldb.sh   // launcher script
Script contents
#!/bin/bash
CURDIR=$(cd $(dirname $0) && pwd)
export PYTHONHOME="$CURDIR/../python3"
export DYLD_LIBRARY_PATH="$CURDIR/../python3/lib:$DYLD_LIBRARY_PATH"
"$CURDIR/lldb" "$@"
For convenience, add the directory containing lldb.sh to your PATH environment variable (NDK-Dir is your own NDK path):
$ vi ~/.bash_profile
export PATH=${PATH}:{NDK-Dir}/toolchains/llvm/prebuilt/darwin-x86_64/bin
Starting lldb and loading a coredump
Run lldb
First set the search path for the libraries
(lldb) settings set target.exec-search-paths /Users/pang/lib
Then load the core file together with app_process
(lldb) target create "app_process64" --core "core-2136-2166"
If the output is incomplete, try forcing the symbols to be refreshed:
(lldb) settings set target.load-script-from-symbol-file true
(lldb) bt
* thread #1, name = 'test.crash', stop reason = signal SIGSEGV
* frame #0: 0x00000071b32e84f4 libnative-lib.so`sample_test_dlsym(filename="", symbol="", debug_symbol=true, cache=0x0000007fc926aa50, try_force_dlopen=false) at sample.c:70:6
frame #1: 0x00000071b32e8198 libnative-lib.so`crash_test(env=0xb40000735ec2d650, thiz=0x00000074d82ac188) at sample.c:140:3
frame #2: 0x000000722b227434 libart.so`art_quick_generic_jni_trampoline at quick_entrypoints_arm64.S:1872
frame #3: 0x000000722b210c84 libart.so`art_quick_invoke_static_stub at quick_entrypoints_arm64.S:688
(lldb) image add /Users/Downloads/coredump/lib/libart.so
(lldb) image add /Users/Downloads/coredump/lib/libnative-lib.so
(lldb) image add /Users/Downloads/coredump/lib/libc++_shared.so
(lldb) image add /Users/Downloads/coredump/lib/boot-framework.oat
(lldb) image list
[ 0] E8762C07-2E6C-37BB-8093-E340CC42E9F2 0x00000061cd703000 /Users/Downloads/coredump/app_process64
[ 1] B221DDF9-4935-96DE-C8A8-4B0692083BEF libart.so[0x0000000000000000] /Users/Downloads/coredump/lib/libart.so
[ 2] 439D8A40-5A06-C778-392C-DCD9FC7876E5-48F7AD00 libnative-lib.so[0x0000000000000000] /Users/Downloads/coredump/lib/libnative-lib.so
[ 3] 7DC5F791-24FB-C1A4-8650-6D25783650B0-7E98A111 libc++_shared.so[0x0000000000000000] /Users/Downloads/coredump/lib/libc++_shared.so
[ 4] 4F98E153-22C5-8B22-E963-0BB1EFBF0633-EB3F0536 boot-framework.oat[0x0000000000000000] /Users/Downloads/coredump/lib/boot-framework.oat
Common commands
Printing the backtrace
Use the bt command. If the backtrace is too long, append a count to limit it, e.g. bt 5 prints only the first 5 frames.
(lldb) bt
* thread #1, name = 'test.crash', stop reason = signal SIGSEGV
* frame #0: 0x00000071b32e84f4 libsample.so`sample_test_dlsym(filename="", symbol="", debug_symbol=true, cache=0x0000007fc926aa50, try_force_dlopen=false) at sample.c:70:6
frame #1: 0x00000071b32e8198 libsample.so`crash_test(env=0xb40000735ec2d650, thiz=0x00000074d82ac188) at sample.c:140:3
frame #2: 0x000000722b227434 libart.so`art_quick_generic_jni_trampoline at quick_entrypoints_arm64.S:1872
frame #3: 0x000000722b210c84 libart.so`art_quick_invoke_static_stub at quick_entrypoints_arm64.S:688
Printing the backtrace of all threads
(lldb) thread backtrace all
* thread #1, name = 'ndroid.lark', stop reason = signal SIGSEGV
frame #0: 0x00000070261efed8 libc.so`getenv + 76
* frame #1: 0x0000006f76dbb560 libsscronet.so`event_base_new + 220
frame #2: 0x0000006f76c2858c libsscronet.so`base::MessagePumpLibevent::MessagePumpLibevent() + 48
frame #3: 0x0000006f76be0ff0 libsscronet.so`base::MessagePump::Create(base::MessagePump::Type) + 84
frame #4: 0x0000006f76be0af8 libsscronet.so`base::MessageLoop::BindToCurrentThread() + 60
frame #5: 0x0000006f76c144e8 libsscronet.so`base::internal::MessageLoopTaskEnvironment::BindToCurrentThread(base::TimerSlack) + 28
frame #6: 0x0000006f76c14318 libsscronet.so`base::Thread::ThreadMain() + 224
frame #7: 0x0000006f76c22418 libsscronet.so`base::(anonymous namespace)::ThreadFunc(void*) + 100
frame #8: 0x0000007026204a70 libc.so`__pthread_start(void*) + 40
frame #9: 0x00000070261a56e8 libc.so`__start_thread + 72
thread #2, stop reason = signal SIGSEGV
frame #0: 0x0000000071e6562c
frame #1: 0x0000006f9fde162c libart.so`art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*) + 236
frame #2: 0x0000006fa01843ec libart.so`art::(anonymous namespace)::InvokeWithArgArray(art::ScopedObjectAccessAlreadyRunnable const&, art::ArtMethod*, art::(anonymous namespace)::ArgArray*, art::JValue*, char const*) + 108
frame #3: 0x0000006fa01850a8 libart.so`art::InvokeWithJValues(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jmethodID*, jvalue*) + 412
frame #4: 0x0000006fa006d4ac libart.so`art::JNI::CallStaticObjectMethodA(_JNIEnv*, _jclass*, _jmethodID*, jvalue*) + 640
frame #5: 0x0000006fa021e808 libart.so`art::InvokeProxyInvocationHandler(art::ScopedObjectAccessAlreadyRunnable&, char const*, _jobject*, _jobject*, std::__1::vector<jvalue, std::__1::allocator<jvalue> >&) + 608
frame #6: 0x0000006fa023d8ac libart.so`artQuickProxyInvokeHandler + 1000
frame #7: 0x0000006fa0292170 libart.so`art_quick_proxy_invoke_handler + 80
Inspecting a stack frame
Use the frame n command, where n is the index of the frame to inspect.
(lldb) frame 0
frame #0: 0x00000071b32e84f4 libsample.so`sample_test_dlsym(filename="", symbol="", debug_symbol=true, cache=0x0000007fc926aa50, try_force_dlopen=false) at sample.c:70:6
Viewing function arguments and local variables
Use the frame variable command (abbreviated fr v), the equivalent of info args plus info locals in gdb.
(lldb) frame variable
// function arguments
(const char *) filename = 0x00000071b32e7d70 ""
(const char *) symbol = 0x00000071b32e7c32 ""
(bool) debug_symbol = true
(void **) cache = 0x0000007fc926aa50
(bool) try_force_dlopen = false
// function local variables
(int *) a = 0x0000000000000000
(xdl_info_t) info = {
dli_fname = 0x0000007fc926a9f0 "\x80\xaa&\xc9\U0000007f"
dli_fbase = 0x00000071b32e84a0
dli_sname = 0xb40000725ec2a010 ""
dli_saddr = 0xb40000725ec2a010
dli_ssize = 9
dlpi_phdr = NULL
dlpi_phnum = 488337475956
}
(void *) handle = 0x0000000000000000
(size_t) symbol_size = 1721216442352843089
(void *) symbol_addr = 0x00000071b32e8974
(void *) linker_handle = 0x00000074e00380ec
To view only the local variables, use frame variable --no-args (abbreviated fr v -a), the equivalent of gdb's info locals.
(lldb) frame variable --no-args
(int *) a = 0x0000000000000000
(xdl_info_t) info = {
dli_fname = 0x0000007fc926a9f0 "\x80\xaa&\xc9\U0000007f"
dli_fbase = 0x00000071b32e84a0
dli_sname = 0xb40000725ec2a010 ""
dli_saddr = 0xb40000725ec2a010
dli_ssize = 9
dlpi_phdr = NULL
dlpi_phnum = 488337475956
}
(void *) handle = 0x0000000000000000
(size_t) symbol_size = 1721216442352843089
(void *) symbol_addr = 0x00000071b32e8974
(void *) linker_handle = 0x00000074e00380ec
Viewing function disassembly
Use the disassemble command (abbreviated dis).
(lldb) dis
libsample.so`sample_test_dlsym:
0x71b32e84ac <+0>: sub sp, sp, #0x1d0
0x71b32e84b0 <+4>: stp x29, x30, [sp, #0x1b0]
0x71b32e84b4 <+8>: str x28, [sp, #0x1c0]
0x71b32e84b8 <+12>: add x29, sp, #0x1b0
0x71b32e84bc <+16>: mrs x8, TPIDR_EL0
0x71b32e84c0 <+20>: ldr x8, [x8, #0x28]
0x71b32e84c4 <+24>: stur x8, [x29, #-0x8]
0x71b32e84c8 <+28>: stur x0, [x29, #-0xb0]
0x71b32e84cc <+32>: stur x1, [x29, #-0xb8]
0x71b32e84d0 <+36>: and w8, w2, #0x1
0x71b32e84d4 <+40>: sturb w8, [x29, #-0xbc]
0x71b32e84d8 <+44>: stur x3, [x29, #-0xc8]
0x71b32e84dc <+48>: and w8, w4, #0x1
0x71b32e84e0 <+52>: sturb w8, [x29, #-0xcc]
0x71b32e84e4 <+56>: mov x8, xzr
0x71b32e84e8 <+60>: str x8, [sp, #0xd8]
0x71b32e84ec <+64>: ldr x9, [sp, #0xd8]
0x71b32e84f0 <+68>: mov w8, #0x9
-> 0x71b32e84f4 <+72>: str w8, [x9]
0x71b32e84f8 <+76>: ldurb w8, [x29, #-0xcc]
0x71b32e84fc <+80>: tbz w8, #0x0, 0x1550 ; <+164> at sample.c:80:3
0x71b32e8500 <+84>: b 0x1504 ; <+88> at sample.c:75:34
Use -n followed by a function name to disassemble that function.
(lldb) disassemble -n event_base_new
libsscronet.so`event_base_new:
0x6f76dbb484 <+0>: stp x22, x21, [sp, #-0x30]!
0x6f76dbb488 <+4>: stp x20, x19, [sp, #0x10]
0x6f76dbb48c <+8>: stp x29, x30, [sp, #0x20]
0x6f76dbb490 <+12>: add x29, sp, #0x20
0x6f76dbb494 <+16>: mov w0, #0x1
0x6f76dbb498 <+20>: mov w1, #0x628
0x6f76dbb49c <+24>: bl 0x6f76c22770 ; __wrap_calloc
0x6f76dbb4a0 <+28>: mov x19, x0
0x6f76dbb4a4 <+32>: cbnz x0, 0x6f76dbb4c0 ; <+60>
Use -a followed by an address to disassemble the function containing that address.
(lldb) disassemble -a 0x6f76dbb560
libsscronet.so`event_base_new:
0x6f76dbb484 <+0>: stp x22, x21, [sp, #-0x30]!
0x6f76dbb488 <+4>: stp x20, x19, [sp, #0x10]
0x6f76dbb48c <+8>: stp x29, x30, [sp, #0x20]
0x6f76dbb490 <+12>: add x29, sp, #0x20
0x6f76dbb494 <+16>: mov w0, #0x1
0x6f76dbb498 <+20>: mov w1, #0x628
Read memory, then disassemble the functions at the addresses it contains
(lldb) memory read/128gx 0x0000005aedef0d00
0x5aedef0d00: 0x0000005aede76e78 0x0000005aede77398
0x5aedef0d10: 0x0000005aede4c840 0x0000005aede4c8a0
0x5aedef0d20: 0x0000005aede4c914 0x0000000000000000
0x5aedef0d30: 0x0000005aede4c9c4 0x0000005aede5df4c
0x5aedef0d40: 0x0000005aede4ca0c 0x0000000000000000
(lldb) disass -s 0x5aede76e78
ld-musl-aarch64.so.1`mmap64:
0x5aede76e78 <+0>: stp x29, x30, [sp, #-0x50]!
0x5aede76e7c <+4>: str x25, [sp, #0x10]
0x5aede76e80 <+8>: stp x24, x23, [sp, #0x20]
0x5aede76e84 <+12>: stp x22, x21, [sp, #0x30]
0x5aede76e88 <+16>: stp x20, x19, [sp, #0x40]
0x5aede76e8c <+20>: mov x29, sp
0x5aede76e90 <+24>: tst x5, #0xfff
0x5aede76e94 <+28>: b.ne 0x5aede76f44 ; <+204>
(lldb) disass -s 0x5aede77398
ld-musl-aarch64.so.1`__munmap:
0x5aede77398 <+0>: stp x29, x30, [sp, #-0x30]!
0x5aede7739c <+4>: str x21, [sp, #0x10]
0x5aede773a0 <+8>: stp x20, x19, [sp, #0x20]
0x5aede773a4 <+12>: mov x29, sp
0x5aede773a8 <+16>: adrp x8, 649
0x5aede773ac <+20>: mov x19, x1
0x5aede773b0 <+24>: mov x20, x0
0x5aede773b4 <+28>: ldr w2, [x8, #0x2c]
(lldb) disass -s 0x0000005aede4c840
ld-musl-aarch64.so.1`libc_gwp_asan_malloc:
0x5aede4c840 <+0>: stp x29, x30, [sp, #-0x20]!
0x5aede4c844 <+4>: str x19, [sp, #0x10]
0x5aede4c848 <+8>: mov x29, sp
0x5aede4c84c <+12>: adrp x8, 690
0x5aede4c850 <+16>: mov x19, x0
0x5aede4c854 <+20>: ldrb w8, [x8, #0x370]
0x5aede4c858 <+24>: cmp w8, #0x1
0x5aede4c85c <+28>: b.eq 0x5aede4c870 ; <+48>
(lldb) disass -s 0x0000005aede4c8a0
ld-musl-aarch64.so.1`libc_gwp_asan_calloc:
0x5aede4c8a0 <+0>: stp x29, x30, [sp, #-0x20]!
0x5aede4c8a4 <+4>: stp x20, x19, [sp, #0x10]
0x5aede4c8a8 <+8>: mov x29, sp
0x5aede4c8ac <+12>: adrp x8, 690
0x5aede4c8b0 <+16>: mov x19, x1
0x5aede4c8b4 <+20>: mov x20, x0
0x5aede4c8b8 <+24>: ldrb w8, [x8, #0x370]
0x5aede4c8bc <+28>: cmp w8, #0x1
(lldb) disass -s 0x0000005aede4c914
ld-musl-aarch64.so.1`libc_gwp_asan_realloc:
0x5aede4c914 <+0>: sub sp, sp, #0x30
0x5aede4c918 <+4>: stp x29, x30, [sp, #0x10]
0x5aede4c91c <+8>: stp x20, x19, [sp, #0x20]
0x5aede4c920 <+12>: add x29, sp, #0x10
0x5aede4c924 <+16>: adrp x8, 690
0x5aede4c928 <+20>: ldrb w8, [x8, #0x370]
0x5aede4c92c <+24>: tbnz w8, #0x0, 0x5aede4c940 ; <+44>
0x5aede4c930 <+28>: ldp x20, x19, [sp, #0x20]
(lldb) disass -s 0x0000005aede4c9c4
ld-musl-aarch64.so.1`libc_gwp_asan_free:
0x5aede4c9c4 <+0>: stp x29, x30, [sp, #-0x20]!
0x5aede4c9c8 <+4>: str x19, [sp, #0x10]
0x5aede4c9cc <+8>: mov x29, sp
0x5aede4c9d0 <+12>: adrp x8, 690
0x5aede4c9d4 <+16>: ldrb w8, [x8, #0x370]
0x5aede4c9d8 <+20>: tbnz w8, #0x0, 0x5aede4c9e8 ; <+36>
0x5aede4c9dc <+24>: ldr x19, [sp, #0x10]
0x5aede4c9e0 <+28>: ldp x29, x30, [sp], #0x20
Related commands
(lldb) disassemble --frame
(lldb) di -f
(lldb) disassemble --name main
(lldb) di -n main
(lldb) disassemble --start-address 0x1eb8 --end-address 0x1ec3
(lldb) di -s 0x1eb8 -e 0x1ec3
(lldb) disassemble --start-address 0x1eb8 --count 20
(lldb) di -s 0x1eb8 -c 20
Viewing register information
register read
(lldb) register read
General Purpose Registers:
x0 = 0x00000071b32e7d70
x1 = 0x00000071b32e7c32
x2 = 0x0000000000000001
x3 = 0x0000007fc926aa50
x4 = 0x0000000000000000
x5 = 0x0000000000008a98
x6 = 0x2c2c2c2c2c2c2c2c
x7 = 0x7f7f7f7f7f7f7f7f
x8 = 0x0000000000000009
x9 = 0x0000000000000000
x10 = 0x00000000000003e8
x11 = 0x17e2fd3c2400b951
x12 = 0x0000007fc9269220
x13 = 0x0000000000000043
x14 = 0x0000007fc926a568
x15 = 0x00000000c939641a
x16 = 0x00000074cb5413c8
x17 = 0x00000074cb51e3f0 libc.so`nanosleep
x18 = 0x00000074ee83a000
x19 = 0xb40000725ec2a010
x20 = 0x0000000000000000
x21 = 0xb40000725ec2a0d8
x22 = 0xb40000725ec2a0c0
x23 = 0x0000007fc926ac30
x24 = 0x0000000000000000
x25 = 0x0000007fc926ac70
x26 = 0x00000074d82ac188
x27 = 0xb40000725ec2a010
x28 = 0x0000007fc926aa80
fp = 0x0000007fc926a9e0
lr = 0x00000071b32e8198 libsample.so`sample_test + 88 at sample.c:140:3
sp = 0x0000007fc926a830
pc = 0x00000071b32e84f4 libsample.so`sample_test_dlsym + 72 at sample.c:70:6
cpsr = 0x60001000
Printing variables
p: prints the value, its type, the result reference name ($N) and the memory address
po: prints only the value
Printing a struct variable
(lldb) p info
(xdl_info_t) $2 = {
dli_fname = 0x0000007fc926a9f0 "\x80\xaa&\xc9\U0000007f"
dli_fbase = 0x00000071b32e84a0
dli_sname = 0xb40000725ec2a010 ""
dli_saddr = 0xb40000725ec2a010
dli_ssize = 9
dlpi_phdr = NULL
dlpi_phnum = 488337475956
}
(lldb) p/x info
(xdl_info_t) $3 = {
dli_fname = 0x0000007fc926a9f0 "\x80\xaa&\xc9\U0000007f"
dli_fbase = 0x00000071b32e84a0
dli_sname = 0xb40000725ec2a010 ""
dli_saddr = 0xb40000725ec2a010
dli_ssize = 0x0000000000000009
dlpi_phdr = NULL
dlpi_phnum = 0x00000071b32e8974
}
// print the value of a register
(lldb) p/x $sp
(unsigned long) $4 = 0x0000007fc926a830
Reading memory
The memory read command
(lldb) memory read 0x0000007fc926a830
0x7fc926a830: 50 12 31 b3 71 00 00 00 28 a9 26 c9 7f 00 00 00 P.1.q...(.&.....
0x7fc926a840: 00 70 2e b3 71 00 00 00 00 32 9e ec 74 00 00 00 .p..q....2..t...
(lldb) memory read/4gx 0x0000007fc926a830
0x7fc926a830: 0x00000071b3311250 0x0000007fc926a928
0x7fc926a840: 0x00000071b32e7000 0x00000074ec9e3200
Abbreviated form: x followed by an address or a variable
(lldb) x 0x0000007fc926a830
0x7fc926a830: 50 12 31 b3 71 00 00 00 28 a9 26 c9 7f 00 00 00 P.1.q...(.&.....
0x7fc926a840: 00 70 2e b3 71 00 00 00 00 32 9e ec 74 00 00 00 .p..q....2..t...
(lldb) x/4gx 0x0000007fc926a830
0x7fc926a830: 0x00000071b3311250 0x0000007fc926a928
0x7fc926a840: 0x00000071b32e7000 0x00000074ec9e3200
//memory read --size 8 --format x --count 8 0x7fc926a830
(lldb) x -s8 -fx -c8 0x7fc926a830
0x7fc926a830: 0x00000071b3311250 0x0000007fc926a928
0x7fc926a840: 0x00000071b32e7000 0x00000074ec9e3200
0x7fc926a850: 0x00000071b32e7040 0x0000000000000009
0x7fc926a860: 0x0000000000000146 0x0000000000000000
Notes:
x is the memory read command. In x/4gx, the leading x is the read command, g means each unit read is 8 bytes, the trailing x means display the result in hexadecimal, and 4 means print 4 consecutive units.
For the size letter (g), the common sizes are: b for byte (1 byte), h for half word (2 bytes), w for word (4 bytes), g for giant word (8 bytes).
For the format letter (x), you can also use o for octal, b for binary, x for hexadecimal, f for floating point, d for decimal.
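As an added example (not code from the original page), the Python below models the gdb-style /COUNT FMT SIZE suffix described above and runs it over the 32 bytes the page reads at 0x7fc926a830, reproducing both the bare x dump and the x/4gx output. One caveat it encodes: inside such a suffix lldb takes b as the 1-byte size letter and t as the binary format (as the page's own p/t 100 shows), so b cannot select binary there; the sample bytes are copied from the page's dump and the helper names are my own.

```python
import re
import struct

# Constructed sample input: the 32 bytes the page reads at 0x7fc926a830, copied from its
# hex dump (AArch64 stack memory, little-endian).
SAMPLE_ADDR = 0x7FC926A830
SAMPLE_BYTES = bytes.fromhex(
    "50 12 31 b3 71 00 00 00 28 a9 26 c9 7f 00 00 00 "
    "00 70 2e b3 71 00 00 00 00 32 9e ec 74 00 00 00"
)

SIZE_LETTERS = {"b": 1, "h": 2, "w": 4, "g": 8}  # byte, half word, word, giant word
FORMAT_LETTERS = "xdotfc"  # hex, decimal, octal, binary (t), float, char

def parse_gdb_format(spec):
    """Parse a gdb-style suffix such as '/4gx' into (count, fmt, size); letter order is free.
    Both letters are required here; lldb's own defaults for missing letters are not modelled."""
    m = re.fullmatch(r"/(\d*)([a-zA-Z]*)", spec)
    if not m:
        raise ValueError(f"bad format spec {spec!r}")
    count = int(m.group(1)) if m.group(1) else 1
    fmt = size = None
    for ch in m.group(2):
        if ch in SIZE_LETTERS:
            size = SIZE_LETTERS[ch]
        elif ch in FORMAT_LETTERS:
            fmt = ch
        else:
            raise ValueError(f"unknown letter {ch!r} in {spec!r}")
    if fmt is None or size is None:
        raise ValueError("need both a format and a size letter, e.g. /4gx")
    return count, fmt, size

def render_unit(raw, fmt):
    """Format one little-endian unit according to the format letter."""
    size = len(raw)
    if fmt == "f":  # w -> float, g -> double
        return repr(struct.unpack({4: "<f", 8: "<d"}[size], raw)[0])
    value = int.from_bytes(raw, "little", signed=(fmt == "d"))
    if fmt == "x":
        return f"0x{value:0{2 * size}x}"
    if fmt == "o":
        return f"0{value:o}"
    if fmt == "t":
        return f"0b{value:0{8 * size}b}"
    if fmt == "c":
        return chr(value) if 0x20 <= value <= 0x7E else f"\\x{value:02x}"
    return str(value)  # 'd'

def memory_read(spec, addr, data):
    """Render DATA (memory starting at ADDR) like `x SPEC ADDR`: 16 bytes per output line."""
    count, fmt, size = parse_gdb_format(spec)
    if count * size > len(data):
        raise ValueError(f"{spec} needs {count * size} bytes, only {len(data)} available")
    units = [render_unit(data[i:i + size], fmt) for i in range(0, count * size, size)]
    per_line = 16 // size
    return [f"0x{addr + i * size:x}: " + " ".join(units[i:i + per_line])
            for i in range(0, count, per_line)]

def memory_dump(addr, data):
    """Render DATA like a bare `x ADDR`: hex bytes plus an ASCII column, 16 bytes per line."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in chunk)
        lines.append(f"0x{addr + off:x}: {hexpart} {text}")
    return lines
```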
Viewing thread information
(lldb) thread info
thread #1: tid = 4786, 0x00000071b32e84f4 libsample.so`sample_test_dlsym(filename="", symbol="", debug_symbol=true, cache=0x0000007fc926aa50, try_force_dlopen=false) at sample.c:70:6, name = 'king.xdl.sample', stop reason = signal SIGSEGV
Switching threads
(lldb) thread select n
(lldb) t n
Listing threads
(lldb) thread list
Process 4786 stopped
* thread #1: tid = 4786, 0x00000071b32e84f4 libsample.so`sample_test_dlsym(filename="", symbol="", debug_symbol=true, cache=0x0000007fc926aa50, try_force_dlopen=false) at sample.c:70:6, name = 'king.xdl.sample', stop reason = signal SIGSEGV
thread #2: tid = 4800, 0x00000074cb51dc78 libc.so`__ioctl at syscalls-arm64.S:799, stop reason = signal 0
thread #3: tid = 4797, 0x00000074cb4c123c libc.so`syscall at syscall.S:41, stop reason = signal 0
thread #4: tid = 4805, 0x00000074cb51ec38 libc.so`__epoll_pwait at syscalls-arm64.S:2370, stop reason = signal 0
thread #5: tid = 4825, 0x00000074cb51ec38 libc.so`__epoll_pwait at syscalls-arm64.S:2370, stop reason = signal 0
thread #6: tid = 4824, 0x00000074cb4c123c libc.so`syscall at syscall.S:41, stop reason = signal 0
thread #7: tid = 4811, 0x00000074cb51ed34 libc.so`__ppoll at syscalls-arm64.S:2469, stop reason = signal 0
thread #8: tid = 4847, 0x00000074cb51e3f4 libc.so`nanosleep at syscalls-arm64.S:1550, stop reason = signal 0
thread #9: tid = 4798, 0x00000074cb4c123c libc.so`syscall at syscall.S:41, stop reason = signal 0
thread #10: tid = 4837, 0x00000074cb4c123c libc.so`syscall at syscall.S:41, stop reason = signal 0
thread #11: tid = 4819, 0x00000074cb4c123c libc.so`syscall at syscall.S:41, stop reason = signal 0
thread #12: tid = 4843, 0x00000074cb51dc78 libc.so`__ioctl at syscalls-arm64.S:799, stop reason = signal 0
thread #13: tid = 4793, 0x00000074cb51ed34 libc.so`__ppoll at syscalls-arm64.S:2469, stop reason = signal 0
thread #14: tid = 4791, 0x00000074cb51e658 libc.so`__rt_sigtimedwait at syscalls-arm64.S:1790, stop reason = signal 0
thread #15: tid = 4820, 0x00000074cb4c123c libc.so`syscall at syscall.S:41, stop reason = signal 0
thread #16: tid = 4801, 0x00000074cb51dc78 libc.so`__ioctl at syscalls-arm64.S:799, stop reason = signal 0
thread #17: tid = 4792, 0x00000074cb51d954 libc.so`read at syscalls-arm64.S:486, stop reason = signal 0
thread #18: tid = 4794, 0x00000074cb4c123c libc.so`syscall at syscall.S:41, stop reason = signal 0
thread #19: tid = 4799, 0x000000722b3e1a84 libart.so`art::EnsureInitialized(self=0xb40000725ec5c6a0, shadow_frame=0x00000071b82d8020) at common_dex_operations.h:63, stop reason = signal 0
thread #20: tid = 4796, 0x00000074cb4c123c libc.so`syscall at syscall.S:41, stop reason = signal 0
thread #21: tid = 4803, 0x00000074cb4c123c libc.so`syscall at syscall.S:41, stop reason = signal 0
thread #22: tid = 4812, 0x00000074cb4c123c libc.so`syscall at syscall.S:41, stop reason = signal 0
thread #23: tid = 4855, 0x00000074cb51dc78 libc.so`__ioctl at syscalls-arm64.S:799, stop reason = signal 0
thread #24: tid = 4822, 0x00000074cb51ec38 libc.so`__epoll_pwait at syscalls-arm64.S:2370, stop reason = signal 0
thread #25: tid = 4795, 0x00000074cb4c123c libc.so`syscall at syscall.S:41, stop reason = signal 0
Base conversion of constants
// printed in decimal by default
(lldb) p 100
(int) $7 = 100
// to hexadecimal
(lldb) p/x 100
(int) $8 = 0x00000064
// to octal
(lldb) p/o 100
(int) $9 = 0144
// to binary
(lldb) p/t 100
(int) $10 = 0b00000000000000000000000001100100
// character to decimal number
(lldb) p/d 'a'
(char) $11 = 97
// decimal number to character
(lldb) p/c 97
(int) $12 = a\0\0\0
Viewing the symbol table of a specified .so
image dump symfile <index/so_file>: prints the symbol list of the specified module
(lldb) image dump symfile /Users/pang/.lldb/module_cache/remote-ohos/.cache/BA282D4E-0C9A-DD4F-48AA-3FF367D51FC7/ld-musl-aarch64.so.1
SymbolFile symtab (/Users/pang/.lldb/module_cache/remote-ohos/.cache/BA282D4E-0C9A-DD4F-48AA-3FF367D51FC7/ld-musl-aarch64.so.1)
Types:
Compile units:
Symtab, file = /Users/pang/.lldb/module_cache/remote-ohos/.cache/BA282D4E-0C9A-DD4F-48AA-3FF367D51FC7/ld-musl-aarch64.so.1, num_symbols = 4073:
Debug symbol
|Synthetic symbol
||Externally Visible
|||
Index UserID DSX Type File Address/Value Load Address Size Flags Name
------- ------ --- --------------- ------------------ ------------------ ------------------ ---------- ----------------------------------
[ 0] 1 Data 0x00000000001ee7e0 0x0000000000000008 0x00000001 _dlstart_c.static_func_ptr
[ 1] 2 Code 0x000000000009051c 0x000000000000025c 0x00000202 _dlstart_c
[ 2] 3 Code 0x000000000009ad2c 0x0000000000000138 0x00000002 check_verinfo
[ 3] 4 Code 0x0000000000090cac 0x0000000000000210 0x00000002 do_init_fini
[ 4] 5 Code 0x0000000000090ebc 0x0000000000000004 0x00000002 dl_debug_state
[ 5] 6 Code 0x00000000000911c4 0x00000000000001c4 0x00000002 kernel_mapped_dso
[ 6] 7 Code 0x0000000000091388 0x00000000000002d0 0x00000002 decode_dyn
[ 7] 8 Code 0x0000000000091658 0x00000000000007c0 0x00000002 reloc_all
[ 8] 9 Code 0x000000000009bd78 0x0000000000000360 0x00000002 find_sym2
[ 9] 10 Code 0x000000000009ae64 0x000000000000098c 0x00000002 do_relocs
[ 10] 11 Code 0x000000000009b7f0 0x0000000000000588 0x00000002 do_android_relocs
[ 11] 12 Code 0x0000000000093a38 0x00000000000000e8 0x00000002 error_impl
[ 12] 13 Code 0x0000000000093b20 0x0000000000000164 0x00000002 reclaim_gaps
[ 13] 14 Code 0x0000000000093c84 0x0000000000000160 0x00000002 find_and_set_bss_name
[ 14] 15 Code 0x000000000009c5b4 0x00000000000000d4 0x00000002 set_ns_attrs
......
[ 1959] 1960 Code 0x000000000014b840 0x0000000000000060 0x00000002 libc_gwp_asan_malloc
[ 1960] 1961 Code 0x000000000015cf4c 0x0000000000000004 0x00000002 __libc_aligned_alloc
[ 1961] 1962 Code 0x000000000014b9c4 0x0000000000000048 0x00000002 libc_gwp_asan_free
[ 1962] 1963 Code 0x0000000000175e78 0x0000000000000158 0x00000002 __libc_mmap
[ 1963] 1964 Code 0x0000000000176398 0x00000000000000b8 0x00000002 __libc_munmap
[ 1964] 1965 Code 0x000000000014b8a0 0x0000000000000074 0x00000002 libc_gwp_asan_calloc
[ 1965] 1966 Code 0x000000000014b914 0x00000000000000b0 0x00000002 libc_gwp_asan_realloc
[ 1966] 1967 Code 0x000000000014ba0c 0x0000000000000048 0x00000002 libc_gwp_asan_malloc_usable_size
[ 1967] 1968 Code 0x0000000000154400 0x00000000000001d8 0x00000002 __libc_prctl
[ 1968] 1969 Code 0x000000000014e210 0x0000000000000160 0x00000202 HiLogAdapterPrint
[ 1969] 1970 Code 0x000000000015d8cc 0x0000000000000004 0x00000002 __libc_malloc_usable_size
[ 1970] 1971 Code 0x0000000000182fac 0x00000000000002cc 0x00000002 __libc_socket
[ 1971] 1972 Code 0x000000000015d0d0 0x00000000000002a8 0x00000202 __libc_free
[ 1972] 1973 Code 0x00000000001c8aa4 0x000000000000032c 0x00000002 trace_marker_end
[ 1973] 1974 Data 0x00000000001efb64 0x0000000000000004 0x00000201 __default_stacksize
[ 1974] 1975 Code 0x000000000015f638 0x0000000000000004 0x00000202 __libc_malloc
[ 1975] 1976 Code 0x000000000015ef1c 0x00000000000004a8 0x00000202 __libc_realloc
......
[ 2788] 2790 X Data 0x0000000000409350 0x0000000000000178 0x00000011 __musl_libc_globals
......
[ 2825] 2827 X Data 0x00000000001efd00 0x00000000000000b0 0x00000011 __libc_malloc_default_dispatch
Finding which .so a specified symbol lives in
(lldb) image lookup -n mallinfo
1 match found in /Users/pang/.lldb/module_cache/remote-ohos/.cache/BA282D4E-0C9A-DD4F-48AA-3FF367D51FC7/ld-musl-aarch64.so.1:
Address: ld-musl-aarch64.so.1[0x00000000001c95a4] (ld-musl-aarch64.so.1.PT_LOAD[1]..text + 1282212)
Summary: ld-musl-aarch64.so.1`mallinfo
(lldb) image lookup -n je_mallinfo
1 match found in /Users/pang/.lldb/module_cache/remote-ohos/.cache/BA282D4E-0C9A-DD4F-48AA-3FF367D51FC7/ld-musl-aarch64.so.1:
Address: ld-musl-aarch64.so.1[0x00000000000c5dc8] (ld-musl-aarch64.so.1.PT_LOAD[1]..text + 219336)
Summary: ld-musl-aarch64.so.1`je_mallinfo
Checking the corresponding address with readelf
entry 311 {
initial_location: 0xc5dc8
address: 0x6efb8
}
DWARF information
[0x6efb8] FDE length=44 cie=[0x6b558]
initial_location: 0xc5dc8
address_range: 0x3a8 (end : 0xc6170)
Program:
DW_CFA_advance_loc: 4
DW_CFA_def_cfa_offset: +112
DW_CFA_advance_loc: 28
DW_CFA_def_cfa: reg29 +96
DW_CFA_offset: reg19 -8
DW_CFA_offset: reg20 -16
DW_CFA_offset: reg21 -24
DW_CFA_offset: reg22 -32
DW_CFA_offset: reg23 -40
DW_CFA_offset: reg24 -48
DW_CFA_offset: reg25 -56
DW_CFA_offset: reg26 -64
DW_CFA_offset: reg27 -72
DW_CFA_offset: reg28 -80
DW_CFA_offset: reg30 -88
DW_CFA_offset: reg29 -96
Checking the corresponding assembly with objdump
c5dc8: ff c3 01 d1 sub sp, sp, #112
c5dcc: fd 7b 01 a9 stp x29, x30, [sp, #16]
c5dd0: fc 6f 02 a9 stp x28, x27, [sp, #32]
c5dd4: fa 67 03 a9 stp x26, x25, [sp, #48]
c5dd8: f8 5f 04 a9 stp x24, x23, [sp, #64]
c5ddc: f6 57 05 a9 stp x22, x21, [sp, #80]
c5de0: f4 4f 06 a9 stp x20, x19, [sp, #96]
c5de4: fd 43 00 91 add x29, sp, #16
c5de8: 00 e4 00 6f movi v0.2d, #0000000000000000
c5dec: a0 09 00 90 adrp x0, #1261568
c5df0: 00 e0 29 91 add x0, x0, #2680
c5df4: f3 03 08 aa mov x19, x8
c5df8: 00 81 00 ad stp q0, q0, [x8, #16]
c5dfc: 00 81 01 ad stp q0, q0, [x8, #48]
c5e00: 00 01 80 3d str q0, [x8]
c5e04: 77 d8 03 94 bl #1008092 <pthread_mutex_trylock>
c5e08: a0 19 00 35 cbnz w0, #820 <strncpy+0x21138>
c5e0c: a8 09 00 90 adrp x8, #1261568
c5e10: 08 a1 29 91 add x8, x8, #2664
Finding which .so an address belongs to
image lookup -a addr
(lldb) image lookup -a 0x0000005aee10a350
Address: ld-musl-aarch64.so.1[0x0000000000409350] (ld-musl-aarch64.so.1.PT_LOAD[3]..bss + 2200912)
Summary: ld-musl-aarch64.so.1`__musl_libc_globals
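Both lookups above (image lookup -n and image lookup -a) come down to one per-module slide (load address = file address + slide) plus a search of the symtab ranges. As an added example, not part of the original page, the Python below rebuilds that on symbol rows copied from the page's image dump symfile output: it derives the slide from the __musl_libc_globals pair in the image lookup -a output and then names the ten function pointers the page read with memory read/128gx at 0x5aedef0d00, an address that, after applying the same slide, is the page's __libc_malloc_default_dispatch symbol at file address 0x1efd00. The row parser handles only this table layout, and the function names are my own.

```python
import re

# Constructed sample: symbol rows copied from the page's `image dump symfile` output for
# ld-musl-aarch64.so.1 (file address, size, flags, name; the Load Address column is empty).
SYMTAB_ROWS = """
[ 1959] 1960 Code 0x000000000014b840 0x0000000000000060 0x00000002 libc_gwp_asan_malloc
[ 1960] 1961 Code 0x000000000015cf4c 0x0000000000000004 0x00000002 __libc_aligned_alloc
[ 1961] 1962 Code 0x000000000014b9c4 0x0000000000000048 0x00000002 libc_gwp_asan_free
[ 1962] 1963 Code 0x0000000000175e78 0x0000000000000158 0x00000002 __libc_mmap
[ 1963] 1964 Code 0x0000000000176398 0x00000000000000b8 0x00000002 __libc_munmap
[ 1964] 1965 Code 0x000000000014b8a0 0x0000000000000074 0x00000002 libc_gwp_asan_calloc
[ 1965] 1966 Code 0x000000000014b914 0x00000000000000b0 0x00000002 libc_gwp_asan_realloc
[ 1966] 1967 Code 0x000000000014ba0c 0x0000000000000048 0x00000002 libc_gwp_asan_malloc_usable_size
[ 2788] 2790 X Data 0x0000000000409350 0x0000000000000178 0x00000011 __musl_libc_globals
[ 2825] 2827 X Data 0x00000000001efd00 0x00000000000000b0 0x00000011 __libc_malloc_default_dispatch
"""
# One (load, file) address pair for the same module, from the page's `image lookup -a` output.
GLOBALS_LOAD_ADDR = 0x5AEE10A350
GLOBALS_FILE_ADDR = 0x409350
# The ten 8-byte words the page read with `memory read/128gx 0x0000005aedef0d00`.
DISPATCH_TABLE_WORDS = [
    0x5AEDE76E78, 0x5AEDE77398, 0x5AEDE4C840, 0x5AEDE4C8A0, 0x5AEDE4C914,
    0x0, 0x5AEDE4C9C4, 0x5AEDE5DF4C, 0x5AEDE4CA0C, 0x0,
]
ROW_RE = re.compile(r"\[\s*\d+\]\s+\d+\s+(?:[DSX]+\s+)?(Code|Data)\s+"
                    r"(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+0x[0-9a-fA-F]+\s+(\S+)$")

def parse_symtab(text):
    """Return [(file_addr, size, kind, name)] sorted by file address; other lines are skipped."""
    syms = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            kind, addr, size, name = m.groups()
            syms.append((int(addr, 16), int(size, 16), kind, name))
    return sorted(syms)

def module_slide(load_addr, file_addr):
    """A module is relocated as one unit, so load address = file address + slide."""
    return load_addr - file_addr

def lookup_address(load_addr, syms, slide):
    """Mimic `image lookup -a`: (name, offset) of the symbol whose range covers the address."""
    file_addr = load_addr - slide
    for start, size, _kind, name in syms:
        if start <= file_addr < start + size:
            return name, file_addr - start
    return None  # not inside any symbol of this module

def describe_pointer_table(words, syms, slide):
    """Name each pointer of a table of 8-byte words, as read with memory read/NNgx."""
    out = []
    for w in words:
        hit = lookup_address(w, syms, slide)
        out.append(f"{hit[0]}+{hit[1]:#x}" if hit else ("NULL" if w == 0 else f"{w:#x}"))
    return out

if __name__ == "__main__":
    slide = module_slide(GLOBALS_LOAD_ADDR, GLOBALS_FILE_ADDR)
    syms = parse_symtab(SYMTAB_ROWS)
    print(f"slide = {slide:#x}, table = {lookup_address(0x5AEDEF0D00, syms, slide)}")
    for w, name in zip(DISPATCH_TABLE_WORDS, describe_pointer_table(DISPATCH_TABLE_WORDS, syms, slide)):
        print(f"{w:#018x} -> {name}")
```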
Finding which memory mapping (maps entry) an address belongs to
memory region addr
(lldb) memory region 0x0000006f97d28638
[0x0000006f97c01000-0x0000006f97e00000) rw-