How do I resolve dyld imported symbols?

Question

I'm trying to implement some parts of what dyld does and I'm a little bit stuck at stub trampolines.

Consider the following ARM instruction:

BL  0x2fec

It branches with link (subprocedure call) to 0x2fec. I'm aware of the fact, that there is a section __symbolstub1 in the __TEXT segment starting at 0x2fd8, so it's a jump to 20 bytes inside of __symbolstub1.

Now, there is a symbol

(undefined) external _objc_autoreleasePoolPush (from libobjc)

that I've resolved through LC_SYMTAB load command. There is no known address provided. I know, as a fact, that 0x2fec address is a trampoline to _objc_autoreleasePoolPush, but I cannot prove it via any means.

I've checked the LC_DYLD_INFO_ONLY command, and I had a slight hint in there, in the lazy_bind symbols I've found:

{:offset=>20, :segment=>2, :library=>6, :flags=>[], :name=>"_objc_autoreleasePoolPush"}

where the name and offset match what I have exactly, and the library #6 is "/usr/lib/libobjc.A.dylib", which is also perfect. Now the issue is that segment #2 is __TEXT, but __TEXT starts at 0x1000, and __symbolstub1 is way down there at 0x2fd8. So I'm missing some reference down to section.

Any ideas on how am I supposed to map 0x2fec virtual address to _objc_autoreleasePoolPush?

Answer 1

Heh, just a little more digging and I've found it at LC_DYSYMTAB's indirect symbols.

Now the long answer.

1. Find a section for given address;
2. The section should be of type S_NON_LAZY_SYMBOL_POINTERS, S_LAZY_SYMBOL_POINTERS, S_LAZY_DYLIB_SYMBOL_POINTERS, S_THREAD_LOCAL_VARIABLE_POINTERS or S_SYMBOL_STUBS;
3. If the section type is S_SYMBOL_STUBS, then the byte size is stored in reserved2, otherwise it is considered equal to 4;
4. The offset into indirect symbols table is stored in reserved1;

5. The index into indirect symbols table is calculated as

   index = sect.reserved1 + (vmaddr - sect.addr) / bytesize;

6. The symbol in the symbols table is found at symbols[indirect_symbols[index]].