
How to get the load address of an ios app running on simulator


Without the load address it is not possible to run atos on a binary correctly. I'm debugging an iOS app inside (lldb) and the app has reported a diagnostic message (thread sanitizer report) which has a list of addresses like this:

    ==================
    WARNING: ThreadSanitizer: data race (pid=90559)
      Write of size 4 at 0x000113050868 by thread T35:
        #0 <null> <null>:2 (MyApp):x86_64+0x100d5963b)
        #1 <null> <null>:2 (MyApp):x86_64+0x100d5b09b)
        #2 <null> <null>:2 (MyApp):x86_64+0x100d59c3b)
        #3 <null> <null>:2 (MyApp):x86_64+0x100d59f1b)
        #4 <null> <null>:2 (MyApp):x86_64+0x10806a8b3)
        #5 <null> <null>:2 (MyApp):x86_64+0x10725557f)
        #6 <null> <null>:2 (MyApp):x86_64+0x106c406e3)
        #7 <null> <null>:2 (MyApp):x86_64+0x1081cfe78)
        #8 <null> <null>:2 (MyApp):x86_64+0x107d076b1)
        #9 <null> <null>:2 (MyApp):x86_64+0x1081d1f1d)
        #10 <null> <null>:2 (MyApp):x86_64+0x1081d2206)
        #11 <null> <null>:2 (MyApp):x86_64+0x107d0735b)
        #12 <null> <null>:2 (MyApp):x86_64+0x107d05dc9)
        #13 <null> <null>:2 (MyApp):x86_64+0x108375009)
        #14 __tsan::invoke_and_release_block(void*) <null>:2 (libclang_rt.tsan_iossim_dynamic.dylib:x86_64+0x7428b)
        #15 _dispatch_client_callout <null>:2 (libdispatch.dylib:x86_64+0x4c0b)

      Previous write of size 4 at 0x000113050868 by thread T6:
        #0 <null> <null>:2 (MyApp):x86_64+0x100d5963b)
        #1 <null> <null>:2 (MyApp):x86_64+0x100d5b09b)
        #2 <null> <null>:2 (MyApp):x86_64+0x100d59c3b)
        #3 <null> <null>:2 (MyApp):x86_64+0x100d59f1b)
        #4 <null> <null>:2 (MyApp):x86_64+0x10806a8b3)
        #5 <null> <null>:2 (MyApp):x86_64+0x10725557f)
        #6 <null> <null>:2 (MyApp):x86_64+0x107255c6f)
        #7 <null> <null>:2 (MyApp):x86_64+0x1072520ca)
        #8 <null> <null>:2 (MyApp):x86_64+0x10727f576)
        #9 <null> <null>:2 (MyApp):x86_64+0x1072c8ded)
        #10 <null> <null>:2 (MyApp):x86_64+0x1072c70e3)
        #11 <null> <null>:2 (MyApp):x86_64+0x1072c90b7)
        #12 <null> <null>:2 (MyApp):x86_64+0x1072b8b4f)
        #13 <null> <null>:2 (MyApp):x86_64+0x1072b907a)
        #14 <null> <null>:2 (MyApp):x86_64+0x108375009)
        #15 __tsan::invoke_and_release_block(void*) <null>:2 (libclang_rt.tsan_iossim_dynamic.dylib:x86_64+0x7428b)
        #16 _dispatch_client_callout <null>:2 (libdispatch.dylib:x86_64+0x4c0b)

      Location is global '<null>' at 0x000000000000 (MyApp)+0x00010c9d2868)

      Thread T35 (tid=65692125, running) is a GCD worker thread

      Thread T6 (tid=65688838, running) is a GCD worker thread

    SUMMARY: ThreadSanitizer: data race (MyApp):x86_64+0x100d5963b)

I can do image lookup -va 0x100d5963b for example, from within the lldb session. I think that is too tedious. Is there a way to get the load address such that I can run atos on all the addresses by putting this report in a file?


Solution

  • lldb has a target module lookup -a flag that shows the name of the module and its load address.

    e.g.,

    Address: MyApp[0x0000000109b99868] (MyApp.__TEXT.__cstring + 75576)
          Summary: "foo"
    

    There is another flag to list all the modules and their load addresses:

    target module list
    

    Just beware that it will print all the modules with their load addresses, and you may have to grep for the module you are looking for.
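The workflow the answer describes, end to end, as an added example (not code from the question or the answer): save the TSan report to a file, read the load address of MyApp from the output of target module list, and hand every MyApp address in the report to atos in one call. The report excerpt is trimmed from the one in the question, with the colour escape bytes kept so the script has to strip them; the lldb listing is constructed, and the assumed line format is "[ idx] <UUID> 0x<load address> /path/to/module". atos only exists on macOS, so symbolicate() returns None elsewhere and the script falls back to printing the command.

```python
"""Symbolicate a ThreadSanitizer report with atos, using the load address lldb reports.

Added example, not from the question or the answer. Assumptions:
  * "target module list" prints "[ idx] <UUID> 0x<load address> /path/to/module"
    (the UUID column is treated as optional);
  * addresses are symbolicated per module with
    atos -o <binary> -arch x86_64 -l <load address> <addr>...
  * atos is only available on macOS, so symbolicate() returns None elsewhere.
"""
import re
import shlex
import shutil
import subprocess
from typing import Dict, List, Optional, Tuple

# ESC[...m colour sequences that TSan writes to a terminal ("^[[1m" in the pasted report).
ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")

# One frame suffix, e.g. "(MyApp):x86_64+0x100d5963b)" or "(libdispatch.dylib:x86_64+0x4c0b)".
# The module name is sometimes closed by a stray ')' before the ':', hence the optional \)?.
FRAME_RE = re.compile(
    r"\((?P<module>[^():]+)\)?:(?P<arch>[A-Za-z0-9_]+)\+(?P<addr>0x[0-9a-fA-F]+)\)"
)

# One "target module list" line: index, optional UUID, load address, path (assumed format).
LLDB_LIST_RE = re.compile(
    r"^\[\s*\d+\]\s+(?:[0-9A-Fa-f-]{36}\s+)?(?P<load>0x[0-9a-fA-F]+)\s+(?P<path>\S.*)$"
)

# Trimmed excerpt of the report from the question, escape bytes included.
SAMPLE_REPORT = (
    "==================\n"
    "\x1b[1m\x1b[31mWARNING: ThreadSanitizer: data race (pid=90559)\n"
    "\x1b[1m\x1b[0m\x1b[1m\x1b[34m  Write of size 4 at 0x000113050868 by thread T35:\n"
    "\x1b[1m\x1b[0m    #0 <null> <null>:2 (MyApp):x86_64+0x100d5963b)\n"
    "    #1 <null> <null>:2 (MyApp):x86_64+0x100d5b09b)\n"
    "    #2 <null> <null>:2 (MyApp):x86_64+0x100d59c3b)\n"
    "    #3 __tsan::invoke_and_release_block(void*) <null>:2 "
    "(libclang_rt.tsan_iossim_dynamic.dylib:x86_64+0x7428b)\n"
    "    #4 _dispatch_client_callout <null>:2 (libdispatch.dylib:x86_64+0x4c0b)\n"
    "\n"
    "\x1b[1m\x1b[34m  Previous write of size 4 at 0x000113050868 by thread T6:\n"
    "\x1b[1m\x1b[0m    #0 <null> <null>:2 (MyApp):x86_64+0x100d5963b)\n"
    "    #1 <null> <null>:2 (MyApp):x86_64+0x100d5b09b)\n"
    "    #2 <null> <null>:2 (MyApp):x86_64+0x107255c6f)\n"
    "    #3 _dispatch_client_callout <null>:2 (libdispatch.dylib:x86_64+0x4c0b)\n"
    "\n"
    "\x1b[1m\x1b[0mSUMMARY: ThreadSanitizer: data race (MyApp):x86_64+0x100d5963b)\n"
)

# Constructed "target module list" output: UUIDs, load addresses and paths are made up.
SAMPLE_LLDB_LISTING = (
    "[  0] 0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9 0x0000000100000000 "
    "/Users/me/Library/Developer/Xcode/DerivedData/MyApp-abc/Build/Products/"
    "Debug-iphonesimulator/MyApp.app/MyApp\n"
    "[  1] 1A2B3C4D-5E6F-7081-92A3-B4C5D6E7F809 0x00007fff20400000 "
    "/usr/lib/system/libdispatch.dylib\n"
)


def strip_ansi(text: str) -> str:
    """Drop the colour escapes so the frame regex sees plain text."""
    return ANSI_RE.sub("", text)


def extract_addresses(report: str, module: str) -> List[str]:
    """Unique frame addresses attributed to `module`, in the order they first appear.

    Frames repeat across the two stacks and the SUMMARY line, so deduplicate them."""
    seen = set()
    addrs: List[str] = []
    for m in FRAME_RE.finditer(strip_ansi(report)):
        addr = m.group("addr").lower()
        if m.group("module") == module and addr not in seen:
            seen.add(addr)
            addrs.append(addr)
    return addrs


def load_addresses(listing: str) -> Dict[str, Tuple[str, str]]:
    """Map module basename -> (load address, path) from "target module list" output."""
    modules: Dict[str, Tuple[str, str]] = {}
    for line in listing.splitlines():
        m = LLDB_LIST_RE.match(line.strip())
        if m:
            path = m.group("path").strip()
            modules[path.rsplit("/", 1)[-1]] = (m.group("load"), path)
    return modules


def atos_command(binary: str, load_addr: str, addrs: List[str], arch: str = "x86_64") -> List[str]:
    """argv that symbolicates `addrs` against `binary` loaded at `load_addr`."""
    if not addrs:
        raise ValueError("no addresses to symbolicate")
    return ["atos", "-o", binary, "-arch", arch, "-l", load_addr, *addrs]


def symbolicate(binary: str, load_addr: str, addrs: List[str], arch: str = "x86_64") -> Optional[List[str]]:
    """Run atos if it is installed (macOS); one output line per address, or None."""
    if shutil.which("atos") is None:
        return None
    proc = subprocess.run(atos_command(binary, load_addr, addrs, arch),
                          capture_output=True, text=True, check=True)
    return proc.stdout.strip().splitlines()


if __name__ == "__main__":
    app_addrs = extract_addresses(SAMPLE_REPORT, "MyApp")
    app_load, app_binary = load_addresses(SAMPLE_LLDB_LISTING)["MyApp"]
    print(shlex.join(atos_command(app_binary, app_load, app_addrs)))
    symbols = symbolicate(app_binary, app_load, app_addrs)
    if symbols is not None:
        for addr, sym in zip(app_addrs, symbols):
            print(f"{addr}  {sym}")
```

Point `-o` at the exact binary lldb lists (the simulator build under DerivedData, with its dSYM next to it if one exists), not at a device build of the same app: atos resolves addresses against that file, so a binary with a different UUID yields plausible-looking but wrong symbols. For the other modules in the report (libdispatch.dylib, the TSan runtime) run the same command once per module with that module's load address from the same listing.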