Debugging has a rather bad reputation. I mean, if the developer had a complete understanding of the program, there wouldn’t be any bugs and they wouldn’t be debugging in the first place, right? Don’t think like that. There are always going to be bugs in your software — or any software, for that matter. No amount of test coverage imposed by your product manager is going to fix that. In fact, viewing debugging as just a process of fixing something that’s broken is actually a poisonous way of thinking that will mentally hinder your analytical abilities. Instead, you should view debugging as simply a process to better understand a program. It’s a subtle difference, but if you truly believe it, any previous drudgery of debugging simply disappears.
Since Grace Hopper, the founder of the Cobol language, discovered the world's first Bug in a relay computer, the generation of Bug in software development has never stopped. As the preface to the book of《Advanced Apple Debugging & Reverse Engineering》tells us: Developers don't want to think that if there is a good understanding of how software works, there will be no Bug. Therefore, debugging is almost an inevitable phase in the software development life cycle.
Debugging Overview
If you ask an inexperienced programmer
about how to define debugging, he might say "Debugging is something you do to find a solution for your software problem". He is right, but that's just a tiny part of a real debugging.
Here are the steps of a real debugging:
Find out why it's behaving unexpectedly
Resolve it
Try to make sure no new issue is involved
Improve the quality of your code, include readability, architecture, test coverage and performance etc.
Make sure that the same problem does not occur anywhere else
Among above steps, the most important step is the first step: find out the problem. Apparently, it's a prerequisite of other steps.
Research shows the time experienced programmers spend on debugging to locate the same set of defects is about one twentieth of inexperienced programmers. That means debugging experience makes an enormous difference in programming efficiency. We have lots of books on software design, unfortunately, rare of them have introduction about debugging, even the courses in school.
As the debugger improving over the years, the programmers' coding style is changed thoroughly. Of course, the debugger can not replace the good thinking, thinking can not replace the excellent debugger, the most perfect combination is excellent debugger with good thinking.
The following graph is the nine debugging rules described in book <Debugging: The 9 Indispensable Rules for Finding Even the Most Elusive Software and Hardware Problems>.
Assembly Language
Although as an iOS programmer, most of the time in the work will not deal with the assembly language, but understand the assembly is still very helpful, especially when debugging a system framework or a third-party framework without the source code.
Asssembly Language is a low-level machine-oriented programming language, which can be thought of as a collection of mnemonics for machine instructions for various CPUs. Programmers can use assembly language to control the computer hardware system directly. and the program written in assembly language have many merits, like fast execution speed and less memory occupied.
So far, two major architectures are widely used on the Apple platform, x86 and ARM. In the mobile device using the ARM assembly language, which is mainly because the ARM is a reduced instruction set computing (RISC) architecture, with low power consumption advantage. While the desktop platform like Mac OS, x86 architecture is used. The Apps installed on iOS simulators is actually running as a Mac OS App inside the simulator, which means simulator is working like a container. Since our case was debugged in the iOS simulators, the main research goal is x86 assembly language.
AT&T and Intel
x86 assembly language evolves into two syntax branches: Intel (orignially used in the x86 platform documentation) and AT&T. Intel dominates the MS-DOS and Windows family, while AT&T is common in UNIX family. There is a huge difference on syntax between Intel and AT&T, like variable, constant, the access of registers, indirect addressing and offset. Although their syntax difference is enormous, the hardware system is the same which means one of them can be migrated to the other seamlessly. Since AT&T assembly language is used on Xcode, we will focus on AT&T in below part.
Please notice that Intel syntax is used on
the disassembly tools of Hopper Disassemble and IDA Pro.
Belows are the differences between Intel and AT&T:
The prefix of operand: In AT&T syntax, % is used as the prefix of registers' name and $ is used as the prefix of immediate operand, while no prefix is used for both registers and immediate operand in Intel. The other difference is 0x is added as the prefix for hexadecimal in AT&T. The chart below demonstrates the difference between their prefixes:
AT&T
Intel
movq %rax, %rbx
mov rbx, rax
addq $0x10, %rsp
add rsp, 010h
In Intel syntax, h suffix is used for hexadecimal operand and b suffix is used for binary operand.
Operand: In AT&T syntax, the first operand is source operand, the second operand is destination operand. However, in Intel syntax, the order of operand is opposite. From this point, the syntax of AT&T is more comfortable for us according to our reading habit.
Addressing Mode: Comparing with Intel syntax, the indirect addressing mode of AT&T is hard to read. However, the algorithm of address calculation is the same: address = disp + base + index * scale. base represents the base address, disp stands for offset address, index * scale determines the location of an element, scale is the size of an element which can only be a power of two. disp/base/index/scale are all optional, the default value of index is 0, while the default value of scale is 1. Now let's see the instruction of address calculation: %segreg: disp(base,index,scale) is for AT&T, and segreg: [base+index*scale+disp] is for Intel. In fact, above two instructions both belong to segment addressing mode. segreg stands for segment register which is usually used in real mode when the digit capacity of CPU addressing beyonds the register' digit. For example, CPU can address 20-bit space, but the register only has 16-bit. To achieve 20-digit space, another addressing mode needs to be used: segreg:offset. With this addressing mode, the offset address will be segreg * 16 + offset, but it's more complicated than flat memory mode. In protect mode, the addressing is under linear address space, which means segment base address can be ignored.
AT&T
Intel
movq 0xb57751(%rip), %rsi
mov rsi, qword ptr [rip+0xb57751h]
leaq (%rax,%rbx,8), %rdi
lea rdi, qword ptr [rax+rbx*8]
If immediate operand comes at the place of disp or scale, $ suffix can be omitted. In Intel syntax, byte ptr, word ptr, dword ptr and qword ptr need to be added before the memory operand.
Suffix of opcode: In AT&T syntax, all opcodes have a suffix to specify the size. There are generally four kinds of suffixes:b,w,l and q. brepresents 8-bit byte, w means 16-bit word, l means 32-bit double word. 32-digit word is also called as long word which is from the 16-bit days. q represents 64-bit quadword. The chart below illustrates the syntax of data transition instruction(mov) in AT&T and Intel.
AT&T
Intel
movb %al, %bl
mov bl, al
movw %ax, %bx
mov bx, ax
movl %eax, %ebx
mov ebx, eax
movq %rax, %rbx
mov rbx, rax
Register
As we know, Memory is used to store instructions and data for CPU. Memory is essentially an array of bytes. Although the speed of memory access is very fast, we still need a smaller and faster storage unit to speed up the CPU's instruction execution, which is register. During the instruction execution, all data are temporarily stored in registers. That's why register is named in.
When processors grows from 16-bit to 32-bit, 8 registers are extended to 32-bit too. After that, when the extended registers are used, E prefix is added to the original register name. 32-bit processor is Intel Architecture 32-bit, which is IA32. Today, the main processors are 64-bit Intel architecture, which is extended from IA32 and been called x86-64. Since IA32 is past, this article will only focus on x86-64. Note that in x86-64, the amount of registers is extended from 8 to 16. Just because of this extension, the program state can be stored in registers but not stacks. Thus, the frequency of memory access is hugely reduced.
In x86-64, there are 16 64-bit general registers and 16 floating pointer registers. Besides, CPU has one more 64-bit instruction pointer register called rip. It is designed to store the address of the next executed instruction. There are also some other registers which are not widely used, we don't intend to talk about them in this article. Among the 16 general registers, eight of them are from the IA32: rax、rcx、rdx、rbx、rsi、rdi、rsp and rbp. The other eight general registers are new added since x86-64 which are r8 - r15. The 16 floating registers are xmm0 - xmm15.
Current CPUs are from 8088, the register is also extended from 16-bit to 32-bit and finally to 64-bit. Thus, the program can still access the low 8-bit or 16-bit or 32-bit of the registers.
Below chart illustrates the 16 general registers of x86-64:
Using register read command in LLDB can dump the register data of current stack frame.
For example, we can use below command to show all the data in the register:
As we know, there are 16 floating pointer registers in x86-64: xmm0 - xmm15. In fact, there are some other details of it. In the output of register read -a command, you may notice that there have stmm and ymm registers besides xmm register group. Here stmm is an alias of st register, and st is a register of FPU(Float Point Unit) in x86 to handle float data. The FPU contains one float pointer register which has eight 80-bit float pointer registers: st0 - st7. We can observe that the stmm register is 80-bit from the output, which can prove the stmm register is st register. xmm is 128-bit register, and ymm register is 256-bit which is an extension of xmm. In fact, xmm register is the low 128-bit of ymm register. Like the eax register is the low 32-bit of rax register. In Pentium III, Intel published an instruction set called SSE(Streaming SIMD Extensions) which is an extension of MMX. Eight new 128-bit registers(xmm0 - xmm7) are added in SSE. AVX(Advanced Vector Extensions) instruction set is an extension architecture of SSE. Also in AVX, the 128-bit register xmm was extended to 256-bit register ymm.
Function
A function calling includes parameter passing and control transfer from one compilation unit to another. In function calling procedure, data passing, local variable assignment and release are carried out by stack. And the stacks assigned to a single function calling are called Stack Frame.
During LLDB debugging, we may use bt command to print the stack trace of the current thread, like below:
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
* frame #0: 0x00000001054e09d4 TestDemo`-[ViewController viewDidLoad](self=0x00007fd349558950, _cmd="viewDidLoad") at ViewController.m:18
frame #1: 0x00000001064a6931 UIKit`-[UIViewController loadViewIfRequired] + 1344
frame #2: 0x00000001064a6c7d UIKit`-[UIViewController view] + 27
frame #3: 0x00000001063840c0 UIKit`-[UIWindow addRootViewControllerViewIfPossible] + 61
// many other frames are ommitted here
In fact, bt command is workable upon stack frame. The stack frame preserves return address and local variable for functions which can be seen as a context of a function execution. As we know, the heap grows upward, while the stack grows downward which is from large-numbered memory addresses to small-numbered ones. Once a function is called, one standalone stack frame is assigned for the function calling. The rbp register, called as frame pointer, always points to the end of the latest allocated stack frame (high address). The rsp register, called as stack pointer, always points to the top of the latest allocated stack frame (low address). Below is a chart of frame stack:
The left column Position is memory address which uses indirect addressing mode. Content is the value of the address in Position points to. According to the struct of stack frame in above chart, the function calling procedure can be described as several steps as follows:
Calling function pushes the parameters on the stack. If there is no parameter, this step can be skipped.
Push the first instruction after the function calling onto the stack which is actually the return address.
Jump to the start address of the called function and execute.
Called function preserves the start address in %rbp register.
Preserve the value in %rsp register to %rbp register, so that %rbp register can point to the stack frame's start address of the called function.
Push the called function's register on the stack. This is optional.
Step 2 and 3 actually belong to call instruction. In addition, step 4 and step 5 can be described in assembly instruction as follows:
It's easy to notice that these two steps are along with each function calling. There is another detail of above chart: there is a red area below rsp register, which is called as Red Zone by ABI. It is a reserved and shall not be modified by signal or interrupt handlers. Since it can be modified during function calling, therefore, leaf functions which means those functions that never call other functions can use this area for temporary data.
Among above instructions, instruction from 0x1064a63f5 to 0x1064a63fd belong to step 6. There is a kind of registers called function preserve register which means they belong to calling function, but the called function is required to preserve their values. From below assembly instructions, we can see rbx, rsp and r12 - r15 all belong to such registers.
The instruction to call a function is call, refer to below:
call function
function in the parameter is the procedures in TEXT segment. Call instruction can split into two steps. The first step is to push the next instruction address of call instruction on stack. Here, the next address is actually the return address after the called function is finished. The second step is jump to function. call instruction is equivalent to below two instructions:
push next_instruction
jmp function
Following is the example of call instruction in iOS simulator:
Above code shows two usages of call instruction. In the first usage, the operand is a memory address which is actually a Symbol Stub of a Mach-O file. It can search the symbol of a function through the dynamical linker. In the second usage, the operand is actually obtained by indirect addressing mode. Furthermore, in AT&T syntax, * needs to be added to the immediate operand in the jump/call instruction(or the jumps related with programmer counter) as a prefix.
Ret instruction
In general, ret instruction is used to return the procedure from the called function to the calling function. This instruction pops the address from the top of stack and jump back to that address and keep executing. In above example, it jumps back to next_instruction. Before ret instruction is executed, the registers belong to calling function will be poped. This is already mentioned in step 6 of function calling procedure.
Parameter passing and return value
Most of the functions have parameter which can be integer, float, pointer and so on. Besides, functions usually have return value which can indicate the execution result is succeed or failed. In OSX, at most 6 parameters can be passed through registers which are rdi, rsi, rdx, rcx, r8 and r9 in order. How about a function with more than 6 parameters? Of course, this circumstance exists. If this happens, stack can be used to preserve the remaining parameters in reversed order. OSX has eight floating point registers which allow to pass up to 8 float parameters.
About the return value of a function, rax register is used to save the integer return value. If the return value is a float, xmm0 - xmm1 registers shall be used. Below chart clearly illustrates the register usage convention during the function calling.
preserved across function calls indicates whether the register needs to be preserved across function call. We can see that besides rbx, r12 - r15 registers mentioned above, rsp and rbp registers also belong to callee-saved registers. This is because these two registers reserve the important location pointers that point to the program stack.
Next we'll follow a real example to demonstrate the instructions in a function call. Take the macro DDLogError in CocoaLumberjack as example. When this macro is called, class method log:level:flag:context:file:function:line:tag:format: is called. Following code and instructions are about the call of DDLogError and the corresponding assembly instructions:
Since all functions of Objective-C will turn into the invocation of objc_msgSend function, so log:level:flag:context:file:function:line:tag:format: method finally turn into below codes:
We already mentioned at most 6 registers can be used for parameter passing. The excess parameters can use stack to do the passing. Since above function has more than 6 parameters, the parameter passing would use both registers and stack. Below two tables describe the detail usage of registers and stack for the parameter passing of DDLogError function invocation.
The corresponding invocation of DDLogError is in Line 34
0x18(%rsp)
0X0
tag
0x102c56916 <+214>: movq $0x0, 0x18(%rsp)
nil
0x20(%rsp)
"TestDDLog:%@"
format
0x102c5691f <+223>: movq %r10, 0x20(%rsp)
0x28(%rsp)
sender
The first parameter of variable parameters
0x102c56924 <+228>: movq %r14, 0x28(%rsp)
A instance of UIButton
If the value of register is a string, like op parameter in rsi register, the string can be printed directly in LLDB through po (char *) $rsi command. Else, po $rsi can be used to print a value in integer format.
With the help of assembly language, we can look into some low-level knowledge which is very necessary during debugging. I try very hard to introduce the assembly related knowledge as detailed as I can. However, the knowledge hierarchy of assembly is too enormous to describe in one article. Please refer to the references mentioned above. In addition, the third chapter of CSAPP -- Machine level representation of a program is highly recommended too. It's a rare good material for reference.
Case
This article illustrates the procedure of debugging through a real case. Some of the details are changed to protect personal privacy.
Issue
The issue we are going to talk about was happening when I was developing a login SDK. One user claimed the app crashed when he pressed the "QQ" button in login page. As we debugged this issue, we found the crash happened if the QQ app was not installed at the same time. When user presses QQ button to require a login, the QQ login SDK tries to launch an authorization web page in our app. In this case, an unrecognized selector error [TCWebViewController setRequestURLStr:] occurs.
P.S: To focus on the issue, the unnecessary business debug information is not listed below. Meanwhile AADebug is used as our app name.
请发表评论