Chapter 1 Gettting Started 概览

常用寄存器（x86_64)
• FirstArgument:RDI
• SecondArgument:RSI
• ThirdArgument:RDX
• FourthArgument:RCX
• FifthArgument:R8
• SixthArgument:R9

• 返回值RAX

常用寄存器 (arm64)

• x1

真机

[Tab 1]
$ iproxy 5000 22
[Tab 2]
$ iproxy 1234 1234
[Tab 3]
$ ssh root@localhost -p 5000
root# ps -e | grep Preferences
root# debugserver *:1234 -attach=40776
[Tab 4]
lldb
(lldb) process connect connect://localhost:1234

[Terminal 1]
$ tty
/dev/ttys003

[Terminal 2]
(lldb) file /Applications/Xcode.app/Contents/MacOS/Xcode
(lldb) process launch -e /dev/ttys003
(Ctrl + C)
(lldb) breakpoint set -n "-[NSView hitTest:]"
Breakpoint 1: where = AppKit`-[NSView hitTest:], address =
0x000000010338277b
(lldb) continue
Process 9532 resuming

(make sure the breakpoint is triggered)
Process 9532 resuming
Process 9532 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    frame #0: 0x00007fff817becfb AppKit`-[NSView hitTest:]
AppKit`-[NSView hitTest:]:
->  0x7fff817becfb <+0>: pushq  %rbp
    0x7fff817becfc <+1>: movq   %rsp, %rbp
    0x7fff817becff <+4>: pushq  %r15
    0x7fff817bed01 <+6>: pushq  %r14

# po is usually more useful as it gives the NSObject’s description or debugDescription, if available.
(lldb) po $rdi
<_NSThemeCloseWidget: 0x11ca41f80>

# 给断点添加条件
(lldb) breakpoint modify 1 -c "(BOOL)[$rdi isKindOfClass:[NSTextView class]]"
（触发断点后）
(lldb) po [$rdi superclass]

# 用lldb查看私有API r-使用正则表达式；n-通过名字寻找函数或符号
(lldb) image lookup -rn 'DVTSourceTextView\ '

# 通过block注入来swizzle
(lldb) po @import Foundation
(lldb) po
Enter expressions, then terminate with an empty line to evaluate:
@import Cocoa;
id $class = [NSObject class];
SEL $sel = @selector(init);
void *$method = (void *)class_getInstanceMethod($class, $sel);
IMP $oldImp = (IMP)method_getImplementation($method);
id (^$block)(id) = ^id(id object) {
  if ((BOOL)[object isKindOfClass:[NSView class]]) {
    fprintf(stderr, "%s\n", (char *)[[[object class] description]
UTF8String]);
  }
  return object;
};
IMP $newImp = (IMP)imp_implementationWithBlock($block);
method_setImplementation($method, $newImp);

# 善于用help和apropos查看文档
(lldb) help breakpoint name
# will do a case-insensitive search for any word or string against the LLDB documentation and return any matching results.
(lldb) apropos swift

Chapter 3: Attaching with LLDB

LLDB attaching实际是个误导人的词。debugserver才是真正负责attaching到进程的。

# attach到已存在进程
$ lldb -n Xcode
$ lldb -p `pgrep -x Xcode`

# attach到未存在进程
$ lldb -n Finder -w  # LLDB会等待直到一个叫Finder的进程下次启动

# attach到自己想要的进程。这种方式有个弊端是进程的stderr output (i.e. NSLog & company)回自动发送到Terminal里面去。
$ lldb -f /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
(lldb) process launch

# Options while launching
$ lldb -f /bin/ls
(lldb) process launch -w /Applications   # 改变当前工作目录，等于cd再ls
(lldb) process launch -- /Applications  # 给ls传参，等于 ls /Applications
(lldb) process launch -- ~/Desktop  # ls会报错，这个目录不存在
(lldb) process launch -X true -- ~/Desktop  # 用-X true来展开任何shell符号
(lldb) run ~/Desktop  # run 等价于 process launch -X true --
(lldb) process launch -o /tmp/ls_output.txt -- /Applications

(lldb) target delete
(lldb) target create /usr/bin/wc
$ echo "hello world" > /tmp/wc_input.txt
(lldb) process launch -i /tmp/wc_input.txt  # 等价于 wc < /tmp/wc_input.txt

(lldb) run  # 不想要stdin，程序会一直在那等着，输入内容，Ctrl+D结束输入

(lldb) process launch -n  # -n告诉LLDB不创建stdin，于是wc会立即结束突出

Chapter 4: Stopping in Code

# 检查一个函数是否存在
(lldb) image lookup -n "-[UIViewController viewDidLoad]"
1 match found in /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneSimulator.sdk//System/Library/Frameworks/UIKit.framework/UIKit:
        Address: UIKit[0x00000000001ca654] (UIKit.__TEXT.__text + 1867588)
        Summary: UIKit`-[UIViewController viewDidLoad]

(lldb) image lookup -rn test  # 正则查找在任何包含有test（大小写匹配）的函数或框架

# 然后添加断点
(lldb) b -[UIViewController viewDidLoad]
(lldb) rb '\-\[UIViewController\ '  # rb = breakpoint set -r %1
(lldb) breakpoint delete  # 删除所有断点
(lldb) rb '\-\[UIViewController(\(\w+\))?\ '  # 找出包括category方法的有所UIVC的实例方法
(lldb) rb . -f DetailViewController.swift  # -f域限制，这个为所有的属性getter/setter，block，category，方法或函数添加断点
(lldb) rb .  # 这个是非常疯狂的，为所有一切添加断点
(lldb) rb . -s UIKit  # 限制在某个library，为这个库的所有东西添加断点
(lldb) rb . -s UIKit -o  # 断点只会被触发一次然后被删除

修改或删除断点

(lldb) b main
  Breakpoint 1: 20 locations.
(lldb) breakpoint list
(lldb) breakpoint list 1
(lldb) breakpoint list 1 -b
(lldb) breakpoint list 1 3
(lldb) breakpoint list 1-3  # 以上也适用delete
(lldb) breakpoint delete 1
(lldb) breakpoint delete 1,1

Chapter 5: Expression

关于expression命令的介绍，用它你可以在debugger中执行任意代码

Formatting p & po

'p' = 'expression --'
'po' = 'expression -O --' # -O用来打印object的description

(lldb) p self
(Signals.MasterViewController) $R3 = 0x00007fc08860e960 {
  UIKit.UITableViewController = {
    baseUIViewController@0 = <extracting data from value failed>

    _tableViewStyle = 0
    _keyboardSupport = nil
    _staticDataSource = nil
    _filteredDataSource = 0x0000608000245e20
    _filteredDataType = 0
  }
  detailViewController = nil
}
(lldb) type summary add Signals.MasterViewController --summary-string "Wahoo!"
(lldb) p self
(Signals.MasterViewController) $R5 = 0x00007fc08860e960 Wahoo!
(lldb) type summary clear

Swift vs Objective-C debugging contexts

调试oc代码时，lldb便是oc语法；调试swift代码时，lldb便是swift语法。
有个例外时非断点停止而是主动点击暂停按钮(pause the application out of the blue)，进入的context一定是OC，不管app是不是swift

# 在swift环境强制使用oc语法
(lldb) expression -l objc -O -- [UIApplication sharedApplication]

User defined variables

一定要带上美元符号
oc环境创建的变量，最好还是不要用于swift环境，行为是未定义的，Apple的开发者正在开发这个语境

(lldb) po id $test = [NSObject new]
(lldb) po $test
<NSObject: 0x60000001d190>
(lldb) expression -l swift -O -- $test
<NSObject: 0x60000001d190>
(lldb) exppression -l swift -O -- $test.description
error: <EXPR>:3:1: error: use of unresolved identifier '$test'
$test.description
^~~~~

# 随便在一个类的实例方法里面设置一个断点（最好是ViewController的，这样易于观察实验结果），run并命中断点
(lldb) p self  # lldb会赋予一个变量 $R0 引用它，请恢复执行，并手动停止
(lldb) po $R0.title  # 记住上面的内容，主动停止会进入oc环境
error: use of undeclared identifier '$R0'
(lldb) expression -l swift -- $R0.title
(String?) $R1 = "Quarterback"  # 会打印出ViewController的title！
(lldb) expression -l swift -- $R0.title = "💩💩💩💩💩 "  # ⌘ + ⌃ + space然后输入poop可以找到这个emoji
# 恢复执行你就可以看到ViewController的title变成五坨翔啦。这个东西特别好用，当你需要观察给一个方法传一些特殊的值观察对应行为的时候

# 假设上面你下的断点在viewDidAppear函数里，暂停执行
(lldb) expression -l swift -O -- $R0.viewDidLoad()  
# 你会发现断点并没有命中！这是因为lldb默认忽视任何断点。你可以通过-i来打开
(lldb) expression -l swift -O -i 0 -- $R0.viewDidLoad()
# 现在断点可以正常的被触发了。这个技巧是一个很好的用来测试函数的方法。比如，你可以实现test-driven debugging，通过给一个函数传递不同的参数来观察它是如何处理不同的输入

Type formatting类型格式化

LLDB有一个很不错的功能是格式化基本类型数据，这使得LLDB是一个很好的

# 主动停止app
(lldb) expression -G x -- 10  # G代表GDB
(int) $0 = 0x0000000a
(lldb) p/x 10  # /x 指定用十六进制格式
(int) $1 = 0x0000000a
(lldb) p/t 10  # /t 指定用二进制格式
(int) $2 = 0b00000000000000000000000000001010
(lldb) p/t -10
(int) $3 = 0b11111111111111111111111111110110
(lldb) p/t 10.0
(double) $4 = 0b0100000000100100000000000000000000000000000000000000000000000000
(lldb) p/d 'D'  # /d 指定用十进制格式
(char) $5 = 68
(lldb) p/c 1430672467  # /c 指定用char格式
(int) $6 = STFU  # 将这个整型转换成二进制，并分成4个byte，把每个byte转换成ASCII码

完整的输出格式化列表如下：
• x: hexadecimal
• d: decimal
• u: unsigned decimal
• o: octal
• t: binary
• a: address
• c: character constant
• f: float
• s: string
如果这些格式化还不能够满足你，你可以使用lldb额外的formatters，但此时你不可以使用GDB的格式化语法了：

(lldb) expression -f Y -- 1430672467
(int) $0 = 53 54 46 55             STFU

Chapter 6: Thread, Frame & Stepping Around

一个神奇的方法：Control+Shift+StepOver/StepIn
可以控制其他线程保持停止状态，这个在排查棘手的同步问题时特别有用

(lldb) thread backtrace
(lldb) bt  # 这两个其实是不一样的，用help验证
(lldb) frame info  # 打印出当前frame
frame #0: 0x000000010f5ce87a Signals`MasterViewController.viewWillAppear(animated=false, self=0x00007fcb3651be10) -> () at MasterViewController.swift:55

(lldb) frame select 1
frame #1: 0x000000010f5cee51 Signals`@objc MasterViewController.viewWillAppear(Bool) -> () at MasterViewController.swift:0
   1    /**
   2     * MasterViewController.swift
   3     *
   4     * Copyright (c) 2017 Razeware LLC
   5     *
   6     * Permission is hereby granted, free of charge, to any person obtaining a copy
   7     * of this software and associated documentation files (the "Software"), to deal
(lldb) run  # 重新启动app，Xcode不需要重编译
(lldb) next  # step over
(lldb) step  # step into Xcode默认next如果没有debug symbols
(lldb) settings show target.process.thread.step-in-avoid-nodebug
target.process.thread.step-in-avoid-nodebug (boolean) = true
(lldb) step -a0  # 忽视设置，不管有无debug symbols都进入
(lldb) finish  # step out 回车lldb会执行上一条指令
(lldb) next/step --run-mode/-m  # 控制其余线程是否停止

查看栈上数据

一个非常有用的frame子命令是frame variable。这个命令会用在可执行文件头部中（或dSYM如果你的app被stripped了）的debug symbol信息来dump出关于那个栈帧的信息。有了这个debug信息，这个命令只要带上恰当的参数，你很容易就知道函数中所有变量（包括程序中的全局变量）的作用域

(lldb) frame variable  # 查看当前栈帧的变量
(Bool) animated = false
(Signals.MasterViewController) self = 0x00007f94de713760 {
  UIKit.UITableViewController = {
    baseUIViewController@0 = <extracting data from value failed>

    _tableViewStyle = 0
    _keyboardSupport = 0x000060800002aa00
    _staticDataSource = nil
    _filteredDataSource = 0x000060800005bcc0
    _filteredDataType = 0
  }
  detailViewController = nil
}
(CGFloat) bottomInset = 4.9406564584124654E-324
(lldb) frame info


  (lldb) frame variable -F self  # 查看所有私有变量，F是flat的意思

Chapter 7: Image

block所在函数的参数是如何传给block的呢？
编译器能够分析出哪些参数是block需要的，然后创建一个以这些参数为参数的函数。但block被调用时，实际上是这个函数被调用了。

(lldb) image list
(lldb) image list Foundation
(lldb) image dump symtab UIKit -s address  # dump all the symbol table informaton available for UIKit
(lldb) image lookup -n "-[UIViewController viewDidLoad]"
1 match found in /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneSimulator.sdk//System/Library/Frameworks/UIKit.framework/UIKit:
        Address: UIKit[0x00000000001ca9a4] (UIKit.__TEXT.__text + 1868340)
        Summary: UIKit`-[UIViewController viewDidLoad]
(lldb) image lookup -rn UIViewController
(lldb) image lookup -rn '\[UIViewController\ '
(lldb) image lookup -rn '\[UIViewController\(\w+\)\ '  # 包括category的方法
(lldb) image lookup -rn _block_invoke
(lldb) image lookup -rn _block_invoke ImageName

# 给一个block下断点，观察block的frame variable
(lldb) frame variable
(__block_literal_5 *)  = 0x0000600000269c00
(int) sig = 23
(siginfo_t *) siginfo = 0x00007fff55a67588
(UnixSignalHandler *) self = 0x0000608000262c80
(UnixSignal *) unixSignal = 0x000000010eb3cd08
(__NSCFConstantString *) kSignalHandlerCountUpdatedNotification = 0x000000010a25e488 @"com.razeware.breakpoints.contentupdated"
(lldb) image dump symfile ImageName
# 很多内容出来，文本查找__block_literal_5
0x7fb975802760:   Type{0x100000ce6} , name = "__block_literal_5", size = 52, decl = UnixSignalHandler.m:123, compiler_type = 0x00007fb979082860 struct __block_literal_5 {
        void *__isa;
        int __flags;
        int __reserved;
        void (*__FuncPtr)();
        __block_descriptor_withcopydispose *__descriptor;
        UnixSignalHandler *const self;
        siginfo_t *siginfo;
        int sig;
    }
这个就是定义了block的东东啦
(lldb) po (__block_literal_5 *)0x0000600000269c00
<__NSMallocBlock__: 0x600000269c00>
(lldb) p/x ((__block_literal_5 *)0x0000600000269c00)->__FuncPtr
(void (*)()) $2 = 0x000000010a259810 (Commons`__38-[UnixSignalHandler appendSignal:sig:]_block_invoke_2 at UnixSignalHandler.m:123)
(lldb) image lookup -a 0x000000010a259810
      Address: Commons[0x0000000000002810] (Commons.__TEXT.__text + 2352)
      Summary: Commons`__38-[UnixSignalHandler appendSignal:sig:]_block_invoke_2 at UnixSignalHandler.m:123
(lldb) po ((__block_literal_5 *)0x0000600000269c00)->sig
23

使用image dump symfile ImageName命令来探究一个未知的数据类型是如何工作的，这是一个很好的手段。这个命令也可以让我们了解编译器如何生成目标代码。除此之外，你也可以通过它来检查block是怎么引用block外部的指针来调试内存循环引用问题。

(lldb) image lookup -rn __NSMallocBlock__  # 没有任何输出，说明它没有重写父类的任何方法
(lldb) po [__NSMallocBlock__ superclass]
__NSMallocBlock
(lldb) image lookup -rn __NSMallocBlock  # 输出的方法看起来都和内存管理有关
(lldb) po [__NSMallocBlock superclass]
NSBlock
(lldb) image lookup -rn 'NSBlock\ '
6 matches found in /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneSimulator.sdk//System/Library/Frameworks/CoreFoundation.framework/CoreFoundation:
        Address: CoreFoundation[0x00000000000400c0] (CoreFoundation.__TEXT.__text + 257696)
        Summary: CoreFoundation`-[NSBlock copy]        Address: CoreFoundation[0x0000000000078330] (CoreFoundation.__TEXT.__text + 487696)
        Summary: CoreFoundation`-[NSBlock copyWithZone:]        Address: CoreFoundation[0x00000000001892b0] (CoreFoundation.__TEXT.__text + 1605776)
        Summary: CoreFoundation`+[NSBlock allocWithZone:]        Address: CoreFoundation[0x00000000001892d0] (CoreFoundation.__TEXT.__text + 1605808)
        Summary: CoreFoundation`+[NSBlock alloc]        Address: CoreFoundation[0x00000000001892f0] (CoreFoundation.__TEXT.__text + 1605840)
        Summary: CoreFoundation`-[NSBlock invoke]        Address: CoreFoundation[0x0000000000189300] (CoreFoundation.__TEXT.__text + 1605856)
        Summary: CoreFoundation`-[NSBlock performAfterDelay:]
# 接下来我们想探究下invoke这个方法，但是我们调用invoke之后不希望这个block被内存管理给释放掉。可以这样处理
(lldb) po id $block = (id)0x0000600000269c00
(lldb) po [$block retain]
<__NSMallocBlock__: 0x600000269c00>
(lldb) po [$block invoke]
2017-07-11 10:38:05.075 Signals[507:5687492] Appending new signal: SIGIO

(lldb) image lookup -rn (?i)\ _\w+description\]  # (?i) means case insensitive
(lldb) image lookup -rn NSObject\(IvarDescription\)
这3个方法非常吸引人：
_ivarDescription
_propertyDescription 
_methodDescription
(lldb) po [[UIApplication sharedApplication] _ivarDescription]  # 可以发现一个叫UIStatusBar的私有类
(lldb) image lookup -rn '\[UIStatusBar\ set'
(lldb) po [[UIApplication sharedApplication] statusBar]
<UIStatusBar: 0x7fcb42809e00; frame = (0 0; 414 20); opaque = NO; autoresize = W+BM; layer = <CALayer: 0x608000032400>>
(lldb) po [0x7fcb42809e00 setBackgroundColor:[UIColor purpleColor]]  # statusBar就会变成紫色的啦

Chapter 8: Persisting & Customizing Commands 持久化和自定义命令

如何持久化

LLDB启动时会在几个目录里面寻找初始化文件，如果找到则会被加载到LLDB中，加载时机是在LLDB启动后attach到process之前。
LLDB将会在以下几个地方寻找初始化文件：
1.~/.lldbinit-[context]。其中context为Xcode或者lldb。即如果只想生效于Xcode中的lldb，用~/.lldbinit-Xcode，如果只想生效与命令行中的lldb，用~/.lldbinit-lldb

2. 接下来LLDB就会搜索在~/.lldbinit-[context]中找到的内容。这个是最理想的文件，大部分情形我们还是希望两种场景下都使用
3. LLDB将会搜索被启动时的目录。不幸的是，Xcode启动LLDB在/目录

创建.lldbinit文件

# 注意这里的lldb context应该是Swift，所以才强制为oc语法
(lldb) command alias -- Yay_Autolayout expression -l objc -O -- [[[[[UIApplication sharedApplication] keyWindow] rootViewController] view] recursiveDescription]
(lldb) command alias cpo expression -l objc -O --

Chapter 9: Regex Commands

alias只能方便我们处理静态的命令，如果命令有接受输入的话alias就显得很捉急了。

# 对新命令后面的内容进行正则替换。下面这个命令alias是无法完成的
(lldb) command regex rlook 's/(.+)/image lookup -rn %1/'  # %1指的是被匹配的内容
(lldb) rlook F00  # 等同于 image lookup -rn FOO, 正则表达式是从rlook之后开始匹配
(lldb) rl viewDidLoad  # 等同于 rlook viewDidLoad
(lldb) rl viewDidLoad Signals
# 来点高级点的
(lldb) command regex -- tv 's/(.+)/expression -l objc -O -- @import QuartzCore; [%1 setHidden:!(BOOL)[%1 isHidden]]; (void)[CATransaction flush];/'
(lldb) tv [[[UIApp keyWindow] rootViewController] view]  # 重复这个命令，手机就会黑屏、恢复黑屏一直循环

(lldb) command regex getcls 's/(([0-9]|\$|\@|\[).*)/cpo [%1 class]/'
(lldb) getcls @"hello world"
__NSCFString
(lldb) getcls @[@"hello world"] 
__NSSingleObjectArrayI
(lldb) getcls [UIDevice currentDevice] 
UIDevice
(lldb) cpo [UIDevice currentDevice] 
<UIDevice: 0x60800002b520>
(lldb) getcls 0x60800002b520
UIDevice
(lldb) command regex getcls 's/(([0-9]|\$|\@|\[).*)/cpo [%1 class]/' 's/(.+)/expression -l swift -O -- type(of: %1)/'
(lldb) getcls self
Signals.MasterViewController