用Hopper找BUG

最新项目有一些BUG。莫名奇怪。
网上给出的都是要DSYM文件的。我之前项目没有生成DSYM文件。

用之前的办法找了一些。对于一些古怪的BUG不清楚不好用。
我写一个崩溃的例子：

[self doesNotRecognizeSelector:@selector(xxx)];

很明显。这里会崩溃：

_CFRunLoopError_RunCalledWithInvalidMode to debug. This message will only appear once per execution.
2017-05-23 13:16:14.564712+0800 ShangXin[236:5197] UMLOG: error: session_id=2EDD98E50F32B02D719C97C632C05FD8, context=-[SXHomeViewController xxx]: unrecognized selector sent to instance 0x101528c40
(null)
((
    0   CoreFoundation                      0x0000000186026ff0 <redacted> + 148
    1   libobjc.A.dylib                     0x0000000184a88538 objc_exception_throw + 56
    2   CoreFoundation                      0x000000018602def4 <redacted> + 0
    3   ShangXin                            0x0000000100402198 -[SXHomeViewController viewDidLoad] + 84
    4   ShangXin                            0x00000001006017b8 __vcViewDidLoad + 480
    5   UIKit                               0x000000018c155f9c <redacted> + 1036
    6   UIKit                               0x000000018c20e0c4 <redacted> + 72
    7   UIKit                               0x000000018c20df9c <redacted> + 416
    8   UIKit                               0x000000018c20d2cc <redacted> + 144
    9   UIKit                               0x000000018c20cd00 <redacted> + 856
    10  UIKit                               0x000000018c20c8b4 <redacted> + 64
    11  UIKit                               0x000000018c20c818 <redacted> + 188
    12  UIKit                               0x000000018c153158 <redacted> + 1200
    13  QuartzCore                          0x0000000189343274 <redacted> + 148
    14  QuartzCore                          0x0000000189337de8 <redacted> + 292
    15  QuartzCore                          0x0000000189337ca8 <redacted> + 32
    16  QuartzCore                          0x00000001892b3360 <redacted> + 252
    17  QuartzCore                          0x00000001892da3c0 <redacted> + 504
    18  QuartzCore                          0x00000001892dae8c <redacted> + 120
    19  CoreFoundation                      0x0000000185fd49a0 <redacted> + 32
    20  CoreFoundation                      0x0000000185fd2628 <redacted> + 372
    21  CoreFoundation                      0x0000000185f02db4 CFRunLoopRunSpecific + 456
    22  UIKit                               0x000000018c1c045c <redacted> + 652
    23  UIKit                               0x000000018c1bb130 UIApplicationMain + 208
    24  ShangXin                            0x00000001004af6b8 main + 124
    25  libdyld.dylib                       0x0000000184f1159c <redacted> + 4
)

dSYM UUID: A558F24E-26FD-31B3-B23D-241289FF6D44
CPU Type: arm64
Slide Address: 0x0000000100000000
Binary Image: ShangXin
Base Address: 0x00000001000a0000
2017-05-23 13:16:14.591106+0800 ShangXin[236:5197] UMLOG: session: session_id=2EDD98E50F32B02D719C97C632C05FD8, duration=10.790535

WX20170523-132010@2x.png

上图Xcode 已经帮我定位到是-[SXHomeViewController viewDidLoad] + 84的位置。

WX20170523-132521@2x.png

(lldb) image list -o -f
[  0] 0x00000000000a0000 /Users/zhangxiaoliang/Library/Developer/Xcode/DerivedData/ShangXin-fqfhhkkpshfleqeggllubtmnpskg/Build/Products/Debug-iphoneos/ShangXin.app/ShangXin
[  1] 0x0000000101298000 /Users/zhangxiaoliang/Library/Developer/Xcode/iOS DeviceSupport/10.3 (14E277)/Symbols/usr/lib/dyld
[  2] 0x00000000049e0000 /Users/zhangxiaoliang/Library/Developer/Xcode/iOS DeviceSupport/10.3 (14E277)/Symbols/usr/lib/libc++.1.dylib
[  3] 0x0000000101320000 /Users/zhangxiaoliang/Library/Developer/Xcode/DerivedData/ShangXin-fqfhhkkpshfleqeggllubtmnpskg/Build/Products/Debug-iphoneos/ShangXin.app/Frameworks/RevealServer.framework/RevealServer
[  4] 0x00000000049e0000 /Users/zhangxiaoliang/Library/Developer/Xcode/iOS DeviceSupport/10.3 (14E277)/Symbols/usr/lib/libz.1.dylib
[  5] 0x00000000049e0000 /Users/zhangxiaoliang/Library/Developer/Xcode/iOS DeviceSupport/10.3 (14E277)/Symbols/System/Library/Frameworks/MobileCoreServices.framework/MobileCoreServices
[  6] 0x00000000049e0000 /Users/zhangxiaoliang/Library/Developer/Xcode/iOS DeviceSupport/10.3 (14E277)/Symbols/System/Library/Frameworks/AudioToolbox.framework/AudioToolbox
[  7] 0x00000000049e0000 /Users/zhangxiaoliang/Library/Developer/Xcode/iOS DeviceSupport/10.3 (14E277)/Symbols/System/Library/Frameworks/AssetsLibrary.framework/AssetsLibrary
[  8] 0x00000000049e0000 /Users/zhangxiaoliang/Library/Developer/Xcode/iOS DeviceSupport/10.3 (14E277)/Symbols/System/Library/Frameworks/AVFoundation.framework/AVFoundation
[  9] 0x00000000049e0000 /Users/zhangxiaoliang/Library/Developer/Xcode/iOS DeviceSupport/10.3 (14E277)/Symbols/System/Library/Frameworks/ImageIO.framework/ImageIO
[ 10] 0x00000000049e0000 /Users/zhangxiaoliang/Library/Developer/Xcode/iOS DeviceSupport/10.3 
此处省略N个动静态库的偏移信息

镜像地址如上：不知道为什么xcode 没给出 偏移后的地址。
其实上面的有个这样的信息：

Slide Address: 0x0000000100000000
Binary Image: ShangXin
Base Address: 0x00000001000a0000

Base Address: 0x00000001000a0000 = Slide Address: 0x0000000100000000 + 0x00000000000a0000 ;
0x00000000000a0000是随机值，每次都不一样。Slide Address 在ios 貌似永远是0x0000000100000000。和hoper 里面里面 从0x0000000100000000开始 是一样的。

上面：

 3   ShangXin                            0x0000000100402198 -[SXHomeViewController viewDidLoad] + 84 

就是崩溃点，崩溃信息 永远都是最后的APPName 地址处导致崩溃。其他都是都是苹果的动静态库，是没有错的。
上面的stack 地址 ： 0x0000000100402198 = -[SXHomeViewController viewDidLoad] +84；
0x0000000100402198 - randomization地址（0x00000000000a000） = -[SXHomeViewController viewDidLoad] (hopper 里面的地址，内存中的地址是要 减去 0x00000000000a000) + 86（此处要换算为16进制）；

有图有证据：

WX20170523-134749@2x.png

0000000100362144 + 0x54(86) = 0x0000000100402198 - randomization地址（0x00000000000a000）；

定位到汇编的 0000000100362198 ldur x1, [x29, #0xffffffe8]
所以我们可以这样找崩溃信息，虽有一点偏差，差一行代码。

手机上的显示崩溃日志跟这个稍微不一样：

Snip20170523_2.png

Last Exception Backtrace:
0   CoreFoundation                  0x186026fd8 __exceptionPreprocess + 124
1   libobjc.A.dylib                 0x184a88538 objc_exception_throw + 56
2   CoreFoundation                  0x18602def4 -[NSObject(NSObject) doesNotRecognizeSelector:] + 140
3   ShangXin                        0x100406198 0x1000a4000 + 3547544
4   ShangXin                        0x1006057b8 0x1000a4000 + 5642168

发现此处 ：

 3   ShangXin                       0x100406198 0x1000a4000 + 3547544
4   ShangXin                        0x1006057b8 0x1000a4000 + 5642168

0x100406198 = 0x1000a4000 + 0x362198 （3547544）
苹果给出 镜像 地址列表和xcode 里面不一样：
Binary Images:

0x1000a4000 - 0x100923fff ShangXin arm64  <a558f24e26fd31b3b23d241289ff6d44> /var/containers/Bundle/Application/D1A648DA-6D9F-490D-913A-ABE73433F222/ShangXin.app/ShangXin

直接给出了偏移后的地址。
xocde 里面只会给出偏移随机值；
所以要从手机上看出的日志在hopper里面找 是这样的： 0x1000a4000 - 0xa4000 + 0x362198(3547544) ;

0x1000a4000 - 0xa4000(randomization地址)+ 0x362198(3547544) = -[SXHomeViewController viewDidLoad](hopper 里面的地址0x100362144) +0x54 (86（此处要换算为16进制）)

。我们来看看友盟怎么给我们传回数据呢

WX20170523-135528@2x.png

可能是我打开了生成DYSM文件吧。这个直接在hopper 搜 0x100362198 即可找到崩溃位置。但是大多时候给我的是内存地址。

最后总结下：
Base Address = Slide Address + 偏移；

stack address = 函数地址+ 代码偏移(函数内部偏移) ；
stack address = Base Address + 函数偏移(hopper中位置 - 0x100000000 (Slide Address)) +代码偏移(函数内部偏移)；

xcode：
直接在xocde里面根据崩溃函数名找，或者用 stack address - app可执行文件（偏移），在hopper里面看。
手机崩溃日志：
stack address - 偏移在hopper 找，偏移 = Base Address - Slide Address， Slide Address貌似永远是0x100000000;
友盟：
直接根据 崩溃的地址找