Incorrect kCSNow
It seems kCSNow is 0x8000000000000000llu instead of 0x80000000u. This makes sense, as the time parameters are uint64_t: the sentinel is the top bit of a 64-bit value, not of a 32-bit one.
This can be checked by, for example, disassembling the 64-bit slice of /usr/lib/libdtrace.dylib at the function symbolOwnerForName:
Source:
CSSymbolOwnerRef symbolOwnerForName(CSSymbolicatorRef symbolicator, const char* name) {
// Check for a.out specifically
if (strcmp(name, "a.out") == 0) {
__block CSSymbolOwnerRef owner = kCSNull;
if (CSSymbolicatorForeachSymbolOwnerWithFlagsAtTime(symbolicator, kCSSymbolOwnerIsAOut, kCSNow, ^(CSSymbolOwnerRef t) { owner = t; }) == 1) {
return owner;
}
return kCSNull;
}
…
Disassembly:
_symbolOwnerForName:
000000000003a028 55 pushq %rbp ; XREF=_Pxlookup_by_name+89, _Plmid_to_map+42, _Psymbol_iter_by_addr+95
000000000003a029 4889E5 movq %rsp, %rbp
000000000003a02c 4157 pushq %r15
000000000003a02e 4156 pushq %r14
000000000003a030 4155 pushq %r13
000000000003a032 4154 pushq %r12
000000000003a034 53 pushq %rbx
000000000003a035 4881ECD8000000 subq $0xd8, %rsp
000000000003a03c 4889D3 movq %rdx, %rbx ; const char* name
000000000003a03f 4989F7 movq %rsi, %r15 ; CSSymbolicatorRef symbolicator
000000000003a042 4989FC movq %rdi, %r12
000000000003a045 488D35CC4C0300 leaq %ds:0x6ed18, %rsi ; "a.out", argument "s2" for method imp___stubs__strcmp
000000000003a04c 4889DF movq %rbx, %rdi ; argument "s1" for method imp___stubs__strcmp
000000000003a04f E868F80100 callq $imp___stubs__strcmp
000000000003a054 85C0 testl %eax, %eax
000000000003a056 0F8481010000 jeq $0x3a1dd
000000000003a05c 48C745B000000000 movq $0x0, %ss:var_50(%rbp)
000000000003a064 4C8D6DB0 leaq %ss:var_50(%rbp), %r13
000000000003a068 4C896DB8 movq %r13, %ss:var_48(%rbp)
000000000003a06c C745C000000000 movl $0x0, %ss:var_40(%rbp)
000000000003a073 C745C428000000 movl $0x28, %ss:var_3C(%rbp)
000000000003a07a 48C745D000000000 movq $0x0, %ss:var_30(%rbp)
000000000003a082 48C745C800000000 movq $0x0, %ss:var_38(%rbp)
000000000003a08a 4C8B35778F0300 movq %ds:imp___got___NSConcreteStackBlock, %r14
000000000003a091 4C89B560FFFFFF movq %r14, %ss:var_A0(%rbp)
000000000003a098 C78568FFFFFF00000042 movl $0x42000000, %ss:var_98(%rbp)
000000000003a0a2 C7856CFFFFFF00000000 movl $0x0, %ss:var_94(%rbp)
000000000003a0ac 488D0540020000 leaq %ds:___symbolOwnerForName_block_invoke2, %rax
000000000003a0b3 48898570FFFFFF movq %rax, %ss:var_90(%rbp)
000000000003a0ba 488D051F250400 leaq %ds:___block_descriptor_tmp5, %rax
000000000003a0c1 48898578FFFFFF movq %rax, %ss:var_88(%rbp)
000000000003a0c8 4C896D80 movq %r13, %ss:var_80(%rbp)
000000000003a0cc 4C8D8560FFFFFF leaq %ss:var_A0(%rbp), %r8 ; argument "iterator" for method imp___stubs__CSSymbolicatorForeachSymbolOwnerWithPathAtTime
000000000003a0d3 4C89E7 movq %r12, %rdi ; argument #1 for method imp___stubs__CSSymbolicatorForeachSymbolOwnerWithPathAtTime
000000000003a0d6 4C89FE movq %r15, %rsi ; argument "symbolicator" for method imp___stubs__CSSymbolicatorForeachSymbolOwnerWithPathAtTime
000000000003a0d9 4889DA movq %rbx, %rdx ; argument "name" for method imp___stubs__CSSymbolicatorForeachSymbolOwnerWithPathAtTime
000000000003a0dc 48B90000000000000080 movabsq $0x8000000000000000, %rcx ; argument "time" for method imp___stubs__CSSymbolicatorForeachSymbolOwnerWithPathAtTime
000000000003a0e6 E88DF30100 callq $imp___stubs__CSSymbolicatorForeachSymbolOwnerWithPathAtTime
000000000003a0eb 4885C0 testq %rax, %rax
000000000003a0ee 0F85D2000000 jneq $0x3a1c6
Looking at the i386 disassembly, it stores 0x0 at 0xC(%esp) and 0x80000000 at 0x10(%esp), which is consistent with the low and high 32-bit halves of a single 64-bit 0x8000000000000000 (low word at the lower address):
...
00040a2e movl $0x80000000, %eax ## imm = 0x80000000
00040a33 movl %eax, 0x10(%esp)
00040a37 movl %ebx, 0x8(%esp)
00040a3b movl 0xc(%ebp), %eax
00040a3e movl %eax, 0x4(%esp)
00040a42 movl 0x8(%ebp), %eax
00040a45 movl %eax, (%esp)
00040a48 movl $0x0, 0xc(%esp)
00040a50 calll 0x60a10 ## symbol stub for: _CSSymbolicatorForeachSymbolOwnerWithPathAtTime
...
Hopper pseudocode comparison between i386 vs x86_64:
rax = CSSymbolicatorForeachSymbolOwnerWithFlagsAtTime(r12, r15, 0x10, 0x8000000000000000, __NSConcreteStackBlock);
eax = CSSymbolicatorForeachSymbolOwnerWithFlagsAtTime(arg0, arg1, 0x10, 0x0, 0x80000000, __NSConcreteStackBlock);
Perhaps these are two separate 32-bit arguments rather than one 64-bit value? The first one could be a boolean (0x0 or 0x1).
For instance, take a look at CSSymbolicatorCopyDescriptionWithIndent (i386) in /System/Library/PrivateFrameworks/CoreSymbolication.framework/Versions/A/CoreSymbolication:
...
#0x8000000000000001 for x86_64
000283da mov dword [ss:esp+0xc], 0x80000000
000283e2 mov dword [ss:esp+0x8], 0x1
000283ea call _CSSymbolicatorForeachSymbolOwnerAtTime
...
There are a couple of other references to 0x8000000000000001 as well.
Another constant could be created for 0x8000000000000001 if the two arguments really are tied together, but I've no idea what it means.