Matching up offsets in iOS crash dump to disassembled binary

Question

I\'m having trouble matching up the offsets in the stack traces of iOS crash dumps with offsets in the disassembly of the binary as output by otool.

Can anybody confirm

Answer 1

Provided that myapp did not strip out symbols you'll be able to use atos.

You can always man atos for more details but this should be sufficient for your problem:

-o symbol_file # debugging information output by the compiler this may be a dSYM or the binary itself depending on who you saved symbol information
-l load address # the base address in the process space at which your library is loaded into the springboard process (Looks like 0x1000)
Also a list of addresses you wish to symbolicate

Usage:
    atos -o myapp -l 0x1000 0x00005b0a 0x0005bca ... etc

That output should be a list of symbol names to the terminal. Again, this requires that the myapp did not have symbols stripped out.

Answer 2

Add the virtual address of the __TEXT segment to the relative address given in the crash dump. The result is the address to look up in the disassembly. Here are the steps:

1. Use otool -lv <application-binary> to dump the load commands from the application binary. Look for the load command for the __TEXT segment and the associated value for vmaddr, typically 0x1000. You don't need the information about the __text section that is shown above, just the information about the segment.

2. In the crash dump, addresses in the call stack are given in the form 0x00124ff4 0xf4000 + 200692. The last part is an offset within the binary in decimal. Add this to the value obtained in step 1 and convert to hexadecimal. In this example, we would calculate 0x1000 + 200692 which is 0x31ff4 in hex.

3. Use otool -tV <application-binary> to dump disassembly for the application binary. Locate the address obtained in step 2 (0x31ff4 in this example). For the topmost frame of the call stack this is where the application crashed. For all other levels, at the calculated address should be a branch instruction which corresponds to the next higher level in the stack.