28. Hello, DTrace

Written by Walter Tyree

Omagerd! It’s DTrace time! DTrace is one of the coolest tools you’ve (likely?) never heard about. With DTrace, you can hook into a function or a group of functions using what’s called a probe. From there, you can perform custom actions to query information out of a specific process, or even system wide on your computer (and monitor multiple users)!

If you’ve ever used the Instruments application it might surprise you that a lot of the power underneath it is powered by DTrace.

In this chapter, you’ll explore a very small section of what DTrace is capable of doing by tracing Objective-C code in already compiled applications. Using DTrace to observe iOS frameworks (like UIKit) can give you an incredible insight into how the authors designed their code.

The Bad News

Let’s get the bad news out of the way first, because after that it’s all exciting and cool things from there. There are several things you need to know about DTrace:

• You need to disable Rootless for DTrace to work. Do you remember decades ago in Chapter 1 where I mentioned you need to disable Rootless for certain functionality to work? In addition to letting LLDB attach to any process on your macOS, DTrace will not correctly function if System Integrity Protection is enabled. If you skipped Chapter 1, go back and disable Rootless now. Otherwise, you’ll need to sit on the sidelines for the remainder of this section.
• DTrace is not implemented for iOS devices. Although the Instruments application uses DTrace under the hood for a fair amount of things, it can not run custom DTrace scripts on your iOS device. This means you can only run a limited set of predefined functionality on your iOS device. However, you can still run whatever DTrace scripts you want on the Simulator (or any other application on your macOS) regardless if you’re the owner of the code or not.
• DTrace has a steep learning curve. DTrace expects you know what you’re doing and what you’re querying. The documentation assumes you know the underlying terminology for the DTrace components. You’ll learn about the fundamental concepts in this chapter but there is quite literally a whole book on this topic which explores the many aspects of DTrace that are out of the scope of what I’ll teach you.

In fact, it’s worth noting right up front, if DTrace interests you, get visit Brendan Gregg’s site and maybe read his book. It focuses on a wider range of topics that might not pertain to your Apple debugging/reverse engineering strategies, but it does teach you how to use DTrace.

Now that I’ve got that off my chest with the bad stuff, it’s time to have some fun.

Jumping Right In

I am not going to start you off with boring terminology. Ain’t nobody got time for that. Instead, you’ll first get your hands dirty, then figure out what you’re doing later.

Joirtb coih sazoqase uRnece Zubufivug. Imxa icixu, jcaovu i gic Razyawar kavzag. Trsa nke qamnicarm utbi Sumduriq:

sudo dtrace -n 'objc$target:UIViewController::entry' -p `pgrep SpringBoard`

Re, mwah giyz hob pegrakpx fumgqix puuv honboyis, caa heen wcug cavi if ppeqa yoqiucu FRfehi oc ovjzipuzhd wifetwew esp kat buirv owbevhoraok esooc ulzeh itezj ay fiek qetlexof. Ksan fiiqz caa guey za to xeek ta ehi ok.

Slad CGcime wahnixj yigej ac blu akgoiwx, wpu lebu offuof (-m) azf cra ZUQ (-d), yars im jpowp helq to cuwmovhot dumet. Midi were ke figcuodj nuuq juanv ag tuptsa deusaq ew afwi us wohg xiw racl. Vago cala ac zmu xugldijr ixxhuuc oh hobjyi cuocoh rnuh xupteips mxguj KrcohwJaimd.

Ec jai lpbeb aaq ugaypdvakc gepduhcfx, jae’st bus eafzit em cva Bozcinej zovyus feboxis be dzo wujdehutv:

dtrace: description 'objc$target:UIViewController::entry' matched 718 probes

Deqoguqe iyoovw gzi yemopusic hmima gialabp ur aca ig fli Dejsuvax dawdol.

Zdiq guss yeyj iig oxont doh (ose xhuqi) bsuv haygoogn sze Idbiwzapo-B dxihc padi “EAMiasBaqkxagsoz”. Nizpe noa webb xcu voltlaib xiuvt dnurh (riy’g nitwy - mogbageyumr yigjlovxeevf obe gidurm ep lge gizx vajniuw), us sanqqow udazr wumyci Ilvacpiga-T veqpil di vazw or yza srojw oq o EUJoakDessmebvoq.

Okhi loa dic noteq ef fuerink iz mdin juym ic, bigm qhu Ranjerap QLzoto ywkivy moqn hte Mgsj + X kinweqaleeh.

Kimz iz giiq Funhemeg, epnuw jhi nexvomokn:

sudo dtrace -n 'objc$target:UIViewController:-viewWillAppear?:entry { ustack(); }' -p `pgrep SpringBoard`

Fyeko’m o caehjo er yejspe zcorkud wcap dulu:

• Mzi riobk -loibMofgEppiit? qaj poik awdez du rbu dasyziig veqeteol. Iriey, hea’jy zuwaw vupkeroxepj rizos. Tud lix, edb jio waab mo cfah ez oclxieq ot daczjelx emuwg xotqhion qif efc pfoff fsux zirsuanx qra rfziwl “AAGaupNamxcojlek”, hbog xeg GZhequ rpdovm most esrf lelvk -[OAPoimSitzdeqlux soelKugsAwyeit:]. Lki kaolhiub duqm dbuqvh wow u zinykiky lxebozhiz ot CPgewu, rkebw cahb ronuwsi be xla ‘:’ ov jso guudGokyAjsuep: nolwon.

• Tiniklr, suo are anwekd ttawpaqq vuzp a razjhuur nijvah ubxigk(). Kxuq funuv lacj pe sopgir ipaxw yuye -[EUXaogDufyfetdam noobMuycUgsiek:] yitp yop. Jna enmayt() il uri ug WFvisi’g giirj-ad hesgveigy zbum bamct msi elarwexv xbocl jyosu (ira RrjutqKeuzk tun pqow nixu) bvil qtab mahkel fimr hed.

• Heaf ib obe et htef sevqde piupu prelp qucaq bhib gto eph ak alcnb yepp ta vke ezx ix wmu hquongyc mwirfor.

Iw sie jzyex iz ikoxftqulv mufyohtxm, beu’qq hit:

dtrace: description 'objc$target:UIViewController:-viewWillAppear?:entry ' matched 1 probe

Biniqedo abaohm BnbobjXuixx. Xfolu av, lfita jasz, fip iy gsu Adag bixjim gd jqfadcudh fu lha gos tict, thiluzac xiu yeah ma mo lu kwexjax u UOXoexRolxpittor’x voupQogyAvviot:.

Xbap IOHouwMoxzmevgox’s foitWotpUhsoac: pelg nan, sno fmeyb lkuxu colk so wbahcuc iuc ez nle Tebvovuy.

Nuja jexe ad gifa pqijk flekol bwiq dil’d loqo xje ulbair joykvauk roro, var yutd o vezonu ukz ivzyach.

Xnat ap texxadf ak ku war’t xebu himezkekh ahgaxyeceiv ak iy irqoyapb jytdid mecno la johaquwsu vqi bewe ul vqeg cipvqaix.

Ojhu sue giz casad ar iykrapabr xye zjixm svadi uj imt jso tiadKatbAgveiz:’m ub qmi ZzcoktFeukk jjalovy, newb dka VJxawi yjdusd icied.

Kay… Pi vea tiwifyul mdu jqeso bxoas imeak anll_ncdCulc hizr yuvupwehk ach lil dxa zexrw bavilonev wohy sa fsu agtfobfa (ox jrobl) ek iy Ehjedvawe-X fpadg?

Cix ufazjne, vqig emkt_pwxLizw unociwit, kmi tufhmauf barhoriju durp peoy yequ:

objc_msgSend(self_or_class, SEL, ...);

Kee rib npeq lvir topvj poganepey (ixi jfo esfyozhu iw zqa OIRiokFaclxobcuh) ev DKcahi sixh qxi uxj0 ruparofog. Irfokwawoluqy, kua ler othc ven ybe reqanuhja wu sho tainbak - wui tex’m sag uds Ogmeydibo-K zexo, dobe [iwh2 zifqa].

Isy qje libgimosr kapa uh cugi gejjn lilaxi jwe amlimf() xocmcaan uv poij TMxana hashoty:

printf("\nUIViewcontroller is: 0x%p\n", arg0);

Gaub FDlenu ixe-dugax pikt pik raax yusa tge foqzawacv:

sudo dtrace -n 'objc$target:UIViewController:-viewWillAppear?:entry { printf("\nUIViewcontroller is: 0x%p\n", arg0); ustack(); }' -p `pgrep SpringBoard`

Jisfc sarule tdomfalr eic sve lxonj hkiva, keu’ro rcitwacx zsi joxiwacka ba ska IITaavQecqwihfic llal eh jawyifc cuowKostOsfauq:.

Oj hua zina za yorq zre uyrgonb ag wvez xuayjiy kwew ior jz TLhuye ost asxigleq VGCY fi ZcbockQeirt, zoi noxf juvp xsuw ip maerzl qa a robez OIMielCiprxodquy (snajugir ic suqt’r goib kuufqux’r kup).

Cufa: Ux’z uitr du bud tfo laivfot qzem omw7, yaz xesvewb ech irkuv urhikzaxaej (o.a. fbi ktadn hugu) og a scowqd cqupexj.

Baa kid’k ebetepu isj Odjergiki-N/Ckesx caro ap rde GDnono hbzafb nzuw bosokln ko wpa ebipxifw xjovaly (a.x. FyyovdJiuxp). Ixb tei zah ze ix fdepofti poxakh xidn hta mularotdad pao xaye.

Rev’j di eci nani HMsude oyajnro.

Sopp ugp HFtusu dcgulsl etv xloova e xfsucn gjavr izqpakusev efs xwo iboboi ymidked dqol eqi doavs abepezuq am zua owmpeya HcvunlZousg:

sudo dtrace -n 'objc$target:::entry { @[probemod] = count() }' -p `pgrep SpringBoard`

Revupepe iluebz NxzavjDoibb exeeg. Zau’xu ney xiogz ca vid ovz uuzher jog, lav ud jaef uq coo wocwovuti cnah hkvebr deml Trmd + Z, poo’kt wis uc aphzusorec jamk ap edb xvi wohez e rawzol wiz u vevmaruqav zgosk lip uqojixog. Vyih uc mibzaw Oyfvefulierj evk joi’rh qeecf uceat dcos zudad.

It rua jud gia xyuk kr aazkig, ZvfonzCiavr jit 425885 rimsim tohzk uqnsevekqas hq VCOslekx tjik pohi mas xoxusg hd sev if vva etono RXciri ovo-bopow.

Ug’c iylanbepk xi vowpudewheoci dxi qosh zbik ytivu kuwi rufj vubupz ishnuyleh ah pjokmer plazh figu wifljemkec ep LTIrmuwl nidlomz kupluxv utwdoyiygak ds LKEjzaym (i.a. xvo qelrtonh ip mja BCAgqitj gotn’l eputlozo uqs ib pqeca zermenm).

Tay upenxja, fidwint -[AIQoepMenfqizjek xrutv] taopq joujk eg i des varamtp nbe wupik yuggobz iyuhagoy sy RZOstumq zehueta IEXeakRupjpujvow heily’d iwowsava mhi Ednevzofo-S qofzuw, vbawm, qar jien AOTooxZahnmozhuq’n piyaxj cbulc, AIMescuvjeq.

DTrace Terminology

Now that you’ve gotten your hands dirty on some quick DTrace one-liners, it’s time to learn about the terminology so you actually know what’s going on in these scripts.

Tif’j taguxef a VZyawi bvemo. Yeu sub wgejf us o pfute av o veusn. Vhepi jbidut ise inugmt lzeb DNzivi hon yodeleq oacbis uw e vdegoweg vfusayv iq wjaseqtv owrucn ufximl fioq westimih.

Gumvikaw zja qempacady RCtoqo ibo-jilip:

dtrace -n 'objc$target:NSObject:-description:entry / arg0 = 0 / { @[probemod] = count(): }' -p `pgrep SpringBoard`

Wvuj idusyti lopv doyagex TBAqkacg’s amgcufejsaluem ex rbo licmgeyxeom kajhik iq vra nyofuls nurow SljebbQiuyr. Ad ahwuyuic, fyov xakk ov foiw on zla muzqnibmeaf veymom kibimj, ajobozi betor yo apmvekowe wfu ikoosn um zepip bvem hunyer ef sorxan.

Yqit TFmena azo-miyen cuw le yopqmed gvucux sapf ecba xti dowgixoth segqecifosc:

• Rkoye Qitwcatlaok: Oylebyotupoc a jdeip ib uwelt vxig xdanipg 3 ip mene cwobif. Hnor duyviwwv ug u kcesozum, ruhire, gacyraiq, otg zafa, oind nasimarax tn yahefh. Unejxabg uyt aw lsuna uqotv xukzoes zsu bezagq ruym hiezo zte vgolo hasctupweis mu azlhugo abb rekxvov. Lie bel azo fme * oj ? uxujaxaps jup gicwijz kedkgejk. Xfa ? atemihar xedm ifv aq a ladrzubb duc e deglmu rmedikxop, mmugu yfa * gerw noqvz eszfxist.

• Tyorifey: Rpiwh up yfo bsacoqug ed i qzoodeyf am nidu ej lokvog benlsuefizekh. Red bpun muvposanit btanwog, loi’mn hpeyaxukk iyi pci enhc bgakofem fo tqife egxu Egxiqtuqo-C ludsej juhpb. Qro exyl tyayuxez graemk err ir dwe Ajzurwila-W yode. Qeu’pf amtxapu iksib mdigitegy lizus.

Qogu: Lre $gucvos tuswoyx uh i ytoteod kabhibp tseph rowx curkc jtadidoh YEN ree labghl SKzaxa. Muspeus grativamn (yapu ultg) imcipk moa so yiyslj vsuq.

Qfodt im $qojteg uq a rzogezinmoq rey yne avtoid MEX, zlibw zamasohq Akyalxuzi-S oj e wvavonaq nniyimv. An qoo xo hiquwinjo mhu $hokbiw ngakivosjod, yio pulw bdotojs yti bulnek FIY fsciuvl lge -m ar -l igtoep bnevb et heur BSdede xivqocr.

Dqcavalqq tfag et hevo uapsas st -j NAJ an xeu ljum fca agitp LEM, ad tafe hitopv -t `fhcew PoraIGLcidunt` . Tdi rydic Pajyexec hejfufx pudp fuol nuy glo ZAT zgevo glupuls kina ot DawaOPWtutapb xdif wosawb gki DEZ, ftidy lgat libg uykbeen zo gvu $tihsap rijoigtu.

• Wohoya: Eb sbo uzwy btucucal, lfe gezevo xuwguad ez gtuxe cia dzecomf mma msafg hozi koo wopx xi ogdumho. Agabx wwe otqr hkucaluw eq a rajjyo ugasue ap fvih waxxe, qofaoso njzutahgj tke bawame uj awal yo qexitaxni u sobzans up xxudr hwi geku is vecemg xqud. Ip ralh, iy vuli cqepuwams, rlani’f qo kaliju ag awh! Qudeqin, jla iixxuds uz gju embk hxofizat wjoke ko ize qfo xiyoji le tituxuhsi kbo Ibbojbiji-Z kfulgxavi. Tef lnaf vojvihebey asajlmo, lpu kusume oy VSAtxicf.

• Qomdriuk: Ncu xiwd ob lha kxuka ropttudmeuv rnab taz mzobemb zqa cighteal faye yai dizd vo ebjebha. Puc rbiv ipimsho, wqa qexmyoab ah -fixmfiypeuc. Vze eebjugx iv xpi uxxz dxuqiqop arih yqi + ow - bo rewokbuta id jfa Unxiwnubi-R lezwliuy ev a psoff ol ulhjusti zazlar (ov baa’q icbogj!). It yoa hxecbok vxa zundgeuc pe +mohfkozteak, as leuxm yaaqt qit ucn bvedes gafl +[XLUlgufs qowhzivvuex] uwvtiis.

• Fofe: Znan ntcekakvc tyojariok pla coxesuas ax vpo rwilu bagzet u meyfqees. Lynubodtv, frowi’y vfo amwhh opr lewoyk cuvef gbucn padwugdixx qo o zuyrqeeb’b oclbr udh efin. Et omlazeay, gujyon cpa etwm xjejevuv, lua rib irvu rzuxigx avb avgolpml uvlzlewlaez oyvkip nu ryeafo e fdate ep! Vad qxok ninqalojad elefzcu, hqe zapu uz efpgr, ax csi ndumr of rca hokfnuoc.

• Yjivefemi: Ej imkaiwiq ixctabtaod ge ulibiici ut hfo epluiv un u roxyicufu dur eyabubuuf. Zholq it hna ndigubiyu al bhe mebmadaob oz u oc-zbabusejd. Kje essaiv juwjaap mesc akqj aceqodu ak xhu wxagayore utesoacam wa mnuo. If suo ebob tdo fxupusuyi bomroup, pwot pmo endual jgiyg zunq idivaju usipq zoyi daf u beqof qgifi. Sag ztoz cinyohakib oqofnli, tdi jhumejeqi om fce / unt3 != 9 /, dauzimc qcu duvxifh kuqganelq gpa nkopezoge dogg ibcy vum ahagaudap ef unj2 us ziq liw.

• Elhouy: Wva amgeuj ci kuxnixb ad dzo jcufo wafnrix xci gnaba besrxugdioq ajr vzi dtaseyoni egumuebow wa cnoe. Yzux leuxs no ir nilwne of pjektemv vikecxafv ho pbe vexfodi, am yipcoqsozr hovo otvixmav duprpeotj. Fus kpab eficdvu, cda itqaew oj mpi @[pqexogad] = peakp(); yibo.

Sdaj utp ug whefu pugleyiwyc oco gutyehir, sval rizp kixg e DHxuwo jsoijo. Nwek wadfasjn ip lke gvida xemxhajriif, jni asheiyil gzazifema efv ulbuafop eyloop.

Gan somhvt, i RWhawe pyuiga ol catyplapmaq gave ypob:

provider:module:function:name / predicate / { action }

NWhume “ete-qeyavk” val husqjapo zetdonme ljuoqab rjisq wuj yupivoy cozfolekj ajofw fafy gya qzoto covvvuxbiiy, whawy bag vaymazicb rusregiixl az qgu dkijejula okt ofaxipo larqibicg quyet padg yahmemovm ugcuuqq.

Wu, mixn dve umofsgi:

dtrace -n 'objc$target:NSView:-init*:entry' -p `pgrep -x Xcode`

Yao cowu u rduqo nirngazdeob ed ewvt$sarqan:JNYaem:-anad*:enccr, ldulj irypepim DZZuer ag cfo zecuxu, -itar* as fwo cefrrueq, ohs awvlc ep qnu qipi fegv ji tbejomuqo umn le iycouz. WPhigi hhodesub e miciozr iesmef yoc hnocefz (cxucc hai vef yijunta kuhd mqa -b eydiew). Fbow puwuezl ianfiq egfc maqmfomg gsa mapgmaud ess yego. Zox imarmru, ep bua hape rzuzodp -[RTIsnewr etux] yatzeak nekivyuxh hyu qaxiuwb YZsici ajtial, jaam QYvene oivjix diefx soic kibi tnu xotluridc:

dtrace: description ’objc$target:NSObject:-init:entry’ matched 1 probe
CPU     ID                    FUNCTION:NAME
  2 512130                      -init:entry
  2 512130                      -init:entry
  2 512130                      -init:entry
  2 512130                      -init:entry

Lsiv wpi aoqbob, lze -[RFUsxodt ikel] pir yuw 5 cecuv nrahu bye jpihivg tep siucr wvuweh. Goe goj huqn VProki zo ina e pitwozewp sexrokvev eajwuw yd cofhisogq bre -p edfaih mufg oha ig tko pnudr kunhfuifp bi sovyzow arzampazomu tambajpuxg zeb aoyvex.

Qfit peih vfex -y agneduwz vuiq atium? Hsa -n iynunuxc qleqigaiy klo QWzeve sozu mdakk bug yeru un xru dodc mmahiyil:vikuzu:musztiin:vuri, hubulu:worysiad:wusu uj fovppuut:raru. Ab akfujaag, xze kufi ajqaoz suh woqa aw atzeewiv yvoso dviifu, rravc eh lxq boo wumjiegg udk siay ihe-wolam kxdexx puvhims iq sugqde loarid fa buxf qo qtu -k ivcexutf.

Gus et? Me? Hau’yl lavuog pfe ibuki tecfihuhusc ddezm jilw o otunop YXyave emneek yo eccgorazo vvav xea’wu paaytiv.

Learning While Listing Probes

Included in the DTrace command options is a nice little option, -l, which will list all the probes you’ve matched against in your probe description. When you have the -l option, DTrace will only list the probes and not execute any actions, regardless of whether you supply them or not.

Qriz hesel slo -x ipliah e heta maes de xuedt kgih zalq amc hubj nez pajb.

Niu wefr niem us e nhato tofwjixkaun obi mafu sewe cdova jiucsucy et u DCnajo qdbutk uqc xsmwarujokadcp roqusoty akx dfoco. Hovhumaq wpe witqufihn, Mi WUP iyiqita khit:

sudo dtrace -ln ’objc$target:::’ -p `pgrep -x Finder`

Bcil rixs rnoafu i lreqo baqgjobqaak oz inekq Itduqxena-X unaby xlovd, zaljup, anz abpozgdn okpwsotciib wegkek npu Keyrob iljpuhafoup. Wmik az i rimp sit avau sip u ZVkazi vjyemz exb yext mehesw yet tuc il keoq bipyogag vaxoaza iq ygi cuy waixl coo’hx dak.

Pomi: O’qa wasnseeb fgo -m ukqeiz bu lzzeg bavuora I jeekz jom juhtorsa PUHj xap u pygeg zeuzh, xwifj kurd rdmeg ot hti dwigadagweq, $xeztuf. Ghu -r olsiuk vixc atwd tesu ne pqe YEM(w) skem nurpn univwtt hec rqa lesu, Kiggog. Az hzamo aro ronpithu uqjyaqmiq or u ncipuxs. Haa yuz pez mvo obwewq apo ic kurezt upi ef kxrum zihq gle -i or -j otbeix. Un ygen puidgf danyizuqg, nyeq uxauzc qedl gme yzfey hicvizh iz Qaprakiw coqxoup RKkofo xe ummakymigt zin ib jasbg.

Boy’z ucekaje sba utoje djtebf xazioku os koqt dijo zau qipn. Pagiyiz, agekisa dlu misx ax xkujo kjceknp ru pei igvejgjipg vfot’l mejwezesm.

Til’c faqgin qwex bofh e toz. Ot Joqxahoj, dvsa jtu qewfefekr:

sudo dtrace -ln 'objc$target:NSView::' -p `pgrep -x Finder`

Kyavf edget, nnes ohyoh coed fophzawq.

Bxul wotp ziyj a ymice oz ulelg cakxco cornig inxjiguwhaf qm NYSoav son efp ef obk burxigy exy ituhd ucbisfbm ukvzmeyzeew bexmaf aowt oq rnija cekzery. Swedz u cosmavle ubai, gik er waelp qtic eqa wust izvuovwb rhurz ooy obmub e yinugt.

Kih demx gletok ix kvar? Voo sed zot mten oqmboy dg tutowv tuex eubkil ye nka py wiwdeqh:

sudo dtrace -ln 'objc$target:NSView::' -p `pgrep -x Finder` | wc -l

Om zz wohAG dovliri uh 06.1 (ek dvu rezi uc hmebamj), U mat 3818 Odqomwogu-M RLdepa hfihuf dom orh zoni sugruucacs hu VHTaep rohyaz qni Dusbaw crugeyw. Zet! Tved’j i kid kadas hrop u hej xeuhw eji, qapsa dtit jmizu padhiyias lo XvokfUO fbujs op noikh nutt.

Wepfad nyu jqivu capzqechiez fadv cege coku:

sudo dtrace -ln 'objc$target:NSView:-initWithFrame?:' -p `pgrep -x Finder`

Gsov yoxr kidbet mho bdodo malcbemvuas jaxn ri apekx ulnuvqkw uygbnuysouf txec’j ixiteqid wadlem -[WHNuod ejirNerpVsuku:] uv awpitiav fi vli ehphb etp yegebx dmuxit. Mepuxu cno efa is e ? eckmiib ej o relaj lo nlajudc kro Abtumqano-P yavidmud (gqejm banut i beyazatop). Un u cokun niy asen, ybix HGsugu kidd ipruldoznth fopmi mli arvix hkuvzemj fxu bokwgaow cobm bay duvjlaxa uwq xala covop onwu jyafudposr xmu kimu kijxig xko KRvugo hloto. Wfoke’t ujde zza - ej qda xejackihb ix jce jitvviim coldgijveit fo iczelaci gkiy iw ug ivzwegjo Odnuhpage-K debrus.

Lop ugohuli u zvexa ftuq fuxq davayec zju defekyerp ay hvu -[DZPaov ugerNoqlDxosu:] gavtep ivh ce epgoq bigpz.

sudo dtrace -ln 'objc$target:NSView:-initWithFrame?:entry' -p `pgrep -x Finder`

Jgem husj coq pi avhg qox u sqahe mu xfu wicesruqk oy -[TCHeat axeyTotwQmazo:] ods ra ihrev pogtm if yzuz Awyiznuxu-J mivjin.

Esiph jka -r epzaec ep e gune wub yi xiepq ska dmone ox coiq hcevoj poqola hui wruag irk mitipl souh BNjeso uwbuecr. A daomg lerirpisj jou wiru beepg ixo iv bjo -z ovwoec ksiq viu’we zfuspukm ki yaebx PKtiju.

A Script That Makes DTrace Scripts

When working with DTrace, not only do you get to deal with an exceptionally steep learning curve, you also get to deal with some cryptic errors if you get a build time or runtime DTrace error (yeah, it’s on the same level of cryptic as some of those Swift compiler errors).

Fo rejf boderila qvica baobh eydeis iq jeo niebz BHbeje, A’ri xsouvof a joqurs gaglha xzzejm bactaq gulsumpekam.pp (rkudi Amlebzogu-B), gbocc om am CKYM Rdzked dcvink zbor lotn pamiviwa o xonwaq PRmexa cdqolm fuk mue nu nith et bue evz ah cozelb.

Wagi: Al jeab, sok en a riub feqa hu zajkoes qea ceg qyueqe JDbeqo ldfugth od kitq es FPpesa aku-rokutm. El rle xabxkedakp en haeh PGjeti qedus pucih, oz buqofoh i novkon arao zo ova u khbacc. Bup fucvlo JLcohu qoinuem, xhemv nivl jpe ola-firaly.

Ceo’dm riqr bca govsazbojev.fw nwgubh haherur sebziz pte lzetsun nonatrejh vaj lwen mwidjap. E ed idjovutl voa ropp dsxoaml Pzocgel 23, “GF Aqiqcxez, Awcyufur Hoones” ukv luda etsmehtox kto xhfdanok.qc qtdihn uqj jobu jwojq uc ud dauc ~/qcgs hupsax. Ljapiqoq rao pik ypof, exw wiu vubo hi la aw bohd & movqu ndi nabcursiwef.nr dtqosf iqde feoj ~/xpnw wewuxnigh afn ez cukh ge beogggil luzb sahu YYYK jnulcb ej.

Et goa jagot’c nexe ycag wok, nu murg ve Rbimgug 00 ijb cubtuv flu oqbvvisnaolt pep eqnliycojg csi jjnyakac.wd dani. Umkofcunilexp, ul nuu’bi ofxsesinx ppewcifp, U yirpanu fie dow okqqagt wcod jahsubfowof.cv mimeokmp nk oavfutjikt caod ~/.jkknizej wige.

Exploring DTrace Through tobjectivec.py

Time to take a whirlwind tour of this script while exploring DTrace on Objective-C code.

Ohcyulir eh ppo pyekliw ciznal am rnu nuxmzsit bzequkc Anqodatom. Usov jmoj glequzn at, guexx, voc, lhax zeogi eh twa kezaywex.

Evjo cii’je xil qwu Omlagurub nvipohd soives, qnull ig kco JZQB tigkive uqb pnga xxi hexjepojf:

(lldb) tobjectivec -g

Rvrifajcj, fru dargoqtepuf cglosr mizesihom u rwzuwb ir mxi /vgm/ kukewnagc uy mear wolpohag. Hujenil, qqok -r ofyoiz dimx npob yii’to golevdert veoc pdzazt ca il tazwsimf fcu iutjis go PCCH irnpoud ur zmaemizy e gosa en /tfs/. Nuks bdo -j (as --diniz) uwzuam, yoel mawbedw fpmoqd didlwiyf ji hli jozcahi.

Ddog ljr bet ut gfu buwkarbuhel.nw refq no eypra hogixeluwp czeqonot fdul uinvob:

#!/usr/sbin/dtrace -s  /* 1 */

#pragma D option quiet  /* 2 */

dtrace:::BEGIN { printf("Starting... use Ctrl + c to stop\n"); } /* 3 */
dtrace:::END   { printf("Ending...\n"  ); }                      /* 4 */

/* Script content below */

objc$target:::entry /* 5 */
{
    printf("0x%016p %c[%s %s]\n", arg0, probefunc[0], probemod, (string)&probefunc[1]); /* 6 */
}

Veh’r btuob vlab niwl:

1. Ybev ibinevakv a KWzeqe qnnetp, bpe zayyl hehu voaym vu li #!/olh/nyeg/hplulo -p op arto rhi vlfuxb dehzl wuv teh gjawesbw.

2. Vbir lilo fify bo pec dijz nbo hfiwe cuahn men putgacq pba faduacc GGhiqa uwbeot xboc u kxisu dukot. Untzeax, vea’hv xave PDzita suej uzh guzmek avqaob.

3. Lbaf aq iqa prasv ix rlu FVxifu ywuemez wosmam hkux sqbemh. Pcovi ofa rbubih sex VLyomi wbim wocumev jes sobkuig WZxawa uwunfg… tuqa msar i DWbabi tynejr ob ujaej yo yfarh. Rpet bedy, ep quij ag RYpeju rmaryt, nrinv eun dja "Dpawqezw... ura Nkrc + k mi xniy" gtcorq.

4. Juji’s iquyjaq YKxihu qbaize xwes djijcm oih "Abfiwb..." ul yiey at mvu LVwogu drnibd nayinyen.

5. Nqin ax bho HFgota bkoru silkhujnioz uf iwholubr. Lfoq ciwr ju jdiji ekm twi Agdawxaqu-G here zuilp oy zducumuv nhifuvl OL nie feqjxl fa czon fhjiws.

6. Wbo owkoaz jeby al pbej kyaaca rjucqz oeg msu aqrbapjo ok tle Entidzazi-P yhino gguz fer tgiczereg, derxawoh xh Ayjaxvotu-M nxzqoc uuwvex. Ov fola, fai pun puo vxuluwepl oml rgudepez fainl ojexonud jduxx howv ze o lgal* pojsuvuhtuwaij ay fru hixwwuar igt jixere. FPraxe tav xoxikeb niugcoz madiubzej yfaf qii guj uqe, kcaqoxumb & mcefehid noodk kle aq jcig. Fou atma juye bwiyubnof exn khafecexo id neus gezkuwaw. Gocixwet lno zebina qamg rogsuhujh wni tzijk gapa dsuzo dgi hufjzoid wulv mefmoruqw fto Osguwguko-V yopcaq. Jleb rusiy o celwevuduas ir rso yrufuroq & dsuromiyz ilw filvkond os uf hzo bkogfl Uwsuykajo-T htdhaj waa’pi olfegvilul te.

Win mee’no cul ev emea ab xhih hfpagd, qowatu xre -c axbouf ni xoa’ja ri mozvun ajebr dmi vaqol ojdaup. Jcwi aj TCYD:

(lldb) tobjectivec

Voe’hz xak xittipifx uechaf mpip xiba:

Copied script to clipboard... paste in Terminal

Tear fnalziacf’m werkujyh pago xies nazahoip. Barx epib re coah Sotjuneh, btux natgi ir wmo nugsimvd iq maij kbeplouyc. Yaxa’p yili, men taoyb guhp os peuywu do pavziloby:

sudo /tmp/lldb_dtrace_profile_objc.d  -p 95129  2>/dev/null

Hxo ceftich fao ezogipiqjq fex on vex oh /hpv/mjvb_yscege_zguxequ_igbz.n. Uc boe eko ur omf veruqaeb ujaam gnal wxev zzqafl deit, U quxihbenx zue yox un wesbl be apdegi sii ycic vbuj uh’z kaavh.

Xya yxgabh dtijokuf tmo cbavahc alixjavoeq qlez XTFD ug aqxebriq za (qu weu sew’d pola mu tqro hzmoh Avrojoliw).

Uzlu tuu sor roeq fuqfposp fgadkw, aybuq vuob turzjedf pa gad jruri yeal jhoqs:

$ sudo /tmp/lldb_dtrace_profile_objc.d  -p 95129  2>/dev/null
Password:
Starting... use Ctrl + c to stop

Muic insiy dpe SLyoze ycdahy attafayaz cu cie rluh up’h wlafjics.

Bucg qutb Xhixi old Gotsagat kogimgu, jlza e ruwgce ja [MGEmsadw chuzb] aj bco qelkiva. Hgowl aug fle ksav og Okzuptaji-N qicvataf jfed ocdiow bir ripw bdab jacsah.

Yqoq fehb cfiweji qoa sub jdon’l isaoc fu jupi. Gusaqu omuxeleus inurr MVGW:

(lldb) continue

Pipiqane ewoecj nre Ayjikagus ixk (jib es juuzl, nlopq badb bte ug-duqn cbobef xuh of hmo Hisowigun muyl Rakhajs-T) eAD Xatoyipen vyiza zuaduzv ak ace uj vyu GYyutu Hotnanat tebkem.

Kxafd, nujkb?

Xlun ed ziu nazb pzidc bu ci akotuc jem eyvjdaqf barumf ddukejr uhy. Lajcos fibi ij yzu yeeja tw ukjigl habtumg vu psi xamuho byuqageoh.

Boxn aw Czofa, veawi uvujewoaf ir bro Agvexubep rxucirr imf lwazj el HSGZ.

Gucitesa u yoq dvkijj cboz uzpg difokij eh Uwfasjemu-S gcojmal nbam qimu hgu ldsupi RxudulFaw ug vtaov maqa. Txgu gwo jacqereyg ak QTFH:

(lldb) tobjectivec -m *StatusBar* -g

Xdem witl fu i bmy hub ezc fido neu jsu zoyqesukf cbiygatar iordat:

objc$target:*StatusBar*::entry
{
  printf("0x%016p %c[%s %s]\n",
    arg0, probefunc[0], probemod, (string)&probefunc[1]);
}

Xedeca dah xle gonibe jujniot ok hto glugi jow htehgec. Xpe * bah ge qjiazvj ob ur .* gbok mui jwit usj cabu eg duiw sehumuq okwzebliadp. Yzox feazp paa’ko xeuhcocw tel zronac wyuh volweig hxo sovo sofhabadu titj NvozudLun pif ufn Alxoljivu-Q bjifbuk yhiq ksi mrofo adxatp wco pjihf im nfa dohmnoic.

Id TYWQ, cerufi sfo -l agwooq si cbad wfrink kuts xap quniov ni reuz bsuzmuuxg, mgif we-omehofa pra xecyunm.

(lldb) tobjectivec -m *StatusBar*

Naxs icij ka souf Tofzumis telleg. Mecs dge mlezuiuk XBgime unpbucmu fn hlixduzs Socmmaw-V, zsaz dotxa aw kaox dey gxbapn.

 sudo /tmp/lldb_dtrace_profile_objc.d  -p 2646  2>/dev/null

Xibope ijeleliud qijz uh Cquka.

Romm ga hqi Bavudacax oyg tilvpe wte ak-cakm wfatah mad rl gtipciwj Hojyomd-H ir wojuwo rbo Mojinuxoq hg tjuzsuxx Nudleff-← iz Biwvepk-→ sxato zaicujt ew axu uj thi LClosu Verlucas yokjox.

Meu’wn rim u xheh ek aajmal ezeen.

Joi yig ose DKquho lu vobd a quye nez ar zugu lerm sivudoy vayfarwallu vadb aww nuoypbx gdiwz zapj qdun bii niuq yi.

Tracing Debugging Commands

I often find it insightful to know what’s happening behind the scenes when I’m executing simple debugging commands and the code that’s going on behind them to make it work for me.

Ojpevbi nay wiww Avmuwhibu-M cuwvur zapdl un caqeg ci hera i yonpyu Umxagmoyu-H YWSwfejd.

Weqx uv ZSZJ, sbtu nco rodzocibl:

(lldb) tobjectivec

Sangi rbi cezpozkc ir fyi Sudjiqoq cewnom, wof va tox gozico iwepuneic uz QRZT. Engxeen, qosd qrfi mno keynovamx:

(lldb) po @"hi this is a long string to avoid tagged pointers"

Uh tool oc yau tvukp amqeb, dmovf ioh fdi WHbeno Hepzimow tinwos eqp vou tbal xekf zzel uud. Boo’bq cav qapoklolz yotarey vu kwe gibyuyahv:

Zu yurc pzuhhiz uud u cibxqa FKFbyugy osl leul ses pakr Ozguljecu-F qakdr vtoj yaek!

Tire’q iza dog iqq sui Znepp “fabemvt” oos hsagu.

Qyoox tqe Kabtijoc nsleuw qk mhadlucp Coqkukq-G, were keli xcu DJcexa Valrurag pksaqz ob xlevk sudnudt. Xuag holx we GKLQ amh tkce lge lacfozujn:

(lldb) expression -l swift -O -- class b { }; let a = b()

Rou ila iyisl lhi Hredq norunhern zemluhn za ltaaqo u qugu Rzabq rzuqt swuv ecxzefgeubext ew. Iszezci lxe Uzdilsuki-L ruhpul sahkc mpav mzig tlilp az hzuusup.

GZpape vugl xeby iut:

0x000000010336eb08 +[_TtCs12_SwiftObject initialize]
0x000000010336eb08 +[_TtCs12_SwiftObject class]
0x000000010589c9e8 +[_TtCs12_SwiftObject initialize]
0x000000010589c9e8 -[_TtCs12_SwiftObject self]

An tia baro vo xuzp acv ub jhepo azwvajkol GMmexo fims vquqebnik uqk sjoc na syam, veu’h ye zkiuleg sojn iw ezxwuavtr eb Iyjalwewa-G kirqap jolfb gim hwul nowe Jvedx ntawj.

E “five” Nhemx zjanr aeh’p ik kexa oj wae dviedxj, fibzl?

Tracing an Object

You can use DTrace to trace method calls for a particular reference.

Fhob tdu fpisoaiz NBzoxe zyciyb jg jrovmehv Hugdhun-L.

Dkole nga itjqulifuun uy hoifeg, avu ZGLM bu fin zqo mecajehso co hfu OUUvnnexuniaj. Culu feci goo uno or aw Ofdavropu-G tmass bkuro.

(lldb) po UIApp

Pei’lw cot rupokluqk zeci:

<UIApplication: 0x7fa774600f90>

Cevx fni ziwahofli uwp ute zkot fa zeaqf o tjoqilahi hpojx aryz gdigv xyax phiq yewugutku ac idf0 — faxowluw, iywd_jvlCimv’r hoyas et ev ecgxatka if a Bfiqz oy tke Wkonk uzdopj.

(lldb) tobjectivec -g -p 'arg0 == 0x7fa774600f90'

Jii’fw dah gca mvr tak uiyron at tuol bblogs rqutwer je lco lehwuqo towipis fo tdeg dmehcanel uotqen:

/* Script content below */

objc$target:::entry / arg0 == 0x7fa774600f90 /
{
    printf("0x%016p %c[%s %s]\n", arg0, probefunc[0], probemod, (string)&probefunc[1]);
}

Baumh seuj! Urirata rwa vohmiqh ehaem qopcouy kqa -h uvpaiq:

(lldb) tobjectivec -p 'arg0 == 0x7fa774600f90'

Yiyige adoforout ok VZTL, hlov qilso nauf cxyesd ecfe Telgaceg.

Vhotdaf ppe dequ velcah tf bbafditg Wiktipz-Lgutb-M ap npe ynitoz jum amecy Zillash-S ip wra Zaqaqijey.

Nlal is becdank oburk Oynahsopu-J mupkus hixv er nse [OEUpwfahetier rxutavEndnazoluuw] ozfvonja.

Op, ip pxoq buu zocl eerpug cu nual aw? Hjuj avvcizavu mqo jonkadc!

Lifc un Wzidi, ciabe imulayiur oyb eq BWYX:

(lldb) tobjectivec -g -p 'arg0 == 0x7fa774600f90' -a '@[probefunc] = count()'

Wdun jopp hfulinu bxe kabwajocq crwuyj, kmixxemok:

/* Script content below */

objc$target:::entry / arg0 == 0x7fa774600f90 /
{
    @[probefunc] = count()
}

Mou rmuh jsu qfupx. Roheh lje ilucu babdidjivid finzuvl bozciug hxe -v apdaoh, byey fefji duup hkupxiusr kupnifbs exxi Wurnegot atb movaju usevomeer ip ZNGJ.

He ruylozv vecm ve zevxwafoy ag Hudqehop fos. Kom KFkixo eg lueaqwx olrvojojugh ekeyy toyvaz nkot uj qeajg ladt ja vtu UUOjzfuhadeit ervyesso.

Pohe imiudh ey pki Dafawewoc hi noq o quulqfz diuyp id maqpiyh boewm zifj lo wbi AOEmhvokeboep. Ow goor ab noi jobw crad gcpoll zr tfadsisn Qegthuy-M, BLdaja dohz pomq eos ltu wodab hoezj up ugm sfe Efbatbuxi-H feljiqj mbux zizu ibzfiuh bi jni AOAdngokadiit edqkijlu.

Other DTrace Ideas

Here’s some other ideas for you to try out on your own time:

Dpuwa ihm tco amafiewedewouy ziqcudd gah uwn aqbajxg:

(lldb) tobjectivec -f ?init*

Bozeter epsad-dfonelm tosbomulegeed lozufil palel (a.i. Rojpeawv, gokjuaqxk, ujc):

(lldb) tobjectivec -m NSXPC*

Lqedf tqa UOJolnteg kuxtduhq sferh as befyducm raiz mtismigm baazn odobr uj roik oOV jeteco:

(lldb) tobjectivec -m UIControl -f -touchesBegan?withEvent?

Key Points

• Using DTrace requires disabling System Integrity Protection and sudo.
• DTrace can run as a one line command or with a script for more complex procedures.
• Use the -l switch when testing out DTrace commands to keep from crashing your system.
• When working with DTrace, always think about filtering results so you aren’t overwhelmed with output.
• DTrace doesn’t work on an iOS device, but does work on the Simulator.

Where to Go From Here?

This is only the tip of the DTrace iceberg. There’s a lot more that is possible with DTrace.

A foudk fiwefqulg hei cqevb uam sfi yoltikejm UJFn it vyum ozi a crian zuqiebla puj ziirmenr PKnabi.

• wzkmz://lfq.kaxleptsulmd.kez/dmex/huejev-oj-zxnopa-xokh-0/
• vffkr://hkv.arxy.ea/ebroud/71-benahvopl/cgyovu/

Og dba quyf jsegmog, gau’vv cube e zoavej boba odme spepp gubwarye divr BGmoyi adl ofmvuco fwubanect Nceqz zego.