Examine arguments on stack with lldb

Question

I am using lldb to trace through some plain C or C++ code (32 bit) that calls CoreFoundation functions such as CFRunLoopTimerCreate.

I've set a breakpoint on CFRunLoopTimerCreate and would like to examine the passed arguments.

How do I do that? frame variable is not working here (it prints nothing) as it's not in an ObjC context.

I guess I'll have to use the x command somehow to look at the memory above sp but whatever syntax I try, I keep getting error messages.

So, basically, what's the syntax for examining memory at an address a register points to? Also, is there a better way to look at arguments on the stack?

Answer 1

Is this what you are looking for?

(lldb) x $sp-10
0x7fff5cd3eda6: 00 00 86 0a ec 02 01 00 00 00 00 00 00 00 00 00  ................
0x7fff5cd3edb6: 00 00 00 00 00 00 00 00 00 00 90 94 33 75 ff 7f  ............3u..

Registers are generally addressed as $rax etc. You might also wish to check out this earlier question for some hints on shortening lldb memory read commands: Dump memory in lldb

Answer 2

x is actually shorthand for the memory read command. You can choose the word size, e.g. this:

memory read --format x --size 4 --count 8 `$esp - 32`

Will show the top 32 bytes of the stack (on i386) formatted as 4-byte hexadecimal numbers. This might make it easier if you're looking for pointer values, etc. The argument to --format can also be d for decimal output. --outfile lets you specifiy a file path to which to write the memory contents, which may be more useful for large amounts. Surround expressions to evaluate with backticks `.