Improve compatibility with iOS / macOS 27 shared caches #8260
Open
bdash wants to merge 4 commits into
These shared caches contain symbols pointing into address ranges that are no longer mapped, such as `objc_msgSend$stub` functions that are now merged into stub island regions.
…shared caches

* `objc_msgSend$stub` functions no longer appear in the `__objc_stubs` section of their dylib. Instead they're coalesced across multiple dylibs and appear in a stub island region of the shared cache. This means that `AnalyzeStubFunction` can no longer determine the type of stub it is processing purely based on the containing section name. It now considers the target of the call to determine the type of the stub.
* `objc_msgSend` and friends now have definitions in multiple dylibs throughout the shared cache (`/usr/lib/objc/libobjcMsgSendN.dylib`). This means that loading the target of `objc_msgSend` calls within `objc_msgSend$stub` functions is not sufficient to make selector definitions visible to analysis. Instead, we explicitly load `/usr/lib/libobjc.A.dylib` whenever we process a stub function that references `libobjcMsgSendN.dylib`.
…e to selector base address

These show up in iOS 27 shared caches.
This helps for stripped binaries, and in cases such as the macOS 27 shared cache where the symbols are no longer accurate for stub functions since they are coalesced into stub island regions outside of any dylib.
emesare
reviewed
Jun 12, 2026
| return Ok(()); | ||
| } | ||
|
|
||
| let func = ac.function(); |
Member
I think we need to update `AnalysisContext::function` to be an `Option<Ref<Function>>`, since it can be executed in the context of the binary view for a module level workflow.
This isn't an issue with your PR; I just noticed it when reviewing.
emesare
approved these changes
Jun 13, 2026
emesare
left a comment
Member
Seeing as the comment above about the `AnalysisContext::function` call relates to the bindings and not the workflow itself, we can do that separately.
* `objc_msgSend$stub` functions no longer appear in the `__objc_stubs` section of their dylib. Instead they're coalesced across multiple dylibs and appear in a stub island region of the shared cache. This means that `AnalyzeStubFunction` can no longer determine the type of stub it is processing purely based on the containing section name. It now considers the target of the call to determine the type of the stub.
* `objc_msgSend` and friends now have definitions in multiple dylibs throughout the shared cache (`/usr/lib/objc/libobjcMsgSendN.dylib`). This means that loading the target of `objc_msgSend` calls within `objc_msgSend$stub` functions is not sufficient to make selector definitions visible to analysis. Instead, we explicitly load `/usr/lib/libobjc.A.dylib` whenever we process a stub function that references `libobjcMsgSendN.dylib`.
* `objc_msgSend$stub` stub functions. They no longer have symbol information since they live in stub island regions outside of images. This also helps with regular stripped Mach-O binaries.
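The stub classification change described above, sketched as an added example that is not code from the pull request or the project. The `Stub` struct, the function names and the sample values are a constructed model, and the prefix match on the image path assumes the `N` in `libobjcMsgSendN.dylib` stands for a varying suffix.

```rust
// Constructed model of a shared-cache stub; not the project's API.
#[derive(Debug, PartialEq)]
enum StubKind { ObjcMsgSend, Regular }

struct Stub<'a> {
    section: Option<&'a str>, // None: stub sits in a stub island, outside any dylib
    target_symbol: &'a str,   // symbol at the stub's call target
    target_image: &'a str,    // image that defines the call target
}

const LIBOBJC: &str = "/usr/lib/libobjc.A.dylib";
// Assumption: the per-dylib copies of objc_msgSend share this path prefix.
const MSGSEND_COPY_PREFIX: &str = "/usr/lib/objc/libobjcMsgSend";

// Section-based check: misses stubs coalesced into a stub island.
fn classify_by_section(stub: &Stub) -> StubKind {
    match stub.section {
        Some("__objc_stubs") => StubKind::ObjcMsgSend,
        _ => StubKind::Regular,
    }
}

// Target-based check: decide from what the stub calls.
fn classify_by_target(stub: &Stub) -> StubKind {
    if stub.target_symbol.trim_start_matches('_').starts_with("objc_msgSend") {
        StubKind::ObjcMsgSend
    } else {
        StubKind::Regular
    }
}

// Images to load so selector definitions become visible to analysis.
fn images_to_load<'a>(stub: &Stub<'a>) -> Vec<&'a str> {
    let mut images = vec![stub.target_image];
    if classify_by_target(stub) == StubKind::ObjcMsgSend
        && stub.target_image.starts_with(MSGSEND_COPY_PREFIX)
    {
        images.push(LIBOBJC);
    }
    images
}

fn main() {
    // Constructed sample: an island stub calling a coalesced objc_msgSend copy.
    let island = Stub { section: None, target_symbol: "_objc_msgSend",
        target_image: "/usr/lib/objc/libobjcMsgSendN.dylib" };
    println!("{:?} {:?} {:?}", classify_by_section(&island),
        classify_by_target(&island), images_to_load(&island));
}
```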