iOS插庄 order

二进制重排 

https://mp.weixin.qq.com/s/Drmmx5JtjG3UtTFksL6Q8Q

clang 官方文档

http://clang.llvm.org/docs/SanitizerCoverage.html

1 添加参数 

-fsanitize-coverage=trace-pc-guard

在编译时候 所有方法前面 插入 __sanitizer_cov_trace_pc_guard

oc 工程    只有func函数hook   -fsanitize-coverage=func,trace-pc-guard

swift 工程 的话    

-sanitize-coverage=func 

-sanitize=undefined

order生成后

生成  -fsanitize-coverage=func,trace-pc-guard 干掉

// trace-pc-guard-cb.cc

#include

#include<stdio.h>

#include

// This callback is inserted by the compiler as a module constructor

// into every DSO. 'start' and 'stop' correspond to the

// beginning and end of the section with the guards for the entire

// binary (executable or DSO). The callback will be called at least

// once per DSO and may be called multiple times with the same parameters.

extern "C" void __sanitizer_cov_trace_pc_guard_init(uint32_t *start,

                                                    uint32_t*stop) {

  static uint64_tN;  // Counter for the guards.

  if(start == stop || *start)return;  // Initialize only once.

  printf("INIT: %p %p\n", start, stop);

  for(uint32_t*x = start; x < stop; x++)

    *x = ++N;  // Guards should start from 1.

}

// This callback is inserted by the compiler on every edge in the

// control flow (some optimizations apply).

// Typically, the compiler will emit the code like this:

//    if(*guard)

//      __sanitizer_cov_trace_pc_guard(guard);

// But for large functions it will emit a simple call:

//    __sanitizer_cov_trace_pc_guard(guard);

extern "C" void __sanitizer_cov_trace_pc_guard(uint32_t *guard) {

  if (!*guard) return;  // Duplicate the guard check.

  // If you set *guard to 0 this code will not be called again for this edge.

  // Now you can get the PC and do whatever you want:

  //  store it somewhere or symbolize it and print right away.

  // The values of `*guard` are as you set them in

  // __sanitizer_cov_trace_pc_guard_init and so you can make them consecutive

  // and use them to dereference an array or a bit vector.

//  void *PC = __builtin_return_address(0);

  charPcDescr[1024];

  // This function is a part of the sanitizer run-time.

  // To use it, link with AddressSanitizer or other sanitizer.

//  __sanitizer_symbolize_pc(PC, "%p %F %L", PcDescr, sizeof(PcDescr));

  printf("guard: %p %x PC %s\n", guard, *guard, PcDescr);

}