As we all know, the value of the lazy symbol pointer section in Mach-O will be bound to the corresponding actual memory address before the function first execute.
For example, I print the value of the lazy symbol pointer section in the DATA section before the function is executed.
We can see that the value of 0x100003038 is 0x0000000100001f02. After the function is executed, 0x100003038 became 0x00007fff6f8cd52d, which has been bound to the corresponding actual memory address by dyld_stub_binder.
So, how dyld_stub_binder works? Let me use the following figure to explain.
- When the
getenvfunction is called, it will jump to the address 0x000002000 corresponding to 0x100000F94. - The corresponding assembly of 0x100000F94 is to push the parameter 0x0 and jump to 0x100000F70.
- The assembly corresponding to 0x100000F70 is a built-in stub jump code, which will eventually be called to dyld_stub_binder.
- dyld_stub_binder searches for the function’s information to be bound according to the parameters pushed in 2. For example, the parameter pushed in 2 is 0x0, which means select the address 0x00003020 with offset 0 from Lazy Binding Info to start reading data.
- the information from 0x00003020
- segment(3) means to select the section corresponding to the fourth segment, which is __DATA Section.
- offset(0) represents the address based on the offset of 0 in the current section, 0x00000200.
- name(_getenv) indicates the name of the function to be bound.
6. When dyld_stub_binder finds the actual address that needs to be bound, it will write the data to 0x000002000 to complete the first call binding.
