Skip to content

Instantly share code, notes, and snippets.

@kemlath
Last active April 1, 2019 04:09
Show Gist options
  • Save kemlath/7285356f97f67af5023cf99ee57317d6 to your computer and use it in GitHub Desktop.
Save kemlath/7285356f97f67af5023cf99ee57317d6 to your computer and use it in GitHub Desktop.
gdb 8.2.1 under Mojave

gdb has been more or less broken under OSX and was unusable under mojave, but there is hope...

This is description on how I got the latest release (dating fro 5.1.2019) up and running under mojave. In particular code signing has become more intricate under mojave since a debugger now needs the right entitlements not just a signature.

I'm assuming that a working gcc-8 installation is present (e.g. brew install gcc) and that a valid code signing certificate is in the SYSTEM keychain.

Here are the steps I took to get a working gdb:

1.) Download ftp://sourceware.org/pub/gdb/snapshots/current/gdb-8.2.50.20190105.tar.xz

2.) Build using GCC-8 and G++-8 NOT CLANG: Heres the shell command I used:

CC=gcc-8 CXX=g++-8 ./configure --prefix=/usr/local/opt/gdb/ --disable-debug --disable-dependency-tracking --enable-targets=all --with-python=/usr

If the build fails see "Caveats" below

3.) Codesign it with the right! entitlements:

codesign --entitlements gdb.xml -fs gdb_cert /usr/local/opt/gdb/bin/gdb

Important "gdb_cert" has to be a valid code signing cert from the SYSTEM keychain (login keychain won't do)

The entitlements in gdb.xml look like:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <true/>
    <key>com.apple.security.cs.debugger</key>
    <true/>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>
</plist>

Not sure if all of them are needed... I stumbled upon the need for entitlement "com.apple.security.cs.debugger" while googling and ended up adding putting all of them in there in my despair.

You can check the entitlements via

codesign -d --entitlements - /usr/local/opt/gdb/bin/gdb

3.) Maybe optionally call (didn't help with gdb 8.2.1 form homebrew)

DevToolsSecurity -enable

In any case this should rid you from password entry prior to debugging

4.) Maybe optionally call (didn't help on Mojave with gdb 8.2.1 form homebrew but was nescessary under el Capitan)

sudo dseditgroup -o edit -a <your user name> -t user procmod

Which adds you to group procmod. It's just bcause only users in procmod can use function task_for_pid

5.) Enjoy ;)

Caveats:

1.) The compile initially fails because of some problems in gb/darwin-nat.c (some variables are double defined and that make gcc fail)

Patch darwin-nat.c as below to get rid of some compiler errors

--- ./gdb-8.2.50_working/gdb/darwin-nat.c	2019-01-05 19:51:48.000000000 +0100
+++ ./gdb-8.2.50.20190105/gdb/darwin-nat.c	2019-01-05 02:49:08.000000000 +0100
@@ -687,7 +687,7 @@
       /* Not a known inferior.  This could happen if the child fork, as
 	 the created process will inherit its exception port.
 	 FIXME: should the exception port be restored ?  */
-      // kern_return_t kret;
+      kern_return_t kret;
       mig_reply_error_t reply;

       inferior_debug
@@ -1125,14 +1125,14 @@

 	  if (!priv->no_ptrace)
 	    {
-	      pid_t pid_res;
+	      pid_t res;
 	      int wstatus;

-	      pid_res = wait4 (inf->pid, &wstatus, 0, NULL);
-	      if (pid_res < 0 || pid_res != inf->pid)
+	      res = wait4 (inf->pid, &wstatus, 0, NULL);
+	      if (res < 0 || res != inf->pid)
 		{
 		  printf_unfiltered (_("wait4: res=%d: %s\n"),
-				     pid_res, safe_strerror (errno));
+				     res, safe_strerror (errno));
 		  status->kind = TARGET_WAITKIND_IGNORE;
 		  return minus_one_ptid;
 		}
@@ -1148,7 +1148,7 @@
 		}

 	      inferior_debug (4, _("darwin_wait: pid=%d exit, status=0x%x\n"),
-			      pid_res, wstatus);
+			      res, wstatus);

 	      /* Looks necessary on Leopard and harmless...  */
 	      wait4 (inf->pid, &wstatus, 0, NULL);
@@ -1559,7 +1559,7 @@
          signaled thus darwin_decode_message function knows that the kill
          signal was sent by gdb and will take the appropriate action
          (cancel signal and reply to the signal message).  */
-      priv = get_darwin_inferior (inf);
+      darwin_inferior *priv = get_darwin_inferior (inf);
       for (darwin_thread_t *thread : priv->threads)
         thread->signaled = 1;

2.) (Not sure if this is important) The way gdb is built it links to the system python version. I've had difficulties in other programs unsing the system python and had python@2 from homebrew installed. Because python@2 overrides the system python I deleted the homebrew generated symlinks /usr/local/bin/python such that an application that calls python gets the system python version. You can then still call python2 for the homebre python@2 installation

@deepio
Copy link

deepio commented Apr 1, 2019

@leslieharland
All snapshots are public
https://sourceware.org/pub/gdb/snapshots/current/gdb-weekly-8.3.50.20190326.tar.xz

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment