
Figure 6-33 [PSListController tableView:cellForRowAtIndexPath:]


Because the return value is stored in R0 and R0 comes from “MOV R0, R6”, we can simply set a breakpoint on this instruction and print out R6. The address of this instruction is 0x2A9F79E6, so set the breakpoint at 0x6db3000 + 0x2A9F79E6 = 0x317AA9E6. Re-enter MobilePhoneSettings to trigger the breakpoint:


(lldb) br s -a 0x317AA9E6
Breakpoint 5: where = Preferences`-[PSListController tableView:cellForRowAtIndexPath:] + 1026, address = 0x317aa9e6
Process 268587 stopped
* thread #1: tid = 0x4192b, 0x317aa9e6 Preferences`-[PSListController tableView:cellForRowAtIndexPath:] + 1026, queue = ‘com.apple.main-thread, stop reason = breakpoint 5.1
    frame #0: 0x317aa9e6 Preferences`-[PSListController tableView:cellForRowAtIndexPath:] + 1026
Preferences`-[PSListController tableView:cellForRowAtIndexPath:] + 1026:
-> 0x317aa9e6: mov r0, r6
   0x317aa9e8: add sp, #28
   0x317aa9ea: pop.w {r8, r10, r11}
   0x317aa9ee: pop {r4, r5, r6, r7, pc}
(lldb) po $r6
<PSTableCell: 0x15f8c6a0; baseClass = UITableViewCell; frame = (0 0; 320 44); text = ‘My Number’; tag = 2; layer = <CALayer: 0x15f7c0b0>>
(lldb) po [$r6 detailTextLabel]
<UITableViewLabel: 0x15f7b8d0; frame = (0 0; 0 0); text = ‘+86PhoneNumber’; userInteractionEnabled = NO; layer = <_UILabelLayer: 0x15f7b990>>





Now we can confirm that objc_msgSendSuper2 calls [PSListController tableView:cellForRowAtIndexPath:], and that its return value does come from R6. So where does R6 come from? Tracing back to look for the source of R6, we see R6 appear multiple times as the first argument of objc_msgSend calls, as shown in figure 6-34.
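
The address arithmetic behind the breakpoint above, as an added example that is not from the book: it goes one step further and reads the image offset from `image list -o -f` output in lldb instead of taking 0x6db3000 as given, and it also maps a runtime address back to the static one. The sample output, the file paths in it and the function names are constructed for illustration; it assumes the Settings executable and the framework are both named Preferences, so the lookup matches on a path suffix and rejects ambiguous matches.

```python
import re

# Constructed `image list -o -f` output. Only the 0x6db3000 offset and the
# two instruction addresses used below come from the text; paths are assumed.
SAMPLE = """\
[  0] 0x000a1000 /Applications/Preferences.app/Preferences(0x00000000000a5000)
[  1] 0x06db3000 /System/Library/PrivateFrameworks/Preferences.framework/Preferences(0x000000003175e000)
"""

# "[ idx] <offset> <full path>(<load address>)"; paths may contain spaces.
LINE = re.compile(
    r"^\[\s*\d+\]\s+(0x[0-9a-fA-F]+)\s+(.+?)(?:\(0x[0-9a-fA-F]+\))?\s*$")


def parse_offsets(image_list):
    """Return [(path, offset)] for every image line that parses."""
    out = []
    for line in image_list.splitlines():
        m = LINE.match(line)
        if m:
            out.append((m.group(2), int(m.group(1), 16)))
    return out


def offset_for(image_list, path_suffix):
    """Offset of the single image whose full path ends with path_suffix."""
    hits = [(p, o) for p, o in parse_offsets(image_list)
            if p.endswith(path_suffix)]
    if len(hits) != 1:
        names = [p for p, _ in hits]
        raise ValueError(f"{len(hits)} images match {path_suffix!r}: {names}")
    return hits[0][1]


def to_runtime(static_addr, offset):
    """Static (disassembler) address -> address to give `br s -a`."""
    return static_addr + offset


def to_static(runtime_addr, offset):
    """Runtime pc from lldb -> address to look up in the disassembler."""
    if runtime_addr < offset:
        raise ValueError("address is below the image offset")
    return runtime_addr - offset


if __name__ == "__main__":
    off = offset_for(SAMPLE, "Preferences.framework/Preferences")
    print(f"br s -a {to_runtime(0x2A9F79E6, off):#x}")
```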
