
How to use lldb "memory find" command?

Tags: xcode, macos, lldb

According to the lldb online help, memory find should work like this:

Find a value in the memory of the process being debugged.

Syntax: memory find <cmd-options> <address> <value> [<value> [...]]

Command Options Usage:
  memory find <address> <value> [<value> [...]]
  memory find [-e <expr>] [-s <name>] [-c <count>] [-o <offset>] <address> <value> [<value> [...]]

       -c <count> ( --count <count> )
            How many times to perform the search.

       -e <expr> ( --expression <expr> )
            Evaluate an expression to obtain a byte pattern.

       -o <offset> ( --dump-offset <offset> )
            When dumping memory for a match, an offset from the match location
            to start dumping from.

       -s <name> ( --string <name> )
            Use text to find a byte pattern.

     This command takes options and free-form arguments.  If your arguments
     resemble option specifiers (i.e., they start with a - or --), you must use
     ' -- ' between the end of the command options and the beginning of the
     arguments.

I suspect that the implementation does not match the help info, as whatever syntax I use I seem to get one of various cryptic error messages, e.g.:

error: two addresses needed for memory find

or

error: do not know how to deal with larger than 8 byte result types. pass a string instead

or

error: please pass either a block of text, or an expression to evaluate.

I've Googled for usage examples and come up with nothing. If anyone has an example that works I'd be grateful. In particular I want to search from the start of a block identified by a pointer, for a given number of bytes, to find the first occurrence of a particular (byte) value (255 in this case).

I'm using Xcode 7.0.1 on OS X and the lldb version is lldb-340.4.70.


UPDATE

I've found that the -s option can be made to work, e.g. like this:

(lldb) me fi -s "f" -- ptr ptr+8192*256
Your data was found at location: 0x11033e20c
0x11033e20c: 66 bb 58 07 d0 b7 32 7d ff 7f 00 00 66 5b e7 82  f.X...2}....f[..

It may just be that the -e option (which is what I need in this instance) is broken, e.g.:

(lldb) me fi -e 255 -- ptr ptr+8191*256
error: expression evaluation failed. pass a string instead?

Trying to coax the -s option into accepting an escaped hex or decimal value doesn't seem to work either, unfortunately:

(lldb) me fi -s "\xff" -- ptr ptr+8191*256
Your data was not found within the range.

(lldb) me fi -s "\255" -- ptr ptr+8191*256
Your data was not found within the range.
Paul R asked Oct 13 '15 08:10


1 Answer

This issue has been fixed in open source LLDB, as revision 243893 (http://llvm.org/viewvc/llvm-project?view=revision&revision=243893).

I cannot make any comments as to the availability of this fix in Xcode, but one thing you can try is to compile LLDB from source and use that hand-built LLDB with the fix to debug your issue.

Enrico Granata answered Oct 19 '22 12:10
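
A scripted way to run the search described in the question (first occurrence of a byte value within a given number of bytes from a pointer) on an lldb build where `memory find -e` fails. This is an added example, not part of the question or the answer. It assumes lldb's Python scripting is available; the file name `find_byte.py` and the command name `find_bytes` are made up for illustration.

```python
# Added example (not from the original thread): byte-pattern search via lldb's Python API.
# Load:  (lldb) command script import find_byte.py     (file name is hypothetical)
# Use:   (lldb) find_bytes ptr 8192*256 0xff
import shlex

def find_pattern(read, start, length, pattern, chunk=4096):
    """Return the address of the first match in [start, start+length), or None.
    `read(addr, size)` returns up to `size` bytes, or b"" if the read fails."""
    tail = b""                       # carry-over so a match can straddle two chunks
    addr, end = start, start + length
    while addr < end:
        data = read(addr, min(chunk, end - addr))
        if not data:                 # unreadable memory: stop instead of guessing
            return None
        buf = tail + data
        hit = buf.find(pattern)
        if hit != -1:
            return addr - len(tail) + hit
        tail = buf[-(len(pattern) - 1):] if len(pattern) > 1 else b""
        addr += len(data)
    return None

def find_bytes(debugger, command, result, internal_dict):
    """lldb command: find_bytes <start-expr> <length-expr> <byte> [<byte> ...]"""
    import lldb                      # only importable inside lldb's interpreter
    args = shlex.split(command)
    if len(args) < 3:
        result.SetError("usage: find_bytes <start-expr> <length-expr> <byte> [<byte> ...]")
        return
    process = debugger.GetSelectedTarget().GetProcess()
    frame = process.GetSelectedThread().GetSelectedFrame()
    start = frame.EvaluateExpression(args[0]).GetValueAsUnsigned()
    length = frame.EvaluateExpression(args[1]).GetValueAsUnsigned()
    pattern = bytes(bytearray(int(b, 0) for b in args[2:]))

    def read(addr, size):
        err = lldb.SBError()
        data = process.ReadMemory(addr, size, err)
        return data if err.Success() else b""

    hit = find_pattern(read, start, length, pattern)
    result.AppendMessage("not found" if hit is None else "found at 0x%x" % hit)

def __lldb_init_module(debugger, internal_dict):
    debugger.HandleCommand("command script add -f %s.find_bytes find_bytes" % __name__)
```

Expressions containing spaces must be quoted on the command line, since the arguments are split shell-style.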