iOS-底層(10):objc_msgSend流程分析之慢速查找與消息轉(zhuǎn)發(fā)

objc_msgSend 慢速查找流程分析

前一篇我們分析了匯編快速查找,如果沒有找到,就會進入CheckMiss或者JumpMiss

.macro CheckMiss
    // miss if bucket->sel == 0
.if $0 == GETIMP
    cbz p9, LGetImpMiss
.elseif $0 == NORMAL
    cbz p9, __objc_msgSend_uncached
.elseif $0 == LOOKUP
    cbz p9, __objc_msgLookup_uncached
.else
.abort oops
.endif
.endmacro

.macro JumpMiss
.if $0 == GETIMP
    b   LGetImpMiss
.elseif $0 == NORMAL
    b   __objc_msgSend_uncached
.elseif $0 == LOOKUP
    b   __objc_msgLookup_uncached
.else
.abort oops
.endif
.endmacro

然后進入到__objc_msgSend_uncached,

STATIC_ENTRY __objc_msgSend_uncached
    UNWIND __objc_msgSend_uncached, FrameWithNoSaves

    // THIS IS NOT A CALLABLE C FUNCTION
    // Out-of-band p16 is the class to search
    
    MethodTableLookup //方法表中查找
    TailCallFunctionPointer x17

    END_ENTRY __objc_msgSend_uncached

MethodTableLookup

.macro MethodTableLookup
    
    // push frame
    SignLR
    stp fp, lr, [sp, #-16]!
    mov fp, sp

    // save parameter registers: x0..x8, q0..q7
    sub sp, sp, #(10*8 + 8*16)
    stp q0, q1, [sp, #(0*16)]
    stp q2, q3, [sp, #(2*16)]
    stp q4, q5, [sp, #(4*16)]
    stp q6, q7, [sp, #(6*16)]
    stp x0, x1, [sp, #(8*16+0*8)]
    stp x2, x3, [sp, #(8*16+2*8)]
    stp x4, x5, [sp, #(8*16+4*8)]
    stp x6, x7, [sp, #(8*16+6*8)]
    str x8,     [sp, #(8*16+8*8)]

    // lookUpImpOrForward(obj, sel, cls, LOOKUP_INITIALIZE | LOOKUP_RESOLVER)
    // receiver and selector already in x0 and x1
    mov x2, x16
    mov x3, #3
    bl  _lookUpImpOrForward//跳轉(zhuǎn)到_lookUpImpOrForward

    // IMP in x0
    mov x17, x0
    
    // restore registers and return
    ldp q0, q1, [sp, #(0*16)]
    ldp q2, q3, [sp, #(2*16)]
    ldp q4, q5, [sp, #(4*16)]
    ldp q6, q7, [sp, #(6*16)]
    ldp x0, x1, [sp, #(8*16+0*8)]
    ldp x2, x3, [sp, #(8*16+2*8)]
    ldp x4, x5, [sp, #(8*16+4*8)]
    ldp x6, x7, [sp, #(8*16+6*8)]
    ldr x8,     [sp, #(8*16+8*8)]

    mov sp, fp
    ldp fp, lr, [sp], #16
    AuthenticateLR

imp找不到會跳轉(zhuǎn)到_lookUpImpOrForward, _lookUpImpOrForward沒有.macro宏,說明跳轉(zhuǎn)到c或者c++的代碼中。我們可以通過匯編調(diào)試驗證一下,添加斷點,點擊control + stepinto

打開debug--> Debug WorkFlow --> always show disassembly

image.png

斷住objc_msgSend,繼續(xù)control + stepInto, 斷住_objc_msgSend_uncached,繼續(xù)control + stepInto

image.png

最后走到的是lookUpImpOrForward,這里并不是匯編實現(xiàn),而是C/C++實現(xiàn)

  • C/C++中調(diào)用匯編,在匯編的定義中要加一個 _ 下劃線
  • 匯編中調(diào)用C/C++C/C++的函數(shù)定義中要減一個 _ 下劃線

慢速查找的C/C++部分

全局搜索lookUpImpOrForward,在最新的objc-runtime-new.mm找到,是一個C函數(shù),我們來看代碼,我加了相應(yīng)的注釋

IMP lookUpImpOrForward(id inst, SEL sel, Class cls, int behavior)
{
    const IMP forward_imp = (IMP)_objc_msgForward_impcache;
    IMP imp = nil;
    Class curClass;

    runtimeLock.assertUnlocked();

    // Optimistic cache lookup
    //在多線程情況下方法可能會緩存
    if (fastpath(behavior & LOOKUP_CACHE)) {
        //通過匯編獲取imp
        imp = cache_getImp(cls, sel);
        if (imp) goto done_nolock;
    }

    //線程加鎖
    runtimeLock.lock();

    //檢查是否是被認(rèn)可的對象,已知類(或者是內(nèi)置到二進制文件中,或者合法注冊通過)
    checkIsKnownClass(cls);
    //如果類沒有實現(xiàn)
    if (slowpath(!cls->isRealized())) {
        //實現(xiàn)類,內(nèi)部父類繼承鏈向上依次實現(xiàn)。確保后面的方法查找可以進行。
        cls = realizeClassMaybeSwiftAndLeaveLocked(cls, runtimeLock);
        // runtimeLock may have been dropped but is now locked again
    }

    //判斷類是否初始化,如果沒有,需要先初始化
    if (slowpath((behavior & LOOKUP_INITIALIZE) && !cls->isInitialized())) {
        cls = initializeAndLeaveLocked(cls, inst, runtimeLock);
    }

    runtimeLock.assertLocked();
    curClass = cls;

    //*unreasonableClassCount為類的任何迭代提供一個上限,在運行時元數(shù)據(jù)被破壞時防止自旋。
    //這是個無限循環(huán),要使用break或goto來跳出循環(huán)
    for (unsigned attempts = unreasonableClassCount();;) {
        // curClass method list.
       // 本類進行一次imp查找
        Method meth = getMethodNoSuper_nolock(curClass, sel);
        if (meth) {
            imp = meth->imp;
            goto done;
        }

        // curClass向繼承鏈傳遞賦值,當(dāng)找到nil的時候讓 imp = forward_imp, break,終止循環(huán)
        if (slowpath((curClass = curClass->superclass) == nil)) {
            // No implementation found, and method resolver didn't help.
            // Use forwarding.
            imp = forward_imp;
            break;
        }

        // Halt if there is a cycle in the superclass chain.
       // 如果父類鏈存在循環(huán),則報錯。
        if (slowpath(--attempts == 0)) {
            _objc_fatal("Memory corruption in class list.");
        }

        // Superclass cache.
        //匯編查找父類緩存
        imp = cache_getImp(curClass, sel); 
        // 當(dāng)imp == forward_imp 
        if (slowpath(imp == forward_imp)) {
            // Found a forward:: entry in a superclass.
            // Stop searching, but don't cache yet; call method
            // resolver for this class first.
            break;
        }
        // 如果在父類中找到了,直接 goto done
        if (fastpath(imp)) {
            // Found the method in a superclass. Cache it in this class.
            goto done;
        }
    }

    // No implementation found. Try method resolver once.
    //這個& ^= 這個算法是為了讓這段代碼只執(zhí)行一次
    if (slowpath(behavior & LOOKUP_RESOLVER)) {
        behavior ^= LOOKUP_RESOLVER;
  // 進入動態(tài)方法決議
        return resolveMethod_locked(inst, sel, cls, behavior);
    }

 done:
    log_and_fill_cache(cls, imp, sel, inst, curClass);
    runtimeLock.unlock();
 done_nolock:
    if (slowpath((behavior & LOOKUP_NIL) && imp == forward_imp)) {
        return nil;
    }
    return imp;
}

總結(jié)一下上述過程:

  1. 找一下緩存,排除多線程影響
  2. 判斷類是否被認(rèn)可的類,已知類
  3. 判斷類是否已實現(xiàn)
  4. 判斷類是否已初始化
  5. 進入for死循環(huán),先進行一次本類的方法查找(二分查找),讓臨時類curClass指向父類,通過匯編依次向上查找(cache_getImp),直到curClass找到nil ,將imp賦值為_objc_msgForward_impcache,然后break跳出循環(huán)。
  6. 進行一次動態(tài)方法決議,resolveMethod_locked 判斷,resolveInstanceMethod和resolveInstanceMethod,是否有做處理,如果處理了,重新找一遍imp,若果沒有處理,繼續(xù)lookUpImpOrForward。
  7. 消息快速轉(zhuǎn)發(fā),
  8. 消息的慢速轉(zhuǎn)發(fā)

上面是結(jié)合代碼的描述過程,我只描述了關(guān)鍵部分,接下來我們來看一下流程圖

2251862-8f3c817f232e953b.png

我們來看看二分查找算法的實現(xiàn):

ALWAYS_INLINE static method_t *
findMethodInSortedMethodList(SEL key, const method_list_t *list)
{
    ASSERT(list);

    const method_t * const first = &list->first;
    const method_t *base = first;
    const method_t *probe;
    uintptr_t keyValue = (uintptr_t)key;
    uint32_t count;
    
    for (count = list->count; count != 0; count >>= 1) {
        probe = base + (count >> 1);
        
        uintptr_t probeValue = (uintptr_t)probe->name;
        
        if (keyValue == probeValue) {
            //如果分類有相同方法,取分類的方法
            while (probe > first && keyValue == (uintptr_t)probe[-1].name) {
                probe--;
            }
            return (method_t *)probe;
        }
        
        if (keyValue > probeValue) {
            base = probe + 1;
            count--;
        }
    }
    
    return nil;
}

二分查找是一種非常高效的查找算法,它的時間復(fù)雜度是O(logn),O(logn) 這種對數(shù)時間復(fù)雜度。這是一種極其高效的時間復(fù)雜度,因為 logn 是一個非?!翱植馈钡臄?shù)量級,即便 n 非常非常大,對應(yīng)的 logn 也很小。比如 n 等于 2 的 32 次方,這個數(shù)很大了吧?大約是 42 億。也就是說,如果我們在 42 億個數(shù)據(jù)中用二分查找一個數(shù)據(jù),最多需要比較 32 次。

我們再來看看動態(tài)方法決議

static NEVER_INLINE IMP
resolveMethod_locked(id inst, SEL sel, Class cls, int behavior)
{
    runtimeLock.assertLocked();
    ASSERT(cls->isRealized());
    // 給你一次機會,添加imp
    runtimeLock.unlock();
    //當(dāng)前類不是元類
    if (! cls->isMetaClass()) {
        // try [cls resolveInstanceMethod:sel]
        resolveInstanceMethod(inst, sel, cls);
    } 
    else {
   //當(dāng)前類是元類
        // try [nonMetaClass resolveClassMethod:sel]
        // and [cls resolveInstanceMethod:sel]
        resolveClassMethod(inst, sel, cls);
        if (!lookUpImpOrNil(inst, sel, cls)) {
        // 類方法在元類里就是實例方法,我們無法在元類里面寫方法來處理,但是在NSObject里面是可以處理的,也就是實例方法
            resolveInstanceMethod(inst, sel, cls);
        }
    }

    // chances are that calling the resolver have populated the cache
    // so attempt using it
    return lookUpImpOrForward(inst, sel, cls, behavior | LOOKUP_CACHE);
}

resolveInstanceMethod

static void resolveInstanceMethod(id inst, SEL sel, Class cls)
{
    runtimeLock.assertUnlocked();
    ASSERT(cls->isRealized());
    SEL resolve_sel = @selector(resolveInstanceMethod:);

    if (!lookUpImpOrNil(cls, resolve_sel, cls->ISA())) {
        // Resolver not implemented.
        // resolve_sel 沒有實現(xiàn)返回
        return;
    }
    //發(fā)送一次resolve_sel消息,也就是調(diào)用一次resolve_sel方法
    BOOL (*msg)(Class, SEL, SEL) = (typeof(msg))objc_msgSend;
    bool resolved = msg(cls, resolve_sel, sel);

    // Cache the result (good or bad) so the resolver doesn't fire next time.
    // +resolveInstanceMethod adds to self a.k.a. cls
    // 再找一次sel的imp;
    IMP imp = lookUpImpOrNil(inst, sel, cls);

    if (resolved  &&  PrintResolving) {
        if (imp) {
            _objc_inform("RESOLVE: method %c[%s %s] "
                         "dynamically resolved to %p", 
                         cls->isMetaClass() ? '+' : '-', 
                         cls->nameForLogging(), sel_getName(sel), imp);
        }
        else {
            // Method resolver didn't add anything?
            _objc_inform("RESOLVE: +[%s resolveInstanceMethod:%s] returned YES"
                         ", but no new implementation of %c[%s %s] was found",
                         cls->nameForLogging(), sel_getName(sel), 
                         cls->isMetaClass() ? '+' : '-', 
                         cls->nameForLogging(), sel_getName(sel));
        }
    }
}

resolveClassMethod

static void resolveClassMethod(id inst, SEL sel, Class cls)
{
    runtimeLock.assertUnlocked();
    ASSERT(cls->isRealized());
    ASSERT(cls->isMetaClass());

    if (!lookUpImpOrNil(inst, @selector(resolveClassMethod:), cls)) {
        // Resolver not implemented.
        return;
    }

    Class nonmeta;
    {
        mutex_locker_t lock(runtimeLock);
        nonmeta = getMaybeUnrealizedNonMetaClass(cls, inst);
        // +initialize path should have realized nonmeta already
        if (!nonmeta->isRealized()) {
            _objc_fatal("nonmeta class %s (%p) unexpectedly not realized",
                        nonmeta->nameForLogging(), nonmeta);
        }
    }
    BOOL (*msg)(Class, SEL, SEL) = (typeof(msg))objc_msgSend;
    bool resolved = msg(nonmeta, @selector(resolveClassMethod:), sel);

    // Cache the result (good or bad) so the resolver doesn't fire next time.
    // +resolveClassMethod adds to self->ISA() a.k.a. cls
    IMP imp = lookUpImpOrNil(inst, sel, cls);

    if (resolved  &&  PrintResolving) {
        if (imp) {
            _objc_inform("RESOLVE: method %c[%s %s] "
                         "dynamically resolved to %p", 
                         cls->isMetaClass() ? '+' : '-', 
                         cls->nameForLogging(), sel_getName(sel), imp);
        }
        else {
            // Method resolver didn't add anything?
            _objc_inform("RESOLVE: +[%s resolveClassMethod:%s] returned YES"
                         ", but no new implementation of %c[%s %s] was found",
                         cls->nameForLogging(), sel_getName(sel), 
                         cls->isMetaClass() ? '+' : '-', 
                         cls->nameForLogging(), sel_getName(sel));
        }
    }
}

首先判斷resolveInstanceMethod是否實現(xiàn),沒有時間直接返回,如果有實現(xiàn),發(fā)送消息resolveInstanceMethod,即調(diào)用我們自己處理的resolveInstanceMethod方法,然后進入慢速查找lookUpImpOrNil查找IMP,這里找到IMP只是為了打印消息,然后再進入lookUpImpOrNil查找IMP 返回IMP

動態(tài)方法決議的處理

#import "LGPerson.h"
#import <objc/message.h>

@implementation LGPerson
- (void)sayHello{
    NSLog(@"%s",__func__);
}

- (void)sayNB{
    NSLog(@"%s",__func__);
}
- (void)sayMaster{
    NSLog(@"%s",__func__);
}


+ (void)lgClassMethod{
    NSLog(@"%s",__func__);
}


+ (BOOL)resolveInstanceMethod:(SEL)sel{
    NSLog(@"%@ 來了",NSStringFromSelector(sel));
    if (sel == @selector(say666)) {
        NSLog(@"%@ 來了",NSStringFromSelector(sel));

        IMP imp           = class_getMethodImplementation(self, @selector(sayMaster));
        Method sayMMethod = class_getInstanceMethod(self, @selector(sayMaster));
        const char *type  = method_getTypeEncoding(sayMMethod);
        return class_addMethod(self, sel, imp, type);
    }
   
    return [super resolveInstanceMethod:sel];
}

+ (BOOL)resolveClassMethod:(SEL)sel{
    NSLog(@"%@ 來了",NSStringFromSelector(sel));
    if (sel == @selector(sayNB)) {
         //注意這里類方法要添加到元類里面
        IMP imp           = class_getMethodImplementation(objc_getMetaClass("LGPerson"), @selector(lgClassMethod));
        Method sayMMethod = class_getInstanceMethod(objc_getMetaClass("LGPerson"), @selector(lgClassMethod));
        const char *type  = method_getTypeEncoding(sayMMethod);
        return class_addMethod(objc_getMetaClass("LGPerson"), sel, imp, type);
    }
    return [super resolveClassMethod:sel];
}

在類方法查找imp的過程中,最終找到NSObject,那么我們想可以統(tǒng)一將動態(tài)方法決議寫到NSObject的分類中

implementation NSObject (LG)

// 調(diào)用方法的時候 - 分類

+ (BOOL)resolveInstanceMethod:(SEL)sel{
    

    NSLog(@"%@ 來了",NSStringFromSelector(sel));
    if (sel == @selector(say666)) {
        NSLog(@"%@ 來了",NSStringFromSelector(sel));

        IMP imp           = class_getMethodImplementation(self, @selector(sayMaster));
        Method sayMMethod = class_getInstanceMethod(self, @selector(sayMaster));
        const char *type  = method_getTypeEncoding(sayMMethod);
        return class_addMethod(self, sel, imp, type);
    }
    else if (sel == @selector(sayNB)) {
        
        IMP imp           = class_getMethodImplementation(objc_getMetaClass("LGPerson"), @selector(lgClassMethod));
        Method sayMMethod = c lass_getInstanceMethod(objc_getMetaClass("LGPerson"), @selector(lgClassMethod));
        const char *type  = method_getTypeEncoding(sayMMethod);
        return class_addMethod(objc_getMetaClass("LGPerson"), sel, imp, type);
    }
    return NO;
}

/**
 
 1: 分類 - 便利
 2: 方法 - lg_model_tracffic
        - lg - model home - 奔潰 - pop Home
        - lg - mine  - mine
    切面 - SDK - 上傳
 3: AOP - 封裝SDK - 不處理
 4: 消息轉(zhuǎn)發(fā) - 
 
 */

@end

一般我們不在這一步做處理,因為有可能被子類攔截。我們繼續(xù)探索動態(tài)方法決議之后還走了哪些

在源碼中有打印消息發(fā)送的開關(guān),我們在OC中使用要用extern 開放出來

extern void instrumentObjcMessageSends(BOOL flag);

int main(int argc, const char * argv[]) {
    @autoreleasepool {
        instrumentObjcMessageSends(YES);
        LGPerson *person = [LGPerson alloc];
        [person sayHello];
        instrumentObjcMessageSends(YES);
        NSLog(@"Hello, World!");
    }
    return 0;
}

通過logMessageSend源碼,消息發(fā)送打印信息存儲在/tmp/msgSends/ 目錄,如下所示我們找到打印文件:

image.png

  • 發(fā)送了兩次動態(tài)方法決議:resolveInstanceMethod方法
  • 發(fā)送了兩次消息快速轉(zhuǎn)發(fā):forwardingTargetForSelector方法
  • 發(fā)送了兩次消息慢速轉(zhuǎn)發(fā):methodSignatureForSelector + resolveInstanceMethod

我們在通過bt命令看一下調(diào)用堆棧


image.png

我們發(fā)現(xiàn)___forwardingTarget___CoreFoundation框架中,但是這個框架蘋果并沒有開源,我們可以通過image list,讀取整個鏡像文件,然后搜索CoreFoundation,查看其可執(zhí)行文件的路徑,找到文件,通過hopper進行反匯編

image.png
image.png

image.png
image.png

判斷是否可以響應(yīng),發(fā)送消息看是否有接收者。

- (id)forwardingTargetForSelector:(SEL)aSelector{
    NSLog(@"%s - %@",__func__,NSStringFromSelector(aSelector));

    // runtime + aSelector + addMethod + imp
    return [super forwardingTargetForSelector:aSelector];
}


- (NSMethodSignature *)methodSignatureForSelector:(SEL)aSelector{
    NSLog(@"%s - %@",__func__,NSStringFromSelector(aSelector));
    return nil;
}

- (void)forwardInvocation:(NSInvocation *)anInvocation{
    NSLog(@"%s - %@",__func__,anInvocation);
    // GM  sayHello - anInvocation - 漂流瓶 - anInvocation
    anInvocation.target = [LGStudent alloc];
    // anInvocation 保存 - 方法
    [anInvocation invoke];
}
2251862-71932fb077753303.jpg
image.png

我們可以看到 匯編又調(diào)用了一次動態(tài)方法決議,這也是為什么resolveInstanceMethod走兩遍的原因。

消息轉(zhuǎn)發(fā)流程圖

未命名文件.png
最后編輯于
?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請聯(lián)系作者
【社區(qū)內(nèi)容提示】社區(qū)部分內(nèi)容疑似由AI輔助生成,瀏覽時請結(jié)合常識與多方信息審慎甄別。
平臺聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀點,簡書系信息發(fā)布平臺,僅提供信息存儲服務(wù)。

相關(guān)閱讀更多精彩內(nèi)容

友情鏈接更多精彩內(nèi)容