iOS Advanced Path (6): The Nature of Messages & Message Sending


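The previous article showed that cache_t is the method cache. So what is a method, really?

1. The nature of a method

1.1 Exploration

The same familiar test code: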

@interface AKPerson : NSObject

- (void)person_instanceMethed;
+ (void)person_ClassMethod;

@end

@implementation AKPerson

- (void)person_instanceMethed {
    NSLog(@"%s", __func__);
}
+ (void)person_ClassMethod {
    NSLog(@"%s", __func__);
}

@end

@interface AKStudent : AKPerson

- (void)student_instanceMethed;
+ (void)student_ClassMethod;

@end

@implementation AKStudent

- (void)student_instanceMethed {
    NSLog(@"%s", __func__);
}
+ (void)student_ClassMethod {
    NSLog(@"%s", __func__);
}

@end

void run() {
    NSLog(@"%s", __func__);
}

int main(int argc, const char * argv[]) {
    @autoreleasepool {
        
        AKStudent *student = [AKStudent alloc];
        [student student_instanceMethed];
        run();
        
    }
    return 0;
}
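  • AKPerson is the superclass of AKStudent; each class has one class method and one instance method.
  • run() is a plain C function.

Run clang -rewrite-objc main.m -o main.cpp to view the generated code: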

AKStudent *student = ((AKStudent *(*)(id, SEL))(void *)objc_msgSend)((id)objc_getClass("AKStudent"), sel_registerName("alloc"));
 ((void (*)(id, SEL))(void *)objc_msgSend)((id)student, sel_registerName("student_instanceMethed"));

After removing the type casts:

AKStudent *student = objc_msgSend(objc_getClass("AKStudent"), sel_registerName("alloc"));
objc_msgSend(student, sel_registerName("student_instanceMethed"));
run();

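  • From this we can see that a method call is really objc_msgSend(id, SEL) sending a specific message to a specific object. id is the message receiver and SEL is the method number.

  • After clang compiles it, run() is still run() and is not called through objc_msgSend. Sending a message is the process of finding a function implementation, whereas a C function can be found directly by its name.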

1.2 Sending messages to different objects

Sending an instance method

receiver: the instance object

AKStudent *student = [AKStudent alloc];
objc_msgSend(student, sel_registerName("student_instanceMethed"));

Sending a class method

receiver: the class object

objc_msgSend(objc_getClass("AKStudent"), sel_registerName("student_ClassMethod"));

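Sending an instance method to the superclass

objc_msgSend cannot send a message to the superclass; objc_msgSendSuper is needed. In objc2 the objc_super structure only needs receiver and super_class to be assigned.

receiver: the instance object; super_class: the superclass's class object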

/// Specifies the superclass of an instance. 
struct objc_super {
    /// Specifies an instance of a class.
    __unsafe_unretained _Nonnull id receiver;

    /// Specifies the particular superclass of the instance to message. 
#if !defined(__cplusplus)  &&  !__OBJC2__
    /* For compatibility with old objc-runtime.h header */
    __unsafe_unretained _Nonnull Class class;
#else
    __unsafe_unretained _Nonnull Class super_class;
#endif
    /* super_class is the first class to search */
};

Sending a class method to the superclass

receiver: the class object; super_class: the superclass's metaclass object

struct objc_super akSuper;
akSuper.receiver = [student class];
akSuper.super_class = class_getSuperclass(object_getClass([student class]));
objc_msgSendSuper(&akSuper, sel_registerName("person_ClassMethod"));

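If you hit the error "Too many arguments to function call, expected 0, have 2", go to Build Settings and change the configuration as shown in the figure below.

2. objc_msgSend fast lookup

2.1 Finding the entry point

Open the disassembly, find our student_instanceMethed and objc_msgSend calls, and use control + step into to enter objc_msgSend.

Open objc-msg-arm64.s in the source and find the ENTRY _objc_msgSend entry point (in the assembly, a function entry is written as ENTRY + the function name).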

	ENTRY _objc_msgSend
	UNWIND _objc_msgSend, NoFrame

	cmp	p0, #0			// nil check and tagged pointer check
#if SUPPORT_TAGGED_POINTERS
	b.le	LNilOrTagged		//  (MSB tagged pointer looks negative)
#else
	b.eq	LReturnZero
#endif
	ldr	p13, [x0]		// p13 = isa
	GetClassFromIsa_p16 p13		// p16 = class
LGetIsaDone:
	CacheLookup NORMAL		// calls imp or objc_msgSend_uncached

  • Receiver nil check: nil check and tagged pointer check
  • GetClassFromIsa_p16 obtains the current class
  • CacheLookup NORMAL goes to the cache and starts the fast lookup

2.2 Fast lookup flow

.macro CacheLookup
	// p1 = SEL, p16 = isa
	ldp	p10, p11, [x16, #CACHE]	// p10 = buckets, p11 = occupied|mask
#if !__LP64__
	and	w11, w11, 0xffff	// p11 = mask
#endif
	and	w12, w1, w11		// x12 = _cmd & mask
	add	p12, p10, p12, LSL #(1+PTRSHIFT)
		             // p12 = buckets + ((_cmd & mask) << (1+PTRSHIFT))

	ldp	p17, p9, [x12]		// {imp, sel} = *bucket
1:	cmp	p9, p1			// if (bucket->sel != _cmd)
	b.ne	2f			//     scan more
	CacheHit $0			// call or return imp
	
2:	// not hit: p12 = not-hit bucket
	CheckMiss $0			// miss if bucket->sel == 0
	cmp	p12, p10		// wrap if bucket == buckets
	b.eq	3f
	ldp	p17, p9, [x12, #-BUCKET_SIZE]!	// {imp, sel} = *--bucket
	b	1b			// loop

3:	// wrap: p12 = first bucket, w11 = mask
	add	p12, p12, w11, UXTW #(1+PTRSHIFT)
		                        // p12 = buckets + (mask << 1+PTRSHIFT)

	// Clone scanning loop to miss instead of hang when cache is corrupt.
	// The slow path may detect any corruption and halt later.

	ldp	p17, p9, [x12]		// {imp, sel} = *bucket
1:	cmp	p9, p1			// if (bucket->sel != _cmd)
	b.ne	2f			//     scan more
	CacheHit $0			// call or return imp
	
2:	// not hit: p12 = not-hit bucket
	CheckMiss $0			// miss if bucket->sel == 0
	cmp	p12, p10		// wrap if bucket == buckets
	b.eq	3f
	ldp	p17, p9, [x12, #-BUCKET_SIZE]!	// {imp, sel} = *--bucket
	b	1b			// loop

3:	// double wrap
	JumpMiss $0
	
.endmacro
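  1. #CACHE is a macro that stands for 16 bytes; [x16, #CACHE] offsets the class object's address by 16 bytes to reach the cache. The cache is split in two: the 8-byte buckets pointer goes into p10, and the two 4-byte values occupied and mask go into p11.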
#define CLASS            __SIZEOF_POINTER__
#define CACHE            (2 * __SIZEOF_POINTER__)
  2. Through a series of operations (hashing, shifting, loading), find the imp that corresponds to the current sel in the hash table.
    and w12, w1, w11        // x12 = _cmd & mask
    add p12, p10, p12, LSL #(1+PTRSHIFT)
                     // p12 = buckets + ((_cmd & mask) << (1+PTRSHIFT))
    ldp p17, p9, [x12]      // {imp, sel} = *bucket
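  3. The rest of the flow is the same as the lookup in cache_t: if the entry is not found, keep searching in a loop until it is. As shown above, the 1/2/3 sequence appears twice; the second 1/2/3 is one fault-tolerance chance for multithreaded calls.
  4. CacheHit: a cache hit, meaning the imp for the sel was found; the imp is returned directly.
  5. CheckMiss: the current bucket did not match; continue searching.
  6. JumpMiss: the search has ended without a cache hit; leave the current flow.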
.macro JumpMiss
.if $0 == GETIMP
    b   LGetImpMiss
.elseif $0 == NORMAL
    b   __objc_msgSend_uncached
.elseif $0 == LOOKUP
    b   __objc_msgLookup_uncached
.else
.abort oops
.endif
.endmacro
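  7. The handler for a method that missed the cache:

The type we passed in is NORMAL, so __objc_msgSend_uncached is called next. Internally it only invokes MethodTableLookup and then tail-calls a function pointer.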

    STATIC_ENTRY __objc_msgSend_uncached      
    UNWIND __objc_msgSend_uncached, FrameWithNoSaves

    MethodTableLookup       
    TailCallFunctionPointer x17

    END_ENTRY __objc_msgSend_uncached
.macro MethodTableLookup
    
    // push frame
    ...part omitted...

    // save parameter registers: x0..x8, q0..q7
    ...part omitted...

    // receiver and selector already in x0 and x1
    mov x2, x16
    bl  __class_lookupMethodAndLoadCache3  

    // IMP in x0
    mov x17, x0
    
    // restore registers and return
    ...part omitted...
    AuthenticateLR

.endmacro

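After a series of preparation steps it calls __class_lookupMethodAndLoadCache3 to look up the method and load the cache. This is where the assembly stage ends and the C/C++ stage begins: the fast lookup is over and the slow lookup starts.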
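
An added C model of the CacheLookup macro from section 2.2 (not code from objc4 or from this article): it reproduces the mask-and-scan-backwards probe, the single wrap to the last bucket, and the double-wrap miss that the source comment says exists so a corrupt cache misses instead of hanging. The type names, selector values, bucket contents and demo_send are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Added model of the arm64 CacheLookup macro; all names and values are constructed. */
typedef int (*imp_t)(void);
typedef struct { imp_t imp; uintptr_t sel; } bucket_t;   /* arm64 order: {imp, sel} */
typedef struct { bucket_t *buckets; uint32_t mask; } cache_model_t;

/* Returns the cached imp, or NULL where the assembly would take the miss path. */
imp_t cache_lookup(const cache_model_t *c, uintptr_t sel)
{
    const bucket_t *b = c->buckets + (sel & c->mask);    /* buckets + (_cmd & mask) */
    for (int pass = 0; pass < 2; pass++) {               /* the two 1/2/3 loops */
        for (;;) {
            if (b->sel == sel) return b->imp;            /* CacheHit */
            if (b->sel == 0) return NULL;                /* CheckMiss: empty slot */
            if (b == c->buckets) break;                  /* first bucket reached: wrap */
            b--;                                         /* *--bucket */
        }
        b = c->buckets + c->mask;                        /* continue from the last bucket */
    }
    return NULL;                                         /* JumpMiss: double wrap */
}

static int imp_a(void) { return 1; }
static int imp_b(void) { return 2; }
static int imp_c(void) { return 3; }
static int imp_d(void) { return 4; }

enum { SEL_A = 0x1002, SEL_B = 0x2006, SEL_C = 0x3000, SEL_D = 0x4004, SEL_E = 0x5001 };

/* Healthy cache: mask 3, slot 3 left empty. SEL_B collides with SEL_A at index 2
   and therefore sits one slot lower, where the backwards scan finds it. */
static bucket_t healthy_buckets[4] = {
    { imp_c, SEL_C }, { imp_b, SEL_B }, { imp_a, SEL_A }, { NULL, 0 } };
/* Constructed "corrupt" cache: no empty slot, so only the double wrap ends the scan. */
static bucket_t full_buckets[4] = {
    { imp_c, SEL_C }, { imp_b, SEL_B }, { imp_a, SEL_A }, { imp_d, SEL_D } };

/* Returns the method's result on a cache hit, -1 when the slow path would run. */
int demo_send(int use_full_cache, uintptr_t sel)
{
    cache_model_t c = { use_full_cache ? full_buckets : healthy_buckets, 3 };
    imp_t imp = cache_lookup(&c, sel);
    return imp ? imp() : -1;
}
```

A return value of -1 from demo_send marks the point where the real code branches to __objc_msgSend_uncached.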

3. Slow lookup

3.1 _class_lookupMethodAndLoadCache3

We find _class_lookupMethodAndLoadCache3 in the source and start analysing the slow lookup.

IMP _class_lookupMethodAndLoadCache3(id obj, SEL sel, Class cls)
{
    return lookUpImpOrForward(cls, sel, obj, 
                              YES/*initialize*/, NO/*cache*/, YES/*resolver*/);
}
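  • id obj: the message receiver
  • SEL sel: the method signature
  • Class cls: for an instance method this is the instance object; for a class method it is the metaclass.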

3.2 lookUpImpOrForward

//  initialize = YES , cache = NO , resolver = YES
IMP lookUpImpOrForward(Class cls, SEL sel, id inst, 
                       bool initialize, bool cache, bool resolver)
{
    IMP imp = nil;
    bool triedResolver = NO;

    runtimeLock.assertUnlocked();

    // Cache lookup; only runs when cache is YES (it is NO on this path, so it is skipped)
    if (cache) {
        imp = cache_getImp(cls, sel);
        if (imp) return imp;
    }

    // runtimeLock is held during isRealized and isInitialized checking
    // to prevent races against concurrent realization.

    // runtimeLock is held during method search to make
    // method-lookup + cache-fill atomic with respect to method addition.
    // Otherwise, a category could be added but ignored indefinitely because
    // the cache was re-filled with the old value after the cache flush on
    // behalf of the category.

    // The lock guards against concurrent access; then check that the class is known
    runtimeLock.lock();
    checkIsKnownClass(cls);

    // Prepare for the method search: if the class is not realized yet, realize it along with its superclass, metaclass, etc.
    if (!cls->isRealized()) {
        realizeClass(cls);
    }

    if (initialize  &&  !cls->isInitialized()) {
        runtimeLock.unlock();
        _class_initialize (_class_getNonMetaClass(cls, inst));
        runtimeLock.lock();
        // If sel == initialize, _class_initialize will send +initialize and 
        // then the messenger will send +initialize again after this 
        // procedure finishes. Of course, if this is not being called 
        // from the messenger then it won't happen. 2778172
    }

    
 retry:    
    runtimeLock.assertLocked();

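    // Try this class's cache.
    // Search the cache once more; on a hit, goto done
    imp = cache_getImp(cls, sel);
    if (imp) goto done;

    // Try this class's method lists.
    // The braces form a local scope so local variable names do not clash
    {
        // Search this class's method lists; on a hit, fill the cache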
        Method meth = getMethodNoSuper_nolock(cls, sel);
        if (meth) {
            log_and_fill_cache(cls, meth->imp, sel, inst, cls);
            imp = meth->imp;
            goto done;
        }
    }

    // Try superclass caches and method lists.
    {
        unsigned attempts = unreasonableClassCount();
        // Walk the superclass chain
        for (Class curClass = cls->superclass;
             curClass != nil;
             curClass = curClass->superclass)
        {
            // Halt if there is a cycle in the superclass chain.
            if (--attempts == 0) {
                _objc_fatal("Memory corruption in class list.");
            }
            
            // Superclass cache.
            // Search the superclass cache; on a hit, fill this class's cache
            imp = cache_getImp(curClass, sel);
            if (imp) {
                if (imp != (IMP)_objc_msgForward_impcache) {
                    // Found the method in a superclass. Cache it in this class.
                    log_and_fill_cache(cls, imp, sel, inst, curClass);
                    goto done;
                }
                else {
                    // Found a forward:: entry in a superclass.
                    // Stop searching, but don't cache yet; call method
                    // resolver for this class first.
                    break;
                }
            }
            
            // Superclass method list.
            // Search the superclass's method lists; on a hit, fill this class's cache
            Method meth = getMethodNoSuper_nolock(curClass, sel);
            if (meth) {
                log_and_fill_cache(cls, meth->imp, sel, inst, curClass);
                imp = meth->imp;
                goto done;
            }
        }
    }

    // No implementation found. Try method resolver once.
    // If the method still has not been found, start dynamic method resolution
    if (resolver  &&  !triedResolver) {
        runtimeLock.unlock();
        _class_resolveMethod(cls, sel, inst);
        runtimeLock.lock();
        // Don't cache the result; we don't hold the lock so it may have
        // changed already. Re-do the search from scratch instead.
        triedResolver = YES;
        goto retry;
    }

    // No implementation found, and method resolver didn't help.
    // Use forwarding.
    // Start message forwarding
    imp = (IMP)_objc_msgForward_impcache;
    cache_fill(cls, sel, imp, inst);

 done:
    runtimeLock.unlock();

    return imp;
}

lookUpImpOrForward is the slow message lookup flow. Let's go through it step by step.

  1. First look in the cache; on a hit, cache_getImp returns the imp directly.
    if (cache) {
        imp = cache_getImp(cls, sel);
        if (imp) return imp;
    }
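  2. runtimeLock.lock() takes the lock, so that a lookup for method B cannot come in while method A is being looked up and cause the wrong imp to be returned.

  3. Check and prepare the class so that methods can be looked up: if the class has not been initialized, initialize the class, its superclass, its metaclass, etc.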

checkIsKnownClass(cls);

if (!cls->isRealized()) {
    realizeClass(cls);
}
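  • checkIsKnownClass(cls): checks whether the class exists in memory
  • realizeClass(cls): if the class has not been initialized, initializes the class, its superclass, its metaclass, etc.
  4. Search the class's own method lists; on a hit, cache_fill directly.
   // Try this class's method lists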
    {
        Method meth = getMethodNoSuper_nolock(cls, sel);
        if (meth) {
            log_and_fill_cache(cls, meth->imp, sel, inst, cls);
            imp = meth->imp;
            goto done;
        }
    }
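  • { } forms a local scope so that local variable names do not clash
  • Search the class's method lists; on a hit, cache_fill directly
  5. If the class's own method lists have no match, walk the superclasses and search their method lists.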
    // Try superclass caches and method lists
    {
        unsigned attempts = unreasonableClassCount();
        // Walk the superclass chain
        for (Class curClass = cls->superclass;
             curClass != nil;
             curClass = curClass->superclass)
        {
            // Halt if there is a cycle in the superclass chain.
            if (--attempts == 0) {
                _objc_fatal("Memory corruption in class list.");
            }
            
            // Superclass cache.
            // Search the superclass cache; on a hit, fill this class's cache
            imp = cache_getImp(curClass, sel);
            if (imp) {
                if (imp != (IMP)_objc_msgForward_impcache) {
                    // Found the method in a superclass. Cache it in this class.
                    log_and_fill_cache(cls, imp, sel, inst, curClass);
                    goto done;
                }
                else {
                    // Found a forward:: entry in a superclass.
                    // Stop searching, but don't cache yet; call method
                    // resolver for this class first.
                    break;
                }
            }
            
            // Superclass method list.
            // Search the superclass's method lists; on a hit, fill this class's cache
            Method meth = getMethodNoSuper_nolock(curClass, sel);
            if (meth) {
                log_and_fill_cache(cls, meth->imp, sel, inst, curClass);
                imp = meth->imp;
                goto done;
            }
        }
    }

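This follows the same flow as step 4; it is easy to follow if you are familiar with the isa chain and the class inheritance relationships.

  6. If the method is still not found, run dynamic method resolution with _class_resolveMethod, set triedResolver = YES (self-rescue has been attempted), and goto retry (slow path step 4).
  7. If the second search after dynamic method resolution still finds no imp, give up, take _objc_msgForward_impcache as the imp, cache_fill it, and start message forwarding.

3.3 Supplement

  1. getMethodNoSuper_nolock iterates over the methods of the class_rw_t structure.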
static method_t *
getMethodNoSuper_nolock(Class cls, SEL sel)
{
    for (auto mlists = cls->data()->methods.beginLists(), 
              end = cls->data()->methods.endLists(); 
         mlists != end;
         ++mlists)
    {
        method_t *m = search_method_list(*mlists, sel);
        if (m) return m;
    }
    return nil;
}
  2. search_method_list internally calls findMethodInSortedMethodList.
static method_t *findMethodInSortedMethodList(SEL key, const method_list_t *list)
{
    assert(list);

    const method_t * const first = &list->first;
    const method_t *base = first;
    const method_t *probe;
    uintptr_t keyValue = (uintptr_t)key;
    uint32_t count;
    // >> 1 shifts the bits of the value right by one position, filling the top bit with 0
    // count >>= 1: an even count becomes count / 2; an odd count becomes (count - 1) / 2
    for (count = list->count; count != 0; count >>= 1) {
        probe = base + (count >> 1);
        
        // Take the name (the SEL) of the middle method_t
        uintptr_t probeValue = (uintptr_t)probe->name;
        
        if (keyValue == probeValue) {
            // `probe` is a match.
            // Rewind looking for the *first* occurrence of this value.
            // This is required for correct category overrides.
            // Step backward to the first entry with this name
            while (probe > first && keyValue == (uintptr_t)probe[-1].name) {
                probe--;
            }
            // Return probe
            return (method_t *)probe;
        }
        // If keyValue > probeValue, continue the search in the upper half
        if (keyValue > probeValue) {
            base = probe + 1;
            count--;
        }
    }
    
    return nil;
}

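There are two cases here:

  • findMethodInSortedMethodList performs a binary search over a sorted list, also comparing by name.
  • The else branch handles unsorted lists: it iterates directly and returns as soon as the name matches.

3.4 Slow lookup flow chart

4. Summary

4.1 The OC message mechanism

The OC message mechanism has three stages:

  • Message lookup: search the method caches and method lists of the class and its superclasses
  • Dynamic resolution: if the message sending stage finds no method, the dynamic resolution stage is entered, which is responsible for adding a method implementation dynamically
  • Message forwarding: if dynamic resolution is not implemented, the message forwarding stage is entered, which forwards the message to a receiver that can handle it

objc_msgSend is written in assembly, mainly because it is fast and flexible enough (C cannot express a function that preserves unknown arguments and jumps to an arbitrary function pointer).

4.2 Method lookup flow

  • Instance method lookup: SelfClass -> SuperClass -> ... -> NSObject -> nil
  • Class method lookup: SelfMetaClass -> SuperMetaClass -> ... -> NSObjectMetaClass -> NSObject -> nil
  • If nothing is found: unrecognized selector sent to instance

This article mainly covered the message lookup flow. Because objc_msgSend is written in assembly at the lowest level and my knowledge is limited, I have only given a brief overview of the flow without a deeper analysis; please bear with me. The next article will cover the message forwarding mechanism in detail.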