Runtimer之消息发送

2021-03-24  本文已影响0人  NJKNJK

官方文档地址
官方源码地址
github源码地址

这里介绍的Runtime是Modern版本
对应的编程接口:Objective-C 2.0
对应的平台:iPhone程序和Mac OS X V10.5及以后的系统中的64位程序

Runtime 基本是用 C、C++ 和汇编写的,消息发送过程由汇编和C两部分代码实现的,我们先来看汇编部分(以ARM64架构为例)。

打开项目搜索_objc_msgSend关键字,打开objc-msg-arm64.s源文件。
1.ENTRY _objc_msgSend消息发送函数的入口
2.cmp x0,cmp比较指令,x0存储的是recevier 消息接收者,检查消息接收者是否为nil或是Tagged Pointer。
通过比较指令检查消息接收者是否为nil或是Tagged Pointer。
3.b.le LNilOrTaggedb跳转指令,通常和cmp搭配使用,命中则跳转到LNilOrTagged
4.ldr x13, [x0]ldr取值指令,从x0指向的地址里面取出值存入 x13x13中存的是isa指针地址,这里的isa在ARM64架构是优化过的指针。
5.and x9, x13:通过掩码进行与运算找到对应的类
6.CacheLookup NORMALCacheLookup汇编中定义的宏,NORMAL参数,在类的缓存列表中查找方法名称,如果找到就调用方法实现(calls imp),否则到类的方法列表中查找方法名称(__objc_msgSend_uncached_impcache

    ENTRY _objc_msgSend
    MESSENGER_START

    cmp x0, #0          // nil check and tagged pointer check
    b.le    LNilOrTagged        //  (MSB tagged pointer looks negative)
    ldr x13, [x0]       // x13 = isa
    and x9, x13, #ISA_MASK  // x9 = class   
LGetIsaDone:
    CacheLookup NORMAL      // calls imp or objc_msgSend_uncached

检查消息接收者是否为nil或是Tagged Pointer
1.b.eq LReturnZero:如果消息接收者为nil,跳转到LReturnZero直接return结束当前的消息发送。
这里就解释了为什么给空对象发送消息不会Crash
2.b LGetIsaDone:如果是Tagged Pointer完成获取isa所指的对象后跳回_objc_msgSend继续执行

LNilOrTagged:
    b.eq    LReturnZero     // nil check

    // tagged
    adrp    x10, _objc_debug_taggedpointer_classes@PAGE
    add x10, x10, _objc_debug_taggedpointer_classes@PAGEOFF
    ubfx    x11, x0, #60, #4
    ldr x9, [x10, x11, LSL #3]
    b   LGetIsaDone

LReturnZero:
    // x0 is already zero
    mov x1, #0
    movi    d0, #0
    movi    d1, #0
    movi    d2, #0
    movi    d3, #0
    MESSENGER_END_NIL
    ret                      // return

    END_ENTRY _objc_msgSend  // 消息发送结束

在缓存中查找

CacheLookup宏定义
1.CacheHit命中调用方法实现或返回imp
2.CheckMiss未命中到类的方法列表中查找方法名称(__objc_msgSend_uncached_impcache)

.macro CacheLookup
    // x1 = SEL, x9 = isa
    ldp x10, x11, [x9, #CACHE]  // x10 = buckets, x11 = occupied|mask
    and w12, w1, w11        // x12 = _cmd & mask
    add x12, x10, x12, LSL #4   // x12 = buckets + ((_cmd & mask)<<4)

    ldp x16, x17, [x12]     // {x16, x17} = *bucket
1:  cmp x16, x1         // if (bucket->sel != _cmd)
    b.ne    2f          //     scan more
    CacheHit $0         // call or return imp

2:  // not hit: x12 = not-hit bucket
    CheckMiss $0            // miss if bucket->cls == 0
    cmp x12, x10        // wrap if bucket == buckets
    b.eq    3f
    ldp x16, x17, [x12, #-16]!  // {x16, x17} = *--bucket
    b   1b          // loop

……

.endmacro

CacheHit宏定义
br x17:调用方法实现

.macro CacheHit
    MESSENGER_END_FAST
.if $0 == NORMAL
    br  x17         // call imp
.else
    b   LGetImpHit
.endif
.endmacro

CheckMiss宏定义
cbz x16, __objc_msgSend_uncached_impcache:到类的方法列表中查找方法名称

.macro CheckMiss
.if $0 == NORMAL            // miss if bucket->cls == 0
    cbz x16, __objc_msgSend_uncached_impcache
.else
    cbz x16, LGetImpMiss
.endif
.endmacro

在类的方法列表中查找方法名称
bl __class_lookupMethodAndLoadCache3__class_lookupMethodAndLoadCache3是C中实现的函数,会跳转到函数中在类的方法列表中查找方法名称和方法实现,找到后会返回汇编部分继续执行。

STATIC_ENTRY __objc_msgSend_uncached_impcache
    ……

    // receiver and selector already in x0 and x1
    mov x2, x9
    bl  __class_lookupMethodAndLoadCache3

    // imp in x0
    mov x17, x0
    ……

    END_ENTRY __objc_msgSend_uncached_impcache

汇编部分这此就结束了。

在方法列表中查找

注意搜索关键字_class_lookupMethodAndLoadCache3前面少了一个下划线_,这是汇编和C的一个命名约定,打开新版的文件objc-runtime-new.mm

// id  对象
// sel 方法名称
// cls  实例对象类
IMP _class_lookupMethodAndLoadCache3(id obj, SEL sel, Class cls)
{
    return lookUpImpOrForward(cls, sel, obj, 
                              YES/*initialize*/, NO/*cache*/, YES/*resolver*/);
}

因为_class_lookupMethodAndLoadCache3传入的cache=NO,所以这里会直接跳过if中代码的执行,在objc_msgSend中已经使用汇编代码查找过了。

runtimeLock.assertUnlocked();

    // Optimistic cache lookup
    if (cache) {
        imp = cache_getImp(cls, sel);
        if (imp) return imp;
    }

初始化的过程中会对其中的类进行第一次初始化也就是执行realizeClass方法,为类分配可读写结构体class_rw_t的空间,并返回正确的类结构体。

if (!cls->isRealized()) {
        runtimeLock.unlockRead();
        runtimeLock.write();
        realizeClass(cls);
        runtimeLock.unlockWrite();
        runtimeLock.read();
    }

_class_initialize方法会调用类的initialize方法进行初始化

    if (initialize  &&  !cls->isInitialized()) {
        runtimeLock.unlockRead();
        _class_initialize (_class_getNonMetaClass(cls, inst));
        runtimeLock.read();
    }

再次从cache中查找方法的实现,如果找到就会跳转到done标签,返回imp方法实现。cache_getImp又回到汇编部分,它会进入一个CacheLookup的标签。

imp = cache_getImp(cls, sel);
    if (imp) goto done;

从类的方法列表中寻找方法的实现

Method meth = getMethodNoSuper_nolock(cls, sel);
       if (meth) {
           log_and_fill_cache(cls, meth->imp, sel, inst, cls);
           imp = meth->imp;
           goto done;
       }

调用getMethodNoSuper_nolock方法查找对应的方法的结构体指针method_t

static method_t * getMethodNoSuper_nolock(Class cls, SEL sel)
{
    runtimeLock.assertLocked();
    assert(cls->isRealized());
    for (auto mlists = cls->data()->methods.beginLists(), 
              end = cls->data()->methods.endLists(); 
         mlists != end;
         ++mlists)
    {
        method_t *m = search_method_list(*mlists, sel);
        if (m) return m;
    }
    return nil;
}

类中数据的方法列表methods是一个二维数组method_array_t,写一个for循环遍历整个方法列表

static method_t *search_method_list(const method_list_t *mlist, SEL sel)
{
    int methodListIsFixedUp = mlist->isFixedUp();
    int methodListHasExpectedSize = mlist->entsize() == sizeof(method_t);
    if (__builtin_expect(methodListIsFixedUp && methodListHasExpectedSize, 1)) {
        return findMethodInSortedMethodList(sel, mlist);
    } else {
        // Linear search of unsorted method list
        for (auto& meth : *mlist) {
            if (meth.name == sel) return &meth;
        }
    }
    return nil;
}

在已排序的方法列表中查找method,返回方法结构体method_t。

static method_t *findMethodInSortedMethodList(SEL key, const method_list_t *list){
    const method_t * const first = &list->first;
    const method_t *base = first;
    const method_t *probe;
    uintptr_t keyValue = (uintptr_t)key;
    uint32_t count;

    for (count = list->count; count != 0; count >>= 1) {
        probe = base + (count >> 1);
        uintptr_t probeValue = (uintptr_t)probe->name;

        if (keyValue == probeValue) {
                while (probe > first && keyValue == (uintptr_t)probe[-1].name) {
                probe--;
            }
            return (method_t *)probe;
        }

        if (keyValue > probeValue) {
            base = probe + 1;
            count--;
        }
    }
    return nil;
}

如果在这里找到了方法的实现,将它加入类的缓存中,这个操作最后是由log_and_fill_cache方法来完成的,并跳转到done标签返回方法实现。

static void log_and_fill_cache(Class cls, IMP imp, SEL sel, id receiver, Class implementer){
#if SUPPORT_MESSAGE_LOGGING
    if (objcMsgLogEnabled) {
        bool cacheIt = logMessageSend(implementer->isMetaClass(), 
                                      cls->nameForLogging(),
                                      implementer->nameForLogging(), 
                                      sel);
        if (!cacheIt) return;
    }
#endif
    cache_fill (cls, sel, imp, receiver);
}

在父类中寻找实现

先查找父类缓存,未命中再搜索方法列表。

 unsigned attempts = unreasonableClassCount();
        for (Class curClass = cls->superclass;
             curClass != nil;
             curClass = curClass->superclass){
            // Halt if there is a cycle in the superclass chain.
            if (--attempts == 0) {
                _objc_fatal("Memory corruption in class list.");
            }

            // Superclass cache.
            imp = cache_getImp(curClass, sel);
            if (imp) {
                if (imp != (IMP)_objc_msgForward_impcache) {
                    // Found the method in a superclass. Cache it in this class.
                    log_and_fill_cache(cls, imp, sel, inst, curClass);
                    goto done;
                }
                else {
                    // Found a forward:: entry in a superclass.
                    // Stop searching, but don't cache yet; call method 
                    // resolver for this class first.
                    break;
                }
            }

            // Superclass method list.
            Method meth = getMethodNoSuper_nolock(curClass, sel);
            if (meth) {
                log_and_fill_cache(cls, meth->imp, sel, inst, curClass);
                imp = meth->imp;
                goto done;
            }
        }

方法解析

消息发送方法实现如果没有找到会尝试一次方法解析。

    // No implementation found. Try method resolver once.
    if (resolver  &&  !triedResolver) {
        runtimeLock.unlockRead();
        _class_resolveMethod(cls, sel, inst);
        runtimeLock.read();
        // Don't cache the result; we don't hold the lock so it may have 
        // changed already. Re-do the search from scratch instead.
        triedResolver = YES;
        goto retry;
    }   

解析类方法或解析实例方法。

void _class_resolveMethod(Class cls, SEL sel, id inst)
{
    if (! cls->isMetaClass()) {
        // try [cls resolveInstanceMethod:sel]
        _class_resolveInstanceMethod(cls, sel, inst);
    } 
    else {
        // try [nonMetaClass resolveClassMethod:sel]
        // and [cls resolveInstanceMethod:sel]
        _class_resolveClassMethod(cls, sel, inst);
        if (!lookUpImpOrNil(cls, sel, inst, 
                            NO/*initialize*/, YES/*cache*/, NO/*resolver*/)) 
        {
            _class_resolveInstanceMethod(cls, sel, inst);
        }
    }
}

在执行了方法解析之后,会跳转到retry标签,重新执行查找方法实现的流程,只不过不会再调用resolveInstanceMethod:方法了(将triedResolver标记为YES)。

消息转发

没有找到方法实现,动态方法解析也没有帮助,进入消息转发机制。

 // No implementation found, and method resolver didn't help. 
    // Use forwarding.

    imp = (IMP)_objc_msgForward_impcache;
    cache_fill(cls, sel, imp, inst);

消息转发又进入了汇编部分,搜索__objc_msgForward_impcache

STATIC_ENTRY __objc_msgForward_impcache

   MESSENGER_START
   nop
   MESSENGER_END_SLOW

   // No stret specialization.
   b   __objc_msgForward

   END_ENTRY __objc_msgForward_impcache

b __objc_msgForward 通过跳转指令跳到__objc_msgForward方法

ENTRY __objc_msgForward

    adrp    x17, __objc_forward_handler@PAGE
    ldr x17, [x17, __objc_forward_handler@PAGEOFF]
    br  x17

    END_ENTRY __objc_msgForward

br x17 通过跳转指令又回到了C代码中 ,搜索_objc_forward_handler

// Default forward handler halts the process.
__attribute__((noreturn)) void 
objc_defaultForwardHandler(id self, SEL sel)
{
    _objc_fatal("%c[%s %s]: unrecognized selector sent to instance %p "
                "(no message forward handler is installed)", 
                class_isMetaClass(object_getClass(self)) ? '+' : '-', 
                object_getClassName(self), sel_getName(sel), self);
}
void *_objc_forward_handler = (void*)objc_defaultForwardHandler;

_objc_forward_handler是个函数指针,并给了一个默认的函数实现。也就是我的方法没有实现会抛出错误信息。

打印runtime的消息

整个消息发送部分的源码就已经结束了,再往下的部分没有开源我们看不到。
我们可以通过消息打印的API,看到消息转发的内部执行过程。

// 声明外部打印函数
extern void instrumentObjcMessageSends(BOOL);
int main(int argc, const char * argv[]) {
    @autoreleasepool {
        // 打开打印消息
        instrumentObjcMessageSends(YES);
        [Person run];
        // 关闭打印消息
        instrumentObjcMessageSends(NO);
    }
    return 0;
}

打印结果输出到 /private/tmp/msgSends-xxxx文件
终端执行 open msgSends-xxxx,就可看到函数的调用过程

+ Person NSObject initialize
+ Person NSObject resolveClassMethod:
+ Person NSObject resolveClassMethod:
+ NSObject NSObject resolveInstanceMethod:
+ NSObject NSObject resolveInstanceMethod:
+ Person Person forwardingTargetForSelector:
+ Person Person forwardingTargetForSelector:
+ NSObject NSObject forwardingTargetForSelector:
+ Person Person methodSignatureForSelector:
+ Person Person methodSignatureForSelector:
+ NSMethodSignature NSObject initialize
+ NSMethodSignature NSMethodSignature signatureWithObjCTypes:
+ NSMethodSignature NSObject alloc
- NSMethodSignature NSMethodSignature _typeString
- NSMethodSignature NSMethodSignature _frameDescriptor
- NSTaggedPointerString NSTaggedPointerString retain
- NSMethodSignature NSObject release
- NSMethodSignature NSMethodSignature _frameDescriptor
+ Person NSObject resolveClassMethod:
+ Person NSObject resolveClassMethod:
+ NSObject NSObject resolveInstanceMethod:
+ NSObject NSObject resolveInstanceMethod:
+ Person Person forwardInvocation:
+ NSInvocation NSObject initialize
+ NSInvocation NSInvocation _invocationWithMethodSignature:frame:
+ NSInvocation NSObject alloc
- NSMethodSignature NSObject retain
- NSMethodSignature NSMethodSignature frameLength
- NSMethodSignature NSMethodSignature _frameDescriptor
- NSMethodSignature NSMethodSignature frameLength
- NSMethodSignature NSMethodSignature _frameDescriptor
- NSInvocation NSObject autorelease
+ Person Person forwardInvocation:
- NSInvocation NSInvocation setSelector:
- NSInvocation NSInvocation setArgument:atIndex:
- NSMethodSignature NSMethodSignature numberOfArguments
- NSMethodSignature NSMethodSignature _frameDescriptor
- NSMethodSignature NSMethodSignature _argInfo:
- NSMethodSignature NSMethodSignature _frameDescriptor
- NSInvocation NSInvocation setTarget:
- NSInvocation NSInvocation setArgument:atIndex:
- NSMethodSignature NSMethodSignature numberOfArguments
- NSMethodSignature NSMethodSignature _frameDescriptor
- NSMethodSignature NSMethodSignature _argInfo:
- NSMethodSignature NSMethodSignature _frameDescriptor
- NSInvocation NSInvocation invoke
- NSInvocation NSInvocation getArgument:atIndex:
- NSMethodSignature NSMethodSignature numberOfArguments
- NSMethodSignature NSMethodSignature _frameDescriptor
- NSMethodSignature NSMethodSignature _argInfo:
- NSMethodSignature NSMethodSignature _frameDescriptor
- NSMethodSignature NSMethodSignature _frameDescriptor
- NSMethodSignature NSMethodSignature frameLength
- NSMethodSignature NSMethodSignature _frameDescriptor
+ Person Person run
- __NSCFConstantString __NSCFString _fastCStringContents:
- NSMethodSignature NSMethodSignature methodReturnType
- NSMethodSignature NSMethodSignature _argInfo:
- NSMethodSignature NSMethodSignature _frameDescriptor
上一篇下一篇

猜你喜欢

热点阅读