objc对象调用方法详细过程
2020-01-31 本文已影响0人
大墙66370
在调用对象的方法之前我们首先弄清楚对象的方法存在哪里.
实例方法存在类对象中
类方法存在元类对象中(元类其实也是一个类对象)
我们先看下类对象的结构布局
struct objc_class : objc_object {
// Class ISA;
Class superclass;
cache_t cache; // formerly cache pointer and vtable
class_data_bits_t bits; // class_rw_t * plus custom rr/alloc flags
}
我们看到一个类对象就是一个结构体继承与objc_object结构体,我们以前的文章中分析过objc_object结构体,这里简单的说一下objc_object, objc_object里面有一个isa是一个共用体.里面有一个结构体使用位域来存储更多的信息.
superclass是指向父类的指针
cache方法的缓存列表
bits& FAST_DATA_MASK的到class_rw_t结构体
struct class_rw_t {
// Be warned that Symbolication knows the layout of this structure.
uint32_t flags;
uint32_t version;
const class_ro_t *ro;
method_array_t methods;
property_array_t properties;
protocol_array_t protocols;
Class firstSubclass;
Class nextSiblingClass;
char *demangledName;
}
在class_rw_t中 methods就是方法的缓存类表
我们以前讨论分类的的时候也分析过method_array_t methods;结构
methods是一个二维数组, 数组里面的元素是分类的的方法类表
[
[分类方法1a方法,分类方法1b方法],
[分类方法2a方法,分类方法2b方法]
]
我们给一个对象发消息的时候就会找到methods这个数组里面然后缓存到cache中,就算给一个对象调用父类的方法也会缓存到cache中的_buckets, 当往_buckets缓存bucket_t的时候_buckets会检查是否需要扩容,需要扩容就会清空所有元素然后,在缓存进来.(这个时候以前的缓存就没有了)
struct cache_t {
struct bucket_t *_buckets;
mask_t _mask; //散列表的长度
mask_t _occupied; //已经缓存方法的个数
}
struct bucket_t {
private:
cache_key_t _key;
IMP _imp;
}
我看到cache结构体中_buckets是一个数组里面是bucket_t结构体_key就是方法名字_buckets就相当于一个离散列表(类似字典)
image.png
image.png
image.png
源码分析调用方法过程
ENTRY _objc_msgSend
UNWIND _objc_msgSend, NoFrame
MESSENGER_START
cmp x0, #0 // nil check and tagged pointer check
b.le LNilOrTagged // (MSB tagged pointer looks negative)
ldr x13, [x0] // x13 = isa
and x16, x13, #ISA_MASK // x16 = class
LGetIsaDone:
CacheLookup NORMAL // calls imp or objc_msgSend_uncached
LNilOrTagged:
b.eq LReturnZero // nil check
// tagged
mov x10, #0xf000000000000000
cmp x0, x10
b.hs LExtTag
adrp x10, _objc_debug_taggedpointer_classes@PAGE
add x10, x10, _objc_debug_taggedpointer_classes@PAGEOFF
ubfx x11, x0, #60, #4
ldr x16, [x10, x11, LSL #3]
b LGetIsaDone
LExtTag:
// ext tagged
adrp x10, _objc_debug_taggedpointer_ext_classes@PAGE
add x10, x10, _objc_debug_taggedpointer_ext_classes@PAGEOFF
ubfx x11, x0, #52, #8
ldr x16, [x10, x11, LSL #3]
b LGetIsaDone
LReturnZero:
// x0 is already zero
mov x1, #0
movi d0, #0
movi d1, #0
movi d2, #0
movi d3, #0
MESSENGER_END_NIL
ret
END_ENTRY _objc_msgSend
x0, 寄存器里面存的是receiver消息接受者
b.le LNilOrTagged //如果receiver为nil跳转到LNilOrTagged
b.eq LReturnZero // nil check
ret (表示return)
如果对象为nil就return
如果对象不为nil就走到CacheLookup 在缓存中寻找
.macro CacheLookup
// x1 = SEL, x16 = isa
ldp x10, x11, [x16, #CACHE] // x10 = buckets, x11 = occupied|mask
and w12, w1, w11 // x12 = _cmd & mask
add x12, x10, x12, LSL #4 // x12 = buckets + ((_cmd & mask)<<4)
ldp x9, x17, [x12] // {x9, x17} = *bucket
1: cmp x9, x1 // if (bucket->sel != _cmd)
b.ne 2f // scan more
CacheHit $0 // call or return imp
2: // not hit: x12 = not-hit bucket
CheckMiss $0 // miss if bucket->sel == 0
cmp x12, x10 // wrap if bucket == buckets
b.eq 3f
ldp x9, x17, [x12, #-16]! // {x9, x17} = *--bucket
b 1b // loop
3: // wrap: x12 = first bucket, w11 = mask
add x12, x12, w11, UXTW #4 // x12 = buckets+(mask<<4)
// Clone scanning loop to miss instead of hang when cache is corrupt.
// The slow path may detect any corruption and halt later.
ldp x9, x17, [x12] // {x9, x17} = *bucket
1: cmp x9, x1 // if (bucket->sel != _cmd)
b.ne 2f // scan more
CacheHit $0 // call or return imp
2: // not hit: x12 = not-hit bucket
CheckMiss $0 // miss if bucket->sel == 0
cmp x12, x10 // wrap if bucket == buckets
b.eq 3f
ldp x9, x17, [x12, #-16]! // {x9, x17} = *--bucket
b 1b // loop
3: // double wrap
JumpMiss $0
.endmacro
CacheHit 命中缓存 结果是直接调用方法或者返回imp指针
.macro CacheHit
.if $0 == NORMAL
MESSENGER_END_FAST
br x17 // call imp
.elseif $0 == GETIMP
mov x0, x17 // return imp
ret
.elseif $0 == LOOKUP
ret // return imp via x17
.else
.abort oops
.endif
.endmacro
CheckMiss在缓存中没有找到
.macro CheckMiss
// miss if bucket->sel == 0
.if $0 == GETIMP
cbz x9, LGetImpMiss
.elseif $0 == NORMAL
cbz x9, __objc_msgSend_uncached
.elseif $0 == LOOKUP
cbz x9, __objc_msgLookup_uncached
.else
.abort oops
.endif
.endmacro
因为CacheLookup NORMAL传的值是NORMAL 这里我们暂时只分析__objc_msgSend_uncached
STATIC_ENTRY __objc_msgSend_uncached
UNWIND __objc_msgSend_uncached, FrameWithNoSaves
// THIS IS NOT A CALLABLE C FUNCTION
// Out-of-band x16 is the class to search
MethodTableLookup
br x17
END_ENTRY __objc_msgSend_uncached
我们再分析MethodTableLookup 发现是个宏
.macro MethodTableLookup
// push frame
stp fp, lr, [sp, #-16]!
mov fp, sp
// save parameter registers: x0..x8, q0..q7
sub sp, sp, #(10*8 + 8*16)
stp q0, q1, [sp, #(0*16)]
stp q2, q3, [sp, #(2*16)]
stp q4, q5, [sp, #(4*16)]
stp q6, q7, [sp, #(6*16)]
stp x0, x1, [sp, #(8*16+0*8)]
stp x2, x3, [sp, #(8*16+2*8)]
stp x4, x5, [sp, #(8*16+4*8)]
stp x6, x7, [sp, #(8*16+6*8)]
str x8, [sp, #(8*16+8*8)]
// receiver and selector already in x0 and x1
mov x2, x16
bl __class_lookupMethodAndLoadCache3
// imp in x0
mov x17, x0
// restore registers and return
ldp q0, q1, [sp, #(0*16)]
ldp q2, q3, [sp, #(2*16)]
ldp q4, q5, [sp, #(4*16)]
ldp q6, q7, [sp, #(6*16)]
ldp x0, x1, [sp, #(8*16+0*8)]
ldp x2, x3, [sp, #(8*16+2*8)]
ldp x4, x5, [sp, #(8*16+4*8)]
ldp x6, x7, [sp, #(8*16+6*8)]
ldr x8, [sp, #(8*16+8*8)]
mov sp, fp
ldp fp, lr, [sp], #16
.endmacro
bl __class_lookupMethodAndLoadCache3 意思是跳转到__class_lookupMethodAndLoadCache3这个方法.
IMP _class_lookupMethodAndLoadCache3(id obj, SEL sel, Class cls)
{
return lookUpImpOrForward(cls, sel, obj,
YES/*initialize*/, NO/*cache*/, YES/*resolver*/);
}
接下来就来到了lookUpImpOrForward
IMP lookUpImpOrForward(Class cls, SEL sel, id inst,
bool initialize, bool cache, bool resolver)
{
IMP imp = nil;
bool triedResolver = NO;
runtimeLock.assertUnlocked();
// Optimistic cache lookup
if (cache) { //cache为NO在_objc_msgSend汇编代码中已经在cache中找过了,这里就不用再在缓存中找了
imp = cache_getImp(cls, sel);
if (imp) return imp;
}
// runtimeLock is held during isRealized and isInitialized checking
// to prevent races against concurrent realization.
// runtimeLock is held during method search to make
// method-lookup + cache-fill atomic with respect to method addition.
// Otherwise, a category could be added but ignored indefinitely because
// the cache was re-filled with the old value after the cache flush on
// behalf of the category.
runtimeLock.read();
//判断类是否已经实现过了
if (!cls->isRealized()) {
// Drop the read-lock and acquire the write-lock.
// realizeClass() checks isRealized() again to prevent
// a race while the lock is down.
runtimeLock.unlockRead();
runtimeLock.write();
realizeClass(cls);//如果类没有实现过,就去实现类
runtimeLock.unlockWrite();
runtimeLock.read();
}
if (initialize && !cls->isInitialized()) {
runtimeLock.unlockRead();
_class_initialize (_class_getNonMetaClass(cls, inst));
runtimeLock.read();
// If sel == initialize, _class_initialize will send +initialize and
// then the messenger will send +initialize again after this
// procedure finishes. Of course, if this is not being called
// from the messenger then it won't happen. 2778172
}
retry:
runtimeLock.assertReading();
// Try this class's cache.
imp = cache_getImp(cls, sel);//再次从缓存中检查
if (imp) goto done;
// Try this class's method lists.从自己的类中查找方法找到就把imp返回了
{
Method meth = getMethodNoSuper_nolock(cls, sel);
if (meth) {
log_and_fill_cache(cls, meth->imp, sel, inst, cls);
imp = meth->imp;
goto done;
}
}
// Try superclass caches and method lists. //如果自己的的类中没有找到从父类中找到
{
unsigned attempts = unreasonableClassCount();
for (Class curClass = cls->superclass;curClass != nil;curClass = curClass->superclass)
{
//curClass是父类 curClass != nil;curClass = curClass->superclass一直便利,父类
// Halt if there is a cycle in the superclass chain.如果超类链中存在循环,则停止。
if (--attempts == 0) {
_objc_fatal("Memory corruption in class list.");
}
// Superclass cache.从父类的缓存中找imp
imp = cache_getImp(curClass, sel);
if (imp) {
if (imp != (IMP)_objc_msgForward_impcache) {
// Found the method in a superclass. Cache it in this class.在父类中的缓存中找都方法
log_and_fill_cache(cls, imp, sel, inst, curClass);//缓存到消息接受者的类中的缓存中
goto done;
}
else {
// Found a forward:: entry in a superclass.
// Stop searching, but don't cache yet; call method
// resolver for this class first.
break;
}
}
// Superclass method list. 在父类中的方法缓存中没有找到方法,就下父类的方法列表中寻找
Method meth = getMethodNoSuper_nolock(curClass, sel);
if (meth) {
log_and_fill_cache(cls, meth->imp, sel, inst, curClass);
imp = meth->imp;
goto done;
}
}
}
// No implementation found. Try method resolver once.
//自己类的缓存,方法列表,所有父类的缓存,方法类表都没找到 进入动态方法解析阶段
if (resolver && !triedResolver) {
runtimeLock.unlockRead();
_class_resolveMethod(cls, sel, inst);
runtimeLock.read();
// Don't cache the result; we don't hold the lock so it may have
// changed already. Re-do the search from scratch instead.
triedResolver = YES;
goto retry; //在动态解析后就会 返回到retry 从新走一遍消息发送流程(如果动态解析阶段我们动态的添加了方法.就会找到imp 如果没有动态解析就会走到最后一个阶段消息转发)
}
// No implementation found, and method resolver didn't help.
// Use forwarding.
imp = (IMP)_objc_msgForward_impcache; //消息转发
cache_fill(cls, sel, imp, inst);
done:
runtimeLock.unlockRead();
return imp;
}
我们分析一下_class_resolveMethod
void _class_resolveMethod(Class cls, SEL sel, id inst)
{
if (! cls->isMetaClass()) {
// try [cls resolveInstanceMethod:sel]
_class_resolveInstanceMethod(cls, sel, inst);
}
else {
// try [nonMetaClass resolveClassMethod:sel]
// and [cls resolveInstanceMethod:sel]
_class_resolveClassMethod(cls, sel, inst);
if (!lookUpImpOrNil(cls, sel, inst,
NO/*initialize*/, YES/*cache*/, NO/*resolver*/))
{
_class_resolveInstanceMethod(cls, sel, inst);
}
}
}
如果是实例方法则会调用 _class_resolveInstanceMethod.
static void _class_resolveInstanceMethod(Class cls, SEL sel, id inst)
{
if (! lookUpImpOrNil(cls->ISA(), SEL_resolveInstanceMethod, cls,
NO/*initialize*/, YES/*cache*/, NO/*resolver*/))
{
// Resolver not implemented.
return;
}
BOOL (*msg)(Class, SEL, SEL) = (typeof(msg))objc_msgSend;
bool resolved = msg(cls, SEL_resolveInstanceMethod, sel);
// Cache the result (good or bad) so the resolver doesn't fire next time.
// +resolveInstanceMethod adds to self a.k.a. cls
IMP imp = lookUpImpOrNil(cls, sel, inst,
NO/*initialize*/, YES/*cache*/, NO/*resolver*/);
if (resolved && PrintResolving) {
if (imp) {
_objc_inform("RESOLVE: method %c[%s %s] "
"dynamically resolved to %p",
cls->isMetaClass() ? '+' : '-',
cls->nameForLogging(), sel_getName(sel), imp);
}
else {
// Method resolver didn't add anything?
_objc_inform("RESOLVE: +[%s resolveInstanceMethod:%s] returned YES"
", but no new implementation of %c[%s %s] was found",
cls->nameForLogging(), sel_getName(sel),
cls->isMetaClass() ? '+' : '-',
cls->nameForLogging(), sel_getName(sel));
}
}
}
我们分析一下_class_resolveInstanceMethod方法SEL_resolveInstanceMethod 是+ (BOOL)resolveInstanceMethod:(SEL)sel 通过objc_msgSend调用这个类方法, 我们可以重写这个类方法, 并且在类方法中 动态添加方法
-(void)test1{
NSLog(@"---");
}
+(void)test1{
NSLog(@"---");
}
+ (BOOL)resolveClassMethod:(SEL)sel{
if (sel == @selector(test)) {
Class class = object_getClass(self);
Method method = class_getInstanceMethod(class, @selector(test1));
IMP imp = method_getImplementation(method);
const char * types = method_getTypeEncoding(method);
class_addMethod(class, sel,imp,types);
}
return [super resolveClassMethod:sel];
}
+ (BOOL)resolveInstanceMethod:(SEL)sel{
if (sel == @selector(test)) {
Method method = class_getInstanceMethod(self, @selector(test1));
IMP imp = method_getImplementation(method);
const char * types = method_getTypeEncoding(method);
class_addMethod(self, sel,imp,types);
}
return [super resolveInstanceMethod:sel];
}
如果我们动态解析没有做事情 就会来到消息转发_objc_msgForward_impcache这个imp我们发现在汇编中找到,但是经过分析是没有源码的,这里暂不分析汇编
下面列出动态转发的几个方法.
- (id)forwardingTargetForSelector:(SEL)aSelector {
if (aSelector == @selector(test)) {
return [LC_Tool new];
}
return [super forwardingTargetForSelector:aSelector];
}
- (NSMethodSignature *)methodSignatureForSelector:(SEL)aSelector{
if (aSelector == @selector(test)) {
NSMethodSignature *methodSignature = [NSMethodSignature signatureWithObjCTypes:""];
return methodSignature;
}
return [super methodSignatureForSelector:aSelector];
}
- (void)forwardInvocation:(NSInvocation *)anInvocation{
//这里拿到 anInvocation可以为所欲为
//可以任何事情都不做
//可以转发给一个对象调用方法
//[anInvocation invokeWithTarget:[NSObject new]];
//可以改变参数
int a = 10;
[anInvocation setArgument:&a atIndex:2]; //第0个参数是消息接受者.第1个参数是_cmd
[anInvocation invokeWithTarget:[NSObject new]];
}
在消息转发阶段如果-forwardingTargetForSelector没有实现,就会调用- methodSignatureForSelector方法自己返回方法签名,
然后调用-forwardInvocation返回一个NSInvocation对象
补充一点如果 消息转发阶段这个消息是类方法就会调用+forwardingTargetForSelector,+ methodSignatureForSelector
,+ forwardInvocation (虽然没有暴露出api)
不管是类方法还是对象方法在消息转发阶段, 其实都是消息接受者调用以上的方法.(这样就可以理解为啥 ,对象方法调用-号类方法调用+号了 因为消息接受者不同)
objc_msgSend的执行流程可以分为3大阶段
1消息发送
2动态方法解析
3消息转发
image.png
image.png
image.png
