01_Jack
01_Jack

dyld源码解读

前言

dyld全称the dynamic link editor,即动态链接器,其本质是Mach-O文件,他是专门用来加载动态库的库。源码可以从这里下载,本文采用的是| dyld-635.2 |
源码进行分析。dyld位于/usr/lib/dyld,可以从越狱机或者mac电脑中找到。以mac为例,终端执行如下命令:

cd /usr/lib/
file dyld

输出为:

dyld: Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit dynamic linker x86_64] [i386:Mach-O dynamic linker i386]
dyld (for architecture x86_64): Mach-O 64-bit dynamic linker x86_64
dyld (for architecture i386):   Mach-O dynamic linker i386

即,dyld是Mach-O类型的通用二进制文件,支持x86_64和i386两种架构。当然,iPhone真机对应的dyld支持的为arm系列架构。

  • otool简介
    otool是专门用来查看Mach-O类型文件的工具,终端输入otool可以看到很多用法:
$ otool
Usage: /Library/Developer/CommandLineTools/usr/bin/otool [-arch arch_type] [-fahlLDtdorSTMRIHGvVcXmqQjCP] [-mcpu=arg] [--version]  ...
    -f print the fat headers
    -a print the archive header
    -h print the mach header
    -l print the load commands
    -L print shared libraries used
    -D print shared library id name
    -t print the text section (disassemble with -v)
    -p   start dissassemble from routine name
    -s   print contents of section
    -d print the data section
    -o print the Objective-C segment
    -r print the relocation entries
    -S print the table of contents of a library (obsolete)
    -T print the table of contents of a dynamic shared library (obsolete)
    -M print the module table of a dynamic shared library (obsolete)
    -R print the reference table of a dynamic shared library (obsolete)
    -I print the indirect symbol table
    -H print the two-level hints table (obsolete)
    -G print the data in code table
    -v print verbosely (symbolically) when possible
    -V print disassembled operands symbolically
    -c print argument strings of a core file
    -X print no leading addresses or headers
    -m don't use archive(member) syntax
    -B force Thumb disassembly (ARM objects only)
    -q use llvm's disassembler (the default)
    -Q use otool(1)'s disassembler
    -mcpu=arg use `arg' as the cpu for disassembly
    -j print opcode bytes
    -P print the info plist section as strings
    -C print linker optimization hints
    --version print the version of /Library/Developer/CommandLineTools/usr/bin/otool
 
 
比如,可以通过-L来查看当前Mach-O所依赖的动态库。如,常用的gcd依赖以下这些动态库:
 
 
$ otool -L /usr/lib/system/libdispatch.dylib
/usr/lib/system/libdispatch.dylib:
    /usr/lib/system/libdispatch.dylib (compatibility version 1.0.0, current version 1008.250.7)
    /usr/lib/system/libsystem_darwin.dylib (compatibility version 1.0.0, current version 1.0.0)
    /usr/lib/system/libdyld.dylib (compatibility version 1.0.0, current version 655.1.1)
    /usr/lib/system/libcompiler_rt.dylib (compatibility version 1.0.0, current version 63.4.0)
    /usr/lib/system/libsystem_kernel.dylib (compatibility version 1.0.0, current version 4903.255.45)
    /usr/lib/system/libsystem_platform.dylib (compatibility version 1.0.0, current version 177.250.1)
    /usr/lib/system/libsystem_pthread.dylib (compatibility version 1.0.0, current version 330.250.2)
    /usr/lib/system/libsystem_malloc.dylib (compatibility version 1.0.0, current version 166.250.4)
    /usr/lib/system/libsystem_c.dylib (compatibility version 1.0.0, current version 1272.250.1)
    /usr/lib/system/libsystem_blocks.dylib (compatibility version 1.0.0, current version 73.0.0)
    /usr/lib/system/libunwind.dylib (compatibility version 1.0.0, current version 35.4.0)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)

 
 
当然,也可以通过MachOView更加直观的查看相关信息
 
 
 
 
  
 
   
 
    dyld源码解读_第1张图片 
   
 
  
 
  

    libdispatch.dylib 
  
 
 
 
 
 
 
dyld加载
 
 
动态库的加载必然在main函数之前,而load方法的调用也在main之前,因此从这里入手。新建工程,打上符号断点[NSObject load],运行程序后如图所示:
 
 
 
 
  
 
   
  
   
 
  
 
  

    符号断点 
  
 
 
 
 
 
 
可见,load的加载是从_dyld_start这个函数开始的。_dyld_start对应汇编文件,内部调用dyldbootstrap::start,位于dyldInitialization.cpp中:
 
 
//
//  This is code to bootstrap dyld.  This work in normally done for a program by dyld and crt.
//  In dyld we have to do this manually.
//
uintptr_t start(const struct macho_header* appsMachHeader, int argc, const char* argv[], 
                intptr_t slide, const struct macho_header* dyldsMachHeader,
                uintptr_t* startGlue)
{
    // if kernel had to slide dyld, we need to fix up load sensitive locations
    // we have to do this before using any global variables
    slide = slideOfMainExecutable(dyldsMachHeader);
    bool shouldRebase = slide != 0;
#if __has_feature(ptrauth_calls)
    shouldRebase = true;
#endif
    if ( shouldRebase ) {
        rebaseDyld(dyldsMachHeader, slide);
    }

    // allow dyld to use mach messaging
    mach_init();

    // kernel sets up env pointer to be just past end of agv array
    const char** envp = &argv[argc+1];
    
    // kernel sets up apple pointer to be just past end of envp array
    const char** apple = envp;
    while(*apple != NULL) { ++apple; }
    ++apple;

    // set up random value for stack canary
    __guard_setup(apple);

#if DYLD_INITIALIZER_SUPPORT
    // run all C++ initializers inside dyld
    runDyldInitializers(dyldsMachHeader, slide, argc, argv, envp, apple);
#endif

    // now that we are done bootstrapping dyld, call dyld's main
    uintptr_t appsSlide = slideOfMainExecutable(appsMachHeader);
    return dyld::_main(appsMachHeader, appsSlide, argc, argv, envp, apple, startGlue);
}

 
 
流程很简单:获取dyld对应的slide->通过slide对dyld进行rebase->mach初始化->栈溢出保护->获取应用的slide(appsSlide)->调用dyld的main函数
 
 
slide与rebase
 
 
由于apple采用了ASLR(Address space layout randomization)技术,所以Mach-O每次加载到内存中的首地址是变化的,此时想找到代码在内存中对应的地址需要重定位rebase。rebase要用到slide值,那么slide如何计算?
 
 
static uintptr_t slideOfMainExecutable(const struct macho_header* mh)
{
    const uint32_t cmd_count = mh->ncmds;
    const struct load_command* const cmds = (struct load_command*)(((char*)mh)+sizeof(macho_header));
    const struct load_command* cmd = cmds;
    for (uint32_t i = 0; i < cmd_count; ++i) {
        if ( cmd->cmd == LC_SEGMENT_COMMAND ) {
            const struct macho_segment_command* segCmd = (struct macho_segment_command*)cmd;
            if ( (segCmd->fileoff == 0) && (segCmd->filesize != 0)) {
                return (uintptr_t)mh - segCmd->vmaddr;
            }
        }
        cmd = (const struct load_command*)(((char*)cmd)+cmd->cmdsize);
    }
    return 0;
}

 
 
intptr_t _dyld_get_image_vmaddr_slide(uint32_t imageIndex)
{
    log_apis("_dyld_get_image_vmaddr_slide(%d)\n", imageIndex);

    const mach_header* mh = gAllImages.imageLoadAddressByIndex(imageIndex);
    if ( mh != nullptr )
        return dyld3::_dyld_get_image_slide(mh);
    return 0;
}

intptr_t _dyld_get_image_slide(const mach_header* mh)
{
    log_apis("_dyld_get_image_slide(%p)\n", mh);

    const MachOLoaded* mf = (MachOLoaded*)mh;
    if ( !mf->hasMachOMagic() )
        return 0;

    return mf->getSlide();
}

intptr_t MachOLoaded::getSlide() const
{
    Diagnostics diag;
    __block intptr_t slide = 0;
    forEachLoadCommand(diag, ^(const load_command* cmd, bool& stop) {
        if ( cmd->cmd == LC_SEGMENT_64 ) {
            const segment_command_64* seg = (segment_command_64*)cmd;
            if ( strcmp(seg->segname, "__TEXT") == 0 ) {
                slide = (uintptr_t)(((uint64_t)this) - seg->vmaddr);
                stop = true;
            }
        }
        else if ( cmd->cmd == LC_SEGMENT ) {
            const segment_command* seg = (segment_command*)cmd;
            if ( strcmp(seg->segname, "__TEXT") == 0 ) {
                slide = (uintptr_t)(((uint64_t)this) - seg->vmaddr);
                stop = true;
            }
        }
    });
    diag.assertNoError();   // any malformations in the file should have been caught by earlier validate() call
    return slide;
}

 
 
由于应用本身的Mach-O及dyld的特殊性,这两个采用的是slideOfMainExecutable的方式获取slide,而动态库加载采用的是_dyld_get_image_vmaddr_slide的方式获取slide。
 
 
对比后不难发现:
 slide = mh首地址 - load_command中__TEXT段中vmaddr的值(slideOfMainExecutable方式中以(segCmd->fileoff == 0) && (segCmd->filesize != 0)为条件,对于应用本身Mach-O及dyld,此时也是对应__TEXT段)
 
 
简单验证一下,以应用Mach-O为例:
 
 
 
  
 
   
 
    dyld源码解读_第2张图片 
   
 
  
 
  

    VM Address 
  
 
 
 
 
 
  
 
   
 
    dyld源码解读_第3张图片 
   
 
  
 
  

    image list 
  
 
 
 
 
可以看到,Mach-O的地址为0x101321000(16进制),VM Address的地址为4294967296(十进制,对应16进制为0x100000000)。当然,也可以通过命令行直接获取slide的值,这里为了方便理解,采用手动计算
 
 
image list -o -f

 
 
 
  
 
   
 
    dyld源码解读_第4张图片 
   
 
  
 
  

    Calculation 
  
 
 
 
 
1、用Mach-O的内存地址减去对应虚拟地址,得到20058112(十进制)为slide的值
 2、获取viewDidLoad函数在当前内存中的地址
 3、用viewDidLoad内存地址减去slide得到Mach-O中对应的虚拟地址
 4、将虚拟地址转化为16进制
 
 
 
  
 
   
 
    dyld源码解读_第5张图片 
   
 
  
 
  

    viewDidLoad 
  
 
 
 
 
可以看到,最终计算出的值0x100001750与在Mach-O中看到的值一致
 
 
dyld::_main
 
 
ASLR有个基本认知后,接着看dyld中的main干了什么。由于内部代码过长,此处先贴出流程再逐步分析:设置运行环境->加载共享缓存->实例化主程序->加载插入的动态库->链接主程序->链接插入的动态库->执行弱符号绑定->执行初始化方法->查找入口点并返回
 
 
     
  
  • 设置运行环境
    •  
 
 
 
uintptr_t
_main(const macho_header* mainExecutableMH, uintptr_t mainExecutableSlide, 
        int argc, const char* argv[], const char* envp[], const char* apple[], 
        uintptr_t* startGlue)
{
  ...
   // Grab the cdHash of the main executable from the environment
    uint8_t mainExecutableCDHashBuffer[20];
    const uint8_t* mainExecutableCDHash = nullptr;
    if ( hexToBytes(_simple_getenv(apple, "executable_cdhash"), 40, mainExecutableCDHashBuffer) )
                //  获取主程序hash
        mainExecutableCDHash = mainExecutableCDHashBuffer;

    // Trace dyld's load
        // 告知kernel,dyld已加载
    notifyKernelAboutImage((macho_header*)&__dso_handle, _simple_getenv(apple, "dyld_file"));
#if !TARGET_IPHONE_SIMULATOR
    // Trace the main executable's load
        // 告知kernel,主程序Mach-O已加载
    notifyKernelAboutImage(mainExecutableMH, _simple_getenv(apple, "executable_file"));
#endif

    uintptr_t result = 0;
    sMainExecutableMachHeader = mainExecutableMH;
    sMainExecutableSlide = mainExecutableSlide;
#if __MAC_OS_X_VERSION_MIN_REQUIRED
    // if this is host dyld, check to see if iOS simulator is being run
        // 获取dyld路径
    const char* rootPath = _simple_getenv(envp, "DYLD_ROOT_PATH");
    if ( (rootPath != NULL) ) {
        // look to see if simulator has its own dyld
        char simDyldPath[PATH_MAX]; 
        strlcpy(simDyldPath, rootPath, PATH_MAX);
        strlcat(simDyldPath, "/usr/lib/dyld_sim", PATH_MAX);
        int fd = my_open(simDyldPath, O_RDONLY, 0);
        if ( fd != -1 ) {
                        // 如果是模拟器,并且正确加载`dyld_sim`,则直接返回主程序地址
            const char* errMessage = useSimulatorDyld(fd, mainExecutableMH, simDyldPath, argc, argv, envp, apple, startGlue, &result);
            if ( errMessage != NULL )
                halt(errMessage);
            return result;
        }
    }
#endif

    CRSetCrashLogMessage("dyld: launch started");
        // 设置上下文
    setContext(mainExecutableMH, argc, argv, envp, apple);

    // Pickup the pointer to the exec path.
        // 获取主程序路径
    sExecPath = _simple_getenv(apple, "executable_path");

    //  Remove interim apple[0] transition code from dyld
    if (!sExecPath) sExecPath = apple[0];
    
        // 获取Mach-O绝对路径
    if ( sExecPath[0] != '/' ) {
        // have relative path, use cwd to make absolute
        char cwdbuff[MAXPATHLEN];
        if ( getcwd(cwdbuff, MAXPATHLEN) != NULL ) {
            // maybe use static buffer to avoid calling malloc so early...
            char* s = new char[strlen(cwdbuff) + strlen(sExecPath) + 2];
            strcpy(s, cwdbuff);
            strcat(s, "/");
            strcat(s, sExecPath);
            sExecPath = s;
        }
    }

    // Remember short name of process for later logging
        //  设置进程名称
    sExecShortName = ::strrchr(sExecPath, '/');
    if ( sExecShortName != NULL )
        ++sExecShortName;
    else
        sExecShortName = sExecPath;
    // 配置进程受限模式
    configureProcessRestrictions(mainExecutableMH);

//  再次检测/设置上下文环境
#if __MAC_OS_X_VERSION_MIN_REQUIRED
    if ( !gLinkContext.allowEnvVarsPrint && !gLinkContext.allowEnvVarsPath && !gLinkContext.allowEnvVarsSharedCache ) {
        pruneEnvironmentVariables(envp, &apple);
        // set again because envp and apple may have changed or moved
        setContext(mainExecutableMH, argc, argv, envp, apple);
    }
    else
#endif
    {
        checkEnvironmentVariables(envp);
        defaultUninitializedFallbackPaths(envp);
    }

...
        
        // 如果设置了DYLD_PRINT_OPTS,则打印参数
    if ( sEnv.DYLD_PRINT_OPTS )
        printOptions(argv);
        // 如果设置了DYLD_PRINT_ENV,则打印环境变量
    if ( sEnv.DYLD_PRINT_ENV ) 
        printEnvironmentVariables(envp);
        // 获取主程序架构信息
    getHostInfo(mainExecutableMH, mainExecutableSlide);
}

 
 
通过源码可以看到,如果是模拟器运行的程序,其实是通过dyld_sim来进行后续加载工作的,与正常真机加载流程略有不同,具体实现在useSimulatorDyld这个函数中,本文不做进一步解析。不难看出,模拟器比真机多加载一个dyld_sim
 
 
 
  
 
   
 
    dyld源码解读_第6张图片 
   
 
  
 
  

    模拟器 
  
 
 
 
 
 
  
 
   
 
    dyld源码解读_第7张图片 
   
 
  
 
  

    真机 
  
 
 
 
 
这里还有一个知识点,环境变量DYLD_PRINT_OPTSDYLD_PRINT_ENV
 
 
 
  
 
   
 
    dyld源码解读_第8张图片 
   
 
  
 
  

    processDyldEnvironmentVariable 
  
 
 
 
 
添加这两个环境变量,对应的字段会被设置为true,可以看到,这里并不需要设置value
 
 
 
  
 
   
 
    dyld源码解读_第9张图片 
   
 
  
 
  

    arguments & environment 
  
 
 
 
 
输出如下:
 
 
 
 
 
  
 
   
 
    dyld源码解读_第10张图片 
   
 
  
 
  

    输出 
  
 
 
 
 
但是并非每个环境变量都不需要配置value,如:
 
 
void processDyldEnvironmentVariable(const char* key, const char* value, const char* mainExecutableDir)
{
    if ( strcmp(key, "DYLD_FRAMEWORK_PATH") == 0 ) {
        appendParsedColonList(value, mainExecutableDir, &sEnv.DYLD_FRAMEWORK_PATH);
    }
    else if ( strcmp(key, "DYLD_FALLBACK_FRAMEWORK_PATH") == 0 ) {
        appendParsedColonList(value, mainExecutableDir, &sEnv.DYLD_FALLBACK_FRAMEWORK_PATH);
    }
    else if ( strcmp(key, "DYLD_LIBRARY_PATH") == 0 ) {
        appendParsedColonList(value, mainExecutableDir, &sEnv.DYLD_LIBRARY_PATH);
    }
    else if ( strcmp(key, "DYLD_FALLBACK_LIBRARY_PATH") == 0 ) {
        appendParsedColonList(value, mainExecutableDir, &sEnv.DYLD_FALLBACK_LIBRARY_PATH);
    }
...
}

 
 
这些环境变量是需要配置value的,更多可配置的环境变量可从processDyldEnvironmentVariable函数中找到
 
 
     
  
  • 加载共享缓存
    •  
 
 
 
uintptr_t
_main(const macho_header* mainExecutableMH, uintptr_t mainExecutableSlide, 
        int argc, const char* argv[], const char* envp[], const char* apple[], 
        uintptr_t* startGlue)
{
...
    // load shared cache
        // 检测共享缓存是否可用
checkSharedRegionDisable((dyld3::MachOLoaded*)mainExecutableMH, mainExecutableSlide);
#if TARGET_IPHONE_SIMULATOR
    //  until  is fixed
    gLinkContext.sharedRegionMode = ImageLoader::kUsePrivateSharedRegion;
    // 
#endif
    if ( gLinkContext.sharedRegionMode != ImageLoader::kDontUseSharedRegion ) {
                // 映射共享缓存到共享区
        mapSharedCache();
    }

    ...                     

#if !TARGET_IPHONE_SIMULATOR
#ifdef WAIT_FOR_SYSTEM_ORDER_HANDSHAKE
    //  Add gating mechanism to dyld support system order file generation process
    WAIT_FOR_SYSTEM_ORDER_HANDSHAKE(dyld::gProcessInfo->systemOrderFlag);
#endif
#endif

    try {
        // add dyld itself to UUID list
                // 添加dyld的UUID到共享缓存UUID列表中
        addDyldImageToUUIDList();

        ...
        }
#endif
...
}

 
 
这部分流程也很简单:检测共享缓存是否可用->如果可用,映射共享缓存到共享区->添加dyld的UUID到缓存列表
 
 
其中,检测共享缓存是否可用checkSharedRegionDisable这个函数中有两句注释:
 
 
 
  
// if main executable has segments that overlap the shared region, then disable using the shared region
 // iOS cannot run without shared region
 
 
 
 
意思是:如果主程序Mach-O有segments与共享区重叠,那么共享区不可用。并且,iOS不开启共享区无法运行。
 
 
看下是如何检测这两者是否重叠的:
 
 
...
// 调用
 mainExecutableMH->intersectsRange(SHARED_REGION_BASE, SHARED_REGION_SIZE) 
...

bool MachOLoaded::intersectsRange(uintptr_t start, uintptr_t length) const
{
    __block bool result = false;
    uintptr_t slide = getSlide();
    forEachSegment(^(const SegmentInfo& info, bool& stop) {
        if ( (info.vmAddr+info.vmSize+slide >= start) && (info.vmAddr+slide < start+length) )
            result = true;
    });
    return result;
}

 
 
如果主程序segment中的虚拟地址+虚拟地址+偏移量 >= 共享区起始地址并且主程序segment中的虚拟地址 + 偏移量 < 共享区终止地址,那么认为主程序Mach-O有segments与共享区重叠,此时共享区不可用,从而动态库缓存不可用
 
 
疑问:可以看到这段检测代码在满足重叠条件后,并没有将stop设为true,所以源码其实是检测Mach-O最后一段segment与共享区是否重叠,但之前的每个segment都计算了一次。这里是否在满足重叠条件后将stop设为true跳出循环,或者只检测最后一段segment都比原方法更好?
 
 
加载共享缓存最核心的步骤在mapSharedCache中:
 
 
static void mapSharedCache()
{
    dyld3::SharedCacheOptions opts;
    opts.cacheDirOverride   = sSharedCacheOverrideDir;
    opts.forcePrivate       = (gLinkContext.sharedRegionMode == ImageLoader::kUsePrivateSharedRegion);


#if __x86_64__ && !TARGET_IPHONE_SIMULATOR
    opts.useHaswell         = sHaswell;
#else
    opts.useHaswell         = false;
#endif
    opts.verbose            = gLinkContext.verboseMapping;
    loadDyldCache(opts, &sSharedCacheLoadInfo);

    // update global state
    if ( sSharedCacheLoadInfo.loadAddress != nullptr ) {
        gLinkContext.dyldCache                              = sSharedCacheLoadInfo.loadAddress;
        dyld::gProcessInfo->processDetachedFromSharedRegion = opts.forcePrivate;
        dyld::gProcessInfo->sharedCacheSlide                = sSharedCacheLoadInfo.slide;
        dyld::gProcessInfo->sharedCacheBaseAddress          = (unsigned long)sSharedCacheLoadInfo.loadAddress;
        sSharedCacheLoadInfo.loadAddress->getUUID(dyld::gProcessInfo->sharedCacheUUID);
        dyld3::kdebug_trace_dyld_image(DBG_DYLD_UUID_SHARED_CACHE_A, (const uuid_t *)&dyld::gProcessInfo->sharedCacheUUID[0], {0,0}, {{ 0, 0 }}, (const mach_header *)sSharedCacheLoadInfo.loadAddress);
    }

//#if __IPHONE_OS_VERSION_MIN_REQUIRED && !TARGET_IPHONE_SIMULATOR
// RAM disk booting does not have shared cache yet
// Don't make lack of a shared cache fatal in that case
//  if ( sSharedCacheLoadInfo.loadAddress == nullptr ) {
//      if ( sSharedCacheLoadInfo.errorMessage != nullptr )
//          halt(sSharedCacheLoadInfo.errorMessage);
//      else
//          halt("error loading dyld shared cache");
//  }
//#endif
}

bool loadDyldCache(const SharedCacheOptions& options, SharedCacheLoadInfo* results)
{
    results->loadAddress        = 0;
    results->slide              = 0;
    results->errorMessage       = nullptr;

#if TARGET_IPHONE_SIMULATOR
    // simulator only supports mmap()ing cache privately into process
    return mapCachePrivate(options, results);
#else
    if ( options.forcePrivate ) {
        // mmap cache into this process only
        return mapCachePrivate(options, results);
    }
    else {
        // fast path: when cache is already mapped into shared region
        bool hasError = false;
        if ( reuseExistingCache(options, results) ) {
            hasError = (results->errorMessage != nullptr);
        } else {
            // slow path: this is first process to load cache
            hasError = mapCacheSystemWide(options, results);
        }
        return hasError;
    }
#endif
}

 
 
可以看到,加载缓存分三种情况:
 1、仅加载到当前进程,通过mapCachePrivate加载并返回错误信息
 2、已经加载过的,仅获取加载错误信息并返回
 3、未加载过的,通过mapCacheSystemWide加载并返回错误信息
 
 
options.forcePrivate为true或者模拟器运行时,仅加载到当前进程。而options.forcePrivate的值是这么定义的:
 
 
opts.forcePrivate = (gLinkContext.sharedRegionMode == ImageLoader::kUsePrivateSharedRegion)

enum SharedRegionMode { kUseSharedRegion, kUsePrivateSharedRegion, kDontUseSharedRegion, kSharedRegionIsSharedCache };

 
 
gLinkContext.sharedRegionMode就是之前检测共享区是否可用的标识值,可以看到默认值为kUseSharedRegion
 
 
     
  
  • 实例化主程序
    •  
 
 
 
uintptr_t
_main(const macho_header* mainExecutableMH, uintptr_t mainExecutableSlide, 
        int argc, const char* argv[], const char* envp[], const char* apple[], 
        uintptr_t* startGlue)
{
...
  try {
  ...
        CRSetCrashLogMessage(sLoadingCrashMessage);
        // instantiate ImageLoader for main executable
                // 实例化主程序
        sMainExecutable = instantiateFromLoadedImage(mainExecutableMH, mainExecutableSlide, sExecPath);
        gLinkContext.mainExecutable = sMainExecutable;
        gLinkContext.mainExecutableCodeSigned = hasCodeSignatureLoadCommand(mainExecutableMH);

#if TARGET_IPHONE_SIMULATOR
        // check main executable is not too new for this OS
                // 检测主程序是否支持当前设备版本
        {
            if ( ! isSimulatorBinary((uint8_t*)mainExecutableMH, sExecPath) ) {
                throwf("program was built for a platform that is not supported by this runtime");
            }
            uint32_t mainMinOS = sMainExecutable->minOSVersion();

            // dyld is always built for the current OS, so we can get the current OS version
            // from the load command in dyld itself.
            uint32_t dyldMinOS = ImageLoaderMachO::minOSVersion((const mach_header*)&__dso_handle);
            if ( mainMinOS > dyldMinOS ) {
    #if TARGET_OS_WATCH
                throwf("app was built for watchOS %d.%d which is newer than this simulator %d.%d",
                        mainMinOS >> 16, ((mainMinOS >> 8) & 0xFF),
                        dyldMinOS >> 16, ((dyldMinOS >> 8) & 0xFF));
    #elif TARGET_OS_TV
                throwf("app was built for tvOS %d.%d which is newer than this simulator %d.%d",
                        mainMinOS >> 16, ((mainMinOS >> 8) & 0xFF),
                        dyldMinOS >> 16, ((dyldMinOS >> 8) & 0xFF));
    #else
                throwf("app was built for iOS %d.%d which is newer than this simulator %d.%d",
                        mainMinOS >> 16, ((mainMinOS >> 8) & 0xFF),
                        dyldMinOS >> 16, ((dyldMinOS >> 8) & 0xFF));
    #endif
            }
        }
  }
#endif

    ...
        // dyld_all_image_infos image list does not contain dyld
        // add it as dyldPath field in dyld_all_image_infos
        // for simulator, dyld_sim is in image list, need host dyld added
#if TARGET_IPHONE_SIMULATOR
        // get path of host dyld from table of syscall vectors in host dyld
        void* addressInDyld = gSyscallHelpers;
#else
        // get path of dyld itself
        void*  addressInDyld = (void*)&__dso_handle;
#endif
              // 获取dyld路径并与gProcessInfo->dyldPath对比
              // 如果不同将获取到的路径复制给gProcessInfo->dyldPath
        char dyldPathBuffer[MAXPATHLEN+1];
        int len = proc_regionfilename(getpid(), (uint64_t)(long)addressInDyld, dyldPathBuffer, MAXPATHLEN);
        if ( len > 0 ) {
            dyldPathBuffer[len] = '\0'; // proc_regionfilename() does not zero terminate returned string
            if ( strcmp(dyldPathBuffer, gProcessInfo->dyldPath) != 0 )
                gProcessInfo->dyldPath = strdup(dyldPathBuffer);
        }
...

}

 
 
这一步流程为:实例化主程序->检测主程序是否支持当前设备版本->检测进程信息中dyld路径是否与dyld路径相符,若不符则重新赋值
 
 
源码中有这样一段注释:
 
 
 
  
// dyld_all_image_infos image list does not contain dyld
 // add it as dyldPath field in dyld_all_image_infos
 // for simulator, dyld_sim is in image list, need host dyld added
 
 
 
 
就是说,dyld加载的image_infos并不包含dyld本身,他被放到dyld_all_image_infosdyldPath字段中去了。而对于模拟器,dyld加载的image_infos是包含dyld_sim的。
 
 
dyld_all_image_infos是个结构体,同样分为32位及64位两个版本,分别对应dyld_all_image_infos_32dyld_all_image_infos_64,由于获取dyld_all_image_infos需要用到一些未开源信息,这里为了方便,从侧面验证一下这条注释信息:
 
 
- (void)viewDidLoad {
    [super viewDidLoad];
    
    for (uint32_t i = 0; i < _dyld_image_count(); ++i) {
        NSLog(@"%s", _dyld_get_image_name(i));
    }
}

 
 
 
  
 
   
 
    dyld源码解读_第11张图片 
   
 
  
 
  

    真机 
  
 
 
 
 
 
  
 
   
 
    dyld源码解读_第12张图片 
   
 
  
 
  

    模拟器 
  
 
 
 
 
可以看到,真机打印出的加载image中并没有dyld,第0个image是主程序。同样,模拟器对应打印的image也没有dyld,第0个image是dyld_sim,第一个image才是主程序
 
 
回到最核心的instantiateFromLoadedImage函数,实例化主程序:
 
 
// The kernel maps in main executable before dyld gets control.  We need to 
// make an ImageLoader* for the already mapped in main executable.
static ImageLoaderMachO* instantiateFromLoadedImage(const macho_header* mh, uintptr_t slide, const char* path)
{
    // try mach-o loader
    if ( isCompatibleMachO((const uint8_t*)mh, path) ) {
        ImageLoader* image = ImageLoaderMachO::instantiateMainExecutable(mh, slide, path, gLinkContext);
        addImage(image);
        return (ImageLoaderMachO*)image;
    }
    
    throw "main executable not a known format";
}

 
 
从注释及源码可以看到,kernel在dyld之前已经加载了主程序Mach-O,dyld判断Mach-O的兼容性后,实例化成ImageLoader加载到内存中交给dyld管理
 
 
// create image for main executable
ImageLoader* ImageLoaderMachO::instantiateMainExecutable(const macho_header* mh, uintptr_t slide, const char* path, const LinkContext& context)
{
    //dyld::log("ImageLoader=%ld, ImageLoaderMachO=%ld, ImageLoaderMachOClassic=%ld, ImageLoaderMachOCompressed=%ld\n",
    //  sizeof(ImageLoader), sizeof(ImageLoaderMachO), sizeof(ImageLoaderMachOClassic), sizeof(ImageLoaderMachOCompressed));
    bool compressed;
    unsigned int segCount;
    unsigned int libCount;
    const linkedit_data_command* codeSigCmd;
    const encryption_info_command* encryptCmd;
    sniffLoadCommands(mh, path, false, &compressed, &segCount, &libCount, context, &codeSigCmd, &encryptCmd);
    // instantiate concrete class based on content of load commands
    if ( compressed ) 
        return ImageLoaderMachOCompressed::instantiateMainExecutable(mh, slide, path, segCount, libCount, context);
    else
#if SUPPORT_CLASSIC_MACHO
        return ImageLoaderMachOClassic::instantiateMainExecutable(mh, slide, path, segCount, libCount, context);
#else
        throw "missing LC_DYLD_INFO load command";
#endif
}


 
 
instantiateMainExecutable内部调用sniffLoadCommands,这个函数会对主程序Mach-O进行一系列的校验。从函数名也可以看出,这里的校验并不包括对主程序Mach-O的解密操作,这个操作是由xnu完成的。
 
 
可以看到,当compressed为true时,通过ImageLoaderMachOCompressed::instantiateMainExecutable初始化,否则通过ImageLoaderMachOClassic::instantiateMainExecutable初始化。其实两者内部的逻辑相同,只是返回类型一个是ImageLoaderMachOCompressed一个是ImageLoaderMachOClassic而已。
 
 
以ImageLoaderMachOCompressed为例:
 
 
// create image for main executable
ImageLoaderMachOCompressed* ImageLoaderMachOCompressed::instantiateMainExecutable(const macho_header* mh, uintptr_t slide, const char* path, 
                                                                        unsigned int segCount, unsigned int libCount, const LinkContext& context)
{
        // 初始化image
    ImageLoaderMachOCompressed* image = ImageLoaderMachOCompressed::instantiateStart(mh, path, segCount, libCount);

    // set slide for PIE programs
        // 设置image偏移量
    image->setSlide(slide);

    // for PIE record end of program, to know where to start loading dylibs
    if ( slide != 0 )
                // 设置动态库起始地址
        fgNextPIEDylibAddress = (uintptr_t)image->getEnd();

        // 禁用段覆盖检测
    image->disableCoverageCheck();
        // 结束image上下文
    image->instantiateFinish(context);
        // 设置image加载状态为dyld_image_state_mapped
    image->setMapped(context);

    if ( context.verboseMapping ) {
        dyld::log("dyld: Main executable mapped %s\n", path);
        for(unsigned int i=0, e=image->segmentCount(); i < e; ++i) {
            const char* name = image->segName(i);
            if ( (strcmp(name, "__PAGEZERO") == 0) || (strcmp(name, "__UNIXSTACK") == 0)  )
                dyld::log("%18s at 0x%08lX->0x%08lX\n", name, image->segPreferredLoadAddress(i), image->segPreferredLoadAddress(i)+image->segSize(i));
            else
                dyld::log("%18s at 0x%08lX->0x%08lX\n", name, image->segActualLoadAddress(i), image->segActualEndAddress(i));
        }
    }

    return image;
}

 
 
此处流程为:初始化image->设置image偏移量->设置动态库起始地址->禁用段覆盖检测->结束image上下文->设置image加载状态为dyld_image_state_mapped,并调用notifySingle进行处理
 
 
其中,结束image上下文内部做了:解析loadCmds、设置动态库连接信息、设置符号表相关信息等
 
 
     
  
  • 加载插入的动态库
    •  
 
 
 
uintptr_t
_main(const macho_header* mainExecutableMH, uintptr_t mainExecutableSlide, 
        int argc, const char* argv[], const char* envp[], const char* apple[], 
        uintptr_t* startGlue)
{
...
        // load any inserted libraries
                // 插入动态库
        if  ( sEnv.DYLD_INSERT_LIBRARIES != NULL ) {
            for (const char* const* lib = sEnv.DYLD_INSERT_LIBRARIES; *lib != NULL; ++lib) 
                loadInsertedDylib(*lib);
        }
        // record count of inserted libraries so that a flat search will look at 
        // inserted libraries, then main, then others.
                // 记录插入的动态库个数
        sInsertedDylibCount = sAllImages.size()-1;
...
}

 
 
如果配置了DYLD_INSERT_LIBRARIES环境变量,通过loadInsertedDylib插入配置的动态库。对于越狱插件而言,其实就是添加DYLD_INSERT_LIBRARIES这个环境变量达到加载插件的目的
 
 
static void loadInsertedDylib(const char* path)
{
    ImageLoader* image = NULL;
    unsigned cacheIndex;
    try {
        LoadContext context;
        context.useSearchPaths      = false;
        context.useFallbackPaths    = false;
        context.useLdLibraryPath    = false;
        context.implicitRPath       = false;
        context.matchByInstallName  = false;
        context.dontLoad            = false;
        context.mustBeBundle        = false;
        context.mustBeDylib         = true;
        context.canBePIE            = false;
        context.enforceIOSMac       = true;
        context.origin              = NULL; // can't use @loader_path with DYLD_INSERT_LIBRARIES
        context.rpath               = NULL;
        image = load(path, context, cacheIndex);
    }
    catch (const char* msg) {
        if ( gLinkContext.allowInsertFailures )
            dyld::log("dyld: warning: could not load inserted library '%s' into hardened process because %s\n", path, msg);
        else
            halt(dyld::mkstringf("could not load inserted library '%s' because %s\n", path, msg));
    }
    catch (...) {
        halt(dyld::mkstringf("could not load inserted library '%s'\n", path));
    }
}

 
 
内部构建context后调用load函数生成image
 
 
ImageLoader* load(const char* path, const LoadContext& context, unsigned& cacheIndex)
{

...
    // try all path permutations and check against existing loaded images

    ImageLoader* image = loadPhase0(path, orgPath, context, cacheIndex, NULL);
    if ( image != NULL ) {
        CRSetCrashLogMessage2(NULL);
        return image;
    }

    // try all path permutations and try open() until first success
    std::vector exceptions;
    image = loadPhase0(path, orgPath, context, cacheIndex, &exceptions);
#if !TARGET_IPHONE_SIMULATOR
    //  support symlinks on disk to a path in dyld shared cache
    if ( image == NULL)
        image = loadPhase2cache(path, orgPath, context, cacheIndex, &exceptions);
#endif
    CRSetCrashLogMessage2(NULL);
    if ( image != NULL ) {
        //  leak in dyld during dlopen when using DYLD_ variables
        for (std::vector::iterator it = exceptions.begin(); it != exceptions.end(); ++it) {
            free((void*)(*it));
        }
        // if loaded image is not from cache, but original path is in cache
        // set gSharedCacheOverridden flag to disable some ObjC optimizations
        if ( !gSharedCacheOverridden && !image->inSharedCache() && image->isDylib() && cacheablePath(path) && inSharedCache(path) ) {
            gSharedCacheOverridden = true;
        }
        return image;
    }
...
}

 
 
可以看到,先调用了loadPhase0查找image,如果没找到再调用loadPhase2cache查找image。其实内部有一整套loadPhase0~loadPhase6的流程来查找及加载image,如果在共享缓存中找到则直接调用instantiateFromCache 实例化image,否则通过loadPhase5open打开文件并调用loadPhase6,内部通过instantiateFromFile实例化image,最后再调用checkandAddImage将image加载进内存
 
 
     
  
  • 链接主程序
    •  
 
 
 
uintptr_t
_main(const macho_header* mainExecutableMH, uintptr_t mainExecutableSlide, 
        int argc, const char* argv[], const char* envp[], const char* apple[], 
        uintptr_t* startGlue)
{
...
        // link main executable
        gLinkContext.linkingMainExecutable = true;
#if SUPPORT_ACCELERATE_TABLES
        if ( mainExcutableAlreadyRebased ) {
            // previous link() on main executable has already adjusted its internal pointers for ASLR
            // work around that by rebasing by inverse amount
            sMainExecutable->rebase(gLinkContext, -mainExecutableSlide);
        }
#endif
                // 链接主程序
        link(sMainExecutable, sEnv.DYLD_BIND_AT_LAUNCH, true, ImageLoader::RPathChain(NULL, NULL), -1);
        sMainExecutable->setNeverUnloadRecursive();
        if ( sMainExecutable->forceFlat() ) {
            gLinkContext.bindFlat = true;
            gLinkContext.prebindUsage = ImageLoader::kUseNoPrebinding;
        }
...
}

 
 
可以看到,主程序的链接是通过link这个函数完成的:
 
 
void ImageLoader::link(const LinkContext& context, bool forceLazysBound, bool preflightOnly, bool neverUnload, const RPathChain& loaderRPaths, const char* imagePath)
{
    //dyld::log("ImageLoader::link(%s) refCount=%d, neverUnload=%d\n", imagePath, fDlopenReferenceCount, fNeverUnload);
    
    // clear error strings
    (*context.setErrorStrings)(0, NULL, NULL, NULL);

    uint64_t t0 = mach_absolute_time();
        // 递归加载主程序依赖的库
    this->recursiveLoadLibraries(context, preflightOnly, loaderRPaths, imagePath);
    context.notifyBatch(dyld_image_state_dependents_mapped, preflightOnly);

    // we only do the loading step for preflights
    if ( preflightOnly )
        return;

    uint64_t t1 = mach_absolute_time();
        // 清空image层级关系
    context.clearAllDepths();
        // 递归更新image层级关系
    this->recursiveUpdateDepth(context.imageCount());

    __block uint64_t t2, t3, t4, t5;
    {
        dyld3::ScopedTimer(DBG_DYLD_TIMING_APPLY_FIXUPS, 0, 0, 0);
        t2 = mach_absolute_time();
                // 递归进行rebase
        this->recursiveRebase(context);
        context.notifyBatch(dyld_image_state_rebased, false);

        t3 = mach_absolute_time();
        if ( !context.linkingMainExecutable )
                        // 递归绑定符号表
            this->recursiveBindWithAccounting(context, forceLazysBound, neverUnload);

        t4 = mach_absolute_time();
        if ( !context.linkingMainExecutable )
                        // 绑定弱符号表
            this->weakBind(context);
        t5 = mach_absolute_time();
    }

    if ( !context.linkingMainExecutable )
        context.notifyBatch(dyld_image_state_bound, false);
    uint64_t t6 = mach_absolute_time(); 

    std::vector dofs;
        // 递归获取dof信息
    this->recursiveGetDOFSections(context, dofs);
        // 注册dofs信息
    context.registerDOFs(dofs);
    uint64_t t7 = mach_absolute_time(); 

    // interpose any dynamically loaded images
    if ( !context.linkingMainExecutable && (fgInterposingTuples.size() != 0) ) {
        dyld3::ScopedTimer timer(DBG_DYLD_TIMING_APPLY_INTERPOSING, 0, 0, 0);
                // 递归应用插入的动态库
        this->recursiveApplyInterposing(context);
    }

    // clear error strings
    (*context.setErrorStrings)(0, NULL, NULL, NULL);

    fgTotalLoadLibrariesTime += t1 - t0;
    fgTotalRebaseTime += t3 - t2;
    fgTotalBindTime += t4 - t3;
    fgTotalWeakBindTime += t5 - t4;
    fgTotalDOF += t7 - t6;
    
    // done with initial dylib loads
    fgNextPIEDylibAddress = 0;
}

 
 
内部加载动态库、rebase、绑定符号表、注册dofs信息等,同时还计算各步骤的耗时。如果想获取这些耗时,只需要在环境变量中添加DYLD_PRINT_STATISTICS就可以了,同样,这个环境变量也不需要value
 
 
     
  
  • 链接插入的动态库
    •  
 
 
 
uintptr_t
_main(const macho_header* mainExecutableMH, uintptr_t mainExecutableSlide, 
        int argc, const char* argv[], const char* envp[], const char* apple[], 
        uintptr_t* startGlue)
{
...
        // link any inserted libraries
        // do this after linking main executable so that any dylibs pulled in by inserted 
        // dylibs (e.g. libSystem) will not be in front of dylibs the program uses
        if ( sInsertedDylibCount > 0 ) {
            for(unsigned int i=0; i < sInsertedDylibCount; ++i) {
                ImageLoader* image = sAllImages[i+1];
                link(image, sEnv.DYLD_BIND_AT_LAUNCH, true, ImageLoader::RPathChain(NULL, NULL), -1);
                image->setNeverUnloadRecursive();
            }
            // only INSERTED libraries can interpose
            // register interposing info after all inserted libraries are bound so chaining works
            for(unsigned int i=0; i < sInsertedDylibCount; ++i) {
                ImageLoader* image = sAllImages[i+1];
                image->registerInterposing(gLinkContext);
            }
        }
...
    // apply interposing to initial set of images
        for(int i=0; i < sImageRoots.size(); ++i) {
            sImageRoots[i]->applyInterposing(gLinkContext);
        }
        ImageLoader::applyInterposingToDyldCache(gLinkContext);
        gLinkContext.linkingMainExecutable = false;

        // Bind and notify for the main executable now that interposing has been registered
        uint64_t bindMainExecutableStartTime = mach_absolute_time();
        sMainExecutable->recursiveBindWithAccounting(gLinkContext, sEnv.DYLD_BIND_AT_LAUNCH, true);
        uint64_t bindMainExecutableEndTime = mach_absolute_time();
        ImageLoaderMachO::fgTotalBindTime += bindMainExecutableEndTime - bindMainExecutableStartTime;
        gLinkContext.notifyBatch(dyld_image_state_bound, false);

        // Bind and notify for the inserted images now interposing has been registered
        if ( sInsertedDylibCount > 0 ) {
            for(unsigned int i=0; i < sInsertedDylibCount; ++i) {
                ImageLoader* image = sAllImages[i+1];
                image->recursiveBind(gLinkContext, sEnv.DYLD_BIND_AT_LAUNCH, true);
            }
        }
...
}

 
 
这里很简单,从加载的images中取出image,重复前面的link操作进行连接。registerInterposing内部会加载loadCmds并查找__interpose__DATA段,读取段信息保存到fgInterposingTuples中,然后调用applyInterposing,内部调用recursiveApplyInterposing,通过这个函数调用到doInterpose,同样以ImageLoaderMachOCompressed为例:
 
 
void ImageLoaderMachOCompressed::doInterpose(const LinkContext& context)
{
    if ( context.verboseInterposing )
        dyld::log("dyld: interposing %lu tuples onto image: %s\n", fgInterposingTuples.size(), this->getPath());

    // update prebound symbols
    eachBind(context, ^(const LinkContext& ctx, ImageLoaderMachOCompressed* image,
                        uintptr_t addr, uint8_t type, const char* symbolName,
                        uint8_t symbolFlags, intptr_t addend, long libraryOrdinal,
                        ExtraBindData *extraBindData,
                        const char* msg, LastLookup* last, bool runResolver) {
        return ImageLoaderMachOCompressed::interposeAt(ctx, image, addr, type, symbolName, symbolFlags,
                                                       addend, libraryOrdinal, extraBindData,
                                                       msg, last, runResolver);
    });
    eachLazyBind(context, ^(const LinkContext& ctx, ImageLoaderMachOCompressed* image,
                            uintptr_t addr, uint8_t type, const char* symbolName,
                            uint8_t symbolFlags, intptr_t addend, long libraryOrdinal,
                            ExtraBindData *extraBindData,
                            const char* msg, LastLookup* last, bool runResolver) {
        return ImageLoaderMachOCompressed::interposeAt(ctx, image, addr, type, symbolName, symbolFlags,
                                                       addend, libraryOrdinal, extraBindData,
                                                       msg, last, runResolver);
    });
}


 
 
这里eachBind与eachLazyBind都调用了interposeAt,interposeAt通过interposedAddress在上文提到的fgInterposingTuples中找到需要替换的符号地址进行替换
 
 
     
  
  • 弱符号绑定
    •  
 
 
 
uintptr_t
_main(const macho_header* mainExecutableMH, uintptr_t mainExecutableSlide, 
        int argc, const char* argv[], const char* envp[], const char* apple[], 
        uintptr_t* startGlue)
{
...
        //  do weak binding only after all inserted images linked
        sMainExecutable->weakBind(gLinkContext);
...
}

void ImageLoader::weakBind(const LinkContext& context)
{
...
// get set of ImageLoaders that participate in coalecsing
    ImageLoader* imagesNeedingCoalescing[fgImagesRequiringCoalescing];
    unsigned imageIndexes[fgImagesRequiringCoalescing];
// 合并所有动态库的弱符号到列表中
    int count = context.getCoalescedImages(imagesNeedingCoalescing, imageIndexes);

    // count how many have not already had weakbinding done
    int countNotYetWeakBound = 0;
    int countOfImagesWithWeakDefinitionsNotInSharedCache = 0;
    for(int i=0; i < count; ++i) {
        if ( ! imagesNeedingCoalescing[i]->weakSymbolsBound(imageIndexes[i]) )
                        // 获取未进行绑定的弱符号的个数
            ++countNotYetWeakBound;
        if ( ! imagesNeedingCoalescing[i]->inSharedCache() )
                    // 获取在共享缓存中已绑定的弱符号个数
            ++countOfImagesWithWeakDefinitionsNotInSharedCache;
    }

    // don't need to do any coalescing if only one image has overrides, or all have already been done
    if ( (countOfImagesWithWeakDefinitionsNotInSharedCache > 0) && (countNotYetWeakBound > 0) ) {
        // make symbol iterators for each
        ImageLoader::CoalIterator iterators[count];
        ImageLoader::CoalIterator* sortedIts[count];
        for(int i=0; i < count; ++i) {
                        // 对需要绑定的弱符号排序
            imagesNeedingCoalescing[i]->initializeCoalIterator(iterators[i], i, imageIndexes[i]);
            sortedIts[i] = &iterators[i];
            if ( context.verboseWeakBind )
                dyld::log("dyld: weak bind load order %d/%d for %s\n", i, count, imagesNeedingCoalescing[i]->getIndexedPath(imageIndexes[i]));
        }

    // walk all symbols keeping iterators in sync by 
        // only ever incrementing the iterator with the lowest symbol 
        int doneCount = 0;
        while ( doneCount != count ) {
            //for(int i=0; i < count; ++i)
            //  dyld::log("sym[%d]=%s ", sortedIts[i]->loadOrder, sortedIts[i]->symbolName);
            //dyld::log("\n");
            // increment iterator with lowest symbol
                        // 计算弱符号偏移量及大小,绑定弱符号
            if ( sortedIts[0]->image->incrementCoalIterator(*sortedIts[0]) )
                ++doneCount; 
...
        }
}

 
 
主要流程:合并所有动态库的弱符号到列表中->对需要绑定的弱符号排序->计算弱符号偏移量及大小,绑定弱符号
 
 
     
  
  • 初始化主程序
    •  
 
 
 
uintptr_t
_main(const macho_header* mainExecutableMH, uintptr_t mainExecutableSlide, 
        int argc, const char* argv[], const char* envp[], const char* apple[], 
        uintptr_t* startGlue)
{
...
 
        CRSetCrashLogMessage("dyld: launch, running initializers");
    #if SUPPORT_OLD_CRT_INITIALIZATION
        // Old way is to run initializers via a callback from crt1.o
        if ( ! gRunInitializersOldWay ) 
            initializeMainExecutable(); 
    #else
        // run all initializers
        initializeMainExecutable(); 
    #endif

        // notify any montoring proccesses that this process is about to enter main()
        if (dyld3::kdebug_trace_dyld_enabled(DBG_DYLD_TIMING_LAUNCH_EXECUTABLE)) {
            dyld3::kdebug_trace_dyld_duration_end(launchTraceID, DBG_DYLD_TIMING_LAUNCH_EXECUTABLE, 0, 0, 2);
        }
        notifyMonitoringDyldMain();

...
}

void initializeMainExecutable()
{
    // record that we've reached this step
    gLinkContext.startedInitializingMainExecutable = true;

    // run initialzers for any inserted dylibs
    ImageLoader::InitializerTimingList initializerTimes[allImagesCount()];
    initializerTimes[0].count = 0;
    const size_t rootCount = sImageRoots.size();
    if ( rootCount > 1 ) {
        for(size_t i=1; i < rootCount; ++i) {
                        // 初始化动态库
            sImageRoots[i]->runInitializers(gLinkContext, initializerTimes[0]);
        }
    }
    
    // run initializers for main executable and everything it brings up 
        // 初始化主程序
    sMainExecutable->runInitializers(gLinkContext, initializerTimes[0]);
    
    // register cxa_atexit() handler to run static terminators in all loaded images when this process exits
    if ( gLibSystemHelpers != NULL ) 
        (*gLibSystemHelpers->cxa_atexit)(&runAllStaticTerminators, NULL, NULL);

    // dump info if requested
    if ( sEnv.DYLD_PRINT_STATISTICS )
        ImageLoader::printStatistics((unsigned int)allImagesCount(), initializerTimes[0]);
    if ( sEnv.DYLD_PRINT_STATISTICS_DETAILS )
        ImageLoaderMachO::printStatisticsDetails((unsigned int)allImagesCount(), initializerTimes[0]);
}

 
 
先初始化动态库,然后初始化主程序。上文提到的DYLD_PRINT_STATISTICS环境变量在这里也出现了,除此之外还有个detail版的环境变量DYLD_PRINT_STATISTICS_DETAILS
 
 
void ImageLoader::runInitializers(const LinkContext& context, InitializerTimingList& timingInfo)
{
    uint64_t t1 = mach_absolute_time();
    mach_port_t thisThread = mach_thread_self();
    ImageLoader::UninitedUpwards up;
    up.count = 1;
    up.images[0] = this;
    processInitializers(context, thisThread, timingInfo, up);
    context.notifyBatch(dyld_image_state_initialized, false);
    mach_port_deallocate(mach_task_self(), thisThread);
    uint64_t t2 = mach_absolute_time();
    fgTotalInitTime += (t2 - t1);
}

void ImageLoader::processInitializers(const LinkContext& context, mach_port_t thisThread,
                                     InitializerTimingList& timingInfo, ImageLoader::UninitedUpwards& images)
{
    uint32_t maxImageCount = context.imageCount()+2;
    ImageLoader::UninitedUpwards upsBuffer[maxImageCount];
    ImageLoader::UninitedUpwards& ups = upsBuffer[0];
    ups.count = 0;
    // Calling recursive init on all images in images list, building a new list of
    // uninitialized upward dependencies.
    for (uintptr_t i=0; i < images.count; ++i) {
        images.images[i]->recursiveInitialization(context, thisThread, images.images[i]->getPath(), timingInfo, ups);
    }
    // If any upward dependencies remain, init them.
    if ( ups.count > 0 )
        processInitializers(context, thisThread, timingInfo, ups);
}

 
 
动态库和主程序的初始化是调用runInitializers,内部通过processInitializers调用recursiveInitialization递归初始化当前image锁依赖的库
 
 
void ImageLoader::recursiveInitialization(const LinkContext& context, mach_port_t this_thread, const char* pathToInitialize,
                                          InitializerTimingList& timingInfo, UninitedUpwards& uninitUps)
{
    recursive_lock lock_info(this_thread);
    recursiveSpinLock(lock_info);

    if ( fState < dyld_image_state_dependents_initialized-1 ) {
        uint8_t oldState = fState;
        // break cycles
        fState = dyld_image_state_dependents_initialized-1;
        try {
            // initialize lower level libraries first
            for(unsigned int i=0; i < libraryCount(); ++i) {
                ImageLoader* dependentImage = libImage(i);
                if ( dependentImage != NULL ) {
                    // don't try to initialize stuff "above" me yet
                    if ( libIsUpward(i) ) {
                        uninitUps.images[uninitUps.count] = dependentImage;
                        uninitUps.count++;
                    }
                    else if ( dependentImage->fDepth >= fDepth ) {
                        dependentImage->recursiveInitialization(context, this_thread, libPath(i), timingInfo, uninitUps);
                    }
                }
            }
            
            // record termination order
            if ( this->needsTermination() )
                context.terminationRecorder(this);
            
            // let objc know we are about to initialize this image
            uint64_t t1 = mach_absolute_time();
            fState = dyld_image_state_dependents_initialized;
            oldState = fState;
            context.notifySingle(dyld_image_state_dependents_initialized, this, &timingInfo);
            
            // initialize this image
            bool hasInitializers = this->doInitialization(context);

            // let anyone know we finished initializing this image
            fState = dyld_image_state_initialized;
            oldState = fState;
            context.notifySingle(dyld_image_state_initialized, this, NULL);
            
            if ( hasInitializers ) {
                uint64_t t2 = mach_absolute_time();
                timingInfo.addTime(this->getShortName(), t2-t1);
            }
        }
        catch (const char* msg) {
            // this image is not initialized
            fState = oldState;
            recursiveSpinUnLock();
            throw;
        }
    }
    
    recursiveSpinUnLock();
}

 
 
递归初始化很简单没啥好说的,注意内部有个调用context.notifySingle(dyld_image_state_initialized, this, NULL),其实每次image状态改变都会调用notifySingle这个方法:
 
 
static void notifySingle(dyld_image_states state, const ImageLoader* image, ImageLoader::InitializerTimingList* timingInfo)
{
    //dyld::log("notifySingle(state=%d, image=%s)\n", state, image->getPath());
    std::vector* handlers = stateToHandlers(state, sSingleHandlers);
    if ( handlers != NULL ) {
        dyld_image_info info;
        info.imageLoadAddress   = image->machHeader();
        info.imageFilePath      = image->getRealPath();
        info.imageFileModDate   = image->lastModified();
        for (std::vector::iterator it = handlers->begin(); it != handlers->end(); ++it) {
            const char* result = (*it)(state, 1, &info);
            if ( (result != NULL) && (state == dyld_image_state_mapped) ) {
                //fprintf(stderr, "  image rejected by handler=%p\n", *it);
                // make copy of thrown string so that later catch clauses can free it
                const char* str = strdup(result);
                throw str;
            }
        }
    }
    if ( state == dyld_image_state_mapped ) {
        //  Save load addr + UUID for images from outside the shared cache
        if ( !image->inSharedCache() ) {
            dyld_uuid_info info;
            if ( image->getUUID(info.imageUUID) ) {
                info.imageLoadAddress = image->machHeader();
                addNonSharedCacheImageUUID(info);
            }
        }
    }
    if ( (state == dyld_image_state_dependents_initialized) && (sNotifyObjCInit != NULL) && image->notifyObjC() ) {
        uint64_t t0 = mach_absolute_time();
        dyld3::ScopedTimer timer(DBG_DYLD_TIMING_OBJC_INIT, (uint64_t)image->machHeader(), 0, 0);
        (*sNotifyObjCInit)(image->getRealPath(), image->machHeader());
        uint64_t t1 = mach_absolute_time();
        uint64_t t2 = mach_absolute_time();
        uint64_t timeInObjC = t1-t0;
        uint64_t emptyTime = (t2-t1)*100;
        if ( (timeInObjC > emptyTime) && (timingInfo != NULL) ) {
            timingInfo->addTime(image->getShortName(), timeInObjC);
        }
    }
    // mach message csdlc about dynamically unloaded images
    if ( image->addFuncNotified() && (state == dyld_image_state_terminated) ) {
        notifyKernel(*image, false);
        const struct mach_header* loadAddress[] = { image->machHeader() };
        const char* loadPath[] = { image->getPath() };
        notifyMonitoringDyld(true, 1, loadAddress, loadPath);
    }
}

 
 
可见,当state == dyld_image_state_mapped时,将image对应的UUID存起来,当state == dyld_image_state_dependents_initialized并且有sNotifyObjCInit回调时调用sNotifyObjCInit函数。
 
 
搜索回调函数赋值入口:
 
 
void registerObjCNotifiers(_dyld_objc_notify_mapped mapped, _dyld_objc_notify_init init, _dyld_objc_notify_unmapped unmapped)
{
    // record functions to call
    sNotifyObjCMapped   = mapped;
    sNotifyObjCInit     = init;
    sNotifyObjCUnmapped = unmapped;

...
}

void _dyld_objc_notify_register(_dyld_objc_notify_mapped    mapped,
                                _dyld_objc_notify_init      init,
                                _dyld_objc_notify_unmapped  unmapped)
{
    dyld::registerObjCNotifiers(mapped, init, unmapped);
}

 
 
发现是通过_dyld_objc_notify_register这个函数注册回调的,回到文章开头符号断点[NSObject load]截图中的堆栈:
 
 
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.2
  * frame #0: 0x000000010944f3b1 libobjc.A.dylib`+[NSObject load]
    frame #1: 0x000000010943d317 libobjc.A.dylib`call_load_methods + 691
    frame #2: 0x000000010943e814 libobjc.A.dylib`load_images + 77
    frame #3: 0x0000000108b73b97 dyld_sim`dyld::registerObjCNotifiers(void (*)(unsigned int, char const* const*, mach_header const* const*), void (*)(char const*, mach_header const*), void (*)(char const*, mach_header const*)) + 260
    frame #4: 0x000000010b779bf3 libdyld.dylib`_dyld_objc_notify_register + 113
    frame #5: 0x000000010944ca12 libobjc.A.dylib`_objc_init + 115
    frame #6: 0x000000010b7015c0 libdispatch.dylib`_os_object_init + 13
    frame #7: 0x000000010b70f4e5 libdispatch.dylib`libdispatch_init + 300
    frame #8: 0x0000000109e05a78 libSystem.B.dylib`libSystem_initializer + 164
    frame #9: 0x0000000108b82b96 dyld_sim`ImageLoaderMachO::doModInitFunctions(ImageLoader::LinkContext const&) + 506
    frame #10: 0x0000000108b82d9c dyld_sim`ImageLoaderMachO::doInitialization(ImageLoader::LinkContext const&) + 40
    frame #11: 0x0000000108b7e3fc dyld_sim`ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int, char const*, ImageLoader::InitializerTimingList&, ImageLoader::UninitedUpwards&) + 324
    frame #12: 0x0000000108b7e392 dyld_sim`ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int, char const*, ImageLoader::InitializerTimingList&, ImageLoader::UninitedUpwards&) + 218
    frame #13: 0x0000000108b7d5d3 dyld_sim`ImageLoader::processInitializers(ImageLoader::LinkContext const&, unsigned int, ImageLoader::InitializerTimingList&, ImageLoader::UninitedUpwards&) + 133
    frame #14: 0x0000000108b7d665 dyld_sim`ImageLoader::runInitializers(ImageLoader::LinkContext const&, ImageLoader::InitializerTimingList&) + 73
    frame #15: 0x0000000108b71333 dyld_sim`dyld::initializeMainExecutable() + 129
    frame #16: 0x0000000108b75434 dyld_sim`dyld::_main(macho_header const*, unsigned long, int, char const**, char const**, char const**, unsigned long*) + 4384
    frame #17: 0x0000000108b70630 dyld_sim`start_sim + 136
    frame #18: 0x00000001155c1234 dyld`dyld::useSimulatorDyld(int, macho_header const*, char const*, int, char const**, char const**, char const**, unsigned long*, unsigned long*) + 2238
    frame #19: 0x00000001155bf0ce dyld`dyld::_main(macho_header const*, unsigned long, int, char const**, char const**, char const**, unsigned long*) + 522
    frame #20: 0x00000001155ba503 dyld`dyldbootstrap::start(macho_header const*, int, char const**, long, macho_header const*, unsigned long*) + 1167
    frame #21: 0x00000001155ba036 dyld`_dyld_start + 54

 
 
可以看到,_dyld_objc_notify_register是在初始化libobjc.A.dylib这个动态库时调用的,然后_objc_init内部调用了load_images,进而调用call_load_methods,从而调用各个类中的load方法,感兴趣可以下载源码查看具体流程
 
 
notifySingle调用完毕后,开始真正初始化工作doInitialization
 
 
bool ImageLoaderMachO::doInitialization(const LinkContext& context)
{
    CRSetCrashLogMessage2(this->getPath());

    // mach-o has -init and static initializers
    doImageInit(context);
    doModInitFunctions(context);
    
    CRSetCrashLogMessage2(NULL);
    
    return (fHasDashInit || fHasInitializers);
}

 
 
doImageInit执行LC_ROUTINES_COMMAND segment中保存的函数,doModInitFunctions执行__DATA,__mod_init_func section中保存的函数。这个section中保存的是C++的构造函数及带有attribute((constructor))的C函数,简单验证一下:
 
 
class Test {
public:
    Test();
};

Test::Test(){
    NSLog(@"%s", __func__);
}

Test test;

__attribute__((constructor)) void testConstructor() {
    NSLog(@"%s", __func__);
}

 
 
 
  
 
   
 
     
   
 
  
 
  

    __mod_init_func 
  
 
 
 
 
同样,通过MachOView也可以看到:
 
 
 
 
 
  
 
   
 
    dyld源码解读_第13张图片 
   
 
  
 
  

    MachOView 
  
 
 
 
 
显然,__mod_init_func中的函数在类对应的load方法之后调用。
 
 
     
  
  • 查找主程序入口函数指针并返回
    •  
 
 
 
uintptr_t
_main(const macho_header* mainExecutableMH, uintptr_t mainExecutableSlide, 
        int argc, const char* argv[], const char* envp[], const char* apple[], 
        uintptr_t* startGlue)
{
... 
        // find entry point for main executable
        result = (uintptr_t)sMainExecutable->getEntryFromLC_MAIN();
        if ( result != 0 ) {
            // main executable uses LC_MAIN, we need to use helper in libdyld to call into main()
            if ( (gLibSystemHelpers != NULL) && (gLibSystemHelpers->version >= 9) )
                *startGlue = (uintptr_t)gLibSystemHelpers->startGlueToCallExit;
            else
                halt("libdyld.dylib support not present for LC_MAIN");
        }
        else {
            // main executable uses LC_UNIXTHREAD, dyld needs to let "start" in program set up for main()
            result = (uintptr_t)sMainExecutable->getEntryFromLC_UNIXTHREAD();
            *startGlue = 0;
        }
#if __has_feature(ptrauth_calls)
        // start() calls the result pointer as a function pointer so we need to sign it.
        result = (uintptr_t)__builtin_ptrauth_sign_unauthenticated((void*)result, 0, 0);
#endif
    }
    catch(const char* message) {
        syncAllImages();
        halt(message);
    }
    catch(...) {
        dyld::log("dyld: launch failed\n");
    }

    CRSetCrashLogMessage("dyld2 mode");

    if (sSkipMain) {
        if (dyld3::kdebug_trace_dyld_enabled(DBG_DYLD_TIMING_LAUNCH_EXECUTABLE)) {
            dyld3::kdebug_trace_dyld_duration_end(launchTraceID, DBG_DYLD_TIMING_LAUNCH_EXECUTABLE, 0, 0, 2);
        }
        result = (uintptr_t)&fake_main;
        *startGlue = (uintptr_t)gLibSystemHelpers->startGlueToCallExit;
    }
    
    return result;
}

 
 
此处两步走:调用getEntryFromLC_MAIN获取入口,如果没有入口则调用getEntryFromLC_UNIXTHREAD获取入口。这个入口就是主程序main函数的地址
 
 
void* ImageLoaderMachO::getEntryFromLC_MAIN() const
{
    const uint32_t cmd_count = ((macho_header*)fMachOData)->ncmds;
    const struct load_command* const cmds = (struct load_command*)&fMachOData[sizeof(macho_header)];
    const struct load_command* cmd = cmds;
    for (uint32_t i = 0; i < cmd_count; ++i) {
        if ( cmd->cmd == LC_MAIN ) {
            entry_point_command* mainCmd = (entry_point_command*)cmd;
            void* entry = (void*)(mainCmd->entryoff + (char*)fMachOData);
            //  verify entry point is in image
            if ( this->containsAddress(entry) )
                return entry;
            else
                throw "LC_MAIN entryoff is out of range";
        }
        cmd = (const struct load_command*)(((char*)cmd)+cmd->cmdsize);
    }
    return NULL;
}

void* ImageLoaderMachO::getEntryFromLC_UNIXTHREAD() const
{
    const uint32_t cmd_count = ((macho_header*)fMachOData)->ncmds;
    const struct load_command* const cmds = (struct load_command*)&fMachOData[sizeof(macho_header)];
    const struct load_command* cmd = cmds;
    for (uint32_t i = 0; i < cmd_count; ++i) {
        if ( cmd->cmd == LC_UNIXTHREAD ) {
    #if __i386__
            const i386_thread_state_t* registers = (i386_thread_state_t*)(((char*)cmd) + 16);
            void* entry = (void*)(registers->eip + fSlide);
            //  verify entry point is in image
            if ( this->containsAddress(entry) )
                return entry;
    #elif __x86_64__
            const x86_thread_state64_t* registers = (x86_thread_state64_t*)(((char*)cmd) + 16);
            void* entry = (void*)(registers->rip + fSlide);
            //  verify entry point is in image
            if ( this->containsAddress(entry) )
                return entry;
    #elif __arm64__ && !__arm64e__
            // temp support until  is fixed
            const uint64_t* regs64 = (uint64_t*)(((char*)cmd) + 16);
            void* entry = (void*)(regs64[32] + fSlide); // arm_thread_state64_t.__pc
            //  verify entry point is in image
            if ( this->containsAddress(entry) )
                return entry;
    #endif
        }
        cmd = (const struct load_command*)(((char*)cmd)+cmd->cmdsize);
    }
    throw "no valid entry point";
}

 
 
可以看到,入口是在load_command的LC_MAIN或者LC_UNIXTHREAD
 
 
 
  
 
   
 
    dyld源码解读_第14张图片 
   
 
  
 
  

    LC_MAIN 
  
 
 
 
 
 
 
受能力所限,可能存在部分理解偏差,欢迎指正。
 
 
Have fun!
 

                            
                        
                    
                    
                    

                    
                    
                    

                
                

                    
                

            
        
    
    

        
你可能感兴趣的:(dyld源码解读)

        

            

                
    
                    
  • dispatch_once源码分析
                        福伟_Y

                        
    GCD里的单例函数dispatch_once是我们经常会用到的,今天我们来稍做深入分析一下。GCD的源码都在libdispatch.dylib库里,这个库在libSystem_initializer被初始化,可理解为在dyld里被加载和初始化的(之前的文章有分析过)。dispatch_once作为单例的使用入口,通过分析得到它是一个宏定义,_dispatch_once函数在libdispatch.
    
                    
    • 
                    
  • K8S源码及定制化系列-源码解读第一步Kubectl(三)
                        申专
Golang云原生kubernetes容器云原生
                        
    本节重点介绍:kubectl的职责和kubectl的代码原理cobra库的使用简介kubectl的职责主要的工作是处理用户提交的东西(包括,命令行参数,yaml文件等)然后其会把用户提交的这些东西组织成一个数据结构体然后把其发送给APIServerKubectl系统架构图kubectl的代码原理从命令行和yaml文件中获取信息通过Builder模式并把其转成一系列的资源最后用Visitor模式模式
    
                    
    • 
                    
  • netty源码解读三(NioEventLoop)
                        orcharddd_real
nettyjavanetty
                        
    NioEventLoop初始化EventExecutor类型的数组数组大小默认为cpu数量的两倍,遍历数组,通过newNioEventLoop(xxx)往数组中添加元素,NioEventLoop继承了EventExecutor;每次需要线程时,执行chooser的next方法从数组中取出一个线程;关键代码打开netty源码,找到example包下的EchoService类,追溯创建boss线程组和
    
                    
    • 
                    
  • Java源码解读-数据容器都是如何实现同步的
                        问道飞鱼
Java开发Java源码解读数据容器同步机制
                        
    用Java的同学可能在自己使用或者面试的时候经常遇到这么一个问题,哪些数据结构或者容器是同步的,是怎么实现的同步?其实很多的数据同步原理都比较简单,我把目前知道的数据容器的同步方式稍微梳理了一下1.线程安全容器StringBuffer(太明显,synchronized关键字)@OverridepublicsynchronizedStringBufferappend(Stringstr){toStr
    
                    
    • 
                    
  • Vue 源码解读(10)—— 编译器 之 生成渲染函数
                        xuhss_com
计算机udplinuxc语言计算机
                        
    Python微信订餐小程序课程视频https://edu.csdn.net/course/detail/36074Python实战量化交易理财系统https://edu.csdn.net/course/detail/35475前言这篇文章是Vue编译器的最后一部分,前两部分分别是:Vue源码解读(8)——编译器之解析、Vue源码解读(9)——编译器之优化。从HTML模版字符串开始,解析所有标签以及
    
                    
    • 
                    
  • iOS 模拟器打不开:unable to boot the simulator
                        明似水
flutterios
                        
    重启电脑后发现模拟器打不开,提示如下:解决方法:1、在Finder里command+shift+G前往文件夹~/Library/Developer/CoreSimulator/Caches2、删除Caches文件里面的dyld文件3、重启模拟器即可
    
                    
    • 
                    
  • Spring 源码解读:实现单例与原型的Bean作用域
                        捕风捉你
spring源码解读springjava后端
                        
    引言在Spring框架中,Bean的作用域(Scope)定义了Bean的生命周期和访问范围。Spring提供了多种作用域,包括常用的单例(Singleton)和原型(Prototype)。了解并正确使用这些作用域对于管理应用的资源和性能至关重要。本篇文章将通过手动实现单例和原型作用域的Bean管理机制,并对比Spring中的@Scope注解,帮助你理解不同Bean作用域的使用场景和实现细节。Bea
    
                    
    • 
                    
  • 类的加载
                        深圳_你要的昵称

                        
    前言书接上回dyld&objc的关联,我们知道了系统在objc库的_objc_init函数中注册了关于镜像文件读取、加载和移除的回调函数,然后在dyld链接的过程去触发这些回调,告知objc库去加载类信息等一系列操作。今天我们大致分析下类的加载的具体流程。1_objc_init大致流程先看源码:void_objc_init(void){staticboolinitialized=false;if(
    
                    
    • 
                    
  • MyBatis 源码解读:专栏导读与学习路线
                        捕风捉你
MyBatis源码解读mybatis学习java
                        
    前言MyBatis是Java开发中广泛使用的持久层框架,其简洁的配置和强大的功能使得它在开发人员中备受欢迎。然而,MyBatis的背后隐藏着许多设计巧妙的架构和复杂的实现逻辑。通过源码解读,我们可以更深入地理解MyBatis的设计思想和工作原理,从而更好地应用它。本专栏将以源码分析为主线,结合实际应用场景,带你一步步深入了解MyBatis的内部实现。无论你是MyBatis的新手还是有经验的开发者,
    
                    
    • 
                    
  • PostgreSQL 源码解读(89)- 查询语句#74(SeqNext函数#2)
                        EthanHe

                        
    本节是SeqNext函数介绍的第二部分,主要介绍了SeqNext->heap_getnext函数的实现逻辑。一、数据结构TupleTableSlotTupleTableSlot,用于存储元组相关信息/*basetupletableslottype*/typedefstructTupleTableSlot{NodeTagtype;//Node标记#defineFIELDNO_TUPLETABLESL
    
                    
    • 
                    
  • Spring 源码解读专栏:从零到一深度掌握 Spring 框架
                        捕风捉你
spring源码解读springjava后端
                        
    前言Spring是Java世界中无可争议的王者框架,它以其灵活、轻量、强大而著称,成为企业级开发的首选工具。然而,很多开发者在使用Spring时,往往只停留在会用的层面,对于其内部实现和设计原理知之甚少。本专栏旨在通过系统化的Spring源码解读,从实践到源码分析,再到设计模式的探讨,带你逐步揭开Spring的神秘面纱,真正掌握这款框架的精髓。专栏目标在这个专栏中,我们将通过以下几个步骤,帮助你深
    
                    
    • 
                    
  • 【深度学习】COCO API源码解读
                        CS_Zero
深度学习人工智能
                        
    COCOAPI从C、cython,到PythonAPI:实现语义分割标注mask的解析,从具体实现cocoapi/common/maskApi.hcocoapi/common/maskApi.c到Cython封装实现pycocotools._maskcocoapi/PythonAPI/pycocotools/_mask.pyx#distutils:language=c#distutils:sour
    
                    
    • 
                    
  • opencv源码---imread、cvLoadImage、waitKey、imshow函数源码解读
                        hairuiJY
Opencv学习计算机视觉opencv计算机视觉图像处理
                        
    参考:https://blog.csdn.net/hujingshuang/article/details/47184717https://blog.csdn.net/kuweicai/article/details/73395018
    
                    
    • 
                    
  • SpringBoot源码解读与原理分析(五)SpringBoot的装配机制
                        灰色孤星A
springbootjava后端spring开发语言
                        
    文章目录2.5SpringBoot的装配机制[email protected]@ComponentScan的基本使用方法2.5.1.2TypeExcludeFilter(类型排除过滤器)2.5.1.3AutoConfigurationExcludeFilter(自动配置类排除过滤器)[email protected]@EnableAutoConf
    
                    
    • 
                    
  • Flink 细粒度滑动窗口性能优化
                        hyunbar
Flink大数据flinkjava数据库
                        
    大数据技术AIFlink/Spark/Hadoop/数仓,数据分析、面试,源码解读等干货学习资料118篇原创内容公众号1、概述1.1细粒度滑动的影响当使用细粒度的滑动窗口(窗口长度远远大于滑动步长)时,重叠的窗口过多,一个数据会属于多个窗口,性能会急剧下降。以1分钟的频率实时计算App内各个子模块近24小时的PV和UV。我们需要用粒度为1440/1=1440的滑动窗口来实现它,但是细粒度的滑动窗口
    
                    
    • 
                    
  • Transformer实战-系列教程19:DETR 源码解读6(编码器:TransformerEncoder类/TransformerEncoderLayer类)
                        机器学习杨卓越
Transformer实战transformer深度学习pytorchDETR人工智能计算机视觉
                        
    Transformer实战-系列教程总目录有任何问题欢迎在下面留言本篇文章的代码运行界面均在Pycharm中进行本篇文章配套的代码资源已经上传点我下载源码DETR算法解读DETR源码解读1(项目配置/CocoDetection类/ConvertCocoPolysToMask类)DETR源码解读2(DETR类)DETR源码解读3(位置编码:Joiner类/PositionEmbeddingSine类
    
                    
    • 
                    
  • Transformer实战-系列教程20:DETR 源码解读7(解码器:TransformerDecoder类/TransformerDecoderLayer类)
                        机器学习杨卓越
Transformer实战transformer深度学习计算机视觉DETR人工智能物体检测
                        
    Transformer实战-系列教程总目录有任何问题欢迎在下面留言本篇文章的代码运行界面均在Pycharm中进行本篇文章配套的代码资源已经上传点我下载源码DETR算法解读DETR源码解读1(项目配置/CocoDetection类/ConvertCocoPolysToMask类)DETR源码解读2(DETR类)DETR源码解读3(位置编码:Joiner类/PositionEmbeddingSine类
    
                    
    • 
                    
  • Transformer实战-系列教程18:DETR 源码解读5(Transformer类)
                        机器学习杨卓越
Transformer实战transformer深度学习人工智能pytorchDETR物体检测
                        
    Transformer实战-系列教程总目录有任何问题欢迎在下面留言本篇文章的代码运行界面均在Pycharm中进行本篇文章配套的代码资源已经上传点我下载源码DETR算法解读DETR源码解读1(项目配置/CocoDetection类/ConvertCocoPolysToMask类)DETR源码解读2(DETR类)DETR源码解读3(位置编码:Joiner类/PositionEmbeddingSine类
    
                    
    • 
                    
  • Transformer实战-系列教程21:DETR 源码解读8 损失计算:(SetCriterion类)
                        机器学习杨卓越
Transformer实战transformer深度学习人工智能计算机视觉DETR物体检测
                        
    Transformer实战-系列教程总目录有任何问题欢迎在下面留言本篇文章的代码运行界面均在Pycharm中进行本篇文章配套的代码资源已经上传点我下载源码DETR算法解读DETR源码解读1(项目配置/CocoDetection类/ConvertCocoPolysToMask类)DETR源码解读2(DETR类)DETR源码解读3(位置编码:Joiner类/PositionEmbeddingSine类
    
                    
    • 
                    
  • Apache Doris 聚合函数源码阅读与解析|源码解读系列
                        

                        
    笔者最近由于工作需要开始调研ApacheDoris,通过阅读聚合函数代码切入ApacheDoris内核,同时也秉承着开源的精神,开发了array_agg函数并贡献给社区。笔者通过这篇文章记录下对源码的一些理解,同时也方便后面的新人更快速地上手源码开发。聚合函数,顾名思义,即对一组数据执行聚合计算并返回结果的函数,在统计分析过程中属于最常见的函数之一,最典型的聚合函数包括count、min、max、
    
                    
    • 
                    
  • 「Redis源码解读」—持久化(一)RDB
                        wh4763

                        
    知识点RDB文件用于保存和还原Redis服务器所有数据库中的所有键值对数据SAVE命令由服务器服务器进程直接执行保存操作,所以该命令会阻塞服务器BGSAVE命令由子进程执行保存操作,所以该命令不会阻塞服务器服务器状态中会保存所有用save选项设置的保存条件,当任意一个保存条件被满足时,服务器会自动执行BGSAVE命令RDB文件是一个经过压缩的二进制文件,由多个部分组成对不同类型的键值对,RDB文件
    
                    
    • 
                    
  • Vue源码解读之Dep,Observer和Watcher
                        小豆soybean

                        
    原文转:https://segmentfault.com/a/1190000016208088在解读Dep,Observer和Watcher之前,首先我去了解了一下Vue的数据双向绑定,即MVVM,学习于:https://blog.csdn.net/u013321...以及关于Observer和watcher的学习来自于:https://www.jb51.net/article/...整体过程Vu
    
                    
    • 
                    
  • java面试题/认证答辩 ---主流框架(springboot)
                        Fuly1024
面试刷题spring
                        
    springboot源码解读:springboot2.4.4#https://blog.csdn.net/qq_32828253/article/details/109496848#https://zhuanlan.zhihu.com/p/95217578以下所有知识均来自于网络从main方法开始publicstaticvoidmain(String[]args){//SpringApplicat
    
                    
    • 
                    
  • Transformer实战-系列教程17:DETR 源码解读4(Joiner类/PositionEmbeddingSine类/位置编码/backbone)
                        机器学习杨卓越
Transformer实战transformer深度学习人工智能计算机视觉pytorchDETR
                        
    Transformer实战-系列教程总目录有任何问题欢迎在下面留言本篇文章的代码运行界面均在Pycharm中进行本篇文章配套的代码资源已经上传点我下载源码DETR算法解读DETR源码解读1(项目配置/CocoDetection类)DETR源码解读2(ConvertCocoPolysToMask类)DETR源码解读3(DETR类)DETR源码解读4(Joiner类/PositionEmbedding
    
                    
    • 
                    
  • Transformer实战-系列教程16:DETR 源码解读3(DETR类)
                        机器学习杨卓越
Transformer实战transformer深度学习人工智能计算机视觉DETRpytorch
                        
    Transformer实战-系列教程总目录有任何问题欢迎在下面留言本篇文章的代码运行界面均在Pycharm中进行本篇文章配套的代码资源已经上传点我下载源码DETR算法解读DETR源码解读1(项目配置/CocoDetection类)DETR源码解读2(ConvertCocoPolysToMask类)DETR源码解读3(DETR类)DETR源码解读4(Joiner类/PositionEmbedding
    
                    
    • 
                    
  • Transformer实战-系列教程15:DETR 源码解读2(ConvertCocoPolysToMask类)
                        机器学习杨卓越
Transformer实战transformer深度学习计算机视觉DETR物体检测pytorch
                        
    Transformer实战-系列教程总目录有任何问题欢迎在下面留言本篇文章的代码运行界面均在Pycharm中进行本篇文章配套的代码资源已经上传点我下载源码DETR算法解读DETR源码解读1(项目配置/CocoDetection类)DETR源码解读2(ConvertCocoPolysToMask类)DETR源码解读3(DETR类)DETR源码解读4(Joiner类/PositionEmbedding
    
                    
    • 
                    
  • vue3源码解读--effect
                        习惯水文的前端苏

                        
    目录vue2源码vue3源码示例源码其实,在不看源码之前,就已经能想到其大概实现逻辑了:每一个effect在执行过程中如果遇到设置了响应式的值那么就会执行依赖收集,那么此时如果打一个标记,并根据此标记将存在依赖的effect放到某个队列中。当依赖改变后从队列中挑选判断并执行即可接下来就来验证下是不是这样将代码定位到effect函数可以看到这里获取了ReactiveEffect实例,紧接着又调用了.
    
                    
    • 
                    
  • Android AsyncTask源码解读
                        糖葫芦_倩倩

                        
    屡思路1.初始AsyncTaskAsyncTask这个类的声明如下:publicabstractclassAsyncTask{.....}是一个抽象类Params表示输入参数的类型Progress表示后台任务的执行进度Result表示返回结果的类型2.使用在AsyncTask这个类的顶部有一些代码注释,里面讲述了如何使用一个AsyncTask,如下:*Hereisanexampleofsubcla
    
                    
    • 
                    
  • Pytorch底层源码解读(一)概览
                        firework_97df

                        
    前言作为最受欢迎的深度学习框架,Pytorch如今已拥有极大的用户群体以及开发者。但对于开发者而言,针对日益臃肿的pytorch框架进一步更新迭代已经成为了较大的问题,特别是对刚想要上手对pytorch底层框架进行理解的初学者而言。因此本系列主要针对于pytorch底层框架中的核心部分进行解读,为读者展现其背后工作机理的同时也能使得读者在阅读完本系列的文章后,能够对pytorch框架有个基本的了解
    
                    
    • 
                    
  • RabbitMQ详解以及spring对RabbitMQ的集成(附带部分源码解读)
                        HAKUNA·MATATA
RabbitMQ
                        
    一·简介1丶为什么要使用消息队列https://wenku.baidu.com/view/e297236f83c4bb4cf7ecd193.html①异步处理(高并发)②系统解耦③流量削锋2丶为什么使用RabbitMQ①给予AMQP协议②高并发③高可用④强大的社区支持,以及很多公司都在使用⑤高性能⑥支持插件(监控管理界面的插件,安装插件支持jms)⑦支持多语言(PHP,Python,.net)3丶
    
                    
    • 
                                
  • ios内付费
                                    374016526
ios内付费
                                    
    近年来写了很多IOS的程序,内付费也用到不少,使用IOS的内付费实现起来比较麻烦,这里我写了一个简单的内付费包,希望对大家有帮助。 
  
具体使用如下: 
这里的sender其实就是调用者,这里主要是为了回调使用。 
[KuroStoreApi kuroStoreProductId:@"产品ID" storeSender:self storeFinishCallBa
    
                                
    • 
                                
  • 20 款优秀的 Linux 终端仿真器
                                    brotherlamp
linuxlinux视频linux资料linux自学linux教程
                                    
      
终端仿真器是一款用其它显示架构重现可视终端的计算机程序。换句话说就是终端仿真器能使哑终端看似像一台连接上了服务器的客户机。终端仿真器允许最终用户用文本用户界面和命令行来访问控制台和应用程序。(LCTT 译注:终端仿真器原意指对大型机-哑终端方式的模拟,不过在当今的 Linux 环境中,常指通过远程或本地方式连接的伪终端,俗称“终端”。) 
你能从开源世界中找到大量的终端仿真器,它们
    
                                
    • 
                                
  • Solr Deep Paging(solr 深分页)
                                    eksliang
solr深分页solr分页性能问题
                                    
    转载请出自出处:http://eksliang.iteye.com/blog/2148370 
作者:eksliang(ickes) blg:http://eksliang.iteye.com/ 概述 
长期以来,我们一直有一个深分页问题。如果直接跳到很靠后的页数,查询速度会比较慢。这是因为Solr的需要为查询从开始遍历所有数据。直到Solr的4.7这个问题一直没有一个很好的解决方案。直到solr
    
                                
    • 
                                
  • 数据库面试题
                                    18289753290
面试题 数据库
                                    
    1.union ,union all 
网络搜索出的最佳答案: 
union和union all的区别是,union会自动压缩多个结果集合中的重复结果,而union all则将所有的结果全部显示出来,不管是不是重复。 
Union:对两个结果集进行并集操作,不包括重复行,同时进行默认规则的排序; 
Union All:对两个结果集进行并集操作,包括重复行,不进行排序; 
2.索引有哪些分类?作用是
    
                                
    • 
                                
  • Android TV屏幕适配
                                    酷的飞上天空
android
                                    
    先说下现在市面上TV分辨率的大概情况 
两种分辨率为主 
1.720标清,分辨率为1280x720. 
屏幕尺寸以32寸为主,部分电视为42寸 
2.1080p全高清,分辨率为1920x1080 
屏幕尺寸以42寸为主,此分辨率电视屏幕从32寸到50寸都有 
  
适配遇到问题,已1080p尺寸为例: 
分辨率固定不变,屏幕尺寸变化较大。 
如:效果图尺寸为1920x1080,如果使用d
    
                                
    • 
                                
  • Timer定时器与ActionListener联合应用
                                    永夜-极光
java
                                    
    功能:在控制台每秒输出一次 
  
代码: 
package Main;
import javax.swing.Timer;
 import java.awt.event.*;

 public class T {
    private static int count = 0; 

    public static void main(String[] args){

    
                                
    • 
                                
  • Ubuntu14.04系统Tab键不能自动补全问题解决
                                    随便小屋
Ubuntu 14.04
                                    
    Unbuntu 14.4安装之后就在终端中使用Tab键不能自动补全,解决办法如下: 
  
1、利用vi编辑器打开/etc/bash.bashrc文件(需要root权限) 
sudo vi /etc/bash.bashrc 
 接下来会提示输入密码 
2、找到文件中的下列代码 
#enable bash completion in interactive shells
#if
    
                                
    • 
                                
  • 学会人际关系三招 轻松走职场
                                    aijuans
职场
                                    
    要想成功,仅有专业能力是不够的,处理好与老板、同事及下属的人际关系也是门大学问。如何才能在职场如鱼得水、游刃有余呢?在此,教您简单实用的三个窍门。 
  第一,多汇报 
 最近,管理学又提出了一个新名词“追随力”。它告诉我们,做下属最关键的就是要多请示汇报,让上司随时了解你的工作进度,有了新想法也要及时建议。不知不觉,你就有了“追随力”,上司会越来越了解和信任你。 
  第二,勤沟通 
 团队的力
    
                                
    • 
                                
  • 《O2O:移动互联网时代的商业革命》读书笔记
                                    aoyouzi
读书笔记
                                    
    移动互联网的未来:碎片化内容+碎片化渠道=各式精准、互动的新型社会化营销。 
  
O2O:Online to OffLine 线上线下活动 
O2O就是在移动互联网时代,生活消费领域通过线上和线下互动的一种新型商业模式。 
  
手机二维码本质:O2O商务行为从线下现实世界到线上虚拟世界的入口。 
  
线上虚拟世界创造的本意是打破信息鸿沟,让不同地域、不同需求的人
    
                                
    • 
                                
  • js实现图片随鼠标滚动的效果
                                    百合不是茶
JavaScript滚动属性的获取图片滚动属性获取页面加载
                                    
    1,获取样式属性值 
top  与顶部的距离
left  与左边的距离
right 与右边的距离
bottom 与下边的距离
zIndex 层叠层次 
  
  例子:获取左边的宽度,当css写在body标签中时 
<div id="adver" style="position:absolute;top:50px;left:1000p
    
                                
    • 
                                
  • ajax同步异步参数async
                                    bijian1013
jqueryAjaxasync
                                    
            开发项目开发过程中,需要将ajax的返回值赋到全局变量中,然后在该页面其他地方引用,因为ajax异步的原因一直无法成功,需将async:false,使其变成同步的。 
        格式: 
$.ajax({ type: 'POST', ur
    
                                
    • 
                                
  • Webx3框架(1)
                                    Bill_chen
eclipsespringmaven框架ibatis
                                    
    Webx是淘宝开发的一套Web开发框架,Webx3是其第三个升级版本;采用Eclipse的开发环境,现在支持java开发; 
采用turbine原型的MVC框架,扩展了Spring容器,利用Maven进行项目的构建管理,灵活的ibatis持久层支持,总的来说,还是一套很不错的Web框架。 
Webx3遵循turbine风格,velocity的模板被分为layout/screen/control三部
    
                                
    • 
                                
  • 【MongoDB学习笔记五】MongoDB概述
                                    bit1129
mongodb
                                    
    MongoDB是面向文档的NoSQL数据库,尽量业界还对MongoDB存在一些质疑的声音,比如性能尤其是查询性能、数据一致性的支持没有想象的那么好,但是MongoDB用户群确实已经够多。MongoDB的亮点不在于它的性能,而是它处理非结构化数据的能力以及内置对分布式的支持(复制、分片达到的高可用、高可伸缩),同时它提供的近似于SQL的查询能力,也是在做NoSQL技术选型时,考虑的一个重要因素。Mo
    
                                
    • 
                                
  • spring/hibernate/struts2常见异常总结
                                    白糖_
Hibernate
                                    
     
 Spring 
 
①ClassNotFoundException: org.aspectj.weaver.reflect.ReflectionWorld$ReflectionWorldException 
缺少aspectjweaver.jar,该jar包常用于spring aop中 
  
②java.lang.ClassNotFoundException: org.sprin
    
                                
    • 
                                
  • jquery easyui表单重置(reset)扩展思路
                                    bozch
formjquery easyuireset
                                    
    在jquery easyui表单中 尚未提供表单重置的功能,这就需要自己对其进行扩展。 
扩展的时候要考虑的控件有: 
 combo,combobox,combogrid,combotree,datebox,datetimebox 
需要对其添加reset方法,reset方法就是把初始化的值赋值给当前的组件,这就需要在组件的初始化时将值保存下来。 
在所有的reset方法添加完毕之后,就需要对fo
    
                                
    • 
                                
  • 编程之美-烙饼排序
                                    bylijinnan
编程之美
                                    
    
package beautyOfCoding;

import java.util.Arrays;

/*
 *《编程之美》的思路是:搜索+剪枝。有点像是写下棋程序:当前情况下,把所有可能的下一步都做一遍;在这每一遍操作里面,计算出如果按这一步走的话,能不能赢(得出最优结果)。
 *《编程之美》上代码有很多错误,且每个变量的含义令人费解。因此我按我的理解写了以下代码:
 */

    
                                
    • 
                                
  • Struts1.X 源码分析之ActionForm赋值原理
                                    chenbowen00
struts
                                    
    struts1在处理请求参数之前,首先会根据配置文件action节点的name属性创建对应的ActionForm。如果配置了name属性,却找不到对应的ActionForm类也不会报错,只是不会处理本次请求的请求参数。 
 
如果找到了对应的ActionForm类,则先判断是否已经存在ActionForm的实例,如果不存在则创建实例,并将其存放在对应的作用域中。作用域由配置文件action节点的s
    
                                
    • 
                                
  • [空天防御与经济]在获得充足的外部资源之前,太空投资需有限度
                                    comsci
资源
                                    
     
      这里有一个常识性的问题: 
 
      地球的资源,人类的资金是有限的,而太空是无限的..... 
 
      就算全人类联合起来,要在太空中修建大型空间站,也不一定能够成功,因为资源和资金,技术有客观的限制.... 
 
&
    
                                
    • 
                                
  • ORACLE临时表—ON COMMIT PRESERVE ROWS
                                    daizj
oracle临时表
                                    
    ORACLE临时表 转 
临时表:像普通表一样,有结构,但是对数据的管理上不一样,临时表存储事务或会话的中间结果集,临时表中保存的数据只对当前 
会话可见,所有会话都看不到其他会话的数据,即使其他会话提交了,也看不到。临时表不存在并发行为,因为他们对于当前会话都是独立的。 
创建临时表时,ORACLE只创建了表的结构(在数据字典中定义),并没有初始化内存空间,当某一会话使用临时表时,ORALCE会
    
                                
    • 
                                
  • 基于Nginx XSendfile+SpringMVC进行文件下载
                                    denger
应用服务器Webnginx网络应用lighttpd
                                    
        在平常我们实现文件下载通常是通过普通 read-write方式,如下代码所示。 
 
   @RequestMapping("/courseware/{id}") 
   public void download(@PathVariable("id") String courseID, HttpServletResp
    
                                
    • 
                                
  • scanf接受char类型的字符
                                    dcj3sjt126com
c
                                    
    /*
	2013年3月11日22:35:54
	目的:学习char只接受一个字符
*/
# include <stdio.h>

int main(void)
{
	int i;
	char ch;

	scanf("%d", &i);
	printf("i = %d\n", i);
	scanf("%
    
                                
    • 
                                
  • 学编程的价值
                                    dcj3sjt126com
编程
                                    
    发一个人会编程, 想想以后可以教儿女, 是多么美好的事啊, 不管儿女将来从事什么样的职业, 教一教, 对他思维的开拓大有帮助 
  
像这位朋友学习:   
http://blog.sina.com.cn/s/articlelist_2584320772_0_1.html 
  
 
  VirtualGS教程 (By @林泰前): 几十年的老程序员,资深的
    
                                
    • 
                                
  • 二维数组(矩阵)对角线输出
                                    飞天奔月
二维数组
                                    
    今天在BBS里面看到这样的面试题目, 
  
1,二维数组(N*N),沿对角线方向,从右上角打印到左下角如N=4: 4*4二维数组  
{ 1 2 3 4 }
{ 5 6 7 8 }
{ 9 10 11 12 }
{13 14 15 16 } 
打印顺序  
4
3 8
2 7 12
1 6 11 16
5 10 15
9 14
13 
要
    
                                
    • 
                                
  • Ehcache(08)——可阻塞的Cache——BlockingCache
                                    234390216
并发ehcacheBlockingCache阻塞
                                    
    可阻塞的Cache—BlockingCache 
  
       在上一节我们提到了显示使用Ehcache锁的问题,其实我们还可以隐式的来使用Ehcache的锁,那就是通过BlockingCache。BlockingCache是Ehcache的一个封装类,可以让我们对Ehcache进行并发操作。其内部的锁机制是使用的net.
    
                                
    • 
                                
  • mysqldiff对数据库间进行差异比较
                                    jackyrong
mysqld
                                    
      mysqldiff该工具是官方mysql-utilities工具集的一个脚本,可以用来对比不同数据库之间的表结构,或者同个数据库间的表结构 
   如果在windows下,直接下载mysql-utilities安装就可以了,然后运行后,会跑到命令行下: 
 
1) 基本用法 
   mysqldiff --server1=admin:12345
    
                                
    • 
                                
  • spring data jpa 方法中可用的关键字
                                    lawrence.li
javaspring
                                    
    spring data jpa 支持以方法名进行查询/删除/统计。 
查询的关键字为find 
删除的关键字为delete/remove (>=1.7.x) 
统计的关键字为count (>=1.7.x) 
  
修改需要使用@Modifying注解 
@Modifying
@Query("update User u set u.firstna
    
                                
    • 
                                
  • Spring的ModelAndView类
                                    nicegege
spring
                                    
    项目中controller的方法跳转的到ModelAndView类,一直很好奇spring怎么实现的? 
/*
 * Copyright 2002-2010 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * yo
    
                                
    • 
                                
  • 搭建 CentOS 6 服务器(13) - rsync、Amanda
                                    rensanning
centos
                                    
    (一)rsync 
 
Server端 
 
# yum install rsync
# vi /etc/xinetd.d/rsync
    service rsync
    {
        disable = no
        flags           = IPv6
        socket_type     = stream
        wait    
    
                                
    • 
                                
  • Learn Nodejs 02
                                    toknowme
nodejs
                                    
    (1)npm是什么   
npm is the package manager for node 
官方网站:https://www.npmjs.com/ 
npm上有很多优秀的nodejs包,来解决常见的一些问题,比如用node-mysql,就可以方便通过nodejs链接到mysql,进行数据库的操作 
在开发过程往往会需要用到其他的包,使用npm就可以下载这些包来供程序调用 
&nb
    
                                
    • 
                                
  • Spring MVC 拦截器
                                    xp9802
spring mvc
                                    
    Controller层的拦截器继承于HandlerInterceptorAdapter 
 
 HandlerInterceptorAdapter.java   1  public   abstract   class  HandlerInterceptorAdapter  implements  HandlerIntercep
    
                                
    •