objc_class 中 cache 分析

cache_t 结构

ISA指向、类结构中分析过 cache_t 占用的内存大小,今天来分析下它的原理。

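// Data members of the runtime's per-class method cache (excerpt).
// Exactly one of the three layouts below is compiled in, selected by how the
// target platform stores the mask (CACHE_MASK_STORAGE).
struct cache_t {
#if CACHE_MASK_STORAGE == CACHE_MASK_STORAGE_OUTLINED
    // macOS and simulator: buckets pointer and mask are separate fields.
    explicit_atomic<struct bucket_t *> _buckets;
    explicit_atomic<mask_t> _mask;
#elif CACHE_MASK_STORAGE == CACHE_MASK_STORAGE_HIGH_16
    // 64-bit device: mask and buckets pointer share one word as an
    // optimisation, packed like the isa bit-field union.
    explicit_atomic<uintptr_t> _maskAndBuckets;
    mask_t _mask_unused;
    // How much the mask is shifted by.
    static constexpr uintptr_t maskShift = 48;
    // ... remaining bit-field constants elided in this excerpt ...
#elif CACHE_MASK_STORAGE == CACHE_MASK_STORAGE_LOW_4
    // Non-64-bit device.
    explicit_atomic<uintptr_t> _maskAndBuckets;
    mask_t _mask_unused;
    // ... bit-field constants elided, same pattern as above ...
    static constexpr uintptr_t maskBits = 4;
#else
#error Unknown cache mask storage type.
#endif

#if __LP64__
    uint16_t _flags;
#endif
    // Number of entries currently stored in the cache.
    uint16_t _occupied;

    // ... member functions elided in this excerpt ...
};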

bucket_t 声明在arm64架构和非arm64架构有不同的定义

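// One cache entry: a selector and the implementation cached for it (excerpt).
// _imp is stored as a uintptr_t, not as a callable IMP; it is read back through
// imp(Class), which takes the owning class as an argument.
struct bucket_t {
    // IMP-first is better for arm64e ptrauth and no worse for arm64.
    // SEL-first is better for armv7* and i386 and x86_64.
#if __arm64__
    explicit_atomic<uintptr_t> _imp;
    explicit_atomic<SEL> _sel;
#else
    explicit_atomic<SEL> _sel;
    explicit_atomic<uintptr_t> _imp;
#endif

    // ... accessors such as sel(), imp(Class) and set() elided in this excerpt ...
};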

从上面分析可以得出 cache_t 主要是存储 imp 和 sel 的,先来定义一个类分析下

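/// Sample class used to watch the method cache fill as messages are sent.
@interface LGPerson : NSObject
/// First-time sends of these two selectors are what the breakpoints below inspect.
- (void)sayHello;
- (void)sayHappy;
@end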

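// Sends two messages to a fresh LGPerson so the class's method cache can be
// inspected in lldb around each send.
int main(int argc, const char * argv[]) {
    @autoreleasepool {
        LGPerson *person = [LGPerson alloc];
        [person sayHappy];
        [person sayHello];
    }
    return 0;
}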
  • 第一个断点分析
(lldb) x/4gx LGPerson.class
0x1000082a8: 0x0000000100008280 0x000000010034c140
0x1000082b8: 0x0000000100346440 0x0000801000000000
(lldb) p (cache_t *)0x1000082b8
(cache_t *) $1 = 0x00000001000082b8
(lldb) p *$1
(cache_t) $2 = {
  _buckets = {
    std::__1::atomic = {
      Value = 0x0000000100346440
  _mask = {
    std::__1::atomic = {
      Value = 0
  _flags = 32784
  _occupied = 0
(lldb) p $2.buckets()
(bucket_t *) $3 = 0x0000000100346440
(lldb) p *$3
(bucket_t) $4 = {
  _sel = {
    std::__1::atomic = (null) {
      Value = (null)
  _imp = {
    std::__1::atomic = {
      Value = 0
(lldb) p $4.sel()
(SEL) $5 = 
(lldb) p $4.imp(LGPerson.class)
(IMP) $6 = 0x0000000000000000

从类结构分析中知道,可以使用首地址的内存偏移获取相应的变量地址:cache 位于类首地址偏移 16 个字节处(ISA 和 superclass 各占 8 个字节),即 0x1000082a8 变为 0x1000082b8。接下来就类似 bits 分析里面的那样,通过 buckets() 方法获取 bucket_t,然后通过里面的 sel() 方法获取 sel,通过 imp(Class) 方法(注意入参)获取 IMP。
Tip: 什么时候用 -> 什么时候用 .
当当前变量为指针类型的时候用 ->, 不是的话用 .

  • 第二个断点分析
(lldb) p *$3 
(bucket_t) $7 = {
  _sel = {
    std::__1::atomic = (null) {
      Value = (null)
  _imp = {
    std::__1::atomic = {
      Value = 0


(lldb) p $2.buckets()
(bucket_t *) $8 = 0x0000000100d046f0

原来问题在这里,与上个方法(bucket_t *) $3 = 0x0000000100346440 明显不是一个地址。

(lldb) p *$8
(bucket_t) $9 = {
  _sel = {
    std::__1::atomic = "" {
      Value = ""
  _imp = {
    std::__1::atomic = {
      Value = 49080

(lldb) p $9.sel()
(SEL) $11 = "sayHappy"
(lldb) p $9.imp(LGPerson.class)
(IMP) $12 = 0x0000000100003d10 (KCObjc`-[LGPerson sayHappy])


(lldb) p *($8 +1)
(bucket_t) $13 = {
  _sel = {
    std::__1::atomic = "" {
      Value = ""
  _imp = {
    std::__1::atomic = {
      Value = 48712
(lldb) p $13.sel()
(SEL) $14 = "sayHello"
(lldb) p $13.imp(LGPerson.class)
(IMP) $15 = 0x0000000100003ce0 (KCObjc`-[LGPerson sayHello])
(lldb) p *($8 +2)
(bucket_t) $16 = {
  _sel = {
    std::__1::atomic = (null) {
      Value = (null)
  _imp = {
    std::__1::atomic = {
      Value = 0
(lldb) p $16.sel()
(SEL) $17 = 
(lldb) p $16.imp(LGPerson.class)
(IMP) $18 = 0x0000000000000000

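要对指针类型的 $8 取值(p *$8),才能获取到 sayHappy 的 sel 和 imp。另外,bucket 中保存的 _imp 并不是原始函数地址,而是与类地址异或后的编码值:49080 = 0xBFB8 = 0x100003d10 ^ 0x1000082a8,所以 imp() 需要传入类才能解码。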



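// Hand-copied mirrors of the runtime's private class structures, used to read
// a class's method cache without the objc source project.
//
// These mirror the layout the article shows for macOS / simulator (separate
// _buckets and _mask, SEL stored before IMP). The 64-bit device layout packs
// mask and buckets into one word and stores IMP first, so these structs do not
// describe it. The layout is private to the runtime and may change between
// versions; use this for debugging only.

typedef uint32_t mask_t;  // x86_64 & arm64 asm are less efficient with 16-bits

// One cache entry.
struct lg_bucket_t {
    SEL _sel;
    // Raw stored word. The runtime reads it back via imp(Class) rather than
    // using it directly, so treat it as opaque and never call through it.
    IMP _imp;
};

// Mirror of cache_t (macOS / simulator layout).
struct lg_cache_t {
    struct lg_bucket_t * _buckets;
    mask_t _mask;
    uint16_t _flags;
    uint16_t _occupied;
};

struct lg_class_data_bits_t {
    uintptr_t bits;
};

// Mirror of objc_class. In the runtime source ISA is inherited from
// objc_object, so it has to be declared explicitly here to keep the offsets.
struct lg_objc_class {
    Class ISA;
    Class superclass;
    struct lg_cache_t cache;             // formerly cache pointer and vtable
    struct lg_class_data_bits_t bits;    // class_rw_t * plus custom rr/alloc flags
};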

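// Sends say1..say4 to a fresh LGPerson, then dumps the class's method cache
// through the hand-copied lg_objc_class mirror.
int main(int argc, const char * argv[]) {
    @autoreleasepool {
        LGPerson *p  = [LGPerson alloc];
        Class pClass = [LGPerson class];  // objc_class
        [p say1];
        [p say2];
        [p say3];
        [p say4];
        // Reinterpret the Class pointer as the mirror struct. This is only
        // valid while the mirror matches the runtime's private layout, and it
        // reads the cache without any of the runtime's synchronisation, so it
        // is a debugging aid rather than something to ship.
        struct lg_objc_class *lg_pClass = (__bridge struct lg_objc_class *)(pClass);
        NSLog(@"%hu - %u",lg_pClass->cache._occupied,lg_pClass->cache._mask);
        // Visits indices 0 .. _mask-1; the final slot (index _mask) is not read.
        // NOTE(review): that slot presumably holds the runtime's end marker
        // (see CACHE_END_MARKER in cache_t::insert) - confirm before widening the loop.
        for (mask_t i = 0; i<lg_pClass->cache._mask; i++) {
            // Print the bucket that was read.
            struct lg_bucket_t bucket = lg_pClass->cache._buckets[i];
            // The %p value is the raw stored word, not a decoded function address.
            NSLog(@"%@ - %p",NSStringFromSelector(bucket._sel),bucket._imp);
        }

        NSLog(@"Hello, World!");
    }
    return 0;
}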

自定义一个 lg_objc_class 结构体和所需的其他结构体,从源码中copy过来关键参数,注意 Class ISA变量,源码工程中的 ISA是从 objc_object中继承过去的。

先只调用 say1、say2 方法:

2020-10-28 10:07:51.135761+0800 003-cache_t脱离源码环境分析[15880:405998] LGPerson say : -[LGPerson say1]
2020-10-28 10:07:51.136104+0800 003-cache_t脱离源码环境分析[15880:405998] LGPerson say : -[LGPerson say2]
2020-10-28 10:07:51.136145+0800 003-cache_t脱离源码环境分析[15880:405998] 2 - 3
2020-10-28 10:07:51.136245+0800 003-cache_t脱离源码环境分析[15880:405998] say1 - 0xb858
2020-10-28 10:07:51.136341+0800 003-cache_t脱离源码环境分析[15880:405998] say2 - 0xb808
2020-10-28 10:07:51.136395+0800 003-cache_t脱离源码环境分析[15880:405998] (null) - 0x0

加上调用 say3、say4 方法:

2020-10-28 10:09:55.838791+0800 003-cache_t脱离源码环境分析[15904:407473] LGPerson say : -[LGPerson say1]
2020-10-28 10:09:55.839174+0800 003-cache_t脱离源码环境分析[15904:407473] LGPerson say : -[LGPerson say2]
2020-10-28 10:09:55.839209+0800 003-cache_t脱离源码环境分析[15904:407473] LGPerson say : -[LGPerson say3]
2020-10-28 10:09:55.839243+0800 003-cache_t脱离源码环境分析[15904:407473] LGPerson say : -[LGPerson say4]
2020-10-28 10:09:55.839283+0800 003-cache_t脱离源码环境分析[15904:407473] 2 - 7
2020-10-28 10:09:55.839400+0800 003-cache_t脱离源码环境分析[15904:407473] say4 - 0xb9b8
2020-10-28 10:09:55.839452+0800 003-cache_t脱离源码环境分析[15904:407473] (null) - 0x0
2020-10-28 10:09:55.839507+0800 003-cache_t脱离源码环境分析[15904:407473] say3 - 0xb9e8
2020-10-28 10:09:55.839532+0800 003-cache_t脱离源码环境分析[15904:407473] (null) - 0x0
2020-10-28 10:09:55.839552+0800 003-cache_t脱离源码环境分析[15904:407473] (null) - 0x0
2020-10-28 10:09:55.839570+0800 003-cache_t脱离源码环境分析[15904:407473] (null) - 0x0
2020-10-28 10:09:55.839626+0800 003-cache_t脱离源码环境分析[15904:407473] (null) - 0x0

1、 _mask、_occupied 是什么含义?
2、 为什么调用两个方法和四个方法的 _occupied、_mask 数值发生了变化?
3、 say4 方法的打印为什么在 say3方法前面?
4、 为什么会有空的打印?



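// Member functions of cache_t referenced in the analysis below (excerpt; the
// data members and the remaining methods are not repeated here).
struct cache_t {
    static bucket_t *emptyBuckets();
    struct bucket_t *buckets();
    mask_t mask();
    // Returns _occupied.
    mask_t occupied();
    // Increments _occupied; called when insert() fills a slot.
    void incrementOccupied();
    // Stores the new bucket array and mask and resets _occupied to 0.
    void setBucketsAndMask(struct bucket_t *newBuckets, mask_t newMask);
    void initializeToEmpty();

    unsigned capacity();
    bool isConstantEmptyCache();
    bool canBeFreed();

    // ... remaining members elided in this excerpt ...
};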

既然想知道 occupied 的含义,先看下 occupied() 方法;另外还有一个 incrementOccupied 方法,里面有 _occupied 的自增操作,在此处下个断点,执行 [person say1]; 后看下调用顺序。

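// Returns the number of entries currently stored in the cache (_occupied).
mask_t cache_t::occupied() 
{
    return _occupied;
}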

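// Bumps the stored-entry count; insert() calls this when it fills an empty slot.
void cache_t::incrementOccupied() 
{
    _occupied++;
}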


找到 cache_t 的 insert 方法进行分析:

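// Adds the (sel, imp) pair to cls's method cache, allocating or growing the
// bucket array first when needed.
//
// cls      - class that owns this cache; also passed to bucket_t::set().
// sel      - selector being cached; must be non-zero.
// imp      - implementation to cache for sel.
// receiver - only used for the bad_cache() report if no slot can be found.
//
// NOTE(review): the comment in the scan loop mentions cacheUpdateLock, so the
// caller is presumably expected to hold the cache lock - confirm against the
// runtime source.
void cache_t::insert(Class cls, SEL sel, IMP imp, id receiver)
{
    ASSERT(sel != 0 && cls->isInitialized());

    // Use the cache as-is if it is less than 3/4 full
    mask_t newOccupied = occupied() + 1;
    unsigned oldCapacity = capacity(), capacity = oldCapacity;
    // Empty cache (nothing stored yet): allocate real storage.
    if (slowpath(isConstantEmptyCache())) {
        // Cache is read-only. Replace it.
        if (!capacity) capacity = INIT_CACHE_SIZE; // (1 << INIT_CACHE_SIZE_LOG2 = 1 << 2 = 4)
        // Allocate and install the new array; the old (empty) one is not freed.
        reallocate(oldCapacity, capacity, /* freeOld */false);
    }
    // At or below 3/4 full: nothing to do. newOccupied = _occupied + 1 and
    // CACHE_END_MARKER = 1, so with the initial capacity of 4 the first growth
    // happens when the third method is cached.
    else if (fastpath(newOccupied + CACHE_END_MARKER <= capacity / 4 * 3)) {
        // Cache is less than 3/4 full. Use it as-is.
    }
    else {
        // Double the capacity.
        capacity = capacity ? capacity * 2 : INIT_CACHE_SIZE;
        // Clamp to the maximum size (2^16).
        if (capacity > MAX_CACHE_SIZE) {
            capacity = MAX_CACHE_SIZE;
        }
        // Allocate and install a new array and free the old one. Existing
        // entries are not copied over.
        reallocate(oldCapacity, capacity, true);
    }

    // Current bucket array (the new one if we just reallocated).
    bucket_t *b = buckets();
    mask_t m = capacity - 1;
    // Starting index: hash of the selector, (mask_t)(uintptr_t)sel & mask.
    mask_t begin = cache_hash(sel, m);
    mask_t i = begin;

    // Scan for the first unused slot and insert there.
    // There is guaranteed to be an empty slot because the
    // minimum size is 4 and we resized at 3/4 full.
    do {
        // Slot at the hashed index holds no selector: claim it.
        if (fastpath(b[i].sel() == 0)) {
            // _occupied++
            incrementOccupied();
            b[i].set<Atomic, Encoded>(sel, imp, cls);
            return;
        }
        if (b[i].sel() == sel) { // slot already holds the selector being inserted
            // The entry was added to the cache by some other thread
            // before we grabbed the cacheUpdateLock.
            return;
        }
        // Otherwise probe the next index (cache_next) until we wrap to begin.
    } while (fastpath((i = cache_next(i, m)) != begin));

    // No free slot was found: report the corrupted cache.
    cache_t::bad_cache(receiver, (SEL)sel, cls);
}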
        // Driver statements for the walkthrough: each send below is the first
        // call of that selector, and a breakpoint is set before each one.
        LGPerson *person = [LGPerson alloc];
        // Breakpoint 1
        [person say1];
        // Breakpoint 2
        [person say2];
        // Breakpoint 3
        [person say3];
  • 断点1 添加第一个方法分析:occupied() 返回的 _occupied 为 0,newOccupied = 1,进入 slowpath(isConstantEmptyCache()) 判断条件,capacity = 1<<2 = 4,reallocate 方法创建并写入缓存,通过 sel("say1") & mask(capacity - 1 = 3)算出下标 1,通过 do while 循环插入 sel,_occupied 自增为 1
(lldb) p buckets()
(bucket_t *) $0 = 0x0000000100675420
(lldb) p *$0
(bucket_t) $1 = {
  _sel = {
    std::__1::atomic = (null) {
      Value = (null)
  _imp = {
    std::__1::atomic = {
      Value = 0

(lldb) p *($0 +1)  // 首地址指针 + 1 指向第二个元素
(bucket_t) $2 = {
  _sel = {
    std::__1::atomic = "" {
      Value = ""
  _imp = {
    std::__1::atomic = {
      Value = 48752
(lldb) p $2.sel()
(SEL) $3 = "say1"
(lldb) p $2.imp(cls)
(IMP) $4 = 0x0000000100003c80 (KCObjc`-[LGPerson say1])

  • 断点2 添加第二个方法分析:occupied() 返回的 _occupied 为 1,newOccupied = 2,oldCapacity = 4,capacity = 4,进入 fastpath(newOccupied + CACHE_END_MARKER <= capacity / 4 * 3) 判断条件(没有操作),通过 sel("say2") & mask(capacity - 1 = 3)算出下标 2,通过 do while 循环插入 sel,_occupied 自增为 2
(lldb) p *($0 +2)
(bucket_t) $6 = {
  _sel = {
    std::__1::atomic = "" {
      Value = ""
  _imp = {
    std::__1::atomic = {
      Value = 48704
(lldb) p $6.sel()
(SEL) $7 = "say2"
(lldb) p $6.imp(cls)
(IMP) $8 = 0x0000000100003cb0 (KCObjc`-[LGPerson say2])
  • 断点3 添加第三个方法分析:occupied() 返回的 _occupied 为 2,newOccupied = 3,oldCapacity = 4,capacity = 4,进入 else 判断条件,capacity = 4*2 = 8 扩展一倍,限制最大分配空间为 2^16,reallocate() 重新创建内存,并且清理旧的缓存空间,_occupied 被置为 0
    buckets() 获取 (bucket_t *) b = 0x00000001007612f0,已经分配新的内存空间,没有任何缓存。通过 sel("say3") & mask(capacity - 1 = 7)算出下标 7,通过 do while 循环插入 sel 时,b[7].sel() 不为空(最后一个槽位应该是被结束标记 CACHE_END_MARKER 占用,其 sel 不为 0),于是 cache_next 用 i+1 与 mask 再次进行 hash,算出下标 0 继续循环,储存成功,_occupied 自增为 1
(lldb) p b[7].sel()
(SEL) $10 = 
(lldb) p b[7].imp(cls)
(IMP) $11 = 0x0000000000769000 (0x0000000000769000)
(lldb) p b[0].sel()
(SEL) $12 = 
(lldb) p b[0].sel()
(SEL) $13 = "say3"
(lldb) p b[0].imp(cls)
(IMP) $14 = 0x0000000100003ce0 (KCObjc`-[LGPerson say3])

reallocate 方法源码:

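// Installs a freshly allocated bucket array of newCapacity slots.
//
// oldCapacity - capacity of the array being replaced (passed on when freeing).
// newCapacity - capacity of the new array; must be > 0.
// freeOld     - when true, the old array is handed to cache_collect_free().
//
// Existing entries are not copied, and setBucketsAndMask() resets _occupied
// to 0, so the cache starts empty after every reallocation.
void cache_t::reallocate(mask_t oldCapacity, mask_t newCapacity, bool freeOld)
{
    // On the first insert buckets() only contains one empty sel/imp entry.
    bucket_t *oldBuckets = buckets();
    // Newly allocated array; it holds no cached entries yet.
    bucket_t *newBuckets = allocateBuckets(newCapacity);

    // Cache's old contents are not propagated. 
    // This is thought to save cache memory at the cost of extra cache fills.
    // fixme re-measure this

    ASSERT(newCapacity > 0);
    // The mask (newCapacity - 1) must survive a round trip through mask_t.
    ASSERT((uintptr_t)(mask_t)(newCapacity-1) == newCapacity-1);
    // Publish the new array and mask.
    setBucketsAndMask(newBuckets, newCapacity - 1);
    if (freeOld) {
        // Release the old array.
        // NOTE(review): presumably reclaimed lazily rather than freed at once,
        // since lookups read the cache without a lock - confirm in
        // cache_collect_free.
        cache_collect_free(oldBuckets, oldCapacity);
    }
}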

setBucketsAndMask 源码:

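// Publishes a new bucket array and mask and resets the stored-entry count.
// This is the variant for the layout with separate _buckets and _mask fields.
//
// Ordering matters here: a concurrent reader must never combine the old
// (smaller) bucket array with the new (larger) mask, or it could index past
// the end of the array. The new buckets are therefore stored before the new
// mask on every architecture.
void cache_t::setBucketsAndMask(struct bucket_t *newBuckets, mask_t newMask)
{
#ifdef __arm__  // 32-bit ARM devices (__arm__ is not defined for arm64)
    // The stores below are relaxed, so the runtime relies on explicit full
    // barriers for ordering.
    // ensure other threads see buckets contents before buckets pointer
    mega_barrier();

    _buckets.store(newBuckets, memory_order::memory_order_relaxed);

    // ensure other threads see new buckets before new mask
    mega_barrier();

    _mask.store(newMask, memory_order::memory_order_relaxed);
    _occupied = 0;
#elif __x86_64__ || i386  // macOS or simulator
    // Release stores provide the buckets-before-mask ordering here.
    _buckets.store(newBuckets, memory_order::memory_order_release);
    _mask.store(newMask, memory_order::memory_order_release);
    _occupied = 0;
#else
#error Don't know how to do setBucketsAndMask on this architecture.
#endif
}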


1、 _mask、_occupied 是什么含义?
_occupied 为缓存的 sel - imp 的个数,相当于数组中的实际储存量。
_mask 为哈希算法的掩码,值为当前开辟的空间大小 capacity - 1

2、 为什么调用两个方法和四个方法的 _occupied、_mask 数值发生了变化?
当调用 say1、say2 方法的时候,capacity 为 4,因为默认开辟空间为 4,没有触发扩容操作,所以 capacity 没有发生变化,_mask 为 4 - 1 = 3
当存入 say3 的时候进行了扩容,capacity 为 4*2 = 8,因为是新的内存段,say1、say2 就没有了,_occupied 在此时也被赋值为 0;存入 say3 后 _occupied++ = 1;存入 say4 方法的时候(+1)并没有超过 capacity = 8 的 3/4,_occupied++ = 2,_mask 为 8 - 1 = 7
Tips: 点语法调用、init 方法和 say 方法一样,都会进行缓存。

3、 say4 方法的打印为什么在 say3方法前面?
存入方法的时候,下标是根据 sel & mask(mask = capacity - 1)或者 (i+1) & mask 算出来的,结果取决于 sel 的地址值,看起来具有随机性,并不是按调用顺序排的。

cache_t::insert 方法流程图

cache_t:insert 方法解析

