OC底层-消息发送机制

方法

在类和对象篇中,我们了解到,方法存放在类中.那么问题来了.方法长啥样呢?

method_t

struct method_t {
    struct big {
        SEL name;
        const char *types;
        MethodListIMP imp;
    };
}

从源码中,我们得知objc_class中有一个类型为method_array_t的二位数组的成员methods.扒开method_array_t的类型,我们找到了最终的method_t,就是方法函数本身的样子.可以看到.一个method_t中包含3个属性

  • name:方法名
  • types:编码(包含参数,返回值类型).TypeEncoding的方式
  • imp:方法实现

TypeEncoding

由苹果定制的一系列方法返回值类型,以及参数类型的编码规则.如下图


image-20210521095538614.png

image-20210521095546866.png

OC方法调用机制

objc_msgSend

OC中,方法调用最终转换为objc_msgSend调用.这种方式称为 消息机制,即发送消息给方法调用者.

  • 消息接收者(receiver):调用方法的对象

  • 消息名称:@selector(xx)

    [a foo] //实例方法
    objc_msgSend(a, @selector(foo))
    [A foo] //类方法
    objc_msgSend(objc_getClass("A"),@selector(foo))

objc_msgSend主要分为三个阶段

  • 消息发送
  • 动态方法解析
  • 消息转发

消息发送

苹果开放的源码中,objc_msgsend以汇编的方式实现.汇编

    ENTRY _objc_msgSend
    UNWIND _objc_msgSend, NoFrame

    cmp p0, #0          // nil check and tagged pointer check
#if SUPPORT_TAGGED_POINTERS
    b.le    LNilOrTagged        //  (MSB tagged pointer looks negative)
#else
    b.eq    LReturnZero
#endif
    ldr p13, [x0]       // p13 = isa
    GetClassFromIsa_p16 p13, 1, x0  // p16 = class
LGetIsaDone:
    // calls imp or objc_msgSend_uncached
    CacheLookup NORMAL, _objc_msgSend, __objc_msgSend_uncached

#if SUPPORT_TAGGED_POINTERS
LNilOrTagged:
    b.eq    LReturnZero     // nil check
    GetTaggedClass
    b   LGetIsaDone
// SUPPORT_TAGGED_POINTERS
#endif

LReturnZero:
    // x0 is already zero
    mov x1, #0
    movi    d0, #0
    movi    d1, #0
    movi    d2, #0
    movi    d3, #0
    ret

    END_ENTRY _objc_msgSend
LNilOrTagged

如果消息接收者是nil,直接return

CacheLookup

确定消息接收者不为空,查找缓存.如果缓存命中,调用_objc_msgSend,如果未命中.调用__objc_msgSend_uncached再调用MethodTableLookup,再调用_lookUpImpOrForward

lookUpImpOrForward
IMP lookUpImpOrForward(id inst, SEL sel, Class cls, int behavior)
{
    for (unsigned attempts = unreasonableClassCount();;) {
        if (curClass->cache.isConstantOptimizedCache(/* strict */true)) {
#if CONFIG_USE_PREOPT_CACHES
            imp = cache_getImp(curClass, sel);
            if (imp) goto done_unlock;
            curClass = curClass->cache.preoptFallbackClass();
#endif
        } else {
            // curClass method list.
            Method meth = getMethodNoSuper_nolock(curClass, sel);
            if (meth) {
                imp = meth->imp(false);
                goto done;
            }

            if (slowpath((curClass = curClass->getSuperclass()) == nil)) {
                // No implementation found, and method resolver didn't help.
                // Use forwarding.
                imp = forward_imp;
                break;
            }
        }

        // Halt if there is a cycle in the superclass chain.
        if (slowpath(--attempts == 0)) {
            _objc_fatal("Memory corruption in class list.");
        }

        // Superclass cache.
        imp = cache_getImp(curClass, sel);
        if (slowpath(imp == forward_imp)) {
            // Found a forward:: entry in a superclass.
            // Stop searching, but don't cache yet; call method
            // resolver for this class first.
            break;
        }
        if (fastpath(imp)) {
            // Found the method in a superclass. Cache it in this class.
            goto done;
        }
    }

    // No implementation found. Try method resolver once.
    if (slowpath(behavior & LOOKUP_RESOLVER)) {
        behavior ^= LOOKUP_RESOLVER;
        return resolveMethod_locked(inst, sel, cls, behavior);
    }
 done:
    if (fastpath((behavior & LOOKUP_NOCACHE) == 0)) {
#if CONFIG_USE_PREOPT_CACHES
        while (cls->cache.isConstantOptimizedCache(/* strict */true)) {
            cls = cls->cache.preoptFallbackClass();
        }
#endif
        log_and_fill_cache(cls, imp, sel, inst, curClass);
    }
 done_unlock:
    runtimeLock.unlock();
    if (slowpath((behavior & LOOKUP_NIL) && imp == forward_imp)) {
        return nil;
    }
    return imp;
}

这里我截取了lookUpImpOrForward的部分代码.可以得出.

  • 1.cache_getImp从类的缓存方法列表寻找,若命中,直接返回imp,
  • 2.未命中,调用getMethodNoSuper_nolock尝试从类的方法列表中查找方法.
    • 2.1命中,则调用cache_t::insert将方法缓存到消息接收者缓存列表中,并返回imp供消息接收者调用.
    • 2.2未命中,则找到父类,重新执行步骤1,
    • 2.3若未命中,执行2.2
  • 2.直到父类为nil时,imp未命中,则进入动态解析resolveMethod_locked
getMethodNoSuper_nolock
static method_t *
getMethodNoSuper_nolock(Class cls, SEL sel)
{
    runtimeLock.assertLocked();
    ASSERT(cls->isRealized());
    auto const methods = cls->data()->methods();
    for (auto mlists = methods.beginLists(),
              end = methods.endLists();
         mlists != end;
         ++mlists)
    {
        method_t *m = search_method_list_inline(*mlists, sel);
        if (m) return m;
    }
    return nil;
}

static method_t *
search_method_list_inline(const method_list_t *mlist, SEL sel)
{
    int methodListIsFixedUp = mlist->isFixedUp();
    int methodListHasExpectedSize = mlist->isExpectedSize();
    
    if (fastpath(methodListIsFixedUp && methodListHasExpectedSize)) {
        return findMethodInSortedMethodList(sel, mlist);
    } else {
        // Linear search of unsorted method list
        if (auto *m = findMethodInUnsortedMethodList(sel, mlist))
            return m;
    }
}

可以看到搜索方法列表的search_method_list_inline方法中,对已经排好序的方法列表是进行二分查找.而未排序的,则采用遍历查找

动态方法解析

resolveMethod_locked
static NEVER_INLINE IMP
resolveMethod_locked(id inst, SEL sel, Class cls, int behavior)
{
    runtimeLock.assertLocked();
    ASSERT(cls->isRealized());

    runtimeLock.unlock();

    if (! cls->isMetaClass()) {
        // try [cls resolveInstanceMethod:sel]
        resolveInstanceMethod(inst, sel, cls);
    } 
    else {
        // try [nonMetaClass resolveClassMethod:sel]
        // and [cls resolveInstanceMethod:sel]
        resolveClassMethod(inst, sel, cls);
        if (!lookUpImpOrNilTryCache(inst, sel, cls)) {
            resolveInstanceMethod(inst, sel, cls);
        }
    }
    // chances are that calling the resolver have populated the cache
    // so attempt using it
    return lookUpImpOrForwardTryCache(inst, sel, cls, behavior);
}

动态解析时,根据类或者元类属性来分别调用resolveInstanceMethod,resolveClassMethod

实现动态方法解析

每一个NSObject类,都存在下述方法供我们处理动态方法解析.

+ (BOOL)resolveClassMethod:(SEL)sel OBJC_AVAILABLE(10.5, 2.0, 9.0, 1.0, 2.0);
+ (BOOL)resolveInstanceMethod:(SEL)sel OBJC_AVAILABLE(10.5, 2.0, 9.0, 1.0, 2.0);

那么怎么处理呢?上代码吧

@interface Test : NSObject
+ (void)test;
- (void)test;
@end

@implementation Test

+ (BOOL)resolveClassMethod:(SEL)sel {
    if (sel == @selector(test)) {
        Method method = class_getClassMethod(self, @selector(handleResolveClassMethod));
        class_addMethod(object_getClass(self), sel, method_getImplementation(method), method_getTypeEncoding(method));
        return YES;
    }
    return [super resolveClassMethod:sel];
}

+ (void)handleResolveClassMethod {
    NSLog(@"%s",__func__);
}

+ (BOOL)resolveInstanceMethod:(SEL)sel {
    if (sel == @selector(test)) {
        Method method = class_getInstanceMethod(self, @selector(handleResolveInstanceMethod));
        class_addMethod(self, sel, method_getImplementation(method), method_getTypeEncoding(method));
        return YES;
    }
    return [super resolveInstanceMethod:sel];
}

- (void)handleResolveInstanceMethod {
    NSLog(@"%s",__func__);
}

@end

int main(int argc, const char * argv[]) {
    @autoreleasepool {
        [Test test];
        [[Test new] test];
    }
    return 0;
}

值得注意的是.类方法存在元类里面.所以用runtime动态添加类方法时,记得要找到类的元类进行添加.

而如果是添加实例方法,则直接传入self即可.

当我们动态为类添加了对应的方法实现后.会重新走一次objc_msgSend

_lookUpImpTryCache
ALWAYS_INLINE
static IMP _lookUpImpTryCache(id inst, SEL sel, Class cls, int behavior)
{
    runtimeLock.assertUnlocked();

    if (slowpath(!cls->isInitialized())) {
        // see comment in lookUpImpOrForward
        return lookUpImpOrForward(inst, sel, cls, behavior);
    }

    IMP imp = cache_getImp(cls, sel);
    if (imp != NULL) goto done;
#if CONFIG_USE_PREOPT_CACHES
    if (fastpath(cls->cache.isConstantOptimizedCache(/* strict */true))) {
        imp = cache_getImp(cls->cache.preoptFallbackClass(), sel);
    }
#endif
    if (slowpath(imp == NULL)) {
        return lookUpImpOrForward(inst, sel, cls, behavior);
    }

done:
    if ((behavior & LOOKUP_NIL) && imp == (IMP)_objc_msgForward_impcache) {
        return nil;
    }
    return imp;
}

从方法可以看出.实现动态方法解析后,也是重新走消息发送的流程.先从方法缓存列表找起.再走lookUpImpOrForward

到这一步,动态方法解析基本走完.如果我们没有实现动态方法解析的话,就会进入第三阶段.消息转发

消息转发

消息转发

找遍了源码.也找不到消息转发相关的东西.但是从最终崩溃的调用栈来看.

*** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '+[Test test]: unrecognized selector sent to class 0x100008208'
*** First throw call stack:
(
    0   CoreFoundation                      0x00007fff206206af __exceptionPreprocess + 242
    1   libobjc.A.dylib                     0x00000001002fbb80 objc_exception_throw + 48
    2   CoreFoundation                      0x00007fff206a2bdd __CFExceptionProem + 0
    3   CoreFoundation                      0x00007fff2058807d ___forwarding___ + 1467
    4   CoreFoundation                      0x00007fff20587a38 _CF_forwarding_prep_0 + 120
    5   KCObjcBuild                         0x0000000100003ee5 main + 53
    6   libdyld.dylib                       0x00007fff204c9621 start + 1
)

看到了forwarding,进入该调用栈的汇编.发现有一句注释讲到未实现methodSignatureForSelector,那我们尝试实现一下.

0x7fff20587fbe <+1276>: leaq   0x5febb1ab(%rip), %rsi    ; @"*** NSForwarding: warning: object %p of class '%s' does not implement methodSignatureForSelector: -- did you forget to declare the superclass of '%s'?"

methodSignatureForSelector

+ (NSMethodSignature *)methodSignatureForSelector:(SEL)aSelector

可以看到这个方法需要返回一个NSMethodSignature.查看该类的初始化方法,我们需要传入方法实现的Method_t的types参数.也就是typeEncoding.那我们试试实现一下.我们在Test类中添加如下代码,然后运行

+ (NSMethodSignature *)methodSignatureForSelector:(SEL)aSelector {
    if (aSelector == @selector(test)) {
        return [NSMethodSignature signatureWithObjCTypes:"v16@0:8"];
    }
    return [super methodSignatureForSelector:aSelector];
}

运行过后继续报错.继续输出调用栈.

*** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '+[Test test]: unrecognized selector sent to class 0x100008258'
*** First throw call stack:
(
    0   CoreFoundation                      0x00007fff206206af __exceptionPreprocess + 242
    1   libobjc.A.dylib                     0x00000001002fbb80 objc_exception_throw + 48
    2   CoreFoundation                      0x00007fff206a2bdd __CFExceptionProem + 0
    3   libobjc.A.dylib                     0x0000000100350957 +[NSObject forwardInvocation:] + 103
    4   CoreFoundation                      0x00007fff20587e07 ___forwarding___ + 837
    5   CoreFoundation                      0x00007fff20587a38 _CF_forwarding_prep_0 + 120
    6   KCObjcBuild                         0x0000000100003ea3 main + 51
    7   libdyld.dylib                       0x00007fff204c9621 start + 1
)

forwardInvocation

此时可以看到.多了一个[NSObject forwardInvocation:].

+ (void)forwardInvocation:(NSInvocation *)invocation {
    [self doesNotRecognizeSelector:(invocation ? [invocation selector] : 0)];
}

- (void)forwardInvocation:(NSInvocation *)invocation {
    [self doesNotRecognizeSelector:(invocation ? [invocation selector] : 0)];
}

// Replaced by CF (throws an NSException)
+ (void)doesNotRecognizeSelector:(SEL)sel {
    _objc_fatal("+[%s %s]: unrecognized selector sent to instance %p", 
                class_getName(self), sel_getName(sel), self);
}

进入NSObject的源码中发现.调用了doesNotRecognizeSelector方法.最终发现了万恶之源...

就是每次崩溃时输出的unrecognized selector sent to class错误

NSInvocation

@interface NSInvocation : NSObject

+ (NSInvocation *)invocationWithMethodSignature:(NSMethodSignature *)sig;

@property (readonly, retain) NSMethodSignature *methodSignature;

- (void)retainArguments;
@property (readonly) BOOL argumentsRetained;

@property (nullable, assign) id target;
@property SEL selector;

- (void)getReturnValue:(void *)retLoc;
- (void)setReturnValue:(void *)retLoc;

- (void)getArgument:(void *)argumentLocation atIndex:(NSInteger)idx;
- (void)setArgument:(void *)argumentLocation atIndex:(NSInteger)idx;

- (void)invoke;
- (void)invokeWithTarget:(id)target;

@end

我们在forwardInvocation中加入断点.看看anInvocation放了什么东西.

(lldb) po anInvocation

return value: {v} void
target: {@} 0x100008298
selector: {:} test

(lldb) po 0x100008298
Test

可以看到.anInvocation里面放了要执行的方法名以及执行它的target.如果我们此时调用invoke.那还是会继续报找不到方法错误.那么怎么解决呢.如果我们让其他实现了test方法的类来作为target.是不是就可以呢.让我们试试

@interface Test1 : NSObject
@end

@implementation Test1

+ (void)test {
    NSLog(@"%s",__func__);
}

@end

@interface Test : NSObject
+ (void)test;
@end

@implementation Test
+ (NSMethodSignature *)methodSignatureForSelector:(SEL)aSelector {
    if (aSelector == @selector(test)) {
        return [NSMethodSignature signatureWithObjCTypes:"v16@0:8"];
    }
    return [super methodSignatureForSelector:aSelector];
}

+ (void)forwardInvocation:(NSInvocation *)anInvocation {
    [anInvocation invokeWithTarget:[Test1 class]];
}

@end

int main(int argc, const char * argv[]) {
    @autoreleasepool {
        [Test test];
    }
    return 0;
}

我们发现.最终通过消息转发.Test1成为了消息接收者并完成了方法的调用.到此消息转发就结束了.

你可能感兴趣的:(OC底层-消息发送机制)