image
我们在iOS底层探索 --- dyld加载流程提到了
_objc_init。但是我们并没有对这个函数做详细的探索,当时我们只是探索到_dyld_objc_notify_register里面的参数load_images。
这里呢,我们要探索
类是如何从Mach-O文件中,加载到内存里面的。所以我们今天要回过头,从新探索一下_objc_init这个函数。本章主要探索一下
_objc_init中函数的执行流程,对于类的加载有一个基本的理解。
一、_objc_init源码
首先我们来回顾一下_objc_init的源码。
void _objc_init(void)
{
static bool initialized = false;
if (initialized) return;
initialized = true;
// fixme defer initialization until an objc-using image is found?
environ_init();
tls_init();
static_init();
runtime_init();
exception_init();
#if __OBJC2__
cache_t::init();
#endif
_imp_implementationWithBlock_init();
_dyld_objc_notify_register(&map_images, load_images, unmap_image);
// map_images()
// load_images()
#if __OBJC2__
didCallDyldNotifyRegister = true;
#endif
}
我们可以看到,在
_dyld_objc_notify_register函数被调用之前,还有一些函数的调用,那么这些函数又起到什么样的作用呢?下面我们就来一一讲解一下。
1.1 environ_init()
environ_init():读取影响运行时的环境变量。(如果需要,还可以打印环境变量帮助,终端:$ export OBJC_HELP=1)
这里我们可以简单的看一下其中的一些代码:
image
日常的开发过程中,我们是利用Xcode来设置环境变量的。
-
比如
OBJC_PRINT_LOAD_METHODS我们只要设置了之后,控制台就可以打印出工程中所有用到的load函数:
image
image 具体的一些环境变量的作用,可以参考下表
| 环境变量名 | 说明 |
|---|---|
| OBJC_PRINT_OPTIONS | 输出OBJC已设置的选项 |
| OBJC_PRINT_IMAGES | 输出已load的image信息 |
| OBJC_PRINT_LOAD_METHODS | 打印 Class 及 Category 的 + (void)load 方法的调用信息 |
| OBJC_PRINT_INITIALIZE_METHODS | 打印 Class 的 + (void)initialize 的调用信息 |
| OBJC_PRINT_RESOLVED_METHODS | 打印通过 +resolveClassMethod: 或 +resolveInstanceMethod: 生成的类方法 |
| OBJC_PRINT_CLASS_SETUP | 打印 Class 及 Category 的设置过程 |
| OBJC_PRINT_PROTOCOL_SETUP | 打印 Protocol 的设置过程 |
| OBJC_PRINT_IVAR_SETUP | 打印 Ivar 的设置过程 |
| OBJC_PRINT_VTABLE_SETUP | 打印 vtable 的设置过程 |
| OBJC_PRINT_VTABLE_IMAGES | 打印 vtable 被覆盖的方法 |
| OBJC_PRINT_CACHE_SETUP | 打印方法缓存的设置过程 |
| OBJC_PRINT_FUTURE_CLASSES | 打印从 CFType 无缝转换到 NSObject 将要使用的类(如 CFArrayRef 到 NSArray * ) |
| OBJC_PRINT_GC | 打印一些垃圾回收操作 |
| OBJC_PRINT_PREOPTIMIZATION | 打印 dyld 共享缓存优化前的问候语 |
| OBJC_PRINT_CXX_CTORS | 打印类实例中的 C++ 对象的构造与析构调用 |
| OBJC_PRINT_EXCEPTIONS | 打印异常处理 |
| OBJC_PRINT_EXCEPTION_THROW | 打印所有异常抛出时的 Backtrace |
| OBJC_PRINT_ALT_HANDLERS | 打印 alt 操作异常处理 |
| OBJC_PRINT_REPLACED_METHODS | 打印被 Category 替换的方法 |
| OBJC_PRINT_DEPRECATION_WARNINGS | 打印所有过时的方法调用 |
| OBJC_PRINT_POOL_HIGHWATER | 打印 autoreleasepool 高水位警告 |
| OBJC_PRINT_CUSTOM_RR | 打印含有未优化的自定义 retain/release 方法的类 |
| OBJC_PRINT_CUSTOM_AWZ | 打印含有未优化的自定义 allocWithZone 方法的类 |
| OBJC_PRINT_RAW_ISA | 打印需要访问原始 isa 指针的类 |
| OBJC_DEBUG_UNLOAD | 卸载有不良行为的 Bundle 时打印警告 |
| OBJC_DEBUG_FRAGILE_SUPERCLASSES | 当子类可能被对父类的修改破坏时打印警告 |
| OBJC_DEBUG_FINALIZERS | 警告实现了 -dealloc 却没有实现 -finalize 的类 |
| OBJC_DEBUG_NIL_SYNC | 警告 @synchronized(nil) 调用,这种情况不会加锁 |
| OBJC_DEBUG_NONFRAGILE_IVARS | 打印突发地重新布置 non-fragile ivars 的行为 |
| OBJC_DEBUG_ALT_HANDLERS | 记录更多的 alt 操作错误信息 |
| OBJC_DEBUG_MISSING_POOLS | 警告没有 pool 的情况下使用 autorelease,可能内存泄漏 |
| OBJC_DEBUG_DUPLICATE_CLASSES | 当出现类重名时停机 |
| OBJC_USE_INTERNAL_ZONE | 在一个专用的 malloc 区分配运行时数据 |
| OBJC_DISABLE_GC | 强行关闭自动垃圾回收,即使可执行文件需要垃圾回收 |
| OBJC_DISABLE_VTABLES | 关闭 vtable 分发 |
| OBJC_DISABLE_PREOPTIMIZATION | 关闭 dyld 共享缓存优化前的问候语 |
| OBJC_DISABLE_TAGGED_POINTERS | 关闭 NSNumber 等的 tagged pointer 优化 |
| OBJC_DISABLE_NONPOINTER_ISA | 关闭 non-pointer isa 字段的访问 |
1.2 tls_init()
tls_init():关于线程key的绑定,比如每个线程数据的析构函数。
void tls_init(void)
{
#if SUPPORT_DIRECT_THREAD_KEYS
pthread_key_init_np(TLS_DIRECT_KEY, &_objc_pthread_destroyspecific);
#else
_objc_pthread_key = tls_create(&_objc_pthread_destroyspecific);
#endif
}
1.3 static_init()
static_init():运行C++静态构造函数(系统级别的构造函数)。在dyld调用我们的静态构造函数之前,libc调用_objc_init()。也就是说系统级别的C++构造函数早于自定义的C++构造函数执行。
/***********************************************************************
* static_init
* Run C++ static constructor functions.
* libc calls _objc_init() before dyld would call our static constructors,
* so we have to do it ourselves.
**********************************************************************/
static void static_init()
{
size_t count;
auto inits = getLibobjcInitializers(&_mh_dylib_header, &count);
for (size_t i = 0; i < count; i++) {
inits[i]();
}
auto offsets = getLibobjcInitializerOffsets(&_mh_dylib_header, &count);
for (size_t i = 0; i < count; i++) {
UnsignedInitializer init(offsets[i]);
init();
}
}
1.4 runtime_init()
runtime_init():Runtime运行时环境初始化,主要是unattachedCategories 和 allocatedClasses。
void runtime_init(void)
{
objc::unattachedCategories.init(32);
objc::allocatedClasses.init();
}
1.5 exception_init()
exception_init():初始化libobjc的异常处理系统,注册异常处理的回调,从而监控异常的处理。
/***********************************************************************
* exception_init
* Initialize libobjc's exception handling system.
* Called by map_images().
**********************************************************************/
void exception_init(void)
{
old_terminate = std::set_terminate(&_objc_terminate);
}
当遇到crash的时候,会来到_objc_terminate,执行到uncaught_handler抛出异常:
/***********************************************************************
* _objc_terminate
* Custom std::terminate handler.
*
* The uncaught exception callback is implemented as a std::terminate handler.
* 1. Check if there's an active exception
* 2. If so, check if it's an Objective-C exception
* 3. If so, call our registered callback with the object.
* 4. Finally, call the previous terminate handler.
**********************************************************************/
static void (*old_terminate)(void) = nil;
static void _objc_terminate(void)
{
if (PrintExceptions) {
_objc_inform("EXCEPTIONS: terminating");
}
if (! __cxa_current_exception_type()) {
// No current exception.
(*old_terminate)();
}
else {
// There is a current exception. Check if it's an objc exception.
@try {
__cxa_rethrow();
} @catch (id e) {
// It's an objc object. Call Foundation's handler, if any.
(*uncaught_handler)((id)e);
(*old_terminate)();
} @catch (...) {
// It's not an objc object. Continue to C++ terminate.
(*old_terminate)();
}
}
}
1.6 cache_t::init()
缓存条件初始化。
void cache_t::init()
{
#if HAVE_TASK_RESTARTABLE_RANGES
mach_msg_type_number_t count = 0;
kern_return_t kr;
while (objc_restartableRanges[count].location) {
count++;
}
kr = task_restartable_ranges_register(mach_task_self(),
objc_restartableRanges, count);
if (kr == KERN_SUCCESS) return;
_objc_fatal("task_restartable_ranges_register failed (result 0x%x: %s)",
kr, mach_error_string(kr));
#endif // HAVE_TASK_RESTARTABLE_RANGES
}
1.7 _imp_implementationWithBlock_init()
启动回调机制。通常不会做什么,因为所有的初始化都是惰性的,但是对于某些进程,我们会迫不及待的加载libobjc-trampolines.dylib。
/// Initialize the trampoline machinery. Normally this does nothing, as
/// everything is initialized lazily, but for certain processes we eagerly load
/// the trampolines dylib.
void
_imp_implementationWithBlock_init(void)
{
#if TARGET_OS_OSX
// Eagerly load libobjc-trampolines.dylib in certain processes. Some
// programs (most notably QtWebEngineProcess used by older versions of
// embedded Chromium) enable a highly restrictive sandbox profile which
// blocks access to that dylib. If anything calls
// imp_implementationWithBlock (as AppKit has started doing) then we'll
// crash trying to load it. Loading it here sets it up before the sandbox
// profile is enabled and blocks it.
//
// This fixes EA Origin (rdar://problem/50813789)
// and Steam (rdar://problem/55286131)
if (__progname &&
(strcmp(__progname, "QtWebEngineProcess") == 0 ||
strcmp(__progname, "Steam Helper") == 0)) {
Trampolines.Initialize();
}
#endif
}
1.8 _dyld_objc_notify_register(&map_images, load_images, unmap_image)
到这里,就看到我们熟悉的_dyld_objc_notify_register。其官方注释如下:
image
从官方注释中我们可以知道:
- 仅供
objc运行时使用 - 注册处理程序,以便于在
映射、取消映射和初始化objc镜像时调用 -
dyld将会通过一个包含objc-image-info的镜像文件的数组回调mapped函数。
其中_dyld_objc_notify_register的三个参数的意义如下:
-
map_images:dyld将镜像文件加载到内存时,会触发该函数。注意,该函数传的是地址,也就是说是实时同步变化的,相当于Block。 -
load_images:dyld初始化镜像文件会触发该函数。 -
unmap_image:dyld移除镜像文件时,会触发该函数。
二、map_images
看到这里,不知道大家是否还记得我们这篇文章要探索的内容。没错,就是类是如何加载到内存中的?。
通过上面我们知道,镜像文件加载到内存,需要通过map_images函数;因此,我们探索的重点就落到了map_images函数身上。
/***********************************************************************
* map_images
* Process the given images which are being mapped in by dyld.
* Calls ABI-agnostic code after taking ABI-specific locks.
*
* Locking: write-locks runtimeLock
**********************************************************************/
void
map_images(unsigned count, const char * const paths[],
const struct mach_header * const mhdrs[])
{
mutex_locker_t lock(runtimeLock);
return map_images_nolock(count, paths, mhdrs);
}
可以看到,map_images最终会调用map_images_nolock,那么根据我们之前探索的经验,现在我们要做的就是跟进去。
image
在阅读
map_images_nolock的源码的时候,我们可以先将一些判断先收起来,然后结合函数名还有官方给的注释,我们很快就可以定位到我们要找的关键代码。_read_images(hList, hCount, totalClasses, unoptimizedTotalClasses)
注意:在阅读源码的时候,不是所有的代码我们都要一行一行的去阅读,我们只需要去寻找我们需要的关键代码就可以了。
既然找到了_read_images,从字面意思看是读取镜像文件。那我们跟进去看一下就知道了。
2.1 _read_images
这里_read_images的源码也是有很多的。同样的我们把判断的代码块折叠起来,会发现不一样的效果。
image
可以看到,当我们把代码折叠之后,会看到一些层次分明的
log;这些正是我们阅读源码所需要的注释。
根据官方的log提示,我们大致可以将_read_images分为以下10个部分:
- 1、条件控制,进行一次加载。
- 2、修复预编译阶段的
@selector混乱的问题。 - 3、错误混乱的类处理。
- 4、修复重映射一些没有被镜像文件加载进来的类。
- 5、修复一些消息。
- 6、当我们的类里面有协议的时候,添加协议到协议列表。
- 7、修复没有被加载的协议。
- 8、分类处理。
- 9、类的加载处理。
- 10、没有被处理的类,优化那些被侵犯的类。
2.1.1 条件控制,进行一次加载
首先来讲,当我们第一次进入_read_images,会进入下面的代码块:
if (!doneOnce) {
doneOnce = YES;
launchTime = YES;
#if SUPPORT_NONPOINTER_ISA
// Disable non-pointer isa under some conditions.
# if SUPPORT_INDEXED_ISA
// Disable nonpointer isa if any image contains old Swift code
for (EACH_HEADER) {
if (hi->info()->containsSwift() &&
hi->info()->swiftUnstableVersion() < objc_image_info::SwiftVersion3)
{
DisableNonpointerIsa = true;
if (PrintRawIsa) {
_objc_inform("RAW ISA: disabling non-pointer isa because "
"the app or a framework contains Swift code "
"older than Swift 3.0");
}
break;
}
}
# endif
# if TARGET_OS_OSX
// Disable non-pointer isa if the app is too old
// (linked before OS X 10.11)
// if (!dyld_program_sdk_at_least(dyld_platform_version_macOS_10_11)) {
// DisableNonpointerIsa = true;
// if (PrintRawIsa) {
// _objc_inform("RAW ISA: disabling non-pointer isa because "
// "the app is too old.");
// }
// }
// Disable non-pointer isa if the app has a __DATA,__objc_rawisa section
// New apps that load old extensions may need this.
for (EACH_HEADER) {
if (hi->mhdr()->filetype != MH_EXECUTE) continue;
unsigned long size;
if (getsectiondata(hi->mhdr(), "__DATA", "__objc_rawisa", &size)) {
DisableNonpointerIsa = true;
if (PrintRawIsa) {
_objc_inform("RAW ISA: disabling non-pointer isa because "
"the app has a __DATA,__objc_rawisa section");
}
}
break; // assume only one MH_EXECUTE image
}
# endif
#endif
if (DisableTaggedPointers) {
disableTaggedPointers();
}
initializeTaggedPointerObfuscator();
if (PrintConnecting) {
_objc_inform("CLASS: found %d classes during launch", totalClasses);
}
// namedClasses
// Preoptimized classes don't go in this table.
// 4/3 is NXMapTable's load factor
// objc::unattachedCategories.init(32);
// objc::allocatedClasses.init();
int namedClassesSize =
(isPreoptimized() ? unoptimizedTotalClasses : totalClasses) * 4 / 3;
gdb_objc_realized_classes =
NXCreateMapTable(NXStrValueMapPrototype, namedClassesSize);
ts.log("IMAGE TIMES: first time tasks");
}
主要看这一段代码:
int namedClassesSize =
(isPreoptimized() ? unoptimizedTotalClasses : totalClasses) * 4 / 3;
gdb_objc_realized_classes =
NXCreateMapTable(NXStrValueMapPrototype, namedClassesSize);
可以看到,在第一次进来的时候,会通过NXCreateMapTable创建一张表gdb_objc_realized_classes;用于存储不在共享缓存,但是已经命名的所有类。其容量是类数量的4/3。
2.1.2 修复预编译阶段的@selector混乱的问题
static size_t UnfixedSelectors;
{
mutex_locker_t lock(selLock);
for (EACH_HEADER) {
if (hi->hasPreoptimizedSelectors()) continue;
bool isBundle = hi->isBundle();
SEL *sels = _getObjc2SelectorRefs(hi, &count);
UnfixedSelectors += count;
for (i = 0; i < count; i++) {
const char *name = sel_cname(sels[i]);
SEL sel = sel_registerNameNoLock(name, isBundle);
if (sels[i] != sel) {
sels[i] = sel;
}
}
}
}
可以看到,会从两个表中提取名字相同SEL,当发现两个SEL不相等的情况,就进行修复。(名字相同,但是里面的地址可能不同)
2.1.3 错误混乱的类处理
// Discover classes. Fix up unresolved future classes. Mark bundle classes.
bool hasDyldRoots = dyld_shared_cache_some_image_overridden();
for (EACH_HEADER) {
if (! mustReadClasses(hi, hasDyldRoots)) {
// Image is sufficiently optimized that we need not call readClass()
continue;
}
classref_t const *classlist = _getObjc2ClassList(hi, &count);
bool headerIsBundle = hi->isBundle();
bool headerIsPreoptimized = hi->hasPreoptimizedClasses();
for (i = 0; i < count; i++) {
//此时读取的cls只是一个地址
Class cls = (Class)classlist[i];
//通过readClass函数获取处理后的新类,处理后,cls是一个类名
Class newCls = readClass(cls, headerIsBundle, headerIsPreoptimized);
if (newCls != cls && newCls) {
// Class was moved but not deleted. Currently this occurs
// only when the new class resolved a future class.
// Non-lazily realize the class below.
resolvedFutureClasses = (Class *)
realloc(resolvedFutureClasses,
(resolvedFutureClassCount+1) * sizeof(Class));
resolvedFutureClasses[resolvedFutureClassCount++] = newCls;
}
}
}
ts.log("IMAGE TIMES: discover classes");
2.1.4 修复重映射一些没有被镜像文件加载进来的类
// Fix up remapped classes
// Class list and nonlazy class list remain unremapped.
// Class refs and super refs are remapped for message dispatching.
if (!noClassesRemapped()) {
for (EACH_HEADER) {
Class *classrefs = _getObjc2ClassRefs(hi, &count);
for (i = 0; i < count; i++) {
remapClassRef(&classrefs[i]);
}
// fixme why doesn't test future1 catch the absence of this?
classrefs = _getObjc2SuperRefs(hi, &count);
for (i = 0; i < count; i++) {
remapClassRef(&classrefs[i]);
}
}
}
ts.log("IMAGE TIMES: remap classes");
将未映射的Class和Super Class进行重新映射。
-
_getObjc2ClassRefs是获取Mach-O文件中的__objc_classrefs -
_getObjc2SuperRefs是获取Mach-O文件中的__objc_superrefs
2.2.5 修复一些消息
#if SUPPORT_FIXUP
// Fix up old objc_msgSend_fixup call sites
for (EACH_HEADER) {
message_ref_t *refs = _getObjc2MessageRefs(hi, &count);
if (count == 0) continue;
if (PrintVtables) {
_objc_inform("VTABLES: repairing %zu unsupported vtable dispatch "
"call sites in %s", count, hi->fname());
}
for (i = 0; i < count; i++) {
fixupMessageRef(refs+i);
}
}
ts.log("IMAGE TIMES: fix up objc_msgSend_fixup");
#endif
通过_getObjc2MessageRefs获取Mach-O文件中的__objc_msgrefs。
当获取的字段存在内容的时候,遍历执行fixupMessageRef函数。
2.1.6 当我们的类里面有协议的时候,添加协议到协议列表
// Discover protocols. Fix up protocol refs.
for (EACH_HEADER) {
extern objc_class OBJC_CLASS_$_Protocol;
Class cls = (Class)&OBJC_CLASS_$_Protocol;
ASSERT(cls);
NXMapTable *protocol_map = protocols();
bool isPreoptimized = hi->hasPreoptimizedProtocols();
// Skip reading protocols if this is an image from the shared cache
// and we support roots
// Note, after launch we do need to walk the protocol as the protocol
// in the shared cache is marked with isCanonical() and that may not
// be true if some non-shared cache binary was chosen as the canonical
// definition
if (launchTime && isPreoptimized) {
if (PrintProtocols) {
_objc_inform("PROTOCOLS: Skipping reading protocols in image: %s",
hi->fname());
}
continue;
}
bool isBundle = hi->isBundle();
protocol_t * const *protolist = _getObjc2ProtocolList(hi, &count);
for (i = 0; i < count; i++) {
readProtocol(protolist[i], cls, protocol_map,
isPreoptimized, isBundle);
}
}
ts.log("IMAGE TIMES: discover protocols");
调用_getObjc2ProtocolList获取__objc_protolist列表,通过遍历,执行readProtocol函数,将protocol添加到protocol_map表中。
2.1.7 修复没有被加载的协议
// Fix up @protocol references
// Preoptimized images may have the right
// answer already but we don't know for sure.
for (EACH_HEADER) {
// At launch time, we know preoptimized image refs are pointing at the
// shared cache definition of a protocol. We can skip the check on
// launch, but have to visit @protocol refs for shared cache images
// loaded later.
if (launchTime && hi->isPreoptimized())
continue;
protocol_t **protolist = _getObjc2ProtocolRefs(hi, &count);
for (i = 0; i < count; i++) {
remapProtocolRef(&protolist[i]);
}
}
ts.log("IMAGE TIMES: fix up @protocol references");
通过_getObjc2ProtocolRefs获取__objc_protorefs,然后遍历,执行remapProtocolRef函数。
2.1.8 分类处理
仅在分类初始化,并且数据加载到类之后才执行。对于启动时出现的分类,推迟到_dyld_objc_notify_register调用完成后的第一个load_images调用。
// Discover categories. Only do this after the initial category
// attachment has been done. For categories present at startup,
// discovery is deferred until the first load_images call after
// the call to _dyld_objc_notify_register completes. rdar://problem/53119145
if (didInitialAttachCategories) {
for (EACH_HEADER) {
load_categories_nolock(hi);
}
}
ts.log("IMAGE TIMES: discover categories");
2.1.9 类的加载处理
// Realize non-lazy classes (for +load methods and static instances)
for (EACH_HEADER) {
classref_t const *classlist = hi->nlclslist(&count);
for (i = 0; i < count; i++) {
Class cls = remapClass(classlist[i]);
if (!cls) continue;
addClassTableEntry(cls);
if (cls->isSwiftStable()) {
if (cls->swiftMetadataInitializer()) {
_objc_fatal("Swift class %s with a metadata initializer "
"is not allowed to be non-lazy",
cls->nameForLogging());
}
// fixme also disallow relocatable classes
// We can't disallow all Swift classes because of
// classes like Swift.__EmptyArrayStorage
}
realizeClassWithoutSwift(cls, nil);
}
}
ts.log("IMAGE TIMES: realize non-lazy classes");
2.1.10 没有被处理的类,优化那些被侵犯的类
// Realize newly-resolved future classes, in case CF manipulates them
if (resolvedFutureClasses) {
for (i = 0; i < resolvedFutureClassCount; i++) {
Class cls = resolvedFutureClasses[i];
if (cls->isSwiftStable()) {
_objc_fatal("Swift class is not allowed to be future");
}
realizeClassWithoutSwift(cls, nil);
cls->setInstancesRequireRawIsaRecursively(false/*inherited*/);
}
free(resolvedFutureClasses);
}
ts.log("IMAGE TIMES: realize future classes");