objc对象调用方法详细过程

在调用对象的方法之前我们首先弄清楚对象的方法存在哪里.

实例方法存在类对象中
类方法存在元类对象中(元类其实也是一个类对象)

我们先看下类对象的结构布局

struct objc_class : objc_object {
    // Class ISA;
    Class superclass;
    cache_t cache;             // formerly cache pointer and vtable
    class_data_bits_t bits;    // class_rw_t * plus custom rr/alloc flags
}

我们看到一个类对象就是一个结构体继承与objc_object结构体,我们以前的文章中分析过objc_object结构体,这里简单的说一下objc_object, objc_object里面有一个isa是一个共用体.里面有一个结构体使用位域来存储更多的信息.

superclass是指向父类的指针
cache方法的缓存列表
bits& FAST_DATA_MASK的到class_rw_t结构体

struct class_rw_t {
    // Be warned that Symbolication knows the layout of this structure.
    uint32_t flags;
    uint32_t version;

    const class_ro_t *ro;

    method_array_t methods;
    property_array_t properties;
    protocol_array_t protocols;

    Class firstSubclass;
    Class nextSiblingClass;

    char *demangledName;
}

在class_rw_t中 methods就是方法的缓存类表
我们以前讨论分类的的时候也分析过method_array_t methods;结构

methods是一个二维数组, 数组里面的元素是分类的的方法类表
[
[分类方法1a方法,分类方法1b方法],
[分类方法2a方法,分类方法2b方法]
]

我们给一个对象发消息的时候就会找到methods这个数组里面然后缓存到cache中,就算给一个对象调用父类的方法也会缓存到cache中的_buckets, 当往_buckets缓存bucket_t的时候_buckets会检查是否需要扩容,需要扩容就会清空所有元素然后,在缓存进来.(这个时候以前的缓存就没有了)

struct cache_t {
    struct bucket_t *_buckets;
    mask_t _mask; //散列表的长度
    mask_t _occupied; //已经缓存方法的个数
}

struct bucket_t {
private:
    cache_key_t _key;
    IMP _imp;
}

我看到cache结构体中_buckets是一个数组里面是bucket_t结构体_key就是方法名字_buckets就相当于一个离散列表(类似字典)

image.png
image.png
image.png

源码分析调用方法过程

ENTRY _objc_msgSend
    UNWIND _objc_msgSend, NoFrame
    MESSENGER_START

    cmp x0, #0          // nil check and tagged pointer check
    b.le    LNilOrTagged        //  (MSB tagged pointer looks negative)
    ldr x13, [x0]       // x13 = isa
    and x16, x13, #ISA_MASK // x16 = class  
LGetIsaDone:
    CacheLookup NORMAL      // calls imp or objc_msgSend_uncached

LNilOrTagged:
    b.eq    LReturnZero     // nil check

    // tagged
    mov x10, #0xf000000000000000
    cmp x0, x10
    b.hs    LExtTag
    adrp    x10, _objc_debug_taggedpointer_classes@PAGE
    add x10, x10, _objc_debug_taggedpointer_classes@PAGEOFF
    ubfx    x11, x0, #60, #4
    ldr x16, [x10, x11, LSL #3]
    b   LGetIsaDone

LExtTag:
    // ext tagged
    adrp    x10, _objc_debug_taggedpointer_ext_classes@PAGE
    add x10, x10, _objc_debug_taggedpointer_ext_classes@PAGEOFF
    ubfx    x11, x0, #52, #8
    ldr x16, [x10, x11, LSL #3]
    b   LGetIsaDone
    
LReturnZero:
    // x0 is already zero
    mov x1, #0
    movi    d0, #0
    movi    d1, #0
    movi    d2, #0
    movi    d3, #0
    MESSENGER_END_NIL
    ret

    END_ENTRY _objc_msgSend

x0, 寄存器里面存的是receiver消息接受者
b.le LNilOrTagged //如果receiver为nil跳转到LNilOrTagged
b.eq LReturnZero // nil check
ret (表示return)
如果对象为nil就return

如果对象不为nil就走到CacheLookup 在缓存中寻找

.macro CacheLookup
    // x1 = SEL, x16 = isa
    ldp x10, x11, [x16, #CACHE] // x10 = buckets, x11 = occupied|mask
    and w12, w1, w11        // x12 = _cmd & mask
    add x12, x10, x12, LSL #4   // x12 = buckets + ((_cmd & mask)<<4)

    ldp x9, x17, [x12]      // {x9, x17} = *bucket
1:  cmp x9, x1          // if (bucket->sel != _cmd)
    b.ne    2f          //     scan more
    CacheHit $0         // call or return imp
    
2:  // not hit: x12 = not-hit bucket
    CheckMiss $0            // miss if bucket->sel == 0
    cmp x12, x10        // wrap if bucket == buckets
    b.eq    3f
    ldp x9, x17, [x12, #-16]!   // {x9, x17} = *--bucket
    b   1b          // loop

3:  // wrap: x12 = first bucket, w11 = mask
    add x12, x12, w11, UXTW #4  // x12 = buckets+(mask<<4)

    // Clone scanning loop to miss instead of hang when cache is corrupt.
    // The slow path may detect any corruption and halt later.

    ldp x9, x17, [x12]      // {x9, x17} = *bucket
1:  cmp x9, x1          // if (bucket->sel != _cmd)
    b.ne    2f          //     scan more
    CacheHit $0         // call or return imp
    
2:  // not hit: x12 = not-hit bucket
    CheckMiss $0            // miss if bucket->sel == 0
    cmp x12, x10        // wrap if bucket == buckets
    b.eq    3f
    ldp x9, x17, [x12, #-16]!   // {x9, x17} = *--bucket
    b   1b          // loop

3:  // double wrap
    JumpMiss $0
    
.endmacro

CacheHit 命中缓存 结果是直接调用方法或者返回imp指针

.macro CacheHit
.if $0 == NORMAL
    MESSENGER_END_FAST
    br  x17         // call imp
.elseif $0 == GETIMP
    mov x0, x17         // return imp
    ret
.elseif $0 == LOOKUP
    ret             // return imp via x17
.else
.abort oops
.endif
.endmacro

CheckMiss在缓存中没有找到

.macro CheckMiss
    // miss if bucket->sel == 0
.if $0 == GETIMP
    cbz x9, LGetImpMiss
.elseif $0 == NORMAL
    cbz x9, __objc_msgSend_uncached
.elseif $0 == LOOKUP
    cbz x9, __objc_msgLookup_uncached
.else
.abort oops
.endif
.endmacro

因为CacheLookup NORMAL传的值是NORMAL 这里我们暂时只分析__objc_msgSend_uncached

STATIC_ENTRY __objc_msgSend_uncached
    UNWIND __objc_msgSend_uncached, FrameWithNoSaves

    // THIS IS NOT A CALLABLE C FUNCTION
    // Out-of-band x16 is the class to search
    
    MethodTableLookup
    br  x17

END_ENTRY __objc_msgSend_uncached

我们再分析MethodTableLookup 发现是个宏

.macro MethodTableLookup
    
    // push frame
    stp fp, lr, [sp, #-16]!
    mov fp, sp

    // save parameter registers: x0..x8, q0..q7
    sub sp, sp, #(10*8 + 8*16)
    stp q0, q1, [sp, #(0*16)]
    stp q2, q3, [sp, #(2*16)]
    stp q4, q5, [sp, #(4*16)]
    stp q6, q7, [sp, #(6*16)]
    stp x0, x1, [sp, #(8*16+0*8)]
    stp x2, x3, [sp, #(8*16+2*8)]
    stp x4, x5, [sp, #(8*16+4*8)]
    stp x6, x7, [sp, #(8*16+6*8)]
    str x8,     [sp, #(8*16+8*8)]

    // receiver and selector already in x0 and x1
    mov x2, x16
    bl  __class_lookupMethodAndLoadCache3

    // imp in x0
    mov x17, x0
    
    // restore registers and return
    ldp q0, q1, [sp, #(0*16)]
    ldp q2, q3, [sp, #(2*16)]
    ldp q4, q5, [sp, #(4*16)]
    ldp q6, q7, [sp, #(6*16)]
    ldp x0, x1, [sp, #(8*16+0*8)]
    ldp x2, x3, [sp, #(8*16+2*8)]
    ldp x4, x5, [sp, #(8*16+4*8)]
    ldp x6, x7, [sp, #(8*16+6*8)]
    ldr x8,     [sp, #(8*16+8*8)]

    mov sp, fp
    ldp fp, lr, [sp], #16

.endmacro

bl __class_lookupMethodAndLoadCache3 意思是跳转到__class_lookupMethodAndLoadCache3这个方法.

IMP _class_lookupMethodAndLoadCache3(id obj, SEL sel, Class cls)
{
    return lookUpImpOrForward(cls, sel, obj, 
                              YES/*initialize*/, NO/*cache*/, YES/*resolver*/);
}

接下来就来到了lookUpImpOrForward

IMP lookUpImpOrForward(Class cls, SEL sel, id inst, 
                       bool initialize, bool cache, bool resolver)
{
    IMP imp = nil;
    bool triedResolver = NO;

    runtimeLock.assertUnlocked();

    // Optimistic cache lookup
    if (cache) { //cache为NO在_objc_msgSend汇编代码中已经在cache中找过了,这里就不用再在缓存中找了
        imp = cache_getImp(cls, sel);
        if (imp) return imp;
    }  

    // runtimeLock is held during isRealized and isInitialized checking
    // to prevent races against concurrent realization.

    // runtimeLock is held during method search to make
    // method-lookup + cache-fill atomic with respect to method addition.
    // Otherwise, a category could be added but ignored indefinitely because
    // the cache was re-filled with the old value after the cache flush on
    // behalf of the category.

    runtimeLock.read();
    
    //判断类是否已经实现过了
    if (!cls->isRealized()) {
        // Drop the read-lock and acquire the write-lock.
        // realizeClass() checks isRealized() again to prevent
        // a race while the lock is down.
        runtimeLock.unlockRead();
        runtimeLock.write();

        realizeClass(cls);//如果类没有实现过,就去实现类

        runtimeLock.unlockWrite();
        runtimeLock.read();
    }

    if (initialize  &&  !cls->isInitialized()) {
        runtimeLock.unlockRead();
        _class_initialize (_class_getNonMetaClass(cls, inst));
        runtimeLock.read();
        // If sel == initialize, _class_initialize will send +initialize and 
        // then the messenger will send +initialize again after this 
        // procedure finishes. Of course, if this is not being called 
        // from the messenger then it won't happen. 2778172
    }

    
 retry:    
    runtimeLock.assertReading();

    // Try this class's cache.

    imp = cache_getImp(cls, sel);//再次从缓存中检查
    if (imp) goto done;

    // Try this class's method lists.从自己的类中查找方法找到就把imp返回了
    {
        Method meth = getMethodNoSuper_nolock(cls, sel);
        if (meth) {
            log_and_fill_cache(cls, meth->imp, sel, inst, cls);
            imp = meth->imp;
            goto done;
        }
    }

    // Try superclass caches and method lists. //如果自己的的类中没有找到从父类中找到
    {
        unsigned attempts = unreasonableClassCount();
        for (Class curClass = cls->superclass;curClass != nil;curClass = curClass->superclass)
        {
            //curClass是父类 curClass != nil;curClass = curClass->superclass一直便利,父类
            // Halt if there is a cycle in the superclass chain.如果超类链中存在循环,则停止。
            if (--attempts == 0) {
                _objc_fatal("Memory corruption in class list.");
            }
            
            // Superclass cache.从父类的缓存中找imp
            imp = cache_getImp(curClass, sel);
            if (imp) {
                if (imp != (IMP)_objc_msgForward_impcache) {
                    // Found the method in a superclass. Cache it in this class.在父类中的缓存中找都方法
                    log_and_fill_cache(cls, imp, sel, inst, curClass);//缓存到消息接受者的类中的缓存中
                    goto done;
                }
                else {
                    // Found a forward:: entry in a superclass.
                    // Stop searching, but don't cache yet; call method 
                    // resolver for this class first.
                    break;
                }
            }
            
            // Superclass method list. 在父类中的方法缓存中没有找到方法,就下父类的方法列表中寻找
            Method meth = getMethodNoSuper_nolock(curClass, sel);
            if (meth) {
                log_and_fill_cache(cls, meth->imp, sel, inst, curClass);
                imp = meth->imp;
                goto done;
            }
        }
    }

    // No implementation found. Try method resolver once.
    //自己类的缓存,方法列表,所有父类的缓存,方法类表都没找到 进入动态方法解析阶段 
    if (resolver  &&  !triedResolver) {
        runtimeLock.unlockRead();
        _class_resolveMethod(cls, sel, inst);
        runtimeLock.read();
        // Don't cache the result; we don't hold the lock so it may have 
        // changed already. Re-do the search from scratch instead.
        triedResolver = YES;
        goto retry;   //在动态解析后就会 返回到retry 从新走一遍消息发送流程(如果动态解析阶段我们动态的添加了方法.就会找到imp 如果没有动态解析就会走到最后一个阶段消息转发)
    }

    // No implementation found, and method resolver didn't help. 
    // Use forwarding.

    imp = (IMP)_objc_msgForward_impcache; //消息转发
    cache_fill(cls, sel, imp, inst);

 done:
    runtimeLock.unlockRead();

    return imp;
}

我们分析一下_class_resolveMethod

void _class_resolveMethod(Class cls, SEL sel, id inst)
{
    if (! cls->isMetaClass()) {
        // try [cls resolveInstanceMethod:sel]
        _class_resolveInstanceMethod(cls, sel, inst);
    } 
    else {
        // try [nonMetaClass resolveClassMethod:sel]
        // and [cls resolveInstanceMethod:sel]
        _class_resolveClassMethod(cls, sel, inst);
        if (!lookUpImpOrNil(cls, sel, inst, 
                            NO/*initialize*/, YES/*cache*/, NO/*resolver*/)) 
        {
            _class_resolveInstanceMethod(cls, sel, inst);
        }
    }
}

如果是实例方法则会调用 _class_resolveInstanceMethod.

static void _class_resolveInstanceMethod(Class cls, SEL sel, id inst)
{
    if (! lookUpImpOrNil(cls->ISA(), SEL_resolveInstanceMethod, cls, 
                         NO/*initialize*/, YES/*cache*/, NO/*resolver*/)) 
    {
        // Resolver not implemented.
        return;
    }

    BOOL (*msg)(Class, SEL, SEL) = (typeof(msg))objc_msgSend;
    bool resolved = msg(cls, SEL_resolveInstanceMethod, sel);

    // Cache the result (good or bad) so the resolver doesn't fire next time.
    // +resolveInstanceMethod adds to self a.k.a. cls
    IMP imp = lookUpImpOrNil(cls, sel, inst, 
                             NO/*initialize*/, YES/*cache*/, NO/*resolver*/);

    if (resolved  &&  PrintResolving) {
        if (imp) {
            _objc_inform("RESOLVE: method %c[%s %s] "
                         "dynamically resolved to %p", 
                         cls->isMetaClass() ? '+' : '-', 
                         cls->nameForLogging(), sel_getName(sel), imp);
        }
        else {
            // Method resolver didn't add anything?
            _objc_inform("RESOLVE: +[%s resolveInstanceMethod:%s] returned YES"
                         ", but no new implementation of %c[%s %s] was found",
                         cls->nameForLogging(), sel_getName(sel), 
                         cls->isMetaClass() ? '+' : '-', 
                         cls->nameForLogging(), sel_getName(sel));
        }
    }
}

我们分析一下_class_resolveInstanceMethod方法SEL_resolveInstanceMethod 是+ (BOOL)resolveInstanceMethod:(SEL)sel 通过objc_msgSend调用这个类方法, 我们可以重写这个类方法, 并且在类方法中 动态添加方法

-(void)test1{
    NSLog(@"---");
}

+(void)test1{
    NSLog(@"---");
}

+ (BOOL)resolveClassMethod:(SEL)sel{
    if (sel == @selector(test)) {
        Class class = object_getClass(self);
        Method method = class_getInstanceMethod(class, @selector(test1));
        IMP imp = method_getImplementation(method);
        const char * types =  method_getTypeEncoding(method);
        class_addMethod(class, sel,imp,types);
    }
    return [super resolveClassMethod:sel];
}


+ (BOOL)resolveInstanceMethod:(SEL)sel{
    if (sel == @selector(test)) {
        Method method = class_getInstanceMethod(self, @selector(test1));
        IMP imp = method_getImplementation(method);
        const char * types =  method_getTypeEncoding(method);
        class_addMethod(self, sel,imp,types);
    }
    return [super resolveInstanceMethod:sel];
}

如果我们动态解析没有做事情 就会来到消息转发_objc_msgForward_impcache这个imp我们发现在汇编中找到,但是经过分析是没有源码的,这里暂不分析汇编
下面列出动态转发的几个方法.

- (id)forwardingTargetForSelector:(SEL)aSelector {
    
    if (aSelector == @selector(test)) {
        return [LC_Tool new];
    }
    return [super forwardingTargetForSelector:aSelector];
}

- (NSMethodSignature *)methodSignatureForSelector:(SEL)aSelector{
    if (aSelector == @selector(test)) {
        NSMethodSignature *methodSignature = [NSMethodSignature signatureWithObjCTypes:""];
        return methodSignature;
    }
    return [super methodSignatureForSelector:aSelector];
}

- (void)forwardInvocation:(NSInvocation *)anInvocation{
    //这里拿到 anInvocation可以为所欲为
    //可以任何事情都不做
    //可以转发给一个对象调用方法
    //[anInvocation invokeWithTarget:[NSObject new]];
    
    //可以改变参数
    int a = 10;
    [anInvocation setArgument:&a atIndex:2]; //第0个参数是消息接受者.第1个参数是_cmd
    [anInvocation invokeWithTarget:[NSObject new]];
    
}

在消息转发阶段如果-forwardingTargetForSelector没有实现,就会调用- methodSignatureForSelector方法自己返回方法签名,
然后调用-forwardInvocation返回一个NSInvocation对象

补充一点如果 消息转发阶段这个消息是类方法就会调用+forwardingTargetForSelector,+ methodSignatureForSelector
,+ forwardInvocation (虽然没有暴露出api)

不管是类方法还是对象方法在消息转发阶段, 其实都是消息接受者调用以上的方法.(这样就可以理解为啥 ,对象方法调用-号类方法调用+号了 因为消息接受者不同)

objc_msgSend的执行流程可以分为3大阶段

1消息发送
2动态方法解析
3消息转发

image.png
image.png
image.png

你可能感兴趣的:(objc对象调用方法详细过程)