iOS|iOS objc_msgSend 慢速查找流程分析 iOSobjc_msgSend慢速查找流程分析

在 iOS objc_msgSend 流程中我们讲到了， objc_msgSend 首先通过汇编快速查找方法缓存，如果找到，调用 TailCallCachedImp 直接将方法缓存起来然后进行调用就OK了，如果查找不到就跳到 CheckMiss ，然后走慢速查找流程。接下来我们一起分析一下 objc_msgSend 慢速查找流程。
objc_msgSend 查找流程：

获取传入对象所属的类。
获取该类的方法缓存表。
使用传入的选择子在缓存中查询。
如果缓存中不存在，则开始慢速查找流程。
跳转至 IMP 映射位置的方法。

在 iOS objc_msgSend 流程中我们分析过了，先通过 GetClassFromIsa_p16 获取到传入对象所属的类，然后通过 CacheLookup 在方法缓存表中查找，如果缓存命中走 CacheHit 方法，缓存没命中走 CheckMiss 方法。
一、CheckMiss 方法

.macro CheckMiss // miss if bucket->sel == 0 .if $0 == GETIMP cbz p9, LGetImpMiss .elseif $0 == NORMAL //传进来的是NORMAL,所以走这里 cbz p9, __objc_msgSend_uncached .elseif $0 == LOOKUP cbz p9, __objc_msgLookup_uncached .else .abort oops .endif .endmacro

传进来的是NORMAL，所以会走到 __objc_msgSend_uncached 方法
二、__objc_msgSend_uncached 方法

STATIC_ENTRY __objc_msgSend_uncached UNWIND __objc_msgSend_uncached, FrameWithNoSaves// THIS IS NOT A CALLABLE C FUNCTION // Out-of-band p16 is the class to searchMethodTableLookup TailCallFunctionPointer x17END_ENTRY __objc_msgSend_uncached

紧接着又会来到 MethodTableLookup 方法
三、MethodTableLookup 方法

.macro MethodTableLookup// push frame SignLR stp fp, lr, [sp, #-16]! mov fp, sp// save parameter registers: x0..x8, q0..q7 sub sp, sp, #(10*8 + 8*16) stp q0, q1, [sp, #(0*16)] stp q2, q3, [sp, #(2*16)] stp q4, q5, [sp, #(4*16)] stp q6, q7, [sp, #(6*16)] stp x0, x1, [sp, #(8*16+0*8)] stp x2, x3, [sp, #(8*16+2*8)] stp x4, x5, [sp, #(8*16+4*8)] stp x6, x7, [sp, #(8*16+6*8)] str x8,[sp, #(8*16+8*8)]// lookUpImpOrForward(obj, sel, cls, LOOKUP_INITIALIZE | LOOKUP_RESOLVER) // receiver and selector already in x0 and x1 mov x2, x16 mov x3, #3 bl_lookUpImpOrForward// IMP in x0 mov x17, x0// restore registers and return ldp q0, q1, [sp, #(0*16)] ldp q2, q3, [sp, #(2*16)] ldp q4, q5, [sp, #(4*16)] ldp q6, q7, [sp, #(6*16)] ldp x0, x1, [sp, #(8*16+0*8)] ldp x2, x3, [sp, #(8*16+2*8)] ldp x4, x5, [sp, #(8*16+4*8)] ldp x6, x7, [sp, #(8*16+6*8)] ldr x8,[sp, #(8*16+8*8)]mov sp, fp ldp fp, lr, [sp], #16 AuthenticateLR.endmacro

接着又会来到 lookUpImpOrForward 方法
四、lookUpImpOrForward 方法

IMP lookUpImpOrForward(id inst, SEL sel, Class cls, int behavior) { const IMP forward_imp = (IMP)_objc_msgForward_impcache; IMP imp = nil; Class curClass; runtimeLock.assertUnlocked(); // Optimistic cache lookup if (fastpath(behavior & LOOKUP_CACHE)) { imp = cache_getImp(cls, sel); if (imp) goto done_nolock; }runtimeLock.lock(); // TODO: this check is quite costly during process startup. checkIsKnownClass(cls); if (slowpath(!cls->isRealized())) { cls = realizeClassMaybeSwiftAndLeaveLocked(cls, runtimeLock); // runtimeLock may have been dropped but is now locked again }if (slowpath((behavior & LOOKUP_INITIALIZE) && !cls->isInitialized())) { cls = initializeAndLeaveLocked(cls, inst, runtimeLock); }runtimeLock.assertLocked(); curClass = cls; for (unsigned attempts = unreasonableClassCount(); ; ) { // curClass method list. Method meth = getMethodNoSuper_nolock(curClass, sel); if (meth) { imp = meth->imp; goto done; }if (slowpath((curClass = curClass->superclass) == nil)) { imp = forward_imp; break; }// Halt if there is a cycle in the superclass chain. if (slowpath(--attempts == 0)) { _objc_fatal("Memory corruption in class list."); }// Superclass cache. imp = cache_getImp(curClass, sel); // 有问题???? cache_getImp - lookup - lookUpImpOrForward if (slowpath(imp == forward_imp)) { break; } if (fastpath(imp)) { goto done; } }if (slowpath(behavior & LOOKUP_RESOLVER)) { behavior ^= LOOKUP_RESOLVER; return resolveMethod_locked(inst, sel, cls, behavior); } done: log_and_fill_cache(cls, imp, sel, inst, curClass); runtimeLock.unlock(); done_nolock: if (slowpath((behavior & LOOKUP_NIL) && imp == forward_imp)) { return nil; } return imp; }

4.1 判断缓存是否存在，存在则直接通过cls和sel直接获取imp，并返回。

if (fastpath(behavior & LOOKUP_CACHE)) { imp = cache_getImp(cls, sel); if (imp) goto done_nolock; }

4.2 相关类信息判断

根据所有已知类的列表检查给定的类，有问题直接内部抛出异常。
判断类是否已经被实现，未实现则去实现，这部分后面类的加载章节会详细分析，主要是按照 superclass 和 isa 走向去递归实现父类和元类，同时准备好对象方法和类方法的查找链。
判断类是否被初始化，未初始化则去初始化。

checkIsKnownClass(cls); if (slowpath(!cls->isRealized())) { cls = realizeClassMaybeSwiftAndLeaveLocked(cls, runtimeLock); }if (slowpath((behavior & LOOKUP_INITIALIZE) && !cls->isInitialized())) { cls = initializeAndLeaveLocked(cls, inst, runtimeLock); }

4.3 查找本类的方法列表 4.3.1 利用 getMethodNoSuper_nolock 查找本类的方法列表，如果找到了，进入

goto done;

for (unsigned attempts = unreasonableClassCount(); ; ) { // curClass method list. Method meth = getMethodNoSuper_nolock(curClass, sel); if (meth) { imp = meth->imp; goto done; } }

4.3.2 getMethodNoSuper_nolock 方法 调用 search_method_list_inline 方法 对本类方法列表进行查找

static method_t * getMethodNoSuper_nolock(Class cls, SEL sel) { runtimeLock.assertLocked(); ASSERT(cls->isRealized()); // fixme nil cls? // fixme nil sel?auto const methods = cls->data()->methods(); for (auto mlists = methods.beginLists(), end = methods.endLists(); mlists != end; ++mlists) { // getMethodNoSuper_nolock is the hottest // caller of search_method_list, inlining it turns // getMethodNoSuper_nolock into a frame-less function and eliminates // any store from this codepath. method_t *m = search_method_list_inline(*mlists, sel); if (m) return m; }return nil; }

4.3.3 search_method_list_inline 方法 调用 findMethodInSortedMethodList 方法 对本类方法列表进行二分查找

search_method_list_inline(const method_list_t *mlist, SEL sel) { int methodListIsFixedUp = mlist->isFixedUp(); int methodListHasExpectedSize = mlist->entsize() == sizeof(method_t); if (fastpath(methodListIsFixedUp && methodListHasExpectedSize)) { return findMethodInSortedMethodList(sel, mlist); } else { // Linear search of unsorted method list for (auto& meth : *mlist) { if (meth.name == sel) return &meth; } }#if DEBUG // sanity-check negative results if (mlist->isFixedUp()) { for (auto& meth : *mlist) { if (meth.name == sel) { _objc_fatal("linear search worked when binary search did not"); } } } #endifreturn nil; }

4.3.4 findMethodInSortedMethodList 方法 对本类方法列表进行二分查找

findMethodInSortedMethodList(SEL key, const method_list_t *list) { ASSERT(list); const method_t * const first = &list->first; const method_t *base = first; const method_t *probe; uintptr_t keyValue = https://www.it610.com/article/(uintptr_t)key; uint32_t count; for (count = list->count; count != 0; count >>= 1) { probe = base + (count >> 1); uintptr_t probeValue = https://www.it610.com/article/(uintptr_t)probe->name; if (keyValue =https://www.it610.com/article/= probeValue) { // `probe` is a match. // Rewind looking for the *first* occurrence of this value. // This is required for correct category overrides. while (probe> first && keyValue =https://www.it610.com/article/= (uintptr_t)probe[-1].name) { probe--; } return (method_t *)probe; }if (keyValue> probeValue) { base = probe + 1; count--; } }return nil; }

4.4 done 方法

如果找到了，进入本方法，调用 log_and_fill_cache 方法

done: log_and_fill_cache(cls, imp, sel, inst, curClass); runtimeLock.unlock();

4.5 log_and_fill_cache 方法

利用 cache_fill 方法 写入到缓存里面，为了下次直接从缓存里面快速查找到。

static void log_and_fill_cache(Class cls, IMP imp, SEL sel, id receiver, Class implementer) { #if SUPPORT_MESSAGE_LOGGING if (slowpath(objcMsgLogEnabled && implementer)) { bool cacheIt = logMessageSend(implementer->isMetaClass(), cls->nameForLogging(), implementer->nameForLogging(), sel); if (!cacheIt) return; } #endif // objc_msgSend -> 二分查找自己 -> cache_fill -> objc_msgSend // cache_fill(cls, sel, imp, receiver); }

4.6 递归查找父类的缓存 4.6.1 查找本类的方法列表如果找不到，就递归查找父类的缓存

调用 cache_getImp 方法 找到父类

// Superclass cache. imp = cache_getImp(curClass, sel); // 有问题???? cache_getImp - lookUpImpOrForward

cache_getImp 方法

STATIC_ENTRY _cache_getImpGetClassFromIsa_p16 p0 CacheLookup GETIMP, _cache_getImpLGetImpMiss: mov p0, #0 retEND_ENTRY _cache_getImp

4.7 递归父类缓存查找不到，利用 imp = forward_imp

if (slowpath((curClass = curClass->superclass) == nil)) { // No implementation found, and method resolver didn't help. // Use forwarding. imp = forward_imp; break; } if (slowpath(imp == forward_imp)) { // Found a forward:: entry in a superclass. // Stop searching, but don't cache yet; call method // resolver for this class first. break; }

4.7.1 forward_imp

const IMP forward_imp = (IMP)_objc_msgForward_impcache;

4.7.2 _objc_msgForward_impcache

_objc_msgForward_impcache 方法 调用 __objc_msgForward 方法
__objc_msgForward 方法 调用 TailCallFunctionPointer x17

STATIC_ENTRY __objc_msgForward_impcache// No stret specialization. b__objc_msgForwardEND_ENTRY __objc_msgForward_impcacheENTRY __objc_msgForwardadrpx17, __objc_forward_handler@PAGE ldr p17, [x17, __objc_forward_handler@PAGEOFF] TailCallFunctionPointer x17END_ENTRY __objc_msgForward

4.7.3 TailCallFunctionPointer 方法 TailCallFunctionPointer 方法 就是返回指针的值，返回 x17 的值，x17 的值是 __objc_forward_handler 方法 确定的

.macro TailCallFunctionPointer // $0 = function pointer value braaz$0 .endmacro

4.7.4 __objc_forward_handler 方法

objc_defaultForwardHandler(id self, SEL sel) { _objc_fatal("%c[%s %s]: unrecognized selector sent to instance %p " "(no message forward handler is installed)", class_isMetaClass(object_getClass(self)) ? '+' : '-', object_getClassName(self), sel_getName(sel), self); } void *_objc_forward_handler = (void*)objc_defaultForwardHandler;

如果方法没有实现，imp 会置换成 forward_imp , forward_imp 最终会走到 __objc_forward_handler 方法 返回 unrecognized selector sent to instance ... 信息，我们查看一下方法没有实现的报错信息会发现，报错信息的模板原来在这。

Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '-[LGPerson say666]: unrecognized selector sent to instance 0x1007738f0'

4.8 动态方法决议 【iOS|iOS objc_msgSend 慢速查找流程分析】在4.7中将 imp 置换成 forward_imp 后，会 break 跳出循环，走到动态方法决议这里：

if (slowpath(behavior & LOOKUP_RESOLVER)) { behavior ^= LOOKUP_RESOLVER; return resolveMethod_locked(inst, sel, cls, behavior); }

4.8.1 resolveMethod_locked 方法

resolveMethod_locked(id inst, SEL sel, Class cls, int behavior) { runtimeLock.assertLocked(); ASSERT(cls->isRealized()); // 方法没有你怎么不知道 // 报错 // 给你一次机会 runtimeLock.unlock(); if (! cls->isMetaClass()) { // try [cls resolveInstanceMethod:sel] resolveInstanceMethod(inst, sel, cls); } else { // try [nonMetaClass resolveClassMethod:sel] // and [cls resolveInstanceMethod:sel] resolveClassMethod(inst, sel, cls); if (!lookUpImpOrNil(inst, sel, cls)) { resolveInstanceMethod(inst, sel, cls); } }// chances are that calling the resolver have populated the cache // so attempt using it return lookUpImpOrForward(inst, sel, cls, behavior | LOOKUP_CACHE); }

4.8.2 resolveInstanceMethod 方法`

我们发现在 resolveInstanceMethod 方法 中将 IMP imp = lookUpImpOrNil(inst, sel, cls); ，所以我们跳进 lookUpImpOrNil 方法 看一下会发现又回到了 lookUpImpOrForward 方法 ，那对之前做了什么产生了好奇。
往上走我们发现有下面两行代码
BOOL (*msg)(Class, SEL, SEL) = (typeof(msg))objc_msgSend;
bool resolved = msg(cls, resolve_sel, sel);
如果我们实现 resolveInstanceMethod 方法 将方法的 imp 进行赋值，然后再回到 lookUpImpOrForward 方法 之后 imp 有值，就不会报错了。

static void resolveInstanceMethod(id inst, SEL sel, Class cls) { runtimeLock.assertUnlocked(); ASSERT(cls->isRealized()); SEL resolve_sel = @selector(resolveInstanceMethod:); if (!lookUpImpOrNil(cls, resolve_sel, cls->ISA())) { // Resolver not implemented. return; }BOOL (*msg)(Class, SEL, SEL) = (typeof(msg))objc_msgSend; bool resolved = msg(cls, resolve_sel, sel); // Cache the result (good or bad) so the resolver doesn't fire next time. // +resolveInstanceMethod adds to self a.k.a. cls IMP imp = lookUpImpOrNil(inst, sel, cls); if (resolved&&PrintResolving) { if (imp) { _objc_inform("RESOLVE: method %c[%s %s] " "dynamically resolved to %p", cls->isMetaClass() ? '+' : '-', cls->nameForLogging(), sel_getName(sel), imp); } else { // Method resolver didn't add anything? _objc_inform("RESOLVE: +[%s resolveInstanceMethod:%s] returned YES" ", but no new implementation of %c[%s %s] was found", cls->nameForLogging(), sel_getName(sel), cls->isMetaClass() ? '+' : '-', cls->nameForLogging(), sel_getName(sel)); } } }

lookUpImpOrNil(id obj, SEL sel, Class cls, int behavior = 0) { return lookUpImpOrForward(obj, sel, cls, behavior | LOOKUP_CACHE | LOOKUP_NIL); }

4.8.3 动态方法决议实现

#import "LGPerson.h" #import @implementation LGPerson- (void)sayMaster{ NSLog(@"%s",__func__); }+ (BOOL)resolveInstanceMethod:(SEL)sel{if (sel == @selector(say666)) { NSLog(@"%@ 来了",NSStringFromSelector(sel)); IMP imp= class_getMethodImplementation(self, @selector(sayMaster)); Method sayMMethod = class_getInstanceMethod(self, @selector(sayMaster)); const char *type= method_getTypeEncoding(sayMMethod); return class_addMethod(self, sel, imp, type); }return [super resolveInstanceMethod:sel]; }

2020-09-22 23:32:48.798620+0800 KCObjc[29296:555622] say666 来了 2020-09-22 23:32:48.799018+0800 KCObjc[29296:555622] -[LGPerson sayMaster]

5. 总结

当在 objc_msgSend 缓存中没有找到方法，就会来到 CheckMiss -> __objc_msgSend_uncached -> MethodTableLookup -> lookUpImpOrForward 进行慢速查找流程。
在 lookUpImpOrForward 里面会先去本类当中查找方法 getMethodNoSuper_nolock ，本类没有找到就会去递归的去父类当中查找。
如果本类和父类都没有找到，就会进行动态方法决议_class_resolveMethod ，这是苹果爸爸给我们的最后一次机会。
动态方法我们还不处理，最后就会走到将 imp 置换成 forward_imp ,
最终到 _objc_forward_handler 方法 崩溃报错 unrecognized selector sent to instance ...。