cache_t 结构
在ISA指向、类结构中分析过 cache_t
占用的内存大小,今天来分析下它的原理。
// Excerpt of the runtime's per-class method cache header. The storage layout
// is selected at compile time by CACHE_MASK_STORAGE, so code that inspects a
// cache from outside the runtime must match the variant of the running build.
struct cache_t {
// macOS and simulator builds: bucket pointer and mask are separate fields.
#if CACHE_MASK_STORAGE == CACHE_MASK_STORAGE_OUTLINED
explicit_atomic<struct bucket_t *> _buckets;
explicit_atomic<mask_t> _mask;
// 64-bit device builds.
#elif CACHE_MASK_STORAGE == CACHE_MASK_STORAGE_HIGH_16
// Optimisation on devices: the mask and the bucket pointer share one word.
explicit_atomic<uintptr_t> _maskAndBuckets;
mask_t _mask_unused;
// Packed-field constants, similar in spirit to the bit fields of the isa union.
// How much the mask is shifted by.
static constexpr uintptr_t maskShift = 48;
......
// Non-64-bit device builds.
#elif CACHE_MASK_STORAGE == CACHE_MASK_STORAGE_LOW_4
explicit_atomic<uintptr_t> _maskAndBuckets;
mask_t _mask_unused;
..... 位域代码 通上
static constexpr uintptr_t maskBits = 4;
#else
#error Unknown cache mask storage type.
#endif
// _flags exists only on LP64 targets, so the struct differs between 32- and 64-bit builds.
#if __LP64__
uint16_t _flags;
#endif
// Count of entries currently stored (bumped by incrementOccupied(), zeroed by setBucketsAndMask()).
uint16_t _occupied;
......
bucket_t
声明在arm64
架构和非arm64
架构有不同的定义
// One cache entry: a selector paired with its implementation.
// _imp is declared as uintptr_t, not IMP: the stored word is not a callable
// function pointer and has to be decoded through imp(cls), as the lldb
// session in this article does.
struct bucket_t {
private:
// IMP-first is better for arm64e ptrauth and no worse for arm64.
// SEL-first is better for armv7* and i386 and x86_64.
// The field order therefore differs per architecture; a hand-written mirror
// of this struct is only valid for the architecture it was copied for.
#if __arm64__
explicit_atomic<uintptr_t> _imp;
explicit_atomic<SEL> _sel;
#else
explicit_atomic<SEL> _sel;
explicit_atomic<uintptr_t> _imp;
#endif
.....
从上面分析可以得出 cache_t
主要是存储 imp
和 sel
的,先来定义一个类分析下
/// Minimal test class; its two instance methods exist only so that calling
/// them populates the class's method cache for inspection.
@interface LGPerson : NSObject
/// Called second in main().
- (void)sayHello;
/// Called first in main().
- (void)sayHappy;
@end
/// Demo driver for the lldb walk-through: stop at the first log line to see
/// the cache before any instance method has run, and at the second log line
/// to see it after two methods have been sent.
int main(int argc, const char * argv[]) {
    @autoreleasepool {
        // Only +alloc is sent here; -init is never called on the instance.
        // NOTE(review): presumably deliberate, so that no extra selector ends
        // up in the cache under inspection. Confirm with the author.
        LGPerson *target = [LGPerson alloc];

        NSLog(@"第一个断点在这里");

        // Each message send below is expected to add one cache entry.
        [target sayHappy];
        [target sayHello];

        NSLog(@"第二个断点在这里");
    }
    return 0;
}
- 第一个断点分析
(lldb) x/4gx LGPerson.class
0x1000082a8: 0x0000000100008280 0x000000010034c140
0x1000082b8: 0x0000000100346440 0x0000801000000000
(lldb) p (cache_t *)0x1000082b8
(cache_t *) $1 = 0x00000001000082b8
(lldb) p *$1
(cache_t) $2 = {
_buckets = {
std::__1::atomic<bucket_t *> = {
Value = 0x0000000100346440
}
}
_mask = {
std::__1::atomic<unsigned int> = {
Value = 0
}
}
_flags = 32784
_occupied = 0
}
(lldb) p $2.buckets()
(bucket_t *) $3 = 0x0000000100346440
(lldb) p *$3
(bucket_t) $4 = {
_sel = {
std::__1::atomic<objc_selector *> = (null) {
Value = (null)
}
}
_imp = {
std::__1::atomic<unsigned long> = {
Value = 0
}
}
}
(lldb) p $4.sel()
(SEL) $5 = <no value available>
(lldb) p $4.imp(LGPerson.class)
(IMP) $6 = 0x0000000000000000
从类结构分析中知道,可以使用首地址的内存偏移获取相应的变量地址。cache 只需从首地址偏移 16 个字节(ISA 8 字节 + superclass 8 字节)即可得到,即 0x1000082a8 变为 0x1000082b8。接下来就类似 bits 分析里面的那样,找到对应的方法(这里是 buckets())获取 bucket_t,然后通过里面的 sel() 方法获取 sel,通过 imp(Class)(注意入参)方法获取 IMP。
Tip: 什么时候用 ->
什么时候用 .
?
当当前变量为指针
类型的时候用 ->
, 不是的话用 .
。
- 第二个断点分析
(lldb) p *$3
(bucket_t) $7 = {
_sel = {
std::__1::atomic<objc_selector *> = (null) {
Value = (null)
}
}
_imp = {
std::__1::atomic<unsigned long> = {
Value = 0
}
}
}
方法调用了为什么buckets
里面还是没变?
(lldb) p $2.buckets()
(bucket_t *) $8 = 0x0000000100d046f0
原来问题在这里,与上个方法(bucket_t *) $3 = 0x0000000100346440
明显不是一个地址。
(lldb) p *$8
(bucket_t) $9 = {
_sel = {
std::__1::atomic<objc_selector *> = "" {
Value = ""
}
}
_imp = {
std::__1::atomic<unsigned long> = {
Value = 49080
}
}
}
(lldb) p $9.sel()
(SEL) $11 = "sayHappy"
(lldb) p $9.imp(LGPerson.class)
(IMP) $12 = 0x0000000100003d10 (KCObjc`-[LGPerson sayHappy])
调用了2个方法,怎么打印另一个方法呢?回顾类结构分析中数组
可以通过指针+1
方式获取后面的元素
,来试下!
(lldb) p *($8 +1)
(bucket_t) $13 = {
_sel = {
std::__1::atomic<objc_selector *> = "" {
Value = ""
}
}
_imp = {
std::__1::atomic<unsigned long> = {
Value = 48712
}
}
}
(lldb) p $13.sel()
(SEL) $14 = "sayHello"
(lldb) p $13.imp(LGPerson.class)
(IMP) $15 = 0x0000000100003ce0 (KCObjc`-[LGPerson sayHello])
(lldb) p *($8 +2)
(bucket_t) $16 = {
_sel = {
std::__1::atomic<objc_selector *> = (null) {
Value = (null)
}
}
_imp = {
std::__1::atomic<unsigned long> = {
Value = 0
}
}
}
(lldb) p $16.sel()
(SEL) $17 = <no value available>
(lldb) p $16.imp(LGPerson.class)
(IMP) $18 = 0x0000000000000000
(lldb)
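要取指针类型的 $8(重新调用 buckets() 得到的新地址),才能获取到 sayHappy 的 sel 和 imp。
注意 _imp 里保存的并不是可以直接调用的函数地址:上面 sayHappy 的 Value = 49080(即 0xbfb8),正好等于真实 IMP 0x100003d10 与类地址 0x1000082a8 异或的结果;sayHello 的 48712(0xbe48)同理。这就是 imp(Class) 需要传入类的原因——必须用类地址才能还原出真实的 IMP。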
脱离源码解析
创建一个正常的OC项目。
// Hand-written mirrors of the runtime's private class layout, used to read a
// class's method cache without the objc source project.
// These structs must match the runtime's in-memory layout byte for byte. They
// follow the "outlined" variant (separate _buckets and _mask, SEL before IMP),
// which the runtime excerpts in this article attribute to macOS and simulator
// builds. On a build that packs mask and buckets into one word, or that puts
// IMP first, reading through these structs would misinterpret memory.
// NOTE(review): this is private, undocumented layout and can change between
// runtime versions; keep it to debugging and study builds.
typedef uint32_t mask_t; // x86_64 & arm64 asm are less efficient with 16-bits
// Mirror of bucket_t in the SEL-first field order.
struct lg_bucket_t {
SEL _sel;
// Holds the runtime's stored (encoded) word, not necessarily a callable
// function pointer; the logs below print small values such as 0xb858.
IMP _imp;
};
// Mirror of cache_t for the outlined layout on an LP64 target (_flags present).
struct lg_cache_t {
struct lg_bucket_t * _buckets;
mask_t _mask;
uint16_t _flags;
uint16_t _occupied;
};
// Mirror of class_data_bits_t; only its size matters for this demo.
struct lg_class_data_bits_t {
uintptr_t bits;
};
// Mirror of objc_class. In the runtime source ISA is inherited from
// objc_object, so it has to be declared explicitly here to keep the offsets.
struct lg_objc_class {
Class ISA;
Class superclass;
struct lg_cache_t cache; // formerly cache pointer and vtable
struct lg_class_data_bits_t bits; // class_rw_t * plus custom rr/alloc flags
};
/// Demo driver: sends four messages to an LGPerson instance, then reinterprets
/// the class object as lg_objc_class and logs the cache's occupied count, its
/// mask, and the selector / stored IMP word of each bucket below index _mask.
///
/// The cast relies on lg_objc_class matching the runtime's private layout for
/// the running build; on any other layout the reads below touch unrelated
/// memory. The value logged for _imp is the word the runtime stored, which in
/// the sample output (e.g. 0xb858) is clearly not a real code address, so it
/// must never be called directly.
int main(int argc, const char * argv[]) {
    @autoreleasepool {
        // Only +alloc is sent, no -init. Any further message sent to the
        // instance before the dump would also be cached and change the output.
        LGPerson *person = [LGPerson alloc];
        Class cls = [LGPerson class]; // objc_class

        [person say1];
        [person say2];
        [person say3];
        [person say4];

        // __bridge: reinterpret the pointer only, no ownership transfer.
        struct lg_objc_class *mirror = (__bridge struct lg_objc_class *)(cls);
        NSLog(@"%hu - %u",mirror->cache._occupied,mirror->cache._mask);

        // Walk indexes 0 ..< _mask. The fields are re-read from the live class
        // on every iteration, exactly as a plain indexed loop would.
        mask_t index = 0;
        while (index < mirror->cache._mask) {
            // Copy out the bucket at this index and print it.
            struct lg_bucket_t slot = mirror->cache._buckets[index];
            NSLog(@"%@ - %p",NSStringFromSelector(slot._sel),slot._imp);
            index++;
        }

        NSLog(@"Hello, World!");
    }
    return 0;
}
自定义一个 lg_objc_class
结构体
和所需的其他结构体
,从源码中copy过来关键参数,注意 Class ISA
变量,源码工程中的 ISA
是从 objc_object
中继承过去的。
先只调用 say1
和say2
方法:
2020-10-28 10:07:51.135761+0800 003-cache_t脱离源码环境分析[15880:405998] LGPerson say : -[LGPerson say1]
2020-10-28 10:07:51.136104+0800 003-cache_t脱离源码环境分析[15880:405998] LGPerson say : -[LGPerson say2]
2020-10-28 10:07:51.136145+0800 003-cache_t脱离源码环境分析[15880:405998] 2 - 3
2020-10-28 10:07:51.136245+0800 003-cache_t脱离源码环境分析[15880:405998] say1 - 0xb858
2020-10-28 10:07:51.136341+0800 003-cache_t脱离源码环境分析[15880:405998] say2 - 0xb808
2020-10-28 10:07:51.136395+0800 003-cache_t脱离源码环境分析[15880:405998] (null) - 0x0
加上调用 say3
和say4
方法:
2020-10-28 10:09:55.838791+0800 003-cache_t脱离源码环境分析[15904:407473] LGPerson say : -[LGPerson say1]
2020-10-28 10:09:55.839174+0800 003-cache_t脱离源码环境分析[15904:407473] LGPerson say : -[LGPerson say2]
2020-10-28 10:09:55.839209+0800 003-cache_t脱离源码环境分析[15904:407473] LGPerson say : -[LGPerson say3]
2020-10-28 10:09:55.839243+0800 003-cache_t脱离源码环境分析[15904:407473] LGPerson say : -[LGPerson say4]
2020-10-28 10:09:55.839283+0800 003-cache_t脱离源码环境分析[15904:407473] 2 - 7
2020-10-28 10:09:55.839400+0800 003-cache_t脱离源码环境分析[15904:407473] say4 - 0xb9b8
2020-10-28 10:09:55.839452+0800 003-cache_t脱离源码环境分析[15904:407473] (null) - 0x0
2020-10-28 10:09:55.839507+0800 003-cache_t脱离源码环境分析[15904:407473] say3 - 0xb9e8
2020-10-28 10:09:55.839532+0800 003-cache_t脱离源码环境分析[15904:407473] (null) - 0x0
2020-10-28 10:09:55.839552+0800 003-cache_t脱离源码环境分析[15904:407473] (null) - 0x0
2020-10-28 10:09:55.839570+0800 003-cache_t脱离源码环境分析[15904:407473] (null) - 0x0
2020-10-28 10:09:55.839626+0800 003-cache_t脱离源码环境分析[15904:407473] (null) - 0x0
对上面的打印我们先提几个问题?
1、 _mask
和 _occupied
是什么含义?
2、 为什么调用两个方法和四个方法的 _occupied
和 _mask
数值发生了变化?
3、 say4
方法的打印为什么在 say3
方法前面?
4、 为什么会有空的打印?
源码解析
带着这几个问题,我们去看下源码实现,从哪里下手分析呢?先从方法
下手。
// Excerpt of cache_t's public interface (fields and other members elided).
struct cache_t {
.....
public:
static bucket_t *emptyBuckets();
// Current bucket array.
struct bucket_t *buckets();
mask_t mask();
// Number of entries stored; returns _occupied.
mask_t occupied();
// _occupied++, called by insert() when a new entry is written.
void incrementOccupied();
// Installs a new bucket array and mask and resets _occupied to 0.
void setBucketsAndMask(struct bucket_t *newBuckets, mask_t newMask);
void initializeToEmpty();
// NOTE(review): presumably mask() + 1 for a non-empty cache; the body is not shown here.
unsigned capacity();
bool isConstantEmptyCache();
bool canBeFreed();
.....
}
既然想知道 occupied
先看下 occupied()
,还有一个 incrementOccupied
方法里面 有_occupied
自增操作,此处下个断点。 [person say1];
后看下调用顺序。
// Returns the number of entries currently recorded in this cache,
// i.e. the value of _occupied widened to mask_t.
mask_t cache_t::occupied()
{
    const mask_t filled = _occupied;
    return filled;
}
// Records that one more bucket has been filled. No locking happens here;
// the caller shown in this article (insert) asserts that the cache lock is held.
void cache_t::incrementOccupied()
{
    _occupied += 1;
}
找到 cache_t
的 insert
方法进行分析:
// Adds the (sel, imp) pair to cls's method cache, allocating or growing the
// bucket array first when needed.
//   cls      - class whose cache is being filled; must already be initialized.
//   sel      - selector to cache; must be non-zero.
//   imp      - implementation to store for sel.
//   receiver - passed to bad_cache() only, for reporting.
// The caller must already hold the cache lock; this function only asserts it.
void cache_t::insert(Class cls, SEL sel, IMP imp, id receiver)
{
#if CONFIG_USE_CACHE_LOCK
cacheUpdateLock.assertLocked();
#else
runtimeLock.assertLocked();
#endif
ASSERT(sel != 0 && cls->isInitialized());
// Use the cache as-is if it is less than 3/4 full.
mask_t newOccupied = occupied() + 1;
unsigned oldCapacity = capacity(), capacity = oldCapacity;
// First insertion: the class still points at the constant empty cache,
// so real storage has to be allocated.
if (slowpath(isConstantEmptyCache())) {
// Cache is read-only. Replace it.
if (!capacity) capacity = INIT_CACHE_SIZE; //(1 << INIT_CACHE_SIZE_LOG2 = 1 << 2 = 4)
// Allocate and install the new array; the old (constant) one is not freed.
reallocate(oldCapacity, capacity, /* freeOld */false);
}
// At or below 3/4 of capacity nothing is resized. newOccupied is
// _occupied + 1 and, per the author's note, CACHE_END_MARKER is 1 on this
// build, so with capacity 4 the first growth happens on the third method.
else if (fastpath(newOccupied + CACHE_END_MARKER <= capacity / 4 * 3)) {
// Cache is less than 3/4 full. Use it as-is.
}
else {
// Double the capacity.
capacity = capacity ? capacity * 2 : INIT_CACHE_SIZE;
// Clamp to the maximum cache size (2^16 according to the author's note).
if (capacity > MAX_CACHE_SIZE) {
capacity = MAX_CACHE_SIZE;
}
// Allocate and install a new array and hand the old one over for freeing.
// Existing entries are not copied, so the cache starts empty again.
reallocate(oldCapacity, capacity, true);
}
// Fetch the (possibly just replaced) bucket array.
bucket_t *b = buckets();
mask_t m = capacity - 1;
// Starting index from the hash; the author gives it as
// (mask_t)(uintptr_t)sel & mask.
mask_t begin = cache_hash(sel, m);
mask_t i = begin;
// Scan for the first unused slot and insert there.
// There is guaranteed to be an empty slot because the
// minimum size is 4 and we resized at 3/4 full.
do {
// The slot at this index has no selector yet: claim it.
if (fastpath(b[i].sel() == 0)) {
// _occupied++
incrementOccupied();
// Encoded: the IMP is stored in encoded form tied to cls, which is why
// reading it back goes through imp(cls).
b[i].set<Atomic, Encoded>(sel, imp, cls);
return;
}
if (b[i].sel() == sel) { // this slot already holds the same selector
// The entry was added to the cache by some other thread
// before we grabbed the cacheUpdateLock.
return;
}
// Collision: cache_next() yields the next index to probe; stop once the
// probe is back at the starting index.
} while (fastpath((i = cache_next(i, m)) != begin));
// Every slot was probed without finding a free or matching one, which the
// sizing policy above is meant to rule out; report it via bad_cache().
cache_t::bad_cache(receiver, (SEL)sel, cls);
}
// Fragment used for the three-breakpoint walk-through of cache_t::insert.
// Each breakpoint sits on the message send that follows it.
LGPerson *person = [LGPerson alloc];
// Breakpoint 1
[person say1];
// Breakpoint 2
[person say2];
// Breakpoint 3
[person say3];
-
断点1 添加第一个方法分析,
occupied()
返回的_occupied
为0
,newOccupied = 1
,进入slowpath(isConstantEmptyCache())
判断条件,capacity
=1<<2 = 4
,reallocate
方法创建并写入缓存,通过sel = "say1"
&capacity - 1 =3
算出下标1
,通过do while
循环插入sel
,_occupied
自增为1
。
(lldb) p buckets()
(bucket_t *) $0 = 0x0000000100675420
(lldb) p *$0
(bucket_t) $1 = {
_sel = {
std::__1::atomic<objc_selector *> = (null) {
Value = (null)
}
}
_imp = {
std::__1::atomic<unsigned long> = {
Value = 0
}
}
}
(lldb) p *($0 +1) // 首地址指针 + 1 指向第二个元素
(bucket_t) $2 = {
_sel = {
std::__1::atomic<objc_selector *> = "" {
Value = ""
}
}
_imp = {
std::__1::atomic<unsigned long> = {
Value = 48752
}
}
}
(lldb) p $2.sel()
(SEL) $3 = "say1"
(lldb) p $2.imp(cls)
(IMP) $4 = 0x0000000100003c80 (KCObjc`-[LGPerson say1])
-
断点2 添加第二个方法分析,
occupied()
返回的_occupied
为1
,newOccupied = 2
,oldCapacity
=4
,capacity
=4
,进入fastpath(newOccupied + CACHE_END_MARKER <= capacity / 4 * 3)
判断条件(没有操作),通过sel = "say2"
&capacity - 1 =3
算出下标2
,通过do while
循环插入sel
,_occupied
自增为2
。
(lldb) p *($0 +2)
(bucket_t) $6 = {
_sel = {
std::__1::atomic<objc_selector *> = "" {
Value = ""
}
}
_imp = {
std::__1::atomic<unsigned long> = {
Value = 48704
}
}
}
(lldb) p $6.sel()
(SEL) $7 = "say2"
(lldb) p $6.imp(cls)
(IMP) $8 = 0x0000000100003cb0 (KCObjc`-[LGPerson say2])
(lldb)
-
断点3 添加第三个方法分析,
occupied()
返回的_occupied
为2
,newOccupied
=3
,oldCapacity
=4
,capacity
=4
,进入else
判断条件,capacity = 4*2 =8
扩展一倍,限制最大分配空间为2^16
,reallocate()
重新创建内存,并且清理旧的缓存空间_occupied
被置为0
。
buckets()
获取(bucket_t *) b = 0x00000001007612f0
已经分配新的内存空间 没有任何缓存 通过sel = "say3"
&capacity - 1 =7
算出下标7
,通过do while
循环插入sel
,b[7].sel()
不为空,cache_next
i+1
与mask
再次进行hash 算出下标0
进行循环 ,储存成功,_occupied
自增为1
。
(lldb) p b[7].sel()
(SEL) $10 = <no value available>
(lldb) p b[7].imp(cls)
(IMP) $11 = 0x0000000000769000 (0x0000000000769000)
(lldb) p b[0].sel()
(SEL) $12 = <no value available>
(lldb) p b[0].sel()
(SEL) $13 = "say3"
(lldb) p b[0].imp(cls)
(IMP) $14 = 0x0000000100003ce0 (KCObjc`-[LGPerson say3])
(lldb)
reallocate
方法源码:
// Replaces the cache's bucket array with a newly allocated one of
// newCapacity buckets and, when freeOld is true, hands the previous array
// to cache_collect_free(). Entries are not carried over.
//   oldCapacity - capacity of the array being replaced.
//   newCapacity - capacity of the new array; must be > 0 and fit in mask_t.
//   freeOld     - false when the old array must not be freed (insert()
//                 passes false when replacing the constant empty cache).
void cache_t::reallocate(mask_t oldCapacity, mask_t newCapacity, bool freeOld)
{
// Remember the current array. On the first allocation it holds only an
// empty imp/sel entry (author's observation).
bucket_t *oldBuckets = buckets();
// The new array also starts out empty.
bucket_t *newBuckets = allocateBuckets(newCapacity);
// Cache's old contents are not propagated.
// This is thought to save cache memory at the cost of extra cache fills.
// fixme re-measure this
ASSERT(newCapacity > 0);
// newCapacity - 1 becomes the mask, so it must survive the cast to mask_t.
ASSERT((uintptr_t)(mask_t)(newCapacity-1) == newCapacity-1);
// Install the new array and mask; this also resets _occupied to 0.
setBucketsAndMask(newBuckets, newCapacity - 1);
if (freeOld) {
// Release the old array only after the new one has been installed.
// NOTE(review): presumably cache_collect_free defers the actual free in
// case readers still hold the old pointer. Confirm in its source.
cache_collect_free(oldBuckets, oldCapacity);
}
}
setBucketsAndMask
源码:
// Installs a new bucket array and mask and resets the occupied count to 0
// (outlined-storage variant, where _buckets and _mask are separate fields).
// In both branches the bucket pointer is stored before the mask.
void cache_t::setBucketsAndMask(struct bucket_t *newBuckets, mask_t newMask)
{
#ifdef __arm__ // ARM device builds
// Relaxed stores separated by explicit barriers.
mega_barrier();
// Store the new bucket pointer.
_buckets.store(newBuckets, memory_order::memory_order_relaxed);
mega_barrier();
_mask.store(newMask, memory_order::memory_order_relaxed);
// The new array holds no entries yet.
_occupied = 0;
#elif __x86_64__ || i386 // macOS or simulator
// Release stores instead of explicit barriers.
_buckets.store(newBuckets, memory_order::memory_order_release);
_mask.store(newMask, memory_order::memory_order_release);
// The new array holds no entries yet.
_occupied = 0;
#else
#error Don't know how to do setBucketsAndMask on this architecture.
#endif
}
问题回答
1、 _mask
和 _occupied
是什么含义?
_occupied
为 缓存的 imp - sel
的个数,相当于数组中的实际储存量。
_mask
为哈希算法
的 掩码
,为当前开辟的空间大小 capacity
-1
。
2、 为什么调用两个方法和四个方法的 _occupied
和 _mask
数值发生了变化?
当调用 say1
、 say2
方法的时候,capacity
为4,因为默认开辟空间为 4
,没有触发 扩容
操作,所以capacity
没有发生变化。 _mask
为4 -1 = 3
。
当存入 say3
的时候进行了扩容,capacity
为 4*2
= 8
,因为是新的内存段 say1
、say2
就没有了,_occupied
在此时也被赋值为0
,存入say3
_occupied++
= 1
,存入 say4
方法的时候(+1)并没有超过 capacity =8
的3/4
,_occupied ++
=2
,_mask
为 8-1 = 7
。
Tips: 调用点语法(属性的存取方法)或 init 方法时,和 say 方法一样都会被缓存。
3、 say4
方法的打印为什么在 say3
方法前面?
存入方法的时候,下标是根据 sel & mask(mask 即 capacity - 1)算出来的,发生冲突时再用 (i+1) & mask 继续找空位。所以存放位置由 sel 的值和当前的 mask 决定,看起来是无序的,并不是按调用顺序排的。