前言
本篇将会介绍block的类型、循环引用和一些相关的面试题,并在下一篇文章对这些上层表现用底层源码进行验证和分析。
准备
一、clang 分析 block
基本变量 clang分析
在main.m中创建mMain函数:
int mMain(void);
int main(int argc, const char * argv[]) {
@autoreleasepool {
return mMain();
}
return NSApplicationMain(argc, argv);
}
int mMain(void) {
int a = 18;
void(^block)(void) = ^{
printf("ssl - %d",a);
};
block();
return 0;
}
通过命令clang -rewrite-objc main.m -o main.cpp得到main.cpp文件,查看相关函数:
int mMain(void) {
int a = 18;
void(*block)(void) = __mMain_block_impl_0(__mMain_block_func_0, &__mMain_block_desc_0_DATA, a));
block->FuncPtr(block);
return 0;
}
struct __mMain_block_impl_0 {
struct __block_impl impl;
struct __mMain_block_desc_0* Desc;
int a;
__mMain_block_impl_0(void *fp, struct __mMain_block_desc_0 *desc, int _a, int flags=0) : a(_a) {
impl.isa = &_NSConcreteStackBlock;
impl.Flags = flags;
impl.FuncPtr = fp;
Desc = desc;
}
};
- 在
mMain函数中调用了__mMain_block_impl_0。 __mMain_block_impl_0是个结构体,有一个int a成员变量,有个构造函数,其中a(_a)是对a成员变量进行了赋值操作。impl.isa = &_NSConcreteStackBlock;,可以看到这里是一个栈block,而在我们的理解里,这应该是堆block才对,下面会进行分析。fp是mMain中的__mMain_block_func_0,将它赋值给了FuncPtr,而最终block的调用就是调用了FuncPtr也就是__mMain_block_func_0。
查看__mMain_block_func_0:
static void __mMain_block_func_0(struct __mMain_block_impl_0 *__cself) {
int a = __cself->a; // bound by copy
printf("ssl - %d",a);
}
__cself就是__mMain_block_impl_0结构体。- 这里的
a和外面的a不是一个值,所以修改会报错。
__block修饰的基本变量 clang分析
修改下代码,用__block修饰a:
int mMain(void) {
__block int a = 18;
void(^block)(void) = ^{
printf("ssl - %d",a);
};
block();
return 0;
}
还是通过clang -rewrite-objc main.m -o main.cpp命令得到main.cpp文件,查看相关函数:
int mMain(void) {
__Block_byref_a_0 a = {
(void*)0,
(__Block_byref_a_0 *)&a,
0,
sizeof(__Block_byref_a_0),
18}; // 结构体的初始化
void(*block)(void) = __mMain_block_impl_0(__mMain_block_func_0, &__mMain_block_desc_0_DATA, (__Block_byref_a_0 *)&a, 570425344));
block->FuncPtr(block);
return 0;
}
struct __mMain_block_impl_0 {
struct __block_impl impl;
struct __mMain_block_desc_0* Desc;
__Block_byref_a_0 *a; // by ref
__mMain_block_impl_0(void *fp, struct __mMain_block_desc_0 *desc, __Block_byref_a_0 *_a, int flags=0) : a(_a->__forwarding) {
impl.isa = &_NSConcreteStackBlock;
impl.Flags = flags;
impl.FuncPtr = fp;
Desc = desc;
}
};
struct __Block_byref_a_0 {
void *__isa;
__Block_byref_a_0 *__forwarding;
int __flags;
int __size;
int a;
};
static void __mMain_block_func_0(struct __mMain_block_impl_0 *__cself) {
__Block_byref_a_0 *a = __cself->a; // bound by ref
printf("ssl - %d",(a->__forwarding->a));
}
- 可以看到变量
a在这里被编译成了__Block_byref_a_0结构体,初始化时将&a赋值给了__forwarding,也就是将自己的地址赋值给了自身的__forwarding。 - 调用
__mMain_block_impl_0的构造函数时,又将__forwarding赋值给了__mMain_block_impl_0的成员变量a。 - 所以调用
__mMain_block_func_0函数时,__cself->a和外部的a是指向同一内存地址的,可以进行修改。
二、block汇编分析 签名、copy过程
汇编分析 得到底层调用和库
创建一个NSObject对象在block中进行打印,通过汇编调试找到block第一个调用的函数objc_retainBlock:
下objc_retainBlock符号断点,得到下一调用函数_Block_copy:
下_Block_copy符号断点,得到libsystem_blocks.dylib库:
_Block_copy是在libsystem_blocks库中的,但是libsystem_blocks库并没有开源,可以通过反汇编来找到源码,也可以通过替代工程 libclosure 79 进行分析,我们接下来通过替代工程来进行分析。
_Block_copy 源码分析
进入_Block_copy函数:
// Copy, or bump refcount, of a block. If really copying, call the copy helper if present.
void *_Block_copy(const void *arg) {
struct Block_layout *aBlock;
if (!arg) return NULL;
// The following would be better done as a switch statement
aBlock = (struct Block_layout *)arg;
// 如果是释放状态,直接返回
if (aBlock->flags & BLOCK_NEEDS_FREE) {
// latches on high
latching_incr_int(&aBlock->flags);
return aBlock;
}
// 如果是 全局block 直接返回
else if (aBlock->flags & BLOCK_IS_GLOBAL) {
return aBlock;
}
else { // 编译期过来生成的是栈block
// Its a stack block. Make a copy. 计算所需空间大小
size_t size = Block_size(aBlock);
// 开辟新的空间 创建block
struct Block_layout *result = (struct Block_layout *)malloc(size);
if (!result) return NULL;
// 下面进行各种拷贝
memmove(result, aBlock, size); // bitcopy first
#if __has_feature(ptrauth_calls)
// Resign the invoke pointer as it uses address authentication.
result->invoke = aBlock->invoke;
#if __has_feature(ptrauth_signed_block_descriptors)
if (aBlock->flags & BLOCK_SMALL_DESCRIPTOR) {
uintptr_t oldDesc = ptrauth_blend_discriminator(
&aBlock->descriptor,
_Block_descriptor_ptrauth_discriminator);
uintptr_t newDesc = ptrauth_blend_discriminator(
&result->descriptor,
_Block_descriptor_ptrauth_discriminator);
// descriptor 的拷贝
result->descriptor =
ptrauth_auth_and_resign(aBlock->descriptor,
ptrauth_key_asda, oldDesc,
ptrauth_key_asda, newDesc);
}
#endif
#endif
// reset refcount
result->flags &= ~(BLOCK_REFCOUNT_MASK|BLOCK_DEALLOCATING); // XXX not needed
result->flags |= BLOCK_NEEDS_FREE | 2; // logical refcount 1
_Block_call_copy_helper(result, aBlock);
// isa 标记为 MallocBlock
result->isa = _NSConcreteMallocBlock;
return result;
}
}
block的本质是Block_layout结构体。- 函数传过来的是
栈block时,会重新开辟一个堆block,再将栈block相关的值拷贝到堆上。
查看Block_layout:
struct Block_layout {
void * __ptrauth_objc_isa_pointer isa; // 指向哪儿种block,栈/堆/全局
volatile int32_t flags; // contains ref count 是否正在析构、是否有签名等信息
int32_t reserved;
BlockInvokeFunction invoke; // 调用函数
struct Block_descriptor_1 *descriptor; // 其他一些描述信息
// imported variables
};
查看flags值:
// Values for Block_layout->flags to describe block objects
enum {
BLOCK_DEALLOCATING = (0x0001), // runtime 是否正在析构
BLOCK_REFCOUNT_MASK = (0xfffe), // runtime 引用计数掩码
BLOCK_INLINE_LAYOUT_STRING = (1 << 21), // compiler
#if BLOCK_SMALL_DESCRIPTOR_SUPPORTED
BLOCK_SMALL_DESCRIPTOR = (1 << 22), // compiler
#endif
BLOCK_IS_NOESCAPE = (1 << 23), // compiler
BLOCK_NEEDS_FREE = (1 << 24), // runtime 是否释放状态
BLOCK_HAS_COPY_DISPOSE = (1 << 25), // compiler 是否有copy、dispose函数
BLOCK_HAS_CTOR = (1 << 26), // compiler: helpers have C++ code
BLOCK_IS_GC = (1 << 27), // runtime
BLOCK_IS_GLOBAL = (1 << 28), // compiler 是否全局block
BLOCK_USE_STRET = (1 << 29), // compiler: undefined if !BLOCK_HAS_SIGNATURE
BLOCK_HAS_SIGNATURE = (1 << 30), // compiler 是否有签名
BLOCK_HAS_EXTENDED_LAYOUT=(1 << 31) // compiler
};
汇编分析 签名、copy 过程
下_Block_copy符号断点,通过寄存器打印block:
- 可以看到这时的
block还是StackBlock。
汇编跟流程,走到最底部,再次通过寄存器打印block:
- 可以看到
StackBlock变成了MallocBlock,block的地址也不一样了。 signature:v8@?0(返回值是void,占8个字节,@?类型,从0号位置开始)。invoke:函数调用者,copy、dispose下面将进行分析。
通过NSMethodSignature获取signature的详细信息:
(lldb) po [NSMethodSignature signatureWithObjCTypes:"v8@?0"]
<NSMethodSignature: 0xb91f68c7625b0cf7>
number of arguments = 1 // 传了一个参数
frame size = 224
is special struct return? NO // 没有返回值
return value: -------- -------- -------- --------
type encoding (v) 'v'
flags {}
modifiers {}
frame {offset = 0, offset adjust = 0, size = 0, size adjust = 0}
memory {offset = 0, size = 0}
argument 0: -------- -------- -------- -------- // 参数从0号位置开始
type encoding (@) '@?' // 类型是@?
flags {isObject, isBlock} // 是对象 是block
modifiers {}
frame {offset = 0, offset adjust = 0, size = 8, size adjust = 0} // 0号位置开始大小为8
memory {offset = 0, size = 8}
(lldb)
三、Block_layout 的结构
查看Block_layout及相关descriptor结构:
struct Block_layout {
void * __ptrauth_objc_isa_pointer isa; // 指向哪儿种block,栈/堆/全局
volatile int32_t flags; // contains ref count 是否正在析构、是否有签名等信息
int32_t reserved;
BlockInvokeFunction invoke; // 调用函数
struct Block_descriptor_1 *descriptor; // 其他一些描述信息
// imported variables
};
#define BLOCK_DESCRIPTOR_1 1
struct Block_descriptor_1 {
uintptr_t reserved;
uintptr_t size;
};
#define BLOCK_DESCRIPTOR_2 1
struct Block_descriptor_2 {
// requires BLOCK_HAS_COPY_DISPOSE
BlockCopyFunction copy;
BlockDisposeFunction dispose;
};
#define BLOCK_DESCRIPTOR_3 1
struct Block_descriptor_3 {
// requires BLOCK_HAS_SIGNATURE
const char *signature;
const char *layout; // contents depend on BLOCK_HAS_EXTENDED_LAYOUT
};
- 这里的
Block_descriptor_2、Block_descriptor_3是可选的,可能有也可能没有,接下来通过它们的get函数来进行分析。
通过搜索查询,找到_Block_descriptor_2、_Block_descriptor_3函数:
static struct Block_descriptor_2 * _Block_descriptor_2(struct Block_layout *aBlock)
{
uint8_t *desc = (uint8_t *)_Block_get_descriptor(aBlock);
desc += sizeof(struct Block_descriptor_1);
return (struct Block_descriptor_2 *)desc;
}
static struct Block_descriptor_3 * _Block_descriptor_3(struct Block_layout *aBlock)
{
uint8_t *desc = (uint8_t *)_Block_get_descriptor(aBlock);
desc += sizeof(struct Block_descriptor_1);
if (aBlock->flags & BLOCK_HAS_COPY_DISPOSE) {
desc += sizeof(struct Block_descriptor_2);
}
return (struct Block_descriptor_3 *)desc;
}
Block_descriptor_2是通过block平移Block_descriptor_1的大小得到的。- 如果有
copy、dispose函数,block先平移Block_descriptor_1的大小得到Block_descriptor_2,Block_descriptor_2再平移自身大小得到Block_descriptor_3。 - 如果没有
copy、dispose函数,Block_descriptor_3则通过block平移Block_descriptor_1的大小直接得到。
回到汇编调试,lldb 打印验证
0x00000001048f0010是Block_descriptor_2的地址,它的第32字节处0x00000001048ef3e3是Block_descriptor_3的第一个成员变量signature,打印出了它的值v8@?0。
四、__block 的捕获变量生命周期
block内打印__block修饰的NSObject对象:
int mMain(void) {
__block NSObject *obj = [NSObject new];
void(^block)(void) = ^{
NSLog(@"ssl - %@",obj);
};
block();
return 0;
}
通过clang -rewrite-objc main.m -o main.cpp命令得到main.cpp文件,查看相关函数:
int mMain(void) {
__Block_byref_obj_0 obj = {
(void*)0,(__Block_byref_obj_0 *)&obj,
33554432,
sizeof(__Block_byref_obj_0),
__Block_byref_id_object_copy_131,
__Block_byref_id_object_dispose_131,
objc_msgSend((id)objc_getClass("NSObject"), sel_registerName("new"))
};
void(*block)(void) = __mMain_block_impl_0(__mMain_block_func_0, &__mMain_block_desc_0_DATA, (__Block_byref_obj_0 *)&obj, 570425344));
block->FuncPtr(block);
return 0;
}
struct __mMain_block_impl_0 {
struct __block_impl impl;
struct __mMain_block_desc_0* Desc;
__Block_byref_obj_0 *obj; // by ref
__mMain_block_impl_0(void *fp, struct __mMain_block_desc_0 *desc, __Block_byref_obj_0 *_obj, int flags=0) : obj(_obj->__forwarding) {
impl.isa = &_NSConcreteStackBlock;
impl.Flags = flags;
impl.FuncPtr = fp;
Desc = desc;
}
};
struct __block_impl {
void *isa;
int Flags;
int Reserved;
void *FuncPtr;
};
struct __Block_byref_obj_0 {
void *__isa;
__Block_byref_obj_0 *__forwarding;
int __flags;
int __size;
void (*__Block_byref_id_object_copy)(void*, void*);
void (*__Block_byref_id_object_dispose)(void*);
NSObject *obj;
};
static void __mMain_block_func_0(struct __mMain_block_impl_0 *__cself) {
__Block_byref_obj_0 *obj = __cself->obj; // bound by ref
NSLog((NSString *)&__NSConstantStringImpl__var_folders_tb_rpsdqw797gn7n3l8myk82s5w0000gn_T_main_35fc7e_mi_0,(obj->__forwarding->obj));
}
捕获变量 Block_byref 拷贝分析
查看__mMain_block_desc_0相关函数:
static struct __mMain_block_desc_0 {
size_t reserved;
size_t Block_size;
void (*copy)(struct __mMain_block_impl_0*, struct __mMain_block_impl_0*);
void (*dispose)(struct __mMain_block_impl_0*);
} __mMain_block_desc_0_DATA = { 0,
sizeof(struct __mMain_block_impl_0),
__mMain_block_copy_0,
__mMain_block_dispose_0};
static void __mMain_block_copy_0(struct __mMain_block_impl_0*dst, struct __mMain_block_impl_0*src) {
_Block_object_assign((void*)&dst->obj, (void*)src->obj, 8/*BLOCK_FIELD_IS_BYREF*/);
}
static void __mMain_block_dispose_0(struct __mMain_block_impl_0*src) {
_Block_object_dispose((void*)src->obj, 8/*BLOCK_FIELD_IS_BYREF*/);
}
copy和dispose是上面我们提到的Block_descriptor_2中的成员变量,这里被赋值为__mMain_block_copy_0函数和__mMain_block_dispose_0函数,__mMain_block_copy_0中调用了_Block_object_assign函数。_Block_object_assign的第一个参数&dst->obj是堆中的__Block_byref_obj_0。_Block_object_assign的第二个参数src->obj是栈中的__Block_byref_obj_0。_Block_object_assign函数的第三个传参是8也就是BLOCK_FIELD_IS_BYREF类型。enum { // see function implementation for a more complete description of these fields and combinations BLOCK_FIELD_IS_OBJECT = 3, // id, NSObject, __attribute__((NSObject)), block, ... BLOCK_FIELD_IS_BLOCK = 7, // a block variable BLOCK_FIELD_IS_BYREF = 8, // the on stack structure holding the __block variable BLOCK_FIELD_IS_WEAK = 16, // declared __weak, only used in byref copy helpers BLOCK_BYREF_CALLER = 128, // called from __block (byref) copy/dispose support routines. };
源码中搜索_Block_object_assign函数:
void _Block_object_assign(void *destArg, const void *object, const int flags) {
const void **dest = (const void **)destArg;
switch (os_assumes(flags & BLOCK_ALL_COPY_DISPOSE_FLAGS)) {
// 普通的对象类型
case BLOCK_FIELD_IS_OBJECT:
/*******
id object = ...;
[^{ object; } copy];
********/
// 没有操作,交给了系统级的arc处理 _Block_retain_object_default = fn (arc)
_Block_retain_object(object);
// 栈block中object 赋值给堆block中object
*dest = object;
break;
// __block 修饰类型
case BLOCK_FIELD_IS_BLOCK:
/*******
void (^object)(void) = ...;
[^{ object; } copy];
********/
*dest = _Block_copy(object);
break;
case BLOCK_FIELD_IS_BYREF | BLOCK_FIELD_IS_WEAK:
case BLOCK_FIELD_IS_BYREF: // 8
/*******
// copy the onstack __block container to the heap
// Note this __weak is old GC-weak/MRC-unretained.
// ARC-style __weak is handled by the copy helper directly.
__block ... x;
__weak __block ... x;
[^{ x; } copy];
********/
// 这里的object是__Block_byref_obj_0
*dest = _Block_byref_copy(object);
break;
case BLOCK_BYREF_CALLER | BLOCK_FIELD_IS_OBJECT:
case BLOCK_BYREF_CALLER | BLOCK_FIELD_IS_BLOCK:
/*******
// copy the actual field held in the __block container
// Note this is MRC unretained __block only.
// ARC retained __block is handled by the copy helper directly.
__block id object;
__block void (^object)(void);
[^{ object; } copy];
********/
*dest = object;
break;
case BLOCK_BYREF_CALLER | BLOCK_FIELD_IS_OBJECT | BLOCK_FIELD_IS_WEAK:
case BLOCK_BYREF_CALLER | BLOCK_FIELD_IS_BLOCK | BLOCK_FIELD_IS_WEAK:
/*******
// copy the actual field held in the __block container
// Note this __weak is old GC-weak/MRC-unretained.
// ARC-style __weak is handled by the copy helper directly.
__weak __block id object;
__weak __block void (^object)(void);
[^{ object; } copy];
********/
*dest = object;
break;
default:
break;
}
}
flags是BLOCK_FIELD_IS_BYREF类型,所以调用的是_Block_byref_copy函数,传入的object上面已经说过是栈中的__Block_byref_obj_0。
进入_Block_byref_copy:
static struct Block_byref *_Block_byref_copy(const void *arg) {
// 强转为Block_byref类型
struct Block_byref *src = (struct Block_byref *)arg;
if ((src->forwarding->flags & BLOCK_REFCOUNT_MASK) == 0) {
// 在堆上重新开辟内存,创建变量copy
struct Block_byref *copy = (struct Block_byref *)malloc(src->size);
// 接下来进行相关拷贝操作
copy->isa = NULL;
// byref value 4 is logical refcount of 2: one for caller, one for stack
copy->flags = src->flags | BLOCK_BYREF_NEEDS_FREE | 4;
copy->forwarding = copy; // patch heap copy to point to itself
src->forwarding = copy; // patch stack to point to heap copy
copy->size = src->size;
if (src->flags & BLOCK_BYREF_HAS_COPY_DISPOSE) {
// Trust copy helper to copy everything of interest
// If more than one field shows up in a byref block this is wrong XXX
struct Block_byref_2 *src2 = (struct Block_byref_2 *)(src+1);
struct Block_byref_2 *copy2 = (struct Block_byref_2 *)(copy+1);
copy2->byref_keep = src2->byref_keep;
copy2->byref_destroy = src2->byref_destroy;
if (src->flags & BLOCK_BYREF_LAYOUT_EXTENDED) {
struct Block_byref_3 *src3 = (struct Block_byref_3 *)(src2+1);
struct Block_byref_3 *copy3 = (struct Block_byref_3*)(copy2+1);
copy3->layout = src3->layout;
}
// 捕获到了外界的变量 - 内存处理 - 生命周期的保存
(*src2->byref_keep)(copy, src);
}
else {
// Bitwise copy.
// This copy includes Block_byref_3, if any.
memmove(copy+1, src+1, src->size - sizeof(*src));
}
}
// already copied to heap
else if ((src->forwarding->flags & BLOCK_BYREF_NEEDS_FREE) == BLOCK_BYREF_NEEDS_FREE) {
latching_incr_int(&src->forwarding->flags);
}
return src->forwarding;
}
- 在堆上重新开辟
Block_byref结构内存,将栈上Block_byref的值都拷贝过来,而且栈和堆上的forwarding都指向了这片内存空间。 - 拷贝等操作完成以后,调用了
byref_keep函数,这个函数是调用了啥呢。
Block_byref 中的 object 拷贝分析
先源码看下Block_byref相关结构:
// 结构体
struct Block_byref {
void * __ptrauth_objc_isa_pointer isa; // 8
struct Block_byref *forwarding; // 8
volatile int32_t flags; // contains ref count//4
uint32_t size; // 4
};
struct Block_byref_2 {
// requires BLOCK_BYREF_HAS_COPY_DISPOSE
BlockByrefKeepFunction byref_keep; // 8
BlockByrefDestroyFunction byref_destroy; // 8
};
struct Block_byref_3 {
// requires BLOCK_BYREF_LAYOUT_EXTENDED
const char *layout;
};
size成员变量下面是byref_keep变量,再结合clang编译代码看一下:
int mMain(void) {
__Block_byref_obj_0 obj = {
(void*)0,(__Block_byref_obj_0 *)&obj,
33554432,
sizeof(__Block_byref_obj_0),
__Block_byref_id_object_copy_131,
__Block_byref_id_object_dispose_131,
objc_msgSend((id)objc_getClass("NSObject"), sel_registerName("new"))
};
void(*block)(void) = __mMain_block_impl_0(__mMain_block_func_0, &__mMain_block_desc_0_DATA, (__Block_byref_obj_0 *)&obj, 570425344));
block->FuncPtr(block);
return 0;
}
struct __Block_byref_obj_0 {
void *__isa;
__Block_byref_obj_0 *__forwarding;
int __flags;
int __size;
void (*__Block_byref_id_object_copy)(void*, void*);
void (*__Block_byref_id_object_dispose)(void*);
NSObject *obj;
};
byref_keep函数在这里调用的就是__Block_byref_id_object_copy_131:
// block -> Block_byref -> object
static void __Block_byref_id_object_copy_131(void *dst, void *src) {
_Block_object_assign((char*)dst + 40, *(void * *) ((char*)src + 40), 131);
}
- 结合
__Block_byref_obj_0结构和Block_byref结构,向下平移40个字节,得到的是NSObject *obj,对obj也是调用了_Block_object_assign函数,传入的flags是131。
3+128=131,所以当flags是131时做的是*dest = object操作,也就是堆中object和栈中object指向同一片内存空间。
block拷贝总结:
block通过_Block_copy函数从栈拷贝到堆上。block捕获变量Block_byref,通过_Block_object_assign函数从栈拷贝到堆上。Block_byref中的object也是通过_Block_object_assign函数进行相关拷贝。
释放
释放时调用的__Block_byref_id_object_dispose_131函数:
static void __Block_byref_id_object_dispose_131(void *src) {
_Block_object_dispose(*(void * *) ((char*)src + 40), 131);
}
然后调用_Block_object_dispose函数:
void _Block_object_dispose(const void *object, const int flags) {
switch (os_assumes(flags & BLOCK_ALL_COPY_DISPOSE_FLAGS)) {
case BLOCK_FIELD_IS_BYREF | BLOCK_FIELD_IS_WEAK:
case BLOCK_FIELD_IS_BYREF:
// get rid of the __block data structure held in a Block
_Block_byref_release(object);
break;
case BLOCK_FIELD_IS_BLOCK:
_Block_release(object);
break;
case BLOCK_FIELD_IS_OBJECT:
_Block_release_object(object);
break;
case BLOCK_BYREF_CALLER | BLOCK_FIELD_IS_OBJECT:
case BLOCK_BYREF_CALLER | BLOCK_FIELD_IS_BLOCK:
case BLOCK_BYREF_CALLER | BLOCK_FIELD_IS_OBJECT | BLOCK_FIELD_IS_WEAK:
case BLOCK_BYREF_CALLER | BLOCK_FIELD_IS_BLOCK | BLOCK_FIELD_IS_WEAK:
break;
default:
break;
}
}
