(接上篇)
五. Aspects hook過程詳解
先看看函式呼叫棧的情況
- aspect_prepareClassAndHookSelector(self, selector, error);
├── aspect_hookClass(self, error)
│ ├──aspect_swizzleClassInPlace
│ ├──aspect_swizzleForwardInvocation
│ │ └──__ASPECTS_ARE_BEING_CALLED__
│ │ ├──aspect_aliasForSelector
│ │ ├──aspect_getContainerForClass
│ │ ├──aspect_invoke
│ │ └──aspect_remove
│ └── aspect_hookedGetClass
├── aspect_isMsgForwardIMP
├──aspect_aliasForSelector(selector)
└── aspect_getMsgForwardIMP複製程式碼從呼叫棧可以看出,Aspects hook過程主要分4個階段,hookClass,ASPECTS_ARE_BEING_CALLED,prepareClassAndHookSelector,remove。
1. hookClass
NSCParameterAssert(self);
Class statedClass = self.class;
Class baseClass = object_getClass(self);
NSString *className = NSStringFromClass(baseClass);複製程式碼statedClass 和 baseClass是有區別的的。
Class object_getClass(id obj)
{
if (obj) return obj->getIsa();
else return Nil;
}
+ (Class)class {
return self;
}複製程式碼statedClass 是獲取類物件,baseClass是獲取到類的isa。
// Already subclassed
if ([className hasSuffix:AspectsSubclassSuffix]) {
return baseClass;
// We swizzle a class object, not a single object.
}else if (class_isMetaClass(baseClass)) {
return aspect_swizzleClassInPlace((Class)self);
// Probably a KVO'ed class. Swizzle in place. Also swizzle meta classes in place.
}else if (statedClass != baseClass) {
return aspect_swizzleClassInPlace(baseClass);
}複製程式碼先判斷是用來className是否包含hasSuffix:AspectsSubclassSuffix
static NSString *const AspectsSubclassSuffix = @"_Aspects_";複製程式碼如果包含了@"_Aspects_"字尾,代表該類已經被hook過了,直接return。
如果不包含@"_Aspects_"字尾,再判斷是否是baseClass是否是元類,如果是元類,呼叫aspect_swizzleClassInPlace。如果也不是元類,再判斷statedClass 和 baseClass是否相等,如果不相等,說明為KVO過的物件,因為KVO的物件isa指標會指向一箇中間類。對KVO中間類呼叫aspect_swizzleClassInPlace。
static Class aspect_swizzleClassInPlace(Class klass) {
NSCParameterAssert(klass);
NSString *className = NSStringFromClass(klass);
_aspect_modifySwizzledClasses(^(NSMutableSet *swizzledClasses) {
if (![swizzledClasses containsObject:className]) {
aspect_swizzleForwardInvocation(klass);
[swizzledClasses addObject:className];
}
});
return klass;
}複製程式碼_aspect_modifySwizzledClasses會傳入一個入參為(NSMutableSet *swizzledClasses)的block,block裡面就是判斷在這個Set裡面是否包含當前的ClassName,如果不包含,就呼叫aspect_swizzleForwardInvocation()方法,並把className加入到Set集合裡面。
static void _aspect_modifySwizzledClasses(void (^block)(NSMutableSet *swizzledClasses)) {
static NSMutableSet *swizzledClasses;
static dispatch_once_t pred;
dispatch_once(&pred, ^{
swizzledClasses = [NSMutableSet new];
});
@synchronized(swizzledClasses) {
block(swizzledClasses);
}
}複製程式碼_aspect_modifySwizzledClasses方法裡面保證了swizzledClasses這個Set集合是全域性唯一的,並且給傳入的block加上了執行緒鎖@synchronized( ),保證了block呼叫中執行緒是安全的。
關於呼叫aspect_swizzleForwardInvocation,將原IMP指向forwardInvocation是下個階段的事情,我們先把hookClass看完。
// Default case. Create dynamic subclass.
const char *subclassName = [className stringByAppendingString:AspectsSubclassSuffix].UTF8String;
Class subclass = objc_getClass(subclassName);
if (subclass == nil) {
subclass = objc_allocateClassPair(baseClass, subclassName, 0);
if (subclass == nil) {
NSString *errrorDesc = [NSString stringWithFormat:@"objc_allocateClassPair failed to allocate class %s.", subclassName];
AspectError(AspectErrorFailedToAllocateClassPair, errrorDesc);
return nil;
}
aspect_swizzleForwardInvocation(subclass);
aspect_hookedGetClass(subclass, statedClass);
aspect_hookedGetClass(object_getClass(subclass), statedClass);
objc_registerClassPair(subclass);
}
object_setClass(self, subclass);複製程式碼當className沒有包含@"_Aspects_"字尾,並且也不是元類,也不是KVO的中間類,即statedClass = = baseClass 的情況,於是,預設的新建一個子類subclass。
到此,我們可以瞭解到Aspects的設計思想,hook 是在runtime中動態建立子類的基礎上實現的。所有的 swizzling 操作都發生在子類,這樣做的好處是你不需要去更改物件本身的類,也就是,當你在 remove aspects 的時候,如果發現當前物件的 aspect 都被移除了,那麼,你可以將 isa 指標重新指回物件本身的類,從而消除了該物件的 swizzling ,同時也不會影響到其他該類的不同物件)這樣對原來替換的類或者物件沒有任何影響而且可以在子類基礎上新增或者刪除aspect。
新建的類的名字,會先加上AspectsSubclassSuffix字尾,即在className後面加上@"_Aspects_",標記成子類。再呼叫objc_getClass方法,建立這個子類。
/***********************************************************************
* objc_getClass. Return the id of the named class. If the class does
* not exist, call _objc_classLoader and then objc_classHandler, either of
* which may create a new class.
* Warning: doesn't work if aClassName is the name of a posed-for class's isa!
**********************************************************************/
Class objc_getClass(const char *aClassName)
{
if (!aClassName) return Nil;
// NO unconnected, YES class handler
return look_up_class(aClassName, NO, YES);
}複製程式碼objc_getClass會呼叫look_up_class方法。
/***********************************************************************
* look_up_class
* Look up a class by name, and realize it.
* Locking: acquires runtimeLock
**********************************************************************/
Class look_up_class(const char *name,
bool includeUnconnected __attribute__((unused)),
bool includeClassHandler __attribute__((unused)))
{
if (!name) return nil;
Class result;
bool unrealized;
{
rwlock_reader_t lock(runtimeLock);
result = getClass(name);
unrealized = result && !result->isRealized();
}
if (unrealized) {
rwlock_writer_t lock(runtimeLock);
realizeClass(result);
}
return result;
}複製程式碼這個方法會去檢視有沒有實現叫name的class,檢視過程中會用到rwlock_reader_t lock(runtimeLock),讀寫鎖,底層是用pthread_rwlock_t實現的。
由於是我們剛剛新建的一個子類名,很有可能是objc_getClass()返回nil。那麼我們需要新建這個子類。呼叫objc_allocateClassPair()方法。
/***********************************************************************
* objc_allocateClassPair
* fixme
* Locking: acquires runtimeLock
**********************************************************************/
Class objc_allocateClassPair(Class superclass, const char *name,
size_t extraBytes)
{
Class cls, meta;
rwlock_writer_t lock(runtimeLock);
// Fail if the class name is in use.
// Fail if the superclass isn't kosher.
if (getClass(name) || !verifySuperclass(superclass, true/*rootOK*/)) {
return nil;
}
// Allocate new classes.
cls = alloc_class_for_subclass(superclass, extraBytes);
meta = alloc_class_for_subclass(superclass, extraBytes);
// fixme mangle the name if it looks swift-y?
objc_initializeClassPair_internal(superclass, name, cls, meta);
return cls;
}複製程式碼呼叫objc_allocateClassPair會新建一個子類,它的父類是入參superclass。
如果新建的子類subclass = = nil,就會報錯,objc_allocateClassPair failed to allocate class。
aspect_swizzleForwardInvocation(subclass)這是下一階段的事情,主要作用是替換當前類forwardInvocation方法的實現為__ASPECTS_ARE_BEING_CALLED__,先略過。
接著呼叫aspect_hookedGetClass( ) 方法。
static void aspect_hookedGetClass(Class class, Class statedClass) {
NSCParameterAssert(class);
NSCParameterAssert(statedClass);
Method method = class_getInstanceMethod(class, @selector(class));
IMP newIMP = imp_implementationWithBlock(^(id self) {
return statedClass;
});
class_replaceMethod(class, @selector(class), newIMP, method_getTypeEncoding(method));
}複製程式碼aspect_hookedGetClass方法是把class的例項方法替換成返回statedClass,也就是說把呼叫class時候的isa指向了statedClass了。
aspect_hookedGetClass(subclass, statedClass);
aspect_hookedGetClass(object_getClass(subclass), statedClass);複製程式碼這兩句的意圖我們也就明白了。
第一句是把subclass的isa指向了statedClass,第二句是把subclass的元類的isa,也指向了statedClass。
最後呼叫objc_registerClassPair( ) 註冊剛剛新建的子類subclass,再呼叫object_setClass(self, subclass);把當前self的isa指向子類subclass。
至此,hookClass階段就完成了,成功的把self hook成了其子類 xxx_Aspects_。
2. ASPECTS_ARE_BEING_CALLED
在上一階段hookClass的時候,有幾處都呼叫了aspect_swizzleForwardInvocation方法。
static NSString *const AspectsForwardInvocationSelectorName = @"__aspects_forwardInvocation:";
static void aspect_swizzleForwardInvocation(Class klass) {
NSCParameterAssert(klass);
// If there is no method, replace will act like class_addMethod.
IMP originalImplementation = class_replaceMethod(klass, @selector(forwardInvocation:), (IMP)__ASPECTS_ARE_BEING_CALLED__, "v@:@");
if (originalImplementation) {
class_addMethod(klass, NSSelectorFromString(AspectsForwardInvocationSelectorName), originalImplementation, "v@:@");
}
AspectLog(@"Aspects: %@ is now aspect aware.", NSStringFromClass(klass));
}複製程式碼aspect_swizzleForwardInvocation就是整個Aspects hook方法的開始。
/***********************************************************************
* class_replaceMethod
**********************************************************************/
IMP class_replaceMethod(Class cls, SEL name, IMP imp, const char *types)
{
if (!cls) return nil;
return _class_addMethod(cls, name, imp, types, YES);
}複製程式碼呼叫class_replaceMethod方法,實際底層實現是呼叫_class_addMethod方法。
static IMP _class_addMethod(Class cls, SEL name, IMP imp,
const char *types, bool replace)
{
old_method *m;
IMP result = nil;
if (!types) types = "";
mutex_locker_t lock(methodListLock);
if ((m = _findMethodInClass(cls, name))) {
// already exists
// fixme atomic
result = method_getImplementation((Method)m);
if (replace) {
method_setImplementation((Method)m, imp);
}
} else {
// fixme could be faster
old_method_list *mlist =
(old_method_list *)calloc(sizeof(old_method_list), 1);
mlist->obsolete = fixed_up_method_list;
mlist->method_count = 1;
mlist->method_list[0].method_name = name;
mlist->method_list[0].method_types = strdup(types);
if (!ignoreSelector(name)) {
mlist->method_list[0].method_imp = imp;
} else {
mlist->method_list[0].method_imp = (IMP)&_objc_ignored_method;
}
_objc_insertMethods(cls, mlist, nil);
if (!(cls->info & CLS_CONSTRUCTING)) {
flush_caches(cls, NO);
} else {
// in-construction class has no subclasses
flush_cache(cls);
}
result = nil;
}
return result;
}複製程式碼從上述原始碼中,我們可以看到,先_findMethodInClass(cls, name),從cls中查詢有沒有name的方法。如果有,並且能找到對應的IMP的話,就進行替換method_setImplementation((Method)m, imp),把name方法的IMP替換成imp。這種方式_class_addMethod返回的是name方法對應的IMP,實際上就是我們替換完的imp。
如果在cls中沒有找到name方法,那麼就新增該方法,在mlist -> method_list[0] 的位置插入新的name方法,對應的IMP就是傳入的imp。這種方式_class_addMethod返回的是nil。
回到aspect_swizzleForwardInvocation中,
IMP originalImplementation = class_replaceMethod(klass, @selector(forwardInvocation:), (IMP)__ASPECTS_ARE_BEING_CALLED__, "v@:@");
if (originalImplementation) {
class_addMethod(klass, NSSelectorFromString(AspectsForwardInvocationSelectorName), originalImplementation, "v@:@");
}複製程式碼把forwardInvocation:的IMP替換成__ASPECTS_ARE_BEING_CALLED__ 。如果在klass裡面找不到forwardInvocation:方法,就會新新增該方法。
由於子類本身並沒有實現 forwardInvocation ,隱藏返回的 originalImplementation 將為空值,所以也不會生成 NSSelectorFromString(AspectsForwardInvocationSelectorName) 。所以還需要_class_addMethod會為我們新增了forwardInvocation:方法的實現
如果originalImplementation返回的不是nil,就說明已經替換成功。替換完方法之後,我們在klass中再加入一個叫“__aspects_forwardInvocation:”的方法,對應的實現也是(IMP)__ASPECTS_ARE_BEING_CALLED__。
接下來就是整個Aspects的核心實現了:__ASPECTS_ARE_BEING_CALLED__
static void __ASPECTS_ARE_BEING_CALLED__(__unsafe_unretained NSObject *self, SEL selector, NSInvocation *invocation) {
NSCParameterAssert(self);
NSCParameterAssert(invocation);
SEL originalSelector = invocation.selector;
SEL aliasSelector = aspect_aliasForSelector(invocation.selector);
invocation.selector = aliasSelector;
AspectsContainer *objectContainer = objc_getAssociatedObject(self, aliasSelector);
AspectsContainer *classContainer = aspect_getContainerForClass(object_getClass(self), aliasSelector);
AspectInfo *info = [[AspectInfo alloc] initWithInstance:self invocation:invocation];
NSLog(@"%@",info.arguments);
NSArray *aspectsToRemove = nil;
…… ……
}複製程式碼這一段是hook前的準備工作:
- 獲取原始的selector
- 獲取帶有aspects_xxxx字首的方法
- 替換selector
- 獲取例項物件的容器objectContainer,這裡是之前aspect_add關聯過的物件。
- 獲取獲得類物件容器classContainer
- 初始化AspectInfo,傳入self、invocation引數
// Before hooks.
aspect_invoke(classContainer.beforeAspects, info);
aspect_invoke(objectContainer.beforeAspects, info);複製程式碼呼叫巨集定義執行Aspects切片功能
#define aspect_invoke(aspects, info) \
for (AspectIdentifier *aspect in aspects) {\
[aspect invokeWithInfo:info];\
if (aspect.options & AspectOptionAutomaticRemoval) { \
aspectsToRemove = [aspectsToRemove?:@[] arrayByAddingObject:aspect]; \
} \
}複製程式碼之所以這裡用一個巨集定義來實現裡面的功能,是為了獲得一個更加清晰的堆疊資訊。
巨集定義裡面就做了兩件事情,一個是執行了[aspect invokeWithInfo:info]方法,一個是把需要remove的Aspects加入等待被移除的陣列中。
[aspect invokeWithInfo:info]方法在上篇裡面詳細分析過了其實現,這個函式的主要目的是把blockSignature初始化blockSignature得到invocation。然後處理引數,如果引數block中的引數大於1個,則把傳入的AspectInfo放入blockInvocation中。然後從originalInvocation中取出引數給blockInvocation賦值。最後呼叫[blockInvocation invokeWithTarget:self.block];這裡Target設定為self.block。也就執行了我們hook方法的block。
所以只要呼叫aspect_invoke(classContainer.Aspects, info);這個核心替換的方法,就能hook我們原有的SEL。對應的,函式第一個引數分別傳入的是classContainer.beforeAspects、classContainer.insteadAspects、classContainer.afterAspects就能對應的實現before、instead、after對應時間的Aspects切片的hook。
// Instead hooks.
BOOL respondsToAlias = YES;
if (objectContainer.insteadAspects.count || classContainer.insteadAspects.count) {
aspect_invoke(classContainer.insteadAspects, info);
aspect_invoke(objectContainer.insteadAspects, info);
}else {
Class klass = object_getClass(invocation.target);
do {
if ((respondsToAlias = [klass instancesRespondToSelector:aliasSelector])) {
[invocation invoke];
break;
}
}while (!respondsToAlias && (klass = class_getSuperclass(klass)));
}複製程式碼這一段程式碼是實現Instead hooks的。先判斷當前insteadAspects是否有資料,如果沒有資料則判斷當前繼承鏈是否能響應aspects_xxx方法,如果能,則直接呼叫aliasSelector。注意:這裡的aliasSelector是原方法method
// After hooks.
aspect_invoke(classContainer.afterAspects, info);
aspect_invoke(objectContainer.afterAspects, info);複製程式碼這兩行是對應的執行After hooks的。原理如上。
至此,before、instead、after對應時間的Aspects切片的hook如果能被執行的,都執行完畢了。
如果hook沒有被正常執行,那麼就應該執行原來的方法。
// If no hooks are installed, call original implementation (usually to throw an exception)
if (!respondsToAlias) {
invocation.selector = originalSelector;
SEL originalForwardInvocationSEL = NSSelectorFromString(AspectsForwardInvocationSelectorName);
if ([self respondsToSelector:originalForwardInvocationSEL]) {
((void( *)(id, SEL, NSInvocation *))objc_msgSend)(self, originalForwardInvocationSEL, invocation);
}else {
[self doesNotRecognizeSelector:invocation.selector];
}
}複製程式碼invocation.selector先換回原來的originalSelector,如果沒有被hook成功,那麼AspectsForwardInvocationSelectorName還能再拿到原來的IMP對應的SEL。如果能相應,就呼叫原來的SEL,否則就報出doesNotRecognizeSelector的錯誤。
[aspectsToRemove makeObjectsPerformSelector:@selector(remove)];複製程式碼最後呼叫移除方法,移除hook。
3. prepareClassAndHookSelector
現在又要回到上篇中提到的aspect_prepareClassAndHookSelector方法中來了。
static void aspect_prepareClassAndHookSelector(NSObject *self, SEL selector, NSError **error) {
NSCParameterAssert(selector);
Class klass = aspect_hookClass(self, error);
Method targetMethod = class_getInstanceMethod(klass, selector);
IMP targetMethodIMP = method_getImplementation(targetMethod);
if (!aspect_isMsgForwardIMP(targetMethodIMP)) {
// Make a method alias for the existing method implementation, it not already copied.
const char *typeEncoding = method_getTypeEncoding(targetMethod);
SEL aliasSelector = aspect_aliasForSelector(selector);
if (![klass instancesRespondToSelector:aliasSelector]) {
__unused BOOL addedAlias = class_addMethod(klass, aliasSelector, method_getImplementation(targetMethod), typeEncoding);
NSCAssert(addedAlias, @"Original implementation for %@ is already copied to %@ on %@", NSStringFromSelector(selector), NSStringFromSelector(aliasSelector), klass);
}
// We use forwardInvocation to hook in.
class_replaceMethod(klass, selector, aspect_getMsgForwardIMP(self, selector), typeEncoding);
AspectLog(@"Aspects: Installed hook for -[%@ %@].", klass, NSStringFromSelector(selector));
}
}複製程式碼klass是我們hook完原始的class之後得到的子類,名字是帶有_Aspects_字尾的子類。因為它是當前類的子類,所以也可以從它這裡獲取到原有的selector的IMP。
static BOOL aspect_isMsgForwardIMP(IMP impl) {
return impl == _objc_msgForward
#if !defined(__arm64__)
|| impl == (IMP)_objc_msgForward_stret
#endif
;
}複製程式碼這裡是判斷當前IMP是不是_objc_msgForward或者_objc_msgForward_stret,即判斷當前IMP是不是訊息轉發。
如果不是訊息轉發,就先獲取當前原始的selector對應的IMP的方法編碼typeEncoding。
如果子類裡面不能響應aspects_xxxx,就為klass新增aspects_xxxx方法,方法的實現為原生方法的實現。
Aspects整個hook的入口就是這句話:
class_replaceMethod(klass, selector, aspect_getMsgForwardIMP(self, selector), typeEncoding);複製程式碼由於我們將slector指向_objc_msgForward 和_objc_msgForward_stret,可想而知,當selector被執行的時候,也會觸發訊息轉發從而進入forwardInvocation,而我們又對forwardInvacation進行了swizzling,因此,最終轉入我們自己的處理邏輯程式碼中。
4. aspect_remove
aspect_remove整個銷燬過程的函式呼叫棧
- aspect_remove(AspectIdentifier *aspect, NSError **error)
└── aspect_cleanupHookedClassAndSelector
├──aspect_deregisterTrackedSelector
│ └── aspect_getSwizzledClassesDict
├──aspect_destroyContainerForObject
└── aspect_undoSwizzleClassInPlace
└── _aspect_modifySwizzledClasses
└──aspect_undoSwizzleForwardInvocation複製程式碼
static BOOL aspect_remove(AspectIdentifier *aspect, NSError **error) {
NSCAssert([aspect isKindOfClass:AspectIdentifier.class], @"Must have correct type.");
__block BOOL success = NO;
aspect_performLocked(^{
id self = aspect.object; // strongify
if (self) {
AspectsContainer *aspectContainer = aspect_getContainerForObject(self, aspect.selector);
success = [aspectContainer removeAspect:aspect];
aspect_cleanupHookedClassAndSelector(self, aspect.selector);
// destroy token
aspect.object = nil;
aspect.block = nil;
aspect.selector = NULL;
}else {
NSString *errrorDesc = [NSString stringWithFormat:@"Unable to deregister hook. Object already deallocated: %@", aspect];
AspectError(AspectErrorRemoveObjectAlreadyDeallocated, errrorDesc);
}
});
return success;
}複製程式碼aspect_remove 是整個 aspect_add的逆過程。
aspect_performLocked是保證執行緒安全。把AspectsContainer都置為空,remove最關鍵的過程就是aspect_cleanupHookedClassAndSelector(self, aspect.selector);移除之前hook的class和selector。
static void aspect_cleanupHookedClassAndSelector(NSObject *self, SEL selector) {
NSCParameterAssert(self);
NSCParameterAssert(selector);
Class klass = object_getClass(self);
BOOL isMetaClass = class_isMetaClass(klass);
if (isMetaClass) {
klass = (Class)self;
}
…… ……
}複製程式碼klass是現在的class,如果是元類,就轉換成元類。
// Check if the method is marked as forwarded and undo that.
Method targetMethod = class_getInstanceMethod(klass, selector);
IMP targetMethodIMP = method_getImplementation(targetMethod);
if (aspect_isMsgForwardIMP(targetMethodIMP)) {
// Restore the original method implementation.
const char *typeEncoding = method_getTypeEncoding(targetMethod);
SEL aliasSelector = aspect_aliasForSelector(selector);
Method originalMethod = class_getInstanceMethod(klass, aliasSelector);
IMP originalIMP = method_getImplementation(originalMethod);
NSCAssert(originalMethod, @"Original implementation for %@ not found %@ on %@", NSStringFromSelector(selector), NSStringFromSelector(aliasSelector), klass);
class_replaceMethod(klass, selector, originalIMP, typeEncoding);
AspectLog(@"Aspects: Removed hook for -[%@ %@].", klass, NSStringFromSelector(selector));
}複製程式碼先回復MsgForward訊息轉發函式,獲得方法簽名,然後把原始轉發方法替換回我們hook過的方法。
這裡有一個需要注意的問題。
如果當前Student有2個例項,stu1和stu2,並且他們都同時hook了相同的方法study( ),stu2在執行完aspect_remove,把stu2的study( )方法還原了。這裡會把stu1的study( )方法也還原了。因為remove方法這個操作是對整個類的所有例項都生效的。
要想每個例項還原各自的方法,不影響其他例項,上述這段程式碼刪除即可。因為在執行 remove 操作的時候,其實和這個物件相關的資料結構都已經被清除了,即使不去恢復 stu2 的study( ) 的執行,在進入 __ASPECTS_ARE_BEING_CALLED__,由於這個沒有響應的 aspects ,其實會直接跳到原來的處理邏輯,並不會有其他附加影響。
static void aspect_deregisterTrackedSelector(id self, SEL selector) {
if (!class_isMetaClass(object_getClass(self))) return;
NSMutableDictionary *swizzledClassesDict = aspect_getSwizzledClassesDict();
NSString *selectorName = NSStringFromSelector(selector);
Class currentClass = [self class];
AspectTracker *subclassTracker = nil;
do {
AspectTracker *tracker = swizzledClassesDict[currentClass];
if (subclassTracker) {
[tracker removeSubclassTracker:subclassTracker hookingSelectorName:selectorName];
} else {
[tracker.selectorNames removeObject:selectorName];
}
if (tracker.selectorNames.count == 0 && tracker.selectorNamesToSubclassTrackers) {
[swizzledClassesDict removeObjectForKey:currentClass];
}
subclassTracker = tracker;
}while ((currentClass = class_getSuperclass(currentClass)));
}複製程式碼還要移除AspectTracker裡面所有標記的swizzledClassesDict。銷燬全部記錄的selector。
AspectsContainer *container = aspect_getContainerForObject(self, selector);
if (!container.hasAspects) {
// Destroy the container
aspect_destroyContainerForObject(self, selector);
// Figure out how the class was modified to undo the changes.
NSString *className = NSStringFromClass(klass);
if ([className hasSuffix:AspectsSubclassSuffix]) {
Class originalClass = NSClassFromString([className stringByReplacingOccurrencesOfString:AspectsSubclassSuffix withString:@""]);
NSCAssert(originalClass != nil, @"Original class must exist");
object_setClass(self, originalClass);
AspectLog(@"Aspects: %@ has been restored.", NSStringFromClass(originalClass));
// We can only dispose the class pair if we can ensure that no instances exist using our subclass.
// Since we don't globally track this, we can't ensure this - but there's also not much overhead in keeping it around.
//objc_disposeClassPair(object.class);
}else {
// Class is most likely swizzled in place. Undo that.
if (isMetaClass) {
aspect_undoSwizzleClassInPlace((Class)self);
}else if (self.class != klass) {
aspect_undoSwizzleClassInPlace(klass);
}
}
}複製程式碼最後,我們還需要還原類的AssociatedObject關聯物件,以及用到的AspectsContainer容器。
static void aspect_destroyContainerForObject(id<NSObject> self, SEL selector) {
NSCParameterAssert(self);
SEL aliasSelector = aspect_aliasForSelector(selector);
objc_setAssociatedObject(self, aliasSelector, nil, OBJC_ASSOCIATION_RETAIN);
}複製程式碼這個方法銷燬了AspectsContainer容器,並且把關聯物件也置成了nil。
static void aspect_undoSwizzleClassInPlace(Class klass) {
NSCParameterAssert(klass);
NSString *className = NSStringFromClass(klass);
_aspect_modifySwizzledClasses(^(NSMutableSet *swizzledClasses) {
if ([swizzledClasses containsObject:className]) {
aspect_undoSwizzleForwardInvocation(klass);
[swizzledClasses removeObject:className];
}
});
}複製程式碼aspect_undoSwizzleClassInPlace會再呼叫aspect_undoSwizzleForwardInvocation方法。
static void aspect_undoSwizzleForwardInvocation(Class klass) {
NSCParameterAssert(klass);
Method originalMethod = class_getInstanceMethod(klass, NSSelectorFromString(AspectsForwardInvocationSelectorName));
Method objectMethod = class_getInstanceMethod(NSObject.class, @selector(forwardInvocation:));
// There is no class_removeMethod, so the best we can do is to retore the original implementation, or use a dummy.
IMP originalImplementation = method_getImplementation(originalMethod ?: objectMethod);
class_replaceMethod(klass, @selector(forwardInvocation:), originalImplementation, "v@:@");
AspectLog(@"Aspects: %@ has been restored.", NSStringFromClass(klass));
}複製程式碼最後還原ForwardInvocation的Swizzling,把原來的ForwardInvocation再交換回來。
六. 關於Aspects 的一些 “坑”
在Aspects這個庫了,用到了Method Swizzling有幾處,這幾處如果處理不好,就會掉“坑”裡了。
1.aspect_prepareClassAndHookSelector 中可能遇到的“坑”
在aspect_prepareClassAndHookSelector方法中,會把原始的selector hook成_objc_msgForward。但是如果這裡的selector就是_objc_msgForward會發生什麼呢?
其實這裡的坑在作者的程式碼註釋裡面已經隱藏的提到了。
在__ASPECTS_ARE_BEING_CALLED__方法中,最後轉發訊息的那段程式碼裡面有這樣一段註釋
// If no hooks are installed, call original implementation (usually to throw an exception)複製程式碼看到這段註釋以後,你肯定會思考,為何到了這裡就會throw an exception呢?原因是因為找不到NSSelectorFromString(AspectsForwardInvocationSelectorName)對應的IMP。
再往上找,就可以找到原因了。在實現aspect_prepareClassAndHookSelector中,會判斷當前的selector是不是_objc_msgForward,如果不是msgForward,接下來什麼也不會做。那麼aliasSelector是沒有對應的實現的。
由於 forwardInvocation 被 aspects 所 hook ,最終會進入到 aspects 的處理邏輯__ASPECTS_ARE_BEING_CALLED__中來,此時如果沒有找不到 aliasSelector 的 IMP 實現,因此會在此進行訊息轉發。而且子類並沒有實現 NSSelectorFromString(AspectsForwardInvocationSelectorName),於是轉發就會丟擲異常。
這裡的“坑”就在於,hook的selector如果變成了_objc_msgForward,就會出現異常了,但是一般我們不會去hook _objc_msgForward這個方法,出現這個問題的原因是有其他的Swizzling會去hook這個方法。
比如說JSPatch把傳入的 selector 先被 JSPatch hook ,那麼,這裡我們將不會再處理,也就不會生成 aliasSelector 。就會出現閃退的異常了。
static Class aspect_hookClass(NSObject *self, NSError **error) {
...
subclass = objc_allocateClassPair(baseClass, subclassName, 0);
...
IMP originalImplementation = class_replaceMethod(subclass, @selector(forwardInvocation:), (IMP)__ASPECTS_ARE_BEING_CALLED__, "v@:@");
if (originalImplementation) {
class_addMethod(subclass, NSSelectorFromString(AspectsForwardInvocationSelectorName), originalImplementation, "v@:@");
} else {
Method baseTargetMethod = class_getInstanceMethod(baseClass, @selector(forwardInvocation:));
IMP baseTargetMethodIMP = method_getImplementation(baseTargetMethod);
if (baseTargetMethodIMP) {
class_addMethod(subclass, NSSelectorFromString(AspectsForwardInvocationSelectorName), baseTargetMethodIMP, "v@:@");
}
}
...
}複製程式碼這裡在這篇文章中給出了一個解決辦法:
在對子類的 forwardInvocation方法進行交換而不僅僅是替換,實現邏輯如下,強制生成一個 NSSelectorFromString(AspectsForwardInvocationSelectorName)指向原物件的 forwardInvocation的實現。
注意如果 originalImplementation為空,那麼生成的 NSSelectorFromString(AspectsForwardInvocationSelectorName)
將指向 baseClass 也就是真正的這個物件的 forwradInvocation ,這個其實也就是 JSPatch hook 的方法。同時為了保證 block 的執行順序(也就是前面介紹的 before hooks / instead hooks / after hooks ),這裡需要將這段程式碼提前到 after hooks 執行之前進行。這樣就解決了 forwardInvocation 在外面已經被 hook 之後的衝突問題。
2. aspect_hookSelector 可能出現的 “坑”
在Aspects中主要是hook selector,此時如果有多個地方會和Aspects去hook相同方法,那麼也會出現doesNotRecognizeSelector的問題。
舉個例子,比如說在NSArray中用Aspects 去hook了objectAtIndex的方法,然後在NSMutableArray中Swizzling了objectAtIndex方法。在
NSMutableArray中,呼叫objectAtIndex就有可能出錯。
因為還是在於Aspects hook 了selector之後,會把原來的selector變成_objc_msgForward。等到NSMutableArray再去hook這個方法的時候,記錄的是IMP就是_objc_msgForward這個了。如果這時objc_msgSend執行原有實現,就會出錯了。因為原有實現已經被替換為_objc_msgForward,而真的IMP由於被Aspects先Swizzling掉了,所以找不到。
解決辦法還是類似JSPatch的解決辦法:
把-forwardInvocation:也進行Swizzling,在自己的-forwardInvocation:方法中進行同樣的操作,就是判斷傳入的NSInvocation的Selector,被Swizzling的方法指向了_objc_msgForward(或_objc_msgForward_stret)如果是自己可以識別的Selector,那麼就將Selector變為原有Selector在執行,如果不識別,就直接轉發。
最後
最後用一張圖總結一下Aspects整體流程:
請大家多多指教。