(接上篇)
五. Aspects hook過程詳解
先看看函數調用棧的情況
- aspect_prepareClassAndHookSelector(self, selector, error);
├── aspect_hookClass(self, error)
│ ├──aspect_swizzleClassInPlace
│ ├──aspect_swizzleForwardInvocation
│ │ └──__ASPECTS_ARE_BEING_CALLED__
│ │ ├──aspect_aliasForSelector
│ │ ├──aspect_getContainerForClass
│ │ ├──aspect_invoke
│ │ └──aspect_remove
│ └── aspect_hookedGetClass
├── aspect_isMsgForwardIMP
├──aspect_aliasForSelector(selector)
└── aspect_getMsgForwardIMP
從調用棧可以看出,Aspects hook過程主要分4個階段,hookClass,ASPECTS_ARE_BEING_CALLED,prepareClassAndHookSelector,remove。
1. hookClass
NSCParameterAssert(self);
Class statedClass = self.class;
Class baseClass = object_getClass(self);
NSString *className = NSStringFromClass(baseClass);
statedClass 和 baseClass是有區別的的。
Class object_getClass(id obj)
{
if (obj) return obj->getIsa();
else return Nil;
}
+ (Class)class {
return self;
}
statedClass 是獲取類對象,baseClass是獲取到類的isa。
// Already subclassed
if ([className hasSuffix:AspectsSubclassSuffix]) {
return baseClass;
// We swizzle a class object, not a single object.
}else if (class_isMetaClass(baseClass)) {
return aspect_swizzleClassInPlace((Class)self);
// Probably a KVO'ed class. Swizzle in place. Also swizzle meta classes in place.
}else if (statedClass != baseClass) {
return aspect_swizzleClassInPlace(baseClass);
}
先判斷是用來className是否包含hasSuffix:AspectsSubclassSuffix
static NSString *const AspectsSubclassSuffix = @"_Aspects_";
如果包含了@"_Aspects_"后綴,代表該類已經被hook過了,直接return。
如果不包含@"_Aspects_"后綴,再判斷是否是baseClass是否是元類,如果是元類,調用aspect_swizzleClassInPlace。如果也不是元類,再判斷statedClass 和 baseClass是否相等,如果不相等,說明為KVO過的對象,因為KVO的對象isa指針會指向一個中間類。對KVO中間類調用aspect_swizzleClassInPlace。
static Class aspect_swizzleClassInPlace(Class klass) {
NSCParameterAssert(klass);
NSString *className = NSStringFromClass(klass);
_aspect_modifySwizzledClasses(^(NSMutableSet *swizzledClasses) {
if (![swizzledClasses containsObject:className]) {
aspect_swizzleForwardInvocation(klass);
[swizzledClasses addObject:className];
}
});
return klass;
}
_aspect_modifySwizzledClasses會傳入一個入參為(NSMutableSet *swizzledClasses)的block,block里面就是判斷在這個Set里面是否包含當前的ClassName,如果不包含,就調用aspect_swizzleForwardInvocation()方法,并把className加入到Set集合里面。
static void _aspect_modifySwizzledClasses(void (^block)(NSMutableSet *swizzledClasses)) {
static NSMutableSet *swizzledClasses;
static dispatch_once_t pred;
dispatch_once(&pred, ^{
swizzledClasses = [NSMutableSet new];
});
@synchronized(swizzledClasses) {
block(swizzledClasses);
}
}
_aspect_modifySwizzledClasses方法里面保證了swizzledClasses這個Set集合是全局唯一的,并且給傳入的block加上了線程鎖@synchronized( ),保證了block調用中線程是安全的。
關于調用aspect_swizzleForwardInvocation,將原IMP指向forwardInvocation是下個階段的事情,我們先把hookClass看完。
// Default case. Create dynamic subclass.
const char *subclassName = [className stringByAppendingString:AspectsSubclassSuffix].UTF8String;
Class subclass = objc_getClass(subclassName);
if (subclass == nil) {
subclass = objc_allocateClassPair(baseClass, subclassName, 0);
if (subclass == nil) {
NSString *errrorDesc = [NSString stringWithFormat:@"objc_allocateClassPair failed to allocate class %s.", subclassName];
AspectError(AspectErrorFailedToAllocateClassPair, errrorDesc);
return nil;
}
aspect_swizzleForwardInvocation(subclass);
aspect_hookedGetClass(subclass, statedClass);
aspect_hookedGetClass(object_getClass(subclass), statedClass);
objc_registerClassPair(subclass);
}
object_setClass(self, subclass);
當className沒有包含@"_Aspects_"后綴,并且也不是元類,也不是KVO的中間類,即statedClass = = baseClass 的情況,于是,默認的新建一個子類subclass。
到此,我們可以了解到Aspects的設計思想,hook 是在runtime中動態創建子類的基礎上實現的。所有的 swizzling 操作都發生在子類,這樣做的好處是你不需要去更改對象本身的類,也就是,當你在 remove aspects 的時候,如果發現當前對象的 aspect 都被移除了,那么,你可以將 isa 指針重新指回對象本身的類,從而消除了該對象的 swizzling ,同時也不會影響到其他該類的不同對象)這樣對原來替換的類或者對象沒有任何影響而且可以在子類基礎上新增或者刪除aspect。
新建的類的名字,會先加上AspectsSubclassSuffix后綴,即在className后面加上@"_Aspects_",標記成子類。再調用objc_getClass方法,創建這個子類。
/***********************************************************************
* objc_getClass. Return the id of the named class. If the class does
* not exist, call _objc_classLoader and then objc_classHandler, either of
* which may create a new class.
* Warning: doesn't work if aClassName is the name of a posed-for class's isa!
**********************************************************************/
Class objc_getClass(const char *aClassName)
{
if (!aClassName) return Nil;
// NO unconnected, YES class handler
return look_up_class(aClassName, NO, YES);
}
objc_getClass會調用look_up_class方法。
/***********************************************************************
* look_up_class
* Look up a class by name, and realize it.
* Locking: acquires runtimeLock
**********************************************************************/
Class look_up_class(const char *name,
bool includeUnconnected __attribute__((unused)),
bool includeClassHandler __attribute__((unused)))
{
if (!name) return nil;
Class result;
bool unrealized;
{
rwlock_reader_t lock(runtimeLock);
result = getClass(name);
unrealized = result && !result->isRealized();
}
if (unrealized) {
rwlock_writer_t lock(runtimeLock);
realizeClass(result);
}
return result;
}
這個方法會去查看有沒有實現叫name的class,查看過程中會用到rwlock_reader_t lock(runtimeLock),讀寫鎖,底層是用pthread_rwlock_t實現的。
由于是我們剛剛新建的一個子類名,很有可能是objc_getClass()返回nil。那么我們需要新建這個子類。調用objc_allocateClassPair()方法。
/***********************************************************************
* objc_allocateClassPair
* fixme
* Locking: acquires runtimeLock
**********************************************************************/
Class objc_allocateClassPair(Class superclass, const char *name,
size_t extraBytes)
{
Class cls, meta;
rwlock_writer_t lock(runtimeLock);
// Fail if the class name is in use.
// Fail if the superclass isn't kosher.
if (getClass(name) || !verifySuperclass(superclass, true/*rootOK*/)) {
return nil;
}
// Allocate new classes.
cls = alloc_class_for_subclass(superclass, extraBytes);
meta = alloc_class_for_subclass(superclass, extraBytes);
// fixme mangle the name if it looks swift-y?
objc_initializeClassPair_internal(superclass, name, cls, meta);
return cls;
}
調用objc_allocateClassPair會新建一個子類,它的父類是入參superclass。
如果新建的子類subclass = = nil,就會報錯,objc_allocateClassPair failed to allocate class。
aspect_swizzleForwardInvocation(subclass)這是下一階段的事情,主要作用是替換當前類forwardInvocation方法的實現為__ASPECTS_ARE_BEING_CALLED__,先略過。
接著調用aspect_hookedGetClass( ) 方法。
static void aspect_hookedGetClass(Class class, Class statedClass) {
NSCParameterAssert(class);
NSCParameterAssert(statedClass);
Method method = class_getInstanceMethod(class, @selector(class));
IMP newIMP = imp_implementationWithBlock(^(id self) {
return statedClass;
});
class_replaceMethod(class, @selector(class), newIMP, method_getTypeEncoding(method));
}
aspect_hookedGetClass方法是把class的實例方法替換成返回statedClass,也就是說把調用class時候的isa指向了statedClass了。
aspect_hookedGetClass(subclass, statedClass);
aspect_hookedGetClass(object_getClass(subclass), statedClass);
這兩句的意圖我們也就明白了。
第一句是把subclass的isa指向了statedClass,第二句是把subclass的元類的isa,也指向了statedClass。
最后調用objc_registerClassPair( ) 注冊剛剛新建的子類subclass,再調用object_setClass(self, subclass);把當前self的isa指向子類subclass。
至此,hookClass階段就完成了,成功的把self hook成了其子類 xxx_Aspects_。
2. ASPECTS_ARE_BEING_CALLED
在上一階段hookClass的時候,有幾處都調用了aspect_swizzleForwardInvocation方法。
static NSString *const AspectsForwardInvocationSelectorName = @"__aspects_forwardInvocation:";
static void aspect_swizzleForwardInvocation(Class klass) {
NSCParameterAssert(klass);
// If there is no method, replace will act like class_addMethod.
IMP originalImplementation = class_replaceMethod(klass, @selector(forwardInvocation:), (IMP)__ASPECTS_ARE_BEING_CALLED__, "v@:@");
if (originalImplementation) {
class_addMethod(klass, NSSelectorFromString(AspectsForwardInvocationSelectorName), originalImplementation, "v@:@");
}
AspectLog(@"Aspects: %@ is now aspect aware.", NSStringFromClass(klass));
}
aspect_swizzleForwardInvocation就是整個Aspects hook方法的開始。
/***********************************************************************
* class_replaceMethod
**********************************************************************/
IMP class_replaceMethod(Class cls, SEL name, IMP imp, const char *types)
{
if (!cls) return nil;
return _class_addMethod(cls, name, imp, types, YES);
}
調用class_replaceMethod方法,實際底層實現是調用_class_addMethod方法。
static IMP _class_addMethod(Class cls, SEL name, IMP imp,
const char *types, bool replace)
{
old_method *m;
IMP result = nil;
if (!types) types = "";
mutex_locker_t lock(methodListLock);
if ((m = _findMethodInClass(cls, name))) {
// already exists
// fixme atomic
result = method_getImplementation((Method)m);
if (replace) {
method_setImplementation((Method)m, imp);
}
} else {
// fixme could be faster
old_method_list *mlist =
(old_method_list *)calloc(sizeof(old_method_list), 1);
mlist->obsolete = fixed_up_method_list;
mlist->method_count = 1;
mlist->method_list[0].method_name = name;
mlist->method_list[0].method_types = strdup(types);
if (!ignoreSelector(name)) {
mlist->method_list[0].method_imp = imp;
} else {
mlist->method_list[0].method_imp = (IMP)&_objc_ignored_method;
}
_objc_insertMethods(cls, mlist, nil);
if (!(cls->info & CLS_CONSTRUCTING)) {
flush_caches(cls, NO);
} else {
// in-construction class has no subclasses
flush_cache(cls);
}
result = nil;
}
return result;
}
從上述源碼中,我們可以看到,先_findMethodInClass(cls, name),從cls中查找有沒有name的方法。如果有,并且能找到對應的IMP的話,就進行替換method_setImplementation((Method)m, imp),把name方法的IMP替換成imp。這種方式_class_addMethod返回的是name方法對應的IMP,實際上就是我們替換完的imp。
如果在cls中沒有找到name方法,那么就添加該方法,在mlist -> method_list[0] 的位置插入新的name方法,對應的IMP就是傳入的imp。這種方式_class_addMethod返回的是nil。
回到aspect_swizzleForwardInvocation中,
IMP originalImplementation = class_replaceMethod(klass, @selector(forwardInvocation:), (IMP)__ASPECTS_ARE_BEING_CALLED__, "v@:@");
if (originalImplementation) {
class_addMethod(klass, NSSelectorFromString(AspectsForwardInvocationSelectorName), originalImplementation, "v@:@");
}
把forwardInvocation:的IMP替換成__ASPECTS_ARE_BEING_CALLED__ 。如果在klass里面找不到forwardInvocation:方法,就會新添加該方法。
由于子類本身并沒有實現 forwardInvocation ,隱藏返回的 originalImplementation 將為空值,所以也不會生成 NSSelectorFromString(AspectsForwardInvocationSelectorName) 。所以還需要_class_addMethod會為我們添加了forwardInvocation:方法的實現
謝謝簡書的大神 @zhao0 指點,這個坑在Aspects 1.4.1中已經修復了。
在aspect_swizzleForwardInvocation中,class_replaceMethod返回的是原方法的IMP,originalImplementation不為空的話說明原方法有實現,添加一個新方法__aspects_forwardInvocation:指向了原來的originalImplementation,在__ASPECTS_ARE_BEING_CALLED__那里如果不能處理,判斷是否有實現__aspects_forwardInvocation,有的話就轉發。
如果originalImplementation返回的不是nil,就說明已經替換成功。替換完方法之后,我們在klass中再加入一個叫“__aspects_forwardInvocation:”的方法,對應的實現也是(IMP)__ASPECTS_ARE_BEING_CALLED__。
接下來就是整個Aspects的核心實現了:__ASPECTS_ARE_BEING_CALLED__
static void __ASPECTS_ARE_BEING_CALLED__(__unsafe_unretained NSObject *self, SEL selector, NSInvocation *invocation) {
NSCParameterAssert(self);
NSCParameterAssert(invocation);
SEL originalSelector = invocation.selector;
SEL aliasSelector = aspect_aliasForSelector(invocation.selector);
invocation.selector = aliasSelector;
AspectsContainer *objectContainer = objc_getAssociatedObject(self, aliasSelector);
AspectsContainer *classContainer = aspect_getContainerForClass(object_getClass(self), aliasSelector);
AspectInfo *info = [[AspectInfo alloc] initWithInstance:self invocation:invocation];
NSLog(@"%@",info.arguments);
NSArray *aspectsToRemove = nil;
…… ……
}
這一段是hook前的準備工作:
- 獲取原始的selector
- 獲取帶有aspects_xxxx前綴的方法
- 替換selector
- 獲取實例對象的容器objectContainer,這里是之前aspect_add關聯過的對象。
- 獲取獲得類對象容器classContainer
- 初始化AspectInfo,傳入self、invocation參數
// Before hooks.
aspect_invoke(classContainer.beforeAspects, info);
aspect_invoke(objectContainer.beforeAspects, info);
調用宏定義執行Aspects切片功能
#define aspect_invoke(aspects, info) \
for (AspectIdentifier *aspect in aspects) {\
[aspect invokeWithInfo:info];\
if (aspect.options & AspectOptionAutomaticRemoval) { \
aspectsToRemove = [aspectsToRemove?:@[] arrayByAddingObject:aspect]; \
} \
}
之所以這里用一個宏定義來實現里面的功能,是為了獲得一個更加清晰的堆棧信息。
宏定義里面就做了兩件事情,一個是執行了[aspect invokeWithInfo:info]方法,一個是把需要remove的Aspects加入等待被移除的數組中。
[aspect invokeWithInfo:info]方法在上篇里面詳細分析過了其實現,這個函數的主要目的是把blockSignature初始化blockSignature得到invocation。然后處理參數,如果參數block中的參數大于1個,則把傳入的AspectInfo放入blockInvocation中。然后從originalInvocation中取出參數給blockInvocation賦值。最后調用[blockInvocation invokeWithTarget:self.block];這里Target設置為self.block。也就執行了我們hook方法的block。
所以只要調用aspect_invoke(classContainer.Aspects, info);這個核心替換的方法,就能hook我們原有的SEL。對應的,函數第一個參數分別傳入的是classContainer.beforeAspects、classContainer.insteadAspects、classContainer.afterAspects就能對應的實現before、instead、after對應時間的Aspects切片的hook。
// Instead hooks.
BOOL respondsToAlias = YES;
if (objectContainer.insteadAspects.count || classContainer.insteadAspects.count) {
aspect_invoke(classContainer.insteadAspects, info);
aspect_invoke(objectContainer.insteadAspects, info);
}else {
Class klass = object_getClass(invocation.target);
do {
if ((respondsToAlias = [klass instancesRespondToSelector:aliasSelector])) {
[invocation invoke];
break;
}
}while (!respondsToAlias && (klass = class_getSuperclass(klass)));
}
這一段代碼是實現Instead hooks的。先判斷當前insteadAspects是否有數據,如果沒有數據則判斷當前繼承鏈是否能響應aspects_xxx方法,如果能,則直接調用aliasSelector。注意:這里的aliasSelector是原方法method
// After hooks.
aspect_invoke(classContainer.afterAspects, info);
aspect_invoke(objectContainer.afterAspects, info);
這兩行是對應的執行After hooks的。原理如上。
至此,before、instead、after對應時間的Aspects切片的hook如果能被執行的,都執行完畢了。
如果hook沒有被正常執行,那么就應該執行原來的方法。
// If no hooks are installed, call original implementation (usually to throw an exception)
if (!respondsToAlias) {
invocation.selector = originalSelector;
SEL originalForwardInvocationSEL = NSSelectorFromString(AspectsForwardInvocationSelectorName);
if ([self respondsToSelector:originalForwardInvocationSEL]) {
((void( *)(id, SEL, NSInvocation *))objc_msgSend)(self, originalForwardInvocationSEL, invocation);
}else {
[self doesNotRecognizeSelector:invocation.selector];
}
}
invocation.selector先換回原來的originalSelector,如果沒有被hook成功,那么AspectsForwardInvocationSelectorName還能再拿到原來的IMP對應的SEL。如果能相應,就調用原來的SEL,否則就報出doesNotRecognizeSelector的錯誤。
[aspectsToRemove makeObjectsPerformSelector:@selector(remove)];
最后調用移除方法,移除hook。
3. prepareClassAndHookSelector
現在又要回到上篇中提到的aspect_prepareClassAndHookSelector方法中來了。
static void aspect_prepareClassAndHookSelector(NSObject *self, SEL selector, NSError **error) {
NSCParameterAssert(selector);
Class klass = aspect_hookClass(self, error);
Method targetMethod = class_getInstanceMethod(klass, selector);
IMP targetMethodIMP = method_getImplementation(targetMethod);
if (!aspect_isMsgForwardIMP(targetMethodIMP)) {
// Make a method alias for the existing method implementation, it not already copied.
const char *typeEncoding = method_getTypeEncoding(targetMethod);
SEL aliasSelector = aspect_aliasForSelector(selector);
if (![klass instancesRespondToSelector:aliasSelector]) {
__unused BOOL addedAlias = class_addMethod(klass, aliasSelector, method_getImplementation(targetMethod), typeEncoding);
NSCAssert(addedAlias, @"Original implementation for %@ is already copied to %@ on %@", NSStringFromSelector(selector), NSStringFromSelector(aliasSelector), klass);
}
// We use forwardInvocation to hook in.
class_replaceMethod(klass, selector, aspect_getMsgForwardIMP(self, selector), typeEncoding);
AspectLog(@"Aspects: Installed hook for -[%@ %@].", klass, NSStringFromSelector(selector));
}
}
klass是我們hook完原始的class之后得到的子類,名字是帶有_Aspects_后綴的子類。因為它是當前類的子類,所以也可以從它這里獲取到原有的selector的IMP。
static BOOL aspect_isMsgForwardIMP(IMP impl) {
return impl == _objc_msgForward
#if !defined(__arm64__)
|| impl == (IMP)_objc_msgForward_stret
#endif
;
}
這里是判斷當前IMP是不是_objc_msgForward或者_objc_msgForward_stret,即判斷當前IMP是不是消息轉發。
如果不是消息轉發,就先獲取當前原始的selector對應的IMP的方法編碼typeEncoding。
如果子類里面不能響應aspects_xxxx,就為klass添加aspects_xxxx方法,方法的實現為原生方法的實現。
Aspects整個hook的入口就是這句話:
class_replaceMethod(klass, selector, aspect_getMsgForwardIMP(self, selector), typeEncoding);
由于我們將slector指向_objc_msgForward 和_objc_msgForward_stret,可想而知,當selector被執行的時候,也會觸發消息轉發從而進入forwardInvocation,而我們又對forwardInvacation進行了swizzling,因此,最終轉入我們自己的處理邏輯代碼中。
4. aspect_remove
aspect_remove整個銷毀過程的函數調用棧
- aspect_remove(AspectIdentifier *aspect, NSError **error)
└── aspect_cleanupHookedClassAndSelector
├──aspect_deregisterTrackedSelector
│ └── aspect_getSwizzledClassesDict
├──aspect_destroyContainerForObject
└── aspect_undoSwizzleClassInPlace
└── _aspect_modifySwizzledClasses
└──aspect_undoSwizzleForwardInvocation
static BOOL aspect_remove(AspectIdentifier *aspect, NSError **error) {
NSCAssert([aspect isKindOfClass:AspectIdentifier.class], @"Must have correct type.");
__block BOOL success = NO;
aspect_performLocked(^{
id self = aspect.object; // strongify
if (self) {
AspectsContainer *aspectContainer = aspect_getContainerForObject(self, aspect.selector);
success = [aspectContainer removeAspect:aspect];
aspect_cleanupHookedClassAndSelector(self, aspect.selector);
// destroy token
aspect.object = nil;
aspect.block = nil;
aspect.selector = NULL;
}else {
NSString *errrorDesc = [NSString stringWithFormat:@"Unable to deregister hook. Object already deallocated: %@", aspect];
AspectError(AspectErrorRemoveObjectAlreadyDeallocated, errrorDesc);
}
});
return success;
}
aspect_remove 是整個 aspect_add的逆過程。
aspect_performLocked是保證線程安全。把AspectsContainer都置為空,remove最關鍵的過程就是aspect_cleanupHookedClassAndSelector(self, aspect.selector);移除之前hook的class和selector。
static void aspect_cleanupHookedClassAndSelector(NSObject *self, SEL selector) {
NSCParameterAssert(self);
NSCParameterAssert(selector);
Class klass = object_getClass(self);
BOOL isMetaClass = class_isMetaClass(klass);
if (isMetaClass) {
klass = (Class)self;
}
…… ……
}
klass是現在的class,如果是元類,就轉換成元類。
// Check if the method is marked as forwarded and undo that.
Method targetMethod = class_getInstanceMethod(klass, selector);
IMP targetMethodIMP = method_getImplementation(targetMethod);
if (aspect_isMsgForwardIMP(targetMethodIMP)) {
// Restore the original method implementation.
const char *typeEncoding = method_getTypeEncoding(targetMethod);
SEL aliasSelector = aspect_aliasForSelector(selector);
Method originalMethod = class_getInstanceMethod(klass, aliasSelector);
IMP originalIMP = method_getImplementation(originalMethod);
NSCAssert(originalMethod, @"Original implementation for %@ not found %@ on %@", NSStringFromSelector(selector), NSStringFromSelector(aliasSelector), klass);
class_replaceMethod(klass, selector, originalIMP, typeEncoding);
AspectLog(@"Aspects: Removed hook for -[%@ %@].", klass, NSStringFromSelector(selector));
}
先回復MsgForward消息轉發函數,獲得方法簽名,然后把原始轉發方法替換回我們hook過的方法。
這里有一個需要注意的問題。
如果當前Student有2個實例,stu1和stu2,并且他們都同時hook了相同的方法study( ),stu2在執行完aspect_remove,把stu2的study( )方法還原了。這里會把stu1的study( )方法也還原了。因為remove方法這個操作是對整個類的所有實例都生效的。
要想每個實例還原各自的方法,不影響其他實例,上述這段代碼刪除即可。因為在執行 remove 操作的時候,其實和這個對象相關的數據結構都已經被清除了,即使不去恢復 stu2 的study( ) 的執行,在進入 __ASPECTS_ARE_BEING_CALLED__,由于這個沒有響應的 aspects ,其實會直接跳到原來的處理邏輯,并不會有其他附加影響。
static void aspect_deregisterTrackedSelector(id self, SEL selector) {
if (!class_isMetaClass(object_getClass(self))) return;
NSMutableDictionary *swizzledClassesDict = aspect_getSwizzledClassesDict();
NSString *selectorName = NSStringFromSelector(selector);
Class currentClass = [self class];
AspectTracker *subclassTracker = nil;
do {
AspectTracker *tracker = swizzledClassesDict[currentClass];
if (subclassTracker) {
[tracker removeSubclassTracker:subclassTracker hookingSelectorName:selectorName];
} else {
[tracker.selectorNames removeObject:selectorName];
}
if (tracker.selectorNames.count == 0 && tracker.selectorNamesToSubclassTrackers) {
[swizzledClassesDict removeObjectForKey:currentClass];
}
subclassTracker = tracker;
}while ((currentClass = class_getSuperclass(currentClass)));
}
還要移除AspectTracker里面所有標記的swizzledClassesDict。銷毀全部記錄的selector。
AspectsContainer *container = aspect_getContainerForObject(self, selector);
if (!container.hasAspects) {
// Destroy the container
aspect_destroyContainerForObject(self, selector);
// Figure out how the class was modified to undo the changes.
NSString *className = NSStringFromClass(klass);
if ([className hasSuffix:AspectsSubclassSuffix]) {
Class originalClass = NSClassFromString([className stringByReplacingOccurrencesOfString:AspectsSubclassSuffix withString:@""]);
NSCAssert(originalClass != nil, @"Original class must exist");
object_setClass(self, originalClass);
AspectLog(@"Aspects: %@ has been restored.", NSStringFromClass(originalClass));
// We can only dispose the class pair if we can ensure that no instances exist using our subclass.
// Since we don't globally track this, we can't ensure this - but there's also not much overhead in keeping it around.
//objc_disposeClassPair(object.class);
}else {
// Class is most likely swizzled in place. Undo that.
if (isMetaClass) {
aspect_undoSwizzleClassInPlace((Class)self);
}else if (self.class != klass) {
aspect_undoSwizzleClassInPlace(klass);
}
}
}
最后,我們還需要還原類的AssociatedObject關聯對象,以及用到的AspectsContainer容器。
static void aspect_destroyContainerForObject(id<NSObject> self, SEL selector) {
NSCParameterAssert(self);
SEL aliasSelector = aspect_aliasForSelector(selector);
objc_setAssociatedObject(self, aliasSelector, nil, OBJC_ASSOCIATION_RETAIN);
}
這個方法銷毀了AspectsContainer容器,并且把關聯對象也置成了nil。
static void aspect_undoSwizzleClassInPlace(Class klass) {
NSCParameterAssert(klass);
NSString *className = NSStringFromClass(klass);
_aspect_modifySwizzledClasses(^(NSMutableSet *swizzledClasses) {
if ([swizzledClasses containsObject:className]) {
aspect_undoSwizzleForwardInvocation(klass);
[swizzledClasses removeObject:className];
}
});
}
aspect_undoSwizzleClassInPlace會再調用aspect_undoSwizzleForwardInvocation方法。
static void aspect_undoSwizzleForwardInvocation(Class klass) {
NSCParameterAssert(klass);
Method originalMethod = class_getInstanceMethod(klass, NSSelectorFromString(AspectsForwardInvocationSelectorName));
Method objectMethod = class_getInstanceMethod(NSObject.class, @selector(forwardInvocation:));
// There is no class_removeMethod, so the best we can do is to retore the original implementation, or use a dummy.
IMP originalImplementation = method_getImplementation(originalMethod ?: objectMethod);
class_replaceMethod(klass, @selector(forwardInvocation:), originalImplementation, "v@:@");
AspectLog(@"Aspects: %@ has been restored.", NSStringFromClass(klass));
}
最后還原ForwardInvocation的Swizzling,把原來的ForwardInvocation再交換回來。
六. 關于Aspects 的一些 “坑”
在Aspects這個庫了,用到了Method Swizzling有幾處,這幾處如果處理不好,就會掉“坑”里了。
1.aspect_prepareClassAndHookSelector 中可能遇到的“坑”
在aspect_prepareClassAndHookSelector方法中,會把原始的selector hook成_objc_msgForward。但是如果這里的selector就是_objc_msgForward會發生什么呢?
其實這里的坑在作者的代碼注釋里面已經隱藏的提到了。
在__ASPECTS_ARE_BEING_CALLED__方法中,最后轉發消息的那段代碼里面有這樣一段注釋
// If no hooks are installed, call original implementation (usually to throw an exception)
看到這段注釋以后,你肯定會思考,為何到了這里就會throw an exception呢?原因是因為找不到NSSelectorFromString(AspectsForwardInvocationSelectorName)對應的IMP。
再往上找,就可以找到原因了。在實現aspect_prepareClassAndHookSelector中,會判斷當前的selector是不是_objc_msgForward,如果不是msgForward,接下來什么也不會做。那么aliasSelector是沒有對應的實現的。
由于 forwardInvocation 被 aspects 所 hook ,最終會進入到 aspects 的處理邏輯__ASPECTS_ARE_BEING_CALLED__中來,此時如果沒有找不到 aliasSelector 的 IMP 實現,因此會在此進行消息轉發。而且子類并沒有實現 NSSelectorFromString(AspectsForwardInvocationSelectorName),于是轉發就會拋出異常。
這里的“坑”就在于,hook的selector如果變成了_objc_msgForward,就會出現異常了,但是一般我們不會去hook _objc_msgForward這個方法,出現這個問題的原因是有其他的Swizzling會去hook這個方法。
比如說JSPatch把傳入的 selector 先被 JSPatch hook ,那么,這里我們將不會再處理,也就不會生成 aliasSelector 。就會出現閃退的異常了。
static Class aspect_hookClass(NSObject *self, NSError **error) {
...
subclass = objc_allocateClassPair(baseClass, subclassName, 0);
...
IMP originalImplementation = class_replaceMethod(subclass, @selector(forwardInvocation:), (IMP)__ASPECTS_ARE_BEING_CALLED__, "v@:@");
if (originalImplementation) {
class_addMethod(subclass, NSSelectorFromString(AspectsForwardInvocationSelectorName), originalImplementation, "v@:@");
} else {
Method baseTargetMethod = class_getInstanceMethod(baseClass, @selector(forwardInvocation:));
IMP baseTargetMethodIMP = method_getImplementation(baseTargetMethod);
if (baseTargetMethodIMP) {
class_addMethod(subclass, NSSelectorFromString(AspectsForwardInvocationSelectorName), baseTargetMethodIMP, "v@:@");
}
}
...
}
這里在這篇文章中給出了一個解決辦法:
在對子類的 forwardInvocation方法進行交換而不僅僅是替換,實現邏輯如下,強制生成一個 NSSelectorFromString(AspectsForwardInvocationSelectorName)指向原對象的 forwardInvocation的實現。
注意如果 originalImplementation為空,那么生成的 NSSelectorFromString(AspectsForwardInvocationSelectorName)
將指向 baseClass 也就是真正的這個對象的 forwradInvocation ,這個其實也就是 JSPatch hook 的方法。同時為了保證 block 的執行順序(也就是前面介紹的 before hooks / instead hooks / after hooks ),這里需要將這段代碼提前到 after hooks 執行之前進行。這樣就解決了 forwardInvocation 在外面已經被 hook 之后的沖突問題。
謝謝簡書的大神 @zhao0 指點,在這篇文章詳細分析了Aspect和JSPatch各種兼容性問題,經過詳細的分析,最后只有4種不兼容的情況。
2. aspect_hookSelector 可能出現的 “坑”
在Aspects中主要是hook selector,此時如果有多個地方會和Aspects去hook相同方法,那么也會出現doesNotRecognizeSelector的問題。
舉個例子,比如說在NSArray中用Aspects 去hook了objectAtIndex的方法,然后在NSMutableArray中Swizzling了objectAtIndex方法。在
NSMutableArray中,調用objectAtIndex就有可能出錯。
因為還是在于Aspects hook 了selector之后,會把原來的selector變成_objc_msgForward。等到NSMutableArray再去hook這個方法的時候,記錄的是IMP就是_objc_msgForward這個了。如果這時objc_msgSend執行原有實現,就會出錯了。因為原有實現已經被替換為_objc_msgForward,而真的IMP由于被Aspects先Swizzling掉了,所以找不到。
解決辦法還是類似JSPatch的解決辦法:
把-forwardInvocation:也進行Swizzling,在自己的-forwardInvocation:方法中進行同樣的操作,就是判斷傳入的NSInvocation的Selector,被Swizzling的方法指向了_objc_msgForward(或_objc_msgForward_stret)如果是自己可以識別的Selector,那么就將Selector變為原有Selector在執行,如果不識別,就直接轉發。
最后
最后用一張圖總結一下Aspects整體流程:
請大家多多指教。
