序
开发过程中,总是难免写出一些bug导致崩溃,即使有些崩溃原因显而易见,我们也很难完全避免, 这时候就要通过一些技术手段来避免问题。
今天想给大家分享一下关于在dealloc中初始化一个指向自身的weak指针产生崩溃的防护方案。
在某些类的dealloc中我们会去做一些清理工作,这时候可能就会去初始化一个指向自身的weak指针,尤其是在使用懒加载的时候。
问题分析
这段代码在走到dealloc的时候是必崩的。
#import "WeakTestObj.h" @implementation WeakTestObj - (void)dealloc {
__weak typeof(self) weakSelf = self;
} @end
原因呢我们可以看一下崩溃堆栈和输出的错
很明显,当我们在dealloc初始化指向自身的weak指针时,在objc_initWeak中发生了错误,原因是因为该对象正在被释放当中。
但为何对象在释放时初始化指向自身的weak指针会崩溃呢,我们可以通过runtime源码(https://opensource.apple.com/tarballs/objc4/)进一步分析。
我们先通过Xcode看一下崩溃时的汇编代码
libobjc.A.dylib`objc_initWeak: 0x7fff2019209e <+0>: pushq %rbp 0x7fff2019209f <+1>: movq %rsp, %rbp 0x7fff201920a2 <+4>: pushq %r15 0x7fff201920a4 <+6>: pushq %r14 0x7fff201920a6 <+8>: pushq %r13 0x7fff201920a8 <+10>: pushq %r12 0x7fff201920aa <+12>: pushq %rbx 0x7fff201920ab <+13>: subq $0x28, %rsp 0x7fff201920af <+17>: testq %rsi, %rsi 0x7fff201920b2 <+20>: je 0x7fff20192227 ; <+393> 0x7fff201920b8 <+26>: movq %rsi, %r13 0x7fff201920bb <+29>: movq %rdi, -0x40(%rbp) 0x7fff201920bf <+33>: movabsq $0x7ffffffffff8, %r14 ; imm = 0x7FFFFFFFFFF8 0x7fff201920c9 <+43>: movl %r13d, %eax 0x7fff201920cc <+46>: shrl $0x9, %eax 0x7fff201920cf <+49>: movl %r13d, %r12d 0x7fff201920d2 <+52>: shrl $0x4, %r12d 0x7fff201920d6 <+56>: xorl %eax, %r12d 0x7fff201920d9 <+59>: andl $0x3f, %r12d 0x7fff201920dd <+63>: shlq $0x6, %r12 0x7fff201920e1 <+67>: leaq 0x5fea34d8(%rip), %rax ; (anonymous namespace)::SideTablesMap 0x7fff201920e8 <+74>: leaq (%rax,%r12), %r15 0x7fff201920ec <+78>: movq %r15, %rdi 0x7fff201920ef <+81>: movl $0x50000, %esi ; imm = 0x50000 0x7fff201920f4 <+86>: callq 0x7fff201952b4 ; symbol stub for: os_unfair_lock_lock_with_options 0x7fff201920f9 <+91>: movq %r13, %rax 0x7fff201920fc <+94>: shrq $0x3c, %rax 0x7fff20192100 <+98>: movq %rax, -0x38(%rbp) 0x7fff20192104 <+102>: movq %r13, %rax 0x7fff20192107 <+105>: shrq $0x31, %rax 0x7fff2019210b <+109>: andl $0x7f8, %eax ; imm = 0x7F8 0x7fff20192110 <+114>: addq 0x64853871(%rip), %rax ; (void *)0x00007fff80030870: objc_debug_taggedpointer_ext_classes 0x7fff20192117 <+121>: movq %rax, -0x30(%rbp) 0x7fff2019211b <+125>: xorl %eax, %eax 0x7fff2019211d <+127>: movq %r13, %rcx 0x7fff20192120 <+130>: testq %r13, %r13 0x7fff20192123 <+133>: js 0x7fff20192192 ; <+244> 0x7fff20192125 <+135>: movq (%rcx), %rbx 0x7fff20192128 <+138>: cmpq %rax, %rbx 0x7fff2019212b <+141>: je 0x7fff201921ba ; <+284> 0x7fff20192131 <+147>: movq (%rbx), %rax 0x7fff20192134 <+150>: leaq -0x1(%rax), %rcx 0x7fff20192138 <+154>: cmpq $0xf, %rcx 0x7fff2019213c <+158>: jb 0x7fff2019214d ; <+175> 0x7fff2019213e <+160>: movq 0x20(%rbx), %rcx 0x7fff20192142 <+164>: andq %r14, %rcx 0x7fff20192145 <+167>: testb $0x1, (%rcx) 0x7fff20192148 <+170>: je 0x7fff2019214d ; <+175> 0x7fff2019214a <+172>: movq %rbx, %rax 0x7fff2019214d <+175>: movq 0x20(%rax), %rax 0x7fff20192151 <+179>: andq %r14, %rax 0x7fff20192154 <+182>: testb $0x20, 0x3(%rax) 0x7fff20192158 <+186>: jne 0x7fff201921ba ; <+284> 0x7fff2019215a <+188>: movq %r15, %rdi 0x7fff2019215d <+191>: callq 0x7fff201952ba ; symbol stub for: os_unfair_lock_unlock 0x7fff20192162 <+196>: leaq 0x5fe9f1d3(%rip), %rdi ; runtimeLock 0x7fff20192169 <+203>: movl $0x50000, %esi ; imm = 0x50000 0x7fff2019216e <+208>: callq 0x7fff201952b4 ; symbol stub for: os_unfair_lock_lock_with_options 0x7fff20192173 <+213>: movq %rbx, %rdi 0x7fff20192176 <+216>: movq %r13, %rsi 0x7fff20192179 <+219>: xorl %edx, %edx 0x7fff2019217b <+221>: callq 0x7fff2017bcdc ; initializeAndMaybeRelock(objc_class*, objc_object*, mutex_tt<false>&, bool) 0x7fff20192180 <+226>: movq %r15, %rdi 0x7fff20192183 <+229>: movl $0x50000, %esi ; imm = 0x50000 0x7fff20192188 <+234>: callq 0x7fff201952b4 ; symbol stub for: os_unfair_lock_lock_with_options 0x7fff2019218d <+239>: movq %rbx, %rax 0x7fff20192190 <+242>: jmp 0x7fff2019211d ; <+127> 0x7fff20192192 <+244>: movq -0x38(%rbp), %rcx 0x7fff20192196 <+248>: leaq 0x5fe9e653(%rip), %rdx ; objc_debug_taggedpointer_classes 0x7fff2019219d <+255>: movq (%rdx,%rcx,8), %rbx 0x7fff201921a1 <+259>: movq -0x30(%rbp), %rcx 0x7fff201921a5 <+263>: leaq 0x5fe9e504(%rip), %rdx ; (void *)0x00007fff80030688: __NSUnrecognizedTaggedPointer 0x7fff201921ac <+270>: cmpq %rdx, %rbx 0x7fff201921af <+273>: jne 0x7fff20192128 ; <+138> 0x7fff201921b5 <+279>: jmp 0x7fff20192125 ; <+135> 0x7fff201921ba <+284>: leaq 0x5fea33ff(%rip), %rax ; (anonymous namespace)::SideTablesMap 0x7fff201921c1 <+291>: leaq 0x20(%r12,%rax), %rdi 0x7fff201921c6 <+296>: movq %rax, %r12 0x7fff201921c9 <+299>: movq %r13, %rsi 0x7fff201921cc <+302>: movq -0x40(%rbp), %r14 0x7fff201921d0 <+306>: movq %r14, %rdx 0x7fff201921d3 <+309>: movl $0x1, %ecx 0x7fff201921d8 <+314>: callq 0x7fff201905ff ; weak_register_no_lock -> 0x7fff201921dd <+319>: movq %rax, %rbx 0x7fff201921e0 <+322>: testq %rax, %rax
崩溃发生在85行处,然后我们往上查找,可以看到是在weak_register_no_lock 这个方法内部发生了崩溃。
id weak_register_no_lock(weak_table_t *weak_table, id referent_id, id *referrer_id, WeakRegisterDeallocatingOptions deallocatingOptions) { objc_object *referent = (objc_object *)referent_id; objc_object **referrer = (objc_object **)referrer_id; if (referent->isTaggedPointerOrNil()) return referent_id; // ensure that the referenced object is viable if (deallocatingOptions == ReturnNilIfDeallocating || deallocatingOptions == CrashIfDeallocating) { bool deallocating; if (!referent->ISA()->hasCustomRR()) { deallocating = referent->rootIsDeallocating(); } else { // Use lookUpImpOrForward so we can avoid the assert in // class_getInstanceMethod, since we intentionally make this // callout with the lock held. auto allowsWeakReference = (BOOL(*)(objc_object *, SEL)) lookUpImpOrForwardTryCache((id)referent, @selector(allowsWeakReference), referent->getIsa()); if ((IMP)allowsWeakReference == _objc_msgForward) { return nil; } deallocating = ! (*allowsWeakReference)(referent, @selector(allowsWeakReference)); } if (deallocating) { if (deallocatingOptions == CrashIfDeallocating) { _objc_fatal("Cannot form weak reference to instance (%p) of " "class %s. It is possible that this object was " "over-released, or is in the process of deallocation.", (void*)referent, object_getClassName((id)referent)); } else { return nil; } } } // now remember it and where it is being stored weak_entry_t *entry; if ((entry = weak_entry_for_referent(weak_table, referent))) { append_referrer(entry, referrer); } else { weak_entry_t new_entry(referent, referrer); weak_grow_maybe(weak_table); weak_entry_insert(weak_table, &new_entry); } // Do not set *referrer. objc_storeWeak() requires that the // value not change. return referent_id; }
可以看一下第31行代码处,如果自身在dealloc中并且deallocatingOptions == CrashIfDeallocating,则打印错误日志并退出。
系统为什么要这么做呢? 因为在对象dealloc时,系统会去查找对象的弱引用表,并把所有指向该对象的弱引用置为nil,如果我们在对象的dealloc中去初始化一个指向该对象的弱引用指针,很明显这是会产生冲突的。
现在我们已经知道了崩溃产生的具体原因和位置,接下来就开始思考如何防护。
在37行代码处我们可以看到,如果 deallocatingOptions != CrashIfDeallocating系统直接返回了nil,此时不发生崩溃。因此我们也可以通过同样的操作来避免崩溃的出现。
在到崩溃发生前,其实经过了好几个C方法的调用,分别是 objc_initWeak,
storeWeak, weak_register_no_lock,理论上我们hook这当中任意一个方法都是可以的。hook之后判断一下该对象是否正在释放当中,如果是的话,直接返回nil。
至于如何判断是否正在释放中,我们也可以通过runtime的源码找到答案。
本人采用的是NSObjct的一个私有方法。
- (BOOL)_isDeallocating { return _objc_rootIsDeallocating(self); }
解决方案
接下来看一下具体的实现代码
#import "fishhook.h" //fishhook,请自行搜索 //分类暴露私有方法 @interface NSObject (runtimePrivate) - (BOOL)_isDeallocating; @end static id(*sys_objc_initWeak)(id _Nullable * _Nonnull location, id _Nullable obj); id _Nullable aigis_objc_initWeak(id _Nullable * _Nonnull location, id _Nullable obj) { //判断是否正在释放 if ([obj respondsToSelector:@selector(_isDeallocating)]) { if([obj _isDeallocating]) { return nil; } } //调用系统的initWeak return sys_objc_initWeak(location,obj); } //调用此方法进行hook void start_objec_weak_defender() { //hook objc_initWeak 方法 struct rebinding rebindObj; rebindObj.name = "objc_initWeak"; rebindObj.replacement = aigis_objc_initWeak; rebindObj.replaced = (void *)&sys_objc_initWeak; struct rebinding rebindings[] = {rebindObj}; int result = rebind_symbols(rebindings, 1); }
此外,细心的朋友们应该也注意到另一种方案,hook weak_register_no_lock之后,直接修改deallocatingOptions参数。(ps: 此方案未实现过,感兴趣的朋友们可以自行探索)
weak_register_no_lock(weak_table_t *weak_table, id referent_id, id *referrer_id, WeakRegisterDeallocatingOptions deallocatingOptions)
原文:https://www.cnblogs.com/bigly/p/14835432.html