Objective-c Low-level class exploration – Part 1

directory

• 1, the background
• From ISA to classes to metaclasses
• 3, the classic ISA bit and metaclass inheritance relationship (interview must ask)
• 4. Class structure
• 5, pointer and memory translation
• 6, class structure and memory calculation
• 7. Use LLDB to analyze the structure of classes
• Member variables and class methods
• 9,

1. The background

Learning is not confused, let me fly! Hi, I’m Tommy! First of all, I would like to apologize to you for the serious delay caused by my heavy work this month. I originally planned to update two articles, but only one of them was updated. I hope you can understand. So without further ado, let’s move on! ~ (Every article is carefully done)

This article is an exploration of objective-C underlying classes. After three articles, we have a new understanding of the underlying objects. Next, we will explore what the most familiar Class is.

3. Classic ISA bit and metaclass inheritance relationship (interview must ask)

• Isa bitmap

  • Through the above section we can see that our own class will be created at compile timemateClassThat’s what we’re talking aboutThe metaclass, let’s look at a picture:

  

  • This is something I’m sure you’ve seen before, but the original is a diagram from apple’s official documentation. Intended as an illustration of ISA and class inheritance chains. But do you really understand this picture? I believe that some friends still have some confusion, so I will take you to comb through, so that you can clear up the concept of ISA position.

  • Isa step concept analysis: we first to strengthen the overall concept, this point to understand is almost the same, please see the following several concept analysis:

  • ☆ There is a corresponding metaclass for each class.

  • The ISA of each metaclass refers to the Root metaclass.

  • ☆ What is a root metaclass? How to understand? You can view it as a metaclass of NSObject.

  • So let’s verify this bitmap to see if it’s consistent with what’s in the picture; First we can use the object_getClass() code to print the values for each class, but remember to reference the
    
    header file.
    

  The printed result is the same as using LLDB.

  • At this point, we’ve takenZXPersonThe information about the class is printed, so let’s print itNSObjectInformation. Look at the pictureRootClass(mate)Whether isNSObjectThe metaclass. Let’s add the following code to print and see the result.

  

  • We have confirmed the authenticity of isa bitmap by the printed output results, so we can draw a bitmap for better understanding of the conclusion verified by ourselves.

  

• Summary of ISA moving position:

  • ☆ All instances, classes, and metaclassesisaThe isa of the instance points to the class, and the ISA of the class points to the corresponding metaclass and metaclassisaPoint to the root metaclass(NSObject metaclass);
  • ☆ Finally onlyNSObjectThe metaclass (root metaclass) of his is specialisaHe was pointing at himself.

  The lastisaWe have sorted out the position and relationship of. Now let’s sort out the inheritance chain.

• Metaclass inheritance:

  • Yes, you read that right! Although metaclasses are created automatically at compile time, they are also a Class and have class-related features, including inheritance. Metaclasses also have inheritance relationships like ordinary classes.

  • The inheritance relationship of metaclases is actually very easy to understand, and it is consistent with the inheritance relationship of ordinary classes corresponding to it. For example, ZXPerson inherits from ZXHuman, and ZXPerson_MateClass inherits from ZXHuman_MateClass. There’s still something special that happens when the inheritance chain goes to NSObject. Let’s verify and explore it in code.

  • We first print the information for the normal and metaclass inheritance chains separately.

  

  • Then look at the output:

  

  • Based on the print results we found thatZXPersonThe parent of the metaclass (red box) ofZXHumanThe metaclass;ZXPersonThe metaclass 2 parent (blue box) of isNSObjectThe metaclass;ZXPersonThe metaclass 3 parent (green box) of isNSObjectIn the class.ZXPersonThe level 4 superclass of the metaclass ofnilThat means there are no more superclasses.

  

• Node summary:

  • After the above verification and explanation I think you should be rightisaGo a bit, the understanding of metaclass had a deeper level of comprehension. In the last few articles, we have introduced the underlying structure of objects. Now let’s explore what the underlying structure of classes looks like.

Pointer and memory translation

• The concept of memory pan is not hard to understand. We used the concept of memory pan again in the first section when we used the offset in the ASLR+MachO file to find the desired class information. The principle is to obtain the desired result by changing the cheap location of the current memory pointer. Let’s use a few examples to better understand this.

• Common type memory address:

  • So let’s start with some simple code, and we’ll define it separately3aintType, where a variable is assigned to10And then assign each to the others2Variable, and then print the value and memory address.

  

  • We found that although3The values of all variables are10But the addresses are different, so we can print the addresses separately and see how the values are stored.

  

  • Address after printing0x7ffeefbff3fc,0x7ffeefbff3f8,0x7ffeefbff3f4The values are0x0aThat is10For common types, values are stored separately in memory.

• Memory address of pointer type:

  • Let’s look at the memory address of the pointer type, which we createdNSObjectAnd then print them separately. throughLLDBBy analyzing it, I was able to get their previous relationshipaObjcFor example,&aObjcaddress0x7ffeefbff3e8The saved value isa0 59 54 00 01 00 00(Small segment mode looking from right to left) the positive row isaObjcThe address of the0x1005459a0And theaObjcThe value stored in the address is89 13 7a 80 ff ff 1d 01At the right moment is theaObjcThe object’sisaThe address of the0x011dffff807a1389.

  

• Memory address of array type:

  • Finally, let’s look at the memory address of the array, so let’s create an array. After printing, we find that the address of the array type is the address of the first element of the array. So can we print the values of other elements in the array by manipulating memory? The answer was available at the time.

  

• Memory translation test:

  • We just had an arrayarray[10]Perform a memory translation test as follows:

  

  • We go through the loop pairpointPointer to + operation, each time+ 1That’s the size of a type shift. Our array is of typeintType,4A byte size, then each time on the pointer+ 1Equivalent to memory translation4A step.(Each address is spaced by 4 sizes)

  

• Node summary:

  • Now we can use memory translation to get all the attributes of the other members of the objC_class structure, but we still need to figure out how much translation we need to get all the data we want. And that’s the next summary that we’re going to figure out which is the in-memory computation of class structures.

Analyze the structure of classes with LLDB

• Before starting this section, we will make a detailed analysis of class_datA_bits_t bits. Above, we only have a cursory understanding of some important data in bits, but we do not know the specific contents of these data. So let’s explore it.

• Class_data_bits_t bits hold the important information

  • We looked carefullyclass_data_bits_tStructures. I found one of themdata()Method, which returns aclass_rw_tThe structure of the body(Details about RW and RO will be introduced in the following chapters)To trackclass_rw_tWe found that this structure containsMethods (), properties(), protocols()This information, this is what we define in our normal class, and I’m going to use itLLDBTo analyze the structure of a class.

  

• Structure analysis

  • We have passed through the above processLLDBAccess to thebitsthedata()Content, i.eclass_rw_tStructure. We’re throughLLDBcallclass_rw_tLet’s see what happens with the method in the structure.

  

  • In the printproperties()After that, the data can be returned normally, indicating that we have obtained itproperties()Now that the object is returned, let’s go back to the source code and see if there’s any way we can print the contents of the member properties. Check the source code we knowproperties()The returnedprotocol_array_tIt’s something called a structure.(Also printed above via LLDB)

  

  • To follow upprotocol_array_tSource code, its internal is alist_array_tt.(Also printed above via LLDB)

  

  • According to theLLDBPrinted resultlist_array_ttThere should be an internal one namedlistAnd inside the set is a set calledptrWith these questions I came to seelist_array_ttSource code, first let’s take a look at the comments.

  

  • Generic implementation of metadata extensible by category;
  • parameterElement: Element is the base metadata type (for example, method_t);
  • parameterListIs a list type of metadata (for example, a list of methods);
  • parameterPtr: is a template that is applied to elements, used to generate elements *, and is useful for applying qualifiers to pointer types. (The Ptr argument is a RawPtr passed in PROTOCOL_array_t, which is a template and most likely used for encapsulation.)

  

  • And if you look down there’s one insidePtr<List> listThe type andLLDBPrint the same content. Let’s see if we can get throughLLDBTo get.

  

  • We have to$28.list.ptrYou print it, you get the result, and then you print itp *$34gotproperty_list_tAnd found an internal one calledentsize_list_ttThe structure of phi, thenproperty_list_twithentsize_list_ttWhat does it matter?
  • Let’s go back toproperty_array_tMethod, discovery calllist_array_ttWhen the incoming3Each of these parameters corresponds to the comment content we saw aboveElement, List, Ptr.So let’s take a lookproperty_list_tHow is it defined.

  

  • It doesn’t seem to jump from here by clicking directly, so we use searchcommand+shift+O

  

  • It turns out thatproperty_list_tIs the inheritance andentsize_list_ttHe didn’t achieve anything on his own. So let’s go straight to itentsize_list_tt.

  

  • We just printedproperty_list_t, the results show thatentsize_list_ttThe inside of thecountThe size is4, which suggests thatentsize_list_ttItself is also a collection structure, through the source code found that there is an iterator inside(the iterator)It also provides a method to get the inner element, OK! After all the trials and hardships, I finally found it! We’re throughgetDoes the method print out the properties in our class?

  

  • We’re throughLLDBcall$35. Get (I) ' 'We took each of the0-3To print,0-3Is the property that we defined,ZxName, zxAge, zxSex, zxHeight;(When it prints to 4, it says it's out of bounds.)

  

  • Now that we’re done with the property list, let’s look at the method list;

• Print method list data

  • Same way but get a different result, callget()Methods cannot print information about methods. Why? Look at the next summary.

  

• Node summary:

  

  • A proposed structure is attached to facilitate understanding of the relationship between the structures.
  • This summary we passLLDBIn combination with the source code, rightclass_rw_tThe structure is analyzed in detail and can successfully print out the attribute information, but when the same method is used to print the method information, it fails to meet the expectations. So, we’ll explore that in the next summary, and that’s the end of this summary.

9. To summarize

• 1. This article first guides you fromisaDerived metaclass, and detailed analysis and verificationisaConcepts such as bit-walking and metaclass inheritance.(This concept is not hard to recite, play once to understand)
• 2. Through the method of memory translation, the overall study of the structure of the class is carried out, mainly on which structures are stored in the attributes and methods of the class, and throughLLDBTo verify.
• 3. Finally, we startedclass_rw_tThis structure, what does this structure actually mean? So look at the next one.

Complementary extension

• MachO file:MachOA file format that includes executable files, static libraries, dynamic libraries,dyldAnd so on; Executable files that are included are a collection of multiple schemas, such as includeArmv7, arm64And so on;
• ASLR:iOSOpen one in the systemAppIt is time to beAppBinary data from the hard diskcopyTo the memory, then the binary data will correspond to a memory address, due to security and other factors, the memory address is replaced by the virtual cache address, and the address starting position is dynamic, each time the startup will be different, this technology isASLRSo whenDYLDloadingMachOThe first step is to relocate the data, and this relocation is calledrebase.

Wrote last

• This summary code example gitHub download address
• To this content and the end of this! Don’t forget to give a thumbs-up if you like it! Your praise is my biggest power source!

Navigation:

• Previous: Objective-C Low-level Object Research – Part 2 Next: to be continued…..