二进制重排

二进制重排作用

二进制重排的主要目的是将连续调用的函数连接到相邻的虚拟内存地址，这样在启动时可以减少缺页中断的发生，提升启动速度。目前网络上关于ios应用启动优化，通过XCode实现的版本比较多。MacOS上的应用也是通过clang进行编译的，理论上也可以进行二进制重排，主要分为两步。

首先是获取启动过程调用的函数符号，需要通过clang插桩方式实现，对于其它编译器目前没有找到类似的功能。

编译选项

set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize-coverage=func,trace-pc-guard")

set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize-coverage=func,trace-pc-guard")

入口函数

然后是入口函数实现，收集调用函数符号序列，通过下面的代码可以实现生成。

#ifndef APPCALLCOLLECTOR_H_
#define APPCALLCOLLECTOR_H_

#import <Foundation/Foundation.h>

//! Project version number for AppCallCollecter.
FOUNDATION_EXPORT double AppCallCollecterVersionNumber;

//! Project version string for AppCallCollecter.
FOUNDATION_EXPORT const unsigned char AppCallCollecterVersionString[];

/// 与CLRAppOrderFile只能二者用其一
extern NSArray <NSString *> *getAppCalls(void);

/// 与getAppCalls只能二者用其一
extern void appOrderFile(NSString* orderFilePath);

// In this header, you should import all the public headers of your framework using statements like #import <AppCallCollecter/PublicHeader.h>
#endif

#import "appcallcollector.h"
#import <dlfcn.h>
#import <libkern/OSAtomicQueue.h>
#import <pthread.h>

static OSQueueHead qHead = OS_ATOMIC_QUEUE_INIT;
static BOOL stopCollecting = NO;

typedef struct {
    void *pointer;
    void *next;
} PointerNode;

// dyld链接dylib时调用，start和stop地址之间的保存该dylib的所有符号的个数
// 可以不实现具体内容，不影响后续调用
extern "C" void __sanitizer_cov_trace_pc_guard_init(uint32_t *start,
                                         uint32_t *stop) {
    static uint32_t N;  // Counter for the guards.
    if (start == stop || *start) return;  // Initialize only once.
    printf("INIT: %p %p\n", start, stop);
    for (uint32_t *x = start; x < stop; x++)
        *x = ++N;  // Guards should start from 1.
    
    printf("totasl count %i\n", N);
}

// This callback is inserted by the compiler on every edge in the
// control flow (some optimizations apply).
// Typically, the compiler will emit the code like this:
//    if(*guard)
//      __sanitizer_cov_trace_pc_guard(guard);
// But for large functions it will emit a simple call:
//    __sanitizer_cov_trace_pc_guard(guard);
/* 通过汇编可发现，每个函数调用前都被插入了
 bl     0x102b188c0               ; symbol stub for: __sanitizer_cov_trace_pc_guard
 所以在每个函数调用时都会先跳转执行该函数
*/
extern "C" void __sanitizer_cov_trace_pc_guard(uint32_t *guard) {
    // If initialization has not occurred yet (meaning that guard is uninitialized), that means that initial functions like +load are being run. These functions will only be run once anyways, so we should always allow them to be recorded and ignore guard
    // +load方法先于guard_init调用，此时guard为0
   if(!*guard) { return; }

    if (stopCollecting) {
        return;
    }

    // __builtin_return_address 获取当前调用栈信息，取第一帧地址（即下条要执行的指令地址，被插桩的函数地址）
    void *PC = __builtin_return_address(0);
    PointerNode *node = (PointerNode *)malloc(sizeof(PointerNode));
    *node = (PointerNode){PC, NULL};
    // 使用原子队列要存储帧地址
    OSAtomicEnqueue(&qHead, node, offsetof(PointerNode, next));
}

extern NSArray <NSString *> *getAllFunctions(NSString *currentFuncName) {
    NSMutableSet<NSString *> *unqSet = [NSMutableSet setWithObject:currentFuncName];
    NSMutableArray <NSString *> *functions = [NSMutableArray array];
    while (YES) {
        PointerNode *front = (PointerNode *)OSAtomicDequeue(&qHead, offsetof(PointerNode, next));
        if(front == NULL) {
            break;
        }
        Dl_info info = {0};
        // dladdr获取地址符号信息
        dladdr(front->pointer, &info);
        NSString *name = @(info.dli_sname);
        // 去除重复调用
        if([unqSet containsObject:name]) {
            continue;
        }
        BOOL isObjc = [name hasPrefix:@"+["] || [name hasPrefix:@"-["];
        // order文件格式要求C函数和block前需要添加_
        NSString *symbolName = isObjc ? name : [@"_" stringByAppendingString:name];
        [unqSet addObject:name];
        [functions addObject:symbolName];
    }
    // 取反得到正确调用排序
    return [[functions reverseObjectEnumerator] allObjects];;
}

#pragma mark - public

extern NSArray <NSString *> *getAppCalls(void) {
    
    stopCollecting = YES;
    // 内存屏障，防止cpu的乱序执行调度内存（原子锁）
    __sync_synchronize();
    NSString* curFuncationName = [NSString stringWithUTF8String:__FUNCTION__];
    return getAllFunctions(curFuncationName);
}

extern void appOrderFile(NSString* orderFilePath) {
    stopCollecting = YES;
    __sync_synchronize();
    NSString* curFuncationName = [NSString stringWithUTF8String:__FUNCTION__];
    NSArray *functions = getAllFunctions(curFuncationName);
    NSString *orderFileContent = [functions.reverseObjectEnumerator.allObjects componentsJoinedByString:@"\n"];
    NSLog(@"[orderFile]: %@",orderFileContent);
    NSString *filePath = [NSTemporaryDirectory() stringByAppendingPathComponent:@"orderFile.order"];
    NSData * fileContents = [orderFileContent dataUsingEncoding:NSUTF8StringEncoding];

    // NSArray *functions = getAllFunctions(curFuncationName);
    // NSString * funcString = [symbolAry componentsJoinedByString:@"\n"];
    // NSString * filePath = [NSTemporaryDirectory() stringByAppendingPathComponent:@"lb.order"];
    // NSData * fileContents = [funcString dataUsingEncoding:NSUTF8StringEncoding];
    BOOL result = [[NSFileManager defaultManager] createFileAtPath:filePath contents:fileContents attributes:nil];
    if (result) {
        NSLog(@"%@",filePath);
    }else{
        NSLog(@"文件写入出错");
    }
}

链接器配置

拿到函数符号列表后，需要通过链接选项将列表文件传递给链接器，也可以通过链接选项输出link map，查看重排前后的符号顺序。

-order_file_statistics

Logs information about the processing of a -order_file.
-map map_file_path

Writes a map file to the specified path which details all symbols and their addresses in the output image.
-order_file file

Alters the order in which functions and data are laid out. For each section in the outputfile, any symbol in that section that are specified in the order file file is moved to the start of its section and laid out in the same order as in the order file file. Order files are text files with one symbol name per line. Lines starting with a # are comments. A symbol name may be optionally preceded with its object file leaf name and a colon (e.g. foo.o:_foo). This is useful for static functions/data that occur in multiple files. A symbol name may also be optionally preceded with the architecture (e.g. ppc:_foo or ppc:foo.o:_foo). This enables you to have one order file that works for multiple architec-tures. Literal c-strings may be ordered by by quoting the string (e.g. "Hello, world\n") in the order file.

可执行程序模块重排

set(CMAKE_CXX_LINK_FLAGS "-Xlinker -map -Xlinker /Users/Desktop/out/out001.txt -Xlinker -order_file_statistics -Xlinker -order_file -Xlinker /Users/Desktop/out/orderFile_cpp.order ${CMAKE_CXX_LINK_FLAGS}")

动态库重排

set(CMAKE_SHARED_LINKER_FLAGS "-Xlinker -map -Xlinker /Users/Desktop/out/out002.txt -Xlinker -order_file_statistics -Xlinker -order_file -Xlinker /Users/Desktop/out/orderFile_add.order ${CMAKE_SHARED_LINKER_FLAGS}")