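ART World Adventure (9) - Synchronization Locks
Java is a language that builds synchronization locks into both the language and the instruction set.
At the language level, Java provides the synchronized keyword.
At the instruction-set level, Java provides two instructions, monitorenter and monitorexit.
Let's look at how they are implemented.
Three ways to lock
Java code
There are three ways to take a lock:
- Put the synchronized keyword directly on the method
- Synchronize on some Object inside the method
- Call other tools from the concurrent library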
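import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;

public class SampleClass {
    // Field declarations are not shown in the original; these are assumed.
    private int mID;
    private final Object mObj = new Object();

    // 1. synchronized on the method: the lock object is `this`.
    public synchronized int newID() {
        return mID++;
    }

    // 2. synchronized block on an explicit lock object.
    public int newID2() {
        synchronized (mObj) {
            mID++;
        }
        return mID;  // read outside the lock
    }

    // 3. java.util.concurrent lock. Kept as compiled in the listings below:
    //    the lock is created per call, so it excludes no other thread,
    //    and the return statement increments mID a second time.
    public int newID3() {
        Lock lock = new ReentrantLock();
        try {
            lock.lock();
            mID++;
        } finally {
            lock.unlock();
        }
        return mID++;
    }
}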
Class bytecode
The first one is an attribute attached to the method, so it has no effect on the bytecode.
public synchronized int newID();
Code:
0: aload_0
1: dup
2: getfield #2 // Field mID:I
5: dup_x1
6: iconst_1
7: iadd
8: putfield #2 // Field mID:I
11: ireturn
The second one generates the corresponding monitorenter and monitorexit instructions.
public int newID2();
Code:
0: aload_0
1: getfield #4 // Field mObj:Ljava/lang/Object;
4: dup
5: astore_1
6: monitorenter
7: aload_0
8: dup
9: getfield #2 // Field mID:I
12: iconst_1
13: iadd
14: putfield #2 // Field mID:I
17: aload_1
18: monitorexit
19: goto 27
22: astore_2
23: aload_1
24: monitorexit
25: aload_2
26: athrow
27: aload_0
28: getfield #2 // Field mID:I
31: ireturn
Exception table:
from to target type
7 19 22 any
22 25 22 any
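The third one is a newer tool, so it gets no support from the instruction set.
While we are here, a word on try and finally: at the end there is an exception table. Its range covers instructions 8 through 24, and an exception jumps to instruction 33.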
public int newID3();
Code:
0: new #7 // class java/util/concurrent/locks/ReentrantLock
3: dup
4: invokespecial #8 // Method java/util/concurrent/locks/ReentrantLock."<init>":()V
7: astore_1
8: aload_1
9: invokeinterface #9, 1 // InterfaceMethod java/util/concurrent/locks/Lock.lock:()V
14: aload_0
15: dup
16: getfield #2 // Field mID:I
19: iconst_1
20: iadd
21: putfield #2 // Field mID:I
24: aload_1
25: invokeinterface #10, 1 // InterfaceMethod java/util/concurrent/locks/Lock.unlock:()V
30: goto 42
33: astore_2
34: aload_1
35: invokeinterface #10, 1 // InterfaceMethod java/util/concurrent/locks/Lock.unlock:()V
40: aload_2
41: athrow
42: aload_0
43: dup
44: getfield #2 // Field mID:I
47: dup_x1
48: iconst_1
49: iadd
50: putfield #2 // Field mID:I
53: ireturn
Exception table:
from to target type
8 24 33 any
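Dalvik code
Let's look at the first one. After translation to Dalvik instructions it has changed: monitor-enter and monitor-exit instructions have been added around the method body.
As the listing shows, monitor-exit is still reached even when an exception occurs.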
#2 : (in Lcom/yunos/xulun/testcppjni2/SampleClass;)
name : 'newID'
type : '()I'
access : 0x20001 (PUBLIC DECLARED_SYNCHRONIZED)
code -
registers : 3
ins : 1
outs : 0
insns size : 12 16-bit code units
1328c4: |[1328c4] com.yunos.xulun.testcppjni2.SampleClass.newID:()I
1328d4: 1d02 |0000: monitor-enter v2
1328d6: 5220 7a1d |0001: iget v0, v2, Lcom/yunos/xulun/testcppjni2/SampleClass;.mID:I // field@1d7a
1328da: d801 0001 |0003: add-int/lit8 v1, v0, #int 1 // #01
1328de: 5921 7a1d |0005: iput v1, v2, Lcom/yunos/xulun/testcppjni2/SampleClass;.mID:I // field@1d7a
1328e2: 1e02 |0007: monitor-exit v2
1328e4: 0f00 |0008: return v0
1328e6: 0d00 |0009: move-exception v0
1328e8: 1e02 |000a: monitor-exit v2
1328ea: 2700 |000b: throw v0
The second:
This is the one where we added the lock by hand; apart from using an Object, it barely differs from the previous one.
#3 : (in Lcom/yunos/xulun/testcppjni2/SampleClass;)
name : 'newID2'
type : '()I'
access : 0x0001 (PUBLIC)
code -
registers : 3
ins : 1
outs : 0
insns size : 16 16-bit code units
1328f8: |[1328f8] com.yunos.xulun.testcppjni2.SampleClass.newID2:()I
132908: 5421 7b1d |0000: iget-object v1, v2, Lcom/yunos/xulun/testcppjni2/SampleClass;.mObj:Ljava/lang/Object; // field@1d7b
13290c: 1d01 |0002: monitor-enter v1
13290e: 5220 7a1d |0003: iget v0, v2, Lcom/yunos/xulun/testcppjni2/SampleClass;.mID:I // field@1d7a
132912: d800 0001 |0005: add-int/lit8 v0, v0, #int 1 // #01
132916: 5920 7a1d |0007: iput v0, v2, Lcom/yunos/xulun/testcppjni2/SampleClass;.mID:I // field@1d7a
13291a: 1e01 |0009: monitor-exit v1
13291c: 5220 7a1d |000a: iget v0, v2, Lcom/yunos/xulun/testcppjni2/SampleClass;.mID:I // field@1d7a
132920: 0f00 |000c: return v0
132922: 0d00 |000d: move-exception v0
132924: 1e01 |000e: monitor-exit v1
132926: 2700 |000f: throw v0
catches : 2
0x0003 - 0x000a
<any> -> 0x000d
0x000e - 0x000f
<any> -> 0x000d
positions :
0x0000 line=27
0x0003 line=28
0x0009 line=29
0x000a line=30
0x000d line=29
locals :
0x0000 - 0x0010 reg=2 this Lcom/yunos/xulun/testcppjni2/SampleClass;
The third is just like an ordinary method call, so we won't go into it.
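Added example (not from the original article): a Python check over dexdump output that flags any monitor-enter whose critical section is not covered by a catch-all handler that runs monitor-exit on the same register, which is the pattern visible in the newID2 dump above. The function names are hypothetical, the sample is the newID2 listing with the address/byte columns and field operands trimmed, and try ranges are assumed to be end-exclusive.

```python
import re

# dexdump excerpt for newID2(), taken from the listing above with the
# address/byte columns and field operands trimmed.
NEWID2 = """\
|0000: iget-object v1, v2
|0002: monitor-enter v1
|0003: iget v0, v2
|0005: add-int/lit8 v0, v0, #int 1
|0007: iput v0, v2
|0009: monitor-exit v1
|000a: iget v0, v2
|000c: return v0
|000d: move-exception v0
|000e: monitor-exit v1
|000f: throw v0
0x0003 - 0x000a
<any> -> 0x000d
0x000e - 0x000f
<any> -> 0x000d
"""

INSN = re.compile(r"\|([0-9a-f]{4}): ([\w/-]+)(?: (v\d+))?")
TRY = re.compile(r"0x([0-9a-f]+) - 0x([0-9a-f]+)\n\s*(\S+) -> 0x([0-9a-f]+)")

def unlocks(insns, handler, reg):
    """True if code from `handler` runs monitor-exit on reg before throwing."""
    for pc, op, r in insns:
        if pc >= handler and (op, r) == ("monitor-exit", reg):
            return True
        if pc >= handler and op == "throw":
            return False
    return False

def unguarded_monitors(dump):
    """PCs of monitor-enter whose critical section has no unlocking catch-all."""
    insns = [(int(pc, 16), op, reg) for pc, op, reg in INSN.findall(dump)]
    tries = [(int(a, 16), int(b, 16), t, int(h, 16)) for a, b, t, h in TRY.findall(dump)]
    bad = []
    for i, (pc, op, reg) in enumerate(insns):
        if op != "monitor-enter":
            continue
        body = insns[i + 1:]
        # The normal path ends at the first monitor-exit on the same register.
        end = next((p for p, o, r in body if (o, r) == ("monitor-exit", reg)), None)
        if end is None or not any(
                t == "<any>" and lo <= body[0][0] and end < hi and unlocks(insns, h, reg)
                for lo, hi, t, h in tries):
            bad.append(pc)
    return bad
```

An empty result for the newID2 listing means the lock is released on both the normal and the exception path; a non-empty result points at a monitor that can stay held after a throw.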
OAT generated code
Because the first two are structurally very similar, at the OAT level we analyze only the first.
3: int com.yunos.xulun.testcppjni2.SampleClass.newID() (dex_method_idx=16780)
DEX CODE:
0x0000: 1d02 | monitor-enter v2
0x0001: 5220 7a1d | iget v0, v2, I com.yunos.xulun.testcppjni2.SampleClass.mID // field@7546
0x0003: d801 0001 | add-int/lit8 v1, v0, #+1
0x0005: 5921 7a1d | iput v1, v2, I com.yunos.xulun.testcppjni2.SampleClass.mID // field@7546
0x0007: 1e02 | monitor-exit v2
0x0008: 0f00 | return v0
0x0009: 0d00 | move-exception v0
0x000a: 1e02 | monitor-exit v2
0x000b: 2700 | throw v0
OatMethodOffsets (offset=0x00277794)
code_offset: 0x0066275c
gc_map: (offset=0x002ce242)
OatQuickMethodHeader (offset=0x00662740)
mapping_table: (offset=0x0030855a)
vmap_table: (offset=0x0030df6a)
v65535/r30
QuickMethodFrameInfo
frame_size_in_bytes: 32
core_spill_mask: 0x40000000 (r30)
fp_spill_mask: 0x00000000
vr_stack_locations:
locals: v0[sp + #12] v1[sp + #16]
ins: v2[sp + #40]
method*: v3[sp + #0]
CODE: (code_offset=0x0066275c size_offset=0x00662758 size=168)...
0x0066275c: d1400bf0 sub x16, sp, #0x2000 (8192)
0x00662760: b940021f ldr wzr, [x16]
suspend point dex PC: 0x0000
GC map objects: v2 ([sp + #40])
The beginning is the same suspend check as before.
w1 holds the current object; it is stored to sp+40 and used below as the lock object.
0x00662764: f81e0fe0 str x0, [sp, #-32]!
0x00662768: f9000ffe str lr, [sp, #24]
0x0066276c: b9002be1 str w1, [sp, #40]
0x00662770: 79400250 ldrh w16, [tr] (state_and_flags)
0x00662774: 35000430 cbnz w16, #+0x84 (addr 0x6627f8)
The current object just stored at sp+40 is loaded into w0.
Then the pLockObject routine is called to take the lock.
0x00662778: b9402be0 ldr w0, [sp, #40]
0x0066277c: f9419e5e ldr lr, [tr, #824] (pLockObject)
0x00662780: d63f03c0 blr lr
suspend point dex PC: 0x0000
GC map objects: v2 ([sp + #40])
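The object reference is read back into w0.
sp+12 is the field variable mID; it is read into register w1,
then stored back and read into w0, because the next addition is computed in w0.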
0x00662784: b9402be0 ldr w0, [sp, #40]
0x00662788: b940001f ldr wzr, [x0]
suspend point dex PC: 0x0001
GC map objects: v2 ([sp + #40])
0x0066278c: b9400c01 ldr w1, [x0, #12]
suspend point dex PC: 0x0001
GC map objects: v2 ([sp + #40])
0x00662790: b9000fe1 str w1, [sp, #12]
0x00662794: b9400fe0 ldr w0, [sp, #12]
Compute mID++ and store it to sp+16.
Then read the object from sp+40 again, locate mID, and store it back to sp+12.
0x00662798: 11000401 add w1, w0, #0x1 (1)
0x0066279c: b90013e1 str w1, [sp, #16]
0x006627a0: b9402be0 ldr w0, [sp, #40]
0x006627a4: b940001f ldr wzr, [x0]
suspend point dex PC: 0x0005
GC map objects: v2 ([sp + #40])
0x006627a8: b9000be0 str w0, [sp, #8]
0x006627ac: b9400be0 ldr w0, [sp, #8]
0x006627b0: b94013e1 ldr w1, [sp, #16]
0x006627b4: b9000c01 str w1, [x0, #12]
Unlock: read the object reference from sp+40 again and call pUnlockObject with that object as the argument.
0x006627b8: b9402be0 ldr w0, [sp, #40]
0x006627bc: f941a25e ldr lr, [tr, #832] (pUnlockObject)
0x006627c0: d63f03c0 blr lr
suspend point dex PC: 0x0007
GC map objects: v2 ([sp + #40])
Remember that sp+12 is the mID variable: read it into w0 for the return value, restore LR, clean up the stack, and return.
0x006627c4: b9400fe0 ldr w0, [sp, #12]
0x006627c8: f9400ffe ldr lr, [sp, #24]
0x006627cc: 910083ff add sp, sp, #0x20 (32)
0x006627d0: d65f03c0 ret
Below is the unlock on the exception path: the exception value is stored at sp+12.
The object reference is read from sp+40 and passed to pUnlockObject to release the lock.
catch entry dex PC: 0x0009
0x006627d4: b9408a40 ldr w0, [tr, #136] (exception)
0x006627d8: b9008a5f str wzr, [tr, #136] (exception)
0x006627dc: b9000fe0 str w0, [sp, #12]
0x006627e0: b9402be0 ldr w0, [sp, #40]
0x006627e4: f941a25e ldr lr, [tr, #832] (pUnlockObject)
0x006627e8: d63f03c0 blr lr
suspend point dex PC: 0x000a
GC map objects: v0 ([sp + #12]), v2 ([sp + #40])
After unlocking, the exception stashed at sp+12 is thrown by calling pDeliverException.
0x006627ec: b9400fe0 ldr w0, [sp, #12]
0x006627f0: f942225e ldr lr, [tr, #1088] (pDeliverException)
0x006627f4: d63f03c0 blr lr
suspend point dex PC: 0x000b
GC map objects: v0 ([sp + #12]), v2 ([sp + #40])
Last comes pTestSuspend again.
0x006627f8: f9421e5e ldr lr, [tr, #1080] (pTestSuspend)
0x006627fc: d63f03c0 blr lr
suspend point dex PC: 0x0000
GC map objects: v2 ([sp + #40])
0x00662800: 17ffffde b #-0x88 (addr 0x662778)