在使用delegate时候, 尤其是自定义delegate的时候, 都会自觉不自觉的加上weak属性, 系统的delegate也是这样写的,
@property(nullable,nonatomic,weak) id<UIScrollViewDelegate>, 当然, 这样写的一个主要原因是为了防止循环引用, 但是在iOS8.x的系统上delegate并不是weak属性, 而是__unsafe_unretained.
先来说下__unsafe_unretained和weak的区别
先上段代码
__unsafe_unretained id obj0 = nil;
{
id obj1 = [[NSObject alloc] init];
obj0 = obj1;
NSLog(@"obj1: %@", obj1);
}
NSLog(@"obj0: %@", obj0);
__weak id obj0 = nil;
{
id obj1 = [[NSObject alloc] init];
obj0 = obj1;
NSLog(@"obj1: %@", obj1);
}
NSLog(@"obj0: %@", obj0);
__unsafe_unretained从名字上就可以看出来, 不安全, 赋值的时候引用计数不增加, 也就是obj0被赋值为obj1的地址, 但是出了obj1的作用域, obj1被释放了, 而obj0并不释放, 而是依旧持有, 这样就会造成不安全!
而使用weak的时候, 出了obj1的作用域, obj1被释放, obj0引用计数为0被释放, 随即会把obj0置为nil.
崩溃堆栈&&场景重现
0 libobjc.A.dylib!objc_msgSend + 0x10
1 UIKit!-[UIScrollView(UIScrollViewInternal) _delegateScrollViewAnimationEnded] + 0x40
2 UIKit!-[UIScrollView(UIScrollViewInternal) _scrollViewAnimationEnded:finished:] + 0xcc
3 UIKit!-[UIAnimator stopAnimation:] + 0x1f4
4 UIKit!-[UIAnimator(Static) _advanceAnimationsOfType:withTimestamp:] + 0x14c
5 QuartzCore!CA::Display::DisplayLinkItem::dispatch() + 0x1c
6 QuartzCore!CA::Display::DisplayLink::dispatch_items(unsigned long long, unsigned long long, unsigned long long) + 0x140
7 IOKit!IODispatchCalloutFromCFMessage + 0x174
8 CoreFoundation!__CFMachPortPerform + 0xb0
9 CoreFoundation!__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE1_PERFORM_FUNCTION__ + 0x34
大体上意思就是, 在scrollView滑动结束的时候, 会继续使用delegate, 而此时的delegate已经释放了, 在iOS9+系统上, 是没有问题的, 因为delegate是weak的, 释放了立即置空, 不存在安全隐患, 而iOS9-, 则不行, 因为是__unsafe_unretained的, 所以, 释放了, 但不置空, 这就造成了野指针崩溃.
重现代码
#import "ScrollViewController.h"
@interface ScrollViewController ()<UIScrollViewDelegate>
@property (nonatomic, weak) UIScrollView *scrollView;
@property (nonatomic, weak) UIView *leftView;
@property (nonatomic, weak) UIView *centerView;
@property (nonatomic, weak) UIView *rightView;
@property (nonatomic, assign) NSInteger currentPage;
@end
@implementation ScrollViewController
- (void)dealloc {
NSLog(@"dealloc");
}
- (void)viewDidLoad {
[super viewDidLoad];
UIScrollView *scrollView = [[UIScrollView alloc] init];
scrollView.delegate = self;
[self.view addSubview:scrollView];
UIView *leftView = [[UIView alloc] init];
leftView.backgroundColor = UIColor.redColor;
[scrollView addSubview:leftView];
UIView *centerView = [[UIView alloc] init];
centerView.backgroundColor = UIColor.blueColor;
[scrollView addSubview:centerView];
UIView *rightView = [[UIView alloc] init];
rightView.backgroundColor = UIColor.greenColor;
[scrollView addSubview:rightView];
self.scrollView = scrollView;
self.leftView = leftView;
self.centerView = centerView;
self.rightView = rightView;
self.currentPage = 1;
}
- (void)viewDidLayoutSubviews {
CGFloat W = self.view.frame.size.width;
CGFloat H = self.view.frame.size.height;
self.scrollView.frame = self.view.bounds;
self.scrollView.contentSize = CGSizeMake(3*W, H);
self.leftView.frame = CGRectMake(0, 0, W, H);
self.centerView.frame = CGRectMake(W, 0, W, H);
self.rightView.frame = CGRectMake(2*W, 0, W, H);
[super viewDidLayoutSubviews];
}
#pragma mark - UIScrollViewDelegate
- (void)scrollViewWillBeginDragging:(UIScrollView *)scrollView {
NSLog(@"scrollViewWillBeginDragging");
[self.navigationController popViewControllerAnimated:NO];
}
- (void)scrollViewWillEndDragging:(UIScrollView *)scrollView withVelocity:(CGPoint)velocity
targetContentOffset:(inout CGPoint *)targetContentOffset {
NSLog(@"scrollViewWillEndDragging");
float width = scrollView.bounds.size.width;
CGFloat scrolledOffset = targetContentOffset->x - width * self.currentPage;
if (scrolledOffset > 0 && scrolledOffset >= width / 2) {
self.currentPage = self.currentPage + 1;
[self.scrollView setContentOffset:CGPointMake(self.scrollView.bounds.size.width * self.currentPage, 0) animated:YES];
} else if (scrolledOffset < 0 && fabs(scrolledOffset) >= width / 2) {
self.currentPage = self.currentPage - 1;
[self.scrollView setContentOffset:CGPointMake(self.scrollView.bounds.size.width * self.currentPage, 0) animated:YES];
}
}
@end
好的, 在scrollView开始滑动的时候就释放调当前的ViewController, 这时候由于系统持有scrollView在做动画, 并没有立即释放, 当动画结束后, 系统释放scrollView, 然后来到dealloc, self被释放, 但是问题的关键是这句代码
[self.scrollView setContentOffset:CGPointMake(self.scrollView.bounds.size.width * self.currentPage, 0) animated:YES];
这里scrollview会在整个做动画scrollViewWillBeginDragging, scrollViewWillEndDragging, scrollViewDidEndDragging等, 被系统强引用, 所以这里都是没问题的, 不会崩溃, 但是在里面再去做animated动画, 就很危险了, 因为这时候self即将被释放, 到时候, delegate将变成野指针, 所以当animated动画结束的时候会造成崩溃(可能animated结束的时候系统又用delegate去做了什么事情).
因为控制台打出的日志显示
[ScrollViewController respondsToSelector:]: message sent to deallocated instance 0x7ff8324d6900
经调查发现0x7ff8324d6900这个地址正是delegate原来的地址.
解决办法
那么这样一来, 我们是不是可以通过把delegate置空来避免崩溃呢'?
可以:
_scrollView.delegate = nil;
这也是最简单的解决办法, _scrollView.delegate置空后面拿delegate干事儿就安全了, 还有一个办法, hook dealloc, 通常我们再将scrollView后不会去考虑scrollView.delegate的安全性问题, 因为都会觉得, 随着scrollview的置空delegate也将被置空, 然而并不是(iOS9-不是)!
有关hook这里就不多表了, 懂的自然懂, 不懂也不是一两句话就能说明白的, 直接上代码
+ (void)hookUIScrollViewSetDelegate
{
[MethodsHooker hookMethedClass:NSClassFromString(@"UIScrollView")
hookSEL:@selector(setDelegate:)
originalSEL:@selector(originalSetDelegate:)
myselfSEL:@selector(myselfSetDelegate:)];
}
- (void)myselfSetDelegate:(UIViewController *)delegate
{
if (delegate) {
UIScrollView * __weak weak_self = (UIScrollView *)self;
[delegate setDeallocCallback:^{
weak_self.delegate = nil;
if ([weak_self isKindOfClass:[UITableView class]]) {
((UITableView *)weak_self).editing = NO;
((UITableView *)weak_self).dataSource = nil;
((UITableView *)weak_self).delegate = nil;
} else if ([weak_self isKindOfClass:[UICollectionView class]]) {
((UICollectionView *)weak_self).dataSource = nil;
((UICollectionView *)weak_self).delegate = nil;
}
}];
}
[self originalSetDelegate:delegate];
}
- (void)originalSetDelegate:(id)delegate
{
}
.h
#import <UIKit/UIKit.h>
typedef void (^DeallocCallback)();
@interface UIViewController (Dealloc)
@property (nonatomic, copy) DeallocCallback deallocCallback;
@end
.m
@implementation UIViewController (Dealloc)
+ (void)load
{
static dispatch_once_t onceToken;
dispatch_once(&onceToken, ^{
[self hookSelectorName:@"dealloc" withSelector:@selector(myUIViewControllerDealloc)];
});
}
- (void)myUIViewControllerDealloc
{
DeallocCallback callback = [self deallocCallback];
if (callback) {
callback();
}
[self myUIViewControllerDealloc];
}
- (void)setDeallocCallback:(DeallocCallback)callback
{
objc_setAssociatedObject(self, _cmd, callback, OBJC_ASSOCIATION_COPY_NONATOMIC);
}
- (DeallocCallback)deallocCallback
{
return objc_getAssociatedObject(self, @selector(setDeallocCallback:));
}
@end
这里在给scrollView设置delegate的时候, 同时为delegate的dealloc方法添加block. 为了执行到自己写的block, 我们还要hook dealloc, 这样执行dealloc会先执行我们的block中的代码, 这里会将delegate置空, 从而完成任务.
网友评论