ART invoke flow in assembly code


程超

May 18, 2015, 11:50:45 AM
to android-...@googlegroups.com
Hi:

I am studying the method execution flow in ART.

I am clear about the flow in which the interpreter code invokes the compiled code and JNI code, from reading the source code.

The flow is: artInterpreterToCompiledCode ==> ArtMethod.invoke ==> art_quick_invoke_stub ==> GetEntryPointFromCompiledCode.

Then we have four ways:
  1. Compiled code: code_offset
  2. Interpreter code: art_quick_to_interpreter_bridge ==> Interpreter::Execute
  3. Static method: art_quick_resolution_trampoline
  4. JNI code: quick_generic_jni_trampoline
But I am not clear about how compiled code invokes the other code.
public void test() {
    TestB bp = new TestB();
    a = bp.fun1();
    a = bp.fun5();
}

public class TestB {

    public int fun1() {
        return 1;
    }

    public int fun5() {
        return TestC.fun4(10, 12);
    }
}


TestB bp = new TestB();

0x00213800: f940ea5e        ldr x30, [x18, #464] //new-instance and construct method
0x00213804: b90063e0        str w0, [sp, #96]    //save w0
0x00213808: aa1403e1        mov x1, x20
0x0021380c: 52807f80        movz w0, #0x3fc
0x00213810: d63f03c0        blr x30


I found that when I create a new object it always loads the address from register x18 plus offset #464. What is x18? What is the creation flow?

a = bp.fun1();

0x00213934: aa0003f7        mov x21, x0       //the object address returned in x0 is saved in x21
0x00213938: aa1703e1        mov x1, x21       //pass the object as arg2 (this)
0x0021393c: b940002a        ldr w13, [x1]
0x00213940: aa1403e0        mov x0, x20
0x00213944: b9400c00        ldr w0, [x0, #12]
0x00213948: d2907f11        movz x12, #0x83e0 //different methods have different offset values
0x0021394c: b8716800        ldr w0, [x0, x12]
0x00213950: f940141e        ldr x30, [x0, #40]
0x00213954: d63f03c0        blr x30

After creating the new object, the instance is saved in x0. Then the object instance is moved to x1 and passed to fun1.

But I'm not clear what x0 is. I found that all method invokes will:
  1. ldr w0, [x0, #12]   // what's this? Get the method table?
  2. set an offset; different methods have different offsets
  3. ldr w0, [x0, x12]   // what's this? Get the method object?
  4. ldr x30, [x0, #40]  // what's this? Get the entry point of the method?
  5. blr x30
The x0 looks like [32-bit address + 32-bit address]. When we set w0, we change the lower 32-bit address. What's the memory struct? How can we find the object by changing w0?

  When we invoke the blr x30, we pass out args:
  • arg1: x0, I guess x0 is the method object (ArtMethod?)
  • arg2: x1, class instance (for a static method this arg is not needed)
  • arg3: if the method has args, it will use w2, w3
What is the invoke flow after the blr x30?

------------------------------------------------------------------------------

When fun5 is invoked, it will receive the ins arg from x0, but I think the x0 as the ins arg is different from the outs arg in fun1. Because if x0 is the Method object, how can we find the TestC.fun4 Method object from the TestB.fun5 Method object?

 public int fun5()
 {
   return TestC.fun4(10, 12);
 }

0x00285d30: d100c3ff        sub sp, sp, #0x30 (48)   //allocate the stack space
0x00285d34: a901d7f4        stp x20, x21, [sp, #24]  //save x20, x21 to stack
0x00285d38: f90017fe        str x30, [sp, #40]       //save x30 to stack
0x00285d3c: aa0003f5        mov x21, x0              //save arg x0 to x21, what's the x0?
0x00285d40: b90003e0        str w0, [sp]
0x00285d44: b90037e1        str w1, [sp, #52]
0x00285d48: 52800154        movz w20, #0xa           //w20 = 10
0x00285d4c: 52800182        movz w2, #0xc            //w2 = 12
0x00285d50: b90013e2        str w2, [sp, #16]
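Added example, not part of the thread: a small decoder for the four AArch64 instruction classes that appear in the listings above, so the offsets being asked about (12 and 40 bytes off the ArtMethod in x0, 464 bytes off x18) can be recovered from the raw instruction words instead of read off the hand-annotated text. It handles only LDR/STR with unsigned immediate offset, MOVZ, MOV (register) and BLR; other words are echoed as `.inst`.

```python
# Minimal AArch64 decoder for the instruction classes in the quoted ART
# disassembly (constructed example; instruction words copied from the thread).

def _base(n):
    # Register 31 means the stack pointer when used as a load/store base.
    return "sp" if n == 31 else f"x{n}"

def decode(insn):
    """Return an assembler string for one 32-bit instruction word."""
    if (insn & 0x3F000000) == 0x39000000:
        # LDR/STR (immediate, unsigned offset). The 12-bit immediate is
        # scaled by the access size: [x18, #464] is encoded as 58 << 3.
        size = insn >> 30                 # 0=b 1=h 2=w 3=x
        opc = (insn >> 22) & 3            # 0 = store, otherwise a load
        imm = ((insn >> 10) & 0xFFF) << size
        rn = (insn >> 5) & 0x1F
        rt = insn & 0x1F
        width = "x" if size == 3 else "w"
        mnem = "str" if opc == 0 else "ldr"
        return f"{mnem} {width}{rt}, [{_base(rn)}, #{imm}]"
    if ((insn >> 23) & 0xFF) == 0xA5:
        # MOVZ: 16-bit immediate, optionally shifted left by hw * 16.
        width = "x" if insn >> 31 else "w"
        hw = (insn >> 21) & 3
        imm16 = (insn >> 5) & 0xFFFF
        shift = f", lsl #{hw * 16}" if hw else ""
        return f"movz {width}{insn & 0x1F}, #0x{imm16:x}{shift}"
    if (insn & 0x7FE0FFE0) == 0x2A0003E0:
        # MOV (register) is an alias of ORR Rd, zr, Rm with no shift.
        width = "x" if insn >> 31 else "w"
        return f"mov {width}{insn & 0x1F}, {width}{(insn >> 16) & 0x1F}"
    if (insn & 0xFFFFFC1F) == 0xD63F0000:
        return f"blr x{(insn >> 5) & 0x1F}"
    return f".inst 0x{insn:08x}"          # not handled by this decoder

def disassemble(words):
    """Decode a list of instruction words in order."""
    return [decode(w) for w in words]

# The five words the thread shows for `TestB bp = new TestB();`.
NEW_INSTANCE = [0xF940EA5E, 0xB90063E0, 0xAA1403E1, 0x52807F80, 0xD63F03C0]

if __name__ == "__main__":
    for line in disassemble(NEW_INSTANCE):
        print(line)
```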


Ian Rogers

May 19, 2015, 4:26:06 PM
to android-...@googlegroups.com
In your example bp is known to be an instance of TestB and so the calls to fun1 and fun5 can be de-virtualized (aka made direct). Direct calls are made via the dex cache and so you are seeing dispatch via the dex cache and not via vtables. On method entry x0 is a reference to the method you are in (an ArtMethod) and that holds a reference to the dex cache.

Thanks,
Ian

程超

May 26, 2015, 12:34:46 PM
to android-...@googlegroups.com
Hi Ian:

Thanks a lot.

The ArtMethod has a member dex_cache_resolved_methods_ pointing to the ObjectArray<ArtMethod*> in the DexCache class. Then we can find the callee ArtMethod* from the caller ArtMethod*. The dex_cache_resolved_methods_ saves all the ArtMethod* in the current dex file.

But I have another question: if I invoke a method in framework.jar, just like the new method
TestB bp = new TestB();
0x00213800: f940ea5e ldr x30, [x18, #464]
0x00213804: b90063e0 str w0, [sp, #96]
0x00213808: aa1403e1 mov x1, x20
0x0021380c: 52807f80 movz w0, #0x3fc
0x00213810: d63f03c0 blr x30

It invokes [x18, #464]. The x18 looks like the ArtMethod* array in Framework.jar and #464 is the method index.

But the boot.oat file contains many *.jar files. All those files will have DexCache objects generated. If I want to invoke a method in those DexCaches from my apk DexFile, how can the system find the ArtMethod?

Thanks!

On Wednesday, May 20, 2015 at 4:26:06 AM UTC+8, Ian Rogers wrote:

Ian Rogers

May 27, 2015, 1:56:28 PM
to android-...@googlegroups.com
Hi 程超,

Your question is the same as asking why Framework.jar can't call a static method in your apk. Framework.jar doesn't have references to your apk, which will have its own dex file and associated dex cache. Virtual or interface methods may be what you want, or reflection?

Thanks,
Ian

weishu tian

Jul 27, 2017, 3:43:16 PM
to android-platform
The DexCache of your apk contains all the method call information in your code, which is saved in the `resolvedTypes` and `strings`; when you call a method in another Dex, ART can get the class of the call (through the type id), then get the DexCache of the callee class (in another dex), and that DexCache knows everything about the callee method.
 :)

On Wednesday, May 27, 2015 at 12:34:46 AM UTC+8, Chao Cheng wrote: