
一键释放iOS 64位App潜力

 山峰云绕 2022-08-01 发布于贵州



| 导语 把我的iPhone XR扶起来,它还能再顶一会儿~


远在iOS 11时期(2017年),苹果就发公告要求所有需要上架AppStore的应用都必须支持64位。32位应用不再支持上架与运行。


  • 指针字长更长,可使用的虚拟内存更大,摆脱32位下受限的4G内存空间
    • 16 bit = 65,536 bytes (64 Kilobytes)
    • 32 bit = 4,294,967,296 bytes (4 Gigabytes)
    • 64 bit = 18,446,744,073,709,551,616 (16 Exabytes)
  • 寄存器更多,减少内存读写,加快执行速度




Last Exception :0  JavaScriptCore                 0x000000018b777570 _pas_panic_on_out_of_memory_error1  JavaScriptCore                 0x000000018b72e918 _bmalloc_try_iso_allocate_impl_impl_slow2  JavaScriptCore                 0x000000018b73d3d8 _bmalloc_heap_config_specialized_local_allocator_try_allocate_small_segregated_slow +  59523  JavaScriptCore                 0x000000018b7276f8 _bmalloc_allocate_impl_casual_case +  8004  JavaScriptCore                 0x000000018c60d494 JSC::PropertyTable::create(JSC::VM&, unsigned int) +  2445  JavaScriptCore                 0x000000018c66ba74 JSC::Structure::materializePropertyTable(JSC::VM&, bool) +  3246  JavaScriptCore                 0x000000018c66dfac JSC::Structure::changePrototypeTransition(JSC::VM&, JSC::Structure*, JSC::JSValue, JSC::DeferredStructureTransitionWatchpointFire&) +  6127  JavaScriptCore                 0x000000018c559930 JSC::JSObject::setPrototypeDirect(JSC::VM&, JSC::JSValue) +  1928  JavaScriptCore                 0x000000018c559e40 JSC::JSObject::setPrototypeWithCycleCheck(JSC::VM&, JSC::JSGlobalObject*, JSC::JSValue, bool) +  3169  JavaScriptCore                 0x000000018c4f580c JSC::globalFuncProtoSetter(JSC::JSGlobalObject*, JSC::CallFrame*) +  19210 JavaScriptCore                 0x000000018ba1f7a8 _vmEntryToNative +  28011 JavaScriptCore                 0x000000018c1b0cd0 JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) +  61612 JavaScriptCore                 0x000000018c474ecc JSC::GetterSetter::callSetter(JSC::JSGlobalObject*, JSC::JSValue, JSC::JSValue, bool) +  21213 JavaScriptCore                 0x000000018c5b6264 JSC::JSGenericTypedArrayView<JSC::Uint8Adaptor>::put(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) +  61214 JavaScriptCore                 0x000000018c2c2ecc _llint_slow_path_put_by_id +  3244// 忽略多余重复堆栈37 JavaScriptCore                 0x000000018ba1f5fc _vmEntryToJavaScript +  26438 JavaScriptCore                 0x000000018c1b0c7c JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) +  53239 JavaScriptCore                 0x000000018bac7ae4 _JSObjectCallAsFunction +  56840 mttlite                        0x0000000102a54914 hippy::napi::JSCCtx::CallFunction(std::__1::shared_ptr<hippy::napi::CtxValue> const&, unsigned long, std::__1::shared_ptr<hippy::napi::CtxValue> const*) (js_native_api_value_jsc.cc:406)41 mttlite                        0x0000000102a664e0 _ZNSt3__110__function6__funcIZN11TimerModule5StartERKN5hippy4napi12CallbackInfoEbE3$_4NS_9allocatorIS8_EEFvvEEclEv (memory:3237)42 mttlite                        0x0000000102a63018 hippy::base::TaskRunner::Run() (memory:3237)43 mttlite                        0x0000000102a64974 ThreadEntry (thread.cc:0)44 libsystem_pthread.dylib        0x00000001dc129348 __pthread_start +  116------Exception Type: SIGTRAP Exception Codes: fault addr: 0x000000018b777570Crashed Thread: 48 hippy.js





当时跟hippy SDK的同事也讨论过是否存在类似的内存不足情况。但由于大家对JSC黑盒都不熟悉,而且崩溃的JS堆栈也不确切。当时的建议是:少在后台加载JSC。最终也并没有解决该问题。

两年后,当浏览器集成flutter,类似的JS崩溃直接翻倍(21H2 0.08% -> 22H1 0.16%)。没办法,还是要看类似JSC和Dart VM的内存分配机制是怎样的,再挖掘一下是否存在解()决()方案。



// WebKit bmalloc VMAllocateinline void* tryVMAllocate(size_t vmSize, VMTag usage = VMTag::Malloc){    vmValidate(vmSize);    void* result = mmap(0, vmSize, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON | BMALLOC_NORESERVE, static_cast<int>(usage), 0);    if (result == MAP_FAILED)        return nullptr;    return result;}
// Dart VM的虚拟内存VirtualMemory* VirtualMemory::Allocate(intptr_t size,                                       bool is_executable,                                       const char* name) {  ASSERT(Utils::IsAligned(size, PageSize()));  const int prot = PROT_READ | PROT_WRITE | (is_executable ? PROT_EXEC : 0);  int map_flags = MAP_PRIVATE | MAP_ANONYMOUS;#if (defined(DART_HOST_OS_MACOS) && !defined(DART_HOST_OS_IOS))  if (is_executable && IsAtLeastOS10_14()) {    map_flags |= MAP_JIT;  }#endif  // defined(DART_HOST_OS_MACOS)  // Some 64-bit microarchitectures store only the low 32-bits of targets as  // part of indirect branch prediction, predicting that the target's upper bits  // will be same as the call instruction's address. This leads to misprediction  // for indirect calls crossing a 4GB boundary. We ask mmap to place our  // generated code near the VM binary to avoid this.  void* hint = is_executable ? reinterpret_cast<void*>(&Allocate) : nullptr;  void* address = mmap(hint, size, prot, map_flags, -1, 0);  if (address == MAP_FAILED) {    return nullptr;  }  return new VirtualMemory(address, size);}VirtualMemory::~VirtualMemory() {  if (address_ != nullptr) {    if (munmap(address_, size_) != 0) {      int error = errno;      const int kBufferSize = 1024;      char error_buf[kBufferSize];      FATAL("munmap error: %d (%s)", error,            Utils::StrError(error, error_buf, kBufferSize));    }  }}



/* * mmap stub, with preemptory failures due to extra parameter checking * mandated for conformance. * * This is for UNIX03 only. */void *mmap(void *addr, size_t len, int prot, int flags, int fildes, off_t off){    /*     * Preemptory failures:     *      * o    off is not a multiple of the page size     * o    flags does not contain either MAP_PRIVATE or MAP_SHARED     * o    len is zero     */    extern void cerror_nocancel(int);    if ((off & PAGE_MASK) ||        (((flags & MAP_PRIVATE) != MAP_PRIVATE) &&         ((flags & MAP_SHARED) != MAP_SHARED)) ||        (len == 0)) {        cerror_nocancel(EINVAL);        return(MAP_FAILED);    }    void *ptr = __mmap(addr, len, prot, flags, fildes, off);        if (__syscall_logger) {        int stackLoggingFlags = stack_logging_type_vm_allocate;        if (flags & MAP_ANON) {            stackLoggingFlags |= (fildes & VM_FLAGS_ALIAS_MASK);        } else {            stackLoggingFlags |= stack_logging_type_mapped_file_or_shared_mem;        }        __syscall_logger(stackLoggingFlags, (uintptr_t)mach_task_self(), (uintptr_t)len, 0, (uintptr_t)ptr, 0);    }    return ptr;}

上面的调用会传递到内核kern_mman.c的实现函数mmap(proc_t p, struct mmap_args *uap, user_addr_t *retval)

/* * XXX Internally, we use VM_PROT_* somewhat interchangeably, but the correct * XXX usage is PROT_* from an interface perspective.  Thus the values of * XXX VM_PROT_* and PROT_* need to correspond. */intmmap(proc_t p, struct mmap_args *uap, user_addr_t *retval){        /*         * 上面忽略了一部分代码         */        result = vm_map_enter_mem_object(user_map,            &user_addr, user_size,            0, alloc_flags, vmk_flags,            tag,            IPC_PORT_NULL, 0, FALSE,            prot, maxprot,            (flags & MAP_SHARED) ?            VM_INHERIT_SHARE :            VM_INHERIT_DEFAULT);        /* If a non-binding address was specified for this anonymous         * mapping, retry the mapping with a zero base         * in the event the mapping operation failed due to         * lack of space between the address and the map's maximum.         */        if ((result == KERN_NO_SPACE) && ((flags & MAP_FIXED) == 0) && user_addr && (num_retries++ == 0)) {            user_addr = vm_map_page_size(user_map);            goto map_anon_retry;        }        /*         * 下面忽略了一部分代码         */}


// 下面这个只截了个头,大概带一下,我也没调过代码~/* *  Routine:    vm_map_enter * *  Description: *      Allocate a range in the specified virtual address map. *      The resulting range will refer to memory defined by *      the given memory object and offset into that object. * *      Arguments are as defined in the vm_map call. */kern_return_tvm_map_enter(    vm_map_t                map,    vm_map_offset_t         *address,       /* IN/OUT */    vm_map_size_t           size,    vm_map_offset_t         mask,    int                     flags,    vm_map_kernel_flags_t   vmk_flags,    vm_tag_t                alias,    vm_object_t             object,    vm_object_offset_t      offset,    boolean_t               needs_copy,    vm_prot_t               cur_protection,    vm_prot_t               max_protection,    vm_inherit_t            inheritance)





Size Matters: An Exploration of Virtual Memory on iOS


#define ARM64_MIN_MAX_ADDRESS (SHARED_REGION_BASE_ARM64 + SHARED_REGION_SIZE_ARM64 + 0x20000000) // end of shared region + 512MB for various purposesconst vm_map_offset_t min_max_offset = ARM64_MIN_MAX_ADDRESS; // end of shared region + 512MB for various purposesif (arm64_pmap_max_offset_default) {    max_offset_ret = arm64_pmap_max_offset_default;} else if (max_mem > 0xC0000000) {    max_offset_ret = min_max_offset + 0x138000000; // Max offset is 13.375GB for devices with > 3GB of memory} else if (max_mem > 0x40000000) {    max_offset_ret = min_max_offset + 0x38000000;  // Max offset is 9.375GB for devices with > 1GB and <= 3GB of memory} else {    max_offset_ret = min_max_offset;}



Address Space



> 3 GiB

15.375 GiB

7.375 GiB

- iPhone XS – iPhone 13
- iPad Air (4th generation)
- iPad Pro (12.9-inch), (10.5-inch), (11-inch)

> 1 GiB

11.375 GiB

3.375 GiB

- iPhone 6s – X, SE, XR
- iPad (5th generation) – iPad (8th generation)
- iPad Air 2, iPad Air (3rd generation)
- iPad mini 4, iPad mini (5th generation)
- iPad Pro (9.7-inch)

<= 1 GiB

10.5 GiB

2.5 GiB

- iPhone 5s, iPhone 6
- iPad Air
- iPad mini 2, iPad mini 3

而xnu的源码(pmap.c)中还透露了内核内存分配存在jumbo机制。当iOS App带有指定的能力声明时,xnu内核将会以jumbo模式运行,虚拟内存地址空间将会直接分配为最大值64GB:

if (option == ARM_PMAP_MAX_OFFSET_JUMBO) {    if (arm64_pmap_max_offset_default) {        // Allow the boot-arg to override jumbo size        max_offset_ret = arm64_pmap_max_offset_default;    } else {        max_offset_ret = MACH_VM_MAX_ADDRESS;     // Max offset is 64GB for pmaps with special "jumbo" blessing    }}


/* * Apply the requested maximum address. */if (error == 0 && imgp->ip_px_sa != NULL) {    struct _posix_spawnattr *psa = (struct _posix_spawnattr *) imgp->ip_px_sa;    if (psa->psa_max_addr) {        vm_map_set_max_addr(get_task_map(new_task), (vm_map_offset_t)psa->psa_max_addr);    }}




Use this entitlement if your app has specific needs that require a larger addressable space. For example, games that memory map assets to stream to the GPU may benefit from a larger address space.


描述上看,配置该选项时,将开启上面xnu的jumbo mode,地址的扩充刚好能解决上面的崩溃问题。


为验证地址分配的极限值,简单做个实验(测试设备使用iPhone XR iOS 16 Beta 2):

通过malloc进行连续的内存分配(也可以用vm_allocate,阈值不一样),阈值卡在1009字节(为什么是1009字节,这里可以参考【ios 内核】源码解读(3) 详解ios是怎么malloc的(上) - 钟路成的博客 (luchengzhong.github.io))。

for (size_t i = 0; i < SIZE_T_MAX; i++) {    void *a = malloc(1009);    if (a == NULL) {        NSLog(@"error count: %lu", i);        break;    }}


size = 1009 > SMALL_THRESHOLD (64位系统下1008字节,32位系统下496)

内存扩展前malloc失败阈值约 7065482 * 1009 = 6.63 GB

内存扩展后malloc失败阈值约 56753881 * 1009 = 53.33 GB

当然,在xnu的单元测试代码中,也可找到jumbo mode相关的测试代码,与上面的测试结果完全一致,即最多可分配53GB的空间。

#define GB (1ULL * 1024 * 1024 * 1024)/* * This test expects the entitlement to be the enabling factor for a process to * allocate at least this many GB of VA space. i.e. with the entitlement, n GB * must be allocatable; whereas without it, it must be less. * This value was determined experimentally to fit on applicable devices and to * be clearly distinguishable from the default VA limit. */#define ALLOC_TEST_GB 53T_DECL(TESTNAME,    "Verify that a required entitlement is present in order to be granted an extra-large "    "VA space on arm64",    T_META_NAMESPACE("xnu.vm"),    T_META_CHECK_LEAKS(false)){    int i;    void    *res;    if (!dt_64_bit_kernel()) {        T_SKIP("This test is only applicable to arm64");    }    T_LOG("Attemping to allocate VA space in 1 GB chunks.");    for (i = 0; i < (ALLOC_TEST_GB * 2); i++) {        res = mmap(NULL, 1 * GB, PROT_NONE, MAP_PRIVATE | MAP_ANON, 0, 0);        if (res == MAP_FAILED) {            if (errno != ENOMEM) {                T_WITH_ERRNO;                T_LOG("mmap failed: stopped at %d of %d GB allocated", i, ALLOC_TEST_GB);            }            break;        } else {            T_LOG("%d: %p\n", i, res);        }    }#if defined(ENTITLED)    T_EXPECT_GE_INT(i, ALLOC_TEST_GB, "Allocate at least %d GB of VA space", ALLOC_TEST_GB);#else    T_EXPECT_LT_INT(i, ALLOC_TEST_GB, "Not permitted to allocate %d GB of VA space", ALLOC_TEST_GB);#endif}





  1. 苹果很少在公开文档中说明64位App在虚拟内存使用上存在限制。而且很多App也并没有像浏览器内一样,为业务灵活性而选择将hippy、flutter等技术进行大规模的组合使用,所以可能很多App其实并不会遇到虚拟内存不足的情况。
  2. 上线效果也说明浏览器在混合开发的场景下,内存优化仍然存在很大的空间。因为Extended Virtual Addressing仅能缓解虚拟内存不足的情况,并不意味着App的物理内存也得到增加,对FOOM的治理仍然需要持续。
  3. 鉴于司内有不少的著名组件都会使用mmap机制进行内存管理,建议在使用相关组件时,控制好mmap的大小。
  4. 如果有需要在iPhone 12 Pro、M1 iPad、M1上运行应用,并希望解放更多的物理内存,建议增加com.apple.developer.kernel.increased-memory-limit的能力声明,实测在iPhone 13 Pro下可以增加1GB的可用物理内存。
  5. ReactNative和类似框架在项目中使用较多的,建议需要考虑多个Context的复用,减少创建重复内容,司内外都有实践证明该措施十分有效。
  6. 对于flutter一类的内存优化,可翻阅engine的相关代码。flutter vm在创建时允许外部传参控制vm行为,包括:old heap size、leak vm等。合适的参数可比较有效控制内存占用。


    转藏 分享 献花(0



    请遵守用户 评论公约

    类似文章 更多