Android 热修复方案分析.docx

1、Android 热修复方案分析Android 热修复方案分析绝大部分的APP项目其实都需要一个动态化方案,来应对线上紧急bug修复发新版本的高成本.之前有利用加壳，分拆两个dex结合DexClassLoader实现了一套全量更新的热更方案.实现原理在这篇博客中有分解.因为这套方案是在Java端实现,并且是全量更新所以兼容性较好,成功率较高.但是在线上跑了几个月之后就碰到了瓶颈,因为随着业务的增长分拆过之后的dex文件方法数也超过65535个,更换拆包方案的话维护成本太高.同时由于没有做差异diff,就带来了patch包过大,冗余多等缺点.正好微信的动态化方案Tinker也开源了，就趁这个机会先

2、把市面上主流的热更方案汇总分析下,再选一个方向深入研究一个尽量兼并兼容性扩展性及时性的方案.Github 相关数据分析先统计下github上几个star比较多的开源热更方案,数据为2016年11月3号采集的,仅供参考.从非技术的角度来分析下表的数据,根据开源时间到最近commit时间、commit数量、issues的关闭率和Release版本数都可以看出这几个项目目前的维护情况.还有Wiki相关文档的支持.怎么看Tinker现在都是一副很生猛的架势.而阿里百川的商业化Hotfix现在还在公测,方式用的是Andfix，把热更做成一个商业化的功能，就不清楚Andfix以后在github上的维护情况

3、了,但是同时也证明了Andfix的价值.而Dexposed一直没有兼容ART,这里就先不详细分析了.实现原理AndfixAndfix实现热更的核心方法是在JNI中动态hook替换目标方法,来达到即时修复bug的目的.而替换的方法则是由源apk文件和修改过的apk文件的dex做diff,反编译补丁包工具apkpatch可以看到两个dex遍历做diff的过程. public DiffInfo diff(File newFile, File oldFile) throws IOException DexBackedDexFile newDexFile = DexFileFactory.loadDex

4、File(newFile, 19, true); DexBackedDexFile oldDexFile = DexFileFactory.loadDexFile(oldFile, 19, true); DiffInfo info = DiffInfo.getInstance(); boolean contains = false; for(Iterator iterator = newDexFile.getClasses().iterator(); iterator.hasNext();) DexBackedClassDef newClazz = (DexBackedClassDef)ite

5、rator.next(); Set oldclasses = oldDexFile.getClasses(); for(Iterator iterator1 = oldclasses.iterator(); iterator1.hasNext();) DexBackedClassDef oldClazz = (DexBackedClassDef)iterator1.next(); if(newClazz.equals(oldClazz) compareField(newClazz, oldClazz, info); compareMethod(newClazz, oldClazz, info)

6、; contains = true; break; if(!contains) info.addAddedClasses(newClazz); return info; 遍历出修改过的方法加上一个MethodReplace的注解(包含要替换的目标类和目标方法),生成一个diff dex,再签上名更名为.apatch的补丁包通过更新的方式分发的各个终端处.通过反编译中间diff dex可以看到补丁文件中对fix method的描述. MethodReplace(clazz=workbench.agent.impl.NBSAgent, method=getBuildId) public stati

7、c String getBuildId() return 6f3d1afc-d890-47c2-8ebe-76dc6c53050c; 终端在效验过补丁包的合法性后,则把补丁包中带有MethodReplace注解的方法遍历出来,根据注解中的目标方法配置,将old method利用classloader加载进内存,然后交给JNI去替换old method. private void fixClass(Class clazz, ClassLoader classLoader) Method methods = clazz.getDeclaredMethods(); MethodReplace met

8、hodReplace; String clz; String meth; for (Method method : methods) methodReplace = method.getAnnotation(MethodReplace.class); if (methodReplace = null) continue; clz = methodReplace.clazz(); meth = methodReplace.method(); if (!isEmpty(clz) & !isEmpty(meth) replaceMethod(classLoader, clz, meth, metho

9、d); private void replaceMethod(ClassLoader classLoader, String clz, String meth, Method method) try String key = clz + + classLoader.toString(); Class clazz = mFixedClass.get(key); if (clazz = null) / class not load Class clzz = classLoader.loadClass(clz); / initialize target class clazz = AndFix.in

10、itTargetClass(clzz); if (clazz != null) / initialize class OK mFixedClass.put(key, clazz); Method src = clazz.getDeclaredMethod(meth, method.getParameterTypes(); AndFix.addReplaceMethod(src, method); catch (Exception e) Log.e(TAG, replaceMethod, e); 在Andfix.app中可以看到JNI中replaceMethod方法,由于从Lolipop开始An

11、droid放弃使用dalvik转向android runtime,所以Andfix也要区分不同的平台进行替换.像Dexposed到目前为止都没有做ART的兼容.static void replaceMethod(JNIEnv* env, jclass clazz, jobject src, jobject dest) if (isArt) art_replaceMethod(env, src, dest); else dalvik_replaceMethod(env, src, dest); extern void _attribute_ (visibility (hidden) dalvik

12、_replaceMethod( JNIEnv* env, jobject src, jobject dest) jobject clazz = env-CallObjectMethod(dest, jClassMethod); ClassObject* clz = (ClassObject*) dvmDecodeIndirectRef_fnPtr( dvmThreadSelf_fnPtr(), clazz); clz-status = CLASS_INITIALIZED; Method* meth = (Method*) env-FromReflectedMethod(src); Method

13、* target = (Method*) env-FromReflectedMethod(dest); LOGD(dalvikMethod: %s, meth-name); meth-accessFlags |= ACC_PUBLIC; meth-methodIndex = target-methodIndex; meth-jniArgInfo = target-jniArgInfo; meth-registersSize = target-registersSize; meth-outsSize = target-outsSize; meth-insSize = target-insSize

14、; meth-prototype = target-prototype; meth-insns = target-insns; meth-nativeFunc = target-nativeFunc;由于兼容问题在ART的replaceMethod方法中对每一个不同的系统版本进行区分,分别实现.extern void _attribute_ (visibility (hidden) art_replaceMethod( JNIEnv* env, jobject src, jobject dest) if (apilevel 23) replace_7_0(env, src, dest); el

15、se if (apilevel 22) replace_6_0(env, src, dest); else if (apilevel 21) replace_5_1(env, src, dest); else if (apilevel 19) replace_5_0(env, src, dest); else replace_4_4(env, src, dest); 因为Andfix的方案是在native替换方法,所以稳定性和兼容性就是差一些.就Andfix开源项目来说在实际接入的过程中发现对multi dex支持不友好,还需要修改补丁包生成工具apkpatch,并且apkpatch开源得也不

16、友好,修复静态方法有问题.Nuwa由于Qzone只是分享了实现原理,并没有开源出来.而Nuwa是参考Qzone的实现方式开源的一套方案,这里就主要分析Nuwa了.Nuwa的修复流程并不复杂，不像Andfix需要在JNI中进行方法替换.在Application中的attachBaseContext方法中对Nuwa进行初始化,先将asset路径下的hack.apk复制到指定位置,然后以加载补丁的方式加载hack.apk至于这个hack.apk的作用下面会讲. public static void init(Context context) File dexDir = new File(contex

17、t.getFilesDir(), DEX_DIR); dexDir.mkdir(); String dexPath = null; try dexPath = AssetUtils.copyAsset(context, HACK_DEX, dexDir); catch (IOException e) Log.e(TAG, copy + HACK_DEX + failed); e.printStackTrace(); loadPatch(context, dexPath); 加载补丁的方法主要的作用是把补丁dex通过反射加载到dexElements数组的最前端。因为Classloader在fin

18、dClass的时候是按顺序遍历dexElements(dex数组),只要dexElement中有该class就加载并停止遍历.所以利用Classloader的这种特性把补丁包插入dexElements的首位,系统在findClass的时候就优先拿到补丁包中的class,达到修复bug的目的. public static void loadPatch(Context context, String dexPath) if (context = null) Log.e(TAG, context is null); return; if (!new File(dexPath).exists() Lo

19、g.e(TAG, dexPath + is null); return; File dexOptDir = new File(context.getFilesDir(), DEX_OPT_DIR); dexOptDir.mkdir(); try DexUtils.injectDexAtFirst(dexPath, dexOptDir.getAbsolutePath(); catch (Exception e) Log.e(TAG, inject + dexPath + failed); e.printStackTrace(); public static void injectDexAtFir

20、st(String dexPath, String defaultDexOptPath) throws NoSuchFieldException, IllegalAccessException, ClassNotFoundException DexClassLoader dexClassLoader = new DexClassLoader(dexPath, defaultDexOptPath, dexPath, getPathCassLoader(); Object baseDexElements = getDexElements(getPathList(getPathClassLoader

21、(); Object newDexElements = getDexElements(getPathList(dexClassLoader); Object allDexElements = combineArray(newDexElements, baseDexElements); Object pathList = getPathList(getPathClassLoader(); ReflectionUtils.setField(pathList, pathList.getClass(), dexElements, allDexElements); 如果只是把补丁包插入dexElemen

22、ts的首位然后运行就会有一个异常 java.lang.IllegaAccessError:Class ref in pre-verified class resoved to unexpected implementation 造成这个异常的原因是因为补丁包中的类和与其有关联的类不在同一个dex文件中.跟踪这个异常,定位到Android源码中的Resolve.cpp 中的dvmResolveClass方法，可以看到只要满足最外层 (!fromUnverifiedConstant & IS_CLASS_FLAG_SET(referrer, CLASS_ISPREVERIFIED) 的条件就会抛出

23、pre-verified的异常.Qzone就是从CLASS_ISPREVERIFIED标记入手, 想办法让Class不打上CLASS_ISPREVERIFIED标签.ClassObject* dvmResolveClass(const ClassObject* referrer, u4 classIdx, bool fromUnverifiedConstant) . . if (!fromUnverifiedConstant & IS_CLASS_FLAG_SET(referrer, CLASS_ISPREVERIFIED) ClassObject* resClassCheck = resCl

24、ass; if (dvmIsArrayClass(resClassCheck) resClassCheck = resClassCheck-elementClass; if (referrer-pDvmDex != resClassCheck-pDvmDex & resClassCheck-classLoader != NULL) ALOGW(Class resolved by unexpected DEX: %s(%p):%p ref %s %s(%p):%p, referrer-descriptor, referrer-classLoader, referrer-pDvmDex, resC

25、lass-descriptor, resClassCheck-descriptor, resClassCheck-classLoader, resClassCheck-pDvmDex); ALOGW(%s had used a different %s during pre-verification), referrer-descriptor, resClass-descriptor); dvmThrowIllegalAccessError( Class ref in pre-verified class resolved to unexpected implementation); retu

26、rn NULL; . . return resClass;Qzone根据dexopt的过程中(DexPrepare.cpp - verifyAndOptimizeClass)如果dvmVerifyClass返回true了,就会给class标记上CLASS_ISPREVERIFIED.所以我们要确保dvmVerifyClass返回false, 只要不被打上CLASS_ISPREVERIFIED标记,就不会触发上述的异常./* Verify and/or optimize a specific class.*/static void verifyAndOptimizeClass(DexFile*

27、pDexFile, ClassObject* clazz, const DexClassDef* pClassDef, bool doVerify, bool doOpt) . . /* * First, try to verify it. */ if (doVerify) if (dvmVerifyClass(clazz) /* * Set the is preverified flag in the DexClassDef. We * do it here, rather than in the ClassObject structure, * because the DexClassDe

28、f is part of the odex file. */ assert(clazz-accessFlags & JAVA_FLAGS_MASK) = pClassDef-accessFlags); (DexClassDef*)pClassDef)-accessFlags |= CLASS_ISPREVERIFIED; verified = true; else / TODO: log when in verbose mode ALOGV(DexOpt: %s failed verification, classDescriptor); . .为了能让dvmVerifyClass返回fals

29、e,我们继续跟踪这个方法(DexVerify.app - dvmVerifyClass).首先是过滤重复验证,由于补丁包加载之前是没有做过验证的,所以这个条件可以直接忽略.接下来是遍历clazz的directMethods(包含构造,静态,私有方法)和virtualMethods,只要这两个数组中的方法存在有关联的对象跨dex文件的情况就可以让dvmVerifyClass返回false./* Verify a class.* By the time we get here, the value of gDvm.classVerifyMode should already* have been

30、factored in. If you want to call into the verifier even* though verification is disabled, thats your business.* Returns true on success.*/bool dvmVerifyClass(ClassObject* clazz) int i; if (dvmIsClassVerified(clazz) ALOGD(Ignoring duplicate verify attempt on %s, clazz-descriptor); return true; for (i = 0; i directMethodCount; i+) if (!verifyMethod(&clazz-directMethodsi) LOG_VFY(Verifier rejected class %s, clazz-descriptor); return fal