一、事例
1.1 Test.java
public class Test { public static void main(String[] args) { System.out.println("Hello World!"); } }
执行:javac Test.java,生成咱们今天要分析的Test.class文件。
1.2 查看二进制文件(命令:hexdump -C Test.class)
00000000 ca fe ba be 00 00 00 32 00 1d 0a 00 06 00 0f 09 |.......2........| 00000010 00 10 00 11 08 00 12 0a 00 13 00 14 07 00 15 07 |................| 00000020 00 16 01 00 06 3c 69 6e 69 74 3e 01 00 03 28 29 |.....<init>...()| 00000030 56 01 00 04 43 6f 64 65 01 00 0f 4c 69 6e 65 4e |V...Code...LineN| 00000040 75 6d 62 65 72 54 61 62 6c 65 01 00 04 6d 61 69 |umberTable...mai| 00000050 6e 01 00 16 28 5b 4c 6a 61 76 61 2f 6c 61 6e 67 |n...([Ljava/lang| 00000060 2f 53 74 72 69 6e 67 3b 29 56 01 00 0a 53 6f 75 |/String;)V...Sou| 00000070 72 63 65 46 69 6c 65 01 00 09 54 65 73 74 2e 6a |rceFile...Test.j| 00000080 61 76 61 0c 00 07 00 08 07 00 17 0c 00 18 00 19 |ava.............| 00000090 01 00 0c 48 65 6c 6c 6f 20 57 6f 72 6c 64 21 07 |...Hello World!.| 000000a0 00 1a 0c 00 1b 00 1c 01 00 04 54 65 73 74 01 00 |..........Test..| 000000b0 10 6a 61 76 61 2f 6c 61 6e 67 2f 4f 62 6a 65 63 |.java/lang/Objec| 000000c0 74 01 00 10 6a 61 76 61 2f 6c 61 6e 67 2f 53 79 |t...java/lang/Sy| 000000d0 73 74 65 6d 01 00 03 6f 75 74 01 00 15 4c 6a 61 |stem...out...Lja| 000000e0 76 61 2f 69 6f 2f 50 72 69 6e 74 53 74 72 65 61 |va/io/PrintStrea| 000000f0 6d 3b 01 00 13 6a 61 76 61 2f 69 6f 2f 50 72 69 |m;...java/io/Pri| 00000100 6e 74 53 74 72 65 61 6d 01 00 07 70 72 69 6e 74 |ntStream...print| 00000110 6c 6e 01 00 15 28 4c 6a 61 76 61 2f 6c 61 6e 67 |ln...(Ljava/lang| 00000120 2f 53 74 72 69 6e 67 3b 29 56 00 21 00 05 00 06 |/String;)V.!....| 00000130 00 00 00 00 00 02 00 01 00 07 00 08 00 01 00 09 |................| 00000140 00 00 00 1d 00 01 00 01 00 00 00 05 2a b7 00 01 |............*...| 00000150 b1 00 00 00 01 00 0a 00 00 00 06 00 01 00 00 00 |................| 00000160 01 00 09 00 0b 00 0c 00 01 00 09 00 00 00 25 00 |..............%.| 00000170 02 00 01 00 00 00 09 b2 00 02 12 03 b6 00 04 b1 |................| 00000180 00 00 00 01 00 0a 00 00 00 0a 00 02 00 00 00 03 |................| 00000190 00 08 00 04 00 01 00 0d 00 00 00 02 00 0e |..............| 0000019e
1.3 查看字节码文件 (命令:javap -verbose Test)
Compiled from "Test.java" public class Test extends java.lang.Object SourceFile: "Test.java" minor version: 0 major version: 50 Constant pool: const #1 = Method #6.#15; // java/lang/Object."<init>":()V const #2 = Field #16.#17; // java/lang/System.out:Ljava/io/PrintStream; const #3 = String #18; // Hello World! const #4 = Method #19.#20; // java/io/PrintStream.println:(Ljava/lang/String;)V const #5 = class #21; // Test const #6 = class #22; // java/lang/Object const #7 = Asciz <init>; const #8 = Asciz ()V; const #9 = Asciz Code; const #10 = Asciz LineNumberTable; const #11 = Asciz main; const #12 = Asciz ([Ljava/lang/String;)V; const #13 = Asciz SourceFile; const #14 = Asciz Test.java; const #15 = NameAndType #7:#8;// "<init>":()V const #16 = class #23; // java/lang/System const #17 = NameAndType #24:#25;// out:Ljava/io/PrintStream; const #18 = Asciz Hello World!; const #19 = class #26; // java/io/PrintStream const #20 = NameAndType #27:#28;// println:(Ljava/lang/String;)V const #21 = Asciz Test; const #22 = Asciz java/lang/Object; const #23 = Asciz java/lang/System; const #24 = Asciz out; const #25 = Asciz Ljava/io/PrintStream;; const #26 = Asciz java/io/PrintStream; const #27 = Asciz println; const #28 = Asciz (Ljava/lang/String;)V; { public Test(); Code: Stack=1, Locals=1, Args_size=1 0: aload_0 1: invokespecial #1; //Method java/lang/Object."<init>":()V 4: return LineNumberTable: line 1: 0 public static void main(java.lang.String[]); Code: Stack=2, Locals=1, Args_size=1 0: getstatic #2; //Field java/lang/System.out:Ljava/io/PrintStream; 3: ldc #3; //String Hello World! 5: invokevirtual #4; //Method java/io/PrintStream.println:(Ljava/lang/String;)V 8: return LineNumberTable: line 3: 0 line 4: 8 }
看不明白没有关系,咱们稍后分析
二、分析文件
现在咱们就来分析一下这个文件。首先在分析文件之前要明确JAVA字节码文件的基本格式。
2.1 第一行分析:
那么咱们的代码:
00000000 ca fe ba be 00 00 00 32 00 1d 0a 00 06 00 0f 09 |.......2........|
2.1.1 magic
魔术方法,4个字节,对应着cafebabe
2.1.2 minor_version
次要版本信息:0000
2.1.3 major_version
主要版本信息:0032,换算成十进制是:50。Class文件的版本号是从45开始的,JDK1.1之后每一个JDK大版本发布主版本号就向上加1。JDK1.1能支持的版本号为45.0~45.65535的Class文件,JDK1.2能支持的版本号为46.0~46.65535以此类推,现在最新的JDK1.7能支持51.0~51.65535版本号的Class文件。还需要注意的一点是:高版本的JDK可以向下兼容以前版本的Class文件,但不能运行以后版本的Class文件。0x0032换算成十进制为50,按照上面的推导,该Class文件是可以被JDK1.6或以上的版本的虚拟机执行的Class文件(也可以反映出该Class文件是由JDK1.6版本的编译器编译的)。
继续分析常量池,也就是cp_info部分
2.2 常量池分析
00000000 ca fe ba be 00 00 00 32 00 1d 0a 00 06 00 0f 09 |.......2........| 00000010 00 10 00 11 08 00 12 0a 00 13 00 14 07 00 15 07 |................| 00000020 00 16 01 00 06 3c 69 6e 69 74 3e 01 00 03 28 29 |.....<init>...()| 00000030 56 01 00 04 43 6f 64 65 01 00 0f 4c 69 6e 65 4e |V...Code...LineN| 00000040 75 6d 62 65 72 54 61 62 6c 65 01 00 04 6d 61 69 |umberTable...mai| 00000050 6e 01 00 16 28 5b 4c 6a 61 76 61 2f 6c 61 6e 67 |n...([Ljava/lang| 00000060 2f 53 74 72 69 6e 67 3b 29 56 01 00 0a 53 6f 75 |/String;)V...Sou| 00000070 72 63 65 46 69 6c 65 01 00 09 54 65 73 74 2e 6a |rceFile...Test.j| 00000080 61 76 61 0c 00 07 00 08 07 00 17 0c 00 18 00 19 |ava.............| 00000090 01 00 0c 48 65 6c 6c 6f 20 57 6f 72 6c 64 21 07 |...Hello World!.| 000000a0 00 1a 0c 00 1b 00 1c 01 00 04 54 65 73 74 01 00 |..........Test..| 000000b0 10 6a 61 76 61 2f 6c 61 6e 67 2f 4f 62 6a 65 63 |.java/lang/Objec|
2.2.1 contant_pool_count
用于描述常量池中常量的个数,这里是001d,也就是29,这里注意,实际的常量的个数是contant_pool_count-1
2.2.2 contant_pool
下面来具体分析常量池,常量池之中主要存放两大类常量:字面量(Literal)和符号引用(Symbolic Reference)。
常量池中的每一项常量都是一个表类型,在JDK6.0之前有11种结构的表数据,这11种表都有一个共同的特点,就是表开始的第一位是一个u1类型的标志位(tag,取值为1~12,标志2空缺),它代表了当前这个常量属于那种常量类型,11种常量类型所代表的具体含义如下图所示:
2.2.2.1 CONSTANT_InterfaceMethodref_info
咱们再举其中CONSTANT_InterfaceMethodref_info结构体的例子:
CONSTANT_InterfaceMethodref_info {
u1 tag;
u2 class_index;
u2 name_and_type_index;
}
对应着上面的
00000000 ca fe ba be 00 00 00 32 00 1d 0a 00 06 00 0f 09 |.......2........|
- 0a 表示常量池的项目类型
- 0006和000f,分别是地址:6和15,这个需要记住
2.2.2.2 CONSTANT_Fieldfref_info 字段的符号引用
CONSTANT_Fieldref_info {
u1 tag;
u2 class_index;
u2 name_and_type_index;
}
对应的是
00000000 ca fe ba be 00 00 00 32 00 1d 0a 00 06 00 0f 09 |.......2........| 00000010 00 10 00 11 08 00 12 0a 00 13 00 14 07 00 15 07 |................|
- 09 字段的符号引用
- 0010和0011分别对应的地址是:16和17
2.2.2.3 CONSTANT_String_info
00000010 00 10 00 11 08 00 12 0a 00 13 00 14 07 00 15 07 |................|
- 08 String 类型字面量
- 0012 是18
2.2.3 上面记住了很多地址,现在对应一下:
const #1 = Method #6.#15; // java/lang/Object."<init>":()V------------------------------对应的是 0a 00 06 00 0f const #2 = Field #16.#17; // java/lang/System.out:Ljava/io/PrintStream;---------对应的是 09 00 10 00 11 const #3 = String #18; // Hello World!-----------------------------------------------对应的是 08 00 12 const #4 = Method #19.#20; // java/io/PrintStream.println:(Ljava/lang/String;)V const #5 = class #21; // Test const #6 = class #22; // java/lang/Object const #7 = Asciz <init>; const #8 = Asciz ()V; const #9 = Asciz Code; const #10 = Asciz LineNumberTable; const #11 = Asciz main; const #12 = Asciz ([Ljava/lang/String;)V; const #13 = Asciz SourceFile; const #14 = Asciz Test.java; const #15 = NameAndType #7:#8;// "<init>":()V const #16 = class #23; // java/lang/System const #17 = NameAndType #24:#25;// out:Ljava/io/PrintStream; const #18 = Asciz Hello World!; const #19 = class #26; // java/io/PrintStream const #20 = NameAndType #27:#28;// println:(Ljava/lang/String;)V const #21 = Asciz Test; const #22 = Asciz java/lang/Object; const #23 = Asciz java/lang/System; const #24 = Asciz out; const #25 = Asciz Ljava/io/PrintStream;; const #26 = Asciz java/io/PrintStream; const #27 = Asciz println; const #28 = Asciz (Ljava/lang/String;)V;
依次类推,找出对应的常量池里面的内容
2.3 类信息
2.3.1 access_flag
const #21 = Asciz Test; const #22 = Asciz java/lang/Object; const #23 = Asciz java/lang/System; const #24 = Asciz out; const #25 = Asciz Ljava/io/PrintStream;; const #26 = Asciz java/io/PrintStream; const #27 = Asciz println; const #28 = Asciz (Ljava/lang/String;)V; //常量池结束
根据以前分析的内容,使用javap查看,发现结束的是上面的:(Ljava/lang/String;)V;
那么对应的使用hexdump查看的内容是:
00000100 6e 74 53 74 72 65 61 6d 01 00 07 70 72 69 6e 74 |ntStream...print| 00000110 6c 6e 01 00 15 28 4c 6a 61 76 61 2f 6c 61 6e 67 |ln...(Ljava/lang| 00000120 2f 53 74 72 69 6e 67 3b 29 56 00 21 00 05 00 06 |/String;)V.!....| 00000130 00 00 00 00 00 02 00 01 00 07 00 08 00 01 00 09 |................|
access_flag: 是2个字节代表的访问标志,这个标志的作用是用于识别一些类或者接口层次的访问信息,例如:这个Class是类还是接口,是否定义为public,是否定义为abstract,如果是类的话,是否被定义为final类型的之类的信息。具体的标志位及标志的含义如下表:
| 标志名称 | 标志值 | 含义 |
| ACC_PUBLIC | 0x0001 | 是否为public类型 |
| ACC_FINAL | 0x0010 | 是否被声明为final,只有类可以设置,接口不能设置该标志 |
| ACC_SUPER | 0x0020 | 是否允许使用invokespecial字节码指令(查了一下该命令的作用为"调用超类的构造方法,实例的构造方法,私有方法"),JDK1.2以后的编译器编译出来的class文件该标志都为真 |
| ACC_INTERFACE | 0x0200 | 标识这是一个接口 |
| ACC_ABSTRACT | 0x0400 | 是否被声明为abstract类型,对于接口和抽象类来说此标志为真,其他类为假 |
| ACC_SYNTHETIC | 0x1000 | 标识这个类并非由用户代码生成 |
| ACC_ANNOTATION | 0x2000 | 标识这是一个注解 |
| ACC_ENUM | 0x4000 | 标识这是一个枚举 |
由于Test.class类被声明为"public"的,JDK1.6编译出来的文件,JVM中没有使用标志为一律为0,所以只有ACC_PUBLIC与ACC_SUPER标志位不为0,因此它access_flag的值为0x0001|0x0020=0x0021("|"布尔或操作符),这里省略了其他6个标志的计算,因为"|"操作符,只有全为0才为0,所以虽然要计算8个标志为的值,但是可以简化为2个。对应如下图:
00000100 6e 74 53 74 72 65 61 6d 01 00 07 70 72 69 6e 74 |ntStream...print|
00000110 6c 6e 01 00 15 28 4c 6a 61 76 61 2f 6c 61 6e 67 |ln...(Ljava/lang|
00000120 2f 53 74 72 69 6e 67 3b 29 56 00 21 00 05 00 06 |/String;)V.!....|
00000130 00 00 00 00 00 02 00 01 00 07 00 08 00 01 00 09 |................|
2.3.2 类信息
access_flag分析完后,紧接着access_flag的是2个字节的类索引(this_class),2个字节的父类索引(super_class)和一组2个字节的数据集合接口索引(interfaces)。Class文件中就是由这三项数据确定这个类的继承关系。其中类索引this_class用于确定这个类的全限定名:接下来是00 05 00 06,分别对应自身的class和继承的class在常量池里面的位置。
2.3.3 Code属性
2.3.3.1 顺序内容
- arribute_name_index,u2 是指向CONSTANT_Utf8_info型常量的索引
- arribute_length,u4 属性的长度
- max_stack,u2 操作数栈
- max_locals,u2 局部变量存储空间,单位是slot
- code_length,u4
- code,u1
- exception_table_length,u2
- exception_table,exception_info
- atrributes_count,u2
- atrributes,attribute_info
操作深度和变量表的长度都是 00 01
所占用的长度是 00 05
00000140 00 00 00 1d 00 01 00 01 00 00 00 05 2a b7 00 01 |............*...| 00000150 b1 00 00 00 01 00 0a 00 00 00 06 00 01 00 00 00 |................| 00000160 01 00 09 00 0b 00 0c 00 01 00 09 00 00 00 25 00 |..............%.| 00000170 02 00 01 00 00 00 09 b2 00 02 12 03 b6 00 04 b1 |................| 00000180 00 00 00 01 00 0a 00 00 00 0a 00 02 00 00 00 03 |................| 00000190 00 08 00 04 00 01 00 0d 00 00 00 02 00 0e |..............|
2.3.3.2 执行过程
读入:2a,指令是aload_0,意思是将第一个变量推送到栈顶
读入:b7,指令时invokespecial
。。。。
读入:b1,return
-
三、执行程序
public static void main(java.lang.String[]); Code: Stack=2, Locals=1, Args_size=1 0: getstatic #2; //Field java/lang/System.out:Ljava/io/PrintStream; 3: ldc #3; //String Hello World! 5: invokevirtual #4; //Method java/io/PrintStream.println:(Ljava/lang/String;)V 8: return LineNumberTable: line 3: 0 line 4: 8
- ldc:ldc 将int, float或String型常量值从常量池中推送至栈顶
- invokeviretual: 调用方法,对应这地址#4一层层的查找
关于执行方面的内容,也可以参考另外的一篇文章:http://www.cnblogs.com/liqiu/p/3437113.html