Binder - AMS的addService流程

2022-03-09  本文已影响0人  w达不溜w

Zygote进程开始fork子进程,启动SystemServer

//path: /frameworks/base/services/java/com/android/server/SystemServer.java
/**
 * The main entry point from zygote.
 */
public static void main(String[] args) {
  new SystemServer().run();
}

private void run() {
  //创建SystemServiceManager
  mSystemServiceManager = new SystemServiceManager(mSystemContext);
  //启动服务
  startBootstrapServices();
}

private void startBootstrapServices() {
  //通过反射创建AMS对象
  mActivityManagerService = mSystemServiceManager.startService(
                ActivityManagerService.Lifecycle.class).getService();
  //将AMS注册到SM中
  mActivityManagerService.setSystemProcess();
}

ActivityManagerService.setSystemProcess

//path: /frameworks/base/services/core/java/com/android/server/am/ActivityManagerService.java
public void setSystemProcess() {
  //调用addService向SM中注册AMS(this参数指的是AMS)
  ServiceManager.addService(Context.ACTIVITY_SERVICE, this, true);
}

ServiceManager.addService

//path: /frameworks/base/core/java/android/os/ServiceManager.java
public static void addService(String name, IBinder service) {
  try {
    //getIServiceManager()=>new ServiceManagerProxy(new binderProxy())
    getIServiceManager().addService(name, service, false);
  } catch (RemoteException e) {
    Log.e(TAG, "error in addService", e);
  }
}

private static IServiceManager getIServiceManager() {
  if (sServiceManager != null) {
    //单例返回
    return sServiceManager;
  }

  // Find the service manager
  sServiceManager =       ServiceManagerNative.asInterface(BinderInternal.getContextObject());
  return sServiceManager;
}

BinderInternal.getContextObject() 返回BinderProxy对象

//path: /frameworks/base/core/java/com/android/internal/os/BinderInternal.java
public static final native IBinder getContextObject();

getContextObject是native方法,通过JNI往下调用(调到哪个JNI方法分析见:Binder - Binder的JNI方法注册)

//path:/frameworks/base/core/jni/android_util_Binder.cpp
static jobject android_os_BinderInternal_getContextObject(JNIEnv* env, jobject clazz)
{
  //打开binder驱动,创建BpBinder(handle)对象
  sp<IBinder> b = ProcessState::self()->getContextObject(NULL);
  return javaObjectForIBinder(env, b);
}

ProcessState::self()->getContextObject(NULL)和defaultServiceManager流程一样,都是创建BpBinder(handle)对象(具体分析见:Binder - 获取ServiceManager服务

接着看javaObjectForIBinder,BinderProxy和BpBinder互相绑定

//path: /frameworks/base/core/jni/android_util_Binder.cpp
jobject javaObjectForIBinder(JNIEnv* env, const sp<IBinder>& val)
{
  //从BpBinder中查找BinderProxy对象,第一次为null
  //gBinderProxyOffsets结构体的初始化,是在int_register_android_os_BinderProxy()中完成的,在JNI注册的时候就会调用
  jobject object = (jobject)val->findObject(&gBinderProxyOffsets);
  //创建BinderProxy对象
  object = env->NewObject(gBinderProxyOffsets.mClass, gBinderProxyOffsets.mConstructor);
  //通过BinderProxy的mObject成员变量记录BpBinder对象
  env->SetLongField(object, gBinderProxyOffsets.mObject, (jlong)val.get());
  //将BinderProxy对象信息添加到BpBinder的mObject中
  val->attachObject(&gBinderProxyOffsets, refObject,
                jnienv_to_javavm(env), proxy_cleanup);
  
  sp<DeathRecipientList> drl = new DeathRecipientList;
  drl->incStrong((void*)javaObjectForIBinder);
  //BinderProxy的mOrgue记录死亡通知对象
  env->SetLongField(object, gBinderProxyOffsets.mOrgue, reinterpret_cast<jlong>(drl.get()));
  //最终返回BinderProxy对象
  return object;
}

ServiceManagerNative.asInterface

//path: /frameworks/base/core/java/android/os/ServiceManagerNative.java
static public IServiceManager asInterface(IBinder obj)
{
  //obj为BinderProxy,默认返回null
  IServiceManager in =
    (IServiceManager)obj.queryLocalInterface(descriptor);
  if (in != null) {
    return in;
  }
  //创建ServiceManagerProxy对象
  return new ServiceManagerProxy(obj);
}

ServiceManagerProxy

//path: /frameworks/base/core/java/android/os/ServiceManagerNative.java
class ServiceManagerProxy implements IServiceManager {
  //mRemote为BinderProxy对象
  public ServiceManagerProxy(IBinder remote) {
    mRemote = remote;
  }

  //上面的getIServiceManager().addService调到了这里
  public void addService(String name, IBinder service, boolean allowIsolated)
                    throws RemoteException {
    Parcel data = Parcel.obtain();
    Parcel reply = Parcel.obtain();
    //①此处的service是AMS,把ASM放到data
    data.writeStrongBinder(service);
    //②mRemote为BinderProxy对象
    mRemote.transact(ADD_SERVICE_TRANSACTION, data, reply, 0);
  }
}

①Parcel.writeStrongBinder

//path: /frameworks/base/core/java/android/os/Parcel.java
public final void writeStrongBinder(IBinder val) {
  nativeWriteStrongBinder(mNativePtr, val);
}

private static native void nativeWriteStrongBinder(long nativePtr, IBinder val);

nativeWriteStrongBinder映射关系对应android_os_Parcel_writeStrongBinder

//path: /frameworks/base/core/jni/android_os_Parcel.cpp
static void android_os_Parcel_writeStrongBinder(JNIEnv* env, jclass clazz, jlong                                                                                                        nativePtr, jobject object)
{
  //将Java层的Parcel转换为Native层Parcel
  Parcel* parcel = reinterpret_cast<Parcel*>(nativePtr);
  if (parcel != NULL) {
    const status_t err = parcel->writeStrongBinder(ibinderForJavaObject(env, object));
  }
}

ibinderForJavaObject 创建JavaBBinder对象

//path: /frameworks/base/core/jni/android_util_Binder.cpp
sp<IBinder> ibinderForJavaObject(JNIEnv* env, jobject obj)
{
   //是否是Java层的Binder对象,此处obj是AMS,进入if
   if (env->IsInstanceOf(obj, gBinderOffsets.mClass)) {
        JavaBBinderHolder* jbh = (JavaBBinderHolder*)
            env->GetLongField(obj, gBinderOffsets.mObject);
            //返回JavaBBinder对象
        return jbh != NULL ? jbh->get(env, obj) : NULL;
    }
}

class JavaBBinderHolder : public RefBase
{
public:
  sp<JavaBBinder> get(JNIEnv* env, jobject obj)
  {
    //将弱指针升级为强指针,首次进来为空
    sp<JavaBBinder> b = mBinder.promote();
    if (b == NULL) {
      //创建JavaBBinder对象
      b = new JavaBBinder(env, obj);
    }
    return b;
  }
}

parcel->writeStrongBinder

//path: /frameworks/native/libs/binder/Parcel.cpp
status_t Parcel::writeStrongBinder(const sp<IBinder>& val)
{
    return flatten_binder(ProcessState::self(), val, this);
}

status_t flatten_binder(const sp<ProcessState>& /*proc*/,
    const sp<IBinder>& binder, Parcel* out)
{
  flat_binder_object obj;
  //binder为AMS,不为null
  if (binder != NULL) {
    //binder为AMS,继承自BBinder,local不为NULL
    IBinder *local = binder->localBinder();
    if (!local) {
    }else{
      //通过flat_binder_object保存AMS信息
      obj.type = BINDER_TYPE_BINDER;
      obj.binder = reinterpret_cast<uintptr_t>(local->getWeakRefs());
      obj.cookie = reinterpret_cast<uintptr_t>(local);
    }
  }
  return finish_flatten_binder(binder, obj, out); 
}

inline static status_t finish_flatten_binder(
    const sp<IBinder>& /*binder*/, const flat_binder_object& flat, Parcel* out)
{
  //将flat_binder_object写入out(out=>data,flat_binder_object=>AMS)
  return out->writeObject(flat, false);
}

②BinderProxy.transact

//path: /frameworks/base/core/java/android/os/Binder.java
final class BinderProxy implements IBinder {
  public boolean transact(int code, Parcel data, Parcel reply, int flags) throws RemoteException {
    return transactNative(code, data, reply, flags);
  }
  //native方法调到android_os_BinderProxy_transact
  public native boolean transactNative(int code, Parcel data, Parcel reply,
            int flags) throws RemoteException;
}

//path: /frameworks/base/core/jni/android_util_Binder.cpp
static jboolean android_os_BinderProxy_transact(JNIEnv* env, jobject obj,
        jint code, jobject dataObj, jobject replyObj, jint flags) // throws RemoteException
{
  //获取data对象
    Parcel* data = parcelForJavaObject(env, dataObj);
  //获取reply对象
  Parcel* reply = parcelForJavaObject(env, replyObj);
  //对应上面SetLongField(object, gBinderProxyOffsets.mObject, (jlong)val.get()):通过BinderProxy的mObject成员变量记录BpBinder对象
  //获取BpBinder对象
  IBinder* target = (IBinder*)
        env->GetLongField(obj, gBinderProxyOffsets.mObject);
  //target为BpBinder
  status_t err = target->transact(code, *data, reply, flags);
}
//path: /frameworks/native/libs/binder/BpBinder.cpp
status_t BpBinder::transact(
    uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags)
{
  status_t status = IPCThreadState::self()->transact(mHandle, code, data, reply, flags);
}
//path: /frameworks/native/libs/binder/IPCThreadState.cpp
status_t IPCThreadState::transact(int32_t handle,
                                  uint32_t code, const Parcel& data,
                                  Parcel* reply, uint32_t flags)
{
  //数据错误检查
  status_t err = data.errorCheck();
  //TF_ACCEPT_FDS:允许回复中包含文件描述符
  flags |= TF_ACCEPT_FDS;
  //整理数据,把结果存入mOut中
  err = writeTransactionData(BC_TRANSACTION, flags, handle, code, data, NULL);
  //TF_ONE_WAY表示当前业务是异步的,不需要等待
  //当前不是异步,进入if
  if ((flags & TF_ONE_WAY) == 0) {
    if (reply) {
      //等待回应事件
      err = waitForResponse(reply);
    } 
  }
}

status_t IPCThreadState::writeTransactionData(int32_t cmd, uint32_t binderFlags,
    int32_t handle, uint32_t code, const Parcel& data, status_t* statusBuffer)
{
  binder_transaction_data tr;
  //此处handle为0
  tr.target.handle = handle;
  //此处code为ADD_SERVICE_TRANSACTION
  tr.code = code;
  //此处flags为0
  tr.flags = binderFlags;
  //...将数据保存到tr
  
  //mOut写入命令BC_TRANSACTION
  mOut.writeInt32(cmd);
  //写入binder_transaction_data数据
  mOut.write(&tr, sizeof(tr));
}

status_t IPCThreadState::waitForResponse(Parcel *reply, status_t *acquireResult)
{
  while (1) {
    //循环等待结果
    if ((err=talkWithDriver()) < NO_ERROR) break;
  }
}

status_t IPCThreadState::talkWithDriver(bool doReceive)
{
  //读的buffer是否为空? mIn是IPCThreadState的成员变量,现在读为null
  const bool needRead = mIn.dataPosition() >= mIn.dataSize();
  //读的时候不能写mOut
  const size_t outAvail = (!doReceive || needRead) ? mOut.dataSize() : 0;
  //bwr需要写入的大小
  bwr.write_size = outAvail;
  //bwr需要写入的内容
  bwr.write_buffer = (uintptr_t)mOut.data();
  // This is what we'll read.
  if (doReceive && needRead) {
    bwr.read_size = mIn.dataCapacity();
    bwr.read_buffer = (uintptr_t)mIn.data();
  } else {
    //neerRead为false走else
    bwr.read_size = 0;
    bwr.read_buffer = 0;
  }
  //while循环条件不成立,只会执行一次
  do {
    //通过ioctl写入命令BC_TRANSACTION
    if (ioctl(mProcess->mDriverFD, BINDER_WRITE_READ, &bwr) >= 0)
          err = NO_ERROR;
  }while (err == -EINTR);
}

关于ioctl的分析见:Binder - 内核驱动层源码浅析

//path: /drivers/staging/android/binder.c
static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
{
  switch (cmd) {
  case BINDER_WRITE_READ:
    ret = binder_ioctl_write_read(filp, cmd, arg, thread);
      break;
  }
}

static int binder_ioctl_write_read(struct file *filp,
                unsigned int cmd, unsigned long arg,
                struct binder_thread *thread)
{
  ret = binder_thread_write(proc, thread,
                      bwr.write_buffer,
                      bwr.write_size,
                      &bwr.write_consumed);
}

static int binder_thread_write(struct binder_proc *proc,
            struct binder_thread *thread,
            binder_uintptr_t binder_buffer, size_t size,
            binder_size_t *consumed)
{
  switch (cmd) {
        case BC_TRANSACTION:
      //此处cmd为BC_TRANSACTION
      binder_transaction(proc, thread, &tr, cmd == BC_REPLY);
      break;
  }
}

binder_transaction

//path: /drivers/staging/android/binder.c
static void binder_transaction(struct binder_proc *proc,
              struct binder_thread *thread,
              struct binder_transaction_data *tr, int reply)
{
 struct binder_transaction *t;
 struct binder_work *tcomplete;
 //此处reply为false(cmd为BC_TRANSACTION)
 if (reply) {}
 else{
   //找SM,handle为0,走else
   if (tr->target.handle) {}
   else{
     //①获取目标对象SM的target_node,直接使用全局变量binder_context_mgr_node
     target_node = binder_context_mgr_node;
   }
   //②获取SM进程
   target_proc = target_node->proc; 
 }
 //③找到SM的todo和wait队列
 target_list = &target_proc->todo;
 target_wait = &target_proc->wait;
 //生成一个binder_transaction变量t,用于描述本次要进行的transaction,最后将其加入target_thread->todo,这样目标对象被唤醒时,就可以从这个队列中取出要做的工作
 t = kzalloc(sizeof(*t), GFP_KERNEL);
 //生成一个binder_work变量tcomplete,用于说明当前调用者线程有未完成的transaction,最后会添加到本线程的todo队列中
   tcomplete = kzalloc(sizeof(*tcomplete), GFP_KERNEL);
 
 if (!reply && !(tr->flags & TF_ONE_WAY))
   //非oneway的通信方式,将当前的thread保存到transaction的from字段
       t->from = thread;
   else
       t->from = NULL;
 
 //④下面的一些操作是将SM的数据放入t
 
 t->sender_euid = task_euid(proc->tsk);
 //target_proc为此次通信的目标进程为SM进程
   t->to_proc = target_proc;
   t->to_thread = target_thread;
 //此次通信的code为ADD_SERVICE_TRANSACTION
   t->code = tr->code;
 //此次通信flags为0
   t->flags = tr->flags;
 //当前线程任务的优先级
   t->priority = task_nice(current);
 
 //从SM进程中分配buffer(从mmap开辟的空间中申请内存)
 t->buffer = binder_alloc_buf(target_proc, tr->data_size,
       tr->offsets_size, !reply && (t->flags & TF_ONE_WAY));
 
 /*****⑤真正一次拷贝的有效数据*****/
 //拷贝用户空间的ptr.buffer到内核 
 if (copy_from_user(t->buffer->data, (const void __user *)(uintptr_t)
              tr->data.ptr.buffer, tr->data_size))
 //拷贝用户空间ptr.offsets到内核
 if (copy_from_user(offp, (const void __user *)(uintptr_t)
              tr->data.ptr.offsets, tr->offsets_size))

 //SM和Client是两个进程
   
 //⑥记录本次transaction,这样就知道是谁调用的(方便SM找到client)
 thread->transaction_stack = t;
 //⑦设置t的类型为BINDER_WORK_TRANSACTION(t的命令是发送给SM的:工作)
 t->work.type = BINDER_WORK_TRANSACTION;
 //将t加入目标的处理队列中
 list_add_tail(&t->work.entry, target_list);
 //⑧设置binder_work的类型为BINDER_WORK_TRANSACTION_COMPLETE(tcomplete的命令是给client的:挂起)
 tcomplete->type = BINDER_WORK_TRANSACTION_COMPLETE;
 list_add_tail(&tcomplete->entry, &thread->todo);
 if (target_wait)
   //⑨唤醒SM
       wake_up_interruptible(target_wait);
}

ServiceManager在内部会通过binder_loop循环监听client消息,代码会被阻塞在Binder驱动的binder_thread_read函数(具体分析见:Binder - 启动ServiceManager服务

接着我们分析下ServiceManager被唤醒后的流程

binder_thread_read — ServiceManager被唤醒后

//path: /drivers/staging/android/binder.c
static int binder_thread_read(struct binder_proc *proc,
                  struct binder_thread *thread,
                  binder_uintptr_t binder_buffer, size_t size,
                  binder_size_t *consumed, int non_block)
{
  if (*consumed == 0) {
    //设置命令为BR_NOOP
        if (put_user(BR_NOOP, (uint32_t __user *)ptr))
            return -EFAULT;
        ptr += sizeof(uint32_t);
    }
  
  while (1) {
    struct binder_work *w;
    //前面binder_transaction函数中:把一个binder_work添加到thread->todo队列中,类型为BINDER_WORK_TRANSACTION_COMPLETE
    if (!list_empty(&thread->todo)) {
      //w->type为BINDER_WORK_TRANSACTION_COMPLETE
            w = list_first_entry(&thread->todo, struct binder_work,entry);
        }
    switch (w->type) {
      case BINDER_WORK_TRANSACTION_COMPLETE: 
        cmd = BR_TRANSACTION_COMPLETE;
        //写入命令BR_TRANSACTION_COMPLETE
        if (put_user(cmd, (uint32_t __user *)ptr))
          return -EFAULT;
        break;   
    }
  }
}

回到上面IPCThreadState::waitForResponse中循环等待结果处

//path: /frameworks/native/libs/binder/IPCThreadState.cpp
status_t IPCThreadState::waitForResponse(Parcel *reply, status_t *acquireResult)
{
  while (1) {
    //循环等待结果
    if ((err=talkWithDriver()) < NO_ERROR) break;
    switch (cmd) {
        //处理BR_TRANSACTION_COMPLETE命令
        case BR_TRANSACTION_COMPLETE:
                // 当前为同步(!reply为false),不进入if,继续循环
            if (!reply && !acquireResult) goto finish;
            break;
    }
  }
}

binder_thread_read — ServiceManager开始处理数据

//path: /drivers/staging/android/binder.c
static int binder_thread_read(...){
  //同理:
  case BINDER_WORK_TRANSACTION: {
        //把用户请求复制的SM中并对个队列进行调整
            t = container_of(w, struct binder_transaction, work);
  //...
    //设置命令为BR_TRANSACTION
   cmd = BR_TRANSACTION;
}

SM启动的时候会调用binder_loop:循环监听,处理client发来的请求

//path: /frameworks/native/cmds/servicemanager/binder.c
void binder_loop(struct binder_state *bs, binder_handler func)
{
  for (;;) {
    //解析
    res = binder_parse(bs, 0, (uintptr_t) readbuf, bwr.read_consumed, func);
  }
}

int binder_parse(struct binder_state *bs, struct binder_io *bio,
                 uintptr_t ptr, size_t size, binder_handler func)
{
  switch(cmd) {
    case BR_TRANSACTION: {
      if (func) {
        int res;
        //①reply初始化
        bio_init(&reply, rdata, sizeof(rdata), 4);
        //②由svcmgr_handler处理请求(func是参数传来的svcmgr_handler)
        res = func(bs, txn, &msg, &reply);
        //③将reply发给binder驱动
        binder_send_reply(bs, &reply, txn->data.ptr.buffer, res);
      }
    }
  }
}

svcmgr_handler

//path: /frameworks/native/cmds/servicemanager/service_manager.c
int svcmgr_handler(struct binder_state *bs,
                   struct binder_transaction_data *txn,
                   struct binder_io *msg,
                   struct binder_io *reply)
{
  //addService
  case SVC_MGR_ADD_SERVICE:
    //注册指定服务
    if (do_add_service(bs, s, len, handle, txn->sender_euid,
                     allow_isolated, txn->sender_pid))
}

int do_add_service(struct binder_state *bs,
                   const uint16_t *s, size_t len,
                   uint32_t handle, uid_t uid, int allow_isolated,
                   pid_t spid)
{
  //因为SM是管理了很多服务,所以先要查找下有木有
  si = find_svc(s, len);
  if (si) {
    if (si->handle) {
      //先释放服务
      svcinfo_death(bs, si);
    }
    //再重新添加
    si->handle = handle;
  }else{
    //申请内存
    si = malloc(sizeof(*si) + (len + 1) * sizeof(uint16_t));
    //一些服务信息
    si->handle = handle;
    si->len = len;
    //将服务保存到svclist,addService完成
    si->next = svclist;
    //svclist用来保存所有已注册的服务
    svclist = si;
  }
}

binder_send_reply

//path: /frameworks/native/cmds/servicemanager/binder.c
void binder_send_reply(struct binder_state *bs,
                       struct binder_io *reply,
                       binder_uintptr_t buffer_to_free,
                       int status)
{
  //BC_REPLY命令
  data.cmd_reply = BC_REPLY;
  //调用binder驱动的binder_thread_write
  binder_write(bs, &data, sizeof(data));
}
//path: /drivers/staging/android/binder.c
static int binder_thread_write(struct binder_proc *proc,
            struct binder_thread *thread,
            binder_uintptr_t binder_buffer, size_t size,
            binder_size_t *consumed)
{
  case BC_REPLY:
   //和上面binder_transaction一样
    binder_transaction(proc, thread, &tr, cmd == BC_REPLY);
}

总结:


addService.png
上一篇下一篇

猜你喜欢

热点阅读