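Reading the Binder source code is the best way to learn the Binder mechanism, but you should not go in unprepared: the relevant source is dry and hard to follow, so it helps to have some theory first. There is plenty of material on Binder online, so I won't write it all out again here. I strongly recommend the following two articles:
Android in Depth: The Binder Mechanism (Android深入浅出之Binder机制)
Android Binder Design and Implementation – Design (Android Binder设计与实现 – 设计篇)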
void MediaPlayerService::instantiate() {
    defaultServiceManager()->addService(
            String16("media.player"), new MediaPlayerService());
}
defaultServiceManager = BpServiceManager
class MediaPlayerService : public BnMediaPlayerService
Bn: Binder Native layer
Bp: Binder Proxy
BpServiceManager, BnServiceManager, BnMediaPlayerService, BpMediaPlayerService: which of these interact with it?
sp<IServiceManager> defaultServiceManager()
{
sp<IBinder> ProcessState::getContextObject(const sp<IBinder>& /*caller*/)
{
    return getStrongProxyForHandle(0);
}
b = new BpBinder(handle);
template<typename INTERFACE>
inline sp<INTERFACE> interface_cast(const sp<IBinder>& obj)
{
    return INTERFACE::asInterface(obj);
}
DECLARE_META_INTERFACE(ServiceManager);
#define DECLARE_META_INTERFACE(INTERFACE)                               \
    static const android::String16 descriptor;                          \
    static android::sp<I##INTERFACE> asInterface(                       \
            const android::sp<android::IBinder>& obj);                  \
    virtual const android::String16& getInterfaceDescriptor() const;    \
    I##INTERFACE();                                                     \
    virtual ~I##INTERFACE();                                            \
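Why does this look so much like MFC? Microsoft's influence runs deep! Anyone who knows MFC knows that where there is a DECLARE there must be an IMPLEMENT.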
class BpServiceManager : public BpInterface<IServiceManager>
{
public:
    BpServiceManager(const sp<IBinder>& impl)
        : BpInterface<IServiceManager>(impl)
    {
    }
addService Parcel writeInterfaceToken ADD_SERVICE_TRANSACTION
remote transact
class BpRefBase : public virtual RefBase {
inline IBinder* remote() { return mRemote; }
BpBinder::BpBinder(int32_t handle)
class BpServiceManager : public BpInterface<IServiceManager>
{
public:
    BpServiceManager(const sp<IBinder>& impl)
        : BpInterface<IServiceManager>(impl)
    {
    }
inline BpInterface<INTERFACE>::BpInterface(const sp<IBinder>& remote)
    : BpRefBase(remote)
{
}
BpRefBase::BpRefBase(const sp<IBinder>& o)
    : mRemote(o.get()), mRefs(NULL), mState(0)
{
virtual status_t addService(const String16& name, const sp<IBinder>& service,
        bool allowIsolated)
{
    Parcel data, reply;
    data.writeInterfaceToken(IServiceManager::getInterfaceDescriptor());
    data.writeString16(name);
    data.writeStrongBinder(service);
    data.writeInt32(allowIsolated ? 1 : 0);
    status_t err = remote()->transact(ADD_SERVICE_TRANSACTION, data, &reply);
    return err == NO_ERROR ? reply.readExceptionCode() : err;
}
BpBinder is converted to IServiceManager : BpRefBase
status_t BpBinder::transact(
    uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags)
{
// We are back around again: this calls IPCThreadState's transact.
// Note that mHandle is 0 here, code is ADD_SERVICE_TRANSACTION, data is the command packet,
// reply is the reply packet, and flags = 0.
status_t IPCThreadState::transact(int32_t handle,
                                  uint32_t code, const Parcel& data,
                                  Parcel* reply, uint32_t flags)
{
err = waitForResponse(reply);
status_t IPCThreadState::writeTransactionData(int32_t cmd, uint32_t binderFlags,
    int32_t handle, uint32_t code, const Parcel& data, status_t* statusBuffer)
{
binder_transaction_data tr;
tr.data.ptr.buffer = reinterpret_cast<uintptr_t>(statusBuffer);
The code above packs the command data into a binder_transaction_data and then
writes it to mOut. mOut is the command buffer, and it is also a Parcel.
mOut.writeInt32(cmd);
mOut.write(&tr, sizeof(tr));
// This has only written it into a Parcel; the Parcel does not seem to have any connection to the /dev/binder device?
Right, so it must be written to the binder device somewhere else. Could it be in...?
return NO_ERROR;
status_t IPCThreadState::waitForResponse(Parcel *reply, status_t *acquireResult)
{
// See that? This is where mIn starts being used, so it seems that talkWithDriver
// sends mOut out and then reads data from the driver into mIn.
status_t IPCThreadState::talkWithDriver(bool doReceive)
{
binder_write_read bwr;
if (ioctl(mProcess->mDriverFD, BINDER_WRITE_READ, &bwr) >= 0)
OK, at this point the flow for sending addService is completely finished.
BpServiceManager sent an addService command to BnServiceManager and then received the reply.
int main(int argc __unused, char** argv)
{
    sp<ProcessState> proc(ProcessState::self());
    MediaLogService::instantiate();
    ProcessState::self()->startThreadPool();
The first function called is ProcessState::self(), and its result is assigned to the variable proc. When the program finishes, proc automatically deletes what it holds, so the resources allocated earlier are released automatically.
bs = binder_open(128*1024);
bs->fd = open("/dev/binder", O_RDWR);
bs->mapped = mmap(NULL, mapsize, PROT_READ, MAP_PRIVATE, bs->fd, 0); // map the memory
if (binder_become_context_manager(bs)) {
    ALOGE("cannot become context manager (%s)\n", strerror(errno));
    return -1;
}
int binder_become_context_manager(struct binder_state *bs)
{
    return ioctl(bs->fd, BINDER_SET_CONTEXT_MGR, 0);
}
binder_loop(bs, svcmgr_handler);
void binder_loop(struct binder_state *bs, binder_handler func)
{
struct binder_write_read bwr;
binder_write(bs, readbuf, sizeof(uint32_t));
res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr);
res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr);
if (res < 0) {
    ALOGE("binder_loop: ioctl failed (%s)\n", strerror(errno));
    break;
}
res = binder_parse(bs, 0, (uintptr_t) readbuf, bwr.read_consumed, func);
int binder_parse(struct binder_state *bs, struct binder_io *bio,
                 uintptr_t ptr, size_t size, binder_handler func)
{
Right, at the end there is a place, similar to handleMessage, that handles all the various commands. This is
svcmgr_handler, in ServiceManager.c
int svcmgr_handler(struct binder_state *bs,
                   struct binder_transaction_data *txn,
                   struct binder_io *msg,
                   struct binder_io *reply)
{
struct binder_transaction_data *txn = (struct binder_transaction_data *) ptr;
if (func) {
if (do_add_service(bs, s, len, handle, txn->sender_euid,
    allow_isolated, txn->sender_pid))
int do_add_service(struct binder_state *bs,
                   const uint16_t *s, size_t len,
                   uint32_t handle, uid_t uid, int allow_isolated,
                   pid_t spid)
si = malloc(sizeof(*si) + (len + 1) * sizeof(uint16_t));
memcpy(si->name, s, (len + 1) * sizeof(uint16_t));
si->next = svclist;
svclist = si;
Oh, so for addService, ServiceManager adds the information to a service list that it maintains itself.
Why ServiceManager exists
In Android, every Service's information is first added to ServiceManager, which manages it centrally, so that you can query which services the system currently has. Moreover, when a client of some service, for example MediaPlayerService, wants to talk to MediaPlayerService, it must first query ServiceManager for MediaPlayerService's information and then use what ServiceManager returns to interact with MediaPlayerService.
After all, if MediaPlayerService were in poor health and kept dying, client code would be in trouble: it would know nothing about the newly respawned MediaPlayerService. So this is the only way to do it.
In addition, ServiceManager's handle is 0, so any message sent to the service with handle 0 is ultimately delivered to ServiceManager.
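The registration and lookup role described above, as an added C++ model (not AOSP code and not from the original post); it shows why a client has to re-query ServiceManager after a service restart. MiniServiceManager, the owner-uid replacement rule, the 127-unit name limit and the sample uids and handles are assumptions made for illustration.

```cpp
// Added model of servicemanager's name -> handle list; not AOSP code.
#include <cstdint>
#include <map>
#include <string>

struct SvcInfo {
    uint32_t handle;      // binder handle of the service; 0 means dead / none
    unsigned ownerUid;    // uid that registered the name (txn->sender_euid on the page)
    bool allowIsolated;
};

class MiniServiceManager {
    std::map<std::u16string, SvcInfo> svclist;   // stands in for the svclist linked list
public:
    // Same inputs as do_add_service(): returns 0 on success, -1 on rejection.
    int addService(const std::u16string& name, uint32_t handle,
                   unsigned uid, bool allowIsolated) {
        // Handle 0 is servicemanager itself; the 127-unit name bound is assumed.
        if (handle == 0 || name.empty() || name.size() > 127) return -1;
        auto it = svclist.find(name);
        // Assumed policy: only the uid that first registered a name may replace it.
        if (it != svclist.end() && it->second.ownerUid != uid) return -1;
        svclist[name] = SvcInfo{handle, uid, allowIsolated};
        return 0;
    }
    // Returns the current handle, or 0 if the name is unknown or the service is dead.
    uint32_t getService(const std::u16string& name) const {
        auto it = svclist.find(name);
        return it == svclist.end() ? 0 : it->second.handle;
    }
    // Called when the process behind `handle` dies: keep the name, drop the handle.
    void binderDied(uint32_t handle) {
        for (auto& kv : svclist)
            if (kv.second.handle == handle) kv.second.handle = 0;
    }
};

// Constructed scenario: media.player registers, dies, and comes back with a new handle.
uint32_t handleAfterRestart() {
    MiniServiceManager sm;
    sm.addService(u"media.player", 5, 1013, false);   // uid 1013 is a sample value
    sm.binderDied(5);
    if (sm.getService(u"media.player") != 0) return 0xffffffff;  // stale handle survived
    sm.addService(u"media.player", 9, 1013, false);
    return sm.getService(u"media.player");            // 9
}

// A different uid re-registering an existing name is rejected under the assumed policy.
int reRegisterFromOtherUid() {
    MiniServiceManager sm;
    sm.addService(u"media.player", 5, 1013, false);
    return sm.addService(u"media.player", 7, 10123, false);   // -1
}
```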
virtual status_t addService(const String16& name, const sp<IBinder>& service,
        bool allowIsolated)
{
    Parcel data, reply;
    data.writeInterfaceToken(IServiceManager::getInterfaceDescriptor());
    data.writeString16(name);
    data.writeStrongBinder(service);
    data.writeInt32(allowIsolated ? 1 : 0);
    status_t err = remote()->transact(ADD_SERVICE_TRANSACTION, data, &reply);
    return err == NO_ERROR ? reply.readExceptionCode() : err;
}
defaultServiceManager()->addService(
        String16("media.player"), new MediaPlayerService());
class MediaPlayerService : public BnMediaPlayerService
{
class BnMediaPlayerService: public BnInterface<IMediaPlayerService>
{
public:
    virtual status_t onTransact(uint32_t code,
                                const Parcel& data,
                                Parcel* reply,
                                uint32_t flags = 0);
};
template<typename INTERFACE>
class BnInterface : public INTERFACE, public BBinder
{
After instantiation this becomes
class BnInterface : public IMediaPlayerService, public BBinder
class PoolThread : public Thread {
t->run(name.string());
ProcessState::self()->startThreadPool();
IPCThreadState::self()->joinThreadPool();
void IPCThreadState::joinThreadPool(bool isMain)
{
./work/android-5.0.2/external/lldb/source/Target/Thread.cpp
ProcessState::self()->startThreadPool();
spawnPooledThread(true);
sp<Thread> t = new PoolThread(isMain);
t->run(name.string());
IPCThreadState::self()->joinThreadPool();
Oh, at this point the thread has not been created yet. PoolThread::run is then called, which actually invokes the base class's run.
status_t Thread::run(const char* name, int32_t priority, size_t stack)
{
bool res;
if (mCanCallJava) {
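res = createThreadEtc(_threadLoop, // the thread function is _threadLoop
this, name, priority, stack, &mThread);
}
// Finally, the thread is created inside run. From here on,
the main thread executes
IPCThreadState::self()->joinThreadPool();
and the newly started thread executes _threadLoop.
Let's look at _threadLoop first.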
int Thread::_threadLoop(void* user)
{
Thread* const self = static_cast<Thread*>(user);
sp<Thread> strong(self->mHoldSelf);
wp<Thread> weak(strong);
self->mHoldSelf.clear();
do {
...
if (result && !self->mExitPending) {
result = self->threadLoop(); // wow, it calls its own threadLoop
}
}
We are a PoolThread object, so PoolThread's threadLoop function is the one called.
IPCThreadState::self()->joinThreadPool();
./work/android-5.0.2/external/lzma/CPP/Windows/Thread.h
./work/android-5.0.2/external/lldb/include/lldb/Target/Thread.h
./work/android-5.0.2/system/core/include/utils/Thread.h
http://androidxref.com/4.4.2_r1/xref/system/core/include/utils/Thread.h
class Thread : virtual public RefBase
{
public:
    // Create a Thread object, but doesn't create or start the associated
    // thread. See the run() method.
    Thread(bool canCallJava = true);
    virtual bool threadLoop() = 0;
class PoolThread : public Thread
{
    virtual bool threadLoop()
    {
        IPCThreadState::self()->joinThreadPool(mIsMain);
        return false;
    }
http://androidxref.com/4.4.2_r1/xref/system/core/libutils/Threads.cpp
Thread::Thread(bool canCallJava)
    : mCanCallJava(canCallJava),
      mThread(thread_id_t(-1)),
      mLock("Thread::mLock"),
      mStatus(NO_ERROR),
      mExitPending(false), mRunning(false)
#ifdef HAVE_ANDROID_OS
    , mTid(-1)
status_t Thread::run(const char* name, int32_t priority, size_t stack)
{
    res = createThreadEtc(_threadLoop, this, name, priority, stack, &mThread);
int Thread::_threadLoop(void* user)
{
    Thread* const self = static_cast<Thread*>(user);
    result = self->threadLoop();
class PoolThread : public Thread
{
// mIsMain is true.
// Also note that this is a new thread, so a new IPCThreadState object
// will necessarily be created (remember thread-local storage, TLS?), and then
    virtual bool threadLoop()
    {
        IPCThreadState::self()->joinThreadPool(mIsMain);
        return false;
    }
class Thread : virtual public RefBase
    virtual bool threadLoop() = 0;
Both the main thread and the worker thread call joinThreadPool. Let's see what it does!
void IPCThreadState::joinThreadPool(bool isMain)
{
    result = getAndExecuteCommand();
    result = executeCommand(cmd);
    case BR_TRANSACTION:
{
binder_transaction_data tr;
result = mIn.read(&tr, sizeof(tr));
// A command has arrived and is parsed as BR_TRANSACTION; the rest of its information is then read
Parcel reply;
if (tr.target.ptr) {
// A BBinder is used here.
sp<BBinder> b((BBinder*)tr.cookie);
const status_t error = b->transact(tr.code, buffer, &reply, 0);
}
Let's see what BBinder's transact function does.
status_t BBinder::transact(
    uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags)
{
    err = onTransact(code, data, reply, flags);
BnMediaPlayerService derives from BBinder, so its onTransact function is the one called.
At last everything is clear. Let's look at BnMediaPlayerService's onTransact function.
IMediaPlayerService.cpp
class BpMediaPlayerService: public BpInterface<IMediaPlayerService>
{
status_t BnMediaPlayerService::onTransact( uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags) {
// BnMediaPlayerService derives from BBinder and IMediaPlayerService; all IMediaPlayerService
class BnMediaPlayerService: public BnInterface<IMediaPlayerService>
template<typename INTERFACE> class BnInterface : public INTERFACE, public BBinder
// See the switch below? Every function that IMediaPlayerService provides is distinguished by its command type
//status_t BnMediaPlayerService::onTransact( uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags) {
switch (code) {
    case CREATE: {
        CHECK_INTERFACE(IMediaPlayerService, data, reply);
        sp<IMediaPlayerClient> client =
            interface_cast<IMediaPlayerClient>(data.readStrongBinder());
        int audioSessionId = data.readInt32();
        // create is a virtual function, implemented by MediaPlayerService!!
        sp<IMediaPlayer> player = create(client, audioSessionId);
class MediaPlayerService : public BnMediaPlayerService
{
class BnMediaPlayerService: public BnInterface<IMediaPlayerService>
{
public:
    virtual status_t onTransact(uint32_t code,
                                const Parcel& data,
                                Parcel* reply,
                                uint32_t flags = 0);
};
class BBinder : public IBinder {
virtual status_t onTransact( uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags = 0);
sp<IMediaPlayer> MediaPlayerService::create(const sp<IMediaPlayerClient>& client, int audioSessionId) {
    pid_t pid = IPCThreadState::self()->getCallingPid();
    int32_t connId = android_atomic_inc(&mNextConnId);
    sp<Client> c = new Client(
            this, pid, connId, client, audioSessionId,
            IPCThreadState::self()->getCallingUid());
    ALOGV("Create new client(%d) from pid %d, uid %d, ", connId, pid,
         IPCThreadState::self()->getCallingUid());
    wp<Client> w = c;
    {
        Mutex::Autolock lock(mLock);
        mClients.add(w);
    }
    return c;
}
class MediaPlayerService : public BnMediaPlayerService
{
    class Client;
    virtual sp<IMediaPlayer> create(const sp<IMediaPlayerClient>& client, int audioSessionId);
class IMediaPlayerService: public IInterface
{
    virtual sp<IMediaPlayer> create(const sp<IMediaPlayerClient>& client, int audioSessionId = 0) = 0;
IMediaPlayerService.cpp
    virtual sp<IMediaPlayer> create(
            const sp<IMediaPlayerClient>& client, int audioSessionId) {
        Parcel data, reply;
        data.writeInterfaceToken(IMediaPlayerService::getInterfaceDescriptor());
        data.writeStrongBinder(client->asBinder());
        data.writeInt32(audioSessionId);
        remote()->transact(CREATE, data, &reply);
        return interface_cast<IMediaPlayer>(reply.readStrongBinder());
    }
In fact, by this point it is all clear. BnXXX's onTransact function receives the command and dispatches it to the derived class's functions, which do the actual work.
4 MediaPlayerClient
This section explains how MediaPlayerClient interacts with MediaPlayerService.
To use MediaPlayerService, you first have to create its BpMediaPlayerService. Let's look at an example.
IMediaDeathNotifier::getMediaPlayerService() {
    sp<IServiceManager> sm = defaultServiceManager();
    sp<IBinder> binder;
    do {
        binder = sm->getService(String16("media.player"));
        if (binder != 0) {
            break;
        }
    sMediaPlayerService = interface_cast<IMediaPlayerService>(binder);
gDefaultServiceManager = interface_cast<IServiceManager>(
// Through interface_cast, this binder is converted into a BpMediaPlayerService.
// Note that this binder is only used to communicate with the binder device; in fact
// it has nothing at all to do with what IMediaPlayerService does.
// Remember the Bridge pattern I mentioned? BpMediaPlayerService uses this binder to communicate
// with BnMediaPlayerService.
4.1 Native layer
The getMediaPlayerService code above is at the C++ layer, but the usage example as a whole is really a JAVA->JNI call. What should I do if I want to write a pure C++ program?
int main()
{
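getMediaPlayerService(); // Can calling this function directly obtain the BpMediaPlayerService?
// No. Why not? Because I have not opened the binder driver yet! In a JAVA application, Google has already
// wrapped that up for you.
// So pure native-layer code also has to do the following:
sp<ProcessState> proc(ProcessState::self()); // this is not strictly required, because
// many places need it, so it gets created automatically anyway.
getMediaPlayerService();
// You also have to start a message loop; otherwise, if the Bn side sends you a notification, how would you receive it?
ProcessState::self()->startThreadPool();
// Whether the main thread also needs to enter the message loop is up to you. Usually it just waits for messages from other sources, such as commands arriving over a socket, and then controls MediaPlayerService.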
}
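5 Implementing your own Service
OK, we have learned a lot about Binder. So what do we do if we want to implement a Service of our own?
For a pure C++ program, it has to be done much like main_MediaService.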
int main()
{
sp<ProcessState> proc(ProcessState::self());
sp<IServiceManager> sm = defaultServiceManager();
sm->addService(String16("service.name"), new XXXService());
ProcessState::self()->startThreadPool();
IPCThreadState::self()->joinThreadPool();
}
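How should XXXService be defined?
We need a Bn and a Bp, and the Bp does not need to be exposed, so we can implement both together in BnXXX.cpp.
In addition, XXXService provides its own functionality, for example a getXXX call.
5.1 Defining the XXX interface
The XXX interface belongs to the XXX service: it provides functions such as getXXX and setXXX and is tied to the application logic.
It must derive from IInterface.
class IXXX: public IInterface
{
public:
DECLARE_META_INTERFACE(XXX); // declaration macro
virtual void getXXX() = 0;
virtual void setXXX() = 0;
}; // this is an interface
5.2 Defining BnXXX and BpXXX
To plug IXXX into the Binder structure, we need to define BnXXX and a BpXXX that is transparent to clients.
BnXXX needs a header file. BnXXX merely plugs the IXXX interface into the Binder architecture; it takes no part in the actual getXXX and setXXX application-layer logic.
The BnXXX definition can sit together with the IXXX definition above, or be kept separate.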
class BnXXX: public BnInterface<IXXX>
{
public:
virtual status_t onTransact( uint32_t code,
const Parcel& data,
Parcel* reply,
uint32_t flags = 0);
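// Since IXXX is an abstract (pure virtual) class and BnXXX only implements onTransact, BnXXX is still
// an abstract class
};
Now that we have the DECLARE, let's IMPLEMENT it in some .cpp file. IXXX.cpp will do.
IMPLEMENT_META_INTERFACE(XXX, "android.xxx.IXXX"); // IMPLEMENT macro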
status_t BnXXX::onTransact(
uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags)
{
switch(code) {
case GET_XXX: {
CHECK_INTERFACE(IXXX, data, reply);
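// read the request parameters
// call the virtual function getXXX()
return NO_ERROR;
} break; // SET_XXX is similar
default:
return BBinder::onTransact(code, data, reply, flags);
}
}
Let's implement BpXXX here as well.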
class BpXXX: public BpInterface<IXXX>
{
public:
BpXXX (const sp<IBinder>& impl)
: BpInterface< IXXX >(impl)
{
}
virtual void getXXX()
{
Parcel data, reply;
data.writeInterfaceToken(IXXX::getInterfaceDescriptor());
data.writeInt32(pid);
remote()->transact(GET_XXX, data, &reply);
return;
}
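// setXXX is similar
};
With that, the analysis of Binder is complete. After reading this, you should be able to do the following:
• If you need to write your own Service, you have to know how the system ends up calling your functions. Right: there are 2 threads constantly receiving commands from the binder device and then calling your functions. So this is a multithreading problem.
• If you need to track down a bug, you have to know how a function called on the Client side ultimately reaches the remote Service. That way, once I have traced a call on the Client side, I know to go to the Service and look at the corresponding function. It is synchronous anyway: a function call on the Client waits until the Service returns.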
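An added, self-contained C++ model of the BnXXX / BpXXX pattern from section 5 (not libbinder and not the original author's code), showing the interface-token check and the per-code dispatch in onTransact. MiniParcel, the numeric transaction and status codes, and the direct call that stands in for the binder driver are assumptions.

```cpp
// Added model of the BpXXX / BnXXX split; not libbinder, numeric codes are assumed.
#include <cstdint>
#include <string>
#include <vector>

enum { GET_XXX = 1, SET_XXX = 2 };
enum : int32_t { NO_ERROR = 0, PERMISSION_DENIED = -1, UNKNOWN_TRANSACTION = -74 };
static const std::string kDescriptor = "android.xxx.IXXX";
struct MiniParcel {                  // stand-in for Parcel: ordered fields + read cursor
    std::vector<std::string> f; size_t pos = 0;
    void write(const std::string& s) { f.push_back(s); }
    void writeInt32(int32_t v) { f.push_back(std::to_string(v)); }
    std::string read() { return pos < f.size() ? f[pos++] : std::string(); }
    int32_t readInt32() { std::string s = read(); return s.empty() ? 0 : std::stoi(s); }
};
struct IXXX {                        // the interface: application logic only
    virtual int32_t getXXX() = 0;
    virtual void setXXX(int32_t v) = 0;
    virtual ~IXXX() {}
};
struct BnXXX : IXXX {                // server side: check, unmarshal, dispatch
    int32_t onTransact(uint32_t code, MiniParcel& data, MiniParcel* reply) {
        if (data.read() != kDescriptor) return PERMISSION_DENIED;  // role of CHECK_INTERFACE
        switch (code) {
        case GET_XXX: reply->writeInt32(getXXX()); return NO_ERROR;
        case SET_XXX: setXXX(data.readInt32()); return NO_ERROR;
        default: return UNKNOWN_TRANSACTION;   // never fall through on unknown codes
        }
    }
};
struct XXXService : BnXXX {          // the derived class does the real work
    int32_t value = 0;
    int32_t getXXX() override { return value; }
    void setXXX(int32_t v) override { value = v; }
};
struct BpXXX : IXXX {                // client side: marshal and send
    BnXXX* remote;                   // direct call replaces remote()->transact() via the driver
    explicit BpXXX(BnXXX* r) : remote(r) {}
    int32_t getXXX() override {
        MiniParcel data, reply;
        data.write(kDescriptor);     // what writeInterfaceToken contributes
        remote->onTransact(GET_XXX, data, &reply);
        return reply.readInt32();
    }
    void setXXX(int32_t v) override {
        MiniParcel data, reply;
        data.write(kDescriptor); data.writeInt32(v);
        remote->onTransact(SET_XXX, data, &reply);
    }
};
int32_t roundTrip(int32_t v) { XXXService s; BpXXX p(&s); p.setXXX(v); return p.getXXX(); }
int32_t rawTransact(const std::string& token, uint32_t code) {
    XXXService s; MiniParcel d, r; d.write(token); return s.onTransact(code, d, &r);
}
```

rawTransact plays a caller that bypasses BpXXX, which is the case the token check and the default branch exist for.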