
通過AMS分析Binder流程(Java到Kernel)

栗子:
/**
 * Example activity used by the article as the entry point of the Binder
 * call chain: the startActivity() call here is traced through Context,
 * Instrumentation and ActivityManagerNative down to the binder driver.
 */
public class MainActivity extends Activity {

  /**
   * Launches DisplayMessageActivity as soon as this activity is created.
   *
   * @param savedInstanceState handed straight to the superclass
   */
  @Override
  protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    // Explicit intent (target class named directly); the one-argument
    // Activity.startActivity(Intent) overload is the one traced in section 1.
    startActivity(new Intent(this, DisplayMessageActivity.class));
  }
}
 
1.frameworks/base/core/java/android/app/Activity.java
<1>.public void startActivity(Intent intent) {
  // One-argument overload: forwards to the two-argument overload with a
  // null second argument.
  startActivity(intent, null);
}
<2>.注意:這裡繼承關係: Activity ——> ContextThemeWrapper ——> ContextWrapper ——> Context
   ————>public class Activity extends ContextThemeWrapper{}
     ————>public class ContextThemeWrapper extends ContextWrapper{}
       ————>public class ContextWrapper extends Context {}
 
<3>.在frameworks/base/core/java/android/content/Context.java中定義抽象方法startActivity()
    public abstract void startActivity(@RequiresPermission Intent intent);
    並且在frameworks/base/core/java/android/app/ContextImpl.java中實現了startActivity()抽象方法.
    public void startActivity(Intent intent) {
       // ContextImpl's concrete implementation: hands the request to the
       // Instrumentation owned by the main thread (arguments elided here).
       mMainThread.getInstrumentation().execStartActivity();
    }
2.frameworks/base/core/java/android/app/Instrumentation.java
public ActivityResult execStartActivity(){
  // Leaves the app process: getDefault() (section 3) yields the
  // IActivityManager proxy for the "activity" service. The real call passes
  // the intent and other arguments; this excerpt elides them and the return.
  int result = ActivityManagerNative.getDefault().startActivity();
}
 
 
3.frameworks/base/core/java/android/app/ActivityManagerNative.java
<1>.static public IActivityManager getDefault(){
  // Returns the IActivityManager proxy cached in the Singleton below.
  return gDefault.get();
}
 
<2>.private static final Singleton<IActivityManager> gDefault = new Singleton<IActivityManager>(){
    // Presumably the body of the Singleton's create() method (its header is
    // elided in this excerpt): look up the "activity" service by name and wrap
    // the returned IBinder in an IActivityManager proxy.
    IBinder b = ServiceManager.getService("activity");
    IActivityManager am = asInterface(b);
    return am;
}
 
4.frameworks/base/core/java/android/os/ServiceManager.java
   public static void addService(String name, IBinder service){
      // Body elided in this excerpt; the Java side of the add path is picked
      // up in section 10 (mRemote.transact(ADD_SERVICE_TRANSACTION, ...)).
   }
<1>.public static IBinder getService(String name) {
  // Asks servicemanager (through the proxy built below) for the IBinder
  // registered under `name`.
  return getIServiceManager().getService(name);
}
 
<2>.private static IServiceManager getIServiceManager() {
  // BinderInternal.getContextObject() is the native proxy for binder handle 0
  // (sections 5-8); asInterface() wraps it as an IServiceManager. This excerpt
  // re-assigns the static on every call; any caching is elided.
  sServiceManager = ServiceManagerNative.asInterface(BinderInternal.getContextObject());
  return sServiceManager;
}
 
 
5.frameworks/base/core/java/com/android/internal/os/BinderInternal.java
public static final native IBinder getContextObject();//JNI entry point, implemented in android_util_Binder.cpp (section 6)
 
6.frameworks/base/core/jni/android_util_Binder.cpp
static jobject android_os_BinderInternal_getContextObject(JNIEnv* env, jobject clazz){
  // JNI side of BinderInternal.getContextObject(). The caller argument of
  // ProcessState::getContextObject() is ignored (see section 7), so NULL is
  // passed; the native proxy is then wrapped as a Java IBinder.
  const sp<IBinder> contextObject = ProcessState::self()->getContextObject(NULL);
  return javaObjectForIBinder(env, contextObject);
}
 
7.frameworks/native/libs/binder/ProcessState.cpp
<1>.sp<IBinder> ProcessState::getContextObject(const sp<IBinder>& /*caller*/){
  // Handle 0 is the binder handle of servicemanager, so the proxy returned
  // here always targets servicemanager regardless of the (ignored) caller.
  const int32_t kServiceManagerHandle = 0;
  return getStrongProxyForHandle(kServiceManagerHandle);
}
 
8.sp<IBinder> ProcessState::getStrongProxyForHandle(int32_t handle){
   sp<IBinder> result;
   Parcel data;
   // Ping transaction to handle 0 (servicemanager). NOTE(review): `status` is
   // computed but never examined in this excerpt, so an unreachable
   // servicemanager would go unnoticed here.
   status_t status = IPCThreadState::self()->transact(0, IBinder::PING_TRANSACTION, data, NULL, 0);
   // `b` is declared outside this excerpt; the proxy object for `handle` is created here.
   b = new BpBinder(handle);
   result = b; // hand the BpBinder to the sp<IBinder> (BpBinder derives from IBinder) and return it
 
   return result;// the returned result is an IBinder* (held in an sp)
}
注意:frameworks/native/include/binder/BpBinder.h這裡BpBinder類是繼承於IBinder的.
// Proxy-side binder. BpBinder derives from IBinder, which is why the
// `new BpBinder(handle)` above can be assigned to an sp<IBinder>. Members elided.
class BpBinder : public IBinder{
 
}
 
9.分析BpBinder(Proxy Binder)和BBinder(Base Binder)怎麼聯絡起來的?
所以在frameworks/native/libs/binder/IServiceManager.cpp裡
//frameworks/native/libs/binder/Static.cpp
// Process-wide servicemanager proxy: the handle-0 BpBinder wrapped by
// interface_cast (expanded in <1>-<5> below). Shown here as two bare
// statements; presumably the assignment sits inside a function in the real source.
sp<IServiceManager> gDefaultServiceManager;
gDefaultServiceManager = interface_cast<IServiceManager>(ProcessState::self()->getContextObject(NULL));
 
注意:sp<IBinder> result;
      b = new BpBinder(handle);
      result = b;
      return result;
IBinder就是new BpBinder(0);
======>interface_cast<IServiceManager>(new BpBinder(handle)/*handle為0;*/);
  ======>interface_cast<IServiceManager>(new BpBinder(0)//返回IBinder型別);
    ======>IServiceManager::asInterface(obj);//obj就是傳進來:new BpBinder(0);即IBinder
      ======>new BpServiceManager(obj);//obj就是傳進來:new BpBinder(0);即IBinder
        ======>class BpServiceManager : public BpInterface<IServiceManager>{}
          ======>inline BpInterface<INTERFACE>::BpInterface(const sp<IBinder>& obj) : BpRefBase(remote){}
            ======>BpRefBase::BpRefBase(const sp<IBinder>& o): mRemote(o.get()), mRefs(NULL), mState(0){}
                   注意:sp<IBinder>& o型別初始化函式列表:把o傳給mRemote,這裡o就是new BpServiceManager(obj)的obj==>new BpBinder(0);即IBinder        		   
                   最終目的:把BpBinder傳給了mRemote,mRemote就是remote(),就是IBinder*型別物件; 後邊使用remote()->transact()傳輸到kernel層,就調到BpBinder.cpp裡的transact()函式,這條路就打通了.因為:BpBinder和BBinder就是通過IBinder聯絡起來的.
		   //一.BBinder繼承表
                   class BBinder : public IBinder{};
                   class BnInterface : public INTERFACE, public BBinder{};
                   
		   //二.BpBinder繼承表
	           class BpRefBase : public virtual RefBase{
	                 IBinder* const mRemote;
			 inline  IBinder* remote() { return mRemote; } 
                    }
                   class BpInterface : public INTERFACE, public BpRefBase{};
                   inline BpInterface<INTERFACE>::BpInterface(const sp<IBinder>& remote) : BpRefBase(remote){}
 
 
<1>.分析interface_cast是個什麼鬼?
frameworks/native/include/binder/IInterface.h
template<typename INTERFACE>
inline sp<INTERFACE> interface_cast(const sp<IBinder>& obj){
  // Thin forwarding template: every INTERFACE supplies a static asInterface()
  // (generated by DECLARE/IMPLEMENT_META_INTERFACE, expanded below).
  sp<INTERFACE> iface = INTERFACE::asInterface(obj);
  return iface;
}
 
僅僅是一個模板函式,所以interface_cast<IServiceManager>()等價於:
inline sp<IServiceManager> interface_cast(const sp<IBinder>& obj){
  // Instantiation of the template above with INTERFACE = IServiceManager.
  sp<IServiceManager> iface = IServiceManager::asInterface(obj);
  return iface;
}
 
<2>.在frameworks/native/include/binder/IServiceManager.h中,
IServiceManager類繼承於IInterface類
 
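class IServiceManager : public IInterface{
  // The two macros generate descriptor, asInterface() and
  // getInterfaceDescriptor() (expanded below). The IMPLEMENT_ macro normally
  // lives in IServiceManager.cpp rather than inside the class body; it is
  // shown next to the declaration here for readability. The original excerpt
  // closed the string with a typographic quote, which does not compile.
  DECLARE_META_INTERFACE(ServiceManager);
  IMPLEMENT_META_INTERFACE(ServiceManager, "android.os.IServiceManager");
};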
將IServiceManager的DECLARE巨集進行相應的替換後得到的程式碼如下所示:
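#define DECLARE_META_INTERFACE(ServiceManager)
// Interface descriptor string; the proxy writes it into every transaction
// via writeInterfaceToken() (section 10).
static const android::String16 descriptor;

// Factory that turns an IBinder (local object or BpBinder proxy) into an
// IServiceManager. (The original excerpt had "constandroid" and no ';'.)
static android::sp<IServiceManager> asInterface(const android::sp<android::IBinder>& obj);

// Accessor returning `descriptor`.
virtual const android::String16& getInterfaceDescriptor() const;

// Constructor and destructor.
IServiceManager();
virtual ~IServiceManager();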
 
將IServiceManager中的IMPLEMENT巨集的定義展開,如下所示:
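#define IMPLEMENT_META_INTERFACE(ServiceManager, "android.os.IServiceManager")
// Static member definition: descriptor is initialised with the interface
// name given to the macro. (The original excerpt used typographic quotes
// around the literal, which do not compile.)
const android::String16 IServiceManager::descriptor("android.os.IServiceManager");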
 
//getInterfaceDescriptor(): hands out the static descriptor by reference.
const android::String16& IServiceManager::getInterfaceDescriptor()const
{ 
   // Value is "android.os.IServiceManager", set in the static definition above.
   const android::String16& name = IServiceManager::descriptor;
   return name;
} 
 
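//asInterface(): converts an IBinder into an IServiceManager.
// (The original excerpt had "constandroid" in the parameter type.)
android::sp<IServiceManager> IServiceManager::asInterface(const android::sp<android::IBinder>& obj)
{
  android::sp<IServiceManager> intr;
  if (obj != NULL) {
    // queryLocalInterface() is expected to be non-NULL only when obj is an
    // in-process implementation — TODO confirm against IBinder/BBinder.
    intr = static_cast<IServiceManager *>(obj->queryLocalInterface(IServiceManager::descriptor).get());
    if (intr == NULL) {
      // Remote case: obj is the BpBinder(0) created earlier; wrap it in a proxy.
      intr = new BpServiceManager(obj);
    }
  }
  // A NULL obj yields a NULL interface.
  return intr;
}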
 
//Constructor and destructor generated by the macro; both are empty.
IServiceManager::IServiceManager() {}
IServiceManager::~ IServiceManager() {}
 
//如何BpBinder(這裡已經把BpBinder轉換成了BpServiceManager)指標轉換成一個IServiceManager?
interface_cast是如何把BpBinder指標轉換成一個IServiceManager指標的呢?
答案就在asInterface函式的一行程式碼中,如下所示:intr = new BpServiceManager(obj);
 
<3>.frameworks/native/libs/binder/IServiceManager.cpp
class BpServiceManager : public BpInterface<IServiceManager>{
   public:
        // Proxy constructor: `impl` (the BpBinder) is forwarded to BpInterface
        // and ends up as BpRefBase::mRemote (see <5> below).
        BpServiceManager(const sp<IBinder>& impl):BpInterface<IServiceManager>(impl){}
}
 
<4>.frameworks/native/include/binder/IInterface.h
//BpInterface derives from BpRefBase; its constructor only forwards the binder.
template<typename INTERFACE>
inline BpInterface<INTERFACE>::BpInterface(const sp<IBinder>& remote) : BpRefBase(remote){
 
}
 
<5>.frameworks/native/libs/binder/Binder.cpp
    frameworks/native/include/binder/Binder.h
// BpRefBase data members (Binder.h): the raw binder pointer plus reference
// bookkeeping; all three are set in the constructor below.
std::atomic<int32_t>    mState;
IBinder* const          mRemote;
RefBase::weakref_type*  mRefs;
 
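//Initialiser list sets the members: mRemote = o.get(); mRefs = NULL; mState = 0.
//Here `o` is the obj passed to new BpServiceManager(obj), i.e. new BpBinder(0), an IBinder.
BpRefBase::BpRefBase(const sp<IBinder>& o): mRemote(o.get()), mRefs(NULL), mState(0){
   // Take a strong reference on the wrapped binder for this proxy's lifetime.
   // Nothing in the signature guarantees `o` is non-NULL, so guard the
   // dereference rather than trusting every caller.
   if (mRemote != NULL) {
      mRemote->incStrong(this);
   }
}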
 
 
10.分析addService()方法,解讀transact中Java和Kernel建立通訊流程.
frameworks/base/core/java/android/os/ServiceManager.java
<1>.mRemote.transact(ADD_SERVICE_TRANSACTION, data, reply, 0);
 
<2>.frameworks/native/libs/binder/IServiceManager.cpp
virtual status_t addService(const String16& name, const sp<IBinder>& service){
  // Proxy-side addService (BpServiceManager). The interface token goes into
  // the parcel first (the Bn side checks it — not shown); name/service are
  // serialised after it (elided). `data`/`reply` are declared outside this excerpt.
  data.writeInterfaceToken(IServiceManager::getInterfaceDescriptor());
  //remote() is in fact the BpBinder
  status_t err = remote()->transact(ADD_SERVICE_TRANSACTION, data, &reply);
}
 
11.frameworks/native/libs/binder/IServiceManager.cpp
<1>.//Note: remote() (BpRefBase::mRemote) is the BpBinder; BpInterface is the proxy class holding it (see <7> below).
class BpServiceManager : public BpInterface<IServiceManager>{
virtual status_t addService(){
  //remote() returns the BpBinder stored when BpServiceManager was constructed;
  //the call continues in BpBinder::transact() (section 12). data/reply elided.
  status_t err = remote()->transact(ADD_SERVICE_TRANSACTION, data, &reply);
 }
}
 
在frameworks/native/include/binder/IServiceManager.h中,IServiceManager類繼承於IInterface類
class IServiceManager : public IInterface{
  //The macro pair (expanded in section 9 <2>) generates asInterface(), which
  //is what converts the BpBinder into an IServiceManager object.
  DECLARE_META_INTERFACE(INTERFACE)
  IMPLEMENT_META_INTERFACE(INTERFACE, NAME)
}
 
/*******************************************************************************************/
分析remote()是從哪裡來的?
<6>.frameworks/native/include/binder/IInterface.h
//In IInterface.h BpInterface exposes remote() as its underlying IBinder.
template<typename INTERFACE>
inline IBinder* BpInterface<INTERFACE>::onAsBinder(){
  // The proxy's binder is simply the BpBinder held by BpRefBase.
  return remote();
}
 
注意:mRemote和remote()的型別其實是IBinder,其實就是BpInterface(即BpBinder)
<7>.在frameworks/native/include/binder/Binder.h中,remote()返回的是IBinder*型別的mRemote.
IBinder* const  mRemote;
//Shown here as a template. NOTE(review): in the BpRefBase definition quoted
//a few lines below, remote() is a plain inline member with no template
//header — the template header here looks like a transcription slip.
template<typename INTERFACE>
inline IBinder* remote(){ 
   return mRemote; 
}
 
//BpInterface derives from BpRefBase; the constructor forwards `remote` unchanged.
template<typename INTERFACE>
inline BpInterface<INTERFACE>::BpInterface(const sp<IBinder>& remote) : BpRefBase(remote){
 
}
 
//BpRefBase定義mRemote就是BpBinder
frameworks/native/include/binder/Binder.h
class BpRefBase : public virtual RefBase{
private:
     // Raw pointer to the BpBinder this proxy wraps; the strong reference on
     // it is taken in the constructor (section <5>).
     IBinder* const  mRemote;

protected:
  // Accessor used by generated proxy methods, e.g. remote()->transact(...).
  inline IBinder* remote(){ return mRemote; }
};
 
//BnInterface (the server-side counterpart of BpInterface) derives from BBinder.
template<typename INTERFACE>
class BnInterface : public INTERFACE, public BBinder{
protected:
      // Counterpart of BpInterface::onAsBinder(); presumably returns the local
      // BBinder (definition elided).
      virtual IBinder*  onAsBinder();  
}
注意:BpInterface和BnInterface它們是基於 IBinder*型別連線起來的。
/*******************************************************************************************/
 
 
12.frameworks/native/libs/binder/BpBinder.cpp
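status_t BpBinder::transact(){
  // Proxy side of a call: mHandle identifies the target in the driver; code,
  // data, reply and flags are the (elided) parameters of the real signature.
  // The original excerpt had an unbalanced ')' and no return.
  status_t status = IPCThreadState::self()->transact(mHandle, code, data, reply, flags);
  return status;
}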
 
13.frameworks/native/libs/binder/IPCThreadState.cpp
/*******************************************************************************************/
//Opens the "/dev/binder" device node to talk to the kernel.
//IPCThreadState constructor; initialiser list sets mProcess = ProcessState::self();
//NOTE(review): a constructor cannot `return new IPCThreadState`. This body
//(gHaveTLS check, allocate a fresh instance) looks like the per-thread
//accessor IPCThreadState::self() rather than the constructor — confirm
//against the source.
IPCThreadState::IPCThreadState(): mProcess(ProcessState::self()){
  if(gHaveTLS)
    return new IPCThreadState; 
};
 
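// Constructor proper: records the process-wide ProcessState and stores this
// thread's instance in thread-local storage under gTLS. (The original
// excerpt had an unbalanced ')' after the initialiser.)
IPCThreadState::IPCThreadState(): mProcess(ProcessState::self()){
   pthread_setspecific(gTLS, this);
}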
 
//ProcessState建構函式,初始化成員變數列表:mDriverFD = open_driver();
frameworks/native/libs/binder/ProcessState.cpp
// Constructor of the object reached through ProcessState::self(); the driver
// is opened in the initialiser list, so mDriverFD holds whatever
// open_driver() returned for the object's whole life.
ProcessState::ProcessState(): mDriverFD(open_driver()){
}
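//Opens /dev/binder and returns the descriptor (-1 on failure).
static int open_driver(){
  // O_CLOEXEC keeps the driver fd from leaking into child processes across
  // exec(). The original excerpt passed fd to ioctl() unconditionally; a
  // failed open() yields -1, so the ioctl()s are only issued on success.
  int fd = open("/dev/binder", O_RDWR | O_CLOEXEC);
  if (fd >= 0) {
    ioctl(fd, BINDER_VERSION, &vers);               // `vers` is declared in the full source
    ioctl(fd, BINDER_SET_MAX_THREADS, &maxThreads);  // `maxThreads` likewise
  }
  return fd;
}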
/*******************************************************************************************/
 
<1>.status_t IPCThreadState::transact(){
  // Presumably queues the transaction first (elided); what the excerpt keeps
  // is the blocking wait for the reply. Parameters and `err` are elided.
  err = waitForResponse(reply);
}
 
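<2>.status_t IPCThreadState::waitForResponse(Parcel *reply, status_t *acquireResult){
   // Only the driver round-trip is shown; the rest of the function (and its
   // closing brace, missing in the original excerpt) is elided.
   talkWithDriver();
}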
 
<3>.status_t IPCThreadState::talkWithDriver(bool doReceive){
  // User/kernel boundary: one BINDER_WRITE_READ ioctl carries the write and
  // read buffers described by `bwr` (declared outside this excerpt); the
  // kernel handles it in binder_ioctl() (section 14).
  ioctl(mProcess->mDriverFD, BINDER_WRITE_READ, &bwr);//talks to the kernel through ioctl().
}
 
 
14.kernel/msm-3.18/drivers/staging/android/binder.c
<1>.static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg){
  /* Kernel entry point for the ioctl() issued by talkWithDriver(); only the
   * BINDER_WRITE_READ arm of the command switch is shown. `arg` is a user
   * space address and is only accessed via copy_from/to_user (not shown). */
  case BINDER_WRITE_READ:
       ret = binder_ioctl_write_read(filp, cmd, arg, thread);
}
 
<2>.static int binder_ioctl_write_read(struct file *filp,struct binder_thread *thread){
    /* Write phase first, then read phase (the names suggest: commands from
     * the caller in, then work/replies for the caller out); the trace points
     * bracket each phase. Copying the binder_write_read struct in from and
     * back out to user space, and the checks around it, are elided here. */
    binder_thread_write();
    trace_binder_write_done();
    binder_thread_read();
    trace_binder_read_done();
}