发布时间 : 2024/7/7 11:11:44 星期日 文章Binder更新完毕开始阅读1b83fd85ec3a87c24028c48a

Binder

---Sinkin(jinzhcheng@tom.com)

一、 Binder相关 a) Binder Driver

主要看ioctl函数中对于INDER_WRITE_READ的处理：

switch (cmd) {

case BINDER_WRITE_READ: { struct binder_write_read bwr; if (size != sizeof(struct binder_write_read)) { ret = -EINVAL; goto err; } if (copy_from_user(&bwr, ubuf, sizeof(bwr))) { ret = -EFAULT; goto err; } if (bwr.write_size > 0) { ret = binder_thread_write(proc, thread, (void __user *)bwr.write_buffer, bwr.write_size, &bwr.write_consumed); if (ret < 0) { bwr.read_consumed = 0; if (copy_to_user(ubuf, &bwr, sizeof(bwr))) ret = -EFAULT; goto err; } } if (bwr.read_size > 0) { ret = binder_thread_read(proc, thread, (void __user *)bwr.read_buffer, bwr.read_size, &bwr.read_consumed, filp->f_flags & O_NONBLOCK); if (!list_empty(&proc->todo)) wake_up_interruptible(&proc->wait); if (ret < 0) { if (copy_to_user(ubuf, &bwr, sizeof(bwr))) ret = -EFAULT; goto err; } }

if (copy_to_user(ubuf, &bwr, sizeof(bwr))) { ret = -EFAULT; goto err; } break; }

先处理write，后处理read。

在处理write的binder_thread_write()中针对BC_TRANSACTION的处理：

case BC_TRANSACTION: case BC_REPLY: {

struct binder_transaction_data tr;

if (copy_from_user(&tr, ptr, sizeof(tr)))

return -EFAULT; ptr += sizeof(tr);

binder_transaction(proc, thread, &tr, cmd == BC_REPLY); break; }

binder_transaction will create a new binder node if the packet contains a

BINDER_TYPE_BINDER flattened object.所以在添加一个service的时候，会针对这个service，创建一个node。

binder_transaction在找到target_node, target_proc and target_thread后，就会唤醒睡眠在target_wait的process(见binder_thread_read())。

b) Servicemanager

The source is in frameworks/base/cmds/servicemanager/service_manager.c. 执行程序的路径：system/bin/servicemanager

Init会根据init.rc启动servicemanager，以管理各个service并和binder驱动进行交互。

执行流程：

打开“/dev/binder”文件，并通过mmap映射到内存空间(注意jffs2并不支持Mmap操作)

通过BINDER_SET_CONTEXT_MGR ioctl to let binder kernel driver know it acts as a manager. 进入binder_loop，通过BINDER_WRITE_READ ioctl读取别的进程发送的数据并调用binder_parse()分析处理. Binder_parse() 读取cmd，根据cmd进行不同处理： BR_TRANSACTION 调用处理函数即svcmgr_handler()，在svcmgr_handler里主要完成

service的Get/Check/Add操作. Servicemanager维护了一个service链表

svclist。需要注意的是，在添加service时，需要检查是否有相应权限。 Binder_parse()或者svcmgr_handler()根据情况会调用binder_*()发送reply 或者acquire…

二、 Get IServiceManager

在SystemServer::init2()引发的一系列创建添加Service的过程中，基本上都是采用ServiceManager.addService()接口来添加Service。

ServiceManager类提供的static IServiceManager类型成员sServiceManager由ServiceManagerNative.asInterface(BinderInternal.getContextObject())生成。 1、

BinderInternal.getContextObject()由Native函数android_os_BinderInternal_getContextObject()实现，调用ProcessState::self()->getContextObject(NULL)。

sp ProcessState::getContextObject(const sp& caller) {

if (supportsProcesses()) {

return getStrongProxyForHandle(0); } else {

return getContextObject(String16(\ } }

对于支持Binder driver的Target环境，会调用getStrongProxyForHandle()

sp ProcessState::getStrongProxyForHandle(int32_t handle) {

sp result;

AutoMutex _l(mLock);

handle_entry* e = lookupHandleLocked(handle);

if (e != NULL) {

// We need to create a new BpBinder if there isn't currently one, OR we // are unable to acquire a weak reference on this current one. See comment

// in getWeakProxyForHandle() for more info about this. IBinder* b = e->binder;

if (b == NULL || !e->refs->attemptIncWeak(this)) { b = new BpBinder(handle); e->binder = b;

if (b) e->refs = b->getWeakRefs(); result = b; } else {

// This little bit of nastyness is to allow us to add a primary

// reference to the remote proxy when this team doesn't have one // but another team is sending the handle to us. result.force_set(b);

e->refs->decWeak(this); } }

return result; }

第一次运行时，需要创建BpBinder对象，

BpBinder::BpBinder(int32_t handle) : mHandle(handle) , mAlive(1) , mObitsSent(0)

, mObituaries(NULL) {

LOGV(\

extendObjectLifetime(OBJECT_LIFETIME_WEAK);

// Will add a BC_INCREFS command in output buffer and will write to binder driver // later

IPCThreadState::self()->incWeakHandle(handle); }

2、ServiceManagerNative.asInterface()在模拟器上运行时， new ServiceManagerProxy(obj)对象并返回。

3、ServiceManagerProxy::addService() Parcel data = Parcel.obtain(); Parcel reply = Parcel.obtain();

data.writeInterfaceToken(IServiceManager.descriptor); data.writeString(name);

data.writeStrongBinder(service);

mRemote.transact(ADD_SERVICE_TRANSACTION, data, reply, 0); reply.recycle(); data.recycle();

（1）Parcel的writeStrongBinder的Native实现在Parcel.cpp： status_t Parcel::writeStrongBinder(const sp& val) {

return flatten_binder(ProcessState::self(), val, this);