相关文章链接:
1. Android Framework - 学习启动篇
2. Android Binder 驱动 - Media 服务的添加过程
3. Android Binder 驱动 - 启动 ServiceManager 进程
4. Android Binder 驱动 - 内核驱动层源码分析
5. Android Binder 驱动 - 从驱动层来分析服务的添加过程
6. Android Binder 驱动 - 从 Java 层来跟踪服务的查找过程
7. Android 四大组件 - 进程的 fork 创建过程
相关源码文件:
/frameworks/base/core/java/android/app/ContextImpl.java
/frameworks/base/core/java/android/app/ActivityManagerNative.java
/frameworks/base/core/jni/android_util_Binder.cpp
/frameworks/base/core/jni/android_os_Parcel.cpp
/frameworks/native/libs/binder/Parcel.cpp
/drivers/staging/android/binder.c
/frameworks/base/services/core/java/com/android/server/am/ActivityManagerService.java
/frameworks/base/core/java/android/app/ActivityThread.java
本文主要从 bindService 的跨进程通信与数据交互来入手分析,关于其具体的创建和绑定流程,大家可以看看之前的内容。aidl 一直都是一个晦涩难懂的内容,笔者在几年前也曾反复尝试去了解其原理,其过程至今想想仍然是心有余悸,因此建议大家如果是刚入手 Android ,只需要了解开发套路就可以了。但还是倡导大家,等有了一定技术沉淀之后,要尝试着去理解其内部实现原理。我们先来看一个简单的示例代码
// 客户端
public class MainActivity extends AppCompatActivity {
// 客户端一定要获取aidl的实例
private UserAidl mUserAidl;
private ServiceConnection mServiceConn = new ServiceConnection() {
@Override
public void onServiceConnected(ComponentName name, IBinder service) {
// 链接好了 service就是服务端给我们的 IBinder
mUserAidl = UserAidl.Stub.asInterface(service);
}
@Override
public void onServiceDisconnected(ComponentName name) {
// 断开链接
}
};
@Override
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
Intent intent = new Intent(this,MessageService.class);
bindService(intent, mServiceConn, Context.BIND_AUTO_CREATE);
}
public void testClick(View view) {
try {
Log.e("TAG","userName = "+mUserAidl.getUserName());
} catch (RemoteException e) {
e.printStackTrace();
}
}
}
// 服务端
public class MessageService extends Service {
@Override
public IBinder onBind(Intent intent) {
// 绑定
return mBinder;
}
private final UserAidl.Stub mBinder = new UserAidl.Stub()
{
@Override
public String getUserName() throws RemoteException {
return "[email protected]";
}
@Override
public String getUserPassword() throws RemoteException {
return "19940223";
}
};
}
服务端返回的是 Aidl.Stub 服务对象,这个对象是我们自定义 aidl 后,编译器帮我们自动生成的一个对象,该对象继承自 Binder.java 对象,子类在构建对象时默认会执行父类的构造函数,也就是说会执行 Binder.java 的构造函数:
public Binder() {
// 调用初始化方法
init();
}
// 调用 native 方法
private native final void init();
static void android_os_Binder_init(JNIEnv* env, jobject obj)
{
JavaBBinderHolder* jbh = new JavaBBinderHolder();
...
env->SetLongField(obj, gBinderOffsets.mObject, (jlong)jbh);
}
由上面的源码可以看出,Stub 对象在构建的时候,会对应绑定 native 层的一个 JavaBBinderHolder 对象,至于为什么要创建 native 层对象,是因为跨进程通信的核心是要基于 binder 驱动。
@Override
public boolean bindService(Intent service, ServiceConnection conn,
int flags) {
warnIfCallingFromSystemProcess();
return bindServiceCommon(service, conn, flags, Process.myUserHandle());
}
private boolean bindServiceCommon(Intent service, ServiceConnection conn, int flags,
UserHandle user) {
IServiceConnection sd;
...
if (mPackageInfo != null) {
sd = mPackageInfo.getServiceDispatcher(conn, getOuterContext(),
mMainThread.getHandler(), flags);
} else {
throw new RuntimeException("Not supported in system context");
}
validateServiceIntent(service);
try {
IBinder token = getActivityToken();
if (token == null && (flags&BIND_AUTO_CREATE) == 0 && mPackageInfo != null
&& mPackageInfo.getApplicationInfo().targetSdkVersion
< android.os.Build.VERSION_CODES.ICE_CREAM_SANDWICH) {
flags |= BIND_WAIVE_PRIORITY;
}
service.prepareToLeaveProcess();
// 像 AMS 发起 bind 请求
int res = ActivityManagerNative.getDefault().bindService(
mMainThread.getApplicationThread(), getActivityToken(), service,
service.resolveTypeIfNeeded(getContentResolver()),
sd, flags, getOpPackageName(), user.getIdentifier());
if (res < 0) {
throw new SecurityException(
"Not allowed to bind to service " + service);
}
return res != 0;
} catch (RemoteException e) {
throw new RuntimeException("Failure from system", e);
}
}
由于 ServiceConnection 是一个普通对象,并不能用来做跨进程传递,所以在 bindService 的源码底层,系统帮我包装了一个可以跨进程传递的 IServiceConnection 对象,该对象是一个 Stub 对象。
public int bindService(IApplicationThread caller, IBinder token,
Intent service, String resolvedType, IServiceConnection connection,
int flags, String callingPackage, int userId) throws RemoteException {
Parcel data = Parcel.obtain();
Parcel reply = Parcel.obtain();
data.writeInterfaceToken(IActivityManager.descriptor);
data.writeStrongBinder(caller != null ? caller.asBinder() : null);
data.writeStrongBinder(token);
service.writeToParcel(data, 0);
data.writeString(resolvedType);
// asBinder 返回的是 connection 自身
data.writeStrongBinder(connection.asBinder());
data.writeInt(flags);
data.writeString(callingPackage);
data.writeInt(userId);
mRemote.transact(BIND_SERVICE_TRANSACTION, data, reply, 0);
reply.readException();
int res = reply.readInt();
data.recycle();
reply.recycle();
return res;
}
static void android_os_Parcel_writeStrongBinder(JNIEnv* env, jclass clazz, jlong nativePtr, jobject object)
{
Parcel* parcel = reinterpret_cast(nativePtr);
if (parcel != NULL) {
const status_t err = parcel->writeStrongBinder(ibinderForJavaObject(env, object));
if (err != NO_ERROR) {
signalExceptionForError(env, clazz, err);
}
}
}
sp ibinderForJavaObject(JNIEnv* env, jobject obj)
{
if (obj == NULL) return NULL;
// 返回的其实是一个 JavaBBinder
if (env->IsInstanceOf(obj, gBinderOffsets.mClass)) {
JavaBBinderHolder* jbh = (JavaBBinderHolder*) env->GetLongField(obj, gBinderOffsets.mObject);
return jbh != NULL ? jbh->get(env, obj) : NULL;
}
...
return NULL;
}
// 这个之前的文章有讲就不再贴代码了
status_t Parcel::writeStrongBinder(const sp& val)
{
return flatten_binder(ProcessState::self(), val, this);
}
上面会调用 writeStrongBinder 方法将 IServiceConnection 对象写入到 Parcel 内存中,其实也就是将 native 层的 JavaBBinder 对象写入到 native 层的 Parcel 中,关于 flatten_binder 方法的实现原理大家可以参考之前的文章。
我们向 ServiceManager 查询到的 AMS 对象,其实是一个 BindProxy.java 对象,对应 native 层的 BpBinder 对象,也就是说 mRemote.transact 最后会调用 BpBinder.cpp 的 transact 方法。
static void binder_transaction(struct binder_proc *proc,
struct binder_thread *thread,
struct binder_transaction_data *tr, int reply)
{
if (reply) {
...
} else {
if (tr->target.handle) {
struct binder_ref *ref;
// 找到 AMS 目标进程的 binder_node 和 binder_proc
ref = binder_get_ref(proc, tr->target.handle);
target_node = ref->node;
} else {
...
}
...
}
...
off_end = (void *)offp + tr->offsets_size;
for (; offp < off_end; offp++) {
struct flat_binder_object *fp;
...
fp = (struct flat_binder_object *)(t->buffer->data + *offp);
switch (fp->type) {
case BINDER_TYPE_BINDER:
case BINDER_TYPE_WEAK_BINDER: {
struct binder_ref *ref;
// 先通过 fp->binder 从自己进程找 binder_node
struct binder_node *node = binder_get_node(proc, fp->binder);
// 刚开始第一次是找不到的
if (node == NULL) {
// 把他添加到当前进程
node = binder_new_node(proc, fp->binder, fp->cookie);
...
}
// 添加到目标进程
ref = binder_get_ref_for_node(target_proc, node);
if (ref == NULL) {
return_error = BR_FAILED_REPLY;
goto err_binder_get_ref_for_node_failed;
}
// 替换 type 和 handle 值
if (fp->type == BINDER_TYPE_BINDER)
fp->type = BINDER_TYPE_HANDLE;
else
fp->type = BINDER_TYPE_WEAK_HANDLE;
fp->handle = ref->desc;
} break;
...
}
}
t->work.type = BINDER_WORK_TRANSACTION;
list_add_tail(&t->work.entry, target_list);
tcomplete->type = BINDER_WORK_TRANSACTION_COMPLETE;
list_add_tail(&tcomplete->entry, &thread->todo);
// 唤醒目标进程的等待队列
if (target_wait)
wake_up_interruptible(target_wait);
return;
}
AMS 接收到 bindService 请求后会去读取 IServiceConnection 对象,注意这里读取到的 IServiceConnection 其实已经是本地的一个 BpBinder 了,只不过我们可以通过 BpBinder 对象回调到客户端的 onServiceConnected 绑定方法。
case BIND_SERVICE_TRANSACTION: {
data.enforceInterface(IActivityManager.descriptor);
IBinder b = data.readStrongBinder();
IApplicationThread app = ApplicationThreadNative.asInterface(b);
IBinder token = data.readStrongBinder();
Intent service = Intent.CREATOR.createFromParcel(data);
String resolvedType = data.readString();
b = data.readStrongBinder();
int fl = data.readInt();
String callingPackage = data.readString();
int userId = data.readInt();
IServiceConnection conn = IServiceConnection.Stub.asInterface(b);
int res = bindService(app, token, service, resolvedType, conn, fl, callingPackage, userId);
reply.writeNoException();
reply.writeInt(res);
return true;
}
static jobject android_os_Parcel_readStrongBinder(JNIEnv* env, jclass clazz, jlong nativePtr)
{
Parcel* parcel = reinterpret_cast(nativePtr);
if (parcel != NULL) {
return javaObjectForIBinder(env, parcel->readStrongBinder());
}
return NULL;
}
sp Parcel::readStrongBinder() const
{
sp val;
unflatten_binder(ProcessState::self(), *this, &val);
return val;
}
status_t unflatten_binder(const sp& proc,
const Parcel& in, sp* out)
{
const flat_binder_object* flat = in.readObject(false);
if (flat) {
switch (flat->type) {
case BINDER_TYPE_BINDER:
*out = reinterpret_cast(flat->cookie);
return finish_unflatten_binder(NULL, *flat, in);
case BINDER_TYPE_HANDLE:
*out = proc->getStrongProxyForHandle(flat->handle);
return finish_unflatten_binder(
static_cast(out->get()), *flat, in);
}
}
return BAD_TYPE;
}
服务端处理客户端的请求,肯定会有一个等待执行处理的过程,但整个交互逻辑流程分析下来,并没有发现服务端有等待的过程。那服务端到底是怎样进入等待的呢?这个得追溯到 Zygote 创建进程的流程去。
public static final void zygoteInit(int targetSdkVersion, String[] argv, ClassLoader classLoader)
throws ZygoteInit.MethodAndArgsCaller {
if (DEBUG) Slog.d(TAG, "RuntimeInit: Starting application from zygote");
Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, "RuntimeInit");
redirectLogStreams();
commonInit();
nativeZygoteInit();
applicationInit(targetSdkVersion, argv, classLoader);
}
private static final native void nativeZygoteInit();
static void com_android_internal_os_RuntimeInit_nativeZygoteInit(JNIEnv* env, jobject clazz)
{
gCurRuntime->onZygoteInit();
}
virtual void onZygoteInit()
{
// 初始化 binder 驱动
sp proc = ProcessState::self();
ALOGV("App process: starting thread pool.\n");
// 启动一个线程进入循环处理客户端 binder 请求
proc->startThreadPool();
}
void ProcessState::spawnPooledThread(bool isMain)
{
if (mThreadPoolStarted) {
String8 name = makeBinderThreadName();
ALOGV("Spawning new pooled thread, name=%s\n", name.string());
sp t = new PoolThread(isMain);
t->run(name.string());
}
}
class PoolThread : public Thread
{
public:
PoolThread(bool isMain)
: mIsMain(isMain)
{
}
protected:
virtual bool threadLoop()
{
IPCThreadState::self()->joinThreadPool(mIsMain);
return false;
}
const bool mIsMain;
};
void IPCThreadState::joinThreadPool(bool isMain)
{
...
status_t result;
do {
...
// 进入 binder 驱动的 wait 队列上进行等待
result = getAndExecuteCommand();
...
} while (result != -ECONNREFUSED && result != -EBADF);
...
}
视频地址:https://pan.baidu.com/s/1qd2UafSGELpKwBsT30IuHw
视频密码:0tgv