startPreview()调用细节分析三
前面章节我们介绍了startPreview()函数中ICamera对象mCamera的出处,这一章我们介绍前面提到的IBinder指针的由来.
BnMediaRecorder的onTransact()函数是在哪被调用的呢?先看BpMediaRecorder的相关代码:
class BpMediaRecorder: public BpInterface
{
public:
BpMediaRecorder(const sp& impl)
: BpInterface(impl)
{
}
status_t setCamera(const sp& camera, const sp& proxy)
{
ALOGV("setCamera(%p,%p)", camera.get(), proxy.get());
Parcel data, reply;
data.writeInterfaceToken(IMediaRecorder::getInterfaceDescriptor());
data.writeStrongBinder(camera->asBinder());
data.writeStrongBinder(proxy->asBinder());
remote()->transact(SET_CAMERA, data, &reply);
return reply.readInt32();
}
省略...
};
注意上面setCamera()函数中remote()->transact(),remote()实际上返回一个BnMediaRecorder对象(为什么是BnMediaRecorder,我们在后续章节分析),它同时也是一个BBinder对象,很显然remote()->transact()函数最终调用的就是BnMediaRecorder的onTransact()函数.
setCamera()函数中又传入了一个ICamera对象,并且通过transact()函数传入了camera->asBinder(),它正是我们要找的IBinder指针.
我们要找到IBinder指针的源头,就需要找到这个ICamera对象在哪实例化的,我们继续逆向跟踪:
status_t MediaRecorder::setCamera(const sp& camera, const sp& proxy)
{
ALOGV("setCamera(%p,%p)", camera.get(), proxy.get());
if (mMediaRecorder == NULL) {
ALOGE("media recorder is not initialized yet");
return INVALID_OPERATION;
}
if (!(mCurrentState & MEDIA_RECORDER_IDLE)) {
ALOGE("setCamera called in an invalid state(%d)", mCurrentState);
return INVALID_OPERATION;
}
status_t ret = mMediaRecorder->setCamera(camera, proxy);
if (OK != ret) {
ALOGV("setCamera failed: %d", ret);
mCurrentState = MEDIA_RECORDER_ERROR;
return ret;
}
return ret;
}
注:函数setCamera()中mMediaRecorder是一个BpMediaRecorder对象.
static void android_media_MediaRecorder_setCamera(JNIEnv* env, jobject thiz, jobject camera)
{
// we should not pass a null camera to get_native_camera() call.
if (camera == NULL) {
jniThrowNullPointerException(env, "camera object is a NULL pointer");
return;
}
sp c = get_native_camera(env, camera, NULL);
if (c == NULL) {
// get_native_camera will throw an exception in this case
return;
}
sp mr = getMediaRecorder(env, thiz);
process_media_recorder_call(env, mr->setCamera(c->remote(), c->getRecordingProxy()),
"java/lang/RuntimeException", "setCamera failed.");
}
c->remote()返回值是Camera类中的成员变量mCamera,它是一个ICamera对象,通过调用Camera:connect()函数获得,这个ICamera对象
实际上从另一进程MediaServer传过来的,IBinder指针也是在这个进程中实例化,并通过ipc一起传过来,详细的过程在后续章节中分析.
BnMediaRecorder的onTransact()函数是在哪被调用的呢?先看BpMediaRecorder的相关代码:
class BpMediaRecorder: public BpInterface
{
public:
BpMediaRecorder(const sp
: BpInterface
{
}
status_t setCamera(const sp
{
ALOGV("setCamera(%p,%p)", camera.get(), proxy.get());
Parcel data, reply;
data.writeInterfaceToken(IMediaRecorder::getInterfaceDescriptor());
data.writeStrongBinder(camera->asBinder());
data.writeStrongBinder(proxy->asBinder());
remote()->transact(SET_CAMERA, data, &reply);
return reply.readInt32();
}
省略...
};
注意上面setCamera()函数中remote()->transact(),remote()实际上返回一个BnMediaRecorder对象(为什么是BnMediaRecorder,我们在后续章节分析),它同时也是一个BBinder对象,很显然remote()->transact()函数最终调用的就是BnMediaRecorder的onTransact()函数.
setCamera()函数中又传入了一个ICamera对象,并且通过transact()函数传入了camera->asBinder(),它正是我们要找的IBinder指针.
我们要找到IBinder指针的源头,就需要找到这个ICamera对象在哪实例化的,我们继续逆向跟踪:
status_t MediaRecorder::setCamera(const sp
{
ALOGV("setCamera(%p,%p)", camera.get(), proxy.get());
if (mMediaRecorder == NULL) {
ALOGE("media recorder is not initialized yet");
return INVALID_OPERATION;
}
if (!(mCurrentState & MEDIA_RECORDER_IDLE)) {
ALOGE("setCamera called in an invalid state(%d)", mCurrentState);
return INVALID_OPERATION;
}
status_t ret = mMediaRecorder->setCamera(camera, proxy);
if (OK != ret) {
ALOGV("setCamera failed: %d", ret);
mCurrentState = MEDIA_RECORDER_ERROR;
return ret;
}
return ret;
}
注:函数setCamera()中mMediaRecorder是一个BpMediaRecorder对象.
static void android_media_MediaRecorder_setCamera(JNIEnv* env, jobject thiz, jobject camera)
{
// we should not pass a null camera to get_native_camera() call.
if (camera == NULL) {
jniThrowNullPointerException(env, "camera object is a NULL pointer");
return;
}
sp
if (c == NULL) {
// get_native_camera will throw an exception in this case
return;
}
sp
process_media_recorder_call(env, mr->setCamera(c->remote(), c->getRecordingProxy()),
"java/lang/RuntimeException", "setCamera failed.");
}
c->remote()返回值是Camera类中的成员变量mCamera,它是一个ICamera对象,通过调用Camera:connect()函数获得,这个ICamera对象
实际上从另一进程MediaServer传过来的,IBinder指针也是在这个进程中实例化,并通过ipc一起传过来,详细的过程在后续章节中分析.