Android Binder机制学习总结(三)-ServiceManager部分
接上篇的内容,分析下ServiceManager的实现。
从结果来看,getContextObject返回了一个mHandle=0的BpBinder实例
实际上,BpBinder未重载queryLocalInterface的实现,所以,实际执行的是其父类IBinder提供的实现:
13. find_svc
让我们回到3. do_add_service,如果service未注册过,则创建新的svcinfo对象:
ServiceManager的实现位于:
4.2:/frameworks/base/cmds/servicemanager/
4.3:frameworks/native/cmds/servicemanager/
ServiceManager的启动
ServiceManager的的启动由init进程根据init.rc文件的配置执行,从时间顺序上来说,ServiceManager的启动优先于Zygote进程
service servicemanager /system/bin/servicemanager
class core //core类服务
user system //用户名
group system //用户组
critical //重要service, 如果4分钟内crush4次以上,则重启系统并进入recovery
onrestart restart zygote //servicemanager重启以后,自动重启zygote
onrestart restart media //同上
onrestart restart surfaceflinger //同上
onrestart restart drm //同上int main(int argc, char **argv)
{
struct binder_state *bs;
void *svcmgr = BINDER_SERVICE_MANAGER;
bs = binder_open(128*1024);
if (binder_become_context_manager(bs)) {
ALOGE("cannot become context manager (%s)\n", strerror(errno));
return -1;
}
svcmgr_handle = svcmgr;
binder_loop(bs, svcmgr_handler);//svcmgr_handle为具体的请求处理逻辑
return 0;
}- 打开dev/binder,并创建binder缓冲区
- 注册当前进程为上下文管理者(ServiceManager)
- 进入处理循环,等待Service/Client的请求
步骤一
步骤一,由binder_open函数实现(frameworks/base/cmds/servicemanager/binder.c):
struct binder_state *binder_open(unsigned mapsize)
{
struct binder_state *bs;
bs = malloc(sizeof(*bs));
if (!bs) {
errno = ENOMEM;
return 0;
}
bs->fd = open("/dev/binder", O_RDWR);//上一节讲过,这里会转入内核态,执行binder_open,创建binder_proc
if (bs->fd < 0) {
fprintf(stderr,"binder: cannot open device (%s)\n",
strerror(errno));
goto fail_open;
}
bs->mapsize = mapsize;//mapsize = 128KB
bs->mapped = mmap(NULL, mapsize, PROT_READ, MAP_PRIVATE, bs->fd, 0);//上一节讲过,这里会转入内核态,执行binder_mmap
//在内核态创建相同size的缓冲区,并分配第一个物理页面,计算内核缓冲区地址和用户缓冲区地址的偏移量
if (bs->mapped == MAP_FAILED) {
fprintf(stderr,"binder: cannot map device (%s)\n",
strerror(errno));
goto fail_map;
}
/* TODO: check version */
return bs;
fail_map:
close(bs->fd);
fail_open:
free(bs);
return 0;
}struct binder_state
{
int fd;
void *mapped;
unsigned mapsize;
};步骤二
步骤二,由binder_become_context_manager函数实现:
int binder_become_context_manager(struct binder_state *bs)
{
return ioctl(bs->fd, BINDER_SET_CONTEXT_MGR, 0);
} case BINDER_SET_CONTEXT_MGR:
if (binder_context_mgr_node != NULL) {
printk(KERN_ERR "binder: BINDER_SET_CONTEXT_MGR already set\n");
ret = -EBUSY;
goto err;
}
ret = security_binder_set_context_mgr(proc->tsk);
if (ret < 0)
goto err;
if (binder_context_mgr_uid != -1) {
if (binder_context_mgr_uid != current->cred->euid) {
printk(KERN_ERR "binder: BINDER_SET_"
"CONTEXT_MGR bad uid %d != %d\n",
current->cred->euid,
binder_context_mgr_uid);
ret = -EPERM;
goto err;
}
} else
binder_context_mgr_uid = current->cred->euid;
binder_context_mgr_node = binder_new_node(proc, NULL, NULL);//binder_context_mgr_node->proc = servicemanager
if (binder_context_mgr_node == NULL) {
ret = -ENOMEM;
goto err;
}
binder_context_mgr_node->local_weak_refs++;
binder_context_mgr_node->local_strong_refs++;
binder_context_mgr_node->has_strong_ref = 1;
binder_context_mgr_node->has_weak_ref = 1;
break;步骤三
处理循环的实现在binder_loop函数中:
void binder_loop(struct binder_state *bs, binder_handler func)
{
int res;
struct binder_write_read bwr;
unsigned readbuf[32];
bwr.write_size = 0;
bwr.write_consumed = 0;
bwr.write_buffer = 0;
readbuf[0] = BC_ENTER_LOOPER;
binder_write(bs, readbuf, sizeof(unsigned));//binder driver会通过binder_thread_write函数处理BC_ENTER_LOOPER指令
for (;;) {
bwr.read_size = sizeof(readbuf);
bwr.read_consumed = 0;
bwr.read_buffer = (unsigned) readbuf;
res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr);//读取client/service的请求
if (res < 0) {
ALOGE("binder_loop: ioctl failed (%s)\n", strerror(errno));
break;
}
res = binder_parse(bs, 0, readbuf, bwr.read_consumed, func);//处理请求
if (res == 0) {
ALOGE("binder_loop: unexpected reply?!\n");
break;
}
if (res < 0) {
ALOGE("binder_loop: io error %d %s\n", res, strerror(errno));
break;
}
}
}ServiceManager客户端代理
ServiceManager运行在自己的进程中,为了向Client/Service进程提供服务,ServiceManager为自己准备了客户端代理,方便Client/Service调用。
IServiceManager和BpServiceManager
IServiceManager是ServiceManager在native层的接口(framework/native/include/binder/IServiceManager.h):
class IServiceManager : public IInterface
{
public:
DECLARE_META_INTERFACE(ServiceManager);
/**
* Retrieve an existing service, blocking for a few seconds
* if it doesn't yet exist.
*/
virtual sp getService( const String16& name) const = 0;
/**
* Retrieve an existing service, non-blocking.
*/
virtual sp checkService( const String16& name) const = 0;
/**
* Register a service.
*/
virtual status_t addService( const String16& name,
const sp& service,
bool allowIsolated = false) = 0;
/**
* Return list of all existing services.
*/
virtual Vector listServices() = 0;
enum {
GET_SERVICE_TRANSACTION = IBinder::FIRST_CALL_TRANSACTION,
CHECK_SERVICE_TRANSACTION,
ADD_SERVICE_TRANSACTION,
LIST_SERVICES_TRANSACTION,
};
}; - getService,同checkService
- checkService,供Client获取Service的binder
- addService, 供Service注册binder
- listService,用于枚举所有已经注册的binder
而BpServiceManager是IServiceManager的一个子类,提供了IServiceManager的实现(frameworks/native/libs/binder/IServiceManager.cpp):
class BpServiceManager : public BpInterface
{
public:
BpServiceManager(const sp& impl)
: BpInterface(impl)
{
}
virtual sp getService(const String16& name) const
{
...... //实现啥的,我们后面再看
}
virtual sp checkService( const String16& name) const
{
......
}
virtual status_t addService(const String16& name, const sp& service,
bool allowIsolated)
{
......
}
virtual Vector listServices()
{
......
}
};
前缀Bp可以理解为Binder Proxy,即BpServiceManager实际上是ServiceManager在客户进程中的一个代理,所以BpServiceManager并不负责实现真正的功能,而是通过Binder通信发送请求到前面启动的ServiceManager进程。上一节中我们讲到过,Binder通信的前提是客户端进程需要有BpBinder,那么BpBinder从何而来呢?
defaultServiceManager
作为一个特殊的“Service”,Android系统为ServiceManager准备了“快捷方式”,这个快捷方式就是defaultServiceManager(frameworks/native/libs/binder/IServiceManager.cpp):
sp defaultServiceManager()
{
if (gDefaultServiceManager != NULL) return gDefaultServiceManager;//单例模式
{
AutoMutex _l(gDefaultServiceManagerLock);
if (gDefaultServiceManager == NULL) {
gDefaultServiceManager = interface_cast(
ProcessState::self()->getContextObject(NULL));
}
}
return gDefaultServiceManager;
} - ProcessState::self()
- ProcessState->getContextObject(NULL)
- interface_cast
()
1.1 ProcessState::self()看起:
sp ProcessState::self()
{
Mutex::Autolock _l(gProcessMutex);//又是单例模式,因为是进程信息,所以,一个进程只能有一个实例
if (gProcess != NULL) {
return gProcess;
}
gProcess = new ProcessState;
return gProcess;
} ProcessState::ProcessState()
: mDriverFD(open_driver())
, mVMStart(MAP_FAILED)
, mManagesContexts(false)
, mBinderContextCheckFunc(NULL)
, mBinderContextUserData(NULL)
, mThreadPoolStarted(false)
, mThreadPoolSeq(1)
{
if (mDriverFD >= 0) {
// XXX Ideally, there should be a specific define for whether we
// have mmap (or whether we could possibly have the kernel module
// availabla).
#if !defined(HAVE_WIN32_IPC)
// mmap the binder, providing a chunk of virtual address space to receive transactions.
mVMStart = mmap(0, BINDER_VM_SIZE, PROT_READ, MAP_PRIVATE | MAP_NORESERVE, mDriverFD, 0);
if (mVMStart == MAP_FAILED) {
// *sigh*
ALOGE("Using /dev/binder failed: unable to mmap transaction memory.\n");
close(mDriverFD);
mDriverFD = -1;
}
#else
mDriverFD = -1;
#endif
}
LOG_ALWAYS_FATAL_IF(mDriverFD < 0, "Binder driver could not be opened. Terminating.");
}
1.3 open_driver()
static int open_driver()
{
int fd = open("/dev/binder", O_RDWR);
if (fd >= 0) {
fcntl(fd, F_SETFD, FD_CLOEXEC);
int vers;
status_t result = ioctl(fd, BINDER_VERSION, &vers);
if (result == -1) {
ALOGE("Binder ioctl to obtain version failed: %s", strerror(errno));
close(fd);
fd = -1;
}
if (result != 0 || vers != BINDER_CURRENT_PROTOCOL_VERSION) {
ALOGE("Binder driver protocol does not match user space protocol!");
close(fd);
fd = -1;
}
size_t maxThreads = 15;
result = ioctl(fd, BINDER_SET_MAX_THREADS, &maxThreads);
if (result == -1) {
ALOGE("Binder ioctl to set max threads failed: %s", strerror(errno));
}
} else {
ALOGW("Opening '/dev/binder' failed: %s\n", strerror(errno));
}
return fd;
} int fd = open("/dev/binder", O_RDWR);- mDriverFD = open(“dev/binde")
- mmap(mDriveFD)
2.1 getContextObject
sp ProcessState::getContextObject(const sp& caller)
{
return getStrongProxyForHandle(0);
} sp ProcessState::getStrongProxyForHandle(int32_t handle)//handle = 0
{
sp result;
AutoMutex _l(mLock);
handle_entry* e = lookupHandleLocked(handle);
if (e != NULL) {
// We need to create a new BpBinder if there isn't currently one, OR we
// are unable to acquire a weak reference on this current one. See comment
// in getWeakProxyForHandle() for more info about this.
IBinder* b = e->binder;
if (b == NULL || !e->refs->attemptIncWeak(this)) {
b = new BpBinder(handle);
e->binder = b;
if (b) e->refs = b->getWeakRefs();
result = b;
} else {
// This little bit of nastyness is to allow us to add a primary
// reference to the remote proxy when this team doesn't have one
// but another team is sending the handle to us.
result.force_set(b);
e->refs->decWeak(this);
}
}
return result;
} ProcessState::handle_entry* ProcessState::lookupHandleLocked(int32_t handle) //handle = 0
{
const size_t N=mHandleToObject.size();
if (N <= (size_t)handle) {
handle_entry e;
e.binder = NULL;
e.refs = NULL;
status_t err = mHandleToObject.insertAt(e, N, handle+1-N);
if (err < NO_ERROR) return NULL;
}
return &mHandleToObject.editItemAt(handle);
}VectormHandleToObject; struct handle_entry {
IBinder* binder;
RefBase::weakref_type* refs;
};
再回到2.2:
IBinder* b = e->binder;//所以,这里b可能为空
if (b == NULL || !e->refs->attemptIncWeak(this)) {//b也有可能已经被释放
//构造新的BpBinder
b = new BpBinder(handle); //注意:handle=0
e->binder = b; //给e赋值
if (b) e->refs = b->getWeakRefs();
result = b;
} else {
// This little bit of nastyness is to allow us to add a primary
// reference to the remote proxy when this team doesn't have one
// but another team is sending the handle to us.
result.force_set(b);
e->refs->decWeak(this);
}
2.4 BpBinder构造函数
BpBinder::BpBinder(int32_t handle)
: mHandle(handle)
, mAlive(1)
, mObitsSent(0)
, mObituaries(NULL)
{
ALOGV("Creating BpBinder %p handle %d\n", this, mHandle);
extendObjectLifetime(OBJECT_LIFETIME_WEAK);
IPCThreadState::self()->incWeakHandle(handle);
}
现在,再来看看interface_cast函数,从前面的分析,我们可以这样来理解输入参数:
interface_cast(new BpBinder(0)) template
inline sp interface_cast(const sp& obj)
{
return INTERFACE::asInterface(obj);
}
3.2 IServiceManager::asInterface()的实现要从IMPLEMENT_META_INTERFACE说起:
IMPLEMENT_META_INTERFACE(ServiceManager, "android.os.IServiceManager");#define IMPLEMENT_META_INTERFACE(INTERFACE, NAME) \
const android::String16 I##INTERFACE::descriptor(NAME); \
const android::String16& \
I##INTERFACE::getInterfaceDescriptor() const { \
return I##INTERFACE::descriptor; \
} \
android::sp I##INTERFACE::asInterface( \
const android::sp& obj) \
{ \
android::sp intr; \
if (obj != NULL) { \
intr = static_cast( \
obj->queryLocalInterface( \
I##INTERFACE::descriptor).get()); \
if (intr == NULL) { \
intr = new Bp##INTERFACE(obj); \
} \
} \
return intr; \
} \
I##INTERFACE::I##INTERFACE() { } \
I##INTERFACE::~I##INTERFACE() { } \ const android::String16 IServiceManager::descriptor("android.os.IServiceManager");
const android::String16&
IServiceManager::getInterfaceDescriptor() const {
return IServiceManager::descriptor;
}
android::sp IServiceManager::asInterface(
const android::sp& obj) // obj = new BpBinder(0);
{
android::sp intr;
if (obj != NULL) {
intr = static_cast(
obj->queryLocalInterface(
IServiceManager::descriptor).get());
if (intr == NULL) {
intr = new BpServiceManager(obj);
}
}
return intr;
}
IServiceManager::IServiceManager() { }
IServiceManager::~IServiceManager() { } 实际上,BpBinder未重载queryLocalInterface的实现,所以,实际执行的是其父类IBinder提供的实现:
sp IBinder::queryLocalInterface(const String16& descriptor)
{
return NULL;
}
所以,回到3.2,我们可以知道
obj->queryLocalInterface(IServiceManager::descriptor).get() intr = new BpServiceManager(obj);
小结一下,Client和Service是如何获取ServiceManager的代理的过程:
- open "dev/binder",并执行mmap
- new BpBinder(0)
- new BpServiceManager(bpBinder)
ServiceManager的工作流程
ServiceManager其实是个很“单纯”的家伙,从IServiceManager接口我们可以知道,它只提供了getSerivce、checkService、addService、listServices四个函数。
getService
首先从BpServiceManager开始:
virtual sp getService(const String16& name) const
{
unsigned n;
for (n = 0; n < 5; n++){//只要5次checkService有一次成功,getService就成功
sp svc = checkService(name);
if (svc != NULL) return svc;
ALOGI("Waiting for service %s...\n", String8(name).string());
sleep(1);
}
return NULL;
} checkService
checkService用于返回执行service name的BpHandler,如果指定的service尚未注册,则返回NULL。
1. BpServiceManager.checkService的实现:
virtual sp checkService( const String16& name) const
{
Parcel data, reply;//因为篇幅的关系,Parcel类不做分析,简单来说,一个数据容器而已
data.writeInterfaceToken(IServiceManager::getInterfaceDescriptor());
data.writeString16(name);//name为请求的service name,以MediaPlayer为例,name="media.player"
remote()->transact(CHECK_SERVICE_TRANSACTION, data, &reply);
return reply.readStrongBinder();
} inline IBinder* remote() { return mRemote; }
2. BpBinder->transact
status_t BpBinder::transact(
uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags)
{
// Once a binder has died, it will never come back to life.
if (mAlive) {
status_t status = IPCThreadState::self()->transact(
mHandle, code, data, reply, flags);//mHandle = 0; code = CHECK_SERVICE_TRANSACTION
if (status == DEAD_OBJECT) mAlive = 0;
return status;
}
return DEAD_OBJECT;
}
3. IPCThreadState::self()
IPCThreadState* IPCThreadState::self()
{
if (gHaveTLS) {
restart:
const pthread_key_t k = gTLS;
IPCThreadState* st = (IPCThreadState*)pthread_getspecific(k);
if (st) return st;
return new IPCThreadState;
}
if (gShutdown) return NULL;
pthread_mutex_lock(&gTLSMutex);
if (!gHaveTLS) {
if (pthread_key_create(&gTLS, threadDestructor) != 0) {
pthread_mutex_unlock(&gTLSMutex);
return NULL;
}
gHaveTLS = true;
}
pthread_mutex_unlock(&gTLSMutex);
goto restart;
}pthread_getspecific(k);//k = gTLS
4. IPCThreadState的构造函数
IPCThreadState::IPCThreadState()
: mProcess(ProcessState::self()),//注意,mProcess的赋值
mMyThreadId(androidGetTid()),
mStrictModePolicy(0),
mLastTransactionBinderFlags(0)
{
pthread_setspecific(gTLS, this);//把自己保存到LTS中
clearCaller();
mIn.setDataCapacity(256);
mOut.setDataCapacity(256);
} status_t status = IPCThreadState->transact(mHandle, code, data, reply, flags);//mHandle = 0; code = CHECK_SERVICE_TRANSACTION
5. IPCThreadState->transact
status_t IPCThreadState::transact(int32_t handle,
uint32_t code, const Parcel& data,
Parcel* reply, uint32_t flags)
{
status_t err = data.errorCheck();
flags |= TF_ACCEPT_FDS;//支持回复文件binder
......
if (err == NO_ERROR) {
......
err = writeTransactionData(BC_TRANSACTION, flags, handle, code, data, NULL);
}
......
if ((flags & TF_ONE_WAY) == 0) {
......
if (reply) {
err = waitForResponse(reply);
} else {
Parcel fakeReply;
err = waitForResponse(&fakeReply);
}
......
}
} else {
err = waitForResponse(NULL, NULL);//第二个NULL,表示无需read
//上一节中也讲到,binder driver被设计为不允许异步Binder回复请求
}
return err;
}
6. IPCThreadState->writeTransactionData
status_t IPCThreadState::writeTransactionData(int32_t cmd, uint32_t binderFlags,
int32_t handle, uint32_t code, const Parcel& data, status_t* statusBuffer)
{
binder_transaction_data tr;//构造了binder_transaction_data接口体,准备和binder driver通信了
tr.target.handle = handle;//handle = 0
tr.code = code; //code = CHECK_SERVICE_TRANSACTION
tr.flags = binderFlags;
tr.cookie = 0;
tr.sender_pid = 0;//不必在意sender_pid和sender_euid,稍后binder driver会给他们正确的赋值
tr.sender_euid = 0;
const status_t err = data.errorCheck();
if (err == NO_ERROR) { //err = NO_ERROR
tr.data_size = data.ipcDataSize(); //数据的长度
tr.data.ptr.buffer = data.ipcData(); //数据的首地址
tr.offsets_size = data.ipcObjectsCount()*sizeof(size_t);//偏移量数组的长度,字节为单位
tr.data.ptr.offsets = data.ipcObjects();//编译量数组的首地址
} else if (statusBuffer) {
tr.flags |= TF_STATUS_CODE;
*statusBuffer = err;
tr.data_size = sizeof(status_t);
tr.data.ptr.buffer = statusBuffer;
tr.offsets_size = 0;
tr.data.ptr.offsets = NULL;
} else {
return (mLastError = err);
}
mOut.writeInt32(cmd);//cmd = BC_TRANSACTION
mOut.write(&tr, sizeof(tr));//mOut是IPCThreadState的成员,Parcel类型
return NO_ERROR;
}
好吧,不管如何,返回到5继续看,writeTransactionData函数,返回后,接着调用了waitForResponse函数。
7. IPCThreadState->waitForResponse
status_t IPCThreadState::waitForResponse(Parcel *reply, status_t *acquireResult)
{
int32_t cmd;
int32_t err;
while (1) {
if ((err=talkWithDriver()) < NO_ERROR) break;//这里面有大文章
......
if (mIn.dataAvail() == 0) continue;
cmd = mIn.readInt32();
......
switch (cmd) {
......
case BR_REPLY:
{
binder_transaction_data tr;
err = mIn.read(&tr, sizeof(tr));
ALOG_ASSERT(err == NO_ERROR, "Not enough command data for brREPLY");
if (err != NO_ERROR) goto finish;
if (reply) {
if ((tr.flags & TF_STATUS_CODE) == 0) {
reply->ipcSetDataReference(
reinterpret_cast(tr.data.ptr.buffer),
tr.data_size,
reinterpret_cast(tr.data.ptr.offsets),
tr.offsets_size/sizeof(size_t),
freeBuffer, this);
} else {
err = *static_cast(tr.data.ptr.buffer);
freeBuffer(NULL,
reinterpret_cast(tr.data.ptr.buffer),
tr.data_size,
reinterpret_cast(tr.data.ptr.offsets),
tr.offsets_size/sizeof(size_t), this);
}
} else {
freeBuffer(NULL,
reinterpret_cast(tr.data.ptr.buffer),
tr.data_size,
reinterpret_cast(tr.data.ptr.offsets),
tr.offsets_size/sizeof(size_t), this);
continue;
}
}
goto finish;
......
}
}
finish:
......
return err;
}
8. IPCThreadState->talkWithDriver
status_t IPCThreadState::talkWithDriver(bool doReceive)//default,doReceive=true
{
if (mProcess->mDriverFD <= 0) {
return -EBADF;
}
binder_write_read bwr;
// Is the read buffer empty?
const bool needRead = mIn.dataPosition() >= mIn.dataSize();//输入缓冲无数据,所以需要从binder driver读取数据
// We don't want to write anything if we are still reading
// from data left in the input buffer and the caller
// has requested to read the next data.
const size_t outAvail = (!doReceive || needRead) ? mOut.dataSize() : 0;
bwr.write_size = outAvail;
bwr.write_buffer = (long unsigned int)mOut.data();//记得么? writeTransactionData函数中,在mOut中保存了一个binder_transaction_data结构体
// This is what we'll read.
if (doReceive && needRead) {
bwr.read_size = mIn.dataCapacity();
bwr.read_buffer = (long unsigned int)mIn.data();
} else {
bwr.read_size = 0;
bwr.read_buffer = 0;
}
......
bwr.write_consumed = 0;
bwr.read_consumed = 0;
status_t err;
do {
......
if (ioctl(mProcess->mDriverFD, BINDER_WRITE_READ, &bwr) >= 0)//终于看到了ioctl
err = NO_ERROR;
else
err = -errno;
......
} while (err == -EINTR); //因为binder driver中是通过wait_event_interrupt函数进行等待,所以系统中断会导致binder_thread_read在读取到数据前返回
//所以,当err=-EINTR时,需要再次调用ioctl读取数据
......
if (err >= NO_ERROR) {//根据ioctl的执行结果,调整mIn和mOut的状态
if (bwr.write_consumed > 0) {
if (bwr.write_consumed < (ssize_t)mOut.dataSize())
mOut.remove(0, bwr.write_consumed);
else
mOut.setDataSize(0);
}
if (bwr.read_consumed > 0) {
mIn.setDataSize(bwr.read_consumed);
mIn.setDataPosition(0);
}
......
return NO_ERROR;
}
return err;
}if (ioctl(mProcess->mDriverFD, BINDER_WRITE_READ, &bwr) >= 0)bwr.write_size = mOut.data;//sizeof(writeTransactionData);
bwr.write_buffer = mOut.data(); //binder_transaction_data的地址
bwr.write_consumed = 0;
bwr.read_size = mIn.dataCapacity(); //265
bwr.read_buffer = mIn.data(); //empty buffer
bwr.read_consumed=0;
根据上一章的分析,进入内核态以后,binder driver会执行binder_ioctl函数,而在binder_ioctl函数执行的过程中,会先调用binder_thread_write函数发送数据到service manager,然后通过调用binder_thread_read等待service manager的回复。所以,我们暂时离开BpServiceManager,转到service manager,分析它如何接收并处理请求。
不过,再离开BpServiceManager前,让我们再猜测一下为什么IPCThreadState把ioctl的调用留到了waitForResponse,而非writeTransactionData函数?
试想,如果在writeTransactionData函数中,调用ioctl,会导致Client立即进入阻塞状态,目前的设计,可以让Client做自己想做的事,直到它真的需要Service对请求的处理结果时,在进入阻塞状态。这一点,和java类加载器用时加载的逻辑相似,有利于实行效率的提高。
好吧,我想有人可能会想到“更好”的解决方案,把ioctl函数的调用分为两次,在writeTransactionData中调用ioctl函数,并置bwr.read_size = 0,发送请求给Service,然后,返回处理自己想做的事情,最后,当需要处理结果时,在waitForResponse中调用ioctl,并设置bwr.write_size为0。这样,即可以让Serivce尽早的获取请求,尽早开始处理请求,而Client也不必过早的等待Service的处理结果?
如果不考虑ioctl函数的调用成本,上面的设计的确堪称“完美”。但是,不同与普通的函数调用,ioctl的调用会导致两次CPU状态切换(用户态到内核态,再从内核态切换回用户态),而每一次状态切换的成本高达数百个CPU周期,所以这个“完美“的设计,存在不小的性能”成本”,不能保证适用于所有场景。当Client对于Service的处理时间并不敏感,而且Client本身需要处理的事务较多的特定场合,这种设计是“有利可图”的。但是,上述的情境,用异步binder发送请求,再用同步Binder查询处理结果的设计也能达到相似的效果。
现在,看看ServiceManager端的处理:
9.binder_loop
void binder_loop(struct binder_state *bs, binder_handler func)
{
int res;
struct binder_write_read bwr;
unsigned readbuf[32];
bwr.write_size = 0;
bwr.write_consumed = 0;
bwr.write_buffer = 0;
readbuf[0] = BC_ENTER_LOOPER;
binder_write(bs, readbuf, sizeof(unsigned));
for (;;) {
bwr.read_size = sizeof(readbuf);
bwr.read_consumed = 0;
bwr.read_buffer = (unsigned) readbuf;
res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr);//读取到请求以后,ioctl返回
......
res = binder_parse(bs, 0, readbuf, bwr.read_consumed, func);//回忆一下Service manager的启动,我们知道func = svcmgr_handler
......
}
}binder_transaction_data tr;
tr.code = CHECK_SERVICE_TRANSACTION data.writeInterfaceToken(IServiceManager::getInterfaceDescriptor());
data.writeString16(name);//name为请求的service name,以MediaPlayer为例,name="media.player"
10. binder_parse
int binder_parse(struct binder_state *bs, struct binder_io *bio,
uint32_t *ptr, uint32_t size, binder_handler func)
{
int r = 1;
uint32_t *end = ptr + (size / 4);
while (ptr < end) {
uint32_t cmd = *ptr++;
......
switch(cmd) {//cmd = BR_TRANSACTION
......
case BR_TRANSACTION: {
struct binder_txn *txn = (void *) ptr;
......
if (func) {
unsigned rdata[256/4];
struct binder_io msg;
struct binder_io reply;
int res;
bio_init(&reply, rdata, sizeof(rdata), 4);//因为rdata是一个空缓冲,所以从rdata初始化的reply目前也是空的,稍后将用于保存请求处理结果
bio_init_from_txn(&msg, txn);//txn=bwr.read_buffer,即请求数据,用请求数据初始化msg结构体
res = func(bs, txn, &msg, &reply);//func = svcmgr_handler
binder_send_reply(bs, &reply, txn->data, res);//回复请求处理结果
}
ptr += sizeof(*txn) / sizeof(uint32_t);
break;
}
......
}
}
return r;
}int svcmgr_handler(struct binder_state *bs,
struct binder_txn *txn,
struct binder_io *msg,
struct binder_io *reply)
{
struct svcinfo *si;
uint16_t *s;
unsigned len;
void *ptr;
uint32_t strict_policy;
int allow_isolated;
if (txn->target != svcmgr_handle)
return -1;
// Equivalent to Parcel::enforceInterface(), reading the RPC
// header with the strict mode policy mask and the interface name.
// Note that we ignore the strict_policy and don't propagate it
// further (since we do no outbound RPCs anyway).
strict_policy = bio_get_uint32(msg);//一般strict_policy = 0
s = bio_get_string16(msg, &len);//s=“android.os.IServiceManager”
if ((len != (sizeof(svcmgr_id) / 2)) ||
memcmp(svcmgr_id, s, sizeof(svcmgr_id))) {
fprintf(stderr,"invalid id %s\n", str8(s));
return -1;
}
switch(txn->code) {//code=SVC_MGR_CHECK_SERVICE
case SVC_MGR_GET_SERVICE:
case SVC_MGR_CHECK_SERVICE://SVC_MGR_GET_SERVICE和SVC_MGR_CHECK_SERVICE是等效的
s = bio_get_string16(msg, &len);//读取service name
ptr = do_find_service(bs, s, len, txn->sender_euid);//根据service name查找service
if (!ptr)
break;
bio_put_ref(reply, ptr);//ptr为handle, 把ptr保存到reply中
return 0;
......
}
default:
ALOGE("unknown code %d\n", txn->code);
return -1;
}
bio_put_uint32(reply, 0);
return 0;
} s = bio_get_string16(msg, &len);//s=“android.os.IServiceManager”
if ((len != (sizeof(svcmgr_id) / 2)) ||
memcmp(svcmgr_id, s, sizeof(svcmgr_id))) {
fprintf(stderr,"invalid id %s\n", str8(s));
return -1;
} const android::String16 IServiceManager::descriptor("android.os.IServiceManager");
const android::String16&
IServiceManager::getInterfaceDescriptor() const {
return IServiceManager::descriptor;
} data.writeInterfaceToken(IServiceManager::getInterfaceDescriptor());
然后,根据code执行对应的处理函数。这里,会执行do_find_service函数。
12. do_find_service
void *do_find_service(struct binder_state *bs, uint16_t *s, unsigned len, unsigned uid)
{
struct svcinfo *si;
si = find_svc(s, len);
if (si && si->ptr) {
if (!si->allow_isolated) {
// If this service doesn't allow access from isolated processes,
// then check the uid to see if it is isolated.
unsigned appid = uid % AID_USER;//AID_USER = 100000
if (appid >= AID_ISOLATED_START && appid <= AID_ISOLATED_END) {//AID_ISOLATED_START=99000, AID_ISOLATED_END=99999
return 0;
}
}
return si->ptr;
} else {
return 0;
}
}android:isolatedProcess="true"
,就属于这种情况。
13. find_svc
struct svcinfo *find_svc(uint16_t *s16, unsigned len)
{
struct svcinfo *si;
for (si = svclist; si; si = si->next) {//从svclist中搜索service
if ((len == si->len) &&
!memcmp(s16, si->name, len * sizeof(uint16_t))) {
return si;
}
}
return 0;
}
返回到12,do_find_service函数返回si->ptr,即handle。
再返回到11,svcmgr_handle函数,如果ptr有效,svcmgr_handle函数会调用bio_put_ref,把ptr保存到reply中,然后返回10 binder_parse。
然后,binder_parse函数会调用binder_send_reply函数,回复请求处理结果
14. binder_send_reply
void binder_send_reply(struct binder_state *bs,
struct binder_io *reply,
void *buffer_to_free,
int status)
{
struct {
uint32_t cmd_free;
void *buffer;
uint32_t cmd_reply;
struct binder_txn txn;
} __attribute__((packed)) data;
data.cmd_free = BC_FREE_BUFFER; //首先发送BC_FREE_BUFFER,释放内核态缓冲区
data.buffer = buffer_to_free;
data.cmd_reply = BC_REPLY;//发送回复请求
data.txn.target = 0;//BC_REPLY指令会忽略target,cookie,code参数
data.txn.cookie = 0;
data.txn.code = 0;
if (status) {//status = 0,所以执行else
data.txn.flags = TF_STATUS_CODE;
data.txn.data_size = sizeof(int);
data.txn.offs_size = 0;
data.txn.data = &status;
data.txn.offs = 0;
} else {
data.txn.flags = 0;
data.txn.data_size = reply->data - reply->data0;
data.txn.offs_size = ((char*) reply->offs) - ((char*) reply->offs0);
data.txn.data = reply->data0;
data.txn.offs = reply->offs0;
}
binder_write(bs, &data, sizeof(data));
}
struct binder_object
{
uint32_t type;
uint32_t flags;
void *pointer;
void *cookie;
};struct flat_binder_object {
/* 8 bytes for large_flat_header. */
unsigned long type;
unsigned long flags;
/* 8 bytes of data. */
union {
void *binder; /* local object */
signed long handle; /* remote object */
};
/* extra data associated with local object */
void *cookie;
};
所以,servicemanager通过BC_REPLY指令返回了一个flat_binder_object对象。
15. binder_write
int binder_write(struct binder_state *bs, void *data, unsigned len)
{
struct binder_write_read bwr;
int res;
bwr.write_size = len;
bwr.write_consumed = 0;
bwr.write_buffer = (unsigned) data;
bwr.read_size = 0;
bwr.read_consumed = 0;
bwr.read_buffer = 0;
res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr);//调用ioctl,通过BINDER_WRITE_READ指令返回数据
if (res < 0) {
fprintf(stderr,"binder_write: ioctl failed (%s)\n",
strerror(errno));
}
return res;
}
然后,binder_send_reply函数返回,到了10. binder_parse。
最后再由binder_parse函数返回到9 binder_looper调用ioctl,等待下一个请求。
现在,又要返回到client进程了。
前面service manager在内核态唤醒了线程的等待队列,所以wait_event_interrupt函数返回到binder_thread_read函数,然后再返回到binder_ioctl函数,进而返回到用户态的8. IPCThreadState->talkwithDriver()函数:
do {
......
if (ioctl(mProcess->mDriverFD, BINDER_WRITE_READ, &bwr) >= 0)//终于看到了ioctl
err = NO_ERROR;
else
err = -errno;
......
} while (err == -EINTR); //因为binder driver中是通过wait_event_interrupt函数进行等待,所以系统中断会导致binder_thread_read在读取到数据前返回
//所以,当err=-EINTR时,需要再次调用ioctl读取数据
......
if (err >= NO_ERROR) {//根据ioctl的执行结果,调整mIn和mOut的状态
if (bwr.write_consumed > 0) {
if (bwr.write_consumed < (ssize_t)mOut.dataSize())
mOut.remove(0, bwr.write_consumed);
else
mOut.setDataSize(0);
}
if (bwr.read_consumed > 0) {
mIn.setDataSize(bwr.read_consumed);
mIn.setDataPosition(0);
}
......
return NO_ERROR;
} case BR_REPLY:
{
binder_transaction_data tr;
err = mIn.read(&tr, sizeof(tr));
ALOG_ASSERT(err == NO_ERROR, "Not enough command data for brREPLY");
if (err != NO_ERROR) goto finish;
if (reply) {
if ((tr.flags & TF_STATUS_CODE) == 0) {
reply->ipcSetDataReference(
reinterpret_cast(tr.data.ptr.buffer),
tr.data_size,
reinterpret_cast(tr.data.ptr.offsets),
tr.offsets_size/sizeof(size_t),
freeBuffer, this);
} else {
err = *static_cast(tr.data.ptr.buffer);
freeBuffer(NULL,
reinterpret_cast(tr.data.ptr.buffer),
tr.data_size,
reinterpret_cast(tr.data.ptr.offsets),
tr.offsets_size/sizeof(size_t), this);
}
} else {
freeBuffer(NULL,
reinterpret_cast(tr.data.ptr.buffer),
tr.data_size,
reinterpret_cast(tr.data.ptr.offsets),
tr.offsets_size/sizeof(size_t), this);
continue;
}
}
goto finish;
再返回到5. IPCThreadState->transaction函数。
然后,返回到4. BpBinder->transaction函数。
最后,返回到1. BpServiceManager.checkService函数,调用如下函数:
reply.readStrongBinder();addService
addService用于service向service manager注册。
1. BpServiceManager.addService:
virtual status_t addService(const String16& name, const sp& service,
bool allowIsolated)
{
Parcel data, reply;
data.writeInterfaceToken(IServiceManager::getInterfaceDescriptor());//无论什么请求,interfaceToken都是需要发送的
data.writeString16(name);//service name
data.writeStrongBinder(service);// BBinder地址
data.writeInt32(allowIsolated ? 1 : 0);
status_t err = remote()->transact(ADD_SERVICE_TRANSACTION, data, &reply);
return err == NO_ERROR ? reply.readExceptionCode() : err;
}
2. svcmgr_handler
int svcmgr_handler(struct binder_state *bs,
struct binder_txn *txn,
struct binder_io *msg,
struct binder_io *reply)
{
struct svcinfo *si;
uint16_t *s;
unsigned len;
void *ptr;
uint32_t strict_policy;
int allow_isolated;
......
switch(txn->code) {
case SVC_MGR_ADD_SERVICE:
s = bio_get_string16(msg, &len);//service name
ptr = bio_get_ref(msg);//handle
allow_isolated = bio_get_uint32(msg) ? 1 : 0;
if (do_add_service(bs, s, len, ptr, txn->sender_euid, allow_isolated))
return -1;
break;
......
}
bio_put_uint32(reply, 0);//回复0,表示请求处理成功
return 0;
}int do_add_service(struct binder_state *bs,
uint16_t *s, unsigned len,
void *ptr, unsigned uid, int allow_isolated)
{
struct svcinfo *si;
......
if (!svc_can_register(uid, s)) {//检查注册的service是否合法
ALOGE("add_service('%s',%p) uid=%d - PERMISSION DENIED\n",
str8(s), ptr, uid);
return -1;
}
si = find_svc(s, len);
if (si) {//service已经注册
if (si->ptr) {
ALOGE("add_service('%s',%p) uid=%d - ALREADY REGISTERED, OVERRIDE\n",
str8(s), ptr, uid);
svcinfo_death(bs, si);
}
si->ptr = ptr;
} else {//尚未注册
si = malloc(sizeof(*si) + (len + 1) * sizeof(uint16_t));
if (!si) {
ALOGE("add_service('%s',%p) uid=%d - OUT OF MEMORY\n",
str8(s), ptr, uid);
return -1;
}
si->ptr = ptr;
si->len = len;
memcpy(si->name, s, (len + 1) * sizeof(uint16_t));
si->name[len] = '\0';
si->death.func = svcinfo_death;
si->death.ptr = si;
si->allow_isolated = allow_isolated;
si->next = svclist;
svclist = si;//保存到svclist
}
binder_acquire(bs, ptr);//增加binder_ref和binder_node的引用计数
binder_link_to_death(bs, ptr, &si->death);//注册binder_ref的死亡通知
return 0;
}
4. svc_can_register
int svc_can_register(unsigned uid, uint16_t *name)
{
unsigned n;
if ((uid == 0) || (uid == AID_SYSTEM))//root和system可以注册
return 1;
for (n = 0; n < sizeof(allowed) / sizeof(allowed[0]); n++)//否则必须匹配特定的uid和service name才能注册
if ((uid == allowed[n].uid) && str16eq(name, allowed[n].name))
return 1;
return 0;
}static struct {
unsigned uid;
const char *name;
} allowed[] = {
{ AID_MEDIA, "media.audio_flinger" },
{ AID_MEDIA, "media.player" },
{ AID_MEDIA, "media.camera" },
{ AID_MEDIA, "media.audio_policy" },
{ AID_DRM, "drm.drmManager" },
{ AID_NFC, "nfc" },
{ AID_BLUETOOTH, "bluetooth" },
{ AID_RADIO, "radio.phone" },
{ AID_RADIO, "radio.sms" },
{ AID_RADIO, "radio.phonesubinfo" },
{ AID_RADIO, "radio.simphonebook" },
/* TODO: remove after phone services are updated: */
{ AID_RADIO, "phone" },
{ AID_RADIO, "sip" },
{ AID_RADIO, "isms" },
{ AID_RADIO, "iphonesubinfo" },
{ AID_RADIO, "simphonebook" },
{ AID_MEDIA, "common_time.clock" },
{ AID_MEDIA, "common_time.config" },
};
现在先假设svc_can_register函数返回1,3. do_add_service函数中,接下来调用find_svc。这个函数之前已经解释过了,所以我们知道如果service已经注册过了,就会返回上次注册的svcinfo信息:
struct svcinfo
{
struct svcinfo *next;//下一各svcinfo
void *ptr;//handle
struct binder_death death;
int allow_isolated;
unsigned len;//service name的长度
uint16_t name[0];//service name
}; struct binder_death {
void (*func)(struct binder_state *bs, void *ptr);
void *ptr;
}; if (si->ptr) {
ALOGE("add_service('%s',%p) uid=%d - ALREADY REGISTERED, OVERRIDE\n",
str8(s), ptr, uid);
svcinfo_death(bs, si);//释放旧的binder_ref
}
si->ptr = ptr;
5. svcinfo_death
void svcinfo_death(struct binder_state *bs, void *ptr)
{
struct svcinfo *si = ptr;
ALOGI("service '%s' died\n", str8(si->name));
if (si->ptr) {
binder_release(bs, si->ptr);
si->ptr = 0;
}
}
6. binder_release
void binder_release(struct binder_state *bs, void *ptr)
{
uint32_t cmd[2];
cmd[0] = BC_RELEASE;
cmd[1] = (uint32_t) ptr;
binder_write(bs, cmd, sizeof(cmd));
}让我们回到3. do_add_service,如果service未注册过,则创建新的svcinfo对象:
si = malloc(sizeof(*si) + (len + 1) * sizeof(uint16_t));
if (!si) {
ALOGE("add_service('%s',%p) uid=%d - OUT OF MEMORY\n",
str8(s), ptr, uid);
return -1;
}
si->ptr = ptr;
si->len = len;
memcpy(si->name, s, (len + 1) * sizeof(uint16_t));
si->name[len] = '\0';
si->death.func = svcinfo_death;
si->death.ptr = si;
si->allow_isolated = allow_isolated;
si->next = svclist;
svclist = si;//保存到svclistvoid svcinfo_death(struct binder_state *bs, void *ptr)
{
struct svcinfo *si = ptr;
ALOGI("service '%s' died\n", str8(si->name));
if (si->ptr) {
binder_release(bs, si->ptr);
si->ptr = 0;
}
}
然后,无论svcinfo是原有的,还是新创建的,下面的操作都是需要执行的:
binder_acquire(bs, ptr);//增加binder_ref和binder_node的引用计数
binder_link_to_death(bs, ptr, &si->death);//注册binder_ref的死亡通知
return 0;void binder_link_to_death(struct binder_state *bs, void *ptr, struct binder_death *death)
{
uint32_t cmd[3];
cmd[0] = BC_REQUEST_DEATH_NOTIFICATION;
cmd[1] = (uint32_t) ptr;
cmd[2] = (uint32_t) death;
binder_write(bs, cmd, sizeof(cmd));
}int binder_parse(struct binder_state *bs, struct binder_io *bio,
uint32_t *ptr, uint32_t size, binder_handler func)
{
int r = 1;
uint32_t *end = ptr + (size / 4);
while (ptr < end) {
uint32_t cmd = *ptr++;
.......
switch(cmd) {
case BR_DEAD_BINDER: {
struct binder_death *death = (void*) *ptr++;//death即刚才注册时写入的death
death->func(bs, death->ptr);//death->func即svcinfo_death函数,而svcinfo_deatch会调用binder_release函数
break;
}
......
}
}
return r;
} bio_put_uint32(reply, 0);//回复0,表示请求处理成功
最后,BpServiceManager.addService函数就可以读取到返回值:
status_t err = remote()->transact(ADD_SERVICE_TRANSACTION, data, &reply); //err为servicemanager发送的0
return err == NO_ERROR ? reply.readExceptionCode() : err;listServices
listServices用于返回所有注册的service name。
1. BpServiceManager.listSevices()
virtual Vector listServices()
{
Vector res;
int n = 0;
for (;;) {
Parcel data, reply;
data.writeInterfaceToken(IServiceManager::getInterfaceDescriptor());
data.writeInt32(n++);
status_t err = remote()->transact(LIST_SERVICES_TRANSACTION, data, &reply);
if (err != NO_ERROR)
break;
res.add(reply.readString16());
}
return res;
} 我们可以看到,listService函数是通过循环实现的,每次返回一个service name。同样的,直接看serivcemanager的处理逻辑。
2. svcmgr_handler
int svcmgr_handler(struct binder_state *bs,
struct binder_txn *txn,
struct binder_io *msg,
struct binder_io *reply)
{
struct svcinfo *si;
uint16_t *s;
unsigned len;
void *ptr;
uint32_t strict_policy;
int allow_isolated;
......
switch(txn->code) {
case SVC_MGR_LIST_SERVICES: {
unsigned n = bio_get_uint32(msg);
si = svclist;
while ((n-- > 0) && si)
si = si->next;
if (si) {//service
bio_put_string16(reply, si->name);//返回指定service的service name
return 0;
}
return -1;//n >= 所有注册的service的数量
}
......
}
......
}reply.readString16()总结
- 作为Android系统的基础之一,Service Manager的启动顺序在Iinux内核启动以后,Zygote进程启动以前。
- ServiceManager为客户端提供了BpServiceManager类作为代理,而BpServiceManager以IServiceManager的形式,为Client提供服务。
- 客户端可以通过defaultManagerService函数获得BpServiceManager。