APP进程获取AMS BinderProxy 代理对象过程

APP进程的创建需要通过AMS将创建请求发往zygote进程,而AMS所在的进程为system_server进程,这两进程间利用binder机制完成通信。以startService为例,先调用ServiceManager.getService("activity"),访问binder驱动,从servicemanager进程中获取AMS的代理对象BinderProxy。

ContextWrapper.java
/**
 * Starts the requested service by delegating to the wrapped base context.
 *
 * @param service intent describing the service to start
 * @return whatever {@code mBase.startService(service)} returns
 */
public ComponentName startService(Intent service) {
        final ComponentName started = mBase.startService(service);
        return started;
    }
ContextImpl.java
    /**
     * Starts a service on behalf of the user stored in {@code mUser}.
     *
     * @param service intent describing the service to start
     * @return the value produced by {@code startServiceCommon}
     */
    @Override
    public ComponentName startService(Intent service) {
        // Runs before the request is forwarded.
        warnIfCallingFromSystemProcess();
        final ComponentName started = startServiceCommon(service, mUser);
        return started;
    }
    /**
     * Sends the start-service request to the activity manager through the
     * interface returned by {@code ActivityManagerNative.getDefault()}.
     *
     * NOTE(review): this listing is abridged — as shown the method never returns
     * {@code cn} and does not handle the RemoteException that the proxy's
     * startService declares; consult the framework source for the full body.
     * getDefault() can also return null when the service lookup fails, which this
     * excerpt does not guard against.
     *
     * @param service intent describing the service to start
     * @param user    user whose identifier is sent with the request
     */
    private ComponentName startServiceCommon(Intent service, UserHandle user) {
        // The package name and user id passed below are produced inside the calling process.
        // NOTE(review): the receiving side presumably checks them against the Binder calling
        // identity instead of trusting them — that code is not part of this page.
        ComponentName cn = ActivityManagerNative.getDefault().startService(
                mMainThread.getApplicationThread(), service, service.resolveTypeIfNeeded(
                            getContentResolver()), getOpPackageName(), user.getIdentifier());
    }

1 getDefault()

ActivityManagerNative.java
public abstract class ActivityManagerNative extends Binder implements IActivityManager
{
    /**
     * Returns the IActivityManager held by {@code gDefault}.
     *
     * The result can be null: {@code create()} feeds the outcome of
     * {@code ServiceManager.getService("activity")} into {@code asInterface}, and
     * both return null when the lookup fails, so callers should check before use.
     * NOTE(review): presumably Singleton caches the first created instance — the
     * Singleton class is not shown on this page.
     */
    static public IActivityManager getDefault() {
        return gDefault.get();
    }
    
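    /**
     * Holder for the IActivityManager used by {@code getDefault()}.
     *
     * The type argument is written out explicitly: the page extraction dropped the
     * angle-bracket text, and with a raw {@code Singleton} the {@code get()} call
     * in getDefault() would not type-check as IActivityManager.
     */
    private static final Singleton<IActivityManager> gDefault = new Singleton<IActivityManager>() {
        protected IActivityManager create() {
            // Looks up the binder registered under "activity"; getService() logs and
            // returns null if the lookup throws RemoteException.
            IBinder b = ServiceManager.getService("activity");
            // asInterface(null) returns null, so a failed lookup yields a null manager.
            return asInterface(b);
        }
    };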

getService

APP进程通过getService创建BinderProxy对象。

// b may be null: getService() logs the error and returns null when the lookup throws RemoteException.
IBinder b = ServiceManager.getService("activity");
ServiceManager.java
/**
 * Resolves a service name to its binder, consulting {@code sCache} before asking
 * the service manager.
 *
 * @param name name the service is registered under, e.g. "activity"
 * @return the cached or freshly looked-up binder, or null when the remote lookup
 *         yields nothing or fails with RemoteException (the failure is only logged)
 */
public static IBinder getService(String name) {
        IBinder binder = null;
        try {
            binder = sCache.get(name);
            if (binder == null) {
                // Cache miss: go through the service manager interface.
                binder = getIServiceManager().getService(name);
            }
        } catch (RemoteException e) {
            Log.e(TAG, "error in getService", e);
        }
        return binder;
    }

getIServiceManager

    /**
     * Returns the IServiceManager stored in {@code sServiceManager}, creating it on
     * the first call from the binder returned by
     * {@code BinderInternal.getContextObject()}.
     */
    private static IServiceManager getIServiceManager() {
        if (sServiceManager == null) {
            // Find the service manager; getContextObject() is the native call that
            // creates the BinderProxy wrapped here.
            sServiceManager = ServiceManagerNative.asInterface(BinderInternal.getContextObject());
        }
        return sServiceManager;
    }


注意native方法getContextObject,创建BinderProxy

getContextObject

BinderInternal.java
/**
 * Native method returning the IBinder that getIServiceManager() wraps with
 * ServiceManagerNative.asInterface(); the implementation lives in native code
 * (android_util_Binder.cpp in this walkthrough).
 */
public static final native IBinder getContextObject();
android_util_Binder.cpp
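// Native side of BinderInternal.getContextObject(): fetches the context object from
// ProcessState and converts it into a Java object for the caller.
static jobject android_os_BinderInternal_getContextObject(JNIEnv* env, jobject clazz)
{
    // Template argument restored: the page extraction dropped "<IBinder>", and a bare
    // "sp" is not a usable type.
    sp<IBinder> b = ProcessState::self()->getContextObject(NULL);
    return javaObjectForIBinder(env, b);
}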

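// Produces the Java object that stands for a native IBinder.
// NOTE(review): abridged listing — only the allocation of the Java-side object is shown;
// how `val` is attached to it, and any null/exception handling, is not on this page.
jobject javaObjectForIBinder(JNIEnv* env, const sp<IBinder>& val)
{
    // Template argument on `val` restored and `object` declared; both were missing from
    // the extracted listing. NewObject instantiates the class recorded in
    // gBinderProxyOffsets, i.e. it creates the BinderProxy.
    jobject object = env->NewObject(gBinderProxyOffsets.mClass, gBinderProxyOffsets.mConstructor);
    return object;
}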

ServiceManagerNative.asInterface

ServiceManagerNative.java
    /**
     * Turns a binder into an IServiceManager.
     *
     * A binder that answers {@code queryLocalInterface} with a non-null object is
     * returned as that object; otherwise it is wrapped in a ServiceManagerProxy.
     * BinderProxy.queryLocalInterface always returns null, so a binder obtained
     * from another process takes the proxy path.
     *
     * @param obj binder to convert; may be null
     * @return null when {@code obj} is null, else the local interface or a new proxy
     */
    static public IServiceManager asInterface(IBinder obj)
    {
        if (obj == null) {
            return null;
        }
        final IServiceManager local = (IServiceManager) obj.queryLocalInterface(descriptor);
        return (local != null) ? local : new ServiceManagerProxy(obj);
    }
    
    class ServiceManagerProxy implements IServiceManager {
        /**
         * Stores the binder that the proxy's calls are sent through.
         *
         * @param remote binder handed in by asInterface()
         */
        public ServiceManagerProxy(IBinder remote) {
            mRemote = remote;
        }

IServiceManager.getService

        //name为activity
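/**
 * Asks the remote service manager for the binder registered under {@code name}.
 *
 * The request parcel carries the interface token followed by the name; the
 * receiving onTransact checks that token with enforceInterface before reading
 * the name.
 *
 * @param name service name, "activity" in this walkthrough
 * @return the binder read from the reply; may be null if the reply holds none
 * @throws RemoteException if the transaction fails
 */
public IBinder getService(String name) throws RemoteException {
        Parcel data = Parcel.obtain();
        Parcel reply = Parcel.obtain();
        try {
            data.writeInterfaceToken(IServiceManager.descriptor);
            data.writeString(name);
            mRemote.transact(GET_SERVICE_TRANSACTION, data, reply, 0);
            return reply.readStrongBinder();
        } finally {
            // Recycle on every path so a failed transact() does not leak both parcels.
            reply.recycle();
            data.recycle();
        }
    }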
    }

mRemote指向native方法getContextObject创建的BinderProxy对象。binder为AMS的BinderProxy对象。

transact

Binder.java
final class BinderProxy implements IBinder {
    // Both methods are implemented in native code; their behaviour is not shown on this page.
    public native boolean pingBinder();
    public native boolean isBinderAlive();

    /**
     * Always returns null: a BinderProxy has no local implementation to hand out.
     * This is what makes the asInterface() helpers fall through to creating a
     * *Proxy wrapper around the binder.
     */
    public IInterface queryLocalInterface(String descriptor) {
        return null;
    }

    /**
     * Sends a transaction through native code after running
     * {@code Binder.checkParcel} on the outgoing parcel.
     *
     * NOTE(review): judging by the message passed to it, checkParcel flags
     * unreasonably large parcels — its body is not shown on this page.
     *
     * @return the result of {@code transactNative}
     * @throws RemoteException propagated from {@code transactNative}
     */
    public boolean transact(int code, Parcel data, Parcel reply, int flags) throws RemoteException {
        Binder.checkParcel(this, code, data, "Unreasonably large binder buffer");
        final boolean handled = transactNative(code, data, reply, flags);
        return handled;
    }
    
    // Native half of transact(); per the article this is where the binder driver is reached.
    public native boolean transactNative(int code, Parcel data, Parcel reply,
            int flags) throws RemoteException;

transactNative访问binder驱动。驱动回调Binder.execTransact方法,来到execTransact方法

execTransact

Binder.java
/**
 * Receiving-side entry point that forwards an incoming transaction to onTransact.
 *
 * NOTE(review): abridged listing — res, data and reply are not declared here and
 * nothing is returned; the conversion of dataObj/replyObj is omitted from the page.
 */
private boolean execTransact(int code, long dataObj, long replyObj,
            int flags) {
    res = onTransact(code, data, reply, flags);// calls onTransact of the subclass (ServiceManagerNative in this walkthrough)
}
ServiceManagerNative.java
    /**
     * Receiving-side dispatch for IServiceManager transactions.
     *
     * NOTE(review): abridged listing — the try block has no catch, and the switch
     * and the method are not closed here; only GET_SERVICE_TRANSACTION is shown.
     */
    public boolean onTransact(int code, Parcel data, Parcel reply, int flags)
    {
        try {
            switch (code) {
            case IServiceManager.GET_SERVICE_TRANSACTION: {
                // Checks the interface token at the head of the parcel against the expected
                // descriptor — the counterpart of writeInterfaceToken() on the proxy side.
                data.enforceInterface(IServiceManager.descriptor);
                // The name comes straight from the sender's parcel, i.e. it is caller-supplied.
                String name = data.readString();
                IBinder service = getService(name);
                // NOTE(review): service is presumably null for an unknown name — the
                // getService called here is not shown on this page.
                reply.writeStrongBinder(service);
                return true;
            }
    }

至此,就返回了AMS代理对象BinderProxy:IBinder b = ServiceManager.getService("activity");

ActivityManagerNative.asInterface

   // Interface name of the activity manager; asInterface() passes it to queryLocalInterface().
   String descriptor = "android.app.IActivityManager";
   
   /**
    * Turns a binder into an IActivityManager.
    *
    * A binder that answers {@code queryLocalInterface} with a non-null object is
    * returned as that object; otherwise it is wrapped in an ActivityManagerProxy.
    * BinderProxy.queryLocalInterface always returns null, so the binder obtained
    * from ServiceManager.getService("activity") takes the proxy path.
    *
    * @param obj binder to convert; may be null
    * @return null when {@code obj} is null, else the local interface or a new proxy
    */
   static public IActivityManager asInterface(IBinder obj) {
       if (obj == null) {
           return null;
       }
       final IActivityManager local = (IActivityManager) obj.queryLocalInterface(descriptor);
       return (local != null) ? local : new ActivityManagerProxy(obj);
   }
}

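/**
 * Client-side stand-in for the activity manager: each call is marshalled into a
 * Parcel and sent through the binder held in {@code mRemote}.
 *
 * NOTE(review): abridged listing — only the constructor and startService are
 * shown; the remaining IActivityManager methods are omitted from the page.
 */
class ActivityManagerProxy implements IActivityManager
{
   /**
    * @param remote binder the calls are sent through; asInterface() passes the
    *               binder obtained from ServiceManager.getService("activity")
    */
   public ActivityManagerProxy(IBinder remote)
   {
       mRemote = remote;
   }

   /**
    * Marshals a start-service request and sends it as START_SERVICE_TRANSACTION.
    *
    * callingPackage and userId are written into the parcel by the calling process.
    * NOTE(review): the receiving side presumably validates them against the Binder
    * calling identity rather than trusting them — that code is not on this page.
    *
    * @return the ComponentName read back from the reply
    * @throws RemoteException if the transaction fails
    */
   public ComponentName startService(IApplicationThread caller, Intent service,
           String resolvedType, String callingPackage, int userId) throws RemoteException
   {
       Parcel data = Parcel.obtain();
       Parcel reply = Parcel.obtain();
       try {
           // The token lets the receiver confirm the parcel targets IActivityManager.
           data.writeInterfaceToken(IActivityManager.descriptor);
           data.writeStrongBinder(caller != null ? caller.asBinder() : null);
           service.writeToParcel(data, 0);
           data.writeString(resolvedType);
           data.writeString(callingPackage);
           data.writeInt(userId);
           mRemote.transact(START_SERVICE_TRANSACTION, data, reply, 0);
           // Rethrows an exception the remote side wrote into the reply, if any.
           reply.readException();
           return ComponentName.readFromParcel(reply);
       } finally {
           // Recycle on every path: transact() and readException() can both throw,
           // which previously skipped the recycle calls and leaked both parcels.
           data.recycle();
           reply.recycle();
       }
   }

   // Declared here so the listing is self-contained; the excerpt assigned it in the
   // constructor without showing the field.
   private IBinder mRemote;
}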

mRemote为ActivityManagerProxy类型.

ActivityManagerNative.startService

ActivityManagerNative.java
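    /**
     * Marshals a start-service request and sends it as START_SERVICE_TRANSACTION
     * through {@code mRemote}.
     *
     * callingPackage and userId are written into the parcel by the calling process.
     * NOTE(review): the receiving side presumably validates them against the Binder
     * calling identity rather than trusting them — that code is not on this page.
     *
     * @return the ComponentName read back from the reply
     * @throws RemoteException if the transaction fails
     */
    public ComponentName startService(IApplicationThread caller, Intent service,
            String resolvedType, String callingPackage, int userId) throws RemoteException
    {
        Parcel data = Parcel.obtain();
        Parcel reply = Parcel.obtain();
        try {
            // The token lets the receiver confirm the parcel targets IActivityManager.
            data.writeInterfaceToken(IActivityManager.descriptor);
            data.writeStrongBinder(caller != null ? caller.asBinder() : null);
            service.writeToParcel(data, 0);
            data.writeString(resolvedType);
            data.writeString(callingPackage);
            data.writeInt(userId);
            mRemote.transact(START_SERVICE_TRANSACTION, data, reply, 0);
            // Rethrows an exception the remote side wrote into the reply, if any.
            reply.readException();
            return ComponentName.readFromParcel(reply);
        } finally {
            // Recycle on every path: transact() and readException() can both throw,
            // which previously skipped the recycle calls and leaked both parcels.
            data.recycle();
            reply.recycle();
        }
    }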

mRemote指向ServiceManager.getService("activity"),为BinderProxy类型。接着调用transact,与GET_SERVICE_TRANSACTION类似,访问binder驱动,进入AMS所在system_server进程。

转载于:https://juejin.im/post/5c9b2a5d5188251e3f74fc88
