android graphic(8)—surface申请GraphicBuffer过程


  • surfacedequeueBuffer函数
  • BufferQueue申请内存
  • SurfacerequestBuffer

本节分析surfaceBuffer Queue申请GraphicBuffer的过程(这里的surfacenativesurface,不是Java中的),在此过程中还会涉及利用Flattenable协议对对象序列化,binder传递文件描述符等概念。



intSurface::hook_dequeueBuffer(ANativeWindow* window,

       ANativeWindowBuffer** buffer, int* fenceFd) {

   Surface* c = getSelf(window);

   return c->dequeueBuffer(buffer, fenceFd);



typedefstruct android_native_base_t


   /* a magic value defined by the actual EGL native type */

   int magic;


   /* the sizeof() of the actual EGL native type */



   void* reserved[4];


   /* reference-counting interface */

   void (*incRef)(struct android_native_base_t* base);

   void (*decRef)(struct android_native_base_t* base);

} android_native_base_t;


typedefstruct native_handle


   intversion;        /*sizeof(native_handle_t) */

   int numFds;         /* number offile-descriptors at &data[0] */

   int numInts;        /* number of intsat &data[numFds] */

   int data[0];        /* numFds + numIntsints */

} native_handle_t;


typedefconst native_handle_t* buffer_handle_t;



typedefstruct ANativeWindowBuffer


   struct android_native_base_t common;


   int width;

   int height;

   int stride;

   int format;

   int usage;


   void* reserved[2];


   buffer_handle_t handle;


   void* reserved_proc[8];

} ANativeWindowBuffer_t;

图形的buffer其实核心就是buffer_handle_t handle;这个handle,上节分析过,就是通过mmap返回的fdsizemap到进程中内存的起始地址。

int Surface::dequeueBuffer(android_native_buffer_t** buffer, int* fenceFd) {



   Mutex::Autolock lock(mMutex);

   int buf = -1;

   int reqW = mReqWidth ? mReqWidth :mUserWidth;

   int reqH = mReqHeight ? mReqHeight :mUserHeight;

   sp fence;


   // mGraphicBufferProducerBufferQueueBp对象

   status_t result = mGraphicBufferProducer->dequeueBuffer(&buf,&fence, mSwapIntervalZero,

            reqW, reqH, mReqFormat, mReqUsage);

   if (result < 0) {

       ALOGV("dequeueBuffer: IGraphicBufferProducer::dequeueBuffer(%d, %d, %d, %d)"

             "failed: %d", mReqWidth, mReqHeight, mReqFormat, mReqUsage,


       return result;


   sp& gbuf(mSlots[buf].buffer);


   // this should never happen

   ALOGE_IF(fence == NULL, "Surface::dequeueBuffer: received nullFence! buf=%d", buf);


   if (result &IGraphicBufferProducer::RELEASE_ALL_BUFFERS) {




   if ((result &IGraphicBufferProducer::BUFFER_NEEDS_REALLOCATION) || gbuf == 0) {



       // 匿名共享内存和binder传递描述符映射过去的,Surface通过调用

       // requestBuffer将图形缓冲区映射到Surface所在进程

        result =mGraphicBufferProducer->requestBuffer(buf, &gbuf);

       if (result != NO_ERROR) {

            ALOGE("dequeueBuffer:IGraphicBufferProducer::requestBuffer failed: %d", result);

            return result;




   if (fence->isValid()) {

       *fenceFd = fence->dup();

       if (*fenceFd == -1) {

            ALOGE("dequeueBuffer:error duping fence: %d", errno);

            // dup() should never fail; something is badly wrong. Soldier on

            // and hope for the best; the worst that should happenis some

            // visible corruption that lasts until the next frame.


   } else {

       *fenceFd = -1;



   *buffer = gbuf.get();

   return OK;






BufferSlot mSlots[NUM_BUFFER_SLOTS];


   struct BufferSlot {


       sp buffer;

       Region dirtyRegion;


   //int buf = -1;

   // buf是个int值,是上面mSlots数组的下标

   status_t result =mGraphicBufferProducer->dequeueBuffer(&buf, &fence,mSwapIntervalZero,

            reqW, reqH, mReqFormat, mReqUsage);


classBpGraphicBufferProducer : public BpInterface<IGraphicBufferProducer>


    virtualstatus_t dequeueBuffer(int *buf, sp<Fence>* fence, boolasync,

            uint32_tw, uint32_th, uint32_tformat, uint32_tusage) {

        Parcel data, reply;








        status_tresult = remote()->transact(DEQUEUE_BUFFER, data, &reply);

        if (result != NO_ERROR) {




        *buf =reply.readInt32();

        boolnonNull = reply.readInt32();

        if (nonNull) {

            *fence= new Fence();



        result =reply.readInt32();




client侧,也就是BpGraphicBufferProducer侧,通过DEQUEUE_BUFFER后核心只返回了一个*buf =reply.readInt32();(先不管fence),也就是数组mSlots的下标。看来,BufferQueue中应该也有个和mSlots对应的数组,也是32个,一一对应,继续分析server侧,即Bn侧,


   uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags)


     caseDEQUEUE_BUFFER: {

            CHECK_INTERFACE(IGraphicBufferProducer, data, reply);

            bool async      = data.readInt32();

            uint32_t w      = data.readInt32();

            uint32_t h      = data.readInt32();

            uint32_t format = data.readInt32();

            uint32_t usage  = data.readInt32();

            int buf;

            sp<Fence> fence;



            int result =dequeueBuffer(&buf, &fence, async, w, h, format, usage);



            reply->writeInt32(fence != NULL);

            if (fence != NULL) {




            return NO_ERROR;




但是BufferSlot 结构不同于Surface中的,由于BufferQueue的核心职责就是管理图形缓冲区,需要记录每个缓冲区的状态(FREEDEQUEUEDQUEUEDACQUIRED)等,关于生产者消费者这里不细述了,

  struct BufferSlot {



       : mEglDisplay(EGL_NO_DISPLAY),






         mNeedsCleanupOnRelease(false) {



       // mGraphicBuffer points to the buffer allocated for this slot oris NULL

       // if no buffer has been allocated.

       sp mGraphicBuffer;


       // mEglDisplay is the EGLDisplayused to create EGLSyncKHR objects.

       EGLDisplay mEglDisplay;


       // BufferState represents the different states in which a buffer slot

       // can be. All slots are initially FREE.

       enum BufferState {

            // FREE indicates that the buffer is available to be dequeued

            // by the producer.  The buffer may bein use by the consumer for

           // a finite time, so thebuffer must notbe modified until the

            // associated fence is signaled.


            // The slot is "owned" byBufferQueue.  It transitions to DEQUEUED

            // when dequeueBuffer is called.

            FREE = 0,


            // DEQUEUED indicates that the buffer has been dequeued by the

            // producer, but has not yet been queued or canceled.  The

            // producer may modify the buffer'scontents as soon as the

            // associated ready fence is signaled.


            // The slot is "owned" by theproducer.  It can transition to

            // QUEUED (via queueBuffer) or back to FREE (via cancelBuffer).

            DEQUEUED = 1,


            // QUEUED indicates that the buffer has been filled by the

            // producer and queued for use by the consumer.  The buffer

            // contents may continue to be modified for a finite time,so

            // the contents must notbe accessed until the associated fence

            // is signaled.


            // The slot is "owned" byBufferQueue.  It can transition to

            // ACQUIRED (via acquireBuffer) or to FREE (if another buffer is

            // queued in asynchronous mode).

           QUEUED = 2,


            // ACQUIRED indicates that the buffer has been acquired by the

            // consumer.  As with QUEUED, the contents must notbe accessed

            // by the consumer until the fence is signaled.


            // The slot is "owned" by theconsumer.  It transitions to FREE

            // when releaseBuffer is called.

            ACQUIRED = 3



       // mBufferState is the currentstate of this buffer slot.

       BufferState mBufferState;


       // mRequestBufferCalled is used for validating that the producerdid

       // call requestBuffer() when told to do so. Technically this isnot

       // needed but useful for debugging and catchingproducer bugs.

       bool mRequestBufferCalled;


       // mFrameNumber is the number of the queuedframe for this slot.  This

       // is used to dequeue buffers in LRU order (useful because buffers

       // may be released before their release fence is signaled).

       uint64_t mFrameNumber;


       // mEglFence is the EGL sync object that must signal before the buffer

       // associated with this buffer slot may be dequeued. It is initialized

       // to EGL_NO_SYNC_KHR when the buffer is created and may beset to a

       // new sync object inreleaseBuffer.  (This is deprecated in favor of

       // mFence, below.)

       EGLSyncKHR mEglFence;


       // mFence is a fence whichwill signal when work initiated by the

       // previous owner of the buffer is finished. When the buffer is FREE,

       // the fence indicates when the consumer has finished reading

       // from the buffer, or when the producer has finished writing if it

       // called cancelBuffer after queueing some writes. When the buffer is

       // QUEUED, it indicates when the producer has finished filling the

       // buffer. When the buffer is DEQUEUED or ACQUIRED, thefence has been

       // passed to the consumer or producer alongwith ownership of the

       // buffer, and mFence isset to NO_FENCE.

       sp mFence;


       // Indicates whether this buffer has been seen by a consumer yet

       bool mAcquireCalled;


       // Indicates whether this buffer needs to be cleaned up by the

       // consumer.  This isset when a buffer in ACQUIRED state is freed.

       // It causes releaseBuffer to return STALE_BUFFER_SLOT.

       bool mNeedsCleanupOnRelease;



status_t BufferQueue::dequeueBuffer(int *outBuf, sp* outFence, boolasync,

       uint32_t w, uint32_t h, uint32_t format, uint32_t usage) {


   ST_LOGV("dequeueBuffer: w=%d h=%d fmt=%#x usage=%#x", w, h, format, usage);



   status_t returnFlags(OK);

   EGLDisplay dpy = EGL_NO_DISPLAY;

   EGLSyncKHR eglFence = EGL_NO_SYNC_KHR;


   { // Scope for the lock

       Mutex::Autolock lock(mMutex);


       if (format == 0) {

            format = mDefaultBufferFormat;


        // turn on usage bits the consumerrequested

       usage |= mConsumerUsageBits;


       int found = -1;

       bool tryAgain = true;

       while (tryAgain) {

            if (mAbandoned) {

                ST_LOGE("dequeueBuffer:BufferQueue has been abandoned!");

                return NO_INIT;



            constint maxBufferCount =getMaxBufferCountLocked(async);

            if (async && mOverrideMaxBufferCount) {

                // FIXME: somedrivers are manually setting the buffer-count (which they

                // shouldn't), sowe do this extra test here to handle that case.

                // This isTEMPORARY, until we get this fixed.

                if (mOverrideMaxBufferCount < maxBufferCount) {

                    ST_LOGE("dequeueBuffer:async mode is invalid with buffercount override");

                    return BAD_VALUE;




            // Free up anybuffers that are in slots beyond the max buffer

            // count.

            for (int i = maxBufferCount; i

                assert(mSlots[i].mBufferState== BufferSlot::FREE);

                if (mSlots[i].mGraphicBuffer != NULL) {


                    returnFlags |=IGraphicBufferProducer::RELEASE_ALL_BUFFERS;




            // look for a freebuffer to give to the client

            found = INVALID_BUFFER_SLOT;

            int dequeuedCount = 0;

            int acquiredCount = 0;


            for (int i = 0; i < maxBufferCount; i++) {

                constint state = mSlots[i].mBufferState;

                switch (state) {

                    case BufferSlot::DEQUEUED:



                    case BufferSlot::ACQUIRED:



                    case BufferSlot::FREE:

                        /* We return the oldest of the freebuffers to avoid

                        * stalling the producer if possible. This is because

                        * the consumer may still have pending reads of the

                        * buffers in flight.


                        if ((found < 0) ||

                               mSlots[i].mFrameNumber < mSlots[found].mFrameNumber) {

                            found = i;






            // clients are notallowed to dequeue more than one buffer

            // if they didn'tset a buffer count.

            if (!mOverrideMaxBufferCount && dequeuedCount) {

                ST_LOGE("dequeueBuffer:can't dequeue multiple buffers without "

                        "settingthe buffer count");

                return -EINVAL;



            // See whether abuffer has been queued since the last

            // setBufferCountso we know whether to perform the min undequeued

            // buffers checkbelow.

            if (mBufferHasBeenQueued) {

                // make sure theclient is not trying to dequeue more buffers

                // than allowed.

                constint newUndequeuedCount = maxBufferCount -(dequeuedCount+1);

                constint minUndequeuedCount =getMinUndequeuedBufferCount(async);

                if (newUndequeuedCount < minUndequeuedCount) {

                    ST_LOGE("dequeueBuffer:min undequeued buffer count (%d) "

                            "exceeded(dequeued=%d undequeudCount=%d)",



                    return -EBUSY;




            // If no buffer isfound, wait for a buffer to be released or for

            // the max buffercount to change.

            tryAgain = found ==INVALID_BUFFER_SLOT;


            if (tryAgain) {

                // return an errorif we're in "cannot block" mode (producer and consumer

                // are controlledby the application) -- however, the consumer is allowed

                // to acquirebriefly an extra buffer (which could cause us to have to wait here)

                // and that's okaybecause we know the wait will be brief (it happens

                // if we dequeue abuffer while the consumer has acquired one but not released

                // the old one yet-- for e.g.: see GLConsumer::updateTexImage()).

                if (mDequeueBufferCannotBlock && (acquiredCount <=mMaxAcquiredBufferCount)) {

                    ST_LOGE("dequeueBuffer:would block! returning an error instead.");

                   return WOULD_BLOCK;







       if (found == INVALID_BUFFER_SLOT) {

            // This should nothappen.

            ST_LOGE("dequeueBuffer:no available buffer slots");

            return -EBUSY;



       constint buf = found;

       *outBuf = found;




       constbool useDefaultSize = !w && !h;

       if (useDefaultSize) {

           // use the defaultsize

            w = mDefaultWidth;

            h = mDefaultHeight;




       mSlots[buf].mBufferState = BufferSlot::DEQUEUED;


       const sp&buffer(mSlots[buf].mGraphicBuffer);



       if ((buffer == NULL) ||

            (uint32_t(buffer->width)  != w) ||

            (uint32_t(buffer->height) != h)||

            (uint32_t(buffer->format) !=format) ||

            ((uint32_t(buffer->usage) &usage) != usage))


            mSlots[buf].mAcquireCalled = false;

            mSlots[buf].mGraphicBuffer = NULL;

            mSlots[buf].mRequestBufferCalled = false;

            mSlots[buf].mEglFence =EGL_NO_SYNC_KHR;

            mSlots[buf].mFence =Fence::NO_FENCE;

            mSlots[buf].mEglDisplay =EGL_NO_DISPLAY;


            returnFlags |=IGraphicBufferProducer::BUFFER_NEEDS_REALLOCATION;




       if (CC_UNLIKELY(mSlots[buf].mFence == NULL)) {

            ST_LOGE("dequeueBuffer:about to return a NULL fence from mSlot. "

                    "buf=%d, w=%d,h=%d, format=%d",

                    buf, buffer->width,buffer->height, buffer->format);



       dpy = mSlots[buf].mEglDisplay;

       eglFence = mSlots[buf].mEglFence;

       *outFence = mSlots[buf].mFence;

       mSlots[buf].mEglFence = EGL_NO_SYNC_KHR;

       mSlots[buf].mFence = Fence::NO_FENCE;

   }  // end lock scope


   // buffer需要重新申请,则调用mGraphicBufferAlloc去创建buffer

   if (returnFlags &IGraphicBufferProducer::BUFFER_NEEDS_REALLOCATION) {

       status_t error;

       sp graphicBuffer(

                mGraphicBufferAlloc->createGraphicBuffer(w,h, format, usage, &error));

       if (graphicBuffer == 0) {

            ST_LOGE("dequeueBuffer:SurfaceComposer::createGraphicBuffer failed");

            return error;



       { // Scope for the lock

            Mutex::Autolock lock(mMutex);


            if (mAbandoned) {

                ST_LOGE("dequeueBuffer:BufferQueue has been abandoned!");

                return NO_INIT;



            mSlots[*outBuf].mFrameNumber = ~0;

            mSlots[*outBuf].mGraphicBuffer =graphicBuffer;




   if (eglFence != EGL_NO_SYNC_KHR) {

       EGLint result = eglClientWaitSyncKHR(dpy, eglFence, 0, 1000000000);

       // If something goes wrong, log the error, but return the buffer without

       // synchronizing access to it.  It'stoo late at this point to abort the

       // dequeue operation.

       if (result == EGL_FALSE) {

            ST_LOGE("dequeueBuffer:error waiting for fence: %#x",eglGetError());

       } elseif (result == EGL_TIMEOUT_EXPIRED_KHR) {

            ST_LOGE("dequeueBuffer:timeout waiting for fence");


       eglDestroySyncKHR(dpy, eglFence);



   ST_LOGV("dequeueBuffer: returning slot=%d/%llu buf=%pflags=%#x", *outBuf,


           mSlots[*outBuf].mGraphicBuffer->handle, returnFlags);


   return returnFlags;


const sp&buffer(mSlots[buf].mGraphicBuffer),取找到的buf中的mGraphicBuffer,如果buffer为空,或者非空,但是buffer的尺寸有变化,将returnFlags添加BUFFER_NEEDS_REALLOCATION重新申请标志; 

       sp graphicBuffer(

               mGraphicBufferAlloc->createGraphicBuffer(w, h, format, usage, &error));


classBpGraphicBufferAlloc : public BpInterface<IGraphicBufferAlloc>


    virtual sp<GraphicBuffer>createGraphicBuffer(uint32_tw, uint32_th,

            PixelFormatformat, uint32_tusage, status_t* error) {

        Parcel data, reply;






        remote()->transact(CREATE_GRAPHIC_BUFFER, data, &reply);


        status_tresult = reply.readInt32();

        if (result == NO_ERROR) {


           graphicBuffer = new GraphicBuffer();



            // herewe don't even have to read the BufferReference from

            // theparcel, it'll die with the parcel.


        *error =result;






   uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags)


            CHECK_INTERFACE(IGraphicBufferAlloc, data, reply);

            uint32_t w = data.readInt32();

            uint32_t h = data.readInt32();

           PixelFormat format = data.readInt32();

            uint32_t usage = data.readInt32();

            status_t error;


            sp<GraphicBuffer> result =

                    createGraphicBuffer(w, h,format, usage, &error);


            if (result != 0) {



                // We add a BufferReference to this parcel to make sure the

                // buffer stays alive until theGraphicBuffer object on

                // the other side has beencreated.

                // This is needed so that the buffer handle can be

                // registered before the bufferis destroyed on implementations

                // that do not use file-descriptors to track their buffers.

                reply->writeStrongBinder(new BufferReference(result) );


            return NO_ERROR;

       } break;

sp<GraphicBuffer>GraphicBufferAlloc::createGraphicBuffer(uint32_t w, uint32_t h,

       PixelFormat format, uint32_t usage, status_t* error) {

   sp<GraphicBuffer> graphicBuffer(newGraphicBuffer(w, h, format, usage));

   status_t err = graphicBuffer->initCheck();

   *error = err;

   if (err !=0|| graphicBuffer->handle==0) {

       if (err == NO_MEMORY) {



       ALOGE("GraphicBufferAlloc::createGraphicBuffer(w=%d, h=%d) "

             "failed (%s),handle=%p",

                w, h, strerror(-err), graphicBuffer->handle);



   return graphicBuffer;


GraphicBuffer::GraphicBuffer(uint32_t w, uint32_t h,

       PixelFormat reqFormat, uint32_t reqUsage)

   : BASE(), mOwner(ownData), mBufferMapper(GraphicBufferMapper::get()),



   width  =

   height =

   stride =

   format =

   usage  =0;


   mInitCheck = initSize(w, h,reqFormat, reqUsage);



    result = mGraphicBufferProducer->requestBuffer(buf, &gbuf);


int Surface::dequeueBuffer(android_native_buffer_t**buffer, int* fenceFd) {


   sp& gbuf(mSlots[buf].buffer);


   if ((result &IGraphicBufferProducer::BUFFER_NEEDS_REALLOCATION) || gbuf == 0) {


       result = mGraphicBufferProducer->requestBuffer(buf, &gbuf);

       if (result != NO_ERROR) {

            ALOGE("dequeueBuffer:IGraphicBufferProducer::requestBuffer failed: %d", result);

            return result;





上面调用了mGraphicBufferProducer->requestBuffer(buf, &gbuf), 

classBpGraphicBufferProducer : public BpInterface<IGraphicBufferProducer>




    virtualstatus_t requestBuffer(intbufferIdx, sp<GraphicBuffer>* buf) {

        Parcel data, reply;




        status_tresult =remote()->transact(REQUEST_BUFFER, data, &reply);

        if (result != NO_ERROR) {



        boolnonNull = reply.readInt32();

        if (nonNull) {


            *buf =new GraphicBuffer();



        result =reply.readInt32();




综上,真正申请图形缓冲区是在surface flinger进程中,因为GraphicBufferAlloc对象是在surface flingernew出来的,然后BufferQueueSurface中的图形缓冲区都是通过GraphicBuffer的序列化和反序列化新映射出来的。

