native: #00 pc 000000000006e1c4 /system/lib64/libc.so (__ioctl+4)
native: #01 pc 00000000000290d0 /system/lib64/libc.so (ioctl+136)
native: #02 pc 000000000005a5e4 /system/lib64/libbinder.so (android::IPCThreadState::talkWithDriver(bool)+256)
native: #03 pc 000000000005b48c /system/lib64/libbinder.so (android::IPCThreadState::waitForResponse(android::Parcel*, int*)+340)
native: #04 pc 000000000005b1c0 /system/lib64/libbinder.so (android::IPCThreadState::transact(int, unsigned int, android::Parcel const&, android::Parcel*, unsigned int)+176)
native: #05 pc 0000000000051318 /system/lib64/libbinder.so (android::BpBinder::transact(unsigned int, android::Parcel const&, android::Parcel*, unsigned int)+72)
native: #06 pc 000000000012f970 /system/lib64/libandroid_runtime.so (android_os_BinderProxy_transact(_JNIEnv*, _jobject*, int, _jobject*, _jobject*, int)+152)
at android.os.BinderProxy.transactNative(Native method)
at android.os.BinderProxy.transact(Binder.java:1127)
at android.os.ServiceManagerProxy.getService(ServiceManagerNative.java:125)
at android.os.ServiceManager.rawGetService(ServiceManager.java:253)
at android.os.ServiceManager.getService(ServiceManager.java:124)
at android.telephony.SubscriptionManager.getDefaultDataSubscriptionId(SubscriptionManager.java:1381)
从 android.os.BinderProxy.transact 方法起手，经 JNI 进入 android::BpBinder::transact，再到 android::IPCThreadState::waitForResponse，表示这是一次阻塞等待对端回复的 Binder 调用；再往下到 android::IPCThreadState::talkWithDriver，调用到 talkWithDriver 就说明线程正在通过 ioctl 与 Binder 驱动交互。
"Binder:1270_2" prio=5 tid=9 Blocked
| group="main" sCount=1 dsCount=0 flags=1 obj=0x12c403c0 self=0x74cc13a000
| sysTid=1301 nice=0 cgrp=default sched=0/0 handle=0x74aeac84f0
| state=S schedstat=( 967786174 2041516626 7827 ) utm=54 stm=42 core=0 HZ=100
| stack=0x74ae9cd000-0x74ae9cf000 stackSize=1009KB
| held mutexes=
at com.android.server.am.ActivityManagerService.isUserAMonkey(ActivityManagerService.java:14253)
- waiting to lock <0x09e15d64> (a com.android.server.am.ActivityManagerService) held by thread 120
at android.app.IActivityManager$Stub.onTransact(IActivityManager.java:1200)
at com.android.server.am.ActivityManagerService.onTransact(ActivityManagerService.java:3498)
at android.os.Binder.execTransact(Binder.java:731)
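从 android.os.Binder.execTransact 起手，对照上面的调用栈（自下而上），先到 Stub 子类（此处为 ActivityManagerService）的 onTransact 方法，再到 AIDL 生成文件（IActivityManager$Stub）的 onTransact 方法，最后到具体的 AIDL 实现（isUserAMonkey）。本例中该 Binder 线程处于 Blocked 状态，正在等待线程 120 持有的 ActivityManagerService 锁。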
native: #00 pc 000000000006e1c4 /system/lib64/libc.so (__ioctl+4)
native: #01 pc 00000000000290d0 /system/lib64/libc.so (ioctl+136)
native: #02 pc 000000000005a5e4 /system/lib64/libbinder.so (android::IPCThreadState::talkWithDriver(bool)+256)
native: #03 pc 000000000005b374 /system/lib64/libbinder.so (android::IPCThreadState::waitForResponse(android::Parcel*, int*)+60)
native: #04 pc 000000000005b1c0 /system/lib64/libbinder.so (android::IPCThreadState::transact(int, unsigned int, android::Parcel const&, android::Parcel*, unsigned int)+176)
native: #05 pc 0000000000051318 /system/lib64/libbinder.so (android::BpBinder::transact(unsigned int, android::Parcel const&, android::Parcel*, unsigned int)+72)
native: #06 pc 0000000000074324 /system/lib64/libgui.so (android::BpGraphicBufferProducer::dequeueBuffer(int*, android::sp*, unsigned int, unsigned int, int, unsigned long, unsigned long*, android::FrameEventHistoryDelta*)+208)
native: #07 pc 000000000008492c /system/lib64/libgui.so (android::Surface::dequeueBuffer(ANativeWindowBuffer**, int*)+388)
与 Java 层大体类似，只是不需要经过 JNI 才到达 android::BpBinder::transact：Native 层可以直接调用 android::BpBinder::transact，随后在 waitForResponse 中阻塞线程。
"Binder:4348_1" prio=5 tid=4 Native
| group="main" sCount=1 dsCount=0 flags=1 obj=0x13b002a8 self=0x74c5015800
| sysTid=4363 nice=0 cgrp=default sched=0/0 handle=0x74b1a3c4f0
| state=S schedstat=( 20542242 92802343 324 ) utm=0 stm=2 core=2 HZ=100
| stack=0x74b1941000-0x74b1943000 stackSize=1009KB
| held mutexes=
kernel: (couldn't read /proc/self/task/4363/stack)
native: #00 pc 000000000006e1c4 /system/lib64/libc.so (__ioctl+4)
native: #01 pc 00000000000290d0 /system/lib64/libc.so (ioctl+136)
native: #02 pc 000000000005a5e4 /system/lib64/libbinder.so (android::IPCThreadState::talkWithDriver(bool)+256)
native: #03 pc 000000000005a7b8 /system/lib64/libbinder.so (android::IPCThreadState::getAndExecuteCommand()+24)
native: #04 pc 000000000005af04 /system/lib64/libbinder.so (android::IPCThreadState::joinThreadPool(bool)+60)
native: #05 pc 000000000007b56c /system/lib64/libbinder.so (android::PoolThread::threadLoop()+24)
native: #06 pc 000000000000f9d8 /system/lib64/libutils.so (android::Thread::_threadLoop(void*)+280)
native: #07 pc 00000000000b50e0 /system/lib64/libandroid_runtime.so (android::AndroidRuntime::javaThreadShell(void*)+140)
native: #08 pc 00000000000819b4 /system/lib64/libc.so (__pthread_start(void*)+36)
native: #09 pc 0000000000023478 /system/lib64/libc.so (__start_thread+68)
(no managed stack frames)
线程空闲、正在等待 Binder 请求的标志是：调用栈停在 getAndExecuteCommand（其下直接是 talkWithDriver），而栈中没有 executeCommand 帧。
"Binder:784_5" sysTid=1251
#00 pc 000000000001f02c /system/lib64/libc.so (syscall+28)
#01 pc 000000000002217c /system/lib64/libc.so (__futex_wait_ex(void volatile*, bool, int, bool, timespec const*)+140)
#02 pc 0000000000080ef8 /system/lib64/libc.so (pthread_cond_wait+60)
#03 pc 000000000005dde8 /system/lib64/libgui.so (android::BufferQueueProducer::waitForFreeSlotThenRelock(android::BufferQueueProducer::FreeSlotCaller, int*) const+808)
#04 pc 000000000005dfc8 /system/lib64/libgui.so (android::BufferQueueProducer::dequeueBuffer(int*, android::sp*, unsigned int, unsigned int, int, unsigned long, unsigned long*, android::FrameEventHistoryDelta*)+380)
#05 pc 0000000000072f08 /system/lib64/libgui.so (android::BnGraphicBufferProducer::onTransact(unsigned int, android::Parcel const&, android::Parcel*, unsigned int)+1208)
#06 pc 000000000004fa60 /system/lib64/libbinder.so (android::BBinder::transact(unsigned int, android::Parcel const&, android::Parcel*, unsigned int)+136)
#07 pc 000000000005ab00 /system/lib64/libbinder.so (android::IPCThreadState::executeCommand(int)+520)
#08 pc 000000000005a83c /system/lib64/libbinder.so (android::IPCThreadState::getAndExecuteCommand()+156)
#09 pc 000000000005af04 /system/lib64/libbinder.so (android::IPCThreadState::joinThreadPool(bool)+60)
#10 pc 000000000007b56c /system/lib64/libbinder.so (android::PoolThread::threadLoop()+24)
#11 pc 000000000000f9d8 /system/lib64/libutils.so (android::Thread::_threadLoop(void*)+280)
#12 pc 00000000000819b4 /system/lib64/libc.so (__pthread_start(void*)+36)
#13 pc 0000000000023478 /system/lib64/libc.so (__start_thread+68)
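Native 层接收到 Binder 请求后，会通过 getAndExecuteCommand 方法获取并解析数据，然后调用 executeCommand 方法，再经 android::BBinder::transact 和 onTransact 根据方法序号分发到对应的实现方法。上面的例子中，服务端实现 BufferQueueProducer::dequeueBuffer 自身正在 waitForFreeSlotThenRelock 里通过 pthread_cond_wait 等待。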