基于android10.0
应用调用接口
以启动服务为例,看下AMS获取全流程。 一般,我么可以通过在Activity通过调用startService启动某个服务
//ContextImpl.java
@Override
public ComponentName startService(Intent service) {
warnIfCallingFromSystemProcess();
return startServiceCommon(service, false, mUser);
}
private ComponentName startServiceCommon(Intent service, boolean requireForeground,
UserHandle user) {
try {
validateServiceIntent(service);
service.prepareToLeaveProcess(this);
ComponentName cn = ActivityManager.getService().startService(
mMainThread.getApplicationThread(), service,
service.resolveTypeIfNeeded(getContentResolver()), requireForeground,
getOpPackageName(), getAttributionTag(), user.getIdentifier());
...
return cn;
} catch (RemoteException e) {
throw e.rethrowFromSystemServer();
}
}
以上分为两步,首先获取AMS的本地代理服务,然后通过代理对象启动服务
获取AMS服务
//ActivityManager.getService()
public static IActivityManager getService() {
return IActivityManagerSingleton.get();
}
@UnsupportedAppUsage
private static final Singleton<IActivityManager> IActivityManagerSingleton =
new Singleton<IActivityManager>() {
@Override
protected IActivityManager create() {
final IBinder b = ServiceManager.getService(Context.ACTIVITY_SERVICE);
final IActivityManager am = IActivityManager.Stub.asInterface(b);
return am;
}
};
system_server进程的AMS服务是注册在servicemanager进程中的,因此需要通过ServiceManager获取
servicemanager服务获取
servicemanager服务本地代理BinderProxy获取的整体调用流程如下:
我们从关键函数开始说起
@UnsupportedAppUsage
private static IServiceManager getIServiceManager() {
if (sServiceManager != null) {
return sServiceManager;
}
// Find the service manager
sServiceManager = ServiceManagerNative
.asInterface(Binder.allowBlocking(BinderInternal.getContextObject()));
return sServiceManager;
}
分为两步步:
- BinderInternal.getContextObject())获取BinderProxy对象
- asInterface获取封装了BinderProxy的ServiceManagerProxy对象
BinderInternal.getContextObject()
主要流程如下:
- 通过JNI调用调用到native层
- 完成进程ProcessState的初始化,主要是打开binder驱动设备和mmap映射共享内存
- 通过servicemanager进程对应的handle 0, 创建本地代表远程serviceanager对象的BpBinder对象
- 将BpBinder对象,转换成java层的BinderProxy对象,返回给java层
JNI映射
static jobject android_os_BinderInternal_getContextObject(JNIEnv* env, jobject clazz)
{
sp<IBinder> b = ProcessState::self()->getContextObject(NULL);
return javaObjectForIBinder(env, b);
}
初始化ProcessState
sp<ProcessState> ProcessState::self()
{
return init(kDefaultDriver, false /*requireDefault*/);
}
sp<ProcessState> ProcessState::init(const char *driver, bool requireDefault)
{
[[clang::no_destroy]] static sp<ProcessState> gProcess;
[[clang::no_destroy]] static std::mutex gProcessMutex;
if (driver == nullptr) {
std::lock_guard<std::mutex> l(gProcessMutex);
return gProcess;
}
[[clang::no_destroy]] static std::once_flag gProcessOnce;
std::call_once(gProcessOnce, [&](){
if (access(driver, R_OK) == -1) {
driver = "/dev/binder";
}
std::lock_guard<std::mutex> l(gProcessMutex);
//构造初始化
gProcess = new ProcessState(driver);
});
...
return gProcess;
}
ProcessState::ProcessState(const char *driver)
: mDriverFD(open_driver(driver))//打开binder驱动
, mVMStart(MAP_FAILED)
...
, mCallRestriction(CallRestriction::NONE)
{
if (mDriverFD >= 0) {
// mmap the binder, providing a chunk of virtual address space to receive transactions.
//将binder驱动文件映射到也缓存,然后转换成用户空间地址
mVMStart = mmap(nullptr, BINDER_VM_SIZE, PROT_READ, MAP_PRIVATE | MAP_NORESERVE, mDriverFD, 0);
if (mVMStart == MAP_FAILED) {
close(mDriverFD);
mDriverFD = -1;
mDriverName.clear();
}
}
}
BpBinder创建
//processstate.cpp
sp<IBinder> ProcessState::getStrongProxyForHandle(int32_t handle)
{
sp<IBinder> result;
AutoMutex _l(mLock);
//本地缓存,没有的时候新建一个空对象
handle_entry* e = lookupHandleLocked(handle);
//创建了一个初始化对象,e不为null
if (e != nullptr) {
IBinder* b = e->binder;
//首次是空对象,b为null
if (b == nullptr || !e->refs->attemptIncWeak(this)) {
//servicemanager对应的handle为0
if (handle == 0) {
Parcel data;
//检测binder驱动设备是否可以ping通
status_t status = IPCThreadState::self()->transact(
0, IBinder::PING_TRANSACTION, data, nullptr, 0);
if (status == DEAD_OBJECT)
return nullptr;
}
//根据handle创建一个BpBinder对象
b = BpBinder::create(handle);
e->binder = b;
if (b) e->refs = b->getWeakRefs();
result = b;
} else {
// This little bit of nastyness is to allow us to add a primary
// reference to the remote proxy when this team doesn't have one
// but another team is sending the handle to us.
result.force_set(b);
e->refs->decWeak(this);
}
}
return result;
}
BpBinder对象只是一个普通的c++ IBinder对象,创建过程处理验证是否能ping通binder驱动设备,并没有其他操作binder驱动的行为。
实际上,应用层通过java层调用native层BpBinder的transact方法的时候,才开始真正与binder进行通信,
lookupHandleLocked
ProcessState::handle_entry* ProcessState::lookupHandleLocked(int32_t handle)
{
const size_t N=mHandleToObject.size();
if (N <= (size_t)handle) {
handle_entry e;
e.binder = nullptr;
e.refs = nullptr;
status_t err = mHandleToObject.insertAt(e, N, handle+1-N);
if (err < NO_ERROR) return nullptr;
}
return &mHandleToObject.editItemAt(handle);
}
生成BinderProxy
将BpBinder对象,转换成java层的BinderProxy对象BinderProxyNativeData的mObejct对象,然后通过CallStaticObjectMethod转化成jobject
//android_util_Binder.cpp
static jobject android_os_BinderInternal_getContextObject(JNIEnv* env, jobject clazz)
{
sp<IBinder> b = ProcessState::self()->getContextObject(NULL);
//c++对象转化成java对象
return javaObjectForIBinder(env, b);
}
// If the argument is a JavaBBinder, return the Java object that was used to create it.
// Otherwise return a BinderProxy for the IBinder. If a previous call was passed the
// same IBinder, and the original BinderProxy is still alive, return the same BinderProxy.
jobject javaObjectForIBinder(JNIEnv* env, const sp<IBinder>& val)
{
// N.B. This function is called from a @FastNative JNI method, so don't take locks around
// calls to Java code or block the calling thread for a long time for any reason.
if (val == NULL) return NULL;
if (val->checkSubclass(&gBinderOffsets)) {
// It's a JavaBBinder created by ibinderForJavaObject. Already has Java object.
jobject object = static_cast<JavaBBinder*>(val.get())->object();
LOGDEATH("objectForBinder %p: it's our own %p!\n", val.get(), object);
return object;
}
BinderProxyNativeData* nativeData = new BinderProxyNativeData();
nativeData->mOrgue = new DeathRecipientList;
nativeData->mObject = val;//BpBinder赋值给BinderProxyNativeData的mObject对象
jobject object = env->CallStaticObjectMethod(gBinderProxyOffsets.mClass,
gBinderProxyOffsets.mGetInstance, (jlong) nativeData, (jlong) val.get());
if (env->ExceptionCheck()) {
// In the exception case, getInstance still took ownership of nativeData.
return NULL;
}
BinderProxyNativeData* actualNativeData = getBPNativeData(env, object);
if (actualNativeData == nativeData) {
// Created a new Proxy
uint32_t numProxies = gNumProxies.fetch_add(1, std::memory_order_relaxed);
uint32_t numLastWarned = gProxiesWarned.load(std::memory_order_relaxed);
if (numProxies >= numLastWarned + PROXY_WARN_INTERVAL) {
// Multiple threads can get here, make sure only one of them gets to
// update the warn counter.
if (gProxiesWarned.compare_exchange_strong(numLastWarned,
numLastWarned + PROXY_WARN_INTERVAL, std::memory_order_relaxed)) {
ALOGW("Unexpectedly many live BinderProxies: %d\n", numProxies);
}
}
} else {
delete nativeData;
}
return object;
}
/**
* Java proxy for a native IBinder object.
* Allocated and constructed by the native javaObjectforIBinder function. Never allocated
* directly from Java code.
*
* @hide
*/
public final class BinderProxy implements IBinder
{...}
asInterface生成ServiceManagerProxy
asInterface获取封装了BinderProxy的ServiceManagerProxy对象
@UnsupportedAppUsage
private static IServiceManager getIServiceManager() {
if (sServiceManager != null) {
return sServiceManager;
}
// Find the service manager
sServiceManager = ServiceManagerNative
.asInterface(Binder.allowBlocking(BinderInternal.getContextObject()));
return sServiceManager;
}
@UnsupportedAppUsage
public static IServiceManager asInterface(IBinder obj) {
if (obj == null) {
return null;
}
// ServiceManager is never local
return new ServiceManagerProxy(obj);
}
public ServiceManagerProxy(IBinder remote) {
mRemote = remote;
mServiceManager = IServiceManager.Stub.asInterface(remote);
}
IServiceManager是通过aidl自动生成,他的stub应当是这样的
public static IServiceManager asInterface(android.os.IBinder obj)
{
if ((obj==null)) {
return null;
}
android.os.IInterface iin = obj.queryLocalInterface(DESCRIPTOR);
if (((iin!=null)&&(iin instanceof cIServiceManager))) {
return ((IServiceManager)iin);
}
return new IServiceManager.Stub.Proxy(obj);
}
总结
通过以上过程,应用层获取了以下对象: java 层: IServiceManager-->ServiceManagerNative-->ServiceManagerProxy-->ServiceManager.Stub.Proxy-->BinderProxy
native层: android_util_Binder.cpp-->ProcessState-->BpBinder
获取ServiceManager本地代理队形的整体流程如下:
- 应用层通过getIServiceManager获取ServiceManager本地代理
- getIServiceManager首先通过getContextObject JNI调用调用到native层
- 完成进程ProcessState的初始化,主要是打开binder驱动设备和mmap映射共享内存
- 通过servicemanager进程对应的handle 0, 创建本地代表远程serviceanager对象的BpBinder对象
- 将BpBinder对象,转换成java层的BinderProxy对象,返回给java层
- java层焦勇asinterface封装BinderProxy,得到ServiceManagerNative。ServiceManagerProxy对象
