前面一节我们分析了Binder通信相关的两个重要类:ProcessState 和 IPCThreadState。ProcessState负责打开Binder
驱动,每个进程只有一个。而 IPCThreadState负责提供与Binder通信相关的接口,每个线程有一个。下面我们通过具体
示例MediaPlayerService来分析我们应用程序中怎么通过Binder通信的。
frameworks/base/media/mediaserver/main_mediaserver.cpp
int main(int argc, char*argv[])
{
sp<ProcessState> proc(ProcessState)::self(); // 获得ProcessState在构造函数中打开binder驱动
sp<IServiceManager> sm = defaultServiceManager();
MediaPlayService::instantiate();
ProcessState::self()->startThreadPool();
IPCThreadState::self()->joinThreadPool();
}
1)获得ServiceManager的代理BpServiceManager
sp<IServiceManager> sm = defaultServiceManager();
sp<IServiceManager> defaultServiceManager()
{
if(gDefaultServiceManager != NULL) return gDefaultServiceManager;
{
AutoMutex -l(gDefaultServiceManagerLock);
if(gDefaultServiceManager == NULL)
gDefaultServiceManager = interface_cast<IServiceManager>(
ProcessState::self()->getContextObject(NULL));
}
return gDefaultServiceManager;
}
这里又是一个单例模式,每个进程只需要一个BpServiceManager代理,通过interface_cast获得。
首先看看ProcessState::self()->getContextObject(NULL)
sp<IBinder> ProcessState::getContextObject(const sp<IBinder>& caller)
{
return getStrongProxyForHandle(0);
}
sp<IBinder> ProcessState::getStrongProxyForHandle(int32_t handle)
{
sp<IBinder> result;
AutoMutex _l(mLock);
handle_entry *e = lookupHandleLocked(handle);
if( e != NULL) {
IBinder* b = e->binder;
if(b == NULL || !e->refs->attemptIncWeak(this)) {
b = new BpBinder(handle);
e->binder = b;
if(b) e->refs = b->getWeakRefs();
result = b;
}else{
result.force_set(b);
e->refs->decWeak(this);
}
}
return result;
}
struct handle_entry{
IBinder* binder;
RefBase::weakref_type* refs;
}
ProcessState::handle_entry* ProcessState::lookupHandleLocked()从数组mHandleToObject里面根据handle索引,查找
一个handle_entry结构体。然后根据传入的句柄handle这里为0,表示ServiceManager,new一个BpBinder
所以现在相当于:
gDefaultServiceManager = interface_cast(new BpBinder(0));
现在我们看看interface_cast是什么?
frameworks/base/include/binder/IInterface.h
template<typename INTERFACE>
inline sp<INTERFACE> interface_cast(const sp<IBinder>& obj)
{
return INTERFACE::asInterface(obj);
}
等价于:
inline sp<IServiceManager> interface_cast(const sp<IBinder>& obj)
{
return IServiceManager::asInterface(obj);
}
继续我们跟到IServiceManager里面去:
frameworks/base/include/binder/IServiceManager.h
class IServiceManager:public IInterface
{
public:
DECLARE_META_INTERFACE(ServiceManager);// MLGB的又是宏!!!
virtual status_t addService(const String16& name, const sp<IBinder>& service) = 0;
virtual sp<IBinder> getService(const String16& name) const = 0;
}
#define DECLARE_META_INTERFACE(INTERFACE)
static const android::String16 descriptor;
static android::sp<I##INTERFACE> asInterface(
const android::sp<android::IBinder>& obj);
virtual const android::String16& getInterfaceDescriptor() const;
I##INTERFACE();
virtual !I##INTERFACE();
替换之后就是:
static const android::String16 descriptor;
static android::sp<IServiceManager> asInterface(
const android::sp<android::IBinder>& obj);
virtual const android::String16& getInterfaceDescriptor() const;
IServiceManager();
virtual !IServiceManager();
都是一些函数声明,既然有声明的地方,肯定有实现的地方了。
#define IMPLEMENT_META_INTERFACE(INTERFACE, NAME)
const android::String16 I##INTERFACE::descriptor(NAME);
const android::String16&
I##INTERFACE::getInterfaceDescriptor() const {
return I##INTERFACE::descriptor;
}
android::sp<I##INTERFACE> I##INTERFACE::asInterface(
const android::sp<android::IBinder>& obj)
{
android::sp<I##INTERFACE> intr;
if (obj != NULL) {
intr = static_cast<I##INTERFACE*>(
obj->queryLocalInterface(
I##INTERFACE::descriptor).get());
if (intr == NULL) {
intr = new Bp##INTERFACE(obj);
}
}
return intr;
}
I##INTERFACE::I##INTERFACE() { }
I##INTERFACE::~I##INTERFACE() { }
继续替换:
{
const android::String16 IServiceManager::descriptor(NAME);
const android::String16&
IServiceManager::getInterfaceDescriptor() const {
return IServiceManager::descriptor;
}
android::sp<IServiceManager> IServiceManager::asInterface(
const android::sp<android::IBinder>& obj) // 参数为new BpBinder(0)
{
android::sp<IServiceManager> intr;
if (obj != NULL) {
intr = static_cast<IServiceManager*>(
obj->queryLocalInterface(
IServiceManager::descriptor).get());
if (intr == NULL) {
intr = new BpServiceManager(obj); // 原来在这里new 了一个BpServiceManager对象
}
}
return intr;
}
IServiceManager::IServiceManager() { }
IServiceManager::~IServiceManager() { }
}
总结:根据句柄handle 0 创建一个new BpBinder(0),根据这个BpBinder创建了一个BpServiceManager代理。
下面来看看BpServiceManager代理:
class BpServiceManager : public BpInterface<IServiceManager>
{
public:
BpServiceManager(const sp<IBinder>& impl) : BpInterface<IServiceManager>(iml)
{}
}
这里BpInterface是一个模板类,表示这里BpServiceManager同时继承与BpInterface和IServiceManager类
template<typename INTERFACE>
class BpInterface : public INTERFACE, public BpRefBase
{
public: BpInterface(const sp<IBinder>& remote);
...
}
调用了基类BpInterface构造函数:
BpInterface<IServiceManager>::BpInterace(const sp<IBinder>& remote) : BpRefBase(remote)
{}
//这里的remote就是刚刚的new BpBinder(0)
BpRefBase::BpRefBase(const sp<IBinder>& o) : mRemote(o.get()),mRefs(NULL), mState(0)
{
}
2)添加服务 MediaPlayerService::instantiate();
frameworks/base/media/libmediaplayerservice/ibMediaPlayerService.cpp
void MediaPlayerService::instantiate()
{
defaultServiceManager()->addService(String16("media.player"), new MediaPlayerService);
}
defaultServiceManager()返回的是刚创建的BpServiceManager,调用add函数。
BpMediaPlayService作为服务代理端,那么BnMediaPlayerService一定是实现端,MediaPlayerService继承于
BnMediaPlayerService,实现了真正的业务函数。
来看看BpServiceManager的addService()函数:
virtual status_t addService(const String16& name, const sp<IBinder>& service)
{
Parcel data, reply;
data.writeInterfaceToken(IServiceManager.getInterfaceDescriptor()); // android.os.IServiceManager
data.writeString16(name); // media.player
data.writeStrongBinder(service); // 也就是MediaPlayerService
status_t err = remote()->transact(ADD_SERVICE_TRANSACTION, data, &reply);
return err == NO_ERROR ? reply.readInt32() : err;
}
这里remote()就是前面创建的BpBinder(0)对象。
status_t BpBinder::transact(uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags)
{
IPCThreadState::self()->transact(mHandle, code, data, reply, flags);
}
status_t IPCThreadState::transact(int32_t handle, uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags)
{
// 发送ADD_SERVICE_TRANSACTION请求
writeTransactionData(BC_TRANSACTION, flags, handle, code, data, NULL);
if(reply) // 等待响应
waitForResponse(NULL, reply);
}
status_t IPCThreadState::writeTransactionData(int32_t cmd, uint32_t binderFlags, int32_t handle,
uint32_t code, const Parcel& data, status_t *statusBuffer)
{
// cmd BC_TRANSACTION 应用程序向BINDER发送的命令
binder_transaction_data tr;
tr.target.handle = handle; // 0
tr.code = code; // ADD_SERVICE_TRANSACTION
tr.flags = binderFlags;
// 把命令和数据一起发送到 Parcel mOut中
mOut.writeInt32(cmd);
mOut.write(&tr, sizeof(tr));
}
status_t IPCThreadState::waitForResponse(Parcel* reply, status_t *acquireResult)
{
int32_t cmd;
while(1)
talkWithDriver();
cmd = mIn.readInt32();
switch(cmd) {
case BR_TRANSACTION_COMPLETE:
...
break;
}
{
return err;
}
status_t IPCThreadState::talkWithDriver(bool doReceive)
{
binder_write_read bwr;
bwr.write_size = outAvail;
bwr.write_buf = (long unsigned int)mOut.data(); // 写入mOut的数据
bwr.read_size = mIn.dataCapacity;
bwr.read_buffer = (long unsigned int)mIn.data();
ioctl(mProcess->mDriverFD, BINDER_WRITE_READm &bwr); // 把mOut写到Binder,并读取mIn数据
}
3)IPCThreadState::joinThreadPool(), ProcessState::self()->startThreadPool()
进入线程循环talkWithDriver 等待客户端Client请求,从Binder读取命令请求进行处理。
到现在为止MediaPlayerService的服务端已经向服务总管ServiceManager注册了,下面我们看看客户端是如何获得服务的代理并和服务端通信的。
我们以MediaPlayer的业务函数decode解析播放一个URL为例
sp<IMemory> MediaPlayer::decode(const char*url, uint32_t *pSampleRate, ...)
{
sp<IMemory> p;
const sp<IMediaPlayerService>& service = getMediaPlayerService(); // 获得BpMediaPlayerSerivce代理
if(service != 0)
p = service->decode(url, ....);
return p;
}
这里我们主要分析getMediaPlayerService,客户端是如何向ServiceManager总管查询服务并获得代理的。
sp<IMediaPlayerService>& IMediaDeathNotifier::getMediaPlayerService()
{
sp<IServiceManager> sm = defaultServiceManager(); // 生成一个BpServiceManager代理对象
sp<IBinder> binder;
do {
binder = sm->getService(String16("media.player"));
if(binder != 0)
break;
usleep(500000)
} while(true);
sMediaPlayerService = interface_cast<IMediaPlayerService>(binder);
return sMediaPlayerService;
}
1)首先获得BpServiceManager的代理,然后调用getService()函数向服务总管ServiceManager查询服务。
frameworks/base/libs/binder/IServiceManager.cpp
class BpServiceManager : public BpInterface<IServiceManager>
{
public:
virtual sp<IBinder> getService(const String16& name) const
{
for(n = 0; n < 5; n++) {
sp<IBinder> svc = checkService(name); // 调用checkService函数
if(svc != NULL) return svc;
sleep(1);
}
return NULL;
}
virtual sp<IBinder> checkService(const String16& name) const
{
Parcel data, reply;
data.writeInterfaceToken(IServiceManager::getInterfaceDescriptor());
// 首先调用data.writeInt32(IPCThreadState::self()->getStrictModePolicy())
// 然后再写入android.os.IServiceManager
data.writeString16(name); // 写入 media.player
remote()->transact(CHECK_SERVICE_TRANSACTION, data, &reply);
return reply.readStrongBinder();
}
}
这里首先将请求打包成Parcel各式,然后调用remote()->transact()函数,前面我们分析过BpServiceManager::remote()返回
的就是前面new BpBinder(0)对应句柄为ServiceManager。继续去BpBinder中寻找实现代码:
frameworks/base/libs/binder/BpBinder.cpp
status_t BpBinder::transact(uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags)
{
IPCThreadState::self()->transact(mHandle, code, data, reply, flags);
}
最后调用的IPCThreadState的transact()函数,IPCThreadState是专门提供通过Binder进程间通信的接口的。
status_t IPCTheadState::transact(int32_t handle, uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags)
{
// 填充binder_transaction_data 结构体,写入到mOut中去
writeTransactionData(BC_TRANSACTION, flags, handle, code, data, NULL);
// 调用talkWithDriver() 将mOut写到Binder驱动,并从Binder驱动读取mIn数据
waitForResponse(reply);
}
首先通过writeTransactionData函数来填充mOut结构体,mOut里面内容为:
mOut.writeInt32(BC_TRANSACTION);
mOut.write(&tr, sizeof(tr));
这里binder_transaction_data tr内容为:
tr.target.handle = 0; // 表面是发往ServiceManager的
tr.code = CHECK_SERVICE_TRANSACTION;
tr.flags = 0;
tr.data内容为:
data.writeInt32(IPCThreadState::self()->getStrictModePolicy() | STRICT_MODE_PENALTY_GATHER);
data.writeString16("android.os.IServiceManager");
data.writeString16("media.player");
根据前面Android开发之ServiceManager一章中我们分析,svcmgr_handler处理从句柄为0的Binder的请求:
strict_policy = bio_get_string32();
s = bio_get_string16(); // 就是上面的android.os.IServiceManager
s = bio_get_string16(); // 就是上面的 media.player
根据media.player遍历全局链表svclist找到相应的服务,调用bio_put_ref(reply, ptr) 返回目标Binder实体。
这个waitForResponse()函数是关键:
status_t IPCThreadState::waitForResponse(Parcel* reply)
{
while(1) {
talkWithDriver(); // 输入mOut 输出mIn
cmd = mIn.readInt32();
switch(cmd) {
case BR_REPLY:
{
binder_transaction_data tr;
mIn.read(&tr, sizeof(tr));
if(reply) {
reply->ipcSetDataReference(reinterpret_cast<const uint8_t*>(tr.data.ptr.buffer),
tr.data.size, reinterpret_cast<const size_t*>(tr.data.ptr.offsets),
tr.offsets_size/sizeof(sizt_t), freeBuffer, this);
} else {
err = *static_cast<const status_t*>(tr.data.ptr.buffer);
freeBuffer(NULL, reinterpret_cast<const uint8_t*>(tr.data.ptr.buffer),
tr.data.size, reinterpret_cast<const size_t*>(tr.data.ptr.offsets),
tr.offsets_size/sizeof(sizt_t), freeBuffer, this)
}
}
}
}
}
最后返回的是:return reply.readStrongBinder();进入到Parcel的readStrongBinder()函数
sp<IBinder> Parcel::readStrongBinder() const
{
sp<IBinder> val;
unflatten_binder(ProcessState::self(), *this, &val);
return val;
}
status_t unflatten_binder(const sp<ProcessState>& proc, const Parcel& in, sp<IBinder>* out)
{
const flat_binder_object* flat = in.readObject(false);
if(flat) {
switch(flat->type) {
case BINDER_TYPE_BINDER:
*out = static_cast<IBinder*>(flat->cookie);
return finish_unflatten_binder(NULL, *flat, in);
case BINDER_TYPE_HANDLE:
*out = proc->getStrongProxyForHandle(flat->handle);
return finish_unflatten_binder(static_cast<BpBinder*>(out->get()), *flat, in);
}
}
}
这里flat->type是BINDER_TYPE_HANDLE,所以调用ProcessState::getStrongProxyForHandle()函数
sp<IBinder> ProcessState::getStrongProxyForHandle(int32_t handle)
{
sp<IBinder> result;
handle_entry* e = lookupHandleLocked(handle);
if(e != NULL) {
IBinder* b = e->binder;
if(b == NULL || !e->refs->attemptIncWeak(this)) {
b = new BpBinder(handle);
e->binder = b;
if( b ) e->refs = e->getWeakRefs();
result = b;
} else {
result.force_set(b);
e->refs->decWeak(this);
}
}
return result;
}
这里的handle就是ServiceManager内维护的MediaPlayerService对应的Binder句柄,这个ProcessState根据这个句柄
new 了一个BpBinder,并将其保存起来,这样下次需要从ServiceManager请求获取到相同句柄的时候就可以直接返回了。
最后根据这个返回的BpBinder获得MediaPlayerService的代理:
sMediaPlayerService = interface_cast(binder);
根据前面ServiceManager一样,最后调用的是IMediaPlayerService的asInterface()宏函数
android::sp<IMediaPlayerService> IMediaPlayerService::asInterface(const android::sp<android::IBinder>& obj)
{
android::sp<IMediaPlayerService> intr;
if(obj != NULL ) {
intr = static_cast<IMediaPlayerService>(
obj->queryLocalInterface(IMediaPlayerService::descriptor).get);
if (intr == NULL) {
intr = new BpMediaPlayerService(obj);
}
}
return intr;
}
这样我就获得了一个代理BpMediaPlayerService对象,它的remote()为BpBinder(handle),这个handle就是向服务总共ServiceManager
查询到的MediaPlayerService对应的Binder句柄。
下一章我们分析,客户端如何通过这个BpServiceManager代理对象调用服务端MediaPlayerService的业务函数的?