
Android Binder: ServiceManager (based on Android 12.0/S)

Published: 2024/3/13 · Android · 豆豆

Binder principles:

User space is not shared between Linux processes, while kernel space is shared. IPC is therefore two user spaces (app processes) exchanging data through the shared kernel space (the Binder driver).

Binder overall architecture:

Binder communication framework:

ServiceManager:

How the ServiceManager executable is built:

On Android, ServiceManager is an executable located at /system/bin/servicemanager.

servicemanager is started from init.rc.

In Android 10.0.0_r47 and earlier, servicemanager was built from the following directory structure:

In Android 10.0.0_r47 and earlier, the bp file that controls the build:

After Android 11.0.0_r21, the original service_manager.c became ServiceManager.cpp, binder.c became main.cpp, Access.cpp and Access.h were added, and bctest became test_sm.

The bp file from Android 11.0.0_r21 onward is shown in the figure: ServiceManager.cpp and Access.cpp are first combined into servicemanager_defaults, and servicemanager_defaults is then used to build the runnable servicemanager.

A quick look at the current Android 12 source directory layout and the Android 13 layout:

Android T (13.0) adds two rc files, servicemanager.microdroid.rc and servicemanager.recovery.rc.

ServiceManager code analysis:

Main entry point:

Android S moved the main function that lived in service_manager.c in Android 10.0.0_r47 and earlier into main.cpp. Besides main, main.cpp also contains two callbacks, ClientCallbackCallback and BinderCallback.

```cpp
int main(int argc, char** argv) {
    if (argc > 2) {
        LOG(FATAL) << "usage: " << argv[0] << " [binder driver]";
    }

    const char* driver = argc == 2 ? argv[1] : "/dev/binder"; // the second argument is optional

    sp<ProcessState> ps = ProcessState::initWithDriver(driver); // open the binder driver
    ps->setThreadPoolMaxThreadCount(0);
    ps->setCallRestriction(ProcessState::CallRestriction::FATAL_IF_NOT_ONEWAY);

    // instantiate ServiceManager
    sp<ServiceManager> manager = sp<ServiceManager>::make(std::make_unique<Access>());
    // register itself with ServiceManager
    if (!manager->addService("manager", manager, false /*allowIsolated*/, IServiceManager::DUMP_FLAG_PRIORITY_DEFAULT).isOk()) {
        LOG(ERROR) << "Could not self register servicemanager";
    }

    // hand ServiceManager to IPCThreadState as its global context object
    IPCThreadState::self()->setTheContextObject(manager);
    ps->becomeContextManager(); // register as the context manager of binder services

    // prepare the Looper
    sp<Looper> looper = Looper::prepare(false /*allowNonCallbacks*/);

    // set the callbacks on the Looper
    BinderCallback::setupTo(looper);
    ClientCallbackCallback::setupTo(looper, manager);

    // enter the infinite loop and handle requests sent by clients
    while(true) {
        looper->pollAll(-1);
    }

    // should not be reached
    return EXIT_FAILURE;
}
```

The figure below shows the main function in service_manager.c in Android 10.0.0_r47 and earlier (the screenshot is cut off for space; the full source is at http://aospxref.com/android-10.0.0_r47/xref/frameworks/native/cmds/servicemanager/service_manager.c#382). For a walkthrough of that code see http://gityuan.com/2015/11/07/binder-start-sm/

The main function does four main things:

1) Initializes the binder driver

2) Registers itself with servicemanager under the name "manager"

3) Registers as the context manager of binder services

4) Sets callbacks on the Looper and enters an infinite loop that handles requests sent by clients

The focus here is on the last three blocks.

1) In the first block, before Android 10.0.0_r47 the binder driver was operated directly through binder_open, without libbinder. From Android 11.0.0_r21 on, binder is operated through initWithDriver, and a libbinder dependency was added to the servicemanager build.

2) The second block registers servicemanager with itself under the name "manager":

```cpp
Status ServiceManager::addService(const std::string& name, const sp<IBinder>& binder, bool allowIsolated, int32_t dumpPriority) {
    auto ctx = mAccess->getCallingContext(); // get the calling context

    // apps cannot add services (AID_APP = 10000)
    if (multiuser_get_app_id(ctx.uid) >= AID_APP) {
        return Status::fromExceptionCode(Status::EX_SECURITY);
    }

    if (!mAccess->canAdd(ctx, name)) {
        return Status::fromExceptionCode(Status::EX_SECURITY);
    }

    if (binder == nullptr) {
        return Status::fromExceptionCode(Status::EX_ILLEGAL_ARGUMENT);
    }

    if (!isValidServiceName(name)) {
        LOG(ERROR) << "Invalid service name: " << name;
        return Status::fromExceptionCode(Status::EX_ILLEGAL_ARGUMENT);
    }

#ifndef VENDORSERVICEMANAGER
    if (!meetsDeclarationRequirements(binder, name)) {
        // already logged
        return Status::fromExceptionCode(Status::EX_ILLEGAL_ARGUMENT);
    }
#endif  // !VENDORSERVICEMANAGER

    // implicitly unlinked when the binder is removed
    if (binder->remoteBinder() != nullptr &&
        binder->linkToDeath(sp<ServiceManager>::fromExisting(this)) != OK) {
        LOG(ERROR) << "Could not linkToDeath when adding " << name;
        return Status::fromExceptionCode(Status::EX_ILLEGAL_STATE);
    }
    // the code above is mostly error handling

    // Overwrite the old service if it exists
    // write the service's information into servicemanager's map
    mNameToService[name] = Service {
        .binder = binder,
        .allowIsolated = allowIsolated,
        .dumpPriority = dumpPriority,
        .debugPid = ctx.debugPid,
    };

    auto it = mNameToRegistrationCallback.find(name);
    if (it != mNameToRegistrationCallback.end()) {
        for (const sp<IServiceCallback>& cb : it->second) {
            mNameToService[name].guaranteeClient = true;
            // permission checked in registerForNotifications
            cb->onRegistration(name, binder);
        }
    }

    return Status::ok();
}
```

The addService above uses Binder's exception-type enum:

The map in which servicemanager keeps registered services:

Breaking down the Service struct and ServiceMap:

Here you can see that servicemanager keeps registered services in a map, whereas Android 10.0.0_r47 and earlier used a linked list. My guess is that, as phone memory grew and performance requirements rose, a linked list that saves space but is slow to search no longer met the need, so it was replaced by a map with faster lookup. The figure below is the registration method in Android 10.0.0_r47:

3) In the third block, servicemanager becomes the context manager of binder services. An ioctl sends the command #define BINDER_SET_CONTEXT_MGR_EXT _IOW('b', 13, struct flat_binder_object) to the binder driver; if that does not work, it falls back to the Android 10.0.0_r47 way and sends #define BINDER_SET_CONTEXT_MGR _IOW('b', 7, __s32). Contributions that break down the rest of this flow are welcome.

4) The fourth block sets callbacks on the Looper and enters an infinite loop that handles requests sent by clients.

The Looper is given BinderCallback and ClientCallbackCallback; both callbacks are subclasses of LooperCallback.

```cpp
class BinderCallback : public LooperCallback {
public:
    static sp<BinderCallback> setupTo(const sp<Looper>& looper) {
        // instantiate BinderCallback
        sp<BinderCallback> cb = sp<BinderCallback>::make();

        int binder_fd = -1;
        // get binder_fd through IPCThreadState (IPCThreadState itself is to be covered later)
        IPCThreadState::self()->setupPolling(&binder_fd);
        LOG_ALWAYS_FATAL_IF(binder_fd < 0, "Failed to setupPolling: %d", binder_fd);

        // add the fd to be watched
        int ret = looper->addFd(binder_fd,
                                Looper::POLL_CALLBACK,
                                Looper::EVENT_INPUT,
                                cb,
                                nullptr /*data*/);
        LOG_ALWAYS_FATAL_IF(ret != 1, "Failed to add binder FD to Looper");

        return cb;
    }

    int handleEvent(int /* fd */, int /* events */, void* /* data */) override {
        // handle the callback
        IPCThreadState::self()->handlePolledCommands();
        return 1;  // Continue receiving callbacks.
    }
};
```

The Looper watches the binder_fd opened in the ServiceManager process; when a message arrives it calls handlePolledCommands to process it.

The core is the getAndExecuteCommand method:

```cpp
status_t IPCThreadState::getAndExecuteCommand()
{
    status_t result;
    int32_t cmd;

    // fetch data from the binder driver into mIn
    result = talkWithDriver();
    if (result >= NO_ERROR) {
        size_t IN = mIn.dataAvail();
        if (IN < sizeof(int32_t)) return result;
        cmd = mIn.readInt32();
        IF_LOG_COMMANDS() {
            alog << "Processing top-level Command: "
                 << getReturnString(cmd) << endl;
        }

        pthread_mutex_lock(&mProcess->mThreadCountLock);
        mProcess->mExecutingThreadsCount++;
        if (mProcess->mExecutingThreadsCount >= mProcess->mMaxThreads &&
                mProcess->mStarvationStartTimeMs == 0) {
            mProcess->mStarvationStartTimeMs = uptimeMillis();
        }
        pthread_mutex_unlock(&mProcess->mThreadCountLock);

        // parse out the cmd and execute it
        result = executeCommand(cmd);

        pthread_mutex_lock(&mProcess->mThreadCountLock);
        mProcess->mExecutingThreadsCount--;
        if (mProcess->mExecutingThreadsCount < mProcess->mMaxThreads &&
                mProcess->mStarvationStartTimeMs != 0) {
            int64_t starvationTimeMs = uptimeMillis() - mProcess->mStarvationStartTimeMs;
            if (starvationTimeMs > 100) {
                ALOGE("binder thread pool (%zu threads) starved for %" PRId64 " ms",
                      mProcess->mMaxThreads, starvationTimeMs);
            }
            mProcess->mStarvationStartTimeMs = 0;
        }

        // Cond broadcast can be expensive, so don't send it every time a binder
        // call is processed. b/168806193
        if (mProcess->mWaitingForThreads > 0) {
            pthread_cond_broadcast(&mProcess->mThreadCountDecrement);
        }
        pthread_mutex_unlock(&mProcess->mThreadCountLock);
    }

    return result;
}

status_t IPCThreadState::executeCommand(int32_t cmd)
{
    BBinder* obj;
    RefBase::weakref_type* refs;
    status_t result = NO_ERROR;

    switch ((uint32_t)cmd) {
    case BR_ERROR:
        result = mIn.readInt32();
        break;

    case BR_OK:
        break;

    case BR_ACQUIRE:
        refs = (RefBase::weakref_type*)mIn.readPointer();
        obj = (BBinder*)mIn.readPointer();
        ALOG_ASSERT(refs->refBase() == obj,
                   "BR_ACQUIRE: object %p does not match cookie %p (expected %p)",
                   refs, obj, refs->refBase());
        obj->incStrong(mProcess.get());
        IF_LOG_REMOTEREFS() {
            LOG_REMOTEREFS("BR_ACQUIRE from driver on %p", obj);
            obj->printRefs();
        }
        mOut.writeInt32(BC_ACQUIRE_DONE);
        mOut.writePointer((uintptr_t)refs);
        mOut.writePointer((uintptr_t)obj);
        break;

    case BR_RELEASE:
        refs = (RefBase::weakref_type*)mIn.readPointer();
        obj = (BBinder*)mIn.readPointer();
        ALOG_ASSERT(refs->refBase() == obj,
                   "BR_RELEASE: object %p does not match cookie %p (expected %p)",
                   refs, obj, refs->refBase());
        IF_LOG_REMOTEREFS() {
            LOG_REMOTEREFS("BR_RELEASE from driver on %p", obj);
            obj->printRefs();
        }
        mPendingStrongDerefs.push(obj);
        break;

    case BR_INCREFS:
        refs = (RefBase::weakref_type*)mIn.readPointer();
        obj = (BBinder*)mIn.readPointer();
        refs->incWeak(mProcess.get());
        mOut.writeInt32(BC_INCREFS_DONE);
        mOut.writePointer((uintptr_t)refs);
        mOut.writePointer((uintptr_t)obj);
        break;

    case BR_DECREFS:
        refs = (RefBase::weakref_type*)mIn.readPointer();
        obj = (BBinder*)mIn.readPointer();
        // NOTE: This assertion is not valid, because the object may no
        // longer exist (thus the (BBinder*)cast above resulting in a different
        // memory address).
        //ALOG_ASSERT(refs->refBase() == obj,
        //           "BR_DECREFS: object %p does not match cookie %p (expected %p)",
        //           refs, obj, refs->refBase());
        mPendingWeakDerefs.push(refs);
        break;

    case BR_ATTEMPT_ACQUIRE:
        refs = (RefBase::weakref_type*)mIn.readPointer();
        obj = (BBinder*)mIn.readPointer();

        {
            const bool success = refs->attemptIncStrong(mProcess.get());
            ALOG_ASSERT(success && refs->refBase() == obj,
                       "BR_ATTEMPT_ACQUIRE: object %p does not match cookie %p (expected %p)",
                       refs, obj, refs->refBase());

            mOut.writeInt32(BC_ACQUIRE_RESULT);
            mOut.writeInt32((int32_t)success);
        }
        break;

    case BR_TRANSACTION_SEC_CTX:
    case BR_TRANSACTION:
        {
            // read the data in mIn into a binder_transaction_data
            binder_transaction_data_secctx tr_secctx;
            binder_transaction_data& tr = tr_secctx.transaction_data;

            if (cmd == (int) BR_TRANSACTION_SEC_CTX) {
                result = mIn.read(&tr_secctx, sizeof(tr_secctx));
            } else {
                result = mIn.read(&tr, sizeof(tr));
                tr_secctx.secctx = 0;
            }

            ALOG_ASSERT(result == NO_ERROR,
                "Not enough command data for brTRANSACTION");
            if (result != NO_ERROR) break;

            Parcel buffer;
            buffer.ipcSetDataReference(
                reinterpret_cast<const uint8_t*>(tr.data.ptr.buffer),
                tr.data_size,
                reinterpret_cast<const binder_size_t*>(tr.data.ptr.offsets),
                tr.offsets_size/sizeof(binder_size_t), freeBuffer);

            const void* origServingStackPointer = mServingStackPointer;
            mServingStackPointer = &origServingStackPointer; // anything on the stack

            const pid_t origPid = mCallingPid;
            const char* origSid = mCallingSid;
            const uid_t origUid = mCallingUid;
            const int32_t origStrictModePolicy = mStrictModePolicy;
            const int32_t origTransactionBinderFlags = mLastTransactionBinderFlags;
            const int32_t origWorkSource = mWorkSource;
            const bool origPropagateWorkSet = mPropagateWorkSource;
            // Calling work source will be set by Parcel#enforceInterface. Parcel#enforceInterface
            // is only guaranteed to be called for AIDL-generated stubs so we reset the work source
            // here to never propagate it.
            clearCallingWorkSource();
            clearPropagateWorkSource();

            mCallingPid = tr.sender_pid;
            mCallingSid = reinterpret_cast<const char*>(tr_secctx.secctx);
            mCallingUid = tr.sender_euid;
            mLastTransactionBinderFlags = tr.flags;

            // ALOGI(">>>> TRANSACT from pid %d sid %s uid %d\n", mCallingPid,
            //    (mCallingSid ? mCallingSid : "<N/A>"), mCallingUid);

            Parcel reply;
            status_t error;
            IF_LOG_TRANSACTIONS() {
                TextOutput::Bundle _b(alog);
                alog << "BR_TRANSACTION thr " << (void*)pthread_self()
                    << " / obj " << tr.target.ptr << " / code "
                    << TypeCode(tr.code) << ": " << indent << buffer
                    << dedent << endl
                    << "Data addr = "
                    << reinterpret_cast<const uint8_t*>(tr.data.ptr.buffer)
                    << ", offsets addr="
                    << reinterpret_cast<const size_t*>(tr.data.ptr.offsets) << endl;
            }
            if (tr.target.ptr) {
                // We only have a weak reference on the target object, so we must first try to
                // safely acquire a strong reference before doing anything else with it.
                if (reinterpret_cast<RefBase::weakref_type*>(
                        tr.target.ptr)->attemptIncStrong(this)) {
                    error = reinterpret_cast<BBinder*>(tr.cookie)->transact(tr.code, buffer,
                            &reply, tr.flags);
                    reinterpret_cast<BBinder*>(tr.cookie)->decStrong(this);
                } else {
                    error = UNKNOWN_TRANSACTION;
                }

            } else {
                // call BBinder's transact method
                error = the_context_object->transact(tr.code, buffer, &reply, tr.flags);
            }

            // enable this log for debugging
            //ALOGI("<<<< TRANSACT from pid %d restore pid %d sid %s uid %d\n",
            //     mCallingPid, origPid, (origSid ? origSid : "<N/A>"), origUid);

            if ((tr.flags & TF_ONE_WAY) == 0) {
                LOG_ONEWAY("Sending reply to %d!", mCallingPid);
                if (error < NO_ERROR) reply.setError(error);

                constexpr uint32_t kForwardReplyFlags = TF_CLEAR_BUF;
                // send the result back to binder
                sendReply(reply, (tr.flags & kForwardReplyFlags));
            } else {
                if (error != OK) {
                    alog << "oneway function results for code " << tr.code
                         << " on binder at "
                         << reinterpret_cast<void*>(tr.target.ptr)
                         << " will be dropped but finished with status "
                         << statusToString(error);

                    // ideally we could log this even when error == OK, but it
                    // causes too much logspam because some manually-written
                    // interfaces have clients that call methods which always
                    // write results, sometimes as oneway methods.
                    if (reply.dataSize() != 0) {
                         alog << " and reply parcel size " << reply.dataSize();
                    }

                    alog << endl;
                }
                LOG_ONEWAY("NOT sending reply to %d!", mCallingPid);
            }

            mServingStackPointer = origServingStackPointer;
            mCallingPid = origPid;
            mCallingSid = origSid;
            mCallingUid = origUid;
            mStrictModePolicy = origStrictModePolicy;
            mLastTransactionBinderFlags = origTransactionBinderFlags;
            mWorkSource = origWorkSource;
            mPropagateWorkSource = origPropagateWorkSet;

            IF_LOG_TRANSACTIONS() {
                TextOutput::Bundle _b(alog);
                alog << "BC_REPLY thr " << (void*)pthread_self() << " / obj "
                    << tr.target.ptr << ": " << indent << reply << dedent << endl;
            }

        }
        break;

    case BR_DEAD_BINDER:
        {
            BpBinder *proxy = (BpBinder*)mIn.readPointer();
            proxy->sendObituary();
            mOut.writeInt32(BC_DEAD_BINDER_DONE);
            mOut.writePointer((uintptr_t)proxy);
        } break;

    case BR_CLEAR_DEATH_NOTIFICATION_DONE:
        {
            BpBinder *proxy = (BpBinder*)mIn.readPointer();
            proxy->getWeakRefs()->decWeak(proxy);
        } break;

    case BR_FINISHED:
        result = TIMED_OUT;
        break;

    case BR_NOOP:
        break;

    case BR_SPAWN_LOOPER:
        mProcess->spawnPooledThread(false);
        break;

    default:
        ALOGE("*** BAD COMMAND %d received from Binder driver\n", cmd);
        result = UNKNOWN_ERROR;
        break;
    }

    if (result != NO_ERROR) {
        mLastError = result;
    }

    return result;
}
```

ClientCallbackCallback:

```cpp
// LooperCallback for IClientCallback
class ClientCallbackCallback : public LooperCallback {
public:
    static sp<ClientCallbackCallback> setupTo(const sp<Looper>& looper, const sp<ServiceManager>& manager) {
        sp<ClientCallbackCallback> cb = sp<ClientCallbackCallback>::make(manager);

        // create a timer file descriptor (timerfd)
        int fdTimer = timerfd_create(CLOCK_MONOTONIC, 0 /*flags*/);
        LOG_ALWAYS_FATAL_IF(fdTimer < 0, "Failed to timerfd_create: fd: %d err: %d", fdTimer, errno);

        itimerspec timespec {
            .it_interval = {
                .tv_sec = 5,
                .tv_nsec = 0,
            },
            .it_value = {
                .tv_sec = 5,
                .tv_nsec = 0,
            },
        };

        // arm the timer
        int timeRes = timerfd_settime(fdTimer, 0 /*flags*/, &timespec, nullptr);
        LOG_ALWAYS_FATAL_IF(timeRes < 0, "Failed to timerfd_settime: res: %d err: %d", timeRes, errno);

        // register the timer fd with the Looper
        int addRes = looper->addFd(fdTimer,
                                   Looper::POLL_CALLBACK,
                                   Looper::EVENT_INPUT,
                                   cb,
                                   nullptr);
        LOG_ALWAYS_FATAL_IF(addRes != 1, "Failed to add client callback FD to Looper");

        return cb;
    }

    int handleEvent(int fd, int /*events*/, void* /*data*/) override {
        uint64_t expirations;
        int ret = read(fd, &expirations, sizeof(expirations));
        if (ret != sizeof(expirations)) {
            ALOGE("Read failed to callback FD: ret: %d err: %d", ret, errno);
        }

        mManager->handleClientCallbacks();
        return 1;  // Continue receiving callbacks.
    }

private:
    friend sp<ClientCallbackCallback>;
    ClientCallbackCallback(const sp<ServiceManager>& manager) : mManager(manager) {}
    sp<ServiceManager> mManager;
};
```

When the looper receives a message, it calls servicemanager's handleClientCallbacks to process it.

That mainly calls handleServiceClientCallback:

```cpp
ssize_t ServiceManager::handleServiceClientCallback(const std::string& serviceName,
                                                    bool isCalledOnInterval) {
    auto serviceIt = mNameToService.find(serviceName);
    if (serviceIt == mNameToService.end() || mNameToClientCallback.count(serviceName) < 1) {
        return -1;
    }

    Service& service = serviceIt->second;
    ssize_t count = service.getNodeStrongRefCount();

    // binder driver doesn't support this feature
    if (count == -1) return count;

    bool hasClients = count > 1; // this process holds a strong count

    if (service.guaranteeClient) {
        // we have no record of this client
        if (!service.hasClients && !hasClients) {
            sendClientCallbackNotifications(serviceName, true);
        }

        // guarantee is temporary
        service.guaranteeClient = false;
    }

    // only send notifications if this was called via the interval checking workflow
    if (isCalledOnInterval) {
        if (hasClients && !service.hasClients) {
            // client was retrieved in some other way
            sendClientCallbackNotifications(serviceName, true);
        }

        // there are no more clients, but the callback has not been called yet
        if (!hasClients && service.hasClients) {
            sendClientCallbackNotifications(serviceName, false);
        }
    }

    return count;
}
```

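Finally, Looper.pollAll enters the infinite loop; when the Looper receives a message, the callback fires.

Main functions of servicemanager:

1) Registering a service

Service registration is implemented mainly by the addService method, which was already broken down under the second block of the main entry point and is not repeated here.

2) Looking up a service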

```cpp
sp<IBinder> ServiceManager::tryGetService(const std::string& name, bool startIfNotFound) {
    auto ctx = mAccess->getCallingContext();

    sp<IBinder> out;
    Service* service = nullptr;
    if (auto it = mNameToService.find(name); it != mNameToService.end()) {
        service = &(it->second);

        if (!service->allowIsolated) {
            uid_t appid = multiuser_get_app_id(ctx.uid);
            bool isIsolated = appid >= AID_ISOLATED_START && appid <= AID_ISOLATED_END;

            if (isIsolated) {
                return nullptr;
            }
        }
        // take the binder stored in the map entry
        out = service->binder;
    }

    if (!mAccess->canFind(ctx, name)) {
        return nullptr;
    }

    // if no matching service is found, try to start it the AIDL way
    if (!out && startIfNotFound) {
        tryStartService(name);
    }

    if (out) {
        // Setting this guarantee each time we hand out a binder ensures that the client-checking
        // loop knows about the event even if the client immediately drops the service
        service->guaranteeClient = true;
    }

    return out;
}
```

3) Obtaining servicemanager

Whether registering or looking up a service, a caller first needs the servicemanager instance, which is obtained through defaultServiceManager:

```cpp
[[clang::no_destroy]] static std::once_flag gSmOnce;

sp<IServiceManager> defaultServiceManager()
{
    std::call_once(gSmOnce, []() {
        // AidlServiceManager is IServiceManager
        sp<AidlServiceManager> sm = nullptr;
        while (sm == nullptr) {
            sm = interface_cast<AidlServiceManager>(ProcessState::self()->getContextObject(nullptr));
            if (sm == nullptr) {
                ALOGE("Waiting 1s on context object on %s.", ProcessState::self()->getDriverName().c_str());
                sleep(1);
            }
        }

        gDefaultServiceManager = sp<ServiceManagerShim>::make(sm);
    });

    return gDefaultServiceManager;
}
```

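Judging by the names, gSmOnce and call_once mean "call only once"; I will not dig deeper here. Before Android 10.0 a singleton pattern was used, and the function here should be similar.

As shown in the figure, AidlServiceManager is IServiceManager.

This differs from the usual singleton pattern by an extra while loop, a change submitted by Todd Poynor at Google in January 2013. When a process tries to create or obtain ServiceManager, ServiceManager may not be ready yet, so the code sleeps for 1 second and retries in a loop until it succeeds. Creating gDefaultServiceManager breaks down into the following 3 steps:

  • ProcessState::self(): obtains the ProcessState object (also a singleton). Each process has exactly one ProcessState object; it is returned if it exists and created if it does not.

  • getContextObject(): obtains the BpBinder object. The BpBinder object for handle=0 is returned if it exists and created only if it does not.

  • interface_cast<AidlServiceManager>(): obtains the BpServiceManager object.

The three steps one by one:

1) ProcessState::self(): obtain the ProcessState object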

```cpp
sp<ProcessState> ProcessState::init(const char *driver, bool requireDefault)
{
    [[clang::no_destroy]] static sp<ProcessState> gProcess;
    [[clang::no_destroy]] static std::mutex gProcessMutex;

    if (driver == nullptr) {
        std::lock_guard<std::mutex> l(gProcessMutex);
        return gProcess;
    }

    [[clang::no_destroy]] static std::once_flag gProcessOnce;
    std::call_once(gProcessOnce, [&](){
        if (access(driver, R_OK) == -1) {
            ALOGE("Binder driver %s is unavailable. Using /dev/binder instead.", driver);
            driver = "/dev/binder";
        }

        std::lock_guard<std::mutex> l(gProcessMutex);
        // construct and initialize ProcessState
        gProcess = sp<ProcessState>::make(driver);
    });

    if (requireDefault) {
        // Detect if we are trying to initialize with a different driver, and
        // consider that an error. ProcessState will only be initialized once above.
        LOG_ALWAYS_FATAL_IF(gProcess->getDriverName() != driver,
                            "ProcessState was already initialized with %s,"
                            " can't initialize with %s.",
                            gProcess->getDriverName().c_str(), driver);
    }

    return gProcess;
}
```

```cpp
ProcessState::ProcessState(const char *driver)
    : mDriverName(String8(driver))
    , mDriverFD(open_driver(driver)) // open the Binder driver
    , mVMStart(MAP_FAILED)
    , mThreadCountLock(PTHREAD_MUTEX_INITIALIZER)
    , mThreadCountDecrement(PTHREAD_COND_INITIALIZER)
    , mExecutingThreadsCount(0)
    , mWaitingForThreads(0)
    , mMaxThreads(DEFAULT_MAX_BINDER_THREADS)
    , mStarvationStartTimeMs(0)
    , mThreadPoolStarted(false)
    , mThreadPoolSeq(1)
    , mCallRestriction(CallRestriction::NONE)
{
    if (mDriverFD >= 0) {
        // mmap the binder, providing a chunk of virtual address space to receive transactions.
        // #define BINDER_VM_SIZE ((1 * 1024 * 1024) - sysconf(_SC_PAGE_SIZE) * 2)
        mVMStart = mmap(nullptr, BINDER_VM_SIZE, PROT_READ, MAP_PRIVATE | MAP_NORESERVE, mDriverFD, 0);
        if (mVMStart == MAP_FAILED) {
            // *sigh*
            ALOGE("Using %s failed: unable to mmap transaction memory.\n", mDriverName.c_str());
            close(mDriverFD);
            mDriverFD = -1;
            mDriverName.clear();
        }
    }

#ifdef __ANDROID__
    LOG_ALWAYS_FATAL_IF(mDriverFD < 0, "Binder driver '%s' could not be opened.  Terminating.", driver);
#endif
}
```

The code that opens the binder driver:

```cpp
static int open_driver(const char *driver)
{
    // open the /dev/binder device to establish a channel to the kernel Binder driver
    int fd = open(driver, O_RDWR | O_CLOEXEC);
    if (fd >= 0) {
        int vers = 0;
        status_t result = ioctl(fd, BINDER_VERSION, &vers);
        if (result == -1) {
            ALOGE("Binder ioctl to obtain version failed: %s", strerror(errno));
            close(fd);
            fd = -1;
        }
        if (result != 0 || vers != BINDER_CURRENT_PROTOCOL_VERSION) {
            ALOGE("Binder driver protocol(%d) does not match user space protocol(%d)! ioctl() return value: %d",
                  vers, BINDER_CURRENT_PROTOCOL_VERSION, result);
            close(fd);
            fd = -1;
        }
        size_t maxThreads = DEFAULT_MAX_BINDER_THREADS;
        // use ioctl to set the maximum number of threads the binder driver will support
        // #define DEFAULT_MAX_BINDER_THREADS 15 (the default is 15 threads)
        result = ioctl(fd, BINDER_SET_MAX_THREADS, &maxThreads);
        if (result == -1) {
            ALOGE("Binder ioctl to set max threads failed: %s", strerror(errno));
        }
        uint32_t enable = DEFAULT_ENABLE_ONEWAY_SPAM_DETECTION;
        result = ioctl(fd, BINDER_ENABLE_ONEWAY_SPAM_DETECTION, &enable);
        if (result == -1) {
            ALOGD("Binder ioctl to enable oneway spam detection failed: %s", strerror(errno));
        }
    } else {
        ALOGW("Opening '%s' failed: %s\n", driver, strerror(errno));
    }
    return fd;
}
```

2) getContextObject(): obtain the BpBinder object

Obtain the IBinder for handle=0:

```cpp
sp<IBinder> ProcessState::getStrongProxyForHandle(int32_t handle)
{
    sp<IBinder> result;

    AutoMutex _l(mLock);

    // look up the entry for this handle
    handle_entry* e = lookupHandleLocked(handle);

    if (e != nullptr) {
        // We need to create a new BpBinder if there isn't currently one, OR we
        // are unable to acquire a weak reference on this current one.  The
        // attemptIncWeak() is safe because we know the BpBinder destructor will always
        // call expungeHandle(), which acquires the same lock we are holding now.
        // We need to do this because there is a race condition between someone
        // releasing a reference on this BpBinder, and a new reference on its handle
        // arriving from the driver.
        IBinder* b = e->binder;
        if (b == nullptr || !e->refs->attemptIncWeak(this)) {
            if (handle == 0) {
                // Special case for context manager...
                // The context manager is the only object for which we create
                // a BpBinder proxy without already holding a reference.
                // Perform a dummy transaction to ensure the context manager
                // is registered before we create the first local reference
                // to it (which will occur when creating the BpBinder).
                // If a local reference is created for the BpBinder when the
                // context manager is not present, the driver will fail to
                // provide a reference to the context manager, but the
                // driver API does not return status.
                //
                // Note that this is not race-free if the context manager
                // dies while this code runs.
                //
                // TODO: add a driver API to wait for context manager, or
                // stop special casing handle 0 for context manager and add
                // a driver API to get a handle to the context manager with
                // proper reference counting.

                IPCThreadState* ipc = IPCThreadState::self();

                CallRestriction originalCallRestriction = ipc->getCallRestriction();
                ipc->setCallRestriction(CallRestriction::NONE);

                Parcel data;
                // ping to test whether binder is ready
                status_t status = ipc->transact(
                        0, IBinder::PING_TRANSACTION, data, nullptr, 0);

                ipc->setCallRestriction(originalCallRestriction);

                if (status == DEAD_OBJECT)
                   return nullptr;
            }

            // when the IBinder for this handle does not exist or its weak
            // reference is invalid, create a BpBinder object
            sp<BpBinder> b = BpBinder::create(handle);
            e->binder = b.get();
            if (b) e->refs = b->getWeakRefs();
            result = b;
        } else {
            // This little bit of nastyness is to allow us to add a primary
            // reference to the remote proxy when this team doesn't have one
            // but another team is sending the handle to us.
            result.force_set(b);
            e->refs->decWeak(this);
        }
    }

    return result;
}
```

If the IBinder for handle 0 exists and the ping test shows that it is ready, that IBinder is returned. When the IBinder for the handle value does not exist or its weak reference is invalid, a BpBinder object is created.

```cpp
ProcessState::handle_entry* ProcessState::lookupHandleLocked(int32_t handle)
{
    const size_t N=mHandleToObject.size();
    // this branch is taken when handle is greater than the length of mHandleToObject
    if (N <= (size_t)handle) {
        handle_entry e;
        e.binder = nullptr;
        e.refs = nullptr;
        // starting at position N of mHandleToObject, insert (handle+1-N) copies of e
        status_t err = mHandleToObject.insertAt(e, N, handle+1-N);
        if (err < NO_ERROR) return nullptr;
    }
    return &mHandleToObject.editItemAt(handle);
}
```

(Part of the text on template functions below comes from GitYuan and is not original.) lookupHandleLocked looks up the handle_entry for a handle value. handle_entry is a struct that records two pointers, an IBinder and a weakref_type. When handle is greater than the length of the mHandleToObject Vector, (handle+1-N) handle_entry structs are added to the Vector, and a pointer to the handle_entry at the position for handle is then returned.

When the IBinder for the handle value does not exist or its weak reference is invalid, a BpBinder is created and the object's lifetime is extended. Creating the BpBinder object increments the weak reference count of the Binder that corresponds to handle by 1:

3) interface_cast<AidlServiceManager>(): obtain the BpServiceManager object

AidlServiceManager is IServiceManager, so the thing to break down is interface_cast:

interface_cast<IServiceManager>() is equivalent to IServiceManager::asInterface(). asInterface is defined through template functions and consists mainly of the following two parts:

① DECLARE_META_INTERFACE(IServiceManager)

② IMPLEMENT_META_INTERFACE(IServiceManager,"android.os.IServiceManager")

For IServiceManager, just substitute INTERFACE=IServiceManager.

DECLARE_META_INTERFACE mainly declares the asInterface() and getInterfaceDescriptor() methods.

IMPLEMENT_META_INTERFACE:

For IServiceManager, INTERFACE=IServiceManager and NAME="android.os.IServiceManager". You can see that the IServiceManager::asInterface() from DECLARE_META_INTERFACE is equivalent to BpIServiceManager()::make(obj). More precisely, here it should be BpIServiceManager::make(BpBinder).

I have not yet found where BpIServiceManager/BpServiceManager is constructed; my ability is limited and I am not very familiar with template functions. For this part, you can first read the pre-Android 11.0 explanation on GitYuan's blog, http://gityuan.com/2015/11/08/binder-get-sm/. The Android 12 breakdown will be added later.

In summary, defaultServiceManager is very nearly BpIServiceManager::make(BpBinder), which yields the proxy of serviceManager, much as systemServer has to obtain PackageManager before it can call PackageManagerService methods. After that, the addService and getService methods of serviceManager can be called.

A startup flow diagram for versions before Android 11, found online; it can help understanding for now, and an updated diagram will follow:

Access control module:

Access mainly uses SELinux for access control.

1) Checks when registering a service:

Because manager is registered in service_contexts, the SELinux check passes here.

2) When looking up a service, permissions are checked through canFind.

Finally, as with addService, the check is performed by actionAllowedFromLookup.
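The caller checks that addService, tryGetService and the Access module apply, as a stand-alone model added here (it is not AOSP code). FakeAccess, ModelServiceManager, the context strings and the policy rules are constructed for illustration; the user-offset and isolated-UID constants are assumptions based on AOSP headers rather than values shown on this page.

```cpp
#include <cstdint>
#include <map>
#include <set>
#include <string>
#include <utility>

// AID_APP = 10000 is quoted in addService above; the other three values are
// assumptions taken from AOSP's android_filesystem_config.h.
constexpr uint32_t AID_APP = 10000;
constexpr uint32_t AID_USER_OFFSET = 100000;
constexpr uint32_t AID_ISOLATED_START = 90000;
constexpr uint32_t AID_ISOLATED_END = 99999;

// Strips the per-user offset: UID 1010123 (user 10) has app id 10123.
uint32_t multiuser_get_app_id(uint32_t uid) { return uid % AID_USER_OFFSET; }

enum class Result { OK, EX_SECURITY, EX_ILLEGAL_ARGUMENT };
struct CallingContext { uint32_t uid; std::string sid; };
struct Service { int binder; bool allowIsolated; };  // binder 0 models nullptr

// Hypothetical stand-in for Access: the real class asks SELinux, this one
// looks up a constructed allowlist of "<sid> <perm> <service>" strings.
struct FakeAccess {
    std::set<std::string> rules;
    bool allowed(const CallingContext& c, const char* perm, const std::string& n) const {
        return rules.count(c.sid + " " + perm + " " + n) > 0;
    }
    bool canAdd(const CallingContext& c, const std::string& n) const { return allowed(c, "add", n); }
    bool canFind(const CallingContext& c, const std::string& n) const { return allowed(c, "find", n); }
};

class ModelServiceManager {
public:
    explicit ModelServiceManager(FakeAccess access) : mAccess(std::move(access)) {}

    // Same order as addService above: UID gate, policy, then the null check.
    // The name-format, declaration and linkToDeath checks are left out.
    Result addService(const CallingContext& ctx, const std::string& name, int binder,
                      bool allowIsolated) {
        if (multiuser_get_app_id(ctx.uid) >= AID_APP) return Result::EX_SECURITY;
        if (!mAccess.canAdd(ctx, name)) return Result::EX_SECURITY;
        if (binder == 0) return Result::EX_ILLEGAL_ARGUMENT;
        mNameToService[name] = Service{binder, allowIsolated};  // overwrites an old entry
        return Result::OK;
    }

    // Same order as tryGetService above. Every refusal returns 0, so the caller
    // cannot tell "denied" from "not registered".
    int getService(const CallingContext& ctx, const std::string& name) const {
        int out = 0;
        auto it = mNameToService.find(name);
        if (it != mNameToService.end()) {
            uint32_t appid = multiuser_get_app_id(ctx.uid);
            bool isolated = appid >= AID_ISOLATED_START && appid <= AID_ISOLATED_END;
            if (!it->second.allowIsolated && isolated) return 0;
            out = it->second.binder;
        }
        if (!mAccess.canFind(ctx, name)) return 0;
        return out;
    }

private:
    FakeAccess mAccess;
    std::map<std::string, Service> mNameToService;
};

// Constructed contexts and policy; the app "add" rule is a deliberate policy mistake.
const std::string kSystem = "u:r:system_server:s0";
const std::string kApp = "u:r:untrusted_app:s0";
const std::string kIsolated = "u:r:isolated_app:s0";

ModelServiceManager demoManager() {
    FakeAccess access;
    access.rules = {kSystem + " add demo.service", kApp + " add demo.service",
                    kApp + " find demo.service", kIsolated + " find demo.service"};
    ModelServiceManager sm(access);
    sm.addService({1000, kSystem}, "demo.service", 42, false /*allowIsolated*/);
    return sm;
}

Result registerAs(uint32_t uid, const std::string& sid, int binder) {
    return demoManager().addService({uid, sid}, "demo.service", binder, false);
}
int lookupAs(uint32_t uid, const std::string& sid, const std::string& name) {
    return demoManager().getService({uid, sid}, name);
}

int main() { return lookupAs(10123, kApp, "demo.service") == 42 ? 0 : 1; }
```

The UID gate rejects an app caller even when the policy would wrongly allow the add, and an isolated caller gets nothing back even though its find rule exists, because the service was registered with allowIsolated set to false.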

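External interfaces:

Before Android 11 there were only four external interfaces:

In Android 12 this grew to 14 (counting binderDied and handleClientCallbacks):

Related interview question:

How large is the virtual memory that servicemanager maps? The answer now is that it is the same size as for an ordinary app: 1M minus 2 pages.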

frameworks/native/libs/binder/ProcessState.cpp

#define BINDER_VM_SIZE ((1 * 1024 * 1024) - sysconf(_SC_PAGE_SIZE) * 2)

References:

Android 12 system source analysis | Native Binder code changes - 秋城 - cnblogs

Android 12(S) Binder (1) - 青山渺渺 - cnblogs

www.jb51.net

Binder series: Introduction - Gityuan blog | Yuan Huihui's technical blog

Binder series 3: Starting ServiceManager - Gityuan blog | Yuan Huihui's technical blog
