1、總圖中的第一步
第一步 <喎?http://www.bkjia.com/kf/ware/vc/" target="_blank" class="keylink">vcD4KPHA+ICAgICAgIH4vQW5kcm9pZC9mcmFtZXdvcmtzL2Jhc2UvY29yZS9qYXZhL2FuZHJvaWQvYXBwPC9wPgo8cD4gICAgICAgLS0tLUFjdGl2aXR5TWFuYWdlck5hdGl2ZS5qYXZhPC9wPgo8cD48cHJlIGNsYXNzPQ=="brush:java;">class ActivityManagerProxy implements IActivityManager{ public int startActivity(IApplicationThread caller, Intent intent, String resolvedType, Uri[] grantedUriPermissions, int grantedMode, IBinder resultTo, String resultWho, int requestCode, boolean onlyIfNeeded, boolean debug) throws RemoteException { Parcel data = Parcel.obtain(); Parcel reply = Parcel.obtain(); data.writeInterfaceToken(IActivityManager.descriptor); data.writeStrongBinder(caller != null ? caller.asBinder() : null); intent.writeToParcel(data, 0); ......... data.writeStrongBinder(resultTo); mRemote.transact(START_ACTIVITY_TRANSACTION, data, reply, 0); } 其中caller為:
final ApplicationThread mAppThread = new ApplicationThread();繼承於ApplicationThreadNative,ApplicationThreadNative繼承於Binder實現了IApplicationThread。
resultTo如所示:
java層的Parcel,writeStrongBinder方法,最後映射到C++層,執行如下:
~/Android/frameworks/base/core/jni
----android_util_Binder.cpp
static void android_os_Parcel_writeStrongBinder(JNIEnv* env, jobject clazz, jobject object)//clazz為Parcel,object指向了在Java層中建立的硬體訪問服務FregService{ Parcel* parcel = parcelForJavaObject(env, clazz);//擷取java層Parcel對象data的引用 if (parcel != NULL) { const status_t err = parcel->writeStrongBinder(ibinderForJavaObject(env, object)); if (err != NO_ERROR) { jniThrowException(env, "java/lang/OutOfMemoryError", NULL); } }}
ibinderForjavaObject實現如下:
~/Android/frameworks/base/core/jni
----android_util_Binder.cpp
sp ibinderForJavaObject(JNIEnv* env, jobject obj){ if (obj == NULL) return NULL; if (env->IsInstanceOf(obj, gBinderOffsets.mClass)) { JavaBBinderHolder* jbh = (JavaBBinderHolder*) env->GetIntField(obj, gBinderOffsets.mObject);//這裡把obj對象的mObject成員變數強制轉為JavaBBinderHolder對象 return jbh != NULL ? jbh->get(env) : NULL; } if (env->IsInstanceOf(obj, gBinderProxyOffsets.mClass)) { return (IBinder*) env->GetIntField(obj, gBinderProxyOffsets.mObject); } LOGW("ibinderForJavaObject: %p is not a Binder object", obj); return NULL;}
(1)如果傳入的是caller.asBinder(),那麼首先產生一個JavaBBinder本機物件。
(2)如果傳入的是resultTo,那麼產生一個代理對象。
writeStrongBinder實現如下:
~/Android/frameworks/base/libs/binder
----Parcel.cpp
status_t Parcel::writeStrongBinder(const sp& val){ return flatten_binder(ProcessState::self(), val, this);}
status_t flatten_binder(const sp& proc, const sp& binder, Parcel* out){ flat_binder_object obj; obj.flags = 0x7f | FLAT_BINDER_FLAG_ACCEPTS_FDS; if (binder != NULL) { IBinder *local = binder->localBinder(); if (!local) { BpBinder *proxy = binder->remoteBinder(); if (proxy == NULL) { LOGE("null proxy"); } const int32_t handle = proxy ? proxy->handle() : 0; obj.type = BINDER_TYPE_HANDLE; obj.handle = handle; obj.cookie = NULL; } else { obj.type = BINDER_TYPE_BINDER; obj.binder = local->getWeakRefs(); obj.cookie = local; } } else { obj.type = BINDER_TYPE_BINDER; obj.binder = NULL; obj.cookie = NULL; } return finish_flatten_binder(binder, obj, out);}
(1)如果是本機物件,obj.cookie為本機物件IBinder地址。
(2)如果是代理對象,obj.handle為代理對象的控制代碼值。
第二步
Binder Driver:調用binder_transaction:
~/Android//kernel/goldfish/drivers/staging/android
----binder.c
case BINDER_TYPE_BINDER:case BINDER_TYPE_WEAK_BINDER: {struct binder_ref *ref;struct binder_node *node = binder_get_node(proc, fp->binder);if (node == NULL) {node = binder_new_node(proc, fp->binder, fp->cookie);......}.......ref = binder_get_ref_for_node(target_proc, node);if (ref == NULL) {return_error = BR_FAILED_REPLY;goto err_binder_get_ref_for_node_failed;}if (fp->type == BINDER_TYPE_BINDER)fp->type = BINDER_TYPE_HANDLE;elsefp->type = BINDER_TYPE_WEAK_HANDLE;fp->handle = ref->desc;......} break;case BINDER_TYPE_HANDLE:case BINDER_TYPE_WEAK_HANDLE: {struct binder_ref *ref = binder_get_ref(proc, fp->handle);......if (ref->node->proc == target_proc) {if (fp->type == BINDER_TYPE_HANDLE)fp->type = BINDER_TYPE_BINDER;elsefp->type = BINDER_TYPE_WEAK_BINDER;fp->binder = ref->node->ptr;fp->cookie = ref->node->cookie;binder_inc_node(ref->node, fp->type == BINDER_TYPE_BINDER, 0, NULL);if (binder_debug_mask & BINDER_DEBUG_TRANSACTION)printk(KERN_INFO " ref %d desc %d -> node %d u%p\n", ref->debug_id, ref->desc, ref->node->debug_id, ref->node->ptr);} else {.......}} break;
(2)如果是BINDER_TYPE_HANDLE,首先擷取引用對象,再擷取實體物件,cookie為本機物件IBinder的地址。
第三步
~/Android/frameworks/base/core/java/android/app
----ActivityManagerNative.java
public abstract class ActivityManagerNative extends Binder implements IActivityManager{ ...... public boolean onTransact(int code, Parcel data, Parcel reply, int flags) throws RemoteException { switch (code) { case START_ACTIVITY_TRANSACTION: { data.enforceInterface(IActivityManager.descriptor); IBinder b = data.readStrongBinder(); IApplicationThread app = ApplicationThreadNative.asInterface(b); Intent intent = Intent.CREATOR.createFromParcel(data); String resolvedType = data.readString(); ...... IBinder resultTo = data.readStrongBinder(); ...... return true; }
~/Android/frameworks/base/core/jni
----android_util_Binder.cpp
static jobject android_os_Parcel_readStrongBinder(JNIEnv* env, jobject clazz){ Parcel* parcel = parcelForJavaObject(env, clazz);//獲得Java層reply的引用 if (parcel != NULL) { return javaObjectForIBinder(env, parcel->readStrongBinder()); } return NULL;}
~/Android/frameworks/base/libs/binder
----Parcel.cpp
sp Parcel::readStrongBinder() const{ sp val; unflatten_binder(ProcessState::self(), *this, &val); return val;}
status_t unflatten_binder(const sp& proc, const Parcel& in, sp* out){ const flat_binder_object* flat = in.readObject(false); if (flat) { switch (flat->type) { case BINDER_TYPE_BINDER: *out = static_cast(flat->cookie); return finish_unflatten_binder(NULL, *flat, in); case BINDER_TYPE_HANDLE: *out = proc->getStrongProxyForHandle(flat->handle); return finish_unflatten_binder( static_cast(out->get()), *flat, in); } } return BAD_TYPE;}
(1)如果是BINDER_TYPE_BINDER,返回本機物件。
(2)如果是BINDER_TYPE_HANDLE,根據控制代碼值,返回代理對象。
然後執行javaObjectForIBinder。
~/Android/frameworks/base/core/jni ----android_util_Binder.cpp
jobject javaObjectForIBinder(JNIEnv* env, const sp& val){ if (val == NULL) return NULL; if (val->checkSubclass(&gBinderOffsets)) { // One of our own! jobject object = static_cast(val.get())->object(); ........ return object; } // For the rest of the function we will hold this lock, to serialize // looking/creation of Java proxies for native Binder proxies. AutoMutex _l(mProxyLock); // Someone else's... do we know about it? jobject object = (jobject)val->findObject(&gBinderProxyOffsets);//檢查當前進程之前是否已經為它建立過一個BinderProxy對象 if (object != NULL) {//如果有返回來的就是一個指向該BinderProxy對象的WeakReference對象object,即一個弱引用對象 jobject res = env->CallObjectMethod(object, gWeakReferenceOffsets.mGet);//由於弱引用對象object所指向的BinderProxy對象可能已經失效,因此,需要檢查它的有效性,方法是調用它的成員函數get來獲得一個強引用對象。 if (res != NULL) {//如果不為NULL ...... return res;//直接返回 } ..... android_atomic_dec(&gNumProxyRefs);//如果為NULL val->detachObject(&gBinderProxyOffsets);//解除它與一個無效的BinderProxy對象的對應關係 env->DeleteGlobalRef(object);//刪除弱引用對象的全域引用 } object = env->NewObject(gBinderProxyOffsets.mClass, gBinderProxyOffsets.mConstructor);//建立一個BinderProxy對象 if (object != NULL) { ....... env->SetIntField(object, gBinderProxyOffsets.mObject, (int)val.get());//BinderProxy.mObject成員變數記錄了這個BpBinder對象的地址 val->incStrong(object); // The native object needs to hold a weak reference back to the // proxy, so we can retrieve the same proxy if it is still active. jobject refObject = env->NewGlobalRef( env->GetObjectField(object, gBinderProxyOffsets.mSelf));//擷取BinderProxy內部的成員變數mSelf(BinderProxy的弱引用對象),接著再建立一個全域引用對象來引用它 val->attachObject(&gBinderProxyOffsets, refObject, jnienv_to_javavm(env), proxy_cleanup);//把它放到BpBinder裡面去,下次就要使用時,就可以在上一步調用BpBinder::findObj把它找回來了 // Note that a new object reference has been created. android_atomic_inc(&gNumProxyRefs); incRefsCreated(env); } return object;}
IBinder resultTo = data.readStrongBinder();
(2)如果是代理對象,首先產生BinderProxy對象,裡面的mObject指向代理對象,向上轉型為IBinder。
IBinder b = data.readStrongBinder(); IApplicationThread app = ApplicationThreadNative.asInterface(b);然後產生ActivityManagerProxy對象,裡面mRemote指向BinderProxy對象。
第四步
~/Android/frameworks/base/services/java/com/android/server/am
----ActivityManagerService.java
public final int startActivity(IApplicationThread caller, Intent intent, String resolvedType, Uri[] grantedUriPermissions, int grantedMode, IBinder resultTo, String resultWho, int requestCode, boolean onlyIfNeeded, boolean debug) { return mMainStack.startActivityMayWait(caller, intent, resolvedType, grantedUriPermissions, grantedMode, resultTo, resultWho, requestCode, onlyIfNeeded, debug, null, null); }
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
