Android Binder Mechanism (3) — 如何向系統註冊Service

最後更新：2018-12-03 來源：互聯網

上載者：User

創建阿里雲帳戶，並獲得超過 40 款產品的免費試用版；而企業帳戶則可以享有總值 $1200 的免費試用版。立即註冊！

在這篇文章中，我們將深入剖析一下如何向系統註冊Service。

在第一篇文章的例子中，ExampleService通過如下語句向系統註冊服務。

// File: ExampleService.cpp int r = defaultServiceManager()->addService(String16("byn.example"), new ExampleService());

在上一篇文章中，我們已經知道通過調用defaultServiceManager()全域函數可以獲得當前進程的ServiceManager代理對象的引用。在深入剖析addService()方法之前，讓我們先瞭解一下ServiceManager是如何啟動的。首先來看一下它的原始碼：

// File: frameworks/base/cmds/servicemanager/service_manager.c int main(int argc, char **argv) { struct binder_state *bs; void *svcmgr = BINDER_SERVICE_MANAGER; bs = binder_open(128*1024); if (binder_become_context_manager(bs)) { LOGE("cannot become context manager (%s)/n", strerror(errno)); return -1; } svcmgr_handle = svcmgr; binder_loop(bs, svcmgr_handler); return 0; }

ServiceManager本身是一個系統進程，是Android核心程式。從它的main函數來看，它首先調用binder_open()函數開啟binder裝置(/dev/binder)，接著調用binder_become_context_manager()函數，將自己變為系統服務的“管理員”。我們看一下binder_become_context_manager()函數的原始碼：

// File: frameworks/base/cmds/servicemanager/service_manager.c int binder_become_context_manager(struct binder_state *bs) { return ioctl(bs->fd, BINDER_SET_CONTEXT_MGR, 0); }

可以看到以BINDER_SET_CONTEXT_MGR為參數進行ioctl系統調用，就可以將自身設定成系統服務的“管理員”，即ServiceManager。

最後，ServiceManager調用binder_loop進入到迴圈狀態，並提供了一個回呼函數svcmgr_handler()，等待使用者的請求。

現在讓我們剖析一下向系統註冊Service的過程吧。首先，調用defaultServiceManager()全域函數獲得的是ServiceManager代理對象的引用，所以這裡的調用的addService方法是代理對象的方法，而不是真正的ServiceManager的addService方法。讓我們看一下它的原始碼：

// File: frameworks/base/libs/binder/IServiceManager.cpp class BpServiceManager : public BpInterface<IServiceManager> { public: ...... virtual status_t addService(const String16& name, const sp<IBinder>& service) { Parcel data, reply; data.writeInterfaceToken(IServiceManager::getInterfaceDescriptor()); data.writeString16(name); data.writeStrongBinder(service); status_t err = remote()->transact(ADD_SERVICE_TRANSACTION, data, &reply); return err == NO_ERROR ? reply.readInt32() : err; } ...... }

這裡是以ADD_SERVICE_TRANSACTION為命令代碼調用的transact()方法。因為ServiceManager代理對象BpServiceManager繼承自BpBinder，所以這裡調用的是BpBinder::transact()，我們看一下它的原始碼：

// File: frameworks/base/libs/binder/BpBinder.cpp status_t BpBinder::transact( uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags) { // Once a binder has died, it will never come back to life. if (mAlive) { status_t status = IPCThreadState::self()->transact( mHandle, code, data, reply, flags); if (status == DEAD_OBJECT) mAlive = 0; return status; } return DEAD_OBJECT; }

我們看到該方法是通過調用IPCThreadState類的同名方法繼續傳遞請求。這裡需要解釋一下IPCThreadState類的作用。

每個進程中有且僅有一個IPCThreadState對象，它的作用是維護當前進程中所有對binder裝置(/dev/binder)的I/O操作，也就是說一個進程要想通過binder機制與另外一個進程進行通訊，最終都是要通過IPCThreadState對象來完成的。有了IPCThreadState這層封裝之後，應用程式就不需要通過ioctl同binder裝置直接打交道了。下面讓我們來看一下IPCThreadState類的transact方法的原始碼：

// File: frameworks/base/libs/binder/IPCThreadState.cpp status_t IPCThreadState::transact(int32_t handle, uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags) { status_t err = data.errorCheck(); flags |= TF_ACCEPT_FDS; IF_LOG_TRANSACTIONS() { TextOutput::Bundle _b(alog); alog << "BC_TRANSACTION thr " << (void*)pthread_self() << " / hand " << handle << " / code " << TypeCode(code) << ": " << indent << data << dedent << endl; } if (err == NO_ERROR) { LOG_ONEWAY(">>>> SEND from pid %d uid %d %s", getpid(), getuid(), (flags & TF_ONE_WAY) == 0 ? "READ REPLY" : "ONE WAY"); err = writeTransactionData(BC_TRANSACTION, flags, handle, code, data, NULL); } if (err != NO_ERROR) { if (reply) reply->setError(err); return (mLastError = err); } if ((flags & TF_ONE_WAY) == 0) { if (reply) { err = waitForResponse(reply); } else { Parcel fakeReply; err = waitForResponse(&fakeReply); } IF_LOG_TRANSACTIONS() { TextOutput::Bundle _b(alog); alog << "BR_REPLY thr " << (void*)pthread_self() << " / hand " << handle << ": "; if (reply) alog << indent << *reply << dedent << endl; else alog << "(none requested)" << endl; } } else { err = waitForResponse(NULL, NULL); } return err; }

這裡調用了writeTransactionData()方法來完成請求，我們再看一下writeTransactionData()方法的定義：

// File: frameworks/base/libs/binder/IPCThreadState.cpp status_t IPCThreadState::writeTransactionData(int32_t cmd, uint32_t binderFlags, int32_t handle, uint32_t code, const Parcel& data, status_t* statusBuffer) { binder_transaction_data tr; tr.target.handle = handle; tr.code = code; tr.flags = binderFlags; const status_t err = data.errorCheck(); if (err == NO_ERROR) { tr.data_size = data.ipcDataSize(); tr.data.ptr.buffer = data.ipcData(); tr.offsets_size = data.ipcObjectsCount()*sizeof(size_t); tr.data.ptr.offsets = data.ipcObjects(); } else if (statusBuffer) { tr.flags |= TF_STATUS_CODE; *statusBuffer = err; tr.data_size = sizeof(status_t); tr.data.ptr.buffer = statusBuffer; tr.offsets_size = 0; tr.data.ptr.offsets = NULL; } else { return (mLastError = err); } mOut.writeInt32(cmd); mOut.write(&tr, sizeof(tr)); return NO_ERROR; }

最終是在這裡將命令和資料封裝好之後寫入待發送的隊列(mOut.writeInt32(cmd)，mOut.write(&tr, sizeof(tr)))。回到IPCThreadState類的transact()方法。writeTransactionData()方法返回之後，會通過調用waitForResponse()方法發送請求並等待返回結果。而waitForResponse()方法會調用IPCThreadState::talkWithDriver()方法發送請求並取回傳回值。我們看一下talkWithDriver()方法的原始碼：

// File: frameworks/base/libs/binder/IPCThreadState.cpp status_t IPCThreadState::talkWithDriver(bool doReceive) { LOG_ASSERT(mProcess->mDriverFD >= 0, "Binder driver is not opened"); binder_write_read bwr; // Is the read buffer empty? const bool needRead = mIn.dataPosition() >= mIn.dataSize(); // We don't want to write anything if we are still reading // from data left in the input buffer and the caller // has requested to read the next data. const size_t outAvail = (!doReceive || needRead) ? mOut.dataSize() : 0; bwr.write_size = outAvail; bwr.write_buffer = (long unsigned int)mOut.data(); // This is what we'll read. if (doReceive && needRead) { bwr.read_size = mIn.dataCapacity(); bwr.read_buffer = (long unsigned int)mIn.data(); } else { bwr.read_size = 0; } IF_LOG_COMMANDS() { TextOutput::Bundle _b(alog); if (outAvail != 0) { alog << "Sending commands to driver: " << indent; const void* cmds = (const void*)bwr.write_buffer; const void* end = ((const uint8_t*)cmds)+bwr.write_size; alog << HexDump(cmds, bwr.write_size) << endl; while (cmds < end) cmds = printCommand(alog, cmds); alog << dedent; } alog << "Size of receive buffer: " << bwr.read_size << ", needRead: " << needRead << ", doReceive: " << doReceive << endl; } // Return immediately if there is nothing to do. if ((bwr.write_size == 0) && (bwr.read_size == 0)) return NO_ERROR; bwr.write_consumed = 0; bwr.read_consumed = 0; status_t err; do { IF_LOG_COMMANDS() { alog << "About to read/write, write size = " << mOut.dataSize() << endl; } #if defined(HAVE_ANDROID_OS) if (ioctl(mProcess->mDriverFD, BINDER_WRITE_READ, &bwr) >= 0) err = NO_ERROR; else err = -errno; #else err = INVALID_OPERATION; #endif IF_LOG_COMMANDS() { alog << "Finished read/write, write size = " << mOut.dataSize() << endl; } } while (err == -EINTR); IF_LOG_COMMANDS() { alog << "Our err: " << (void*)err << ", write consumed: " << bwr.write_consumed << " (of " << mOut.dataSize() << "), read consumed: " << bwr.read_consumed << endl; } if (err >= NO_ERROR) { if (bwr.write_consumed > 0) { if (bwr.write_consumed < (ssize_t)mOut.dataSize()) mOut.remove(0, bwr.write_consumed); else mOut.setDataSize(0); } if (bwr.read_consumed > 0) { mIn.setDataSize(bwr.read_consumed); mIn.setDataPosition(0); } IF_LOG_COMMANDS() { TextOutput::Bundle _b(alog); alog << "Remaining data size: " << mOut.dataSize() << endl; alog << "Received commands from driver: " << indent; const void* cmds = mIn.data(); const void* end = mIn.data() + mIn.dataSize(); alog << HexDump(cmds, mIn.dataSize()) << endl; while (cmds < end) cmds = printReturnCommand(alog, cmds); alog << dedent; } return NO_ERROR; } return err; }

talkWithDriver()方法會將待發送的請求(之前已經存放在mOut對象中)封裝到一個binder_write_read類型的結構體bwr中，並調用ioctl(mProcess->mDriverFD, BINDER_WRITE_READ, &bwr)完成發送請求。接下來的工作就由核心空間來完成了。此進程當前會阻塞在ioctl這裡，直到有傳回值返回。由此可見，通過binder機制進行的IPC通訊是一個同步過程。這一點非常重要。

用戶端的程式我們暫時先分析到這裡，現在讓我們看看服務端在收到這一請求之後都會做哪些處理。

前面提到，ServiceManager的main函數中註冊了回呼函數svcmgr_handler()，因此上面的請求通過binder裝置發送到ServiceManager這一端的時候，該函數會被調用。我們看一下它的原始碼：

// File: frameworks/base/cmds/servicemanager/service_manager.c int svcmgr_handler(struct binder_state *bs, struct binder_txn *txn, struct binder_io *msg, struct binder_io *reply) { struct svcinfo *si; uint16_t *s; unsigned len; void *ptr; LOGI("[BYN]target=%p code=%d pid=%d uid=%d/n", txn->target, txn->code, txn->sender_pid, txn->sender_euid); if (txn->target != svcmgr_handle) return -1; s = bio_get_string16(msg, &len); if ((len != (sizeof(svcmgr_id) / 2)) || memcmp(svcmgr_id, s, sizeof(svcmgr_id))) { fprintf(stderr,"invalid id %s/n", str8(s)); return -1; } switch(txn->code) { case SVC_MGR_GET_SERVICE: case SVC_MGR_CHECK_SERVICE: s = bio_get_string16(msg, &len); ptr = do_find_service(bs, s, len); if (!ptr) break; bio_put_ref(reply, ptr); return 0; case SVC_MGR_ADD_SERVICE: s = bio_get_string16(msg, &len); ptr = bio_get_ref(msg); if (do_add_service(bs, s, len, ptr, txn->sender_euid)) return -1; break; case SVC_MGR_LIST_SERVICES: { unsigned n = bio_get_uint32(msg); si = svclist; while ((n-- > 0) && si) si = si->next; if (si) { bio_put_string16(reply, si->name); return 0; } return -1; } default: LOGE("unknown code %d/n", txn->code); return -1; } bio_put_uint32(reply, 0); return 0; }

由於調用的是addService服務，所以會走到SVC_MGR_ADD_SERVICE分支，調用do_add_service()函數。我們看一下它的原始碼：

// File: frameworks/base/cmds/servicemanager/service_manager.c int do_add_service(struct binder_state *bs, uint16_t *s, unsigned len, void *ptr, unsigned uid) { struct svcinfo *si; // LOGI("add_service('%s',%p) uid=%d/n", str8(s), ptr, uid); if (!ptr || (len == 0) || (len > 127)) return -1; if (!svc_can_register(uid, s)) { LOGE("add_service('%s',%p) uid=%d - PERMISSION DENIED/n", str8(s), ptr, uid); return -1; } si = find_svc(s, len); if (si) { if (si->ptr) { LOGE("add_service('%s',%p) uid=%d - ALREADY REGISTERED/n", str8(s), ptr, uid); return -1; } si->ptr = ptr; } else { si = malloc(sizeof(*si) + (len + 1) * sizeof(uint16_t)); if (!si) { LOGE("add_service('%s',%p) uid=%d - OUT OF MEMORY/n", str8(s), ptr, uid); return -1; } si->ptr = ptr; si->len = len; memcpy(si->name, s, (len + 1) * sizeof(uint16_t)); si->name[len] = '/0'; si->death.func = svcinfo_death; si->death.ptr = si; si->next = svclist; svclist = si; } binder_acquire(bs, ptr); binder_link_to_death(bs, ptr, &si->death); return 0; }

這裡首先判斷一下是否有許可權註冊服務(svc_can_register(uid, s))，如果可以的話，再判斷該服務是否已經註冊過；如果沒有註冊過的話，就構造一個svcinfo對象，並將它添加到svclist鏈表中。最後通知binder裝置：有一個新的Service註冊進來。

伺服器端返回之後，用戶端被解除阻塞(ioctl系統調用)，然後逐層返回，從而完成了註冊服務的請求。

本文章原先以中文撰寫並發佈於 aliyun.com，亦設英文版本，僅作資訊用途。本網站不對文章的準確性，完整性或可靠性或其任何翻譯作出任何明示或暗示的陳述或保證。如對該文章有任何疑慮或投訴，請傳送電郵至 info-contact@alibabacloud.com 並提供相關疑慮或投訴的詳細說明。職員會於 5 個工作天內與您聯絡，一經驗證之後，即會刪除該侵權內容。

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More

Android Binder Mechanism (3) — 如何向系統註冊Service

聯繫我們

A Free Trial That Lets You Build Big!

Sales Support

After-Sales Support