【Binder 机制】Native 层 Binder 机制分析 ( binder_loop | svcmgr_handler | binder.c | binder_parse )
白淇
前言
在上一篇博客 【Binder 机制】Native 层 Binder 机制分析 ( service_manager.c | 开启 Binder | 注册 Binder 进程上下文 | 开启 Binder 循环 ) 中分析了 Binder Native 实现中的 service_manager.c 中的 main 函数的启动过程 ;
- 开启 Binder :
bs = binder_open(driver, 128*1024); - 将自己注册成 Binder 进程的上下文 :
binder_become_context_manager(bs) - 开启 Binder 循环 :
binder_loop(bs, svcmgr_handler);
一、binder_loop 方法调用
在 service_manager.c 中的 main 函数中 , 执行了 binder_loop 方法 , 传入了 svcmgr_handler 方法名作为回调函数 ;
int main(int argc, char** argv)
{
binder_loop(bs, svcmgr_handler);
return 0;
}
完整代码参考 /frameworks/native/cmds/servicemanager/service_manager.c
二、binder_loop 方法参数 svcmgr_handler
svcmgr_handler 方法定义在 service_manager.c 中 ; svcmgr_handler 方法名是 Service Manager Handler 的简写 ;
struct binder_io *msg 是传入的消息 ;
struct binder_io *reply 参数是返回参数 ;
svcinfo 结构体是一个链表 ;
传入不同的消息执行不同的处理 :
- SVC_MGR_ADD_SERVICE : 收到消息 , 添加一个 Binder 服务 ;
- SVC_MGR_CHECK_SERVICE : 收到消息 , 找到一个 Binder 服务 ;
struct svcinfo
{
struct svcinfo *next; //指向下一个 svcinfo 结构体元素
uint32_t handle;
struct binder_death death;
int allow_isolated; // 是否允许独立于进程
uint32_t dumpsys_priority;
size_t len; // 长度
uint16_t name[0]; // 名称
};
int svcmgr_handler(struct binder_state *bs,
struct binder_transaction_data *txn,
struct binder_io *msg,
struct binder_io *reply)
{
// 链表
struct svcinfo *si;
uint16_t *s;
size_t len;
uint32_t handle;
uint32_t strict_policy;
int allow_isolated;
uint32_t dumpsys_priority;
// 根据不同的 txn->code 执行不同的方法
switch(txn->code) {
case SVC_MGR_GET_SERVICE:
case SVC_MGR_CHECK_SERVICE:// 收到消息 , 找到一个 Binder 服务
s = bio_get_string16(msg, &len);
if (s == NULL) {
return -1;
}
handle = do_find_service(s, len, txn->sender_euid, txn->sender_pid);
if (!handle)
break;
bio_put_ref(reply, handle);
return 0;
case SVC_MGR_ADD_SERVICE:// 收到消息 , 添加一个 Binder 服务
s = bio_get_string16(msg, &len);
if (s == NULL) {
return -1;
}
handle = bio_get_ref(msg);
allow_isolated = bio_get_uint32(msg) ? 1 : 0;
dumpsys_priority = bio_get_uint32(msg);
if (do_add_service(bs, s, len, handle, txn->sender_euid, allow_isolated, dumpsys_priority,
txn->sender_pid))
return -1;
break;
case SVC_MGR_LIST_SERVICES: { // 获取服务列表
uint32_t n = bio_get_uint32(msg);
uint32_t req_dumpsys_priority = bio_get_uint32(msg);
if (!svc_can_list(txn->sender_pid, txn->sender_euid)) {
ALOGE("list_service() uid=%d - PERMISSION DENIED\n",
txn->sender_euid);
return -1;
}
si = svclist;
// walk through the list of services n times skipping services that
// do not support the requested priority
while (si) {
if (si->dumpsys_priority & req_dumpsys_priority) {
if (n == 0) break;
n--;
}
si = si->next;
}
if (si) {
bio_put_string16(reply, si->name);
return 0;
}
return -1;
}
default:
ALOGE("unknown code %d\n", txn->code);
return -1;
}
bio_put_uint32(reply, 0);
return 0;
}
完整代码参考 /frameworks/native/cmds/servicemanager/service_manager.c
三、binder_loop 方法
在开启 Binder 循环的 binder_loop 方法中 , 如果收到 Binder 读写消息信息 , 调用 binder_parse 方法处理 , 调用代码如下 :
res = binder_parse(bs, 0, (uintptr_t) readbuf, bwr.read_consumed, func);
binder_loop 方法代码如下 :
void binder_loop(struct binder_state *bs, binder_handler func)
{
int res;
struct binder_write_read bwr;
uint32_t readbuf[32];
bwr.write_size = 0;
bwr.write_consumed = 0;
bwr.write_buffer = 0;
readbuf[0] = BC_ENTER_LOOPER;
//
binder_write(bs, readbuf, sizeof(uint32_t));
// 开启无限循环
for (;;) {
bwr.read_size = sizeof(readbuf);
bwr.read_consumed = 0;
bwr.read_buffer = (uintptr_t) readbuf;
res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr);
if (res < 0) {
ALOGE("binder_loop: ioctl failed (%s)\n", strerror(errno));
break;
}
// 如果收到 Binder 读写消息信息 , 调用 binder_parse 方法处理 ;
res = binder_parse(bs, 0, (uintptr_t) readbuf, bwr.read_consumed, func);
if (res == 0) {
ALOGE("binder_loop: unexpected reply?!\n");
break;
}
if (res < 0) {
ALOGE("binder_loop: io error %d %s\n", res, strerror(errno));
break;
}
}
}
完整代码参考 /frameworks/native/cmds/servicemanager/binder.c
四、binder_parse 方法
binder_parse 方法中接收的 binder_handler func 参数是一个回调方法 ; 该方法是 Binder 服务收到了客户端请求后的回调函数 ;
int binder_parse(struct binder_state *bs, struct binder_io *bio,
uintptr_t ptr, size_t size, binder_handler func)
{
int r = 1;
uintptr_t end = ptr + (uintptr_t) size;
while (ptr < end) {
uint32_t cmd = *(uint32_t *) ptr;
ptr += sizeof(uint32_t);
#if TRACE
fprintf(stderr,"%s:\n", cmd_name(cmd));
#endif
// 根据不同指令 , 执行不同操作 ;
switch(cmd) {
case BR_NOOP:
break;
case BR_TRANSACTION_COMPLETE:
break;
case BR_INCREFS:
case BR_ACQUIRE:
case BR_RELEASE:
case BR_DECREFS:
#if TRACE
fprintf(stderr," %p, %p\n", (void *)ptr, (void *)(ptr + sizeof(void *)));
#endif
ptr += sizeof(struct binder_ptr_cookie);
break;
case BR_TRANSACTION: {
struct binder_transaction_data *txn = (struct binder_transaction_data *) ptr;
if ((end - ptr) < sizeof(*txn)) {
ALOGE("parse: txn too small!\n");
return -1;
}
binder_dump_txn(txn);
if (func) {
unsigned rdata[256/4];
struct binder_io msg;
struct binder_io reply;
int res;
bio_init(&reply, rdata, sizeof(rdata), 4);
bio_init_from_txn(&msg, txn);
// 执行回调方法
res = func(bs, txn, &msg, &reply);
if (txn->flags & TF_ONE_WAY) {
binder_free_buffer(bs, txn->data.ptr.buffer);
} else {
binder_send_reply(bs, &reply, txn->data.ptr.buffer, res);
}
}
ptr += sizeof(*txn);
break;
}
case BR_REPLY: {
struct binder_transaction_data *txn = (struct binder_transaction_data *) ptr;
if ((end - ptr) < sizeof(*txn)) {
ALOGE("parse: reply too small!\n");
return -1;
}
binder_dump_txn(txn);
if (bio) {
bio_init_from_txn(bio, txn);
bio = 0;
} else {
/* todo FREE BUFFER */
}
ptr += sizeof(*txn);
r = 0;
break;
}
case BR_DEAD_BINDER: {
struct binder_death *death = (struct binder_death *)(uintptr_t) *(binder_uintptr_t *)ptr;
ptr += sizeof(binder_uintptr_t);
death->func(bs, death->ptr);
break;
}
case BR_FAILED_REPLY:
r = -1;
break;
case BR_DEAD_REPLY:
r = -1;
break;
default:
ALOGE("parse: OOPS %d\n", cmd);
return -1;
}
}
return r;
}
类似资料: