【Binder 机制】Native 层 Binder 机制分析 ( binder_loop | svcmgr_handler | binder.c | binder_parse )

白淇
2023-12-01

前言

在上一篇博客 【Binder 机制】Native 层 Binder 机制分析 ( service_manager.c | 开启 Binder | 注册 Binder 进程上下文 | 开启 Binder 循环 ) 中分析了 Binder Native 实现中的 service_manager.c 中的 main 函数的启动过程 ;

  • 开启 Binder : bs = binder_open(driver, 128*1024);
  • 将自己注册成 Binder 进程的上下文 : binder_become_context_manager(bs)
  • 开启 Binder 循环 : binder_loop(bs, svcmgr_handler);




一、binder_loop 方法调用



在 service_manager.c 中的 main 函数中 , 执行了 binder_loop 方法 , 传入了 svcmgr_handler 方法名作为回调函数 ;

int main(int argc, char** argv)
{

    binder_loop(bs, svcmgr_handler);

    return 0;
}

完整代码参考 /frameworks/native/cmds/servicemanager/service_manager.c





二、binder_loop 方法参数 svcmgr_handler



svcmgr_handler 方法定义在 service_manager.c 中 ; svcmgr_handler 方法名是 Service Manager Handler 的简写 ;

struct binder_io *msg 是传入的消息 ;

struct binder_io *reply 参数是返回参数 ;

svcinfo 结构体是一个链表 ;

传入不同的消息执行不同的处理 :

  • SVC_MGR_ADD_SERVICE : 收到消息 , 添加一个 Binder 服务 ;
  • SVC_MGR_CHECK_SERVICE : 收到消息 , 找到一个 Binder 服务 ;
struct svcinfo
{
    struct svcinfo *next;	//指向下一个 svcinfo 结构体元素
    uint32_t handle;		 
    struct binder_death death;	
    int allow_isolated;		// 是否允许独立于进程 
    uint32_t dumpsys_priority;
    size_t len;				// 长度
    uint16_t name[0];		// 名称 
};

int svcmgr_handler(struct binder_state *bs,
                   struct binder_transaction_data *txn,
                   struct binder_io *msg,
                   struct binder_io *reply)
{
	// 链表 
    struct svcinfo *si;
    uint16_t *s;
    size_t len;
    uint32_t handle;
    uint32_t strict_policy;
    int allow_isolated;
    uint32_t dumpsys_priority;

	// 根据不同的 txn->code 执行不同的方法 
    switch(txn->code) {
    case SVC_MGR_GET_SERVICE:
    case SVC_MGR_CHECK_SERVICE:// 收到消息 , 找到一个 Binder 服务 
        s = bio_get_string16(msg, &len);
        if (s == NULL) {
            return -1;
        }
        handle = do_find_service(s, len, txn->sender_euid, txn->sender_pid);
        if (!handle)
            break;
        bio_put_ref(reply, handle);
        return 0;

    case SVC_MGR_ADD_SERVICE:// 收到消息 , 添加一个 Binder 服务
        s = bio_get_string16(msg, &len);
        if (s == NULL) {
            return -1;
        }
        handle = bio_get_ref(msg);
        allow_isolated = bio_get_uint32(msg) ? 1 : 0;
        dumpsys_priority = bio_get_uint32(msg);
        if (do_add_service(bs, s, len, handle, txn->sender_euid, allow_isolated, dumpsys_priority,
                           txn->sender_pid))
            return -1;
        break;

    case SVC_MGR_LIST_SERVICES: { // 获取服务列表 
        uint32_t n = bio_get_uint32(msg);
        uint32_t req_dumpsys_priority = bio_get_uint32(msg);

        if (!svc_can_list(txn->sender_pid, txn->sender_euid)) {
            ALOGE("list_service() uid=%d - PERMISSION DENIED\n",
                    txn->sender_euid);
            return -1;
        }
        si = svclist;
        // walk through the list of services n times skipping services that
        // do not support the requested priority
        while (si) {
            if (si->dumpsys_priority & req_dumpsys_priority) {
                if (n == 0) break;
                n--;
            }
            si = si->next;
        }
        if (si) {
            bio_put_string16(reply, si->name);
            return 0;
        }
        return -1;
    }
    default:
        ALOGE("unknown code %d\n", txn->code);
        return -1;
    }

    bio_put_uint32(reply, 0);
    return 0;
}

完整代码参考 /frameworks/native/cmds/servicemanager/service_manager.c





三、binder_loop 方法



在开启 Binder 循环的 binder_loop 方法中 , 如果收到 Binder 读写消息信息 , 调用 binder_parse 方法处理 , 调用代码如下 :

res = binder_parse(bs, 0, (uintptr_t) readbuf, bwr.read_consumed, func);

binder_loop 方法代码如下 :

void binder_loop(struct binder_state *bs, binder_handler func)
{
    int res;
    struct binder_write_read bwr;
    uint32_t readbuf[32];

    bwr.write_size = 0;
    bwr.write_consumed = 0;
    bwr.write_buffer = 0;

    readbuf[0] = BC_ENTER_LOOPER;
    // 
    binder_write(bs, readbuf, sizeof(uint32_t));

	// 开启无限循环 
    for (;;) {
        bwr.read_size = sizeof(readbuf);
        bwr.read_consumed = 0;
        bwr.read_buffer = (uintptr_t) readbuf;

        res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr);

        if (res < 0) {
            ALOGE("binder_loop: ioctl failed (%s)\n", strerror(errno));
            break;
        }
		
		// 如果收到 Binder 读写消息信息 , 调用 binder_parse 方法处理 ;
        res = binder_parse(bs, 0, (uintptr_t) readbuf, bwr.read_consumed, func);
        if (res == 0) {
            ALOGE("binder_loop: unexpected reply?!\n");
            break;
        }
        if (res < 0) {
            ALOGE("binder_loop: io error %d %s\n", res, strerror(errno));
            break;
        }
    }
}

完整代码参考 /frameworks/native/cmds/servicemanager/binder.c





四、binder_parse 方法



binder_parse 方法中接收的 binder_handler func 参数是一个回调方法 ; 该方法是 Binder 服务收到了客户端请求后的回调函数 ;

int binder_parse(struct binder_state *bs, struct binder_io *bio,
                 uintptr_t ptr, size_t size, binder_handler func)
{
    int r = 1;
    uintptr_t end = ptr + (uintptr_t) size;

    while (ptr < end) {
        uint32_t cmd = *(uint32_t *) ptr;
        ptr += sizeof(uint32_t);
#if TRACE
        fprintf(stderr,"%s:\n", cmd_name(cmd));
#endif
		// 根据不同指令 , 执行不同操作 ; 
        switch(cmd) {
        case BR_NOOP:
            break;
        case BR_TRANSACTION_COMPLETE:
            break;
        case BR_INCREFS:
        case BR_ACQUIRE:
        case BR_RELEASE:
        case BR_DECREFS:
#if TRACE
            fprintf(stderr,"  %p, %p\n", (void *)ptr, (void *)(ptr + sizeof(void *)));
#endif
            ptr += sizeof(struct binder_ptr_cookie);
            break;
        case BR_TRANSACTION: {
            struct binder_transaction_data *txn = (struct binder_transaction_data *) ptr;
            if ((end - ptr) < sizeof(*txn)) {
                ALOGE("parse: txn too small!\n");
                return -1;
            }
            binder_dump_txn(txn);
            if (func) {
                unsigned rdata[256/4];
                struct binder_io msg;
                struct binder_io reply;
                int res;

                bio_init(&reply, rdata, sizeof(rdata), 4);
                bio_init_from_txn(&msg, txn);
                // 执行回调方法 
                res = func(bs, txn, &msg, &reply);
                if (txn->flags & TF_ONE_WAY) {
                    binder_free_buffer(bs, txn->data.ptr.buffer);
                } else {
                    binder_send_reply(bs, &reply, txn->data.ptr.buffer, res);
                }
            }
            ptr += sizeof(*txn);
            break;
        }
        case BR_REPLY: {
            struct binder_transaction_data *txn = (struct binder_transaction_data *) ptr;
            if ((end - ptr) < sizeof(*txn)) {
                ALOGE("parse: reply too small!\n");
                return -1;
            }
            binder_dump_txn(txn);
            if (bio) {
                bio_init_from_txn(bio, txn);
                bio = 0;
            } else {
                /* todo FREE BUFFER */
            }
            ptr += sizeof(*txn);
            r = 0;
            break;
        }
        case BR_DEAD_BINDER: {
            struct binder_death *death = (struct binder_death *)(uintptr_t) *(binder_uintptr_t *)ptr;
            ptr += sizeof(binder_uintptr_t);
            death->func(bs, death->ptr);
            break;
        }
        case BR_FAILED_REPLY:
            r = -1;
            break;
        case BR_DEAD_REPLY:
            r = -1;
            break;
        default:
            ALOGE("parse: OOPS %d\n", cmd);
            return -1;
        }
    }

    return r;
}
 类似资料: