原文来自此链接,加上了自己的一些理解
framework/base/core/java/android/os/
IInterface.java
IServiceManager.java
ServiceManager.java
ServiceManagerNative.java(包含内部类ServiceManagerProxy)
framework/base/core/java/android/os/
IBinder.java
Binder.java(包含内部类BinderProxy)
Parcel.java
framework/base/core/java/com/android/internal/os/
- BinderInternal.java
framework/base/core/jni/
android系统在8.0后将大部分的*ManageNative等方式都改成了AIDL的方式实现,目前只保留了 ServiceManager 相关的实现采用 ServiceManagerNative 的方式实现,其他都改变了。比如ActivityManagerNative.getDefault() 改成了 ActivityManager.getService() 因此之前对应的实现
ActivityManagerNative -> IActivityManager.Stub ActivityManagerProxy -> IActivityManager.Stub.Proxy
以bindService来看一次IPC的通信流程
ContextWrapper#bindService
ContextImpl#bindService
ContextImpl#bindServiceCommon
ActivityManager.getService().bindService
ServiceManager.getService
ServiceManagerNative.asInterface(Binder.allowBlocking(BinderInternal.getContextObject()))
BinderInternal.getContextObject() -> new BinderProxy()
ServiceManagerNative.asInterface -> new ServiceManagerProxy()
IActivityManager.Stub.asInterface(b)
bindService
IActivityManager.Stub.Proxy#bindService —- 客户端进程空间
mRemote.transact -> BinderProxy.transact (mRemote相当于BinderProxy)
BpBinder.transact -> BBinder.onTransact -> JavaBBinder.onTransact -> Binder.execTransact -> Native|| I.Stub.onTransact
IActivityManager.Stub#onTransact —- system_server进程空间
ActivityManagerService#onTransact — code对应的接口方法都被此类重写
ActivityManagerService对应的接口方法
也就是说AMS的 Stub(也就是 *Native)位于system_server进程
Proxy相关的操作位于 客户端进程空间**
一、概述
1.1 Binder架构
binder在framework层,采用JNI技术来调用native(C/C++)层的binder架构,从而为上层应用程序提供服务。 看过binder系列之前的文章,我们知道native层中,binder是C/S架构,分为Bn端(Server)和Bp端(Client)。对于java层在命名与架构上非常相近,同样实现了一套IPC通信架构
1.2 Binder类图
ServiceManager:通过getIServiceManager方法获取的是ServiceManagerProxy对象; ServiceManager的addService, getService实际工作都交由ServiceManagerProxy的相应方法来处理;
ServiceManagerProxy:其成员变量mRemote指向BinderProxy对象,ServiceManagerProxy的addService, getService方法最终是交由mRemote来完成。
ServiceManagerNative:其方法asInterface()返回的是ServiceManagerProxy对象,ServiceManager便是借助ServiceManagerNative类来找到ServiceManagerProxy;
Binder:其成员变量mObject (其实就是 native 层的BpBinder类)和方法execTransact()用于native方法
BinderInternal:内部有一个GcWatcher类,用于处理和调试与Binder相关的垃圾回收。
IBinder:接口中常量FLAG_ONEWAY:客户端利用binder跟服务端通信是阻塞式的,但如果设置了FLAG_ONEWAY,这成为非阻塞的调用方式,客户端能立即返回,服务端采用回调方式来通知客户端完成情况。另外IBinder接口有一个内部接口DeathDecipient(死亡通告)
1.3 Binder类分层
整个Binder从kernel至,native,JNI,Framework层所涉及的全部类
二、初始化交互流程
在Android系统开机过程中,Zygote启动时会有一个虚拟机注册过程,该过程调用AndroidRuntime::startReg
方法来完成jni方法的注册。
2.1 startReg
==> AndroidRuntime.cpp
int AndroidRuntime::startReg(JNIEnv* env)
{
androidSetCreateThreadFunc((android_create_thread_fn) javaCreateThreadEtc);
env->PushLocalFrame(200);
//注册jni方法【见2.2】
if (register_jni_procs(gRegJNI, NELEM(gRegJNI), env) < 0) {
env->PopLocalFrame(NULL);
return -1;
}
env->PopLocalFrame(NULL);
return 0;
}
注册JNI方法,其中gRegJNI
是一个数组,记录所有需要注册的jni方法,其中有一项便是REG_JNI(register_android_os_Binder),下面说说register_android_os_Binder
过程。
2.2 register_android_os_Binder
==> android_util_Binder.cpp
int register_android_os_Binder(JNIEnv* env) {
// 注册Binder类的jni方法【见2.3】
if (int_register_android_os_Binder(env) < 0)
return -1;
// 注册BinderInternal类的jni方法【见2.4】
if (int_register_android_os_BinderInternal(env) < 0)
return -1;
// 注册BinderProxy类的jni方法【见2.5】
if (int_register_android_os_BinderProxy(env) < 0)
return -1;
...
return 0;
}
可以看出java层共有三个类会注册对应的jni方法
Binder
BinderInternal
BinderProxy
2.3 注册Java Binder
==> android_util_Binder.cpp
static int int_register_android_os_Binder(JNIEnv* env) {
//其中kBinderPathName = "android/os/Binder";查找kBinderPathName路径所属类
jclass clazz = FindClassOrDie(env, kBinderPathName);
//将Java层Binder类保存到mClass变量;
gBinderOffsets.mClass = MakeGlobalRefOrDie(env, clazz);
//将Java层execTransact()方法保存到mExecTransact变量;
gBinderOffsets.mExecTransact = GetMethodIDOrDie(env, clazz, "execTransact", "(IJJI)Z");
//将Java层mObject属性保存到mObject变量
gBinderOffsets.mObject = GetFieldIDOrDie(env, clazz, "mObject", "J");
//注册JNI方法
return RegisterMethodsOrDie(env, kBinderPathName, gBinderMethods,
NELEM(gBinderMethods));
}
注册 Binder类的jni方法,其中:
FindClassOrDie(env, kBinderPathName) 基本等价于 env->FindClass(kBinderPathName)
MakeGlobalRefOrDie() 等价于 env->NewGlobalRef()
GetMethodIDOrDie() 等价于 env->GetMethodID()
GetFieldIDOrDie() 等价于 env->GeFieldID()
RegisterMethodsOrDie() 等价于 Android::registerNativeMethods();
(1)gBinderOffsets
gBinderOffsets
是全局静态结构体(struct),定义如下:
static struct bindernative_offsets_t
{
jclass mClass; //记录Binder类
jmethodID mExecTransact; //记录execTransact()方法
jfieldID mObject; //记录mObject属性
} gBinderOffsets;
gBinderOffsets
保存了Binder.java
类本身以及其成员方法execTransact()
和成员属性mObject
,这为JNI层访问Java层提供通道。另外通过查询获取Java层 binder信息后保存到gBinderOffsets
,而不再需要每次查找binder类信息的方式能大幅度提高效率,是由于每次查询需要花费较多的CPU时间,尤其是频繁访问时,但用额外的结构体来保存这些信息,是以空间换时间的方法。
(2)gBinderMethods
static const JNINativeMethod gBinderMethods[] = {
/* 名称, 签名, 函数指针 */
{ "getCallingPid", "()I", (void*)android_os_Binder_getCallingPid },
{ "getCallingUid", "()I", (void*)android_os_Binder_getCallingUid },
{ "clearCallingIdentity", "()J", (void*)android_os_Binder_clearCallingIdentity },
{ "restoreCallingIdentity", "(J)V", (void*)android_os_Binder_restoreCallingIdentity },
{ "setThreadStrictModePolicy", "(I)V", (void*)android_os_Binder_setThreadStrictModePolicy },
{ "getThreadStrictModePolicy", "()I", (void*)android_os_Binder_getThreadStrictModePolicy },
{ "flushPendingCommands", "()V", (void*)android_os_Binder_flushPendingCommands },
{ "init", "()V", (void*)android_os_Binder_init },
{ "destroy", "()V", (void*)android_os_Binder_destroy },
{ "blockUntilThreadAvailable", "()V", (void*)android_os_Binder_blockUntilThreadAvailable }
};
通过RegisterMethodsOrDie(),将为gBinderMethods数组中的方法建立了一一映射关系,从而为Java层访问JNI层提供通道。
总之,int_register_android_os_Binder
方法的主要功能:
通过gBinderOffsets,保存Java层Binder类的信息,为JNI层访问Java层提供通道;
通过RegisterMethodsOrDie,将gBinderMethods数组完成映射关系,从而为Java层访问JNI层提供通道。
也就是说该过程建立了Binder类在Native层与framework层之间的相互调用的桥梁。
2.4 注册BinderInternal
==> android_util_Binder.cpp
static int int_register_android_os_BinderInternal(JNIEnv* env) {
//其中kBinderInternalPathName = "com/android/internal/os/BinderInternal"
jclass clazz = FindClassOrDie(env, kBinderInternalPathName);
gBinderInternalOffsets.mClass = MakeGlobalRefOrDie(env, clazz);
gBinderInternalOffsets.mForceGc = GetStaticMethodIDOrDie(env, clazz, "forceBinderGc", "()V");
return RegisterMethodsOrDie(
env, kBinderInternalPathName,
gBinderInternalMethods, NELEM(gBinderInternalMethods));
}
注册BinderInternal类的jni方法,gBinderInternalOffsets
保存了BinderInternal的forceBinderGc()
方法。
下面是BinderInternal类的JNI方法注册:
static const JNINativeMethod gBinderInternalMethods[] = {
{ "getContextObject", "()Landroid/os/IBinder;", (void*)android_os_BinderInternal_getContextObject },
{ "joinThreadPool", "()V", (void*)android_os_BinderInternal_joinThreadPool },
{ "disableBackgroundScheduling", "(Z)V", (void*)android_os_BinderInternal_disableBackgroundScheduling },
{ "handleGc", "()V", (void*)android_os_BinderInternal_handleGc }
};
该过程其【2.3】非常类似,也就是说该过程建立了是BinderInternal类在Native层与framework层之间的相互调用的桥梁。
2.5 注册BinderProxy
==> android_util_Binder.cpp
static int int_register_android_os_BinderProxy(JNIEnv* env) {
//gErrorOffsets保存了Error类信息
jclass clazz = FindClassOrDie(env, "java/lang/Error");
gErrorOffsets.mClass = MakeGlobalRefOrDie(env, clazz);
//gBinderProxyOffsets保存了BinderProxy类的信息
//其中kBinderProxyPathName = "android/os/BinderProxy"
clazz = FindClassOrDie(env, kBinderProxyPathName);
gBinderProxyOffsets.mClass = MakeGlobalRefOrDie(env, clazz);
gBinderProxyOffsets.mConstructor = GetMethodIDOrDie(env, clazz, "<init>", "()V");
gBinderProxyOffsets.mSendDeathNotice = GetStaticMethodIDOrDie(env, clazz, "sendDeathNotice", "(Landroid/os/IBinder$DeathRecipient;)V");
gBinderProxyOffsets.mObject = GetFieldIDOrDie(env, clazz, "mObject", "J");
gBinderProxyOffsets.mSelf = GetFieldIDOrDie(env, clazz, "mSelf", "Ljava/lang/ref/WeakReference;");
gBinderProxyOffsets.mOrgue = GetFieldIDOrDie(env, clazz, "mOrgue", "J");
//gClassOffsets保存了Class.getName()方法
clazz = FindClassOrDie(env, "java/lang/Class");
gClassOffsets.mGetName = GetMethodIDOrDie(env, clazz, "getName", "()Ljava/lang/String;");
return RegisterMethodsOrDie(
env, kBinderProxyPathName,
gBinderProxyMethods, NELEM(gBinderProxyMethods));
}
注册BinderProxy类的jni方法,gBinderProxyOffsets
保存了BinderProxy的构造方法,sendDeathNotice(), mObject, mSelf, mOrgue信息。
下面BinderProxy类的JNI方法注册:
static const JNINativeMethod gBinderProxyMethods[] = {
/* 名称, 签名, 函数指针 */
{"pingBinder", "()Z", (void*)android_os_BinderProxy_pingBinder},
{"isBinderAlive", "()Z", (void*)android_os_BinderProxy_isBinderAlive},
{"getInterfaceDescriptor", "()Ljava/lang/String;", (void*)android_os_BinderProxy_getInterfaceDescriptor},
{"transactNative", "(ILandroid/os/Parcel;Landroid/os/Parcel;I)Z", (void*)android_os_BinderProxy_transact},
{"linkToDeath", "(Landroid/os/IBinder$DeathRecipient;I)V", (void*)android_os_BinderProxy_linkToDeath},
{"unlinkToDeath", "(Landroid/os/IBinder$DeathRecipient;I)Z", (void*)android_os_BinderProxy_unlinkToDeath},
{"destroy", "()V", (void*)android_os_BinderProxy_destroy},
};
该过程其【2.3】非常类似,也就是说该过程建立了是BinderProxy类在Native层与framework层之间的相互调用的桥梁。
三、Java&Native交互-ServiceManager
3.1 获取getIServiceManager
[-> ServiceManager.java]
private static IServiceManager getIServiceManager() {
if (sServiceManager != null) {
return sServiceManager;
}
sServiceManager = ServiceManagerNative.asInterface(BinderInternal.getContextObject());
return sServiceManager;
}
采用了单例模式获取ServiceManager#getIServiceManager()返回的是ServiceManagerProxy(简称SMP)对象
3.2.1 getContextObject()
[-> android_util_binder.cpp]
static jobject android_os_BinderInternal_getContextObject(JNIEnv* env, jobject clazz)
{
sp<IBinder> b = ProcessState::self()->getContextObject(NULL);
return javaObjectForIBinder(env, b); //【见3.2.2】
}
BinderInternal.java中有一个native方法getContextObject
(),JNI调用执行上述方法。
对于ProcessState::self()->getContextObject(),在这篇文章已经详细说明,即ProcessState::self()->getContextObject()
等价于 new BpBinder(0)
;
3.2.2 javaObjectForIBinder
[-> android_util_binder.cpp]
jobject javaObjectForIBinder(JNIEnv* env, const sp<IBinder>& val) {
if (val == NULL) return NULL;
if (val->checkSubclass(&gBinderOffsets)) { //返回false
jobject object = static_cast<JavaBBinder*>(val.get())->object();
return object;
}
AutoMutex _l(mProxyLock);
jobject object = (jobject)val->findObject(&gBinderProxyOffsets);
if (object != NULL) { //第一次object为null
jobject res = jniGetReferent(env, object);
if (res != NULL) {
return res;
}
android_atomic_dec(&gNumProxyRefs);
val->detachObject(&gBinderProxyOffsets);
env->DeleteGlobalRef(object);
}
//创建BinderProxy对象
object = env->NewObject(gBinderProxyOffsets.mClass, gBinderProxyOffsets.mConstructor);
if (object != NULL) {
//BinderProxy.mObject成员变量记录BpBinder对象
env->SetLongField(object, gBinderProxyOffsets.mObject, (jlong)val.get());
val->incStrong((void*)javaObjectForIBinder);
jobject refObject = env->NewGlobalRef(
env->GetObjectField(object, gBinderProxyOffsets.mSelf));
//将BinderProxy对象信息附加到BpBinder的成员变量mObjects中
val->attachObject(&gBinderProxyOffsets, refObject,
jnienv_to_javavm(env), proxy_cleanup);
sp<DeathRecipientList> drl = new DeathRecipientList;
drl->incStrong((void*)javaObjectForIBinder);
//BinderProxy.mOrgue成员变量记录死亡通知对象
env->SetLongField(object, gBinderProxyOffsets.mOrgue, reinterpret_cast<jlong>(drl.get()));
android_atomic_inc(&gNumProxyRefs);
incRefsCreated(env);
}
return object;
}
根据BpBinder(C++)生成BinderProxy(Java)对象. 主要工作是创建BinderProxy对象,并把BpBinder对象地址保存到BinderProxy.mObject成员变量. 到此,可知ServiceManagerNative.asInterface(BinderInternal.getContextObject())
等价于
ServiceManagerNative.asInterface(new BinderProxy())
3.3 SMN.asInterface
[-> ServiceManagerNative.java]
static public IServiceManager asInterface(IBinder obj) {
if (obj == null) { //obj为BpBinder
return null;
}
//由于obj为BpBinder,该方法默认返回null
IServiceManager in = (IServiceManager)obj.queryLocalInterface(descriptor);
if (in != null) {
return in;
}
return new ServiceManagerProxy(obj); //【见小节3.3.1】
}
由此,可知ServiceManagerNative.asInterface(new BinderProxy())
等价于new ServiceManagerProxy(new BinderProxy())
. 为了方便,ServiceManagerProxy简称为SMP。
3.3.1 ServiceManagerProxy初始化
[-> ServiceManagerNative.java ::ServiceManagerProxy]
class ServiceManagerProxy implements IServiceManager {
public ServiceManagerProxy(IBinder remote) {
mRemote = remote;
}
}
mRemote为BinderProxy对象,该BinderProxy对象对应于BpBinder(0),其作为binder代理端,指向native层大管家service Manager。
ServiceManager.getIServiceManager
最终等价于new ServiceManagerProxy(new BinderProxy())
,意味着【3.1】中的getIServiceManager().addService(),等价于SMP.addService().
framework层的ServiceManager的调用实际的工作确实交给ServiceManagerProxy
的成员变量BinderProxy;而BinderProxy通过jni方式,最终会调用BpBinder对象;可见上层binder架构的核心功能依赖native架构的服务来完成的。
注册/获取服务相关的内容,参见原文