1、总图中的第一步
如图:第一步
~/Android/frameworks/base/core/java/android/app
----ActivityManagerNative.java
// Client-side proxy excerpt: marshals a startActivity request into a Parcel
// and sends it to the remote IActivityManager. The class body and parts of the
// method are elided by the author (the "........." marker).
class ActivityManagerProxy implements IActivityManager {
    /**
     * Packs the start-activity arguments into {@code data} and issues
     * START_ACTIVITY_TRANSACTION on {@code mRemote}.
     *
     * Two Binder references cross the process boundary here: the caller's
     * IApplicationThread (written as a binder, or null when caller is null)
     * and the {@code resultTo} token.
     *
     * NOTE(review): the excerpt ends after transact(); reading {@code reply},
     * the return statement and recycling of both parcels are not shown and are
     * presumably elided - confirm against the full source.
     */
    public int startActivity(IApplicationThread caller, Intent intent, String resolvedType, Uri[] grantedUriPermissions, int grantedMode, IBinder resultTo, String resultWho, int requestCode, boolean onlyIfNeeded, boolean debug) throws RemoteException {
        Parcel data = Parcel.obtain();
        Parcel reply = Parcel.obtain();
        // The interface token is written first; the receiving onTransact checks
        // it with enforceInterface before reading any field.
        data.writeInterfaceToken(IActivityManager.descriptor);
        data.writeStrongBinder(caller != null ? caller.asBinder() : null);
        intent.writeToParcel(data, 0);
        .........
        data.writeStrongBinder(resultTo);
        mRemote.transact(START_ACTIVITY_TRANSACTION, data, reply, 0);
    }
其中caller为:
final ApplicationThread mAppThread = new ApplicationThread();继承于ApplicationThreadNative,ApplicationThreadNative继承于Binder实现了IApplicationThread。
resultTo如下图所示:
java层的Parcel,writeStrongBinder方法,最后映射到C++层,执行如下:
~/Android/frameworks/base/core/jni
----android_util_Binder.cpp
/**
 * JNI backing for the Java Parcel's writeStrongBinder.
 *
 * @param env    JNI environment of the calling thread.
 * @param clazz  The Java Parcel object; resolved to its native Parcel through
 *               parcelForJavaObject.
 * @param object The Java object to write; converted to a native IBinder through
 *               ibinderForJavaObject.
 *
 * Does nothing when no native Parcel is found. Every status other than
 * NO_ERROR is reported to Java as java.lang.OutOfMemoryError, so the exception
 * type does not tell the caller why the write failed.
 */
static void android_os_Parcel_writeStrongBinder(JNIEnv* env, jobject clazz, jobject object)
{
    Parcel* const target = parcelForJavaObject(env, clazz);
    if (target == NULL) {
        return;
    }

    const status_t status = target->writeStrongBinder(ibinderForJavaObject(env, object));
    if (status == NO_ERROR) {
        return;
    }

    jniThrowException(env, "java/lang/OutOfMemoryError", NULL);
}
ibinderForjavaObject实现如下:
~/Android/frameworks/base/core/jni
----android_util_Binder.cpp
/**
 * Maps a Java Binder or BinderProxy object to its native IBinder.
 *
 * @param env JNI environment of the calling thread.
 * @param obj Java object to convert; may be NULL.
 * @return NULL for a NULL obj; for an instance of gBinderOffsets.mClass, the
 *         result of JavaBBinderHolder::get() (NULL if the holder field is 0);
 *         for an instance of gBinderProxyOffsets.mClass, the IBinder* stored
 *         in its mObject field; otherwise NULL after logging a warning.
 *
 * NOTE(review): in both branches a native pointer is read from a Java int
 * field and cast back without further validation in this function. This only
 * round-trips where pointers fit in 32 bits, and the integrity of that field
 * is assumed - confirm how the Java side protects it.
 */
sp<IBinder> ibinderForJavaObject(JNIEnv* env, jobject obj)
{
    if (obj == NULL) {
        return NULL;
    }

    // Local (server-side) Java Binder: mObject holds a JavaBBinderHolder*.
    if (env->IsInstanceOf(obj, gBinderOffsets.mClass)) {
        JavaBBinderHolder* holder =
                (JavaBBinderHolder*) env->GetIntField(obj, gBinderOffsets.mObject);
        if (holder == NULL) {
            return NULL;
        }
        return holder->get(env);
    }

    // Java BinderProxy: mObject holds the native IBinder* directly.
    if (env->IsInstanceOf(obj, gBinderProxyOffsets.mClass)) {
        IBinder* remote = (IBinder*) env->GetIntField(obj, gBinderProxyOffsets.mObject);
        return remote;
    }

    LOGW("ibinderForJavaObject: %p is not a Binder object", obj);
    return NULL;
}
(1)如果传入的是caller.asBinder(),那么首先生成一个JavaBBinder本地对象。
(2)如果传入的是resultTo,那么生成一个代理对象。
writeStrongBinder实现如下:
~/Android/frameworks/base/libs/binder
----Parcel.cpp
/**
 * Writes a strong binder reference into this parcel.
 *
 * @param val Binder to write; forwarded unchanged to flatten_binder.
 * @return The status returned by flatten_binder.
 */
status_t Parcel::writeStrongBinder(const sp<IBinder>& val)
{
    const sp<ProcessState> process = ProcessState::self();
    return flatten_binder(process, val, this);
}
/**
 * Encodes a binder reference as a flat_binder_object and appends it to a parcel.
 *
 * @param proc   Process state; not used in the visible body.
 * @param binder Binder to encode; may be NULL.
 * @param out    Parcel that receives the object via finish_flatten_binder.
 * @return The status returned by finish_flatten_binder.
 *
 * Encoding, as visible here:
 *  - NULL binder:  BINDER_TYPE_BINDER with binder and cookie both NULL.
 *  - local binder: BINDER_TYPE_BINDER, binder = weak-refs pointer, cookie =
 *                  address of the local IBinder.
 *  - otherwise:    BINDER_TYPE_HANDLE carrying the proxy's handle.
 */
status_t flatten_binder(const sp<ProcessState>& proc, const sp<IBinder>& binder, Parcel* out)
{
    flat_binder_object flat;

    // 0x7f presumably fills the priority bits of the flags word - confirm
    // against the driver header.
    flat.flags = 0x7f | FLAT_BINDER_FLAG_ACCEPTS_FDS;

    if (binder == NULL) {
        flat.type = BINDER_TYPE_BINDER;
        flat.binder = NULL;
        flat.cookie = NULL;
    } else if (IBinder* localObj = binder->localBinder()) {
        flat.type = BINDER_TYPE_BINDER;
        flat.binder = localObj->getWeakRefs();
        flat.cookie = localObj;
    } else {
        BpBinder* remote = binder->remoteBinder();
        int32_t remoteHandle = 0;
        if (remote == NULL) {
            // NOTE(review): a binder that is neither local nor a BpBinder is
            // only logged and then flattened as handle 0. In Binder, handle 0
            // conventionally names the context manager, so this fallback
            // silently substitutes a different object - consider whether
            // failing the write would be safer.
            LOGE("null proxy");
        } else {
            remoteHandle = remote->handle();
        }
        flat.type = BINDER_TYPE_HANDLE;
        flat.handle = remoteHandle;
        flat.cookie = NULL;
    }

    return finish_flatten_binder(binder, flat, out);
}
(1)如果是本地对象,obj.cookie为本地对象IBinder地址。
(2)如果是代理对象,obj.handle为代理对象的句柄值。
如图:第二步
Binder Driver:调用binder_transaction:
~/Android/kernel/goldfish/drivers/staging/android
----binder.c
/*
 * Excerpt from the driver's per-object translation inside binder_transaction.
 * Each flat_binder_object (fp) in the sender's buffer is rewritten so that it
 * is meaningful in the target process. Lines marked with dots were elided by
 * the author of the page.
 */
case BINDER_TYPE_BINDER:
case BINDER_TYPE_WEAK_BINDER: {
	struct binder_ref *ref;
	/* Look up the sender's node for this binder; create it on first use. */
	struct binder_node *node = binder_get_node(proc, fp->binder);
	if (node == NULL) {
		node = binder_new_node(proc, fp->binder, fp->cookie);
		......
	}
	.......
	/* Obtain the target process's reference to that node. */
	ref = binder_get_ref_for_node(target_proc, node);
	if (ref == NULL) {
		return_error = BR_FAILED_REPLY;
		goto err_binder_get_ref_for_node_failed;
	}
	/*
	 * The receiver never sees the sender's pointer: the object is turned
	 * into a handle whose value is the target-side descriptor ref->desc.
	 */
	if (fp->type == BINDER_TYPE_BINDER)
		fp->type = BINDER_TYPE_HANDLE;
	else
		fp->type = BINDER_TYPE_WEAK_HANDLE;
	fp->handle = ref->desc;
	......
} break;
case BINDER_TYPE_HANDLE:
case BINDER_TYPE_WEAK_HANDLE: {
	/* Resolve the handle in the sender's own reference table. */
	struct binder_ref *ref = binder_get_ref(proc, fp->handle);
	/*
	 * NOTE(review): ref is dereferenced below; the NULL check for an
	 * unknown handle is presumably in the elided lines - confirm against
	 * the full source.
	 */
	......
	if (ref->node->proc == target_proc) {
		/*
		 * The node lives in the target process, so the handle is turned
		 * back into a local binder. ptr and cookie are taken from the
		 * node the driver holds, not from the sender's buffer.
		 */
		if (fp->type == BINDER_TYPE_HANDLE)
			fp->type = BINDER_TYPE_BINDER;
		else
			fp->type = BINDER_TYPE_WEAK_BINDER;
		fp->binder = ref->node->ptr;
		fp->cookie = ref->node->cookie;
		binder_inc_node(ref->node, fp->type == BINDER_TYPE_BINDER, 0, NULL);
		if (binder_debug_mask & BINDER_DEBUG_TRANSACTION)
			printk(KERN_INFO " ref %d desc %d -> node %d u%p\n",
			       ref->debug_id, ref->desc, ref->node->debug_id, ref->node->ptr);
	} else {
		/* Node belongs to a third process; handling is elided here. */
		.......
	}
} break;
(1)如果是BINDER_TYPE_BINDER,首先创建实体对象,再创建引用对象。handle为引用句柄值。
(2)如果是BINDER_TYPE_HANDLE,首先获取引用对象,再获取实体对象,cookie为本地对象IBinder的地址。
如图:第三步
~/Android/frameworks/base/core/java/android/app
----ActivityManagerNative.java
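// Server-side stub excerpt: unmarshals requests sent by ActivityManagerProxy.
// The class body, the remaining cases and the closing braces are elided by the
// author of the page (the "......" markers).
public abstract class ActivityManagerNative extends Binder implements IActivityManager {
    ......
    /**
     * Dispatches an incoming transaction by its code.
     *
     * For START_ACTIVITY_TRANSACTION the fields are read in the order the proxy
     * wrote them: interface token, caller binder, intent, resolved type, ...,
     * resultTo binder.
     *
     * NOTE(review): everything read from {@code data} after the interface check
     * is supplied by the calling process. This excerpt shows no validation of
     * {@code app}, {@code intent} or {@code resultTo}; presumably that happens
     * in the startActivity implementation - confirm.
     */
    public boolean onTransact(int code, Parcel data, Parcel reply, int flags) throws RemoteException {
        switch (code) {
        case START_ACTIVITY_TRANSACTION: {
            // Check the interface token before reading any field.
            data.enforceInterface(IActivityManager.descriptor);
            IBinder b = data.readStrongBinder();
            IApplicationThread app = ApplicationThreadNative.asInterface(b);
            Intent intent = Intent.CREATOR.createFromParcel(data);
            String resolvedType = data.readString();
            ......
            IBinder resultTo = data.readStrongBinder();
            ......
            return true;
        }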
~/Android/frameworks/base/core/jni
----android_util_Binder.cpp
/**
 * JNI backing for the Java Parcel's readStrongBinder.
 *
 * @param env   JNI environment of the calling thread.
 * @param clazz The Java Parcel object; resolved to its native Parcel through
 *              parcelForJavaObject.
 * @return The Java object produced by javaObjectForIBinder for the binder read
 *         from the parcel, or NULL when no native Parcel is found.
 */
static jobject android_os_Parcel_readStrongBinder(JNIEnv* env, jobject clazz)
{
    Parcel* const source = parcelForJavaObject(env, clazz);
    if (source == NULL) {
        return NULL;
    }
    return javaObjectForIBinder(env, source->readStrongBinder());
}
~/Android/frameworks/base/libs/binder
----Parcel.cpp
/**
 * Reads a strong binder reference from this parcel.
 *
 * @return The binder filled in by unflatten_binder. The status returned by
 *         unflatten_binder is discarded, so when it assigns nothing the
 *         default-constructed (empty) sp is returned.
 */
sp<IBinder> Parcel::readStrongBinder() const
{
    sp<IBinder> result;
    const sp<ProcessState> process = ProcessState::self();
    unflatten_binder(process, *this, &result);
    return result;
}
/**
 * Decodes the next flat_binder_object in a parcel into an IBinder.
 *
 * @param proc Process state used to obtain a proxy for a handle.
 * @param in   Parcel to read the object from.
 * @param out  Receives the decoded binder; left untouched on BAD_TYPE.
 * @return The status of finish_unflatten_binder for the two handled types,
 *         BAD_TYPE when no object could be read or the type is not handled.
 *
 * NOTE(review): for BINDER_TYPE_BINDER the cookie is cast straight to an
 * IBinder* of this process. That is only sound if the object came through the
 * driver's translation (or was written by this process) - confirm how
 * readObject validates the object before it reaches this cast.
 */
status_t unflatten_binder(const sp<ProcessState>& proc, const Parcel& in, sp<IBinder>* out)
{
    const flat_binder_object* entry = in.readObject(false);
    if (!entry) {
        return BAD_TYPE;
    }

    // Local object: the cookie is the address of the IBinder in this process.
    if (entry->type == BINDER_TYPE_BINDER) {
        *out = static_cast<IBinder*>(entry->cookie);
        return finish_unflatten_binder(NULL, *entry, in);
    }

    // Remote object: look up (or create) the proxy for the handle.
    if (entry->type == BINDER_TYPE_HANDLE) {
        *out = proc->getStrongProxyForHandle(entry->handle);
        return finish_unflatten_binder(static_cast<BpBinder*>(out->get()), *entry, in);
    }

    return BAD_TYPE;
}
(1)如果是BINDER_TYPE_BINDER,返回本地对象。
(2)如果是BINDER_TYPE_HANDLE,根据句柄值,返回代理对象。
然后执行javaObjectForIBinder。
~/Android/frameworks/base/core/jni ----android_util_Binder.cpp
/**
 * Maps a native IBinder to the Java object that represents it.
 *
 * @param env JNI environment of the calling thread.
 * @param val Native binder; may be NULL.
 * @return NULL for a NULL binder; the wrapped Java object when val is a
 *         JavaBBinder of this process; otherwise an existing or newly created
 *         BinderProxy (NULL if NewObject fails).
 *
 * Lines marked with dots were elided by the author of the page.
 */
jobject javaObjectForIBinder(JNIEnv* env, const sp<IBinder>& val)
{
    if (val == NULL) return NULL;

    if (val->checkSubclass(&gBinderOffsets)) {
        // One of our own!
        // The downcast is guarded by the checkSubclass test above.
        jobject object = static_cast<JavaBBinder*>(val.get())->object();
        ........
        return object;
    }

    // For the rest of the function we will hold this lock, to serialize
    // looking/creation of Java proxies for native Binder proxies.
    AutoMutex _l(mProxyLock);

    // Someone else's...  do we know about it?
    // Check whether a BinderProxy was already attached to this binder.
    jobject object = (jobject)val->findObject(&gBinderProxyOffsets);
    if (object != NULL) {
        // What is attached is a WeakReference to the BinderProxy, and the
        // proxy may already be gone; get() yields a strong reference or NULL.
        jobject res = env->CallObjectMethod(object, gWeakReferenceOffsets.mGet);
        if (res != NULL) {
            ......
            return res; // proxy still alive: reuse it
        }
        .....
        // Reached when get() returned NULL: drop the stale bookkeeping.
        android_atomic_dec(&gNumProxyRefs);
        val->detachObject(&gBinderProxyOffsets); // unlink the dead BinderProxy
        env->DeleteGlobalRef(object);            // release the global ref to the WeakReference
    }

    // Create a fresh BinderProxy.
    object = env->NewObject(gBinderProxyOffsets.mClass, gBinderProxyOffsets.mConstructor);
    if (object != NULL) {
        .......
        // BinderProxy.mObject records the address of the native binder.
        // NOTE(review): the pointer is narrowed to int, which only round-trips
        // where pointers fit in 32 bits; ibinderForJavaObject later casts this
        // field back to IBinder* without validation.
        env->SetIntField(object, gBinderProxyOffsets.mObject, (int)val.get());
        // Strong reference taken on behalf of the Java proxy; presumably
        // released by the proxy's cleanup path - confirm.
        val->incStrong(object);

        // The native object needs to hold a weak reference back to the
        // proxy, so we can retrieve the same proxy if it is still active.
        // mSelf is read from the BinderProxy and pinned with a global ref.
        jobject refObject = env->NewGlobalRef(
                env->GetObjectField(object, gBinderProxyOffsets.mSelf));
        // Attach it to the native binder so the findObject call above can
        // find it next time.
        val->attachObject(&gBinderProxyOffsets, refObject,
                jnienv_to_javavm(env), proxy_cleanup);

        // Note that a new object reference has been created.
        android_atomic_inc(&gNumProxyRefs);
        incRefsCreated(env);
    }

    return object;
}
(1)如果是本地对象,首先向下转型为JavaBBinder,然后取得ActivityRecord对象,它继承了IApplicationToken.Stub。而IApplicationToken.Stub继承Binder,实现了IApplicationToken。所以可以向上转型为IBinder。
IBinder resultTo = data.readStrongBinder();
(2)如果是代理对象,首先生成BinderProxy对象,里面的mObject指向代理对象,向上转型为IBinder。
IBinder b = data.readStrongBinder(); IApplicationThread app = ApplicationThreadNative.asInterface(b);然后生成ActivityManagerProxy对象,里面mRemote指向BinderProxy对象。
如图:第四步
~/Android/frameworks/base/services/java/com/android/server/am
----ActivityManagerService.java
/**
 * Service-side entry point for a start-activity request; forwards every
 * argument to {@code mMainStack.startActivityMayWait} with two trailing nulls.
 *
 * NOTE(review): {@code caller}, {@code intent} and {@code resultTo} arrive
 * from the requesting process over Binder. No check is performed in this
 * method; validation is presumably done inside startActivityMayWait - confirm.
 *
 * @return the value returned by startActivityMayWait
 */
public final int startActivity(IApplicationThread caller, Intent intent, String resolvedType, Uri[] grantedUriPermissions, int grantedMode, IBinder resultTo, String resultWho, int requestCode, boolean onlyIfNeeded, boolean debug) {
    final int outcome = mMainStack.startActivityMayWait(
            caller, intent, resolvedType,
            grantedUriPermissions, grantedMode,
            resultTo, resultWho, requestCode,
            onlyIfNeeded, debug,
            null, null);
    return outcome;
}
待续