|
此篇文章的解析参考Android Binder(C语言版本)_we1less的博客-CSDN博客
模仿例子参考Android Binder(C语言版本例子)_we1less的博客-CSDN博客
servicemanager.rc 路径? frameworks/native/cmds/servicemanager/servicemanager.rc
service servicemanager /system/bin/servicemanager
class core animation
user system
group system readproc
critical
onrestart restart healthd
onrestart restart zygote
onrestart restart audioserver
onrestart restart media
onrestart restart surfaceflinger
onrestart restart inputflinger
onrestart restart drm
onrestart restart cameraserver
writepid /dev/cpuset/system-background/tasks
shutdown critical
main函数? 路径? frameworks/native/cmds/servicemanager/service_manager.c
int main(int argc, char** argv)
{
struct binder_state *bs;
union selinux_callback cb;
char *driver;
if (argc > 1) {
driver = argv[1];
} else {
driver = "/dev/binder";
}
//打开binder驱动
bs = binder_open(driver, 128*1024);
...
//成为servicemanager
if (binder_become_context_manager(bs)) {
ALOGE("cannot become context manager (%s)\n", strerror(errno));
return -1;
}
...
//进入循环 这里向binder_loop中传递一个函数指针
binder_loop(bs, svcmgr_handler);
return 0;
}
binder_open? 路径??frameworks/native/cmds/servicemanager/binder.c
? ? ? ? 主要是用做打开驱动内存映射
struct binder_state *binder_open(const char* driver, size_t mapsize)
{
struct binder_state *bs;
struct binder_version vers;
bs = malloc(sizeof(*bs));
if (!bs) {
errno = ENOMEM;
return NULL;
}
//打开驱动节点
bs->fd = open(driver, O_RDWR | O_CLOEXEC);
...
bs->mapsize = mapsize;
//进行内存地址映射 这里面是 128 * 1024 128k
bs->mapped = mmap(NULL, mapsize, PROT_READ, MAP_PRIVATE, bs->fd, 0);
...
return NULL;
}
?binder_become_context_manager??路径??frameworks/native/cmds/servicemanager/binder.c
? ? ? ? 告诉binder驱动此进程为servicemanager
int binder_become_context_manager(struct binder_state *bs)
{
return ioctl(bs->fd, BINDER_SET_CONTEXT_MGR, 0);
}
binder_loop??路径??frameworks/native/cmds/servicemanager/binder.c
????????func这个为一个函数来自service_manager.c的svcmgr_handler
void binder_loop(struct binder_state *bs, binder_handler func)
{
...
//代表进入循环
readbuf[0] = BC_ENTER_LOOPER;
binder_write(bs, readbuf, sizeof(uint32_t));
for (;;) {
...
//向binder驱动读取写入数据
res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr);
...
//解析数据
res = binder_parse(bs, 0, (uintptr_t) readbuf, bwr.read_consumed, func);
...
}
}
binder_parse??路径??frameworks/native/cmds/servicemanager/binder.c
????????//调用service_manager.c的svcmgr_handler并且填充reply
? ? ? ??//不是ONE_WAY的方式就将结果返回
int binder_parse(struct binder_state *bs, struct binder_io *bio,
uintptr_t ptr, size_t size, binder_handler func)
{
int r = 1;
uintptr_t end = ptr + (uintptr_t) size;
while (ptr < end) {
uint32_t cmd = *(uint32_t *) ptr;
ptr += sizeof(uint32_t);
switch(cmd) {
case BR_NOOP:
case BR_TRANSACTION_COMPLETE:
case BR_INCREFS:
case BR_ACQUIRE:
case BR_RELEASE:
case BR_DECREFS:
case BR_TRANSACTION: {
struct binder_transaction_data *txn = (struct binder_transaction_data *) ptr;
...
binder_dump_txn(txn);
if (func) {
unsigned rdata[256/4];
struct binder_io msg;
struct binder_io reply;
int res;
bio_init(&reply, rdata, sizeof(rdata), 4);
bio_init_from_txn(&msg, txn);
//调用service_manager.c的svcmgr_handler并且填充reply
res = func(bs, txn, &msg, &reply);
if (txn->flags & TF_ONE_WAY) {
binder_free_buffer(bs, txn->data.ptr.buffer);
//不是ONE_WAY的方式就将结果返回
} else {
binder_send_reply(bs, &reply, txn->data.ptr.buffer, res);
}
}
ptr += sizeof(*txn);
break;
}
case BR_REPLY:
case BR_DEAD_BINDER
case BR_FAILED_REPLY:
case BR_DEAD_REPLY:
default:
ALOGE("parse: OOPS %d\n", cmd);
return -1;
}
}
return r;
}
svcmgr_handler? 路径? frameworks/native/cmds/servicemanager/service_manager.c
????????SVC_MGR_CHECK_SERVICE ?查询服务
????????SVC_MGR_ADD_SERVICE ? ?注册服务????????//主要是调用do_add_service
int svcmgr_handler(struct binder_state *bs,
struct binder_transaction_data *txn,
struct binder_io *msg,
struct binder_io *reply)
{
...
switch(txn->code) {
case SVC_MGR_GET_SERVICE:
case SVC_MGR_CHECK_SERVICE:
...
handle = do_find_service(s, len, txn->sender_euid, txn->sender_pid);
...
case SVC_MGR_ADD_SERVICE:
s = bio_get_string16(msg, &len);
if (s == NULL) {
return -1;
}
handle = bio_get_ref(msg);
allow_isolated = bio_get_uint32(msg) ? 1 : 0;
//主要是调用do_add_service
if (do_add_service(bs, s, len, handle, txn->sender_euid,
allow_isolated, txn->sender_pid))
return -1;
break;
case SVC_MGR_LIST_SERVICES: {
...
}
default:
ALOGE("unknown code %d\n", txn->code);
return -1;
}
bio_put_uint32(reply, 0);
return 0;
}
?do_add_service? 路径? frameworks/native/cmds/servicemanager/service_manager.c
????????svcinfo结构体? ? ?看struct svcinfo *next;这是一个链表结构
struct svcinfo
{
struct svcinfo *next;
uint32_t handle;
struct binder_death death;
int allow_isolated;
size_t len;
uint16_t name[0];
};
int do_add_service(struct binder_state *bs,
const uint16_t *s, size_t len,
uint32_t handle, uid_t uid, int allow_isolated,
pid_t spid)
{
struct svcinfo *si;
...
//遍历svclist链表比较名字查找 这个service是否已经存在
si = find_svc(s, len);
if (si) {
...
//将这个svcinfo的handle更新一下
si->handle = handle;
} else {
//构造一个svcinfo 加入svclist
si = malloc(sizeof(*si) + (len + 1) * sizeof(uint16_t));
...
si->handle = handle;
si->len = len;
memcpy(si->name, s, (len + 1) * sizeof(uint16_t));
si->name[len] = '\0';
...
si->next = svclist;
svclist = si;
}
binder_acquire(bs, handle);
binder_link_to_death(bs, handle, &si->death);
return 0;
}
do_find_service??路径? frameworks/native/cmds/servicemanager/service_manager.c
uint32_t do_find_service(const uint16_t *s, size_t len, uid_t uid, pid_t spid)
{
//遍历svclist链表比较名字查找 这个service是否已经存在
struct svcinfo *si = find_svc(s, len);
...
//返回handle
return si->handle;
}
?binder_send_reply? 路径??frameworks/native/cmds/servicemanager/binder.c
void binder_send_reply(struct binder_state *bs,
struct binder_io *reply,
binder_uintptr_t buffer_to_free,
int status)
{
...
binder_write(bs, &data, sizeof(data));
}
int binder_write(struct binder_state *bs, void *data, size_t len)
{
struct binder_write_read bwr;
...
//向binder驱动写入数据
res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr);
..
return res;
}
|