Android Binder ServiceManager启动源码分析
Posted we1less
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Android Binder ServiceManager启动源码分析相关的知识,希望对你有一定的参考价值。
此篇文章的解析参考Android Binder(C语言版本)_we1less的博客-CSDN博客
模仿例子参考Android Binder(C语言版本例子)_we1less的博客-CSDN博客
servicemanager.rc 路径 frameworks/native/cmds/servicemanager/servicemanager.rc
service servicemanager /system/bin/servicemanager
class core animation
user system
group system readproc
critical
onrestart restart healthd
onrestart restart zygote
onrestart restart audioserver
onrestart restart media
onrestart restart surfaceflinger
onrestart restart inputflinger
onrestart restart drm
onrestart restart cameraserver
writepid /dev/cpuset/system-background/tasks
shutdown critical
main函数 路径 frameworks/native/cmds/servicemanager/service_manager.c
int main(int argc, char** argv)
{
struct binder_state *bs;
union selinux_callback cb;
char *driver;
if (argc > 1) {
driver = argv[1];
} else {
driver = "/dev/binder";
}
//打开binder驱动
bs = binder_open(driver, 128*1024);
...
//成为servicemanager
if (binder_become_context_manager(bs)) {
ALOGE("cannot become context manager (%s)\\n", strerror(errno));
return -1;
}
...
//进入循环 这里向binder_loop中传递一个函数指针
binder_loop(bs, svcmgr_handler);
return 0;
}binder_open 路径 frameworks/native/cmds/servicemanager/binder.c
主要是用做打开驱动内存映射
struct binder_state *binder_open(const char* driver, size_t mapsize)
{
struct binder_state *bs;
struct binder_version vers;
bs = malloc(sizeof(*bs));
if (!bs) {
errno = ENOMEM;
return NULL;
}
//打开驱动节点
bs->fd = open(driver, O_RDWR | O_CLOEXEC);
...
bs->mapsize = mapsize;
//进行内存地址映射 这里面是 128 * 1024 128k
bs->mapped = mmap(NULL, mapsize, PROT_READ, MAP_PRIVATE, bs->fd, 0);
...
return NULL;
}
binder_become_context_manager 路径 frameworks/native/cmds/servicemanager/binder.c
告诉binder驱动此进程为servicemanager
int binder_become_context_manager(struct binder_state *bs)
{
return ioctl(bs->fd, BINDER_SET_CONTEXT_MGR, 0);
}binder_loop 路径 frameworks/native/cmds/servicemanager/binder.c
func这个为一个函数来自service_manager.c的svcmgr_handler
void binder_loop(struct binder_state *bs, binder_handler func)
{
...
//代表进入循环
readbuf[0] = BC_ENTER_LOOPER;
binder_write(bs, readbuf, sizeof(uint32_t));
for (;;) {
...
//向binder驱动读取写入数据
res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr);
...
//解析数据
res = binder_parse(bs, 0, (uintptr_t) readbuf, bwr.read_consumed, func);
...
}
}binder_parse 路径 frameworks/native/cmds/servicemanager/binder.c
//调用service_manager.c的svcmgr_handler并且填充reply
//不是ONE_WAY的方式就将结果返回
int binder_parse(struct binder_state *bs, struct binder_io *bio,
uintptr_t ptr, size_t size, binder_handler func)
{
int r = 1;
uintptr_t end = ptr + (uintptr_t) size;
while (ptr < end) {
uint32_t cmd = *(uint32_t *) ptr;
ptr += sizeof(uint32_t);
switch(cmd) {
case BR_NOOP:
case BR_TRANSACTION_COMPLETE:
case BR_INCREFS:
case BR_ACQUIRE:
case BR_RELEASE:
case BR_DECREFS:
case BR_TRANSACTION: {
struct binder_transaction_data *txn = (struct binder_transaction_data *) ptr;
...
binder_dump_txn(txn);
if (func) {
unsigned rdata[256/4];
struct binder_io msg;
struct binder_io reply;
int res;
bio_init(&reply, rdata, sizeof(rdata), 4);
bio_init_from_txn(&msg, txn);
//调用service_manager.c的svcmgr_handler并且填充reply
res = func(bs, txn, &msg, &reply);
if (txn->flags & TF_ONE_WAY) {
binder_free_buffer(bs, txn->data.ptr.buffer);
//不是ONE_WAY的方式就将结果返回
} else {
binder_send_reply(bs, &reply, txn->data.ptr.buffer, res);
}
}
ptr += sizeof(*txn);
break;
}
case BR_REPLY:
case BR_DEAD_BINDER
case BR_FAILED_REPLY:
case BR_DEAD_REPLY:
default:
ALOGE("parse: OOPS %d\\n", cmd);
return -1;
}
}
return r;
}svcmgr_handler 路径 frameworks/native/cmds/servicemanager/service_manager.c
SVC_MGR_CHECK_SERVICE 查询服务
SVC_MGR_ADD_SERVICE 注册服务 //主要是调用do_add_service
int svcmgr_handler(struct binder_state *bs,
struct binder_transaction_data *txn,
struct binder_io *msg,
struct binder_io *reply)
{
...
switch(txn->code) {
case SVC_MGR_GET_SERVICE:
case SVC_MGR_CHECK_SERVICE:
...
handle = do_find_service(s, len, txn->sender_euid, txn->sender_pid);
...
case SVC_MGR_ADD_SERVICE:
s = bio_get_string16(msg, &len);
if (s == NULL) {
return -1;
}
handle = bio_get_ref(msg);
allow_isolated = bio_get_uint32(msg) ? 1 : 0;
//主要是调用do_add_service
if (do_add_service(bs, s, len, handle, txn->sender_euid,
allow_isolated, txn->sender_pid))
return -1;
break;
case SVC_MGR_LIST_SERVICES: {
...
}
default:
ALOGE("unknown code %d\\n", txn->code);
return -1;
}
bio_put_uint32(reply, 0);
return 0;
}do_add_service 路径 frameworks/native/cmds/servicemanager/service_manager.c
svcinfo结构体 看struct svcinfo *next;这是一个链表结构
struct svcinfo
{
struct svcinfo *next;
uint32_t handle;
struct binder_death death;
int allow_isolated;
size_t len;
uint16_t name[0];
};int do_add_service(struct binder_state *bs,
const uint16_t *s, size_t len,
uint32_t handle, uid_t uid, int allow_isolated,
pid_t spid)
{
struct svcinfo *si;
...
//遍历svclist链表比较名字查找 这个service是否已经存在
si = find_svc(s, len);
if (si) {
...
//将这个svcinfo的handle更新一下
si->handle = handle;
} else {
//构造一个svcinfo 加入svclist
si = malloc(sizeof(*si) + (len + 1) * sizeof(uint16_t));
...
si->handle = handle;
si->len = len;
memcpy(si->name, s, (len + 1) * sizeof(uint16_t));
si->name[len] = '\\0';
...
si->next = svclist;
svclist = si;
}
binder_acquire(bs, handle);
binder_link_to_death(bs, handle, &si->death);
return 0;
}do_find_service 路径 frameworks/native/cmds/servicemanager/service_manager.c
uint32_t do_find_service(const uint16_t *s, size_t len, uid_t uid, pid_t spid)
{
//遍历svclist链表比较名字查找 这个service是否已经存在
struct svcinfo *si = find_svc(s, len);
...
//返回handle
return si->handle;
}binder_send_reply 路径 frameworks/native/cmds/servicemanager/binder.c
void binder_send_reply(struct binder_state *bs,
struct binder_io *reply,
binder_uintptr_t buffer_to_free,
int status)
{
...
binder_write(bs, &data, sizeof(data));
}
int binder_write(struct binder_state *bs, void *data, size_t len)
{
struct binder_write_read bwr;
...
//向binder驱动写入数据
res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr);
..
return res;
}
以上是关于Android Binder ServiceManager启动源码分析的主要内容,如果未能解决你的问题,请参考以下文章
Android : 跟我学Binder --- 驱动情景分析