SurfaceFlinger框架是基于Binder进程间通信机制搭建的,SF作为一个服务进程,用户程序想要跟它通信必然要经过Binder机制。首先说一下,用户要跟SF通信,那么SF必须出现在ServiceManager中,因为SF也是一个服务,所有的服务都由ServiceManager来进行统一管理。在系统启动的过程中,SF就在ServiceManager中注册好了,注册好之后,SF在后台中监视一些surface的变化从而做出处理。
而启动之后,用户程序想操作一些跟surface有关的动作,就必须和SF进行交互。而这种交互是基于Binder进程间通信机制的。下面是一张图简单说明了SF的基本框架:
大体结构是这样,有些地方有些小错误用图形不能很好的表达。用文字来说明一下:
当应用程序需要请求SurfaceFlinger服务时,首先需要构造SurfaceComposerClient对象,通过SurfaceComposerClient对象就可以访问SurfaceFlinger服务了。基本的服务流程都是这么走的,我们看一下SurfaceComposerClient的构造函数:
- SurfaceComposerClient::SurfaceComposerClient()
- : mStatus(NO_INIT), mComposer(Composer::getInstance())
- {
- }
可想而知没做啥事啊,SurfaceComposerClient 继承于RefBase类,在创建SurfaceComposerClient对象,系统第一次引用SurfaceComposerClient对象时,onFirstRef函数自动调用,我们看一下它的onFirstRef
- void SurfaceComposerClient::onFirstRef() {
- sp<ISurfaceComposer> sm(ComposerService::getComposerService());
- if (sm != 0) {
- sp<ISurfaceComposerClient> conn = sm->createConnection();
- if (conn != 0) {
- mClient = conn;
- mStatus = NO_ERROR;
- }
- }
- }
上面代码,第二行的作用是获得SurfaceFlinger这个服务,我们跟踪一下:
- sp<ISurfaceComposer> ComposerService::getComposerService() {
- ComposerService& instance = ComposerService::getInstance();
- Mutex::Autolock _l(instance.mLock);
- if (instance.mComposerService == NULL) {
- ComposerService::getInstance().connectLocked();
- assert(instance.mComposerService != NULL);
- ALOGD("ComposerService reconnected");
- }
- return instance.mComposerService;
- }
第二行得到了ComposerService的对象,是为了下一步访问它的成员变量mComposerService(ISurfaceComposer类的),跟踪到第五行的函数 connectLocked():
- void ComposerService::connectLocked() {
- const String16 name("SurfaceFlinger");
- while (getService(name, &mComposerService) != NO_ERROR) {
- usleep(250000);
- }
- assert(mComposerService != NULL);
-
- }
这里看到第三行getService(),第一个参数是“SurfaceFlinger”,第二个参数是mComposerService,记住它的类型的强引用的ISurfaceComposer,对就是这句得到了一个SurfaceFlinger服务的代理对象,看一下这个的函数的实体:
- template<typename INTERFACE>
- status_t getService(const String16& name, sp<INTERFACE>* outService)
- {
- const sp<IServiceManager> sm = defaultServiceManager();
- if (sm != NULL) {
- *outService = interface_cast<INTERFACE>(sm->getService(name));
- if ((*outService) != NULL) return NO_ERROR;
- }
- return NAME_NOT_FOUND;
- }
到第四行这里跟之前启动过程中SurfaceFlinger的创建一模一样了,最后outService会被强转化成BpSurfaceComposer类,BpSurfaceComposer就是SurfaceFlinger在客户端这边的Binder代理,与之对应的是BnSurfaceComposer相当于SurfaceFlinger这边与BpSurfaceComposer进行交互的一方。获得了代理之后,我们再回到之前的onFirstRef函数:
- void SurfaceComposerClient::onFirstRef() {
- sp<ISurfaceComposer> sm(ComposerService::getComposerService());
- if (sm != 0) {
- sp<ISurfaceComposerClient> conn = sm->createConnection();
- if (conn != 0) {
- mClient = conn;
- mStatus = NO_ERROR;
- }
- }
- }
这时候走到if,sm有值了,所以往下走,看名字可以得出这是客户端在请求连接到SurfaceFlinger服务。我们跟踪一下createConnection:
- virtual sp<ISurfaceComposerClient> createConnection()
- {
- uint32_t n;
- Parcel data, reply;
- data.writeInterfaceToken(ISurfaceComposer::getInterfaceDescriptor());
- remote()->transact(BnSurfaceComposer::CREATE_CONNECTION, data, &reply);
- return interface_cast<ISurfaceComposerClient>(reply.readStrongBinder());
- }
函数的大概意思是把一些连接信息写到数据包data里,然后通过transact这个函数传出去,remote()之前有研究过他是IBinder类的,这里重点看transact这个函数,他是IBinder类的成员函数故它的实现必定在BpBinder类里,我们跳到这个函数的实体:
- status_t BpBinder::transact(
- uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags)
- {
-
- if (mAlive) {
- status_t status = IPCThreadState::self()->transact(
- mHandle, code, data, reply, flags);
- if (status == DEAD_OBJECT) mAlive = 0;
- return status;
- }
-
- return DEAD_OBJECT;
- }
发现他又调用了transact这个函数,不同的是 是在IPCThreadState类中的 我们继续跟踪:
- status_t IPCThreadState::transact(int32_t handle,
- uint32_t code, const Parcel& data,
- Parcel* reply, uint32_t flags)
- {
- status_t err = data.errorCheck();
-
- flags |= TF_ACCEPT_FDS;
-
- IF_LOG_TRANSACTIONS() {
- TextOutput::Bundle _b(alog);
- alog << "BC_TRANSACTION thr " << (void*)pthread_self() << " / hand "
- << handle << " / code " << TypeCode(code) << ": "
- << indent << data << dedent << endl;
- }
-
- if (err == NO_ERROR) {
- LOG_ONEWAY(">>>> SEND from pid %d uid %d %s", getpid(), getuid(),
- (flags & TF_ONE_WAY) == 0 ? "READ REPLY" : "ONE WAY");
- err = writeTransactionData(BC_TRANSACTION, flags, handle, code, data, NULL);
- }
-
- if (err != NO_ERROR) {
- if (reply) reply->setError(err);
- return (mLastError = err);
- }
-
- if ((flags & TF_ONE_WAY) == 0) {
- #if 0
- if (code == 4) {
- ALOGI(">>>>>> CALLING transaction 4");
- } else {
- ALOGI(">>>>>> CALLING transaction %d", code);
- }
- #endif
- if (reply) {
- err = waitForResponse(reply);
- } else {
- Parcel fakeReply;
- err = waitForResponse(&fakeReply);
- }
- #if 0
- if (code == 4) {
- ALOGI("<<<<<< RETURNING transaction 4");
- } else {
- ALOGI("<<<<<< RETURNING transaction %d", code);
- }
- #endif
-
- IF_LOG_TRANSACTIONS() {
- TextOutput::Bundle _b(alog);
- alog << "BR_REPLY thr " << (void*)pthread_self() << " / hand "
- << handle << ": ";
- if (reply) alog << indent << *reply << dedent << endl;
- else alog << "(none requested)" << endl;
- }
- } else {
- err = waitForResponse(NULL, NULL);
- }
-
- return err;
- }
这里已经扯到Binder机制的基本原理了,简单说就是客户端的SF代理通过BpBinder跟/dev/binder设备进行交互,向binder里写东西,函数err = writeTransactionData(BC_TRANSACTION, flags, handle, code, data, NULL);就是实现了这个功能,写完后他又等待服务端(SurfaceFlinger)那端的回应,err = waitForResponse(reply);当然服务端那边同样有人跟他进行交互。到这里,如果服务端收到消息并且返回了一个消息给客户端,这说明客户端请求连接成功。
请求成功后conn就不为0了,回到onFirstRef,成功后把coon赋给mClient。
既然客户端有请求了,那么服务端肯定有东西会去留意这个消息,回到更以前,做出向服务端请求连接这件事其实是SurfaceFlinger在客户端这边的代理BpSurfaceComposer完成的,那么之前说过,与之对应的就是BnSurfaceComposer。我们看一下他类的定义:
- class BnSurfaceComposer: public BnInterface<ISurfaceComposer> {
- public:
- enum {
-
-
- BOOT_FINISHED = IBinder::FIRST_CALL_TRANSACTION,
- CREATE_CONNECTION,
- CREATE_GRAPHIC_BUFFER_ALLOC,
- CREATE_DISPLAY_EVENT_CONNECTION,
- CREATE_DISPLAY,
- DESTROY_DISPLAY,
- GET_BUILT_IN_DISPLAY,
- SET_TRANSACTION_STATE,
- AUTHENTICATE_SURFACE,
- BLANK,
- UNBLANK,
- GET_DISPLAY_INFO,
- CONNECT_DISPLAY,
- CAPTURE_SCREEN,
- };
-
- virtual status_t onTransact(uint32_t code, const Parcel& data,
- Parcel* reply, uint32_t flags = 0);
- }
发现他没有构造函数只有一个成员函数 onTransact。跟踪一下:
- status_t BnSurfaceComposer::onTransact(
- uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags)
- {
- switch(code) {
- case CREATE_CONNECTION: {
- CHECK_INTERFACE(ISurfaceComposer, data, reply);
- sp<IBinder> b = createConnection()->asBinder();
- reply->writeStrongBinder(b);
- return NO_ERROR;
- }
- case CREATE_GRAPHIC_BUFFER_ALLOC: {
- CHECK_INTERFACE(ISurfaceComposer, data, reply);
- sp<IBinder> b = createGraphicBufferAlloc()->asBinder();
- reply->writeStrongBinder(b);
- return NO_ERROR;
- }
- case SET_TRANSACTION_STATE: {
- CHECK_INTERFACE(ISurfaceComposer, data, reply);
- size_t count = data.readInt32();
- ComposerState s;
- Vector<ComposerState> state;
- state.setCapacity(count);
- for (size_t i=0 ; i<count ; i++) {
- s.read(data);
- state.add(s);
- }
- count = data.readInt32();
- DisplayState d;
- Vector<DisplayState> displays;
- displays.setCapacity(count);
- for (size_t i=0 ; i<count ; i++) {
- d.read(data);
- displays.add(d);
- }
- uint32_t flags = data.readInt32();
- setTransactionState(state, displays, flags);
- return NO_ERROR;
- }
- case BOOT_FINISHED: {
- CHECK_INTERFACE(ISurfaceComposer, data, reply);
- bootFinished();
- return NO_ERROR;
- }
- case CAPTURE_SCREEN: {
- CHECK_INTERFACE(ISurfaceComposer, data, reply);
- sp<IBinder> display = data.readStrongBinder();
- sp<IGraphicBufferProducer> producer =
- interface_cast<IGraphicBufferProducer>(data.readStrongBinder());
- uint32_t reqWidth = data.readInt32();
- uint32_t reqHeight = data.readInt32();
- uint32_t minLayerZ = data.readInt32();
- uint32_t maxLayerZ = data.readInt32();
- status_t res = captureScreen(display, producer,
- reqWidth, reqHeight, minLayerZ, maxLayerZ);
- reply->writeInt32(res);
- return NO_ERROR;
- }
- case AUTHENTICATE_SURFACE: {
- CHECK_INTERFACE(ISurfaceComposer, data, reply);
- sp<IGraphicBufferProducer> bufferProducer =
- interface_cast<IGraphicBufferProducer>(data.readStrongBinder());
- int32_t result = authenticateSurfaceTexture(bufferProducer) ? 1 : 0;
- reply->writeInt32(result);
- return NO_ERROR;
- }
- case CREATE_DISPLAY_EVENT_CONNECTION: {
- CHECK_INTERFACE(ISurfaceComposer, data, reply);
- sp<IDisplayEventConnection> connection(createDisplayEventConnection());
- reply->writeStrongBinder(connection->asBinder());
- return NO_ERROR;
- }
- case CREATE_DISPLAY: {
- CHECK_INTERFACE(ISurfaceComposer, data, reply);
- String8 displayName = data.readString8();
- bool secure = bool(data.readInt32());
- sp<IBinder> display(createDisplay(displayName, secure));
- reply->writeStrongBinder(display);
- return NO_ERROR;
- }
- case DESTROY_DISPLAY: {
- CHECK_INTERFACE(ISurfaceComposer, data, reply);
- sp<IBinder> display = data.readStrongBinder();
- destroyDisplay(display);
- return NO_ERROR;
- }
- case GET_BUILT_IN_DISPLAY: {
- CHECK_INTERFACE(ISurfaceComposer, data, reply);
- int32_t id = data.readInt32();
- sp<IBinder> display(getBuiltInDisplay(id));
- reply->writeStrongBinder(display);
- return NO_ERROR;
- }
- case BLANK: {
- CHECK_INTERFACE(ISurfaceComposer, data, reply);
- sp<IBinder> display = data.readStrongBinder();
- blank(display);
- return NO_ERROR;
- }
- case UNBLANK: {
- CHECK_INTERFACE(ISurfaceComposer, data, reply);
- sp<IBinder> display = data.readStrongBinder();
- unblank(display);
- return NO_ERROR;
- }
- case GET_DISPLAY_INFO: {
- CHECK_INTERFACE(ISurfaceComposer, data, reply);
- DisplayInfo info;
- sp<IBinder> display = data.readStrongBinder();
- status_t result = getDisplayInfo(display, &info);
- memcpy(reply->writeInplace(sizeof(DisplayInfo)), &info, sizeof(DisplayInfo));
- reply->writeInt32(result);
- return NO_ERROR;
- }
- default: {
- return BBinder::onTransact(code, data, reply, flags);
- }
- }
-
- return NO_ERROR;
- }
代码虽然有点长,但是整体框架就是一个swith语句,看到第一个分支,马上就能看出来这是一个对请求连接信号的处理,这里大概能知道这个onTransact的功能就是判断收到的消息即参数code是哪种类型从而做出相应的处理。在server测,一开始创建SF服务的时候,在线城池创建的时候就已经开启线程去监听binder设备了我们来跟踪下:
从最开始SF服务启动的源文件开始:
- int main(int argc, char** argv) {
-
-
- ProcessState::self()->setThreadPoolMaxThreadCount(4);
-
-
- sp<ProcessState> ps(ProcessState::self());
- ps->startThreadPool();
是一个片段,最后一句就是开始线程池。跟踪其代码:
- void ProcessState::startThreadPool()
- {
- AutoMutex _l(mLock);
- if (!mThreadPoolStarted) {
- mThreadPoolStarted = true;
- spawnPooledThread(true);
- }
- }
核心也在最后一句,
- void ProcessState::spawnPooledThread(bool isMain)
- {
- if (mThreadPoolStarted) {
- String8 name = makeBinderThreadName();
- ALOGV("Spawning new pooled thread, name=%s\n", name.string());
- sp<Thread> t = new PoolThread(isMain);
- t->run(name.string());
- }
- }
到这里,可以看到实质的线程创建和开始运行。接下来我用一张图来表示他的函数调用的走向:
这里一旦检测到有连接请求消息就会跳到executeCommand的switch分支BR_TRANSACTION,去执行BBinder的transact,transact函数会调用onTransact函数,这个onTransact由其子类实现,在这里由BnSurfaceComposer完成,即调用的是BnSurfaceComposer::onTransact(),函数的具体内容在上面已贴出,就是处理不同的请求。
到此为止,客户端已经与SF进行连接,也就是交手过了,那么自然连接了,一定要做些事情比如客户端请求渲染一个surface,或者等等其他的。接下去的工作就是SurfaceFlinger的事,对客户端不同的请求而进行不同的处理,这才是SF核心工作所在。当然所有的通信机制都是基于binder机制,而求也有负责这个方面的客户端这边的binder代理BpSurfaceComposerClient和服务端这边的本地对象 BnSurfaceComposerClient,而这里有点不一样的是BnSurfaceComposerClient派生出Client所以事情都交与Client做了。