Android11 Service绑定流程分析
上一篇我们介绍了Android11 Service启动流程,这一篇我们接着介绍Service绑定流程。service的绑定流程有一部分与启动流程是重合的我们就不重复介绍了,例如:服务没有启动的时候会先走创建启动service的流程。这里只分析它的绑定流程。不了解Service的启动流程的可以查看我的这一篇文章《Android 11 Service启动流程分析》
service绑定流程调用时序图
service绑定流程源码分析
我们一般在使用中会调用bindService方法,这个方法在ContextWarpper中,代码如下:
public boolean bindService(Intent service, int flags, Executor executor,
ServiceConnection conn) {
return mBase.bindService(service, flags, executor, conn);
}
这里我们通过前面的文章可以知道,这里的mBase指的就是ContextImpl,所以我们直接看ContextImpl中的bindService代码:
public boolean bindService(
Intent service, int flags, Executor executor, ServiceConnection conn) {
warnIfCallingFromSystemProcess();
return bindServiceCommon(service, conn, flags, null, null, executor, getUser());
}
bindService方法的最后又return了一个bindServiceCommon方法,代码如下:
private boolean bindServiceCommon(Intent service, ServiceConnection conn, int flags,
String instanceName, Handler handler, Executor executor, UserHandle user) {
IServiceConnection sd;
...
if (mPackageInfo != null) {
if (executor != null) {
sd = mPackageInfo.getServiceDispatcher(conn, getOuterContext(), executor, flags);
} else {
//1
sd = mPackageInfo.getServiceDispatcher(conn, getOuterContext(), handler, flags);
}
} else {
throw new RuntimeException("Not supported in system context");
}
validateServiceIntent(service);
try {
...
service.prepareToLeaveProcess(this);
//2
int res = ActivityManager.getService().bindIsolatedService(
mMainThread.getApplicationThread(), getActivityToken(), service,
service.resolveTypeIfNeeded(getContentResolver()),
sd, flags, instanceName, getOpPackageName(), user.getIdentifier());
...
return res != 0;
} catch (RemoteException e) {
throw e.rethrowFromSystemServer();
}
}
在注释1处调用了LoadedApk的getServiceDispatcher方法,它主要的作用就是把我们传入的ServiceConnection 封装成IServiceConnection类型的对象sd。我们点进去会发现它的内部new了一个ServiceDispatcher类型的对象sd,ServiceDispatcher的构造方中又会new一个InnerConnection类型的对象,而这个InnerConnection又继承自IServiceConnection.Stub。从这里我们就可以看到IServiceConnection是一个Binder接口,目的就是为了支持跨进程通信。相关代码如下:
private IServiceConnection getServiceDispatcherCommon(ServiceConnection c,
Context context, Handler handler, Executor executor, int flags) {
synchronized (mServices) {
...
if (sd == null) {
if (executor != null) {
sd = new ServiceDispatcher(c, context, executor, flags);
} else {
sd = new ServiceDispatcher(c, context, handler, flags);
}
...
return sd.getIServiceConnection();
}
}
//ServiceDispatcher的构造方法
ServiceDispatcher(ServiceConnection conn,
Context context, Handler activityThread, int flags) {
mIServiceConnection = new InnerConnection(this);
mConnection = conn;
mContext = context;
mActivityThread = activityThread;
mActivityExecutor = null;
mLocation = new ServiceConnectionLeaked(null);
mLocation.fillInStackTrace();
mFlags = flags;
}
private static class InnerConnection extends IServiceConnection.Stub {
@UnsupportedAppUsage
final WeakReference<LoadedApk.ServiceDispatcher> mDispatcher;
InnerConnection(LoadedApk.ServiceDispatcher sd) {
mDispatcher = new WeakReference<LoadedApk.ServiceDispatcher>(sd);
}
public void connected(ComponentName name, IBinder service, boolean dead)
throws RemoteException {
LoadedApk.ServiceDispatcher sd = mDispatcher.get();
if (sd != null) {
sd.connected(name, service, dead);
}
}
}
接着我们回到bindServiceCommon方法中注释2的地方又见到我们熟悉的ActivityManager了,这里会调用到ActivityManagerService的bindIsolatedService方法。代码如下:
public int bindIsolatedService(IApplicationThread caller, IBinder token, Intent service,
String resolvedType, IServiceConnection connection, int flags, String instanceName,
String callingPackage, int userId) throws TransactionTooLargeException {
...
synchronized(this) {
return mServices.bindServiceLocked(caller, token, service,
resolvedType, connection, flags, instanceName, callingPackage, userId);
}
}
bindIsolatedService方法的最后会调用ActiveServices的bindServiceLocked方法:
int bindServiceLocked(IApplicationThread caller, IBinder token, Intent service,
String resolvedType, final IServiceConnection connection, int flags,
String instanceName, String callingPackage, final int userId)
throws TransactionTooLargeException {
...
try {
//1
if ((flags&Context.BIND_AUTO_CREATE) != 0) {
s.lastActivity = SystemClock.uptimeMillis();
if (bringUpServiceLocked(s, service.getFlags(), callerFg, false,
permissionsReviewRequired) != null) {
return 0;
}
}
...
if (s.app != null && b.intent.received) {//2
try {
c.conn.connected(s.name, b.intent.binder, false);//3
} catch (Exception e) {
...
}
if (b.intent.apps.size() == 1 && b.intent.doRebind) {//4
requestServiceBindingLocked(s, b.intent, callerFg, true);//5
}
} else if (!b.intent.requested) {//6
requestServiceBindingLocked(s, b.intent, callerFg, false);//7
}
maybeLogBindCrossProfileService(userId, callingPackage, callerApp.info.uid);
getServiceMapLocked(s.userId).ensureNotStartingBackgroundLocked(s);
} finally {
Binder.restoreCallingIdentity(origId);
}
return 1;
}
在注释1处会bringUpServiceLocked方法,在bringUpServiceLocked方法中又会调用realStartServiceLocked方法,最终由ActivityThread来调用Service的onCreate方法启动Service,这一过程属于Service启动流程了,这里就不关心了。注释2处s.app != null表示Service已经运行了,其中s是ServiceRecord类型的对象,app 是ProcessRecord类型对象,b.intent.received表示当前应用程序进程的Client端已经接收到绑定Service时返回的Binder,这样应用程序进程的Client端就可以通过Binder来获取要绑定的Service的访问接口。注释3处调用了c.conn的connected方法,其中c.cnn其实就是我们前面提到的IServiceConnection这个aidl接口,具体的实现类就是ServiceDispatcher.InnerConnection,其中ServiceDispatcher是LoadedApk的内部类InnerConnection的connected方法内部会调用H的post方法向主线程发送RunConnection的Runnable消息,从而解决当前应用程序进程和Service跨进程通信的问题。
在注释4处如果当前应用程序进程的Client端第一次与Service进行绑定的,并且Service已经调用过onUnBind方法,则需要调用注释5的代码。
注释6处如果应用程序进程的Client端没有发送过绑定Service的请求,则会调用注释7的代码,注释7和注释5的代码区别就是最后一个参数rebind为false,表示不是再次绑定。
接下来我们看一下requestServiceBindingLocked这个方法具体做了什么,代码如下:
private final boolean requestServiceBindingLocked(ServiceRecord r, IntentBindRecord i,
boolean execInFg, boolean rebind) throws TransactionTooLargeException {
...
if ((!i.requested || rebind) && i.apps.size() > 0) {//1
try {
...
//2
r.app.thread.scheduleBindService(r, i.intent.getIntent(), rebind,
r.app.getReportedProcState());
if (!rebind) {
i.requested = true;
}
i.hasBound = true;
i.doRebind = false;
} catch (TransactionTooLargeException e) {
...
} catch (RemoteException e) {
...
return false;
}
}
return true;
}
注释1处,从前面的分析我们知道i.requested 是否已经发送过绑定请求,由于我们是第一次这时requested肯定为false,rebind也是false因为我们不是重新绑定,这时当绑定服务的客户端进程记录大于0的时候就会执行注释2处的代码ApplicationThread的scheduleBindService方法。scheduleBindService的代码如下:
public final void scheduleBindService(IBinder token, Intent intent,
boolean rebind, int processState) {
updateProcessState(processState, false);
BindServiceData s = new BindServiceData();
s.token = token;
s.intent = intent;
s.rebind = rebind;
if (DEBUG_SERVICE)
Slog.v(TAG, "scheduleBindService token=" + token + " intent=" + intent + " uid="
+ Binder.getCallingUid() + " pid=" + Binder.getCallingPid());
sendMessage(H.BIND_SERVICE, s);
}
从上面的代码我们可以看到首先会把Service的信息封装到BindServiceData 中然后把BindServiceData作为参数传入到sendMessage方法中,sendMessage就是想Handler H中发送一条BIND_SERVICE的消息,接下来我们查看H的handleMessage方法:
public void handleMessage(Message msg) {
if (DEBUG_MESSAGES) Slog.v(TAG, ">>> handling: " + codeToString(msg.what));
switch (msg.what) {
case BIND_SERVICE:
Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, "serviceBind");
handleBindService((BindServiceData)msg.obj);
Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);
break;
}
}
当接收到BIND_SERVICE消息时就会调用ActivityThread的handleBindService方法:
private void handleBindService(BindServiceData data) {
Service s = mServices.get(data.token);
...
if (s != null) {
try {
data.intent.setExtrasClassLoader(s.getClassLoader());
data.intent.prepareToEnterProcess();
try {
if (!data.rebind) {//1
IBinder binder = s.onBind(data.intent);//2
ActivityManager.getService().publishService(
data.token, data.intent, binder);//3
} else {
s.onRebind(data.intent);//4
ActivityManager.getService().serviceDoneExecuting(
data.token, SERVICE_DONE_EXECUTING_ANON, 0, 0);
}
} catch (RemoteException ex) {
...
}
} catch (Exception e) {
...
}
}
}
注释1处如果不是重新绑定那么就会执行注释2处Service的onBind方法,紧接会执行注释3处ActivityManagerService的publishService方法,如果是再次绑定那么就会执行注释4处Service的onRebind方法。接下来我们看一下ActivityManagerService的publishService方法:
public void publishService(IBinder token, Intent intent, IBinder service) {
...
synchronized(this) {
...
mServices.publishServiceLocked((ServiceRecord)token, intent, service);
}
}
这里会调用ActiveServices的publishServiceLocked方法:
void publishServiceLocked(ServiceRecord r, Intent intent, IBinder service) {
final long origId = Binder.clearCallingIdentity();
try {
if (DEBUG_SERVICE) Slog.v(TAG_SERVICE, "PUBLISHING " + r
+ " " + intent + ": " + service);
if (r != null) {
Intent.FilterComparison filter
= new Intent.FilterComparison(intent);
IntentBindRecord b = r.bindings.get(filter);
if (b != null && !b.received) {
b.binder = service;
b.requested = true;
b.received = true;
ArrayMap<IBinder, ArrayList<ConnectionRecord>> connections = r.getConnections();
for (int conni = connections.size() - 1; conni >= 0; conni--) {
ArrayList<ConnectionRecord> clist = connections.valueAt(conni);
for (int i=0; i<clist.size(); i++) {
ConnectionRecord c = clist.get(i);
...
try {
//1
c.conn.connected(r.name, service, false);
} catch (Exception e) {
...
}
}
}
}
..
}
}
}
注释1部分我们前面提到过c.conn指的就是IServiceConnection 具体的实现类是ServiceDispatcher.InnerConnection,而ServiceDispatcher又是LoadedApk的内部类,ServiceDispatcher.InnerConnection的具体代码如下:
static final class ServiceDispatcher {
...
private static class InnerConnection extends IServiceConnection.Stub {
@UnsupportedAppUsage
final WeakReference<LoadedApk.ServiceDispatcher> mDispatcher;
InnerConnection(LoadedApk.ServiceDispatcher sd) {
mDispatcher = new WeakReference<LoadedApk.ServiceDispatcher>(sd);
}
public void connected(ComponentName name, IBinder service, boolean dead)
throws RemoteException {
LoadedApk.ServiceDispatcher sd = mDispatcher.get();
if (sd != null) {
//1
sd.connected(name, service, dead);
}
}
}
这里注释1处调用了ServiceDispatcher 的connected方法:
public void connected(ComponentName name, IBinder service, boolean dead) {
if (mActivityExecutor != null) {
mActivityExecutor.execute(new RunConnection(name, service, 0, dead));
} else if (mActivityThread != null) {
//1
mActivityThread.post(new RunConnection(name, service, 0, dead));
} else {
doConnected(name, service, dead);
}
}
注释1的地方调用了mActivityThread对象的post方法,其实这个mActivityThread指的就是ActivityThread类中的Handler H 类。因此H的post方法发送一个RunConnection消息使的RunConnection的run方法运行在主线程中。RunConnection的代码如下:
private final class RunConnection implements Runnable {
...
public void run() {
if (mCommand == 0) {
//1
doConnected(mName, mService, mDead);
} else if (mCommand == 1) {
doDeath(mName, mService);
}
}
...
}
这里注释1处会调用ServiceDispatcher 的doConnected的方法:
public void doConnected(ComponentName name, IBinder service, boolean dead) {
...
// If there was an old service, it is now disconnected.
if (old != null) {
mConnection.onServiceDisconnected(name);
}
...
if (service != null) {
//1
mConnection.onServiceConnected(name, service);
} else {
// The binding machinery worked, but the remote returned null from onBind().
mConnection.onNullBinding(name);
}
}
在注释1处调用了ServiceConnection类型的对象mConnection的onServiceConnected方法,这样在客户端中实现了ServiceConnection接口的类的onServiceConnected方法就会被执行。至此,Service的绑定流程就分析完了。