我分析代码的喜欢从main函数开始,因为还不知道代码结构的情况下,这是最直接的方法。所以先看adb.c的main函数
- int main(int argc, char **argv)
- {
- adb_trace_init();
- #if ADB_HOST
- adb_sysdeps_init();
- return adb_commandline(argc - 1, argv + 1);
- #else
- if((argc > 1) && (!strcmp(argv[1],"recovery"))) {
- adb_device_banner = "recovery";
- recovery_mode = 1;
- }
- start_device_log();
- return adb_main(0);
- #endif
- }
宏ADB_HOST用来区别编译adb和adbd,参见上一篇博客http://blog.csdn.net/yinlijun2004/article/details/7008952。
现在用一个常用命令“adb devices”用来捋顺代码流程,adb_trace_init用于log tag初始化,在host端,输入命令"adb devices"之后,进入adb_commandline函数。
adb_commandline首先解析参数,判断有没有指定transport type,即指定与哪个设备通信,emulator 或者 device,指定设备的方法是
- -d
- -e
- -s <serial number>
然后调用adb_set_transport将type,serial赋值给全局变量,
- void adb_set_transport(transport_type type, const char* serial)
- {
- __adb_transport = type;
- __adb_serial = serial;
- }
这两个全局变量由client保存,将用来告诉server,与何种设备通信,用何种方式传输通信。
接下来,adb_commandline用来判断server守护进程是否已经启动,
- if ((argc > 0) && (!strcmp(argv[0],"server"))) {
- if (no_daemon || is_daemon) {
- r = adb_main(is_daemon);
- } else {
- r = launch_server();
- }
- if(r) {
- fprintf(stderr,"* could not start server *\n");
- }
- return r;
- }
在这里我们的client第一次执行“adb device”,因此会去启动server,在launch_server中,执行fork()操作,生成一对管道用于父子进程的通信。子进程调用execl,执行adb fork-server server,父进程等待来自子进程的OK应答。
- // child side of the fork
- // redirect stderr to the pipe
- // we use stderr instead of stdout due to stdout's buffering behavior.
- adb_close(fd[0]);
- dup2(fd[1], STDERR_FILENO);
- adb_close(fd[1]);
- // child process
- int result = execl(path, "adb", "fork-server", "server", NULL);
- // this should not return
- fprintf(stderr, "OOPS! execl returned %d, errno: %d\n", result, errno);
这里子进程将STDERR_FILENO重定向到管道的写端fd[1];然后讲管道关闭,这样所有对stderr的操作都将写入父进程,fprintf语句只有在execl执行失败时执行。
- // parent side of the fork
- char temp[3];
- temp[0] = 'A'; temp[1] = 'B'; temp[2] = 'C';
- // wait for the "OK\n" message
- adb_close(fd[1]);
- int ret = adb_read(fd[0], temp, 3);
- adb_close(fd[0]);
- if (ret < 0) {
- fprintf(stderr, "could not read ok from ADB Server, errno = %d\n", errno);
- return -1;
- }
- if (ret != 3 || temp[0] != 'O' || temp[1] != 'K' || temp[2] != '\n') {
- fprintf(stderr, "ADB server didn't ACK\n" );
- return -1;
- }
- setsid();
父进程从管道的读端读取子进程发过来的应答,如果非“OK”,代表创建server失败,返回,setsid用于避免父进程退出时子进程也退出,即server真正成为一个守护进程。
花开两朵各表一只,先看fork出来的子进程,即守护进程server,前面说到,它的启动command是adb fork-server server,我们在回到adb的main函数,它用走到了adb_commandline里面来,这时候它解析参数以后,is_daemon就变成1了,因此执行adb_daemon(is_daemon)。
- init_transport_registration();
- ADB_HOST
- HOST = 1;
- usb_vendors_init();
- usb_init();
- local_init(ADB_LOCAL_TRANSPORT_PORT);
- if(install_listener("tcp:5037", "*smartsocket*", NULL)) {
- exit(1);
- }
- e
adb_daemon首先初始化transport registrantion,等待注册transport时间的到来,transport是用来与远端设备进行通信的,对HOST来说远端设备就是device/emulator,反之亦然。注册信息本身,是用通过一个socket对transport_registration_send,transport_registration_recv来传递的,这属于线程之间的通信。
首先初始化本地USB,监听本地usb的情况,如果有用于ADB的USB设备,则注册一个type为kTransportUsb的transport,
具体调用流程:usb_init->client_socket_thread出一个device_poll_thread线程,在device_poll_thread中:
- for (;;) {
- sleep(5);
- kick_disconnected();
- scan_usb_devices();
- }
scan_usb_devices->check_device->register_device->register_usb_transport->init_usb_transport->register_transport
在init_usb_transport中,
- void init_usb_transport(atransport *t, usb_handle *h, int state)
- {
- D("transport: usb\n");
- t->close = remote_close;
- t->kick = remote_kick;
- t->read_from_remote = remote_read;
- t->write_to_remote = remote_write;
- t->sync_token = 1;
- t->connection_state = state;
- t->type = kTransportUsb;
- t->usb = h;
- #if ADB_HOST
- HOST = 1;
- #else
- HOST = 0;
- #endif
- }
接着然后试图连接5555-55585之间的端口,这个时候如果已经有emulator在运行,即调用socket_network_client成功,则注册一个type为kTransportLocal的transport,
调用流程:local_init->adb_thread_create出一个client_socket_thread线程,在client_socket_thread中,尝试连接5555-55585的本地端口
client_socket_thread->socket_loopback_client
如果socket_loopback_client返回值大于0,说明已连接上emulator,
则调用:register_socket_transport->init_socket_transport->register_transport
在init_socket_transport中
- int init_socket_transport(atransport *t, int s, int port, int local)
- {
- int fail = 0;
- t->kick = remote_kick;
- t->close = remote_close;
- t->read_from_remote = remote_read;
- t->write_to_remote = remote_write;
- t->sfd = s;
- t->sync_token = 1;
- t->connection_state = CS_OFFLINE;
- t->type = kTransportLocal;
- #if ADB_HOST
- if (HOST && local) {
- adb_mutex_lock( &local_transports_lock );
- {
- int index = (port - ADB_LOCAL_TRANSPORT_PORT)/2;
- if (!(port & 1) || index < 0 || index >= ADB_LOCAL_TRANSPORT_MAX) {
- D("bad local transport port number: %d\n", port);
- fail = -1;
- }
- else if (local_transports[index] != NULL) {
- D("local transport for port %d already registered (%p)?\n",
- port, local_transports[index]);
- fail = -1;
- }
- else
- local_transports[index] = t;
- }
- adb_mutex_unlock( &local_transports_lock );
- }
- #endif
- return fail;
- }
注意看ADB_HOST里面的东西,如果是在HOST端,则将transport添加到列表里面,因为adb device就是从这个列表里面读信息的。
再看register_transport,它将transport信息,一个tmsp的结构体,写入transport_registration_send
- struct tmsg
- {
- atransport *transport;
- int action;
- };
action为0表示移除该transport,1表示添加。
则接收端的描述符transport_registration_recv会收到对应的信息,它的处理回调函数是transport_registration_func,在transport_registration_func中,首先读取出待注册的transport的地址,在这里创建套接字对,一个是fd,负责从远端读入,或者写入远端。transport_socket负责跟本地(emulator或者device)交互,同时启动两个线程output_thread,调用read_from_remote从远端读入,还有input_thread,调用write_to_remote写入远端。
以output_thread为例,
- p = get_apacket();
- p->msg.command = A_SYNC;
- p->msg.arg0 = 1;
- p->msg.arg1 = ++(t->sync_token);
- p->msg.magic = A_SYNC ^ 0xffffffff;
- if(write_packet(t->fd, &p)) {
- put_apacket(p);
- D("from_remote: failed to write SYNC apacket to transport %p", t);
- goto oops;
- }
首先向fd写入一个包含A_SYNC命令的信息包,用于同步,transport_socket的处理回调函数transport_socket_events会执行,继而调用handle_packet处理信息包
- case A_SYNC:
- if(p->msg.arg0){
- send_packet(p, t);
- if(HOST) send_connect(t);
- } else {
- t->connection_state = CS_OFFLINE;
- handle_offline(t);
- send_packet(p, t);
- }
- return;
handle_packet判断是A_SYNC同步命令,则同时将信息包发送给远端,并发送一个连接请求给远端,里面包含adb版本,最大载荷等信息。send_package讲信息包写回给transport_socket。
回过头来output_thread线程回收到这些信息包,并将这些包写入远端。
写的太深入了,回到adb_main函数,初始化完可能USB和emulator的transport之后,执行下面这段代码
- if(install_listener("tcp:5037", "*smartsocket*", NULL)) {
- exit(1);
- }
listener是一个很重要的概念,它绑定到一个本地端口,即local socket,负责与client通信(稍候将看到),并且创建一个连接到远端的remote socket,smartsocket是一个特殊的socket,它其实类似一个接线员的角色,它分析后看你要连接到哪个remote socket,然后帮你连上。注意这里的第三个参数NULL,因为接线员还来不及分析你的adb命令参数,不知道你要往哪个remote上连,所以这里为NULL,等分析好了,确定要连接那个remote socket,smartsocket的任务也完成了。
- struct alistener
- {
- alistener *next;
- alistener *prev;
- fdevent fde;
- int fd;
- const char *local_name;
- const char *connect_to;
- atransport *transport;
- adisconnect disconnect;
- };
- l->fd = local_name_to_fd(local_name);
- close_on_exec(l->fd);
- if(!strcmp(l->connect_to, "*smartsocket*")) {
- fdevent_install(&l->fde, l->fd, ss_listener_event_func, l);
- }
接下来,adb_main执行下面代码,
- if (is_daemon)
- {
- // inform our parent that we are up and running.
- f defined(HAVE_FORKEXEC)
- fprintf(stderr, "OK\n");
- if
- start_logging();
- }
接下来,server调用fdevent_loop进入事件循环。
- for(;;) {
- fdevent_process();
- while((fde = fdevent_plist_dequeue())) {
- unsigned events = fde->events;
- fde->events = 0;
- fde->state &= (~FDE_PENDING);
- dump_fde(fde, "callback");
- fde->func(fde->fd, events, fde->arg);
- }
- }
- struct fdevent
- {
- fdevent *next;
- fdevent *prev;
- int fd;
- unsigned short state;
- unsigned short events;
- fd_func func;
- void *arg;
- };
如果有相关事件的到达则调用fun进行处理。
adb_main,即server已经启动完成,再回到client的adb_commandline函数,我们继续adb device命令的解析,
- if(!strcmp(argv[0], "devices")) {
- char *tmp;
- snprintf(buf, sizeof buf, "host:%s", argv[0]);
- tmp = adb_query(buf);
- if(tmp) {
- printf("List of devices attached \n");
- printf("%s\n", tmp);
- return 0;
- } else {
- return 1;
- }
- }
它调用adb_query函数,参数是"host:devices“,它表示需要发往server的请求,这些请求分两种query型和command型,分别调用adb_query和adb_command
- char *adb_query(const char *service)
- {
- char buf[5];
- unsigned n;
- char *tmp;
- D("adb_query: %s\n", service);
- int fd = adb_connect(service);
- if(readx(fd, buf, 4)) goto oops;
- if(readx(fd, tmp, n) == 0) {
- }
- }
可以看到,它连接到server,返回一个描述符,然后直接从该描述符里面读取结果就可以了。看起来很简单,adb_connect把下面很复杂的东西都包装起来了。
adb_connect包装了_adb_connect函数,包装了一些adb server是否已经成功启动,查询adb server版本信息的工作,在_adb_connect中
调用socket_loopback_client(ADB_PORT, SOCK_STREAM);尝试连接ADB_PORT,也就是5037,记住刚才adb server已经调用socket_loopback_server(port, SOCK_STREAM);这样,client和service之间就可以开始通信了。请求信息“host:devices”将写入adb server,来看adb server的处理函数ss_listener_event_func
ss_listener_event_func创建一个local socket读取该信息,
- fd = adb_socket_accept(_fd, &addr, &alen);
- if(fd < 0) return;
- adb_socket_setbufsize(fd, CHUNK_SIZE);
- s = create_local_socket(fd);
- if(s) {
- connect_to_smartsocket(s);
- return;
- }
先看create_local_socket,这个socket负责与client通信,回调处理函数是local_socket_event_func。
- asocket *create_local_socket(int fd)
- {
- asocket *s = calloc(1, sizeof(asocket));
- if(s == 0) fatal("cannot allocate socket");
- install_local_socket(s);
- s->fd = fd;
- s->enqueue = local_socket_enqueue;
- s->ready = local_socket_ready;
- s->close = local_socket_close;
- fdevent_install(&s->fde, fd, local_socket_event_func, s);
- return s;
- }
也就是由local_socket_event_func来读取“host:devices”串,然后调用s->peer->enqueue(s->peer, p);交给对断处理。
那local socket的对端是谁,看connect_to_smartsocket
- void connect_to_smartsocket(asocket *s)
- {
- D("Connecting to smart socket \n");
- asocket *ss = create_smart_socket(smart_socket_action);
- s->peer = ss;
- ss->peer = s;
- s->ready(s);
- }
这里明白了local socket的对端就是smart socket(remote socket的一种),与local socket交互。
- asocket *create_smart_socket(void (*action_cb)(asocket *s, const char *act))
- {
- asocket *s = calloc(1, sizeof(asocket));
- if(s == 0) fatal("cannot allocate socket");
- s->id = 0;
- s->enqueue = smart_socket_enqueue;
- s->ready = smart_socket_ready;
- s->close = smart_socket_close;
- s->extra = action_cb;
- return s;
- }
这两个socket结对以后,调用local socket的ready回调函数,也就是local_socket_ready
- static void local_socket_ready(asocket *s)
- {
- fdevent_add(&s->fde, FDE_READ);
- }
那local socket调用的s->peer->enqueue(s->peer, p);就是smart_socket_enqueue
在smart_socket_enqueue中,将刚刚读取到的package插入到package列表中,然后解析service,即发过来的“host:devices”
- #if ADB_HOST
- service = (char *)p->data + 4;
- if(!strncmp(service, "host-serial:", strlen("host-serial:"))) {
- char* serial_end;
- service += strlen("host-serial:");
- // serial number should follow "host:"
- serial_end = strchr(service, ':');
- if (serial_end) {
- *serial_end = 0; // terminate string
- serial = service;
- service = serial_end + 1;
- }
- } else if (!strncmp(service, "host-usb:", strlen("host-usb:"))) {
- ttype = kTransportUsb;
- service += strlen("host-usb:");
- } else if (!strncmp(service, "host-local:", strlen("host-local:"))) {
- ttype = kTransportLocal;
- service += strlen("host-local:");
- } else if (!strncmp(service, "host:", strlen("host:"))) {
- ttype = kTransportAny;
- service += strlen("host:");
- } else {
- service = NULL;
- }
- s2 = create_host_service_socket(service, serial);
- if(s2 == 0) {
- D( "SS(%d): couldn't create host service '%s'\n", s->id, service );
- sendfailmsg(s->peer->fd, "unknown host service");
- goto fail;
- }
- adb_write(s->peer->fd, "OKAY", 4);
- s->peer->ready = local_socket_ready;
- s->peer->close = local_socket_close;
- s->peer->peer = s2;
- s2->peer = s->peer;
- s->peer = 0;
- D( "SS(%d): okay\n", s->id );
- s->close(s);
先来看可以用handle_host_request的部分,处理devices部分请求的代码如下
- // return a list of all connected devices
- if (!strcmp(service, "devices")) {
- char buffer[4096];
- memset(buf, 0, sizeof(buf));
- memset(buffer, 0, sizeof(buffer));
- D("Getting device list \n");
- list_transports(buffer, sizeof(buffer));
- snprintf(buf, sizeof(buf), "OKAY%04x%s",(unsigned)strlen(buffer),buffer);
- D("Wrote device list \n");
- writex(reply_fd, buf, strlen(buf));
- return 0;
- }
它讲transport列表里面的信息读取出来,然后写入reply_fd里面,其实这里猜也猜到了,它就是local socket的fd,也就是将信息写入port5037里面,这样我们的client端就能将当前连接的设备信息打印到屏幕上了。
整个过程的如下,
___________________________________
| |
| ADB Server (host) |
| |
Client <-------> LocalSocket <-------------> RemoteSocket |
| ^^ |
|___________________________||_______|
||
转自:http://blog.csdn.net/yinlijun2004/article/details/7014168
529
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
