本文深入剖析了Android 9.0中USB HAL 1.0的HIDL Service注册流程,从创建IUsb对象到通过HidlManager的add方法,详细解释了Binder机制在注册过程中的作用,包括Parcel的写入、服务的添加以及与驱动的交互。整个流程涉及多个库文件和内核驱动,展示了Android系统服务注册的复杂性和精妙之处。
前言
写一个自己的 Android Hidl Service这里写了怎么创建一个自己的hidlservice,现在讲一下hidlservice的注册流程
HwBinder的框架
流程分析
现在以Android9.0的USB HAL 1.0为例子分析一下hidl service的注册流程
注册流程
1. hardware/interfaces/usb/1.0/default/service.cpp
...
android::sp<IUsb> service = new Usb();
configureRpcThreadpool(1, true /*callerWillJoin*/);
status_t status = service->registerAsService();
...
service->registerAsService()是将IUsb对象注册为HW service
registerAsService()方法声明在
out/soong/.intermediates/hardware/interfaces/usb/1.0/android.hardware.usb@1.0_genc++_headers/gen/android/hardware/usb/1.0/IUsb.h里面,实现在out/soong/.intermediates/hardware/interfaces/usb/1.0/android.hardware.usb@1.0_genc++/gen/android/hardware/usb/1.0/UsbAll.cpp
2. out/soong/.intermediates/hardware/interfaces/usb/1.0/android.hardware.usb@1.0_genc++/gen/android/hardware/usb/1.0/UsbAll.cpp
::android::status_t IUsb::registerAsService(const std::string &serviceName) {
::android::hardware::details::onRegistration("android.hardware.usb@1.0", "IUsb", serviceName);
const ::android::sp<::android::hidl::manager::V1_0::IServiceManager> sm
= ::android::hardware::defaultServiceManager();
if (sm == nullptr) {
return ::android::INVALID_OPERATION;
}
::android::hardware::Return<bool> ret = sm->add(serviceName.c_str(), this);
return ret.isOk() && ret ? ::android::OK : ::android::UNKNOWN_ERROR;
}
然后通过Hidl manager的 add方法向下走,首先看一下IServiceManager的实现
defaultServiceManagers()方法声明system/libhidl/transport/include/hidl/ServiceManagement.h,实现在system/libhidl/transport/ServiceManagement.cpp
2.1. system/libhidl/transport/ServiceManagement.cpp
sp<IServiceManager1_0> defaultServiceManager() {
return defaultServiceManager1_1();
}
sp<IServiceManager1_1> defaultServiceManager1_1() {
{
AutoMutex _l(details::gDefaultServiceManagerLock);
if (details::gDefaultServiceManager != nullptr) {
return details::gDefaultServiceManager;
}
if (access("/dev/hwbinder", F_OK|R_OK|W_OK) != 0) {
// HwBinder not available on this device or not accessible to
// this process.
return nullptr;
}
waitForHwServiceManager();
while (details::gDefaultServiceManager == nullptr) {
details::gDefaultServiceManager =
fromBinder<IServiceManager1_1, BpHwServiceManager, BnHwServiceManager>(
ProcessState::self()->getContextObject(nullptr));
if (details::gDefaultServiceManager == nullptr) {
LOG(ERROR) << "Waited for hwservicemanager, but got nullptr.";
sleep(1);
}
}
}
return details::gDefaultServiceManager;
}
fromBinder() 是个模板函数,声明和实现都在system/libhidl/transport/include/hidl/HidlBinderSupport.h
2.2. system/libhidl/transport/include/hidl/HidlBinderSupport.h
template <typename IType, typename ProxyType, typename StubType>
sp<IType> fromBinder(const sp<IBinder>& binderIface) {
using ::android::hidl::base::V1_0::IBase;
using ::android::hidl::base::V1_0::BnHwBase;
if (binderIface.get() == nullptr) {
return nullptr;
}
if (binderIface->localBinder() == nullptr) {
return new ProxyType(binderIface);
}
sp<IBase> base = static_cast<BnHwBase*>(binderIface.get())->getImpl();
if (details::canCastInterface(base.get(), IType::descriptor)) {
StubType* stub = static_cast<StubType*>(binderIface.get());
return stub->getImpl();
} else {
return nullptr;
}
}
binderIface就是传入的参数,反过来再看2.1传入的参数ProcessState::self()->getContextObject(nullptr),这个实现在system/libhwbinder/ProcessState.cpp
2.2.1. system/libhwbinder/ProcessState.cpp
getContextObject(nullptr)的实现:
sp<IBinder> ProcessState::getContextObject(const sp<IBinder>& /*caller*/)
{
return getStrongProxyForHandle(0);
}
再看getStrongProxyForHandle(0),实现在同一个文件中
sp<IBinder> ProcessState::getStrongProxyForHandle(int32_t handle)
{
sp<IBinder> result;
AutoMutex _l(mLock);
handle_entry* e = lookupHandleLocked(handle);
if (e != NULL) {
// We need to create a new BpHwBinder if there isn't currently one, OR we
// are unable to acquire a weak reference on this current one. See comment
// in getWeakProxyForHandle() for more info about this.
IBinder* b = e->binder;
if (b == NULL || !e->refs->attemptIncWeak(this)) {
b = new BpHwBinder(handle);
e->binder = b;
if (b) e->refs = b->getWeakRefs();
result = b;
} else {
// This little bit of nastyness is to allow us to add a primary
// reference to the remote proxy when this team doesn't have one
// but another team is sending the handle to us.
result.force_set(b);
e->refs->decWeak(this);
}
}
return result;
}
有代码可以看出resault和e相关,再看lookupHandleLocked(handle),
ProcessState::handle_entry* ProcessState::lookupHandleLocked(int32_t handle)
{
const size_t N=mHandleToObject.size();
if (N <= (size_t)handle) {
handle_entry e;
e.binder = NULL;
e.refs = NULL;
status_t err = mHandleToObject.insertAt(e, N, handle+1-N);
if (err < NO_ERROR) return NULL;
}
return &mHandleToObject.editItemAt(handle);
}
由于mHandleToObject 是成员变量,且只有此函数调用,且此函数为此进程第一次调用,所以size为0,
由此把handle_entry e 放进mHandleToObject,并返回,然后接着看上一个函数getStrongProxyForHandle(0),谈的返回值就是new BpHwBinder(0)
2.2.2. system/libhwbinder/BpHwBinder.cpp
BpHwBinder::BpHwBinder(int32_t handle)
: mHandle(handle)
, mAlive(1)
, mObitsSent(0)
, mObituaries(NULL)
{
ALOGV("Creating BpHwBinder %p handle %d\n", this, mHandle);
extendObjectLifetime(OBJECT_LIFETIME_WEAK);
IPCThreadState::self()->incWeakHandle(handle, this);
}
2.2.3. system/libhwbinder/IPCThreadState.cpp
void IPCThreadState::incWeakHandle(int32_t handle, BpHwBinder *proxy)
{
LOG_REMOTEREFS("IPCThreadState::incWeakHandle(%d)\n", handle);
mOut.writeInt32(BC_INCREFS);
mOut.writeInt32(handle);
// Create a temp reference until the driver has handled this command.
proxy->getWeakRefs()->incWeak(mProcess.get());
mPostWriteWeakDerefs.push(proxy->getWeakRefs());
}
这里mOut最终会传给binder驱动,handle = 0 就是IHwServiceManager的Bp 这个下面会说到这里先掠过,再回到2.2->2.1 就会知道defaultServiceManager() 返回的就是BpHwServiceManager对象,然后执行sm->add方法,找到实现在/out/soong/.intermediates/system/libhidl/transport/manager/1.0/android.hidl.manager@1.0_genc++/gen/android/hidl/manager/1.0/ServiceManagerAll.cpp
3. /out/soong/.intermediates/system/libhidl/transport/manager/1.0/android.hidl.manager@1.0_genc++/gen/android/hidl/manager/1.0/ServiceManagerAll.cpp
::android::hardware::Return<bool> BpHwServiceManager::add(const ::android::hardware::hidl_string& name, const ::android::sp<::android::hidl::base::V1_0::IBase>& service){
::android::hardware::Return<bool> _hidl_out = ::android::hidl::manager::V1_0::BpHwServiceManager::_hidl_add(this, this, name, service);
return _hidl_out;
}
然后同一个类的_hidl_add
::android::hardware::Return<bool> BpHwServiceManager::_hidl_add(::android::hardware::IInterface *_hidl_this, ::android::hardware::details::HidlInstrumentor *_hidl_this_instrumentor, const ::android::hardware::hidl_string& name, const ::android::sp<::android::hidl::base::V1_0::IBase>& service) {
....
::android::hardware::Parcel _hidl_data;
::android::hardware::Parcel _hidl_reply;
::android::status_t _hidl_err;
::android::hardware::Status _hidl_status;
bool _hidl_out_success;
...
if (service == nullptr) {
_hidl_err = _hidl_data.writeStrongBinder(nullptr);
} else {
::android::sp<::android::hardware::IBinder> _hidl_binder = ::android::hardware::toBinder<
::android::hidl::base::V1_0::IBase>(service); //USB对象
if (_hidl_binder.get() != nullptr) {
_hidl_err = _hidl_data.writeStrongBinder(_hidl_binder);//写入parcel
} else {
_hidl_err = ::android::UNKNOWN_ERROR;
}
}
if (_hidl_err != ::android::OK) { goto _hidl_error; }
::android::hardware::ProcessState::self()->startThreadPool();
_hidl_err = ::android::hardware::IInterface::asBinder(_hidl_this)->transact(2 /* add */, _hidl_data, &_hidl_reply);
if (_hidl_err != ::android::OK) { goto _hidl_error; }
_hidl_err = ::android::hardware::readFromParcel(&_hidl_status, _hidl_reply);
if (_hidl_err != ::android::OK) { goto _hidl_error; }
if (!_hidl_status.isOk()) { return _hidl_status; }
_hidl_err = _hidl_reply.readBool(&_hidl_out_success);
if (_hidl_err != ::android::OK) { goto _hidl_error; }
...
_hidl_status.setFromStatusT(_hidl_err);
return ::android::hardware::Return<bool>(_hidl_out_success);
_hidl_error:
_hidl_status.setFromStatusT(_hidl_err);
return ::android::hardware::Return<bool>(_hidl_status);
}
先看tobinder实现在system/libhidl/transport/include/hidl/HidlBinderSupport.h
3.1. system/libhidl/transport/include/hidl/HidlBinderSupport.h
template <typename IType,
typename = std::enable_if_t<std::is_same<details::i_tag, typename IType::_hidl_tag>::value>>
sp<IBinder> toBinder(sp<IType> iface) {
IType *ifacePtr = iface.get();
if (ifacePtr == nullptr) {
return nullptr;
}
if (ifacePtr->isRemote()) {
return ::android::hardware::IInterface::asBinder(
static_cast<BpInterface<IType>*>(ifacePtr));
} else {
std::string myDescriptor = details::getDescriptor(ifacePtr);
if (myDescriptor.empty()) {
// interfaceDescriptor fails
return nullptr;
}
// for get + set
std::unique_lock<std::mutex> _lock = details::gBnMap.lock();
wp<BHwBinder> wBnObj = details::gBnMap.getLocked(ifacePtr, nullptr);
sp<IBinder> sBnObj = wBnObj.promote();
if (sBnObj == nullptr) {
auto func = details::getBnConstructorMap().get(myDescriptor, nullptr);
if (!func) {
func = details::gBnConstructorMap.get(myDescriptor, nullptr);
if (!func) {
return nullptr;
}
}
sBnObj = sp<IBinder>(func(static_cast<void*>(ifacePtr)));
if (sBnObj != nullptr) {
details::gBnMap.setLocked(ifacePtr, static_cast<BHwBinder*>(sBnObj.get()));
}
}
return sBnObj;
}
}
然后看isRemote(),传参是Usb对象,Usb继承了IUsb而在out/soong/.intermediates/hardware/interfaces/usb/1.0/android.hardware.usb@1.0_genc++_headers/gen/android/hardware/usb/1.0/IUsb.h
3.1.1 out/soong/.intermediates/hardware/interfaces/usb/1.0/android.hardware.usb@1.0_genc++_headers/gen/android/hardware/usb/1.0/IUsb.h
struct IUsb : public ::android::hidl::base::V1_0::IBase {
typedef android::hardware::details::i_tag _hidl_tag;
// Forward declaration for forward reference support:
virtual bool isRemote() const override { return false; }
...
所以isRemote()为false 所以3.章节的_hidl_binder是BHwBinder
接着往下看就是 _hidl_data.writeStrongBinder(_hidl_binder)实现在/system/libhwbinder/Parcel.cpp
3.2. /system/libhwbinder/Parcel.cpp
status_t Parcel::writeStrongBinder(const sp<IBinder>& val)
{
return flatten_binder(ProcessState::self(), val, this);
}
接着同一个cpp往下看
status_t flatten_binder(const sp<ProcessState>& /*proc*/,
const sp<IBinder>& binder, Parcel* out)
{
flat_binder_object obj;
if (binder != NULL) {
BHwBinder *local = binder->localBinder();
if (!local) {
BpHwBinder *proxy = binder->remoteBinder();
if (proxy == NULL) {
ALOGE("null proxy");
}
const int32_t handle = proxy ? proxy->handle() : 0;
obj.hdr.type = BINDER_TYPE_HANDLE;
obj.flags = FLAT_BINDER_FLAG_ACCEPTS_FDS;
obj.binder = 0; /* Don't pass uninitialized stack data to a remote process */
obj.handle = handle;
obj.cookie = 0;
} else {
// Get policy and convert it
int policy = local->getMinSchedulingPolicy();
int priority = local->getMinSchedulingPriority();
obj.flags = priority & FLAT_BINDER_FLAG_PRIORITY_MASK;
obj.flags |= FLAT_BINDER_FLAG_ACCEPTS_FDS | FLAT_BINDER_FLAG_INHERIT_RT;
obj.flags |= (policy & 3) << FLAT_BINDER_FLAG_SCHEDPOLICY_SHIFT;
obj.hdr.type = BINDER_TYPE_BINDER;
obj.binder = reinterpret_cast<uintptr_t>(local->getWeakRefs());
obj.cookie = reinterpret_cast<uintptr_t>(local);
}
} else {
obj.hdr.type = BINDER_TYPE_BINDER;
obj.binder = 0;
obj.cookie = 0;
}
return finish_flatten_binder(binder, obj, out);
}
BHwBinder *local = binder->localBinder();由于binder是BnHwUsb继承BnHwBase,BnHwBase继承BHwBinder 而BHwBinder类实现在system/libhwbinder/Binder.cpp
3.2.1. system/libhwbinder/Binder.cpp
BHwBinder* BHwBinder::localBinder()
{
return this;
}
所以3.2 走else分支obj.hdr.type = BINDER_TYPE_BINDER;
接着3.章节的_hidl_add函数往下看该走到
_hidl_err = ::android::hardware::IInterface::asBinder(_hidl_this)->transact(2 /* add */, _hidl_data, &_hidl_reply); asasBinder 实现在system/libhwbinder/IInterface.cpp
3.3. system/libhwbinder/IInterface.cpp
sp<IBinder> IInterface::asBinder(const sp<IInterface>& iface)
{
if (iface == NULL) return NULL;
return iface->onAsBinder();
}
onAsBinder的实现在system/libhwbinder/include/hwbinder/IInterface.h里面
3.3.1. system/libhwbinder/include/hwbinder/IInterface.h
template<typename INTERFACE>
inline IBinder* BpInterface<INTERFACE>::onAsBinder()
{
return remote();
}
remote()实现在system/libhwbinder/include/hwbinder/Binder.h
inline IBinder* remote() const { return mRemote; }
所以asBinder之后变成了BpHwBinder,然后看transact函数实现在system/libhwbinder/BpHwBinder.cpp
3.4. BpHwBinder.cpp
status_t BpHwBinder::transact(
uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags, TransactCallback /*callback*/)
{
// Once a binder has died, it will never come back to life.
if (mAlive) {
status_t status = IPCThreadState::self()->transact(
mHandle, code, data, reply, flags);
if (status == DEAD_OBJECT) mAlive = 0;
return status;
}
return DEAD_OBJECT;
}
接着调用到了system/libhwbinder/IPCThreadState.cpp
3.4.1. system/libhwbinder/IPCThreadState.cpp
status_t IPCThreadState::transact(int32_t handle,
uint32_t code, const Parcel& data,
Parcel* reply, uint32_t flags)
{
status_t err;
flags |= TF_ACCEPT_FDS;
...
err = writeTransactionData(BC_TRANSACTION_SG, flags, handle, code, data, NULL);
if (err != NO_ERROR) {
if (reply) reply->setError(err);
return (mLastError = err);
}
if ((flags & TF_ONE_WAY) == 0) {
...
if (reply) {
err = waitForResponse(reply);
} else {
Parcel fakeReply;
err = waitForResponse(&fakeReply);
}
...
} else {
err = waitForResponse(NULL, NULL);
}
return err;
}
writeTransactionData 实现如下
status_t IPCThreadState::writeTransactionData(int32_t cmd, uint32_t binderFlags,
int32_t handle, uint32_t code, const Parcel& data, status_t* statusBuffer)
{
binder_transaction_data_sg tr_sg;
/* Don't pass uninitialized stack data to a remote process */
tr_sg.transaction_data.target.ptr = 0;
tr_sg.transaction_data.target.handle = handle;
tr_sg.transaction_data.code = code;
tr_sg.transaction_data.flags = binderFlags;
tr_sg.transaction_data.cookie = 0;
tr_sg.transaction_data.sender_pid = 0;
tr_sg.transaction_data.sender_euid = 0;
...
mOut.writeInt32(cmd);
mOut.write(&tr_sg, sizeof(tr_sg));
return NO_ERROR;
}
mOut有poll负责监听读写,最终由下面的函数写给驱动
status_t IPCThreadState::talkWithDriver(bool doReceive)
{
if (mProcess->mDriverFD <= 0) {
return -EBADF;
}
binder_write_read bwr;
// Is the read buffer empty?
const bool needRead = mIn.dataPosition() >= mIn.dataSize();
// We don't want to write anything if we are still reading
// from data left in the input buffer and the caller
// has requested to read the next data.
const size_t outAvail = (!doReceive || needRead) ? mOut.dataSize() : 0;
bwr.write_size = outAvail;
bwr.write_buffer = (uintptr_t)mOut.data();
// This is what we'll read.
if (doReceive && needRead) {
bwr.read_size = mIn.dataCapacity();
bwr.read_buffer = (uintptr_t)mIn.data();
} else {
bwr.read_size = 0;
bwr.read_buffer = 0;
}
...
// Return immediately if there is nothing to do.
if ((bwr.write_size == 0) && (bwr.read_size == 0)) return NO_ERROR;
bwr.write_consumed = 0;
bwr.read_consumed = 0;
status_t err;
do {
...
#if defined(__ANDROID__)
if (ioctl(mProcess->mDriverFD, BINDER_WRITE_READ, &bwr) >= 0)
err = NO_ERROR;
else
err = -errno;
#else
err = INVALID_OPERATION;
#endif
if (mProcess->mDriverFD <= 0) {
err = -EBADF;
}
...
}
} while (err == -EINTR);
...
return err;
}
最终由ioctrl写入驱动
if (ioctl(mProcess->mDriverFD, BINDER_WRITE_READ, &bwr) >= 0)
4. drivers/android/binder.c
binder驱动的接收实现
case BINDER_WRITE_READ:
ret = binder_ioctl_write_read(filp, cmd, arg, thread);
if (ret)
goto err;
break;
接着往下调用
static int binder_ioctl_write_read(struct file *filp,
unsigned int cmd, unsigned long arg,
struct binder_thread *thread)
{
int ret = 0;
struct binder_proc *proc = filp->private_data;
unsigned int size = _IOC_SIZE(cmd);
void __user *ubuf = (void __user *)arg;
struct binder_write_read bwr;
if (size != sizeof(struct binder_write_read)) {
ret = -EINVAL;
goto out;
}
if (copy_from_user(&bwr, ubuf, sizeof(bwr))) {
ret = -EFAULT;
goto out;
}
if (bwr.write_size > 0) {
ret = binder_thread_write(proc, thread,
bwr.write_buffer,
bwr.write_size,
&bwr.write_consumed);
trace_binder_write_done(ret);
if (ret < 0) {
bwr.read_consumed = 0;
if (copy_to_user(ubuf, &bwr, sizeof(bwr)))
ret = -EFAULT;
goto out;
}
}
if (bwr.read_size > 0) {
ret = binder_thread_read(proc, thread, bwr.read_buffer,
bwr.read_size,
&bwr.read_consumed,
filp->f_flags & O_NONBLOCK);
trace_binder_read_done(ret);
binder_inner_proc_lock(proc);
if (!binder_worklist_empty_ilocked(&proc->todo))
binder_wakeup_proc_ilocked(proc);
binder_inner_proc_unlock(proc);
if (ret < 0) {
if (copy_to_user(ubuf, &bwr, sizeof(bwr)))
ret = -EFAULT;
goto out;
}
}
...
if (copy_to_user(ubuf, &bwr, sizeof(bwr))) {
ret = -EFAULT;
goto out;
}
out:
return ret;
}
由第3.章节的调用可知if (bwr.write_size > 0) 成立所以接着往下看
static int binder_thread_write(struct binder_proc *proc,
struct binder_thread *thread,
binder_uintptr_t binder_buffer, size_t size,
binder_size_t *consumed)
{
uint32_t cmd;
struct binder_context *context = proc->context;
void __user *buffer = (void __user *)(uintptr_t)binder_buffer;
void __user *ptr = buffer + *consumed;
void __user *end = buffer + size;
while (ptr < end && thread->return_error.cmd == BR_OK) {
int ret;
if (get_user(cmd, (uint32_t __user *)ptr))
return -EFAULT;
ptr += sizeof(uint32_t);
trace_binder_command(cmd);
if (_IOC_NR(cmd) < ARRAY_SIZE(binder_stats.bc)) {
atomic_inc(&binder_stats.bc[_IOC_NR(cmd)]);
atomic_inc(&proc->stats.bc[_IOC_NR(cmd)]);
atomic_inc(&thread->stats.bc[_IOC_NR(cmd)]);
}
switch (cmd) {
...
case BC_TRANSACTION_SG:
case BC_REPLY_SG: {
struct binder_transaction_data_sg tr;
if (copy_from_user(&tr, ptr, sizeof(tr)))
return -EFAULT;
ptr += sizeof(tr);
binder_transaction(proc, thread, &tr.transaction_data,
cmd == BC_REPLY_SG, tr.buffers_size);
break;
}
...
}
return 0;
}
接着看binder_transaction函数
static void binder_transaction(struct binder_proc *proc,
struct binder_thread *thread,
struct binder_transaction_data *tr, int reply,
binder_size_t extra_buffers_size)
{
......
for (buffer_offset = off_start_offset; buffer_offset < off_end_offset;
buffer_offset += sizeof(binder_size_t)) {
......
hdr = &object.hdr;
off_min = object_offset + object_size;
switch (hdr->type) {
case BINDER_TYPE_BINDER:
case BINDER_TYPE_WEAK_BINDER: {
struct flat_binder_object *fp;
fp = to_flat_binder_object(hdr);
ret = binder_translate_binder(fp, t, thread);
.......
} break;
.......
在接者看binder_translate_binder
static int binder_translate_binder(struct flat_binder_object *fp,
struct binder_transaction *t,
struct binder_thread *thread)
{
......
ret = binder_inc_ref_for_node(target_proc, node,
fp->hdr.type == BINDER_TYPE_BINDER,
&thread->todo, &rdata);
if (ret)
goto done;
if (fp->hdr.type == BINDER_TYPE_BINDER)
fp->hdr.type = BINDER_TYPE_HANDLE;
else
fp->hdr.type = BINDER_TYPE_WEAK_HANDLE;
fp->binder = 0;
fp->handle = rdata.desc;
fp->cookie = 0;
....
done:
binder_put_node(node);
return ret;
}
然后先看binder_inc_ref_for_node 函数
*/
static int binder_inc_ref_for_node(struct binder_proc *proc,
struct binder_node *node,
bool strong,
struct list_head *target_list,
struct binder_ref_data *rdata)
{
...
ref = binder_get_ref_for_node_olocked(proc, node, NULL);
if (!ref) {
binder_proc_unlock(proc);
new_ref = kzalloc(sizeof(*ref), GFP_KERNEL);
if (!new_ref)
return -ENOMEM;
binder_proc_lock(proc);
ref = binder_get_ref_for_node_olocked(proc, node, new_ref);
}
...
return ret;
}
然后看binder_get_ref_for_node_olocked这个函数就可以看到handle如果是servicemanager就是0,如果不是就从1开始递增,然后,从binder_translate_binder函数就可以看到如果type是BINDER_TYPE_BINDER强制改为BINDER_TYPE_HANDLE并给handle赋值,至此,驱动流程基本走完
static struct binder_ref *binder_get_ref_for_node_olocked(
struct binder_proc *proc,
struct binder_node *node,
struct binder_ref *new_ref)
{
struct binder_context *context = proc->context;
struct rb_node **p = &proc->refs_by_node.rb_node;
struct rb_node *parent = NULL;
struct binder_ref *ref;
struct rb_node *n;
while (*p) {
parent = *p;
ref = rb_entry(parent, struct binder_ref, rb_node_node);
if (node < ref->node)
p = &(*p)->rb_left;
else if (node > ref->node)
p = &(*p)->rb_right;
else
return ref;
}
if (!new_ref)
return NULL;
binder_stats_created(BINDER_STAT_REF);
new_ref->data.debug_id = atomic_inc_return(&binder_last_id);
new_ref->proc = proc;
new_ref->node = node;
rb_link_node(&new_ref->rb_node_node, parent, p);
rb_insert_color(&new_ref->rb_node_node, &proc->refs_by_node);
new_ref->data.desc = (node == context->binder_context_mgr_node) ? 0 : 1;
for (n = rb_first(&proc->refs_by_desc); n != NULL; n = rb_next(n)) {
ref = rb_entry(n, struct binder_ref, rb_node_desc);
if (ref->data.desc > new_ref->data.desc)
break;
new_ref->data.desc = ref->data.desc + 1;
}
p = &proc->refs_by_desc.rb_node;
while (*p) {
parent = *p;
ref = rb_entry(parent, struct binder_ref, rb_node_desc);
if (new_ref->data.desc < ref->data.desc)
p = &(*p)->rb_left;
else if (new_ref->data.desc > ref->data.desc)
p = &(*p)->rb_right;
else
BUG();
}
......
}
接着就是走system/libhwbinder/IPCThreadState.cpp收到通知,调用BHwBinder的transact,回调非Bn端的onTransact
5. system/libhwbinder/Binder.cpp
status_t BHwBinder::transact(
uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags, TransactCallback callback)
{
data.setDataPosition(0);
status_t err = NO_ERROR;
switch (code) {
default:
err = onTransact(code, data, reply, flags,
[&](auto &replyParcel) {
replyParcel.setDataPosition(0);
if (callback != NULL) {
callback(replyParcel);
}
});
break;
}
return err;
}
6. out/soong/.intermediates/system/libhidl/transport/manager/1.0/android.hidl.manager@1.0_genc++/gen/android/hidl/manager/1.0/ServiceManagerAll.cpp
::android::status_t BnHwServiceManager::onTransact(
uint32_t _hidl_code,
const ::android::hardware::Parcel &_hidl_data,
::android::hardware::Parcel *_hidl_reply,
uint32_t _hidl_flags,
TransactCallback _hidl_cb) {
::android::status_t _hidl_err = ::android::OK;
switch (_hidl_code) {
......
case 2 /* add */:
{
bool _hidl_is_oneway = _hidl_flags & 1 /* oneway */;
if (_hidl_is_oneway != false) {
return ::android::UNKNOWN_ERROR;
}
_hidl_err = ::android::hidl::manager::V1_0::BnHwServiceManager::_hidl_add(this, _hidl_data, _hidl_reply, _hidl_cb);
break;
}
......
顺着_hidl_add函数接着往下看
::android::status_t BnHwServiceManager::_hidl_add(
::android::hidl::base::V1_0::BnHwBase* _hidl_this,
const ::android::hardware::Parcel &_hidl_data,
::android::hardware::Parcel *_hidl_reply,
TransactCallback _hidl_cb) {
{
......
::android::sp<::android::hardware::IBinder> _hidl_binder;
_hidl_err = _hidl_data.readNullableStrongBinder(&_hidl_binder);
if (_hidl_err != ::android::OK) { return _hidl_err; }
service = ::android::hardware::fromBinder<::android::hidl::base::V1_0::IBase,::android::hidl::base::V1_0::BpHwBase,::android::hidl::base::V1_0::BnHwBase>(_hidl_binder);
......
bool _hidl_out_success = static_cast<IServiceManager*>(_hidl_this->getImpl().get())->add(*name, service);
......
}
先看_hidl_data.readNullableStrongBinder函数
6.1. system/libhwbinder/Parcel.cpp
status_t Parcel::readNullableStrongBinder(sp<IBinder>* val) const
{
return unflatten_binder(ProcessState::self(), *this, val);
}
接着看unflatten_binder函数实现
status_t unflatten_binder(const sp<ProcessState>& proc,
const Parcel& in, sp<IBinder>* out)
{
const flat_binder_object* flat = in.readObject<flat_binder_object>();
if (flat) {
switch (flat->hdr.type) {
case BINDER_TYPE_BINDER:
*out = reinterpret_cast<IBinder*>(flat->cookie);
return finish_unflatten_binder(NULL, *flat, in);
case BINDER_TYPE_HANDLE:
*out = proc->getStrongProxyForHandle(flat->handle);
return finish_unflatten_binder(
static_cast<BpHwBinder*>(out->get()), *flat, in);
}
}
return BAD_TYPE;
}
由第4.步标黄部分可知type已经改为BINDER_TYPE_HANDLE
下面拿到的就是BpHwBinder对象,在经过fromBinder,就拿到了BpHwUsb的对象并以BpHwBase这个基类对象存储,接着就是IServiceManager实现类的add方法,实现/system/hwservicemanager/ServiceManager.cpp
7. system/hwservicemanager/ServiceManager.cpp
Return<bool> ServiceManager::add(const hidl_string& name, const sp<IBase>& service) {
bool isValidService = false;
if (service == nullptr) {
return false;
}
// TODO(b/34235311): use HIDL way to determine this
// also, this assumes that the PID that is registering is the pid that is the service
pid_t pid = IPCThreadState::self()->getCallingPid();
auto context = mAcl.getContext(pid);
auto ret = service->interfaceChain([&](const auto &interfaceChain) {
if (interfaceChain.size() == 0) {
return;
}
// First, verify you're allowed to add() the whole interface hierarchy
for(size_t i = 0; i < interfaceChain.size(); i++) {
const std::string fqName = interfaceChain[i];
if (!mAcl.canAdd(fqName, context, pid)) {
return;
}
}
{
// For IBar extends IFoo if IFoo/default is being registered, remove
// IBar/default. This makes sure the following two things are equivalent
// 1). IBar::castFrom(IFoo::getService(X))
// 2). IBar::getService(X)
// assuming that IBar is declared in the device manifest and there
// is also not an IBaz extends IFoo.
const std::string childFqName = interfaceChain[0];
const PackageInterfaceMap &ifaceMap = mServiceMap[childFqName];
const HidlService *hidlService = ifaceMap.lookup(name);
if (hidlService != nullptr) {
const sp<IBase> remove = hidlService->getService();
if (remove != nullptr) {
const std::string instanceName = name;
removeService(remove, &instanceName /* restrictToInstanceName */);
}
}
}
for(size_t i = 0; i < interfaceChain.size(); i++) {
const std::string fqName = interfaceChain[i];
PackageInterfaceMap &ifaceMap = mServiceMap[fqName];
HidlService *hidlService = ifaceMap.lookup(name);
if (hidlService == nullptr) {
ifaceMap.insertService(
std::make_unique<HidlService>(fqName, name, service, pid));
} else {
hidlService->setService(service, pid);
}
ifaceMap.sendPackageRegistrationNotification(fqName, name);
}
bool linkRet = service->linkToDeath(this, kServiceDiedCookie).withDefault(false);
if (!linkRet) {
LOG(ERROR) << "Could not link to death for " << interfaceChain[0] << "/" << name;
}
isValidService = true;
});
if (!ret.isOk()) {
LOG(ERROR) << "Failed to retrieve interface chain.";
return false;
}
return isValidService;
}
可以看到把service放到map,至此注册流程就结束了
注册流程图
扫一扫
1045
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
