Android SystemServer BpBinder监控源码分析

如果有Java层，BpBinder监控也可以理解为BinderProxy的监控。

systemReady

frameworks/base/services/core/java/com/android/server/am/ActivityManagerService.java

    /**
     * The number of binder proxies we need to have before we start warning and
     * dumping debug info.
     */
    private static final int BINDER_PROXY_HIGH_WATERMARK = 6000;
    /**
     * Low watermark that needs to be met before we consider dumping info again,
     * after already hitting the high watermark.
     */
    private static final int BINDER_PROXY_LOW_WATERMARK = 5500;
    t.traceBegin("setBinderProxies");BinderInternal.nSetBinderProxyCountWatermarks(BINDER_PROXY_HIGH_WATERMARK,
                    BINDER_PROXY_LOW_WATERMARK);
            BinderInternal.nSetBinderProxyCountEnabled(true);
            BinderInternal.setBinderProxyCountCallback(
                    (uid) -> {
                        Slog.wtf(TAG, "Uid " + uid + " sent too many Binders to uid "
                                + Process.myUid());
                        BinderProxy.dumpProxyDebugInfo();
                        if (uid == Process.SYSTEM_UID) {
                            Slog.i(TAG, "Skipping kill (uid is SYSTEM)");
                        } else {
                            killUid(UserHandle.getAppId(uid), UserHandle.getUserId(uid),
                                    "Too many Binders sent to SYSTEM");
                            // We need to run a GC here, because killing the processes involved
                            // actually isn't guaranteed to free up the proxies; in fact, if the
                            // GC doesn't run for a long time, we may even exceed the global
                            // proxy limit for a process (20000), resulting in system_server itself
                            // being killed.
                            // Note that the GC here might not actually clean up all the proxies,
                            // because the binder reference decrements will come in asynchronously;
                            // but if new processes belonging to the UID keep adding proxies, we
                            // will get another callback here, and run the GC again - this time
                            // cleaning up the old proxies.
                            VMRuntime.getRuntime().requestConcurrentGC();
                        }
                    }, mHandler);
t.traceEnd(); // setBinderProxies

在systemReady的时候会设置BinderProxy监控数量的回调。

nSetBinderProxyCountWatermarks

    /**
     * Set the Binder Proxy watermarks. Default high watermark = 2500. Default low watermark = 2000
     * @param high  The limit at which the BinderProxyListener callback will be called.
     * @param low   The threshold a binder count must drop below before the callback
     *              can be called again. (This is to avoid many repeated calls to the
     *              callback in a brief period of time)
     */
    public static final native void nSetBinderProxyCountWatermarks(int high, int low);

它是一个native函数：

frameworks/base/core/jni/android_util_Binder.cpp
static const JNINativeMethod gBinderInternalMethods[] = {
  ......
    { "nSetBinderProxyCountWatermarks", "(II)V", (void*)android_os_BinderInternal_setBinderProxyCountWatermarks}
};

static void android_os_BinderInternal_setBinderProxyCountWatermarks(JNIEnv* env, jobject clazz,
                                                                    jint high, jint low)
{
    BpBinder::setBinderProxyCountWatermarks(high, low);
}

void BpBinder::setBinderProxyCountWatermarks(int high, int low) {
    AutoMutex _l(sTrackingLock);
    sBinderProxyCountHighWatermark = high;
    sBinderProxyCountLowWatermark = low;
}

setBinderProxyCountWatermarks会重新设置sBinderProxyCountHighWatermark和sBinderProxyCountLowWatermark的值。

// Arbitrarily high value that probably distinguishes a bad behaving app
uint32_t BpBinder::sBinderProxyCountHighWatermark = 2500;
// Another arbitrary value a binder count needs to drop below before another callback will be called
uint32_t BpBinder::sBinderProxyCountLowWatermark = 2000;

sBinderProxyCountHighWatermark的值默认为2500，sBinderProxyCountLowWatermark默认为2000.
sBinderProxyCountHighWatermark意味着高于此值的时候，会触发回调。
sBinderProxyCountLowWatermark意味着binder proxy的数量下降到低于该值时，才能再次触发回调。

nSetBinderProxyCountEnabled

    /**
     * Enable/disable Binder Proxy Instance Counting by Uid. While enabled, the set callback will
     * be called if this process holds too many Binder Proxies on behalf of a Uid.
     * @param enabled true to enable counting, false to disable
     */
    public static final native void nSetBinderProxyCountEnabled(boolean enabled);

用于启用/禁用按UID计数的Binder Proxy实例。当启用时，如果该进程代表某个UID持有太多的Binder Proxy实例，将会调用设置的回调函数

static const JNINativeMethod gBinderInternalMethods[] = {
    ......
    { "nSetBinderProxyCountEnabled", "(Z)V", (void*)android_os_BinderInternal_setBinderProxyCountEnabled },

static void android_os_BinderInternal_setBinderProxyCountEnabled(JNIEnv* env, jobject clazz,
                                                                 jboolean enable)
{
    BpBinder::setCountByUidEnabled((bool) enable);
}

void BpBinder::setCountByUidEnabled(bool enable) { sCountByUidEnabled.store(enable); }
std::atomic_bool BpBinder::sCountByUidEnabled(false);

sCountByUidEnabled是原子的，默认为false，这里赋值为true

setBinderProxyCountCallback

    /**
     * Set a callback to be triggered when a uid's Binder Proxy limit is reached for this process.
     * @param listener OnLimitReached of listener will be called in the thread provided by handler
     * @param handler must not be null, callback will be posted through the handler;
     *
     */
    public static void setBinderProxyCountCallback(BinderProxyLimitListener listener,
            @NonNull Handler handler) {
        Preconditions.checkNotNull(handler,
                "Must provide NonNull Handler to setBinderProxyCountCallback when setting "
                        + "BinderProxyLimitListener");
        sBinderProxyLimitListenerDelegate.setListener(listener, handler);
    }

设置监听回调的listener以及处理所在的handler。当binder proxy达到阈值的时候，会回调该listener。

    static final BinderProxyLimitListenerDelegate sBinderProxyLimitListenerDelegate =
            new BinderProxyLimitListenerDelegate();

    static private class BinderProxyLimitListenerDelegate {
        private BinderProxyLimitListener mBinderProxyLimitListener;
        private Handler mHandler;

        void setListener(BinderProxyLimitListener listener, Handler handler) {
            synchronized (this) {
                mBinderProxyLimitListener = listener;
                mHandler = handler;
            }
        }

        void notifyClient(final int uid) {
            synchronized (this) {
                if (mBinderProxyLimitListener != null) {
                    mHandler.post(new Runnable() {
                        @Override
                        public void run() {
                            mBinderProxyLimitListener.onLimitReached(uid);
                        }
                    });
                }
            }
        }
    }

可以看到这里只是设置一个监听，拿回调监听的函数为notifyClient，看下这个函数的在哪里调用的：

    /**
     * Callback used by native code to trigger a callback in java code. The callback will be
     * triggered when too many binder proxies from a uid hits the allowed limit.
     * @param uid The uid of the bad behaving app sending too many binders
     */
    public static void binderProxyLimitCallbackFromNative(int uid) {
       sBinderProxyLimitListenerDelegate.notifyClient(uid);
    }

这个函数由native调用：

static int int_register_android_os_BinderInternal(JNIEnv* env)
{
    jclass clazz = FindClassOrDie(env, kBinderInternalPathName);

    gBinderInternalOffsets.mProxyLimitCallback = GetStaticMethodIDOrDie(env, clazz, "binderProxyLimitCallbackFromNative", "(I)V");

    return RegisterMethodsOrDie(
        env, kBinderInternalPathName,
        gBinderInternalMethods, NELEM(gBinderInternalMethods));
}

可以看到当jni初始化的时候，就把binderProxyLimitCallbackFromNative的方法ID赋值给了gBinderInternalOffsets.mProxyLimitCallback。那看下调用方法的地方：

static void android_os_BinderInternal_proxyLimitcallback(int uid)
{
    JNIEnv *env = AndroidRuntime::getJNIEnv();
    env->CallStaticVoidMethod(gBinderInternalOffsets.mClass,
                              gBinderInternalOffsets.mProxyLimitCallback,
                              uid);

    if (env->ExceptionCheck()) {
        ScopedLocalRef<jthrowable> excep(env, env->ExceptionOccurred());
        binder_report_exception(env, excep.get(),
                                "*** Uncaught exception in binderProxyLimitCallbackFromNative");
    }
}

由jni函数android_os_BinderInternal_proxyLimitcallback调用，那它又是哪里调用的呢？

static int int_register_android_os_BinderInternal(JNIEnv* env)
{
    jclass clazz = FindClassOrDie(env, kBinderInternalPathName);
    ...
    BpBinder::setLimitCallback(android_os_BinderInternal_proxyLimitcallback);

    return RegisterMethodsOrDie(
        env, kBinderInternalPathName,
        gBinderInternalMethods, NELEM(gBinderInternalMethods));
}

可以看到jni注册时候，把android_os_BinderInternal_proxyLimitcallback设置为了BpBinder的回调函数。

binder_proxy_limit_callback BpBinder::sLimitCallback;

void BpBinder::setLimitCallback(binder_proxy_limit_callback cb) {
    AutoMutex _l(sTrackingLock);
    sLimitCallback = cb;
}

android_os_BinderInternal_proxyLimitcallback又赋值给了sLimitCallback，那sLimitCallback又是哪里调用的呢？

sp<BpBinder> BpBinder::create(int32_t handle) {
    int32_t trackedUid = -1;
    if (sCountByUidEnabled) {
        trackedUid = IPCThreadState::self()->getCallingUid();
        AutoMutex _l(sTrackingLock);
        uint32_t trackedValue = sTrackingMap[trackedUid];
        if (CC_UNLIKELY(trackedValue & LIMIT_REACHED_MASK)) {
            if (sBinderProxyThrottleCreate) {
                return nullptr;
            }
            trackedValue = trackedValue & COUNTING_VALUE_MASK;
            uint32_t lastLimitCallbackAt = sLastLimitCallbackMap[trackedUid];

            if (trackedValue > lastLimitCallbackAt &&
                (trackedValue - lastLimitCallbackAt > sBinderProxyCountHighWatermark)) {
                ALOGE("Still too many binder proxy objects sent to uid %d from uid %d (%d proxies "
                      "held)",
                      getuid(), trackedUid, trackedValue);
                if (sLimitCallback) sLimitCallback(trackedUid);
                sLastLimitCallbackMap[trackedUid] = trackedValue;
            }
        } else {
            if ((trackedValue & COUNTING_VALUE_MASK) >= sBinderProxyCountHighWatermark) {
                ALOGE("Too many binder proxy objects sent to uid %d from uid %d (%d proxies held)",
                      getuid(), trackedUid, trackedValue);
                sTrackingMap[trackedUid] |= LIMIT_REACHED_MASK;
                if (sLimitCallback) sLimitCallback(trackedUid);
                sLastLimitCallbackMap[trackedUid] = trackedValue & COUNTING_VALUE_MASK;
                if (sBinderProxyThrottleCreate) {
                    ALOGI("Throttling binder proxy creates from uid %d in uid %d until binder proxy"
                          " count drops below %d",
                          trackedUid, getuid(), sBinderProxyCountLowWatermark);
                    return nullptr;
                }
            }
        }
        sTrackingMap[trackedUid]++;
    }
    return sp<BpBinder>::make(BinderHandle{handle}, trackedUid);
}

1. 每一个uid都对应一个值，如果uid相同，则值++，所以这里记录了以uid为key，以数量为value的数据。
2. 当value值的数量超过sBinderProxyCountHighWatermark的时候，会执行sLimitCallback回调函数。
3. 返回BpBinder对象。
   注意：有个地方需要注意，就是trackedUid和getuid

trackedUid = IPCThreadState::self()->getCallingUid();请求者的Uid
getuid() 当前进程的Uid

所以这个地方BpBinder的创建是可以定位到源头的，即哪个进程发送binder请求导致的BpBinder的不断创建的。

setBinderProxyCountCallback

再次回到AMS systemReady的setBinderProxyCountCallback，当回调执行的时候：

            BinderInternal.setBinderProxyCountCallback(
                    (uid) -> {
                        Slog.wtf(TAG, "Uid " + uid + " sent too many Binders to uid "
                                + Process.myUid());
                        BinderProxy.dumpProxyDebugInfo();
                        if (uid == Process.SYSTEM_UID) {
                            Slog.i(TAG, "Skipping kill (uid is SYSTEM)");
                        } else {
                            killUid(UserHandle.getAppId(uid), UserHandle.getUserId(uid),
                                    "Too many Binders sent to SYSTEM");
                            // We need to run a GC here, because killing the processes involved
                            // actually isn't guaranteed to free up the proxies; in fact, if the
                            // GC doesn't run for a long time, we may even exceed the global
                            // proxy limit for a process (20000), resulting in system_server itself
                            // being killed.
                            // Note that the GC here might not actually clean up all the proxies,
                            // because the binder reference decrements will come in asynchronously;
                            // but if new processes belonging to the UID keep adding proxies, we
                            // will get another callback here, and run the GC again - this time
                            // cleaning up the old proxies.
                            VMRuntime.getRuntime().requestConcurrentGC();
                        }
                    }, mHandler);

1. 把每个进程的BinderProxy的数量写入日志
2. 如果应用BinderProxy的数量超过6000，会杀掉该应用。

如哪里有错误，请予以指正。

最后

如果想要成为架构师或想突破20~30K薪资范畴，那就不要局限在编码，业务，要会选型、扩展，提升编程思维。此外，良好的职业规划也很重要，学习的习惯很重要，但是最重要的还是要能持之以恒，任何不能坚持落实的计划都是空谈。

如果你没有方向，这里给大家分享一套由阿里高级架构师编写的《Android八大模块进阶笔记》，帮大家将杂乱、零散、碎片化的知识进行体系化的整理，让大家系统而高效地掌握Android开发的各个知识点。

相对于我们平时看的碎片化内容，这份笔记的知识点更系统化，更容易理解和记忆，是严格按照知识体系编排的。

欢迎大家一键三连支持，若需要文中资料，直接扫描文末CSDN官方认证微信卡片免费领取↓↓↓（文末还有ChatGPT机器人小福利哦，大家千万不要错过）

PS:群里还设有ChatGPT机器人，可以解答大家在工作上或者是技术上的问题